From 8c0357a3d657081dd54699a998b1ec4629d26f02 Mon Sep 17 00:00:00 2001 From: Pierre Smeyers <pierre.smeyers@gmail.com> Date: Sun, 17 Apr 2022 23:29:21 +0200 Subject: [PATCH] chore: use workflow rules --- templates/gitlab-ci-python.yml | 87 +++++++++++++--------------------- 1 file changed, 32 insertions(+), 55 deletions(-) diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml index eb8c7a5..c125701 100644 --- a/templates/gitlab-ci-python.yml +++ b/templates/gitlab-ci-python.yml @@ -13,6 +13,14 @@ # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth # Floor, Boston, MA 02110-1301, USA. # ========================================================================================= +# default workflow rules +workflow: + rules: + # exclude merge requests + - if: $CI_MERGE_REQUEST_ID + when: never + - when: always + variables: # variabilized tracking image TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master" @@ -57,7 +65,6 @@ variables: PYTHON_REPOSITORY_USERNAME: 'gitlab-ci-token' PYTHON_REPOSITORY_PASSWORD: $CI_JOB_TOKEN - .python-scripts: &python-scripts | # BEGSCRIPT set -e @@ -572,9 +579,6 @@ py-package: paths: - $PYTHON_PROJECT_DIR/dist/* rules: - # exclude merge requests - - if: $CI_MERGE_REQUEST_ID - when: never - if: '$PYTHON_PACKAGE_ENABLED == "true"' py-lint: 
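Review bot: The `workflow:` block added at the top of the template is pipeline-wide, so including this template now suppresses merge request pipelines for every job of the including project, not only for the `py-*` jobs whose own `$CI_MERGE_REQUEST_ID` rule is removed in the py-package hunk and the hunks after it. The reverse case matters as well: a project that declares its own `workflow:rules` is likely to replace this list rather than merge with it, and the Python jobs, including `py-release`, would then have no merge-request guard left. I would state that dependency next to the block, for example `# pipeline-wide: applies to all jobs; a project-level workflow:rules replaces it and re-enables py-* jobs in MR pipelines`, and repeat it in the template's documentation.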
@@ -604,16 +608,15 @@ py-lint: paths: - $PYTHON_PROJECT_DIR/reports/ rules: - # exclude merge requests - - if: $CI_MERGE_REQUEST_ID + # exclude if $PYLINT_ENABLED not set + - if: '$PYLINT_ENABLED != "true"' when: never - # on production branch(es): if $PYLINT_ENABLED is set - - if: '$PYLINT_ENABLED == "true" && $CI_COMMIT_REF_NAME =~ $PROD_REF' - # on integration branch(es): if $PYLINT_ENABLED is set - - if: '$PYLINT_ENABLED == "true" && $CI_COMMIT_REF_NAME =~ $INTEG_REF' - # on non-production, non-integration branches, with $PYLINT_ENABLED set: auto & non-blocking - - if: '$PYLINT_ENABLED == "true"' + # on non-production, non-integration branches: manual & non-blocking + - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF' + when: manual allow_failure: true + # else: manual & non-blocking + - when: always py-compile: extends: .python-base @@ -622,9 +625,6 @@ py-compile: - install_requirements - _python -m compileall $PYTHON_COMPILE_ARGS rules: - # exclude merge requests - - if: $CI_MERGE_REQUEST_ID - when: never # on any branch: only when none of supported unit test framework is enabled - if: '$UNITTEST_ENABLED != "true" && $PYTEST_ENABLED != "true" && $NOSETESTS_ENABLED != "true"' @@ -657,9 +657,6 @@ py-unittest: paths: - $PYTHON_PROJECT_DIR/reports/ rules: - # exclude merge requests - - if: $CI_MERGE_REQUEST_ID - when: never # on any branch: when $UNITTEST_ENABLED is set - if: '$UNITTEST_ENABLED == "true"' @@ -684,9 +681,6 @@ py-pytest: paths: - $PYTHON_PROJECT_DIR/reports/ rules: - # exclude merge requests - - if: $CI_MERGE_REQUEST_ID - when: never # on any branch: when $PYTEST_ENABLED is set - if: '$PYTEST_ENABLED == "true"' @@ -710,9 +704,6 @@ py-nosetests: paths: - $PYTHON_PROJECT_DIR/reports/ rules: - # exclude merge requests - - if: $CI_MERGE_REQUEST_ID - when: never # on any branch: when $NOSETESTS_ENABLED is set - if: '$NOSETESTS_ENABLED == "true"' 
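Review bot: In the py-lint hunk the new final rule `- when: always` does not reproduce the rules it replaces: those had no `when`, which defaults to `on_success`, whereas `always` starts the job even when a job in an earlier stage has failed. `- when: on_success` keeps the old behaviour; the same line appears in the py-bandit, py-safety and py-trivy hunks. The comment above it, `# else: manual & non-blocking`, says the opposite of what the rule does and should read `# else (production or integration branch): auto & blocking` in all four places. The hunk also adds `when: manual` to the feature-branch rule, so pylint is no longer automatic there as the removed comment described (`auto & non-blocking`); if that is intended, it deserves a line in the commit message.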
@@ -741,17 +732,15 @@ py-bandit: paths: - $PYTHON_PROJECT_DIR/reports/ rules: - # exclude merge requests - - if: $CI_MERGE_REQUEST_ID + # exclude if $BANDIT_ENABLED not set + - if: '$BANDIT_ENABLED != "true"' when: never - # on production branch(es): if $BANDIT_ENABLED is set - - if: '$BANDIT_ENABLED == "true" && $CI_COMMIT_REF_NAME =~ $PROD_REF' - # on integration branch(es): if $BANDIT_ENABLED is set - - if: '$BANDIT_ENABLED == "true" && $CI_COMMIT_REF_NAME =~ $INTEG_REF' - # on non-production, non-integration branches, with $BANDIT_ENABLED set: manual & non-blocking - - if: '$BANDIT_ENABLED == "true"' + # on non-production, non-integration branches: manual & non-blocking + - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF' when: manual allow_failure: true + # else: manual & non-blocking + - when: always # Safety (dependency check) py-safety: @@ -779,17 +768,15 @@ py-safety: paths: - $PYTHON_PROJECT_DIR/reports/ rules: - # exclude merge requests - - if: $CI_MERGE_REQUEST_ID + # exclude if $SAFETY_ENABLED not set + - if: '$SAFETY_ENABLED != "true"' when: never - # on production branch(es): if $SAFETY_ENABLED is set - - if: '$SAFETY_ENABLED == "true" && $CI_COMMIT_REF_NAME =~ $PROD_REF' - # on integration branch(es): if $SAFETY_ENABLED is set - - if: '$SAFETY_ENABLED == "true" && $CI_COMMIT_REF_NAME =~ $INTEG_REF' - # on non-production, non-integration branches, with $SAFETY_ENABLED set: manual & non-blocking - - if: '$SAFETY_ENABLED == "true"' + # on non-production, non-integration branches: manual & non-blocking + - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF' when: manual allow_failure: true + # else: manual & non-blocking + - when: always # Trivy (dependency check) py-trivy: 
@@ -840,19 +827,15 @@ py-trivy: paths: - $PYTHON_PROJECT_DIR/reports/ rules: - # exclude merge requests - - if: $CI_MERGE_REQUEST_ID - when: never - # on production branch(es): if $TRIVY_ENABLED is set # exclude if $PYTHON_TRIVY_ENABLED not set - if: '$PYTHON_TRIVY_ENABLED != "true"' when: never - # on production or integration branches: auto - - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF' # on non-production, non-integration branches: manual & non-blocking - - if: '$PYTHON_TRIVY_ENABLED == "true"' # useless but prevents GitLab warning + - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF' when: manual allow_failure: true + # else: manual & non-blocking + - when: always # (manual from master branch): triggers a release (tag creation) py-release: @@ -868,16 +851,10 @@ py-release: paths: - $PYTHON_PROJECT_DIR/dist/* rules: - # exclude merge requests - - if: $CI_MERGE_REQUEST_ID - when: never # exclude if $PYTHON_RELEASE_ENABLED not set - if: '$PYTHON_RELEASE_ENABLED != "true"' when: never - # exclude on non-prod, non-integ branches - - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF' - when: never - # else: manual - - if: '$PYTHON_RELEASE_ENABLED == "true"' # useless but prevents GitLab warning + # on production or integration branch: manual, non blocking + - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF' when: manual allow_failure: true -- GitLab