# do not use "latest" here, if you want this to work in the future
# docker-in-docker: the runner uses docker from inside a docker container to execute the CI-jobs
image: docker:20 # this image is globally used for all jobs and provides the docker toolset (but without an active daemon)

stages:
  - build
  - push

# services configure images that run during jobs linked to the (global) image
services:
  - docker:dind # dind build on docker and starts up the dockerdaemon (docker itself doesn't do that), which is needed to call docker build etc.

before_script:
  # docker login asks for the password to be passed through stdin for security
  # we use $CI_REGISTRY_PASSWORD here which is a special variable provided by GitLab
  # https://docs.gitlab.com/ce/ci/variables/predefined_variables.html
  - echo -n $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY

Build:
  stage: build
  needs: []
  rules:
    - changes: # only run CI when these files have changed
      - "*.py"
      - Dockerfile
  script:
    # fetches the latest image from this projects registry to use as cache (not failing if image is not found)
    - docker pull $CI_REGISTRY_IMAGE:latest || true
    # the built image is tagged locally with the commit SHA, and then pushed to
    # the GitLab registry
    - >
      docker build
      --pull
      --cache-from $CI_REGISTRY_IMAGE:latest
      --label "org.opencontainers.image.title=$CI_PROJECT_TITLE"
      --label "org.opencontainers.image.url=$CI_PROJECT_URL"
      --label "org.opencontainers.image.created=$CI_JOB_STARTED_AT"
      --label "org.opencontainers.image.revision=$CI_COMMIT_SHA"
      --label "org.opencontainers.image.version=$CI_COMMIT_REF_NAME"
      --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
      .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

# Here, the goal is to tag the "master" branch as "latest"
Push latest:
  variables:
    # We are just playing with Docker here.
    # We do not need GitLab to clone the source code.
    GIT_STRATEGY: none
  stage: push
  needs: ["Build"]
  script:
    # Because we have no guarantee that this job will be picked up by the same runner
    # that built the image in the previous step, we pull it again locally
    - docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    # Then we tag it "latest"
    - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest
    # Annnd we push it.
    - docker push $CI_REGISTRY_IMAGE:latest