---
# Verify that tags matching v* are protected, so only maintainers can create
# release tags. Auto-fix posts a v* protection rule with create_access_level=40
# (Maintainer).
gitlab:recommended:protected_tags_v:
  extends: .gitlab_check
  script:
    - >
      curl -sSLf -H "PRIVATE-TOKEN: ${GL_TOKEN}"
      "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/protected_tags"
      -o protected_tags.json
    - printf "[*] Checking protected tags for v*..."
    - |
      if grep -qF '"name":"v*"' protected_tags.json; then
        echo -e " \e[32mprotected\e[0m."
      else
        echo -e " \e[31mnot protected\e[0m."
        echo "Tags matching v* should be protected so only maintainers can create release tags."
        if [ "${GITLAB_RECOMMENDED_AUTO_FIX}" = "true" ]; then
          printf "[*] Automatically fixing the problem..."
          curl -sSLf -H "PRIVATE-TOKEN: ${GL_TOKEN}" -X POST \
            "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/protected_tags" \
            -d "name=v*" -d "create_access_level=40" > /dev/null
          echo -e " \e[32mdone\e[0m."
        else
          echo "[!] To resolve automatically, set: GITLAB_RECOMMENDED_AUTO_FIX=true"
          exit 1
        fi
      fi