pipeline {
  agent {
    kubernetes {
      defaultContainer 'tester'
      yaml """
apiVersion: v1
kind: Pod
spec:
  nodeSelector:
    kubernetes.io/arch: arm64
    node-role.kubernetes.io/worker: "true"
  containers:
    - name: dind
      image: docker:27-dind
      securityContext:
        privileged: true
      env:
        - name: DOCKER_TLS_CERTDIR
          value: ""
      args:
        - "--mtu=1400"
        - "--host=unix:///var/run/docker.sock"
        - "--host=tcp://0.0.0.0:2375"
      volumeMounts:
        - name: dind-storage
          mountPath: /var/lib/docker
        - name: workspace-volume
          mountPath: /home/jenkins/agent
    - name: builder
      image: docker:27
      command:
        - cat
      tty: true
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375
        - name: DOCKER_TLS_CERTDIR
          value: ""
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
        - name: docker-config-writable
          mountPath: /root/.docker
        - name: harbor-config
          mountPath: /docker-config
    - name: tester
      image: python:3.12-slim
      command:
        - cat
      tty: true
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
  volumes:
    - name: docker-config-writable
      emptyDir: {}
    - name: dind-storage
      emptyDir: {}
    - name: harbor-config
      secret:
        secretName: harbor-robot-pipeline
        items:
          - key: .dockerconfigjson
            path: config.json
    - name: workspace-volume
      emptyDir: {}
"""
    }
  }
  environment {
    PIP_DISABLE_PIP_VERSION_CHECK = '1'
    PYTHONUNBUFFERED = '1'
    SUITE_NAME = 'atlasbot'
    PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
    QUALITY_GATE_SONARQUBE_ENFORCE = '1'
    QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
    QUALITY_GATE_IRONBANK_ENFORCE = '1'
    QUALITY_GATE_IRONBANK_REQUIRED = '1'
    QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
  }
  stages {
    stage('Checkout') {
      steps {
        checkout scm
      }
    }
    stage('Collect SonarQube evidence') {
      steps {
        container('tester') {
          sh '''
            set -euo pipefail
            mkdir -p build
            python3 - <<'PY'
import base64
import json
import os
import urllib.parse
import urllib.request

host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/')
project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip()
token = os.getenv('SONARQUBE_TOKEN', '').strip()
report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json')
payload = {"status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY"}
if host and project_key:
    query = urllib.parse.urlencode({"projectKey": project_key})
    request = urllib.request.Request(f"{host}/api/qualitygates/project_status?{query}", method="GET")
    if token:
        encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
        request.add_header("Authorization", f"Basic {encoded}")
    try:
        with urllib.request.urlopen(request, timeout=12) as response:
            payload = json.loads(response.read().decode("utf-8"))
    except Exception as exc:  # noqa: BLE001
        payload = {"status": "ERROR", "error": str(exc)}
with open(report_path, "w", encoding="utf-8") as handle:
    json.dump(payload, handle, indent=2, sort_keys=True)
    handle.write("\\n")
PY
          '''
        }
      }
    }
    stage('Collect Supply Chain evidence') {
      steps {
        container('tester') {
          sh '''
            set -euo pipefail
            mkdir -p build
            python3 - <<'PY'
import json
import os
from pathlib import Path

report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json'))
if report_path.exists():
    raise SystemExit(0)
status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip()
compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower()
payload = {"status": status or "unknown", "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None}
payload = {k: v for k, v in payload.items() if v is not None}
if "status" not in payload:
    payload["status"] = "unknown"
payload["note"] = "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT or write build/ironbank-compliance.json in image-building repos."
report_path.parent.mkdir(parents=True, exist_ok=True)
report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
PY
          '''
        }
      }
    }
    stage('Prep toolchain') {
      steps {
        container('builder') {
          sh '''
            set -euo pipefail
            mkdir -p /root/.docker
            cp /docker-config/config.json /root/.docker/config.json
          '''
        }
      }
    }
    stage('Compute version') {
      steps {
        container('builder') {
          script {
            def base = sh(returnStdout: true, script: 'cat VERSION_BASE 2>/dev/null || true').trim()
            if (!base) {
              base = "0.1.0"
            }
            def buildNum = env.BUILD_NUMBER?.trim()
            if (!buildNum) {
              buildNum = "0"
            }
            def semver = "${base}-${buildNum}"
            sh "echo SEMVER=${semver} > build.env"
          }
        }
      }
    }
    stage('Buildx setup') {
      steps {
        container('builder') {
          sh '''
            set -euo pipefail
            ready=0
            for _ in $(seq 1 10); do
              if docker info >/dev/null 2>&1; then
                ready=1
                break
              fi
              sleep 2
            done
            if [ "${ready}" -ne 1 ]; then
              echo "docker daemon did not become ready on ${DOCKER_HOST}" >&2
              docker version || true
              exit 1
            fi
            BUILDER_NAME="atlasbot-${BUILD_NUMBER}"
            docker buildx rm "${BUILDER_NAME}" >/dev/null 2>&1 || true
            docker buildx create --name "${BUILDER_NAME}" --driver docker-container --bootstrap --use
          '''
        }
      }
    }
    stage('Run quality gate') {
      steps {
        container('builder') {
          sh '''
            set -euo pipefail
            mkdir -p build
            case "${TEST_PLATFORM:-$(uname -m)}" in
              x86_64|amd64|linux/amd64)
                TEST_PLATFORM_RESOLVED=linux/amd64
                ;;
              aarch64|arm64|linux/arm64)
                TEST_PLATFORM_RESOLVED=linux/arm64
                ;;
              *)
                TEST_PLATFORM_RESOLVED=linux/amd64
                ;;
            esac
            set +e
              docker buildx build --platform "${TEST_PLATFORM_RESOLVED}" --target test --load -t atlasbot-test . \
              && docker run --rm -v "$PWD/build:/out" atlasbot-test \
                python -m ruff check atlasbot scripts --select E,F,W,B,C90,I,RUF,ARG --ignore E501 \
              && docker run --rm -v "$PWD/build:/out" atlasbot-test \
                python scripts/check_file_sizes.py --root atlasbot --max-lines 500 \
              && docker run --rm -v "$PWD/build:/out" atlasbot-test \
                python scripts/check_docstrings.py --root atlasbot \
              && docker run --rm -v "$PWD/build:/out" atlasbot-test \
                python -m slipcover --json --out /out/coverage.json --source atlasbot --fail-under 95 \
                -m pytest -q --junitxml /out/junit.xml \
              && docker run --rm -v "$PWD/build:/out" atlasbot-test \
                python scripts/check_coverage.py /out/coverage.json --root atlasbot --threshold 95
            gate_rc=$?
            set -e
            printf '%s\n' "${gate_rc}" > build/quality-gate.rc
          '''
        }
      }
    }

    stage('Publish test metrics') {
      steps {
        container('tester') {
          sh '''
            set -euo pipefail
            export JUNIT_PATH='build/junit.xml'
            export COVERAGE_PATH='build/coverage.json'
            export SOURCE_ROOT='atlasbot'
            export QUALITY_GATE_RC_PATH='build/quality-gate.rc'
            python scripts/publish_test_metrics.py || true
          '''
        }
      }
    }

    stage('Enforce quality gate') {
      steps {
        container('tester') {
          sh '''
            set -euo pipefail
            gate_rc="$(cat build/quality-gate.rc 2>/dev/null || echo 1)"
            fail=0
            if [ "${gate_rc}" -ne 0 ]; then
              echo "quality gate failed with rc=${gate_rc}" >&2
              fail=1
            fi

            enabled() {
              case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
                1|true|yes|on) return 0 ;;
                *) return 1 ;;
              esac
            }

            if enabled "${QUALITY_GATE_SONARQUBE_ENFORCE:-1}"; then
              sonar_status="$(python3 - <<'PY'
import json
from pathlib import Path

path = Path("build/sonarqube-quality-gate.json")
if not path.exists():
    print("missing")
    raise SystemExit(0)
try:
    payload = json.loads(path.read_text(encoding="utf-8"))
except Exception:  # noqa: BLE001
    print("error")
    raise SystemExit(0)
status = (payload.get("status") or payload.get("projectStatus", {}).get("status") or payload.get("qualityGate", {}).get("status") or "").strip().lower()
print(status or "missing")
PY
)"
              case "${sonar_status}" in
                ok|pass|passed|success) ;;
                *)
                  echo "sonarqube gate failed: ${sonar_status}" >&2
                  fail=1
                  ;;
              esac
            fi

            ironbank_required="${QUALITY_GATE_IRONBANK_REQUIRED:-1}"
            if [ "${PUBLISH_IMAGES:-false}" = "true" ]; then
              ironbank_required=1
            fi
            if enabled "${QUALITY_GATE_IRONBANK_ENFORCE:-1}"; then
              supply_status="$(python3 - <<'PY'
import json
from pathlib import Path

path = Path("build/ironbank-compliance.json")
if not path.exists():
    print("missing")
    raise SystemExit(0)
try:
    payload = json.loads(path.read_text(encoding="utf-8"))
except Exception:  # noqa: BLE001
    print("error")
    raise SystemExit(0)
compliant = payload.get("compliant")
if compliant is True:
    print("ok")
elif compliant is False:
    print("failed")
else:
    status = str(payload.get("status") or payload.get("result") or payload.get("compliance") or "").strip().lower()
    print(status or "missing")
PY
)"
              case "${supply_status}" in
                ok|pass|passed|success|compliant) ;;
                not_applicable|na|n/a)
                  if enabled "${ironbank_required}"; then
                    echo "supply chain gate required but status=${supply_status}" >&2
                    fail=1
                  fi
                  ;;
                *)
                  if enabled "${ironbank_required}"; then
                    echo "supply chain gate failed: ${supply_status}" >&2
                    fail=1
                  else
                    echo "supply chain gate not passing (${supply_status}) but not required for this run" >&2
                  fi
                  ;;
              esac
            fi

            exit "${fail}"
          '''
        }
      }
    }
    stage('Build & push image') {
      steps {
        container('builder') {
          sh '''
            set -euo pipefail
            VERSION_TAG=$(cut -d= -f2 build.env)
            docker buildx build --platform linux/arm64 \
              --target runtime \
              --tag registry.bstein.dev/bstein/atlasbot:${VERSION_TAG} \
              --tag registry.bstein.dev/bstein/atlasbot:latest \
              --push .
          '''
        }
      }
    }
  }
  post {
    always {
      script {
        if (fileExists('build.env')) {
          def envFile = readProperties file: 'build.env'
          echo "Build complete for ${envFile.SEMVER}"
        }
      }
      archiveArtifacts artifacts: 'build/*', allowEmptyArchive: true
    }
  }
}
