378 lines
13 KiB
Groovy
378 lines
13 KiB
Groovy
pipeline {
|
|
agent {
|
|
kubernetes {
|
|
defaultContainer 'tester'
|
|
yaml """
|
|
apiVersion: v1
|
|
kind: Pod
|
|
spec:
|
|
nodeSelector:
|
|
kubernetes.io/arch: arm64
|
|
node-role.kubernetes.io/worker: "true"
|
|
containers:
|
|
- name: dind
|
|
image: registry.bstein.dev/bstein/docker:27-dind
|
|
securityContext:
|
|
privileged: true
|
|
env:
|
|
- name: DOCKER_TLS_CERTDIR
|
|
value: ""
|
|
args:
|
|
- "--mtu=1400"
|
|
- "--host=unix:///var/run/docker.sock"
|
|
- "--host=tcp://0.0.0.0:2375"
|
|
- "--tls=false"
|
|
volumeMounts:
|
|
- name: dind-storage
|
|
mountPath: /var/lib/docker
|
|
- name: workspace-volume
|
|
mountPath: /home/jenkins/agent
|
|
- name: builder
|
|
image: registry.bstein.dev/bstein/docker:27
|
|
command:
|
|
- cat
|
|
tty: true
|
|
env:
|
|
- name: DOCKER_HOST
|
|
value: tcp://localhost:2375
|
|
- name: DOCKER_TLS_CERTDIR
|
|
value: ""
|
|
volumeMounts:
|
|
- name: workspace-volume
|
|
mountPath: /home/jenkins/agent
|
|
- name: docker-config-writable
|
|
mountPath: /root/.docker
|
|
- name: harbor-config
|
|
mountPath: /docker-config
|
|
- name: tester
|
|
image: registry.bstein.dev/bstein/python:3.12-slim
|
|
command:
|
|
- cat
|
|
tty: true
|
|
volumeMounts:
|
|
- name: workspace-volume
|
|
mountPath: /home/jenkins/agent
|
|
- name: quality-tools
|
|
image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-arm64
|
|
command:
|
|
- cat
|
|
tty: true
|
|
volumeMounts:
|
|
- name: workspace-volume
|
|
mountPath: /home/jenkins/agent
|
|
volumes:
|
|
- name: docker-config-writable
|
|
emptyDir: {}
|
|
- name: dind-storage
|
|
emptyDir: {}
|
|
- name: harbor-config
|
|
secret:
|
|
secretName: harbor-robot-pipeline
|
|
items:
|
|
- key: .dockerconfigjson
|
|
path: config.json
|
|
- name: workspace-volume
|
|
emptyDir: {}
|
|
"""
|
|
}
|
|
}
|
|
environment {
|
|
PIP_DISABLE_PIP_VERSION_CHECK = '1'
|
|
PYTHONUNBUFFERED = '1'
|
|
SUITE_NAME = 'atlasbot'
|
|
PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
|
|
SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000'
|
|
SONARQUBE_PROJECT_KEY = 'atlasbot'
|
|
SONARQUBE_TOKEN = credentials('sonarqube-token')
|
|
QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
|
|
QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
|
|
}
|
|
options {
|
|
disableConcurrentBuilds()
|
|
buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120'))
|
|
}
|
|
stages {
|
|
stage('Checkout') {
|
|
steps {
|
|
checkout scm
|
|
}
|
|
}
|
|
stage('Collect SonarQube evidence') {
|
|
steps {
|
|
container('quality-tools') {
|
|
sh '''#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
mkdir -p build
|
|
args=(
|
|
"-Dsonar.host.url=${SONARQUBE_HOST_URL}"
|
|
"-Dsonar.login=${SONARQUBE_TOKEN}"
|
|
"-Dsonar.projectKey=${SONARQUBE_PROJECT_KEY}"
|
|
"-Dsonar.projectName=${SONARQUBE_PROJECT_KEY}"
|
|
"-Dsonar.sources=."
|
|
"-Dsonar.exclusions=**/.git/**,**/build/**,**/dist/**,**/node_modules/**,**/.venv/**,**/__pycache__/**,**/coverage/**,**/test-results/**,**/playwright-report/**"
|
|
"-Dsonar.test.inclusions=**/tests/**,**/testing/**,**/*_test.go,**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx"
|
|
)
|
|
[ -f build/coverage.xml ] && args+=("-Dsonar.python.coverage.reportPaths=build/coverage.xml")
|
|
set +e
|
|
sonar-scanner "${args[@]}" | tee build/sonar-scanner.log
|
|
rc=${PIPESTATUS[0]}
|
|
set -e
|
|
printf '%s\n' "${rc}" > build/sonarqube-analysis.rc
|
|
'''
|
|
}
|
|
container('tester') {
|
|
sh '''
|
|
set -euo pipefail
|
|
mkdir -p build
|
|
python3 - <<'PY'
|
|
import base64
|
|
import json
|
|
import os
|
|
import urllib.parse
|
|
import urllib.request
|
|
|
|
host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/')
|
|
project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip()
|
|
token = os.getenv('SONARQUBE_TOKEN', '').strip()
|
|
report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json')
|
|
payload = {"status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY"}
|
|
if host and project_key:
|
|
query = urllib.parse.urlencode({"projectKey": project_key})
|
|
request = urllib.request.Request(f"{host}/api/qualitygates/project_status?{query}", method="GET")
|
|
if token:
|
|
encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
|
|
request.add_header("Authorization", f"Basic {encoded}")
|
|
try:
|
|
with urllib.request.urlopen(request, timeout=12) as response:
|
|
payload = json.loads(response.read().decode("utf-8"))
|
|
except Exception as exc: # noqa: BLE001
|
|
payload = {"status": "ERROR", "error": str(exc)}
|
|
with open(report_path, "w", encoding="utf-8") as handle:
|
|
json.dump(payload, handle, indent=2, sort_keys=True)
|
|
handle.write("\\n")
|
|
PY
|
|
'''
|
|
}
|
|
}
|
|
}
|
|
stage('Collect Supply Chain evidence') {
|
|
steps {
|
|
container('quality-tools') {
|
|
sh '''#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
mkdir -p build
|
|
set +e
|
|
trivy fs --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
|
|
trivy_rc=$?
|
|
set -e
|
|
if [ ! -s build/trivy-fs.json ]; then
|
|
cat > build/ironbank-compliance.json <<EOF
|
|
{"status":"failed","compliant":false,"scanner":"trivy","scan_type":"filesystem","error":"trivy did not produce JSON output","trivy_rc":${trivy_rc}}
|
|
EOF
|
|
exit 0
|
|
fi
|
|
critical="$(jq '[.Results[]? | .Vulnerabilities[]? | select(.Severity=="CRITICAL")] | length' build/trivy-fs.json)"
|
|
high="$(jq '[.Results[]? | .Vulnerabilities[]? | select(.Severity=="HIGH")] | length' build/trivy-fs.json)"
|
|
secrets="$(jq '[.Results[]? | .Secrets[]?] | length' build/trivy-fs.json)"
|
|
misconfigs="$(jq '[.Results[]? | .Misconfigurations[]? | select(.Status=="FAIL" and (.Severity=="CRITICAL" or .Severity=="HIGH"))] | length' build/trivy-fs.json)"
|
|
status=ok
|
|
compliant=true
|
|
if [ "${critical}" -gt 0 ] || [ "${secrets}" -gt 0 ] || [ "${misconfigs}" -gt 0 ]; then
|
|
status=failed
|
|
compliant=false
|
|
fi
|
|
jq -n --arg status "${status}" --argjson compliant "${compliant}" --argjson critical "${critical}" --argjson high "${high}" --argjson secrets "${secrets}" --argjson misconfigs "${misconfigs}" --argjson trivy_rc "${trivy_rc}" \
|
|
'{status:$status, compliant:$compliant, category:"artifact_security", scan_type:"filesystem", scanner:"trivy", critical_vulnerabilities:$critical, high_vulnerabilities:$high, secrets:$secrets, high_or_critical_misconfigurations:$misconfigs, trivy_rc:$trivy_rc, high_vulnerability_policy:"observe"}' > build/ironbank-compliance.json
|
|
'''
|
|
}
|
|
container('tester') {
|
|
sh '''
|
|
set -euo pipefail
|
|
mkdir -p build
|
|
python3 - <<'PY'
|
|
import json
|
|
import os
|
|
from pathlib import Path
|
|
|
|
report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json'))
|
|
if report_path.exists():
|
|
raise SystemExit(0)
|
|
status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip()
|
|
compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower()
|
|
payload = {"status": status or "unknown", "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None}
|
|
payload = {k: v for k, v in payload.items() if v is not None}
|
|
if "status" not in payload:
|
|
payload["status"] = "unknown"
|
|
payload["note"] = "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT or write build/ironbank-compliance.json in image-building repos."
|
|
report_path.parent.mkdir(parents=True, exist_ok=True)
|
|
report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
|
|
PY
|
|
'''
|
|
}
|
|
}
|
|
}
|
|
stage('Prep toolchain') {
|
|
steps {
|
|
container('builder') {
|
|
sh '''
|
|
set -euo pipefail
|
|
mkdir -p /root/.docker
|
|
cp /docker-config/config.json /root/.docker/config.json
|
|
'''
|
|
}
|
|
}
|
|
}
|
|
stage('Compute version') {
|
|
steps {
|
|
container('builder') {
|
|
script {
|
|
def base = sh(returnStdout: true, script: 'cat VERSION_BASE 2>/dev/null || true').trim()
|
|
if (!base) {
|
|
base = "0.1.0"
|
|
}
|
|
def buildNum = env.BUILD_NUMBER?.trim()
|
|
if (!buildNum) {
|
|
buildNum = "0"
|
|
}
|
|
def semver = "${base}-${buildNum}"
|
|
sh "echo SEMVER=${semver} > build.env"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
stage('Buildx setup') {
|
|
steps {
|
|
container('builder') {
|
|
sh '''
|
|
set -euo pipefail
|
|
mkdir -p build
|
|
ready=0
|
|
for _ in $(seq 1 10); do
|
|
if docker info >/dev/null 2>&1; then
|
|
ready=1
|
|
break
|
|
fi
|
|
sleep 2
|
|
done
|
|
if [ "${ready}" -ne 1 ]; then
|
|
echo "docker daemon did not become ready on ${DOCKER_HOST}" >&2
|
|
docker version || true
|
|
printf '%s\n' 1 > build/buildx.rc
|
|
exit 0
|
|
fi
|
|
BUILDER_NAME="atlasbot-${BUILD_NUMBER}"
|
|
docker buildx rm "${BUILDER_NAME}" >/dev/null 2>&1 || true
|
|
rc=1
|
|
for attempt in 1 2 3; do
|
|
if docker buildx create --name "${BUILDER_NAME}" --driver docker-container --driver-opt image=registry.bstein.dev/bstein/buildkit:buildx-stable-1 --bootstrap --use; then
|
|
rc=0
|
|
break
|
|
fi
|
|
docker buildx rm "${BUILDER_NAME}" >/dev/null 2>&1 || true
|
|
sleep $((attempt * 10))
|
|
done
|
|
printf '%s\n' "${rc}" > build/buildx.rc
|
|
if [ "${rc}" -ne 0 ]; then
|
|
echo "docker buildx bootstrap failed after retries; quality metrics will record the setup failure" >&2
|
|
fi
|
|
'''
|
|
}
|
|
}
|
|
}
|
|
stage('Run quality gate') {
|
|
steps {
|
|
container('tester') {
|
|
sh '''
|
|
set -euo pipefail
|
|
mkdir -p build
|
|
python3 -m pip install --no-cache-dir -r requirements.txt -r requirements-dev.txt
|
|
set +e
|
|
docs_rc=1
|
|
loc_rc=1
|
|
tests_rc=1
|
|
coverage_contract_rc=1
|
|
gate_rc=1
|
|
python -m ruff check atlasbot scripts --select E,F,W,B,C90,I,RUF,ARG --ignore E501
|
|
ruff_rc=$?
|
|
if [ "${ruff_rc}" -eq 0 ]; then
|
|
python scripts/check_docstrings.py --root atlasbot
|
|
docs_rc=$?
|
|
else
|
|
docs_rc=${ruff_rc}
|
|
fi
|
|
python scripts/check_file_sizes.py --root atlasbot --max-lines 500
|
|
loc_rc=$?
|
|
python -m slipcover --json --out build/coverage.json --source atlasbot --fail-under 95 \
|
|
-m pytest -q --junitxml build/junit.xml
|
|
tests_rc=$?
|
|
python scripts/check_coverage.py build/coverage.json --root atlasbot --threshold 95
|
|
coverage_contract_rc=$?
|
|
printf '%s\n' "${docs_rc}" > build/docs-naming.rc
|
|
gate_rc=0
|
|
[ "${docs_rc}" -eq 0 ] || gate_rc=1
|
|
[ "${loc_rc}" -eq 0 ] || gate_rc=1
|
|
[ "${tests_rc}" -eq 0 ] || gate_rc=1
|
|
[ "${coverage_contract_rc}" -eq 0 ] || gate_rc=1
|
|
set -e
|
|
printf '%s\n' "${gate_rc}" > build/quality-gate.rc
|
|
'''
|
|
}
|
|
}
|
|
}
|
|
|
|
stage('Publish test metrics') {
|
|
steps {
|
|
container('tester') {
|
|
sh '''
|
|
set -euo pipefail
|
|
export JUNIT_PATH='build/junit.xml'
|
|
export COVERAGE_PATH='build/coverage.json'
|
|
export SOURCE_ROOT='atlasbot'
|
|
export QUALITY_GATE_RC_PATH='build/quality-gate.rc'
|
|
export QUALITY_GATE_DOCS_RC_PATH='build/docs-naming.rc'
|
|
python scripts/publish_test_metrics.py || true
|
|
'''
|
|
}
|
|
}
|
|
}
|
|
|
|
stage('Enforce quality gate') {
|
|
steps {
|
|
container('tester') {
|
|
sh '''
|
|
set -euo pipefail
|
|
test "$(cat build/quality-gate.rc 2>/dev/null || echo 1)" -eq 0
|
|
'''
|
|
}
|
|
}
|
|
}
|
|
stage('Build & push image') {
|
|
steps {
|
|
container('builder') {
|
|
sh '''
|
|
set -euo pipefail
|
|
test "$(cat build/buildx.rc 2>/dev/null || echo 1)" -eq 0
|
|
VERSION_TAG=$(cut -d= -f2 build.env)
|
|
docker buildx build --platform linux/arm64 \
|
|
--target runtime \
|
|
--tag registry.bstein.dev/bstein/atlasbot:${VERSION_TAG} \
|
|
--tag registry.bstein.dev/bstein/atlasbot:latest \
|
|
--push .
|
|
'''
|
|
}
|
|
}
|
|
}
|
|
}
|
|
post {
|
|
always {
|
|
script {
|
|
if (fileExists('build.env')) {
|
|
def envFile = readProperties file: 'build.env'
|
|
echo "Build complete for ${envFile.SEMVER}"
|
|
}
|
|
}
|
|
archiveArtifacts artifacts: 'build/**', allowEmptyArchive: true, fingerprint: true
|
|
}
|
|
}
|
|
}
|