pipeline { agent { kubernetes { defaultContainer 'builder' yaml """ apiVersion: v1 kind: Pod metadata: labels: app: bstein-dev-home spec: nodeSelector: kubernetes.io/arch: arm64 node-role.kubernetes.io/worker: "true" containers: - name: dind image: registry.bstein.dev/bstein/docker:27-dind securityContext: privileged: true env: - name: DOCKER_TLS_CERTDIR value: "" args: - --mtu=1400 - --host=unix:///var/run/docker.sock - --host=tcp://0.0.0.0:2375 - --tls=false volumeMounts: - name: dind-storage mountPath: /var/lib/docker - name: builder image: registry.bstein.dev/bstein/docker:27 command: ["cat"] tty: true env: - name: DOCKER_HOST value: tcp://localhost:2375 - name: DOCKER_TLS_CERTDIR value: "" volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent - name: docker-config-writable mountPath: /root/.docker - name: harbor-config mountPath: /docker-config - name: tester image: registry.bstein.dev/bstein/python:3.12-slim command: ["cat"] tty: true volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent - name: frontend image: registry.bstein.dev/bstein/playwright:v1.59.1-jammy command: ["cat"] tty: true volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent - name: quality-tools image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64 command: ["cat"] tty: true volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent volumes: - name: workspace-volume emptyDir: {} - name: docker-config-writable emptyDir: {} - name: dind-storage emptyDir: {} - name: harbor-config secret: secretName: harbor-robot-pipeline items: - key: .dockerconfigjson path: config.json """ } } environment { REGISTRY = 'registry.bstein.dev/bstein' FRONT_IMAGE = "${REGISTRY}/bstein-dev-home-frontend" BACK_IMAGE = "${REGISTRY}/bstein-dev-home-backend" VERSION_TAG = 'dev' SEMVER = 'dev' SUITE_NAME = 'bstein_home' PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091' SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000' SONARQUBE_PROJECT_KEY = 'bstein_home' SONARQUBE_TOKEN = credentials('sonarqube-token') QUALITY_GATE_SONARQUBE_ENFORCE = '0' QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json' QUALITY_GATE_IRONBANK_ENFORCE = '0' QUALITY_GATE_IRONBANK_REQUIRED = '1' QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json' } options { disableConcurrentBuilds() buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120')) } triggers { // Poll every 2 minutes; notifyCommit can also trigger, but polling keeps it moving without webhook tokens. pollSCM('H/2 * * * *') } stages { stage('Checkout') { steps { checkout scm } } stage('Collect SonarQube evidence') { steps { container('quality-tools') { sh '''#!/usr/bin/env bash set -euo pipefail mkdir -p build args=( "-Dsonar.host.url=${SONARQUBE_HOST_URL}" "-Dsonar.login=${SONARQUBE_TOKEN}" "-Dsonar.projectKey=${SONARQUBE_PROJECT_KEY}" "-Dsonar.projectName=${SONARQUBE_PROJECT_KEY}" "-Dsonar.sources=." "-Dsonar.exclusions=**/.git/**,**/build/**,**/dist/**,**/node_modules/**,**/.venv/**,**/__pycache__/**,**/coverage/**,**/test-results/**,**/playwright-report/**,frontend/public/media/**" "-Dsonar.test.inclusions=**/tests/**,**/testing/**,**/*_test.go,**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx" ) [ -f build/backend-coverage.xml ] && args+=("-Dsonar.python.coverage.reportPaths=build/backend-coverage.xml") [ -f frontend/coverage/lcov.info ] && args+=("-Dsonar.javascript.lcov.reportPaths=frontend/coverage/lcov.info") set +e sonar-scanner "${args[@]}" | tee build/sonar-scanner.log rc=${PIPESTATUS[0]} set -e printf '%s\n' "${rc}" > build/sonarqube-analysis.rc ''' } container('tester') { sh ''' set -euo pipefail mkdir -p build python3 - <<'PY' import base64 import json import os import urllib.parse import urllib.request host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/') project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip() token = os.getenv('SONARQUBE_TOKEN', '').strip() report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json') payload = {"status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY"} if host and project_key: query = urllib.parse.urlencode({"projectKey": project_key}) request = urllib.request.Request(f"{host}/api/qualitygates/project_status?{query}", method="GET") if token: encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8") request.add_header("Authorization", f"Basic {encoded}") try: with urllib.request.urlopen(request, timeout=12) as response: payload = json.loads(response.read().decode("utf-8")) except Exception as exc: # noqa: BLE001 payload = {"status": "ERROR", "error": str(exc)} with open(report_path, "w", encoding="utf-8") as handle: json.dump(payload, handle, indent=2, sort_keys=True) handle.write("\\n") PY ''' } } } stage('Collect Supply Chain evidence') { steps { container('quality-tools') { sh '''#!/usr/bin/env bash set -euo pipefail mkdir -p build set +e trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL . trivy_rc=$? set -e if [ ! -s build/trivy-fs.json ]; then cat > build/ironbank-compliance.json < build/ironbank-compliance.json ''' } container('tester') { sh ''' set -euo pipefail mkdir -p build python3 - <<'PY' import json import os from pathlib import Path report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json')) if report_path.exists(): raise SystemExit(0) status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip() compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower() payload = {"status": status or "unknown", "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None} payload = {k: v for k, v in payload.items() if v is not None} if "status" not in payload: payload["status"] = "unknown" payload["note"] = "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT or write build/ironbank-compliance.json in image-building repos." report_path.parent.mkdir(parents=True, exist_ok=True) report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8") PY ''' } } } stage('Prep toolchain') { steps { container('builder') { sh ''' set -euo pipefail for attempt in 1 2 3 4 5; do if apk add --no-cache bash git jq curl; then break fi if [ "$attempt" -eq 5 ]; then echo "apk add failed after ${attempt} attempts" >&2 exit 1 fi sleep $((attempt * 2)) done mkdir -p /root/.docker cp /docker-config/config.json /root/.docker/config.json ''' } } } stage('Compute version') { steps { container('builder') { script { sh ''' set -euo pipefail if git describe --tags --exact-match >/dev/null 2>&1; then SEMVER="$(git describe --tags --exact-match)" else BASE="$(jq -r '.version' frontend/package.json || echo '0.1.0')" SEMVER="${BASE}-${BUILD_NUMBER}" fi # Accept bare semver or leading v (with optional prerelease). if ! echo "$SEMVER" | grep -Eq '^v?[0-9]+\\.[0-9]+\\.[0-9]+([-.][0-9A-Za-z]+)?$'; then SEMVER="0.1.0-${BUILD_NUMBER}" fi echo "SEMVER=${SEMVER}" > build.env ''' def props = readProperties file: 'build.env' env.SEMVER = props['SEMVER'] ?: "0.1.0-${env.BUILD_NUMBER}" env.VERSION_TAG = env.SEMVER } } } } stage('Docker readiness') { steps { container('builder') { sh ''' set -euo pipefail mkdir -p build set +e ready=0 for i in $(seq 1 10); do if docker info >/dev/null 2>&1; then ready=1 break fi sleep 2 done rc=0 if [ "${ready}" -ne 1 ]; then echo "docker daemon did not become ready on ${DOCKER_HOST}" >&2 docker version || true rc=1 fi set -e printf '%s\n' "${rc}" > build/docker-ready.rc if [ "${rc}" -ne 0 ]; then echo "warning: docker daemon readiness failed; publish stages will fail later" >&2 fi ''' } } } stage('Backend unit tests') { steps { container('tester') { sh ''' set -euo pipefail mkdir -p build export PYTHONPATH="${WORKSPACE}/backend:${PYTHONPATH:-}" set +e pip_rc=1 for attempt in 1 2 3 4 5; do python -m pip install --no-cache-dir -r backend/requirements.txt -r backend/requirements-dev.txt pip_rc=$? if [ "${pip_rc}" -eq 0 ]; then break fi if [ "${attempt}" -lt 5 ]; then sleep $((attempt * 4)) fi done backend_rc=1 if [ "${pip_rc}" -eq 0 ]; then python -m pytest backend/tests -q --cov=backend/atlas_portal --cov-report=xml:build/backend-coverage.xml --junitxml=build/junit-backend.xml backend_rc=$? else echo "backend dependency install failed after retries" >&2 fi set -e printf '%s\n' "${backend_rc}" > build/backend-tests.rc ''' } } } stage('Frontend tests') { steps { container('frontend') { sh(script: '''#!/usr/bin/env bash set -euo pipefail mkdir -p build ulimit -n 8192 || true cd frontend set +e npm_ci_rc=1 for attempt in 1 2 3 4 5; do npm ci npm_ci_rc=$? if [ "${npm_ci_rc}" -eq 0 ]; then break fi if [ "${attempt}" -lt 5 ]; then sleep $((attempt * 4)) fi done frontend_rc=1 if [ "${npm_ci_rc}" -eq 0 ]; then npm run lint npm run test:unit npm run test:component npm run build PLAYWRIGHT_REUSE_DIST=1 npm run test:e2e frontend_rc=$? else echo "frontend dependency install failed after retries" >&2 fi set -e printf '%s\n' "${frontend_rc}" > ../build/frontend-tests.rc ''') } } } stage('Run quality gate') { steps { container('tester') { sh ''' set -euo pipefail export PYTHONPATH="${WORKSPACE}:${PYTHONPATH:-}" set +e python -m testing.ci.quality_gate \ --backend-coverage build/backend-coverage.xml \ --frontend-coverage frontend/coverage/coverage-summary.json \ --report build/quality-gate.json gate_rc=$? backend_rc="$(cat build/backend-tests.rc 2>/dev/null || echo 1)" frontend_rc="$(cat build/frontend-tests.rc 2>/dev/null || echo 1)" if [ "${backend_rc}" -ne 0 ] || [ "${frontend_rc}" -ne 0 ]; then gate_rc=1 fi set -e printf '%s\n' "${gate_rc}" > build/quality-gate.rc ''' } } } stage('Publish test metrics') { steps { container('tester') { sh ''' set -euo pipefail gate_rc="$(cat build/quality-gate.rc 2>/dev/null || echo 1)" status="ok" if [ "${gate_rc}" -ne 0 ]; then status="failed" fi python -m testing.ci.publish_metrics \ --gateway "${PUSHGATEWAY_URL}" \ --suite "${SUITE_NAME}" \ --job platform-quality-ci \ --status "${status}" \ --quality-report build/quality-gate.json \ --junit build/junit-backend.xml build/junit-frontend-unit.xml build/junit-frontend-component.xml build/junit-frontend-e2e.xml ''' } } } stage('Enforce quality gate') { steps { container('tester') { sh ''' set -euo pipefail gate_rc="$(cat build/quality-gate.rc 2>/dev/null || echo 1)" fail=0 if [ "${gate_rc}" -ne 0 ]; then echo "quality gate failed with rc=${gate_rc}" >&2 fail=1 fi enabled() { case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in 1|true|yes|on) return 0 ;; *) return 1 ;; esac } if enabled "${QUALITY_GATE_SONARQUBE_ENFORCE:-1}"; then sonar_status="$(python3 - <<'PY' import json from pathlib import Path path = Path("build/sonarqube-quality-gate.json") if not path.exists(): print("missing") raise SystemExit(0) try: payload = json.loads(path.read_text(encoding="utf-8")) except Exception: # noqa: BLE001 print("error") raise SystemExit(0) status = (payload.get("status") or payload.get("projectStatus", {}).get("status") or payload.get("qualityGate", {}).get("status") or "").strip().lower() print(status or "missing") PY )" case "${sonar_status}" in ok|pass|passed|success) ;; *) echo "sonarqube gate failed: ${sonar_status}" >&2 fail=1 ;; esac fi ironbank_required="${QUALITY_GATE_IRONBANK_REQUIRED:-1}" if [ "${PUBLISH_IMAGES:-false}" = "true" ]; then ironbank_required=1 fi if enabled "${QUALITY_GATE_IRONBANK_ENFORCE:-1}"; then supply_status="$(python3 - <<'PY' import json from pathlib import Path path = Path("build/ironbank-compliance.json") if not path.exists(): print("missing") raise SystemExit(0) try: payload = json.loads(path.read_text(encoding="utf-8")) except Exception: # noqa: BLE001 print("error") raise SystemExit(0) compliant = payload.get("compliant") if compliant is True: print("ok") elif compliant is False: print("failed") else: status = str(payload.get("status") or payload.get("result") or payload.get("compliance") or "").strip().lower() print(status or "missing") PY )" case "${supply_status}" in ok|pass|passed|success|compliant) ;; not_applicable|na|n/a) if enabled "${ironbank_required}"; then echo "supply chain gate required but status=${supply_status}" >&2 fail=1 fi ;; *) if enabled "${ironbank_required}"; then echo "supply chain gate failed: ${supply_status}" >&2 fail=1 else echo "supply chain gate not passing (${supply_status}) but not required for this run" >&2 fi ;; esac fi exit "${fail}" ''' } } } stage('Build & push frontend') { steps { container('builder') { sh ''' set -euo pipefail test "$(cat build/docker-ready.rc 2>/dev/null || echo 1)" -eq 0 VERSION_TAG="$(cut -d= -f2 build.env)" for attempt in 1 2 3; do if docker build --tag "${FRONT_IMAGE}:${VERSION_TAG}" --tag "${FRONT_IMAGE}:latest" --file Dockerfile.frontend .; then break fi if [ "${attempt}" -eq 3 ]; then exit 1 fi sleep $((attempt * 10)) done docker push "${FRONT_IMAGE}:${VERSION_TAG}" docker push "${FRONT_IMAGE}:latest" ''' } } } stage('Build & push backend') { steps { container('builder') { sh ''' set -euo pipefail test "$(cat build/docker-ready.rc 2>/dev/null || echo 1)" -eq 0 VERSION_TAG="$(cut -d= -f2 build.env)" for attempt in 1 2 3; do if docker build --tag "${BACK_IMAGE}:${VERSION_TAG}" --tag "${BACK_IMAGE}:latest" --file Dockerfile.backend .; then break fi if [ "${attempt}" -eq 3 ]; then exit 1 fi sleep $((attempt * 10)) done docker push "${BACK_IMAGE}:${VERSION_TAG}" docker push "${BACK_IMAGE}:latest" ''' } } } } post { always { script { def props = fileExists('build.env') ? readProperties(file: 'build.env') : [:] echo "Build complete for ${props['SEMVER'] ?: env.VERSION_TAG}" } archiveArtifacts artifacts: 'build/**, frontend/coverage/**, frontend/test-results/**, frontend/playwright-report/**', allowEmptyArchive: true, fingerprint: true } } }