pipeline {
  agent {
    kubernetes {
      defaultContainer 'builder'
      yaml """
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: metis
spec:
  nodeSelector:
    kubernetes.io/arch: arm64
    node-role.kubernetes.io/worker: "true"
  imagePullSecrets:
    - name: harbor-robot-pipeline
  containers:
    - name: dind
      image: registry.bstein.dev/bstein/docker:27-dind
      securityContext:
        privileged: true
      env:
        - name: DOCKER_TLS_CERTDIR
          value: ""
      args:
        - --mtu=1400
        - --host=unix:///var/run/docker.sock
        - --host=tcp://0.0.0.0:2375
        - --tls=false
      volumeMounts:
        - name: dind-storage
          mountPath: /var/lib/docker
    - name: builder
      image: registry.bstein.dev/bstein/docker:27
      command: ["cat"]
      tty: true
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375
        - name: DOCKER_TLS_CERTDIR
          value: ""
        - name: DOCKER_CONFIG
          value: /root/.docker
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
        - name: docker-config-writable
          mountPath: /root/.docker
        - name: harbor-config
          mountPath: /docker-config
    - name: tester
      image: registry.bstein.dev/bstein/golang:1.23-bookworm
      command: ["cat"]
      tty: true
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
    - name: publisher
      image: registry.bstein.dev/bstein/python:3.12-slim
      command: ["cat"]
      tty: true
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
    - name: quality-tools
      image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64
      command: ["cat"]
      tty: true
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
  volumes:
    - name: workspace-volume
      emptyDir: {}
    - name: docker-config-writable
      emptyDir: {}
    - name: dind-storage
      emptyDir: {}
    - name: harbor-config
      secret:
        secretName: harbor-robot-pipeline
        items:
          - key: .dockerconfigjson
            path: config.json
"""
    }
  }
  environment {
    REGISTRY = 'registry.bstein.dev/bstein'
    IMAGE = "${REGISTRY}/metis"
    SENTINEL_IMAGE = "${REGISTRY}/metis-sentinel"
    VERSION_TAG = 'dev'
    SEMVER = 'dev'
    COVERAGE_JSON = 'build/coverage.json'
    JUNIT_XML = 'build/junit.xml'
    TEST_EXIT_CODE_PATH = 'build/test.exitcode'
    SUITE_NAME = 'metis'
    PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
    SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000'
    SONARQUBE_PROJECT_KEY = 'metis'
    SONARQUBE_TOKEN = credentials('sonarqube-token')
    QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
    QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
  }
  options {
    disableConcurrentBuilds()
    buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120'))
  }
  parameters {
    booleanParam(
      name: 'PUBLISH_IMAGES',
      defaultValue: false,
      description: 'Build and push runtime images (enable for release runs).'
    )
  }
  triggers {
    pollSCM('H/5 * * * *')
  }
  stages {
    stage('Checkout') {
      steps {
        checkout scm
      }
    }

    stage('Collect Supply Chain evidence') {
      steps {
        container('quality-tools') {
          sh '''#!/usr/bin/env bash
            set -euo pipefail
            mkdir -p build
            set +e
            trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
            trivy_rc=$?
            set -e
            if [ ! -s build/trivy-fs.json ]; then
              cat > build/ironbank-compliance.json <<EOF
{"status":"failed","compliant":false,"scanner":"trivy","scan_type":"filesystem","error":"trivy did not produce JSON output","trivy_rc":${trivy_rc}}
EOF
              exit 0
            fi
            critical="$(jq '[.Results[]? | .Vulnerabilities[]? | select(.Severity=="CRITICAL")] | length' build/trivy-fs.json)"
            high="$(jq '[.Results[]? | .Vulnerabilities[]? | select(.Severity=="HIGH")] | length' build/trivy-fs.json)"
            secrets="$(jq '[.Results[]? | .Secrets[]?] | length' build/trivy-fs.json)"
            misconfigs="$(jq '[.Results[]? | .Misconfigurations[]? | select(.Status=="FAIL" and (.Severity=="CRITICAL" or .Severity=="HIGH"))] | length' build/trivy-fs.json)"
            status=ok
            compliant=true
            if [ "${critical}" -gt 0 ] || [ "${secrets}" -gt 0 ] || [ "${misconfigs}" -gt 0 ]; then
              status=failed
              compliant=false
            fi
            jq -n --arg status "${status}" --argjson compliant "${compliant}" --argjson critical "${critical}" --argjson high "${high}" --argjson secrets "${secrets}" --argjson misconfigs "${misconfigs}" --argjson trivy_rc "${trivy_rc}" \
              '{status:$status, compliant:$compliant, category:"artifact_security", scan_type:"filesystem", scanner:"trivy", critical_vulnerabilities:$critical, high_vulnerabilities:$high, secrets:$secrets, high_or_critical_misconfigurations:$misconfigs, trivy_rc:$trivy_rc, high_vulnerability_policy:"observe"}' > build/ironbank-compliance.json
          '''
        }
        container('publisher') {
          sh '''
            set -eu
            mkdir -p build
            python3 - <<'PY'
import json
import os
from pathlib import Path

report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json'))
if report_path.exists():
    raise SystemExit(0)
status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip()
compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower()
payload = {"status": status or "unknown", "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None}
payload = {k: v for k, v in payload.items() if v is not None}
if "status" not in payload:
    payload["status"] = "unknown"
payload["note"] = "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT or write build/ironbank-compliance.json in image-building repos."
report_path.parent.mkdir(parents=True, exist_ok=True)
report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
PY
          '''
        }
      }
    }

    stage('Run quality gate') {
      steps {
        container('tester') {
          sh '''
            set -eu
            apt-get update >/dev/null
            apt-get install -y --no-install-recommends xz-utils >/dev/null
            mkdir -p build
            export GOPROXY="${GOPROXY:-https://proxy.golang.org,direct}"
            retry_command() {
              attempts=4
              delay=8
              attempt=1
              while [ "${attempt}" -le "${attempts}" ]; do
                if "$@"; then
                  return 0
                else
                  rc=$?
                fi
                if [ "${attempt}" -eq "${attempts}" ]; then
                  return "${rc}"
                fi
                echo "command failed with rc=${rc}; retrying in ${delay}s (${attempt}/${attempts})"
                sleep "${delay}"
                delay=$((delay * 2))
                attempt=$((attempt + 1))
              done
            }
            retry_command go install github.com/jstemmer/go-junit-report/v2@latest
            cd "${WORKSPACE}"
            docs_rc=1
            quality_rc=1
            test_rc=1

            set +e
            cd "${WORKSPACE}/testing"
            retry_command env METIS_USE_EXISTING_COVERAGE=1 go test -v -run TestExportedDocs ./...
            docs_rc=$?
            printf '%s\n' "${docs_rc}" > "${WORKSPACE}/build/docs-naming.rc"
            if [ "${docs_rc}" -eq 0 ]; then
              retry_command env METIS_USE_EXISTING_COVERAGE=1 go test -v ./...
              quality_rc=$?
            fi
            cd "${WORKSPACE}"

            if [ "${docs_rc}" -eq 0 ] && [ "${quality_rc}" -eq 0 ]; then
              retry_command go test -v -count=1 -coverprofile=build/coverage.out ./... > build/test.out 2>&1
              test_rc=$?
            fi
            set -e

            if [ -f build/test.out ]; then
              cat build/test.out
              "$(go env GOPATH)/bin/go-junit-report" < build/test.out > "${JUNIT_XML}"
            else
              cat > "${JUNIT_XML}" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<testsuites tests="0" failures="0" errors="0" skipped="0"></testsuites>
EOF
            fi

            coverage="0"
            if [ -f build/coverage.out ]; then
              coverage="$(go tool cover -func=build/coverage.out | awk '/^total:/ {gsub("%","",$3); print $3}')"
            fi
            export GO_COVERAGE="${coverage}"
            printf '{"summary":{"percent_covered":%s}}\n' "${GO_COVERAGE}" > "${COVERAGE_JSON}"

            gate_rc=0
            if [ "${docs_rc}" -ne 0 ] || [ "${quality_rc}" -ne 0 ] || [ "${test_rc}" -ne 0 ]; then
              gate_rc=1
            fi
            printf '%s\n' "${gate_rc}" > "${TEST_EXIT_CODE_PATH}"
          '''
        }
      }
    }

    stage('Collect SonarQube evidence') {
      steps {
        container('quality-tools') {
          sh '''#!/usr/bin/env bash
            set -euo pipefail
            mkdir -p build
            args=(
              "-Dsonar.host.url=${SONARQUBE_HOST_URL}"
              "-Dsonar.login=${SONARQUBE_TOKEN}"
              "-Dsonar.projectKey=${SONARQUBE_PROJECT_KEY}"
              "-Dsonar.projectName=${SONARQUBE_PROJECT_KEY}"
              "-Dsonar.sources=."
              "-Dsonar.exclusions=**/.git/**,**/build/**,**/dist/**,**/node_modules/**,**/.venv/**,**/__pycache__/**,**/coverage/**,**/test-results/**,**/playwright-report/**"
              "-Dsonar.test.inclusions=**/tests/**,**/testing/**,**/*_test.go,**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx"
            )
            [ -f build/coverage.out ] && args+=("-Dsonar.go.coverage.reportPaths=build/coverage.out")
            set +e
            sonar-scanner "${args[@]}" | tee build/sonar-scanner.log
            rc=${PIPESTATUS[0]}
            set -e
            printf '%s\n' "${rc}" > build/sonarqube-analysis.rc
          '''
        }
        container('publisher') {
          sh '''
            set -eu
            mkdir -p build
            python3 - <<'PY'
import base64
import json
import os
import urllib.parse
import urllib.request

host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/')
project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip()
token = os.getenv('SONARQUBE_TOKEN', '').strip()
report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json')
payload = {"status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY"}
if host and project_key:
    query = urllib.parse.urlencode({"projectKey": project_key})
    request = urllib.request.Request(f"{host}/api/qualitygates/project_status?{query}", method="GET")
    if token:
        encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
        request.add_header("Authorization", f"Basic {encoded}")
    try:
        with urllib.request.urlopen(request, timeout=12) as response:
            payload = json.loads(response.read().decode("utf-8"))
    except Exception as exc:  # noqa: BLE001
        payload = {"status": "ERROR", "error": str(exc)}
with open(report_path, "w", encoding="utf-8") as handle:
    json.dump(payload, handle, indent=2, sort_keys=True)
    handle.write("\\n")
PY
          '''
        }
      }
    }

    stage('Publish test metrics') {
      steps {
        container('publisher') {
          sh '''
            set -eu
            python scripts/publish_test_metrics.py
          '''
        }
      }
    }

    stage('Enforce quality gate') {
      steps {
        container('tester') {
          sh '''
            set -eu
            test_rc="$(cat "${TEST_EXIT_CODE_PATH}")"
            exit "${test_rc}"
          '''
        }
      }
    }

    stage('Prep toolchain') {
      when {
        expression { return params.PUBLISH_IMAGES }
      }
      steps {
        container('builder') {
          sh '''
            set -eu
            mkdir -p /root/.docker
            cp /docker-config/config.json /root/.docker/config.json
          '''
        }
      }
    }

    stage('Compute version') {
      when {
        expression { return params.PUBLISH_IMAGES }
      }
      steps {
        container('builder') {
          script {
            sh '''
              set -eu
              SEMVER="0.1.0-${BUILD_NUMBER}"
              echo "SEMVER=${SEMVER}" > build.env
            '''
            def props = readProperties file: 'build.env'
            env.SEMVER = props['SEMVER'] ?: "0.1.0-${env.BUILD_NUMBER}"
            env.VERSION_TAG = env.SEMVER
          }
        }
      }
    }

    stage('Buildx setup') {
      when {
        expression { return params.PUBLISH_IMAGES }
      }
      steps {
        container('builder') {
          sh '''
            set -eu
            ready=0
            for i in $(seq 1 90); do
              if docker info >/dev/null 2>&1; then
                ready=1
                break
              fi
              sleep 2
            done
            if [ "${ready}" -ne 1 ]; then
              echo "docker daemon did not become ready on ${DOCKER_HOST}"
              docker version || true
              exit 1
            fi
            docker run --privileged --rm tonistiigi/binfmt --install amd64,arm64
            BUILDER_NAME="metis-builder-${BUILD_NUMBER}"
            docker buildx rm "${BUILDER_NAME}" >/dev/null 2>&1 || true
            docker buildx create --name "${BUILDER_NAME}" --driver docker-container --driver-opt image=registry.bstein.dev/bstein/buildkit:buildx-stable-1 --use
            docker buildx inspect "${BUILDER_NAME}" --bootstrap
          '''
        }
      }
    }

    stage('Build & push images') {
      when {
        expression { return params.PUBLISH_IMAGES }
      }
      steps {
        container('builder') {
          sh '''
            set -eu
            VERSION_TAG="$(cut -d= -f2 build.env)"
            docker info >/dev/null
            for arch in amd64 arm64; do
              docker buildx build \
                --platform "linux/${arch}" \
                --build-arg TARGETOS=linux \
                --build-arg TARGETARCH="${arch}" \
                --tag "${IMAGE}:${VERSION_TAG}-${arch}" \
                --tag "${IMAGE}:latest-${arch}" \
                --target runtime \
                --push \
                .
              docker buildx build \
                --platform "linux/${arch}" \
                --build-arg TARGETOS=linux \
                --build-arg TARGETARCH="${arch}" \
                --tag "${SENTINEL_IMAGE}:${VERSION_TAG}-${arch}" \
                --tag "${SENTINEL_IMAGE}:latest-${arch}" \
                --target sentinel \
                --push \
                .
            done
          '''
        }
      }
    }
  }
  post {
    always {
      script {
        if (fileExists('build/junit.xml')) {
          try {
            junit allowEmptyResults: true, testResults: 'build/junit.xml'
          } catch (Throwable err) {
            echo "junit step unavailable: ${err.class.simpleName}"
          }
        }
      }
      archiveArtifacts artifacts: 'build/**', allowEmptyArchive: true, fingerprint: true
    }
  }
}
