diff --git a/Jenkinsfile b/Jenkinsfile index f0b9925..a5db45b 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -90,10 +90,19 @@ spec: TEST_EXIT_CODE_PATH = 'build/test.exitcode' SUITE_NAME = 'metis' PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091' + QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json' + QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json' } options { disableConcurrentBuilds() } + parameters { + booleanParam( + name: 'PUBLISH_IMAGES', + defaultValue: false, + description: 'Build and push runtime images (enable for release runs).' + ) + } triggers { pollSCM('H/5 * * * *') } @@ -104,7 +113,74 @@ spec: } } - stage('Unit tests') { + stage('Collect SonarQube evidence') { + steps { + container('publisher') { + sh ''' + set -eu + mkdir -p build + python3 - <<'PY' +import base64 +import json +import os +import urllib.parse +import urllib.request + +host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/') +project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip() +token = os.getenv('SONARQUBE_TOKEN', '').strip() +report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json') +payload = {"status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY"} +if host and project_key: + query = urllib.parse.urlencode({"projectKey": project_key}) + request = urllib.request.Request(f"{host}/api/qualitygates/project_status?{query}", method="GET") + if token: + encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8") + request.add_header("Authorization", f"Basic {encoded}") + try: + with urllib.request.urlopen(request, timeout=12) as response: + payload = json.loads(response.read().decode("utf-8")) + except Exception as exc: # noqa: BLE001 + payload = {"status": "ERROR", "error": str(exc)} +with open(report_path, "w", encoding="utf-8") as handle: + json.dump(payload, handle, indent=2, sort_keys=True) + handle.write("\\n") +PY + ''' + } + } + } + + stage('Collect Supply Chain evidence') { + steps { + container('publisher') { + sh ''' + set -eu + mkdir -p build + python3 - <<'PY' +import json +import os +from pathlib import Path + +report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json')) +if report_path.exists(): + raise SystemExit(0) +status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip() +compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower() +payload = {"status": status or "unknown", "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None} +payload = {k: v for k, v in payload.items() if v is not None} +if "status" not in payload: + payload["status"] = "unknown" +payload["note"] = "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT or write build/ironbank-compliance.json in image-building repos." +report_path.parent.mkdir(parents=True, exist_ok=True) +report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8") +PY + ''' + } + } + } + + stage('Run quality gate') { steps { container('tester') { sh ''' @@ -117,7 +193,6 @@ spec: go test -v -count=1 -coverprofile=build/coverage.out ./... > build/test.out 2>&1 test_rc=$? set -e - printf '%s\n' "${test_rc}" > "${TEST_EXIT_CODE_PATH}" cat build/test.out "$(go env GOPATH)/bin/go-junit-report" < build/test.out > "${JUNIT_XML}" coverage="0" @@ -126,6 +201,24 @@ spec: fi export GO_COVERAGE="${coverage}" printf '{"summary":{"percent_covered":%s}}\n' "${GO_COVERAGE}" > "${COVERAGE_JSON}" + + quality_rc=0 + if [ "${test_rc}" -eq 0 ]; then + set +e + cd testing + METIS_USE_EXISTING_COVERAGE=1 go test -v ./... + quality_rc=$? + set -e + cd "${WORKSPACE}" + else + quality_rc=1 + fi + + gate_rc=0 + if [ "${test_rc}" -ne 0 ] || [ "${quality_rc}" -ne 0 ]; then + gate_rc=1 + fi + printf '%s\n' "${gate_rc}" > "${TEST_EXIT_CODE_PATH}" ''' } } @@ -142,7 +235,7 @@ spec: } } - stage('Enforce test result') { + stage('Enforce quality gate') { steps { container('tester') { sh ''' @@ -154,19 +247,10 @@ spec: } } - stage('Quality gate') { - steps { - container('tester') { - sh ''' - set -eu - cd testing - METIS_USE_EXISTING_COVERAGE=1 go test -v ./... - ''' - } - } - } - stage('Prep toolchain') { + when { + expression { return params.PUBLISH_IMAGES } + } steps { container('builder') { sh ''' @@ -179,6 +263,9 @@ spec: } stage('Compute version') { + when { + expression { return params.PUBLISH_IMAGES } + } steps { container('builder') { script { @@ -196,6 +283,9 @@ spec: } stage('Buildx setup') { + when { + expression { return params.PUBLISH_IMAGES } + } steps { container('builder') { sh ''' @@ -224,6 +314,9 @@ spec: } stage('Build & push images') { + when { + expression { return params.PUBLISH_IMAGES } + } steps { container('builder') { sh ''' diff --git a/scripts/publish_test_metrics.py b/scripts/publish_test_metrics.py index 0effd37..04b9688 100644 --- a/scripts/publish_test_metrics.py +++ b/scripts/publish_test_metrics.py @@ -9,6 +9,8 @@ from pathlib import Path import urllib.request import xml.etree.ElementTree as ET +QUALITY_SUCCESS_STATES = {"ok", "pass", "passed", "success", "compliant"} + def _escape_label(value: str) -> str: return value.replace("\\", "\\\\").replace("\n", "\\n").replace('"', '\\"') @@ -81,6 +83,33 @@ def _post_text(url: str, payload: str) -> None: raise RuntimeError(f"metrics push failed status={resp.status}") +def _read_http(url: str) -> str: + try: + with urllib.request.urlopen(url, timeout=10) as resp: + return resp.read().decode("utf-8", errors="replace") + except Exception: + return "" + + +def _fetch_existing_counter(pushgateway_url: str, metric: str, labels: dict[str, str]) -> float: + text = _read_http(f"{pushgateway_url.rstrip('/')}/metrics") + if not text: + return 0.0 + for line in text.splitlines(): + if not line.startswith(metric + "{"): + continue + if any(f'{key}="{value}"' not in line for key, value in labels.items()): + continue + parts = line.split() + if len(parts) < 2: + continue + try: + return float(parts[1]) + except ValueError: + return 0.0 + return 0.0 + + def _count_source_files_over_limit(repo_root: Path, max_lines: int = 500) -> int: """Count source files above the configured line budget.""" @@ -100,6 +129,45 @@ def _count_source_files_over_limit(repo_root: Path, max_lines: int = 500) -> int return count +def _load_json(path: Path) -> dict | None: + if not path.exists(): + return None + try: + payload = json.loads(path.read_text(encoding="utf-8")) + except Exception: + return None + return payload if isinstance(payload, dict) else None + + +def _sonarqube_check_status(build_dir: Path) -> str: + report = _load_json(Path(os.getenv("QUALITY_GATE_SONARQUBE_REPORT", str(build_dir / "sonarqube-quality-gate.json")))) + if not report: + return "not_applicable" + status_candidates = [ + report.get("status"), + ((report.get("projectStatus") or {}).get("status") if isinstance(report.get("projectStatus"), dict) else None), + ((report.get("qualityGate") or {}).get("status") if isinstance(report.get("qualityGate"), dict) else None), + ] + for value in status_candidates: + if isinstance(value, str): + return "ok" if value.strip().lower() in QUALITY_SUCCESS_STATES else "failed" + return "failed" + + +def _supply_chain_check_status(build_dir: Path) -> str: + report = _load_json(Path(os.getenv("QUALITY_GATE_IRONBANK_REPORT", str(build_dir / "ironbank-compliance.json")))) + if not report: + return "not_applicable" + compliant = report.get("compliant") + if isinstance(compliant, bool): + return "ok" if compliant else "failed" + status_candidates = [report.get("status"), report.get("result"), report.get("compliance")] + for value in status_candidates: + if isinstance(value, str): + return "ok" if value.strip().lower() in QUALITY_SUCCESS_STATES else "failed" + return "failed" + + def main() -> int: coverage_path = os.getenv("COVERAGE_JSON", "build/coverage.json") junit_path = os.getenv("JUNIT_XML", "build/junit.xml") @@ -113,6 +181,7 @@ def main() -> int: commit = os.getenv("GIT_COMMIT", "") strict = os.getenv("METRICS_STRICT", "") == "1" repo_root = Path(__file__).resolve().parents[1] + build_dir = repo_root / "build" if not os.path.exists(coverage_path): raise RuntimeError(f"missing coverage file {coverage_path}") @@ -133,6 +202,29 @@ def main() -> int: or totals["errors"] > 0 ): outcome = "failed" + checks = { + "tests": "ok" if outcome == "ok" else "failed", + "coverage": "ok" if coverage >= 95.0 else "failed", + "loc": "ok" if source_lines_over_500 == 0 else "failed", + "docs_naming": "not_applicable", + "gate_glue": "ok", + "sonarqube": _sonarqube_check_status(build_dir), + "supply_chain": _supply_chain_check_status(build_dir), + } + ok_count = _fetch_existing_counter( + pushgateway_url, + "platform_quality_gate_runs_total", + {"job": "platform-quality-ci", "suite": suite, "status": "ok"}, + ) + failed_count = _fetch_existing_counter( + pushgateway_url, + "platform_quality_gate_runs_total", + {"job": "platform-quality-ci", "suite": suite, "status": "failed"}, + ) + if outcome == "ok": + ok_count += 1 + else: + failed_count += 1 labels = { "job": "platform-quality-ci", @@ -142,6 +234,9 @@ def main() -> int: "commit": commit, } payload_lines = [ + "# TYPE platform_quality_gate_runs_total counter", + f'platform_quality_gate_runs_total{{suite="{suite}",status="ok"}} {ok_count:.0f}', + f'platform_quality_gate_runs_total{{suite="{suite}",status="failed"}} {failed_count:.0f}', "# TYPE metis_quality_gate_tests_total gauge", f'metis_quality_gate_tests_total{{suite="{suite}",result="total"}} {totals["tests"]}', f'metis_quality_gate_tests_total{{suite="{suite}",result="passed"}} {passed}', @@ -157,9 +252,14 @@ def main() -> int: f'platform_quality_gate_workspace_line_coverage_percent{{suite="{suite}"}} {coverage:.3f}', "# TYPE platform_quality_gate_source_lines_over_500_total gauge", f'platform_quality_gate_source_lines_over_500_total{{suite="{suite}"}} {source_lines_over_500}', + "# TYPE metis_quality_gate_checks_total gauge", "# TYPE metis_quality_gate_build_info gauge", f"metis_quality_gate_build_info{_label_str(labels)} 1", ] + payload_lines.extend( + f'metis_quality_gate_checks_total{{suite="{suite}",check="{check_name}",result="{check_status}"}} 1' + for check_name, check_status in checks.items() + ) payload = "\n".join(payload_lines) + "\n" try: