pipeline { agent { kubernetes { defaultContainer 'builder' yaml """ apiVersion: v1 kind: Pod metadata: labels: app: metis spec: nodeSelector: kubernetes.io/arch: arm64 node-role.kubernetes.io/worker: "true" imagePullSecrets: - name: harbor-robot-pipeline containers: - name: dind image: registry.bstein.dev/bstein/docker:27-dind securityContext: privileged: true env: - name: DOCKER_TLS_CERTDIR value: "" args: - --mtu=1400 - --host=unix:///var/run/docker.sock - --host=tcp://0.0.0.0:2375 - --tls=false volumeMounts: - name: dind-storage mountPath: /var/lib/docker - name: builder image: registry.bstein.dev/bstein/docker:27 command: ["cat"] tty: true env: - name: DOCKER_HOST value: tcp://localhost:2375 - name: DOCKER_TLS_CERTDIR value: "" - name: DOCKER_CONFIG value: /root/.docker volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent - name: docker-config-writable mountPath: /root/.docker - name: harbor-config mountPath: /docker-config - name: tester image: registry.bstein.dev/bstein/golang:1.23-bookworm command: ["cat"] tty: true volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent - name: publisher image: registry.bstein.dev/bstein/python:3.12-slim command: ["cat"] tty: true volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent - name: quality-tools image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64 command: ["cat"] tty: true volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent volumes: - name: workspace-volume emptyDir: {} - name: docker-config-writable emptyDir: {} - name: dind-storage emptyDir: {} - name: harbor-config secret: secretName: harbor-robot-pipeline items: - key: .dockerconfigjson path: config.json """ } } environment { REGISTRY = 'registry.bstein.dev/bstein' IMAGE = "${REGISTRY}/metis" SENTINEL_IMAGE = "${REGISTRY}/metis-sentinel" VERSION_TAG = 'dev' SEMVER = 'dev' COVERAGE_JSON = 'build/coverage.json' JUNIT_XML = 'build/junit.xml' TEST_EXIT_CODE_PATH = 'build/test.exitcode' SUITE_NAME = 'metis' PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091' SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000' SONARQUBE_PROJECT_KEY = 'metis' SONARQUBE_TOKEN = credentials('sonarqube-token') QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json' QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json' } options { disableConcurrentBuilds() buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120')) } parameters { booleanParam( name: 'PUBLISH_IMAGES', defaultValue: false, description: 'Build and push runtime images (enable for release runs).' ) } triggers { pollSCM('H/5 * * * *') } stages { stage('Checkout') { steps { checkout scm } } stage('Collect SonarQube evidence') { steps { container('quality-tools') { sh '''#!/usr/bin/env bash set -euo pipefail mkdir -p build args=( "-Dsonar.host.url=${SONARQUBE_HOST_URL}" "-Dsonar.login=${SONARQUBE_TOKEN}" "-Dsonar.projectKey=${SONARQUBE_PROJECT_KEY}" "-Dsonar.projectName=${SONARQUBE_PROJECT_KEY}" "-Dsonar.sources=." "-Dsonar.exclusions=**/.git/**,**/build/**,**/dist/**,**/node_modules/**,**/.venv/**,**/__pycache__/**,**/coverage/**,**/test-results/**,**/playwright-report/**" "-Dsonar.test.inclusions=**/tests/**,**/testing/**,**/*_test.go,**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx" ) [ -f build/coverage.out ] && args+=("-Dsonar.go.coverage.reportPaths=build/coverage.out") set +e sonar-scanner "${args[@]}" | tee build/sonar-scanner.log rc=${PIPESTATUS[0]} set -e printf '%s\n' "${rc}" > build/sonarqube-analysis.rc ''' } container('publisher') { sh ''' set -eu mkdir -p build python3 - <<'PY' import base64 import json import os import urllib.parse import urllib.request host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/') project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip() token = os.getenv('SONARQUBE_TOKEN', '').strip() report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json') payload = {"status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY"} if host and project_key: query = urllib.parse.urlencode({"projectKey": project_key}) request = urllib.request.Request(f"{host}/api/qualitygates/project_status?{query}", method="GET") if token: encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8") request.add_header("Authorization", f"Basic {encoded}") try: with urllib.request.urlopen(request, timeout=12) as response: payload = json.loads(response.read().decode("utf-8")) except Exception as exc: # noqa: BLE001 payload = {"status": "ERROR", "error": str(exc)} with open(report_path, "w", encoding="utf-8") as handle: json.dump(payload, handle, indent=2, sort_keys=True) handle.write("\\n") PY ''' } } } stage('Collect Supply Chain evidence') { steps { container('quality-tools') { sh '''#!/usr/bin/env bash set -euo pipefail mkdir -p build set +e trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL . trivy_rc=$? set -e if [ ! -s build/trivy-fs.json ]; then cat > build/ironbank-compliance.json < build/ironbank-compliance.json ''' } container('publisher') { sh ''' set -eu mkdir -p build python3 - <<'PY' import json import os from pathlib import Path report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json')) if report_path.exists(): raise SystemExit(0) status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip() compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower() payload = {"status": status or "unknown", "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None} payload = {k: v for k, v in payload.items() if v is not None} if "status" not in payload: payload["status"] = "unknown" payload["note"] = "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT or write build/ironbank-compliance.json in image-building repos." report_path.parent.mkdir(parents=True, exist_ok=True) report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8") PY ''' } } } stage('Run quality gate') { steps { container('tester') { sh ''' set -eu apt-get update >/dev/null apt-get install -y --no-install-recommends xz-utils >/dev/null mkdir -p build export GOPROXY="${GOPROXY:-https://proxy.golang.org,direct}" retry_command() { attempts=4 delay=8 attempt=1 while [ "${attempt}" -le "${attempts}" ]; do if "$@"; then return 0 fi rc=$? if [ "${attempt}" -eq "${attempts}" ]; then return "${rc}" fi echo "command failed with rc=${rc}; retrying in ${delay}s (${attempt}/${attempts})" sleep "${delay}" delay=$((delay * 2)) attempt=$((attempt + 1)) done } retry_command go install github.com/jstemmer/go-junit-report/v2@latest cd "${WORKSPACE}" docs_rc=1 quality_rc=1 test_rc=1 set +e cd "${WORKSPACE}/testing" retry_command env METIS_USE_EXISTING_COVERAGE=1 go test -v -run TestExportedDocs ./... docs_rc=$? printf '%s\n' "${docs_rc}" > "${WORKSPACE}/build/docs-naming.rc" if [ "${docs_rc}" -eq 0 ]; then retry_command env METIS_USE_EXISTING_COVERAGE=1 go test -v ./... quality_rc=$? fi cd "${WORKSPACE}" if [ "${docs_rc}" -eq 0 ] && [ "${quality_rc}" -eq 0 ]; then retry_command go test -v -count=1 -coverprofile=build/coverage.out ./... > build/test.out 2>&1 test_rc=$? fi set -e if [ -f build/test.out ]; then cat build/test.out "$(go env GOPATH)/bin/go-junit-report" < build/test.out > "${JUNIT_XML}" else cat > "${JUNIT_XML}" <<'EOF' EOF fi coverage="0" if [ -f build/coverage.out ]; then coverage="$(go tool cover -func=build/coverage.out | awk '/^total:/ {gsub("%","",$3); print $3}')" fi export GO_COVERAGE="${coverage}" printf '{"summary":{"percent_covered":%s}}\n' "${GO_COVERAGE}" > "${COVERAGE_JSON}" gate_rc=0 if [ "${docs_rc}" -ne 0 ] || [ "${quality_rc}" -ne 0 ] || [ "${test_rc}" -ne 0 ]; then gate_rc=1 fi printf '%s\n' "${gate_rc}" > "${TEST_EXIT_CODE_PATH}" ''' } } } stage('Publish test metrics') { steps { container('publisher') { sh ''' set -eu python scripts/publish_test_metrics.py ''' } } } stage('Enforce quality gate') { steps { container('tester') { sh ''' set -eu test_rc="$(cat "${TEST_EXIT_CODE_PATH}")" exit "${test_rc}" ''' } } } stage('Prep toolchain') { when { expression { return params.PUBLISH_IMAGES } } steps { container('builder') { sh ''' set -eu mkdir -p /root/.docker cp /docker-config/config.json /root/.docker/config.json ''' } } } stage('Compute version') { when { expression { return params.PUBLISH_IMAGES } } steps { container('builder') { script { sh ''' set -eu SEMVER="0.1.0-${BUILD_NUMBER}" echo "SEMVER=${SEMVER}" > build.env ''' def props = readProperties file: 'build.env' env.SEMVER = props['SEMVER'] ?: "0.1.0-${env.BUILD_NUMBER}" env.VERSION_TAG = env.SEMVER } } } } stage('Buildx setup') { when { expression { return params.PUBLISH_IMAGES } } steps { container('builder') { sh ''' set -eu ready=0 for i in $(seq 1 90); do if docker info >/dev/null 2>&1; then ready=1 break fi sleep 2 done if [ "${ready}" -ne 1 ]; then echo "docker daemon did not become ready on ${DOCKER_HOST}" docker version || true exit 1 fi docker run --privileged --rm tonistiigi/binfmt --install amd64,arm64 BUILDER_NAME="metis-builder-${BUILD_NUMBER}" docker buildx rm "${BUILDER_NAME}" >/dev/null 2>&1 || true docker buildx create --name "${BUILDER_NAME}" --driver docker-container --driver-opt image=registry.bstein.dev/bstein/buildkit:buildx-stable-1 --use docker buildx inspect "${BUILDER_NAME}" --bootstrap ''' } } } stage('Build & push images') { when { expression { return params.PUBLISH_IMAGES } } steps { container('builder') { sh ''' set -eu VERSION_TAG="$(cut -d= -f2 build.env)" docker info >/dev/null for arch in amd64 arm64; do docker buildx build \ --platform "linux/${arch}" \ --build-arg TARGETOS=linux \ --build-arg TARGETARCH="${arch}" \ --tag "${IMAGE}:${VERSION_TAG}-${arch}" \ --tag "${IMAGE}:latest-${arch}" \ --target runtime \ --push \ . docker buildx build \ --platform "linux/${arch}" \ --build-arg TARGETOS=linux \ --build-arg TARGETARCH="${arch}" \ --tag "${SENTINEL_IMAGE}:${VERSION_TAG}-${arch}" \ --tag "${SENTINEL_IMAGE}:latest-${arch}" \ --target sentinel \ --push \ . done ''' } } } } post { always { script { if (fileExists('build/junit.xml')) { try { junit allowEmptyResults: true, testResults: 'build/junit.xml' } catch (Throwable err) { echo "junit step unavailable: ${err.class.simpleName}" } } } archiveArtifacts artifacts: 'build/**', allowEmptyArchive: true, fingerprint: true } } }