pipeline {
  agent {
    kubernetes {
      label 'pegasus-tests'
      defaultContainer 'go-tester'
      yaml """
apiVersion: v1
kind: Pod
spec:
  nodeSelector:
    kubernetes.io/arch: arm64
    node-role.kubernetes.io/worker: "true"
  containers:
    - name: go-tester
      image: golang:1.22-bookworm
      command: ["cat"]
      tty: true
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
    - name: node-tester
      image: node:20-bookworm
      command: ["cat"]
      tty: true
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
    - name: publisher
      image: python:3.12-slim
      command: ["cat"]
      tty: true
      volumeMounts:
        - name: workspace-volume
          mountPath: /home/jenkins/agent
  volumes:
    - name: workspace-volume
      emptyDir: {}
"""
    }
  }

  environment {
    SUITE_NAME = 'pegasus'
    PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
    SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000'
    SONARQUBE_PROJECT_KEY = 'pegasus'
    QUALITY_GATE_SONARQUBE_ENFORCE = '0'
    QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
    QUALITY_GATE_IRONBANK_ENFORCE = '0'
    QUALITY_GATE_IRONBANK_REQUIRED = '0'
    QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
  }

  options {
    disableConcurrentBuilds()
    buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120'))
  }

  triggers {
    pollSCM('H/5 * * * *')
  }

  stages {
    stage('Checkout') {
      steps {
        checkout scm
      }
    }

    stage('Collect SonarQube evidence') {
      steps {
        container('publisher') {
          sh '''
            set -eu
            mkdir -p build
            python3 - <<'PY'
import base64
import json
import os
import urllib.parse
import urllib.request

host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/')
project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip()
token = os.getenv('SONARQUBE_TOKEN', '').strip()
report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json')
payload = {"status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY"}
if host and project_key:
    query = urllib.parse.urlencode({"projectKey": project_key})
    request = urllib.request.Request(f"{host}/api/qualitygates/project_status?{query}", method="GET")
    if token:
        encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
        request.add_header("Authorization", f"Basic {encoded}")
    try:
        with urllib.request.urlopen(request, timeout=12) as response:
            payload = json.loads(response.read().decode("utf-8"))
    except Exception as exc:  # noqa: BLE001
        payload = {"status": "ERROR", "error": str(exc)}
with open(report_path, "w", encoding="utf-8") as handle:
    json.dump(payload, handle, indent=2, sort_keys=True)
    handle.write("\\n")
PY
          '''
        }
      }
    }

    stage('Collect Supply Chain evidence') {
      steps {
        container('publisher') {
          sh '''
            set -eu
            mkdir -p build
            python3 - <<'PY'
import json
import os
from pathlib import Path

report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json'))
if report_path.exists():
    raise SystemExit(0)
status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip()
compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower()
payload = {"status": status or "unknown", "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None}
payload = {k: v for k, v in payload.items() if v is not None}
if "status" not in payload:
    payload["status"] = "unknown"
payload["note"] = "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT or write build/ironbank-compliance.json in image-building repos."
report_path.parent.mkdir(parents=True, exist_ok=True)
report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
PY
          '''
        }
      }
    }

    stage('Backend unit tests') {
      steps {
        container('go-tester') {
          sh '''
            set -eu
            export PEGASUS_SESSION_KEY=test-session-key
            export PEGASUS_COOKIE_INSECURE=1
            mkdir -p build
            cd backend
            go install github.com/jstemmer/go-junit-report/v2@latest
            set +e
            go test -coverprofile=../build/coverage-backend.out ./... > ../build/backend-test.out 2>&1
            test_rc=$?
            set -e
            cat ../build/backend-test.out
            "$(go env GOPATH)/bin/go-junit-report" < ../build/backend-test.out > ../build/junit-backend.xml
            coverage="0"
            if [ -f ../build/coverage-backend.out ]; then
              coverage="$(go tool cover -func=../build/coverage-backend.out | awk '/^total:/ {gsub("%","",$3); print $3}')"
            fi
            printf '%s\n' "${coverage}" > ../build/coverage-backend-percent.txt
            printf '%s\n' "${test_rc}" > ../build/backend-test.rc
          '''
        }
      }
    }

    stage('Frontend unit tests') {
      steps {
        container('node-tester') {
          sh '''
            set -eu
            mkdir -p build
            cd frontend
            npm ci
            set +e
            npm run test:ci > ../build/frontend-test.out 2>&1
            test_rc=$?
            set -e
            cat ../build/frontend-test.out
            if [ -f ../build/frontend-coverage/coverage-summary.json ]; then
              node -e 'const fs=require("fs");const p=JSON.parse(fs.readFileSync("../build/frontend-coverage/coverage-summary.json","utf8"));const pct=((p.total||{}).lines||{}).pct||0;process.stdout.write(String(pct));' > ../build/coverage-frontend-percent.txt
            else
              echo "0" > ../build/coverage-frontend-percent.txt
            fi
            printf '%s\n' "${test_rc}" > ../build/frontend-test.rc
          '''
        }
      }
    }

    stage('Run quality gate') {
      steps {
        container('publisher') {
          sh '''
            set -eu
            apt-get update
            apt-get install -y --no-install-recommends golang-go nodejs npm
            python -m testing.pegasus_gate report
          '''
        }
      }
    }

    stage('Publish test metrics') {
      steps {
        container('publisher') {
          sh '''
            set -eu
            python scripts/publish_test_metrics.py
          '''
        }
      }
    }

    stage('Enforce quality gate') {
      steps {
        container('publisher') {
          sh '''
            set -euo pipefail
            apt-get update
            apt-get install -y --no-install-recommends golang-go nodejs npm
            set +e
            python -m testing.pegasus_gate enforce
            gate_rc=$?
            set -e
            fail=0
            if [ "${gate_rc}" -ne 0 ]; then
              echo "quality gate failed with rc=${gate_rc}" >&2
              fail=1
            fi

            enabled() {
              case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
                1|true|yes|on) return 0 ;;
                *) return 1 ;;
              esac
            }

            if enabled "${QUALITY_GATE_SONARQUBE_ENFORCE:-1}"; then
              sonar_status="$(python3 - <<'PY'
import json
from pathlib import Path

path = Path("build/sonarqube-quality-gate.json")
if not path.exists():
    print("missing")
    raise SystemExit(0)
try:
    payload = json.loads(path.read_text(encoding="utf-8"))
except Exception:  # noqa: BLE001
    print("error")
    raise SystemExit(0)
status = (payload.get("status") or payload.get("projectStatus", {}).get("status") or payload.get("qualityGate", {}).get("status") or "").strip().lower()
print(status or "missing")
PY
)"
              case "${sonar_status}" in
                ok|pass|passed|success) ;;
                *)
                  echo "SonarQube gate failed: ${sonar_status}" >&2
                  fail=1
                  ;;
              esac
            fi

            ironbank_required=0
            if enabled "${QUALITY_GATE_IRONBANK_REQUIRED:-0}"; then
              ironbank_required=1
            fi
            if enabled "${PUBLISH_IMAGES:-0}"; then
              ironbank_required=1
            fi
            if enabled "${QUALITY_GATE_IRONBANK_ENFORCE:-1}" || [ "${ironbank_required}" -eq 1 ]; then
              supply_status="$(python3 - <<'PY'
import json
from pathlib import Path

path = Path("build/ironbank-compliance.json")
if not path.exists():
    print("missing")
    raise SystemExit(0)
try:
    payload = json.loads(path.read_text(encoding="utf-8"))
except Exception:  # noqa: BLE001
    print("error")
    raise SystemExit(0)

status = payload.get("status")
if isinstance(status, str) and status.strip():
    print(status.strip().lower())
    raise SystemExit(0)
compliant = payload.get("compliant")
if isinstance(compliant, bool):
    print("ok" if compliant else "failed")
    raise SystemExit(0)
print("unknown")
PY
)"
              case "${supply_status}" in
                ok|pass|passed|success|compliant)
                  ;;
                not_applicable)
                  if [ "${ironbank_required}" -eq 1 ]; then
                    echo "Supply-chain check is not applicable but required for this build" >&2
                    fail=1
                  fi
                  ;;
                *)
                  echo "Supply-chain check failed: ${supply_status}" >&2
                  fail=1
                  ;;
              esac
            fi

            if [ "${fail}" -ne 0 ]; then
              exit 1
            fi
          '''
        }
      }
    }
  }

  post {
    always {
      script {
        if (fileExists('build/junit-backend.xml') || fileExists('build/junit-frontend.xml')) {
          try {
            junit allowEmptyResults: true, testResults: 'build/junit-backend.xml,build/junit-frontend.xml'
          } catch (Throwable err) {
            echo "junit step unavailable: ${err.class.simpleName}"
          }
        }
      }
      archiveArtifacts artifacts: 'build/**', allowEmptyArchive: true, fingerprint: true
    }
  }
}
