pipeline { agent { kubernetes { defaultContainer 'go-tester' yaml """ apiVersion: v1 kind: Pod spec: nodeSelector: kubernetes.io/arch: arm64 node-role.kubernetes.io/worker: "true" containers: - name: go-tester image: registry.bstein.dev/bstein/golang:1.22-bookworm command: ["cat"] tty: true volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent - name: node-tester image: registry.bstein.dev/bstein/node:20-bookworm command: ["cat"] tty: true volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent - name: publisher image: registry.bstein.dev/bstein/python:3.12-slim command: ["cat"] tty: true volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent - name: quality-tools image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64 command: ["cat"] tty: true volumeMounts: - name: workspace-volume mountPath: /home/jenkins/agent volumes: - name: workspace-volume emptyDir: {} """ } } environment { SUITE_NAME = 'pegasus' PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091' SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000' SONARQUBE_PROJECT_KEY = 'pegasus' SONARQUBE_TOKEN = credentials('sonarqube-token') QUALITY_GATE_SONARQUBE_ENFORCE = '0' QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json' QUALITY_GATE_IRONBANK_ENFORCE = '0' QUALITY_GATE_IRONBANK_REQUIRED = '0' QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json' } options { disableConcurrentBuilds() buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120')) } triggers { pollSCM('H/5 * * * *') } stages { stage('Checkout') { steps { checkout scm } } stage('Collect SonarQube evidence') { steps { container('quality-tools') { sh '''#!/usr/bin/env bash set -euo pipefail mkdir -p build args=( "-Dsonar.host.url=${SONARQUBE_HOST_URL}" "-Dsonar.login=${SONARQUBE_TOKEN}" "-Dsonar.projectKey=${SONARQUBE_PROJECT_KEY}" "-Dsonar.projectName=${SONARQUBE_PROJECT_KEY}" "-Dsonar.sources=." "-Dsonar.exclusions=**/.git/**,**/build/**,**/dist/**,**/node_modules/**,**/.venv/**,**/__pycache__/**,**/coverage/**,**/test-results/**,**/playwright-report/**" "-Dsonar.test.inclusions=**/tests/**,**/testing/**,**/*_test.go,**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx" ) [ -f build/coverage-backend.out ] && args+=("-Dsonar.go.coverage.reportPaths=build/coverage-backend.out") [ -f build/frontend-coverage/lcov.info ] && args+=("-Dsonar.javascript.lcov.reportPaths=build/frontend-coverage/lcov.info") set +e sonar-scanner "${args[@]}" | tee build/sonar-scanner.log rc=${PIPESTATUS[0]} set -e printf '%s\n' "${rc}" > build/sonarqube-analysis.rc ''' } container('publisher') { sh ''' set -eu mkdir -p build python3 - <<'PY' import base64 import json import os import urllib.parse import urllib.request host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/') project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip() token = os.getenv('SONARQUBE_TOKEN', '').strip() report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json') payload = {"status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY"} if host and project_key: query = urllib.parse.urlencode({"projectKey": project_key}) request = urllib.request.Request(f"{host}/api/qualitygates/project_status?{query}", method="GET") if token: encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8") request.add_header("Authorization", f"Basic {encoded}") try: with urllib.request.urlopen(request, timeout=12) as response: payload = json.loads(response.read().decode("utf-8")) except Exception as exc: # noqa: BLE001 payload = {"status": "ERROR", "error": str(exc)} with open(report_path, "w", encoding="utf-8") as handle: json.dump(payload, handle, indent=2, sort_keys=True) handle.write("\\n") PY ''' } } } stage('Collect Supply Chain evidence') { steps { container('quality-tools') { sh '''#!/usr/bin/env bash set -euo pipefail mkdir -p build set +e trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL . trivy_rc=$? set -e if [ ! -s build/trivy-fs.json ]; then cat > build/ironbank-compliance.json < build/ironbank-compliance.json ''' } container('publisher') { sh ''' set -eu mkdir -p build python3 - <<'PY' import json import os from pathlib import Path report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json')) if report_path.exists(): raise SystemExit(0) status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip() compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower() payload = {"status": status or "unknown", "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None} payload = {k: v for k, v in payload.items() if v is not None} if "status" not in payload: payload["status"] = "unknown" payload["note"] = "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT or write build/ironbank-compliance.json in image-building repos." report_path.parent.mkdir(parents=True, exist_ok=True) report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8") PY ''' } } } stage('Backend unit tests') { steps { container('go-tester') { sh ''' set -eu export PEGASUS_SESSION_KEY=test-session-key export PEGASUS_COOKIE_INSECURE=1 mkdir -p build cd backend export GOPROXY="${GOPROXY:-https://proxy.golang.org,direct}" retry_command() { attempts=4 delay=8 attempt=1 while [ "${attempt}" -le "${attempts}" ]; do "$@" rc=$? if [ "${rc}" -eq 0 ]; then return 0 fi if [ "${attempt}" -eq "${attempts}" ]; then return "${rc}" fi echo "command failed with rc=${rc}; retrying in ${delay}s (${attempt}/${attempts})" sleep "${delay}" delay=$((delay * 2)) attempt=$((attempt + 1)) done } set +e retry_command go install github.com/jstemmer/go-junit-report/v2@latest tool_rc=$? if [ "${tool_rc}" -eq 0 ]; then retry_command go test -v -coverprofile=../build/coverage-backend.out ./... > ../build/backend-test.out 2>&1 test_rc=$? else test_rc=1 printf 'go-junit-report install failed with rc=%s; skipping backend go test so metrics can publish\\n' "${tool_rc}" > ../build/backend-test.out fi set -e cat ../build/backend-test.out if [ "${tool_rc}" -eq 0 ] && [ -x "$(go env GOPATH)/bin/go-junit-report" ]; then "$(go env GOPATH)/bin/go-junit-report" < ../build/backend-test.out > ../build/junit-backend.xml else cat > ../build/junit-backend.xml <<'EOF' EOF fi coverage="0" if [ -f ../build/coverage-backend.out ]; then coverage="$(go tool cover -func=../build/coverage-backend.out | awk '/^total:/ {gsub("%","",$3); print $3}')" fi printf '%s\n' "${coverage}" > ../build/coverage-backend-percent.txt printf '%s\n' "${test_rc}" > ../build/backend-test.rc ''' } } } stage('Frontend unit tests') { steps { container('node-tester') { sh ''' set -eu mkdir -p build cd frontend retry_command() { attempts=4 delay=8 attempt=1 while [ "${attempt}" -le "${attempts}" ]; do "$@" rc=$? if [ "${rc}" -eq 0 ]; then return 0 fi if [ "${attempt}" -eq "${attempts}" ]; then return "${rc}" fi echo "command failed with rc=${rc}; retrying in ${delay}s (${attempt}/${attempts})" sleep "${delay}" delay=$((delay * 2)) attempt=$((attempt + 1)) done } set +e retry_command npm ci npm_ci_rc=$? if [ "${npm_ci_rc}" -eq 0 ]; then retry_command npm run test:ci > ../build/frontend-test.out 2>&1 test_rc=$? else test_rc=1 printf 'npm ci failed with rc=%s; skipping frontend tests so metrics can publish\\n' "${npm_ci_rc}" > ../build/frontend-test.out fi set -e cat ../build/frontend-test.out if [ ! -f ../build/junit-frontend.xml ]; then cat > ../build/junit-frontend.xml <<'EOF' EOF fi if [ -f ../build/frontend-coverage/coverage-summary.json ]; then node -e 'const fs=require("fs");const p=JSON.parse(fs.readFileSync("../build/frontend-coverage/coverage-summary.json","utf8"));const pct=((p.total||{}).lines||{}).pct||0;process.stdout.write(String(pct));' > ../build/coverage-frontend-percent.txt else echo "0" > ../build/coverage-frontend-percent.txt fi printf '%s\n' "${test_rc}" > ../build/frontend-test.rc ''' } } } stage('Run quality gate') { steps { container('publisher') { sh ''' set -eu mkdir -p build set +e apt-get update apt_rc=$? if [ "${apt_rc}" -eq 0 ]; then apt-get install -y --no-install-recommends golang-go nodejs npm apt_rc=$? fi if [ "${apt_rc}" -eq 0 ]; then python -m testing.pegasus_gate report gate_rc=$? else gate_rc="${apt_rc}" fi set -e if [ ! -f build/gate-summary.json ]; then python3 - <<'PY' import json from pathlib import Path Path("build/gate-summary.json").write_text( json.dumps( { "ok": False, "issues": [ { "check": "gate_glue", "path": "Jenkinsfile", "detail": "quality gate dependencies or report command failed before summary generation", } ], "file_count": 0, "backend_coverage": {}, "frontend_coverage": {}, }, indent=2, sort_keys=True, ) + "\\n", encoding="utf-8", ) PY fi printf '%s\n' "${gate_rc}" > build/quality-report.rc ''' } } } stage('Publish test metrics') { steps { container('publisher') { sh ''' set -eu python scripts/publish_test_metrics.py ''' } } } stage('Enforce quality gate') { steps { container('publisher') { sh ''' set -eu apt-get update apt-get install -y --no-install-recommends golang-go nodejs npm set +e python -m testing.pegasus_gate enforce gate_rc=$? set -e fail=0 if [ "${gate_rc}" -ne 0 ]; then echo "quality gate failed with rc=${gate_rc}" >&2 fail=1 fi enabled() { case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in 1|true|yes|on) return 0 ;; *) return 1 ;; esac } if enabled "${QUALITY_GATE_SONARQUBE_ENFORCE:-1}"; then sonar_status="$(python3 - <<'PY' import json from pathlib import Path path = Path("build/sonarqube-quality-gate.json") if not path.exists(): print("missing") raise SystemExit(0) try: payload = json.loads(path.read_text(encoding="utf-8")) except Exception: # noqa: BLE001 print("error") raise SystemExit(0) status = (payload.get("status") or payload.get("projectStatus", {}).get("status") or payload.get("qualityGate", {}).get("status") or "").strip().lower() print(status or "missing") PY )" case "${sonar_status}" in ok|pass|passed|success) ;; *) echo "SonarQube gate failed: ${sonar_status}" >&2 fail=1 ;; esac fi ironbank_required=0 if enabled "${QUALITY_GATE_IRONBANK_REQUIRED:-0}"; then ironbank_required=1 fi if enabled "${PUBLISH_IMAGES:-0}"; then ironbank_required=1 fi if enabled "${QUALITY_GATE_IRONBANK_ENFORCE:-1}" || [ "${ironbank_required}" -eq 1 ]; then supply_status="$(python3 - <<'PY' import json from pathlib import Path path = Path("build/ironbank-compliance.json") if not path.exists(): print("missing") raise SystemExit(0) try: payload = json.loads(path.read_text(encoding="utf-8")) except Exception: # noqa: BLE001 print("error") raise SystemExit(0) status = payload.get("status") if isinstance(status, str) and status.strip(): print(status.strip().lower()) raise SystemExit(0) compliant = payload.get("compliant") if isinstance(compliant, bool): print("ok" if compliant else "failed") raise SystemExit(0) print("unknown") PY )" case "${supply_status}" in ok|pass|passed|success|compliant) ;; not_applicable) if [ "${ironbank_required}" -eq 1 ]; then echo "Supply-chain check is not applicable but required for this build" >&2 fail=1 fi ;; *) echo "Supply-chain check failed: ${supply_status}" >&2 fail=1 ;; esac fi if [ "${fail}" -ne 0 ]; then exit 1 fi ''' } } } } post { always { script { if (fileExists('build/junit-backend.xml') || fileExists('build/junit-frontend.xml')) { try { junit allowEmptyResults: true, testResults: 'build/junit-backend.xml,build/junit-frontend.xml' } catch (Throwable err) { echo "junit step unavailable: ${err.class.simpleName}" } } } archiveArtifacts artifacts: 'build/**', allowEmptyArchive: true, fingerprint: true } } }