ci: collect sonar and supply-chain evidence for gate metrics

2026-04-19 14:12:58 -03:00 · 2026-04-19 14:12:58 -03:00 · 420c6a90ad
commit 420c6a90ad
parent 30b3aee931
1 changed files with 160 additions and 86 deletions
--- a/92
+++ b/92
@ -70,6 +70,8 @@ spec:
  environment {
    SUITE_NAME = 'soteria'
    PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
+    QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
+    QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
  }
  options {
    disableConcurrentBuilds()
@ -91,9 +93,6 @@ spec:
      }
    }
    stage('Prep toolchain') {
-      when {
-        expression { return params.PUBLISH_IMAGES }
-      }
      steps {
        container('builder') {
          sh '''
@ -108,12 +107,56 @@ spec:
    stage('Run quality gate') {
      steps {
        container('tester') {
-          retry(2) {
          sh '''
            set -eu
            apt-get update >/dev/null
-              apt-get install -y --no-install-recommends jq python3 ripgrep >/dev/null
+            apt-get install -y --no-install-recommends jq python3 >/dev/null
            mkdir -p build
+            python3 - <<'PY'
+import base64
+import json
+import os
+import urllib.parse
+import urllib.request
+from pathlib import Path
+
+host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/')
+project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip()
+token = os.getenv('SONARQUBE_TOKEN', '').strip()
+sonar_report = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json')
+
+payload = {"status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY"}
+if host and project_key:
+    query = urllib.parse.urlencode({"projectKey": project_key})
+    request = urllib.request.Request(f"{host}/api/qualitygates/project_status?{query}", method="GET")
+    if token:
+        encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
+        request.add_header("Authorization", f"Basic {encoded}")
+    try:
+        with urllib.request.urlopen(request, timeout=12) as response:
+            payload = json.loads(response.read().decode("utf-8"))
+    except Exception as exc:  # noqa: BLE001
+        payload = {"status": "ERROR", "error": str(exc)}
+Path(sonar_report).write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
+
+ironbank_report = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json'))
+if not ironbank_report.exists():
+    status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip()
+    compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower()
+    ironbank_payload = {
+        "status": status or "unknown",
+        "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None,
+    }
+    ironbank_payload = {k: v for k, v in ironbank_payload.items() if v is not None}
+    if "status" not in ironbank_payload:
+        ironbank_payload["status"] = "unknown"
+    ironbank_payload["note"] = (
+        "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT "
+        "or write build/ironbank-compliance.json in image-building repos."
+    )
+    ironbank_report.parent.mkdir(parents=True, exist_ok=True)
+    ironbank_report.write_text(json.dumps(ironbank_payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
+PY
            set +e
            bash scripts/check.sh
            gate_rc=$?
@ -147,11 +190,9 @@ EOF
        }
      }
    }
-    }
    stage('Publish test metrics') {
      steps {
        container('tester') {
-          retry(2) {
          sh '''
            set -eu
            apt-get update >/dev/null
@ -197,8 +238,39 @@ EOF
            if [ "${over_500}" -eq 0 ]; then
              loc_check="ok"
            fi
+            docs_naming_check="not_applicable"
+            gate_glue_check="ok"
+            sonarqube_check="not_applicable"
+            if [ -f build/sonarqube-quality-gate.json ]; then
+              sonar_status="$(jq -r '.status // .projectStatus.status // .qualityGate.status // empty' build/sonarqube-quality-gate.json 2>/dev/null | tr '[:upper:]' '[:lower:]')"
+              if [ -n "${sonar_status}" ]; then
+                case "${sonar_status}" in
+                  ok|pass|passed|success) sonarqube_check="ok" ;;
+                  *) sonarqube_check="failed" ;;
+                esac
+              else
+                sonarqube_check="failed"
+              fi
+            fi
+            supply_chain_check="not_applicable"
+            if [ -f build/ironbank-compliance.json ]; then
+              compliant="$(jq -r '.compliant // empty' build/ironbank-compliance.json 2>/dev/null)"
+              if [ "${compliant}" = "true" ]; then
+                supply_chain_check="ok"
+              elif [ "${compliant}" = "false" ]; then
+                supply_chain_check="failed"
+              else
+                ironbank_status="$(jq -r '.status // .result // .compliance // empty' build/ironbank-compliance.json 2>/dev/null | tr '[:upper:]' '[:lower:]')"
+                case "${ironbank_status}" in
+                  ok|pass|passed|success|compliant) supply_chain_check="ok" ;;
+                  "") supply_chain_check="failed" ;;
+                  *) supply_chain_check="failed" ;;
+                esac
+              fi
+            fi
            if ! cat <<METRICS | curl -fsS --data-binary @- "${gateway}/metrics/job/platform-quality-ci/suite/${suite}" >/dev/null; then
              echo "warning: metrics push failed for suite=${suite}" >&2
+            fi
 # TYPE platform_quality_gate_runs_total counter
 platform_quality_gate_runs_total{suite="${suite}",status="ok"} ${ok_count}
 platform_quality_gate_runs_total{suite="${suite}",status="failed"} ${failed_count}
@ -217,13 +289,15 @@ platform_quality_gate_source_lines_over_500_total{suite="${suite}"} ${over_500}
 soteria_quality_gate_checks_total{suite="${suite}",check="tests",result="${tests_check}"} 1
 soteria_quality_gate_checks_total{suite="${suite}",check="coverage",result="${coverage_check}"} 1
 soteria_quality_gate_checks_total{suite="${suite}",check="loc",result="${loc_check}"} 1
+soteria_quality_gate_checks_total{suite="${suite}",check="docs_naming",result="${docs_naming_check}"} 1
+soteria_quality_gate_checks_total{suite="${suite}",check="gate_glue",result="${gate_glue_check}"} 1
+soteria_quality_gate_checks_total{suite="${suite}",check="sonarqube",result="${sonarqube_check}"} 1
+soteria_quality_gate_checks_total{suite="${suite}",check="supply_chain",result="${supply_chain_check}"} 1
 METRICS
-              fi
          '''
        }
      }
    }
-    }
    stage('Enforce quality gate') {
      steps {
        container('tester') {