titan-iac/Jenkinsfile

// Mirror of ci/Jenkinsfile.titan-iac for multibranch discovery.
pipeline {
  agent {
    kubernetes {
      defaultContainer 'python'
      yaml """
apiVersion: v1
kind: Pod
spec:
  nodeSelector:
    hardware: rpi5
    kubernetes.io/arch: arm64
    node-role.kubernetes.io/worker: "true"
  containers:
    - name: jnlp
      image: jenkins/inbound-agent:3355.v388858a_47b_33-2-jdk21
      resources:
        requests:
          cpu: "25m"
          memory: "256Mi"
    - name: python
      image: registry.bstein.dev/bstein/python:3.12-slim
      command:
        - cat
      tty: true
    - name: quality-tools
      image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64
      command:
        - cat
      tty: true
"""
    }
  }
  environment {
    PIP_DISABLE_PIP_VERSION_CHECK = '1'
    PYTHONUNBUFFERED = '1'
    SUITE_NAME = 'titan_iac'
    PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
    SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000'
    SONARQUBE_PROJECT_KEY = 'titan_iac'
    SONARQUBE_TOKEN = credentials('sonarqube-token')
    VM_URL = 'http://victoria-metrics-single-server.monitoring.svc.cluster.local:8428'
    QUALITY_GATE_SONARQUBE_ENFORCE = '1'
    QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
    QUALITY_GATE_IRONBANK_ENFORCE = '1'
    QUALITY_GATE_IRONBANK_REQUIRED = '0'
    QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
  }
  options {
    disableConcurrentBuilds()
    buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120'))
  }
  stages {
    stage('Checkout') {
      steps {
        checkout scm
      }
    }
    stage('Install deps') {
      steps {
        sh '''
          set -eu
          if ! command -v git >/dev/null 2>&1; then
            apt-get update
            apt-get install -y --no-install-recommends git ca-certificates
            rm -rf /var/lib/apt/lists/*
          fi
          pip install --no-cache-dir -r ci/requirements.txt
        '''
      }
    }
    stage('Prepare local quality evidence') {
      steps {
        sh '''
          set -eu
          mkdir -p build
          set +e
          python3 -m testing.quality_gate --profile local --build-dir build
          local_quality_rc=$?
          set -e
          printf '%s\n' "${local_quality_rc}" > build/local-quality-gate.rc
        '''
      }
    }
    stage('Collect SonarQube evidence') {
      steps {
        container('quality-tools') {
          sh '''#!/usr/bin/env bash
            set -euo pipefail
            mkdir -p build
            args=(
              "-Dsonar.host.url=${SONARQUBE_HOST_URL}"
              "-Dsonar.login=${SONARQUBE_TOKEN}"
              "-Dsonar.projectKey=${SONARQUBE_PROJECT_KEY}"
              "-Dsonar.projectName=${SONARQUBE_PROJECT_KEY}"
              "-Dsonar.sources=."
              "-Dsonar.exclusions=**/.git/**,**/build/**,**/dist/**,**/node_modules/**,**/.venv/**,**/__pycache__/**,**/coverage/**,**/test-results/**,**/playwright-report/**,services/monitoring/dashboards/**,services/monitoring/grafana-dashboard-*.yaml"
              "-Dsonar.test.inclusions=**/tests/**,**/testing/**,**/*_test.go,**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx"
            )
            [ -f build/coverage-unit.xml ] && args+=("-Dsonar.python.coverage.reportPaths=build/coverage-unit.xml")
            set +e
            sonar-scanner "${args[@]}" | tee build/sonar-scanner.log
            rc=${PIPESTATUS[0]}
            set -e
            printf '%s\n' "${rc}" > build/sonarqube-analysis.rc
          '''
        }
        sh '''
          set -eu
          mkdir -p build
          python3 - <<'PY'
import base64
import json
import os
import time
import urllib.parse
import urllib.request
from pathlib import Path

host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/')
project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip()
token = os.getenv('SONARQUBE_TOKEN', '').strip()
report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json')

payload = {
    "status": "ERROR",
    "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY",
}
if host and project_key:
    task_file = Path('.scannerwork/report-task.txt')
    task_id = ''
    if task_file.exists():
        for line in task_file.read_text(encoding='utf-8').splitlines():
            key, _, value = line.partition('=')
            if key == 'ceTaskId':
                task_id = value.strip()
                break
    if task_id:
        ce_query = urllib.parse.urlencode({"id": task_id})
        deadline = time.monotonic() + 180
        while time.monotonic() < deadline:
            ce_request = urllib.request.Request(f"{host}/api/ce/task?{ce_query}", method="GET")
            if token:
                encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
                ce_request.add_header("Authorization", f"Basic {encoded}")
            try:
                with urllib.request.urlopen(ce_request, timeout=12) as response:
                    ce_payload = json.loads(response.read().decode("utf-8"))
            except Exception:
                time.sleep(3)
                continue
            status = str(ce_payload.get("task", {}).get("status", "")).upper()
            if status in {"SUCCESS", "FAILED", "CANCELED"}:
                break
            time.sleep(3)

    query = urllib.parse.urlencode({"projectKey": project_key})
    request = urllib.request.Request(
        f"{host}/api/qualitygates/project_status?{query}",
        method="GET",
    )
    if token:
        encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
        request.add_header("Authorization", f"Basic {encoded}")
    try:
        with urllib.request.urlopen(request, timeout=12) as response:
            payload = json.loads(response.read().decode("utf-8"))
    except Exception as exc:  # noqa: BLE001
        payload = {"status": "ERROR", "error": str(exc)}

with open(report_path, "w", encoding="utf-8") as handle:
    json.dump(payload, handle, indent=2, sort_keys=True)
    handle.write("\\n")
PY
        '''
      }
    }
    stage('Collect IronBank evidence') {
      steps {
        container('quality-tools') {
          sh '''#!/usr/bin/env bash
            set -euo pipefail
            mkdir -p build
            set +e
            trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --skip-files clusters/atlas/flux-system/gotk-components.yaml --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
            trivy_rc=$?
            set -e
            if [ ! -s build/trivy-fs.json ]; then
              cat > build/ironbank-compliance.json <<EOF
{"status":"failed","compliant":false,"scanner":"trivy","scan_type":"filesystem","error":"trivy did not produce JSON output","trivy_rc":${trivy_rc}}
EOF
              exit 0
            fi
          '''
        }
        sh '''
          set -eu
          mkdir -p build
          if [ -s build/trivy-fs.json ]; then
            python3 ci/scripts/supply_chain_report.py --trivy-json build/trivy-fs.json --waivers ci/titan-iac-trivy-waivers.json --output build/ironbank-compliance.json
            exit 0
          fi
          python3 - <<'PY'
import json
import os
from pathlib import Path

report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json'))
if report_path.exists():
    raise SystemExit(0)

status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip()
compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower()
payload = {
    "status": status or "unknown",
    "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None,
}
payload = {k: v for k, v in payload.items() if v is not None}
if "status" not in payload:
    payload["status"] = "unknown"
payload["note"] = (
    "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT "
    "or write build/ironbank-compliance.json in image-building repos."
)

report_path.parent.mkdir(parents=True, exist_ok=True)
report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
PY
        '''
      }
    }
    stage('Run quality gate') {
      steps {
        sh '''
          set -eu
          mkdir -p build
          set +e
          python3 -m testing.quality_gate --profile jenkins --build-dir build
          quality_gate_rc=$?
          set -e
          printf '%s\n' "${quality_gate_rc}" > build/quality-gate.rc
        '''
      }
    }
    stage('Publish test metrics') {
      steps {
        sh '''
          set -eu
          export JUNIT_GLOB='build/junit-*.xml'
          export QUALITY_GATE_EXIT_CODE_PATH='build/quality-gate.rc'
          export QUALITY_GATE_SUMMARY_PATH='build/quality-gate-summary.json'
          python3 ci/scripts/publish_test_metrics.py
        '''
      }
    }
    stage('Enforce quality gate') {
      steps {
        sh '''
          set -euo pipefail
          gate_rc="$(cat build/quality-gate.rc 2>/dev/null || echo 1)"
          fail=0
          if [ "${gate_rc}" -ne 0 ]; then
            echo "quality gate failed with rc=${gate_rc}" >&2
            fail=1
          fi

          enabled() {
            case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
              1|true|yes|on) return 0 ;;
              *) return 1 ;;
            esac
          }

          if enabled "${QUALITY_GATE_SONARQUBE_ENFORCE:-1}"; then
            sonar_status="$(python3 - <<'PY'
import json
from pathlib import Path

path = Path("build/sonarqube-quality-gate.json")
if not path.exists():
    print("missing")
    raise SystemExit(0)
try:
    payload = json.loads(path.read_text(encoding="utf-8"))
except Exception:  # noqa: BLE001
    print("error")
    raise SystemExit(0)
status = (payload.get("status") or payload.get("projectStatus", {}).get("status") or payload.get("qualityGate", {}).get("status") or "").strip().lower()
print(status or "missing")
PY
)"
            case "${sonar_status}" in
              ok|pass|passed|success) ;;
              *)
                echo "sonarqube gate failed: ${sonar_status}" >&2
                fail=1
                ;;
            esac
          fi

          ironbank_required="${QUALITY_GATE_IRONBANK_REQUIRED:-0}"
          if [ "${PUBLISH_IMAGES:-false}" = "true" ]; then
            ironbank_required=1
          fi
          if enabled "${QUALITY_GATE_IRONBANK_ENFORCE:-1}"; then
            supply_status="$(python3 - <<'PY'
import json
from pathlib import Path

path = Path("build/ironbank-compliance.json")
if not path.exists():
    print("missing")
    raise SystemExit(0)
try:
    payload = json.loads(path.read_text(encoding="utf-8"))
except Exception:  # noqa: BLE001
    print("error")
    raise SystemExit(0)
compliant = payload.get("compliant")
if compliant is True:
    print("ok")
elif compliant is False:
    print("failed")
else:
    status = str(payload.get("status") or payload.get("result") or payload.get("compliance") or "").strip().lower()
    print(status or "missing")
PY
)"
            case "${supply_status}" in
              ok|pass|passed|success|compliant) ;;
              not_applicable|na|n/a)
                if enabled "${ironbank_required}"; then
                  echo "supply chain gate required but status=${supply_status}" >&2
                  fail=1
                fi
                ;;
              *)
                if enabled "${ironbank_required}"; then
                  echo "supply chain gate failed: ${supply_status}" >&2
                  fail=1
                else
                  echo "supply chain gate not passing (${supply_status}) but not required for this run" >&2
                fi
                ;;
            esac
          fi

          exit "${fail}"
        '''
      }
    }
    stage('Resolve Flux branch') {
      steps {
        script {
          env.FLUX_BRANCH = sh(
            returnStdout: true,
            script: "grep -m1 '^\\s*branch:' clusters/atlas/flux-system/gotk-sync.yaml | sed 's/^\\s*branch:\\s*//'"
          ).trim()
          if (!env.FLUX_BRANCH) {
            error('Flux branch not found in gotk-sync.yaml')
          }
          echo "Flux branch: ${env.FLUX_BRANCH}"
        }
      }
    }
    stage('Promote') {
      when {
        expression {
          def branch = env.BRANCH_NAME ?: (env.GIT_BRANCH ?: '').replaceFirst('origin/', '')
          return env.FLUX_BRANCH && branch == env.FLUX_BRANCH
        }
      }
      steps {
        withCredentials([usernamePassword(credentialsId: 'gitea-pat', usernameVariable: 'GIT_USER', passwordVariable: 'GIT_TOKEN')]) {
          sh '''
            set -euo pipefail
            if ! command -v git >/dev/null 2>&1; then
              if command -v apk >/dev/null 2>&1; then
                apk add --no-cache git >/dev/null
              elif command -v apt-get >/dev/null 2>&1; then
                apt-get update >/dev/null
                apt-get install -y git >/dev/null
              fi
            fi
            cd "${WORKSPACE:-$PWD}"
            if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
              echo "workspace is not a git checkout; skipping promote"
              exit 0
            fi
            set +x
            git config user.email "jenkins@bstein.dev"
            git config user.name "jenkins"
            git remote set-url origin https://${GIT_USER}:${GIT_TOKEN}@scm.bstein.dev/bstein/titan-iac.git
            git push origin HEAD:${FLUX_BRANCH}
          '''
        }
      }
    }
  }
  post {
    always {
      script {
        if (fileExists('build/junit-unit.xml') || fileExists('build/junit-glue.xml')) {
          try {
            junit allowEmptyResults: true, testResults: 'build/junit-*.xml'
          } catch (Throwable err) {
            echo "junit step unavailable: ${err.class.simpleName}"
          }
        }
      }
      archiveArtifacts artifacts: 'build/**', allowEmptyArchive: true, fingerprint: true
    }
  }
}