// Mirror of ci/Jenkinsfile.titan-iac for multibranch discovery. pipeline { agent { kubernetes { defaultContainer 'python' yaml """ apiVersion: v1 kind: Pod spec: nodeSelector: hardware: rpi5 kubernetes.io/arch: arm64 node-role.kubernetes.io/worker: "true" containers: - name: jnlp image: jenkins/inbound-agent:3355.v388858a_47b_33-2-jdk21 resources: requests: cpu: "25m" memory: "256Mi" - name: python image: registry.bstein.dev/bstein/python:3.12-slim command: - cat tty: true - name: quality-tools image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64 command: - cat tty: true """ } } environment { PIP_DISABLE_PIP_VERSION_CHECK = '1' PYTHONUNBUFFERED = '1' SUITE_NAME = 'titan_iac' PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091' SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000' SONARQUBE_PROJECT_KEY = 'titan_iac' SONARQUBE_TOKEN = credentials('sonarqube-token') VM_URL = 'http://victoria-metrics-single-server.monitoring.svc.cluster.local:8428' QUALITY_GATE_SONARQUBE_ENFORCE = '1' QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json' QUALITY_GATE_IRONBANK_ENFORCE = '1' QUALITY_GATE_IRONBANK_REQUIRED = '0' QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json' } options { disableConcurrentBuilds() buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120')) } stages { stage('Checkout') { steps { checkout scm } } stage('Install deps') { steps { sh ''' set -eu if ! command -v git >/dev/null 2>&1; then apt-get update apt-get install -y --no-install-recommends git ca-certificates rm -rf /var/lib/apt/lists/* fi pip install --no-cache-dir -r ci/requirements.txt ''' } } stage('Prepare local quality evidence') { steps { sh ''' set -eu mkdir -p build set +e python3 -m testing.quality_gate --profile local --build-dir build local_quality_rc=$? set -e printf '%s\n' "${local_quality_rc}" > build/local-quality-gate.rc ''' } } stage('Collect SonarQube evidence') { steps { container('quality-tools') { sh '''#!/usr/bin/env bash set -euo pipefail mkdir -p build args=( "-Dsonar.host.url=${SONARQUBE_HOST_URL}" "-Dsonar.login=${SONARQUBE_TOKEN}" "-Dsonar.projectKey=${SONARQUBE_PROJECT_KEY}" "-Dsonar.projectName=${SONARQUBE_PROJECT_KEY}" "-Dsonar.sources=." "-Dsonar.exclusions=**/.git/**,**/build/**,**/dist/**,**/node_modules/**,**/.venv/**,**/__pycache__/**,**/coverage/**,**/test-results/**,**/playwright-report/**,services/monitoring/dashboards/**,services/monitoring/grafana-dashboard-*.yaml" "-Dsonar.test.inclusions=**/tests/**,**/testing/**,**/*_test.go,**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx" ) [ -f build/coverage-unit.xml ] && args+=("-Dsonar.python.coverage.reportPaths=build/coverage-unit.xml") set +e sonar-scanner "${args[@]}" | tee build/sonar-scanner.log rc=${PIPESTATUS[0]} set -e printf '%s\n' "${rc}" > build/sonarqube-analysis.rc ''' } sh ''' set -eu mkdir -p build python3 - <<'PY' import base64 import json import os import time import urllib.parse import urllib.request from pathlib import Path host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/') project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip() token = os.getenv('SONARQUBE_TOKEN', '').strip() report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json') payload = { "status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY", } if host and project_key: task_file = Path('.scannerwork/report-task.txt') task_id = '' if task_file.exists(): for line in task_file.read_text(encoding='utf-8').splitlines(): key, _, value = line.partition('=') if key == 'ceTaskId': task_id = value.strip() break if task_id: ce_query = urllib.parse.urlencode({"id": task_id}) deadline = time.monotonic() + 180 while time.monotonic() < deadline: ce_request = urllib.request.Request(f"{host}/api/ce/task?{ce_query}", method="GET") if token: encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8") ce_request.add_header("Authorization", f"Basic {encoded}") try: with urllib.request.urlopen(ce_request, timeout=12) as response: ce_payload = json.loads(response.read().decode("utf-8")) except Exception: time.sleep(3) continue status = str(ce_payload.get("task", {}).get("status", "")).upper() if status in {"SUCCESS", "FAILED", "CANCELED"}: break time.sleep(3) query = urllib.parse.urlencode({"projectKey": project_key}) request = urllib.request.Request( f"{host}/api/qualitygates/project_status?{query}", method="GET", ) if token: encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8") request.add_header("Authorization", f"Basic {encoded}") try: with urllib.request.urlopen(request, timeout=12) as response: payload = json.loads(response.read().decode("utf-8")) except Exception as exc: # noqa: BLE001 payload = {"status": "ERROR", "error": str(exc)} with open(report_path, "w", encoding="utf-8") as handle: json.dump(payload, handle, indent=2, sort_keys=True) handle.write("\\n") PY ''' } } stage('Collect IronBank evidence') { steps { container('quality-tools') { sh '''#!/usr/bin/env bash set -euo pipefail mkdir -p build set +e trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --skip-files clusters/atlas/flux-system/gotk-components.yaml --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL . trivy_rc=$? set -e if [ ! -s build/trivy-fs.json ]; then cat > build/ironbank-compliance.json < build/quality-gate.rc ''' } } stage('Publish test metrics') { steps { sh ''' set -eu export JUNIT_GLOB='build/junit-*.xml' export QUALITY_GATE_EXIT_CODE_PATH='build/quality-gate.rc' export QUALITY_GATE_SUMMARY_PATH='build/quality-gate-summary.json' python3 ci/scripts/publish_test_metrics.py ''' } } stage('Enforce quality gate') { steps { sh ''' set -euo pipefail gate_rc="$(cat build/quality-gate.rc 2>/dev/null || echo 1)" fail=0 if [ "${gate_rc}" -ne 0 ]; then echo "quality gate failed with rc=${gate_rc}" >&2 fail=1 fi enabled() { case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in 1|true|yes|on) return 0 ;; *) return 1 ;; esac } if enabled "${QUALITY_GATE_SONARQUBE_ENFORCE:-1}"; then sonar_status="$(python3 - <<'PY' import json from pathlib import Path path = Path("build/sonarqube-quality-gate.json") if not path.exists(): print("missing") raise SystemExit(0) try: payload = json.loads(path.read_text(encoding="utf-8")) except Exception: # noqa: BLE001 print("error") raise SystemExit(0) status = (payload.get("status") or payload.get("projectStatus", {}).get("status") or payload.get("qualityGate", {}).get("status") or "").strip().lower() print(status or "missing") PY )" case "${sonar_status}" in ok|pass|passed|success) ;; *) echo "sonarqube gate failed: ${sonar_status}" >&2 fail=1 ;; esac fi ironbank_required="${QUALITY_GATE_IRONBANK_REQUIRED:-0}" if [ "${PUBLISH_IMAGES:-false}" = "true" ]; then ironbank_required=1 fi if enabled "${QUALITY_GATE_IRONBANK_ENFORCE:-1}"; then supply_status="$(python3 - <<'PY' import json from pathlib import Path path = Path("build/ironbank-compliance.json") if not path.exists(): print("missing") raise SystemExit(0) try: payload = json.loads(path.read_text(encoding="utf-8")) except Exception: # noqa: BLE001 print("error") raise SystemExit(0) compliant = payload.get("compliant") if compliant is True: print("ok") elif compliant is False: print("failed") else: status = str(payload.get("status") or payload.get("result") or payload.get("compliance") or "").strip().lower() print(status or "missing") PY )" case "${supply_status}" in ok|pass|passed|success|compliant) ;; not_applicable|na|n/a) if enabled "${ironbank_required}"; then echo "supply chain gate required but status=${supply_status}" >&2 fail=1 fi ;; *) if enabled "${ironbank_required}"; then echo "supply chain gate failed: ${supply_status}" >&2 fail=1 else echo "supply chain gate not passing (${supply_status}) but not required for this run" >&2 fi ;; esac fi exit "${fail}" ''' } } stage('Resolve Flux branch') { steps { script { env.FLUX_BRANCH = sh( returnStdout: true, script: "grep -m1 '^\\s*branch:' clusters/atlas/flux-system/gotk-sync.yaml | sed 's/^\\s*branch:\\s*//'" ).trim() if (!env.FLUX_BRANCH) { error('Flux branch not found in gotk-sync.yaml') } echo "Flux branch: ${env.FLUX_BRANCH}" } } } stage('Promote') { when { expression { def branch = env.BRANCH_NAME ?: (env.GIT_BRANCH ?: '').replaceFirst('origin/', '') return env.FLUX_BRANCH && branch == env.FLUX_BRANCH } } steps { withCredentials([usernamePassword(credentialsId: 'gitea-pat', usernameVariable: 'GIT_USER', passwordVariable: 'GIT_TOKEN')]) { sh ''' set -euo pipefail if ! command -v git >/dev/null 2>&1; then if command -v apk >/dev/null 2>&1; then apk add --no-cache git >/dev/null elif command -v apt-get >/dev/null 2>&1; then apt-get update >/dev/null apt-get install -y git >/dev/null fi fi cd "${WORKSPACE:-$PWD}" if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then echo "workspace is not a git checkout; skipping promote" exit 0 fi set +x git config user.email "jenkins@bstein.dev" git config user.name "jenkins" git remote set-url origin https://${GIT_USER}:${GIT_TOKEN}@scm.bstein.dev/bstein/titan-iac.git git push origin HEAD:${FLUX_BRANCH} ''' } } } } post { always { script { if (fileExists('build/junit-unit.xml') || fileExists('build/junit-glue.xml')) { try { junit allowEmptyResults: true, testResults: 'build/junit-*.xml' } catch (Throwable err) { echo "junit step unavailable: ${err.class.simpleName}" } } } archiveArtifacts artifacts: 'build/**', allowEmptyArchive: true, fingerprint: true } } }