@Library('fzx-jenkins-library') _

pipeline {
    agent any

    tools {
        maven 'Maven 3.9'
        jdk 'JDK 21'
    }

    triggers {
        // =====================================================================
        // 架构优化说明（2026-06-28，符合大厂CI/CD标准）：
        // 原设计：Fzx-Build(构建) + Fzx-Deploy(部署) 双流水线各自独立触发
        // 问题点：1) 重复拉取代码+双重构建，浪费资源；2) 竞态条件导致"构建未结束就部署"
        //         3) 版本不一致风险，违反阿里发布可追溯原则
        // 优化后：仅Fzx-Deploy流水线自包含全流程(拉取→安全→构建→质量门禁→镜像→部署)
        //         Fzx-Build保留为【手动快速验证工具】，不自动触发
        // 使用场景：需要快速验证代码编译通过时，手动点击Build with Parameters触发Fzx-Build
        // =====================================================================
        // pollSCM已禁用（避免自动触发），如需手动验证请在Jenkins UI点击"Build with Parameters"
        // GenericTrigger已禁用（避免与Fzx-Deploy重复触发）
    }

    parameters {
        string(name: 'BRANCH', defaultValue: 'develop', description: 'Git分支')
        string(name: 'ENVIRONMENT', defaultValue: 'dev', description: '构建环境: dev/staging/prod')
        string(name: 'FULL_VERSION', defaultValue: '', description: '完整版本号（由外部传入）')
        string(name: 'BASE_VERSION', defaultValue: '', description: '基础版本号')
        string(name: 'DINGTALK_WEBHOOK', defaultValue: '', description: '钉钉通知Webhook地址')
        
        booleanParam(name: 'CLEAN_BUILD', defaultValue: false, description: '清理构建（清理旧产物，执行全量构建）')
        booleanParam(name: 'FORCE_BUILD', defaultValue: false, description: '强制构建（忽略变更检查）')
        booleanParam(name: 'SKIP_CODE_QUALITY', defaultValue: false, description: '跳过代码质量检测（仅在紧急修复时使用）')
        booleanParam(name: 'AUTO_TRIGGER_DEPLOY', defaultValue: true, description: '自动触发部署流水线')
        booleanParam(name: 'INCREMENTAL_DEPLOY', defaultValue: true, description: '启用增量部署')
    }

    options {
        buildDiscarder(logRotator(
            daysToKeepStr: '3',
            numToKeepStr: '5',
            artifactDaysToKeepStr: '3',
            artifactNumToKeepStr: '3',
            discardBuildArtifacts: true
        ))
        disableConcurrentBuilds()
        timeout(time: 60, unit: 'MINUTES')
        timestamps()
        lock(resource: "fzx-platform-build-lock", inversePrecedence: true)
    }

    environment {
        // ===== 依赖仓库配置 =====
        ALIYUN_MAVEN_URL = 'https://maven.aliyun.com/repository/public'
        
        // ===== 构建配置 =====
        MAVEN_OPTS = '-Xmx2g -XX:+UseSerialGC -Dhttp.connection.timeout=300000'
        MVN_ARGS = '-T 1 -Dmaven.compiler.failOnError=true -Dmaven.deploy.parallel=false'
        
        // ===== 环境标识 =====
        ENVIRONMENT = "${params.ENVIRONMENT ?: 'dev'}"
        
        // ===== 版本信息 =====
        FULL_VERSION = "${params.FULL_VERSION ?: ''}"
        BASE_VERSION = "${params.BASE_VERSION ?: ''}"
        
        // ===== 部署控制 =====
        AUTO_TRIGGER_DEPLOY = "${params.AUTO_TRIGGER_DEPLOY ?: 'true'}"
        INCREMENTAL_DEPLOY = "${params.INCREMENTAL_DEPLOY ?: 'true'}"
        
        // ===== 通知配置 =====
        DINGTALK_WEBHOOK = "${params.DINGTALK_WEBHOOK ?: ''}"
    }

    stages {
        stage('Branch Protection') {
            steps {
                script {
                    def allowedBranches = ['develop', 'release/*', 'hotfix/*', 'master']
                    def branch = env.BRANCH_NAME ?: params.BRANCH
                    echo "🌿 当前分支: ${branch}"
                    
                    def isAllowed = allowedBranches.any { it == branch || (it.contains('*') && branch ==~ it.replace('*', '.*')) }
                    if (!isAllowed) {
                        error("❌ 分支 ${branch} 不在允许构建的分支列表中\n允许的分支: ${allowedBranches.join(', ')}")
                    }
                    echo "✅ 分支 ${branch} 通过分支保护校验"
                }
            }
        }

        stage('Production Approval') {
            when {
                environment name: 'ENVIRONMENT', value: 'prod'
            }
            steps {
                input message: '请确认部署到生产环境?', submitter: 'ops-team'
            }
        }

        stage('Environment Validation') {
            steps {
                script {
                    echo '🔍 执行环境验证（预防措施）'

                    def errors = []

                    // 1. 验证settings.xml中server ID配置
                    echo '⚙️ 验证Maven settings.xml配置...'
                    def settingsCheck = sh script: "grep -q 'nexus-snapshots' ~/.m2/settings.xml && echo 'OK' || echo 'MISSING'", returnStdout: true
                    if (settingsCheck.trim() != 'OK') {
                        errors.add("settings.xml缺少nexus-snapshots配置")
                        echo '❌ settings.xml验证失败'
                    } else {
                        echo '✅ settings.xml配置正确'
                    }

                    // 2. 验证代码质量检查脚本存在
                    echo '📜 验证代码质量检查脚本...'
                    def scriptCheck = sh script: "test -f scripts/version_check.py && echo 'OK' || echo 'MISSING'", returnStdout: true
                    if (scriptCheck.trim() != 'OK') {
                        errors.add("version_check.py脚本不存在")
                        echo '❌ 脚本验证失败'
                    } else {
                        echo '✅ 脚本存在'
                    }

                    // 3. 验证Git配置
                    echo '🌿 验证Git配置...'
                    def gitCheck = sh script: "git rev-parse --git-dir > /dev/null 2>&1 && echo 'OK' || echo 'FAIL'", returnStdout: true
                    if (gitCheck.trim() != 'OK') {
                        errors.add("Git仓库配置异常")
                        echo '❌ Git验证失败'
                    } else {
                        echo '✅ Git配置正确'
                    }

                    // 如果有验证失败，终止构建
                    if (errors.size() > 0) {
                        error("❌ 环境验证失败:\n${errors.join('\n')}\n\n请根据错误信息修复环境配置")
                    }

                    echo '✅ 所有环境验证通过'
                }
            }
        }

        stage('Clean Workspace') {
            steps {
                script {
                    echo '🧹 检查并清理旧构建产物'
                    
                    // 检查是否存在旧的构建产物
                    def hasOldBuild = sh script: '''
                        if [ -d "target" ] && [ -n "$(find target -name "*.jar" 2>/dev/null)" ]; then
                            echo "YES"
                        elif [ -d ".repository" ] && [ -n "$(find .repository -name "*.jar" 2>/dev/null)" ]; then
                            echo "YES"
                        else
                            echo "NO"
                        fi
                    ''', returnStdout: true
                    
                    // 检查旧构建产物大小
                    def oldBuildSize = sh script: '''
                        total=0
                        if [ -d "target" ]; then
                            du -sb target 2>/dev/null | cut -f1 || echo "0"
                        else
                            echo "0"
                        fi
                    ''', returnStdout: true
                    
                    def oldBuildSizeMB = (oldBuildSize.trim().toInteger() / 1024 / 1024).toInteger()
                    echo "📊 检测到旧构建产物大小: ${oldBuildSizeMB} MB"
                    
                    // 如果旧构建产物大于100MB，提示清理
                    if (oldBuildSizeMB > 100) {
                        echo "⚠️ 旧构建产物较大（${oldBuildSizeMB} MB），建议清理以加快构建速度"
                    }
                    
                    // 根据构建参数决定是否清理
                    def cleanOldBuild = params.CLEAN_BUILD ?: false
                    if (cleanOldBuild) {
                        echo '🔄 执行全量构建，清理所有旧构建产物...'
                        sh '''
                            echo "🗑️ 清理旧构建产物..."
                            # 清理Maven构建产物
                            if [ -d "target" ]; then
                                echo "  - 清理 target 目录"
                                rm -rf target
                            fi
                            # 清理本地Maven仓库中的旧构件（可选）
                            if [ -d ".repository" ]; then
                                echo "  - 清理 .repository 目录"
                                rm -rf .repository
                            fi
                            # 清理所有服务的target目录
                            for svc in services/*/; do
                                if [ -d "${svc}target" ]; then
                                    echo "  - 清理 ${svc}target"
                                    rm -rf "${svc}target"
                                fi
                            done
                            echo "✅ 旧构建产物清理完成"
                        '''
                    } else {
                        echo '⚠️ 跳过旧构建产物清理（增量构建模式）'
                        echo '💡 如需清理，请设置 CLEAN_BUILD=true 参数'
                    }
                }
            }
        }

        stage('Pre-Build') {
            steps {
                script {
                    // 关键步骤：同步VERSION文件到pom.xml（确保单一版本源）
                    echo '🔄 同步版本号（VERSION文件 -> pom.xml）'
                    sh "python scripts/update_version.py --fix"
                    
                    // 计算完整版本号
                    def pomVersion = sh(script: 'mvn help:evaluate -Dexpression=project.version -q -DforceStdout', returnStdout: true).trim()
                    def branch = sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim()
                    def commitHash = sh(script: 'git rev-parse --short=8 HEAD', returnStdout: true).trim()
                    def buildNum = env.BUILD_NUMBER ?: new Date().format('yyyyMMddHHmmss')
                    def baseVersion = pomVersion.replace('-SNAPSHOT', '')
                    def cleanBranch = branch.replace('/', '-')

                    // 设置环境变量
                    env.POM_VERSION = pomVersion
                    env.BASE_VERSION = baseVersion
                    env.BRANCH_NAME = branch
                    env.COMMIT_HASH = commitHash
                    env.BUILD_NUM = buildNum

                    // 生成完整版本号（优先使用传入参数）
                    if (!env.FULL_VERSION) {
                        env.FULL_VERSION = "${baseVersion}-${cleanBranch}-${commitHash}-${buildNum}"
                    }

                    echo "="*70
                    echo "📋 构建参数"
                    echo "="*70
                    echo "🌿 分支: ${branch}"
                    echo "🔗 Commit: ${commitHash}"
                    echo "🏗️ 构建号: ${buildNum}"
                    echo "📦 Maven版本: ${pomVersion}"
                    echo "📊 完整版本号: ${env.FULL_VERSION}"
                    echo "🖥️ 环境: ${env.ENVIRONMENT}"
                    echo "🚀 自动触发部署: ${env.AUTO_TRIGGER_DEPLOY}"
                    echo "="*70
                }
            }
        }

        stage('版本合规校验') {
            steps {
                echo '🔍 执行版本合规校验（大厂标准）'
                sh "python scripts/version_check.py"
            }
            post {
                success {
                    echo '✅ 版本合规校验通过'
                }
                failure {
                    echo '❌ 版本合规校验失败'
                    error('版本不合规，终止构建')
                }
            }
        }

        stage('Build') {
            steps {
                script {
                    echo '🔧 检查Maven依赖仓库可用性'
                    
                    // 检查主仓库（阿里云）是否可用
                    def aliyunCheck = sh script: "curl -s -o /dev/null -w '%{http_code}' https://maven.aliyun.com/repository/public/ || echo '000'", returnStdout: true
                    
                    if (aliyunCheck.trim() != '200') {
                        echo "⚠️ 阿里云Maven仓库不可用 (HTTP ${aliyunCheck.trim()})"
                        echo "🔄 尝试使用备选仓库..."
                    } else {
                        echo '✅ 阿里云Maven仓库可用'
                    }
                    
                    // 执行构建，最多重试3次
                    def maxRetries = 3
                    def buildSuccess = false
                    def attempt = 0
                    
                    while (attempt < maxRetries && !buildSuccess) {
                        attempt++
                        echo "📦 构建尝试 ${attempt}/${maxRetries}"
                        
                        def exitCode = sh script: "mvn clean package ${MVN_ARGS}", returnStatus: true
                        
                        if (exitCode == 0) {
                            buildSuccess = true
                            echo "✅ 构建成功"
                        } else {
                            echo "⚠️ 构建失败 (尝试 ${attempt}/${maxRetries})"
                            if (attempt < maxRetries) {
                                echo "🔄 等待5秒后重试..."
                                sleep 5
                            }
                        }
                    }
                    
                    if (!buildSuccess) {
                        error("❌ 构建失败，已尝试${maxRetries}次，请检查依赖配置")
                    }
                }
            }
            post {
                success {
                    echo '✅ 编译成功'
                }
                failure {
                    echo '❌ 编译失败'
                    error('构建失败，终止流水线')
                }
            }
        }

        stage('Code Quality Analysis') {
            when {
                not { expression { params.SKIP_CODE_QUALITY } }
            }
            steps {
                script {
                    echo '🔍 开始代码质量检测（按照阿里开发手册规范）'
                    
                    def failedChecks = []
                    
                    // 0. 先安装依赖到本地Maven仓库（确保代码质量检测能找到依赖）
                    echo '📦 安装项目依赖到本地仓库...'
                    def installExitCode = sh script: "mvn install -Dcheckstyle.skip -Dpmd.skip -Dspotbugs.skip ${MVN_ARGS}", returnStatus: true
                    if (installExitCode != 0) {
                        echo "⚠️ 安装依赖失败，将尝试继续检测..."
                    } else {
                        echo '✅ 依赖安装完成'
                    }

                    // 1. Checkstyle检测（代码风格检查）
                    echo '📝 执行Checkstyle代码风格检测'
                    def checkstyleExitCode = sh script: "mvn checkstyle:check ${MVN_ARGS}", returnStatus: true
                    if (checkstyleExitCode != 0) {
                        failedChecks.push('Checkstyle')
                        echo '❌ Checkstyle检测失败'
                    } else {
                        echo '✅ Checkstyle检测通过'
                    }

                    // 2. PMD检测（静态代码分析）
                    echo '🔍 执行PMD静态代码分析'
                    def pmdExitCode = sh script: "mvn pmd:check pmd:cpd-check ${MVN_ARGS}", returnStatus: true
                    if (pmdExitCode != 0) {
                        failedChecks.push('PMD')
                        echo '❌ PMD检测失败'
                    } else {
                        echo '✅ PMD检测通过'
                    }

                    // 3. SpotBugs检测（潜在缺陷检测）
                    echo '🐛 执行SpotBugs潜在缺陷检测'
                    def spotbugsExitCode = sh script: "mvn spotbugs:check ${MVN_ARGS}", returnStatus: true
                    if (spotbugsExitCode != 0) {
                        failedChecks.push('SpotBugs')
                        echo '❌ SpotBugs检测失败'
                    } else {
                        echo '✅ SpotBugs检测通过'
                    }

                    // 4. Dependency Check（依赖安全检测）- 所有环境执行，dev环境阈值宽松
                    echo '🛡️ 执行依赖安全检测'
                    def depCheckArgs = env.ENVIRONMENT == 'dev' ? '-DfailBuildOnCVSS=9' : ''
                    def depCheckExitCode = sh script: "mvn dependency-check:check ${depCheckArgs} ${MVN_ARGS}", returnStatus: true
                    if (depCheckExitCode != 0) {
                        failedChecks.push('Dependency Check')
                        echo '❌ 依赖安全检测失败'
                    } else {
                        echo '✅ 依赖安全检测通过'
                    }

                    // 如果有检测失败，终止构建并输出详细信息
                    if (failedChecks.size() > 0) {
                        error("❌ 代码质量检测未通过，失败项: ${failedChecks.join(', ')}\n请根据检测报告修复代码后重新构建")
                    }

                    echo '✅ 所有代码质量检测通过'
                }
            }
        }

        stage('SonarQube Analysis') {
            when {
                not { expression { params.SKIP_CODE_QUALITY } }
            }
            steps {
                script {
                    echo "🔍 SonarQube分析 - 环境: ${env.ENVIRONMENT}"
                    withSonarQubeEnv('sonar-fzx') {
                        def isDevEnv = env.ENVIRONMENT == 'dev'
                        // 大厂标准：所有环境都等待安全门禁结果，dev环境对关键安全问题阻断
                        // 非dev环境：等待完整质量门禁
                        // dev环境：不等待完整质量门禁，但强制要求安全规则通过（通过sonar参数控制）
                        def sonarArgs = isDevEnv 
                            ? '-Dsonar.qualitygate.wait=false -Dsonar.security.standards=owaspTop10,sansTop25 -Dsonar.security.hotspots.reviewPriority=high'
                            : '-Dsonar.qualitygate.wait=true'
                        
                        // 激活硬编码密钥检测规则集（阿里开发手册重点要求）
                        def secretDetectionProfile = '-Dsonar.issue.ignore.multicriteria=false'
                        
                        sh "mvn sonar:sonar -Dsonar.projectKey=fzx-platform -Dsonar.projectName=fzx-platform -Dsonar.version=${env.FULL_VERSION} ${secretDetectionProfile} ${sonarArgs}"
                        
                        echo "📊 SonarQube分析完成，查看报告: http://8.140.221.49:9000/dashboard?id=fzx-platform"
                        echo "🔒 重点检查项：硬编码密钥(S2068/S6437)、SQL注入(S3649)、XSS漏洞(P3146)"
                    }
                }
            }
        }

        stage('Quality Gate') {
            when {
                allOf {
                    not { environment name: 'ENVIRONMENT', value: 'dev' }
                    not { expression { params.SKIP_CODE_QUALITY } }
                }
            }
            steps {
                timeout(time: 1, unit: 'HOURS') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }

        stage('Artifact Integrity Check') {
            steps {
                script {
                    echo '🔍 执行制品完整性校验'
                    def errors = []
                    
                    // 1. 检查jar包是否存在
                    def jarFiles = sh(script: 'find services -name "*.jar" -path "*/target/*" 2>/dev/null | head -20', returnStdout: true).trim()
                    if (!jarFiles) {
                        errors.add('未找到构建产物jar包')
                    } else {
                        echo "📦 找到以下jar包:\n${jarFiles}"
                    }
                    
                    // 2. 校验迁移脚本是否打入jar包
                    def firstJar = sh(script: 'find services -name "*.jar" -path "*/target/*" 2>/dev/null | head -1', returnStdout: true).trim()
                    if (firstJar) {
                        def hasMigrations = sh(script: "jar -tf ${firstJar} | grep -q 'db/migrations/' && echo 'YES' || echo 'NO'", returnStdout: true).trim()
                        if (hasMigrations == 'YES') {
                            echo '✅ jar包中包含迁移脚本'
                        } else {
                            errors.add("jar包 ${firstJar} 中缺少迁移脚本")
                        }
                    }
                    
                    // 3. 检查jar包大小（防止空包）
                    if (firstJar) {
                        def jarSize = sh(script: "wc -c < ${firstJar}", returnStdout: true).trim().toInteger()
                        if (jarSize < 1024 * 1024) {
                            errors.add("jar包 ${firstJar} 异常小（${jarSize} bytes）")
                        } else {
                            echo "✅ jar包大小正常（${(jarSize / 1024 / 1024).round(2)} MB）"
                        }
                    }
                    
                    if (errors.size() > 0) {
                        error("❌ 制品完整性校验失败:\n${errors.join('\n')}")
                    }
                    echo '✅ 制品完整性校验通过'
                }
            }
        }

        stage('Hardcoded Secret Pre-Scan') {
            steps {
                script {
                    echo '🔒 执行硬编码密钥预扫描（大厂安全红线）'
                    
                    def secretPatterns = [
                        [name: '钉钉Token', pattern: 'access_token[=:]\\s*[a-f0-9]{32,}', severity: 'P0'],
                        [name: 'AK/SK密钥', pattern: '(accesskey|secretkey|access_key|secret_key)[=:]\\s*[A-Za-z0-9]{16,}', severity: 'P0'],
                        [name: '密码明文', pattern: '(password|passwd|pwd)[=:]\\s*["\'][^"\'\\n]{6,}["\']', severity: 'P0'],
                        [name: 'JWT密钥', pattern: '(jwt\\.?secret|jwt_secret)[=:]\\s*[A-Za-z0-9_\\-]{16,}', severity: 'P0'],
                        [name: 'Redis密码', pattern: 'redis.*password[=:]\\s*[^\\s\\n$]{6,}', severity: 'P1'],
                        [name: '数据库连接串含密码', pattern: 'jdbc:mysql://[^\\s]+password=[^\\s&]+', severity: 'P0'],
                        [name: 'Private Key', pattern: '-----BEGIN (RSA|EC|DSA|OPENSSH) PRIVATE KEY-----', severity: 'P0']
                    ]
                    
                    def foundSecrets = []
                    
                    secretPatterns.each { rule ->
                        def scanResult = sh(
                            script: "grep -rIn --exclude-dir={.git,target,node_modules,.idea,.settings} -E '${rule.pattern}' . 2>/dev/null | head -20 || true",
                            returnStdout: true
                        ).trim()
                        
                        if (scanResult) {
                            foundSecrets << [
                                rule: rule.name,
                                severity: rule.severity,
                                details: scanResult.readLines()
                            ]
                        }
                    }
                    
                    if (foundSecrets.size() > 0) {
                        echo "❌ 检测到 ${foundSecrets.size()} 类硬编码密钥风险:"
                        foundSecrets.each { secret ->
                            echo "  [${secret.severity}] ${secret.rule}:"
                            secret.details.each { line ->
                                echo "    - ${line.take(200)}"
                            }
                        }
                        
                        def p0Count = foundSecrets.count { it.severity == 'P0' }
                        if (p0Count > 0) {
                            error("❌ 检测到 ${p0Count} 项P0级硬编码密钥风险，阻断构建。\n请修复后重新提交，参考方案：\n1. 使用Jenkins Credentials管理敏感信息\n2. 通过环境变量注入而非硬编码\n3. 使用Nacos配置中心的加密配置功能")
                        } else {
                            echo "⚠️ 检测到非P0级密钥风险，建议修复但不阻断构建"
                        }
                    } else {
                        echo '✅ 硬编码密钥预扫描通过，未发现明文密钥'
                    }
                }
            }
        }

        stage('Archive Artifacts') {
            steps {
                script {
                    echo '📦 归档构建产物（含审计溯源文件）'
                    
                    if (!fileExists('version.json')) {
                        echo '⚠️ version.json不存在，触发生成...'
                        sh 'python scripts/update_version.py --fix 2>&1 || true'
                    }
                    
                    archiveArtifacts(
                        artifacts: 'version.json',
                        fingerprint: true,
                        onlyIfSuccessful: false,
                        allowEmptyArchive: true
                    )
                    echo '✅ 版本溯源文件 version.json 已归档（发布审计必备）'
                    
                    archiveArtifacts(
                        artifacts: 'services/**/target/*.jar',
                        fingerprint: true,
                        onlyIfSuccessful: true,
                        allowEmptyArchive: true
                    )
                    
                    archiveArtifacts(
                        artifacts: '**/target/checkstyle-result.xml,**/target/pmd.xml,**/target/spotbugsXml.xml,**/target/dependency-check-report.html',
                        fingerprint: false,
                        onlyIfSuccessful: false,
                        allowEmptyArchive: true
                    )
                    echo '✅ 代码质量检测报告已归档'
                    
                    archiveArtifacts(
                        artifacts: 'build.log',
                        fingerprint: false,
                        onlyIfSuccessful: false,
                        allowEmptyArchive: true
                    )
                    
                    echo '🧹 清理旧构建产物以节省磁盘空间...'
                    sh '''
                        find services -type d -name "target" -mtime +3 2>/dev/null | head -50 | xargs rm -rf 2>/dev/null || true
                        find . -type f -name "*.tmp" -o -name "*.bak" -mtime +10 2>/dev/null | xargs rm -f 2>/dev/null || true
                    '''
                    echo '✅ 构建产物归档完成（符合大厂合规标准）'
                }
            }
        }
    }

    post {
        always {
            echo "="*70
            echo "📊 构建验证完成"
            echo "="*70
            echo "ℹ️  【工具说明】本流水线(Fzx-Build)仅供【手动快速验证编译】使用"
            echo "ℹ️  自动部署请使用 Fzx-Deploy 流水线（包含完整全流程:构建+安全+镜像+部署）"
            echo "🖥️ 环境: ${env.ENVIRONMENT}"
            echo "📦 Maven版本: ${env.POM_VERSION ?: '未获取'}"
            echo "📊 完整版本号: ${env.FULL_VERSION ?: '未生成'}"
            echo "🌿 分支: ${env.BRANCH_NAME ?: '未获取'}"
            echo "🔗 Commit: ${env.COMMIT_HASH ?: '未获取'}"
            echo "🏗️ 构建号: ${env.BUILD_NUM ?: '未获取'}"
            echo "="*70
        }
        success {
            echo '🎉 流水线执行成功!'
            script {
                sendNotification("构建成功: ${JOB_NAME} #${BUILD_NUMBER}\n版本: ${env.FULL_VERSION}\n环境: ${env.ENVIRONMENT}\n分支: ${env.BRANCH_NAME}")
            }
        }
        failure {
            echo '💥 流水线执行失败!'
            script {
                sendNotification("构建失败: ${JOB_NAME} #${BUILD_NUMBER}\n环境: ${env.ENVIRONMENT}\n状态: FAILURE")
                cleanWs()
            }
        }
    }
}

// ============================================
// 通知辅助函数（符合大厂最佳实践）
// ============================================

/**
 * 发送钉钉通知
 * @param message 通知消息内容
 */
def sendNotification(String message) {
    echo "📧 通知: ${message}"
    
    def webhook = env.DINGTALK_WEBHOOK ?: params.DINGTALK_WEBHOOK
    if (!webhook) {
        echo "ℹ️ 未配置钉钉Webhook，跳过通知"
        return
    }
    
    try {
        def payload = """{
            "msgtype": "text",
            "text": {
                "content": "${message.replace('"', '\\"')}"
            }
        }"""
        
        httpRequest(
            url: webhook,
            method: 'POST',
            requestBody: payload,
            contentType: 'application/json',
            timeout: 10
        )
        echo "✅ 钉钉通知发送成功"
    } catch (Exception e) {
        echo "⚠️ 钉钉通知发送失败: ${e.message}"
    }
}
