From 2ae24e4ce8ce145c42607442e552cc86931fa453 Mon Sep 17 00:00:00 2001
From: David Kunzmann
Date: Fri, 24 Oct 2025 11:19:03 +0200
Subject: [PATCH 1/2] SCANPY-219 Migrate shadow scan and iris tasks to github actions

---
 .cirrus.yml                | 20 +---------
 .cirrus/run_iris.sh        | 46 ------------------------
 .github/workflows/Iris.yml | 74 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+), 65 deletions(-)
 delete mode 100755 .cirrus/run_iris.sh
 create mode 100644 .github/workflows/Iris.yml

diff --git a/.cirrus.yml b/.cirrus.yml
index 9aaba700..dd93ee8a 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -6,7 +6,7 @@ env:
   ARTIFACTORY_DEPLOY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
   ARTIFACTORY_DEPLOY_REPO: sonarsource-pypi-public-qa
   GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
-  DEPLOY_PULL_REQUEST: 'true'
+  DEPLOY_PULL_REQUEST: "true"
   POETRY_VIRTUALENVS_PATH: "~/.cache/poetry/venvs"
   POETRY_CACHE_DIR: "~/.cache/poetry/pypoetry"
   SONARQUBE_VERSION: 25.3.0.104237
@@ -103,21 +103,3 @@ its_macos_task:
     fingerprint_script: echo "sonarqube-$SONARQUBE_VERSION"
   its_script:
     - .cirrus/run_its.sh
-
-run_iris_task:
-  <<: *LINUX_CONTAINER_DEFINITION
-  # only executed in CRON job AND on master branch
-  only_if: $CIRRUS_CRON == $CRON_NIGHTLY_JOB_NAME && $CIRRUS_BRANCH == "master"
-  env:
-    SONAR_SOURCE_IRIS_TOKEN: VAULT[development/kv/data/iris data.next]
-  matrix:
-    - name: "IRIS SQ NEXT -> Sonarcloud.io"
-      env:
-        SONAR_TARGET_URL: https://sonarcloud.io
-        SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-eu]
-    - name: "IRIS SQ NEXT -> SonarQube.us"
-      env:
-        SONAR_TARGET_URL: https://sonarqube.us
-        SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-us]
-  script:
-    - .cirrus/run_iris.sh
diff --git a/.cirrus/run_iris.sh b/.cirrus/run_iris.sh
deleted file mode 100755
index c39f6c86..00000000
--- a/.cirrus/run_iris.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-: "${ARTIFACTORY_PRIVATE_USERNAME?}" "${ARTIFACTORY_PRIVATE_ACCESS_TOKEN?}" "${ARTIFACTORY_URL?}"
-: "${SONAR_SOURCE_IRIS_TOKEN?}" "${SONAR_TARGET_IRIS_TOKEN?}" "${SONAR_TARGET_URL?}"
-
-function run_iris () {
-  java \
-    -Diris.source.projectKey="SonarSource_sonar-scanner-python" \
-    -Diris.source.url="https://next.sonarqube.com/sonarqube" \
-    -Diris.source.token="$SONAR_SOURCE_IRIS_TOKEN" \
-    -Diris.destination.projectKey="SonarSource_sonar-scanner-python" \
-    -Diris.destination.url="$SONAR_TARGET_URL" \
-    -Diris.destination.token="$SONAR_TARGET_IRIS_TOKEN" \
-    -Diris.destination.organization="sonarsource" \
-    -Diris.dryrun=$1 \
-    -jar iris-\[RELEASE\]-jar-with-dependencies.jar
-}
-
-VERSION="\[RELEASE\]"
-HTTP_CODE=$(\
-  curl \
-    --write-out '%{http_code}' \
-    --location \
-    --remote-name \
-    --user "$ARTIFACTORY_PRIVATE_USERNAME:$ARTIFACTORY_PRIVATE_ACCESS_TOKEN" \
-    "$ARTIFACTORY_URL/sonarsource-private-releases/com/sonarsource/iris/iris/$VERSION/iris-$VERSION-jar-with-dependencies.jar"\
-)
-
-if [ "$HTTP_CODE" != "200" ]; then
-  echo "Download $VERSION failed -> $HTTP_CODE"
-  exit 1
-else
-  echo "Downloaded $VERSION"
-fi
-
-echo "===== Execute IRIS as dry-run"
-run_iris "true"
-STATUS=$?
-if [ $STATUS -ne 0 ]; then
-  echo "===== Failed to run IRIS dry-run"
-  exit 1
-else
-  echo "===== Successful IRIS dry-run - executing IRIS for real."
-  run_iris "false"
-fi
diff --git a/.github/workflows/Iris.yml b/.github/workflows/Iris.yml
new file mode 100644
index 00000000..c9b39c83
--- /dev/null
+++ b/.github/workflows/Iris.yml
@@ -0,0 +1,74 @@
+name: Iris sync
+on:
+  schedule:
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  coverage:
+    name: "Coverage report generation"
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - name: Configure poetry
+        uses: ./.github/actions/config-poetry
+      - run: |
+          poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests
+          poetry run mypy src/ > mypy-report.txt || true
+      - name: Upload coverage artifacts
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: coverage-reports
+          path: |
+            coverage.xml
+            mypy-report.txt
+
+  shadow-scans:
+    name: Shadow Scans
+    needs: coverage
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+
+      - name: Download coverage artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: coverage-reports
+
+      - name: Build and run shadow scan
+        uses: SonarSource/ci-github-actions/build-poetry@v1
+        with:
+          sonar-platform: next
+          run-shadow-scans: true
+          artifactory-reader-role: private-reader
+          artifactory-deployer-role: qa-deployer
+
+  iris:
+    name: IRIS Sync
+    needs: shadow-scans
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Run IRIS Analysis
+        uses: SonarSource/unified-dogfooding-actions/run-iris@v1
+        with:
+          primary_project_key: "SonarSource_sonar-scanner-python"
+          primary_platform: "Next"
+          shadow1_project_key: "SonarSource_sonar-scanner-python"
+          shadow1_platform: "SQC-EU"
+          shadow2_project_key: "SonarSource_sonar-scanner-python"
+          shadow2_platform: "SQC-US"

From 692dafe2407a0058741d130e175ed898a551aa03 Mon Sep 17 00:00:00 2001
From: Sebastian Zumbrunn
Date: Mon, 27 Oct 2025 11:28:17 +0100
Subject: [PATCH 2/2] remove unused yml anchors

---
 .cirrus.yml | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index dd93ee8a..0664c3b7 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -17,21 +17,6 @@ env:
 
 only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == 'master' || $CIRRUS_BRANCH =~ "branch-.*")
 
-linux_container_definition: &LINUX_CONTAINER_DEFINITION
-  eks_container:
-    dockerfile: .cirrus/poetry.Dockerfile
-    cluster_name: ${CIRRUS_CLUSTER_NAME}
-    region: eu-central-1
-    namespace: default
-    builder_role: cirrus-builder
-    builder_image: docker-builder-v*
-    builder_instance_type: t3.small
-    use_in_memory_disk: true
-    docker_arguments:
-      CIRRUS_AWS_ACCOUNT: ${CIRRUS_AWS_ACCOUNT}
-    cpu: 3
-    memory: 8G
-
 .jfrog_config_template: &JFROG_CONFIG_TEMPLATE
   jfrog_config_script:
     - $JF_ALIAS config add repox --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_PRIVATE_ACCESS_TOKEN"
@@ -43,12 +28,6 @@ poetry_cache_template: &POETRY_CACHE
     folder: ~/.cache/poetry/
   fingerprint_script: cat poetry.lock
 
-.poetry_install_template: &POETRY_INSTALL
-  <<: *POETRY_CACHE
-  <<: *JFROG_CONFIG_TEMPLATE
-  poetry_install_script:
-    - poetry install
-
 .poetry_macos_template: &POETRY_MACOS_TEMPLATE
   <<: *POETRY_CACHE
   jfrog_install_script:
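Review bot: All three jobs in the new Iris.yml request `contents: write`, but none of the visible steps writes to the repository — `coverage` checks out, runs pytest/mypy and uploads an artifact, `shadow-scans` checks out and downloads an artifact, and `iris` has no checkout at all — so each `permissions` block should drop to `contents: read` (keeping `id-token: write` for the OIDC exchange), or carry a one-line comment such as `# contents: write required by build-poetry to push <what>` if the composite action genuinely needs it. The token scope matters more than it did under Cirrus because `workflow_dispatch` allows the workflow to be started from any branch, whereas the removed `run_iris_task` ran only under `$CIRRUS_CRON == $CRON_NIGHTLY_JOB_NAME && $CIRRUS_BRANCH == "master"`. Separately, `actions/checkout`, `upload-artifact` and `download-artifact` are pinned to full commit SHAs with a `# vX.Y.Z` comment, while `SonarSource/ci-github-actions/build-poetry@v1` and `SonarSource/unified-dogfooding-actions/run-iris@v1` float on a mutable tag; pinning those two the same way keeps the supply-chain posture consistent across the file.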