SCANPY-252 Migrate Poetry workflows to official actions#321
Conversation
0920264 to
6912c9c
Compare
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| - name: Install mise and tools | ||
| uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 | ||
| with: | ||
| version: 2026.5.9 | ||
| tool_versions: | | ||
| python 3.12.1 | ||
| experimental: true | ||
| - name: Configure poetry | ||
| uses: SonarSource/ci-github-actions/config-poetry@v1 | ||
| with: | ||
| artifactory-reader-role: private-reader | ||
| - name: Install dependencies | ||
| run: poetry install |
There was a problem hiding this comment.
seems like you are running the exact same steps as above and also below, perhaps you want to create an anchor that you can reference so they don't run out of sync or you don't need to update it in 3 places.
There was a problem hiding this comment.
Personally, I really don't like them. I find that they make the CI harder to read. As such, I would prefer leaving the duplication in
| @@ -4,6 +4,12 @@ on: | |||
| - cron: "0 2 * * *" | |||
| workflow_dispatch: | |||
There was a problem hiding this comment.
in SonarJS, we actually put this job into the build so that we can safely run it after the analyze has already finished and was succesful.
There was a problem hiding this comment.
That would make sense. I'll see if I can get rid of the Iris.yml workflow
There was a problem hiding this comment.
I removed the Iris.yml workflow and integrated it instead in the build.yml workflow. It is somewhat hard to test on a feature branch due to how the build-poetry action is built. But I think it make sense
| shadow-scans: | ||
| name: Shadow Scans | ||
| if: ${{ github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' }} | ||
| runs-on: github-ubuntu-latest-s | ||
| needs: [coverage] | ||
| permissions: | ||
| id-token: write | ||
| contents: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| - name: Download coverage artifacts | ||
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | ||
| with: | ||
| name: coverage-reports |
There was a problem hiding this comment.
💡 Quality: IRIS sync now runs on every master push, not just schedule
The old Iris.yml workflow triggered IRIS sync only on a daily schedule (cron 0 2 * * *) and workflow_dispatch. By moving the shadow-scans and iris jobs into build.yml, these jobs now also run on every push to master (and on the build workflow's 0 1 * * * schedule), because the if condition github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' is satisfied by push events to master.
This significantly increases how often IRIS sync and shadow scans execute (every merge to master vs. once daily). If this increased frequency is intentional for dogfooding, no change is needed. If IRIS sync is meant to remain a daily/manual operation, consider also gating on github.event_name == 'schedule' (e.g. github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') to preserve the previous cadence.
Was this helpful? React with 👍 / 👎
|
Code Review 👍 Approved with suggestions 0 resolved / 1 findingsMigrates local Poetry workflows to official SonarSource actions and integrates 💡 Quality: IRIS sync now runs on every master push, not just schedule📄 .github/workflows/build.yml:176-190 The old This significantly increases how often IRIS sync and shadow scans execute (every merge to master vs. once daily). If this increased frequency is intentional for dogfooding, no change is needed. If IRIS sync is meant to remain a daily/manual operation, consider also gating on 🤖 Prompt for agentsOptionsAuto-apply is off → Gitar will not commit updates to this branch. Comment with these commands to change:
Was this helpful? React with 👍 / 👎 | Gitar |





Summary
Local validation
Note: actionlint is not installed locally.
Summary by Gitar
jdx/mise-action@v4.0.1across all jobs inbuild.ymlandMacOsNightly.ymlfor unified Python tool management.jfrog-clito2.96.0inmise.toml.MISEexperimental environment variables and Poetry cache paths in workflow global scopes.shadow-scansandirissync jobs to thebuildworkflow for automated analysis.build.ymland restrictedpromotejob execution conditions.config-poetryaction withSonarSource/ci-github-actions/config-poetry@v1and removed local action files.Iris.ymlworkflow and redundant local action symlinks.This will update automatically on new commits.