Skip to content

SCANPY-252 Migrate Poetry workflows to official actions#321

Merged
Seppli11 merged 7 commits into
masterfrom
sz/migrate-to-official-poetry-actions
Jun 26, 2026
Merged

SCANPY-252 Migrate Poetry workflows to official actions#321
Seppli11 merged 7 commits into
masterfrom
sz/migrate-to-official-poetry-actions

Conversation

@Seppli11

@Seppli11 Seppli11 commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Summary

  • replace local config-poetry action usage with SonarSource/ci-github-actions/config-poetry@v1
  • keep build jobs on SonarSource/ci-github-actions/build-poetry@v1
  • remove the local config-poetry action files

Local validation

  • rg "./.github/actions/config-poetry" .github
  • python3 YAML parse for .github/workflows/*.yml
  • git diff --check

Note: actionlint is not installed locally.


Summary by Gitar

  • Tooling and environment:
    • Integrated jdx/mise-action@v4.0.1 across all jobs in build.yml and MacOsNightly.yml for unified Python tool management.
    • Updated jfrog-cli to 2.96.0 in mise.toml.
    • Defined MISE experimental environment variables and Poetry cache paths in workflow global scopes.
  • Pipeline enhancements:
    • Added shadow-scans and iris sync jobs to the build workflow for automated analysis.
    • Added scheduled daily triggers to build.yml and restricted promote job execution conditions.
  • CI/CD migration:
    • Replaced local config-poetry action with SonarSource/ci-github-actions/config-poetry@v1 and removed local action files.
  • Cleanup:
    • Removed Iris.yml workflow and redundant local action symlinks.

This will update automatically on new commits.

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title Migrate Poetry workflows to official actions SCANPY-252 Migrate Poetry workflows to official actions Jun 25, 2026
@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Jun 25, 2026

Copy link
Copy Markdown

SCANPY-252

@Seppli11 Seppli11 requested review from a team and removed request for a team June 25, 2026 13:39
@Seppli11 Seppli11 force-pushed the sz/migrate-to-official-poetry-actions branch from 0920264 to 6912c9c Compare June 26, 2026 09:59
@Seppli11 Seppli11 requested a review from a team June 26, 2026 11:36

@zglicz zglicz left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

small nits

Comment on lines 101 to +115
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install mise and tools
uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
with:
version: 2026.5.9
tool_versions: |
python 3.12.1
experimental: true
- name: Configure poetry
uses: SonarSource/ci-github-actions/config-poetry@v1
with:
artifactory-reader-role: private-reader
- name: Install dependencies
run: poetry install

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems like you are running the exact same steps as above and also below, perhaps you want to create an anchor that you can reference so they don't run out of sync or you don't need to update it in 3 places.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally, I really don't like them. I find that they make the CI harder to read. As such, I would prefer leaving the duplication in

Comment thread .github/workflows/Iris.yml Outdated
Comment on lines 1 to 5
@@ -4,6 +4,12 @@ on:
- cron: "0 2 * * *"
workflow_dispatch:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in SonarJS, we actually put this job into the build so that we can safely run it after the analyze has already finished and was succesful.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would make sense. I'll see if I can get rid of the Iris.yml workflow

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed the Iris.yml workflow and integrated it instead in the build.yml workflow. It is somewhat hard to test on a feature branch due to how the build-poetry action is built. But I think it make sense

Comment on lines +176 to +190
shadow-scans:
name: Shadow Scans
if: ${{ github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' }}
runs-on: github-ubuntu-latest-s
needs: [coverage]
permissions:
id-token: write
contents: write
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Download coverage artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: coverage-reports

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Quality: IRIS sync now runs on every master push, not just schedule

The old Iris.yml workflow triggered IRIS sync only on a daily schedule (cron 0 2 * * *) and workflow_dispatch. By moving the shadow-scans and iris jobs into build.yml, these jobs now also run on every push to master (and on the build workflow's 0 1 * * * schedule), because the if condition github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' is satisfied by push events to master.

This significantly increases how often IRIS sync and shadow scans execute (every merge to master vs. once daily). If this increased frequency is intentional for dogfooding, no change is needed. If IRIS sync is meant to remain a daily/manual operation, consider also gating on github.event_name == 'schedule' (e.g. github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') to preserve the previous cadence.

Was this helpful? React with 👍 / 👎

@sonarqube-next

Copy link
Copy Markdown

Quality Gate passed Quality Gate passed for 'Python Scanner'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@Seppli11 Seppli11 merged commit 8064b09 into master Jun 26, 2026
40 checks passed
@Seppli11 Seppli11 deleted the sz/migrate-to-official-poetry-actions branch June 26, 2026 13:21
@gitar-bot

gitar-bot Bot commented Jun 26, 2026

Copy link
Copy Markdown
Code Review 👍 Approved with suggestions 0 resolved / 1 findings

Migrates local Poetry workflows to official SonarSource actions and integrates jdx/mise-action for centralized tool management. Ensure the new IRIS sync job is scoped to scheduled runs only to avoid unnecessary resource consumption on every master push.

💡 Quality: IRIS sync now runs on every master push, not just schedule

📄 .github/workflows/build.yml:176-190

The old Iris.yml workflow triggered IRIS sync only on a daily schedule (cron 0 2 * * *) and workflow_dispatch. By moving the shadow-scans and iris jobs into build.yml, these jobs now also run on every push to master (and on the build workflow's 0 1 * * * schedule), because the if condition github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' is satisfied by push events to master.

This significantly increases how often IRIS sync and shadow scans execute (every merge to master vs. once daily). If this increased frequency is intentional for dogfooding, no change is needed. If IRIS sync is meant to remain a daily/manual operation, consider also gating on github.event_name == 'schedule' (e.g. github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') to preserve the previous cadence.

🤖 Prompt for agents
Code Review: Migrates local Poetry workflows to official SonarSource actions and integrates `jdx/mise-action` for centralized tool management. Ensure the new IRIS sync job is scoped to scheduled runs only to avoid unnecessary resource consumption on every master push.

1. 💡 Quality: IRIS sync now runs on every master push, not just schedule
   Files: .github/workflows/build.yml:176-190

   The old `Iris.yml` workflow triggered IRIS sync only on a daily schedule (cron `0 2 * * *`) and `workflow_dispatch`. By moving the `shadow-scans` and `iris` jobs into `build.yml`, these jobs now also run on every `push` to `master` (and on the build workflow's `0 1 * * *` schedule), because the `if` condition `github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch'` is satisfied by push events to master.
   
   This significantly increases how often IRIS sync and shadow scans execute (every merge to master vs. once daily). If this increased frequency is intentional for dogfooding, no change is needed. If IRIS sync is meant to remain a daily/manual operation, consider also gating on `github.event_name == 'schedule'` (e.g. `github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'`) to preserve the previous cadence.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply Compact
gitar auto-apply:on         
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants