diff --git a/.github/actions/config-poetry/action.yml b/.github/actions/config-poetry/action.yml deleted file mode 100644 index be589d68..00000000 --- a/.github/actions/config-poetry/action.yml +++ /dev/null @@ -1,84 +0,0 @@ ---- -name: Configure Poetry -description: GitHub Action to configure a poetry project - -inputs: - python-version: - description: The version of python to use - default: 3.12.1 - poetry-version: - description: The version of poetry to install - default: 2.2.1 - jfrog-version: - description: The version of jFrog to install - default: 2.77.0 - poetry-virtualenvs-path: - description: - Path to the Poetry virtual environments, relative to GitHub workspace. The folder is cached only if it is a subdirectory of - `poetry-cache-dir`. - default: .cache/pypoetry/virtualenvs - poetry-cache-dir: - description: Path to the Poetry cache directory, relative to GitHub workspace. - default: .cache/pypoetry -outputs: - BUILD_NUMBER: - description: The build number, incremented or reused if already cached - value: ${{ steps.get_build_number.outputs.BUILD_NUMBER }} - -runs: - using: composite - steps: - - name: Set build parameters - shell: bash - env: - ARTIFACTORY_READER_ROLE: private-reader - run: | - echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV" - - uses: SonarSource/ci-github-actions/get-build-number@v1 - id: get_build_number - - name: Cache local Poetry cache - uses: SonarSource/gh-action_cache@v1 - with: - path: ${{ inputs.poetry-cache-dir }} - key: poetry-${{ runner.os }}-${{ inputs.python-version }}-${{ hashFiles('poetry.lock') }} - restore-keys: | - poetry-${{ runner.os }}-${{ inputs.python-version }}- - poetry-${{ runner.os }}- - - # python needs to be installed before jfrog and poetry - # (see https://xtranet-sonarsource.atlassian.net/wiki/spaces/Platform/pages/4344217683/Mise+Poetry+Install+-+GitHub) - - name: Install mise and python - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 - with: - version: 2025.7.12 - tool_versions: | - python ${{ inputs.python-version }} - experimental: true # needed to use the http backend for installation of jfrog on windows - - - name: Install jfrog and poetry through mise - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 - with: - version: 2025.7.12 - experimental: true # needed to use the http backend for installation of jfrog on windows - - - name: Vault - # yamllint disable rule:line-length - id: secrets - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0 - with: - secrets: | - development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; - # yamllint enable rule:line-length - - name: Config Poetry - id: config - shell: bash - env: - ARTIFACTORY_URL: https://repox.jfrog.io/artifactory - ARTIFACTORY_PYPI_REPO: sonarsource-pypi - ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }} - POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/${{ inputs.poetry-virtualenvs-path }} - POETRY_CACHE_DIR: ${{ github.workspace }}/${{ inputs.poetry-cache-dir }} - run: | - echo "POETRY_VIRTUALENVS_PATH=${POETRY_VIRTUALENVS_PATH}" >> "$GITHUB_ENV" - echo "POETRY_CACHE_DIR=${POETRY_CACHE_DIR}" >> "$GITHUB_ENV" - ${GITHUB_ACTION_PATH}/config-poetry.sh diff --git a/.github/actions/config-poetry/config-poetry.sh b/.github/actions/config-poetry/config-poetry.sh deleted file mode 100755 index 64b6b47a..00000000 --- a/.github/actions/config-poetry/config-poetry.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -# Config script for SonarSource Poetry projects. - -set -euo pipefail - -: "${ARTIFACTORY_URL:?}" -: "${ARTIFACTORY_PYPI_REPO:?}" "${ARTIFACTORY_ACCESS_TOKEN:?}" -: "${BUILD_NUMBER:?}" "${GITHUB_REPOSITORY:?}" - -set_build_env() { - export PROJECT=${GITHUB_REPOSITORY#*/} - echo "PROJECT: $PROJECT" -} - -config_poetry() { - jf config add repox --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_ACCESS_TOKEN" - jf poetry-config --server-id-resolve repox --repo-resolve "$ARTIFACTORY_PYPI_REPO" - # force poetry to use python available in the environment to avoid cached .venv to point to old python version - jf poetry env use python --build-name="$PROJECT" --build-number="$BUILD_NUMBER" - jf poetry install --build-name="$PROJECT" --build-number="$BUILD_NUMBER" -} - -main() { - set_build_env - config_poetry -} - -if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then - main "$@" -fi diff --git a/.github/workflows/Iris.yml b/.github/workflows/Iris.yml deleted file mode 100644 index 01afaa93..00000000 --- a/.github/workflows/Iris.yml +++ /dev/null @@ -1,74 +0,0 @@ -name: Iris sync -on: - schedule: - - cron: "0 2 * * *" - workflow_dispatch: - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - coverage: - name: "Coverage report generation" - runs-on: github-ubuntu-latest-s - permissions: - id-token: write - contents: write - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Configure poetry - uses: ./.github/actions/config-poetry - - run: | - poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests - poetry run mypy src/ > mypy-report.txt || true - - name: Upload coverage artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 - with: - name: coverage-reports - path: | - coverage.xml - mypy-report.txt - - shadow-scans: - name: Shadow Scans - needs: coverage - runs-on: github-ubuntu-latest-s - permissions: - id-token: write - contents: write - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Download coverage artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: - name: coverage-reports - - - name: Build and run shadow scan - uses: SonarSource/ci-github-actions/build-poetry@v1 - with: - sonar-platform: next - run-shadow-scans: true - artifactory-reader-role: private-reader - artifactory-deployer-role: qa-deployer - - iris: - name: IRIS Sync - needs: shadow-scans - runs-on: github-ubuntu-latest-s - permissions: - id-token: write - contents: write - steps: - - name: Run IRIS Analysis - uses: SonarSource/unified-dogfooding-actions/run-iris@v1 - with: - primary_project_key: "SonarSource_sonar-scanner-python" - primary_platform: "Next" - shadow1_project_key: "SonarSource_sonar-scanner-python" - shadow1_platform: "SQC-EU" - shadow2_project_key: "SonarSource_sonar-scanner-python" - shadow2_platform: "SQC-US" diff --git a/.github/workflows/MacOsNightly.yml b/.github/workflows/MacOsNightly.yml index 09337d41..273435a6 100644 --- a/.github/workflows/MacOsNightly.yml +++ b/.github/workflows/MacOsNightly.yml @@ -13,6 +13,12 @@ on: type: boolean # Only allow one instance of this workflow to run at a time +env: + MISE_EXPERIMENTAL: "1" + MISE_PYTHON_GITHUB_ATTESTATIONS: "false" + POETRY_CACHE_DIR: ${{ github.workspace }}/.cache/pypoetry + POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/.cache/pypoetry/virtualenvs + concurrency: group: ${{ github.workflow }} cancel-in-progress: true @@ -35,10 +41,21 @@ jobs: - name: Setup Cloudflare WARP uses: SonarSource/gh-action_setup-cloudflare-warp@v1 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python ${{ matrix.python-version }} + experimental: true + - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 with: - python-version: ${{ matrix.python-version }} + artifactory-reader-role: private-reader + + - name: Install dependencies + run: poetry install - name: Execute the test suite run: poetry run pytest tests/ @@ -76,8 +93,18 @@ jobs: wget -q https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-$SONARQUBE_VERSION.zip -O sonarqube_cache/sonarqube.zip fi + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true + - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader - name: Execute the integration tests run: ./.github/scripts/run_its.sh diff --git a/.github/workflows/SlackNotify.yml b/.github/workflows/SlackNotify.yml index a8433329..54b6fd91 100644 --- a/.github/workflows/SlackNotify.yml +++ b/.github/workflows/SlackNotify.yml @@ -4,7 +4,6 @@ on: workflow_run: workflows: - Build - - Iris sync - Releasability status - macOS Nightly Build - sonar-release diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a7b7c9c1..10af7265 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,10 +1,18 @@ name: Build on: + schedule: + - cron: "0 1 * * *" push: branches: [master, branch-*, dogfood-*] pull_request: workflow_dispatch: +env: + MISE_EXPERIMENTAL: "1" + MISE_PYTHON_GITHUB_ATTESTATIONS: "false" + POETRY_CACHE_DIR: ${{ github.workspace }}/.cache/pypoetry + POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/.cache/pypoetry/virtualenvs + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -21,8 +29,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Install mise and tools - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 - name: Build the scanner uses: SonarSource/ci-github-actions/build-poetry@v1 id: build-poetry @@ -41,8 +47,17 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry # We use this job to cache the poetry depend + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader - run: | poetry install @@ -56,8 +71,19 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader + - name: Install dependencies + run: poetry install - run: | poetry run black src/ tests/ --check poetry run licenseheaders -t license_header.tmpl -o "SonarSource Sàrl" -y 2011-2026 -n "Sonar Scanner Python" -E .py -d src/ @@ -76,6 +102,17 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install mise and tools uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true + - name: Configure poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader + - name: Install dependencies + run: poetry install - name: Check for incorrect documentation run: | poetry run python tools/generate_cli_documentation.py @@ -91,8 +128,19 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader + - name: Install dependencies + run: poetry install - run: | poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests poetry run mypy src/ > mypy-report.txt || true @@ -118,8 +166,6 @@ jobs: uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: coverage-reports - - name: Install mise and tools - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 - name: Analysis the project on next uses: SonarSource/ci-github-actions/build-poetry@v1 with: @@ -127,6 +173,48 @@ jobs: artifactory-reader-role: private-reader artifactory-deployer-role: qa-deployer + shadow-scans: + name: Shadow Scans + if: ${{ github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' }} + runs-on: github-ubuntu-latest-s + needs: [coverage] + permissions: + id-token: write + contents: write + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Download coverage artifacts + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: coverage-reports + - name: Build and run shadow scan + uses: SonarSource/ci-github-actions/build-poetry@v1 + with: + sonar-platform: next + run-shadow-scans: true + artifactory-reader-role: private-reader + artifactory-deployer-role: qa-deployer + + iris: + name: IRIS Sync + if: ${{ github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' }} + runs-on: github-ubuntu-latest-s + needs: [shadow-scans] + permissions: + id-token: write + contents: write + steps: + - name: Run IRIS Analysis + uses: SonarSource/unified-dogfooding-actions/run-iris@v1 + with: + primary_project_key: "SonarSource_sonar-scanner-python" + primary_platform: "Next" + shadow1_project_key: "SonarSource_sonar-scanner-python" + shadow1_platform: "SQC-EU" + shadow2_project_key: "SonarSource_sonar-scanner-python" + shadow2_platform: "SQC-US" + qa: name: "Test Python ${{ matrix.python-version }}" runs-on: github-ubuntu-latest-s @@ -142,10 +230,19 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python ${{ matrix.python-version }} + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 with: - python-version: ${{ matrix.python-version }} + artifactory-reader-role: private-reader + - name: Install dependencies + run: poetry install - name: Execute the test suite run: | poetry run pytest tests/ @@ -160,8 +257,24 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry for Windows - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + continue-on-error: true + with: + artifactory-reader-role: private-reader + - name: Clean up local action symlinks + if: ${{ always() }} + shell: bash + run: rm -rf .actions + - name: Install dependencies + run: poetry install - name: Execute the test suite run: | poetry run pytest tests/ @@ -192,13 +305,23 @@ jobs: if [ ! -f sonarqube_cache/sonarqube.zip ]; then wget -q https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-$SONARQUBE_VERSION.zip -O sonarqube_cache/sonarqube.zip fi + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader - name: Execute the integration tests run: ./.github/scripts/run_its.sh promote: name: "Promote" + if: ${{ github.event_name == 'pull_request' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/branch-') || startsWith(github.ref, 'refs/heads/dogfood-') }} needs: [ build, diff --git a/mise.toml b/mise.toml index 80ef1bc0..b0ed070c 100644 --- a/mise.toml +++ b/mise.toml @@ -1,13 +1,16 @@ [tools] "pipx:poetry" = "2.2.1" +[tool_alias] +jfrog-cli = "asdf:mise-plugins/mise-jfrog-cli" + [tools."asdf:jfrog-cli"] -version = "2.77.0" +version = "2.96.0" os = ["linux", "macos"] [tools."http:jfrog-cli"] -version = "2.77.0" +version = "2.96.0" os = ["windows"] [tools."http:jfrog-cli".platforms] -windows-x64 = { url = "https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/2.77.0/jfrog-cli-windows-amd64/jf.exe", install = "cp ${MISE_DOWNLOAD_PATH} ${MISE_INSTALL_PATH}/bin/jf.exe" } +windows-x64 = { url = "https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/2.96.0/jfrog-cli-windows-amd64/jf.exe", install = "cp ${MISE_DOWNLOAD_PATH} ${MISE_INSTALL_PATH}/bin/jf.exe" }