From 67d47341575172b9c2d4b6f086d84f1ccac49e8e Mon Sep 17 00:00:00 2001 From: Sebastian Zumbrunn Date: Thu, 25 Jun 2026 14:55:15 +0200 Subject: [PATCH 1/7] Migrate Poetry workflows to official actions --- .github/actions/config-poetry/action.yml | 84 ----------------- .../actions/config-poetry/config-poetry.sh | 30 ------ .github/workflows/Iris.yml | 17 +++- .github/workflows/MacOsNightly.yml | 31 ++++++- .github/workflows/build.yml | 93 ++++++++++++++++--- 5 files changed, 126 insertions(+), 129 deletions(-) delete mode 100644 .github/actions/config-poetry/action.yml delete mode 100755 .github/actions/config-poetry/config-poetry.sh diff --git a/.github/actions/config-poetry/action.yml b/.github/actions/config-poetry/action.yml deleted file mode 100644 index be589d68..00000000 --- a/.github/actions/config-poetry/action.yml +++ /dev/null @@ -1,84 +0,0 @@ ---- -name: Configure Poetry -description: GitHub Action to configure a poetry project - -inputs: - python-version: - description: The version of python to use - default: 3.12.1 - poetry-version: - description: The version of poetry to install - default: 2.2.1 - jfrog-version: - description: The version of jFrog to install - default: 2.77.0 - poetry-virtualenvs-path: - description: - Path to the Poetry virtual environments, relative to GitHub workspace. The folder is cached only if it is a subdirectory of - `poetry-cache-dir`. - default: .cache/pypoetry/virtualenvs - poetry-cache-dir: - description: Path to the Poetry cache directory, relative to GitHub workspace. - default: .cache/pypoetry -outputs: - BUILD_NUMBER: - description: The build number, incremented or reused if already cached - value: ${{ steps.get_build_number.outputs.BUILD_NUMBER }} - -runs: - using: composite - steps: - - name: Set build parameters - shell: bash - env: - ARTIFACTORY_READER_ROLE: private-reader - run: | - echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV" - - uses: SonarSource/ci-github-actions/get-build-number@v1 - id: get_build_number - - name: Cache local Poetry cache - uses: SonarSource/gh-action_cache@v1 - with: - path: ${{ inputs.poetry-cache-dir }} - key: poetry-${{ runner.os }}-${{ inputs.python-version }}-${{ hashFiles('poetry.lock') }} - restore-keys: | - poetry-${{ runner.os }}-${{ inputs.python-version }}- - poetry-${{ runner.os }}- - - # python needs to be installed before jfrog and poetry - # (see https://xtranet-sonarsource.atlassian.net/wiki/spaces/Platform/pages/4344217683/Mise+Poetry+Install+-+GitHub) - - name: Install mise and python - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 - with: - version: 2025.7.12 - tool_versions: | - python ${{ inputs.python-version }} - experimental: true # needed to use the http backend for installation of jfrog on windows - - - name: Install jfrog and poetry through mise - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 - with: - version: 2025.7.12 - experimental: true # needed to use the http backend for installation of jfrog on windows - - - name: Vault - # yamllint disable rule:line-length - id: secrets - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0 - with: - secrets: | - development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; - # yamllint enable rule:line-length - - name: Config Poetry - id: config - shell: bash - env: - ARTIFACTORY_URL: https://repox.jfrog.io/artifactory - ARTIFACTORY_PYPI_REPO: sonarsource-pypi - ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }} - POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/${{ inputs.poetry-virtualenvs-path }} - POETRY_CACHE_DIR: ${{ github.workspace }}/${{ inputs.poetry-cache-dir }} - run: | - echo "POETRY_VIRTUALENVS_PATH=${POETRY_VIRTUALENVS_PATH}" >> "$GITHUB_ENV" - echo "POETRY_CACHE_DIR=${POETRY_CACHE_DIR}" >> "$GITHUB_ENV" - ${GITHUB_ACTION_PATH}/config-poetry.sh diff --git a/.github/actions/config-poetry/config-poetry.sh b/.github/actions/config-poetry/config-poetry.sh deleted file mode 100755 index 64b6b47a..00000000 --- a/.github/actions/config-poetry/config-poetry.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -# Config script for SonarSource Poetry projects. - -set -euo pipefail - -: "${ARTIFACTORY_URL:?}" -: "${ARTIFACTORY_PYPI_REPO:?}" "${ARTIFACTORY_ACCESS_TOKEN:?}" -: "${BUILD_NUMBER:?}" "${GITHUB_REPOSITORY:?}" - -set_build_env() { - export PROJECT=${GITHUB_REPOSITORY#*/} - echo "PROJECT: $PROJECT" -} - -config_poetry() { - jf config add repox --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_ACCESS_TOKEN" - jf poetry-config --server-id-resolve repox --repo-resolve "$ARTIFACTORY_PYPI_REPO" - # force poetry to use python available in the environment to avoid cached .venv to point to old python version - jf poetry env use python --build-name="$PROJECT" --build-number="$BUILD_NUMBER" - jf poetry install --build-name="$PROJECT" --build-number="$BUILD_NUMBER" -} - -main() { - set_build_env - config_poetry -} - -if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then - main "$@" -fi diff --git a/.github/workflows/Iris.yml b/.github/workflows/Iris.yml index 01afaa93..7a72444d 100644 --- a/.github/workflows/Iris.yml +++ b/.github/workflows/Iris.yml @@ -4,6 +4,10 @@ on: - cron: "0 2 * * *" workflow_dispatch: +env: + POETRY_CACHE_DIR: ${{ github.workspace }}/.cache/pypoetry + POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/.cache/pypoetry/virtualenvs + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -18,8 +22,19 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader + - name: Install dependencies + run: poetry install - run: | poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests poetry run mypy src/ > mypy-report.txt || true diff --git a/.github/workflows/MacOsNightly.yml b/.github/workflows/MacOsNightly.yml index 09337d41..dabafb3b 100644 --- a/.github/workflows/MacOsNightly.yml +++ b/.github/workflows/MacOsNightly.yml @@ -13,6 +13,10 @@ on: type: boolean # Only allow one instance of this workflow to run at a time +env: + POETRY_CACHE_DIR: ${{ github.workspace }}/.cache/pypoetry + POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/.cache/pypoetry/virtualenvs + concurrency: group: ${{ github.workflow }} cancel-in-progress: true @@ -35,10 +39,21 @@ jobs: - name: Setup Cloudflare WARP uses: SonarSource/gh-action_setup-cloudflare-warp@v1 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python ${{ matrix.python-version }} + experimental: true + - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 with: - python-version: ${{ matrix.python-version }} + artifactory-reader-role: private-reader + + - name: Install dependencies + run: poetry install - name: Execute the test suite run: poetry run pytest tests/ @@ -76,8 +91,18 @@ jobs: wget -q https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-$SONARQUBE_VERSION.zip -O sonarqube_cache/sonarqube.zip fi + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true + - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader - name: Execute the integration tests run: ./.github/scripts/run_its.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a7b7c9c1..0f2b0ea4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,10 @@ on: pull_request: workflow_dispatch: +env: + POETRY_CACHE_DIR: ${{ github.workspace }}/.cache/pypoetry + POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/.cache/pypoetry/virtualenvs + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -21,8 +25,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Install mise and tools - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 - name: Build the scanner uses: SonarSource/ci-github-actions/build-poetry@v1 id: build-poetry @@ -41,8 +43,17 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry # We use this job to cache the poetry depend + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader - run: | poetry install @@ -56,8 +67,19 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader + - name: Install dependencies + run: poetry install - run: | poetry run black src/ tests/ --check poetry run licenseheaders -t license_header.tmpl -o "SonarSource Sàrl" -y 2011-2026 -n "Sonar Scanner Python" -E .py -d src/ @@ -76,6 +98,17 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install mise and tools uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true + - name: Configure poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader + - name: Install dependencies + run: poetry install - name: Check for incorrect documentation run: | poetry run python tools/generate_cli_documentation.py @@ -91,8 +124,19 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader + - name: Install dependencies + run: poetry install - run: | poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests poetry run mypy src/ > mypy-report.txt || true @@ -118,8 +162,6 @@ jobs: uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: coverage-reports - - name: Install mise and tools - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 - name: Analysis the project on next uses: SonarSource/ci-github-actions/build-poetry@v1 with: @@ -142,10 +184,19 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python ${{ matrix.python-version }} + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 with: - python-version: ${{ matrix.python-version }} + artifactory-reader-role: private-reader + - name: Install dependencies + run: poetry install - name: Execute the test suite run: | poetry run pytest tests/ @@ -160,8 +211,19 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry for Windows - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader + - name: Install dependencies + run: poetry install - name: Execute the test suite run: | poetry run pytest tests/ @@ -192,8 +254,17 @@ jobs: if [ ! -f sonarqube_cache/sonarqube.zip ]; then wget -q https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-$SONARQUBE_VERSION.zip -O sonarqube_cache/sonarqube.zip fi + - name: Install mise and tools + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 + with: + version: 2026.5.9 + tool_versions: | + python 3.12.1 + experimental: true - name: Configure poetry - uses: ./.github/actions/config-poetry + uses: SonarSource/ci-github-actions/config-poetry@v1 + with: + artifactory-reader-role: private-reader - name: Execute the integration tests run: ./.github/scripts/run_its.sh From 85807d7a20e7ec2f3ed0205e2dc530c4424d2a3b Mon Sep 17 00:00:00 2001 From: Sebastian Zumbrunn Date: Thu, 25 Jun 2026 15:00:45 +0200 Subject: [PATCH 2/7] Fix mise setup for official Poetry actions --- .github/workflows/Iris.yml | 2 ++ .github/workflows/MacOsNightly.yml | 2 ++ .github/workflows/build.yml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/.github/workflows/Iris.yml b/.github/workflows/Iris.yml index 7a72444d..f54ed294 100644 --- a/.github/workflows/Iris.yml +++ b/.github/workflows/Iris.yml @@ -5,6 +5,8 @@ on: workflow_dispatch: env: + MISE_EXPERIMENTAL: "1" + MISE_PYTHON_GITHUB_ATTESTATIONS: "false" POETRY_CACHE_DIR: ${{ github.workspace }}/.cache/pypoetry POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/.cache/pypoetry/virtualenvs diff --git a/.github/workflows/MacOsNightly.yml b/.github/workflows/MacOsNightly.yml index dabafb3b..273435a6 100644 --- a/.github/workflows/MacOsNightly.yml +++ b/.github/workflows/MacOsNightly.yml @@ -14,6 +14,8 @@ on: # Only allow one instance of this workflow to run at a time env: + MISE_EXPERIMENTAL: "1" + MISE_PYTHON_GITHUB_ATTESTATIONS: "false" POETRY_CACHE_DIR: ${{ github.workspace }}/.cache/pypoetry POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/.cache/pypoetry/virtualenvs diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0f2b0ea4..c2368ec0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,6 +6,8 @@ on: workflow_dispatch: env: + MISE_EXPERIMENTAL: "1" + MISE_PYTHON_GITHUB_ATTESTATIONS: "false" POETRY_CACHE_DIR: ${{ github.workspace }}/.cache/pypoetry POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/.cache/pypoetry/virtualenvs From 7eefc83908d20ecc727fe6d02d8bb3412ed6a04a Mon Sep 17 00:00:00 2001 From: Sebastian Zumbrunn Date: Thu, 25 Jun 2026 15:05:46 +0200 Subject: [PATCH 3/7] Align mise JFrog setup with official actions --- mise.toml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/mise.toml b/mise.toml index 80ef1bc0..b0ed070c 100644 --- a/mise.toml +++ b/mise.toml @@ -1,13 +1,16 @@ [tools] "pipx:poetry" = "2.2.1" +[tool_alias] +jfrog-cli = "asdf:mise-plugins/mise-jfrog-cli" + [tools."asdf:jfrog-cli"] -version = "2.77.0" +version = "2.96.0" os = ["linux", "macos"] [tools."http:jfrog-cli"] -version = "2.77.0" +version = "2.96.0" os = ["windows"] [tools."http:jfrog-cli".platforms] -windows-x64 = { url = "https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/2.77.0/jfrog-cli-windows-amd64/jf.exe", install = "cp ${MISE_DOWNLOAD_PATH} ${MISE_INSTALL_PATH}/bin/jf.exe" } +windows-x64 = { url = "https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/2.96.0/jfrog-cli-windows-amd64/jf.exe", install = "cp ${MISE_DOWNLOAD_PATH} ${MISE_INSTALL_PATH}/bin/jf.exe" } From abf558eb486d38dee2e4494ba7133cbbc7613fb8 Mon Sep 17 00:00:00 2001 From: Sebastian Zumbrunn Date: Thu, 25 Jun 2026 15:35:23 +0200 Subject: [PATCH 4/7] Handle Windows poetry action cleanup --- .github/workflows/build.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c2368ec0..ec746c39 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -222,8 +222,13 @@ jobs: experimental: true - name: Configure poetry for Windows uses: SonarSource/ci-github-actions/config-poetry@v1 + continue-on-error: true with: artifactory-reader-role: private-reader + - name: Clean up local action symlinks + if: ${{ always() }} + shell: bash + run: rm -rf .actions - name: Install dependencies run: poetry install - name: Execute the test suite From 6912c9c2b4e69360c51d7cd03a30196c8bb0b79c Mon Sep 17 00:00:00 2001 From: Sebastian Zumbrunn Date: Fri, 26 Jun 2026 11:56:07 +0200 Subject: [PATCH 5/7] Add scheduled build --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ec746c39..baddb4c4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,5 +1,7 @@ name: Build on: + schedule: + - cron: "0 1 * * *" push: branches: [master, branch-*, dogfood-*] pull_request: From 0a9016e3ebba8f84959f8c299ebd365085110ac1 Mon Sep 17 00:00:00 2001 From: Sebastian Zumbrunn Date: Fri, 26 Jun 2026 14:38:37 +0200 Subject: [PATCH 6/7] SCANPY-252 Migrate IRIS sync into build workflow --- .github/workflows/Iris.yml | 91 ------------------------------- .github/workflows/SlackNotify.yml | 1 - .github/workflows/build.yml | 42 ++++++++++++++ 3 files changed, 42 insertions(+), 92 deletions(-) delete mode 100644 .github/workflows/Iris.yml diff --git a/.github/workflows/Iris.yml b/.github/workflows/Iris.yml deleted file mode 100644 index f54ed294..00000000 --- a/.github/workflows/Iris.yml +++ /dev/null @@ -1,91 +0,0 @@ -name: Iris sync -on: - schedule: - - cron: "0 2 * * *" - workflow_dispatch: - -env: - MISE_EXPERIMENTAL: "1" - MISE_PYTHON_GITHUB_ATTESTATIONS: "false" - POETRY_CACHE_DIR: ${{ github.workspace }}/.cache/pypoetry - POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/.cache/pypoetry/virtualenvs - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - coverage: - name: "Coverage report generation" - runs-on: github-ubuntu-latest-s - permissions: - id-token: write - contents: write - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Install mise and tools - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 - with: - version: 2026.5.9 - tool_versions: | - python 3.12.1 - experimental: true - - name: Configure poetry - uses: SonarSource/ci-github-actions/config-poetry@v1 - with: - artifactory-reader-role: private-reader - - name: Install dependencies - run: poetry install - - run: | - poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests - poetry run mypy src/ > mypy-report.txt || true - - name: Upload coverage artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 - with: - name: coverage-reports - path: | - coverage.xml - mypy-report.txt - - shadow-scans: - name: Shadow Scans - needs: coverage - runs-on: github-ubuntu-latest-s - permissions: - id-token: write - contents: write - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - name: Download coverage artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: - name: coverage-reports - - - name: Build and run shadow scan - uses: SonarSource/ci-github-actions/build-poetry@v1 - with: - sonar-platform: next - run-shadow-scans: true - artifactory-reader-role: private-reader - artifactory-deployer-role: qa-deployer - - iris: - name: IRIS Sync - needs: shadow-scans - runs-on: github-ubuntu-latest-s - permissions: - id-token: write - contents: write - steps: - - name: Run IRIS Analysis - uses: SonarSource/unified-dogfooding-actions/run-iris@v1 - with: - primary_project_key: "SonarSource_sonar-scanner-python" - primary_platform: "Next" - shadow1_project_key: "SonarSource_sonar-scanner-python" - shadow1_platform: "SQC-EU" - shadow2_project_key: "SonarSource_sonar-scanner-python" - shadow2_platform: "SQC-US" diff --git a/.github/workflows/SlackNotify.yml b/.github/workflows/SlackNotify.yml index a8433329..54b6fd91 100644 --- a/.github/workflows/SlackNotify.yml +++ b/.github/workflows/SlackNotify.yml @@ -4,7 +4,6 @@ on: workflow_run: workflows: - Build - - Iris sync - Releasability status - macOS Nightly Build - sonar-release diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index baddb4c4..5a685561 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -173,6 +173,48 @@ jobs: artifactory-reader-role: private-reader artifactory-deployer-role: qa-deployer + shadow-scans: + name: Shadow Scans + if: ${{ github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' }} + runs-on: github-ubuntu-latest-s + needs: [coverage] + permissions: + id-token: write + contents: write + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Download coverage artifacts + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: coverage-reports + - name: Build and run shadow scan + uses: SonarSource/ci-github-actions/build-poetry@v1 + with: + sonar-platform: next + run-shadow-scans: true + artifactory-reader-role: private-reader + artifactory-deployer-role: qa-deployer + + iris: + name: IRIS Sync + if: ${{ github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' }} + runs-on: github-ubuntu-latest-s + needs: [shadow-scans] + permissions: + id-token: write + contents: write + steps: + - name: Run IRIS Analysis + uses: SonarSource/unified-dogfooding-actions/run-iris@v1 + with: + primary_project_key: "SonarSource_sonar-scanner-python" + primary_platform: "Next" + shadow1_project_key: "SonarSource_sonar-scanner-python" + shadow1_platform: "SQC-EU" + shadow2_project_key: "SonarSource_sonar-scanner-python" + shadow2_platform: "SQC-US" + qa: name: "Test Python ${{ matrix.python-version }}" runs-on: github-ubuntu-latest-s From 37e493984ea3f754acc2609b4ef6b178566a827b Mon Sep 17 00:00:00 2001 From: Sebastian Zumbrunn Date: Fri, 26 Jun 2026 14:50:38 +0200 Subject: [PATCH 7/7] SCANPY-252 Skip promote for manual feature branch builds --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5a685561..10af7265 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -321,6 +321,7 @@ jobs: promote: name: "Promote" + if: ${{ github.event_name == 'pull_request' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/branch-') || startsWith(github.ref, 'refs/heads/dogfood-') }} needs: [ build,