chore(ci): migrate SOT to Gitea (#429)

Reviewed-on: #429

.archive/.github/CODEOWNERS

@@ -0,0 +1 @@
+*   @luketainton

.archive/.github/workflows/ci.yml

@@ -0,0 +1,20 @@
+name: CI
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+      - "README.md"
+      - "LICENSE.md"
+      - ".gitignore"
+      - ".github/CODEOWNERS"
+      - ".github/renovate.json"
+      - ".github/dependabot.yml"
+
+jobs:
+  ci:
+    uses: luketainton/gha-workflows/.github/workflows/ci-python-poetry-with-docker.yml@main
+    with:
+      python-version: "3.13"
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.archive/.github/workflows/release.yml

@@ -0,0 +1,26 @@
+name: Release
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 9 * * 0"
+
+jobs:
+  test:
+    uses: luketainton/gha-workflows/.github/workflows/ci-python-poetry-with-docker.yml@main
+    with:
+      python-version: "3.13"
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  create_release:
+    name: Create Release
+    uses: luketainton/gha-workflows/.github/workflows/create-release.yml@main
+
+  create_docker:
+    name: Create Docker Image
+    needs: create_release
+    if: ${{ needs.create_release.outputs.success == 'true' }}
+    uses: luketainton/gha-workflows/.github/workflows/build-push-attest-docker.yml@main
+    with:
+        release: ${{ needs.create_release.outputs.release_name }}

.gitea/CODEOWNERS

@@ -0,0 +1 @@
+*   @luke

.gitea/workflows/ci.yml

@@ -0,0 +1,74 @@
+name: CI
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+      - "README.md"
+      - "LICENSE.md"
+      - ".gitignore"
+      - "renovate.json"
+      - ".gitea/CODEOWNERS"
+      - ".archive"
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4.1.7
+        with:
+          fetch-depth: 0
+
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile
+          output-file: hadolint.out
+          format: sonarqube
+          no-fail: true
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "${{ vars.PYTHON_VERSION }}"
+
+      - name: Setup Poetry
+        run: curl -sSL https://install.python-poetry.org | python3 -
+
+      - name: Update PATH
+        run: export PATH="/root/.local/bin:$PATH"
+
+      - name: Install dependencies
+        run: /root/.local/bin/poetry install
+
+      - name: Lint
+        run: |
+          /root/.local/bin/poetry run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt .
+          cat lintreport.txt
+
+      - name: Unit Test
+        run: |
+          /root/.local/bin/poetry run coverage run -m pytest -v --junitxml=testresults.xml
+          /root/.local/bin/poetry run coverage xml
+          sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
+
+      # TEMPORARY - DISABLED DUE TO GITHUB > GITEA MIGRATION
+      # SONARQUBE CLOUD IS CURRENTLY TIGHTLY COUPLED TO GITHUB
+      - name: SonarQube Cloud Scan
+        uses: SonarSource/sonarqube-scan-action@v4.2.1
+        continue-on-error: true
+        env:
+          # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+      - name: Snyk Vulnerability Scan
+        uses: snyk/actions/python-3.10@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif --all-projects
+
+      # - name: Upload result to GitHub Code Scanning
+      #   uses: github/codeql-action/upload-sarif@v3
+      #   with:
+      #     sarif_file: snyk.sarif

.gitea/workflows/release.yml

@@ -0,0 +1,133 @@
+name: Release
+on:
+  schedule:
+    - cron: "0 9 * * 0"
+
+jobs:
+  test:
+    uses: https://git.tainton.uk/public/webexmemebot/src/branch/main/.gitea/workflows/ci.yml
+
+  create_release:
+    runs-on: ubuntu-latest
+    outputs:
+      release_name: ${{ steps.tag_version.outputs.new_tag }}
+      success: ${{ steps.set_flag.outputs.success }}
+    steps:
+      - uses: actions/checkout@v4.1.7
+        with:
+          fetch-depth: 0
+
+      - name: Changes since last tag
+        id: changes
+        run: |
+          CHANGES=$(git log $(git describe --tags --abbrev=0)..HEAD --no-merges --oneline)
+          echo "$CHANGES"
+          if [ -z "$CHANGES" ]; then echo "changes=false" >> "$GITEA_OUTPUT"; else echo "changes=true" >> "$GITEA_OUTPUT"; fi
+
+      - name: Bump version and push tag
+        id: tag_version
+        if: steps.changes.outputs.changes == 'true'
+        uses: mathieudutour/github-tag-action@v6.2
+        with:
+          github_token: ${{ gitea.token }}
+          default_bump: minor
+          # default_bump: false
+
+      - name: Build Changelog
+        uses: mikepenz/release-changelog-builder-action@v4
+        id: build_changelog
+        env:
+          GITHUB_TOKEN: ${{ gitea.token }}
+        with:
+          configurationJson: |
+            {
+              "pr_template": "- #{{TITLE}} ([##{{NUMBER}}](#{{URL}}))",
+              "empty_template": "- no changes",
+              "categories": [
+                {
+                    "title": "## 💬 Other",
+                    "labels": ["type/other"]
+                },
+                {
+                    "title": "## 📦 Dependencies",
+                    "labels": ["type/dependencies"]
+                },
+                {
+                  "title": "## 🚀 Features",
+                  "labels": ["type/feature"]
+                },
+                {
+                  "title": "## 🐛 Bug Fixes",
+                  "labels": ["type/bugfix"]
+                },
+              ]
+            }
+
+      - name: Create release
+        id: create_release
+        uses: akkuman/gitea-release-action@v1
+        env:
+          NODE_OPTIONS: '--experimental-fetch' # if nodejs < 18
+        with:
+          tag: ${{ steps.tag_version.outputs.new_tag }}
+          name: ${{ steps.tag_version.outputs.new_tag }}
+          body: ${{ steps.build_changelog.outputs.changelog }}
+
+      - name: Set success/fail flag
+        id: set_flag
+        if: steps.changes.outputs.changes == 'true'
+        run: if test "${{ steps.changes.outputs.changes }}" = "true"; then echo "success=true" >> "$GITHUB_OUTPUT"; else echo "success=false" >> "$GITHUB_OUTPUT"; fi
+
+  create_docker:
+    name: Create Docker Image
+    needs: create_release
+    if: ${{ needs.create_release.outputs.success == 'true' }}
+    outputs:
+      success: ${{ steps.set_flag.outputs.success }}
+    with:
+        release: ${{ needs.create_release.outputs.release_name }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.release }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.tainton.uk
+          username: ${{ gitea.actor }}
+          password: ${{ gitea.token }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            git.tainton.uk/${{ gitea.repository }}
+          tags: |
+            type=semver,pattern=v{{version}},value=${{ inputs.release }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            git.tainton.uk/${{ gitea.repository }}:latest
+            git.tainton.uk/${{ gitea.repository }}:${{ inputs.release }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: git.tainton.uk/${{ gitea.repository }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Set success flag
+        id: set_flag
+        run: echo "success=true" >> "$GITHUB_OUTPUT"

renovate.json

@@ -0,0 +1,42 @@
+{
+  "assignAutomerge": true,
+  "assigneesFromCodeOwners": true,
+  "dependencyDashboardAutoclose": true,
+  "extends": [
+    "config:base"
+  ],
+  "labels": [
+    "type/dependencies"
+  ],
+  "packageRules": [
+    {
+      "labels": [
+        "linting"
+      ],
+      "matchPackagePatterns": [
+        "black",
+        "pylint"
+      ]
+    },
+    {
+      "labels": [
+        "unit-tests"
+      ],
+      "matchPackagePatterns": [
+        "coverage",
+        "pytest"
+      ]
+    }
+  ],
+  "platformCommit": true,
+  "rebaseWhen": "behind-base-branch",
+  "rollbackPrs": true,
+  "vulnerabilityAlerts": {
+    "commitMessagePrefix": "[SECURITY] ",
+    "enabled": true,
+    "labels": [
+      "security"
+    ],
+    "prCreation": "immediate"
+  }
+}

sonar-project.properties

@@ -1,8 +1,8 @@
 sonar.organization=luketainton
-sonar.projectKey=luketainton_webexmemebot
+sonar.projectKey=luketainton_webexmemebot2
 sonar.projectName=webexmemebot
 sonar.projectVersion=0.1.0
-sonar.python.version=3.11
+sonar.python.version=3.13
 sonar.python.coverage.reportPaths=coverage.xml
 sonar.python.pylint.reportPaths=lintreport.txt
 sonar.python.xunit.reportPath=testresults.xml