feat(ci): fix CI, switch to self-hosted SonarQube (#310)

Reviewed-on: #310

.archive/.github/CODEOWNERS

@@ -0,0 +1 @@
+*   @luketainton

.archive/.github/archive/.deepsource.toml

@@ -0,0 +1,30 @@
+version = 1
+
+test_patterns = ["tests/**"]
+
+exclude_patterns = [
+  ".github/workflows/**",
+  ".gitignore",
+  "CODEOWNERS",
+  "LICENSE.md",
+  "README.md",
+  "codecov.yml",
+  "renovate.json",
+  "requirements-dev.txt",
+  "requirements.txt"
+]
+
+[[analyzers]]
+name = "python"
+enabled = true
+
+  [analyzers.meta]
+  runtime_version = "3.x.x"
+
+[[analyzers]]
+name = "test-coverage"
+enabled = true
+
+[[transformers]]
+name = "black"
+enabled = true

.archive/.github/archive/codecov.yml

@@ -0,0 +1,2 @@
+ignore:
+  - "*/tests/*”

.archive/.github/archive/renovate.json

@@ -0,0 +1,42 @@
+{
+  "extends": [
+    "config:base"
+  ],
+  "platformCommit": true,
+  "dependencyDashboardAutoclose": true,
+  "assignAutomerge": true,
+  "assigneesFromCodeOwners": true,
+  "rebaseWhen": "behind-base-branch",
+  "rollbackPrs": true,
+  "labels": [
+    "dependencies"
+  ],
+  "packageRules": [
+    {
+      "matchPackagePatterns": [
+        "black",
+        "pylint"
+      ],
+      "labels": [
+        "linting"
+      ]
+    },
+    {
+      "matchPackagePatterns": [
+        "coverage",
+        "pytest"
+      ],
+      "labels": [
+        "unit-tests"
+      ]
+    }
+  ],
+  "vulnerabilityAlerts": {
+    "enabled": true,
+    "labels": [
+      "security"
+    ],
+    "commitMessagePrefix": "[SECURITY] ",
+    "prCreation": "immediate"
+  }
+}

.archive/.github/archive/workflows-disabled/ci-branch-main.yml

@@ -0,0 +1,89 @@
+name: CI - Merge to main
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+    paths-ignore:
+      - 'README.md'
+      - 'LICENSE.md'
+      - 'CHANGELOG.md'
+      - '.gitignore'
+      - 'renovate.json'
+      - 'CODEOWNERS'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+      - name: Install dependencies
+        run: pip install -r requirements.txt && pip install -r requirements-dev.txt
+      - name: Lint
+        run: pylint --recursive=yes .
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [ '3.10' ]
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Setup Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: pip install -r requirements.txt && pip install -r requirements-dev.txt
+      - name: Run test suite
+        run: coverage run -m py.test -v
+      - name: Upload Coverage to Codecov
+        uses: codecov/codecov-action@v3
+
+  build:
+    needs:
+      - lint
+      - test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Setup Python 3.10
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+      # - name: Install dependencies
+      #   run: pip install -r requirements.txt && pip install -r requirements-dev.txt
+      - name: Install build dependencies
+        run: pip install setuptools wheel
+      - name: Build wheel file
+        run: python setup.py bdist_wheel
+      - id: skip_check
+        uses: actions/upload-artifact@v3
+        with:
+          name: whl
+          path: dist/
+
+  publish:
+    needs: build
+    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create dist folder
+        run: |
+          mkdir -p dist
+      - uses: actions/download-artifact@v3
+        with:
+          name: whl
+          path: dist
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          user: __token__
+          password: ${{ secrets.PYPI_API_TOKEN }}

.archive/.github/archive/workflows-disabled/ci-development.yml

@@ -0,0 +1,110 @@
+name: CI - Development
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - '!main'
+    paths-ignore:
+      - 'README.md'
+      - 'LICENSE.md'
+      - 'CHANGELOG.md'
+      - '.gitignore'
+      - 'renovate.json'
+      - 'CODEOWNERS'
+
+jobs:
+  skip_duplicate:
+    name: Skip if duplicate run
+    runs-on: ubuntu-latest
+    outputs:
+      should_skip: ${{ steps.skip_check.outputs.should_skip }}
+    steps:
+      - id: skip_check
+        uses: fkirc/skip-duplicate-actions@v4.0.0
+        with:
+          github_token: ${{ github.token }}
+
+  analyze:
+    name: Analyze
+    needs: skip_duplicate
+    if: ${{ needs.skip_duplicate.outputs.should_skip == 'false' }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: python
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+
+  lint:
+    name: Lint
+    needs: skip_duplicate
+    if: ${{ needs.skip_duplicate.outputs.should_skip == 'false' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+      - name: Install dependencies
+        run: pip install -r requirements.txt && pip install -r requirements-dev.txt
+      - name: Lint
+        run: pylint --recursive=yes .
+
+  test:
+    name: Run unit tests
+    needs: skip_duplicate
+    if: ${{ needs.skip_duplicate.outputs.should_skip == 'false' }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [ '3.10' ]
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Setup Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: pip install -r requirements.txt && pip install -r requirements-dev.txt
+      - name: Run test suite
+        run: coverage run -m py.test -v
+      - name: Upload Coverage to Codecov
+        uses: codecov/codecov-action@v3
+
+  build:
+    name: Build
+    needs:
+      - lint
+      - test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Setup Python 3.10
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+      - name: Install build dependencies
+        run: pip install setuptools wheel
+      - name: Build wheel file
+        run: python setup.py bdist_wheel
+      - id: skip_check
+        uses: actions/upload-artifact@v3
+        with:
+          name: whl
+          path: dist/

.archive/.github/archive/workflows-disabled/merge-to-main.yml

@@ -0,0 +1,69 @@
+name: Merge to main
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  coverage:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+      - name: Install dependencies
+        run: pip install -r requirements.txt && pip install -r requirements-dev.txt
+      - name: Run test suite
+        run: |
+          coverage run -m py.test -v --junitxml=testresults.xml
+          coverage xml
+      - uses: sonarsource/sonarqube-scan-action@master
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+      - uses: sonarsource/sonarqube-quality-gate-action@master
+        timeout-minutes: 5
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  build:
+    needs: coverage
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Setup Python 3.10
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+      - name: Install build dependencies
+        run: pip install setuptools wheel
+      - name: Build wheel file
+        run: python setup.py bdist_wheel
+      - id: skip_check
+        uses: actions/upload-artifact@v3
+        with:
+          name: whl
+          path: dist/
+
+  publish:
+    needs: build
+    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create dist folder
+        run: mkdir -p dist
+      - uses: actions/download-artifact@v3
+        with:
+          name: whl
+          path: dist
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          user: __token__
+          password: ${{ secrets.PYPI_API_TOKEN }}

.archive/.github/archive/workflows-disabled/pull-request.yml

@@ -0,0 +1,67 @@
+name: CI - Pull request
+on:
+  pull_request:
+    paths-ignore:
+      - 'README.md'
+      - 'LICENSE.md'
+      - 'CHANGELOG.md'
+      - '.gitignore'
+      - 'renovate.json'
+      - 'CODEOWNERS'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: python
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+      - name: Install dependencies
+        run: pip install -r requirements.txt && pip install -r requirements-dev.txt
+      - name: Lint
+        run: pylint --recursive=yes .
+
+  test:
+    name: Run unit tests
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [ '3.10' ]
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Setup Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: pip install -r requirements.txt && pip install -r requirements-dev.txt
+      - name: Run test suite
+        run: coverage run -m py.test -v
+      - name: Upload Coverage to Codecov
+        uses: codecov/codecov-action@v3

.archive/.github/dependabot.yml

@@ -0,0 +1,59 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    assignees:
+      - "luketainton"
+    # reviewers:
+    #   - "luketainton"
+    commit-message:
+      prefix: "chore(actions)"
+      include: "scope"
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    assignees:
+      - "luketainton"
+    # reviewers:
+    #   - "luketainton"
+    commit-message:
+      prefix: "chore(docker)"
+      include: "scope"
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    assignees:
+      - "luketainton"
+    # reviewers:
+    #   - "luketainton"
+    commit-message:
+      prefix: "chore(pip-prod)"
+      prefix-development: "chore(pip-dev)"
+      include: "scope"
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "devcontainers"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    assignees:
+      - "luketainton"
+    # reviewers:
+    #   - "luketainton"
+    commit-message:
+      prefix: "chore(devcontainers)"
+      prefix-development: "chore(devcontainers)"
+      include: "scope"
+    labels:
+      - "devcontainers"

.archive/.github/workflows/ci.yml

@@ -0,0 +1,20 @@
+name: CI
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+      - "README.md"
+      - "LICENSE.md"
+      - ".gitignore"
+      - ".github/CODEOWNERS"
+      - ".github/renovate.json"
+      - ".github/dependabot.yml"
+
+jobs:
+  ci:
+    uses: luketainton/gha-workflows/.github/workflows/ci-python-poetry.yml@main
+    with:
+      python-version: 3.11
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.archive/.github/workflows/publish.yml

@@ -0,0 +1,80 @@
+name: Publish
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 9 * * 0"
+
+jobs:
+  test:
+    uses: luketainton/gha-workflows/.github/workflows/ci-python-poetry.yml@main
+    with:
+      python-version: 3.11
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  create_release:
+    name: Create Release
+    needs: test
+    uses: luketainton/gha-workflows/.github/workflows/create-release.yml@main
+
+  build:
+    name: Build Wheel File
+    needs: create_release
+    if: ${{ needs.create_release.outputs.success == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Setup Poetry
+        uses: abatilo/actions-poetry@v4
+      - name: Update pyproject.toml
+        run:
+          ./tools/update_pyproject.sh ${{ needs.create_release.outputs.release_name }}
+      - name: Install dependencies
+        run: poetry install
+      - name: Build wheel file
+        run: poetry build
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: whl
+          path: dist/
+      - name: Upload Release Asset
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release upload ${{ needs.create_release.outputs.release_name }} dist/*.whl
+
+  publish:
+    name: Publish to PyPI
+    needs: [create_release, build]
+    if: ${{ needs.create_release.outputs.success == 'true' }}
+    runs-on: ubuntu-latest
+    # Specifying a GitHub environment is optional, but strongly encouraged
+    environment:
+      name: release
+      url: https://pypi.org/p/ipilot
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
+    steps:
+      - name: Create dist folder
+        run: mkdir -p dist
+      - uses: actions/download-artifact@v4
+        with:
+          name: whl
+          path: dist
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  create_docker:
+    name: Create Docker Image
+    needs: create_release
+    if: ${{ needs.create_release.outputs.success == 'true' }}
+    uses: luketainton/gha-workflows/.github/workflows/build-push-attest-docker.yml@main
+    with:
+        release: ${{ needs.create_release.outputs.release_name }}