feat(ci): fix CI, switch to self-hosted SonarQube (#310)

Reviewed-on: #310

.gitea/workflows/ci.yml

@@ -55,10 +55,11 @@ jobs:
       - name: Minimize uv cache
         run: uv cache prune --ci
 
-      - name: SonarQube Cloud Scan
+      - name: SonarQube Scan
         uses: SonarSource/sonarqube-scan-action@v4.2.1
         env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
+          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
 
       - name: Snyk Vulnerability Scan
         uses: snyk/actions/python@master

.gitea/workflows/release.yml

@@ -5,18 +5,13 @@ on:
     - cron: "0 9 * * 0"
 
 jobs:
-  # test:
+  test:
-  #   name: Test
+    name: Test
-  #   uses: https://git.tainton.uk/public/pypilot/.gitea/workflows/ci.yml@main
+    uses: https://git.tainton.uk/repos/pypilot/.gitea/workflows/ci.yml@main
-  #   with:
-  #     python-version: 3.13
-  #   secrets:
-  #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-  #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   create_release:
     name: Create Release
-    # needs: test
+    needs: test
     uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/create-release.yml@main
     secrets:
       ACTIONS_TOKEN: ${{ secrets.ACTIONS_TOKEN }}
@@ -51,8 +46,7 @@ jobs:
       - name: Setup Poetry
         uses: abatilo/actions-poetry@v4
       - name: Update pyproject.toml
-        run:
+        run: ./tools/update_pyproject.sh ${{ needs.create_release.outputs.release_name }}
-          ./tools/update_pyproject.sh ${{ needs.create_release.outputs.release_name }}
       - name: Install dependencies
         run: poetry install
       - name: Build wheel file

.gitea/workflows/security.yml

@@ -0,0 +1,34 @@
+name: Security
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "@daily"
+
+jobs:
+  sonarqube:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4.2.2
+
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v4.2.1
+        env:
+          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
+          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
+
+  snyk:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4.2.2
+
+      - name: Snyk
+        uses: snyk/actions/python@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.gitignore

@@ -9,6 +9,7 @@ __pycache__/
 # Distribution / packaging
 .Python
 build/
+.pdm-build/
 develop-eggs/
 dist/
 downloads/

sonar-project.properties

@@ -1,12 +1,10 @@
-sonar.organization=luketainton
+sonar.projectKey=pypilot
-sonar.projectKey=luketainton_pypilot2
 sonar.projectName=pypilot
-sonar.projectVersion=1.0
+sonar.python.version=3.13
-sonar.python.version=3.10
 sonar.python.coverage.reportPaths=coverage.xml
 sonar.python.pylint.reportPaths=lintreport.txt
 sonar.python.xunit.reportPath=testresults.xml
-sonar.sources=app
+sonar.sources=Dockerfile,app
 sonar.tests=tests
-sonar.exclusions=,.github/**,.gitignore,CODEOWNERS,CHANGELOG.md,LICENSE.md,README.md,renovate.json,requirements-dev.txt,requirements.txt
+sonar.exclusions=,.archive/**,.gitea/**,.gitignore,renovate.json
 sonar.coverage.exclusions=app/_version.py,app/args.py,app/main.py