From 5978a83254dee502c5ce33a0ac5cdb7b88f372a1 Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sun, 9 Feb 2025 20:52:26 +0000 Subject: [PATCH 1/3] feat(ci): fix CI, switch to self-hosted SonarQube --- .../.devcontainer}/devcontainer.json | 0 {ARCHIVE => .archive}/.github/CODEOWNERS | 0 .../.github/archive/.deepsource.toml | 0 .../.github/archive/codecov.yml | 0 .../.github/archive/renovate.json | 0 .../workflows-disabled/ci-branch-main.yml | 0 .../workflows-disabled/ci-development.yml | 0 .../archive/workflows-disabled/merge-to-main.yml | 0 .../archive/workflows-disabled/pull-request.yml | 0 {ARCHIVE => .archive}/.github/dependabot.yml | 0 {ARCHIVE => .archive}/.github/workflows/ci.yml | 0 .../.github/workflows/publish.yml | 0 .gitea/workflows/ci.yml | 1 + .gitea/workflows/release.yml | 16 +++++----------- .gitignore | 1 + sonar-project.properties | 10 ++++------ 16 files changed, 11 insertions(+), 17 deletions(-) rename {.devcontainer => .archive/.devcontainer}/devcontainer.json (100%) rename {ARCHIVE => .archive}/.github/CODEOWNERS (100%) rename {ARCHIVE => .archive}/.github/archive/.deepsource.toml (100%) rename {ARCHIVE => .archive}/.github/archive/codecov.yml (100%) rename {ARCHIVE => .archive}/.github/archive/renovate.json (100%) rename {ARCHIVE => .archive}/.github/archive/workflows-disabled/ci-branch-main.yml (100%) rename {ARCHIVE => .archive}/.github/archive/workflows-disabled/ci-development.yml (100%) rename {ARCHIVE => .archive}/.github/archive/workflows-disabled/merge-to-main.yml (100%) rename {ARCHIVE => .archive}/.github/archive/workflows-disabled/pull-request.yml (100%) rename {ARCHIVE => .archive}/.github/dependabot.yml (100%) rename {ARCHIVE => .archive}/.github/workflows/ci.yml (100%) rename {ARCHIVE => .archive}/.github/workflows/publish.yml (100%) diff --git a/.devcontainer/devcontainer.json b/.archive/.devcontainer/devcontainer.json similarity index 100% rename from .devcontainer/devcontainer.json rename to .archive/.devcontainer/devcontainer.json diff --git a/ARCHIVE/.github/CODEOWNERS b/.archive/.github/CODEOWNERS similarity index 100% rename from ARCHIVE/.github/CODEOWNERS rename to .archive/.github/CODEOWNERS diff --git a/ARCHIVE/.github/archive/.deepsource.toml b/.archive/.github/archive/.deepsource.toml similarity index 100% rename from ARCHIVE/.github/archive/.deepsource.toml rename to .archive/.github/archive/.deepsource.toml diff --git a/ARCHIVE/.github/archive/codecov.yml b/.archive/.github/archive/codecov.yml similarity index 100% rename from ARCHIVE/.github/archive/codecov.yml rename to .archive/.github/archive/codecov.yml diff --git a/ARCHIVE/.github/archive/renovate.json b/.archive/.github/archive/renovate.json similarity index 100% rename from ARCHIVE/.github/archive/renovate.json rename to .archive/.github/archive/renovate.json diff --git a/ARCHIVE/.github/archive/workflows-disabled/ci-branch-main.yml b/.archive/.github/archive/workflows-disabled/ci-branch-main.yml similarity index 100% rename from ARCHIVE/.github/archive/workflows-disabled/ci-branch-main.yml rename to .archive/.github/archive/workflows-disabled/ci-branch-main.yml diff --git a/ARCHIVE/.github/archive/workflows-disabled/ci-development.yml b/.archive/.github/archive/workflows-disabled/ci-development.yml similarity index 100% rename from ARCHIVE/.github/archive/workflows-disabled/ci-development.yml rename to .archive/.github/archive/workflows-disabled/ci-development.yml diff --git a/ARCHIVE/.github/archive/workflows-disabled/merge-to-main.yml b/.archive/.github/archive/workflows-disabled/merge-to-main.yml similarity index 100% rename from ARCHIVE/.github/archive/workflows-disabled/merge-to-main.yml rename to .archive/.github/archive/workflows-disabled/merge-to-main.yml diff --git a/ARCHIVE/.github/archive/workflows-disabled/pull-request.yml b/.archive/.github/archive/workflows-disabled/pull-request.yml similarity index 100% rename from ARCHIVE/.github/archive/workflows-disabled/pull-request.yml rename to .archive/.github/archive/workflows-disabled/pull-request.yml diff --git a/ARCHIVE/.github/dependabot.yml b/.archive/.github/dependabot.yml similarity index 100% rename from ARCHIVE/.github/dependabot.yml rename to .archive/.github/dependabot.yml diff --git a/ARCHIVE/.github/workflows/ci.yml b/.archive/.github/workflows/ci.yml similarity index 100% rename from ARCHIVE/.github/workflows/ci.yml rename to .archive/.github/workflows/ci.yml diff --git a/ARCHIVE/.github/workflows/publish.yml b/.archive/.github/workflows/publish.yml similarity index 100% rename from ARCHIVE/.github/workflows/publish.yml rename to .archive/.github/workflows/publish.yml diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 6e869fc..76c7b4e 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -58,6 +58,7 @@ jobs: - name: SonarQube Cloud Scan uses: SonarSource/sonarqube-scan-action@v4.2.1 env: + SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - name: Snyk Vulnerability Scan diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 330ab4f..3437167 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -5,18 +5,13 @@ on: - cron: "0 9 * * 0" jobs: - # test: - # name: Test - # uses: https://git.tainton.uk/public/pypilot/.gitea/workflows/ci.yml@main - # with: - # python-version: 3.13 - # secrets: - # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + test: + name: Test + uses: https://git.tainton.uk/repos/pypilot/.gitea/workflows/ci.yml@main create_release: name: Create Release - # needs: test + needs: test uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/create-release.yml@main secrets: ACTIONS_TOKEN: ${{ secrets.ACTIONS_TOKEN }} @@ -51,8 +46,7 @@ jobs: - name: Setup Poetry uses: abatilo/actions-poetry@v4 - name: Update pyproject.toml - run: - ./tools/update_pyproject.sh ${{ needs.create_release.outputs.release_name }} + run: ./tools/update_pyproject.sh ${{ needs.create_release.outputs.release_name }} - name: Install dependencies run: poetry install - name: Build wheel file diff --git a/.gitignore b/.gitignore index 7f4045e..c1cb423 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,7 @@ __pycache__/ # Distribution / packaging .Python build/ +.pdm-build/ develop-eggs/ dist/ downloads/ diff --git a/sonar-project.properties b/sonar-project.properties index 5c059f8..4710b79 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -1,12 +1,10 @@ -sonar.organization=luketainton -sonar.projectKey=luketainton_pypilot2 +sonar.projectKey=pypilot sonar.projectName=pypilot -sonar.projectVersion=1.0 -sonar.python.version=3.10 +sonar.python.version=3.13 sonar.python.coverage.reportPaths=coverage.xml sonar.python.pylint.reportPaths=lintreport.txt sonar.python.xunit.reportPath=testresults.xml -sonar.sources=app +sonar.sources=Dockerfile,app sonar.tests=tests -sonar.exclusions=,.github/**,.gitignore,CODEOWNERS,CHANGELOG.md,LICENSE.md,README.md,renovate.json,requirements-dev.txt,requirements.txt +sonar.exclusions=,.archive/**,.gitea/**,.gitignore,renovate.json sonar.coverage.exclusions=app/_version.py,app/args.py,app/main.py -- 2.47.2 From 4a318d480283621d3c88436dfff6217d8d417e13 Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sun, 9 Feb 2025 20:54:30 +0000 Subject: [PATCH 2/3] Rename SQ step --- .gitea/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 76c7b4e..5251f58 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -55,7 +55,7 @@ jobs: - name: Minimize uv cache run: uv cache prune --ci - - name: SonarQube Cloud Scan + - name: SonarQube Scan uses: SonarSource/sonarqube-scan-action@v4.2.1 env: SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }} -- 2.47.2 From 0922ba145e551bae0bcd4ed9c7577f5c9c1a9f82 Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sun, 9 Feb 2025 20:57:58 +0000 Subject: [PATCH 3/3] add security.yml --- .gitea/workflows/ci.yml | 2 +- .gitea/workflows/security.yml | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 .gitea/workflows/security.yml diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 5251f58..ef0118d 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -59,7 +59,7 @@ jobs: uses: SonarSource/sonarqube-scan-action@v4.2.1 env: SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }} - name: Snyk Vulnerability Scan uses: snyk/actions/python@master diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml new file mode 100644 index 0000000..e5b8112 --- /dev/null +++ b/.gitea/workflows/security.yml @@ -0,0 +1,34 @@ +name: Security + +on: + workflow_dispatch: + push: + branches: + - main + schedule: + - cron: "@daily" + +jobs: + sonarqube: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4.2.2 + + - name: SonarQube Scan + uses: SonarSource/sonarqube-scan-action@v4.2.1 + env: + SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }} + SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }} + + snyk: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4.2.2 + + - name: Snyk + uses: snyk/actions/python@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} -- 2.47.2