From a47d1f7cd7d5ac31eb3c3bb007868f4ca6e8803d Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Fri, 17 Apr 2026 19:20:15 +0100 Subject: [PATCH] feat(ci): add SonarQube workflow for code quality analysis Co-authored-by: Copilot --- .gitea/workflows/ci.yml | 46 ---------------------------- .gitea/workflows/sonar.yml | 61 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 46 deletions(-) create mode 100644 .gitea/workflows/sonar.yml diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 2e80841..9cf1a5e 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -16,14 +16,6 @@ jobs: with: fetch-depth: 0 - - name: Run Hadolint - uses: hadolint/hadolint-action@v3.3.0 - with: - dockerfile: Dockerfile - output-file: hadolint.out - format: sonarqube - no-fail: true - - name: Setup Python uses: actions/setup-python@v6 with: @@ -53,44 +45,6 @@ jobs: run: | uv run coverage run -m pytest -v --junitxml=testresults.xml uv run coverage report - uv run coverage xml -q -o coverage.xml - sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml - name: Minimize uv cache run: uv cache prune --ci - - - name: SonarQube Scan - uses: SonarSource/sonarqube-scan-action@v7.1.0 - env: - SONAR_HOST_URL: ${{ vars.SONAR_URL }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - # - name: Set up environment for Snyk - # run: | - # uv pip freeze > requirements.txt - # mv pyproject.toml pyproject.toml.bak - # mv uv.lock uv.lock.bak - - # - name: Snyk SAST Scan - # uses: snyk/actions/python@master - # env: - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # with: - # # command: snyk - # args: snyk code test #--all-projects --exclude=.archive - - # - name: Snyk Vulnerability Scan - # uses: snyk/actions/python@master - # continue-on-error: true # Sometimes vulns aren't immediately fixable - # env: - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # DEBUG: "*snyk*" - # with: - # # command: snyk - # args: snyk test #--all-projects --exclude=.archive - - # - name: Reverse set up environment for Snyk - # run: | - # rm -f requirements.txt - # mv pyproject.toml.bak pyproject.toml - # mv uv.lock.bak uv.lock diff --git a/.gitea/workflows/sonar.yml b/.gitea/workflows/sonar.yml new file mode 100644 index 0000000..d2e416e --- /dev/null +++ b/.gitea/workflows/sonar.yml @@ -0,0 +1,61 @@ +name: Sonar +on: + push: + branches: + - main + +jobs: + ci: + runs-on: ubuntu-latest + steps: + - name: Check out repository code + uses: actions/checkout@v6.0.2 + with: + fetch-depth: 0 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.3.0 + with: + dockerfile: Dockerfile + output-file: hadolint.out + format: sonarqube + no-fail: true + + - name: Setup Python + uses: actions/setup-python@v6 + with: + python-version: "3.14" + + - name: uv cache + uses: actions/cache@v5 + with: + path: /tmp/.uv-cache + key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }} + restore-keys: | + uv-${{ runner.os }}-${{ hashFiles('uv.lock') }} + uv-${{ runner.os }} + + - name: Install dependencies + run: uv sync + + + - name: Lint + run: | + uv run pylint --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/ + cat lintreport.txt + + - name: Unit Test + run: | + uv run coverage run -m pytest -v --junitxml=testresults.xml + uv run coverage report + uv run coverage xml -q -o coverage.xml + sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml + + - name: Minimize uv cache + run: uv cache prune --ci + + - name: SonarQube Scan + uses: SonarSource/sonarqube-scan-action@v7.1.0 + env: + SONAR_HOST_URL: ${{ vars.SONAR_URL }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}