Update .gitea/workflows/sonar.yml

fix(docker): add user creation and permissions in Dockerfile (#442 )
2026-04-17 18:48:40 +00:00 · 2026-04-17 18:25:48 +00:00 · 2026-04-17 18:21:31 +00:00 · 2026-04-17 18:03:16 +00:00
8 changed files with 71 additions and 58 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -16,14 +16,6 @@ jobs:
        with:
          fetch-depth: 0
      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.3.0
        with:
          dockerfile: Dockerfile
          output-file: hadolint.out
          format: sonarqube
          no-fail: true
      - name: Setup Python
        uses: actions/setup-python@v6
        with:
@@ -53,43 +45,6 @@ jobs:
        run: |
          uv run coverage run -m pytest -v --junitxml=testresults.xml
          uv run coverage report
        # sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
      - name: Minimize uv cache
        run: uv cache prune --ci
      # - name: SonarQube Scan
      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
      #   env:
      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
      # - name: Set up environment for Snyk
      #   run: |
      #     uv pip freeze > requirements.txt
      #     mv pyproject.toml pyproject.toml.bak
      #     mv uv.lock uv.lock.bak
      # - name: Snyk SAST Scan
      #   uses: snyk/actions/python@master
      #   env:
      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      #   with:
      #     # command: snyk
      #     args: snyk code test #--all-projects --exclude=.archive
      # - name: Snyk Vulnerability Scan
      #   uses: snyk/actions/python@master
      #   continue-on-error: true # Sometimes vulns aren't immediately fixable
      #   env:
      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      #     DEBUG: "*snyk*"
      #   with:
      #     # command: snyk
      #     args: snyk test #--all-projects --exclude=.archive
      # - name: Reverse set up environment for Snyk
      #   run: |
      #     rm -f requirements.txt
      #     mv pyproject.toml.bak pyproject.toml
      #     mv uv.lock.bak uv.lock
--- a/.gitea/workflows/sonar.yml
+++ b/.gitea/workflows/sonar.yml
@@ -0,0 +1,61 @@
 name: Sonar
 on:
  push:
    branches:
      - main
 jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v6.0.2
        with:
          fetch-depth: 0
      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.3.0
        with:
          dockerfile: Dockerfile
          output-file: hadolint.out
          format: sonarqube
          no-fail: true
      - name: Setup Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.14"
      - name: uv cache
        uses: actions/cache@v5
        with:
          path: /tmp/.uv-cache
          key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
          restore-keys: |
            uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
            uv-${{ runner.os }}
      - name: Install dependencies
        run: uv sync
      - name: Lint
        run: |
          uv run pylint --exit-zero --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/
          cat lintreport.txt
      - name: Unit Test
        run: |
          uv run coverage run -m pytest -v --junitxml=testresults.xml
          uv run coverage report
          uv run coverage xml -q -o coverage.xml
          sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
      - name: Minimize uv cache
        run: uv cache prune --ci
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v7.1.0
        env:
          SONAR_HOST_URL: ${{ vars.SONAR_URL }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
--- a/7
+++ b/7
@@ -2,6 +2,8 @@ FROM python:3.13.12-slim
 LABEL maintainer="Luke Tainton <luke@tainton.uk>"
 USER root
 RUN useradd -r -s /sbin/nologin -M user
 ENV PYTHONPATH="/run:/usr/local/lib/python3.13/lib-dynload:/usr/local/lib/python3.13/site-packages:/usr/local/lib/python3.13"
 ENV UV_PROJECT_ENVIRONMENT="/usr/local/"
@@ -9,7 +11,7 @@ WORKDIR /run
 RUN mkdir -p /.local && \
    chmod -R 777 /.local && \
-    pip install -U pip uv==0.9.21
+    pip install --no-cache-dir -U pip uv==0.9.21
 COPY pyproject.toml /run/pyproject.toml
 COPY uv.lock /run/uv.lock
@@ -24,3 +26,6 @@ ARG version="dev"
 ENV APP_VERSION=$version
 COPY app /run/app
 RUN chown -R user:user /run
 USER user
--- a/sonar-project.properties
+++ b/sonar-project.properties
@@ -1,10 +1,10 @@
 sonar.projectKey=roboluke
 sonar.projectName=roboluke
-sonar.python.version=3.13
+sonar.python.version=3.14
 sonar.python.coverage.reportPaths=coverage.xml
 sonar.python.pylint.reportPaths=lintreport.txt
 sonar.python.xunit.reportPath=testresults.xml
 sonar.docker.hadolint.reportPaths=hadolint.out
 sonar.sources=Dockerfile,app
 sonar.tests=tests
-sonar.exclusions=,.github/**,.gitignore,CODEOWNERS,CHANGELOG.md,LICENSE.md,README.md,renovate.json,requirements-dev.txt,requirements.txt
+sonar.exclusions=.archive/**,.github/**,.gitea/**,.gitignore,CODEOWNERS,CHANGELOG.md,LICENSE.md,README.md,renovate.json,requirements-dev.txt,requirements.txt
--- a/tests/test_config_1.py
+++ b/tests/test_config_1.py
@@ -1,5 +1,3 @@
 #!/usr/bin/env python3
 # ruff: noqa: E402 pylint: disable=wrong-import-position
 """Provides test cases for app/utils/config.py."""
@@ -27,7 +25,7 @@ def test_config() -> None:
        os.environ[config_var] = value
    # needs to be imported AFTER environment variables are set
-    from app.utils.config import config  # pragma: no cover
+    from app.utils.config import config  # pragma: no cover # NOSONAR (C0415)
    assert config.admin_emails == config_vars["ADMIN_EMAIL"].split(",")
    assert config.admin_first_name == config_vars["ADMIN_FIRST_NAME"]
--- a/tests/test_config_2.py
+++ b/tests/test_config_2.py
@@ -1,5 +1,3 @@
 #!/usr/bin/env python3
 # ruff: noqa: E402 pylint: disable=wrong-import-position
 """Provides test cases for app/utils/config.py."""
@@ -24,7 +22,7 @@ def test_config_no_admin_vars() -> None:
        os.environ[config_var] = value
    # needs to be imported AFTER environment variables are set
-    from app.utils.config import config  # pragma: no cover
+    from app.utils.config import config  # pragma: no cover # NOSONAR (C0415)
    assert config.approved_domains == []
    assert config.approved_rooms == []
--- a/tests/test_datetime.py
+++ b/tests/test_datetime.py
@@ -1,5 +1,3 @@
 #!/usr/bin/env python3
 """Provides test cases for app/utils/datetime.py."""
 import pytest
--- a/tests/test_helpers.py
+++ b/tests/test_helpers.py
@@ -1,5 +1,3 @@
 #!/usr/bin/env python3
 """Provides test cases for app/utils/helpers.py."""
 from app.utils.helpers import validate_email_syntax  # pragma: no cover
Author	SHA1	Message	Date
Luke Tainton	aa64fe6e10	Update .gitea/workflows/sonar.yml All checks were successful Sonar / sonar (push) Successful in 56s Details	2026-04-17 18:48:40 +00:00
Luke Tainton	096c72f0d2	Update .gitea/workflows/sonar.yml All checks were successful Sonar / ci (push) Successful in 1m1s Details	2026-04-17 18:25:48 +00:00
Luke Tainton	518014149e	fix(docker): add user creation and permissions in Dockerfile (#442 ) Some checks failed Sonar / ci (push) Failing after 16s Details Co-authored-by: Copilot <copilot@github.com> Reviewed-on: #442	2026-04-17 18:21:31 +00:00
Luke Tainton	e70360a8d6	chore(ci): enable SonarQube (#441 ) Reviewed-on: #441	2026-04-17 18:03:16 +00:00