feat(ci): fix CI, switch to SonarQube self-hosted (#337)

Reviewed-on: repos/roboluke-tasks#337

.gitea/workflows/ci.yml

@@ -8,15 +8,64 @@ on:
       - reopened
 
 jobs:
-  validate_pr_title:
-    uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/conventional-commit.yml@main
-    with:
-      commit_message: ${{ gitea.event.pull_request.title }}
-
   ci:
-    uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/ci-python-uv-with-docker.yml@main
+    runs-on: ubuntu-latest
-    with:
+    steps:
-      python-version: 3.13
+      - name: Check out repository code
-    secrets:
+        uses: actions/checkout@v4.2.2
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
-      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          fetch-depth: 0
+
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile
+          output-file: hadolint.out
+          format: sonarqube
+          no-fail: true
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: uv cache
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.uv-cache
+          key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
+            uv-${{ runner.os }}
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Lint
+        run: |
+          uv run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/
+          cat lintreport.txt
+
+      - name: Unit Test
+        run: |
+          uv run coverage run -m pytest -v --junitxml=testresults.xml
+          uv run coverage xml
+          sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
+
+      - name: Minimize uv cache
+        run: uv cache prune --ci
+
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v4.2.1
+        env:
+          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
+          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
+
+      - name: Snyk Vulnerability Scan
+        uses: snyk/actions/python@master
+        continue-on-error: true # Sometimes vulns aren't immediately fixable
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: snyk
+          args: test --all-projects

.gitea/workflows/conventional_commit.yml

@@ -0,0 +1,16 @@
+name: Validate PR Title
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: https://git.tainton.uk/actions/conventional-commits-check-action@v1.2.4
+        with:
+          commit-message: ${{ gitea.event.pull_request.title }}

.gitea/workflows/release.yml

@@ -7,11 +7,12 @@ on:
 jobs:
   test:
     name: Test
-    uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/ci-python-uv-with-docker.yml@main
+    uses: https://git.tainton.uk/repos/roboluke-tasks/.gitea/workflows/ci.yml@main
     with:
       python-version: 3.13
     secrets:
-      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
+      SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   create_release:

.gitea/workflows/snyk.yml

@@ -0,0 +1,24 @@
+name: Snyk
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "@daily"
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4.2.2
+
+      - name: Snyk
+        uses: snyk/actions/python@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor

pyproject.toml

@@ -17,7 +17,7 @@ dependencies = [
 dev-dependencies = [
     "black<25.2.0,>=25.1.0",
     "coverage<8.0.0,>=7.6.10",
-    "isort<6.0.0,>=5.13.2",
+    "isort<6.1.0,>=6.0.0",
     "pylint<4.0.0,>=3.3.3",
     "pylint-exit<2.0.0,>=1.2.0",
     "pytest<9.0.0,>=8.3.4",

sonar-project.properties

@@ -1,7 +1,5 @@
-sonar.organization=luketainton
+sonar.projectKey=roboluke
-sonar.projectKey=luketainton_roboluke-tasks2
+sonar.projectName=roboluke
-sonar.projectName=roboluke-tasks
-sonar.projectVersion=1.0
 sonar.python.version=3.13
 sonar.python.coverage.reportPaths=coverage.xml
 sonar.python.pylint.reportPaths=lintreport.txt

uv.lock

@@ -252,11 +252,11 @@ wheels = [
 
 [[package]]
 name = "isort"
-version = "5.13.2"
+version = "6.0.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/87/f9/c1eb8635a24e87ade2efce21e3ce8cd6b8630bb685ddc9cdaca1349b2eb5/isort-5.13.2.tar.gz", hash = "sha256:48fdfcb9face5d58a4f6dde2e72a1fb8dcaf8ab26f95ab49fab84c2ddefb0109", size = 175303 }
+sdist = { url = "https://files.pythonhosted.org/packages/1c/28/b382d1656ac0ee4cef4bf579b13f9c6c813bff8a5cb5996669592c8c75fa/isort-6.0.0.tar.gz", hash = "sha256:75d9d8a1438a9432a7d7b54f2d3b45cad9a4a0fdba43617d9873379704a8bdf1", size = 828356 }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/d1/b3/8def84f539e7d2289a02f0524b944b15d7c75dab7628bedf1c4f0992029c/isort-5.13.2-py3-none-any.whl", hash = "sha256:8ca5e72a8d85860d5a3fa69b8745237f2939afe12dbf656afbcb47fe72d947a6", size = 92310 },
+    { url = "https://files.pythonhosted.org/packages/76/c7/d6017f09ae5b1206fbe531f7af3b6dac1f67aedcbd2e79f3b386c27955d6/isort-6.0.0-py3-none-any.whl", hash = "sha256:567954102bb47bb12e0fae62606570faacddd441e45683968c8d1734fb1af892", size = 94053 },
 ]
 
 [[package]]
@@ -324,7 +324,7 @@ wheels = [
 
 [[package]]
 name = "pylint"
-version = "3.3.3"
+version = "3.3.4"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "astroid" },
@@ -335,9 +335,9 @@ dependencies = [
     { name = "platformdirs" },
     { name = "tomlkit" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/17/fd/e9a739afac274a39596bbe562e9d966db6f3917fdb2bd7322ffc56da0ba2/pylint-3.3.3.tar.gz", hash = "sha256:07c607523b17e6d16e2ae0d7ef59602e332caa762af64203c24b41c27139f36a", size = 1516550 }
+sdist = { url = "https://files.pythonhosted.org/packages/ab/b9/50be49afc91469f832c4bf12318ab4abe56ee9aa3700a89aad5359ad195f/pylint-3.3.4.tar.gz", hash = "sha256:74ae7a38b177e69a9b525d0794bd8183820bfa7eb68cc1bee6e8ed22a42be4ce", size = 1518905 }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/91/e1/26d55acea92b1ea4d33672e48f09ceeb274e84d7d542a4fb9a32a556db46/pylint-3.3.3-py3-none-any.whl", hash = "sha256:26e271a2bc8bce0fc23833805a9076dd9b4d5194e2a02164942cb3cdc37b4183", size = 521918 },
+    { url = "https://files.pythonhosted.org/packages/0d/8b/eef15df5f4e7aa393de31feb96ca9a3d6639669bd59d589d0685d5ef4e62/pylint-3.3.4-py3-none-any.whl", hash = "sha256:289e6a1eb27b453b08436478391a48cd53bb0efb824873f949e709350f3de018", size = 522280 },
 ]
 
 [[package]]
@@ -441,7 +441,7 @@ requires-dist = [
 dev = [
     { name = "black", specifier = ">=25.1.0,<25.2.0" },
     { name = "coverage", specifier = ">=7.6.10,<8.0.0" },
-    { name = "isort", specifier = ">=5.13.2,<6.0.0" },
+    { name = "isort", specifier = ">=6.0.0,<6.1.0" },
     { name = "pylint", specifier = ">=3.3.3,<4.0.0" },
     { name = "pylint-exit", specifier = ">=1.2.0,<2.0.0" },
     { name = "pytest", specifier = ">=8.3.4,<9.0.0" },