chore(ci): migrate SOT to Gitea

2024-12-31 22:37:37 +00:00
parent d05905e432
commit 7a2424ca76
10 changed files with 282 additions and 0 deletions
--- a/.archive/.github/CODEOWNERS
+++ b/.archive/.github/CODEOWNERS
@@ -0,0 +1 @@
+*   @luketainton
--- a/.archive/.github/dependabot.yml
+++ b/.archive/.github/dependabot.yml
--- a/.archive/.github/renovate.json
+++ b/.archive/.github/renovate.json
--- a/.archive/.github/workflows-old/release.yml
+++ b/.archive/.github/workflows-old/release.yml
--- a/.archive/.github/workflows/ci.yml
+++ b/.archive/.github/workflows/ci.yml
@@ -0,0 +1,20 @@
+name: CI
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+      - "README.md"
+      - "LICENSE.md"
+      - ".gitignore"
+      - ".github/CODEOWNERS"
+      - ".github/renovate.json"
+      - ".github/dependabot.yml"
+
+jobs:
+  ci:
+    uses: luketainton/gha-workflows/.github/workflows/ci-python-poetry-with-docker.yml@main
+    with:
+      python-version: "3.13"
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
--- a/.archive/.github/workflows/release.yml
+++ b/.archive/.github/workflows/release.yml
@@ -0,0 +1,26 @@
+name: Release
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 9 * * 0"
+
+jobs:
+  test:
+    uses: luketainton/gha-workflows/.github/workflows/ci-python-poetry-with-docker.yml@main
+    with:
+      python-version: "3.13"
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  create_release:
+    name: Create Release
+    uses: luketainton/gha-workflows/.github/workflows/create-release.yml@main
+
+  create_docker:
+    name: Create Docker Image
+    needs: create_release
+    if: ${{ needs.create_release.outputs.success == 'true' }}
+    uses: luketainton/gha-workflows/.github/workflows/build-push-attest-docker.yml@main
+    with:
+        release: ${{ needs.create_release.outputs.release_name }}
--- a/.gitea/CODEOWNERS
+++ b/.gitea/CODEOWNERS
@@ -0,0 +1 @@
+*   @luke
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,59 @@
+name: CI
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+      - "README.md"
+      - "LICENSE.md"
+      - ".gitignore"
+      - "renovate.json"
+      - ".gitea/CODEOWNERS"
+      - ".archive"
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4.1.7
+        with:
+          fetch-depth: 0
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile
+          output-file: hadolint.out
+          format: sonarqube
+          no-fail: true
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "${{ vars.PYTHON_VERSION }}"
+      - name: Setup Poetry
+        uses: abatilo/actions-poetry@v3
+      - name: Install dependencies
+        run: poetry install
+      - name: Lint
+        run: |
+          poetry run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt .
+          cat lintreport.txt
+      - name: Unit Test
+        run: |
+          poetry run coverage run -m pytest -v --junitxml=testresults.xml
+          poetry run coverage xml
+          sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
+      - name: SonarQube Cloud Scan
+        uses: SonarSource/sonarqube-scan-action@v4.2.1
+        env:
+          # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      - name: Snyk Vulnerability Scan
+        uses: snyk/actions/python-3.10@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif --all-projects
+      # - name: Upload result to GitHub Code Scanning
+      #   uses: github/codeql-action/upload-sarif@v3
+      #   with:
+      #     sarif_file: snyk.sarif
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -0,0 +1,133 @@
+name: Release
+on:
+  schedule:
+    - cron: "0 9 * * 0"
+
+jobs:
+  test:
+    uses: https://git.tainton.uk/public/webexmemebot/src/branch/main/.gitea/workflows/ci.yml
+
+  create_release:
+    runs-on: ubuntu-latest
+    outputs:
+      release_name: ${{ steps.tag_version.outputs.new_tag }}
+      success: ${{ steps.set_flag.outputs.success }}
+    steps:
+      - uses: actions/checkout@v4.1.7
+        with:
+          fetch-depth: 0
+
+      - name: Changes since last tag
+        id: changes
+        run: |
+          CHANGES=$(git log $(git describe --tags --abbrev=0)..HEAD --no-merges --oneline)
+          echo "$CHANGES"
+          if [ -z "$CHANGES" ]; then echo "changes=false" >> "$GITEA_OUTPUT"; else echo "changes=true" >> "$GITEA_OUTPUT"; fi
+
+      - name: Bump version and push tag
+        id: tag_version
+        if: steps.changes.outputs.changes == 'true'
+        uses: mathieudutour/github-tag-action@v6.2
+        with:
+          github_token: ${{ gitea.token }}
+          default_bump: minor
+          # default_bump: false
+
+      - name: Build Changelog
+        uses: mikepenz/release-changelog-builder-action@v4
+        id: build_changelog
+        env:
+          GITHUB_TOKEN: ${{ gitea.token }}
+        with:
+          configurationJson: |
+            {
+              "pr_template": "- #{{TITLE}} ([##{{NUMBER}}](#{{URL}}))",
+              "empty_template": "- no changes",
+              "categories": [
+                {
+                    "title": "## 💬 Other",
+                    "labels": ["other"]
+                },
+                {
+                    "title": "## 📦 Dependencies",
+                    "labels": ["dependencies"]
+                },
+                {
+                  "title": "## 🚀 Features",
+                  "labels": ["feature"]
+                },
+                {
+                  "title": "## 🐛 Bug Fixes",
+                  "labels": ["bugfix"]
+                },
+              ]
+            }
+
+      - name: Create release
+        id: create_release
+        uses: akkuman/gitea-release-action@v1
+        env:
+          NODE_OPTIONS: '--experimental-fetch' # if nodejs < 18
+        with:
+          tag: ${{ steps.tag_version.outputs.new_tag }}
+          name: ${{ steps.tag_version.outputs.new_tag }}
+          body: ${{ steps.build_changelog.outputs.changelog }}
+
+      - name: Set success/fail flag
+        id: set_flag
+        if: steps.changes.outputs.changes == 'true'
+        run: if test "${{ steps.changes.outputs.changes }}" = "true"; then echo "success=true" >> "$GITHUB_OUTPUT"; else echo "success=false" >> "$GITHUB_OUTPUT"; fi
+
+  create_docker:
+    name: Create Docker Image
+    needs: create_release
+    if: ${{ needs.create_release.outputs.success == 'true' }}
+    outputs:
+      success: ${{ steps.set_flag.outputs.success }}
+    with:
+        release: ${{ needs.create_release.outputs.release_name }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.release }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.tainton.uk
+          username: ${{ gitea.actor }}
+          password: ${{ gitea.token }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            git.tainton.uk/${{ gitea.repository }}
+          tags: |
+            type=semver,pattern=v{{version}},value=${{ inputs.release }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            git.tainton.uk/${{ gitea.repository }}:latest
+            git.tainton.uk/${{ gitea.repository }}:${{ inputs.release }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: git.tainton.uk/${{ gitea.repository }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Set success flag
+        id: set_flag
+        run: echo "success=true" >> "$GITHUB_OUTPUT"
--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,42 @@
+{
+  "assignAutomerge": true,
+  "assigneesFromCodeOwners": true,
+  "dependencyDashboardAutoclose": true,
+  "extends": [
+    "config:base"
+  ],
+  "labels": [
+    "dependencies"
+  ],
+  "packageRules": [
+    {
+      "labels": [
+        "linting"
+      ],
+      "matchPackagePatterns": [
+        "black",
+        "pylint"
+      ]
+    },
+    {
+      "labels": [
+        "unit-tests"
+      ],
+      "matchPackagePatterns": [
+        "coverage",
+        "pytest"
+      ]
+    }
+  ],
+  "platformCommit": true,
+  "rebaseWhen": "behind-base-branch",
+  "rollbackPrs": true,
+  "vulnerabilityAlerts": {
+    "commitMessagePrefix": "[SECURITY] ",
+    "enabled": true,
+    "labels": [
+      "security"
+    ],
+    "prCreation": "immediate"
+  }
+}