From 44d6f9d1613cdba06f52b2ac67e74525ecf4c9d6 Mon Sep 17 00:00:00 2001
From: Luke Tainton
Date: Sun, 9 Feb 2025 20:38:33 +0000
Subject: [PATCH] feat(ci): fix CI, switch to self-hosted SonarQube
---
 {.github => .archive/.github.old}/CODEOWNERS | 0
 .../{.github => .github.old}/dependabot.yml | 0
 .../{.github => .github.old}/renovate.json | 0
 .../workflows-old/release.yml | 0
 .../.github.old}/workflows/ci.yml | 0
 .../.github.old}/workflows/release.yml | 0
 .gitea/workflows/ci.yml | 20 +++++------
 .gitea/workflows/pr-title-semantic.yml | 2 --
 .gitea/workflows/security.yml | 34 +++++++++++++++++++
 .gitignore | 1 +
 10 files changed, 44 insertions(+), 13 deletions(-)
 rename {.github => .archive/.github.old}/CODEOWNERS (100%)
 rename .archive/{.github => .github.old}/dependabot.yml (100%)
 rename .archive/{.github => .github.old}/renovate.json (100%)
 rename .archive/{.github => .github.old}/workflows-old/release.yml (100%)
 rename {.github => .archive/.github.old}/workflows/ci.yml (100%)
 rename {.github => .archive/.github.old}/workflows/release.yml (100%)
 create mode 100644 .gitea/workflows/security.yml
diff --git a/.github/CODEOWNERS b/.archive/.github.old/CODEOWNERS
similarity index 100%
rename from .github/CODEOWNERS
rename to .archive/.github.old/CODEOWNERS
diff --git a/.archive/.github/dependabot.yml b/.archive/.github.old/dependabot.yml
similarity index 100%
rename from .archive/.github/dependabot.yml
rename to .archive/.github.old/dependabot.yml
diff --git a/.archive/.github/renovate.json b/.archive/.github.old/renovate.json
similarity index 100%
rename from .archive/.github/renovate.json
rename to .archive/.github.old/renovate.json
diff --git a/.archive/.github/workflows-old/release.yml b/.archive/.github.old/workflows-old/release.yml
similarity index 100%
rename from .archive/.github/workflows-old/release.yml
rename to .archive/.github.old/workflows-old/release.yml
diff --git a/.github/workflows/ci.yml b/.archive/.github.old/workflows/ci.yml
similarity index 100%
rename from .github/workflows/ci.yml
rename to .archive/.github.old/workflows/ci.yml
diff --git a/.github/workflows/release.yml b/.archive/.github.old/workflows/release.yml
similarity index 100%
rename from .github/workflows/release.yml
rename to .archive/.github.old/workflows/release.yml
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index fc7057a..2aad0f9 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,14 +1,11 @@
 name: CI
 on:
 pull_request:
- types: [opened, synchronize, reopened]
- paths-ignore:
- - "README.md"
- - "LICENSE.md"
- - ".gitignore"
- - "renovate.json"
- - ".gitea/CODEOWNERS"
- - ".archive"
+ types:
+ - opened
+ - edited
+ - synchronize
+ - reopened
 jobs:
 ci:
@@ -30,7 +27,7 @@ jobs:
 - name: Setup Python
 uses: actions/setup-python@v5
 with:
- python-version: "${{ vars.PYTHON_VERSION }}"
+ python-version: "3.13"
 - name: uv cache
 uses: actions/cache@v4
@@ -58,10 +55,11 @@ jobs:
 - name: Minimize uv cache
 run: uv cache prune --ci
- - name: SonarQube Cloud Scan
+ - name: SonarQube Scan
 uses: SonarSource/sonarqube-scan-action@v4.2.1
 env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
+ SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
 - name: Snyk Vulnerability Scan
 uses: snyk/actions/python@master
diff --git a/.gitea/workflows/pr-title-semantic.yml b/.gitea/workflows/pr-title-semantic.yml
index 3991141..e40f86d 100644
--- a/.gitea/workflows/pr-title-semantic.yml
+++ b/.gitea/workflows/pr-title-semantic.yml
@@ -7,8 +7,6 @@ on:
 - edited
 - synchronize
 - reopened
- - labeled
- - unlabeled
 jobs:
 validate:
diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml
new file mode 100644
index 0000000..e5b8112
--- /dev/null
+++ b/.gitea/workflows/security.yml
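Review bot: Adding `edited` to the `pull_request` types in the first .gitea/workflows/ci.yml hunk, together with dropping `paths-ignore`, means the full CI job now re-runs when only a PR title or description changes, or when only README or licence files are touched. That includes the SonarQube step further down, which receives `SONARQUBE_TOKEN`, so secret-bearing scanner runs become more frequent without any code change to scan. If `edited` is only needed for the title check, pr-title-semantic.yml already lists it and it can be left out here. If the `paths-ignore` removal works around a runner limitation, a comment above `types:` such as `# paths-ignore removed: <reason>` would record that.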
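Review bot: The SonarQube step in the third ci.yml hunk now passes `SONARQUBE_HOST_URL` and `SONARQUBE_TOKEN` into a job triggered by `pull_request`, and nothing visible in the hunk limits it to branches of this repository. Depending on how this Gitea instance exposes secrets to pull requests from forks, the step either fails on empty values or runs the scanner against PR-supplied content with a token for the self-hosted server. A step-level guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` (confirm your runner populates that context) would keep the scan to trusted branches. The token should also be a project-scoped analysis token rather than a user or admin token. The job's remaining steps lie outside the hunk.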
@@ -0,0 +1,34 @@
+name: Security
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: "@daily"
+
+jobs:
+ sonarqube:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v4.2.2
+
+ - name: SonarQube Scan
+ uses: SonarSource/sonarqube-scan-action@v4.2.1
+ env:
+ SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
+ SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
+
+ snyk:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v4.2.2
+
+ - name: Snyk
+ uses: snyk/actions/python@master
+ continue-on-error: true
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.gitignore b/.gitignore
index 1a3864a..52e822a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ __pycache__/
 # Distribution / packaging
 .Python
 build/
+.pdm-build/
 develop-eggs/
 dist/
 downloads/
--
2.47.2
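Review bot: In the new .gitea/workflows/security.yml, the `snyk` job runs `snyk/actions/python@master`, a moving branch, and hands it `SNYK_TOKEN`. Whatever that branch points to at run time therefore executes with the token on every push to main and on every daily run. Pin it to a reviewed commit, e.g. `uses: snyk/actions/python@<full-commit-sha>  # <release tag>`; the version tags on the checkout and SonarQube actions can be pinned the same way if immutable references are wanted. `continue-on-error: true` on the same step also means a failed scan or a reported vulnerability never turns the run red. Either drop it or add a comment such as `# Snyk is advisory only; findings are triaged in <where>` so the silent pass is a documented decision.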