diff --git a/.cirrus.star b/.cirrus.star
deleted file mode 100644
index 462c380..0000000
--- a/.cirrus.star
+++ /dev/null
@@ -1,5 +0,0 @@
-load("github.com/SonarSource/cirrus-modules@v3", "load_features")
-
-
-def main(ctx):
- return load_features(ctx, only_if=dict())
diff --git a/.cirrus.yml b/.cirrus.yml
deleted file mode 100644
index 40bce69..0000000
--- a/.cirrus.yml
+++ /dev/null
@@ -1,171 +0,0 @@ -env: - CIRRUS_CLONE_DEPTH: "20" - CIRRUS_SHELL: bash - - ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url] - ARTIFACTORY_PRIVATE_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader - ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token] - ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token] - # Deploy public artifact to artifactory - ARTIFACTORY_DEPLOY_USERNAME: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer username] - ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token] - ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa - - ORG_GRADLE_PROJECT_signingKey: VAULT[development/kv/data/sign data.key] - ORG_GRADLE_PROJECT_signingPassword: VAULT[development/kv/data/sign data.passphrase] - ORG_GRADLE_PROJECT_signingKeyId: VAULT[development/kv/data/sign data.key_id] - - GRADLE_USER_HOME: ${CIRRUS_WORKING_DIR}/.gradle - -linux_image_template: &LINUX_IMAGE - image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-g7-latest - cluster_name: ${CIRRUS_CLUSTER_NAME} - region: eu-central-1 - namespace: default - use_in_memory_disk: true - -linux_2_cpu_4G_template: &LINUX_2_CPU_4G - eks_container: - <<: *LINUX_IMAGE - cpu: 2 - memory: 4G - -linux_4_cpu_6G_java_17_template: &LINUX_4_CPU_6G_JAVA_17 - eks_container: - <<: *LINUX_IMAGE - cpu: 4 - memory: 6G - -eks_container: &CONTAINER_DEFINITION - image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-g7-latest - cluster_name: ${CIRRUS_CLUSTER_NAME} - region: eu-central-1 - namespace: default - -## Build tasks - -setup_gradle_cache_template: &SETUP_GRADLE_CACHE - gradle_cache: - folder: .gradle/caches - create_gradle_directory_script: - - mkdir -p "${CIRRUS_WORKING_DIR}/.gradle" 
- -cleanup_gradle_cache_script_template: &CLEANUP_GRADLE_CACHE_SCRIPT - cleanup_gradle_script: - - /usr/bin/find "${CIRRUS_WORKING_DIR}/.gradle/caches/" -name "*.lock" -type f -delete - - rm -rf "${CIRRUS_WORKING_DIR}/.gradle/caches/4.10.2/" - - rm -rf "${CIRRUS_WORKING_DIR}/.gradle/caches/journal-1/" - - rm -rf "${CIRRUS_WORKING_DIR}/.gradle/caches/build-cache-1/" - -build_task: - <<: *LINUX_2_CPU_4G - <<: *SETUP_GRADLE_CACHE - env: - SONAR_TOKEN: VAULT[development/kv/data/next data.token] - SONAR_HOST_URL: VAULT[development/kv/data/next data.url] - DEPLOY_PULL_REQUEST: "true" - build_script: - - source cirrus-env BUILD - - function gradle(){ ./gradlew "$@"; }; export -f gradle - - gradle --version - - source set_gradle_build_version - - regular_gradle_build_deploy_analyze - on_failure: - error_log_artifacts: - path: "hs_err_pid*.log" - heap_dump_artifacts: - path: "*.hprof" - <<: *CLEANUP_GRADLE_CACHE_SCRIPT - - -### QA tasks - -only_if_sonarsource_qa_template: &ONLY_IF_SONARSOURCE_QA - only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH =~ "dogfood-on-.*") - -qa_task_filter_template: &QA_TASK_FILTER - depends_on: - - build - <<: *ONLY_IF_SONARSOURCE_QA - -gradle_its_template: &GRADLE_ITS_TEMPLATE - <<: *SETUP_GRADLE_CACHE - run_its_script: - - source cirrus-env QA - - ./gradlew "${GRADLE_TASK}" "-P${ITS_PROJECT}" - "-Dsonar.runtimeVersion=${SQ_VERSION}" - "-Dorchestrator.artifactory.accessToken=${ARTIFACTORY_ACCESS_TOKEN}" - "-DbuildNumber=$BUILD_NUMBER" - -I "${GRADLE_HOME}/init.d/repoxAuth.init.gradle.kts" - -Pqa --info --stacktrace --console plain --no-daemon --build-cache - <<: *CLEANUP_GRADLE_CACHE_SCRIPT - -qa_plugin_task: - <<: *QA_TASK_FILTER - env: - ITS_PROJECT: "plugin" - GRADLE_TASK: ":its:plugin:test" - matrix: - - SQ_VERSION: "DEV[25.1]" - - SQ_VERSION: "LATEST_RELEASE[25.1]" - <<: *LINUX_4_CPU_6G_JAVA_17 - <<: *GRADLE_ITS_TEMPLATE - 
-qa_ruling_task: - <<: *QA_TASK_FILTER - env: - SQ_VERSION: "LATEST_RELEASE[25.1]" - GRADLE_TASK: ":its:ruling:test" - ITS_PROJECT: "ruling" - GIT_SUB_MODULE: "its/sources" - <<: *LINUX_4_CPU_6G_JAVA_17 - update_test_sources_script: - - git submodule update --init --depth 1 "its/sources" - <<: *GRADLE_ITS_TEMPLATE - - -### Mend tasks - -ws_scan_task: - <<: *LINUX_2_CPU_4G - <<: *SETUP_GRADLE_CACHE - depends_on: - - build - # run only on master, long-term branches and mend-related branches - only_if: $CIRRUS_USER_COLLABORATOR == 'true' && ($CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH =~ "mend-.*") - env: - WS_APIKEY: VAULT[development/kv/data/mend data.apikey] - GOPATH: ${HOME}/go - go_cache: - folder: ${HOME}/go - maven_cache: - folder: ${CIRRUS_WORKING_DIR}/.m2/repository - whitesource_script: - - source cirrus-env QA - - ./gradlew --no-daemon --console plain clean - - ./gradlew --no-daemon --info --stacktrace --console plain --no-daemon build -x test - - source export_ws_variables_from_gradle - - source ws_scan.sh - allow_failures: "true" - always: - ws_artifacts: - path: "whitesource/**/*" - -### Promote task - -promote_task: - depends_on: - - build - - qa_plugin - - qa_ruling - <<: *ONLY_IF_SONARSOURCE_QA - eks_container: - <<: *CONTAINER_DEFINITION - cpu: 1 - memory: 1G - env: - ARTIFACTORY_PROMOTE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promoter access_token] - GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promotion token] - promote_script: - - function gradle(){ ./gradlew "$@"; }; export -f gradle - - cirrus_promote_gradle multi diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..d7859d3 --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,111 @@
+name: Build
+
+on:
+ push:
+ branches:
+ - master
+ - branch-*
+ - dogfood-*
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ - cron: "45 0 * * *" # Run daily at 0:45 AM UTC
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ build:
+ runs-on: github-ubuntu-latest-s # Public repository runner
+ name: Build
+ permissions:
+ id-token: write # Required for Vault OIDC authentication
+ contents: write # Required for repository access and tagging
+ outputs:
+ build-number: ${{ steps.build-step.outputs.BUILD_NUMBER }}
+ deployed: ${{ steps.build-step.outputs.deployed }}
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
+ with:
+ version: 2025.7.12
+ - uses: SonarSource/ci-github-actions/build-gradle@v1
+ id: build-step
+ with:
+ deploy-pull-request: true
+ artifactory-reader-role: private-reader # Override for public repo using private access
+ artifactory-deployer-role: qa-deployer # Override for public repo using private access
+
+ qa:
+ needs: [build]
+ if: ${{ needs.build.outputs.deployed }}
+ runs-on: github-ubuntu-latest-s # Public repository runner
+ name: QA Tests
+ permissions:
+ id-token: write # Required for Vault OIDC authentication
+ contents: read # Required for repository access
+ strategy:
+ fail-fast: false
+ matrix:
+ # Plugin tests check API compatibility, so they should run against all supported versions.
+ # Ruling tests check only that the results of analysis have not changed,
+ # so one sonar.runtimeVersion is enough.
+ item:
+ - { suite: "plugin", sq_version: "DEV" }
+ - { suite: "plugin", sq_version: "LATEST_RELEASE" }
+ - { suite: "ruling", sq_version: "LATEST_RELEASE" }
+ env:
+ BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ submodules: ${{ matrix.item.suite == 'ruling' }}
+ - name: Remove kotlin ITs as they are not relevant for ruling tests (and cause issues with wrapper validation)
+ if: ${{ matrix.item.suite == 'ruling' }}
+ run: rm -r ./its/sources/kotlin
+ - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
+ with:
+ version: 2025.7.12
+ - name: Get Vault secrets
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@v3
+ with:
+ secrets: |
+ development/github/token/licenses-ro token | GITHUB_TOKEN;
+ development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+ - name: Configure Gradle
+ uses: SonarSource/ci-github-actions/build-gradle@v1
+ with:
+ gradle-args: "-x build -x sonar -x artifactoryPublish" # Skip everything to only configure Gradle and Artifactory access
+ artifactory-reader-role: private-reader
+ artifactory-deployer-role: qa-deployer
+ - name: Run QA Tests
+ env:
+ GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+ ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+ SUITE: ${{ matrix.item.suite }}
+ SQ_VERSION: ${{ matrix.item.sq_version }}
+ run: |
+ ./gradlew ":its:${SUITE}:test" "-P${SUITE}" \
+ "-Dsonar.runtimeVersion=${SQ_VERSION}" \
+ "-Dorchestrator.artifactory.accessToken=${ARTIFACTORY_ACCESS_TOKEN}" \
+ "-DbuildNumber=${BUILD_NUMBER}" \
+ -Pqa --info --stacktrace --console plain --no-daemon --build-cache
+
+ promote:
+ name: Promote
+ needs:
+ - build
+ - qa
+ runs-on: github-ubuntu-latest-s # Public repository runner
+ if: ${{ needs.build.outputs.deployed }}
+ permissions:
+ id-token: write # Required for
Vault OIDC authentication + contents: write # Required for repository access and tagging + env: + BUILD_NUMBER: ${{ needs.build.outputs.build-number }} + steps: + - uses: SonarSource/ci-github-actions/promote@v1 + with: + promote-pull-request: true # Enable PR artifact promotion \ No newline at end of file diff --git a/.github/workflows/pr-cleanup.yml b/.github/workflows/pr-cleanup.yml new file mode 100644 index 0000000..65c756f --- /dev/null +++ b/.github/workflows/pr-cleanup.yml @@ -0,0 +1,13 @@ +name: Cleanup PR Resources +on: + pull_request: + types: + - closed + +jobs: + cleanup: + runs-on: github-ubuntu-latest-s + permissions: + actions: write + steps: + - uses: SonarSource/ci-github-actions/pr_cleanup@v1 diff --git a/.github/workflows/releasability.yaml b/.github/workflows/releasability.yaml index a8f979d..bb91cf3 100644 --- a/.github/workflows/releasability.yaml +++ b/.github/workflows/releasability.yaml @@ -44,7 +44,7 @@ jobs: echo "LATEST_VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT" fi - - uses: SonarSource/gh-action_releasability@v2 + - uses: SonarSource/gh-action_releasability@v3 id: releasability with: branch: ${{ github.ref_name }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fa5f8bc..6ce8fb2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: permissions: id-token: write contents: write - uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v5 + uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v6 with: publishToBinaries: true mavenCentralSync: true diff --git a/.github/workflows/unified-dogfooding.yml b/.github/workflows/unified-dogfooding.yml new file mode 100644 index 0000000..506b73e --- /dev/null +++ b/.github/workflows/unified-dogfooding.yml 
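Review bot: The `SonarSource/ci-github-actions/build-gradle@v1`, `SonarSource/vault-action-wrapper@v3` and `SonarSource/ci-github-actions/promote@v1` steps in build.yml are referenced by mutable tag, while `actions/checkout` and `jdx/mise-action` in the same jobs are pinned to a commit SHA; these steps run in jobs holding `id-token: write` and, for build and promote, `contents: write`, so whatever the tag points to at run time executes with Vault and repository write access. Pinning them the same way, e.g. `uses: SonarSource/ci-github-actions/build-gradle@<commit-sha> # v1`, would make the policy consistent; the same applies to `pr_cleanup@v1` in pr-cleanup.yml and to `build-gradle@v1` and `run-iris@v1` in unified-dogfooding.yml. Separately, `if: ${{ needs.build.outputs.deployed }}` on the qa and promote jobs tests a job output, which is always a string, so any non-empty value including `'false'` passes; if the action can emit `false`, compare explicitly with `if: ${{ needs.build.outputs.deployed == 'true' }}`. The removed Cirrus config gated QA and promotion on `$CIRRUS_USER_COLLABORATOR == 'true'` and no equivalent condition is visible here, so it is worth confirming that pull requests from forks stop before the Vault and deploy steps rather than relying on the OIDC request failing.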
@@ -0,0 +1,29 @@ +name: Unified Dogfooding scans +on: + schedule: + - cron: '0 4 * * *' # Run the workflow every day at 04:00 UTC + workflow_dispatch: + +jobs: + unified-platform-dogfooding: + runs-on: github-ubuntu-latest-s + name: Unified Platform Dogfooding + permissions: + id-token: write + contents: read + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: SonarSource/ci-github-actions/build-gradle@v1 + with: + run-shadow-scans: true + artifactory-reader-role: private-reader + artifactory-deployer-role: qa-deployer + - name: Run IRIS Analysis + uses: SonarSource/unified-dogfooding-actions/run-iris@v1 + with: + primary_project_key: SonarSource_sonar-ruby + primary_platform: "SQC-EU" + shadow1_project_key: SonarSource_sonar-ruby + shadow1_platform: "Next" + shadow2_project_key: SonarSource_sonar-ruby + shadow2_platform: "SQC-US" \ No newline at end of file diff --git a/README.md b/README.md index eaa7486..a8e7942 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # sonar-ruby -[![Build Status](https://api.cirrus-ci.com/github/SonarSource/sonar-ruby.svg?branch=master)](https://cirrus-ci.com/github/SonarSource/sonar-ruby) +[![Build Status](https://github.com/SonarSource/sonar-ruby/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/SonarSource/sonar-ruby/actions/workflows/build.yml) [![Quality Gate Status](https://next.sonarqube.com/sonarqube/api/project_badges/measure?project=SonarSource_sonar-ruby&metric=alert_status&token=sqb_a78a1551add08b844fb442b01edcb5cc144ed1cb)](https://next.sonarqube.com/sonarqube/dashboard?id=SonarSource_sonar-ruby) [![Coverage](https://next.sonarqube.com/sonarqube/api/project_badges/measure?project=SonarSource_sonar-ruby&metric=coverage&token=sqb_a78a1551add08b844fb442b01edcb5cc144ed1cb)](https://next.sonarqube.com/sonarqube/dashboard?id=SonarSource_sonar-ruby) diff --git a/build.gradle b/build.gradle index ae2109a..7a74bb4 100644 --- a/build.gradle +++ b/build.gradle 
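Review bot: The unified-platform-dogfooding job calls `SonarSource/ci-github-actions/build-gradle@v1` without the `jdx/mise-action` step that both jobs in build.yml run before it, so the Java and Gradle versions declared in mise.toml may not be the ones used for the shadow scans. Whether build-gradle installs the toolchain itself is not visible from this diff; if it does not, add the same pinned step after checkout, `- uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0` with `version: 2025.7.12`. A short comment on the `id-token: write` permission, like the ones in build.yml, would also document why a scheduled scan needs Vault access.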
@@ -29,7 +29,7 @@ allprojects { ext { buildNumber = System.getProperty("buildNumber") - sonarLinksCi = 'https://cirrus-ci.com/github/SonarSource/sonar-ruby' + sonarLinksCi = 'https://github.com/SonarSource/sonar-ruby/actions/workflows/build.yml' sonarLinksScm = 'https://github.com/SonarSource/sonar-ruby' artifactsToPublish = '' @@ -173,7 +173,7 @@ subprojects { def signingPassword = findProperty("signingPassword") useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword) required { - def branch = System.getenv()["CIRRUS_BRANCH"] + def branch = System.getenv()["GITHUB_REF_NAME"] return (branch == 'master' || branch ==~ 'branch-[\\d.]+') && gradle.taskGraph.hasTask(":artifactoryPublish") } @@ -182,7 +182,7 @@ subprojects { tasks.withType(Sign) { onlyIf { - def branch = System.getenv()["CIRRUS_BRANCH"] + def branch = System.getenv()["GITHUB_REF_NAME"] return !artifactoryPublish.skip && (branch == 'master' || branch ==~ 'branch-[\\d.]+') && gradle.taskGraph.hasTask(":artifactoryPublish") diff --git a/mise.toml b/mise.toml new file mode 100644 index 0000000..e0cbeec --- /dev/null +++ b/mise.toml @@ -0,0 +1,3 @@ +[tools] +java = "17.0" +gradle = "7.6" \ No newline at end of file diff --git a/wss-unified-agent.config b/wss-unified-agent.config deleted file mode 100644 index 751f56d..0000000 --- a/wss-unified-agent.config +++ /dev/null @@ -1,20 +0,0 @@ -excludes=**/its/sources/** **/*javadoc.jar -fileSystemScan=False -resolveAllDependencies=False - -gradle.aggregateModules=True -gradle.preferredEnvironment=wrapper -gradle.resolveDependencies=True - -maven.aggregateModules=False -maven.downloadMissingDependencies=False -maven.ignoredScopes=None -maven.m2RepositoryPath=.m2/repository -maven.resolveDependencies=False -maven.runPreStep=False - -wss.url=https://saas-eu.whitesourcesoftware.com/agent - -forceUpdate=true -checkPolicies=true -forceUpdate.failBuildOnPolicyViolation=true
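Review bot: `GITHUB_REF_NAME` is the short name of whichever ref triggered the run, branch or tag, so the test `branch == 'master' || branch ==~ 'branch-[\\d.]+'` in the `required { }` closure (hunk at line 173) and in the `tasks.withType(Sign)` `onlyIf` (hunk at line 182) would also match a tag carrying one of those names. Adding `System.getenv()["GITHUB_REF_TYPE"] == 'branch'` to the condition would keep the signing decision tied to branches. The expression is duplicated in both hunks; a small shared helper would stop the two copies drifting, with a comment such as `// GITHUB_REF_NAME is "<pr-number>/merge" on pull_request events and unset outside GitHub Actions`. Both closures start and end outside the visible hunks.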