diff --git a/.cirrus.star b/.cirrus.star
deleted file mode 100644
index 9f91e154..00000000
--- a/.cirrus.star
+++ /dev/null
@@ -1,4 +0,0 @@
-load("github.com/SonarSource/cirrus-modules@v3", "load_features")
-
-def main(ctx):
- return load_features(ctx)
diff --git a/.cirrus.yml b/.cirrus.yml
deleted file mode 100644
index 4bcf19c5..00000000
--- a/.cirrus.yml
+++ /dev/null
@@ -1,184 +0,0 @@
-env:
- CIRRUS_VAULT_URL: https://vault.sonar.build:8200
- CIRRUS_VAULT_AUTH_PATH: jwt-cirrusci
- CIRRUS_VAULT_ROLE: cirrusci-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}
-
- CIRRUS_CLONE_DEPTH: 20
- ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
- ARTIFACTORY_PRIVATE_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader
- ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
- ARTIFACTORY_DEPLOY_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer
- ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
- #Possible values for ARTIFACTORY_DEPLOY_REPO: sonarsource-private-qa, sonarsource-public-qa
- ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
- ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
- DEVELOCITY_TOKEN: VAULT[development/kv/data/develocity data.token]
- DEVELOCITY_ACCESS_KEY: develocity.sonar.build=${DEVELOCITY_TOKEN}
- # Use bash (instead of sh on linux or cmd.exe on windows)
- CIRRUS_SHELL: bash
-
-container_definition: &CONTAINER_DEFINITION
- image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
- cluster_name: ${CIRRUS_CLUSTER_NAME}
- region: eu-central-1
- namespace: default
-
-qa_container_definition: &QA_CONTAINER_DEFINITION
- image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
- cluster_name: ${CIRRUS_CLUSTER_NAME}
- region: eu-central-1
- namespace: default
-
-win_vm_definition: &WINDOWS_VM_DEFINITION
- ec2_instance:
- experimental: true # see https://github.com/cirruslabs/cirrus-ci-docs/issues/1051
- image: base-windows-jdk17-v*
- platform: windows
- region: eu-central-1
- disk: 128
- type: c5.4xlarge
-
-only_sonarsource_qa: &ONLY_SONARSOURCE_QA
- only_if: $CIRRUS_USER_COLLABORATOR == 'true' && 
$CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH =~ "dogfood-on-.*")
-
-log_develocity_url_script: &log_develocity_url_script |
- echo "Develocity URL: https://develocity.sonar.build/scans?search.publicHostnames=cirrus-ci-task-${CIRRUS_TASK_ID}"
-
-build_task:
- eks_container:
- <<: *CONTAINER_DEFINITION
- cpu: 2
- memory: 2G
- env:
- # analysis on next
- SONAR_TOKEN: VAULT[development/kv/data/next data.token]
- SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
- SIGN_KEY: VAULT[development/kv/data/sign data.key]
- PGP_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
- #allow deployment of pull request artifacts to repox
- DEPLOY_PULL_REQUEST: true
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- build_script:
- - *log_develocity_url_script
- - source cirrus-env BUILD
- - regular_mvn_build_deploy_analyze
- cleanup_before_cache_script: cleanup_maven_repository
-
-sonar_shadow_scan_and_issue_replication_task:
- depends_on:
- - build
- # Only run when triggered by the cirrus-ci cron job named "nightly"
- only_if: $CIRRUS_CRON == "nightly"
- eks_container:
- <<: *CONTAINER_DEFINITION
- cpu: 2
- memory: 2G
- env:
- SONAR_PROJECT_KEY: "org.sonarsource.xml:xml"
- SHADOW_ORGANIZATION: "sonarsource"
- SHADOW_PROJECT_KEY: "SonarSource_sonar-xml"
- # to replicate issue states from next
- SONAR_TOKEN: VAULT[development/kv/data/next data.token]
- SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
- matrix:
- - name: "sonarcloud.io"
- SHADOW_SONAR_TOKEN: VAULT[development/kv/data/sonarcloud data.token]
- SHADOW_SONAR_HOST_URL: "https://sonarcloud.io"
- - name: "sonarqube.us"
- SHADOW_SONAR_TOKEN: VAULT[development/kv/data/sonarqube-us data.token]
- SHADOW_SONAR_HOST_URL: "https://sonarqube.us"
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- build_and_shadow_scan_script:
- - *log_develocity_url_script
- - source cirrus-env BUILD
- - 
./shadow-scan-and-issue-replication.sh
- cleanup_before_cache_script: cleanup_maven_repository
-
-build_win_task:
- <<: *WINDOWS_VM_DEFINITION
- maven_cache: { folder: .m2/repository }
- build_script:
- - *log_develocity_url_script
- - source cirrus-env CI
- - mvn test
- cleanup_before_cache_script: cleanup_maven_repository
-
-plugin_qa_task:
- depends_on:
- - build
- <<: *ONLY_SONARSOURCE_QA
- eks_container:
- <<: *QA_CONTAINER_DEFINITION
- cpu: 3
- memory: 8G
- env:
- GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
- matrix:
- - SQ_VERSION: LATEST_RELEASE
- - SQ_VERSION: DEV
- maven_cache:
- folder: $CIRRUS_WORKING_DIR/.m2/repository
- qa_script:
- - *log_develocity_url_script
- - source cirrus-env QA
- - source set_maven_build_version $BUILD_NUMBER
- - cd its/plugin
- - mvn verify -Pit-plugin -Dsonar.runtimeVersion=${SQ_VERSION} -Dmaven.test.redirectTestOutputToFile=false -B -e -V
- cleanup_before_cache_script: cleanup_maven_repository
-
-ruling_task:
- depends_on:
- - build
- <<: *ONLY_SONARSOURCE_QA
- env:
- GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
- eks_container:
- <<: *QA_CONTAINER_DEFINITION
- cpu: 4
- memory: 8G
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- ruling_script:
- - *log_develocity_url_script
- - source cirrus-env QA
- - source set_maven_build_version $BUILD_NUMBER
- - cd its/ruling
- - mvn verify -Pit-ruling -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V
- cleanup_before_cache_script: cleanup_maven_repository
-
-ruling_win_task:
- depends_on:
- - build_win
- <<: *WINDOWS_VM_DEFINITION
- env:
- GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- build_script:
- - *log_develocity_url_script
- - source cirrus-env QA
- - mvn verify -Pit-ruling -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V
- cleanup_before_cache_script: 
cleanup_maven_repository
-
-promote_task:
- depends_on:
- - build
- - sonar_shadow_scan_and_issue_replication
- - build_win
- - ruling
- - ruling_win
- - plugin_qa
- <<: *ONLY_SONARSOURCE_QA
- eks_container:
- <<: *CONTAINER_DEFINITION
- cpu: 0.5
- memory: 500M
- env:
- ARTIFACTORY_PROMOTE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promoter access_token]
- GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promotion token]
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- script: cirrus_promote_maven
- cleanup_before_cache_script: cleanup_maven_repository
diff --git a/.github/workflows/build-windows.yml b/.github/workflows/build-windows.yml
new file mode 100644
index 00000000..931010d3
--- /dev/null
+++ b/.github/workflows/build-windows.yml
@@ -0,0 +1,29 @@
+name: Windows Build
+on:
+ push:
+ branches:
+ - master
+ - branch-*
+ - dogfood-*
+ pull_request:
+ merge_group:
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ build-windows:
+ runs-on: github-windows-latest-s # Custom GitHub-hosted Windows runner
+ name: Windows Build
+ permissions:
+ id-token: write # Required for Vault OIDC authentication
+ contents: write # Required for repository access
+ steps:
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+ with:
+ version: 2025.7.12
+ - name: Run tests
+ run: mvn test -B -e -V
\ No newline at end of file
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000..83022d63
--- /dev/null
+++ b/.github/workflows/build.yml
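Review bot: The `contents: write` grant on the build-windows job is wider than its steps need: checkout, mise setup and `mvn test -B -e -V` only read the repository, so `contents: read` is enough and the `# Required for repository access` comment would then describe the grant accurately; the same over-grant appears on the job in nightly.yml and on all three jobs in qa.yml. `id-token: write` is also granted here with the Vault OIDC comment, but unlike the other new workflows this job has no Vault step, so either a step is missing or that grant can be dropped. Because this workflow runs on `pull_request` and `push`, a write-capable token in a job that executes a Maven build is the case where a compromised plugin or test dependency would gain push access to the repository, so keeping it read-only is worth the two-line change `contents: read # Required for checkout`.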
@@ -0,0 +1,49 @@
+name: Build
+on:
+ push:
+ branches:
+ - master
+ - branch-*
+ - dogfood-*
+ pull_request:
+ merge_group:
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ build:
+ runs-on: github-ubuntu-latest-s # Custom GitHub-hosted runner for public repos
+ name: Build
+ permissions:
+ id-token: write # Required for Vault OIDC authentication
+ contents: write # Required for repository access and tagging
+ steps:
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+ with:
+ version: 2025.7.12
+ - uses: SonarSource/ci-github-actions/build-maven@v1
+ with:
+ deploy-pull-request: true
+ artifactory-reader-role: private-reader # Override for public repo with private access
+ artifactory-deployer-role: qa-deployer # Override for public repo with private access
+
+ promote:
+ needs: [build]
+ runs-on: github-ubuntu-latest-s # Custom GitHub-hosted runner for public repos
+ name: Promote
+ permissions:
+ id-token: write # Required for Vault OIDC authentication
+ contents: write # Required for repository access and tagging
+ steps:
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+ with:
+ cache_save: false
+ version: 2025.7.12
+ - uses: SonarSource/ci-github-actions/promote@v1
+ with:
+ promote-pull-request: true
\ No newline at end of file
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
new file mode 100644
index 00000000..37932763
--- /dev/null
+++ b/.github/workflows/nightly.yml
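Review bot: The `promote` job gates only on `needs: [build]`, whereas the `promote_task` removed from .cirrus.yml depended on the shadow scan, build_win, ruling, ruling_win and plugin_qa tasks; the QA and ruling jobs now live in qa.yml, a separate workflow, so nothing in this file stops artifacts being promoted before any of them has passed. Unless `SonarSource/ci-github-actions/promote` checks the other workflows' status itself (not visible here), the QA jobs should either move into this workflow and be listed in `needs`, or `promote` should be gated on their completion. Separately, `SonarSource/ci-github-actions/build-maven@v1` and `promote@v1` here, and `pr_cleanup@v1` in pr-cleanup.yml, reference a mutable major tag while every other action in the commit is pinned to a full commit SHA with a version comment. These are the steps that obtain the Artifactory deploy and promote credentials through Vault, so a retargeted tag would run with the most sensitive credentials in the pipeline; pin them the same way, e.g. `uses: SonarSource/ci-github-actions/build-maven@<commit-sha> # v1.x`.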
@@ -0,0 +1,49 @@
+name: Nightly
+on:
+ schedule:
+ - cron: "0 2 * * *" # Run daily at 2 AM UTC (equivalent to nightly cron)
+ workflow_dispatch: # Allow manual triggering
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ shadow-scan:
+ runs-on: github-ubuntu-latest-s # Custom GitHub-hosted runner for public repos
+ name: Shadow Scan and Issue Replication (${{ matrix.platform }})
+ permissions:
+ id-token: write # Required for Vault OIDC authentication
+ contents: write # Required for repository access
+ strategy:
+ matrix:
+ include:
+ - platform: "sonarcloud.io"
+ shadow_host_url: "https://sonarcloud.io"
+ vault_path: "development/kv/data/sonarcloud"
+ - platform: "sonarqube.us"
+ shadow_host_url: "https://sonarqube.us"
+ vault_path: "development/kv/data/sonarqube-us"
+ steps:
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+ with:
+ version: 2025.7.12
+ - name: Vault
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # v3.1.0
+ with:
+ secrets: |
+ development/kv/data/next token | SONAR_TOKEN;
+ development/kv/data/next url | SONAR_HOST_URL;
+ ${{ matrix.vault_path }} token | SHADOW_SONAR_TOKEN;
+ - name: Shadow Scan and Issue Replication
+ env:
+ SONAR_PROJECT_KEY: "org.sonarsource.xml:xml"
+ SHADOW_ORGANIZATION: "sonarsource"
+ SHADOW_PROJECT_KEY: "SonarSource_sonar-xml"
+ SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_HOST_URL }}
+ SHADOW_SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SHADOW_SONAR_TOKEN }}
+ SHADOW_SONAR_HOST_URL: ${{ matrix.shadow_host_url }}
+ run: ./shadow-scan-and-issue-replication.sh
\ No newline at end of file
diff --git a/.github/workflows/pr-cleanup.yml b/.github/workflows/pr-cleanup.yml
new file mode 100644
index 00000000..664b1512
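Review bot: `cancel-in-progress: true` with a group of `${{ github.workflow }}-${{ github.ref }}` means a `workflow_dispatch` run started while the 02:00 scheduled run is still executing cancels it part-way through `./shadow-scan-and-issue-replication.sh`, and since both matrix entries share the group, the replication against one of the two shadow hosts may be cut off mid-update. The script is not in this diff, so whether an interrupted issue replication is safe to re-run cannot be confirmed from here. For a job that is not triggered per commit there is no stale run to discard, so `cancel-in-progress: false` is the safer setting.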
--- /dev/null
+++ b/.github/workflows/pr-cleanup.yml
@@ -0,0 +1,13 @@
+name: Cleanup PR Resources
+on:
+ pull_request:
+ types: [closed]
+
+jobs:
+ cleanup:
+ runs-on: github-ubuntu-latest-s # Custom GitHub-hosted runner for public repos
+ name: Cleanup
+ permissions:
+ actions: write # Required for cleaning up caches and artifacts
+ steps:
+ - uses: SonarSource/ci-github-actions/pr_cleanup@v1
\ No newline at end of file
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
new file mode 100644
index 00000000..75fd027a
--- /dev/null
+++ b/.github/workflows/qa.yml
@@ -0,0 +1,88 @@
+name: QA
+on:
+ push:
+ branches:
+ - master
+ - branch-*
+ - dogfood-*
+ pull_request:
+ merge_group:
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ plugin-qa:
+ runs-on: github-ubuntu-latest-s # Custom GitHub-hosted runner for public repos
+ name: Plugin QA (${{ matrix.sq_version }})
+ permissions:
+ id-token: write # Required for Vault OIDC authentication
+ contents: write # Required for repository access
+ strategy:
+ matrix:
+ sq_version: [LATEST_RELEASE, DEV]
+ steps:
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+ with:
+ version: 2025.7.12
+ - name: Vault
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # v3.1.0
+ with:
+ secrets: |
+ development/github/token/licenses-ro token | GITHUB_TOKEN;
+ - name: Plugin QA
+ env:
+ GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+ run: |
+ cd its/plugin
+ mvn verify -Pit-plugin -Dsonar.runtimeVersion=${{ matrix.sq_version }} -Dmaven.test.redirectTestOutputToFile=false -B -e -V
+
+ ruling:
+ runs-on: github-ubuntu-latest-s # Custom GitHub-hosted runner for public repos
+ name: Ruling Tests
+ permissions:
+ id-token: write # Required for Vault OIDC authentication
+ contents: write # Required for repository access
+ steps:
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+ with:
+ version: 2025.7.12
+ - name: Vault
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # v3.1.0
+ with:
+ secrets: |
+ development/github/token/licenses-ro token | GITHUB_TOKEN;
+ - name: Ruling Tests
+ env:
+ GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+ run: |
+ cd 
its/ruling
+ mvn verify -Pit-ruling -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V
+
+ ruling-windows:
+ runs-on: github-windows-latest-s # Custom GitHub-hosted Windows runner
+ name: Ruling Tests (Windows)
+ permissions:
+ id-token: write # Required for Vault OIDC authentication
+ contents: write # Required for repository access
+ steps:
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+ with:
+ version: 2025.7.12
+ - name: Vault
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # v3.1.0
+ with:
+ secrets: |
+ development/github/token/licenses-ro token | GITHUB_TOKEN;
+ - name: Ruling Tests (Windows)
+ env:
+ GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+ run: mvn verify -Pit-ruling -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V
\ No newline at end of file
diff --git a/mise.toml b/mise.toml
new file mode 100644
index 00000000..0e361e1d
--- /dev/null
+++ b/mise.toml
@@ -0,0 +1,3 @@
+[tools]
+java = "17.0"
+maven = "3.9"
\ No newline at end of file
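Review bot: All three jobs trigger on `pull_request` without the collaborator gate the removed .cirrus.yml applied through `ONLY_SONARSOURCE_QA` (`$CIRRUS_USER_COLLABORATOR == 'true'`), so every external pull request now schedules the `Vault` step; GitHub does not issue an OIDC token to fork pull requests regardless of `id-token: write`, so those runs will presumably fail at `SonarSource/vault-action-wrapper` instead of being skipped, and if these checks are required the repository becomes unmergeable for outside contributors. A job-level condition such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` on `plugin-qa`, `ruling` and `ruling-windows` would restore the skip behaviour. The `plugin-qa` and `ruling` jobs begin on the previous chunk line, outside this portion of the hunk.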