diff --git a/.cirrus.yml b/.cirrus.yml deleted file mode 100644 index 0358c1d5..00000000 --- a/.cirrus.yml +++ /dev/null 
@@ -1,210 +0,0 @@ -env: - CIRRUS_VAULT_URL: https://vault.sonar.build:8200 - CIRRUS_VAULT_AUTH_PATH: jwt-cirrusci - CIRRUS_VAULT_ROLE: cirrusci-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME} - - # Use bash (instead of sh on linux or cmd.exe on windows) - CIRRUS_SHELL: bash - CIRRUS_CLONE_DEPTH: 20 - ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url] - ARTIFACTORY_PRIVATE_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader - ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token] - ARTIFACTORY_DEPLOY_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer - ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token] - #Possible values for ARTIFACTORY_DEPLOY_REPO: sonarsource-private-qa, sonarsource-public-qa - ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa - ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token] - -container_definition: &CONTAINER_DEFINITION - eks_container: - image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest - cluster_name: ${CIRRUS_CLUSTER_NAME} - region: eu-central-1 - namespace: default - cpu: 2 - memory: 2G - -only_sonarsource_qa: &ONLY_SONARSOURCE_QA - only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH =~ "dogfood-on-.*") - -maven_cache_definition: &MAVEN_CACHE - maven_cache: - folder: ${CIRRUS_WORKING_DIR}/.m2/repository - fingerprint_script: | - if [ "$CIRRUS_OS" = "windows" ]; then - powershell.exe -NoLogo -Command "Get-ChildItem -Path . -Filter "pom.xml" -Recurse -ErrorAction SilentlyContinue -Force | cat" - fi - if [ "$CIRRUS_OS" = "linux" ]; then - find . 
-name pom.xml -exec cat {} \+ - fi - -java_coverage_cache_definition: &JAVA_COVERAGE_CACHE - java_coverage_cache: - folder: ${CIRRUS_WORKING_DIR}/coverage/java - fingerprint_script: echo "JAVA$(git rev-parse HEAD)" - reupload_on_changes: 'true' - -build_task: - <<: *CONTAINER_DEFINITION - <<: *MAVEN_CACHE - <<: *JAVA_COVERAGE_CACHE - env: - # analysis on next - SONAR_TOKEN: VAULT[development/kv/data/next data.token] - SONAR_HOST_URL: https://next.sonarqube.com/sonarqube - SIGN_KEY: VAULT[development/kv/data/sign data.key] - PGP_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase] - #allow deployment of pull request artifacts to repox - DEPLOY_PULL_REQUEST: true - <<: *MAVEN_CACHE - build_script: - - source cirrus-env BUILD - - regular_mvn_build_deploy_analyze -Dsonar.skip=true -Pcoverage-report - cleanup_before_cache_script: cleanup_maven_repository - -analyze_task: - <<: *CONTAINER_DEFINITION - <<: *MAVEN_CACHE - <<: *JAVA_COVERAGE_CACHE - depends_on: - - build - alias: analyze - matrix: - - name: "Analyze in SQ NEXT" - env: - SONAR_TOKEN: VAULT[development/kv/data/next data.token] - SONAR_HOST_URL: https://next.sonarqube.com/sonarqube - SONAR_PROJECT_KEY: org.sonarsource.flex:flex - - name: "Analyze in Sonarcloud.io" - only_if: $CIRRUS_CRON == "nightly" - env: - SONAR_TOKEN: VAULT[development/kv/data/sonarcloud data.token] - SONAR_HOST_URL: https://sonarcloud.io - SONAR_PROJECT_KEY: SonarSource_sonar-flex - - name: "Analyze in SonarQube.us" - only_if: $CIRRUS_CRON == "nightly" - env: - SONAR_TOKEN: VAULT[development/kv/data/sonarqube-us data.token] - SONAR_HOST_URL: https://sonarqube.us - SONAR_PROJECT_KEY: SonarSource_sonar-flex - analyze_script: - - source cirrus-env BUILD - - PULL_REQUEST_SHA=$GIT_SHA1 regular_mvn_build_deploy_analyze -P-deploy-sonarsource,-release,-sign -Dsonar.organization=sonarsource -Dsonar.projectKey="${SONAR_PROJECT_KEY}" -Dcommercial -Dmaven.shade.skip=true -Dmaven.install.skip=true -Dmaven.deploy.skip=true -DskipTests - - 
-run_iris_task: - <<: *CONTAINER_DEFINITION - only_if: $CIRRUS_CRON == "nightly" - depends_on: - - analyze - env: - SONAR_SOURCE_IRIS_TOKEN: VAULT[development/kv/data/iris data.next] - matrix: - - name: 'IRIS SQ NEXT -> Sonarcloud.io' - env: - SONAR_TARGET_URL: https://sonarcloud.io - SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-eu] - - name: 'IRIS SQ NEXT -> SonarQube.us' - env: - SONAR_TARGET_URL: https://sonarqube.us - SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-us] - script: - - source .cirrus/run-iris.sh - -ws_scan_task: - <<: *CONTAINER_DEFINITION - depends_on: - - build - # run only on master and long-term branches - only_if: $CIRRUS_USER_COLLABORATOR == 'true' && ($CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*") - env: - WS_APIKEY: VAULT[development/kv/data/mend data.apikey] - maven_cache: - folder: ${CIRRUS_WORKING_DIR}/.m2/repository - whitesource_script: - - source cirrus-env QA - - source set_maven_build_version $BUILD_NUMBER - - mvn clean install -DskipTests - - source ws_scan.sh - allow_failures: "true" - always: - ws_artifacts: - path: "whitesource/**/*" - -win_task: - ec2_instance: - experimental: true # see https://github.com/cirruslabs/cirrus-ci-docs/issues/1051 - image: base-windows-jdk17-v* - platform: windows - region: eu-central-1 - type: t3.xlarge - maven_cache: - #windows cache fails with ${CIRRUS_WORKING_DIR} - folder: ~/.m2/repository - build_script: - - source cirrus-env CI - - mvn.cmd clean verify - cleanup_before_cache_script: cleanup_maven_repository - -plugin_qa_task: - depends_on: - - build - <<: *ONLY_SONARSOURCE_QA - <<: *CONTAINER_DEFINITION - eks_container: - cpu: 3 - memory: 8G - env: - GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token] - matrix: - - SQ_VERSION: LATEST_RELEASE - - SQ_VERSION: DEV - maven_cache: - folder: ${CIRRUS_WORKING_DIR}/.m2/repository - qa_script: - - source cirrus-env QA - - source set_maven_build_version $BUILD_NUMBER - - cd its/plugin - - 
mvn verify -Pit-plugin -Dsonar.runtimeVersion=${SQ_VERSION} -Dmaven.test.redirectTestOutputToFile=false -B -e -V - cleanup_before_cache_script: cleanup_maven_repository - -ruling_task: - depends_on: - - build - <<: *ONLY_SONARSOURCE_QA - <<: *CONTAINER_DEFINITION - eks_container: - cpu: 4 - memory: 8G - env: - GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token] - maven_cache: - folder: ${CIRRUS_WORKING_DIR}/.m2/repository - submodules_script: - - git submodule update --init - ruling_script: - - source cirrus-env QA - - source set_maven_build_version $BUILD_NUMBER - - cd its/ruling - - mvn verify -Pit-ruling -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V - cleanup_before_cache_script: cleanup_maven_repository - -promote_task: - depends_on: - - build - - ws_scan - - ruling - - plugin_qa - <<: *ONLY_SONARSOURCE_QA - <<: *CONTAINER_DEFINITION - eks_container: - cpu: 0.5 - memory: 500M - env: - #see https://xtranet-sonarsource.atlassian.net/wiki/spaces/RE/pages/2931064959/Cirrus+CI+-+How+to+migrate+away+of+GCP+promote+function - ARTIFACTORY_PROMOTE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promoter access_token] - GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promotion token] - maven_cache: - folder: ${CIRRUS_WORKING_DIR}/.m2/repository - script: cirrus_promote_maven - cleanup_before_cache_script: cleanup_maven_repository diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..9652e797 --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,138 @@ +--- +name: Build +on: + push: + branches: + - master + - 'branch-*' + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + build: + name: Build and analyze + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + id-token: write + contents: write + pull-requests: read + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Setup mise + uses: jdx/mise-action@v2.2.3 + with: + experimental: true + + - name: Build with Maven + uses: SonarSource/ci-github-actions/build-maven@v1 + with: + deploy-pull-request: true + additional-maven-options: -Dsonar.skip=true -Pcoverage-report + + analyze: + name: Analyze in SQ NEXT + runs-on: ubuntu-latest + timeout-minutes: 30 + needs: [build] + permissions: + id-token: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Setup mise + uses: jdx/mise-action@v2.2.3 + with: + experimental: true + + - name: Analyze with SonarQube + uses: SonarSource/ci-github-actions/analyze-maven@v1 + with: + sonar-host-url: https://next.sonarqube.com/sonarqube + sonar-project-key: org.sonarsource.flex:flex + additional-maven-options: -P-deploy-sonarsource,-release,-sign -Dcommercial -Dmaven.shade.skip=true -Dmaven.install.skip=true -Dmaven.deploy.skip=true -DskipTests + + ws_scan: + name: Mend (WhiteSource) scan + runs-on: ubuntu-latest + timeout-minutes: 30 + needs: [build] + if: github.event_name == 'push' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/branch-')) + permissions: + id-token: write + contents: read + continue-on-error: true + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + 
fetch-depth: 0 + + - name: Setup mise + uses: jdx/mise-action@v2.2.3 + with: + experimental: true + + - name: Get secrets from Vault + id: secrets + uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # v3.0.1 + with: + secrets: | + development/kv/data/mend apikey | WS_APIKEY; + + - name: Run Mend scan + env: + WS_APIKEY: ${{ fromJSON(steps.secrets.outputs.vault).WS_APIKEY }} + run: | + source cirrus-env QA + source set_maven_build_version ${{ github.run_number }} + mvn clean install -DskipTests + source ws_scan.sh + + - name: Upload Mend artifacts + if: always() + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: whitesource-artifacts + path: whitesource/**/* + + promote: + name: Promote + runs-on: ubuntu-latest + timeout-minutes: 30 + needs: [build, ws_scan] + if: | + always() && + needs.build.result == 'success' && + (needs.ws_scan.result == 'success' || needs.ws_scan.result == 'skipped') && + github.event_name != 'pull_request' && + (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/branch-') || startsWith(github.ref, 'refs/heads/dogfood-on-')) + permissions: + id-token: write + contents: write + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Setup mise + uses: jdx/mise-action@v2.2.3 + with: + experimental: true + + - name: Promote Maven artifacts + uses: SonarSource/ci-github-actions/promote@v1 diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml new file mode 100644 index 00000000..517a19e8 --- /dev/null +++ b/.github/workflows/nightly.yml 
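Review bot: The `promote` job's gate `needs.ws_scan.result == 'success'` is most likely ineffective, because `ws_scan` sets job-level `continue-on-error: true`, which as far as I understand GitHub's semantics reports the job to dependents as succeeded even when its steps fail, and on pushes to `dogfood-on-*` the job is skipped and passes the gate anyway. If a failing Mend scan should block promotion, drop `continue-on-error: true` from `ws_scan`; if the scan is meant to be advisory, say so next to it with `# advisory: continue-on-error means promote does not wait for a clean Mend result`. Separately, `jdx/mise-action@v2.2.3` is pinned to a mutable tag in every job while `actions/checkout`, `actions/upload-artifact` and `SonarSource/vault-action-wrapper` are pinned to commit SHAs with the version in a trailing comment; pin it the same way (the same applies to nightly.yml and qa.yml in this commit). Finally, `always()` in promote's `if:` also lets the job evaluate after a cancellation; `!cancelled()` expresses the intent more precisely.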
@@ -0,0 +1,151 @@ +--- +name: Nightly +on: + schedule: + - cron: '0 2 * * *' + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + analyze_sonarcloud: + name: Analyze in Sonarcloud.io + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + id-token: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Setup mise + uses: jdx/mise-action@v2.2.3 + with: + experimental: true + + - name: Get secrets from Vault + id: secrets + uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # v3.0.1 + with: + secrets: | + development/kv/data/sonarcloud token | SONAR_TOKEN; + + - name: Analyze with SonarCloud + env: + SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }} + run: | + source cirrus-env BUILD + mvn verify sonar:sonar \ + -P-deploy-sonarsource,-release,-sign \ + -Dsonar.organization=sonarsource \ + -Dsonar.projectKey=SonarSource_sonar-flex \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dcommercial \ + -Dmaven.shade.skip=true \ + -Dmaven.install.skip=true \ + -Dmaven.deploy.skip=true \ + -DskipTests + + analyze_sonarqube_us: + name: Analyze in SonarQube.us + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + id-token: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Setup mise + uses: jdx/mise-action@v2.2.3 + with: + experimental: true + + - name: Get secrets from Vault + id: secrets + uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # v3.0.1 + with: + secrets: | + development/kv/data/sonarqube-us token | SONAR_TOKEN; + + - name: Analyze with SonarQube.us + env: + SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }} + run: | + source cirrus-env BUILD + mvn verify sonar:sonar 
\ + -P-deploy-sonarsource,-release,-sign \ + -Dsonar.organization=sonarsource \ + -Dsonar.projectKey=SonarSource_sonar-flex \ + -Dsonar.host.url=https://sonarqube.us \ + -Dcommercial \ + -Dmaven.shade.skip=true \ + -Dmaven.install.skip=true \ + -Dmaven.deploy.skip=true \ + -DskipTests + + iris_sonarcloud: + name: IRIS SQ NEXT → Sonarcloud.io + runs-on: ubuntu-latest + timeout-minutes: 30 + needs: [analyze_sonarcloud] + permissions: + id-token: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Get secrets from Vault + id: secrets + uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # v3.0.1 + with: + secrets: | + development/kv/data/iris next | SONAR_SOURCE_IRIS_TOKEN; + development/kv/data/iris sqc-eu | SONAR_TARGET_IRIS_TOKEN; + + - name: Run IRIS + env: + SONAR_SOURCE_IRIS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_SOURCE_IRIS_TOKEN }} + SONAR_TARGET_IRIS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TARGET_IRIS_TOKEN }} + SONAR_TARGET_URL: https://sonarcloud.io + run: source .cirrus/run-iris.sh + + iris_sonarqube_us: + name: IRIS SQ NEXT → SonarQube.us + runs-on: ubuntu-latest + timeout-minutes: 30 + needs: [analyze_sonarqube_us] + permissions: + id-token: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Get secrets from Vault + id: secrets + uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # v3.0.1 + with: + secrets: | + development/kv/data/iris next | SONAR_SOURCE_IRIS_TOKEN; + development/kv/data/iris sqc-us | SONAR_TARGET_IRIS_TOKEN; + + - name: Run IRIS + env: + SONAR_SOURCE_IRIS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_SOURCE_IRIS_TOKEN }} + SONAR_TARGET_IRIS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TARGET_IRIS_TOKEN }} + 
SONAR_TARGET_URL: https://sonarqube.us + run: source .cirrus/run-iris.sh diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml new file mode 100644 index 00000000..91daf6c6 --- /dev/null +++ b/.github/workflows/qa.yml 
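Review bot: The two IRIS jobs run `source .cirrus/run-iris.sh` without a "Setup mise" step, unlike every other job in this commit, so whatever tooling the script expects on PATH (Java, Maven or the former Cirrus helpers) may be missing; the script also lives under `.cirrus/`, whose driver `.cirrus.yml` is deleted in this same commit, so confirm the directory is intentionally kept. If the script is self-contained, a one-line comment on the step such as `# run-iris.sh needs no JDK/Maven, so no mise setup here` would save the next reader the question. The two analyze jobs and the two IRIS jobs are otherwise identical apart from the target URL and the Vault key; a matrix over `{url, vault_key}` would remove the duplication and keep the Maven option lists from drifting apart.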
@@ -0,0 +1,137 @@ +--- +name: QA +on: + workflow_run: + workflows: [Build] + types: [completed] + branches: + - master + - 'branch-*' + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + plugin_qa: + name: Plugin QA (SQ ${{ matrix.sq_version }}) + runs-on: ubuntu-latest + timeout-minutes: 45 + if: | + (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') || + github.event_name == 'pull_request' || + github.event_name == 'workflow_dispatch' + strategy: + matrix: + sq_version: [LATEST_RELEASE, DEV] + permissions: + id-token: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Setup mise + uses: jdx/mise-action@v2.2.3 + with: + experimental: true + + - name: Get secrets from Vault + id: secrets + uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # v3.0.1 + with: + secrets: | + development/github/token/licenses-ro token | GITHUB_TOKEN; + + - name: Run Plugin QA + env: + GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} + SQ_VERSION: ${{ matrix.sq_version }} + run: | + source cirrus-env QA + source set_maven_build_version ${{ github.run_number }} + cd its/plugin + mvn verify -Pit-plugin -Dsonar.runtimeVersion=${SQ_VERSION} -Dmaven.test.redirectTestOutputToFile=false -B -e -V + + - name: Cleanup Maven cache + if: always() + run: cleanup_maven_repository + + ruling: + name: Ruling + runs-on: ubuntu-latest + timeout-minutes: 60 + if: | + (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') || + github.event_name == 'pull_request' || + github.event_name == 'workflow_dispatch' + permissions: + id-token: write + contents: read + steps: + - name: Checkout + uses: 
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + submodules: true + + - name: Setup mise + uses: jdx/mise-action@v2.2.3 + with: + experimental: true + + - name: Get secrets from Vault + id: secrets + uses: SonarSource/vault-action-wrapper@3996073b47b49ac5c58c750d27ab4edf469401c8 # v3.0.1 + with: + secrets: | + development/github/token/licenses-ro token | GITHUB_TOKEN; + + - name: Run Ruling tests + env: + GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} + run: | + source cirrus-env QA + source set_maven_build_version ${{ github.run_number }} + cd its/ruling + mvn verify -Pit-ruling -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V + + - name: Cleanup Maven cache + if: always() + run: cleanup_maven_repository + + win_build: + name: Windows Build + runs-on: windows-latest + timeout-minutes: 45 + if: | + (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') || + github.event_name == 'pull_request' || + github.event_name == 'workflow_dispatch' + permissions: + id-token: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Setup mise + uses: jdx/mise-action@v2.2.3 + with: + experimental: true + + - name: Build on Windows + run: | + source cirrus-env CI + mvn.cmd clean verify + + - name: Cleanup Maven cache + if: always() + run: cleanup_maven_repository diff --git a/mise.toml b/mise.toml new file mode 100644 index 00000000..dcad49dd --- /dev/null +++ b/mise.toml @@ -0,0 +1,3 @@ +[tools] +java = "17" +maven = "3.9"
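Review bot: On `workflow_run` events GitHub sets `GITHUB_SHA`/`GITHUB_REF` to the default branch, and none of the three `actions/checkout` steps pass a `ref:`, so a QA run triggered by a completed Build on a `branch-*` branch would test `master` rather than that branch; set `ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || '' }}` on each checkout (an empty `ref` falls back to the default behaviour for the other triggers). In `win_build`, `run: | source cirrus-env CI …` and `run: cleanup_maven_repository` execute under the default `pwsh` shell of `windows-latest`, where `source` is not a command; add `shell: bash` to those steps or provide a PowerShell equivalent. Note also that the old Cirrus config gated QA on `$CIRRUS_USER_COLLABORATOR == 'true'` while the new `if:` runs `plugin_qa` and `ruling` on every `pull_request`; fork PRs cannot obtain the OIDC token the Vault step needs, so they will fail at that step rather than being skipped, which is worth either restoring a gate (for example on `github.event.pull_request.head.repo.full_name == github.repository`) or documenting as intended. The mise-action tag-pinning point raised on build.yml applies here as well.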