BUILD-8099 migration to GitHub Actions

julien-carsique-sonarsource · julien-carsique-sonarsource · commit 4a13ce34d252 · 2025-07-02T11:57:31.000+02:00
diff --git a/.cirrus.star b/.cirrus.star
diff --git a/.cirrus.yml b/.cirrus.yml
diff --git a/.cirrus/poetry.Dockerfile b/.cirrus/poetry.Dockerfile
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -0,0 +1,4 @@
+# Configuration for https://github.com/rhysd/actionlint run by pre-commit
+self-hosted-runner:
+  labels:
+    - ubuntu-24.04-large
diff --git a/.github/renovate.json b/.github/renovate.json
diff --git a/.github/workflows/PullRequestClosed.yml b/.github/workflows/PullRequestClosed.yml
@@ -0,0 +1,31 @@
+---
+name: Pull Request Closed
+
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  PullRequestClosed_job:
+    name: Pull Request Closed
+    runs-on: ubuntu-24.04-large
+    permissions:
+      id-token: write
+      pull-requests: read
+    # For external PR, ticket should be moved manually
+    if: |
+      github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@d6d745ffdbc82b040df839b903bc33b5592cd6b0 # 3.0.2
+        with:
+          secrets: |
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2
+        with:
+          github-token: ${{ github.token }}
+          jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
+          is-eng-xp-squad: true
diff --git a/.github/workflows/PullRequestCreated.yml b/.github/workflows/PullRequestCreated.yml
@@ -0,0 +1,31 @@
+---
+name: Pull Request Created
+
+on:
+  pull_request:
+    types:
+      - opened
+
+jobs:
+  PullRequestCreated_job:
+    name: Pull Request Created
+    runs-on: ubuntu-24.04-large
+    permissions:
+      id-token: write
+    # For external PR, ticket should be created manually
+    if: |
+      github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@d6d745ffdbc82b040df839b903bc33b5592cd6b0 # 3.0.2
+        with:
+          secrets: |
+            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2
+        with:
+          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
+          is-eng-xp-squad: true
diff --git a/.github/workflows/RequestReview.yml b/.github/workflows/RequestReview.yml
@@ -0,0 +1,31 @@
+---
+name: Request review
+
+on:
+  pull_request:
+    types:
+      - review_requested
+
+jobs:
+  RequestReview_job:
+    name: Request review
+    runs-on: ubuntu-24.04-large
+    permissions:
+      id-token: write
+    # For external PR, ticket should be moved manually
+    if: |
+      github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@d6d745ffdbc82b040df839b903bc33b5592cd6b0 # 3.0.2
+        with:
+          secrets: |
+            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/RequestReview@v2
+        with:
+          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
+          is-eng-xp-squad: true
diff --git a/.github/workflows/SubmitReview.yml b/.github/workflows/SubmitReview.yml
@@ -0,0 +1,34 @@
+---
+name: Submit Review
+
+on:
+  pull_request_review:
+    types:
+      - submitted
+
+jobs:
+  SubmitReview_job:
+    name: Submit Review
+    runs-on: ubuntu-24.04-large
+    permissions:
+      id-token: write
+      pull-requests: read
+    # For external PR, ticket should be moved manually
+    if: |
+      github.event.pull_request.head.repo.full_name == github.repository
+      && (github.event.review.state == 'changes_requested'
+          || github.event.review.state == 'approved')
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@d6d745ffdbc82b040df839b903bc33b5592cd6b0 # 3.0.2
+        with:
+          secrets: |
+            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2
+        with:
+          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
+          is-eng-xp-squad: true
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,53 @@
+name: Build
+on:
+  push:
+    branches:
+      - master
+      - branch-*
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+#env:
+#  DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+
+jobs:
+  build:
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
+    runs-on: ubuntu-24.04-large
+    name: Build
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: SonarSource/ci-github-actions/get-build-number@master # dogfood
+      - uses: SonarSource/ci-github-actions/build-poetry@master # dogfood
+
+  promote:
+    if: false # TODO WIP BUILD-8099
+    needs:
+      - build
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
+    runs-on: ubuntu-24.04-large
+    name: Promote
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: jdx/mise-action@5cb1df66ed5e1fb3c670ea0b62fd17a76979826a # v2.3.1
+        with:
+          cache_save: false
+      - name: Restore local Poetry cache
+        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ${{ github.workspace }}/.cache/pypoetry
+          key: poetry-${{ runner.os }}-${{ hashFiles('poetry.lock') }}
+          restore-keys: poetry-${{ runner.os }}-
+      - uses: SonarSource/ci-github-actions/get-build-number@feat/jcarsique/BUILD-80099-promotePoetry # TODO WIP BUILD-8099
+      - uses: SonarSource/ci-github-actions/promote-poetry@feat/jcarsique/BUILD-80099-promotePoetry # TODO WIP BUILD-8099
diff --git a/.github/workflows/pr-cleanup.yml b/.github/workflows/pr-cleanup.yml
@@ -0,0 +1,13 @@
+name: Cleanup caches and artifacts on PR close
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: write
+    steps:
+      - uses: SonarSource/ci-github-actions/pr_cleanup@master # dogfood
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -0,0 +1,17 @@
+---
+on:
+  pull_request:
+  merge_group:
+
+jobs:
+  pre-commit:
+    name: "pre-commit"
+    runs-on: ubuntu-24.04-large
+    steps:
+      - uses: jdx/mise-action@5cb1df66ed5e1fb3c670ea0b62fd17a76979826a # v2.3.1
+      - uses: SonarSource/gh-action_pre-commit@3d5b503c1ce51d0f92665875b9bea716eff1e70f # 1.0.7
+        with:
+          extra-args: >
+            --from-ref=origin/${{ github.event.pull_request.base.ref }}
+            --to-ref=${{ github.event.pull_request.head.sha }}
+          ignore-failure: ${{ github.event_name == 'merge_group' }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,4 @@
 name: Release
-
 on:
   release:
     types:
diff --git a/.github/workflows/slack_notify.yml b/.github/workflows/slack_notify.yml
@@ -0,0 +1,20 @@
+---
+name: Slack Notifications
+on:
+  check_suite:
+    types: [completed]
+
+permissions:
+  contents: read
+  id-token: write
+  checks: read
+jobs:
+  notify:
+    runs-on: ubuntu-24.04-large
+    steps:
+      - name: Send Slack Notification
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        uses: SonarSource/gh-action_slack-notify@master # dogfood
+        with:
+          slackChannel: squad-eng-xp-github
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
@@ -0,0 +1,12 @@
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md
+default: true
+
+MD013:
+  line_length: 140
+  tables: false
+
+MD031: # Fenced code blocks should be surrounded by blank lines
+  # Disable for list_items to create a tight list containing a code fence
+  list_items: false
+
+MD034: false
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,44 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+---
+default_language_version:
+  ruby: 2.7.2
+repos:
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b  # frozen: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-json
+      - id: check-yaml
+        args: [--unsafe]  # does not support https://yaml.org/type/merge.html
+      - id: check-added-large-files
+  - repo: https://github.com/adrienverge/yamllint
+    rev: 79a6b2b1392eaf49cdd32ac4f14be1a809bbd8f7  # frozen: v1.37.1
+    hooks:
+      - id: yamllint
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: 192ad822316c3a22fb3d3cc8aa6eafa0b8488360  # frozen: v0.45.0
+    hooks:
+      - id: markdownlint
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 06e4cc849d03f3a59ca223a4046f4bb5bb2aba6d  # frozen: 0.33.0
+    hooks:
+      - id: check-github-workflows
+      - id: check-renovate
+  - repo: https://github.com/renovatebot/pre-commit-hooks
+    rev: 32ee411cf36142e6082f10870ae62172ce9af133 # frozen: 35.32.0
+    hooks:
+      - id: renovate-config-validator
+  - repo: https://github.com/gruntwork-io/pre-commit
+    rev: v0.1.17
+    hooks:
+      - id: shellcheck
+  - repo: https://github.com/rhysd/actionlint
+    rev: 4e683ab8014a63fafa117492a0c6053758e6d593  # frozen: v1.7.3
+    hooks:
+      - id: actionlint
diff --git a/.yamllint b/.yamllint
@@ -0,0 +1,6 @@
+extends: default
+
+rules:
+  line-length:
+    max: 140
+    level: warning
diff --git a/SECURITY.md b/SECURITY.md
diff --git a/mise.toml b/mise.toml
