First draft

Author: joke1196

.github/scripts/run_iris.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+set -euo pipefail
+
+: "${ARTIFACTORY_PRIVATE_USERNAME?}" "${ARTIFACTORY_PRIVATE_ACCESS_TOKEN?}" "${ARTIFACTORY_URL?}"
+: "${SONAR_SOURCE_IRIS_TOKEN?}" "${SONAR_TARGET_IRIS_TOKEN?}" "${SONAR_TARGET_URL?}"
+
+function run_iris () {
+  java \
+    -Diris.source.projectKey="SonarSource_sonar-scanner-python" \
+    -Diris.source.url="https://next.sonarqube.com/sonarqube" \
+    -Diris.source.token="$SONAR_SOURCE_IRIS_TOKEN" \
+    -Diris.destination.projectKey="SonarSource_sonar-scanner-python" \
+    -Diris.destination.url="$SONAR_TARGET_URL" \
+    -Diris.destination.token="$SONAR_TARGET_IRIS_TOKEN" \
+    -Diris.destination.organization="sonarsource" \
+    -Diris.dryrun=$1 \
+    -jar iris-\[RELEASE\]-jar-with-dependencies.jar
+}
+
+VERSION="\[RELEASE\]"
+HTTP_CODE=$(\
+  curl \
+    --write-out '%{http_code}' \
+    --location \
+    --remote-name \
+    --user "$ARTIFACTORY_PRIVATE_USERNAME:$ARTIFACTORY_PRIVATE_ACCESS_TOKEN" \
+    "$ARTIFACTORY_URL/sonarsource-private-releases/com/sonarsource/iris/iris/$VERSION/iris-$VERSION-jar-with-dependencies.jar"\
+)
+
+if [ "$HTTP_CODE" != "200" ]; then
+  echo "Download $VERSION failed -> $HTTP_CODE"
+  exit 1
+else
+  echo "Downloaded $VERSION"
+fi
+
+echo "===== Execute IRIS as dry-run"
+run_iris "true"
+STATUS=$?
+if [ $STATUS -ne 0 ]; then
+  echo "===== Failed to run IRIS dry-run"
+  exit 1
+else
+  echo "===== Successful IRIS dry-run - executing IRIS for real."
+  run_iris "false"
+fi

.github/workflows/iris.yml

@@ -0,0 +1,36 @@
+name: Iris sync
+on:
+  schedule:
+    # Nightly job
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  iris:
+    name: "IRIS ${{ matrix.name }}"
+    needs: [analysis-shadow-sqc-eu, analysis-shadow-sqc-us]
+    runs-on: sonar-s-public
+    if: github.ref == 'refs/heads/master'
+    permissions:
+      id-token: write
+      contents: write
+    strategy:
+      matrix:
+        include:
+          - name: "IRIS SQ NEXT -> Sonarcloud.io"
+            env:
+              SONAR_TARGET_URL: https://sonarcloud.io
+              SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-eu]
+          - name: "IRIS SQ NEXT -> SonarQube.us"
+            env:
+              SONAR_TARGET_URL: https://sonarqube.us
+              SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-us]
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Run IRIS
+        run: ./.github/scripts/run_iris.sh
+

.github/workflows/shadow-analysis.yml

@@ -0,0 +1,81 @@
+name: Shadow Analysis
+on:
+  schedule:
+    # Nightly job
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  coverage:
+    name: "Coverage report generation"
+    runs-on: github-ubuntu-latest-s
+    needs: [install_deps]
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: ./.github/actions/config-poetry
+      - run: |
+          poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests
+          poetry run mypy src/ > mypy-report.txt || true
+      - name: Upload coverage artifacts
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: coverage-reports
+          path: |
+            coverage.xml
+            mypy-report.txt
+
+  analysis-shadow-sqc-eu:
+    name: "SQC-EU Shadow Analysis"
+    needs: [coverage]
+    runs-on: github-ubuntu-latest-s
+    if: github.ref == 'refs/heads/master'
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Download coverage artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: coverage-reports
+      - uses: jdx/mise-action@e3d7b8d67a7958d1207f6ed871e83b1ea780e7b0 #v3.3.1
+        with:
+          install_args: "[email protected]"
+      - run: mise use -g [email protected]
+      - uses: SonarSource/ci-github-actions/build-poetry@v1
+        env:
+          sonar-platform: sqc-eu
+          artifactory-reader-role: private-reader
+          artifactory-deployer-role: qa-deployer
+
+  analysis-shadow-sqc-us:
+    name: "SQC-US Shadow Analysis"
+    needs: [coverage]
+    runs-on: sonar-s-public
+    if: github.ref == 'refs/heads/master'
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Download coverage artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: coverage-reports
+      - uses: jdx/mise-action@e3d7b8d67a7958d1207f6ed871e83b1ea780e7b0 #v3.3.1
+        with:
+          install_args: "[email protected]"
+      - run: mise use -g [email protected]
+      - uses: SonarSource/ci-github-actions/build-poetry@v1
+        env:
+          sonar-platform: sqc-us
+          artifactory-reader-role: private-reader
+          artifactory-deployer-role: qa-deployer
+