feat(BUILD-4592): Sonar build & release workflow (#41)

Author: julien-carsique-sonarsource

.cirrus.yml

@@ -1,46 +1,48 @@
 env:
   ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
-  ARTIFACTORY_PRIVATE_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader
-  ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
-  ARTIFACTORY_DEPLOY_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer
-  ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
-  #Possible values for ARTIFACTORY_DEPLOY_REPO: sonarsource-private-qa, sonarsource-public-qa
-  ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
-  REPOX_URL: VAULT[development/kv/data/repox data.url]
+  ARTIFACTORY_PRIVATE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
+  ARTIFACTORY_DEPLOY_USERNAME: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer username]
+  ARTIFACTORY_DEPLOY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
+  ARTIFACTORY_DEPLOY_REPO: sonarsource-pypi-public-qa
   GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
   SONAR_TOKEN: VAULT[development/kv/data/sonarcloud data.token]
   SONAR_HOST_URL: https://sonarcloud.io
+  DEPLOY_PULL_REQUEST: 'true'
+  POETRY_VIRTUALENVS_PATH: ".cache/poetry/venvs"
+  POETRY_CACHE_DIR: ".cache/poetry/pypoetry"
 
-only_sonarsource_qa: &ONLY_SONARSOURCE_QA
-  only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "feature/*" || $CIRRUS_BRANCH =~ "dogfood-on-.*")
+only_if: $CIRRUS_USER_COLLABORATOR == "true" && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH || $CIRRUS_BRANCH =~ "feature/*" || $CIRRUS_BRANCH =~ "dogfood-on-.*")
 
 container_definition: &CONTAINER_DEFINITION
   dockerfile: .cirrus/poetry.Dockerfile
   cluster_name: ${CIRRUS_CLUSTER_NAME}
   region: eu-central-1
-  builder_image_name: POETRY_VM
+  namespace: default
+  builder_subnet_ids: ${CIRRUS_AWS_SUBNETS}
   builder_role: cirrus-builder
   builder_image: docker-builder-v*
   builder_instance_type: t3.small
-  builder_subnet_id: ${CIRRUS_AWS_SUBNET}
-  zone: eu-central-1
-  namespace: default
   use_in_memory_disk: true
   docker_arguments:
     CIRRUS_AWS_ACCOUNT: ${CIRRUS_AWS_ACCOUNT}
-  DEPLOY_PULL_REQUEST: true
   cpu: 3
   memory: 8G
 
+poetry_cache_template: &POETRY_CACHE
+  poetry_cache:
+    folder: .cache/poetry/
+    fingerprint_script: cat poetry.lock
 
 .poetry_template: &POETRY_TEMPLATE
-  <<: *ONLY_SONARSOURCE_QA
   eks_container:
     <<: *CONTAINER_DEFINITION
-  poetry_script:
-    - poetry config repositories.repox "${REPOX_URL}/api/pypi/sonarsource-pypi/simple/"
-    - poetry config http-basic.repox "${ARTIFACTORY_PRIVATE_USERNAME}" "${ARTIFACTORY_PRIVATE_PASSWORD}"
-    - poetry install
+  <<: *POETRY_CACHE
+  poetry_install_script:
+    - source set_poetry_build_version "$CI_BUILD_NUMBER"
+    - echo "PROJECT_VERSION=$PROJECT_VERSION" >> $CIRRUS_ENV
+    - jfrog config add repox --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_PRIVATE_ACCESS_TOKEN"
+    - jfrog poetry-config --server-id-resolve repox --repo-resolve sonarsource-pypi
+    - jfrog poetry install --build-name="$CIRRUS_REPO_NAME" --build-number="$CI_BUILD_NUMBER"
 
 formatting_task:
   <<: *POETRY_TEMPLATE
@@ -60,6 +62,11 @@ analysis_task:
   analysis_script:
     - poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests
     - sonar-scanner -Dsonar.organization=sonarsource -DbuildNumber=${CI_BUILD_NUMBER}
+  always:
+    pytest_artifacts:
+      path: "coverage.xml"
+      format: junit
+      type: text/xml
 
 qa_task:
   alias: qa
@@ -88,17 +95,24 @@ qa_task:
   qa_script:
     - poetry run pytest tests/
 
-publish_task:
+build_task:
+  <<: *POETRY_TEMPLATE
+  alias: build
+  name: "Build"
+  build_script: regular_poetry_build_publish
+
+promote_task:
   depends_on:
     - formatting
     - analysis
     - qa
+    - build
+  env:
+    ARTIFACTORY_PROMOTE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promoter access_token]
+    GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promotion token]
+    BURGR_URL: VAULT[development/kv/data/burgr data.url]
+    BURGR_USERNAME: VAULT[development/kv/data/burgr data.cirrus_username]
+    BURGR_PASSWORD: VAULT[development/kv/data/burgr data.cirrus_password]
+    ARTIFACTS: :pysonar:tar.gz,:pysonar:whl:py3-none-any
   <<: *POETRY_TEMPLATE
-  name: "Publish (Repox)"
-  publish_script:
-    - poetry version patch
-    - poetry version $(poetry version -s).dev${CI_BUILD_NUMBER}
-    - poetry build
-    - poetry config repositories.sonarsource https://repox.jfrog.io/artifactory/api/pypi/sonarsource-pypi-builds
-    - poetry publish -r sonarsource --username ${ARTIFACTORY_DEPLOY_USERNAME} --password ${ARTIFACTORY_DEPLOY_PASSWORD} --verbose
-
+  promote_script: cirrus_promote

.cirrus/poetry.Dockerfile

@@ -25,10 +25,7 @@ RUN curl "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-
 USER sonarsource
 
 RUN curl -sSL https://install.python-poetry.org | python3 -
-ENV PATH=/usr/bin:$PATH
-ENV PATH="/home/sonarsource/bin:${PATH}"
 ENV PATH="${PATH}:/opt/sonar-scanner/bin"
 ENV PATH="${PATH}:/home/sonarsource/.local/bin"
 
 ENV SONARCLOUD_ANALYSIS true
-

.github/workflows/build-pr.yml

@@ -1,34 +1,17 @@
 name: sonar-release
-# This workflow is triggered when publishing a new github release
+# This workflow is triggered when publishing a new GitHub release
 on:
   release:
     types:
       - published
 
 jobs:
-  pypi-publish:
-    name: Upload release to TestPyPI
-    runs-on: ubuntu-latest
-    environment:
-      name: pypi
+  release:
     permissions:
-      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
-      contents: read
-    steps:
-    # retrieve your distributions here
-      - uses: actions/checkout@v3
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: '3.x'
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install build
-      - name: Build package
-        run: python -m build
-      - name: Publish package distributions to TestPyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-          repository-url: https://test.pypi.org/legacy/
+      id-token: write
+      contents: write
+    uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v5
+    with:
+      publishToPyPI: false
+      publishToTestPyPI: true
+      skipPythonReleasabilityChecks: true

.github/workflows/release.yml

@@ -184,12 +184,16 @@ Also `dist/*` can be a bit more precise to upload a specific version of the bina
 
 # Update the package version
 
-To update the version use the hatch command:
+To update the version use the Poetry command:
 
 ```
 poetry version "X.Y.Z"
 ```
-For more options on the version update see [the hatch documentation](https://hatch.pypa.io/latest/version/)
+or
+```shell
+poetry version patch
+```
+For more options on the version update see [the Poetry documentation](https://python-poetry.org/docs/cli/#version)
 
 # Tooling 
 ## Formatting