PYSCAN-45: Migrate CI from GitHub Action to Cirrus (#33)

Author: joke1196

.cirrus.star

@@ -0,0 +1,4 @@
+load("github.com/SonarSource/cirrus-modules@v2", "load_features")
+
+def main(ctx):
+  return load_features(ctx)

.cirrus.yml

@@ -0,0 +1,104 @@
+env:
+  ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
+  ARTIFACTORY_PRIVATE_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader
+  ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
+  ARTIFACTORY_DEPLOY_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer
+  ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
+  #Possible values for ARTIFACTORY_DEPLOY_REPO: sonarsource-private-qa, sonarsource-public-qa
+  ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
+  REPOX_URL: VAULT[development/kv/data/repox data.url]
+  GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
+  SONAR_TOKEN: VAULT[development/kv/data/sonarcloud data.token]
+  SONAR_HOST_URL: https://sonarcloud.io
+
+only_sonarsource_qa: &ONLY_SONARSOURCE_QA
+  only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "feature/*" || $CIRRUS_BRANCH =~ "dogfood-on-.*")
+
+container_definition: &CONTAINER_DEFINITION
+  dockerfile: .cirrus/poetry.Dockerfile
+  cluster_name: ${CIRRUS_CLUSTER_NAME}
+  region: eu-central-1
+  builder_image_name: POETRY_VM
+  builder_role: cirrus-builder
+  builder_image: docker-builder-v*
+  builder_instance_type: t3.small
+  builder_subnet_id: ${CIRRUS_AWS_SUBNET}
+  zone: eu-central-1
+  namespace: default
+  use_in_memory_disk: true
+  docker_arguments:
+    CIRRUS_AWS_ACCOUNT: ${CIRRUS_AWS_ACCOUNT}
+  DEPLOY_PULL_REQUEST: true
+  cpu: 3
+  memory: 8G
+
+
+.poetry_template: &POETRY_TEMPLATE
+  <<: *ONLY_SONARSOURCE_QA
+  eks_container:
+    <<: *CONTAINER_DEFINITION
+  poetry_script:
+    - poetry config repositories.repox "${REPOX_URL}/api/pypi/sonarsource-pypi/simple/"
+    - poetry config http-basic.repox "${ARTIFACTORY_PRIVATE_USERNAME}" "${ARTIFACTORY_PRIVATE_PASSWORD}"
+    - poetry install
+
+formatting_task:
+  <<: *POETRY_TEMPLATE
+  alias: formatting
+  name: "Formatting"
+  formatting_script:
+    - poetry run black src/ tests/ --check
+    - poetry run licenseheaders -t license_header.tmpl -o "SonarSource SA" -y 2011-2024 -n "Sonar Scanner Python" -E .py -d src/
+    - poetry run licenseheaders -t license_header.tmpl -o "SonarSource SA" -y 2011-2024 -n "Sonar Scanner Python" -E .py -d tests/
+    - poetry run licenseheaders -t license_header.tmpl -o "SonarSource SA" -y 2011-2024 -n "Sonar Scanner Python" -E .py -d its/ -x its/sources/**.py
+    - git diff --name-only --exit-code ./src ./tests ./its
+
+analysis_task:
+  <<: *POETRY_TEMPLATE
+  alias: analysis
+  name: "SC Analysis"
+  analysis_script:
+    - poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests
+    - sonar-scanner -Dsonar.organization=sonarsource -DbuildNumber=${CI_BUILD_NUMBER}
+
+qa_task:
+  alias: qa
+  matrix:
+    - name: "Test Python 3.8"
+      eks_container:
+        docker_arguments:
+          PYTHON_VERSION: 3.8.18
+    - name: "Test Python 3.9"
+      eks_container:
+        docker_arguments:
+          PYTHON_VERSION: 3.9.18
+    - name: "Test Python 3.10"
+      eks_container:
+        docker_arguments:
+          PYTHON_VERSION: 3.10.13
+    - name: "Test Python 3.11"
+      eks_container:
+        docker_arguments:
+          PYTHON_VERSION: 3.11.7
+    - name: "Test Python 3.12"
+      eks_container:
+        docker_arguments:
+          PYTHON_VERSION: 3.12.1
+  <<: *POETRY_TEMPLATE
+  qa_script:
+    - poetry run pytest tests/
+
+publish_task:
+  depends_on:
+    - formatting
+    - analysis
+    - qa
+  <<: *POETRY_TEMPLATE
+  name: "Publish (Repox)"
+  publish_script:
+    - poetry version patch
+    - poetry version $(poetry version -s).dev${CI_BUILD_NUMBER}
+    - poetry build
+    - poetry config repositories.sonarsource https://repox.jfrog.io/artifactory/api/pypi/sonarsource-pypi-builds
+    - poetry publish -r sonarsource --username ${ARTIFACTORY_DEPLOY_USERNAME} --password ${ARTIFACTORY_DEPLOY_PASSWORD} --verbose
+

.cirrus/poetry.Dockerfile

@@ -0,0 +1,34 @@
+ARG CIRRUS_AWS_ACCOUNT=275878209202
+FROM ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
+
+USER root
+
+ARG SCANNER_VERSION=5.0.1.3006
+ARG PYTHON_VERSION=3.12.1
+
+# install required dependencies to build Python from source see: https://devguide.python.org/getting-started/setup-building/#install-dependencies
+RUN apt-get update && apt-get install -y build-essential zlib1g-dev libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libsqlite3-dev libreadline-dev libffi-dev curl libbz2-dev
+RUN curl -O https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz
+RUN tar -xf Python-${PYTHON_VERSION}.tar.xz
+RUN cd Python-${PYTHON_VERSION} && ./configure && make -s -j 4 && make altinstall
+RUN cd /usr/local/bin \
+    && ln -s python${PYTHON_VERSION%.*} python \
+    && ln -s python${PYTHON_VERSION%.*} python3 \
+    && ln -s pip${PYTHON_VERSION%.*} pip \
+    && ln -s pip${PYTHON_VERSION%.*} pip3
+
+RUN curl "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SCANNER_VERSION}.zip" -o /tmp/sonar-scanner.zip \
+  && unzip -d /opt /tmp/sonar-scanner.zip \
+  && mv /opt/sonar-scanner-${SCANNER_VERSION} /opt/sonar-scanner \
+  && rm /tmp/sonar-scanner.zip
+
+USER sonarsource
+
+RUN curl -sSL https://install.python-poetry.org | python3 -
+ENV PATH=/usr/bin:$PATH
+ENV PATH="/home/sonarsource/bin:${PATH}"
+ENV PATH="${PATH}:/opt/sonar-scanner/bin"
+ENV PATH="${PATH}:/home/sonarsource/.local/bin"
+
+ENV SONARCLOUD_ANALYSIS true
+

.github/workflows/build-pr.yml

@@ -9,99 +9,6 @@ on:
       - 'feature/**'
 
 jobs:
-  test:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write     # required by SonarSource/vault-action-wrapper
-      contents: read      # required by actions/checkout
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
-    steps:
-    - name: Get vault secrets
-      id: secrets
-      uses: SonarSource/vault-action-wrapper@v2
-      with:
-        secrets: |
-          development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader role | ARTIFACTORY_ROLE;
-          development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_PASSWORD;
-          development/kv/data/repox url | REPOX_URL;
-    - uses: actions/checkout@v3
-    - name: Install Poetry
-      run: |
-        pipx install poetry
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
-      with:
-        python-version: ${{ matrix.python-version }}
-        cache: "poetry"
-    - name: Install dependencies
-      env:
-        ARTIFACTORY_USERNAME: vault-${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ROLE }}
-        ARTIFACTORY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PASSWORD }}
-        REPOX_URL: ${{ fromJSON(steps.secrets.outputs.vault).REPOX_URL }}
-      run: |
-        poetry config repositories.repox "${REPOX_URL}/api/pypi/sonarsource-pypi/simple/"
-        poetry config http-basic.repox "${ARTIFACTORY_USERNAME}" "${ARTIFACTORY_PASSWORD}"
-        poetry install 
-    - name: Check tests 
-      run: |
-        poetry run pytest tests/
-  analysis:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write     # required by SonarSource/vault-action-wrapper
-      contents: read      # required by actions/checkout
-      pull-requests: read # required by SonarSource/sonarcloud-github-action
-    strategy:
-      fail-fast: false
-    steps:
-    - name: Get vault secrets
-      id: secrets
-      uses: SonarSource/vault-action-wrapper@v2
-      with:
-        secrets: |
-          development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader role | ARTIFACTORY_ROLE;
-          development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_PASSWORD;
-          development/kv/data/repox url | REPOX_URL;
-          development/kv/data/sonarcloud token | SONARCLOUD_TOKEN;
-    - uses: actions/checkout@v3
-    - name: Install Poetry
-      run: |
-        pipx install poetry
-    - name: Set up Python 
-      uses: actions/setup-python@v4
-      with:
-        python-version: |
-          3.12
-        cache: "poetry"
-    - name: Install dependencies
-      env:
-        ARTIFACTORY_USERNAME: vault-${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ROLE }}
-        ARTIFACTORY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PASSWORD }}
-        REPOX_URL: ${{ fromJSON(steps.secrets.outputs.vault).REPOX_URL }}
-      run: |
-        poetry config repositories.repox "${REPOX_URL}/api/pypi/sonarsource-pypi/simple/"
-        poetry config http-basic.repox "${ARTIFACTORY_USERNAME}" "${ARTIFACTORY_PASSWORD}"
-        poetry install
-    - name: Check formatting
-      run: |
-        poetry run black src/ tests/ --check
-    - name: Check licensing
-      run: |
-        poetry run licenseheaders -t license_header.tmpl -o "SonarSource SA" -y 2011-2024 -n "Sonar Scanner Python" -E .py -d src/
-        poetry run licenseheaders -t license_header.tmpl -o "SonarSource SA" -y 2011-2024 -n "Sonar Scanner Python" -E .py -d tests/
-        poetry run licenseheaders -t license_header.tmpl -o "SonarSource SA" -y 2011-2024 -n "Sonar Scanner Python" -E .py -d its/ -x its/sources/**.py
-        git diff --name-only --exit-code ./src ./tests ./its
-    - name: Check tests and generate coverage
-      run: |
-        poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests
-    - name: SonarCloud Scan
-      uses: SonarSource/sonarcloud-github-action@master
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONARCLOUD_TOKEN }}
   integration_tests:
     runs-on: ubuntu-latest
     permissions:
@@ -144,37 +51,3 @@ jobs:
       working-directory: ./its
       run: |
         poetry run pytest 
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write     # required by SonarSource/vault-action-wrapper
-      contents: read      # required by actions/checkout
-    strategy:
-      fail-fast: false
-    steps:
-    - name: Get vault secrets
-      id: secrets
-      uses: SonarSource/vault-action-wrapper@v2
-      with:
-        secrets: |
-          development/artifactory/token/{REPO_OWNER_NAME_DASH}-qa-deployer access_token | ARTIFACTORY_PASSWORD_QA;
-    - uses: actions/checkout@v3
-    - name: Set up Python 
-      uses: actions/setup-python@v4
-      with:
-        python-version: |
-          3.12
-    - name: Install Poetry
-      run: |
-        pipx install poetry
-    - name: Configure pypi repo
-      run: poetry config repositories.sonarsource https://repox.jfrog.io/artifactory/api/pypi/sonarsource-pypi-builds
-    - name: Build and publish
-      env:
-        ARTIFACTORY_PYPI_DEPLOYER_USER: vault-SonarSource-sonar-scanner-python-qa-deployer
-        ARTIFACTORY_PYPI_DEPLOYER_API_KEY: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PASSWORD_QA }}
-      run: |
-        poetry version patch
-        poetry version $(poetry version -s).dev${{ github.run_number }}
-        poetry build
-        poetry publish -r sonarsource --username $ARTIFACTORY_PYPI_DEPLOYER_USER --password $ARTIFACTORY_PYPI_DEPLOYER_API_KEY --verbose