Merge branch 'main' into feature/#409-Doc-link-&-checks

Author: Jannis-Mittenzwei

.github/actions/security-issues/action.yml

@@ -39,7 +39,7 @@ runs:
     - name: Install Python Toolbox / Security tool
       shell: bash
       run: |
-        pip install exasol-toolbox==1.3.0
+        pip install exasol-toolbox==1.4.0
 
     - name: Create Security Issue Report
       shell: bash

.github/workflows/ci.yml

@@ -1,26 +1,21 @@
 name: CI
 
 on:
-  push:
-    branches-ignore:
-      - "github-pages/*"
-      - "gh-pages/*"
-      - "main"
-      - "master"
+  pull_request:
+      types: [opened, synchronize, reopened]
   schedule:
-    # “At 00:00 on every 7th day-of-month from 1 through 31.” (https://crontab.guru)
+    # At 00:00 on every 7th day-of-month from 1 through 31. (https://crontab.guru)
     - cron: "0 0 1/7 * *"
 
 jobs:
-
   CI:
     uses: ./.github/workflows/merge-gate.yml
     secrets: inherit
     permissions:
       contents: read
-
   Metrics:
     needs: [ CI ]
     uses: ./.github/workflows/report.yml
+    secrets: inherit
     permissions:
       contents: read

.github/workflows/pr-merge.yml

@@ -25,5 +25,6 @@ jobs:
   metrics:
     needs: [ ci-job ]
     uses: ./.github/workflows/report.yml
+    secrets: inherit
     permissions:
       contents: read

.github/workflows/report.yml

@@ -35,6 +35,9 @@ jobs:
       - name: Generate Report
         run: poetry run -- nox -s project:report -- --format json | tee metrics.json
 
+      - name: Upload to sonar
+        run: poetry run -- nox -s sonar:check -- ${{ secrets.SONAR_TOKEN }}
+
       - name: Upload Artifacts
         uses: actions/[email protected]
         with:

.gitignore

@@ -7,6 +7,7 @@ odbcconfig/odbcinst.ini
 .html-documentation
 
 .coverage
+.sonar
 
 _build/
 

doc/changes/changelog.md

@@ -1,6 +1,7 @@
 # Changelog
 
 * [unreleased](unreleased.md)
+* [1.4.0](changes_1.4.0.md)
 * [1.3.0](changes_1.3.0.md)
 * [1.2.0](changes_1.2.0.md)
 * [1.1.0](changes_1.1.0.md)
@@ -35,6 +36,7 @@
 hidden:
 ---
 unreleased
+changes_1.4.0
 changes_1.3.0
 changes_1.2.0
 changes_1.1.0

doc/changes/changes_1.4.0.md

@@ -0,0 +1,11 @@
+# 1.4.0 - 2025-06-06
+
+## Summary
+
+## ✨ Features
+
+* #426: Allowed configuring the python version used for coverage
+
+## Bugfixes
+
+* #463: Fixed dependency:licenses to correctly parse exceptional names

doc/changes/unreleased.md

@@ -1,8 +1,30 @@
 # Unreleased
 
 ## Summary
+This version of the PTB adds nox task `sonar:check`, see #451. This allows us to
+use SonarQube Cloud to analyze, visualize, & track linting, security, & coverage. In
+order to properly set it up, you'll need to do the following instruction for each **public** project.
+At this time, PTB currently does not support setting up SonarQube for a **private** project.
+
+1. Specify in the `noxconfig.py` the relative path to the project's source code in `Config.source`
+    ```python
+        source: Path = Path("exasol/toolbox")
+    ```
+2. Add the 'SONAR_TOKEN' to the 'Organization secrets' in GitHub (this requires a person being a GitHub organization owner).
+3. Activate the SonarQubeCloud App
+4. Create a project on SonarCloud
+5. Add the following information to the project's file `pyproject.toml`
+    ```toml
+        [tool.sonar]
+        projectKey = "com.exasol:<project-key>"
+        hostUrl = "https://sonarcloud.io"
+        organization = "exasol"
+    ```
+6. Post-merge, update the branch protections to include SonarQube analysis
 
 ## ✨ Features
+* #451: Added nox task to execute pysonar & added Sonar to the CI
+* #409: Doc link & checks
 
-* #426: Allowed configuring the python version used for coverage
-* [#409](https://github.com/exasol/python-toolbox/issues/409): Doc link & checks
+## ⚒️ Refactorings
+* #451: Reduced scope of nox tasks `lint:code` (pylint) and `lint:security` (bandit) to analyze only the package code

doc/user_guide/getting_started.rst

@@ -181,8 +181,8 @@ forward, and you just can use the example *noxfile.py* below.
 
 .. _toolbox tasks:
 
-7. Setup for deploying documentation (optional)
-+++++++++++++++++++++++++++++++++++++++++++++++
+7. Set up for deploying documentation (optional)
+++++++++++++++++++++++++++++++++++++++++++++++++
 Within the `gh-pages.yml`, we use the GitHub `upload-pages-artifact` and `deploy-pages`
 actions. In order to properly deploy your pages, you'll need to reconfigure the GitHub
 Pages settings for the repo:
@@ -201,8 +201,32 @@ We also need to configure settings for github-pages environment:
 5. In the 'Deployment branches and tags', click 'Add deployment branch or tag rule'
 6. Select 'Ref type' to be 'Tag' and set the 'Name pattern' to `[0-9]*.[0-9]*.[0-9]*` (or whatever matches that repo's tags)
 
+8. Set up for Sonar
++++++++++++++++++++
+PTB supports using SonarQube Cloud to analyze, visualize, & track linting, security, &
+coverage. In order to properly set it up, you'll need to do the following instructions
+for each **public** project. At this time, PTB currently does not support setting up
+SonarQube for a **private** project.
 
-8. Go 🥜
+1. Specify in the `noxconfig.py` the relative path to the project's source code in `Config.source`
+    .. code-block:: python
+
+        source: Path = Path("exasol/toolbox")
+2. Add the 'SONAR_TOKEN' to the 'Organization secrets' in GitHub (this requires a person being a GitHub organization owner).
+3. Activate the SonarQubeCloud App
+4. Create a project on SonarCloud
+5. Add the following information to the project's file `pyproject.toml`
+    .. code-block:: toml
+
+        [tool.sonar]
+        projectKey = "com.exasol:<project-key>"
+        hostUrl = "https://sonarcloud.io"
+        organization = "exasol"
+6. Post-merge, update the branch protections to include SonarQube analysis
+
+
+
+9. Go 🥜
 +++++++++++++
 You are ready to use the toolbox. With *nox -l* you can list all available tasks.