-
Notifications
You must be signed in to change notification settings - Fork 340
162 lines (143 loc) · 6.07 KB
/
Copy pathsonarqube.yml
File metadata and controls
162 lines (143 loc) · 6.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
name: SonarQube Analysis
on:
push:
branches:
- main
- develop
- "release/**"
pull_request:
branches:
- main
- develop
- "release/**"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
sonarqube:
name: SonarQube Scan (${{ matrix.name }})
runs-on: sonarqube-workflows-bp-sre
timeout-minutes: 30
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
strategy:
fail-fast: false
matrix:
include:
- name: agent
project_key: TEGRASW_metropolis_video-search-and-summarization-agent_video-search-and-summarization
project_name: video-search-and-summarization-agent
sources: services/agent
tests: services/agent/tests
python_version: "3.13"
- name: ui
project_key: TEGRASW_metropolis_video-search-and-summarization-ui_video-search-and-summarization
project_name: video-search-and-summarization-ui
sources: services/ui
tests: ""
python_version: ""
- name: skills
project_key: TEGRASW_metropolis_video-search-and-summarization-skills_video-search-and-summarization
project_name: video-search-and-summarization-skills
sources: skills
tests: ""
python_version: ""
steps:
- name: Checkout source
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
persist-credentials: false
- name: Validate SonarQube secrets
env:
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: |
if [ -z "$SONAR_HOST_URL" ]; then
echo "SONAR_HOST_URL secret is required."
exit 1
fi
if [ -z "$SONAR_TOKEN" ]; then
echo "SONAR_TOKEN secret is required."
exit 1
fi
- name: Write SonarQube configuration
env:
EVENT_NAME: ${{ github.event_name }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_HEAD_REF: ${{ github.head_ref }}
PR_BASE_REF: ${{ github.base_ref }}
SONAR_PROJECT_KEY: ${{ matrix.project_key }}
SONAR_PROJECT_NAME: ${{ matrix.project_name }}
SONAR_SOURCES: ${{ matrix.sources }}
SONAR_TESTS: ${{ matrix.tests }}
SONAR_PYTHON_VERSION: ${{ matrix.python_version }}
run: |
exclusions="**/node_modules/**,**/.venv/**,**/__pycache__/**,**/.mypy_cache/**,**/.ruff_cache/**,**/dist/**,**/build/**,**/.next/**,**/coverage/**,**/__tests__/**,**/*.test.ts,**/*.test.tsx,**/*.test.js,**/*.test.jsx,**/*.spec.ts,**/*.spec.tsx,**/3rdparty/**"
{
echo "sonar.projectKey=${SONAR_PROJECT_KEY}"
echo "sonar.projectName=${SONAR_PROJECT_NAME}"
echo "sonar.projectVersion=1.0.0"
echo "sonar.sourceEncoding=UTF-8"
echo "sonar.scm.provider=git"
echo "sonar.sources=${SONAR_SOURCES}"
echo "sonar.exclusions=${exclusions}"
} > sonar-project.properties
if [ -n "$SONAR_TESTS" ]; then
{
echo "sonar.tests=${SONAR_TESTS}"
echo "sonar.test.inclusions=${SONAR_TESTS}/**/*.py"
} >> sonar-project.properties
fi
if [ -n "$SONAR_PYTHON_VERSION" ]; then
echo "sonar.python.version=${SONAR_PYTHON_VERSION}" >> sonar-project.properties
fi
if [ "$SONAR_PROJECT_NAME" = "video-search-and-summarization-agent" ]; then
echo "sonar.python.coverage.reportPaths=services/agent/coverage.xml" >> sonar-project.properties
fi
if [ "$SONAR_PROJECT_NAME" = "video-search-and-summarization-skills" ]; then
# Skills helper scripts (skills/**/scripts/**) have no unit-test or
# coverage harness in CI, so exclude them from the new-code coverage
# gate. They are still analyzed for bugs, code smells, and duplication.
echo "sonar.coverage.exclusions=skills/**/scripts/**" >> sonar-project.properties
fi
if [ "$EVENT_NAME" = "pull_request" ]; then
{
echo "sonar.pullrequest.key=${PR_NUMBER}"
echo "sonar.pullrequest.branch=${PR_HEAD_REF}"
echo "sonar.pullrequest.base=${PR_BASE_REF}"
} >> sonar-project.properties
elif [ -n "${GITHUB_REF_NAME:-}" ]; then
echo "sonar.branch.name=${GITHUB_REF_NAME}" >> sonar-project.properties
fi
sed -E 's/(sonar.token|SONAR_TOKEN).*/[REDACTED]/g' sonar-project.properties
- name: Install uv
if: matrix.name == 'agent'
uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
with:
version: "0.6.2"
- name: Set up Python
if: matrix.name == 'agent'
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: ${{ matrix.python_version }}
- name: Generate agent coverage
if: matrix.name == 'agent'
working-directory: services/agent
run: |
# The Sonar self-hosted runner cannot install system packages.
# Coverage does not exercise PDF rendering, so skip pycairo/rlpycairo
# instead of requiring cairo headers and pkg-config on the runner.
uv sync --group dev --frozen --no-install-package pycairo --no-install-package rlpycairo
uv run --no-sync pytest \
--cov=src/vss_agents \
--cov-report=xml:coverage.xml \
--cov-report=term-missing \
-m "not slow and not integration"
- name: Run SonarQube scanner
uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6
env:
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}