SCANPY-219 Migrate shadow scan and iris tasks to github actions (#264)

Co-authored-by: David Kunzmann <[email protected]>

Author: Seppli11

.cirrus.yml

@@ -6,7 +6,7 @@ env:
   ARTIFACTORY_DEPLOY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
   ARTIFACTORY_DEPLOY_REPO: sonarsource-pypi-public-qa
   GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
-  DEPLOY_PULL_REQUEST: 'true'
+  DEPLOY_PULL_REQUEST: "true"
   POETRY_VIRTUALENVS_PATH: "~/.cache/poetry/venvs"
   POETRY_CACHE_DIR: "~/.cache/poetry/pypoetry"
   SONARQUBE_VERSION: 25.3.0.104237
@@ -17,21 +17,6 @@ env:
 
 only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == 'master' || $CIRRUS_BRANCH =~ "branch-.*")
 
-linux_container_definition: &LINUX_CONTAINER_DEFINITION
-  eks_container:
-    dockerfile: .cirrus/poetry.Dockerfile
-    cluster_name: ${CIRRUS_CLUSTER_NAME}
-    region: eu-central-1
-    namespace: default
-    builder_role: cirrus-builder
-    builder_image: docker-builder-v*
-    builder_instance_type: t3.small
-    use_in_memory_disk: true
-    docker_arguments:
-      CIRRUS_AWS_ACCOUNT: ${CIRRUS_AWS_ACCOUNT}
-    cpu: 3
-    memory: 8G
-
 .jfrog_config_template: &JFROG_CONFIG_TEMPLATE
   jfrog_config_script:
     - $JF_ALIAS config add repox --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_PRIVATE_ACCESS_TOKEN"
@@ -43,12 +28,6 @@ poetry_cache_template: &POETRY_CACHE
     folder: ~/.cache/poetry/
     fingerprint_script: cat poetry.lock
 
-.poetry_install_template: &POETRY_INSTALL
-  <<: *POETRY_CACHE
-  <<: *JFROG_CONFIG_TEMPLATE
-  poetry_install_script:
-    - poetry install
-
 .poetry_macos_template: &POETRY_MACOS_TEMPLATE
   <<: *POETRY_CACHE
   jfrog_install_script:
@@ -103,21 +82,3 @@ its_macos_task:
     fingerprint_script: echo "sonarqube-$SONARQUBE_VERSION"
   its_script:
     - .cirrus/run_its.sh
-
-run_iris_task:
-  <<: *LINUX_CONTAINER_DEFINITION
-  # only executed in CRON job AND on master branch
-  only_if: $CIRRUS_CRON == $CRON_NIGHTLY_JOB_NAME && $CIRRUS_BRANCH == "master"
-  env:
-    SONAR_SOURCE_IRIS_TOKEN: VAULT[development/kv/data/iris data.next]
-  matrix:
-    - name: "IRIS SQ NEXT -> Sonarcloud.io"
-      env:
-        SONAR_TARGET_URL: https://sonarcloud.io
-        SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-eu]
-    - name: "IRIS SQ NEXT -> SonarQube.us"
-      env:
-        SONAR_TARGET_URL: https://sonarqube.us
-        SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-us]
-  script:
-    - .cirrus/run_iris.sh

.cirrus/run_iris.sh

@@ -0,0 +1,74 @@
+name: Iris sync
+on:
+  schedule:
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  coverage:
+    name: "Coverage report generation"
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - name: Configure poetry
+        uses: ./.github/actions/config-poetry
+      - run: |
+          poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests
+          poetry run mypy src/ > mypy-report.txt || true
+      - name: Upload coverage artifacts
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: coverage-reports
+          path: |
+            coverage.xml
+            mypy-report.txt
+
+  shadow-scans:
+    name: Shadow Scans
+    needs: coverage
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+
+      - name: Download coverage artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: coverage-reports
+
+      - name: Build and run shadow scan
+        uses: SonarSource/ci-github-actions/build-poetry@v1
+        with:
+          sonar-platform: next
+          run-shadow-scans: true
+          artifactory-reader-role: private-reader
+          artifactory-deployer-role: qa-deployer
+
+  iris:
+    name: IRIS Sync
+    needs: shadow-scans
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Run IRIS Analysis
+        uses: SonarSource/unified-dogfooding-actions/run-iris@v1
+        with:
+          primary_project_key: "SonarSource_sonar-scanner-python"
+          primary_platform: "Next"
+          shadow1_project_key: "SonarSource_sonar-scanner-python"
+          shadow1_platform: "SQC-EU"
+          shadow2_project_key: "SonarSource_sonar-scanner-python"
+          shadow2_platform: "SQC-US"