Add Schutzbot and Sonarqube

This adds the ability to use our Schutzbot Gitlab CI and run Sonarqube scan there. We have pretty much the exact same thing in weldr-client repo and use it only for Sonarqube. This could also be used in the future if there is any need to use our own CI. The added scan is just informative and is by no means supposed to be used to gate PRs, there will be just one more link to check the results in case anyone is interested.
2022-08-30 13:19:39 +02:00 · 2022-08-30 13:19:39 +02:00 · 4ec5c97758
commit 4ec5c97758
parent c9c75da7ba
6 changed files with 127 additions and 0 deletions
--- a/.github/workflows/trigger-gitlab.yml
+++ b/.github/workflows/trigger-gitlab.yml
@ -0,0 +1,33 @@
+# inspired by rhinstaller/anaconda
+
+name: Trigger GitLab CI
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  trigger-gitlab:
+    runs-on: ubuntu-latest
+    env:
+      IMAGEBUILDER_BOT_GITLAB_SSH_KEY: ${{ secrets.IMAGEBUILDER_BOT_GITLAB_SSH_KEY }}
+    steps:
+      - name: Install Dependencies
+        run: |
+          sudo apt install -y jq
+
+      - name: Clone repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Push to gitlab
+        run: |
+          mkdir -p ~/.ssh
+          echo "${IMAGEBUILDER_BOT_GITLAB_SSH_KEY}" > ~/.ssh/id_rsa
+          chmod 400 ~/.ssh/id_rsa
+          touch ~/.ssh/known_hosts
+          ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts
+          git remote add ci git@gitlab.com:redhat/services/products/image-builder/ci/image-builder-frontend.git
+          git push -f ci
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,34 @@
+stages:
+  - init
+  - test
+  - finish
+
+.terraform:
+  after_script:
+    - schutzbot/update_github_status.sh update
+  tags:
+    - terraform
+
+init:
+  stage: init
+  tags:
+    - shell
+  script:
+    - schutzbot/update_github_status.sh start
+
+SonarQube:
+  stage: test
+  extends: .terraform
+  script:
+    - schutzbot/sonarqube.sh
+  variables:
+    RUNNER: aws/centos-stream-8-x86_64
+    INTERNAL_NETWORK: "true"
+    GIT_DEPTH: 0
+
+finish:
+  stage: finish
+  tags:
+    - shell
+  script:
+    - schutzbot/update_github_status.sh finish
--- a/schutzbot/RH-IT-Root-CA.keystore
+++ b/schutzbot/RH-IT-Root-CA.keystore
--- a/schutzbot/sonarqube.sh
+++ b/schutzbot/sonarqube.sh
@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+SONAR_SCANNER_CLI_VERSION=${SONAR_SCANNER_CLI_VERSION:-4.6.2.2472}
+
+export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=schutzbot/RH-IT-Root-CA.keystore -Djavax.net.ssl.trustStorePassword=$KEYSTORE_PASS"
+sudo dnf install -y unzip nodejs
+curl "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_CLI_VERSION-linux.zip" -o sonar-scanner-cli.zip
+unzip -q sonar-scanner-cli.zip
+
+SONAR_SCANNER_CMD="sonar-scanner-$SONAR_SCANNER_CLI_VERSION-linux/bin/sonar-scanner"
+SCANNER_OPTS="-Dsonar.projectKey=osbuild:image-builder-frontend -Dsonar.sources=. -Dsonar.host.url=https://sonarqube.corp.redhat.com -Dsonar.login=$SONAR_SCANNER_TOKEN"
+
+# add options for branch analysis if not running on main
+if [ "$CI_COMMIT_BRANCH" != "main" ];then
+    SCANNER_OPTS="$SCANNER_OPTS -Dsonar.pullrequest.branch=$CI_COMMIT_BRANCH -Dsonar.pullrequest.key=$CI_COMMIT_SHA -Dsonar.pullrequest.base=main"
+fi
+
+# run the sonar-scanner
+eval "$SONAR_SCANNER_CMD $SCANNER_OPTS"
+
+SONARQUBE_URL="https://sonarqube.corp.redhat.com/dashboard?id=osbuild%3Aimage-builder-frontend&pullRequest=$CI_COMMIT_SHA"
+# Report back to GitHub
+curl \
+    -u "${SCHUTZBOT_LOGIN}" \
+    -X POST \
+    -H "Accept: application/vnd.github.v3+json" \
+    "https://api.github.com/repos/RedHatInsights/image-builder-frontend/statuses/${CI_COMMIT_SHA}" \
+    -d '{"state":"success", "description": "SonarQube scan sent for analysis", "context": "SonarQube", "target_url": "'"${SONARQUBE_URL}"'"}'
--- a/schutzbot/terraform
+++ b/schutzbot/terraform
@ -0,0 +1 @@
+75d786e792a7b58634689b24ac379678b444fa65
--- a/schutzbot/update_github_status.sh
+++ b/schutzbot/update_github_status.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+
+if [[ $1 == "start" ]]; then
+  GITHUB_NEW_STATE="pending"
+  GITHUB_NEW_DESC="I'm currently testing this commit, be patient."
+elif [[ $1 == "finish" ]]; then
+  GITHUB_NEW_STATE="success"
+  GITHUB_NEW_DESC="I like this commit!"
+elif [[ $1 == "update" ]]; then
+  if [[ $CI_JOB_STATUS == "canceled" ]]; then
+    GITHUB_NEW_STATE="failure"
+    GITHUB_NEW_DESC="Someone told me to cancel this test run."
+  elif [[ $CI_JOB_STATUS == "failed" ]]; then
+    GITHUB_NEW_STATE="failure"
+    GITHUB_NEW_DESC="I'm sorry, something is odd about this commit."
+  else
+    exit 0
+  fi
+else
+  echo "unknown command"
+  exit 1
+fi
+
+curl \
+    -u "${SCHUTZBOT_LOGIN}" \
+    -X POST \
+    -H "Accept: application/vnd.github.v3+json" \
+    "https://api.github.com/repos/RedHatInsights/image-builder-frontend/statuses/${CI_COMMIT_SHA}" \
+    -d '{"state":"'"${GITHUB_NEW_STATE}"'", "description": "'"${GITHUB_NEW_DESC}"'", "context": "Schutzbot on GitLab", "target_url": "'"${CI_PIPELINE_URL}"'"}'