From 4ec5c97758869c57c2b22edb9fc9d230460413a8 Mon Sep 17 00:00:00 2001
From: Jakub Rusz
Date: Tue, 30 Aug 2022 13:19:39 +0200
Subject: [PATCH] Add Schutzbot and Sonarqube

This adds the ability to use our Schutzbot Gitlab CI and run Sonarqube scan there. We have pretty much the exact same thing in weldr-client repo and use it only for Sonarqube. This could also be used in the future if there is any need to use our own CI. The added scan is just informative and is by no means supposed to be used to gate PRs, there will be just one more link to check the results in case anyone is interested.
---
 .github/workflows/trigger-gitlab.yml | 33 ++++++++++++++++++++++++++
 .gitlab-ci.yml | 34 +++++++++++++++++++++++++++
 schutzbot/RH-IT-Root-CA.keystore | Bin 0 -> 1447 bytes
 schutzbot/sonarqube.sh | 30 +++++++++++++++++++++++
 schutzbot/terraform | 1 +
 schutzbot/update_github_status.sh | 29 +++++++++++++++++++++++
 6 files changed, 127 insertions(+)
 create mode 100644 .github/workflows/trigger-gitlab.yml
 create mode 100644 .gitlab-ci.yml
 create mode 100644 schutzbot/RH-IT-Root-CA.keystore
 create mode 100755 schutzbot/sonarqube.sh
 create mode 100644 schutzbot/terraform
 create mode 100755 schutzbot/update_github_status.sh
diff --git a/.github/workflows/trigger-gitlab.yml b/.github/workflows/trigger-gitlab.yml
new file mode 100644
index 00000000..6ad78a04
--- /dev/null
+++ b/.github/workflows/trigger-gitlab.yml
@@ -0,0 +1,33 @@
+# inspired by rhinstaller/anaconda
+
+name: Trigger GitLab CI
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ trigger-gitlab:
+ runs-on: ubuntu-latest
+ env:
+ IMAGEBUILDER_BOT_GITLAB_SSH_KEY: ${{ secrets.IMAGEBUILDER_BOT_GITLAB_SSH_KEY }}
+ steps:
+ - name: Install Dependencies
+ run: |
+ sudo apt install -y jq
+
+ - name: Clone repository
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Push to gitlab
+ run: |
+ mkdir -p ~/.ssh
+ echo "${IMAGEBUILDER_BOT_GITLAB_SSH_KEY}" > ~/.ssh/id_rsa
+ chmod 400 ~/.ssh/id_rsa
+ touch ~/.ssh/known_hosts
+ ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts
+ git remote add ci git@gitlab.com:redhat/services/products/image-builder/ci/image-builder-frontend.git
+ git push -f ci
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..f6457f7d
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,34 @@
+stages:
+ - init
+ - test
+ - finish
+
+.terraform:
+ after_script:
+ - schutzbot/update_github_status.sh update
+ tags:
+ - terraform
+
+init:
+ stage: init
+ tags:
+ - shell
+ script:
+ - schutzbot/update_github_status.sh start
+
+SonarQube:
+ stage: test
+ extends: .terraform
+ script:
+ - schutzbot/sonarqube.sh
+ variables:
+ RUNNER: aws/centos-stream-8-x86_64
+ INTERNAL_NETWORK: "true"
+ GIT_DEPTH: 0
+
+finish:
+ stage: finish
+ tags:
+ - shell
+ script:
+ - schutzbot/update_github_status.sh finish
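Review bot: The "Push to gitlab" step in `.github/workflows/trigger-gitlab.yml` trusts whatever host key `ssh-keyscan -t rsa gitlab.com` returns at run time, so the SSH session that uses the bot's private key is never checked against a known GitLab key. Writing a pinned entry instead, for example `echo "${GITLAB_KNOWN_HOSTS}" >> ~/.ssh/known_hosts` (placeholder secret name holding GitLab's published host key), removes that trust-on-every-run step. The key is also exported in the job-level `env:`, which exposes it to every step including the third-party checkout action; moving the `env:` block under the push step limits that. `actions/checkout@v3` is a mutable tag, and a job that holds push credentials is better served by a full commit SHA pin. The `jq` install does not appear to be used by any step in this hunk.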
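Review bot: The `SonarQube` job in `.gitlab-ci.yml` runs in-repo scripts on a runner with `INTERNAL_NETWORK: "true"`, but nothing in the file restricts which refs start the pipeline, so any branch that reaches the GitLab mirror would run `schutzbot/sonarqube.sh` with internal-network access. A ref filter on the job such as `rules:` followed by `- if: '$CI_COMMIT_BRANCH == "main"'` (or an equivalent top-level `workflow: rules:`) would match the GitHub trigger, which only fires on `main`. A comment above `INTERNAL_NETWORK` along the lines of `# needed to reach the internal SonarQube server` would help later reviewers; the reason is presumed here because the script body is not visible in this hunk and should be confirmed.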
diff --git a/schutzbot/RH-IT-Root-CA.keystore b/schutzbot/RH-IT-Root-CA.keystore new file mode 100644 index 0000000000000000000000000000000000000000..f6a60adbfb76ee2fb1ccb7cd75cbb7ea86349b9b GIT binary patch literal 1447 zcmV;Y1z7qpf(4@j0Ru3C1zZLRDuzgg_YDCD0ic2fO$34kNic#1MKFQ|K?VsbhDe6@ z4FLxRpn?T5FoFdx0s#Opf(0iA2`Yw2hW8Bt2LUi<1_>&LNQU+thDZTr0|Wso1Q1#MI&OVhPpW79tvl8OI8gW?@5qC48mbvr|fu*|S988~Nk+*5tBWJ}wsHRLfm?mjY zk>qr&au3L3dfdHn91KCl7aR=k3*@dc_H+|q z+k2NQ^TYId5H8F#lhw_%crL=8f84FaVk*;qdK$;bvVl%gn;wY$X`*UoWB$KJpVm?? z5Janvq~OFJICyM?i7t1kCSS>SinW;+h9rT&h%ZuviUl99Ir$k;XifhZGbYB0q{W!x z__zQyu7nDS#D zHwBI(tUSrS>(eFF#I8h@x3*i1R>vs>`*mWJUlcbzjJ(*HNPHy*_^>O{#f7B+&;nij z#Xx?{r~@H2PD_?CIoiaaM#k?f6du(VRzv^qK(TCpu8(;DlN_L~Xd3L`Gs&*t7{YR5&fzsz;IJOlT28CD(l;TUB%Zsu!#<_Dw|Eq@*~~%GxF>o!YH5-8)d=jUD{M$> z8rz0;KG-pEi0rfe%#d2EkGa@5EV5YmUM+v4azt*|QAy@K8zGvG7Uxd|q=B=X)FBR4G)#UL=;a`BxH?&9qA#5wR7| zll?%a)zvCCqohp(qWeCQ%r2m_D{OGjTMzTMtO5e;n7lGHE;oqU9P&- zHb4CXLFB)ml*-?Vl+@aJJZ0?$7@fTr5+`BRrtb>1^zj*!#I=!T|wQiU9|tfJDjV8TK{!&_q`i|f5k z7k^F&B32r2BCcW4=@eINxPn_~)H$$M#A&F*FFgg_Jun`bkUwGr<8*4sTIO?MQo9*6 zPo%CML8?fG1JaOkQG4mdKK3v5g8}mfRojkH@=}Xcwt4*m|E;mnSCa`{epK&NFl|*; zcNYS9+-{(tn-3uJn`gL;VBsaz*Q=b}Z=dQ|u)o5m69M~iB5Nx5J*KhLndXiC!Is!{ z7|;{d)Si={8(9&d1|MV)Jjo!9uD-MBHUtV(BkieT@@txio8!l|-b#dmNhTz#{cNZu zkx5)_o&xsgj7oSJ328s(V3j!!3>IJh);V|a3OBwvV9IKl)1(4yEy2aHGP&Ylx|zWG zRBVsFWbAihyPjGbT9*NXbg+~)dX;