ci: add nightly CRON job for Tiobe TICS.

This patch adds: - the necessary tox env targets for generating Cobertura coverage report XML format - a GitHub Workflow which runs the unit tests with coverage enabled, and calls the `TICSServer` to upload the analysis results Signed-off-by: Nashwan Azhari <[email protected]>
canonical · Dec 13, 2024 · 7286b37 · 7286b37
1 parent 072754d
commit 7286b37
Show file tree

Hide file tree

Showing 4 changed files with 92 additions and 1 deletion.
diff --git a/.github/workflows/tiobe-tics-cron.yaml b/.github/workflows/tiobe-tics-cron.yaml
@@ -0,0 +1,76 @@
+name: TiCS Nightly Security Report
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 10 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  TiCS:
+
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          # Latest branches
+          - { branch: main }
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - name: Checking out repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{matrix.branch}}
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Python Testing Deps
+        run: |
+          set -eux -o pipefail
+
+          sudo python3 -m pip install tox
+
+      - name: Install Go for Cobertura Coverage Converter
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.22"
+
+      - name: Run Tests With Coverage
+        run: |
+          set -eux -o pipefail
+
+          pushd $GITHUB_WORKSPACE
+          tox -e unit,coverage-xml
+
+          GENERATED_COVERAGE_XML="$GITHUB_WORKSPACE/charms/worker/k8s/coverage.xml"
+          cat "$GENERATED_COVERAGE_XML"
+
+          # TiCS expects the report to be under a "$(pwd)/.coverage" directory.
+          mkdir -p "$GITHUB_WORKSPACE/.coverage"
+          mv "$GENERATED_COVERAGE_XML" .coverage/coverage.xml
+
+      - name: Run TiCS
+        run: |
+          # NOTE(aznashwan): TiCS install script doesn't define defaults; cannot '-u'
+          set -ex -o pipefail
+
+          export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }}
+
+          # Install the TiCS and staticcheck
+          go install honnef.co/go/tools/cmd/[email protected]
+          . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
+
+          cd $GITHUB_WORKSPACE
+          TICSQServer -project k8s-operator -tmpdir /tmp/tics -branchdir "$GITHUB_WORKSPACE"
+
diff --git a/charms/worker/k8s/tox.ini b/charms/worker/k8s/tox.ini
@@ -43,6 +43,13 @@ deps =
 commands =
     coverage report
 
+[testenv:coverage-xml]
+description = Create test coverage XML report
+deps =
+    coverage[xml]
+commands =
+    coverage xml
+
 [testenv:update-dashboards]
 description = Run the Grafana dashboards update script
 deps = pyyaml

diff --git a/pyproject.toml b/pyproject.toml
@@ -16,6 +16,9 @@ target-version = ["py38"]
 [tool.coverage.report]
 show_missing = true
 
+[tool.coverage.xml]
+output = "coverage.xml"
+
 # Linting tools configuration
 [tool.flake8]
 max-line-length = 99

diff --git a/tox.ini b/tox.ini
@@ -4,7 +4,7 @@
 [tox]
 skipsdist=True
 skip_missing_interpreters = True
-envlist = lint, unit, static, coverage-report
+envlist = lint, unit, static, coverage-report, coverage-xml
 
 [vars]
 lib_path = {toxinidir}/charms/worker/k8s/lib
@@ -77,6 +77,11 @@ allowlist_externals = tox
 commands =
     tox -c {toxinidir}/charms/worker/k8s -e coverage-report
 
+[testenv:coverage-xml]
+allowlist_externals = tox
+commands =
+    tox -c {toxinidir}/charms/worker/k8s -e coverage-xml
+
 [testenv:static]
 description = Run static analysis tests
 deps =