ci: add nightly CRON job for Tiobe TICS.

.github/workflows/tiobe-tics-cron.yaml

@@ -0,0 +1,71 @@
+name: TiCS Nightly Security Report
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 10 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  TiCS:
+
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          # Latest branches
+          - { branch: main }
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - name: Checking out repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{matrix.branch}}
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Go for Cobertura Coverage Converter
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.22"
+
+      - name: Run Tests With Coverage
+        run: |
+          set -eux -o pipefail
+
+          # tox required for running the unit tests with coverage:
+          pip install tox
+
+          pushd $GITHUB_WORKSPACE
+          tox -e unit,coverage-xml
+
+          GENERATED_COVERAGE_XML="$GITHUB_WORKSPACE/charms/worker/k8s/coverage.xml"
+
+          # TiCS expects the report to be under a "$(pwd)/cover" directory.
+          mkdir -p "$GITHUB_WORKSPACE/cover"
+          mv "$GENERATED_COVERAGE_XML" cover/coverage.xml
+
+      - name: Run TiCS
+        run: |
+          export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }}
+
+          # NOTE(aznashwan): TiCS install script doesn't define defaults; cannot '-u'
+          set -ex -o pipefail
+
+          # Install the TiCS and staticcheck
+          go install honnef.co/go/tools/cmd/[email protected]
+          . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
+
+          cd $GITHUB_WORKSPACE
+          TICSQServer -project k8s-operator -tmpdir /tmp/tics -branchdir "$GITHUB_WORKSPACE"

charms/worker/k8s/tox.ini

@@ -43,6 +43,13 @@ deps =
 commands =
     coverage report
 
+[testenv:coverage-xml]
+description = Create test coverage XML report
+deps =
+    coverage[xml]
+commands =
+    coverage xml
+
 [testenv:update-dashboards]
 description = Run the Grafana dashboards update script
 deps = pyyaml

pyproject.toml

@@ -16,6 +16,9 @@ target-version = ["py38"]
 [tool.coverage.report]
 show_missing = true
 
+[tool.coverage.xml]
+output = "coverage.xml"
+
 # Linting tools configuration
 [tool.flake8]
 max-line-length = 99

tox.ini

@@ -4,7 +4,7 @@
 [tox]
 skipsdist=True
 skip_missing_interpreters = True
-envlist = lint, unit, static, coverage-report
+envlist = lint, unit, static, coverage-report, coverage-xml
 
 [vars]
 lib_path = {toxinidir}/charms/worker/k8s/lib
@@ -77,6 +77,11 @@ allowlist_externals = tox
 commands =
     tox -c {toxinidir}/charms/worker/k8s -e coverage-report
 
+[testenv:coverage-xml]
+allowlist_externals = tox
+commands =
+    tox -c {toxinidir}/charms/worker/k8s -e coverage-xml
+
 [testenv:static]
 description = Run static analysis tests
 deps =