[BUGFIX] sonarcloud: Omitting "--only-binary :all:" can lead to the execution of setup scripts. Make sure it is safe here. #1306
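---
# Runs the test suite under coverage on pushes and pull requests to main (and
# on manual dispatch), publishes the coverage directory as an artifact, then
# hands that artifact to two downstream jobs: Codecov and SonarQube.
#
# NOTE(review): there is no `permissions:` block, so GITHUB_TOKEN receives the
# repository default scope in every job. Consider declaring least privilege
# (e.g. `contents: read`) once the needs of the Codecov and SonarQube steps
# are confirmed.
name: Python CI Coverage

on:  # yamllint disable-line rule:truthy
  push:
    branches: ["main"]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["main"]
  workflow_dispatch:

env:
  LOG_LEVEL: INFO

jobs:
  coverage:
    name: "Python CI Coverage"
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          # Shallow clones should be disabled for a better relevancy of analysis
          fetch-depth: 0
      - name: Setup Python
        # NOTE(review): `@master` is a mutable branch ref, so the code run here
        # can change without any commit to this repository. Pin it to a full
        # commit SHA like the checkout step above (the same applies to the
        # tag-pinned upload-artifact / download-artifact steps below).
        uses: actions/setup-python@master
        with:
          # Quoted so the version stays a string and is never read as a float.
          python-version: "3.14"
      - name: Install tooling
        run: >
          sudo apt install pipenv
      - name: Tooling check
        run: |
          python3 --version
          pipenv --version
          make --version
      - name: Install
        run: |
          # `pipenv sync` installs what Pipfile.lock records instead of
          # re-resolving, so CI uses the reviewed dependency set.
          # NOTE(review): version pinning alone does not stop a source
          # distribution from running its build script at install time;
          # confirm the lock resolves to wheels if that is the concern
          # raised in the page title.
          pipenv sync --dev
      - name: Test an coverage collect
        # Folded scalar: the lines below are joined into one command line.
        run: >
          pipenv run coverage run -m pytest --verbose
          -o log_cli=true
          --log-cli-level=INFO
          src/
      - name: Coverage Report
        run: |
          pipenv run coverage report
      - name: Coverage lcov (codecov)
        run: |
          pipenv run coverage lcov -o coverage/lcov.info
      - name: Coverage xml (sonarcloud)
        run: |
          pipenv run coverage xml -o coverage/coverage.xml
      - name: Upload coverage artifact
        uses: actions/upload-artifact@v7
        with:
          name: coverage-report
          path: coverage

  codecov:
    name: Upload to Codecov
    runs-on: ubuntu-24.04
    # Consumes the coverage-report artifact produced by the coverage job.
    needs: coverage
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          fetch-depth: 0
      - name: Download coverage artifact
        uses: actions/download-artifact@v8
        with:
          name: coverage-report
          path: coverage
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
        with:
          # Secret is handed to a third-party action; the SHA pin above fixes
          # which code receives it.
          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true

  sonarqube:
    name: Analyze with SonarQube
    runs-on: ubuntu-24.04
    # Consumes the coverage-report artifact produced by the coverage job.
    needs: coverage
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          fetch-depth: 0
      - name: Download coverage artifact
        uses: actions/download-artifact@v8
        with:
          name: coverage-report
          path: coverage
      - name: SonarQube Scan
        # yamllint disable-line rule:line-length
        uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995
        env:
          # Both tokens are exposed to the scan action's process environment.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}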