From 7921a490b456fc6e1479cc08661d125ed5ef21e1 Mon Sep 17 00:00:00 2001 From: Nashwan Azhari Date: Fri, 8 Nov 2024 16:29:19 +0200 Subject: [PATCH 1/5] ci: add nightly CRON job for Tiobe TICS. This patch adds: - the necessary tox env targets for generating Cobertura coverage report XML format - a GitHub Workflow which runs the unit tests with coverage enabled, and calls the `TICSServer` to upload the analysis results Signed-off-by: Nashwan Azhari --- .github/workflows/tiobe-tics-cron.yaml | 76 ++++++++++++++++++++++++++ charms/worker/k8s/tox.ini | 7 +++ pyproject.toml | 3 + tox.ini | 7 ++- 4 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/tiobe-tics-cron.yaml diff --git a/.github/workflows/tiobe-tics-cron.yaml b/.github/workflows/tiobe-tics-cron.yaml new file mode 100644 index 00000000..f8cfd675 --- /dev/null +++ b/.github/workflows/tiobe-tics-cron.yaml 
@@ -0,0 +1,76 @@ +name: TiCS Nightly Security Report + +on: + workflow_dispatch: + schedule: + - cron: '0 10 * * *' + +permissions: + contents: read + +jobs: + TiCS: + + permissions: + contents: read + runs-on: ubuntu-latest + strategy: + matrix: + include: + # Latest branches + - { branch: main } + + steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + + - name: Checking out repo + uses: actions/checkout@v4 + with: + ref: ${{matrix.branch}} + + - uses: actions/setup-python@v5 + with: + python-version: '3.12' + + - name: Install Python Testing Deps + run: | + set -eux -o pipefail + + sudo python3 -m pip install tox + + - name: Install Go for Cobertura Coverage Converter + uses: actions/setup-go@v5 + with: + go-version: "1.22" + + - name: Run Tests With Coverage + run: | + set -eux -o pipefail + + pushd $GITHUB_WORKSPACE + tox -e unit,coverage-xml + + GENERATED_COVERAGE_XML="$GITHUB_WORKSPACE/charms/worker/k8s/coverage.xml" + cat "$GENERATED_COVERAGE_XML" + + # TiCS expects the report to be under a "$(pwd)/.coverage" directory. + mkdir -p "$GITHUB_WORKSPACE/.coverage" + mv "$GENERATED_COVERAGE_XML" .coverage/coverage.xml + + - name: Run TiCS + run: | + # NOTE(aznashwan): TiCS install script doesn't define defaults; cannot '-u' + set -ex -o pipefail + + export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }} + + # Install the TiCS and staticcheck + go install honnef.co/go/tools/cmd/staticcheck@v0.5.1 + . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/') + + cd $GITHUB_WORKSPACE + TICSQServer -project k8s-operator -tmpdir /tmp/tics -branchdir "$GITHUB_WORKSPACE" + diff --git a/charms/worker/k8s/tox.ini b/charms/worker/k8s/tox.ini index 04050690..5e7437bd 100644 --- a/charms/worker/k8s/tox.ini +++ b/charms/worker/k8s/tox.ini 
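Review bot: The `Run TiCS` step sources the installer straight from the network with `. <(curl --silent --show-error '…installtics/Script?…')`, in the same shell that has already exported `TICSAUTHTOKEN`, and nothing checks what was received. Without `--fail`, an HTTP error body is handed to the shell as script text, and any change to the served script runs with the token in its environment; the Harden Runner step is set to `egress-policy: audit`, which records unexpected outbound connections rather than blocking them. I would download to a file first, e.g. `curl --fail --silent --show-error --output "$RUNNER_TEMP/install-tics.sh" '<same URL>'`, then `. "$RUNNER_TEMP/install-tics.sh"`, and compare the file against a pinned digest if the vendor publishes one. If the installer itself does not need the token, exporting it only after the install would narrow what the downloaded script can read.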
@@ -43,6 +43,13 @@ deps = commands = coverage report +[testenv:coverage-xml] +description = Create test coverage XML report +deps = + coverage[xml] +commands = + coverage xml + [testenv:update-dashboards] description = Run the Grafana dashboards update script deps = pyyaml diff --git a/pyproject.toml b/pyproject.toml index bffeb7fe..3c2de1af 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -16,6 +16,9 @@ target-version = ["py38"] [tool.coverage.report] show_missing = true +[tool.coverage.xml] +output = "coverage.xml" + # Linting tools configuration [tool.flake8] max-line-length = 99 diff --git a/tox.ini b/tox.ini index 0621c291..5f527359 100644 --- a/tox.ini +++ b/tox.ini @@ -4,7 +4,7 @@ [tox] skipsdist=True skip_missing_interpreters = True -envlist = lint, unit, static, coverage-report +envlist = lint, unit, static, coverage-report, coverage-xml [vars] lib_path = {toxinidir}/charms/worker/k8s/lib @@ -77,6 +77,11 @@ allowlist_externals = tox commands = tox -c {toxinidir}/charms/worker/k8s -e coverage-report +[testenv:coverage-xml] +allowlist_externals = tox +commands = + tox -c {toxinidir}/charms/worker/k8s -e coverage-xml + [testenv:static] description = Run static analysis tests deps = From 31f38beba03a644e23dda958acf6a482c480d80e Mon Sep 17 00:00:00 2001 From: Nashwan Azhari Date: Tue, 19 Nov 2024 16:22:29 +0200 Subject: [PATCH 2/5] ci: ensure pylint and flake8 are installed in the TiCS workflow. Signed-off-by: Nashwan Azhari --- .github/workflows/tiobe-tics-cron.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/tiobe-tics-cron.yaml b/.github/workflows/tiobe-tics-cron.yaml index f8cfd675..d5b20ff8 100644 --- a/.github/workflows/tiobe-tics-cron.yaml +++ b/.github/workflows/tiobe-tics-cron.yaml 
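Review bot: `deps = coverage[xml]` in the new `[testenv:coverage-xml]` requests an extra that, as far as I know, the coverage package does not define; XML output is built in, and pip only warns about an unknown extra, so the line works by accident. If the intent is to let coverage read the new `[tool.coverage.xml]` table from `pyproject.toml` on interpreters older than 3.11, the extra to ask for is `toml`: `coverage[toml]`. The env also relies on a coverage data file left by an earlier `unit` run, which deserves a one-line comment such as `# requires the data file written by the unit env`.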
@@ -39,8 +39,19 @@ jobs: run: | set -eux -o pipefail + # Upgrade pip to be able to read the requirements.txt + sudo python3 -m pip install --upgrade pip + + # tox required for running the unit tests with coverage: sudo python3 -m pip install tox + # Required by TICSQServer: + sudo python3 -m pip install pylint flake8 + + # Must pre-install dependencies for TICSQServer: + sudo python3 -m pip install -r $GITHUB_WORKSPACE/charms/worker/k8s/requirements.txt + sudo python3 -m pip install -r $GITHUB_WORKSPACE/test_requirements.txt + - name: Install Go for Cobertura Coverage Converter uses: actions/setup-go@v5 with: From abcad3f100935694a4884fff7210f0fdadebeb40 Mon Sep 17 00:00:00 2001 From: Nashwan Azhari Date: Fri, 13 Dec 2024 14:33:27 +0200 Subject: [PATCH 3/5] integration: fix coverage.xml location for TiCS workflow. Signed-off-by: Nashwan Azhari --- .github/workflows/tiobe-tics-cron.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tiobe-tics-cron.yaml b/.github/workflows/tiobe-tics-cron.yaml index d5b20ff8..257983ac 100644 --- a/.github/workflows/tiobe-tics-cron.yaml +++ b/.github/workflows/tiobe-tics-cron.yaml @@ -67,9 +67,9 @@ jobs: GENERATED_COVERAGE_XML="$GITHUB_WORKSPACE/charms/worker/k8s/coverage.xml" cat "$GENERATED_COVERAGE_XML" - # TiCS expects the report to be under a "$(pwd)/.coverage" directory. - mkdir -p "$GITHUB_WORKSPACE/.coverage" - mv "$GENERATED_COVERAGE_XML" .coverage/coverage.xml + # TiCS expects the report to be under a "$(pwd)/cover" directory. + mkdir -p "$GITHUB_WORKSPACE/cover" + mv "$GENERATED_COVERAGE_XML" cover/coverage.xml - name: Run TiCS run: | From 23598645c43e1e67b4673fb8edfc9cd1eb306be5 Mon Sep 17 00:00:00 2001 From: Nashwan Azhari Date: Fri, 13 Dec 2024 15:34:08 +0200 Subject: [PATCH 4/5] integration: try to log TICSQServer logs at end of workflow. Signed-off-by: Nashwan Azhari --- .github/workflows/tiobe-tics-cron.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
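Review bot: Every install added to `Install Python Testing Deps` goes through `sudo python3 -m pip install …`, which runs the build and install hooks of each dependency in `requirements.txt` and `test_requirements.txt` as root. Because sudo normally resets `PATH`, `python3` here may also be the runner's system interpreter rather than the 3.12 one selected by `actions/setup-python`, so pylint, flake8 and the charm dependencies could land where TICSQServer does not look; I cannot confirm that from the hunk. Dropping sudo keeps the installs in the setup-python environment, e.g. `python3 -m pip install -r "$GITHUB_WORKSPACE/test_requirements.txt"` (note the added quoting). `pylint` and `flake8` are unpinned, so nightly findings can shift with a new linter release; a version constraint would keep the reports comparable.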
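Review bot: The corrected lines mix an absolute and a relative path: `mkdir -p "$GITHUB_WORKSPACE/cover"` is anchored, but `mv "$GENERATED_COVERAGE_XML" cover/coverage.xml` only lands in that directory because of a `pushd $GITHUB_WORKSPACE` earlier in the step, outside this hunk. Using `mv "$GENERATED_COVERAGE_XML" "$GITHUB_WORKSPACE/cover/coverage.xml"` removes the dependency on the working directory. The comment could also say where the `cover` location comes from (TiCS project configuration or a tool default), since this is the second directory name tried.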
diff --git a/.github/workflows/tiobe-tics-cron.yaml b/.github/workflows/tiobe-tics-cron.yaml index 257983ac..768a75e1 100644 --- a/.github/workflows/tiobe-tics-cron.yaml +++ b/.github/workflows/tiobe-tics-cron.yaml @@ -85,3 +85,17 @@ jobs: cd $GITHUB_WORKSPACE TICSQServer -project k8s-operator -tmpdir /tmp/tics -branchdir "$GITHUB_WORKSPACE" + - name: Print TICSQServer Logs + if: always() + run: | + set -eux -o pipefail + + TICS_TEMP_DIR="/tmp/tics/ticstmpdir" + + if [ -d "$TICS_TEMP_DIR" ]; then + for file in "$TICS_TEMP_DIR"/*; do + echo "### cat $file" + cat "$file" + echo + done + fi From cef783ab772a0899dd33a330d01648ce9e069f82 Mon Sep 17 00:00:00 2001 From: Claudiu Belu Date: Mon, 13 Jan 2025 15:12:37 +0000 Subject: [PATCH 5/5] WIP --- .github/workflows/tiobe-tics-cron.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tiobe-tics-cron.yaml b/.github/workflows/tiobe-tics-cron.yaml index 768a75e1..f90cbb06 100644 --- a/.github/workflows/tiobe-tics-cron.yaml +++ b/.github/workflows/tiobe-tics-cron.yaml @@ -4,6 +4,7 @@ on: workflow_dispatch: schedule: - cron: '0 10 * * *' + pull_request: permissions: contents: read @@ -74,10 +75,10 @@ jobs: - name: Run TiCS run: | # NOTE(aznashwan): TiCS install script doesn't define defaults; cannot '-u' - set -ex -o pipefail - export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }} + set -ex -o pipefail + # Install the TiCS and staticcheck go install honnef.co/go/tools/cmd/staticcheck@v0.5.1 . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
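Review bot: The new `Print TICSQServer Logs` step writes every file under `/tmp/tics/ticstmpdir` into the job log and runs under `if: always()`, so it also fires after a failed or partial analysis. GitHub masks only the exact secret string, so anything in those files derived from `TICSAUTHTOKEN` (an encoded header, a URL carrying credentials) would be published unmasked; I would confirm what TICSQServer writes there, or upload the directory as a short-retention artifact instead of printing it. Separately, `cat "$file"` exits non-zero on a subdirectory or an unmatched glob, and `set -e` then aborts the loop; `[ -f "$file" ] || continue` as the first line of the loop body avoids that.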
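Review bot: Adding `pull_request:` to `on:` makes the whole job, including the TiCS upload, run for every pull request, which looks like a debugging aid given the `WIP` subject. The checkout step elsewhere in this workflow pins `ref: ${{matrix.branch}}` with `branch: main`, so a PR run would analyse `main` rather than the proposed change, and for PRs from forks `secrets.TICSAUTHTOKEN` is empty, so the `Run TiCS` step would run without credentials. If PR runs are wanted, guard the upload with `if: github.event_name != 'pull_request'` on the `Run TiCS` step; otherwise drop the trigger before merging.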
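Review bot: Moving `export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }}` above `set -ex` keeps xtrace from echoing the line, but the secret is still pasted unquoted into the script text by the expression, so its characters are parsed by the shell. Passing it through the step's environment avoids both problems: add `env:` with `TICSAUTHTOKEN: ${{ secrets.TICSAUTHTOKEN }}` to the `Run TiCS` step and delete the `export` line. The `NOTE(aznashwan)` comment about not using `-u` now sits above the export instead of the `set` line it explains and should move with it.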