SCANPY-219 Migrate shadow scan and iris tasks to github actions

Author: joke1196

.cirrus.yml

@@ -6,7 +6,7 @@ env:
   ARTIFACTORY_DEPLOY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
   ARTIFACTORY_DEPLOY_REPO: sonarsource-pypi-public-qa
   GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
-  DEPLOY_PULL_REQUEST: 'true'
+  DEPLOY_PULL_REQUEST: "true"
   POETRY_VIRTUALENVS_PATH: "~/.cache/poetry/venvs"
   POETRY_CACHE_DIR: "~/.cache/poetry/pypoetry"
   SONARQUBE_VERSION: 25.3.0.104237
@@ -103,21 +103,3 @@ its_macos_task:
     fingerprint_script: echo "sonarqube-$SONARQUBE_VERSION"
   its_script:
     - .cirrus/run_its.sh
-
-run_iris_task:
-  <<: *LINUX_CONTAINER_DEFINITION
-  # only executed in CRON job AND on master branch
-  only_if: $CIRRUS_CRON == $CRON_NIGHTLY_JOB_NAME && $CIRRUS_BRANCH == "master"
-  env:
-    SONAR_SOURCE_IRIS_TOKEN: VAULT[development/kv/data/iris data.next]
-  matrix:
-    - name: "IRIS SQ NEXT -> Sonarcloud.io"
-      env:
-        SONAR_TARGET_URL: https://sonarcloud.io
-        SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-eu]
-    - name: "IRIS SQ NEXT -> SonarQube.us"
-      env:
-        SONAR_TARGET_URL: https://sonarqube.us
-        SONAR_TARGET_IRIS_TOKEN: VAULT[development/kv/data/iris data.sqc-us]
-  script:
-    - .cirrus/run_iris.sh

.cirrus/run_iris.sh

@@ -0,0 +1,74 @@
+name: Iris sync
+on:
+  schedule:
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  coverage:
+    name: "Coverage report generation"
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - name: Configure poetry
+        uses: ./.github/actions/config-poetry
+      - run: |
+          poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests
+          poetry run mypy src/ > mypy-report.txt || true
+      - name: Upload coverage artifacts
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: coverage-reports
+          path: |
+            coverage.xml
+            mypy-report.txt
+
+  shadow-scans:
+    name: Shadow Scans
+    needs: coverage
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+
+      - name: Download coverage artifacts
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: coverage-reports
+
+      - name: Build and run shadow scan
+        uses: SonarSource/ci-github-actions/build-poetry@v1
+        with:
+          sonar-platform: next
+          run-shadow-scans: true
+          artifactory-reader-role: private-reader
+          artifactory-deployer-role: qa-deployer
+
+  iris:
+    name: IRIS Sync
+    needs: shadow-scans
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Run IRIS Analysis
+        uses: SonarSource/unified-dogfooding-actions/run-iris@v1
+        with:
+          primary_project_key: "SonarSource_sonar-scanner-python"
+          primary_platform: "Next"
+          shadow1_project_key: "SonarSource_sonar-scanner-python"
+          shadow1_platform: "SQC-EU"
+          shadow2_project_key: "SonarSource_sonar-scanner-python"
+          shadow2_platform: "SQC-US"