Merge branch 'master' into rule/add-RSPEC-S7456

Author: ghislainpiot

.cirrus.star

@@ -0,0 +1,30 @@
+name: 'Install common dependencies'
+description: 'Install common dependencies for the project'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Vault
+      id: artifactory-secrets
+      uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # v3.1.0
+      with:
+        secrets: |
+          development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+    - name: Configure npm
+      shell: bash
+      env:
+        ARTIFACTORY_URL: https://repox.jfrog.io
+        ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory-secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+      run: |
+        npm config set registry "$ARTIFACTORY_URL/api/npm/npm"
+        npm config set "${ARTIFACTORY_URL//https:}/api/npm/:_authToken=$ARTIFACTORY_ACCESS_TOKEN"
+    - uses: jdx/mise-action@be3be2260bc02bc3fbf94c5e2fed8b7964baf074 # v3.4.0
+      env:
+        MISE_PYTHON_DEFAULT_PACKAGES_FILE: ${{ github.workspace }}/ci/mise-default-python-packages
+      with:
+        version: 2025.11.3
+    - name: Setup asciidoctor
+      shell: bash
+      run: |
+        sudo gem install asciidoctor -v 2.0.26
+        asciidoctor --version

.cirrus.yml

@@ -0,0 +1,186 @@
+name: Build
+on:
+  push:
+    branches:
+      - master
+      - branch-*
+      - dogfood-*
+  pull_request:
+  merge_group:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  tooling_tests:
+    runs-on: github-ubuntu-latest-s
+    name: Tooling Tests
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+      - name: Install common dependencies
+        uses: ./.github/actions/install-common-dependencies
+      - name: Vault
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # v3.1.0
+        with:
+          secrets: |
+            development/kv/data/next url | SONAR_HOST_URL;
+            development/kv/data/next token | SONAR_TOKEN;
+      - name: Run tests
+        working-directory: rspec-tools
+        run: |
+          pipenv install --dev
+          pipenv run pytest --cov=rspec_tools --cov-report=xml
+          pipenv run black --check rspec_tools tests
+          pipenv run usort check rspec_tools tests
+      - name: SonarQube Scan
+        uses: sonarsource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
+        with:
+          projectBaseDir: rspec-tools
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_HOST_URL }}
+
+  frontend_tests:
+    runs-on: github-ubuntu-latest-s
+    name: Frontend Tests
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+      - name: Install common dependencies
+        uses: ./.github/actions/install-common-dependencies
+      - name: Setup Node.js cache
+        uses: SonarSource/gh-action_cache@v1
+        with:
+          path: frontend/node_modules
+          key: node-${{ runner.os }}-${{ hashFiles('frontend/package-lock.json') }}
+          restore-keys: |
+            node-${{ runner.os }}-
+      - name: Install dependencies
+        working-directory: frontend
+        run: npm install
+      - name: Vault
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # v3.1.0
+        with:
+          secrets: |
+            development/kv/data/next url | SONAR_HOST_URL;
+            development/kv/data/next token | SONAR_TOKEN;
+      - name: Run tests
+        working-directory: frontend
+        run: |
+          npm run build
+          npm test -- --reporter=verbose --coverage
+      - name: SonarQube Scan
+        uses: sonarsource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
+        with:
+          projectBaseDir: frontend
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_HOST_URL }}
+
+  validate_ci_tests:
+    runs-on: github-ubuntu-latest-s
+    name: Validate CI Tests
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+      - uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            ci_tests:
+              - 'ci_tests/**'
+            ci:
+              - 'ci/**'
+      - name: Install common dependencies
+        if: steps.changes.outputs.ci_tests == 'true' || steps.changes.outputs.ci == 'true'
+        uses: ./.github/actions/install-common-dependencies
+      - name: Run CI tests
+        if: steps.changes.outputs.ci_tests == 'true' || steps.changes.outputs.ci == 'true'
+        run: ./ci_tests/asciidoc_validation/run_tests.sh
+
+  validate_rules:
+    runs-on: github-ubuntu-latest-s
+    name: Validate Rules
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+      - name: Install common dependencies
+        uses: ./.github/actions/install-common-dependencies
+      - name: Validate metadata
+        env:
+          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+        run: ./ci/validate_metadata.sh
+      - name: Validate file extensions
+        run: ./ci/validate_file_extensions.sh
+      - name: Validate AsciiDoc
+        env:
+          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+        run: ./ci/validate_asciidoc.sh
+
+  validate_links:
+    if: github.event_name != 'merge_group'
+    runs-on: github-ubuntu-latest-s
+    name: Validate Links
+    timeout-minutes: 120
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          fetch-depth: 0
+      - name: Install common dependencies
+        uses: ./.github/actions/install-common-dependencies
+      - name: Restore link cache
+        id: cache-link-restore
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: link-probing.cache
+          key: link-probing-cache-${{ github.sha }}
+          restore-keys: |
+            link-probing-cache-${{ github.sha }}
+            link-probing-cache-
+      - name: Validate links
+        run: |
+          ./ci/validate_links.sh link-probing.cache
+      - name: Save link cache
+        if: always() && !cancelled()
+        id: cache-link-save
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: link-probing.cache
+          key: link-probing-cache-${{ github.sha }}
+
+  all_required_checks:
+    needs:
+      - tooling_tests
+      - frontend_tests
+      - validate_rules
+      - validate_ci_tests
+    runs-on: github-ubuntu-latest-s
+    name: all_required_checks
+    steps:
+      - name: All required checks passed
+        run: echo 'All required checks have passed'

.github/actions/install-common-dependencies/action.yml

@@ -15,11 +15,26 @@ jobs:
       contents: write # Get the contents of open new-rule PRs, the 'master' with updated-coverage from 'dogfood-automerge'; write to 'gh-pages' branch
     steps:
       - name: Checkout 🛎️
-        uses: actions/checkout@v4 # If you're using actions/checkout you must set persist-credentials to false in most cases for the deployment to work correctly.
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           persist-credentials: false
           ref: 'dogfood-automerge'
 
+      - name: Vault
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # v3.1.0
+        with:
+          secrets: |
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+
+      - name: Configure npm
+        env:
+          ARTIFACTORY_URL: https://repox.jfrog.io
+          ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+        run: |
+          npm config set registry "$ARTIFACTORY_URL/api/npm/npm"
+          npm config set "${ARTIFACTORY_URL//https:}/api/npm/:_authToken=$ARTIFACTORY_ACCESS_TOKEN"
+
       - name: Install and Build 🔧 # This example project is built using npm and outputs the result to the 'build' folder. Replace with the commands required to build your project, or remove this step entirely if your site is pre-built.
         working-directory: frontend
         run: |