Commit cf24075

BUILD-10586 Fix inconsistencies between actions inputs, outputs and behaviors
- Add `deploy` input to build-npm, build-yarn, build-poetry (consistent with build-maven/build-gradle)
- Enable deployment on long-lived feature branches (feature/long/*) for npm/yarn/poetry
- Add `disable-caching` input to build-npm, build-yarn, config-npm; deprecate `cache-npm`/`cache-yarn`
- Add `should_scan()` to build-gradle to filter SonarQube analysis by branch type
- Add CONFIG_NPM_COMPLETED idempotency guard to config-npm (consistent with config-gradle/config-maven)
- Condition Artifactory deploy token vault secret on deploy being enabled
- Align shadow scan warning to GitHub Actions ::warning stderr format across all actions
- Align run-shadow-scans description and sh header documentation across all build actions
- Fix artifactory-deploy-repo description in build-npm (private-qa was incorrectly named public-qa)
- Update README: deployment strategy table, input tables, remove resolved known bugs and TODOs
- Code style: consolidate parameter validation, fix readonly declarations, align sh header labels

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent c15f373 commit cf24075

22 files changed

Lines changed: 341 additions & 208 deletions

README.md

Lines changed: 14 additions & 37 deletions
@@ -411,16 +411,6 @@ jobs:
411411
steps:
412412
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
413413
- uses: SonarSource/ci-github-actions/build-poetry@v1
414-
with:
415-
public: false # Defaults to `true` if the repository is public
416-
artifactory-reader-role: private-reader # or public-reader if `public` is `true`
417-
artifactory-deployer-role: qa-deployer # or public-deployer if `public` is `true`
418-
deploy-pull-request: false # Deploy pull request artifacts
419-
poetry-virtualenvs-path: .cache/pypoetry/virtualenvs # Poetry virtual environment path
420-
poetry-cache-dir: .cache/pypoetry # Poetry cache directory
421-
repox-url: https://repox.jfrog.io # Repox URL
422-
sonar-platform: next # SonarQube platform (next, sqc-eu, or sqc-us)
423-
run-shadow-scans: false # Run SonarQube scans on all 3 platforms (next, sqc-eu, sqc-us)
424414
```
425415

426416
**Disable caching entirely:**
@@ -439,7 +429,8 @@ jobs:
439429
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
440430
| `artifactory-deployer-role` | Suffix for the Artifactory deployer role in Vault | `qa-deployer` for private repos, `public-deployer` for public repos |
441431
| `artifactory-deploy-repo` | Deployment repository | `sonarsource-pypi-private-qa` for private repositories, `sonarsource-pypi-public-qa` for public repos |
442-
| `deploy-pull-request` | Whether to deploy pull request artifacts | `false` |
432+
| `deploy` | Whether to deploy on master, maintenance, dogfood and long-lived branches | `true` |
433+
| `deploy-pull-request` | Whether to also deploy pull request artifacts. If `deploy` is `false`, this has no effect | `false` |
443434
| `poetry-virtualenvs-path` | Path to the Poetry virtual environments, relative to GitHub workspace | `.cache/pypoetry/virtualenvs` |
444435
| `poetry-cache-dir` | Path to the Poetry cache directory, relative to GitHub workspace | `.cache/pypoetry` |
445436
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
@@ -656,11 +647,6 @@ jobs:
656647
steps:
657648
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
658649
- uses: SonarSource/ci-github-actions/build-gradle@v1
659-
with:
660-
# Enable shadow scans for unified platform dogfooding (optional)
661-
run-shadow-scans: 'true'
662-
# Primary platform when shadow scans disabled (optional)
663-
sonar-platform: 'next'
664650
```
665651

666652
### Input Environment Variables
@@ -867,7 +853,8 @@ See also [`get-build-number`](#get-build-number) input environment variables.
867853
|---------------------------|-----------------------------------------------------------------------------|----------------------------------------------------------------------|
868854
| `working-directory` | Relative path under github.workspace to execute the build in | `.` |
869855
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
870-
| `cache-npm` | Whether to cache NPM dependencies | `true` |
856+
| `disable-caching` | Whether to disable NPM caching entirely | `false` |
857+
| `cache-npm` | Deprecated. Use `disable-caching: 'true'` instead | `true` |
871858
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
872859
| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
873860

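Review bot: The new `disable-caching` row and the deprecated `cache-npm` row in this table do not say which input wins when both are set, for example an existing workflow that passes `cache-npm: 'false'` while `disable-caching` keeps its default of `false`. If the deprecated input is no longer honored, callers who had turned caching off would silently get it back, so the `cache-npm` description should state the precedence and whether a deprecation warning is emitted when it is used.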
@@ -939,11 +926,6 @@ jobs:
939926
steps:
940927
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
941928
- uses: SonarSource/ci-github-actions/build-npm@v1
942-
with:
943-
# Enable shadow scans for unified platform dogfooding (optional)
944-
run-shadow-scans: 'true'
945-
# Primary platform when shadow scans disabled (optional)
946-
sonar-platform: 'next'
947929
```
948930

949931
### Input Environment Variables
@@ -962,9 +944,11 @@ See also [`config-npm`](#config-npm) input environment variables.
962944
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
963945
| `artifactory-deployer-role` | Suffix for the Artifactory deployer role in Vault | `qa-deployer` for private repos, `public-deployer` for public repos |
964946
| `artifactory-deploy-repo` | Deployment repository | `sonarsource-npm-private-qa` for private repos, `sonarsource-npm-public-qa` for public repos |
965-
| `deploy-pull-request` | Whether to deploy pull request artifacts | `false` |
947+
| `deploy` | Whether to deploy on master, maintenance, dogfood and long-lived branches | `true` |
948+
| `deploy-pull-request` | Whether to also deploy pull request artifacts. If `deploy` is `false`, this has no effect | `false` |
966949
| `skip-tests` | Whether to skip running tests | `false` |
967-
| `cache-npm` | Whether to cache NPM dependencies | `true` |
950+
| `disable-caching` | Whether to disable NPM caching entirely | `false` |
951+
| `cache-npm` | Deprecated. Use `disable-caching: 'true'` instead | `true` |
968952
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
969953
| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
970954
| `sonar-platform` | SonarQube primary platform - 'next', 'sqc-eu', or 'sqc-us' | `next` |
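Review bot: The `sonar-platform` row left as trailing context in this build-npm table lists only 'next', 'sqc-eu' and 'sqc-us', while the build-yarn table later in the same README documents "'sqc-us', or 'none'. Use 'none' to skip sonar scans". Since this commit is about aligning inputs across actions, either add `none` to the build-npm row if the action accepts it, or say explicitly that build-npm cannot skip scans this way.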
@@ -1040,11 +1024,6 @@ jobs:
10401024
steps:
10411025
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
10421026
- uses: SonarSource/ci-github-actions/build-yarn@v1
1043-
with:
1044-
# Enable shadow scans for unified platform dogfooding (optional)
1045-
run-shadow-scans: 'true'
1046-
# Primary platform when shadow scans disabled (optional)
1047-
sonar-platform: 'next'
10481027
```
10491028

10501029
### Input Environment Variables
@@ -1062,9 +1041,11 @@ jobs:
10621041
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
10631042
| `artifactory-deployer-role` | Suffix for the Artifactory deployer role in Vault | `qa-deployer` for private repos, `public-deployer` for public repos |
10641043
| `artifactory-deploy-repo` | Deployment repository | `sonarsource-private-qa` for private repositories, `sonarsource-public-qa` for public repos |
1065-
| `deploy-pull-request` | Whether to deploy pull request artifacts | `false` |
1044+
| `deploy` | Whether to deploy on master, maintenance, dogfood and long-lived branches | `true` |
1045+
| `deploy-pull-request` | Whether to also deploy pull request artifacts. If `deploy` is `false`, this has no effect | `false` |
10661046
| `skip-tests` | Whether to skip running tests | `false` |
1067-
| `cache-yarn` | Whether to cache Yarn dependencies | `true` |
1047+
| `disable-caching` | Whether to disable Yarn caching entirely | `false` |
1048+
| `cache-yarn` | Deprecated. Use `disable-caching: 'true'` instead | `true` |
10681049
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
10691050
| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
10701051
| `sonar-platform` | SonarQube primary platform - 'next', 'sqc-eu', 'sqc-us', or 'none'. Use 'none' to skip sonar scans | `next` |
@@ -1372,16 +1353,12 @@ concrete deploy and scan behavior is implemented in each build script:
13721353
| Maintenance (`branch-*`) | yes | yes |
13731354
| Pull request | optional | yes |
13741355
| Dogfood (`dogfood-on-*`) | yes | no |
1375-
| Long-lived feature (`feature/long/*`) | yes ¹ | yes |
1356+
| Long-lived feature (`feature/long/*`) | yes | yes |
13761357
| Other branches | no | no |
13771358

13781359
- Pull request deployment requires `deploy-pull-request: 'true'`.
13791360
- SonarQube analysis also requires `sonar-platform` to be set (not `none`).
1380-
- ¹ `build-maven` and `build-gradle` only; `build-npm`, `build-yarn`, and `build-poetry` do not deploy on long-lived feature branches.
1381-
- `build-maven` and `build-gradle` support a `deploy: 'false'` input to override deployment regardless of branch. `build-npm`,
1382-
`build-yarn`, and `build-poetry` do not have this input (TODO: add for consistency).
1383-
- **`build-gradle` known bug**: SonarQube analysis is not filtered by branch type. When `sonar-platform ≠ none`, analysis runs on all
1384-
branches, including dogfood and other branches (unlike all other build actions).
1361+
- All build actions support a `deploy: 'false'` input to override deployment regardless of branch.
13851362
13861363
---
13871364

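Review bot: Changing the `Long-lived feature (feature/long/*)` row from `yes ¹` to `yes` is a default-on behavior change for `build-npm`, `build-yarn` and `build-poetry` that the bullets under the table do not mention. With `deploy` defaulting to `true` in the input tables, workflows that reference these actions at `@v1` and run on `feature/long/*` branches will start publishing to Artifactory without any change on their side. Suggest adding a bullet that names the change and points to `deploy: 'false'` as the opt-out, rather than only the generic "All build actions support a `deploy: 'false'` input" line.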
build-gradle/action.yml

Lines changed: 9 additions & 9 deletions
@@ -16,7 +16,7 @@ inputs:
1616
description: Whether to deploy on master, maintenance, dogfood and long-lived branches.
1717
default: 'true'
1818
deploy-pull-request:
19-
description: Whether to also deploy pull request artifacts. If deploy is 'false', this has no effect.
19+
description: Whether to also deploy pull request artifacts. If deploy is `false`, this has no effect.
2020
default: 'false'
2121
skip-tests:
2222
description: Whether to skip running tests
@@ -25,8 +25,8 @@ inputs:
2525
description: SonarQube primary platform (next, sqc-eu, sqc-us, or none). Use 'none' to skip sonar scans.
2626
default: next
2727
run-shadow-scans:
28-
description: If true, run SonarQube analysis on all three platforms (next, sqc-eu, sqc-us).
29-
If false, run analysis on the platform specified with sonar-platform.
28+
description: If `true`, run sonar scanner on all 3 platforms. If `false`, run on the platform provided by `sonar-platform`.
29+
When enabled, the `sonar-platform` setting is ignored.
3030
default: 'false'
3131
provenance:
3232
description: Whether to generate provenance attestation for built artifacts
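Review bot: The new `run-shadow-scans` text "When enabled, the `sonar-platform` setting is ignored" contradicts the `sonar-platform` description two lines above it in the context, which still promises "Use 'none' to skip sonar scans". A caller who sets `sonar-platform: none` to keep a job from scanning will get scans on all three platforms if `run-shadow-scans` is `true`. Suggest adding that exception to the `sonar-platform` description as well, so the override is visible from either input.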
@@ -126,12 +126,12 @@ runs:
126126
with:
127127
# yamllint disable rule:line-length
128128
secrets: |
129-
${{ inputs.sonar-platform != 'none' && 'development/kv/data/next url | NEXT_URL;' || '' }}
130-
${{ inputs.sonar-platform != 'none' && 'development/kv/data/next token | NEXT_TOKEN;' || '' }}
131-
${{ inputs.sonar-platform != 'none' && 'development/kv/data/sonarqube-us url | SQC_US_URL;' || '' }}
132-
${{ inputs.sonar-platform != 'none' && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }}
133-
${{ inputs.sonar-platform != 'none' && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }}
134-
${{ inputs.sonar-platform != 'none' && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }}
129+
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/next url | NEXT_URL;' || '' }}
130+
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/next token | NEXT_TOKEN;' || '' }}
131+
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarqube-us url | SQC_US_URL;' || '' }}
132+
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }}
133+
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }}
134+
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }}
135135
${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} username | ARTIFACTORY_DEPLOY_USERNAME;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }}
136136
${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }}
137137
development/kv/data/sign key | SIGN_KEY;
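Review bot: All six added `secrets:` lines share the same guard, `(inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true')`, so a job with `sonar-platform: next` and shadow scans off still pulls the `sonarqube-us` and `sonarcloud` tokens into its environment. For least privilege, gate each URL/token pair on its own platform, for example `(inputs.sonar-platform == 'next' || inputs.run-shadow-scans == 'true')` for `NEXT_URL` and `NEXT_TOKEN`, and likewise for `sqc-us` and `sqc-eu`. Note also that these are exact string comparisons: a value such as `True` for `run-shadow-scans` would not match here, and the deployer-token lines in the trailing context use `inputs.deploy != 'false'`, which fetches deploy credentials for any value other than the literal `false`. Normalizing or validating both inputs before this step would make the guards fail closed.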
