From bf15f8824ff5211fc5ab2b54083da4551166fc63 Mon Sep 17 00:00:00 2001 From: Julien Carsique Date: Tue, 3 Mar 2026 14:07:11 +0100 Subject: [PATCH 1/2] BUILD-8677 Add job name to summaries and fix consistency - Add `$GITHUB_JOB` to the ## heading in all build and promote summaries so jobs sharing the same action are distinguishable - Add missing `generate-summary` input to build-gradle, build-npm, build-poetry, build-yarn (was already present in build-maven). Generalize #222 - Fix bug: build-npm/poetry/yarn summary checked non-existent output `should-deploy`; corrected to `deployed`. Fix #136 - Fix build-yarn: missing blank lines before outputs: and summary step Update README for workflow summary changes - Document `generate-summary` input in build-maven, build-gradle, build-npm, build-poetry, and build-yarn Inputs tables - Add "GitHub workflow job summary" entry to Features sections for build-maven, build-gradle, build-npm, build-yarn, and promote Co-Authored-By: Claude Sonnet 4.6 --- README.md | 10 ++++++++++ build-gradle/action.yml | 7 +++++-- build-maven/action.yml | 2 +- build-npm/action.yml | 9 ++++++--- build-poetry/action.yml | 9 ++++++--- build-yarn/action.yml | 11 ++++++++--- promote/promote.sh | 7 +++++-- spec/promote_spec.sh | 1 + 8 files changed, 42 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 6ef6ec2f..a046a35d 100644 --- a/README.md +++ b/README.md @@ -332,6 +332,7 @@ See also [`config-maven`](#config-maven) input environment variables. | `provenance` | Whether to generate provenance attestation for built artifacts | `false` | | `provenance-artifact-paths` | Relative paths of artifacts for provenance attestation (glob pattern). See [Provenance Attestation](#provenance-attestation) | (optional) | | `mixed-privacy` | Whether the repository contains both public and private code | `false` | +| `generate-summary` | Whether to generate a workflow summary after the build | `true` | #### `cache-cleanup` 
@@ -387,6 +388,7 @@ See also [`config-maven`](#config-maven) output environment variables. - **feature** (`feature/long/*`): Verify + SonarQube analysis only - **default**: Basic verify goal only - Mixed privacy repository support for combined public and private artifacts +- GitHub workflow job summary with build information and deployment status ## `build-poetry` @@ -474,6 +476,7 @@ jobs: | `disable-caching` | Whether to disable Poetry caching entirely | `false` | | `provenance` | Whether to generate provenance attestation for built artifacts | `false` | | `provenance-artifact-paths` | Relative paths of artifacts for provenance attestation (glob pattern). See [Provenance Attestation](#provenance-attestation) | (optional) | +| `generate-summary` | Whether to generate a workflow summary after the build | `true` | ### Outputs @@ -711,6 +714,7 @@ See also [`config-gradle`](#config-gradle) input environment variables. | `disable-caching` | Whether to disable Gradle caching entirely | `false` | | `provenance` | Whether to generate provenance attestation for built artifacts | `false` | | `provenance-artifact-paths` | Relative paths of artifacts for provenance attestation (glob pattern). See [Provenance Attestation](#provenance-attestation) | (optional) | +| `generate-summary` | Whether to generate a workflow summary after the build | `true` | > [!TIP] > When using `working-directory`, Java must be available at root due to a limitation @@ -750,6 +754,7 @@ See also [`config-gradle`](#config-gradle) input environment variables. - Develocity integration for build scans - Gradle caching with customization options - Comprehensive build logging and error handling +- GitHub workflow job summary with build information and deployment status ### Caching Configuration 
@@ -999,6 +1004,7 @@ See also [`config-npm`](#config-npm) input environment variables. | `build-name` | Name of the JFrog build to publish. | `` | | `provenance` | Whether to generate provenance attestation for built artifacts | `false` | | `provenance-artifact-paths` | Relative paths of artifacts for provenance attestation (glob pattern). See [Provenance Attestation](#provenance-attestation) | (optional) | +| `generate-summary` | Whether to generate a workflow summary after the build | `true` | ### Outputs @@ -1029,6 +1035,7 @@ See also [`config-npm`](#config-npm) output environment variables. - JFrog build info publishing with UI links - Support for different branch types (default, maintenance, PR, dogfood, long-lived feature) - Comprehensive build logging and error handling +- GitHub workflow job summary with build information and deployment status ## `build-yarn` @@ -1108,6 +1115,7 @@ jobs: | `run-shadow-scans` | Enable analysis across all 3 SonarQube platforms (unified platform dogfooding) | `false` | | `provenance` | Whether to generate provenance attestation for built artifacts | `false` | | `provenance-artifact-paths` | Relative paths of artifacts for provenance attestation (glob pattern). See [Provenance Attestation](#provenance-attestation) | (optional) | +| `generate-summary` | Whether to generate a workflow summary after the build | `true` | ### Outputs @@ -1129,6 +1137,7 @@ jobs: - JFrog build info publishing with UI links - Support for different branch types (default, maintenance, PR, dogfood, long-lived feature) - Comprehensive build logging and error handling +- GitHub workflow job summary with build information and deployment status ## `config-pip` 
@@ -1318,6 +1327,7 @@ This action does not provide any outputs. - Support for both single and multi-repository promotions - Automatic target repository determination based on branch type - Pull request artifact promotion support +- GitHub workflow job summary with promotion information and deployment link --- diff --git a/build-gradle/action.yml b/build-gradle/action.yml index 29ec3f5e..4e389896 100644 --- a/build-gradle/action.yml +++ b/build-gradle/action.yml @@ -64,6 +64,9 @@ inputs: disable-caching: description: Whether to disable Gradle caching entirely default: 'false' + generate-summary: + description: Whether to generate a workflow summary after the build. + default: 'true' outputs: project-version: @@ -192,11 +195,11 @@ runs: show-summary: true - name: Generate workflow summary - if: always() + if: always() && inputs.generate-summary != 'false' shell: bash run: | build_name="${GITHUB_REPOSITORY#*/}" - echo "## ๐Ÿ—๏ธ Gradle Build Summary" >> $GITHUB_STEP_SUMMARY + echo "## ๐Ÿ—๏ธ Gradle Build Summary (\`${GITHUB_JOB}\`)" >> $GITHUB_STEP_SUMMARY if [[ "${{ steps.build.conclusion }}" == "success" ]]; then echo "โœ… **Build SUCCESS**" >> $GITHUB_STEP_SUMMARY else diff --git a/build-maven/action.yml b/build-maven/action.yml index 7d29f255..0c626d60 100644 --- a/build-maven/action.yml +++ b/build-maven/action.yml @@ -237,7 +237,7 @@ runs: shell: bash run: | build_name="${GITHUB_REPOSITORY#*/}" - echo "## ๐Ÿ—๏ธ Maven Build Summary" >> $GITHUB_STEP_SUMMARY + echo "## ๐Ÿ—๏ธ Maven Build Summary (\`${GITHUB_JOB}\`)" >> $GITHUB_STEP_SUMMARY if [[ "${{ steps.build.conclusion }}" == "success" ]]; then echo "โœ… **Build SUCCESS**" >> $GITHUB_STEP_SUMMARY else diff --git a/build-npm/action.yml b/build-npm/action.yml index 019b1ec5..376bcb1d 100644 --- a/build-npm/action.yml +++ b/build-npm/action.yml 
@@ -50,6 +50,9 @@ inputs: Relative paths of the artifacts for which to generate a provenance attestation (glob pattern). Default is collected from '.attestation-artifacts/' directory default: '' + generate-summary: + description: Whether to generate a workflow summary after the build. + default: 'true' outputs: BUILD_NUMBER: @@ -177,14 +180,14 @@ runs: show-summary: true - name: Generate workflow summary - if: always() + if: always() && inputs.generate-summary != 'false' shell: bash env: ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || format('{0}/artifactory', inputs.repox-url) }} run: | build_name="${GITHUB_REPOSITORY#*/}" - echo "## ๐Ÿ“ฆ NPM Build Summary" >> $GITHUB_STEP_SUMMARY + echo "## ๐Ÿ“ฆ NPM Build Summary (\`${GITHUB_JOB}\`)" >> $GITHUB_STEP_SUMMARY if [[ "${{ steps.build.conclusion }}" == "success" ]]; then echo "โœ… **Build SUCCESS**" >> $GITHUB_STEP_SUMMARY else @@ -197,7 +200,7 @@ runs: echo "- **Branch**: \`${GITHUB_REF}\`" >> $GITHUB_STEP_SUMMARY echo "- **Commit**: \`$GITHUB_SHA\`" >> $GITHUB_STEP_SUMMARY - if [[ "${{ steps.build.outputs.should-deploy }}" == true ]]; then + if [[ "${{ steps.build.outputs.deployed }}" == true ]]; then echo "### ๐Ÿš€ Deployment" >> $GITHUB_STEP_SUMMARY ARTIFACTORY_BROWSE_URL="${ARTIFACTORY_URL%/*}/ui/builds/$build_name/$BUILD_NUMBER" echo "๐Ÿ”— **[Browse artifacts in Artifactory](${ARTIFACTORY_BROWSE_URL})**" >> $GITHUB_STEP_SUMMARY diff --git a/build-poetry/action.yml b/build-poetry/action.yml index f2a5096c..eacc2c26 100644 --- a/build-poetry/action.yml +++ b/build-poetry/action.yml @@ -54,6 +54,9 @@ inputs: disable-caching: description: Whether to disable Poetry caching entirely default: 'false' + generate-summary: + description: Whether to generate a workflow summary after the build. + default: 'true' outputs: project-version: 
@@ -174,14 +177,14 @@ runs: show-summary: true - name: Generate workflow summary - if: always() + if: always() && inputs.generate-summary != 'false' shell: bash env: ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || format('{0}/artifactory', inputs.repox-url) }} run: | build_name="${GITHUB_REPOSITORY#*/}" - echo "## ๐Ÿ“ฆ Poetry Build Summary" >> $GITHUB_STEP_SUMMARY + echo "## ๐Ÿ“ฆ Poetry Build Summary (\`${GITHUB_JOB}\`)" >> $GITHUB_STEP_SUMMARY if [[ "${{ steps.build.conclusion }}" == "success" ]]; then echo "โœ… **Build SUCCESS**" >> $GITHUB_STEP_SUMMARY else @@ -194,7 +197,7 @@ runs: echo "- **Branch**: \`${GITHUB_REF}\`" >> $GITHUB_STEP_SUMMARY echo "- **Commit**: \`$GITHUB_SHA\`" >> $GITHUB_STEP_SUMMARY - if [[ "${{ steps.build.outputs.should-deploy }}" == true ]]; then + if [[ "${{ steps.build.outputs.deployed }}" == true ]]; then echo "### ๐Ÿš€ Deployment" >> $GITHUB_STEP_SUMMARY ARTIFACTORY_BROWSE_URL="${ARTIFACTORY_URL%/*}/ui/builds/$build_name/$BUILD_NUMBER" echo "๐Ÿ”— **[Browse artifacts in Artifactory](${ARTIFACTORY_BROWSE_URL})**" >> $GITHUB_STEP_SUMMARY diff --git a/build-yarn/action.yml b/build-yarn/action.yml index dd5c9993..44debebe 100644 --- a/build-yarn/action.yml +++ b/build-yarn/action.yml @@ -50,6 +50,10 @@ inputs: Relative paths of the artifacts for which to generate a provenance attestation (glob pattern). Default is collected from '.attestation-artifacts/' directory default: '' + generate-summary: + description: Whether to generate a workflow summary after the build. + default: 'true' + outputs: project-version: description: The project version from package.json 
@@ -173,15 +177,16 @@ runs: subject-path: >- ${{ inputs.provenance-artifact-paths != '' && inputs.provenance-artifact-paths || steps.build.outputs.artifact-paths }} show-summary: true + - name: Generate workflow summary - if: always() + if: always() && inputs.generate-summary != 'false' shell: bash env: ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || format('{0}/artifactory', inputs.repox-url) }} run: | build_name="${GITHUB_REPOSITORY#*/}" - echo "## ๐Ÿ“ฆ Yarn Build Summary" >> $GITHUB_STEP_SUMMARY + echo "## ๐Ÿ“ฆ Yarn Build Summary (\`${GITHUB_JOB}\`)" >> $GITHUB_STEP_SUMMARY if [[ "${{ steps.build.conclusion }}" == "success" ]]; then echo "โœ… **Build SUCCESS**" >> $GITHUB_STEP_SUMMARY else @@ -194,7 +199,7 @@ runs: echo "- **Branch**: \`${GITHUB_REF}\`" >> $GITHUB_STEP_SUMMARY echo "- **Commit**: \`$GITHUB_SHA\`" >> $GITHUB_STEP_SUMMARY - if [[ "${{ steps.build.outputs.should-deploy }}" == true ]]; then + if [[ "${{ steps.build.outputs.deployed }}" == true ]]; then echo "### ๐Ÿš€ Deployment" >> $GITHUB_STEP_SUMMARY ARTIFACTORY_BROWSE_URL="${ARTIFACTORY_URL%/*}/ui/builds/$build_name/$BUILD_NUMBER" echo "๐Ÿ”— **[Browse artifacts in Artifactory](${ARTIFACTORY_BROWSE_URL})**" >> $GITHUB_STEP_SUMMARY diff --git a/promote/promote.sh b/promote/promote.sh index 43171ee6..d00d31a4 100755 --- a/promote/promote.sh +++ b/promote/promote.sh 
@@ -5,12 +5,15 @@ # - ARTIFACTORY_PROMOTE_ACCESS_TOKEN: Access token to promote builds # - BUILD_NUMBER: Build number (e.g. 42) # - BUILD_NAME: Name of the JFrog Artifactory build (e.g. sonar-dummy) +# - GITHUB_TOKEN: GitHub token with repo access to update commit status # # GitHub Actions auto-provided: # - GITHUB_REF_NAME: Short ref name of the branch or tag (e.g. main, branch-123, dogfood-on-123) # - GITHUB_REPOSITORY: Repository name (e.g. sonarsource/sonar-dummy) # - GITHUB_EVENT_NAME: Event name (e.g. push, pull_request) # - GITHUB_EVENT_PATH: Path to the event webhook payload file. For example, /github/workflow/event.json. +# - GITHUB_SHA: Git commit SHA that triggered the workflow +# - GITHUB_JOB: The job_id of the current job, used for generating workflow summary # # Optional user customization: # - ARTIFACTORY_URL: Repox URL. @@ -34,7 +37,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/../shared/common-functions.sh" : "${ARTIFACTORY_URL:="https://repox.jfrog.io/artifactory"}" : "${ARTIFACTORY_PROMOTE_ACCESS_TOKEN:?}" : "${GITHUB_REF_NAME:?}" "${BUILD_NUMBER:?}" "${GITHUB_REPOSITORY:?}" "${GITHUB_EVENT_NAME:?}" "${GITHUB_EVENT_PATH:?}" "${GITHUB_TOKEN:?}" -: "${GITHUB_SHA:?}" +: "${GITHUB_SHA:?}" "${GITHUB_JOB:?}" GH_API_VERSION_HEADER="X-GitHub-Api-Version: 2022-11-28" BUILD_INFO_FILE=$(mktemp) rm -f "$BUILD_INFO_FILE" 
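Review bot: The five README.md hunks in this patch that append a `GitHub workflow job summary ...` bullet to the `### Features` sections (build-maven, build-gradle, build-npm, build-yarn, promote) are deleted again by PATCH 2/2 of this same series, which removes every `### Features` section; keeping only the `generate-summary` rows in the Inputs tables here would avoid add-then-delete churn in the history. Even within this patch the documentation is uneven: build-poetry gets the `generate-summary` Inputs row but no Features bullet, while the other four actions get both.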
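Review bot: The new condition on the build-gradle `Generate workflow summary` step, `if: always() && inputs.generate-summary != 'false'` (the same line is added to build-npm, build-poetry and build-yarn, and build-maven already has it), still runs the step when the job has been cancelled or the build step was skipped, and the only status test the script makes is `[[ "${{ steps.build.conclusion }}" == "success" ]]`, so a `cancelled` or `skipped` conclusion takes the same `else` path as a real build failure and the summary misreports it. `!cancelled()` instead of `always()` is the usual idiom, and a separate branch for `skipped` would keep the summary honest. Minor: `!= 'false'` treats any other string (`no`, `0`, `False`) as enabled; since the default is `'true'`, comparing `== 'true'` is the stricter and equally simple check.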
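Review bot: The heading change in build-maven/action.yml, `Maven Build Summary (\`${GITHUB_JOB}\`)` (mirrored in the other four actions and in promote.sh), does not achieve the commit's stated goal for the most common case of one action running several times in a workflow: `GITHUB_JOB` is the job's YAML key, not its display name, so every leg of a `strategy.matrix` job prints the identical heading. Matrix legs would need the `matrix` context in the heading (for example passed in through an `env:` entry set to `${{ toJSON(matrix) }}`), or the actions could accept an optional label input for the summary title (a `summary-label` input is a hypothetical name, not something in this diff).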
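Review bot: The `should-deploy` to `deployed` correction in build-npm/action.yml (and the identical lines in build-poetry and build-yarn) fixes a reference to an output the `build` step never set, which means the `Deployment` section with the Artifactory browse link had never rendered for those three actions, yet nothing in the patch prevents the same class of bug from coming back: the diffstat touches `spec/promote_spec.sh` only, and the summary scripts in action.yml have no test. A spec case or a pre-commit check that every `steps.<id>.outputs.<name>` referenced in an action.yml is actually emitted by that step's script would have caught `should-deploy`. The comparison itself, `[[ "${{ steps.build.outputs.deployed }}" == true ]]`, behaves correctly when the build step failed before emitting the output (empty string, treated as not deployed), and the interpolated value comes from the action's own build.sh rather than from caller input, so there is no injection concern with the `${{ }}` in a `run:` block here.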
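Review bot: In the promote.sh header hunk, `GITHUB_TOKEN: GitHub token with repo access to update commit status` documents a broader privilege than the script needs. Creating a commit status requires only `statuses: write` in the calling workflow's `permissions:` block (or the `repo:status` scope on a classic PAT), so state that minimum here; callers copy these header comments into their workflows, and "repo access" invites handing the action a token with far more than it uses.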
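Review bot: `: "${GITHUB_SHA:?}" "${GITHUB_JOB:?}"` in promote.sh turns `GITHUB_JOB` into a hard requirement although, per the new header comment, it is only used to build the workflow summary heading. It is auto-provided on a GitHub runner but absent in local runs and in the spec harness (hence the one-line change to `spec/promote_spec.sh` in the diffstat); a default such as `: "${GITHUB_JOB:=unknown}"` keeps the script runnable outside the runner without weakening any check that matters for promotion, unlike the `:?` guards on the token and build identifiers, which should stay strict.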
@@ -186,7 +189,7 @@ generate_workflow_summary() { cat >> "$GITHUB_STEP_SUMMARY" < Date: Tue, 3 Mar 2026 14:43:07 +0100 Subject: [PATCH 2/2] BUILD-8677 Simplify README by removing redundant Features sections Remove all ### Features sections that were either redundant with the action description or contained generic boilerplate. Rescue the branch-strategy information from build-maven as a proper Deployment Strategy table, and rescue the build-gradle gradlew fallback note into the action description. Move Deployment Strategy to standalone section and fix inaccuracies Move the deployment strategy table out of build-maven into a shared standalone section (grouped with Provenance Attestation) since it applies to all build actions. Fix inaccuracies verified against implementation: - feature/long/* branches DO deploy (was incorrectly marked as no) - "master" renamed to "Default branch" (configured via DEFAULT_BRANCH) - Remove Maven-specific "Notes" column that did not apply to other actions - Add build-gradle exception: sonar analysis not branch-filtered in Gradle Note build-gradle sonar branch filtering as a known bug Add a TODO comment in build-gradle/build.sh and update the README to flag that sonar analysis is not filtered by branch type in build-gradle, unlike all other build actions. Should add a should_scan() guard to skip sonar on dogfood/other branches consistently. 
Fix deploy input verification: document inconsistencies and add TODOs - Fix README Deployment Strategy table: long-lived feature branches only deploy for build-maven and build-gradle, not for build-npm/build-yarn/build-poetry - Add note that deploy:'false' override is only supported by build-maven and build-gradle - Add TODO comments to build-npm, build-yarn, build-poetry noting the missing DEPLOY env var support and long-lived feature branch deploy discrepancy Co-Authored-By: Claude Sonnet 4.6 --- README.md | 173 +++++++++++++++++------------------------- build-gradle/build.sh | 4 + build-npm/build.sh | 3 + build-poetry/build.sh | 3 + build-yarn/build.sh | 3 + 5 files changed, 84 insertions(+), 102 deletions(-) diff --git a/README.md b/README.md index a046a35d..f5964a88 100644 --- a/README.md +++ b/README.md @@ -43,15 +43,6 @@ These badges show the status of workflows in dummy repositories that use (or sho [![Pre-commit checks](https://github.com/SonarSource/sonar-dummy-yarn/actions/workflows/pre-commit.yml/badge.svg?branch=master)](https://github.com/SonarSource/sonar-dummy-yarn/actions/workflows/pre-commit.yml) [![Unified Dogfooding scans](https://github.com/SonarSource/sonar-dummy-yarn/actions/workflows/unified-dogfooding.yml/badge.svg?branch=master)](https://github.com/SonarSource/sonar-dummy-yarn/actions/workflows/unified-dogfooding.yml) -## Using AI for Cirrus CI to GitHub Actions Migration - -It is recommended to use AI tools like Cursor or Claude code to assist with Cirrus CI to GitHub actions migration. -This repository contains a comprehensive guide to be passed as a context to AI. The guide is shared with Sonar developers using Cursor, -accessible using `@Doc` tag. - -See the [documentation](https://xtranet-sonarsource.atlassian.net/wiki/spaces/Platform/pages/4232970266/Migration+From+Cirrus+CI+-+GitHub) -for details on how to use it. - --- ## Actions provided in this repository 
@@ -70,6 +61,8 @@ for details on how to use it. - [`pr_cleanup`](#pr_cleanup) - [`code-signing`](#code-signing) +--- + ## `get-build-number` Manage the build number in GitHub Actions. @@ -125,12 +118,7 @@ No inputs are required for this action. |----------------------|--------------------------| | `BUILD_NUMBER` | The current build number | -### Features - -- Automatic build number management with GitHub repository properties -- Build number uniqueness per workflow run ID -- No increment on workflow reruns -- Sets both environment variable and output variable +--- ## `config-maven` @@ -250,6 +238,8 @@ steps: See also [`get-build-number`](#get-build-number) output environment variables. +--- + ## `build-maven` Build and deploy a Maven project with SonarQube analysis and Artifactory deployment. @@ -372,23 +362,7 @@ for the public values, and by setting the environment variables for the private See also [`config-maven`](#config-maven) output environment variables. -### Features - -- Build context detection with automatic deployment strategies -- SonarQube analysis for code quality -- Artifact signing with GPG keys -- Conditional deployment based on branch patterns -- Develocity integration for build optimization (optional) -- Maven local repository caching with customization options -- Support for different branch types: - - **master**: Deploy + SonarQube analysis with full profiles - - **maintenance** (`branch-*`): Deploy with full profiles + separate SonarQube analysis - - **pr**: Conditional deployment with SonarQube analysis - - **dogfood** (`dogfood-on-*`): Deploy only with dogfood profiles - - **feature** (`feature/long/*`): Verify + SonarQube analysis only - - **default**: Basic verify goal only -- Mixed privacy repository support for combined public and private artifacts -- GitHub workflow job summary with build information and deployment status +--- ## `build-poetry` 
@@ -486,6 +460,8 @@ jobs: | `project-version` | The project version from pyproject.toml with build number. Also set as environment variable `PROJECT_VERSION` | | `deployed` | `true` if the build succeed and was supposed to deploy | +--- + ## `config-gradle` Configure Gradle build environment with build number, authentication, and default settings. @@ -610,11 +586,14 @@ If provided, `SONARSOURCE_REPOSITORY` is used at runtime by the Gradle init scri See also [`get-build-number`](#get-build-number) output environment variables. +--- + ## `build-gradle` Build and publish a Gradle project with SonarQube analysis and Artifactory deployment. > **Note:** This action automatically calls [`config-gradle`](#config-gradle) to set up the Gradle environment. +> **Note:** Uses the Gradle wrapper (`./gradlew`) by default, falling back to the `gradle` binary if not found. ### Requirements 
@@ -741,21 +720,6 @@ See also [`config-gradle`](#config-gradle) input environment variables. | `BUILD_NUMBER` | The current build number. Also set as environment variable `BUILD_NUMBER` | | `deployed` | `true` if the build succeed and was supposed to deploy | -### Features - -- Uses the gradle wrapper (`./gradlew`) by default and falls back to the `gradle` binary in case it is not found -- Automated version management with build numbers -- SonarQube analysis for code quality with multi-platform support -- Unified platform dogfooding - analyze across all 3 SonarQube platforms (next, sqc-eu, sqc-us) -- Automatic deployment prevention during shadow scans to avoid duplicate artifacts -- Conditional deployment based on branch patterns -- Automatic artifact signing with credentials from Vault -- Pull request support with optional deployment -- Develocity integration for build scans -- Gradle caching with customization options -- Comprehensive build logging and error handling -- GitHub workflow job summary with build information and deployment status - ### Caching Configuration By default, Gradle caches `~/.gradle/caches` and `~/.gradle/wrapper`. You can customize this behavior: @@ -849,6 +813,8 @@ artifactory { } ``` +--- + ## `config-npm` Configure NPM and JFrog build environment with build number, authentication, and settings. @@ -922,6 +888,8 @@ See also [`get-build-number`](#get-build-number) input environment variables. See also [`get-build-number`](#get-build-number) output environment variables. +--- + ## `build-npm` Build, test, analyze with SonarQube, and deploy an NPM project to JFrog Artifactory. 
@@ -1023,19 +991,7 @@ See also [`config-npm`](#config-npm) input environment variables. See also [`config-npm`](#config-npm) output environment variables. -### Features - -- Automated version management with build numbers and SNAPSHOT handling -- SonarQube analysis for code quality with multi-platform support -- Unified platform dogfooding - analyze across all 3 SonarQube platforms (next, sqc-eu, sqc-us) -- Automatic deployment prevention during shadow scans to avoid duplicate artifacts -- Conditional deployment based on branch patterns -- NPM dependency caching for faster builds (configurable) -- Pull request support with optional deployment -- JFrog build info publishing with UI links -- Support for different branch types (default, maintenance, PR, dogfood, long-lived feature) -- Comprehensive build logging and error handling -- GitHub workflow job summary with build information and deployment status +--- ## `build-yarn` @@ -1125,19 +1081,7 @@ jobs: | `project-version` | The project version from package.json | | `deployed` | `true` if the build succeed and was supposed to deploy | -### Features - -- Automated version management with build numbers and SNAPSHOT handling -- SonarQube analysis for code quality with multi-platform support -- Unified platform dogfooding - analyze across all 3 SonarQube platforms (next, sqc-eu, sqc-us) -- Automatic deployment prevention during shadow scans to avoid duplicate artifacts -- Conditional deployment based on branch patterns -- Yarn dependency caching for faster builds (configurable) -- Pull request support with optional deployment -- JFrog build info publishing with UI links -- Support for different branch types (default, maintenance, PR, dogfood, long-lived feature) -- Comprehensive build logging and error handling -- GitHub workflow job summary with build information and deployment status +--- ## `config-pip` 
@@ -1218,14 +1162,6 @@ steps: See also [`get-build-number`](#get-build-number) output environment variables. -### Features - -- Build number management via [`get-build-number`](#get-build-number) -- Automatic Artifactory authentication via Vault -- Auto-detection of reader role based on repository visibility -- Pip dependency caching with customization options -- Global pip configuration for all subsequent `pip install` commands - ### Migration from configure-pipx-repox If you're currently using `SonarSource/sonarqube-cloud-github-actions/configure-pipx-repox@master`, you can replace it with: @@ -1240,6 +1176,8 @@ If you're currently using `SonarSource/sonarqube-cloud-github-actions/configure- Both actions produce the same configuration and are functionally equivalent. +--- + ## `promote` This action promotes a build in JFrog Artifactory and updates the GitHub status check accordingly. @@ -1320,15 +1258,6 @@ promote: This action does not provide any outputs. -### Features - -- Automatic promotion of build artifacts in JFrog Artifactory -- GitHub status check updates with promotion status -- Support for both single and multi-repository promotions -- Automatic target repository determination based on branch type -- Pull request artifact promotion support -- GitHub workflow job summary with promotion information and deployment link - --- ## `pr_cleanup` @@ -1367,13 +1296,7 @@ No inputs are required for this action. No outputs are provided by this action. -### Features - -- Remove GitHub Actions caches associated with the PR -- Clean up artifacts created during PR workflows -- Provide detailed output of the deleted resources -- Show before/after state of caches and artifacts -- Automatic triggering on PR closure +--- ## `code-signing` 
@@ -1435,12 +1358,32 @@ After running this action, the following environment variables are available: - `SM_CODE_SIGNING_CERT_SHA1_HASH`: Certificate fingerprint for signing - `SMTOOLS_PATH`: Path where SMTools are installed, certificate and `.cfg` file is stored. -### Features +--- + +## Deployment Strategy + +All build actions (`build-maven`, `build-gradle`, `build-npm`, `build-yarn`, `build-poetry`) share the same branch-based deployment and +SonarQube analysis strategy. Shared helper predicates and orchestration utilities are provided by `shared/common-functions.sh`, while the +concrete deploy and scan behavior is implemented in each build script: + +| Branch | Deploy | SonarQube | +|---------------------------------------|----------|-----------| +| Default branch (`master`, `main`) | yes | yes | +| Maintenance (`branch-*`) | yes | yes | +| Pull request | optional | yes | +| Dogfood (`dogfood-on-*`) | yes | no | +| Long-lived feature (`feature/long/*`) | yes ยน | yes | +| Other branches | no | no | + +- Pull request deployment requires `deploy-pull-request: 'true'`. +- SonarQube analysis also requires `sonar-platform` to be set (not `none`). +- ยน `build-maven` and `build-gradle` only; `build-npm`, `build-yarn`, and `build-poetry` do not deploy on long-lived feature branches. +- `build-maven` and `build-gradle` support a `deploy: 'false'` input to override deployment regardless of branch. `build-npm`, + `build-yarn`, and `build-poetry` do not have this input (TODO: add for consistency). +- **`build-gradle` known bug**: SonarQube analysis is not filtered by branch type. When `sonar-platform โ‰  none`, analysis runs on all + branches, including dogfood and other branches (unlike all other build actions). 
-- **Official DigiCert Integration**: Uses the official DigiCert `ssm-code-signing` action for reliable smctl installation -- **Unified Caching Strategy**: Single cache key for both smctl and jsign tools to optimize cache efficiency -- **Smart Cache Management**: Caches smctl installation directory and jsign .deb package for faster subsequent runs -- **Automatic Setup**: Handles all DigiCert authentication and environment configuration +--- ## Provenance Attestation 
@@ -1588,3 +1531,29 @@ improvements, fixes, documentation, and **breaking changes**). Communicate major updates, changes and migrations that require action from users following as indicated in the [Updates, Changes and Migrations for Squads - Platform](https://xtranet-sonarsource.atlassian.net/wiki/spaces/Platform/pages/4385374219/Updates+Changes+and+Migrations+for+Squads+-+Platform#Usage-of-Communication-Channels) xtranet page. + +--- + +## Using AI for Cirrus CI to GitHub Actions Migration + +It is recommended to use AI tools like Cursor or Claude code to assist with Cirrus CI to GitHub actions migration. + +This repository contains a comprehensive guide to be passed as a context to +AI: [.cursor/cirrus-github-migration.md](.cursor/cirrus-github-migration.md). Here are some example prompts: + +```md +Refer @https://github.com/SonarSource/ci-github-actions/blob/master/.cursor/cirrus-github-migration.md +Migrate @.cirrus.yml to GitHub Actions +``` + +Or, in the [re-terraform-aws-vault](https://github.com/SonarSource/re-terraform-aws-vault) repository, you can use it to check for missing +vault secrets before migration: + +```md +Refer @https://github.com/SonarSource/ci-github-actions/blob/master/.cursor/cirrus-github-migration.md +Give me a report of the missing vault secrets for the repository `sonar-dummy` +``` + +See +the ["Migration From Cirrus CI - GitHub" xtranet documentation](https://xtranet-sonarsource.atlassian.net/wiki/spaces/Platform/pages/4232970266/Migration+From+Cirrus+CI+-+GitHub) +for more details. diff --git a/build-gradle/build.sh b/build-gradle/build.sh index 80fe9e20..1a67ec0a 100755 --- a/build-gradle/build.sh +++ b/build-gradle/build.sh 
@@ -223,6 +223,10 @@ gradle_build() { echo "::endgroup::" else # Build with sonar analysis via orchestrator + # TODO BUILD-10586: sonar analysis is not filtered by branch type here โ€” it runs on all branches + # (including dogfood and other branches) when sonar-platform != none. This differs from + # build-maven/build-npm/build-yarn/build-poetry which skip sonar on dogfood/other branches. + # Should add a should_scan() guard consistent with the other build scripts. # shellcheck disable=SC2119 orchestrate_sonar_platforms fi diff --git a/build-npm/build.sh b/build-npm/build.sh index e97c3f70..e767a0d6 100755 --- a/build-npm/build.sh +++ b/build-npm/build.sh @@ -123,6 +123,9 @@ jfrog_npm_publish() { } # Determine build configuration based on branch type +# TODO BUILD-10586: this function does not support a DEPLOY env var to override deployment (unlike build-maven and build-gradle). +# Should add a DEPLOY=${DEPLOY:=true} check consistent with those build scripts. +# Note: unlike build-maven and build-gradle, long-lived feature branches (feature/long/*) do not deploy here. get_build_config() { local enable_sonar enable_deploy local sonar_args=() diff --git a/build-poetry/build.sh b/build-poetry/build.sh index 332045d8..0b9a8611 100755 --- a/build-poetry/build.sh +++ b/build-poetry/build.sh @@ -193,6 +193,9 @@ set_project_version() { } # Determine build configuration based on branch type +# TODO BUILD-10586: this function does not support a DEPLOY env var to override deployment (unlike build-maven and build-gradle). +# Should add a DEPLOY=${DEPLOY:=true} check consistent with those build scripts. +# Note: unlike build-maven and build-gradle, long-lived feature branches (feature/long/*) do not deploy here. get_build_config() { local enable_sonar enable_deploy local sonar_args=() diff --git a/build-yarn/build.sh b/build-yarn/build.sh index 6a35a0a3..e0f34882 100755 --- a/build-yarn/build.sh +++ b/build-yarn/build.sh 
@@ -193,6 +193,9 @@ jfrog_yarn_publish() { } # Determine build configuration based on branch type +# TODO BUILD-10586: this function does not support a DEPLOY env var to override deployment (unlike build-maven and build-gradle). +# Should add a DEPLOY=${DEPLOY:=true} check consistent with those build scripts. +# Note: unlike build-maven and build-gradle, long-lived feature branches (feature/long/*) do not deploy here. get_build_config() { local enable_sonar enable_deploy local sonar_args=()
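Review bot: The `### Features` deletions across README.md drop several statements of security-relevant behaviour that do not reappear anywhere in the visible diff: `Artifact signing with GPG keys` (build-maven), `Automatic artifact signing with credentials from Vault` and `Automatic deployment prevention during shadow scans to avoid duplicate artifacts` (build-gradle, build-npm, build-yarn), and `Auto-detection of reader role based on repository visibility` (config-pip). The commit message argues the bullets were redundant with the action descriptions, but none of the descriptions or input tables in this diff mention signing, the shadow-scan deploy guard, or the visibility-based role choice (the `run-shadow-scans` input description only says it enables analysis on all three platforms). Confirm each is documented elsewhere before deleting it; where it is not, move the sentence next to the relevant input instead.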
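Review bot: In the build-gradle README hunk, the added `> **Note:** Uses the Gradle wrapper ...` line directly follows the existing `> **Note:** This action automatically calls ...` with no blank line between them, so Markdown renders the two as a single blockquote paragraph; separate them with an empty line. More importantly, the behaviour being documented, falling back to whatever `gradle` binary is on the runner's PATH when `./gradlew` is absent, silently discards the Gradle version that the wrapper pins (and the `distributionSha256Sum` check when a project sets it in `gradle-wrapper.properties`); for an action that deploys and signs artifacts that is a supply-chain caveat, so the note should say the fallback toolchain is unpinned, and a warning in the log or an opt-in to fail instead of falling back (a `require-wrapper`-style input, hypothetical name) is worth a follow-up.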
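Review bot: The new `## Deployment Strategy` section opens with `All build actions ... share the same branch-based deployment and SonarQube analysis strategy`, which its own bullets then contradict three times (long-lived feature branches deploy only for build-maven and build-gradle, `deploy: 'false'` exists only for those two, build-gradle does not branch-filter Sonar); phrase it as a common baseline with per-action exceptions, or add one column per action so the table is the source of truth. Two further points: the bullet describes the override as an input, `deploy: 'false'`, while the build.sh TODOs in this same patch describe an env var, `DEPLOY=${DEPLOY:=true}`, so say which one a caller sets (or that the input is mapped onto the env var inside the action) so the README and the scripts agree; and the table does not spell out that a pull request with `deploy-pull-request: 'true'` and any `dogfood-on-*` branch push artifacts to Artifactory from code that has not been merged to the default branch, which is the reason the separate `promote` step exists and deserves one sentence here.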
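Review bot: The TODO added in `gradle_build()` of build-gradle/build.sh records that Sonar analysis runs on every branch when `sonar-platform != none`, but a comment alone will not keep the divergence from being forgotten; the README in this same patch already labels it a known bug, so pair the comment with a pending spec case that asserts the intended `should_scan()` behaviour, or ship the guard itself, which is a single condition around `orchestrate_sonar_platforms` in the `else` branch shown here. The comment should also state the practical effect, which is what a reader of the code needs: dogfood and short-lived branches of Gradle projects are submitted to SonarQube as analyses, something the other four build actions deliberately avoid.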
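Review bot: The three-line TODO pasted verbatim above `get_build_config()` in build-npm, build-poetry and build-yarn is fine as a marker, but its suggested fix, `DEPLOY=${DEPLOY:=true}`, deserves a second look before anyone applies it. Reading a bare environment variable means any earlier step in the caller's job, or a repository or organisation variable, can change whether the action deploys without that showing up in the action's declared inputs; the README bullet in this patch says build-maven and build-gradle expose the override as a `deploy` input, so the consistent and more visible shape is an input that the action maps onto the env var itself. Whatever the mechanism, it must only ever disable deployment: `DEPLOY=true` on a branch the Deployment Strategy table lists as non-deploying should not enable it.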