BUILD-10586 Fix inconsistencies between actions inputs, outputs and behaviors#231

Draft

julien-carsique-sonarsource wants to merge 1 commit into master from fix/jcarsique/BUILD-10586-inconsistencies

Conversation

julien-carsique-sonarsource (Contributor) commented Mar 11, 2026

Summary

Fixes BUILD-10586 — inconsistencies between ci-github-actions inputs, outputs, deploy and scan behaviors.

  • Add deploy input to build-npm, build-yarn, build-poetry (was already present in build-gradle/build-maven)
  • Enable deployment on long-lived feature branches for npm/yarn/poetry (aligns with maven/gradle behavior)
  • Add disable-caching input to build-npm/build-yarn; deprecate cache-npm/cache-yarn (aligns with poetry/gradle/maven naming)
  • Filter Sonar analysis by branch type in build-gradle via new should_scan() function (was previously running on all branches when sonar-platform != none)
  • Align shadow scan warning to GitHub Actions ::warning stderr format across all actions
  • Condition deploy vault secret on deploy being enabled (inputs.deploy != 'false' && inputs.run-shadow-scans != 'true')

Test plan

  • All 271 shellspec tests pass with 0 failures and 0 warnings
  • Pre-commit hooks pass (yamllint, shellcheck, trailing whitespace)
  • Manual integration test on a branch with long-lived feature branch pattern

…ehaviors

- Add `deploy` input to build-npm, build-yarn, build-poetry actions
- Enable deployment on long-lived feature branches (npm/yarn/poetry)
- Align shadow scan warning to GitHub Actions `::warning` format
- Add `disable-caching` input to build-npm/build-yarn (deprecate `cache-npm`/`cache-yarn`)
- Add `should_scan()` to build-gradle to filter Sonar analysis by branch type
- Condition Artifactory deploy token vault secret on deploy being enabled
- Update specs: add DEPLOY tests, fix stderr/stdout assertions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
hashicorp-vault-sonar-prod bot commented Mar 11, 2026

BUILD-10586

@sonarqubecloud

SonarQube reviewer guide

Summary: Standardize deployment and Sonar scanning behavior across build scripts (Gradle, NPM, Yarn, Poetry) by adding explicit DEPLOY control, conditional credential fetching, and consistent branch-type handling for long-lived feature branches.

Review Focus:

  • Conditional vault secret retrieval now skips fetching deployment credentials when DEPLOY=false or shadow scans are enabled — verify this pattern is correctly applied across all four build systems
  • Long-lived feature branches (feature/long/*) now deploy by default instead of skipping deployment — ensure this aligns with business requirements
  • New should_scan() function in Gradle properly filters Sonar execution by branch type — confirm it matches the NPM/Yarn/Poetry implementation
  • Shadow scan warning messages changed from stdout to stderr with structured format — verify GitHub Actions recognizes these correctly

Start review at: build-gradle/build.sh. This file introduces the new should_scan() function that serves as the reference implementation for the conditional Sonar analysis pattern being applied across all build systems. Understanding this logic is critical before reviewing how it's replicated (or should be replicated) in the other three build scripts.

Quality Gate failed

Failed conditions
1 New issue

See analysis details on SonarQube Cloud
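The branch-type gating that the PR description and the SonarQube reviewer guide both describe (should_scan() filtering Sonar analysis, deployment enabled on long-lived feature branches, the Artifactory deploy token fetched only when `inputs.deploy != 'false' && inputs.run-shadow-scans != 'true'`, the `::warning` stderr format, and the disable-caching input with the deprecated cache-npm fallback), written out as one added example in POSIX shell. This is not code from the ci-github-actions repository or from this PR. The environment variable names (SONAR_PLATFORM, DEPLOY, RUN_SHADOW_SCANS, DISABLE_CACHING, CACHE_NPM, LONG_LIVED_FEATURE_BRANCH_PATTERN), the function names, and the branch classification (master/main, pull requests, and the `feature/long/*` pattern the reviewer guide quotes, everything else "other") are assumptions made for the illustration; the branch names in the demo loop are constructed.

```shell
#!/bin/sh
# Added example, not ci-github-actions code. Input names, function names and
# the branch classification below are assumptions made for the illustration.

# Assumed default pattern for long-lived feature branches (the reviewer guide
# cites feature/long/*); overridable the way an action input would be.
LONG_LIVED_FEATURE_BRANCH_PATTERN="${LONG_LIVED_FEATURE_BRANCH_PATTERN:-feature/long/*}"

# branch_type REF [EVENT]: classify the branch the job runs on.
# Assumed classes: main, pull_request, long_lived_feature, other.
branch_type() {
  _ref=$1
  _event=${2:-push}
  if [ "$_event" = pull_request ]; then
    echo pull_request
    return
  fi
  case "$_ref" in
    master|main) echo main ;;
    $LONG_LIVED_FEATURE_BRANCH_PATTERN) echo long_lived_feature ;;
    *) echo other ;;
  esac
}

# should_scan REF [EVENT]: run Sonar analysis only when a platform is
# configured and the branch type is one that gets analysed, not on every push.
should_scan() {
  [ "${SONAR_PLATFORM:-none}" != none ] || return 1
  case "$(branch_type "$1" "${2:-push}")" in
    main|pull_request|long_lived_feature) return 0 ;;
    *) return 1 ;;
  esac
}

# needs_deploy_secret: the vault condition from the PR,
# inputs.deploy != 'false' && inputs.run-shadow-scans != 'true',
# so the Artifactory deploy token is only fetched when a deploy can happen.
needs_deploy_secret() {
  [ "${DEPLOY:-true}" != false ] && [ "${RUN_SHADOW_SCANS:-false}" != true ]
}

# GitHub Actions workflow command on stderr: the runner parses "::warning::"
# and annotates the job instead of leaving the message buried in stdout.
warn_shadow_scan() {
  echo "::warning::Shadow scans enabled, skipping deployment" >&2
}

# should_deploy REF [EVENT]: deploy from main and long-lived feature branches,
# never from pull requests, and never when the deploy secret was not fetched.
should_deploy() {
  if ! needs_deploy_secret; then
    [ "${RUN_SHADOW_SCANS:-false}" = true ] && warn_shadow_scan
    return 1
  fi
  case "$(branch_type "$1" "${2:-push}")" in
    main|long_lived_feature) return 0 ;;
    *) return 1 ;;
  esac
}

# caching_disabled: prefer the new disable-caching input and fall back to the
# deprecated cache-npm value (inverted meaning) with a deprecation warning.
caching_disabled() {
  if [ -n "${DISABLE_CACHING:-}" ]; then
    [ "$DISABLE_CACHING" = true ]
    return
  fi
  if [ -n "${CACHE_NPM:-}" ]; then
    echo "::warning::Input cache-npm is deprecated, use disable-caching" >&2
    [ "$CACHE_NPM" = false ]
    return
  fi
  return 1
}

# Constructed demo: decisions for a few branch names with a platform set.
SONAR_PLATFORM=${SONAR_PLATFORM:-next}
for ref in master feature/long/new-engine feature/short; do
  printf '%-25s scan=%s deploy=%s\n' "$ref" \
    "$(should_scan "$ref" && echo yes || echo no)" \
    "$(should_deploy "$ref" && echo yes || echo no)"
done
```

Keeping the deploy decision and the secret-fetch condition in one predicate is the point of the PR's vault change: a job that cannot deploy should never hold a deploy token, and a shadow-scan run should say so through a `::warning` annotation rather than a stdout line the runner ignores. Under shellspec, the same predicates would be exercised per branch type the way the test plan describes.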
