26 changes: 14 additions & 12 deletions README.md
Expand Up @@ -439,7 +439,8 @@ jobs:
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
| `artifactory-deployer-role` | Suffix for the Artifactory deployer role in Vault | `qa-deployer` for private repos, `public-deployer` for public repos |
| `artifactory-deploy-repo` | Deployment repository | `sonarsource-pypi-private-qa` for private repositories, `sonarsource-pypi-public-qa` for public repos |
| `deploy-pull-request` | Whether to deploy pull request artifacts | `false` |
| `deploy` | Whether to deploy on master, maintenance, dogfood and long-lived branches | `true` |
| `deploy-pull-request` | Whether to also deploy pull request artifacts. If `deploy` is `false`, this has no effect | `false` |
| `poetry-virtualenvs-path` | Path to the Poetry virtual environments, relative to GitHub workspace | `.cache/pypoetry/virtualenvs` |
| `poetry-cache-dir` | Path to the Poetry cache directory, relative to GitHub workspace | `.cache/pypoetry` |
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
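Review bot: the new `deploy` row describes the default as deploying on `master`, while the build scripts in this PR gate on the repository's default branch (`DEFAULT_BRANCH` is required in both `build-gradle/build.sh` and `build-maven/build.sh`, and `should_scan()` uses `is_default_branch`), so a repository whose default branch is `main` would read this row as not applying to it. Suggest `Whether to deploy on the default branch, maintenance, dogfood and long-lived branches`, and the same wording in the npm and yarn tables below.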
Expand Down Expand Up @@ -867,7 +868,8 @@ See also [`get-build-number`](#get-build-number) input environment variables.
|---------------------------|-----------------------------------------------------------------------------|----------------------------------------------------------------------|
| `working-directory` | Relative path under github.workspace to execute the build in | `.` |
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
| `cache-npm` | Whether to cache NPM dependencies | `true` |
| `disable-caching` | Whether to disable NPM caching entirely | `false` |
| `cache-npm` | Deprecated. Use `disable-caching: 'true'` instead | `true` |
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |

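Review bot: the deprecated `cache-npm` row keeps its `true` default and the new `disable-caching` row defaults to `false`, but neither description says what happens when an existing workflow still sets `cache-npm: 'false'` without `disable-caching`: is it honoured, ignored, or does `disable-caching` win? State the precedence in the `cache-npm` row, for example `Deprecated and ignored; use disable-caching: 'true' instead` if that is the behaviour, so callers know whether their current setting still takes effect.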
Expand Down Expand Up @@ -962,9 +964,11 @@ See also [`config-npm`](#config-npm) input environment variables.
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
| `artifactory-deployer-role` | Suffix for the Artifactory deployer role in Vault | `qa-deployer` for private repos, `public-deployer` for public repos |
| `artifactory-deploy-repo` | Deployment repository | `sonarsource-npm-private-qa` for private repos, `sonarsource-npm-public-qa` for public repos |
| `deploy-pull-request` | Whether to deploy pull request artifacts | `false` |
| `deploy` | Whether to deploy on master, maintenance, dogfood and long-lived branches | `true` |
| `deploy-pull-request` | Whether to also deploy pull request artifacts. If `deploy` is `false`, this has no effect | `false` |
| `skip-tests` | Whether to skip running tests | `false` |
| `cache-npm` | Whether to cache NPM dependencies | `true` |
| `disable-caching` | Whether to disable NPM caching entirely | `false` |
| `cache-npm` | Deprecated. Use `disable-caching: 'true'` instead | `true` |
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
| `sonar-platform` | SonarQube primary platform - 'next', 'sqc-eu', or 'sqc-us' | `next` |
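Review bot: the `sonar-platform` row of this table still lists only `'next', 'sqc-eu', or 'sqc-us'`, whereas the `build-yarn` table in the next hunk lists `'none'` with `Use 'none' to skip sonar scans`, and the README behaviour notes say analysis requires `sonar-platform` to be set (not `none`). If `build-npm` accepts `none` as the other actions do, add it here while the `deploy` rows are being touched; if it does not, the behaviour table should say that the skip-scan option is not available for npm.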
Expand Down Expand Up @@ -1062,9 +1066,11 @@ jobs:
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
| `artifactory-deployer-role` | Suffix for the Artifactory deployer role in Vault | `qa-deployer` for private repos, `public-deployer` for public repos |
| `artifactory-deploy-repo` | Deployment repository | `sonarsource-private-qa` for private repositories, `sonarsource-public-qa` for public repos |
| `deploy-pull-request` | Whether to deploy pull request artifacts | `false` |
| `deploy` | Whether to deploy on master, maintenance, dogfood and long-lived branches | `true` |
| `deploy-pull-request` | Whether to also deploy pull request artifacts. If `deploy` is `false`, this has no effect | `false` |
| `skip-tests` | Whether to skip running tests | `false` |
| `cache-yarn` | Whether to cache Yarn dependencies | `true` |
| `disable-caching` | Whether to disable Yarn caching entirely | `false` |
| `cache-yarn` | Deprecated. Use `disable-caching: 'true'` instead | `true` |
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
| `sonar-platform` | SonarQube primary platform - 'next', 'sqc-eu', 'sqc-us', or 'none'. Use 'none' to skip sonar scans | `next` |
Expand Down Expand Up @@ -1372,16 +1378,12 @@ concrete deploy and scan behavior is implemented in each build script:
| Maintenance (`branch-*`) | yes | yes |
| Pull request | optional | yes |
| Dogfood (`dogfood-on-*`) | yes | no |
| Long-lived feature (`feature/long/*`) | yes ¹ | yes |
| Long-lived feature (`feature/long/*`) | yes | yes |
| Other branches | no | no |

- Pull request deployment requires `deploy-pull-request: 'true'`.
- SonarQube analysis also requires `sonar-platform` to be set (not `none`).
- ¹ `build-maven` and `build-gradle` only; `build-npm`, `build-yarn`, and `build-poetry` do not deploy on long-lived feature branches.
- `build-maven` and `build-gradle` support a `deploy: 'false'` input to override deployment regardless of branch. `build-npm`,
`build-yarn`, and `build-poetry` do not have this input (TODO: add for consistency).
- **`build-gradle` known bug**: SonarQube analysis is not filtered by branch type. When `sonar-platform ≠ none`, analysis runs on all
branches, including dogfood and other branches (unlike all other build actions).
- All build actions support a `deploy: 'false'` input to override deployment regardless of branch.

---

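Review bot: dropping the `¹` marker on the long-lived feature row and replacing the `build-maven`/`build-gradle`-only bullet with `All build actions support a deploy: 'false' input` states that `build-npm`, `build-yarn` and `build-poetry` now deploy on `feature/long/*` branches and honour `deploy`. The visible diff only changes the `build-gradle` and `build-maven` scripts, so please confirm the npm, yarn and poetry build scripts were updated to match the tables and this note (otherwise the README is documenting behaviour that does not exist yet).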
4 changes: 2 additions & 2 deletions build-gradle/action.yml
Expand Up @@ -25,8 +25,8 @@ inputs:
description: SonarQube primary platform (next, sqc-eu, sqc-us, or none). Use 'none' to skip sonar scans.
default: next
run-shadow-scans:
description: If true, run SonarQube analysis on all three platforms (next, sqc-eu, sqc-us).
If false, run analysis on the platform specified with sonar-platform.
description: If true, run sonar scanner on all 3 platforms using the provided URL and token.
If false, run on the platform provided by sonar-platform. When enabled, the sonar-platform setting is ignored.
default: 'false'
Comment on lines 27 to 30

Copilot AI Mar 12, 2026

The description says that when run-shadow-scans is enabled, the sonar-platform setting is ignored. However, the Vault secrets block only fetches NEXT_/SQC_ values when sonar-platform != 'none', so setting sonar-platform: 'none' with run-shadow-scans: 'true' would provide empty credentials and likely fail later. Consider either tightening the description/validation (disallow this combination) or updating the secrets/validation logic so shadow scans still fetch and validate the required sonar credentials.
provenance:
description: Whether to generate provenance attestation for built artifacts
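Review bot: the new `run-shadow-scans` description says `using the provided URL and token` (singular), but `build-gradle/build.sh` requires a URL and token per platform (`NEXT_URL`/`NEXT_TOKEN`, `SQC_US_URL`/`SQC_US_TOKEN`, `SQC_EU_URL`/`SQC_EU_TOKEN`), and the wording being removed usefully named the three platforms; suggest `If true, run SonarQube analysis on all three platforms (next, sqc-eu, sqc-us) using each platform's URL and token.` The added sentence `When enabled, the sonar-platform setting is ignored` also needs to be reconciled with the `"${SONAR_PLATFORM:?}" != "none"` guard on credential validation in build.sh, as the comment above points out, before it ships in user-facing docs.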
38 changes: 18 additions & 20 deletions build-gradle/build.sh
Expand Up @@ -12,6 +12,7 @@
# - SQC_EU_URL: URL of SonarQube server for sqc-eu platform
# - SQC_EU_TOKEN: Access token to send analysis reports to SonarQube for sqc-eu platform
# - RUN_SHADOW_SCANS: If true, run sonar scanner on all 3 platforms. If false, run on the platform provided by SONAR_PLATFORM.
# When enabled, SONAR_PLATFORM is ignored.
# - CURRENT_VERSION: Current project version as in gradle.properties
# - ARTIFACTORY_ACCESS_TOKEN: Access token to read Repox repositories
# - ARTIFACTORY_DEPLOY_REPO: Name of deployment repository
Expand Down Expand Up @@ -48,25 +49,18 @@ set -euo pipefail
# shellcheck source=../shared/common-functions.sh
source "$(dirname "${BASH_SOURCE[0]}")/../shared/common-functions.sh"

: "${ARTIFACTORY_ACCESS_TOKEN:?}"
: "${ARTIFACTORY_DEPLOY_REPO:?}"
: "${DEPLOY:=true}"
: "${ARTIFACTORY_ACCESS_TOKEN:?}" "${ARTIFACTORY_DEPLOY_REPO:?}" "${DEPLOY:=true}" "${DEPLOY_PULL_REQUEST:=false}" "${RUN_SHADOW_SCANS:?}"
: "${GITHUB_REF_NAME:?}" "${BUILD_NUMBER:?}" "${GITHUB_RUN_ID:?}" "${GITHUB_REPOSITORY:?}" "${GITHUB_EVENT_NAME:?}" "${GITHUB_SHA:?}"
: "${GITHUB_OUTPUT:?}"
: "${PULL_REQUEST?}" "${DEFAULT_BRANCH:?}"
: "${RUN_SHADOW_SCANS:?}"
: "${GITHUB_OUTPUT:?}" "${PULL_REQUEST?}" "${DEFAULT_BRANCH:?}" "${CURRENT_VERSION:?}"
if [[ "$DEPLOY" != "false" && "$RUN_SHADOW_SCANS" != "true" ]]; then
: "${ARTIFACTORY_DEPLOY_USERNAME:?}" "${ARTIFACTORY_DEPLOY_ACCESS_TOKEN:?}"
fi
: "${CURRENT_VERSION:?}"
if [[ "${SONAR_PLATFORM:?}" != "none" ]]; then
: "${NEXT_URL:?}" "${NEXT_TOKEN:?}" "${SQC_US_URL:?}" "${SQC_US_TOKEN:?}" "${SQC_EU_URL:?}" "${SQC_EU_TOKEN:?}"
fi
: "${ORG_GRADLE_PROJECT_signingKey:?}" "${ORG_GRADLE_PROJECT_signingPassword:?}" "${ORG_GRADLE_PROJECT_signingKeyId:?}"
: "${DEPLOY_PULL_REQUEST:=false}"
export DEPLOY_PULL_REQUEST
: "${SKIP_TESTS:=false}"
: "${GRADLE_ARGS:=}"
: "${SKIP_TESTS:=false}" "${GRADLE_ARGS:=}"
export DEPLOY DEPLOY_PULL_REQUEST SKIP_TESTS GRADLE_ARGS

git_fetch_unshallow() {
if [ "$SONAR_PLATFORM" = "none" ]; then
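Review bot: `DEPLOY` is now defaulted and exported here (`export DEPLOY DEPLOY_PULL_REQUEST SKIP_TESTS GRADLE_ARGS`) but is only ever tested as `"$DEPLOY" != "false"`, so any other spelling such as `False`, `no` or `0` silently enables deployment and the deployer-credential check; the same applies to `"$RUN_SHADOW_SCANS" != "true"` on the next line. Since these flags now flow to child processes through the export, validate them to exactly `true`/`false` right after the consolidated `:` line, e.g. `[[ "$DEPLOY" == "true" || "$DEPLOY" == "false" ]] || { echo "DEPLOY must be 'true' or 'false'" >&2; exit 1; }`, and do the same for `DEPLOY_PULL_REQUEST`, `SKIP_TESTS` and `RUN_SHADOW_SCANS`.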
Expand Down Expand Up @@ -112,6 +106,14 @@ should_deploy() {
fi
}

should_scan() {
if [[ "$SONAR_PLATFORM" = "none" ]]; then
return 1
fi
is_default_branch || is_maintenance_branch || is_pull_request || is_long_lived_feature_branch
return $?
}
Comment on lines +109 to +115

Copilot AI Mar 12, 2026

should_scan() unconditionally returns failure when SONAR_PLATFORM='none'. That means a workflow with run-shadow-scans='true' and sonar-platform='none' will skip Sonar analysis entirely, even though the action input description says sonar-platform is ignored when shadow scans are enabled. Consider having should_scan() treat RUN_SHADOW_SCANS='true' as "scan enabled" regardless of SONAR_PLATFORM (and validate the required NEXT_/SQC_ variables accordingly), or update the action docs/validation to disallow sonar-platform='none' when run-shadow-scans='true'.

build_gradle_args() {
local args=()

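Review bot: this `should_scan()` is identical to the one in `build-maven/build.sh` (this PR even aligns the maven copy to `[[ ... ]]`), and both scripts already `source "$(dirname "${BASH_SOURCE[0]}")/../shared/common-functions.sh"`, so define it once in `shared/common-functions.sh` next to `is_default_branch` and friends and delete both copies; that also gives the `RUN_SHADOW_SCANS`/`SONAR_PLATFORM=none` question raised above a single place to be fixed. Minor: the trailing `return $?` is redundant, since a function returns the status of its last command, and the `||` chain can be the last line on its own.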
Expand Down Expand Up @@ -216,19 +218,15 @@ gradle_build() {
echo "Sonar Platform: ${SONAR_PLATFORM}"
echo "Run Shadow Scans: ${RUN_SHADOW_SCANS}"

if [[ "$SONAR_PLATFORM" == "none" ]]; then
if should_scan; then
# Build with sonar analysis via orchestrator
# shellcheck disable=SC2119
orchestrate_sonar_platforms
else
# Build without sonar - call gradle_build_and_analyze directly
echo "::group::Gradle build"
gradle_build_and_analyze
echo "::endgroup::"
else
# Build with sonar analysis via orchestrator
# TODO BUILD-10586: sonar analysis is not filtered by branch type here — it runs on all branches
# (including dogfood and other branches) when sonar-platform != none. This differs from
# build-maven/build-npm/build-yarn/build-poetry which skip sonar on dogfood/other branches.
# Should add a should_scan() guard consistent with the other build scripts.
# shellcheck disable=SC2119
orchestrate_sonar_platforms
fi
}

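Review bot: the `else` branch is commented `Build without sonar` yet calls `gradle_build_and_analyze`, whose name says analysis runs; if that function genuinely skips the sonar task when `should_scan` is false, say so in the comment (or rename the function), because a reader checking why dogfood branches were or were not analysed will stop at that name. Since the decision now depends on the branch type as well as `SONAR_PLATFORM`, also log the reason next to the existing `Sonar Platform:` / `Run Shadow Scans:` echoes, e.g. an `echo "Skipping sonar analysis: platform is none or branch type is not analysed"` in the `else` branch, so the outcome is visible in the job log rather than only implied by the absence of the orchestrator group.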
19 changes: 5 additions & 14 deletions build-maven/build.sh
Expand Up @@ -14,7 +14,7 @@
# - RUN_SHADOW_SCANS: If true, run sonar scanner on all 3 platforms. If false, run on the platform provided by SONAR_PLATFORM.
# - ARTIFACTORY_URL: Artifactory repository URL
# - ARTIFACTORY_ACCESS_TOKEN: Access token to read Repox repositories
# - ARTIFACTORY_DEPLOY_REPO: Deployment repository name
# - ARTIFACTORY_DEPLOY_REPO: Deployment repository name. Required by maven-enforcer-plugin in SonarSource parent POM.
# - ARTIFACTORY_DEPLOY_USERNAME: Username used by artifactory-maven-plugin
# - ARTIFACTORY_DEPLOY_PASSWORD: Access token to deploy to the repository
# - CURRENT_VERSION: Current project version as in pom.xml
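Review bot: the gradle script header gains `When enabled, SONAR_PLATFORM is ignored.` on its `RUN_SHADOW_SCANS` line in this same PR, while the `RUN_SHADOW_SCANS` line here is left unchanged; whichever wording is settled on once the `SONAR_PLATFORM=none` with shadow scans question is resolved, keep the two headers identical so the scripts do not document different contracts for the same variable.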
Expand Down Expand Up @@ -45,26 +45,17 @@ set -euo pipefail
# shellcheck source=../shared/common-functions.sh
source "$(dirname "${BASH_SOURCE[0]}")/../shared/common-functions.sh"

: "${ARTIFACTORY_URL:?}"
# Required by maven-enforcer-plugin in SonarSource parent POM
: "${ARTIFACTORY_DEPLOY_REPO:?}"
: "${DEPLOY:=true}"
: "${CURRENT_VERSION:?}"
: "${ARTIFACTORY_URL:?}" "${ARTIFACTORY_DEPLOY_REPO:?}" "${DEPLOY:=true}" "${DEPLOY_PULL_REQUEST:=false}" "${RUN_SHADOW_SCANS:?}"
: "${GITHUB_REF_NAME:?}" "${BUILD_NUMBER:?}" "${GITHUB_RUN_ID:?}" "${GITHUB_REPOSITORY:?}" "${GITHUB_EVENT_NAME:?}"
: "${GITHUB_SHA:?}"
: "${GITHUB_OUTPUT:?}"
: "${RUNNER_OS:?}"
: "${PULL_REQUEST?}" "${DEFAULT_BRANCH:?}"
: "${GITHUB_SHA:?}" "${GITHUB_OUTPUT:?}" "${RUNNER_OS:?}" "${PULL_REQUEST?}" "${DEFAULT_BRANCH:?}" "${CURRENT_VERSION:?}"
if [[ "${SONAR_PLATFORM:?}" != "none" ]]; then
: "${NEXT_URL:?}" "${NEXT_TOKEN:?}" "${SQC_US_URL:?}" "${SQC_US_TOKEN:?}" "${SQC_EU_URL:?}" "${SQC_EU_TOKEN:?}"
fi
: "${RUN_SHADOW_SCANS:?}"
if [[ "$DEPLOY" != "false" && "$RUN_SHADOW_SCANS" != "true" ]]; then
: "${ARTIFACTORY_DEPLOY_USERNAME:?}" "${ARTIFACTORY_DEPLOY_PASSWORD:?}"
fi
: "${DEPLOY_PULL_REQUEST:=false}"
: "${USER_MAVEN_ARGS:=}"
export ARTIFACTORY_URL DEPLOY_PULL_REQUEST
export DEPLOY DEPLOY_PULL_REQUEST USER_MAVEN_ARGS
readonly DEPLOYED_OUTPUT_KEY="deployed"

# FIXME Workaround for SonarSource parent POM; it can be removed after releases of parent 73+ and parent-oss 84+
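Review bot: `export ARTIFACTORY_URL DEPLOY_PULL_REQUEST` is replaced by `export DEPLOY DEPLOY_PULL_REQUEST USER_MAVEN_ARGS`, so `ARTIFACTORY_URL` is no longer exported by this script even though it is still required on the consolidated `: "${ARTIFACTORY_URL:?}" ...` line and is, per the header, the Artifactory repository URL. Unless the action already places it in the environment before invoking this script, the `mvn` child process (and the parent POM plugins that read it) will no longer see it; either keep `ARTIFACTORY_URL` in the export list or add a header comment explaining why exporting it became unnecessary.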
Expand Down Expand Up @@ -136,7 +127,7 @@ should_deploy() {
}

should_scan() {
if [ "$SONAR_PLATFORM" = "none" ]; then
if [[ "$SONAR_PLATFORM" = "none" ]]; then
return 1
fi
is_default_branch || is_maintenance_branch || is_pull_request || is_long_lived_feature_branch