Finalize CI migration

Author: GabrielFleischer

.cirrus.star

@@ -23,25 +23,27 @@ jobs:
       id-token: write  # Required for Vault OIDC authentication
       contents: write  # Required for repository access and tagging
     outputs:
-      build-number: ${{ steps.build-gradle.outputs.BUILD_NUMBER }}
+      build-number: ${{ steps.build.outputs.BUILD_NUMBER }}
+      deployed: ${{ steps.build.outputs.deployed }}
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
         with:
           version: 2025.7.12
       - uses: SonarSource/ci-github-actions/build-gradle@v1
-        id: build-gradle
+        id: build
         with:
           deploy-pull-request: true
           artifactory-reader-role: private-reader    # Override for public repo using private access
           artifactory-deployer-role: qa-deployer     # Override for public repo using private access
 
   qa:
     needs: [build]
+    if: ${{ needs.build.outputs.deployed }}
     runs-on: github-ubuntu-latest-s  # Public repository runner
     permissions:
       id-token: write  # Required for Vault OIDC authentication
-      contents: write  # Required for repository access
+      contents: read  # Required for repository access
     strategy:
       fail-fast: false
       matrix:
@@ -62,21 +64,24 @@ jobs:
         run: rm -r ./its/sources/kotlin
       - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
         with:
-          cache_save: false
           version: 2025.7.12
       - name: Get GitHub Token for QA Licenses
         id: secrets
         uses: SonarSource/vault-action-wrapper@v3
         with:
           secrets: |
             development/github/token/licenses-ro token | GITHUB_TOKEN;
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
       - name: Configure Gradle
-        uses: SonarSource/ci-github-actions/config-gradle@v1
+        uses: SonarSource/ci-github-actions/build-gradle@v1
         with:
-          artifactory-reader-role: private-reader    # Override for public repo using private access
+          gradle-args: "-x build -x sonar -x artifactoryPublish"  # Skip everything to only configure Gradle and Artifactory access
+          artifactory-reader-role: private-reader
+          artifactory-deployer-role: qa-deployer
       - name: Run QA Tests
         env:
           GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
           SUITE: ${{ matrix.item.suite }}
           SQ_VERSION: ${{ matrix.item.sq_version }}
         run: |
@@ -86,18 +91,16 @@ jobs:
             "-DbuildNumber=${BUILD_NUMBER}" \
             --info --stacktrace --console plain --no-daemon --build-cache
   promote:
-    needs: [build, qa]
-    runs-on: github-ubuntu-latest-s  # Public repository runner
     name: Promote
+    needs:
+      - build
+      - qa
+    runs-on: github-ubuntu-latest-s  # Public repository runner
+    if: ${{ needs.build.outputs.deployed }}
     permissions:
       id-token: write  # Required for Vault OIDC authentication
       contents: write  # Required for repository access and tagging
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
-        with:
-          cache_save: false
-          version: 2025.7.12
       - uses: SonarSource/ci-github-actions/promote@v1
         with:
           promote-pull-request: true  # Enable PR artifact promotion

.cirrus.yml

@@ -29,7 +29,7 @@ allprojects {
     ext {
         buildNumber = System.getProperty("buildNumber")
 
-        sonarLinksCi = 'https://cirrus-ci.com/github/SonarSource/sonar-scala'
+        sonarLinksCi = 'https://github.com/SonarSource/sonar-scala/actions/workflows/build.yml'
         sonarLinksScm = 'https://github.com/SonarSource/sonar-scala'
 
         artifactsToPublish = ''