BUILD-10591 Leverage setup-jfrog-cli summary in ci-github-actions#233

Open
julien-carsique-sonarsource wants to merge 1 commit into master from feat/jcarsique/BUILD-10591-setup-jfrog-cli-summary

@julien-carsique-sonarsource julien-carsique-sonarsource commented Mar 16, 2026

Summary

Generate the JFrog CLI job summary explicitly rather than relying on the setup-jfrog-cli post-step, which fails and conflicts with the CLI.

Changes

build-maven, build-npm, build-yarn, build-poetry, config-npm, promote (scripts):

  • Add --url flag to jf config add repox, otherwise the config is not working with all the CLI commands
  • Add jf config use repox after jf config add to explicitly activate the server configuration

build-maven, build-npm, build-yarn, build-poetry (action.yml):

  • Set JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR in the build step env so JFrog CLI writes command summary data during execution
  • Enrich Generate workflow summary step with an extract from JFrog CLI summary

All build actions (workflow summary):

  • Extract Published Modules from JFrog markdown.md: bold module names and multi-line <pre> file tree blocks, displayed in a collapsible <details> block
  • Change build URL link text: Browse artifacts in Artifactory → Browse build name:number in Artifactory

promote/action.yml:

  • Add repox-url and repox-artifactory-url inputs
  • Add ARTIFACTORY_URL env var to the Promote artifacts step

Other:

  • Upgrade renovatebot/pre-commit-hooks to 43.76.3 in .pre-commit-config.yaml (to support the managerFilePatterns field used in .github/renovate.json)
  • Fix trailing spaces in deprecation warning messages (cache/action.yml, config-npm/action.yml, build-npm/action.yml, build-yarn/action.yml)
  • Minor doc fixes in build-maven/build.sh and promote/promote.sh
  • Update spec tests to match new command signatures and line counts (100% coverage)

Test plan


hashicorp-vault-sonar-prod bot commented Mar 16, 2026

BUILD-10591


sonarqubecloud bot commented Mar 18, 2026

@julien-carsique-sonarsource julien-carsique-sonarsource marked this pull request as ready for review March 18, 2026 15:26
@julien-carsique-sonarsource julien-carsique-sonarsource requested a review from a team as a code owner March 18, 2026 15:26
Copilot AI review requested due to automatic review settings March 18, 2026 15:26

sonar-review-alpha bot commented Mar 18, 2026

Summary

This PR fixes the JFrog CLI configuration and adds explicit summary generation across build actions.

Core Fix: All build scripts now add the --url flag when configuring the JFrog server (pointing to the base Repox URL before /artifactory), followed by jf config use repox to explicitly activate it. This resolves the conflict where the setup-jfrog-cli post-step was failing because the config wasn't properly initialized for all CLI commands.

Summary Generation: Build actions (npm, yarn, poetry) now capture JFrog CLI summary data via the JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR environment variable and parse the markdown output to extract published modules and file trees, displaying them in collapsible details blocks in the workflow summary.

Promote Action Updates: Added repox-url and repox-artifactory-url inputs to the promote action, and changed ARTIFACTORY_URL from optional to required in the promote script (no longer has a default value).

Supporting Changes: renovatebot/pre-commit-hooks upgraded (enables managerFilePatterns in renovate config), deprecation warning trailing spaces fixed, spec tests updated for new JFrog CLI version (2.96.0), and minor emoji/link text changes in workflow summaries.

What reviewers should know

Start by reviewing: The changes to build scripts (e.g., build-npm/build.sh, build-yarn/build.sh) to understand the --url flag addition and jf config use pattern — this is the core fix applied consistently across all build actions.

Key decision to verify: The summary markdown parsing in action.yml files uses grep and awk to extract published modules and file trees from JFrog's generated markdown. This approach is hardcoded to the JFrog CLI output format — if JFrog changes their markdown structure, this parsing will break silently.

Breaking change: The promote/promote.sh script now requires ARTIFACTORY_URL to be explicitly provided (no longer defaults to https://repox.jfrog.io/artifactory). Verify this is intentional and that all callers of the promote action pass repox-url or repox-artifactory-url.

Test coverage: The author tested across multiple projects (Maven, Gradle, npm, yarn, poetry) and verified that the JFrog summary gracefully handles cases where no artifacts are published (|| true ensures no failure). Spec tests were updated to reflect the new JFrog CLI version.



@sonar-review-alpha sonar-review-alpha bot left a comment


Conclusion: Solid PR overall — the fix is well-motivated, end-to-end tested, and the new JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR pattern is applied consistently. One logic duplication worth addressing before this pattern spreads further.


ARTIFACTORY_BROWSE_URL="${ARTIFACTORY_URL%/*}/ui/builds/$build_name/$BUILD_NUMBER"
echo "🔗 **[Browse artifacts in Artifactory](${ARTIFACTORY_BROWSE_URL})**" >> $GITHUB_STEP_SUMMARY
echo "🐸 [Browse build \`${build_name}:${BUILD_NUMBER}\` in Artifactory](${ARTIFACTORY_BROWSE_URL})" >> $GITHUB_STEP_SUMMARY
jf_summary_dir="${JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR}/jfrog-command-summary"
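
Review bot: `${ARTIFACTORY_URL%/*}` on the first line removes only the last path segment, so it yields the platform base URL only when ARTIFACTORY_URL ends in `/artifactory` with no trailing slash; with a trailing slash it strips just the slash and the link becomes `.../artifactory/ui/builds/...`. The spec review later in this thread quotes `${ARTIFACTORY_URL%/artifactory*}` from another script, and using that same expansion here would keep the two derivations consistent. The `echo` redirections should also quote `"$GITHUB_STEP_SUMMARY"`, as the summary extraction block does.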


Logic duplication: This 16-line JFrog CLI summary extraction block (the jf_summary_dir check, jf generate-summary-markdown call, and grep/awk parsing into a <details> block) is copy-pasted verbatim into build-npm/action.yml:222, build-poetry/action.yml:211, and build-yarn/action.yml:220. The only difference across the four is the config name (deploy here vs repox in the others).

Any future change to the parsing logic — e.g. if the markdown.md format changes, or the <details> structure is adjusted — requires four synchronised edits. Extract to shared/generate-jfrog-summary.sh that accepts the config name as a $1 argument, then replace each block with:

"$ACTION_PATH_SHARED/generate-jfrog-summary.sh" deploy

(or repox for the other three). The env vars JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR and GITHUB_STEP_SUMMARY are already in the environment of the step, so no extra wiring is needed.
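
A sketch of the shared helper suggested above, added here as an example and not taken from the PR or the project. The function names, return codes and sample input are assumptions; the grep/awk filters and `jf` commands are the ones quoted in this thread. It also reports the silent-breakage case raised in the review summary by returning a distinct code when nothing is parsed.

```shell
#!/usr/bin/env bash
# Added example: hypothetical shared/generate-jfrog-summary.sh (function names,
# return codes and the sample input are assumptions, not the project's code).

# Print the "Published Modules" <details> block parsed from a JFrog markdown.md.
# Returns 2 if the file is missing, 3 if nothing matched (format drift).
extract_published_modules() {
  local md="$1" modules trees
  [ -f "$md" ] || return 2
  # Bold-only lines become list items. "|| true" keeps a no-match grep from
  # aborting a step that runs with -e -o pipefail.
  modules="$(grep -E '^\*\*[^*]+\*\*$' "$md" | sed 's/^\*\*\(.*\)\*\*$/- `\1`/' || true)"
  # Multi-line <pre>...</pre> file trees are copied through unchanged.
  trees="$(awk 'index($0,"<pre>") && !index($0,"</pre>"){p=1} p{print} index($0,"</pre>"){p=0}' "$md")"
  if [ -z "$modules" ] && [ -z "$trees" ]; then
    return 3
  fi
  printf '\n<details>\n<summary>Published Modules</summary>\n\n%s\n\n%s\n</details>\n' \
    "$modules" "$trees"
}

# Entry point: $1 is the JFrog CLI server config name (deploy or repox).
generate_jfrog_summary() {
  local config="$1" dir rc=0
  dir="${JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR}/jfrog-command-summary"
  [ -d "$dir" ] || return 0   # the build step recorded no command summary
  jf config use "$config"
  jf generate-summary-markdown
  extract_published_modules "${dir}/markdown.md" >> "$GITHUB_STEP_SUMMARY" || rc=$?
  # Surface parser drift in the job log without failing the build.
  [ "$rc" -eq 0 ] || echo "warning: no modules parsed from markdown.md (rc=$rc)" >&2
}

# Constructed sample in the shape the PR describes: bold names, <pre> trees.
sample_markdown() {
  cat <<'EOF'
### Published Modules
**com.example:demo:1.0.0**
<pre>libs-release
+-- demo-1.0.0.jar
</pre>
EOF
}

# Run the entry point only when this file is executed under its script name.
case "${0##*/}" in
  generate-jfrog-summary.sh) generate_jfrog_summary "$@" ;;
esac
```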


Copilot AI left a comment


Pull request overview

This PR updates the CI GitHub Actions build/promote workflows to explicitly generate and enrich GitHub workflow summaries using JFrog CLI command summary output, while also updating JFrog CLI configuration to be more explicit/compatible.

Changes:

  • Update JFrog CLI config usage across build/promote scripts (add --url, explicitly jf config use ..., bump JFrog CLI to 2.96.0).
  • Enrich workflow summaries (build links + “Published Modules” extracted from JFrog-generated markdown.md) and wire JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR.
  • Misc maintenance: spec updates, doc updates, pre-commit hook upgrade, and whitespace fixes in warnings.

Reviewed changes

Copilot reviewed 27 out of 29 changed files in this pull request and generated 10 comments.

| File | Description |
| --- | --- |
| config-npm/npm_config.sh | Update JFrog CLI server config to include --url and explicitly select the server. |
| build-npm/build.sh | Update JFrog CLI config for NPM publish flow (add --url, config use). |
| build-yarn/build.sh | Update JFrog CLI config for Yarn resolve/publish flows (add --url, config use). |
| build-poetry/build.sh | Update JFrog CLI config for Poetry resolve/publish flows (add --url, config use). |
| build-maven/deploy-artifacts.sh | Switch to jf CLI and add --url to deploy server config; use jf rt u. |
| build-npm/action.yml | Enable JFrog CLI command summary output + parse/publish “Published Modules” in workflow summary. |
| build-yarn/action.yml | Same: wire command summary output dir and enrich workflow summary. |
| build-poetry/action.yml | Same: wire command summary output dir and enrich workflow summary. |
| build-maven/action.yml | Wire command summary output dir for artifact upload + enrich workflow summary. |
| build-gradle/action.yml | Update summary link text/icon consistency. |
| promote/action.yml | Add Repox URL inputs and pass ARTIFACTORY_URL into promote step. |
| promote/promote.sh | Require ARTIFACTORY_URL, update JFrog config steps, tweak workflow summary link text. |
| mise.toml + */mise.local.toml | Bump jfrog-cli to 2.96.0 and set env exclusions / warning suppression. |
| README.md | Document new promote action inputs (repox-url, repox-artifactory-url). |
| .pre-commit-config.yaml | Bump renovate pre-commit hooks rev. |
| spec/*.sh | Update specs to match updated JFrog CLI commands/version and output line counts. |


Comment on lines +222 to +238
jf_summary_dir="${JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR}/jfrog-command-summary"
if [[ -d "$jf_summary_dir" ]]; then
jf config use repox
jf generate-summary-markdown
if [[ -f "${jf_summary_dir}/markdown.md" ]]; then
{
echo ""
echo "<details>"
echo "<summary>Published Modules</summary>"
echo ""
grep -E '^\*\*[^*]+\*\*$' "${jf_summary_dir}/markdown.md" | sed 's/^\*\*\(.*\)\*\*$/- `\1`/'
echo ""
awk 'index($0,"<pre>") && !index($0,"</pre>"){p=1} p{print} index($0,"</pre>"){p=0}' "${jf_summary_dir}/markdown.md"
echo "</details>"
} >> "$GITHUB_STEP_SUMMARY"
fi
fi
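
Review bot: the `grep -E ... | sed` pipeline inside the braces exits non-zero when markdown.md contains no bold module line, and nothing in these lines guards it, so a step running under `bash -e -o pipefail` would fail instead of writing an empty list; append `|| true` to that pipeline or test for a match first. The awk filter also copies `<pre>` blocks from markdown.md into `$GITHUB_STEP_SUMMARY` unescaped and, if a `<pre>` is never closed, prints through to end of file, so the rendered summary depends on the JFrog CLI always emitting well-formed blocks.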

@bwalsh434 bwalsh434 left a comment


Overall LGTM and nice improvement! Copilot has lots of thoughts on the Artifactory URL construction, so make sure that works in varying scenarios/repos.

…d-poetry and promote

Generate the JFrog CLI job summary explicitly rather than relying on the setup-jfrog-cli post-step, which fails and conflicts with the CLI.

**JFrog CLI configuration fixes (build-npm, build-yarn, build-poetry, config-npm, promote)**:
- Add --url flag to 'jf config add repox' with the JFrog Platform URL (base URL without '/artifactory')
- Add 'jf config use repox' (or 'deploy' for maven) after 'jf config add' to explicitly activate the server configuration
- In promote.sh and build scripts, suppress 'jf config remove repox' output (redirect to /dev/null)
- Make ARTIFACTORY_URL required (via :?) in promote.sh

**JFrog CLI command summary (all build actions + promote)**:
- Set JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR in build step env so JFrog CLI writes command summary data during execution
- build-maven/deploy-artifacts.sh: also set JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR in the Artifacts upload step

**Generate workflow summary (all build actions)**:
- Merge JFrog CLI summary generation into 'Generate workflow summary' step (remove the separate 'Generate JFrog CLI summary' step)
- Add JFrog summary support to build-maven (when mixed-privacy=true, using 'jf config use deploy') and build-gradle
- Rework summary format: extract Published Modules from JFrog markdown.md (bold module names and multi-line <pre> file tree blocks) into a collapsible <details> block
- Change build URL link text from 'Browse artifacts in Artifactory' to 'Browse build `name:number` in Artifactory'

**promote/action.yml**:
- Add repox-url and repox-artifactory-url inputs (forwarded from callers)
- Add ARTIFACTORY_URL env var to the Promote artifacts step

**Other**:
- Upgrade renovatebot/pre-commit-hooks to 43.76.3 in .pre-commit-config.yaml
- Fix trailing spaces in deprecation warning messages (cache/action.yml, config-npm/action.yml, build-npm/action.yml, build-yarn/action.yml)
- Minor doc fix in build-maven/build.sh and promote/promote.sh
- Update spec tests to match new command signatures and line counts (100% coverage)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@julien-carsique-sonarsource julien-carsique-sonarsource force-pushed the feat/jcarsique/BUILD-10591-setup-jfrog-cli-summary branch from e83ff86 to 5047c75 Compare March 18, 2026 17:54

@sonar-review-alpha sonar-review-alpha bot left a comment


Conclusion: One concrete test bug found: the config-npm spec will fail due to a wrong expected --url value. The logic duplication from the previous review (the 16-line JFrog summary extraction block copied verbatim into all four action.yml files) remains unaddressed.


@@ -98,7 +98,7 @@ Describe 'set_build_env()'
The contents of file "$HOME/.npmrc" should include "registry=https://repox.jfrog.io/artifactory/api/npm/npm"
The contents of file "$HOME/.npmrc" should include "//repox.jfrog.io/artifactory/api/npm/:_authToken=reader-token"


Bug: The expected --url value here is wrong. ARTIFACTORY_URL is set to "https://repox.jfrog.io/artifactory" (line 49), and the script strips the /artifactory suffix via ${ARTIFACTORY_URL%/artifactory*}, so the actual output will be:

jf config add repox --url https://repox.jfrog.io --artifactory-url https://repox.jfrog.io/artifactory --access-token reader-token

The assertion expects --url https://repox.jfrog.io/artifactory (the full URL, unstripped). This test will fail. Either:

  • Fix the expected value to https://repox.jfrog.io, or

  • Change the fixture to export ARTIFACTORY_URL="https://dummy.repox" (no /artifactory suffix, matching every other spec file) and update the .npmrc content assertions accordingly.
