CLI-77 Auto-install sonar-secrets during sonar integrate claude #697
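---
name: Build

# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - master
      - branch-*
      - dogfood-*
  pull_request:
  merge_group:
  workflow_dispatch:

# Workflow-level concurrency: one run per PR (or per ref outside PRs);
# in-progress runs are cancelled everywhere except on the default branch.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}

# Required permissions for Vault OIDC and repo operations.
# id-token:write is what the Vault OIDC login needs; contents:read covers checkout.
# No job below writes back to the repository, so nothing else is granted.
permissions:
  id-token: write
  contents: read

jobs:
  # Derives the build number and stamps it into package.json; every other job
  # consumes the resulting version via needs.prepare.outputs.
  prepare:
    name: Prepare Build
    runs-on: github-ubuntu-latest-s
    outputs:
      BUILD_NUMBER: ${{ steps.get-build-number.outputs.BUILD_NUMBER }}
      PROJECT_VERSION: ${{ steps.project_version.outputs.PROJECT_VERSION }}
      PACKAGE_VERSION: ${{ steps.project_version.outputs.PACKAGE_VERSION }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          fetch-depth: 0
      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
        with:
          version: "2025.7.12"
      - uses: SonarSource/ci-github-actions/get-build-number@148774f456203f228b7bd1bd68ed0c22254d9cd1 # 1.3.24
        id: get-build-number
      - name: Update package.json version with build number
        id: project_version
        env:
          BUILD_NUMBER: ${{ steps.get-build-number.outputs.BUILD_NUMBER }}
        run: |
          PACKAGE_VERSION=$(bun build-scripts/set-build-number.ts "${BUILD_NUMBER}")
          echo "PACKAGE_VERSION=${PACKAGE_VERSION}" >> "$GITHUB_OUTPUT"
          echo "PROJECT_VERSION=${PACKAGE_VERSION}" >> "$GITHUB_OUTPUT"

  # Compiles one binary per platform, GPG-signs it and uploads binary + .asc
  # as a workflow artifact for publish-binaries.
  build-binaries:
    name: Build Binary - ${{ matrix.os }}
    runs-on: ${{ matrix.runner }}
    needs: prepare
    strategy:
      matrix:
        include:
          - os: linux
            runner: github-ubuntu-latest-m
            target: bun-linux-x64
            platform: linux-x86-64
          - os: macos
            runner: macos-latest-xlarge
            target: bun-darwin-arm64
            platform: macos-arm64
          - os: windows
            runner: warp-custom-windows-2022-s
            target: bun-windows-x64
            platform: windows-x86-64
    steps:
      - name: Setup Cloudflare WARP (macOS only)
        if: matrix.os == 'macos'
        # TODO(review): every other action in this file is pinned to a commit SHA;
        # a floating `v1` tag can be moved by the action's owner, which is a
        # supply-chain exposure on a job that later holds the GPG signing key.
        # Pin to the SHA of the v1 release in use.
        uses: SonarSource/gh-action_setup-cloudflare-warp@v1
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          fetch-depth: 0
      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
        with:
          version: "2025.7.12"
      - name: Setup JFrog CLI
        # NOTE(review): no step in this job invokes `jf` directly; keep this only
        # if `bun run fetch:signatures` shells out to it, otherwise drop it to
        # shrink the toolchain present alongside the signing key.
        uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5
        with:
          version: "2.77.0"
      - name: Vault Secrets
        id: secrets
        uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
        with:
          secrets: |
            development/kv/data/repox url | ARTIFACTORY_URL;
            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader username | ARTIFACTORY_USER;
            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
            development/kv/data/sign key | GPG_SIGNING_KEY;
            development/kv/data/sign passphrase | GPG_SIGNING_PASSPHRASE;
      - name: Cache Bun dependencies
        uses: SonarSource/gh-action_cache@54a48984cf6564fd48f3c6c67c0891d7fe89604c
        with:
          path: |
            ~/.bun
          key: bun-${{ runner.os }}-${{ hashFiles('**/bun.lock') }}
          restore-keys: bun-${{ runner.os }}
      - name: Install dependencies
        env:
          ARTIFACTORY_PRIVATE_READER_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USER }}
          ARTIFACTORY_PRIVATE_READER_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
        run: bun ci
      # Every dynamic value below is handed to the shell through `env` rather than
      # inlined as `${{ }}` inside `run:`. The artifact name is derived from
      # package.json (checked out at the PR merge commit), so inlining it would
      # splice repository-controlled text straight into the command line.
      # `shell: bash` is set explicitly because the Windows runner's default
      # shell is PowerShell, where `${VAR}` is not an environment lookup.
      - name: Compute artifact name
        id: artifact
        shell: bash
        env:
          PROJECT_VERSION: ${{ needs.prepare.outputs.PROJECT_VERSION }}
          PLATFORM: ${{ matrix.platform }}
        run: echo "name=sonarqube-cli-${PROJECT_VERSION}-${PLATFORM}.exe" >> "$GITHUB_OUTPUT"
      - name: Fetch binary signatures
        run: bun run fetch:signatures
      - name: Build binary for ${{ matrix.os }}
        shell: bash
        env:
          ARTIFACT_NAME: ${{ steps.artifact.outputs.name }}
          BUN_TARGET: ${{ matrix.target }}
        run: bun build src/index.ts --compile --outfile "dist/${ARTIFACT_NAME}" --target "${BUN_TARGET}"
      - name: Sign binary
        shell: bash
        env:
          GPG_SIGNING_KEY: ${{ fromJSON(steps.secrets.outputs.vault).GPG_SIGNING_KEY }}
          GPG_SIGNING_PASSPHRASE: ${{ fromJSON(steps.secrets.outputs.vault).GPG_SIGNING_PASSPHRASE }}
          ARTIFACT_NAME: ${{ steps.artifact.outputs.name }}
        run: bun build-scripts/sign.mjs "dist/${ARTIFACT_NAME}"
      - name: Upload binary to GitHub
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: binary-${{ matrix.os }}
          path: |
            dist/${{ steps.artifact.outputs.name }}
            dist/${{ steps.artifact.outputs.name }}.asc

  # Collects the three signed binaries plus installer scripts and pushes them
  # to the QA repository in Artifactory with build-info.
  publish-binaries:
    name: Publish Binaries to Artifactory
    runs-on: github-ubuntu-latest-s
    needs:
      - prepare
      - build-binaries
    # NOTE(review): the push trigger accepts `dogfood-*` but this gate only
    # publishes `dogfood-on-*`; a `dogfood-foo` branch builds without
    # publishing. Confirm that asymmetry is intended.
    if: ${{ github.event_name == 'pull_request' || github.ref_name == github.event.repository.default_branch || startsWith(github.ref_name, 'branch-') || startsWith(github.ref_name, 'dogfood-on-') }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - name: Setup JFrog CLI
        uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5
        with:
          version: "2.77.0"
      - name: Vault Secrets
        id: secrets
        uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
        with:
          secrets: |
            development/kv/data/repox url | ARTIFACTORY_URL;
            development/artifactory/token/{REPO_OWNER_NAME_DASH}-qa-deployer access_token | ARTIFACTORY_DEPLOY_PASSWORD;
      - name: Download linux binary
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: binary-linux
          path: dist/
      - name: Download macos binary
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: binary-macos
          path: dist/
      - name: Download windows binary
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: binary-windows
          path: dist/
      # NOTE(review): only the compiled binaries carry a GPG signature (the .asc
      # from build-binaries). install.sh / install.ps1 and latest-version.txt
      # are published unsigned, so a consumer that fetches the installer first
      # has no signed chain back to the binary it goes on to download — worth
      # signing these too, or documenting that installers verify the .asc.
      - name: Copy user scripts to dist
        run: cp user-scripts/install.sh user-scripts/install.ps1 dist/
      - name: Generate latest-version.txt
        env:
          PROJECT_VERSION: ${{ needs.prepare.outputs.PROJECT_VERSION }}
        run: echo "${PROJECT_VERSION}" > dist/latest-version.txt
      - name: Upload binaries to Artifactory
        env:
          ARTIFACTORY_URL: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_URL }}
          ARTIFACTORY_DEPLOY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_PASSWORD }}
          PROJECT_VERSION: ${{ needs.prepare.outputs.PROJECT_VERSION }}
          ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
          PROJECT: ${{ github.event.repository.name }}
          BUILD_NUMBER: ${{ needs.prepare.outputs.BUILD_NUMBER }}
          ARTIFACTS_TO_PUBLISH: "org.sonarsource.cli:sonarqube-cli:exe:linux-x86-64,org.sonarsource.cli:sonarqube-cli:exe:macos-arm64,org.sonarsource.cli:sonarqube-cli:exe:windows-x86-64"
        # `jf rt build-collect-env` records the runner's environment into the
        # published build-info. JFrog CLI's default exclusion patterns are
        # understood to drop names matching *password*/*secret*/*key*/*token*,
        # which covers ARTIFACTORY_DEPLOY_PASSWORD — re-check (or pass an
        # explicit --env-exclude) whenever a new secret is added to this step.
        run: |
          jf config add repox \
            --artifactory-url="${ARTIFACTORY_URL}" \
            --access-token="${ARTIFACTORY_DEPLOY_PASSWORD}"
          jf rt upload \
            "dist/*" \
            "${ARTIFACTORY_DEPLOY_REPO}/org/sonarsource/cli/sonarqube-cli/${PROJECT_VERSION}/" \
            --server-id=repox \
            --flat=true \
            --build-name="${PROJECT}" \
            --build-number="${BUILD_NUMBER}" \
            --module="org.sonarsource.cli:${PROJECT}:${PROJECT_VERSION}"
          jf rt build-collect-env "${PROJECT}" "${BUILD_NUMBER}"
          jf rt build-publish "${PROJECT}" "${BUILD_NUMBER}"

  # Lint, test with coverage, and run the SonarQube Cloud analysis.
  test-and-scan:
    name: Run Tests and Scan with SonarQube
    runs-on: github-ubuntu-latest-m
    needs: [prepare]
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          fetch-depth: 0
      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
        with:
          version: "2025.7.12"
      - name: Vault Secrets
        id: secrets
        uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
        with:
          # NOTE(review): ARTIFACTORY_URL and the qa-deployer token fetched here
          # are not mapped into any step's env below (sonarqube-analysis.sh only
          # receives the SONAR_* and version variables). Unless that script reads
          # them by some other route, drop both — a test job should not hold a
          # deploy-capable credential it never uses.
          secrets: |
            development/kv/data/sonarcloud token | SONAR_TOKEN;
            development/kv/data/sonarcloud url | SONAR_URL;
            development/kv/data/repox url | ARTIFACTORY_URL;
            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader username | ARTIFACTORY_USER;
            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
            development/artifactory/token/{REPO_OWNER_NAME_DASH}-qa-deployer access_token | ARTIFACTORY_DEPLOY_PASSWORD;
      - name: Install libsecret (Linux)
        # GitHub expression comparison is case-insensitive, so 'linux' matches runner.os == 'Linux'.
        if: ${{ runner.os == 'linux' }}
        run: sudo apt-get update && sudo apt-get install -y libsecret-1-0
      - name: Cache Bun dependencies
        uses: SonarSource/gh-action_cache@54a48984cf6564fd48f3c6c67c0891d7fe89604c
        with:
          path: |
            ~/.bun
          key: bun-${{ runner.os }}-${{ hashFiles('**/bun.lock') }}
          restore-keys: bun-${{ runner.os }}
      - name: Install dependencies
        env:
          ARTIFACTORY_PRIVATE_READER_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USER }}
          ARTIFACTORY_PRIVATE_READER_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
        run: bun ci
      - name: Check style
        run: bun format:check
      - name: Check linting
        run: bun lint
      - name: Run all tests
        run: bun test:coverage
      - name: Analyze on SonarQubeCloud
        env:
          SONAR_HOST_URL: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_URL }}
          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }}
          BUILD_NUMBER: ${{ needs.prepare.outputs.BUILD_NUMBER }}
          CURRENT_VERSION: ${{ needs.prepare.outputs.PROJECT_VERSION }}
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          PULL_REQUEST: ${{ github.event.pull_request.number || 'false' }}
        run: |
          .github/scripts/sonarqube-analysis.sh

  # Promotes the published build once binaries and tests/scan have passed.
  promote:
    runs-on: github-ubuntu-latest-s
    name: Promote
    needs:
      - prepare
      - build-binaries
      - publish-binaries
      - test-and-scan
    # Same gate as publish-binaries; keep the two in sync if one changes.
    if: ${{ github.event_name == 'pull_request' || github.ref_name == github.event.repository.default_branch || startsWith(github.ref_name, 'branch-') || startsWith(github.ref_name, 'dogfood-on-') }}
    steps:
      - uses: SonarSource/ci-github-actions/promote@148774f456203f228b7bd1bd68ed0c22254d9cd1 # 1.3.24
        env:
          PROJECT_VERSION: ${{ needs.prepare.outputs.PROJECT_VERSION }}
          ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
        with:
          promote-pull-request: true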