Update protobuf monorepo to v4.33.2 #624
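# Build workflow: computes cache keys, builds on Linux and Windows, runs unit,
# QA and ruling tests, analyzes the project, then promotes the build.
#
# REVIEW NOTES
# - The `read_permissions` anchor (defined on the `setup` job) also grants
#   `id-token: write`, so every job that aliases it can request an OIDC token.
#   None of the `setup` steps appear to need it; confirm and narrow if so.
# - actions/* are pinned to commit SHAs, but several SonarSource actions are
#   referenced by branch (`@master`) or by moving tag (`@v1`, `@v3`) in jobs
#   that hold `id-token: write` and read Vault secrets. Pinning them to commit
#   SHAs would give the same immutability guarantee.
# - `jdx/[email protected]` is how this page rendered the action reference (the
#   part around `@` was replaced by e-mail obfuscation). Restore the original
#   reference from the repository before using this file.
# - Secrets and github-context values are handed to scripts through `env`
#   instead of `${{ }}` interpolation inside `run`, so their content is never
#   parsed as shell source.
name: Build

on:
  push:
    branches:
      - master
      - branch-*
      - dogfood-*
  pull_request:
  merge_group:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *' # Nightly for analyze and iris tasks

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  setup:
    runs-on: github-ubuntu-latest-s
    name: Setup - Prepare Node.js versions and test hashes
    # Despite the anchor name, this grants OIDC token issuance as well as read access.
    permissions: &read_permissions
      id-token: write
      contents: read
    outputs:
      node-matrix: ${{ steps.generate-matrix.outputs.matrix }}
      js-files-hash: ${{ steps.compute-js-hash.outputs.hash }}
      maven-hash: ${{ steps.compute-maven-hash.outputs.hash }}
      npm-hash: ${{ steps.compute-npm-hash.outputs.hash }}
    steps:
      - &checkout
        name: Checkout source code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Generate Node.js version matrix from package.json
        id: generate-matrix
        run: |
          # Extract node version range from package.json and parse versions with jq
          MATRIX=$(jq -c '{
            "node-version": (
              .engines.node
              | split(" || ")
              | map(gsub("^[~^>=<]+"; ""))
            )
          }' package.json)
          echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT"
          echo "Generated Node.js version matrix from package.json: $MATRIX"
      - name: Compute JS files hash for test caching
        id: compute-js-hash
        run: |
          HASH=$(find packages patches sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules tools typings .nycrc package.json server.mjs -type f 2>/dev/null | sort | xargs sha256sum | sha256sum | cut -d' ' -f1)
          echo "hash=$HASH" >> "$GITHUB_OUTPUT"
          echo "Computed JS files hash: $HASH"
      - name: Compute Maven hash for cache key
        id: compute-maven-hash
        run: |
          HASH=$(find . -name 'pom.xml' -type f | sort | xargs sha256sum | sha256sum | cut -d' ' -f1)
          echo "hash=$HASH" >> "$GITHUB_OUTPUT"
          echo "Computed Maven hash: $HASH"
      - name: Compute NPM hash for cache key
        id: compute-npm-hash
        run: |
          HASH=$(sha256sum package-lock.json patches/* 2>/dev/null | sha256sum | cut -d' ' -f1)
          echo "hash=$HASH" >> "$GITHUB_OUTPUT"
          echo "Computed NPM hash: $HASH"

  config_maven:
    runs-on: github-ubuntu-latest-s
    name: Configure Maven
    needs: setup
    # Skipped for pull requests coming from forks.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - *checkout
      - &mise_java_maven
        name: Setup Java and Maven
        uses: jdx/[email protected] # ref garbled on this page (see REVIEW NOTES)
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            java = "21.0"
            maven = "3.9"
      - name: Configure Maven
        id: config-maven
        uses: SonarSource/ci-github-actions/config-maven@master # mutable ref (see REVIEW NOTES)
        with:
          artifactory-reader-role: private-reader

  populate_maven_cache:
    runs-on: github-ubuntu-latest-m
    name: Populate Maven cache for Linux
    needs: [setup, config_maven]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    # Shared with populate_maven_cache_win; every step after the lookup is
    # skipped when the cache key already exists.
    steps: &populate_maven_cache_steps
      - name: Check Maven cache
        id: cache
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: ~/.m2/repository
          key: maven-${{ runner.os }}-${{ needs.setup.outputs.maven-hash }}
          lookup-only: true
      - name: Checkout source code
        if: steps.cache.outputs.cache-hit != 'true'
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - if: steps.cache.outputs.cache-hit != 'true'
        name: Setup Java and Maven
        uses: jdx/[email protected] # ref garbled on this page (see REVIEW NOTES)
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            java = "21.0"
            maven = "3.9"
      - if: steps.cache.outputs.cache-hit != 'true'
        name: Configure Maven
        uses: SonarSource/ci-github-actions/config-maven@master # mutable ref (see REVIEW NOTES)
        with:
          artifactory-reader-role: private-reader
      - if: steps.cache.outputs.cache-hit != 'true'
        name: Populate Maven dependencies
        run: |
          # Download all external dependencies (excludes reactor/internal modules)
          mvn dependency:go-offline -B

  populate_maven_cache_win:
    runs-on: github-windows-latest-s
    name: Populate Maven cache for Windows
    needs: [setup, config_maven]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps: *populate_maven_cache_steps

  populate_npm_cache:
    runs-on: github-ubuntu-latest-s
    name: Populate NPM cache for Linux
    needs: setup
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    # Shared with populate_npm_cache_win.
    steps: &populate_npm_cache_steps
      - name: Cache NPM dependencies
        id: cache
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: node_modules
          key: npm-${{ runner.os }}-${{ needs.setup.outputs.npm-hash }}
          lookup-only: true
      - name: Checkout source code
        if: steps.cache.outputs.cache-hit != 'true'
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - if: steps.cache.outputs.cache-hit != 'true'
        name: Setup Node
        uses: jdx/[email protected] # ref garbled on this page (see REVIEW NOTES)
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            node = "24.11.0"
      - if: steps.cache.outputs.cache-hit != 'true'
        id: secrets
        name: Access vault secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/artifactory/token/${{ github.repository_owner }}-${{ github.event.repository.name }}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
      - if: steps.cache.outputs.cache-hit != 'true'
        name: Configure npm registry
        # bash is set explicitly because these steps also run on the Windows
        # runner, where the default shell would not expand $VAR from env.
        shell: bash
        env:
          # Passed through env so the token is never spliced into the script text.
          ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
        run: |
          npm config set "//repox.jfrog.io/artifactory/api/npm/:_authToken=${ARTIFACTORY_ACCESS_TOKEN}"
          npm config set registry https://repox.jfrog.io/artifactory/api/npm/npm/
      - if: steps.cache.outputs.cache-hit != 'true'
        name: Install NPM dependencies
        run: npm ci

  populate_npm_cache_win:
    runs-on: github-windows-latest-s
    name: Populate NPM cache for Windows
    needs: setup
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps: *populate_npm_cache_steps

  build:
    runs-on: github-ubuntu-latest-m
    name: Build SonarJS on Linux
    needs: [setup, populate_maven_cache, populate_npm_cache]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - *checkout
      - &mise
        uses: jdx/[email protected] # ref garbled on this page (see REVIEW NOTES)
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            java = "21.0"
            maven = "3.9"
            node = "24.11.0"
      - &npm_cache
        name: Cache NPM dependencies
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: node_modules
          key: npm-${{ runner.os }}-${{ needs.setup.outputs.npm-hash }}
      - &maven_cache
        name: Cache Maven repository
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: ~/.m2/repository
          key: maven-${{ runner.os }}-${{ needs.setup.outputs.maven-hash }}
      # This step deploys artifacts (also for pull requests) using the
      # qa-deployer role, so the action it runs is part of the release path.
      - uses: SonarSource/ci-github-actions/build-maven@master # mutable ref (see REVIEW NOTES)
        with:
          deploy: true
          deploy-pull-request: true
          artifactory-reader-role: private-reader
          artifactory-deployer-role: qa-deployer
          sonar-platform: none
          maven-args: '-DskipTests -T1C'
      - &config_maven
        name: Configure Maven
        id: config-maven
        uses: SonarSource/ci-github-actions/config-maven@master # mutable ref (see REVIEW NOTES)
        with:
          artifactory-reader-role: private-reader
      - &upload_maven_targets
        name: Upload Maven target artifacts
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: maven-targets-${{ runner.os }}-${{ github.sha }}
          path: |
            **/target/
            !**/target/site/
          retention-days: 1

  # Windows builds and tests
  build_win:
    runs-on: github-windows-latest-m
    name: Build SonarJS on Windows
    needs: [setup, populate_maven_cache_win, populate_npm_cache_win]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - *checkout
      - *mise
      - *npm_cache
      - *maven_cache
      - name: Build Maven (no deploy)
        uses: SonarSource/ci-github-actions/build-maven@master # mutable ref (see REVIEW NOTES)
        with:
          deploy: false
          artifactory-reader-role: private-reader
          artifactory-deployer-role: qa-deployer
          sonar-platform: none
          maven-args: '-DskipTests -T1C'
      - *upload_maven_targets

  build_eslint_plugin:
    runs-on: github-ubuntu-latest-s
    needs: [setup, populate_npm_cache]
    name: Build ESLint Plugin
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - *checkout
      - *mise
      - id: secrets
        name: Access vault secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/artifactory/token/${{ github.repository_owner }}-${{ github.event.repository.name }}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
      - name: Configure npm registry
        env:
          # Passed through env so the token is never spliced into the script text.
          ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
        run: |
          npm config set "//repox.jfrog.io/artifactory/api/npm/:_authToken=${ARTIFACTORY_ACCESS_TOKEN}"
          npm config set registry https://repox.jfrog.io/artifactory/api/npm/npm/
      - *npm_cache
      - name: Build ESLint plugin
        run: npm run eslint-plugin:build
      - &eslint_tarball_cache
        name: Cache ESLint plugin tarball
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: lib/*.tgz
          key: eslint-tarball-${{ github.sha }}

  test_eslint_plugin:
    runs-on: github-ubuntu-latest-s
    name: ESLint Plugin Test - ESLint ${{ matrix.eslint-version }} Node ${{ matrix.node-version }}
    needs: build_eslint_plugin
    permissions: *read_permissions
    strategy:
      matrix:
        include:
          - eslint-version: 9
            node-version: '18.18.0'
            node-label: 'min supported'
          - eslint-version: 8
            node-version: '18.18.0'
            node-label: 'min supported'
          - eslint-version: 8
            node-version: '16.20.2'
            node-label: 'node 16'
    steps:
      - *checkout
      - uses: jdx/[email protected] # ref garbled on this page (see REVIEW NOTES)
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            node = "${{ matrix.node-version }}"
      - *eslint_tarball_cache
      - name: Test ESLint Plugin
        run: |
          cd its/eslint${{ matrix.eslint-version }}-plugin-sonarjs
          npm install --ignore-scripts
          npx tsc --noEmit
          npm run test

  knip:
    runs-on: github-ubuntu-latest-s
    name: Knip
    needs: [setup, populate_npm_cache]
    permissions: *read_permissions
    steps:
      - *checkout
      - &mise_node_only
        name: Setup Node
        uses: jdx/[email protected] # ref garbled on this page (see REVIEW NOTES)
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            node = "24.11.0"
      - *npm_cache
      - name: Run knip
        run: |
          npm run bbf
          npx knip

  test_js:
    runs-on: github-ubuntu-latest-l
    name: Unit tests JavaScript/TypeScript
    needs: [setup, populate_npm_cache]
    permissions: *read_permissions
    steps:
      # A hit on the coverage key means the same JS inputs were already tested;
      # all later steps are then skipped.
      - name: Check JS coverage cache
        id: cache
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: coverage/js
          key: js-coverage-${{ needs.setup.outputs.js-files-hash }}
          lookup-only: true
      - name: Checkout source code
        if: steps.cache.outputs.cache-hit != 'true'
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Setup tools
        if: steps.cache.outputs.cache-hit != 'true'
        uses: jdx/[email protected] # ref garbled on this page (see REVIEW NOTES)
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            java = "21.0"
            maven = "3.9"
            node = "24.11.0"
      - name: Cache NPM dependencies
        if: steps.cache.outputs.cache-hit != 'true'
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: node_modules
          key: npm-${{ runner.os }}-${{ needs.setup.outputs.npm-hash }}
      - if: steps.cache.outputs.cache-hit != 'true'
        name: Run JS tests with coverage
        run: |
          npm run generate-meta
          npm run bridge:compile
          npm run bridge:test:cov

  test_js_win:
    runs-on: github-windows-latest-m
    name: Unit tests JavaScript on Windows
    needs: [setup, populate_npm_cache_win]
    permissions: *read_permissions
    steps:
      - name: Cache JS test results marker (Windows)
        id: cache
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: .js-test-marker-win
          key: js-test-win-${{ needs.setup.outputs.js-files-hash }}
          lookup-only: true
      - name: Checkout source code
        if: steps.cache.outputs.cache-hit != 'true'
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Setup tools
        if: steps.cache.outputs.cache-hit != 'true'
        uses: jdx/[email protected] # ref garbled on this page (see REVIEW NOTES)
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            java = "21.0"
            maven = "3.9"
            node = "24.11.0"
      - name: Cache NPM dependencies
        if: steps.cache.outputs.cache-hit != 'true'
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: node_modules
          key: npm-${{ runner.os }}-${{ needs.setup.outputs.npm-hash }}
      - if: steps.cache.outputs.cache-hit != 'true'
        name: Run JS tests on Windows
        shell: bash
        run: |
          npm run generate-meta
          npm run bridge:compile
          npm run bridge:test:js
          mkdir -p .js-test-marker-win && touch .js-test-marker-win/success

  test_java:
    runs-on: github-ubuntu-latest-m
    name: Unit tests Java
    needs: [setup, build]
    permissions: *read_permissions
    steps:
      - *checkout
      - *mise
      - *maven_cache
      - *npm_cache
      - &download_maven_targets
        name: Download Maven target artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: maven-targets-${{ runner.os }}-${{ github.sha }}
      - &prevent_recompilation
        name: Fix timestamps and restore executable permissions
        shell: bash
        run: |
          # Make all class files and jars newer than source files to prevent Maven from recompiling
          find . -type f \( -name "*.class" -o -name "*.jar" \) -exec touch {} +
          # Restore executable permissions (lost during artifact upload/download)
          # Find all executables: .sh, .exe, files in bin/ directories, and binaries without extensions
          find . -type f \( -name "*.sh" -o -name "*.exe" -o -path "*/bin/*" \) -exec chmod +x {} + 2>/dev/null || true
      - &java_coverage_cache
        name: Cache Java coverage
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: coverage/java
          key: java-coverage-${{ github.sha }}
      - *config_maven
      - name: Run Java tests with coverage
        run: mvn verify -T1C -Pcoverage,coverage-report

  test_java_win:
    runs-on: github-windows-latest-m
    name: Unit tests Java on Windows
    needs: [setup, build_win]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - *checkout
      - *mise
      - *maven_cache
      - *npm_cache
      - *download_maven_targets
      - *prevent_recompilation
      - *config_maven
      - name: Run Java tests on Windows
        run: mvn test -T1C

  analyze_primary:
    runs-on: github-ubuntu-latest-s
    name: Analyze in SonarQube NEXT
    needs: [setup, test_js, test_java]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - &checkout_with_tags
        name: Checkout source code with tags
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          fetch-depth: '0'
          fetch-tags: 'true'
      - *mise
      - *npm_cache
      - *maven_cache
      - &js_coverage_cache
        name: Cache JS coverage
        id: js-coverage-cache
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: coverage/js
          key: js-coverage-${{ needs.setup.outputs.js-files-hash }}
      - *java_coverage_cache
      - *download_maven_targets
      - *prevent_recompilation
      - *config_maven
      - id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/kv/data/next url | SONAR_URL;
            development/kv/data/next token | SONAR_TOKEN;
      - name: Run SonarQube analysis on Next
        env:
          SONAR_HOST_URL: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_URL }}
          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }}
          PROJECT_VERSION: ${{ steps.config-maven.outputs.project-version }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Branch names are chosen by whoever opens the pull request, so they
          # are read from the runner-provided GITHUB_* variables rather than
          # expanded into this script with ${{ }}. The array keeps each
          # argument as a single word whatever it contains.
          SONAR_ARGS=(
            "-Dsonar.host.url=$SONAR_HOST_URL"
            "-Dsonar.token=$SONAR_TOKEN"
            "-Dsonar.projectKey=org.sonarsource.javascript:javascript"
            "-Dsonar.projectVersion=$PROJECT_VERSION"
            "-Dsonar.scm.revision=$GITHUB_SHA"
            "-Dcommercial"
          )
          # Add branch/PR information
          if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
            SONAR_ARGS+=(
              "-Dsonar.pullrequest.key=$PR_NUMBER"
              "-Dsonar.pullrequest.branch=$GITHUB_HEAD_REF"
              "-Dsonar.pullrequest.base=$GITHUB_BASE_REF"
            )
          else
            SONAR_ARGS+=("-Dsonar.branch.name=$GITHUB_REF_NAME")
          fi
          mvn org.sonarsource.scanner.maven:sonar-maven-plugin:5.1.0.4751:sonar "${SONAR_ARGS[@]}"

  analyze_shadows:
    runs-on: github-ubuntu-latest-s
    name: Analyze in ${{ matrix.platform }}
    needs: [setup, test_js, test_java]
    permissions: *read_permissions
    # Nightly only.
    if: github.event_name == 'schedule'
    strategy:
      matrix:
        include:
          - platform: SonarCloud EU
            sonar-platform: sonarcloud
          - platform: SonarQube US
            sonar-platform: sonarqube-us
    steps:
      - *checkout_with_tags
      - *mise
      - *npm_cache
      - *maven_cache
      - *js_coverage_cache
      - *java_coverage_cache
      - *download_maven_targets
      - *prevent_recompilation
      - *config_maven
      - id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/kv/data/${{ matrix.sonar-platform }} url | SONAR_URL;
            development/kv/data/${{ matrix.sonar-platform }} token | SONAR_TOKEN;
      - name: Run SonarQube analysis on ${{ matrix.platform }}
        env:
          SONAR_HOST_URL: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_URL }}
          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }}
          PROJECT_VERSION: ${{ steps.config-maven.outputs.project-version }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Same argument handling as the primary analysis: context values come
          # from environment variables, never from ${{ }} inside the script.
          SONAR_ARGS=(
            "-Dsonar.host.url=$SONAR_HOST_URL"
            "-Dsonar.token=$SONAR_TOKEN"
            "-Dsonar.projectKey=SonarSource_SonarJS"
            "-Dsonar.projectVersion=$PROJECT_VERSION"
            "-Dsonar.scm.revision=$GITHUB_SHA"
            "-Dsonar.organization=sonarsource"
            "-Dcommercial"
          )
          # Add branch/PR information
          if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
            SONAR_ARGS+=(
              "-Dsonar.pullrequest.key=$PR_NUMBER"
              "-Dsonar.pullrequest.branch=$GITHUB_HEAD_REF"
              "-Dsonar.pullrequest.base=$GITHUB_BASE_REF"
            )
          else
            SONAR_ARGS+=("-Dsonar.branch.name=$GITHUB_REF_NAME")
          fi
          mvn org.sonarsource.scanner.maven:sonar-maven-plugin:5.1.0.4751:sonar "${SONAR_ARGS[@]}"

  plugin_qa_with_node:
    runs-on: github-ubuntu-latest-m
    name: QA with Node ${{ matrix.node-version }} on Ubuntu
    needs: [setup, build]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    strategy:
      # The matrix is the JSON the setup job derived from package.json.
      matrix: ${{ fromJson(needs.setup.outputs.node-matrix) }}
    steps:
      - *checkout
      - &mise_with_java_and_matrix_node
        uses: jdx/[email protected] # ref garbled on this page (see REVIEW NOTES)
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            java = "21.0"
            maven = "3.9"
            node = "${{ matrix.node-version }}"
      - *maven_cache
      - *config_maven
      - &get_licenses_token
        id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/github/token/licenses-ro token | licenses_token;
      - &set_monthly_cache_date
        name: Set monthly cache date
        shell: bash
        run: |
          MONTHLY_CACHE_DATE=$(date +'%Y-%m')
          echo "MONTHLY_CACHE_DATE=$MONTHLY_CACHE_DATE" >> "$GITHUB_ENV"
          echo "ORCHESTRATOR_HOME_MONTHLY=${{ github.workspace }}/orchestrator/$MONTHLY_CACHE_DATE" >> "$GITHUB_ENV"
      - &orchestrator_cache_monthly
        name: Cache Orchestrator (monthly)
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: ${{ env.ORCHESTRATOR_HOME_MONTHLY }}
          key: orchestrator-monthly-${{ env.MONTHLY_CACHE_DATE }}
      - &setup_orchestrator_home_monthly
        name: Setup Orchestrator home directory (monthly)
        shell: bash
        run: |
          mkdir -p "$ORCHESTRATOR_HOME_MONTHLY"
          echo "ORCHESTRATOR_HOME=$ORCHESTRATOR_HOME_MONTHLY" >> "$GITHUB_ENV"
      - name: Run Plugin QA
        run: |
          mvn package -f its/plugin/plugins/consumer-plugin/pom.xml
          mvn -f its/plugin/sonarlint-tests/pom.xml -DskipTests=false -Dsonar.runtimeVersion=LATEST_RELEASE -B -e -V verify surefire-report:report
          mvn -f its/plugin/tests/pom.xml -DskipTests=false -Dsonar.runtimeVersion=LATEST_RELEASE -B -e -V verify surefire-report:report
        env:
          SONARSOURCE_QA: true
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}

  plugin_qa_fast_with_node:
    runs-on: github-ubuntu-latest-m
    name: Fast QA with Node ${{ matrix.node-version }} on Ubuntu
    needs: [setup, build]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    strategy:
      matrix: ${{ fromJson(needs.setup.outputs.node-matrix) }}
    steps:
      - *checkout
      - *mise_with_java_and_matrix_node
      - *maven_cache
      - *config_maven
      - *get_licenses_token
      - name: Run Fast Plugin QA
        run: |
          mvn package -f its/plugin/plugins/pom.xml
          mvn -f its/plugin/fast-tests/pom.xml -DskipTests=false -Dsonar.runtimeVersion=LATEST_RELEASE -B -e -V verify surefire-report:report
        env:
          SONARSOURCE_QA: true
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}

  plugin_qa_without_node:
    runs-on: github-ubuntu-latest-m
    name: QA without Node on ${{ matrix.os }} SQ:${{ matrix.sq-version }}
    needs: [setup, build]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    strategy:
      matrix:
        include:
          - os: Ubuntu
            sq-version: LATEST_RELEASE
            artifact: multi
            cache-type: monthly
          # - os: Alpine
          #   sq-version: LATEST_RELEASE
          #   artifact: linux-x64-musl
          #   cache-type: monthly
          - os: Ubuntu
            sq-version: DEV
            artifact: multi
            cache-type: daily
    steps:
      - *checkout
      - &mise_with_java
        name: Setup Java and Maven
        uses: jdx/[email protected] # ref garbled on this page (see REVIEW NOTES)
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            java = "21.0"
            maven = "3.9"
      - *maven_cache
      - *config_maven
      - *get_licenses_token
      - *set_monthly_cache_date
      - name: Set daily cache date
        shell: bash
        run: |
          DAILY_CACHE_DATE=$(date +'%Y-%m-%d')
          echo "DAILY_CACHE_DATE=$DAILY_CACHE_DATE" >> "$GITHUB_ENV"
          echo "ORCHESTRATOR_HOME_DAILY=${{ github.workspace }}/orchestrator/$DAILY_CACHE_DATE" >> "$GITHUB_ENV"
      - &remove_node_from_path
        name: Disable existing node
        shell: bash
        run: |
          node --version
          NODE_PATH=$(which node)
          sudo mv "$NODE_PATH" "${NODE_PATH}.disabled"
          # Verify node is no longer accessible
          if which node 2>/dev/null; then
            echo "ERROR: node is still accessible!"
            exit 1
          else
            echo "SUCCESS: node is no longer accessible"
          fi
      - name: Cache Orchestrator
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: ${{ matrix.cache-type == 'monthly' && env.ORCHESTRATOR_HOME_MONTHLY || env.ORCHESTRATOR_HOME_DAILY }}
          key: orchestrator-${{ matrix.cache-type }}-${{ matrix.cache-type == 'monthly' && env.MONTHLY_CACHE_DATE || env.DAILY_CACHE_DATE }}
      - name: Setup Orchestrator home directory
        shell: bash
        run: |
          if [ "${{ matrix.cache-type }}" = "monthly" ]; then
            mkdir -p "$ORCHESTRATOR_HOME_MONTHLY"
            echo "ORCHESTRATOR_HOME=$ORCHESTRATOR_HOME_MONTHLY" >> "$GITHUB_ENV"
          else
            mkdir -p "$ORCHESTRATOR_HOME_DAILY"
            echo "ORCHESTRATOR_HOME=$ORCHESTRATOR_HOME_DAILY" >> "$GITHUB_ENV"
          fi
      - name: Run Plugin QA without Node
        run: |
          mvn package -f its/plugin/plugins/consumer-plugin/pom.xml
          mvn -f its/plugin/sonarlint-tests/pom.xml -DskipTests=false -Dsonar.runtimeVersion=${{ matrix.sq-version }} -B -e -V verify surefire-report:report
          mvn -f its/plugin/tests/pom.xml -DskipTests=false -Dsonar.runtimeVersion=${{ matrix.sq-version }} -B -e -V verify surefire-report:report
        env:
          SONARSOURCE_QA: true
          SONARJS_ARTIFACT: ${{ matrix.artifact }}
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}

  plugin_qa_fast_without_node:
    runs-on: github-ubuntu-latest-m
    name: Fast QA without Node on ${{ matrix.os }} SQ:${{ matrix.sq-version }}
    needs: [setup, build]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    strategy:
      matrix:
        include:
          - os: Ubuntu
            sq-version: LATEST_RELEASE
            artifact: multi
          # - os: Alpine
          #   sq-version: LATEST_RELEASE
          #   artifact: linux-x64-musl
          - os: Ubuntu
            sq-version: DEV
            artifact: multi
    steps:
      - *checkout
      - *mise_with_java
      - *maven_cache
      - *config_maven
      - *get_licenses_token
      - *remove_node_from_path
      - name: Run Fast Plugin QA without Node
        run: |
          mvn package -f its/plugin/plugins/pom.xml --projects !org.sonarsource.javascript:eslint-custom-rules-plugin,!org.sonarsource.javascript:eslint-custom-rules-plugin-legacy
          mvn -f its/plugin/fast-tests/pom.xml -DskipTests=false -Dsonar.runtimeVersion=${{ matrix.sq-version }} -Dtest=!EslintCustomRulesTest,!EslintCustomRulesLegacyTest -B -e -V verify surefire-report:report
        env:
          SONARSOURCE_QA: true
          SONARJS_ARTIFACT: ${{ matrix.artifact }}
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}

  plugin_qa_win:
    runs-on: github-windows-latest-m
    name: QA on Windows
    needs: [setup, populate_maven_cache_win, build]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - *checkout
      - *mise
      - *maven_cache
      - *config_maven
      - *get_licenses_token
      - *set_monthly_cache_date
      - *orchestrator_cache_monthly
      - *setup_orchestrator_home_monthly
      - name: Run Plugin QA on Windows
        shell: bash
        run: |
          mvn package -f its/plugin/plugins/consumer-plugin/pom.xml
          mvn -f its/plugin/tests/pom.xml -DskipTests=false -Dsonar.runtimeVersion=LATEST_RELEASE -B -e -V verify surefire-report:report
        env:
          SONARSOURCE_QA: true
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}

  plugin_qa_sonarlint_win:
    runs-on: github-windows-latest-m
    name: QA SonarLint on Windows
    needs: [setup, populate_maven_cache_win, build]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - *checkout
      - *mise
      - *maven_cache
      - *config_maven
      - *set_monthly_cache_date
      - *orchestrator_cache_monthly
      - *setup_orchestrator_home_monthly
      - name: Run Plugin QA on Windows
        shell: bash
        run: |
          mvn -f its/plugin/sonarlint-tests/pom.xml -DskipTests=false -Dsonar.runtimeVersion=LATEST_RELEASE -B -e -V verify surefire-report:report
        env:
          SONARSOURCE_QA: true

  plugin_qa_win_fast_with_node:
    runs-on: github-windows-latest-m
    name: Fast QA on Windows with Node
    needs: [setup, populate_maven_cache_win, build]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - *checkout
      - *mise
      - *maven_cache
      - *config_maven
      - *get_licenses_token
      - name: Run Fast Plugin QA on Windows
        shell: bash
        run: |
          mvn package -f its/plugin/plugins/pom.xml
          mvn -f its/plugin/fast-tests/pom.xml -DskipTests=false -Dsonar.runtimeVersion=LATEST_RELEASE -B -e -V verify surefire-report:report
        env:
          SONARSOURCE_QA: true
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}

  js_ts_ruling:
    runs-on: github-ubuntu-latest-m
    name: JS/TS Ruling
    needs: [setup, populate_npm_cache]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - &checkout_with_submodules
        name: Checkout source code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          submodules: true
      - *mise_node_only
      - *npm_cache
      - name: Run JS/TS Ruling
        run: |
          npm run generate-meta
          npm run ruling
      - name: Upload ruling differences
        if: failure()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: ruling-differences-jsts
          path: packages/ruling/actual/jsts/

  ruling:
    runs-on: github-ubuntu-latest-l
    name: Ruling Test
    needs: [setup, build]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - *checkout_with_submodules
      - *mise
      - *maven_cache
      - *config_maven
      - *get_licenses_token
      - *set_monthly_cache_date
      - *orchestrator_cache_monthly
      - *setup_orchestrator_home_monthly
      - name: Run Ruling Tests
        run: |
          cd its/ruling
          mvn test -Dtest=JsTsRulingTest -DskipTests=false -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -Djunit.jupiter.execution.parallel.config.dynamic.factor=1 -B -e -V
        env:
          SONARSOURCE_QA: true
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}
      - name: Upload ruling differences
        if: failure()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: ruling-differences
          path: its/ruling/target/actual/jsts/

  css_ruling:
    runs-on: github-ubuntu-latest-m
    name: CSS Ruling
    needs: [setup, build]
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    permissions: *read_permissions
    steps:
      - *checkout_with_submodules
      - *mise
      - *maven_cache
      - *config_maven
      - *get_licenses_token
      - *set_monthly_cache_date
      - *orchestrator_cache_monthly
      - *setup_orchestrator_home_monthly
      - name: Run CSS Ruling
        run: |
          cd its/ruling
          mvn test -DskipTests=false -Dtest=CssRulingTest -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -Djunit.jupiter.execution.parallel.config.dynamic.factor=1 -B -e -V
        env:
          SONARSOURCE_QA: true
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}
      - name: Upload ruling differences
        if: failure()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: ruling-differences-css
          path: its/ruling/target/actual/

  # IRIS tasks (nightly only)
  run_iris:
    runs-on: github-ubuntu-latest-s
    name: IRIS SQ NEXT -> ${{ matrix.shadow-name }}
    needs: [analyze_primary, analyze_shadows]
    if: github.event_name == 'schedule'
    permissions:
      id-token: write
      contents: read
    strategy:
      matrix:
        include:
          - shadow-name: SonarCloud EU
            shadow-platform: SQC-EU
          - shadow-name: SonarQube US
            shadow-platform: SQC-US
    steps:
      - uses: SonarSource/unified-dogfooding-actions/run-iris@v1
        with:
          primary_project_key: org.sonarsource.javascript:javascript
          primary_platform: Next
          shadow1_project_key: SonarSource_SonarJS
          shadow1_platform: ${{ matrix.shadow-platform }}

  promote:
    runs-on: github-ubuntu-latest-s
    # Runs only after every build, test, analysis and QA job listed here.
    needs:
      - build
      - test_js
      - test_java
      - test_js_win
      - test_java_win
      - analyze_primary
      - test_eslint_plugin
      - plugin_qa_with_node
      - plugin_qa_without_node
      - plugin_qa_fast_with_node
      - plugin_qa_fast_without_node
      - plugin_qa_win
      - plugin_qa_sonarlint_win
      - plugin_qa_win_fast_with_node
      - css_ruling
      - ruling
      - js_ts_ruling
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
    permissions: *read_permissions
    steps:
      - *checkout
      - *mise
      - uses: SonarSource/ci-github-actions/promote@v1
        with:
          promote-pull-request: true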