ci-github-actions

Dogfooding Status

These badges show the status of workflows in dummy repositories that use (or should use) ci-github-actions@master:

sonar-dummy (Maven)

sonar-dummy-gradle-oss (Gradle)

sonar-dummy-js (NPM)

sonar-dummy-maven-enterprise (Maven)

sonar-dummy-python-oss (Python)

sonar-dummy-yarn (Yarn)

`get-build-number`

Manage the build number in GitHub Actions.

The build number is stored in the GitHub repository property named build_number. This action will reuse or increment the build number, and set it as an environment variable named BUILD_NUMBER, and as a GitHub Actions output variable also named BUILD_NUMBER.

The build number is unique per workflow run ID. It is not incremented on workflow reruns.

Requirements

Required GitHub Permissions

id-token: write
contents: read

Required Vault Permissions

build-number: GitHub preset to read and write the build number property. This is built-in to the Vault auth.github permission.

Usage

jobs:
  get-build-number:
    runs-on: sonar-xs  # Private repos default; use github-ubuntu-latest-s for public repos
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: SonarSource/ci-github-actions/get-build-number@v1

Input Environment Variables

Environment Variable	Description
`BUILD_NUMBER`	If present in the environment, it will be reused as the build number

Inputs

No inputs are required for this action.

Outputs

Output	Description
`BUILD_NUMBER`	The current build number

Output Environment Variables

Environment Variable	Description
`BUILD_NUMBER`	The current build number

`config-maven`

Configure Maven build environment with build number, authentication, and default settings.

Note: This action automatically calls get-build-number to manage the build number.

This action sets up the complete Maven environment for SonarSource projects, including:

Build number management
Artifactory authentication and repository setup
Maven settings configuration for Repox
Maven local repository caching
Common Maven flags and JVM options
Project version management: Automatically replaces -SNAPSHOT versions with the build number (skipped if both CURRENT_VERSION and PROJECT_VERSION environment variables are set)

Caching Configuration

By default, Maven caches ~/.m2/repository. You can customize this behavior:

Cache custom directories:

- uses: SonarSource/ci-github-actions/config-maven@v1
  with:
    cache-paths: |
      ~/.m2/repository
      .custom-cache
      target/cache

Disable caching entirely:

- uses: SonarSource/ci-github-actions/config-maven@v1
  with:
    disable-caching: 'true'

Requirements

Required GitHub Permissions

id-token: write
contents: read

Required Vault Permissions

public-reader or private-reader: Artifactory role for reading dependencies.

Other Dependencies

The Maven tool must be pre-installed. Use of mise is recommended.

Usage

permissions:
  id-token: write
  contents: write
steps:
  - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
  - uses: SonarSource/ci-github-actions/config-maven@v1
  - run: mvn verify

Input Environment Variables

Environment Variable	Description
`BUILD_NUMBER`	If present, it will be reused by the `get-build-number` action.
`CURRENT_VERSION` and `PROJECT_VERSION`	If both are set, they will be used as-is and no version update will be performed.
`MAVEN_OPTS`	JVM options for Maven execution. Defaults to `-Xmx1536m -Xms128m`.
`JAVA_TOOL_OPTIONS`	JVM options. Defaults to `-XX:-UseContainerSupport`.
`CONFIG_MAVEN_COMPLETED`	For internal use. If set, the action is skipped

Inputs

Input	Description	Default
`working-directory`	Relative path under github.workspace to execute the build in	`.`
`artifactory-reader-role`	Suffix for the Artifactory reader role in Vault	`private-reader` for private repos, `public-reader` for public repos
`common-mvn-flags`	Maven flags for all subsequent mvn calls	`--batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false`
`repox-url`	URL for Repox	`https://repox.jfrog.io`
`repox-artifactory-url`	URL for Repox Artifactory API (overrides repox-url/artifactory if provided)	(optional)
`use-develocity`	Whether to use Develocity for build tracking	`false`
`develocity-url`	URL for Develocity	`https://develocity.sonar.build/`
`cache-paths`	Custom cache paths (multiline).	(optional)
`disable-caching`	Whether to disable Maven caching entirely	`false`

Outputs

Output	Description
`BUILD_NUMBER`	The current build number. Also set as environment variable `BUILD_NUMBER`
`current-version`	The project version set in the pom.xml (before replacement). Also set as environment variable `CURRENT_VERSION`
`project-version`	The project version with build number (after replacement). Also set as environment variable `PROJECT_VERSION`

Output Environment Variables

Environment Variable	Description
`ARTIFACTORY_ACCESS_TOKEN`	Access token for Artifactory authentication
`ARTIFACTORY_ACCESS_USERNAME`	Deprecated alias for `ARTIFACTORY_USERNAME`
`ARTIFACTORY_USERNAME`	Username for Artifactory authentication
`ARTIFACTORY_PASSWORD`	Deprecated alias for `ARTIFACTORY_ACCESS_TOKEN`
`ARTIFACTORY_URL`	Artifactory (Repox) URL. E.x.: `https://repox.jfrog.io/artifactory`
`BASH_ENV`	Path to the bash profile with mvn function for adding common flags to Maven calls
`CURRENT_VERSION`	The original project version from pom.xml
`DEVELOCITY_ACCESS_KEY`	The Develocity access key when `use-develocity` is true
`MAVEN_OPTS`	JVM options for Maven execution.
`PROJECT_VERSION`	The project version with build number (after replacement)
`SONARSOURCE_REPOSITORY_URL`	URL for SonarSource Artifactory root virtual repository (i.e.: `sonarsource` for release builds or `sonarsource-qa` for QA builds)
`CONFIG_MAVEN_COMPLETED`	For internal use. If set, the action is skipped
`MAVEN_CONFIG`	Path to m2 root `$HOME/.m2`

See also get-build-number output environment variables.

`build-maven`

Build and deploy a Maven project with SonarQube analysis and Artifactory deployment.

Note: This action automatically calls config-maven to set up the Maven environment.

Requirements

Required GitHub Permissions

id-token: write
contents: write

Required Vault Permissions

public-reader or private-reader: Artifactory role for reading dependencies.
public-deployer or qa-deployer: Artifactory role for deployment.
development/kv/data/develocity: Develocity access token (only fetched when use-develocity: true).

Other Dependencies

The Java and Maven tools must be pre-installed. Use of mise is recommended.
The "Sonar parent POM" ([org|com].sonarsource.parent:parent) must be used. There's a public POM (org) and a private POM (com), respectively for public or private code.
Develocity: In order to access Develocity from GitHub hosted runner e.g. github-ubuntu-latest-s you need to adjust your Develocity plugin configuration to use the following URL:

<develocity>
  <server>
    <url>https://develocity-public.sonar.build</url>
  </server>
</develocity>

You also need to provide the same url in develocity-url parameter.

Usage

permissions:
  id-token: write
  contents: write
steps:
  - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
  - uses: SonarSource/ci-github-actions/config-maven@v1
  - uses: SonarSource/ci-github-actions/build-maven@v1

Input Environment Variables

Environment Variable	Description	Default
`ARTIFACTORY_PRIVATE_DEPLOY_REPO`	Only if `mixed-privacy == true`. Repository to deploy private artifacts.	`sonarsource-private-qa`
`ARTIFACTORY_PRIVATE_DEPLOYER_ROLE`	Only if `mixed-privacy == true`. Suffix for the Artifactory private deployer role in Vault.	`qa-deployer`

See also config-maven input environment variables.

Inputs

Input	Description	Default
`artifactory-deploy-repo`	Deployment repository	`sonarsource-private-qa` for private repositories, `sonarsource-public-qa` for public repos
`artifactory-reader-role`	Suffix for the Artifactory reader role in Vault	`private-reader` for private repos, `public-reader` for public repos
`artifactory-deployer-role`	Suffix for the Artifactory deployer role in Vault	`qa-deployer` for private repos, `public-deployer` for public repos
`deploy`	Whether to deploy on master, maintenance, dogfood and long-lived branches	`true`
`deploy-pull-request`	Whether to also deploy for pull requests. If deploy is false, this has no effect.	`false`
`maven-args`	Additional arguments to pass to Maven	(optional)
`scanner-java-opts`	Additional Java options for the Sonar scanner (`SONAR_SCANNER_JAVA_OPTS`)	`-Xmx512m`
`repox-url`	URL for Repox	`https://repox.jfrog.io`
`repox-artifactory-url`	URL for Repox Artifactory API (overrides repox-url/artifactory if provided)	(optional)
`use-develocity`	Whether to use Develocity for build tracking	`false`
`develocity-url`	URL for Develocity	`https://develocity.sonar.build/`
`sonar-platform`	SonarQube primary platform - 'next', 'sqc-eu', 'sqc-us', or 'none'. Use 'none' to skip sonar scans	`next`
`working-directory`	Relative path under github.workspace to execute the build in	`.`
`run-shadow-scans`	If true, run SonarQube analysis on all 3 platforms (next, sqc-eu, sqc-us); if false, only on the selected `sonar-platform`	`false`
`cache-paths`	Custom cache paths (multiline). Overrides default `~/.m2/repository`.	(optional)
`cache-cleanup`	Whether to clean up the cache before saving it.	`true`
`disable-caching`	Whether to disable Maven caching entirely	`false`
`provenance`	Whether to generate provenance attestation for built artifacts	`false`
`provenance-artifact-paths`	Relative paths of artifacts for provenance attestation (glob pattern). See Provenance Attestation	(optional)
`mixed-privacy`	Whether the repository contains both public and private code	`false`
`generate-summary`	Whether to generate a workflow summary after the build	`true`

`cache-cleanup`

Adds an extra step to delete the <org|com>/sonarsource artifacts from the cache before saving it.

This is useful for avoiding the caching of Sonar artifacts which are built in the same repository and will not be reused. However, they may need to be kept, or deleted later in the workflow, if other steps depend on them.

`mixed-privacy`

When set to true, this input option configures the build to handle both public and private artifacts.

The Maven Artifactory plugin will not publish the artifacts.
The artifacts are individually deployed after the build with the JFrog CLI to their respective repositories.
This feature relies on Maven install being enabled (maven.install.skip=false).

It is possible to customize the target public and private repository names and the roles used for deployment by setting the input parameters for the public values, and by setting the environment variables for the private values:

artifactory-deploy-repo input
artifactory-deployer-role input
ARTIFACTORY_PRIVATE_DEPLOY_REPO environment variable
ARTIFACTORY_PRIVATE_DEPLOYER_ROLE environment variable

Outputs

Output	Description
`project-version`	The project version with build number (after replacement). Also set as environment variable `PROJECT_VERSION`
`BUILD_NUMBER`	The current build number. Also set as environment variable `BUILD_NUMBER`
`deployed`	`true` if the build succeed and was supposed to deploy

Output Environment Variables

SONARSOURCE_REPOSITORY_URL: URL for SonarSource Artifactory root virtual repository is set to sonarsource

See also config-maven output environment variables.

`build-poetry`

Build, analyze, and publish a Python project using Poetry with SonarQube integration and Artifactory deployment.

Requirements

Required GitHub Permissions

id-token: write
contents: write

Required Vault Permissions

public-reader or private-reader: Artifactory role for reading dependencies
public-deployer or qa-deployer: Artifactory role for deployment

Other Dependencies

The Python and Poetry tools must be pre-installed. Use of mise is recommended.

Usage

name: Build
on:
  push:
    branches:
      - master
      - branch-*
  pull_request:
  merge_group:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true # or ${{ github.ref_name != github.event.repository.default_branch }}

jobs:
  build:
    runs-on: sonar-xs  # Private repos default; use github-ubuntu-latest-s for public repos
    name: Build
    permissions:
      id-token: write
      contents: write
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: SonarSource/ci-github-actions/build-poetry@v1
        with:
          public: false                                        # Defaults to `true` if the repository is public
          artifactory-reader-role: private-reader              # or public-reader if `public` is `true`
          artifactory-deployer-role: qa-deployer               # or public-deployer if `public` is `true`
          deploy-pull-request: false                           # Deploy pull request artifacts
          poetry-virtualenvs-path: .cache/pypoetry/virtualenvs # Poetry virtual environment path
          poetry-cache-dir: .cache/pypoetry                    # Poetry cache directory
          repox-url: https://repox.jfrog.io                    # Repox URL
          sonar-platform: next                                 # SonarQube platform (next, sqc-eu, or sqc-us)
          run-shadow-scans: false                              # Run SonarQube scans on all 3 platforms (next, sqc-eu, sqc-us)

Disable caching entirely:

- uses: SonarSource/ci-github-actions/build-poetry@v1
  with:
    disable-caching: 'true'

Inputs

Input	Description	Default
`public`	Deprecated	Repository visibility
`artifactory-reader-role`	Suffix for the Artifactory reader role in Vault	`private-reader` for private repos, `public-reader` for public repos
`artifactory-deployer-role`	Suffix for the Artifactory deployer role in Vault	`qa-deployer` for private repos, `public-deployer` for public repos
`artifactory-deploy-repo`	Deployment repository	`sonarsource-pypi-private-qa` for private repositories, `sonarsource-pypi-public-qa` for public repos
`deploy-pull-request`	Whether to deploy pull request artifacts	`false`
`poetry-virtualenvs-path`	Path to the Poetry virtual environments, relative to GitHub workspace	`.cache/pypoetry/virtualenvs`
`poetry-cache-dir`	Path to the Poetry cache directory, relative to GitHub workspace	`.cache/pypoetry`
`repox-url`	URL for Repox	`https://repox.jfrog.io`
`repox-artifactory-url`	URL for Repox Artifactory API (overrides repox-url/artifactory if provided)	(optional)
`sonar-platform`	SonarQube primary platform - 'next', 'sqc-eu', sqc-us, or 'none'. Use 'none' to skip sonar scans	`next`
`run-shadow-scans`	If true, run sonar scanner on all 3 platforms using the provided URL and token. If false, run on the platform provided by sonar-platform. When enabled, the sonar-platform setting is ignored	`false`
`working-directory`	Relative path under github.workspace to execute the build in	`.`
`disable-caching`	Whether to disable Poetry caching entirely	`false`
`provenance`	Whether to generate provenance attestation for built artifacts	`false`
`provenance-artifact-paths`	Relative paths of artifacts for provenance attestation (glob pattern). See Provenance Attestation	(optional)
`generate-summary`	Whether to generate a workflow summary after the build	`true`

Outputs

Output	Description
`BUILD_NUMBER`	The current build number. Also set as environment variable `BUILD_NUMBER`
`project-version`	The project version from pyproject.toml with build number. Also set as environment variable `PROJECT_VERSION`
`deployed`	`true` if the build succeed and was supposed to deploy

`config-gradle`

Configure Gradle build environment with build number, authentication, and default settings.

Note: This action automatically calls get-build-number to manage the build number.

This action sets up the complete Gradle environment for SonarSource projects, including:

Build number management
Artifactory authentication and repository setup
Gradle authentication configuration for Repox
Gradle caching (caches and wrapper directories)
JVM options configuration
Develocity integration for build tracking (optional)
Project version management: Automatically replaces -SNAPSHOT versions with the build number (skipped if both CURRENT_VERSION and PROJECT_VERSION environment variables are set)

Caching Configuration

By default, Gradle caches ~/.gradle/caches and ~/.gradle/wrapper. You can customize this behavior:

Cache custom directories:

- uses: SonarSource/ci-github-actions/config-gradle@v1
  with:
    cache-paths: |
      ~/.gradle/caches
      ~/.gradle/wrapper
      ~/custom/directory

Disable caching entirely:

- uses: SonarSource/ci-github-actions/config-gradle@v1
  with:
    disable-caching: 'true'

Requirements

Required GitHub Permissions

id-token: write
contents: write

Required Vault Permissions

public-reader or private-reader: Artifactory role for reading dependencies.
development/kv/data/develocity: Develocity access token (only fetched when use-develocity: true).

Other Dependencies

Java: Must be pre-installed in the runner image. We recommend using mise to install and manage Java versions.

Gradle: Must be pre-installed in the runner image. We recommend including the Gradle wrapper (gradlew) in your repository, which will be used automatically. If the Gradle wrapper is not available, you can install Gradle using mise in your pipeline.

Usage

permissions:
  id-token: write
  contents: write
steps:
  - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
  - uses: SonarSource/ci-github-actions/config-gradle@v1
  - run: ./gradlew build

Input Environment Variables

Environment Variable	Description
`BUILD_NUMBER`	If present, it will be reused by the `get-build-number` action.
`CURRENT_VERSION` and `PROJECT_VERSION`	If both are set, they will be used as-is and no version update will be performed.
`ARTIFACTORY_URL`	Artifactory (Repox) URL. Default: `https://repox.jfrog.io/artifactory`
`SONARSOURCE_REPOSITORY`	SonarSource Repox repository (e.x.: `sonarsource` (default) or `sonarsource-qa`)

If provided, ARTIFACTORY_URL is used at runtime by the Gradle init script to configure the Artifactory URL. artifactoryUrl Gradle property can also be used instead.

If provided, SONARSOURCE_REPOSITORY is used at runtime by the Gradle init script to configure the source repository for artifacts.

Inputs

Input	Description	Default
`working-directory`	Relative path under github.workspace to execute the build in	`.`
`artifactory-reader-role`	Suffix for the Artifactory reader role in Vault	`private-reader` for private repos, `public-reader` for public repos
`use-develocity`	Whether to use Develocity for build tracking	`false`
`develocity-url`	URL for Develocity	`https://develocity.sonar.build/`
`repox-url`	URL for Repox	`https://repox.jfrog.io`
`repox-artifactory-url`	URL for Repox Artifactory API (overrides repox-url/artifactory if provided)	(optional)
`cache-paths`	Custom cache paths (multiline).	`~/.gradle/caches` `~/.gradle/wrapper`
`disable-caching`	Whether to disable Gradle caching entirely	`false`

Outputs

Output	Description
`BUILD_NUMBER`	The current build number. Also set as environment variable `BUILD_NUMBER`
`current-version`	The project version set in gradle.properties (before replacement). Also set as environment variable `CURRENT_VERSION`
`project-version`	The project version with build number (after replacement). Also set as environment variable `PROJECT_VERSION`

Output Environment Variables

Environment Variable	Description
`BUILD_NUMBER`	The current build number.
`CURRENT_VERSION`	The original project version from gradle.properties
`PROJECT_VERSION`	The project version with build number (after replacement)
`ARTIFACTORY_READER_ROLE`	Reader role for Artifactory authentication
`ARTIFACTORY_USERNAME`	Username for Artifactory authentication
`ARTIFACTORY_ACCESS_TOKEN`	Access token for Artifactory authentication
`ARTIFACTORY_URL`	Artifactory (Repox) URL. E.x.: `https://repox.jfrog.io/artifactory`
`ARTIFACTORY_ACCESS_USERNAME`	Deprecated alias for `ARTIFACTORY_USERNAME`
`ARTIFACTORY_PASSWORD`	Deprecated alias for `ARTIFACTORY_ACCESS_TOKEN`
`DEVELOCITY_ACCESS_KEY`	The Develocity access key when `use-develocity` is true
`GRADLE_CACHE_KEY`	The Gradle cache key generated from all gradle files

See also get-build-number output environment variables.

`build-gradle`

Build and publish a Gradle project with SonarQube analysis and Artifactory deployment.

Note: This action automatically calls config-gradle to set up the Gradle environment. Note: Uses the Gradle wrapper (./gradlew) by default, falling back to the gradle binary if not found.

Requirements

Required GitHub Permissions

id-token: write
contents: write

Required Vault Permissions

development/kv/data/develocity: Develocity access token (only fetched when use-develocity: true)
public-reader or private-reader: Artifactory role for reading dependencies
public-deployer or qa-deployer: Artifactory role for deployment

Other Dependencies

Java: Not pre-installed in the runner image. We recommend using mise to install and manage Java versions.

Gradle: Not pre-installed in the runner image. We recommend including the Gradle wrapper (gradlew) in your repository, which will be used automatically. If the Gradle wrapper is not available, you can install Gradle using mise in your pipeline.

Develocity: In order to access Develocity from GitHub hosted runner e.g. github-ubuntu-latest-s you need to adjust your Develocity plugin configuration to use the following URL:

  develocity {
    server = "https://develocity-public.sonar.build"
    // ...
  }

You also need to provide the same url in develocity-url parameter.

Additional Configuration: The Gradle Artifactory plugin configuration is required in build.gradle file.

Usage

name: Build
on:
  push:
    branches:
      - master
      - branch-*
  pull_request:
  merge_group:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true # or ${{ github.ref_name != github.event.repository.default_branch }}

jobs:
  build:
    runs-on: sonar-xs  # Private repos default; use github-ubuntu-latest-s for public repos
    name: Build
    permissions:
      id-token: write
      contents: write
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: SonarSource/ci-github-actions/build-gradle@v1
        with:
          # Enable shadow scans for unified platform dogfooding (optional)
          run-shadow-scans: 'true'
          # Primary platform when shadow scans disabled (optional)
          sonar-platform: 'next'

Input Environment Variables

Environment Variable	Description
`JAVA_TOOL_OPTIONS`	JVM options. Defaults to `-XX:-UseContainerSupport`.

See also config-gradle input environment variables.

Inputs

Input	Description	Default
`artifactory-deploy-repo`	Deployment repository	`sonarsource-private-qa` for private repositories, `sonarsource-public-qa` for public repos
`artifactory-reader-role`	Suffix for the Artifactory reader role in Vault	`private-reader` for private repos, `public-reader` for public repos
`artifactory-deployer-role`	Suffix for the Artifactory deployer role in Vault	`qa-deployer` for private repos, `public-deployer` for public repos
`deploy`	Whether to deploy on master, maintenance, dogfood and long-lived branches	`true`
`deploy-pull-request`	Whether to also deploy for pull requests. If deploy is false, this has no effect.	`false`
`skip-tests`	Whether to skip running tests	`false`
`use-develocity`	Whether to use Develocity for build tracking	`false`
`gradle-args`	Additional arguments to pass to Gradle	(optional)
`develocity-url`	URL for Develocity	`https://develocity.sonar.build/`
`repox-url`	URL for Repox	`https://repox.jfrog.io`
`repox-artifactory-url`	URL for Repox Artifactory API (overrides repox-url/artifactory if provided)	(optional)
`sonar-platform`	SonarQube variant - 'next', 'sqc-eu', 'sqc-us', or 'none'. Use 'none' to skip sonar scans	`next`
`working-directory`	Relative path under github.workspace to execute the build in	`.`
`run-shadow-scans`	Enable analysis across all 3 SonarQube platforms (unified platform dogfooding)	`false`
`cache-paths`	Custom cache paths (multiline).	`~/.gradle/caches` `~/.gradle/wrapper`
`disable-caching`	Whether to disable Gradle caching entirely	`false`
`provenance`	Whether to generate provenance attestation for built artifacts	`false`
`provenance-artifact-paths`	Relative paths of artifacts for provenance attestation (glob pattern). See Provenance Attestation	(optional)
`generate-summary`	Whether to generate a workflow summary after the build	`true`

Tip

When using working-directory, Java must be available at root due to a limitation of setup-gradle. For instance, if the mise.toml file is in the working directory, and not at root.

     - name: Workaround for setup-gradle which has no working-directory input
       run: |
         cp <working-directory>/mise.toml mise.toml
     - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
       with:
         version: 2025.11.1
     - uses: SonarSource/ci-github-actions/build-gradle@v1
       with:
         working-directory: <working-directory>

Outputs

Output	Description
`project-version`	The project version from gradle.properties
`BUILD_NUMBER`	The current build number. Also set as environment variable `BUILD_NUMBER`
`deployed`	`true` if the build succeed and was supposed to deploy

Caching Configuration

By default, Gradle caches ~/.gradle/caches and ~/.gradle/wrapper. You can customize this behavior:

Cache custom directories:

- uses: SonarSource/ci-github-actions/build-gradle@v1
  with:
    cache-paths: |
      ~/.gradle/caches
      ~/.gradle/wrapper
      ~/custom/directory

Disable caching entirely:

- uses: SonarSource/ci-github-actions/build-gradle@v1
  with:
    disable-caching: 'true'

Repox Authentication

The action configures Repox authentication using repoxAuth.init.gradle.kts Gradle hook.

Follow the xtranet/Developer Box documentation for the developer local setup.

The Gradle project must be configured to use Repox for dependency resolution and deployment.

See for instance the configuration in https://github.com/SonarSource/sonar-dummy-gradle-oss.

gradle.properties:

group=org.sonarsource.dummy
version=2.8-SNAPSHOT
projectType=application
org.gradle.caching=true

build.gradle:

// Replaces the version defined in sources, usually x.y-SNAPSHOT, by a version identifying the build.
def buildNumber = System.getProperty("buildNumber")
if (version.endsWith('-SNAPSHOT') && buildNumber != null) {
  version = version.replace('-SNAPSHOT', ".0.$buildNumber")
}

repositories {
  mavenLocal()
  mavenCentral()
  maven {
    url System.env.'ARTIFACTORY_URL' + '/sonarsource'
  }
}

artifactory {
  clientConfig.setIncludeEnvVars(true)
  clientConfig.setEnvVarsExcludePatterns('*password*,*PASSWORD*,*secret*,*MAVEN_CMD_LINE_ARGS*,sun.java.command,*token*,*TOKEN*,*LOGIN*,*login*,*signing*')
  contextUrl = System.getenv('ARTIFACTORY_URL')
  publish {
    repository {
      repoKey = System.getenv('ARTIFACTORY_DEPLOY_REPO')
      username = System.getenv('ARTIFACTORY_DEPLOY_USERNAME')
      password = System.getenv('ARTIFACTORY_DEPLOY_ACCESS_TOKEN')
    }
    defaults {
      properties = [
        'build.name'      : 'sonar-dummy-gradle-oss',
        'build.number'    : System.getenv('BUILD_NUMBER'),
        'pr.branch.target': System.getenv('PULL_REQUEST_BRANCH_TARGET'),
        'pr.number'       : System.getenv('PULL_REQUEST_NUMBER'),
        'vcs.branch'      : System.getenv('GIT_BRANCH'),
        'vcs.revision'    : System.getenv('GIT_COMMIT'),
        'version'         : version
      ]
      publications('mavenJava')
      publishPom = true
      publishIvy = false
    }
    clientConfig.info.addEnvironmentProperty('ARTIFACTS_TO_PUBLISH', 'org.sonarsource.dummy:sonar-dummy-gradle-oss-plugin:jar,org.sonarsource.dummy:sonar-dummy-gradle-oss-plugin:json:cyclonedx')
  }

  clientConfig.info.setBuildName('sonar-dummy-gradle-oss')
  clientConfig.info.setBuildNumber(System.getenv('BUILD_NUMBER'))
  clientConfig.info.addEnvironmentProperty('PROJECT_VERSION', "${version}")
}

`config-npm`

Configure NPM and JFrog build environment with build number, authentication, and settings.

Set the project version in package.json with the build number if the file exists.

Note: This action automatically calls get-build-number to manage the build number.

Requirements

Required GitHub Permissions

id-token: write
contents: write

Required Vault Permissions

public-reader or private-reader: Artifactory role for reading dependencies

Other Dependencies

The Node.js and NPM tools must be pre-installed. Use of mise is recommended.

Usage

config:
  runs-on: sonar-xs  # Private repos default; use github-ubuntu-latest-s for public repos
  name: Build
  permissions:
    id-token: write
    contents: write
  steps:
    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
    - uses: SonarSource/ci-github-actions/config-npm@v1

Input Environment Variables

Environment Variable	Description
`BUILD_NUMBER`	If present, it will be reused by the `get-build-number` action.
`CURRENT_VERSION` and `PROJECT_VERSION`	If both are set, they will be used as-is and no version update will be performed.

See also get-build-number input environment variables.

Inputs

Input	Description	Default
`working-directory`	Relative path under github.workspace to execute the build in	`.`
`artifactory-reader-role`	Suffix for the Artifactory reader role in Vault	`private-reader` for private repos, `public-reader` for public repos
`cache-npm`	Whether to cache NPM dependencies	`true`
`repox-url`	URL for Repox	`https://repox.jfrog.io`
`repox-artifactory-url`	URL for Repox Artifactory API (overrides repox-url/artifactory if provided)	(optional)

Outputs

Output	Description
`current-version`	The project version from package.json
`project-version`	The project version with build number (after replacement)
`BUILD_NUMBER`	The current build number

Output Environment Variables

Environment Variable	Description
`CURRENT_VERSION`	The project version from package.json
`PROJECT_VERSION`	The project version with build number (after replacement)

See also get-build-number output environment variables.

`build-npm`

Build, test, analyze with SonarQube, and deploy an NPM project to JFrog Artifactory.

Note: This action automatically calls config-npm to set up the NPM environment.

Requirements

Required GitHub Permissions

id-token: write
contents: write

Required Vault Permissions

public-reader or private-reader: Artifactory role for reading dependencies
public-deployer or qa-deployer: Artifactory role for deployment

Other Dependencies

The Node.js and NPM tools must be pre-installed. Use of mise is recommended.

Usage

name: Build
on:
  push:
    branches:
      - master
      - branch-*
  pull_request:
  merge_group:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true # or ${{ github.ref_name != github.event.repository.default_branch }}

jobs:
  build:
    runs-on: sonar-xs  # Private repos default; use github-ubuntu-latest-s for public repos
    name: Build
    permissions:
      id-token: write
      contents: write
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: SonarSource/ci-github-actions/build-npm@v1
        with:
          # Enable shadow scans for unified platform dogfooding (optional)
          run-shadow-scans: 'true'
          # Primary platform when shadow scans disabled (optional)
          sonar-platform: 'next'

Input Environment Variables

Environment Variable	Description	Default
`SQ_SCANNER_VERSION`	SonarQube scanner version.	'4.3.0'

See also config-npm input environment variables.

Inputs

Input	Description	Default
`working-directory`	Relative path under github.workspace to execute the build in	`.`
`artifactory-reader-role`	Suffix for the Artifactory reader role in Vault	`private-reader` for private repos, `public-reader` for public repos
`artifactory-deployer-role`	Suffix for the Artifactory deployer role in Vault	`qa-deployer` for private repos, `public-deployer` for public repos
`artifactory-deploy-repo`	Deployment repository	`sonarsource-npm-private-qa` for private repos, `sonarsource-npm-public-qa` for public repos
`deploy-pull-request`	Whether to deploy pull request artifacts	`false`
`skip-tests`	Whether to skip running tests	`false`
`cache-npm`	Whether to cache NPM dependencies	`true`
`repox-url`	URL for Repox	`https://repox.jfrog.io`
`repox-artifactory-url`	URL for Repox Artifactory API (overrides repox-url/artifactory if provided)	(optional)
`sonar-platform`	SonarQube primary platform - 'next', 'sqc-eu', or 'sqc-us'	`next`
`run-shadow-scans`	Enable analysis across all 3 SonarQube platforms (unified platform dogfooding)	`false`
`build-name`	Name of the JFrog build to publish.	`<Repository name>`
`provenance`	Whether to generate provenance attestation for built artifacts	`false`
`provenance-artifact-paths`	Relative paths of artifacts for provenance attestation (glob pattern). See Provenance Attestation	(optional)
`generate-summary`	Whether to generate a workflow summary after the build	`true`

Outputs

Output	Description
`current-version`	The project version from package.json
`project-version`	The project version with build number (after replacement)
`BUILD_NUMBER`	The current build number
`deployed`	`true` if the build succeed and was supposed to deploy

Output Environment Variables

Environment Variable	Description
`BUILD_NUMBER`	The current build number

See also config-npm output environment variables.

`build-yarn`

Build, test, analyze, and deploy a Yarn project with SonarQube integration and Artifactory deployment.

Requirements

Required GitHub Permissions

id-token: write
contents: write

Required Vault Permissions

public-reader or private-reader: Artifactory role for reading dependencies
public-deployer or qa-deployer: Artifactory role for deployment

Other Dependencies

The Node.js and Yarn tools must be pre-installed. Use of mise is recommended.

Usage

name: Build
on:
  push:
    branches:
      - master
      - branch-*
  pull_request:
  merge_group:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true # or ${{ github.ref_name != github.event.repository.default_branch }}

jobs:
  build:
    runs-on: sonar-xs  # Private repos default; use github-ubuntu-latest-s for public repos
    name: Build
    permissions:
      id-token: write
      contents: write
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: SonarSource/ci-github-actions/build-yarn@v1
        with:
          # Enable shadow scans for unified platform dogfooding (optional)
          run-shadow-scans: 'true'
          # Primary platform when shadow scans disabled (optional)
          sonar-platform: 'next'

Input Environment Variables

Environment Variable	Description	Default
`SQ_SCANNER_VERSION`	SonarQube scanner version.	'4.3.0'

Inputs

Input	Description	Default
`working-directory`	Relative path under github.workspace to execute the build in	`.`
`public`	Deprecated	Repository visibility
`artifactory-reader-role`	Suffix for the Artifactory reader role in Vault	`private-reader` for private repos, `public-reader` for public repos
`artifactory-deployer-role`	Suffix for the Artifactory deployer role in Vault	`qa-deployer` for private repos, `public-deployer` for public repos
`artifactory-deploy-repo`	Deployment repository	`sonarsource-private-qa` for private repositories, `sonarsource-public-qa` for public repos
`deploy-pull-request`	Whether to deploy pull request artifacts	`false`
`skip-tests`	Whether to skip running tests	`false`
`cache-yarn`	Whether to cache Yarn dependencies	`true`
`repox-url`	URL for Repox	`https://repox.jfrog.io`
`repox-artifactory-url`	URL for Repox Artifactory API (overrides repox-url/artifactory if provided)	(optional)
`sonar-platform`	SonarQube primary platform - 'next', 'sqc-eu', 'sqc-us', or 'none'. Use 'none' to skip sonar scans	`next`
`run-shadow-scans`	Enable analysis across all 3 SonarQube platforms (unified platform dogfooding)	`false`
`provenance`	Whether to generate provenance attestation for built artifacts	`false`
`provenance-artifact-paths`	Relative paths of artifacts for provenance attestation (glob pattern). See Provenance Attestation	(optional)
`generate-summary`	Whether to generate a workflow summary after the build	`true`

Outputs

Output	Description
`BUILD_NUMBER`	The current build number. Also set as environment variable `BUILD_NUMBER`
`project-version`	The project version from package.json
`deployed`	`true` if the build succeed and was supposed to deploy

`config-pip`

Configure pip build environment with build number, authentication, and default settings.

This action configures pip to pull packages from the internal JFrog Artifactory registry instead of the default PyPI.

Note: This action automatically calls get-build-number to manage the build number. Note: This action replaces the deprecated configure-pipx-repox action from sonarqube-cloud-github-actions repository.

Requirements

Required GitHub Permissions

id-token: write
contents: read

Required Vault Permissions

public-reader or private-reader: Artifactory role for reading dependencies.

Usage

permissions:
  id-token: write
  contents: read
steps:
  - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
  - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
    with:
      python-version: 3.12
  - uses: SonarSource/ci-github-actions/config-pip@v1
  - run: pip install pipenv

With Custom Artifactory Reader Role

steps:
  - uses: SonarSource/ci-github-actions/config-pip@v1
    with:
      artifactory-reader-role: custom-reader

With Working Directory and Caching Options

steps:
  - uses: SonarSource/ci-github-actions/config-pip@v1
    with:
      working-directory: ./python-project
      disable-caching: false

Inputs

Input	Description	Default
`working-directory`	Relative path under github.workspace to execute the build in	`.`
`artifactory-reader-role`	Suffix for the Artifactory reader role in Vault	`private-reader` for private repos, `public-reader` for public repos
`repox-url`	URL for Repox	`https://repox.jfrog.io`
`repox-artifactory-url`	URL for Repox Artifactory API (overrides repox-url/artifactory if provided)	(optional)
`cache-paths`	Cache paths to use (multiline)	`~/.cache/pip`
`disable-caching`	Whether to disable pip caching entirely	`false`

Outputs

Output	Description
`BUILD_NUMBER`	The current build number. Also set as environment variable `BUILD_NUMBER`

Output Environment Variables

Environment Variable	Description
`BUILD_NUMBER`	The current build number

See also get-build-number output environment variables.

Migration from configure-pipx-repox

If you're currently using SonarSource/sonarqube-cloud-github-actions/configure-pipx-repox@master, you can replace it with:

# Old
- uses: SonarSource/sonarqube-cloud-github-actions/configure-pipx-repox@master

# New
- uses: SonarSource/ci-github-actions/config-pip@v1

Both actions produce the same configuration and are functionally equivalent.

`promote`

This action promotes a build in JFrog Artifactory and updates the GitHub status check accordingly.

The GitHub status check is named repox-${GITHUB_REF_NAME}.

Requirements

Required GitHub Permissions

id-token: write
contents: write

Required Vault Permissions

promoter: Artifactory role for the promotion.
promotion: custom GitHub token for promotion.

Other Dependencies

Required properties in the build info:

buildInfo.env.ARTIFACTORY_DEPLOY_REPO: Repository to deploy to (e.g. sonarsource-deploy-qa). It can also be set as an input.
buildInfo.env.PROJECT_VERSION: Version of the project (e.g. 1.2.3). Can also be set as an environment variable to override the build info value.

Usage

Basic usage (version from JFrog build info):

promote:
  needs:
    - build
  runs-on: sonar-xs  # Private repos default; use github-ubuntu-latest-s for public repos
  name: Promote
  permissions:
    id-token: write
    contents: write
  steps:
    - uses: SonarSource/ci-github-actions/promote@v1

With custom project version:

promote:
  needs:
    - build
  runs-on: sonar-xs  # Private repos default; use github-ubuntu-latest-s for public repos
  name: Promote
  permissions:
    id-token: write
    contents: write
  env:
    PROJECT_VERSION: '2.0.0-custom'  # Override version from JFrog build info
  steps:
    - uses: SonarSource/ci-github-actions/promote@v1

Input Environment Variables

Environment Variable	Description
`PROJECT_VERSION`	Version of the project (e.g. 1.2.3). If set, it takes precedence over the version from JFrog build info.

Inputs

Input	Description	Default
`promote-pull-request`	Whether to promote pull request artifacts. Requires `deploy-pull-request` input to be set to `true` in the build action	`false`
`multi-repo`	If true, promotes to public and private repositories. For projects with both public and private artifacts	(optional)
`artifactory-deploy-repo`	Repository to deploy to. If not set, it will be retrieved from the build info	(optional)
`artifactory-target-repo`	Target repository for the promotion. If not set, it will be determined based on the branch type and the deploy repository	(optional)
`build-name`	Name of the JFrog build to promote.	`<Repository name>`

Outputs

This action does not provide any outputs.

`pr_cleanup`

Automatically clean up caches and artifacts associated with a pull request when it is closed.

Requirements

Required GitHub Permissions

actions: write: Required to delete caches and artifacts.

Usage

name: Cleanup PR Resources
on:
  pull_request:
    types:
      - closed

jobs:
  cleanup:
    runs-on: sonar-xs  # Private repos default; use github-ubuntu-latest-s for public repos
    permissions:
      actions: write
    steps:
      - uses: SonarSource/ci-github-actions/pr_cleanup@v1

Inputs

No inputs are required for this action.

Outputs

No outputs are provided by this action.

`code-signing`

Install and configure DigiCert smctl and jsign tools for code signing with caching support.

This action provides a complete setup for DigiCert's SigningManager tools (smctl) and jsign with intelligent caching to avoid re-downloading tools on every run. It handles all DigiCert authentication setup and environment configuration.

Requirements

Required GitHub Permissions

id-token: write
contents: read

Required Vault Permissions

development/kv/data/sign/digicert: DigiCert signing credentials including:
- apikey: DigiCert API key for downloading tools
- client_cert_file_base64: Base64-encoded client certificate
- cert_fp: Certificate fingerprint (SHA1 hash)
- client_cert_password: Client certificate password
- host: DigiCert SigningManager host URL

Other Dependencies

Linux runner
Java installed

Usage

    steps:
      - build:
        # Build artifacts
      - name: Setup DigiCert Client Tools
        uses: SonarSource/ci-github-actions/code-signing@v1
      - name: Sign artifacts
        run: |
          # smctl and jsign are now available and configured, use them in run block or in your custom scripts
          smctl sign --keypair-alias=key_525594307 --config-file "${SMTOOLS_PATH}/pkcs11properties.cfg" --input ${fileToSign}.dll --tool jsign

Inputs

Input	Description	Default
`jsign-version`	Version of jsign to install	`7.2`
`force-download-tools`	Force download both DigiCert and jsign tools (disables caching)	`false`

Environment Variables Set

After running this action, the following environment variables are available:

SM_HOST: DigiCert SigningManager host URL
SM_API_KEY: DigiCert API key
SM_CLIENT_CERT_FILE: Path to the decoded client certificate file
SM_CLIENT_CERT_PASSWORD: Client certificate password
SM_CODE_SIGNING_CERT_SHA1_HASH: Certificate fingerprint for signing
SMTOOLS_PATH: Path where SMTools are installed, certificate and .cfg file is stored.

Deployment Strategy

All build actions (build-maven, build-gradle, build-npm, build-yarn, build-poetry) share the same branch-based deployment and SonarQube analysis strategy. Shared helper predicates and orchestration utilities are provided by shared/common-functions.sh, while the concrete deploy and scan behavior is implemented in each build script:

Branch	Deploy	SonarQube
Default branch (`master`, `main`)	yes	yes
Maintenance (`branch-*`)	yes	yes
Pull request	optional	yes
Dogfood (`dogfood-on-*`)	yes	no
Long-lived feature (`feature/long/*`)	yes ¹	yes
Other branches	no	no

Pull request deployment requires deploy-pull-request: 'true'.
SonarQube analysis also requires sonar-platform to be set (not none).
¹ build-maven and build-gradle only; build-npm, build-yarn, and build-poetry do not deploy on long-lived feature branches.
build-maven and build-gradle support a deploy: 'false' input to override deployment regardless of branch. build-npm, build-yarn, and build-poetry do not have this input (TODO: add for consistency).
build-gradle known bug: SonarQube analysis is not filtered by branch type. When sonar-platform ≠ none, analysis runs on all branches, including dogfood and other branches (unlike all other build actions).

Provenance Attestation

The build actions in this repository can automatically generate SLSA build provenance attestations for produced artifacts when the build is considered deployable. This feature is powered by actions/attest-build-provenance.

Attestations identify the artifact(s) that serve as the subject of the attestation. The build-* actions attempt to discover these subjects automatically using conventional build output locations and common file types for each ecosystem. Automatic discovery runs only when deployment is enabled. The attestation step runs when provenance parameter is enabled and artifact paths are available (either via provenance-artifact-paths or from the build output); otherwise, it is skipped.

Ecosystem assumptions (automatic discovery)

Gradle
- Locations: **/build/libs/**, **/build/distributions/**, **/build/reports/** (for SBOM JSONs)
- File types: *.jar, *.war, *.ear, *.zip, *.tar.gz, *.tar, *.json
- Exclusions: *-sources.jar, *-javadoc.jar, *-tests.jar
Maven
- Location: **/<project.build.directory>/** (queried via Maven); falls back to target/
- File types: *.jar, *.war, *.ear, *.zip, *.tar.gz, *.tar, *.pom, *.json
- Exclusions: *-sources.jar, *-javadoc.jar, *-tests.jar
- Skip rule: if maven.deploy.skip=true is effective, attestation is skipped for that module
Poetry (Python)
- Location: dist/
- File types: *.whl, *.tar.gz, *.json
NPM
- Location: .attestation-artifacts/
- File types: *.tgz
Yarn
- Location: .attestation-artifacts/
- File types: *.tgz

These assumptions are based on widely-used industry conventions and on how artifacts are currently published to our Artifactory. They should cover most repositories, but they are not exhaustive. If needed, you can customize the paths via the provenance-artifact-paths input.

Manually specify subjects when needed

For complete accuracy, we recommend explicitly specifying the artifacts to attest using the provenance-artifact-paths input. Repository owners know best what their build produces, so providing explicit paths might be sometimes preferable. provenance-artifact-paths is passed to actions/attest-build-provenance as the subject-path input. It may be a glob pattern or a newline-separated list of paths (total subject count cannot exceed 1024). See upstream docs for details and more examples: actions/attest-build-provenance.

Example with a build action (same idea applies to other actions):

- uses: SonarSource/ci-github-actions/build-maven@v1
  with:
    provenance-artifact-paths: |
      target/*.jar
      target/*bom.json

Release

Before making a release, ensure that all the dummy dogfooding actions succeed and that their badges are green. See the Dogfooding Status at the top of this README.

Follow semantic versioning principles when determining the new version number based on the nature of the changes (new features, improvements, fixes, documentation, and breaking changes).

Create a new GitHub release on https://github.com/SonarSource/ci-github-actions/releases

Semantic versioning is crucial for clear communication of the changes in each release:
- Increase the patch number for bug fixes, improvements, and documentation updates,
- Increase the minor number for new features,
- Increase the major number for breaking changes.
Edit the generated release notes to curate the highlights and key fixes. Make sure that the notes are clear and informative.
```
## What's Changed
### New Features
* BUILD-... by @username in https://github.com/SonarSource/ci-github-actions/pull/...

### Improvements
* ...

### Bug Fixes
* ...

### Documentation
* ...

## New Contributors
* ...

---

Additional notes, examples, or references if applicable.

**Full Changelog**: https://github.com/SonarSource/ci-github-actions/compare/...
```
Make sure to include any breaking changes in the notes.

After release, the v* branch must be updated for pointing to the new tag.

git fetch --tags
git update-ref -m "reset: update branch v1 to tag 1.y.z" refs/heads/v1 1.y.z
git push origin v1

Communicate Updates, Changes and Migrations

Communicate the new release on the #ops-platform-releases Slack channel.
🚀 New release 1.y.z of ci-github-actions (v1 branch updated) 🚀

✨ What's New
- Curated highlights from release notes: new features, important new options
⚡ Improvements
- Curated highlights from release notes: improvement and upgrades
🐛 Bug Fixes
- Curated highlights from release notes
📚 Documentation
- Curated highlights from release notes
For all the details, you can read the full release notes on GitHub.
Communicate major updates, changes and migrations that require action from users following as indicated in the Updates, Changes and Migrations for Squads - Platform xtranet page.

Using AI for Cirrus CI to GitHub Actions Migration

It is recommended to use AI tools like Cursor or Claude code to assist with Cirrus CI to GitHub actions migration.

This repository contains a comprehensive guide to be passed as a context to AI: .cursor/cirrus-github-migration.md. Here are some example prompts:

Refer @https://github.com/SonarSource/ci-github-actions/blob/master/.cursor/cirrus-github-migration.md
Migrate @.cirrus.yml to GitHub Actions

Or, in the re-terraform-aws-vault repository, you can use it to check for missing vault secrets before migration:

Refer @https://github.com/SonarSource/ci-github-actions/blob/master/.cursor/cirrus-github-migration.md
Give me a report of the missing vault secrets for the repository `sonar-dummy`

See the "Migration From Cirrus CI - GitHub" xtranet documentation for more details.

Name		Name	Last commit message	Last commit date
Latest commit History 214 Commits
.cursor		.cursor
.github		.github
.sonarlint		.sonarlint
build-gradle		build-gradle
build-maven		build-maven
build-npm		build-npm
build-poetry		build-poetry
build-yarn		build-yarn
cache		cache
code-signing		code-signing
config-gradle		config-gradle
config-maven		config-maven
config-npm		config-npm
config-pip		config-pip
get-build-number		get-build-number
pr_cleanup		pr_cleanup
promote		promote
shared		shared
spec		spec
.gitignore		.gitignore
.markdownlint.yaml		.markdownlint.yaml
.pre-commit-config.yaml		.pre-commit-config.yaml
.shellcheckrc		.shellcheckrc
.shellspec		.shellspec
.yamllint.yaml		.yamllint.yaml
CONTRIBUTE.md		CONTRIBUTE.md
LICENSE		LICENSE
README.md		README.md
mise.toml		mise.toml
run_shell_tests.sh		run_shell_tests.sh
sonar-project.properties		sonar-project.properties

Folders and files

Latest commit

History

Repository files navigation

ci-github-actions

Dogfooding Status

sonar-dummy (Maven)

sonar-dummy-gradle-oss (Gradle)

sonar-dummy-js (NPM)

sonar-dummy-maven-enterprise (Maven)

sonar-dummy-python-oss (Python)

sonar-dummy-yarn (Yarn)

Actions provided in this repository

get-build-number

Requirements

Required GitHub Permissions

Required Vault Permissions

Usage

Input Environment Variables

Inputs

Outputs

Output Environment Variables

config-maven

Caching Configuration

Requirements

Required GitHub Permissions

Required Vault Permissions

Other Dependencies

Usage

Input Environment Variables

Inputs

Outputs

Output Environment Variables

build-maven

Requirements

Required GitHub Permissions

Required Vault Permissions

Other Dependencies

Usage

Input Environment Variables

Inputs

cache-cleanup

mixed-privacy

Outputs

Output Environment Variables

build-poetry

Requirements

Required GitHub Permissions

Required Vault Permissions

Other Dependencies

Usage

Inputs

Outputs

config-gradle

Caching Configuration

Requirements

Required GitHub Permissions

Required Vault Permissions

Other Dependencies

Usage

Input Environment Variables

Inputs

Outputs

Output Environment Variables

build-gradle

Requirements

Required GitHub Permissions

Required Vault Permissions

Other Dependencies

Usage

Input Environment Variables

Inputs

Outputs

Caching Configuration

Repox Authentication

config-npm

Requirements

Required GitHub Permissions

Required Vault Permissions

Other Dependencies

`get-build-number`

`config-maven`

`build-maven`

`cache-cleanup`

`mixed-privacy`

`build-poetry`

`config-gradle`

`build-gradle`

`config-npm`

`build-npm`

`build-yarn`

`config-pip`

`promote`

`pr_cleanup`

`code-signing`