diff --git a/README.md b/README.md
index f05fa1c1..38a04032 100644
--- a/README.md
+++ b/README.md
@@ -171,17 +171,20 @@ By default, Maven caches `~/.m2/repository`. You can customize this behavior:
#### Required Vault Permissions
- `public-reader` or `private-reader`: Artifactory role for reading dependencies.
+- `development/kv/data/develocity`: Develocity access token (only when `use-develocity: true`).
#### Other Dependencies
The Maven tool must be pre-installed. Use of `mise` is recommended.
+Dependencies are resolved from the self-hosted Artifactory instance at `https://repox.dev.sonar.build/artifactory` (not configurable).
+
### Usage
```yaml
permissions:
id-token: write
- contents: write
+ contents: read
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: SonarSource/ci-github-actions/config-maven@v1
@@ -205,8 +208,6 @@ steps:
| `working-directory` | Relative path under github.workspace to execute the build in | `.` |
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
| `common-mvn-flags` | Maven flags for all subsequent mvn calls | `--batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false` |
-| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
-| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
| `use-develocity` | Whether to use Develocity for build tracking | `false` |
| `develocity-url` | URL for Develocity | `https://develocity.sonar.build/` |
| `cache-paths` | Custom cache paths (multiline). | (optional) |
@@ -228,13 +229,13 @@ steps:
| `ARTIFACTORY_ACCESS_USERNAME` | Deprecated alias for `ARTIFACTORY_USERNAME` |
| `ARTIFACTORY_USERNAME` | Username for Artifactory authentication |
| `ARTIFACTORY_PASSWORD` | Deprecated alias for `ARTIFACTORY_ACCESS_TOKEN` |
-| `ARTIFACTORY_URL` | Artifactory (Repox) URL. E.x.: `https://repox.jfrog.io/artifactory` |
+| `ARTIFACTORY_URL` | Artifactory API base URL. E.g. `https://repox.dev.sonar.build/artifactory` |
| `BASH_ENV` | Path to the bash profile with mvn function for adding common flags to Maven calls |
| `CURRENT_VERSION` | The original project version from pom.xml |
| `DEVELOCITY_ACCESS_KEY` | The Develocity access key when `use-develocity` is true |
| `MAVEN_OPTS` | JVM options for Maven execution. |
| `PROJECT_VERSION` | The project version with build number (after replacement) |
-| `SONARSOURCE_REPOSITORY_URL` | URL for SonarSource Artifactory root virtual repository (i.e.: [`sonarsource`](https://repox.jfrog.io/artifactory/sonarsource) for release builds or [`sonarsource-qa`](https://repox.jfrog.io/artifactory/sonarsource-qa) for QA builds) |
+| `SONARSOURCE_REPOSITORY_URL` | URL for SonarSource Artifactory root virtual repository (i.e.: [`sonarsource`](https://repox.dev.sonar.build/artifactory/sonarsource) for release builds or [`sonarsource-qa`](https://repox.dev.sonar.build/artifactory/sonarsource-qa) for QA builds) |
| `CONFIG_MAVEN_COMPLETED` | For internal use. If set, the action is skipped |
| `MAVEN_CONFIG` | Path to m2 root `$HOME/.m2` |
@@ -311,8 +312,6 @@ See also [`config-maven`](#config-maven) input environment variables.
| `deploy-pull-request` | Whether to also deploy for pull requests. If deploy is false, this has no effect. | `false` |
| `maven-args` | Additional arguments to pass to Maven | (optional) |
| `scanner-java-opts` | Additional Java options for the Sonar scanner (`SONAR_SCANNER_JAVA_OPTS`) | `-Xmx512m` |
-| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
-| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
| `use-develocity` | Whether to use Develocity for build tracking | `false` |
| `develocity-url` | URL for Develocity | `https://develocity.sonar.build/` |
| `sonar-platform` | SonarQube primary platform - 'next', 'sqc-eu', 'sqc-us', or 'none'. Use 'none' to skip sonar scans | `next` |
@@ -1259,8 +1258,6 @@ promote:
| Input | Description | Default |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------------------|
-| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
-| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
| `promote-pull-request` | Whether to promote pull request artifacts. Requires `deploy-pull-request` input to be set to `true` in the build action | `false` |
| `multi-repo` | If true, promotes to public and private repositories. For projects with both public and private artifacts | (optional) |
| `artifactory-deploy-repo` | Repository to deploy to. If not set, it will be retrieved from the build info | (optional) |
diff --git a/build-maven/action.yml b/build-maven/action.yml
index 6c23b147..ca4fe032 100644
--- a/build-maven/action.yml
+++ b/build-maven/action.yml
@@ -48,12 +48,6 @@ inputs:
common-mvn-flags:
description: Maven flags for all subsequent mvn calls
default: --batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false
- repox-url:
- description: URL for Repox
- default: https://repox.jfrog.io
- repox-artifactory-url:
- description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided)
- default: ''
use-develocity:
description: Whether to use Develocity for build tracking.
default: 'false'
@@ -116,8 +110,6 @@ runs:
working-directory: ${{ inputs.working-directory }}
artifactory-reader-role: ${{ inputs.artifactory-reader-role }}
common-mvn-flags: ${{ inputs.common-mvn-flags }}
- repox-url: ${{ inputs.repox-url }}
- repox-artifactory-url: ${{ inputs.repox-artifactory-url }}
use-develocity: ${{ inputs.use-develocity }}
develocity-url: ${{ inputs.develocity-url }}
cache-paths: ${{ inputs.cache-paths }}
@@ -151,6 +143,16 @@ runs:
echo "SONARSOURCE_REPOSITORY_URL=${ARTIFACTORY_URL}/sonarsource" >> "$GITHUB_ENV"
# yamllint enable rule:line-length
+ - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0
+ id: artifactory
+ with:
+ url: https://vault.dev.sonar.build
+ # yamllint disable rule:line-length
+ secrets: |
+ ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_USERNAME_VAULT || '' }}
+ ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_ACCESS_TOKEN_VAULT || '' }}
+ ${{ inputs.deploy != 'false' && inputs.mixed-privacy == 'true' && steps.params.outputs.ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN_VAULT || '' }}
+
- uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0
id: secrets
with:
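Review bot: The new `artifactory` step has no `if:` condition, so when every expression in its `secrets` list renders empty (for example with `inputs.deploy` set to `'false'`) the job presumably still authenticates to Vault to request nothing. Consider a step-level guard such as `if: inputs.deploy != 'false'`; anything that reads `steps.artifactory.outputs.vault` would then have to tolerate an empty output. The `# yamllint disable rule:line-length` opened inside this step also has no matching `# yamllint enable rule:line-length` before the step ends, so it stays in effect into the following `secrets` step. That `secrets` step continues outside the hunk.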
@@ -162,9 +164,6 @@ runs:
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }}
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }}
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }}
- ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_USERNAME_VAULT || '' }}
- ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_ACCESS_TOKEN_VAULT || '' }}
- ${{ inputs.deploy != 'false' && inputs.mixed-privacy == 'true' && steps.params.outputs.ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN_VAULT || '' }}
development/kv/data/sign key | SIGN_KEY;
development/kv/data/sign passphrase | PGP_PASSPHRASE;
# yamllint enable rule:line-length
@@ -188,9 +187,9 @@ runs:
ARTIFACTORY_DEPLOY_REPO: ${{ steps.params.outputs.ARTIFACTORY_DEPLOY_REPO }}
# Vault secrets
- ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }}
- ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }}
- ARTIFACTORY_DEPLOY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} # used in parent POM
+ ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }}
+ ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }}
+ ARTIFACTORY_DEPLOY_PASSWORD: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} # used in parent POM
NEXT_URL: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_URL }}
NEXT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_TOKEN }}
SQC_EU_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_EU_URL }}
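Review bot: The three `ARTIFACTORY_DEPLOY_*` lines call `fromJSON(steps.artifactory.outputs.vault)` without a guard, while every entry in the `artifactory` step's secret list is conditional and the list can be empty. If the wrapper emits an empty `vault` output in that case, `fromJSON('')` fails expression evaluation for this step; before the change these values came from `steps.secrets`, which always requests the signing key. config-maven/action.yml already uses the tolerant form, so the same shape would fit here: `ARTIFACTORY_DEPLOY_USERNAME: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME || '' }}`, and likewise for the two token lines. The `env` block continues outside the hunk.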
@@ -238,8 +237,6 @@ runs:
if: always() && inputs.generate-summary != 'false'
shell: bash
env:
- ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url ||
- format('{0}/artifactory', inputs.repox-url) }}
JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR: ${{ runner.temp }}/jfrog-summary
run: |
build_name="${GITHUB_REPOSITORY#*/}"
diff --git a/config-maven/action.yml b/config-maven/action.yml
index 7841b459..2e747d82 100644
--- a/config-maven/action.yml
+++ b/config-maven/action.yml
@@ -12,12 +12,6 @@ inputs:
common-mvn-flags:
description: Maven flags for all subsequent mvn calls
default: --batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false
- repox-url:
- description: URL for Repox
- default: https://repox.jfrog.io
- repox-artifactory-url:
- description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided)
- default: ''
use-develocity:
description: Whether to use Develocity for build tracking.
default: 'false'
@@ -96,6 +90,7 @@ runs:
if: steps.config-maven-completed.outputs.skip != 'true'
id: secrets
with:
+ url: https://vault.dev.sonar.build
secrets: |
development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME;
development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN;
@@ -113,8 +108,7 @@ runs:
if: steps.config-maven-completed.outputs.skip != 'true'
shell: bash
env:
- ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url ||
- format('{0}/artifactory', inputs.repox-url) }}
+ ARTIFACTORY_URL: https://repox.dev.sonar.build/artifactory
ARTIFACTORY_USERNAME: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME || '' }}
ARTIFACTORY_ACCESS_TOKEN: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN || '' }}
DEVELOCITY_TOKEN: ${{ inputs.use-develocity == 'true' && steps.secrets.outputs.vault &&
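Review bot: `ARTIFACTORY_URL` is now a bare literal with no comment saying it is fixed on purpose, and the same host is repeated in promote/action.yml. Callers that still pass the removed `repox-url` or `repox-artifactory-url` inputs are, as far as the runner is concerned, only warned about unexpected inputs and silently switch to this host. A comment above the line such as `# Not configurable: reader credentials are only sent to this Artifactory instance` would record the intent, if that is the intent. The `env` block continues past the end of the hunk.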
@@ -124,7 +118,7 @@ runs:
echo "::warning title=Found invalid DEVELOCITY_ACCESS_KEY::DEVELOCITY_ACCESS_KEY should not be set manually" \
"in the environment." >&2
echo "[WARNING] DEVELOCITY_ACCESS_KEY is set in the environment with an empty token. This is a deprecated configuration." \
- "The Develocity token is configured by config-maven. Please remove external configuration of DEVELOCITY_ACCESS_KEY."
+ "The Develocity token is configured by config-maven. Please remove external configuration of DEVELOCITY_ACCESS_KEY."
fi
echo "ARTIFACTORY_URL=$ARTIFACTORY_URL" >> "$GITHUB_ENV"
diff --git a/config-maven/resources/settings.xml b/config-maven/resources/settings.xml
index 6b724928..c885c054 100644
--- a/config-maven/resources/settings.xml
+++ b/config-maven/resources/settings.xml
@@ -62,7 +62,7 @@
true
- interval:60
+ always
fail
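Review bot: No comment explains why this value moves from `interval:60` to `always`. The XML element names are not visible in this rendering, but the neighbouring `true` and `fail` suggest an update policy sitting next to a checksum policy. If so, every build now checks the remote for the affected repository, which ties builds to Artifactory availability and picks up changed artifacts immediately. A short XML comment naming the repository this applies to and the reason for dropping the interval would help the next reader.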
diff --git a/promote/action.yml b/promote/action.yml
index c5fab660..4ea0c4c8 100644
--- a/promote/action.yml
+++ b/promote/action.yml
@@ -2,12 +2,6 @@
name: Promote
description: GitHub Action to promote a project
inputs:
- repox-url:
- description: URL for Repox
- default: https://repox.jfrog.io
- repox-artifactory-url:
- description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided)
- default: ''
promote-pull-request:
description: Whether to promote pull request artifacts. Requires `deploy-pull-request` input to be set to `true` in the build action.
default: 'false'
@@ -54,19 +48,18 @@ runs:
- uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0
id: secrets
with:
+ url: https://vault.dev.sonar.build
secrets: |
development/artifactory/token/{REPO_OWNER_NAME_DASH}-promoter access_token | ARTIFACTORY_PROMOTE_ACCESS_TOKEN;
- development/github/token/{REPO_OWNER_NAME_DASH}-promotion token | GITHUB_TOKEN;
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
with:
version: 2026.5.9
- name: Promote artifacts
shell: bash
env:
- ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url ||
- format('{0}/artifactory', inputs.repox-url) }}
+ ARTIFACTORY_URL: https://repox.dev.sonar.build/artifactory
ARTIFACTORY_PROMOTE_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PROMOTE_ACCESS_TOKEN }}
- GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
MULTI_REPO_PROMOTE: ${{ inputs.multi-repo }}
ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo }}
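Review bot: `GITHUB_TOKEN` now comes from `github.token`, so its rights are whatever the calling workflow grants in `permissions:` rather than those of the Vault-issued promotion token. The hunk does not show which GitHub API calls the promote script makes, so the required permissions are undocumented here, and a caller with read-only defaults may fail late in the promote step. Suggest a comment above the line, e.g. `# Workflow token: the caller must grant the permissions listed in the README`, and listing those permissions in the promote section of the README. The `env` block continues outside the hunk.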