From 0314185ff293ea3ce5278c3cf079d8d9aa3b629c Mon Sep 17 00:00:00 2001 From: Hedi Nasr Date: Tue, 2 Jun 2026 11:23:52 +0200 Subject: [PATCH 1/7] BUILD-11500 Use self-hosted Artifactory for Maven actions Remove repox-url and repox-artifactory-url from config-maven, build-maven, and promote. Set ARTIFACTORY_URL to https://repox.dev.sonar.build/artifactory in those actions; credentials still come from Vault as before. Update README for config-maven, build-maven, and promote. Breaking change: repox-url and repox-artifactory-url are no longer accepted on config-maven, build-maven, or promote. --- README.md | 15 ++++++--------- build-maven/action.yml | 12 +----------- config-maven/action.yml | 13 +++---------- promote/action.yml | 11 ++--------- 4 files changed, 12 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index f05fa1c1..38a04032 100644 --- a/README.md +++ b/README.md @@ -171,17 +171,20 @@ By default, Maven caches `~/.m2/repository`. You can customize this behavior: #### Required Vault Permissions - `public-reader` or `private-reader`: Artifactory role for reading dependencies. +- `development/kv/data/develocity`: Develocity access token (only when `use-develocity: true`). #### Other Dependencies The Maven tool must be pre-installed. Use of `mise` is recommended. +Dependencies are resolved from the self-hosted Artifactory instance at `https://repox.dev.sonar.build/artifactory` (not configurable). + ### Usage ```yaml permissions: id-token: write - contents: write + contents: read steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: SonarSource/ci-github-actions/config-maven@v1 
@@ -205,8 +208,6 @@ steps: | `working-directory` | Relative path under github.workspace to execute the build in | `.` | | `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos | | `common-mvn-flags` | Maven flags for all subsequent mvn calls | `--batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false` | -| `repox-url` | URL for Repox | `https://repox.jfrog.io` | -| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) | | `use-develocity` | Whether to use Develocity for build tracking | `false` | | `develocity-url` | URL for Develocity | `https://develocity.sonar.build/` | | `cache-paths` | Custom cache paths (multiline). | (optional) | 
@@ -228,13 +229,13 @@ steps: | `ARTIFACTORY_ACCESS_USERNAME` | Deprecated alias for `ARTIFACTORY_USERNAME` | | `ARTIFACTORY_USERNAME` | Username for Artifactory authentication | | `ARTIFACTORY_PASSWORD` | Deprecated alias for `ARTIFACTORY_ACCESS_TOKEN` | -| `ARTIFACTORY_URL` | Artifactory (Repox) URL. E.x.: `https://repox.jfrog.io/artifactory` | +| `ARTIFACTORY_URL` | Artifactory API base URL. E.g. `https://repox.dev.sonar.build/artifactory` | | `BASH_ENV` | Path to the bash profile with mvn function for adding common flags to Maven calls | | `CURRENT_VERSION` | The original project version from pom.xml | | `DEVELOCITY_ACCESS_KEY` | The Develocity access key when `use-develocity` is true | | `MAVEN_OPTS` | JVM options for Maven execution. | | `PROJECT_VERSION` | The project version with build number (after replacement) | -| `SONARSOURCE_REPOSITORY_URL` | URL for SonarSource Artifactory root virtual repository (i.e.: [`sonarsource`](https://repox.jfrog.io/artifactory/sonarsource) for release builds or [`sonarsource-qa`](https://repox.jfrog.io/artifactory/sonarsource-qa) for QA builds) | +| `SONARSOURCE_REPOSITORY_URL` | URL for SonarSource Artifactory root virtual repository (i.e.: [`sonarsource`](https://repox.dev.sonar.build/artifactory/sonarsource) for release builds or [`sonarsource-qa`](https://repox.dev.sonar.build/artifactory/sonarsource-qa) for QA builds) | | `CONFIG_MAVEN_COMPLETED` | For internal use. If set, the action is skipped | | `MAVEN_CONFIG` | Path to m2 root `$HOME/.m2` | 
@@ -311,8 +312,6 @@ See also [`config-maven`](#config-maven) input environment variables. | `deploy-pull-request` | Whether to also deploy for pull requests. If deploy is false, this has no effect. | `false` | | `maven-args` | Additional arguments to pass to Maven | (optional) | | `scanner-java-opts` | Additional Java options for the Sonar scanner (`SONAR_SCANNER_JAVA_OPTS`) | `-Xmx512m` | -| `repox-url` | URL for Repox | `https://repox.jfrog.io` | -| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) | | `use-develocity` | Whether to use Develocity for build tracking | `false` | | `develocity-url` | URL for Develocity | `https://develocity.sonar.build/` | | `sonar-platform` | SonarQube primary platform - 'next', 'sqc-eu', 'sqc-us', or 'none'. Use 'none' to skip sonar scans | `next` | @@ -1259,8 +1258,6 @@ promote: | Input | Description | Default | |---------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------------------| -| `repox-url` | URL for Repox | `https://repox.jfrog.io` | -| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) | | `promote-pull-request` | Whether to promote pull request artifacts. Requires `deploy-pull-request` input to be set to `true` in the build action | `false` | | `multi-repo` | If true, promotes to public and private repositories. For projects with both public and private artifacts | (optional) | | `artifactory-deploy-repo` | Repository to deploy to. If not set, it will be retrieved from the build info | (optional) | diff --git a/build-maven/action.yml b/build-maven/action.yml index 6c23b147..c1d28f5d 100644 --- a/build-maven/action.yml +++ b/build-maven/action.yml 
@@ -48,12 +48,6 @@ inputs: common-mvn-flags: description: Maven flags for all subsequent mvn calls default: --batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false - repox-url: - description: URL for Repox - default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' use-develocity: description: Whether to use Develocity for build tracking. default: 'false' @@ -116,8 +110,6 @@ runs: working-directory: ${{ inputs.working-directory }} artifactory-reader-role: ${{ inputs.artifactory-reader-role }} common-mvn-flags: ${{ inputs.common-mvn-flags }} - repox-url: ${{ inputs.repox-url }} - repox-artifactory-url: ${{ inputs.repox-artifactory-url }} use-develocity: ${{ inputs.use-develocity }} develocity-url: ${{ inputs.develocity-url }} cache-paths: ${{ inputs.cache-paths }} @@ -151,7 +143,7 @@ runs: echo "SONARSOURCE_REPOSITORY_URL=${ARTIFACTORY_URL}/sonarsource" >> "$GITHUB_ENV" # yamllint enable rule:line-length - - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0 id: secrets with: # yamllint disable rule:line-length @@ -238,8 +230,6 @@ runs: if: always() && inputs.generate-summary != 'false' shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR: ${{ runner.temp }}/jfrog-summary run: | build_name="${GITHUB_REPOSITORY#*/}" diff --git a/config-maven/action.yml b/config-maven/action.yml index 7841b459..75774166 100644 --- a/config-maven/action.yml +++ b/config-maven/action.yml 
@@ -12,12 +12,6 @@ inputs: common-mvn-flags: description: Maven flags for all subsequent mvn calls default: --batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false - repox-url: - description: URL for Repox - default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' use-develocity: description: Whether to use Develocity for build tracking. default: 'false' @@ -92,7 +86,7 @@ runs: (github.event.repository.visibility == 'public' && 'public-reader' || 'private-reader') }} run: | echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV" - - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0 if: steps.config-maven-completed.outputs.skip != 'true' id: secrets with: @@ -113,8 +107,7 @@ runs: if: steps.config-maven-completed.outputs.skip != 'true' shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_URL: https://repox.dev.sonar.build/artifactory ARTIFACTORY_USERNAME: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME || '' }} ARTIFACTORY_ACCESS_TOKEN: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN || '' }} DEVELOCITY_TOKEN: ${{ inputs.use-develocity == 'true' && steps.secrets.outputs.vault && 
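Review bot: The literal `ARTIFACTORY_URL: https://repox.dev.sonar.build/artifactory` added to this step's `env` (hunk `@@ -113,8 +107,7`) is repeated verbatim in promote/action.yml (hunk `@@ -63,8 +57,7`), so a later host change has to be made in several files and the two actions can drift apart. Because `repox-url` and `repox-artifactory-url` are removed from `inputs`, a caller that still passes them most likely gets only an unexpected-input warning, and the Vault-issued username and token are then used against this host rather than the one the caller named. A comment above the value would make the fixed destination explicit, e.g. `# Fixed host (BUILD-11500): repox-url / repox-artifactory-url inputs were removed, not overridable`. The step's `env` and `run` body continue outside the hunk.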
@@ -124,7 +117,7 @@ runs: echo "::warning title=Found invalid DEVELOCITY_ACCESS_KEY::DEVELOCITY_ACCESS_KEY should not be set manually" \ "in the environment." >&2 echo "[WARNING] DEVELOCITY_ACCESS_KEY is set in the environment with an empty token. This is a deprecated configuration." \ - "The Develocity token is configured by config-maven. Please remove external configuration of DEVELOCITY_ACCESS_KEY." + "The Develocity token is configured by config-maven. Please remove external configuration of DEVELOCITY_ACCESS_KEY." fi echo "ARTIFACTORY_URL=$ARTIFACTORY_URL" >> "$GITHUB_ENV" diff --git a/promote/action.yml b/promote/action.yml index c5fab660..adf9b90c 100644 --- a/promote/action.yml +++ b/promote/action.yml @@ -2,12 +2,6 @@ name: Promote description: GitHub Action to promote a project inputs: - repox-url: - description: URL for Repox - default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' promote-pull-request: description: Whether to promote pull request artifacts. Requires `deploy-pull-request` input to be set to `true` in the build action. default: 'false' @@ -51,7 +45,7 @@ runs: - uses: ./.actions/get-build-number with: host-actions-root: ${{ steps.set-path.outputs.host_actions_root }} - - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0 id: secrets with: secrets: | 
@@ -63,8 +57,7 @@ runs: - name: Promote artifacts shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_URL: https://repox.dev.sonar.build/artifactory ARTIFACTORY_PROMOTE_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PROMOTE_ACCESS_TOKEN }} GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} From 44075157ba1cf3c1cab0c0622006fa2f08484cbd Mon Sep 17 00:00:00 2001 From: Hedi Nasr Date: Tue, 2 Jun 2026 11:26:52 +0200 Subject: [PATCH 2/7] BUILD-11500 Restore vault-action-wrapper 3.5.0 on Maven actions Accidentally downgraded when restoring action files from an older branch commit. --- build-maven/action.yml | 2 +- config-maven/action.yml | 2 +- promote/action.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/build-maven/action.yml b/build-maven/action.yml index c1d28f5d..7368b8f9 100644 --- a/build-maven/action.yml +++ b/build-maven/action.yml @@ -143,7 +143,7 @@ runs: echo "SONARSOURCE_REPOSITORY_URL=${ARTIFACTORY_URL}/sonarsource" >> "$GITHUB_ENV" # yamllint enable rule:line-length - - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0 + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 id: secrets with: # yamllint disable rule:line-length diff --git a/config-maven/action.yml b/config-maven/action.yml index 75774166..97a789e9 100644 --- a/config-maven/action.yml +++ b/config-maven/action.yml 
@@ -86,7 +86,7 @@ runs: (github.event.repository.visibility == 'public' && 'public-reader' || 'private-reader') }} run: | echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV" - - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0 + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 if: steps.config-maven-completed.outputs.skip != 'true' id: secrets with: diff --git a/promote/action.yml b/promote/action.yml index adf9b90c..8aa03825 100644 --- a/promote/action.yml +++ b/promote/action.yml @@ -45,7 +45,7 @@ runs: - uses: ./.actions/get-build-number with: host-actions-root: ${{ steps.set-path.outputs.host_actions_root }} - - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0 + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 id: secrets with: secrets: | From bdfd8a34588241a7bcd44ed8891e59175d123bbf Mon Sep 17 00:00:00 2001 From: Hedi Nasr Date: Tue, 2 Jun 2026 15:02:01 +0200 Subject: [PATCH 3/7] use vault dev --- build-maven/action.yml | 1 + config-maven/action.yml | 1 + promote/action.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/build-maven/action.yml b/build-maven/action.yml index 7368b8f9..b0cccd7c 100644 --- a/build-maven/action.yml +++ b/build-maven/action.yml @@ -147,6 +147,7 @@ runs: id: secrets with: # yamllint disable rule:line-length + url: https://vault.dev.sonar.build secrets: | ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/next url | NEXT_URL;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/next token | NEXT_TOKEN;' || '' }} diff --git a/config-maven/action.yml b/config-maven/action.yml index 97a789e9..2e747d82 100644 --- a/config-maven/action.yml +++ b/config-maven/action.yml 
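Review bot: The added `url: https://vault.dev.sonar.build` on the `secrets` step (build-maven hunk `@@ -147,6 +147,7`) carries no comment, and the commit message ("use vault dev") does not say why a shared action should authenticate against an instance named dev; the same line is added in config-maven/action.yml (`@@ -90,6 +90,7`) and promote/action.yml (`@@ -48,6 +48,7`). This value decides which server the job's identity is presented to (presumably through the `id-token: write` permission the README asks for) and which server issues every secret the step returns, so the reason belongs next to it, for example `# Artifactory credentials are issued by this Vault instance (BUILD-11500)`. In build-maven the override also applies to the `development/kv/data/next`, sonarcloud and `sign` paths in the same `secrets:` list; whether those paths exist on that instance is not visible from the hunk and should be confirmed.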
@@ -90,6 +90,7 @@ runs: if: steps.config-maven-completed.outputs.skip != 'true' id: secrets with: + url: https://vault.dev.sonar.build secrets: | development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME; development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; diff --git a/promote/action.yml b/promote/action.yml index 8aa03825..31838e1f 100644 --- a/promote/action.yml +++ b/promote/action.yml @@ -48,6 +48,7 @@ runs: - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 id: secrets with: + url: https://vault.dev.sonar.build secrets: | development/artifactory/token/{REPO_OWNER_NAME_DASH}-promoter access_token | ARTIFACTORY_PROMOTE_ACCESS_TOKEN; development/github/token/{REPO_OWNER_NAME_DASH}-promotion token | GITHUB_TOKEN; From a032b2853377807e59d407648e4d650999f9c206 Mon Sep 17 00:00:00 2001 From: Hedi Nasr Date: Wed, 3 Jun 2026 12:08:22 +0200 Subject: [PATCH 4/7] mvn -U (--update-snapshots) --- build-maven/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-maven/action.yml b/build-maven/action.yml index b0cccd7c..873b1296 100644 --- a/build-maven/action.yml +++ b/build-maven/action.yml @@ -47,7 +47,7 @@ inputs: default: '' common-mvn-flags: description: Maven flags for all subsequent mvn calls - default: --batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false + default: -U --batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false use-develocity: description: Whether to use Develocity for build tracking. default: 'false' From 1875321ab4000803ba83d358f9c3f7bcede5b3bc Mon Sep 17 00:00:00 2001 
From: Hedi Nasr Date: Wed, 3 Jun 2026 12:13:15 +0200 Subject: [PATCH 5/7] pluginRepository updatePolicy always --- config-maven/resources/settings.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config-maven/resources/settings.xml b/config-maven/resources/settings.xml index 6b724928..c885c054 100644 --- a/config-maven/resources/settings.xml +++ b/config-maven/resources/settings.xml @@ -62,7 +62,7 @@ true - interval:60 + always fail From 230867c6c7254f210b70520963ff4965b7647a71 Mon Sep 17 00:00:00 2001 From: Hedi Nasr Date: Wed, 3 Jun 2026 13:49:10 +0200 Subject: [PATCH 6/7] remove mvn -U and fetch artifactory token from vault dev --- build-maven/action.yml | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/build-maven/action.yml b/build-maven/action.yml index 873b1296..ca4fe032 100644 --- a/build-maven/action.yml +++ b/build-maven/action.yml @@ -47,7 +47,7 @@ inputs: default: '' common-mvn-flags: description: Maven flags for all subsequent mvn calls - default: -U --batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false + default: --batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false use-develocity: description: Whether to use Develocity for build tracking. default: 'false' 
@@ -143,11 +143,20 @@ runs: echo "SONARSOURCE_REPOSITORY_URL=${ARTIFACTORY_URL}/sonarsource" >> "$GITHUB_ENV" # yamllint enable rule:line-length + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + id: artifactory + with: + url: https://vault.dev.sonar.build + # yamllint disable rule:line-length + secrets: | + ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_USERNAME_VAULT || '' }} + ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_ACCESS_TOKEN_VAULT || '' }} + ${{ inputs.deploy != 'false' && inputs.mixed-privacy == 'true' && steps.params.outputs.ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN_VAULT || '' }} + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 id: secrets with: # yamllint disable rule:line-length - url: https://vault.dev.sonar.build secrets: | ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/next url | NEXT_URL;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/next token | NEXT_TOKEN;' || '' }} 
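Review bot: The new `artifactory` step has no `if:`, yet all three entries under its `secrets:` are conditional on `inputs.deploy != 'false'`, so with deploy disabled the step still logs in to `https://vault.dev.sonar.build` and asks for an empty secret list. How the wrapper reacts to an empty list is not visible here; adding `if: inputs.deploy != 'false'` to the step avoids the unneeded login and states the intent. The added `# yamllint disable rule:line-length` is also never re-enabled inside this step; it is only closed because the following `secrets` step repeats the disable and ends with `# yamllint enable rule:line-length`.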
@@ -155,9 +164,6 @@ runs: ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }} - ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_USERNAME_VAULT || '' }} - ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_ACCESS_TOKEN_VAULT || '' }} - ${{ inputs.deploy != 'false' && inputs.mixed-privacy == 'true' && steps.params.outputs.ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN_VAULT || '' }} development/kv/data/sign key | SIGN_KEY; development/kv/data/sign passphrase | PGP_PASSPHRASE; # yamllint enable rule:line-length 
@@ -181,9 +187,9 @@ runs: ARTIFACTORY_DEPLOY_REPO: ${{ steps.params.outputs.ARTIFACTORY_DEPLOY_REPO }} # Vault secrets - ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }} - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} - ARTIFACTORY_DEPLOY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} # used in parent POM + ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }} + ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} + ARTIFACTORY_DEPLOY_PASSWORD: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} # used in parent POM NEXT_URL: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_URL }} NEXT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_TOKEN }} SQC_EU_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_EU_URL }} From 8bac5c39de7b01b7af357f9fc593462c8842f2b6 Mon Sep 17 00:00:00 2001 From: Hedi Nasr Date: Wed, 3 Jun 2026 14:30:48 +0200 Subject: [PATCH 7/7] replace vault github token by github.token --- promote/action.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/promote/action.yml b/promote/action.yml index 31838e1f..4ea0c4c8 100644 --- a/promote/action.yml +++ b/promote/action.yml @@ -51,7 +51,6 @@ runs: url: https://vault.dev.sonar.build secrets: | development/artifactory/token/{REPO_OWNER_NAME_DASH}-promoter access_token | ARTIFACTORY_PROMOTE_ACCESS_TOKEN; - development/github/token/{REPO_OWNER_NAME_DASH}-promotion token | GITHUB_TOKEN; - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 with: version: 2026.5.9 
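Review bot: The three rewritten entries call `fromJSON(steps.artifactory.outputs.vault)` without the `steps.secrets.outputs.vault && … || ''` guard that config-maven/action.yml uses, and unlike the `secrets` step the `artifactory` step requests only conditional paths, so its output may be empty when `deploy` is `false` and the expression would then likely fail to evaluate. A guarded form such as `${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME || '' }}` keeps the non-deploy path working. The same commit also moves `ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN_VAULT` to the `artifactory` step, but no consumer of that token appears in this hunk; if an `env` line outside it still reads the value from `steps.secrets`, it will resolve to nothing and should be switched as well. The step's `env` block starts and ends outside the hunk.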
@@ -60,7 +59,7 @@ runs: env: ARTIFACTORY_URL: https://repox.dev.sonar.build/artifactory ARTIFACTORY_PROMOTE_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PROMOTE_ACCESS_TOKEN }} - GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} MULTI_REPO_PROMOTE: ${{ inputs.multi-repo }} ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo }}
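Review bot: `GITHUB_TOKEN: ${{ github.token }}` makes the promote step depend on whatever `permissions:` the calling job grants, where the removed line took a dedicated token from the `{REPO_OWNER_NAME_DASH}-promotion` Vault role. What the promote script does with this token is outside the hunk, so the scopes it needs should be confirmed and documented; a caller with read-only defaults would otherwise fail only at promotion time. A comment above the line would record the contract, e.g. `# uses the workflow token; the calling job must grant <required-permission>: write` (placeholder, to be filled in from the script). Events created with the workflow token generally do not start other workflows, which matters if anything downstream reacted to what the previous token wrote.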