15 changes: 6 additions & 9 deletions README.md
@@ -171,17 +171,20 @@ By default, Maven caches `~/.m2/repository`. You can customize this behavior:
#### Required Vault Permissions

- `public-reader` or `private-reader`: Artifactory role for reading dependencies.
- `development/kv/data/develocity`: Develocity access token (only when `use-develocity: true`).

#### Other Dependencies

The Maven tool must be pre-installed. Use of `mise` is recommended.

Dependencies are resolved from the self-hosted Artifactory instance at `https://repox.dev.sonar.build/artifactory` (not configurable).

### Usage

```yaml
permissions:
id-token: write
contents: write
contents: read
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: SonarSource/ci-github-actions/config-maven@v1
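Review bot: the example now asks for `contents: read` instead of `contents: write`, which matches the read-only reader roles listed under Required Vault Permissions; callers who copied the old snippet still grant write, so a sentence in the Usage text pointing out that `contents: read` is sufficient for config-maven would prompt them to tighten it.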
@@ -205,8 +208,6 @@ steps:
| `working-directory` | Relative path under github.workspace to execute the build in | `.` |
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
| `common-mvn-flags` | Maven flags for all subsequent mvn calls | `--batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false` |
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
| `use-develocity` | Whether to use Develocity for build tracking | `false` |
| `develocity-url` | URL for Develocity | `https://develocity.sonar.build/` |
| `cache-paths` | Custom cache paths (multiline). | (optional) |
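Review bot: the inputs table drops `repox-url` and `repox-artifactory-url` without a migration note; a short line saying that the two inputs were removed and that the Artifactory URL is now fixed at `https://repox.dev.sonar.build/artifactory` would help readers who search the README for them.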
@@ -228,13 +229,13 @@ steps:
| `ARTIFACTORY_ACCESS_USERNAME` | Deprecated alias for `ARTIFACTORY_USERNAME` |
| `ARTIFACTORY_USERNAME` | Username for Artifactory authentication |
| `ARTIFACTORY_PASSWORD` | Deprecated alias for `ARTIFACTORY_ACCESS_TOKEN` |
| `ARTIFACTORY_URL` | Artifactory (Repox) URL. E.x.: `https://repox.jfrog.io/artifactory` |
| `ARTIFACTORY_URL` | Artifactory API base URL. E.g. `https://repox.dev.sonar.build/artifactory` |
| `BASH_ENV` | Path to the bash profile with mvn function for adding common flags to Maven calls |
| `CURRENT_VERSION` | The original project version from pom.xml |
| `DEVELOCITY_ACCESS_KEY` | The Develocity access key when `use-develocity` is true |
| `MAVEN_OPTS` | JVM options for Maven execution. |
| `PROJECT_VERSION` | The project version with build number (after replacement) |
| `SONARSOURCE_REPOSITORY_URL` | URL for SonarSource Artifactory root virtual repository (i.e.: [`sonarsource`](https://repox.jfrog.io/artifactory/sonarsource) for release builds or [`sonarsource-qa`](https://repox.jfrog.io/artifactory/sonarsource-qa) for QA builds) |
| `SONARSOURCE_REPOSITORY_URL` | URL for SonarSource Artifactory root virtual repository (i.e.: [`sonarsource`](https://repox.dev.sonar.build/artifactory/sonarsource) for release builds or [`sonarsource-qa`](https://repox.dev.sonar.build/artifactory/sonarsource-qa) for QA builds) |
| `CONFIG_MAVEN_COMPLETED` | For internal use. If set, the action is skipped |
| `MAVEN_CONFIG` | Path to m2 root `$HOME/.m2` |
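Review bot: the `ARTIFACTORY_URL` row still presents the value as an example ("E.g.") even though, with the URL inputs removed, it is always `https://repox.dev.sonar.build/artifactory`; stating the fixed value (and keeping the `SONARSOURCE_REPOSITORY_URL` links in step with it, as done here) avoids implying the URL can still vary.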

@@ -311,8 +312,6 @@ See also [`config-maven`](#config-maven) input environment variables.
| `deploy-pull-request` | Whether to also deploy for pull requests. If deploy is false, this has no effect. | `false` |
| `maven-args` | Additional arguments to pass to Maven | (optional) |
| `scanner-java-opts` | Additional Java options for the Sonar scanner (`SONAR_SCANNER_JAVA_OPTS`) | `-Xmx512m` |
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
| `use-develocity` | Whether to use Develocity for build tracking | `false` |
| `develocity-url` | URL for Develocity | `https://develocity.sonar.build/` |
| `sonar-platform` | SonarQube primary platform - 'next', 'sqc-eu', 'sqc-us', or 'none'. Use 'none' to skip sonar scans | `next` |
@@ -1259,8 +1258,6 @@ promote:

| Input | Description | Default |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------------------|
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
| `repox-artifactory-url` | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional) |
| `promote-pull-request` | Whether to promote pull request artifacts. Requires `deploy-pull-request` input to be set to `true` in the build action | `false` |
| `multi-repo` | If true, promotes to public and private repositories. For projects with both public and private artifacts | (optional) |
| `artifactory-deploy-repo` | Repository to deploy to. If not set, it will be retrieved from the build info | (optional) |
29 changes: 13 additions & 16 deletions build-maven/action.yml
@@ -48,12 +48,6 @@ inputs:
common-mvn-flags:
description: Maven flags for all subsequent mvn calls
default: --batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false
repox-url:
description: URL for Repox
default: https://repox.jfrog.io
repox-artifactory-url:
description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided)
default: ''
use-develocity:
description: Whether to use Develocity for build tracking.
default: 'false'
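Review bot: removing the `repox-url` and `repox-artifactory-url` inputs is a breaking change for callers that still pass them: GitHub Actions logs an "Unexpected input(s)" warning for inputs an action does not declare and otherwise ignores the value, so such workflows keep running against the now hardcoded `https://repox.dev.sonar.build/artifactory` with only a warning to notice. State the removal in the README and the release notes, and consider a new major tag if `@v1` remains the advertised reference.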
@@ -116,8 +110,6 @@ runs:
working-directory: ${{ inputs.working-directory }}
artifactory-reader-role: ${{ inputs.artifactory-reader-role }}
common-mvn-flags: ${{ inputs.common-mvn-flags }}
repox-url: ${{ inputs.repox-url }}
repox-artifactory-url: ${{ inputs.repox-artifactory-url }}
use-develocity: ${{ inputs.use-develocity }}
develocity-url: ${{ inputs.develocity-url }}
cache-paths: ${{ inputs.cache-paths }}
@@ -151,6 +143,16 @@ runs:
echo "SONARSOURCE_REPOSITORY_URL=${ARTIFACTORY_URL}/sonarsource" >> "$GITHUB_ENV"
# yamllint enable rule:line-length

- uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0
id: artifactory
with:
url: https://vault.dev.sonar.build
# yamllint disable rule:line-length
secrets: |
${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_USERNAME_VAULT || '' }}
${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_ACCESS_TOKEN_VAULT || '' }}
${{ inputs.deploy != 'false' && inputs.mixed-privacy == 'true' && steps.params.outputs.ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN_VAULT || '' }}
Comment on lines +146 to +154
💡 Edge Case: artifactory vault step may emit empty output for non-deploy builds

The new artifactory step requests zero secrets when inputs.deploy == 'false' (all three secret lines evaluate to ''), and it has no if: guard, so it always runs. Lines 190-192 then call fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME etc.

Previously these deploy credentials lived in the secrets step, whose output was always non-empty valid JSON because it also requested SIGN_KEY/PGP_PASSPHRASE. Now, for non-deploy builds (e.g. PR builds with deploy=false), the dedicated artifactory step may produce an empty vault output. If the wrapper emits '' rather than {} in that case, fromJSON('') would throw and fail the env evaluation of the build step for all non-deploy runs.

Please confirm vault-action-wrapper outputs {} (not empty string) when no secrets are requested; if not, add an if: guard on the artifactory step (e.g. only when deploy != 'false') and gate the dependent env vars accordingly.


- uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0
id: secrets
with:
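Review bot: the new step at `id: artifactory` holds only deploy credentials, and its id does not say so; `id: artifactory-deploy` (or a `name:`) would make the later `steps.artifactory.outputs.vault` references self-explanatory next to the existing `steps.secrets` step. It also has no `if:` guard, so it runs and calls Vault even when all three secret expressions evaluate to '' (deploy disabled); gating it with `if: inputs.deploy != 'false'` avoids the empty request discussed in the thread above and means the deploy tokens are never requested in non-deploy runs.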
@@ -162,9 +164,6 @@ runs:
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }}
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }}
${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }}
${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_USERNAME_VAULT || '' }}
${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_ACCESS_TOKEN_VAULT || '' }}
${{ inputs.deploy != 'false' && inputs.mixed-privacy == 'true' && steps.params.outputs.ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN_VAULT || '' }}
development/kv/data/sign key | SIGN_KEY;
development/kv/data/sign passphrase | PGP_PASSPHRASE;
# yamllint enable rule:line-length
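Review bot: after the deploy credentials move out, this step still requests `development/kv/data/sign key | SIGN_KEY;` and `development/kv/data/sign passphrase | PGP_PASSPHRASE;` unconditionally, while the sonar tokens above are gated on `inputs.sonar-platform` / `inputs.run-shadow-scans`. If signing is only needed for deployed artifacts, gating these two lines on `inputs.deploy != 'false'` the same way (or moving them into the new deploy-only step) keeps the signing key out of PR and other non-deploy runs.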
@@ -188,9 +187,9 @@ runs:
ARTIFACTORY_DEPLOY_REPO: ${{ steps.params.outputs.ARTIFACTORY_DEPLOY_REPO }}

# Vault secrets
ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }}
ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }}
ARTIFACTORY_DEPLOY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} # used in parent POM
ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }}
ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }}
ARTIFACTORY_DEPLOY_PASSWORD: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} # used in parent POM
NEXT_URL: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_URL }}
NEXT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_TOKEN }}
SQC_EU_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_EU_URL }}
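Review bot: the three `fromJSON(steps.artifactory.outputs.vault)` expressions are unguarded, whereas config-maven/action.yml in this same change uses `${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME || '' }}`. Using the same guard here (`steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME || ''`, and likewise for the token and password lines) makes the env evaluation safe whatever the wrapper emits when no secrets were requested, and keeps the two actions consistent.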
@@ -238,8 +237,6 @@ runs:
if: always() && inputs.generate-summary != 'false'
shell: bash
env:
ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url ||
format('{0}/artifactory', inputs.repox-url) }}
JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR: ${{ runner.temp }}/jfrog-summary
run: |
build_name="${GITHUB_REPOSITORY#*/}"
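Review bot: with `ARTIFACTORY_URL` removed from this step's `env:`, the summary script depends on the value that config-maven exports to `$GITHUB_ENV`. Because the step runs under `if: always()`, it also runs when an earlier step failed before that export happened, in which case `ARTIFACTORY_URL` is empty; either keep a literal `ARTIFACTORY_URL: https://repox.dev.sonar.build/artifactory` here, as config-maven and promote now do, or have the script fail fast when the variable is unset.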
12 changes: 3 additions & 9 deletions config-maven/action.yml
@@ -12,12 +12,6 @@ inputs:
common-mvn-flags:
description: Maven flags for all subsequent mvn calls
default: --batch-mode --no-transfer-progress --errors --fail-at-end --show-version -Dmaven.test.redirectTestOutputToFile=false
repox-url:
description: URL for Repox
default: https://repox.jfrog.io
repox-artifactory-url:
description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided)
default: ''
use-develocity:
description: Whether to use Develocity for build tracking.
default: 'false'
@@ -96,6 +90,7 @@ runs:
if: steps.config-maven-completed.outputs.skip != 'true'
id: secrets
with:
url: https://vault.dev.sonar.build
secrets: |
development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME;
development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN;
@@ -113,8 +108,7 @@ runs:
if: steps.config-maven-completed.outputs.skip != 'true'
shell: bash
env:
ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url ||
format('{0}/artifactory', inputs.repox-url) }}
ARTIFACTORY_URL: https://repox.dev.sonar.build/artifactory
ARTIFACTORY_USERNAME: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME || '' }}
ARTIFACTORY_ACCESS_TOKEN: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN || '' }}
DEVELOCITY_TOKEN: ${{ inputs.use-develocity == 'true' && steps.secrets.outputs.vault &&
Expand All @@ -124,7 +118,7 @@ runs:
echo "::warning title=Found invalid DEVELOCITY_ACCESS_KEY::DEVELOCITY_ACCESS_KEY should not be set manually" \
"in the environment." >&2
echo "[WARNING] DEVELOCITY_ACCESS_KEY is set in the environment with an empty token. This is a deprecated configuration." \
"The Develocity token is configured by config-maven. Please remove external configuration of DEVELOCITY_ACCESS_KEY."
"The Develocity token is configured by config-maven. Please remove external configuration of DEVELOCITY_ACCESS_KEY."
fi

echo "ARTIFACTORY_URL=$ARTIFACTORY_URL" >> "$GITHUB_ENV"
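Review bot: the continuation line of the `DEVELOCITY_ACCESS_KEY` warning appears unchanged in the rendered diff (the removed and added lines read identically), so that part of the hunk is whitespace-only and can be dropped to keep the change focused. The literal `ARTIFACTORY_URL: https://repox.dev.sonar.build/artifactory` is also what `echo "ARTIFACTORY_URL=$ARTIFACTORY_URL" >> "$GITHUB_ENV"` later exports, so every downstream step now sees the fixed URL; a comment on the env line saying it is intentionally not configurable would save the next reader a search.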
2 changes: 1 addition & 1 deletion config-maven/resources/settings.xml
@@ -62,7 +62,7 @@
<releases>
<enabled>true</enabled>
<!-- no need to always check if new versions are available when executing a Maven plugin without specifying the version -->
<updatePolicy>interval:60</updatePolicy>
<updatePolicy>always</updatePolicy>
<checksumPolicy>fail</checksumPolicy>
Comment on lines 62 to 66
⚠️ Quality: updatePolicy=always contradicts adjacent comment and adds overhead

In the plugin releases repository, updatePolicy was changed from interval:60 to always, but the comment directly above it still reads: "no need to always check if new versions are available when executing a Maven plugin without specifying the version". The code now does the exact opposite of what the comment states.

Functionally, always makes Maven check the remote repository for plugin updates on every single build. For a release (non-snapshot) plugin repository this is almost never desired — released artifacts are immutable, so the only effect is added network round-trips (and slower, less reliable builds) on each invocation. interval:60 (or daily) already balanced freshness against performance.

Suggested fix: either revert to interval:60/daily, or if always is intentional, update the comment to explain why frequent checks are now required. Note the <releases> repository block above (line 48) still uses interval:60, so this also introduces an inconsistency between the two repository definitions.

Revert to interval:60 to match the comment and the releases repository above:

<releases>
  <enabled>true</enabled>
  <!-- no need to always check if new versions are available when executing a Maven plugin without specifying the version -->
  <updatePolicy>interval:60</updatePolicy>
  <checksumPolicy>fail</checksumPolicy>
</releases>

</releases>
<snapshots>
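Review bot: independent of the `interval:60` versus `always` question raised in the thread above, the comment directly above `<updatePolicy>` describes plugins invoked without a version, which is the only case in which the remote check happens at all for a releases repository; declaring every plugin version in the POM (`<pluginManagement>` in the parent is the usual place) makes builds reproducible and leaves `updatePolicy` irrelevant for release plugins. With `<checksumPolicy>fail</checksumPolicy>` kept, that is the control worth relying on.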
13 changes: 3 additions & 10 deletions promote/action.yml
@@ -2,12 +2,6 @@
name: Promote
description: GitHub Action to promote a project
inputs:
repox-url:
description: URL for Repox
default: https://repox.jfrog.io
repox-artifactory-url:
description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided)
default: ''
promote-pull-request:
description: Whether to promote pull request artifacts. Requires `deploy-pull-request` input to be set to `true` in the build action.
default: 'false'
@@ -54,19 +48,18 @@ runs:
- uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0
id: secrets
with:
url: https://vault.dev.sonar.build
secrets: |
development/artifactory/token/{REPO_OWNER_NAME_DASH}-promoter access_token | ARTIFACTORY_PROMOTE_ACCESS_TOKEN;
development/github/token/{REPO_OWNER_NAME_DASH}-promotion token | GITHUB_TOKEN;
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
with:
version: 2026.5.9
- name: Promote artifacts
shell: bash
env:
ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url ||
format('{0}/artifactory', inputs.repox-url) }}
ARTIFACTORY_URL: https://repox.dev.sonar.build/artifactory
ARTIFACTORY_PROMOTE_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PROMOTE_ACCESS_TOKEN }}
GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ github.token }}
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
MULTI_REPO_PROMOTE: ${{ inputs.multi-repo }}
ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo }}
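Review bot: `GITHUB_TOKEN` now comes from `github.token`, but the `secrets:` block still requests `development/github/token/{REPO_OWNER_NAME_DASH}-promotion token | GITHUB_TOKEN;`, so the Vault-issued token is fetched, placed in the step output and never used. Drop that line (and the matching Vault policy from the README) so the action holds no credential it does not need. Note also that `github.token` carries only the permissions the calling workflow grants, so the promote README should list which `permissions:` the promote step requires.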