BUILD-11521: Use conditional vault URL when repox-url contains dev.sonar.build

[julien-carsique-sonarsource]

Summary

• Removes repox-artifactory-url input from all actions (superseded by repox-url)
• When repox-url contains dev.sonar.build, Artifactory credentials are retrieved from vault.dev.sonar.build (dev vault) instead of the default vault.sonar.build
• Sonar platform credentials (SonarQube scanning, signing keys) and Develocity always come from the production vault regardless of repox-url
• Fixes repoxAuth.init.gradle.kts: host was hardcoded to repox.jfrog.io; now derived dynamically from ARTIFACTORY_URL so Bearer auth applies to any Repox instance

Implementation:

• Config actions (config-maven, config-gradle): vault call split into id: artifactory (conditional URL, Artifactory reader creds) and id: secrets (always prod vault, Develocity token, skipped when use-develocity=false)
• Config actions (config-npm, config-pip): conditional url: on the single vault step (no Develocity, only Artifactory reader creds)
• Build actions (build-maven, build-gradle, build-npm, build-yarn, build-poetry) and promote: vault call split into a dedicated artifactory step (conditional URL, Artifactory deploy creds) and the existing secrets step (always prod vault, Sonar platform + sign keys)
• config-gradle/resources/repoxAuth.init.gradle.kts: host now derived from java.net.URI(artifactoryUrl).host

Follows the same approach as #280 but conditional on repox-url.

Jira: https://sonarsource.atlassian.net/browse/BUILD-11521

Test plan

Test PRs using repox-url: https://repox.dev.sonar.build on runs-on: {group: sonar-dev, labels: sonar-xs}:

Repo	PR	Action tested	Status
sonar-dummy	https://github.com/SonarSource/sonar-dummy/pull/611	build-maven	✅ All checks pass (Build Linux/macOS/Windows/WarpBuild + Promote)
sonar-dummy-gradle-oss	SonarSource/sonar-dummy-gradle-oss#351	build-gradle + config-gradle	✅ Build + Promote pass
sonar-dummy-js	SonarSource/sonar-dummy-js#140	build-npm + config-npm	❌ Build: @sonar/scan 403 — npm package absent from dev Repox npm virtual repo (dev Repox content gap)
sonar-dummy-maven-enterprise	https://github.com/SonarSource/sonar-dummy-maven-enterprise/pull/134	build-maven + config-maven	✅ All checks pass (Build Linux/Windows + Verify Linux/Windows + Promote)
sonar-dummy-python-oss	SonarSource/sonar-dummy-python-oss#109	build-poetry	❌ Build: deploy 403 to sonarsource-pypi-public-qa — repo missing or deployer lacks write permission on dev Repox (dev Repox content gap)
sonar-dummy-yarn	https://github.com/SonarSource/sonar-dummy-yarn/pull/61	build-yarn	❌ Build: @sonar/scan 403 — same as sonar-dummy-js

Note: The 3 remaining failures are all dev Repox content/permission gaps unrelated to this PR:

1. @sonar/scan npm package not proxied in dev Repox npm virtual repo (affects js + yarn)
2. sonarsource-pypi-public-qa missing or not writable on dev Repox (affects python-oss)

[hashicorp-vault-sonar-prod]

BUILD-11521

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gitar-bot]

Code Review ✅ Approved 1 resolved / 1 findings

Implements conditional vault URL selection for Artifactory credentials based on the repox-url, ensuring development builds use the correct vault environment. The issue regarding the new artifactory vault step potentially running with empty secrets has been resolved.

✅ 1 resolved

✅ Edge Case: New 'artifactory' vault step may run with empty secrets

📄 build-gradle/action.yml:128-136 📄 build-gradle/action.yml:173-175 📄 build-npm/action.yml 📄 build-maven/action.yml
In build-gradle, build-npm and build-maven, the new dedicated artifactory vault step only contains deploy credentials, all gated on inputs.deploy != 'false' && inputs.run-shadow-scans != 'true'. For the common PR / non-deploy path (deploy == 'false' or run-shadow-scans == 'true'), every line evaluates to '', so the vault-action-wrapper step runs against the (possibly dev) vault with a completely empty secrets: input.

This is a behavior change: previously these deploy credentials lived in the secrets step, which always also requested the sign keys (development/kv/data/sign ...), so that step was never empty. Now the split-off artifactory step can be empty. If vault-action-wrapper errors (or performs an unnecessary auth round-trip) when given no secrets, this would impact the main PR build path.

Note build-yarn and build-poetry are not affected because their artifactory step always includes the unconditional reader credentials.

Suggested action: verify vault-action-wrapper tolerates empty secrets, or add an if: guard to the artifactory step (e.g. if: inputs.deploy != 'false' && inputs.run-shadow-scans != 'true') so it is skipped entirely when no Artifactory deploy creds are needed. If the step is skipped, also confirm steps.artifactory.outputs.vault is still safe to fromJSON() (use a guard like in config-gradle: steps.artifactory.outputs.vault && fromJSON(...) || '').

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply	Compact
gitar auto-apply:on	gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[Copilot]

Pull request overview

This PR updates the composite actions to (1) remove the repox-artifactory-url input (standardizing on repox-url) and (2) conditionally use the dev Vault (vault.dev.sonar.build) for Artifactory credentials when repox-url targets dev.sonar.build, while keeping Sonar platform / signing / Develocity secrets sourced from the production Vault. It also fixes the Gradle init script so Bearer auth applies to any Repox host derived from ARTIFACTORY_URL.

Changes:

• Remove repox-artifactory-url across actions; always construct ARTIFACTORY_URL from repox-url.
• Split Vault retrieval into separate “artifactory” (conditional Vault URL) vs “secrets” (prod Vault) steps where needed.
• Update repoxAuth.init.gradle.kts to derive the authenticated host from ARTIFACTORY_URL instead of hardcoding repox.jfrog.io.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
promote/action.yml	Removes repox-artifactory-url and fetches Artifactory promotion token from dev/prod Vault based on repox-url.
config-pip/action.yml	Removes repox-artifactory-url; Vault URL for Artifactory reader creds becomes conditional on repox-url.
config-npm/action.yml	Removes repox-artifactory-url; Vault URL for Artifactory reader creds becomes conditional on repox-url.
config-maven/action.yml	Removes repox-artifactory-url; splits Artifactory vs Develocity Vault reads; Artifactory Vault URL becomes conditional.
config-gradle/action.yml	Removes repox-artifactory-url; splits Artifactory vs Develocity Vault reads; Artifactory Vault URL becomes conditional.
config-gradle/resources/repoxAuth.init.gradle.kts	Derives the Repox host from ARTIFACTORY_URL so Bearer auth applies to any Repox instance.
build-yarn/action.yml	Removes repox-artifactory-url; adds conditional Artifactory Vault step separated from prod “secrets”.
build-poetry/action.yml	Removes repox-artifactory-url; adds conditional Artifactory Vault step separated from prod “secrets”.
build-npm/action.yml	Removes repox-artifactory-url; adds conditional Artifactory deploy-token Vault step separated from prod “secrets”.
build-maven/action.yml	Removes repox-artifactory-url; adds conditional Artifactory deploy-creds Vault step separated from prod “secrets”.
build-gradle/action.yml	Removes repox-artifactory-url; adds conditional Artifactory deploy-creds Vault step separated from prod “secrets”.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.