From 7aa39d5c768803ce8dacf4d55afa753180a84eca Mon Sep 17 00:00:00 2001 From: Julien Carsique Date: Thu, 4 Jun 2026 15:59:50 +0200 Subject: [PATCH] BUILD-11521: Use conditional vault URL when repox-url contains dev.sonar.build When repox-url contains dev.sonar.build, Artifactory credentials are fetched from vault.dev.sonar.build instead of the default vault.sonar.build. Sonar platform credentials (SonarQube, signing) and Develocity always come from the production vault regardless of repox-url. Changes: - Remove repox-artifactory-url input from all actions (superseded by repox-url) - config-gradle, config-maven: split vault into id:artifactory (conditional URL, reader creds) and id:secrets (always prod vault, Develocity token) - config-npm, config-pip: add conditional url: to the single vault step - build-maven, build-gradle, build-npm, build-yarn, build-poetry, promote: split vault into id:artifactory (conditional URL, deploy creds) and id:secrets (always prod vault, Sonar platform + sign keys) - config-gradle/resources/repoxAuth.init.gradle.kts: derive host dynamically from ARTIFACTORY_URL instead of hardcoding repox.jfrog.io Co-Authored-By: Claude Sonnet 4.6 --- build-gradle/action.yml | 24 ++++++++----- build-maven/action.yml | 34 +++++++++++-------- build-npm/action.yml | 24 +++++++------ build-poetry/action.yml | 28 ++++++++------- build-yarn/action.yml | 28 ++++++++------- config-gradle/action.yml | 22 +++++++----- .../resources/repoxAuth.init.gradle.kts | 4 +-- config-maven/action.yml | 22 +++++++----- config-npm/action.yml | 7 ++-- config-pip/action.yml | 8 ++--- promote/action.yml | 15 ++++---- 11 files changed, 119 insertions(+), 97 deletions(-) diff --git a/build-gradle/action.yml b/build-gradle/action.yml index eb1c6f51..c67efc3b 100644 --- a/build-gradle/action.yml +++ b/build-gradle/action.yml 
@@ -47,9 +47,6 @@ inputs: repox-url: description: URL for Repox default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' use-develocity: description: Whether to use Develocity for build tracking. default: 'false' @@ -115,7 +112,6 @@ runs: working-directory: ${{ inputs.working-directory }} artifactory-reader-role: ${{ inputs.artifactory-reader-role }} repox-url: ${{ inputs.repox-url }} - repox-artifactory-url: ${{ inputs.repox-artifactory-url }} use-develocity: ${{ inputs.use-develocity }} develocity-url: ${{ inputs.develocity-url }} cache-paths: ${{ inputs.cache-paths }} @@ -129,6 +125,16 @@ runs: run: | echo "ARTIFACTORY_DEPLOYER_ROLE=${ARTIFACTORY_DEPLOYER_ROLE}" >> "$GITHUB_ENV" + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + if: inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' + id: artifactory + with: + url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }} + # yamllint disable rule:line-length + secrets: | + ${{ format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} username | ARTIFACTORY_DEPLOY_USERNAME;', env.ARTIFACTORY_DEPLOYER_ROLE) }} + ${{ format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) }} + # yamllint enable rule:line-length - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 id: secrets with: 
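Review bot: The vault selection in the new `artifactory` step, `url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && ... }}`, is a substring test, so any `repox-url` that merely contains `dev.sonar.build` somewhere (a longer hostname, a path segment) is enough to redirect the credential fetch to the dev vault. Since this expression is copied verbatim into build-maven, build-npm, build-poetry, build-yarn, config-gradle, config-maven, config-npm, config-pip and promote, anchoring it on the expected origin and keeping every copy identical would be safer, e.g. `url: ${{ startsWith(inputs.repox-url, 'https://[DEV_REPOX_HOST]/') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }}` with the real dev Repox host filled in. The `repox-url` input description (`URL for Repox`) should also say that the URL now decides which Vault the Artifactory credentials are read from, since nothing else in the action makes that visible to callers.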
@@ -140,8 +146,6 @@ runs: ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }} - ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} username | ARTIFACTORY_DEPLOY_USERNAME;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }} - ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }} development/kv/data/sign key | SIGN_KEY; development/kv/data/sign passphrase | PGP_PASSPHRASE; development/kv/data/sign key_id | SIGN_KEY_ID; 
@@ -167,9 +171,11 @@ runs: github.event.repository.visibility == 'public' && 'sonarsource-public-qa' || 'sonarsource-private-qa' }} # Vault secrets - ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }} - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} - ARTIFACTORY_DEPLOY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} # deprecated + # yamllint disable rule:line-length + ARTIFACTORY_DEPLOY_USERNAME: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME || '' }} + ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN || '' }} + ARTIFACTORY_DEPLOY_PASSWORD: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN || '' }} # deprecated + # yamllint enable rule:line-length NEXT_URL: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_URL }} NEXT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_TOKEN }} SQC_EU_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_EU_URL }} diff --git a/build-maven/action.yml b/build-maven/action.yml index 6c23b147..fb2f13ff 100644 --- a/build-maven/action.yml +++ b/build-maven/action.yml @@ -51,9 +51,6 @@ inputs: repox-url: description: URL for Repox default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' use-develocity: description: Whether to use Develocity for build tracking. default: 'false' 
@@ -117,7 +114,6 @@ runs: artifactory-reader-role: ${{ inputs.artifactory-reader-role }} common-mvn-flags: ${{ inputs.common-mvn-flags }} repox-url: ${{ inputs.repox-url }} - repox-artifactory-url: ${{ inputs.repox-artifactory-url }} use-develocity: ${{ inputs.use-develocity }} develocity-url: ${{ inputs.develocity-url }} cache-paths: ${{ inputs.cache-paths }} @@ -151,6 +147,17 @@ runs: echo "SONARSOURCE_REPOSITORY_URL=${ARTIFACTORY_URL}/sonarsource" >> "$GITHUB_ENV" # yamllint enable rule:line-length + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + if: inputs.deploy != 'false' + id: artifactory + with: + url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }} + # yamllint disable rule:line-length + secrets: | + ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_USERNAME_VAULT || '' }} + ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_ACCESS_TOKEN_VAULT || '' }} + ${{ inputs.deploy != 'false' && inputs.mixed-privacy == 'true' && steps.params.outputs.ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN_VAULT || '' }} + # yamllint enable rule:line-length - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 id: secrets with: 
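Review bot: The `if:` on the new build-maven `artifactory` step is `inputs.deploy != 'false'`, looser than the `&& inputs.run-shadow-scans != 'true'` used by the equivalent step in build-gradle and build-npm, while each `secrets:` line still repeats `inputs.deploy != 'false' &&` inside the step. With `run-shadow-scans == 'true'` and `mixed-privacy` unset, the step therefore runs with every secret line evaluating to `''`; whether the wrapper accepts an empty secret list is not visible here, so confirm it does not fail the job. Tightening the guard and dropping the redundant inner clause, `if: inputs.deploy != 'false' && (inputs.run-shadow-scans != 'true' || inputs.mixed-privacy == 'true')`, would make the step skip cleanly in that case, and the downstream `steps.artifactory.outputs.vault && ... || ''` guards already tolerate the skip.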
@@ -162,9 +169,6 @@ runs: ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }} - ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_USERNAME_VAULT || '' }} - ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && steps.params.outputs.ARTIFACTORY_DEPLOY_ACCESS_TOKEN_VAULT || '' }} - ${{ inputs.deploy != 'false' && inputs.mixed-privacy == 'true' && steps.params.outputs.ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN_VAULT || '' }} development/kv/data/sign key | SIGN_KEY; development/kv/data/sign passphrase | PGP_PASSPHRASE; # yamllint enable rule:line-length 
@@ -188,9 +192,11 @@ runs: ARTIFACTORY_DEPLOY_REPO: ${{ steps.params.outputs.ARTIFACTORY_DEPLOY_REPO }} # Vault secrets - ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }} - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} - ARTIFACTORY_DEPLOY_PASSWORD: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} # used in parent POM + # yamllint disable rule:line-length + ARTIFACTORY_DEPLOY_USERNAME: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME || '' }} + ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN || '' }} + ARTIFACTORY_DEPLOY_PASSWORD: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN || '' }} # used in parent POM + # yamllint enable rule:line-length NEXT_URL: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_URL }} NEXT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_TOKEN }} SQC_EU_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_EU_URL }} 
@@ -209,9 +215,11 @@ runs: (github.event_name != 'pull_request' || inputs.deploy-pull-request == 'true') env: ARTIFACTORY_DEPLOY_REPO: ${{ steps.params.outputs.ARTIFACTORY_DEPLOY_REPO }} - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} + # yamllint disable rule:line-length + ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN || '' }} ARTIFACTORY_PRIVATE_DEPLOY_REPO: ${{ steps.params.outputs.ARTIFACTORY_PRIVATE_DEPLOY_REPO }} - ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN }} + ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN || '' }} + # yamllint enable rule:line-length INSTALLED_ARTIFACTS: ${{ steps.build.outputs.installed-artifacts }} JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR: ${{ runner.temp }}/jfrog-summary run: $ACTION_PATH_BUILD_MAVEN/deploy-artifacts.sh @@ -238,8 +246,6 @@ runs: if: always() && inputs.generate-summary != 'false' shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR: ${{ runner.temp }}/jfrog-summary run: | build_name="${GITHUB_REPOSITORY#*/}" diff --git a/build-npm/action.yml b/build-npm/action.yml index cf0b429a..9578e3e1 100644 --- a/build-npm/action.yml +++ b/build-npm/action.yml @@ -35,9 +35,6 @@ inputs: repox-url: description: URL for Repox default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' sonar-platform: description: SonarQube primary platform (next, sqc-eu, sqc-us, or none). Use 'none' to skip sonar scans. default: next 
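Review bot: In the `@@ -238,8 +246,6 @@` hunk the summary step of build-maven loses its `ARTIFACTORY_URL` env entry entirely, whereas the same step in build-npm, build-poetry and build-yarn keeps it as `ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }}`. If the summary script reads that variable, it now depends on an earlier step having exported it to `$GITHUB_ENV` (the params step does write `SONARSOURCE_REPOSITORY_URL` from `${ARTIFACTORY_URL}`, which suggests it is set there, but that is not visible in this hunk). Keeping the one-line derivation in the step env, as the sibling actions do, removes the ordering dependency.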
@@ -131,10 +128,18 @@ runs: host-actions-root: ${{ steps.set-path.outputs.host_actions_root }} artifactory-reader-role: ${{ env.ARTIFACTORY_READER_ROLE }} repox-url: ${{ inputs.repox-url }} - repox-artifactory-url: ${{ inputs.repox-artifactory-url }} working-directory: ${{ inputs.working-directory }} disable-caching: ${{ inputs.cache-npm != 'true' && 'true' || inputs.disable-caching }} + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + if: inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' + id: artifactory + with: + url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }} + # yamllint disable rule:line-length + secrets: | + ${{ format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) }} + # yamllint enable rule:line-length - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 id: secrets # yamllint disable rule:line-length @@ -146,7 +151,6 @@ runs: ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }} - ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }} # yamllint enable rule:line-length - name: Build, test, analyze and deploy id: build 
@@ -158,11 +162,12 @@ runs: DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} BUILD_NAME: ${{ inputs.build-name || github.event.repository.name }} - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo != '' && inputs.artifactory-deploy-repo || (github.event.repository.visibility == 'public' && 'sonarsource-npm-public-qa' || 'sonarsource-npm-private-qa') }} - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} + # yamllint disable rule:line-length + ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN || '' }} + # yamllint enable rule:line-length DEPLOY: ${{ inputs.deploy }} DEPLOY_PULL_REQUEST: ${{ inputs.deploy-pull-request }} SKIP_TESTS: ${{ inputs.skip-tests }} @@ -210,8 +215,7 @@ runs: if: always() && inputs.generate-summary != 'false' shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR: ${{ runner.temp }}/jfrog-summary run: | build_name="${GITHUB_REPOSITORY#*/}" diff --git a/build-poetry/action.yml b/build-poetry/action.yml index df8de888..11295471 100644 --- a/build-poetry/action.yml +++ b/build-poetry/action.yml @@ -33,9 +33,6 @@ inputs: repox-url: description: URL for Repox default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' sonar-platform: description: SonarQube primary platform (next, sqc-eu, sqc-us, or none). Use 'none' to skip sonar scans. default: next 
@@ -120,6 +117,16 @@ runs: - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 with: version: 2026.5.9 + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + id: artifactory + with: + url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }} + # yamllint disable rule:line-length + secrets: | + development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; + development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME; + ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }} + # yamllint enable rule:line-length - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 id: secrets # yamllint disable rule:line-length 
@@ -131,9 +138,6 @@ runs: ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }} - development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; - development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME; - ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }} # yamllint enable rule:line-length - name: Build, Analyze and deploy id: build 
@@ -145,16 +149,15 @@ runs: DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} # Action inputs - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} DEPLOY: ${{ inputs.deploy }} DEPLOY_PULL_REQUEST: ${{ inputs.deploy-pull-request }} ARTIFACTORY_PYPI_REPO: ${{ inputs.public == 'true' && 'sonarsource-pypi' || 'sonarsource-pypi' }} # FIXME: sonarsource-pypi-public ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo != '' && inputs.artifactory-deploy-repo || github.event.repository.visibility == 'public' && 'sonarsource-pypi-public-qa' || 'sonarsource-pypi-private-qa' }} - ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }} - ARTIFACTORY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME }} - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} + ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }} + ARTIFACTORY_USERNAME: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_USERNAME }} + ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/${{ inputs.poetry-virtualenvs-path }} POETRY_CACHE_DIR: ${{ github.workspace }}/${{ inputs.poetry-cache-dir }} @@ -189,8 +192,7 @@ runs: if: always() && inputs.generate-summary != 'false' shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR: ${{ runner.temp }}/jfrog-summary run: | build_name="${GITHUB_REPOSITORY#*/}" 
diff --git a/build-yarn/action.yml b/build-yarn/action.yml index 59a3ab53..06b4caed 100644 --- a/build-yarn/action.yml +++ b/build-yarn/action.yml @@ -38,9 +38,6 @@ inputs: repox-url: description: URL for Repox default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' sonar-platform: description: SonarQube primary platform (next, sqc-eu, sqc-us, or none). Use 'none' to skip sonar scans. default: next @@ -130,6 +127,16 @@ runs: key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }} restore-keys: yarn-${{ runner.os }}- + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + id: artifactory + with: + url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }} + # yamllint disable rule:line-length + secrets: | + development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME; + development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; + ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }} + # yamllint enable rule:line-length - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 id: secrets # yamllint disable rule:line-length 
@@ -141,9 +148,6 @@ runs: ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarqube-us token | SQC_US_TOKEN;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud url | SQC_EU_URL;' || '' }} ${{ (inputs.sonar-platform != 'none' || inputs.run-shadow-scans == 'true') && 'development/kv/data/sonarcloud token | SQC_EU_TOKEN;' || '' }} - development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME; - development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; - ${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }} # yamllint enable rule:line-length - name: Build, test, analyze and deploy 
@@ -155,13 +159,12 @@ runs: DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} # Action inputs - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo != '' && inputs.artifactory-deploy-repo || github.event.repository.visibility == 'public' && 'sonarsource-public-qa' || 'sonarsource-private-qa' }} - ARTIFACTORY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME }} - ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }} - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} + ARTIFACTORY_USERNAME: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_USERNAME }} + ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }} + ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }} DEPLOY: ${{ inputs.deploy }} DEPLOY_PULL_REQUEST: ${{ inputs.deploy-pull-request }} SKIP_TESTS: ${{ inputs.skip-tests }} @@ -195,8 +198,7 @@ runs: if: always() && inputs.generate-summary != 'false' shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR: ${{ runner.temp }}/jfrog-summary run: | build_name="${GITHUB_REPOSITORY#*/}" diff --git a/config-gradle/action.yml b/config-gradle/action.yml index b1f3e390..a918dc67 100644 --- a/config-gradle/action.yml +++ b/config-gradle/action.yml 
@@ -12,9 +12,6 @@ inputs: repox-url: description: URL for Repox default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' use-develocity: description: Whether to use Develocity for build tracking. default: 'false' @@ -93,12 +90,18 @@ runs: echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV" - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 if: steps.config-gradle-completed.outputs.skip != 'true' - id: secrets + id: artifactory with: + url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }} secrets: | development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME; development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; - ${{ inputs.use-develocity == 'true' && 'development/kv/data/develocity token | DEVELOCITY_TOKEN;' || '' }} + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + if: steps.config-gradle-completed.outputs.skip != 'true' && inputs.use-develocity == 'true' + id: secrets + with: + secrets: | + development/kv/data/develocity token | DEVELOCITY_TOKEN; - name: Extract Develocity hostname id: develocity-hostname 
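Review bot: The split into an `artifactory` step and a separate `secrets` step is not explained in the file, and the same split appears in config-maven and promote. A one-line comment above the first step, `# Artifactory credentials may come from the dev vault (depends on repox-url); every other secret always comes from the production vault`, would keep a future maintainer from merging the two steps back into one.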
@@ -112,10 +115,11 @@ runs: if: steps.config-gradle-completed.outputs.skip != 'true' shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} - ARTIFACTORY_USERNAME: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME || '' }} - ARTIFACTORY_ACCESS_TOKEN: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN || '' }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} + # yamllint disable rule:line-length + ARTIFACTORY_USERNAME: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_USERNAME || '' }} + ARTIFACTORY_ACCESS_TOKEN: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_ACCESS_TOKEN || '' }} + # yamllint enable rule:line-length DEVELOCITY_TOKEN: ${{ inputs.use-develocity == 'true' && steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).DEVELOCITY_TOKEN || '' }} run: | diff --git a/config-gradle/resources/repoxAuth.init.gradle.kts b/config-gradle/resources/repoxAuth.init.gradle.kts index cbc79357..6a9c8962 100644 --- a/config-gradle/resources/repoxAuth.init.gradle.kts +++ b/config-gradle/resources/repoxAuth.init.gradle.kts @@ -1,5 +1,5 @@ /** - * Authenticate repox.jfrog.io repositories with Bearer scheme + * Authenticate Repox repositories with Bearer scheme * and remove all other Maven repositories (e.g., Maven Central) * * Credentials can be set by using one of these options: 
@@ -82,8 +82,8 @@ allprojects { class RepoxAuth { companion object { - const val host = "repox.jfrog.io" val artifactoryUrl = System.getenv("ARTIFACTORY_URL") ?: "https://repox.jfrog.io/artifactory" + val host = java.net.URI(artifactoryUrl).host val sonarsourceRepositoryUrl = RepoxAuth.artifactoryUrl.trimEnd('/') + "/" + (System.getenv("SONARSOURCE_REPOSITORY") ?: "sonarsource") const val authType = "header" diff --git a/config-maven/action.yml b/config-maven/action.yml index 7841b459..9f2f7c04 100644 --- a/config-maven/action.yml +++ b/config-maven/action.yml @@ -15,9 +15,6 @@ inputs: repox-url: description: URL for Repox default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' use-develocity: description: Whether to use Develocity for build tracking. default: 'false' 
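Review bot: `val host = java.net.URI(artifactoryUrl).host` in the `RepoxAuth` companion object has no handling for a malformed or scheme-less `ARTIFACTORY_URL`: `URI(...)` throws `URISyntaxException`, and a value such as `repox.jfrog.io/artifactory` parses with a null `host`, leaving a platform-typed null that the code presumably comparing repository hosts later in the object would silently match nothing against. Since this host decides which repositories receive the Bearer credential, failing fast is preferable, e.g. `val host: String = java.net.URI(artifactoryUrl).host ?: error("ARTIFACTORY_URL has no host: $artifactoryUrl")`. The companion object continues past the end of the hunk, so the consumers of `host` are not reviewed here.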
@@ -94,12 +91,18 @@ runs: echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV" - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 if: steps.config-maven-completed.outputs.skip != 'true' - id: secrets + id: artifactory with: + url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }} secrets: | development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME; development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; - ${{ inputs.use-develocity == 'true' && 'development/kv/data/develocity token | DEVELOCITY_TOKEN;' || '' }} + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + if: steps.config-maven-completed.outputs.skip != 'true' && inputs.use-develocity == 'true' + id: secrets + with: + secrets: | + development/kv/data/develocity token | DEVELOCITY_TOKEN; - name: Extract Develocity hostname id: develocity-hostname 
@@ -113,10 +116,11 @@ runs: if: steps.config-maven-completed.outputs.skip != 'true' shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} - ARTIFACTORY_USERNAME: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME || '' }} - ARTIFACTORY_ACCESS_TOKEN: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN || '' }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} + # yamllint disable rule:line-length + ARTIFACTORY_USERNAME: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_USERNAME || '' }} + ARTIFACTORY_ACCESS_TOKEN: ${{ steps.artifactory.outputs.vault && fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_ACCESS_TOKEN || '' }} + # yamllint enable rule:line-length DEVELOCITY_TOKEN: ${{ inputs.use-develocity == 'true' && steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).DEVELOCITY_TOKEN || '' }} run: | diff --git a/config-npm/action.yml b/config-npm/action.yml index b991ab9f..e223cac9 100644 --- a/config-npm/action.yml +++ b/config-npm/action.yml @@ -18,9 +18,6 @@ inputs: repox-url: description: URL for Repox default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' host-actions-root: description: Path to the actions folder on the host (used when called from another local action) default: '' 
@@ -96,6 +93,7 @@ runs: if: steps.config-npm-completed.outputs.skip != 'true' id: secrets with: + url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }} secrets: | development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME; development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; @@ -104,8 +102,7 @@ runs: if: steps.config-npm-completed.outputs.skip != 'true' shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} ARTIFACTORY_ACCESS_TOKEN: ${{ steps.secrets.outputs.vault && fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN || '' }} run: | $ACTION_PATH_CONFIG_NPM/npm_config.sh diff --git a/config-pip/action.yml b/config-pip/action.yml index 8937369f..b601313b 100644 --- a/config-pip/action.yml +++ b/config-pip/action.yml @@ -13,9 +13,6 @@ inputs: repox-url: description: URL for Repox default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' cache-paths: description: Cache paths to use (multiline). default: ~/.cache/pip @@ -76,6 +73,7 @@ runs: - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 id: secrets with: + url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }} secrets: | development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME; development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN; 
@@ -84,9 +82,7 @@ runs: id: config shell: bash env: - # Use custom Artifactory URL if provided, otherwise construct from repox-url - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} ARTIFACTORY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME }} ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }} run: $ACTION_PATH_CONFIG_PIP/config.sh diff --git a/promote/action.yml b/promote/action.yml index c5fab660..cfaa90c1 100644 --- a/promote/action.yml +++ b/promote/action.yml @@ -5,9 +5,6 @@ inputs: repox-url: description: URL for Repox default: https://repox.jfrog.io - repox-artifactory-url: - description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided) - default: '' promote-pull-request: description: Whether to promote pull request artifacts. Requires `deploy-pull-request` input to be set to `true` in the build action. default: 'false' @@ -52,10 +49,15 @@ runs: with: host-actions-root: ${{ steps.set-path.outputs.host_actions_root }} - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 - id: secrets + id: artifactory with: + url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }} secrets: | development/artifactory/token/{REPO_OWNER_NAME_DASH}-promoter access_token | ARTIFACTORY_PROMOTE_ACCESS_TOKEN; + - uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0 + id: secrets + with: + secrets: | development/github/token/{REPO_OWNER_NAME_DASH}-promotion token | GITHUB_TOKEN; - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 with: 
@@ -63,9 +65,8 @@ runs: - name: Promote artifacts shell: bash env: - ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url || - format('{0}/artifactory', inputs.repox-url) }} - ARTIFACTORY_PROMOTE_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PROMOTE_ACCESS_TOKEN }} + ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }} + ARTIFACTORY_PROMOTE_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_PROMOTE_ACCESS_TOKEN }} GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} MULTI_REPO_PROMOTE: ${{ inputs.multi-repo }}