
BUILD-11521: Test build-poetry with repox.dev.sonar.build #109

Closed
julien-carsique-sonarsource wants to merge 11 commits into master from feat/jcarsique/BUILD-11521-selfHostedRepox

Conversation

@julien-carsique-sonarsource (Contributor) commented:

Test PR for SonarSource/ci-github-actions#284

Uses repox-url: https://repox.dev.sonar.build on dev runners (group: sonar-dev) to verify that:

  • Artifactory reader credentials come from vault.dev.sonar.build
  • Artifactory deployer credentials come from vault.dev.sonar.build
  • Sonar platform credentials still come from vault.sonar.build (prod)

Jobs testing with dev repox: build (Poetry, deploy-pull-request=true)

Jira: https://sonarsource.atlassian.net/browse/BUILD-11521


hashicorp-vault-sonar-prod Bot commented Jun 4, 2026

BUILD-11521

gitar-bot Bot dismissed their stale review June 5, 2026 07:32

✅ All code review findings resolved.


sonarqubecloud Bot commented Jun 5, 2026


gitar-bot Bot commented Jun 5, 2026

CI failed: The build failed during the artifact upload step because the provided Artifactory token lacks the necessary write permissions for the 'sonarsource-pypi-public-qa' repository.

Overview

The build process failed during the final artifact publication to Artifactory. While the project analysis and build steps completed successfully, the deployment was rejected by the Artifactory server with a 403 Forbidden error, indicating a mismatch between the deployment token's scope and the target repository.

Failures

Artifactory Deployment Access Denied (confidence: high)

  • Type: configuration
  • Affected jobs: 79731516843
  • Related to change: yes
  • Root cause: The Vault-provided service account token (vault-sonarsource-*-python-oss-public-deployer) does not have the required permissions to deploy artifacts into the sonarsource-pypi-public-qa repository path.
  • Suggested fix: Review the Artifactory permissions assigned to the public-deployer role in Vault/Artifactory. Ensure the repository path specified in the workflow configuration matches the scope allowed for this specific service account, or update the service account's permissions to include write access for the target repository.

Summary

  • Change-related failures: 1 (deployment authorization error triggered by workflow changes)
  • Infrastructure/flaky failures: 0
  • Recommended action: Verify the Artifactory access policy for the service account used by this pipeline. If the intention is to deploy to a QA repository, ensure the CI/CD role is correctly mapped to that target in Artifactory/Vault.

Code Review ✅ Approved (2 resolved / 2 findings)

Updates CI workflow to test Poetry builds against the dev Repox instance. Resolved duplicate YAML keys in the promote step and corrected the runner assignment to ensure dev environment compatibility.

✅ 2 resolved

Bug: Invalid YAML: duplicate/misnested with: in promote step

📄 .github/workflows/build.yml:52-55
The promote step now contains a malformed block:

      - uses: SonarSource/ci-github-actions/promote@... # dogfood
        with:
          promote-pull-request: true
              with:
                repox-url: https://repox.dev.sonar.build

This is not valid YAML and will fail to parse, breaking the entire workflow. Two problems:

  1. There is a second with: key nested under the scalar value promote-pull-request: true (a scalar cannot have child mappings), and the indentation (14 spaces) does not align with any valid parent.
  2. Even if reformatted, a step may only have a single with: mapping — the repox-url must be added as an additional key under the existing with:.

The repox-url should be merged into the existing with: block of the promote step at the same indentation as promote-pull-request.

Bug: promote job targets dev repox but runs on non-dev runner

📄 .github/workflows/build.yml:16-18
📄 .github/workflows/build.yml:42
📄 .github/workflows/build.yml:53
The build job runs on runs-on: { group: sonar-dev } (lines 16-18), while the promote job runs on a plain runs-on: github-ubuntu-latest-s (line 42) with no group: sonar-dev. Both jobs point to repox-url: https://repox.dev.sonar.build (lines 31, 53). The PR description states the goal is to verify that Artifactory credentials resolve from vault.dev.sonar.build on dev runners. If repox.dev.sonar.build/vault.dev.sonar.build are only network-reachable from sonar-dev group runners, the promote job could fail to reach the dev endpoints. If the intent is to exercise dev repox in promote as well, align its runs-on with the build job (group: sonar-dev). Note: this is a DO NOT MERGE draft test PR, so this may be intentional.

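Added example (not part of the PR, the workflow, or Gitar's output): a small stdlib-only Python check that flags the two defects the finding describes, a `with:` key nested under a scalar value and a second `with:` mapping inside one step, run over the quoted malformed promote step and over its corrected form. The step-detection and indentation rules are assumptions of this hypothetical helper, not a full YAML parser; the point is that a duplicate `with:` would otherwise be silently accepted by lenient loaders, so the CI input is worth checking before it reaches the workflow engine.

```python
import re

# Constructed sample: the malformed promote step quoted in the review finding.
BROKEN_STEP = """\
      - uses: SonarSource/ci-github-actions/promote@... # dogfood
        with:
          promote-pull-request: true
              with:
                repox-url: https://repox.dev.sonar.build
"""

# Constructed sample: the requested fix, repox-url merged into the single with: block.
FIXED_STEP = """\
      - uses: SonarSource/ci-github-actions/promote@... # dogfood
        with:
          promote-pull-request: true
          repox-url: https://repox.dev.sonar.build
"""

# Matches "key:" lines, optionally starting a list item ("- key:"). Block style only.
KEY_RE = re.compile(r"^(\s*)(- )?([A-Za-z0-9_.-]+):(.*)$")


def check_step_with_blocks(yaml_text: str) -> list[tuple[int, str]]:
    """Return (line_number, message) findings for misnested or duplicate `with:` keys.
    Hypothetical helper, not a YAML parser: assumes one step per `- uses:`/`- name:` item
    and consistent space indentation, as in the workflow under review."""
    findings = []
    key_indent, with_count = None, 0   # column of the step's own keys; `with:` count there
    prev_scalar_col = None             # column of the previous `key: value` (scalar) line
    for lineno, raw in enumerate(yaml_text.splitlines(), 1):
        m = KEY_RE.match(re.sub(r"\s+#.*$", "", raw.rstrip()))  # drop trailing comments
        if not m:
            continue
        indent, dash, key, value = len(m.group(1)), m.group(2), m.group(3), m.group(4).strip()
        col = indent + 2 if dash else indent   # column where the key name starts
        if dash:                                # a new list item: start of a step
            key_indent, with_count, prev_scalar_col = col, 0, None
        # A more-indented key right after `key: value` hangs off a scalar: invalid YAML.
        if prev_scalar_col is not None and col > prev_scalar_col:
            findings.append((lineno, f"'{key}:' is nested under a scalar value"))
        if key == "with" and key_indent is not None:
            if col != key_indent:
                findings.append((lineno, "'with:' is not at the step's key indentation"))
            else:
                with_count += 1
                if with_count > 1:
                    findings.append((lineno, "duplicate 'with:' mapping in one step"))
        prev_scalar_col = col if value and value not in ("|", ">") else None
    return findings
```

Running `check_step_with_blocks` over `BROKEN_STEP` reports both problems on line 4 of the snippet, while `FIXED_STEP` comes back clean.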
