BUILD-9094 local action

CONTRIBUTE.md

@@ -119,6 +119,112 @@ the [Bash parameter expansion](https://xtranet-sonarsource.atlassian.net/wiki/sp
 
 Additional tests will be added to cover specific scenarios or edge cases, when fixing bugs (test-driven development).
 
+## Step Formatting
+
+```yaml
+    - name: Add a name to the step ONLY IF RELEVANT
+      uses: ...
+      if: ...
+      id: underscore_id_only_if_needed
+```
+
+Do not name obvious steps, for instance: checkout, vault, etc. But name a step when it deserves a description.
+
+Set an ID only if it is used.
+
+## Referring Local Actions
+
+When using local actions in an action, some fixes are necessary to ensure that the action works correctly both in the standard usage and in
+a container (see [BUILD-9094](https://sonarsource.atlassian.net/browse/BUILD-9094)).
+
+### Symlinks to Local Actions And Host Paths Variables
+
+Example of action `build-xyz` calling local action `config-xyz`:
+
+```yaml
+runs:
+  using: composite
+  steps:
+    - name: Set local action paths
+      id: set-path
+      shell: bash
+      run: |
+        echo "::group::Fix for using local actions"
+        echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"                           # For debugging purposes
+        echo "github.action_path=${{ github.action_path }}"                     # For debugging purposes
+        ACTION_PATH_BUILD_XYZ="${{ github.action_path }}"                       # For local usage instead of GITHUB_ACTION_PATH
+        echo "ACTION_PATH_BUILD_XYZ=$ACTION_PATH_BUILD_XYZ"                     # For debugging purposes
+        echo "ACTION_PATH_BUILD_XYZ=$ACTION_PATH_BUILD_XYZ" >> "$GITHUB_ENV"    # For local usage instead of GITHUB_ACTION_PATH
+        host_actions_root="$(dirname "$ACTION_PATH_BUILD_XYZ")"                 # Effective path to the local actions checkout on the host
+        echo "host_actions_root=$host_actions_root" >> "$GITHUB_OUTPUT"
+
+        mkdir -p ".actions"
+        ln -sf "$host_actions_root/config-xyz" .actions/config-xyz              # For local reference
+        ln -sf "$host_actions_root/shared" .actions/shared                      # For use in the Shell scripts
+        ls -la .actions/*                                                       # For debugging purposes
+        echo "::endgroup::"
+
+    - uses: ./.actions/config-xyz                                               # Local action reference
+      with:
+        host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}      # Only needed if the child action will use local references
+
+    - shell: bash
+      run: $ACTION_PATH_BUILD_XYZ/build.sh                                      # Use ACTION_PATH_BUILD_XYZ instead of GITHUB_ACTION_PATH
+```
+
+```shell
+#!/bin/bash
+# Example build.sh loading the common functions
+
+set -euo pipefail
+
+# shellcheck source=SCRIPTDIR/../shared/common-functions.sh
+source "$(dirname "${BASH_SOURCE[0]}")/../shared/common-functions.sh"
+```
+
+### Child Action With Local References
+
+In the case of a child action that also uses local references, `host-actions-root` input and similar fixes are necessary.
+
+```yaml
+inputs:
+  host-actions-root:
+    description: Path to the actions folder on the host (used when called from another local action)
+    default: ''
+
+runs:
+  using: composite
+  steps:
+    - name: Set local action paths
+      id: set-path
+      shell: bash
+      run: |
+        echo "::group::Fix for using local actions"
+        echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
+        echo "github.action_path=${{ github.action_path }}"
+        ACTION_PATH_CONFIG_XYZ="${{ github.action_path }}"
+        host_actions_root="${{ inputs.host-actions-root }}"
+        if [ -z "$host_actions_root" ]; then
+          host_actions_root="$(dirname "$ACTION_PATH_CONFIG_XYZ")"
+        else
+          ACTION_PATH_CONFIG_XYZ="$host_actions_root/config-xyz"
+        fi
+        echo "ACTION_PATH_CONFIG_XYZ=$ACTION_PATH_CONFIG_XYZ"
+        echo "ACTION_PATH_CONFIG_XYZ=$ACTION_PATH_CONFIG_XYZ" >> "$GITHUB_ENV"
+        echo "host_actions_root=$host_actions_root" >> "$GITHUB_OUTPUT"
+
+        mkdir -p ".actions"
+        ln -sf "$host_actions_root/another-action" .actions/another-action
+        ln -sf "$host_actions_root/shared" .actions/shared
+        ls -la .actions/*
+        echo "::endgroup::"
+
+    - uses: ./.actions/another-action
+
+    - shell: bash
+      run: $ACTION_PATH_CONFIG_XYZ/config.sh
+```
+
 ## Documentation for AI tools
 
 This repository includes a comprehensive migration guide at [cirrus-github-migration.md](.cursor/cirrus-github-migration.md) that

build-gradle/action.yml

@@ -64,6 +64,25 @@ outputs:
 runs:
   using: composite
   steps:
+    - name: Set local action paths
+      id: set-path
+      shell: bash
+      run: |
+        echo "::group::Fix for using local actions"
+        echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
+        echo "github.action_path=${{ github.action_path }}"
+        ACTION_PATH_BUILD_GRADLE="${{ github.action_path }}"
+        echo "ACTION_PATH_BUILD_GRADLE=$ACTION_PATH_BUILD_GRADLE"
+        echo "ACTION_PATH_BUILD_GRADLE=$ACTION_PATH_BUILD_GRADLE" >> "$GITHUB_ENV"
+        host_actions_root="$(dirname "$ACTION_PATH_BUILD_GRADLE")"
+        echo "host_actions_root=$host_actions_root" >> "$GITHUB_OUTPUT"
+
+        mkdir -p ".actions"
+        ln -sf "$host_actions_root/get-build-number" .actions/get-build-number
+        ln -sf "$host_actions_root/shared" .actions/shared
+        ls -la .actions/*
+        echo "::endgroup::"
+
     - name: Set build parameters
       shell: bash
       env:
@@ -74,11 +93,12 @@ runs:
       run: |
         echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV"
         echo "ARTIFACTORY_DEPLOYER_ROLE=${ARTIFACTORY_DEPLOYER_ROLE}" >> "$GITHUB_ENV"
-    - uses: SonarSource/ci-github-actions/get-build-number@v1
+    - uses: ./.actions/get-build-number
       id: get_build_number
-    - name: Vault
+      with:
+        host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
+    - uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
       id: secrets
-      uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
       with:
         # yamllint disable rule:line-length
         secrets: |
@@ -137,7 +157,7 @@ runs:
       run: |
         GRADLE_INIT_DIR="$GRADLE_USER_HOME/init.d"
         mkdir -p "$GRADLE_INIT_DIR"
-        cp "${GITHUB_ACTION_PATH}/resources/repoxAuth.init.gradle.kts" "$GRADLE_INIT_DIR/"
+        cp "$ACTION_PATH_BUILD_GRADLE/resources/repoxAuth.init.gradle.kts" "$GRADLE_INIT_DIR/"
 
     - name: Extract Develocity hostname
       id: develocity-hostname
@@ -192,7 +212,7 @@ runs:
         ORG_GRADLE_PROJECT_signingKeyId: ${{ fromJSON(steps.secrets.outputs.vault).SIGN_KEY_ID }}
         DEVELOCITY_ACCESS_KEY: ${{ inputs.use-develocity == 'true' &&
           format('{0}={1}', steps.develocity-hostname.outputs.hostname, fromJSON(steps.secrets.outputs.vault).DEVELOCITY_TOKEN) || '' }}
-      run: ${GITHUB_ACTION_PATH}/build.sh
+      run: $ACTION_PATH_BUILD_GRADLE/build.sh
 
     - name: Archive problems report
       if: always()

build-maven/action.yml

@@ -63,15 +63,29 @@ outputs:
 runs:
   using: composite
   steps:
-    - name: Set local action
+    - name: Set local action paths
+      id: set-path
       shell: bash
       run: |
+        echo "::group::Fix for using local actions"
+        echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
+        echo "github.action_path=${{ github.action_path }}"
+        ACTION_PATH_BUILD_MAVEN="${{ github.action_path }}"
+        echo "ACTION_PATH_BUILD_MAVEN=$ACTION_PATH_BUILD_MAVEN"
+        echo "ACTION_PATH_BUILD_MAVEN=$ACTION_PATH_BUILD_MAVEN" >> "$GITHUB_ENV"
+        host_actions_root="$(dirname "$ACTION_PATH_BUILD_MAVEN")"
+        echo "host_actions_root=$host_actions_root" >> "$GITHUB_OUTPUT"
+
         mkdir -p ".actions"
-        ln -s "${{github.action_path}}/../config-maven" .actions/config-maven
-        ln -s "${{github.action_path}}/../shared" .actions/shared
-    - uses: ./.actions/config-maven # TODO BUILD-9094
+        ln -sf "$host_actions_root/config-maven" .actions/config-maven
+        ln -sf "$host_actions_root/shared" .actions/shared
+        ls -la .actions/*
+        echo "::endgroup::"
+
+    - uses: ./.actions/config-maven
       id: config
       with:
+        host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
         working-directory: ${{ inputs.working-directory }}
         artifactory-reader-role: ${{ inputs.artifactory-reader-role }}
         common-mvn-flags: ${{ inputs.common-mvn-flags }}
@@ -89,10 +103,9 @@ runs:
       run: |
         echo "ARTIFACTORY_DEPLOYER_ROLE=${ARTIFACTORY_DEPLOYER_ROLE}" >> "$GITHUB_ENV"
         echo "SONARSOURCE_REPOSITORY_URL=${ARTIFACTORY_URL}/sonarsource" >> "$GITHUB_ENV"
-    - name: Vault
-      # yamllint disable rule:line-length
+    - uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
       id: secrets
-      uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
+      # yamllint disable rule:line-length
       with:
         secrets: |
           ${{ inputs.sonar-platform != 'none' && 'development/kv/data/next url | NEXT_URL;' || '' }}
@@ -132,7 +145,7 @@ runs:
         USER_MAVEN_ARGS: ${{ inputs.maven-args }}
         SONAR_SCANNER_JAVA_OPTS: ${{ inputs.scanner-java-opts }}
       working-directory: ${{ inputs.working-directory }}
-      run: ${GITHUB_ACTION_PATH}/build.sh $USER_MAVEN_ARGS
+      run: $ACTION_PATH_BUILD_MAVEN/build.sh $USER_MAVEN_ARGS
 
     - name: Cleanup Maven repository before caching
       shell: bash

build-npm/action.yml

@@ -57,6 +57,26 @@ outputs:
 runs:
   using: composite
   steps:
+    - name: Set local action paths
+      id: set-path
+      shell: bash
+      run: |
+        echo "::group::Fix for using local actions"
+        echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
+        echo "github.action_path=${{ github.action_path }}"
+        ACTION_PATH_BUILD_NPM="${{ github.action_path }}"
+        echo "ACTION_PATH_BUILD_NPM=$ACTION_PATH_BUILD_NPM"
+        echo "ACTION_PATH_BUILD_NPM=$ACTION_PATH_BUILD_NPM" >> "$GITHUB_ENV"
+        host_actions_root="$(dirname "$ACTION_PATH_BUILD_NPM")"
+        echo "host_actions_root=$host_actions_root" >> "$GITHUB_OUTPUT"
+
+        mkdir -p ".actions"
+        ln -sf "$host_actions_root/get-build-number" .actions/get-build-number
+        ln -sf "$host_actions_root/config-npm" .actions/config-npm
+        ln -sf "$host_actions_root/shared" .actions/shared
+        ls -la .actions/*
+        echo "::endgroup::"
+
     - name: Set build parameters
       shell: bash
       env:
@@ -67,28 +87,25 @@ runs:
       run: |
         echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV"
         echo "ARTIFACTORY_DEPLOYER_ROLE=${ARTIFACTORY_DEPLOYER_ROLE}" >> "$GITHUB_ENV"
-        cp ${GITHUB_ACTION_PATH}/mise.local.toml mise.local.toml
-        mkdir -p ".actions"
-        ln -s "${{github.action_path}}/../config-npm" .actions/config-npm
-        ln -s "${{github.action_path}}/../shared" .actions/shared
+        cp "$ACTION_PATH_BUILD_NPM/mise.local.toml" mise.local.toml
 
     - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
       with:
         version: 2025.7.12
 
-    - uses: ./.actions/config-npm # TODO BUILD-9094
+    - uses: ./.actions/config-npm
       id: config
       with:
+        host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
         artifactory-reader-role: ${{ env.ARTIFACTORY_READER_ROLE }}
         repox-url: ${{ inputs.repox-url }}
         repox-artifactory-url: ${{ inputs.repox-artifactory-url }}
         working-directory: ${{ inputs.working-directory }}
         cache-npm: ${{ inputs.cache-npm }}
 
-    - name: Vault
-      # yamllint disable rule:line-length
+    - uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
       id: secrets
-      uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
+      # yamllint disable rule:line-length
       with:
         secrets: |
           ${{ inputs.sonar-platform != 'none' && 'development/kv/data/next url | NEXT_URL;' || '' }}
@@ -126,7 +143,7 @@ runs:
         SQC_US_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_US_URL }}
         SQC_US_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SQC_US_TOKEN }}
       working-directory: ${{ inputs.working-directory }}
-      run: ${GITHUB_ACTION_PATH}/build.sh
+      run: $ACTION_PATH_BUILD_NPM/build.sh
 
     - name: Archive logs
       if: failure()

build-poetry/action.yml

@@ -55,6 +55,25 @@ outputs:
 runs:
   using: composite
   steps:
+    - name: Set local action paths
+      id: set-path
+      shell: bash
+      run: |
+        echo "::group::Fix for using local actions"
+        echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
+        echo "github.action_path=${{ github.action_path }}"
+        ACTION_PATH_BUILD_POETRY="${{ github.action_path }}"
+        echo "ACTION_PATH_BUILD_POETRY=$ACTION_PATH_BUILD_POETRY"
+        echo "ACTION_PATH_BUILD_POETRY=$ACTION_PATH_BUILD_POETRY" >> "$GITHUB_ENV"
+        host_actions_root="$(dirname "$ACTION_PATH_BUILD_POETRY")"
+        echo "host_actions_root=$host_actions_root" >> "$GITHUB_OUTPUT"
+
+        mkdir -p ".actions"
+        ln -sf "$host_actions_root/get-build-number" .actions/get-build-number
+        ln -sf "$host_actions_root/shared" .actions/shared
+        ls -la .actions/*
+        echo "::endgroup::"
+
     - name: Set build parameters
       shell: bash
       env:
@@ -65,9 +84,11 @@ runs:
       run: |
         echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV"
         echo "ARTIFACTORY_DEPLOYER_ROLE=${ARTIFACTORY_DEPLOYER_ROLE}" >> "$GITHUB_ENV"
-        cp ${GITHUB_ACTION_PATH}/mise.local.toml mise.local.toml
-    - uses: SonarSource/ci-github-actions/get-build-number@v1
+        cp "$ACTION_PATH_BUILD_POETRY/mise.local.toml" mise.local.toml
+    - uses: ./.actions/get-build-number
       id: get_build_number
+      with:
+        host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
     - name: Cache local Poetry cache
       uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
@@ -77,10 +98,9 @@ runs:
     - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
       with:
         version: 2025.7.12
-    - name: Vault
-      # yamllint disable rule:line-length
+    - uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
       id: secrets
-      uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
+      # yamllint disable rule:line-length
       with:
         secrets: |
           ${{ inputs.sonar-platform != 'none' && 'development/kv/data/next url | NEXT_URL;' || '' }}
@@ -124,7 +144,7 @@ runs:
         RUN_SHADOW_SCANS: ${{ inputs.run-shadow-scans }}
       run: |
         cd "${{ inputs.working-directory }}"
-        ${GITHUB_ACTION_PATH}/build.sh
+        "$ACTION_PATH_BUILD_POETRY/build.sh"
 
     - name: Generate workflow summary
       if: always()