Merged
2 changes: 1 addition & 1 deletion .cirrus.yml
Expand Up @@ -116,7 +116,7 @@
ruling_script:
- source cirrus-env QA
- source set_maven_build_version $BUILD_NUMBER
- export SONAR_JAVA_VERSION="$(.cirrus/resolve-sonar-java-plugin-version.sh "${JAVA_PLUGIN_VERSION}")"
- export SONAR_JAVA_VERSION="$(.github/scripts/resolve-sonar-java-plugin-version.sh "${JAVA_PLUGIN_VERSION}")"
- echo "Using SONAR_JAVA_VERSION=${SONAR_JAVA_VERSION}"
- cd its/ruling
- mvn package --batch-mode "-Pit-ruling,$PROFILE" -Dsonar.java.version="$SONAR_JAVA_VERSION" -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=methods -DuseUnlimitedThreads=true
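Review bot: The `ruling_script` step now calls `.github/scripts/resolve-sonar-java-plugin-version.sh`, but none of the file sections shown for this change includes the script at its new path, so it is not possible to confirm from here that it was moved in the same commit and kept its executable bit. Since this Cirrus task and the new `qa` job in `.github/workflows/build.yml` both invoke it, a short comment saying the script is shared by both CI systems would keep it from being changed or removed for one without the other.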
Expand All @@ -125,7 +125,7 @@
actual_artifacts:
path: "${CIRRUS_WORKING_DIR}/its/ruling/target/actual/**/*"

promote_task:

Check warning on line 128 in .cirrus.yml

Cirrus CI / Build Parsing Results

.cirrus.yml#L128

task "promote" depends on task "sonar_shadow_scan_and_issue_replication", but their only_if conditions are different

depends_on:
- build
- sonar_shadow_scan_and_issue_replication
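Review bot: `promote_task` stays in `.cirrus.yml` with `depends_on` on `build` and `sonar_shadow_scan_and_issue_replication`, while this change also adds a `promote` job in `.github/workflows/build.yml`. Please state which CI system owns promotion during the migration so the same build is not promoted twice, and either align the `only_if` conditions flagged by the Cirrus parsing warning on line 128 or remove the Cirrus task once the GitHub job is live.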
117 changes: 117 additions & 0 deletions .github/workflows/build.yml
@@ -0,0 +1,117 @@
name: Build
on:
push:
branches:
- master
- branch-*
- dogfood-*
pull_request:
workflow_dispatch:
schedule:
- cron: "30 1 * * *" # Run daily at 1:30 AM UTC

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

jobs:
build:
name: Build
runs-on: github-ubuntu-latest-s
permissions:
id-token: write
contents: write
outputs:
build-number: ${{ steps.build-maven.outputs.BUILD_NUMBER }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0
with:
version: 2025.7.12
- uses: SonarSource/ci-github-actions/build-maven@v1
id: build-maven
with:
deploy-pull-request: true
artifactory-reader-role: private-reader # Override default public-reader
artifactory-deployer-role: qa-deployer # Override default public-deployer

qa:
needs: [build]
runs-on: github-ubuntu-latest-l
if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
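Review bot: In the `build` job, `SonarSource/ci-github-actions/build-maven@v1` is referenced by a mutable tag while `actions/checkout` and `jdx/mise-action` are pinned to commit SHAs, and this job holds `id-token: write` and `contents: write`. Pin the SonarSource action to a commit SHA as well, or add a comment saying tag pinning is accepted for first-party actions. Also, `build` has no `if:` guard like the one on `qa`, yet it runs on `pull_request` with `deploy-pull-request: true`; on a pull request from a fork the OIDC token and write scope are normally not granted, so say whether the job is expected to fail, skip deployment, or be guarded the same way.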

Review thread on the `if:` condition of the `qa` job:

Reviewer:
Is this needed?

Contributor Author:
I think it prevents QA from being executed on a fork.

Given that we maintain the runners, I think so.

Reviewer:
Maybe we could discuss it offline at some point. This should be consistent across our repos and other squads.

permissions:
id-token: write
strategy:
fail-fast: false
matrix:
item:
- { name: "with Lastest SonarJava Plugin", profile: "without-sonarqube-project", java_plugin_version: "LATEST_MASTER" }
- { name: "for SonarQube Project Only", profile: "only-sonarqube-project", java_plugin_version: "LATEST_MASTER" }
- { name: "with Prod SonarJava Plugin", profile: "without-sonarqube-project", java_plugin_version: "POM_PROPERTY" }
name: "QA Tests ${{ matrix.item.name }}"
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
submodules: recursive
- uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0
with:
working-directory: its/ruling
version: 2025.7.12
- name: Get GitHub Token for QA Licenses
id: secrets
uses: SonarSource/vault-action-wrapper@v3
with:
secrets: |
development/github/token/licenses-ro token | GITHUB_TOKEN;
- name: Configure Maven
id: configure-maven
uses: SonarSource/ci-github-actions/config-maven@v1
with:
artifactory-reader-role: private-reader # Override default public-reader
- name: Get Sonar Java plugin version
id: resolve-sonar-java-plugin-version
run: |
VERSION=$(.github/scripts/resolve-sonar-java-plugin-version.sh "${{ matrix.item.java_plugin_version }}")
echo "version=${VERSION}" >> $GITHUB_OUTPUT
- name: Run QA Tests
working-directory: its/ruling
env:
GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
MAVEN_OPTS: "-Xmx3g"
SONAR_JAVA_VERSION: ${{ steps.resolve-sonar-java-plugin-version.outputs.version }}
run: |
mvn package --batch-mode \
"-Pit-ruling,${{ matrix.item.profile }}" \
"-Dsonar.java.version=${SONAR_JAVA_VERSION}" \
"-Dorchestrator.artifactory.accessToken=${ARTIFACTORY_ACCESS_TOKEN}" \
"-Dsonar.runtimeVersion=LATEST_RELEASE" \
"-Dmaven.test.redirectTestOutputToFile=false" \
"-DbuildNumber=${BUILD_NUMBER}" \
-B -e -V \
"-Dparallel=methods" \
"-DuseUnlimitedThreads=true"
- name: Upload ruling artifacts on failure
if: failure()
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.5.0
with:
name: ruling-actual-${{ matrix.item.profile }}-${{ matrix.item.java_plugin_version }}
path: its/ruling/target/actual/**/*

promote:
name: Promote
needs: [build, qa]
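Review bot: In `Run QA Tests`, `${ARTIFACTORY_ACCESS_TOKEN}` is expanded in the `mvn` command line but is not set in that step's `env:` block, unlike `GITHUB_TOKEN`, `BUILD_NUMBER` and `SONAR_JAVA_VERSION`. If `config-maven` exports it, add a comment saying so; otherwise the property is passed empty. Passing it as `-Dorchestrator.artifactory.accessToken=...` also puts the token on the process command line, so check that nothing echoes the Maven arguments. Separately, `${{ matrix.item.java_plugin_version }}` and `${{ matrix.item.profile }}` are interpolated directly into `run:` scripts; the values are static here, but passing them through `env:` and quoting `"$GITHUB_OUTPUT"` is the safer habit. The matrix name `with Lastest SonarJava Plugin` has a typo (`Latest`), and `actions/checkout` is v5.0.0 in this job but v4.2.2 in `build` and `promote`.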

Review thread on `needs: [build, qa]` of the `promote` job:

Reviewer:
Did you consider doing build (plus night and cleanup) separately from qa?

Contributor Author:
I am not sure I understand.

Reviewer:
I meant separate PRs.

Contributor Author:
Why?

Reviewer:
I have a preference for smaller tasks, so that we could start building while we are ironing out the details of QA. We can keep it one PR if you prefer.

Contributor Author:
The PR is complete, I don't think the work needed to split it outweighs the gain.

But if you have a strong view on this, I can split it.

runs-on: github-ubuntu-latest-s
if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
permissions:
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0
with:
cache_save: false
version: 2025.7.12
- name: Promote artifacts
uses: SonarSource/ci-github-actions/promote@v1
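Review bot: The `if:` on `promote` only filters pull requests, so the job also runs for the daily `schedule` trigger and for `workflow_dispatch`; confirm that promoting nightly and manually dispatched builds is intended, or restrict the condition to `push` and same-repository pull requests. With `cancel-in-progress: true` set at workflow level, a second push to the same ref can also cancel a run while `Promote artifacts` is executing, so consider keeping `promote` out of the cancellable group.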
13 changes: 13 additions & 0 deletions .github/workflows/pr-cleanup.yml
@@ -0,0 +1,13 @@
name: Cleanup PR Resources
on:
pull_request:
types:
- closed

jobs:
cleanup:
runs-on: github-ubuntu-latest-s
permissions:
actions: write
steps:
- uses: SonarSource/ci-github-actions/pr_cleanup@v1
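Review bot: The `cleanup` job requests `actions: write` on the `pull_request` `closed` event, but for pull requests opened from forks the token is normally read-only regardless of the `permissions:` block, so the cleanup step would not be able to delete anything there. Either add the same-repository condition used on `qa` and `promote` in `build.yml` so the job is skipped cleanly, or document that fork pull requests leave nothing to clean. `SonarSource/ci-github-actions/pr_cleanup@v1` is also referenced by tag, unlike the SHA-pinned third-party actions in `build.yml`.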
2 changes: 2 additions & 0 deletions its/ruling/mise.toml
@@ -0,0 +1,2 @@
[tools]
java = "17.0"
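Review bot: This file sets only `java = "17.0"`, while the `Run QA Tests` step runs `mvn` with `working-directory: its/ruling`, so Maven presumably comes from the root `mise.toml` through mise's parent-directory lookup. Add a comment saying that, and why the ruling tests need Java 17 when the root file selects Java 23, so the difference is not removed later by accident.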
3 changes: 3 additions & 0 deletions mise.toml
@@ -0,0 +1,3 @@
[tools]
java = "23"
maven = "3.9"
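Review bot: `java = "23"` and `maven = "3.9"` are version prefixes, so the resolved patch release can change between runs even though the workflows pin mise itself to `2025.7.12` and the third-party actions to commit SHAs. Pin full versions here (and in `its/ruling/mise.toml`), or add a comment that floating patch releases are accepted for the build toolchain.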