SONARAZDO-473 Migrate from Cirrus CI to GHA #4
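name: Build

on:
  push:
    branches:
      - master
      - 'branch-*'
      - 'dogfood-on-*'
  pull_request:
  merge_group:
  workflow_dispatch:

# One run at a time per PR (keyed on the PR number) or per ref for
# push / merge_group / workflow_dispatch.
# NOTE(review): cancel-in-progress also applies to pushes on master and
# branch-*, so a quick follow-up push cancels an in-flight build/promote of
# the previous commit; restrict it to pull_request if that is not intended.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Workflow-wide defaults. A job-level `permissions` block replaces these for
# that job; check_size below narrows them because it never writes to the repo.
permissions:
  id-token: write # Required for Vault OIDC authentication
  contents: write # Required for repository access and tagging

jobs:
  build:
    runs-on: github-ubuntu-latest-s # Using custom GitHub-hosted runner for public repo
    name: Build and Test
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0 # Fetch all history for git operations
          # NOTE(review): the checkout default (persist-credentials: true) leaves
          # the contents:write token in .git/config for every later step, i.e.
          # for scripts/install.sh and all npm scripts. Keep it only if one of
          # the later steps pushes or tags through git; otherwise set it false.
      - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
        env:
          GITHUB_TOKEN: ${{ github.token }} # presumably for GitHub API rate limits during tool download — verify
        with:
          version: '2025.7.12'
      # Fetch vault secrets for build
      # NOTE(review): floating major tag, while the other actions are pinned to
      # a commit SHA. This is the step that receives the signing key and the
      # Sonar token; pin it to a SHA too so a moved tag cannot change it.
      - name: Vault
        id: secrets
        uses: SonarSource/vault-action-wrapper@v3 # v3.1.0
        with:
          secrets: |
            development/kv/data/next url | SONAR_HOST_URL;
            development/kv/data/next token | SONAR_TOKEN;
            development/kv/data/sign key | GPG_SIGNING_KEY;
            development/kv/data/sign passphrase | GPG_SIGNING_PASSPHRASE;
      # Install dependencies
      - name: Install dependencies
        run: bash scripts/install.sh
      # Validate generated ITS are up-to-date
      # NOTE(review): `git diff --exit-code` only reports changes to tracked
      # files; a generator that produces a brand-new, uncommitted file passes
      # this check silently. Consider `git add -N . && git diff --exit-code`
      # if generated output can add files.
      - name: Validate generated ITS
        run: |
          npm run generate-its
          git diff --exit-code
      # Run validation and build. Secrets are read from the Vault step output
      # and exposed only to this step's environment.
      - name: Build and validate
        env:
          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_HOST_URL }}
          GPG_SIGNING_KEY: ${{ fromJSON(steps.secrets.outputs.vault).GPG_SIGNING_KEY }}
          GPG_SIGNING_PASSPHRASE: ${{ fromJSON(steps.secrets.outputs.vault).GPG_SIGNING_PASSPHRASE }}
        run: |
          npm run validate-ci
          npm run build
          npm run sonarqube
          npm run upload

  check_size:
    runs-on: github-ubuntu-latest-s # Using custom GitHub-hosted runner for public repo
    name: Check Extension Size
    # Least privilege: this job only builds and measures the package; it does
    # no git push or tagging, so it does not need contents: write. id-token is
    # still required for the Vault OIDC login below.
    permissions:
      id-token: write
      contents: read
    env:
      MAX_FILE_SIZE_MB: 40
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false # nothing in this job writes back to the repo
      - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
        with:
          version: '2025.7.12'
      # Fetch vault secrets for build
      # NOTE(review): same floating-tag caveat as in the build job — pin to a SHA.
      - name: Vault
        id: secrets
        uses: SonarSource/vault-action-wrapper@v3 # v3.1.0
        with:
          secrets: |
            development/kv/data/next url | SONAR_HOST_URL;
            development/kv/data/next token | SONAR_TOKEN;
            development/kv/data/sign key | GPG_SIGNING_KEY;
            development/kv/data/sign passphrase | GPG_SIGNING_PASSPHRASE;
      # Install dependencies
      - name: Install dependencies
        run: bash scripts/install.sh
      # Build extensions
      - name: Build extensions
        env:
          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_HOST_URL }}
          GPG_SIGNING_KEY: ${{ fromJSON(steps.secrets.outputs.vault).GPG_SIGNING_KEY }}
          GPG_SIGNING_PASSPHRASE: ${{ fromJSON(steps.secrets.outputs.vault).GPG_SIGNING_PASSPHRASE }}
        run: npm run build
      # Check file size.
      # Fails when no .vsix was produced: the previous `du | awk | xargs`
      # pipeline reported only xargs's exit status, so a missing dist/*.vsix
      # made the step pass with nothing checked. The limit is read as a shell
      # variable from the job env instead of splicing a ${{ }} expression
      # into the script text.
      - name: Check extension file size
        run: |
          set -euo pipefail
          shopt -s nullglob
          packages=(dist/*.vsix)
          if [ "${#packages[@]}" -eq 0 ]; then
            echo "Error: no .vsix package found in dist/."
            exit 1
          fi
          for pkg in "${packages[@]}"; do
            # du -m reports whole megabytes (rounded up), as the original check did
            size_mb=$(du -m "$pkg" | awk '{print $1}')
            echo "File size: ${size_mb} MB (${pkg})"
            if [ "$size_mb" -ge "$MAX_FILE_SIZE_MB" ]; then
              echo "Error: File size exceeds limit of ${MAX_FILE_SIZE_MB} MB."
              exit 1
            fi
          done

  promote:
    # Gate promotion on the size check as well as the build; with only `build`
    # as a dependency an oversized package could still be promoted.
    needs:
      - build
      - check_size
    runs-on: github-ubuntu-latest-s # Using custom GitHub-hosted runner for public repo
    name: Promote
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
        with:
          cache_save: false
          version: '2025.7.12'
      # NOTE(review): floating major tag for the action that performs the
      # promotion with the workflow's contents: write token — pin to a SHA.
      - uses: SonarSource/ci-github-actions/promote@v1
        with:
          promote-pull-request: true # Deploy and promote PR artifacts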