Conversation
Ruling Report✅ No changes to ruling expected issues in this PR |
d234a88 to
546fd7d
Compare
|
a363064 to
e32820f
Compare
e32820f to
e6956d4
Compare
README Freshness Check❌ The rules README is out of date. A fix PR has been created: #6829 Please review and merge it into your branch. |
e6956d4 to
9012a41
Compare
Co-authored-by: Hedi Nasr <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Hedi Nasr <[email protected]>
Co-authored-by: Hedi Nasr <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Hedi Nasr <[email protected]>
098feb4 to
b5f7b97
Compare
Co-authored-by: Hedi Nasr <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Hedi Nasr <[email protected]>
06803e3 to
965c2b8
Compare
965c2b8 to
3d12462
Compare
3d12462 to
396b422
Compare
|
@copilot resolve the merge conflicts in this pull request |
SummaryThis PR migrates SonarJS workflows from GitHub-hosted runners to SonarSource self-hosted runners and improves npm registry handling on self-hosted runners. Runner changes: Replaces
npm registry routing: Self-hosted runners block direct npmjs access. All workflows now use Code improvement: What reviewers should knowWhere to start: Review workflow changes by category:
Non-obvious decisions:
Gotchas:
|
| function node() { | ||
| echo "node is disabled" | ||
| exit 0 | ||
| } | ||
| export -f node | ||
|
|
||
| node |
There was a problem hiding this comment.
The bash function override does not disable node for subsequent steps. In GitHub Actions, each step spawns a fresh shell process — export -f node only propagates to child processes launched from this step's shell, not to the next step. The Run Plugin QA without Node step at line 793 will run with the real node binary fully accessible, making this job's constraint meaningless.
The old sudo mv approach worked because it modified the filesystem (persisting across steps). Options for self-hosted runners without sudo:
- Use
PATHmanipulation: prepend a directory with a fakenodewrapper that errors out, then persist it via$GITHUB_PATH - Or simply accept that these runners have node available and rely on the test itself to verify no-node behaviour
| function node() { | |
| echo "node is disabled" | |
| exit 0 | |
| } | |
| export -f node | |
| node | |
| # Prepend a fake 'node' shim that the QA step will see | |
| mkdir -p "$RUNNER_TEMP/no-node" | |
| printf '#!/bin/sh\necho "node is disabled" >&2\nexit 1\n' > "$RUNNER_TEMP/no-node/node" | |
| chmod +x "$RUNNER_TEMP/no-node/node" | |
| echo "$RUNNER_TEMP/no-node" >> "$GITHUB_PATH" | |
| # Verify shim is active | |
| if node --version 2>/dev/null; then | |
| echo "ERROR: node is still accessible!" | |
| exit 1 | |
| else | |
| echo "SUCCESS: node is no longer accessible" | |
| fi |
- Mark as noise
Co-authored-by: sonar-review-alpha[bot] <266116024+sonar-review-alpha[bot]@users.noreply.github.com>
Co-authored-by: sonar-review-alpha[bot] <266116024+sonar-review-alpha[bot]@users.noreply.github.com>
There was a problem hiding this comment.
LGTM! ✅
The previously flagged issue — export -f node not persisting across steps — remains unresolved in this PR. The plugin_qa_without_node job still uses the bash function override approach, which only affects the current step's shell, not subsequent steps where the actual QA runs.
|





BUILD-10993: Migrate SonarJS to sonar-m-docker and sonar-*-public runners
Replace
github-ubuntu-latest-s/github-ubuntu-latest-mrunners with SonarSource self-hosted runners across all workflows.Runner mapping
sonar-m-docker— Docker image build jobs (docker-a3s.yml,docker-a3s-repox.yml) and all Linux CI jobs inbuild.yml(unit tests, QA, ruling, etc.)sonar-xs-public— lightweight jobs: PR/review event workflows (PullRequestCreated,PullRequestClosed,RequestReview,SubmitReview),bump-versions,dogfood,release_eslint_plugin,update-eslint-plugin-changelognpm registry routing
Self-hosted runners block direct npmjs access. The manual "Configure npm registry" step and
ARTIFACTORY_ACCESS_TOKENvault secret have been replaced bySonarSource/ci-github-actions/config-npm@v1, which handles Repox routing automatically.Notes
populate_npm_cache_winstays ongithub-windows-latest-s(Windows runner, unchanged)automated-release.yml: therunner-environmentfield is a workflow call input passed toSonarSource/release-github-actions, not aruns-onlabel — intentionally left unchangedPart of the Milestone 5 effort tracked under BUILD-10864.