BUILD-9723 fix public & private artifacts deployment

julien-carsique-sonarsource · sonartech · commit 733c141e1a86 · 2025-11-14T13:33:07.000Z
GitOrigin-RevId: a5d4d1c821845ffeedc29d089899dd441a731770
diff --git a/.github-commons/actions/analyze/action.yml b/.github-commons/actions/analyze/action.yml
@@ -7,9 +7,6 @@ inputs:
   sonar-project-key:
     description: 'SonarQube project key'
     required: true
-  build-number:
-    description: 'Build number for analysis'
-    required: true
 
 runs:
   using: 'composite'
@@ -53,10 +50,9 @@ runs:
         SONAR_TOKEN: ${{ fromJson(steps.secrets.outputs.vault).SONAR_TOKEN }}
         SONAR_HOST_URL: ${{ steps.sonar-config.outputs.sonar_host_url }}
         SONAR_PROJECT_KEY: ${{ inputs.sonar-project-key }}
-        BUILD_NUMBER: ${{ inputs.build-number }}
         GIT_SHA1: ${{ github.sha }}
         GITHUB_REPO: ${{ github.repository }}
         GITHUB_BRANCH: ${{ github.head_ref || github.ref_name }}
         GITHUB_BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
         PULL_REQUEST: ${{ github.event.pull_request.number || 'false' }}
-        PIPELINE_ID: ${{ inputs.build-number }}
+        PIPELINE_ID: ${{ env.BUILD_NUMBER }}
diff --git a/.github/actions/build-sonar-python/action.yml b/.github/actions/build-sonar-python/action.yml
@@ -1,51 +1,41 @@
 name: 'Build Sonar Python'
 description: 'Build both public and private modules of sonar-python'
-outputs:
-  build-number:
-    description: 'The build number used'
-    value: ${{ steps.config.outputs.build-number }}
+
 runs:
   using: 'composite'
   steps:
     - name: Configure sonar-python project
       uses: ./.github/actions/config-sonar-python
-      id: config
-      with:
-        build-number: ${{ inputs.build-number }}
 
-    - name: Build public module with maven
-      uses: SonarSource/ci-github-actions/build-maven@7fea21c7155e8f0d5d429c1af625d851a6fadc3d # master, 13.10.2025
+    - name: Build public and private modules
+      uses: SonarSource/ci-github-actions/build-maven@f1d7e9107578478801454495c63078f85f9f5615 # 1.2.1-BUILD-9723
+      id: build
       with:
-        artifactory-deploy-repo: "sonarsource-public-qa"
-        maven-args: "-DskipTests=true -Dsonar.skip=true -P-typeshed_serializer"
+        artifactory-deploy-repo: 'sonarsource-public-qa'
+        maven-args: '-DskipTests=true -Dsonar.skip=true -P-typeshed_serializer -Dartifactory.publish.artifacts=false'
         deploy-pull-request: true
         sonar-platform: none
+        cache-cleanup: false
+
+    - uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # 3.1.0
+      id: secrets
+      with:
+        secrets: |
+          development/artifactory/token/{REPO_OWNER_NAME_DASH}-public-deployer access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;
+          development/artifactory/token/{REPO_OWNER_NAME_DASH}-qa-deployer access_token | ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN;
+    - name: Artifacts upload
+      shell: bash
       env:
-        IS_COMMUNITY: true
-        BUILD_NUMBER: ${{ steps.config.outputs.build-number }}
+        ARTIFACTORY_DEPLOY_REPO: 'sonarsource-public-qa'
+        ARTIFACTORY_PRIVATE_DEPLOY_REPO: 'sonarsource-private-qa'
+        ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }}
+        ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN }}
+        INSTALLED_ARTIFACTS: ${{ steps.build.outputs.installed-artifacts }}
+      run: ${GITHUB_ACTION_PATH}/deploy-artifacts.sh
 
-    - name: Remove .actions folder and make repository shallow for next steps
+    - name: Cleanup Maven repository before caching
       shell: bash
       run: |
-        echo "Making repository shallow"
-        # BUILD-9065 will fix this, making this step redundant
-        # git pull fails because we're not on a branch, but it still makes the repo shallow again
-        git pull --depth 1 || true
-
-        # This step is needed because build-maven removes the .m2 folder, removing the built jar files of the public modules. 
-        # This re-builds the public modules so the private modules will find them. 
-        # See BUILD-9394 for details
-        echo "Build public module with maven as build-maven cleans up after itself"
-        IS_COMMUNITY=true mvn install -DskipTests -DskipTypeshed
-
-    - name: Build private module with maven
-      uses: SonarSource/ci-github-actions/build-maven@7fea21c7155e8f0d5d429c1af625d851a6fadc3d # master, 13.10.2025 
-      with:
-        artifactory-deploy-repo: "sonarsource-private-qa"
-        maven-args: "-DskipTests=true -Dsonar.skip=true -P-typeshed_serializer"
-        deploy-pull-request: true
-        working-directory: private
-        sonar-platform: none
-      env:
-        BUILD_NUMBER: ${{ steps.config.outputs.build-number }}
-        MAVEN_ARGS: "-Dsonar.skip=true"
+        rm -rf "$MAVEN_CONFIG/repository/org/sonarsource/"
+        rm -rf "$MAVEN_CONFIG/repository/com/sonarsource/"
+        /usr/bin/find "$MAVEN_CONFIG/repository" -name resolver-status.properties -delete
diff --git a/.github/actions/build-sonar-python/deploy-artifacts.sh b/.github/actions/build-sonar-python/deploy-artifacts.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# Deploy to public and private Artifactory repositories using JFrog CLI
+#
+# Required environment variables:
+# - ARTIFACTORY_URL: URL to Artifactory repository. Set by 'build-maven'.
+# - ARTIFACTORY_DEPLOY_REPO: Repository to deploy public artifacts.
+# - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: Access token to deploy to public repository.
+# - ARTIFACTORY_PRIVATE_DEPLOY_REPO: Repository to deploy private artifacts
+# - ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN: Access token to deploy to private repository
+# - INSTALLED_ARTIFACTS: Artifacts produced by Maven and installed in the local repository.
+# - MAVEN_CONFIG: Path to the Maven configuration directory (typically $HOME/.m2). Set by 'build-maven'.
+
+set -euo pipefail
+
+: "${ARTIFACTORY_URL:?}" "${INSTALLED_ARTIFACTS:?}" "${MAVEN_CONFIG:?}"
+: "${ARTIFACTORY_DEPLOY_REPO:?}" "${ARTIFACTORY_DEPLOY_ACCESS_TOKEN:?}"
+: "${ARTIFACTORY_PRIVATE_DEPLOY_REPO:?}" "${ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN:?}"
+
+public_artifacts=()
+private_artifacts=()
+for artifact in $INSTALLED_ARTIFACTS; do
+  if [[ $artifact == "org/"* ]]; then
+    public_artifacts+=("$artifact")
+  elif [[ $artifact == "com/"* ]]; then
+    private_artifacts+=("$artifact")
+  else
+    echo "WARN: Unrecognized artifact path: $artifact" >&2
+  fi
+done
+
+# TODO BUILD-9723 review this function
+extract_module_names() {
+  artifact=$1
+  module=$(echo "$artifact" | sed -E "s,^([^/]+/[^/]+/([^/]+))/([^/]+)/(([0-9].)+[0-9]+)/.*$,\1:\3:\4," | sed "s,/,.,g")
+  echo "$module"
+}
+
+build_name="${GITHUB_REPOSITORY#*/}"
+pushd "$MAVEN_CONFIG/repository"
+jfrog config add deploy --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_DEPLOY_ACCESS_TOKEN"
+jfrog config use deploy
+echo "Deploying public artifacts..."
+for artifact in "${public_artifacts[@]}"; do
+  module=$(extract_module_names "$artifact")
+  jfrog rt u --module "$module" --build-name "$build_name" --build-number "$BUILD_NUMBER" "$artifact" "${ARTIFACTORY_DEPLOY_REPO}"
+done
+echo "Deploying private artifacts..."
+jfrog config edit deploy --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN"
+for artifact in "${private_artifacts[@]}"; do
+  module=$(extract_module_names "$artifact")
+  jfrog rt u --module "$module" --build-name "$build_name" --build-number "$BUILD_NUMBER" "$artifact" "${ARTIFACTORY_PRIVATE_DEPLOY_REPO}"
+done
+popd
diff --git a/.github/actions/config-sonar-python/action.yml b/.github/actions/config-sonar-python/action.yml
@@ -1,23 +1,11 @@
 name: 'Config Sonar Python'
 description: 'Configure maven and update versions for sonar-python project'
-inputs:
-  build-number:
-    description: 'Build number to use for versioning. If not provided, will use the build number from config-maven action'
-    required: false
 
-outputs:
-  build-number:
-    description: 'The build number used'
-    value: ${{ steps.mvn-config.outputs.BUILD_NUMBER}}
-    
 runs:
   using: 'composite'
   steps:
     - name: Configure private maven projects
       uses: SonarSource/ci-github-actions/config-maven@1.1.2
-      id: mvn-config
-      env:
-        BUILD_NUMBER: ${{ inputs.build-number }}
 
     - name: Update versions of public modules
       shell: bash
@@ -27,5 +15,3 @@ runs:
         # See BUILD-9394 for details 
         cd private
         bash ${GITHUB_ACTION_PATH}/set_maven_version.sh
-      env:
-        BUILD_NUMBER: ${{ inputs.build-number || steps.mvn-config.outputs.BUILD_NUMBER }}
diff --git a/pom.xml b/pom.xml
@@ -76,7 +76,7 @@
     <sonar.pluginClass>org.sonar.plugins.python.PythonPlugin</sonar.pluginClass>
     <sonar.pluginName>Python</sonar.pluginName>
     <!-- Used as the build name when deployed to Artifactory -->
-    <gitRepositoryName>sonar-python</gitRepositoryName>
+    <gitRepositoryName>sonar-python-enterprise</gitRepositoryName>
     <!-- Release: enable publication to Bintray -->
     <artifactsToPublish>${project.groupId}:sonar-python-plugin:jar</artifactsToPublish>
     <!-- we depend on API ${sonar.version} but we keep backward compatibility with LTS -->
