SonarSource · zglicz · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -64,10 +64,33 @@ jobs:
           echo "hash=$HASH" >> $GITHUB_OUTPUT
           echo "Computed NPM hash: $HASH"
 
+  config_maven:
+    runs-on: github-ubuntu-latest-s
+    name: Configure Maven
+    needs: setup
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    permissions: *read_permissions
+    steps:
+      - *checkout
+      - &mise_java_maven
+        name: Setup Java and Maven
+        uses: jdx/[email protected]
+        with:
+          version: 2025.11.2
+          mise_toml: |
+            [tools]
+            java = "17.0"
+            maven = "3.9"
+      - name: Configure Maven
+        id: config-maven
+        uses: SonarSource/ci-github-actions/config-maven@master
+        with:
+          artifactory-reader-role: private-reader
+
   populate_maven_cache:
     runs-on: github-ubuntu-latest-m
     name: Populate Maven cache for Linux
-    needs: setup
+    needs: [setup, config_maven]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
     permissions: *read_permissions
     steps: &populate_maven_cache_steps
@@ -91,28 +114,10 @@ jobs:
             java = "17.0"
             maven = "3.9"
       - if: steps.cache.outputs.cache-hit != 'true'
-        name: Access Artifactory credentials
-        uses: SonarSource/vault-action-wrapper@v3
-        id: secrets
+        name: Configure Maven
+        uses: SonarSource/ci-github-actions/config-maven@master
         with:
-          secrets: |
-            development/artifactory/token/${{ github.repository_owner }}-${{ github.event.repository.name }}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
-            development/artifactory/token/${{ github.repository_owner }}-${{ github.event.repository.name }}-private-reader username | ARTIFACTORY_USERNAME;
-      - if: steps.cache.outputs.cache-hit != 'true'
-        name: Configure Maven settings
-        run: |
-          mkdir -p ~/.m2
-          cat > ~/.m2/settings.xml <<EOF
-          <settings>
-            <servers>
-              <server>
-                <id>sonarsource</id>
-                <username>${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME }}</username>
-                <password>${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}</password>
-              </server>
-            </servers>
-          </settings>
-          EOF
+          artifactory-reader-role: private-reader
       - if: steps.cache.outputs.cache-hit != 'true'
         name: Populate Maven dependencies
         run: |
@@ -122,7 +127,7 @@ jobs:
   populate_maven_cache_win:
     runs-on: github-windows-latest-s
     name: Populate Maven cache for Windows
-    needs: setup
+    needs: [setup, config_maven]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
     permissions: *read_permissions
     steps: *populate_maven_cache_steps