BUILD-9877 Rework config-pip action

- Fix usage of overridden HOME directory in tests
- Add caching and working-directory parameter
- Configure build-number

Author: matemoln

README.md

@@ -24,6 +24,7 @@ for details on how to use it.
 - [`config-npm`](#config-npm)
 - [`build-npm`](#build-npm)
 - [`build-yarn`](#build-yarn)
+- [`config-pip`](#config-pip)
 - [`promote`](#promote)
 - [`pr_cleanup`](#pr_cleanup)
 - [`cache`](#cache)
@@ -1058,6 +1059,107 @@ jobs:
 - Support for different branch types (default, maintenance, PR, dogfood, long-lived feature)
 - Comprehensive build logging and error handling
 
+## `config-pip`
+
+Configure pip build environment with build number, authentication, and default settings.
+
+This action configures pip to pull packages from the internal JFrog Artifactory registry instead of the default PyPI.
+
+> **Note:** This action automatically calls [`get-build-number`](#get-build-number) to manage the build number.
+> **Note:** This action replaces the deprecated `configure-pipx-repox` action from `sonarqube-cloud-github-actions` repository.
+
+### Requirements
+
+#### Required GitHub Permissions
+
+- `id-token: write`
+- `contents: read`
+
+#### Required Vault Permissions
+
+- `public-reader` or `private-reader`: Artifactory role for reading dependencies.
+
+### Usage
+
+```yaml
+permissions:
+  id-token: write
+  contents: read
+steps:
+  - uses: actions/checkout@v5
+  - uses: actions/setup-python@v5
+    with:
+      python-version: 3.12
+  - uses: SonarSource/ci-github-actions/config-pip@v1
+  - run: pip install pipenv
+```
+
+### With Custom Artifactory Reader Role
+
+```yaml
+steps:
+  - uses: SonarSource/ci-github-actions/config-pip@v1
+    with:
+      artifactory-reader-role: custom-reader
+```
+
+### With Working Directory and Caching Options
+
+```yaml
+steps:
+  - uses: SonarSource/ci-github-actions/config-pip@v1
+    with:
+      working-directory: ./python-project
+      disable-caching: false
+```
+
+### Inputs
+
+| Input                     | Description                                                                 | Default                                                              |
+|---------------------------|-----------------------------------------------------------------------------|----------------------------------------------------------------------|
+| `working-directory`       | Relative path under github.workspace to execute the build in                | `.`                                                                  |
+| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault                             | `private-reader` for private repos, `public-reader` for public repos |
+| `repox-url`               | URL for Repox                                                               | `https://repox.jfrog.io`                                             |
+| `repox-artifactory-url`   | URL for Repox Artifactory API (overrides repox-url/artifactory if provided) | (optional)                                                           |
+| `cache-paths`             | Cache paths to use (multiline)                                              | `~/.cache/pip`                                                       |
+| `disable-caching`         | Whether to disable pip caching entirely                                     | `false`                                                              |
+
+### Outputs
+
+| Output         | Description                                                               |
+|----------------|---------------------------------------------------------------------------|
+| `BUILD_NUMBER` | The current build number. Also set as environment variable `BUILD_NUMBER` |
+
+### Output Environment Variables
+
+| Environment Variable | Description              |
+|----------------------|--------------------------|
+| `BUILD_NUMBER`       | The current build number |
+
+See also [`get-build-number`](#get-build-number) output environment variables.
+
+### Features
+
+- Build number management via [`get-build-number`](#get-build-number)
+- Automatic Artifactory authentication via Vault
+- Auto-detection of reader role based on repository visibility
+- Pip dependency caching with customization options
+- Global pip configuration for all subsequent `pip install` commands
+
+### Migration from configure-pipx-repox
+
+If you're currently using `SonarSource/sonarqube-cloud-github-actions/configure-pipx-repox@master`, you can replace it with:
+
+```yaml
+# Old
+- uses: SonarSource/sonarqube-cloud-github-actions/configure-pipx-repox@master
+
+# New
+- uses: SonarSource/ci-github-actions/config-pip@v1
+```
+
+Both actions produce the same configuration and are functionally equivalent.
+
 ## `promote`
 
 This action promotes a build in JFrog Artifactory and updates the GitHub status check accordingly.

config-pip/README.md

@@ -1,7 +1,10 @@
 ---
 name: Config Pip
-description: GitHub Action to configure pip build environment with authentication for Artifactory
+description: GitHub Action to configure pip build environment with build number, authentication, and default settings
 inputs:
+  working-directory:
+    description: Relative path under github.workspace to execute the build in
+    default: .
   artifactory-reader-role:
     description:
       Suffix for the Artifactory reader role in Vault. Defaults to `private-reader` for private repositories, and `public-reader`
@@ -13,31 +16,54 @@ inputs:
   repox-artifactory-url:
     description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided)
     default: ''
+  cache-paths:
+    description: Cache paths to use (multiline).
+    default: ~/.cache/pip
+  disable-caching:
+    description: Whether to disable pip caching entirely
+    default: 'false'
   host-actions-root:
     description: Path to the actions folder on the host (used when called from another local action)
     default: ''
 
+outputs:
+  BUILD_NUMBER:
+    description: The current build number. Also set as environment variable BUILD_NUMBER
+    value: ${{ steps.get-build-number.outputs.BUILD_NUMBER }}
+
 runs:
   using: composite
   steps:
     - name: Set local action paths
       id: set-path
       shell: bash
       run: |
-        echo "::group::Set local action paths"
+        echo "::group::Fix for using local actions"
         echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
         echo "github.action_path=${{ github.action_path }}"
-
         ACTION_PATH_CONFIG_PIP="${{ github.action_path }}"
-        HOST_ACTIONS_ROOT="${{ inputs.host-actions-root }}"
-        if [ -n "$HOST_ACTIONS_ROOT" ]; then
-          ACTION_PATH_CONFIG_PIP="$HOST_ACTIONS_ROOT/config-pip"
+        host_actions_root="${{ inputs.host-actions-root }}"
+        if [ -z "$host_actions_root" ]; then
+          host_actions_root="$(dirname "$ACTION_PATH_CONFIG_PIP")"
+        else
+          ACTION_PATH_CONFIG_PIP="$host_actions_root/config-pip"
         fi
-
         echo "ACTION_PATH_CONFIG_PIP=$ACTION_PATH_CONFIG_PIP"
         echo "ACTION_PATH_CONFIG_PIP=$ACTION_PATH_CONFIG_PIP" >> "$GITHUB_ENV"
+        echo "host_actions_root=$host_actions_root" >> "$GITHUB_OUTPUT"
+
+        mkdir -p ".actions"
+        ln -sf "$host_actions_root/get-build-number" .actions/get-build-number
+        ln -sf "$host_actions_root/cache" .actions/cache
+        ln -sf "$host_actions_root/shared" .actions/shared
+        ls -la .actions/*
         echo "::endgroup::"
 
+    - uses: ./.actions/get-build-number
+      id: get-build-number
+      with:
+        host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
+
     - name: Set Artifactory reader role
       shell: bash
       env:
@@ -59,6 +85,7 @@ runs:
     - name: Run pip configuration script
       id: config
       shell: bash
+      working-directory: ${{ inputs.working-directory }}
       env:
         # Use custom Artifactory URL if provided, otherwise construct from repox-url
         ARTIFACTORY_URL:
@@ -67,3 +94,13 @@ runs:
         ARTIFACTORY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME }}
         ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
       run: $ACTION_PATH_CONFIG_PIP/config.sh
+
+    - name: Cache pip dependencies
+      uses: ./.actions/cache
+      if: inputs.disable-caching == 'false'
+      with:
+        path: ${{ inputs.cache-paths }}
+        key: pip-${{ runner.os }}-${{ github.workflow }}-${{ hashFiles(format('{0}/requirements*.txt', inputs.working-directory),
+          format('{0}/Pipfile.lock', inputs.working-directory), format('{0}/poetry.lock', inputs.working-directory),
+          format('{0}/pyproject.toml', inputs.working-directory)) }}
+        restore-keys: pip-${{ runner.os }}-${{ github.workflow }}-

config-pip/action.yml

@@ -38,7 +38,7 @@ configure_pip() {
   echo "Repox host: $repox_host"
 
   # Create pip config directory
-  mkdir -p ~/.pip
+  mkdir -p "$HOME/.pip"
 
   # Write pip configuration with Artifactory credentials
   cat > ~/.pip/pip.conf <<EOF

config-pip/config.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
 LANG=
-shellspec --kcov spec "$@"
+shellspec --kcov spec "$@" --shell bash