BUILD-9765 cleanup & aligment *-gradle *-maven

Author: julien-carsique-sonarsource

README.md

@@ -288,11 +288,12 @@ See also [`config-maven`](#config-maven) input environment variables.
 
 ### Outputs
 
-| Output           | Description                                                               |
-|------------------|---------------------------------------------------------------------------|
-| `BUILD_NUMBER`   | The current build number. Also set as environment variable `BUILD_NUMBER` |
-| `deployed`       | `true` if the build succeed and was supposed to deploy                    |
-| `artifact-paths` | Newline-separated list of artifact paths for provenance attestation       |
+| Output            | Description                                                                                                   |
+|-------------------|---------------------------------------------------------------------------------------------------------------|
+| `project-version` | The project version with build number (after replacement). Also set as environment variable `PROJECT_VERSION` |
+| `BUILD_NUMBER`    | The current build number. Also set as environment variable `BUILD_NUMBER`                                     |
+| `deployed`        | `true` if the build succeed and was supposed to deploy                                                        |
+| `artifact-paths`  | Newline-separated list of artifact paths for provenance attestation                                           |
 
 ### Output Environment Variables
 
@@ -496,11 +497,11 @@ steps:
 
 ### Outputs
 
-| Output            | Description                                                                                                     |
-|-------------------|-----------------------------------------------------------------------------------------------------------------|
-| `BUILD_NUMBER`    | The current build number. Also set as environment variable `BUILD_NUMBER`                                       |
+| Output            | Description                                                                                                           |
+|-------------------|-----------------------------------------------------------------------------------------------------------------------|
+| `BUILD_NUMBER`    | The current build number. Also set as environment variable `BUILD_NUMBER`                                             |
 | `current-version` | The project version set in gradle.properties (before replacement). Also set as environment variable `CURRENT_VERSION` |
-| `project-version` | The project version with build number (after replacement). Also set as environment variable `PROJECT_VERSION`   |
+| `project-version` | The project version with build number (after replacement). Also set as environment variable `PROJECT_VERSION`         |
 
 ### Output Environment Variables
 
@@ -604,7 +605,6 @@ jobs:
 
 | Input                       | Description                                                                               | Default                                                                                     |
 |-----------------------------|-------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|
-| `public`                    | Deprecated                                                                                | Repository visibility                                                                       |
 | `artifactory-deploy-repo`   | Deployment repository                                                                     | `sonarsource-private-qa` for private repositories, `sonarsource-public-qa` for public repos |
 | `artifactory-reader-role`   | Suffix for the Artifactory reader role in Vault                                           | `private-reader` for private repos, `public-reader` for public repos                        |
 | `artifactory-deployer-role` | Suffix for the Artifactory deployer role in Vault                                         | `qa-deployer` for private repos, `public-deployer` for public repos                         |

build-gradle/action.yml

@@ -1,22 +1,15 @@
 ---
 name: Build Gradle
-description: GitHub Action to build, analyze, and deploy a Gradle project with SonarQube integration
+description: GitHub Action to build, analyze, and deploy a Gradle project
 inputs:
-  public:
-    description: Deprecated. Use `artifactory-reader-role`, `artifactory-deployer-role`, and `artifactory-deploy-repo` instead.
-    default: ${{ github.event.repository.visibility == 'public' && 'true' || 'false' }}
-  artifactory-deploy-repo:
-    description: Deployment repository. Defaults to `sonarsource-private-qa` for private repositories, and `sonarsource-public-qa` for
-      public repositories.
-    default: ''
-  artifactory-reader-role:
-    description: Suffix for the Artifactory reader role in Vault. Defaults to `private-reader` for private repositories,
-      and `public-reader` for public repositories.
-    default: ''
   artifactory-deployer-role:
     description: Suffix for the Artifactory deployer role in Vault. Defaults to `qa-deployer` for private repositories, and
       `public-deployer` for public repositories.
     default: ''
+  artifactory-deploy-repo:
+    description: Deployment repository. Defaults to `sonarsource-private-qa` for private repositories, and `sonarsource-public-qa` for
+      public repositories.
+    default: ''
   gradle-args:
     description: Additional arguments to pass to Gradle
   deploy:
@@ -28,52 +21,57 @@ inputs:
   skip-tests:
     description: Whether to skip running tests
     default: 'false'
-  use-develocity:
-    description: Whether to use Develocity for build tracking.
+  sonar-platform:
+    description: SonarQube primary platform (next, sqc-eu, sqc-us, or none). Use 'none' to skip sonar scans.
+    default: next
+  run-shadow-scans:
+    description: If true, run SonarQube analysis on all three platforms (next, sqc-eu, sqc-us).
+      If false, run analysis on the platform specified with sonar-platform.
     default: 'false'
-  develocity-url:
-    description: URL for Develocity
-    default: https://develocity.sonar.build/
+  provenance:
+    description: Whether to generate provenance attestation for built artifacts
+    default: 'false'
+  provenance-artifact-paths:
+    description: >-
+      Relative paths of the artifacts for which to generate a provenance attestation (glob pattern).
+      Default is collected from '*/build/libs/*', '*/build/distributions/*', and '*/build/reports/*'
+    default: ''
+  # Inputs passed to config-gradle
+  working-directory:
+    description: Relative path under github.workspace to execute the build in
+    default: .
+  artifactory-reader-role:
+    description: Suffix for the Artifactory reader role in Vault. Defaults to `private-reader` for private repositories, and `public-reader`
+      for public repositories.
+    default: ''
   repox-url:
     description: URL for Repox
     default: https://repox.jfrog.io
   repox-artifactory-url:
     description: URL for Repox Artifactory API (overrides repox-url/artifactory if provided)
     default: ''
-  sonar-platform:
-    description: SonarQube variant (next, sqc-eu, sqc-us, or none). Use 'none' to skip sonar scans.
-    default: next
-  working-directory:
-    description: Relative path under github.workspace to execute the build in
-    default: .
-  run-shadow-scans:
-    description: If true, run sonar scanner on all 3 platforms using the provided URL and token.
-     If false, run on the platform provided by SONAR_PLATFORM.
+  use-develocity:
+    description: Whether to use Develocity for build tracking.
     default: 'false'
+  develocity-url:
+    description: URL for Develocity
+    default: https://develocity.sonar.build/
   cache-paths:
-    description: Cache paths to use (multiline). If provided, overrides the default Gradle cache directories
+    description: Cache paths to use (multiline).
     default: |-
       ~/.gradle/caches
       ~/.gradle/wrapper
   disable-caching:
     description: Whether to disable Gradle caching entirely
     default: 'false'
-  provenance:
-    description: Whether to generate provenance attestation for built artifacts
-    default: 'false'
-  provenance-artifact-paths:
-    description: >-
-      Relative paths of the artifacts for which to generate a provenance attestation (glob pattern).
-      Default is collected from '*/build/libs/*', '*/build/distributions/*', and '*/build/reports/*'
-    default: ''
 
 outputs:
   project-version:
     description: The release version set as Gradle project version in gradle.properties
-    value: ${{ steps.config-gradle.outputs.project-version }}
+    value: ${{ steps.config.outputs.project-version }}
   BUILD_NUMBER:
     description: The build number, incremented or reused if already cached
-    value: ${{ steps.config-gradle.outputs.BUILD_NUMBER }}
+    value: ${{ steps.config.outputs.BUILD_NUMBER }}
   deployed:
     description: Whether artifacts were deployed
     value: ${{ steps.build.outputs.deployed }}
@@ -103,6 +101,19 @@ runs:
         ls -la .actions/*
         echo "::endgroup::"
 
+    - uses: ./.actions/config-gradle
+      id: config
+      with:
+        host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
+        working-directory: ${{ inputs.working-directory }}
+        artifactory-reader-role: ${{ inputs.artifactory-reader-role }}
+        repox-url: ${{ inputs.repox-url }}
+        repox-artifactory-url: ${{ inputs.repox-artifactory-url }}
+        use-develocity: ${{ inputs.use-develocity }}
+        develocity-url: ${{ inputs.develocity-url }}
+        cache-paths: ${{ inputs.cache-paths }}
+        disable-caching: ${{ inputs.disable-caching }}
+
     - name: Set build parameters
       shell: bash
       env:
@@ -128,38 +139,9 @@ runs:
           development/kv/data/sign key_id | SIGN_KEY_ID;
         # yamllint enable rule:line-length
 
-    - name: Setup environment for deployment
-      shell: bash
-      env:
-        # Deployment secrets
-        ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }}
-        ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }}
-        ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo != '' && inputs.artifactory-deploy-repo ||
-          github.event.repository.visibility == 'public' && 'sonarsource-public-qa' || 'sonarsource-private-qa' }}
-      run: |
-        echo "ARTIFACTORY_DEPLOY_USERNAME=$ARTIFACTORY_DEPLOY_USERNAME" >> "$GITHUB_ENV"
-        echo "ARTIFACTORY_DEPLOY_ACCESS_TOKEN=$ARTIFACTORY_DEPLOY_ACCESS_TOKEN" >> "$GITHUB_ENV"
-        echo "ARTIFACTORY_DEPLOY_PASSWORD=$ARTIFACTORY_DEPLOY_ACCESS_TOKEN" >> "$GITHUB_ENV"  # deprecated, backward compliance
-        echo "ARTIFACTORY_DEPLOY_REPO=${ARTIFACTORY_DEPLOY_REPO}" >> "$GITHUB_ENV"
-
-    - name: Configure Gradle
-      uses: ./.actions/config-gradle
-      id: config-gradle
-      with:
-        host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
-        working-directory: ${{ inputs.working-directory }}
-        artifactory-reader-role: ${{ inputs.artifactory-reader-role }}
-        use-develocity: ${{ inputs.use-develocity }}
-        develocity-url: ${{ inputs.develocity-url }}
-        repox-url: ${{ inputs.repox-url }}
-        repox-artifactory-url: ${{ inputs.repox-artifactory-url }}
-        cache-paths: ${{ inputs.cache-paths }}
-        disable-caching: ${{ inputs.disable-caching }}
-
     - name: Build, analyze and deploy
-      id: build
       shell: bash
-      working-directory: ${{ inputs.working-directory }}
+      id: build
       env:
         # GitHub context
         PULL_REQUEST: ${{ github.event.pull_request.number || '' }}
@@ -171,20 +153,24 @@ runs:
         DEPLOY_PULL_REQUEST: ${{ inputs.deploy-pull-request }}
         SKIP_TESTS: ${{ inputs.skip-tests }}
         GRADLE_ARGS: ${{ inputs.gradle-args }}
+        SONAR_PLATFORM: ${{ inputs.sonar-platform }}
+        RUN_SHADOW_SCANS: ${{ inputs.run-shadow-scans }}
+        ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo != '' && inputs.artifactory-deploy-repo ||
+          github.event.repository.visibility == 'public' && 'sonarsource-public-qa' || 'sonarsource-private-qa' }}
 
-        # Vault secrets - always fetch all platforms
+        # Vault secrets
+        ARTIFACTORY_DEPLOY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }}
+        ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }}
         NEXT_URL: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_URL }}
         NEXT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_TOKEN }}
-        SQC_US_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_US_URL }}
-        SQC_US_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SQC_US_TOKEN }}
         SQC_EU_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_EU_URL }}
         SQC_EU_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SQC_EU_TOKEN }}
-        SONAR_PLATFORM: ${{ inputs.sonar-platform }}
-        RUN_SHADOW_SCANS: ${{ inputs.run-shadow-scans }}
-
+        SQC_US_URL: ${{ fromJSON(steps.secrets.outputs.vault).SQC_US_URL }}
+        SQC_US_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SQC_US_TOKEN }}
         ORG_GRADLE_PROJECT_signingKey: ${{ fromJSON(steps.secrets.outputs.vault).SIGN_KEY }}
         ORG_GRADLE_PROJECT_signingPassword: ${{ fromJSON(steps.secrets.outputs.vault).PGP_PASSPHRASE }}
         ORG_GRADLE_PROJECT_signingKeyId: ${{ fromJSON(steps.secrets.outputs.vault).SIGN_KEY_ID }}
+      working-directory: ${{ inputs.working-directory }}
       run: ${GITHUB_ACTION_PATH}/build.sh
 
     - name: Archive problems report
@@ -194,6 +180,7 @@ runs:
         name: problems-report-${{ github.job }}${{ strategy.job-index }}
         path: build/reports/problems/problems-report.html
         if-no-files-found: ignore
+
     - name: Generate provenance attestation
       if: >-
         ${{ inputs.provenance == 'true' &&
@@ -209,9 +196,6 @@ runs:
     - name: Generate workflow summary
       if: always()
       shell: bash
-      env:
-        ARTIFACTORY_URL: ${{ inputs.repox-artifactory-url != '' && inputs.repox-artifactory-url ||
-          format('{0}/artifactory', inputs.repox-url) }}
       run: |
         build_name="${GITHUB_REPOSITORY#*/}"
         echo "## 🏗️ Gradle Build Summary" >> $GITHUB_STEP_SUMMARY

build-gradle/build.sh

@@ -186,8 +186,9 @@ get_build_type() {
 
 set_gradle_cmd() {
   if [[ -f "./gradlew" ]]; then
+    check_tool ./gradlew --version
     export GRADLE_CMD="./gradlew"
-  elif check_tool gradle; then
+  elif check_tool gradle --version; then
     export GRADLE_CMD="gradle"
   else
     echo "Neither ./gradlew nor gradle command found!" >&2
@@ -246,10 +247,11 @@ export_built_artifacts() {
 
   # Find all built artifacts, excluding sources/javadoc/tests JARs
   local artifacts
-  artifacts=$(/usr/bin/find . \( -path '*/build/libs/*' -o -path '*/build/distributions/*' -o -path '*/build/reports/*' \) \
-    \( -name '*.jar' -o -name '*.war' -o -name '*.ear' -o -name '*.zip' -o -name '*.tar.gz' -o -name '*.tar' -o -name '*.json' \) \
-    ! -name '*-sources.jar' ! -name '*-javadoc.jar' ! -name '*-tests.jar' \
-    -type f 2>/dev/null)
+  local path_includes=(-path '*/build/libs/*' -o -path '*/build/distributions/*' -o -path '*/build/reports/*')
+  local name_includes=(-name '*.jar' -o -name '*.war' -o -name '*.ear' -o -name '*.zip' -o -name '*.tar.gz' -o -name '*.tar')
+  name_includes+=(-o -name '*.json')
+  local name_excludes=(! -name '*-sources.jar' ! -name '*-javadoc.jar' ! -name '*-tests.jar')
+  artifacts=$(/usr/bin/find . \( "${path_includes[@]}" \) \( "${name_includes[@]}" \) "${name_excludes[@]}" -type f 2>/dev/null)
 
   # Sort and deduplicate (avoid Windows sort.exe)
   if [[ -n "$artifacts" ]]; then