SonarSource · tomasz-tylenda-sonarsource · Sep 29, 2025 · Sep 29, 2025
diff --git a/.cirrus.star b/.cirrus.star
diff --git a/.cirrus.yml b/.cirrus.yml
diff --git a/.github/workflows/build-windows.yml b/.github/workflows/build-windows.yml
@@ -0,0 +1,29 @@
+name: Windows Build
+on:
+  push:
+    branches:
+      - master
+      - branch-*
+      - dogfood-*
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-windows:
+    runs-on: github-windows-latest-s  # Custom GitHub-hosted Windows runner
+    name: Windows Build
+    permissions:
+      id-token: write  # Required for Vault OIDC authentication
+      contents: write  # Required for repository access
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+        with:
+          version: 2025.7.12
+      - name: Run tests
+        run: mvn test -B -e -V
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,49 @@
+name: Build
+on:
+  push:
+    branches:
+      - master
+      - branch-*
+      - dogfood-*
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: github-ubuntu-latest-s  # Custom GitHub-hosted runner for public repos
+    name: Build
+    permissions:
+      id-token: write  # Required for Vault OIDC authentication
+      contents: write  # Required for repository access and tagging
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+        with:
+          version: 2025.7.12
+      - uses: SonarSource/ci-github-actions/build-maven@v1
+        with:
+          deploy-pull-request: true
+          artifactory-reader-role: private-reader    # Override for public repo with private access
+          artifactory-deployer-role: qa-deployer     # Override for public repo with private access
+
+  promote:
+    needs: [build]
+    runs-on: github-ubuntu-latest-s  # Custom GitHub-hosted runner for public repos
+    name: Promote
+    permissions:
+      id-token: write  # Required for Vault OIDC authentication
+      contents: write  # Required for repository access and tagging
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+        with:
+          cache_save: false
+          version: 2025.7.12
+      - uses: SonarSource/ci-github-actions/promote@v1
+        with:
+          promote-pull-request: true
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -0,0 +1,49 @@
+name: Nightly
+on:
+  schedule:
+    - cron: "0 2 * * *"  # Run daily at 2 AM UTC (equivalent to nightly cron)
+  workflow_dispatch:  # Allow manual triggering
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  shadow-scan:
+    runs-on: github-ubuntu-latest-s  # Custom GitHub-hosted runner for public repos
+    name: Shadow Scan and Issue Replication (${{ matrix.platform }})
+    permissions:
+      id-token: write  # Required for Vault OIDC authentication
+      contents: write  # Required for repository access
+    strategy:
+      matrix:
+        include:
+          - platform: "sonarcloud.io"
+            shadow_host_url: "https://sonarcloud.io"
+            vault_path: "development/kv/data/sonarcloud"
+          - platform: "sonarqube.us"  
+            shadow_host_url: "https://sonarqube.us"
+            vault_path: "development/kv/data/sonarqube-us"
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
+        with:
+          version: 2025.7.12
+      - name: Vault
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@320bd31b03e5dacaac6be51bbbb15adf7caccc32 # v3.1.0
+        with:
+          secrets: |
+            development/kv/data/next token | SONAR_TOKEN;
+            development/kv/data/next url | SONAR_HOST_URL;
+            ${{ matrix.vault_path }} token | SHADOW_SONAR_TOKEN;
+      - name: Shadow Scan and Issue Replication
+        env:
+          SONAR_PROJECT_KEY: "org.sonarsource.xml:xml"
+          SHADOW_ORGANIZATION: "sonarsource"
+          SHADOW_PROJECT_KEY: "SonarSource_sonar-xml"
+          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ fromJSON(steps.secrets.outputs.vault).SONAR_HOST_URL }}
+          SHADOW_SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SHADOW_SONAR_TOKEN }}
+          SHADOW_SONAR_HOST_URL: ${{ matrix.shadow_host_url }}
+        run: ./shadow-scan-and-issue-replication.sh
diff --git a/.github/workflows/pr-cleanup.yml b/.github/workflows/pr-cleanup.yml
@@ -0,0 +1,13 @@
+name: Cleanup PR Resources
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  cleanup:
+    runs-on: github-ubuntu-latest-s  # Custom GitHub-hosted runner for public repos
+    name: Cleanup
+    permissions:
+      actions: write  # Required for cleaning up caches and artifacts
+    steps:
+      - uses: SonarSource/ci-github-actions/pr_cleanup@v1