
SONARPHP-1775 Update and simplify build workflow #592

SONARPHP-1775 Update and simplify build workflow



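# Build / QA / promote pipeline.
# Every job after `build` fans out from it; `promote` waits for all QA jobs and
# `notify` posts to Slack only when a main/master or branch-* run fails.
# Third-party actions are pinned to commit SHAs; SonarSource's own actions are
# referenced by floating major tags (@v1/@v3), so their integrity rests on
# org-level control of those tags.
name: Build
on:
  push:
    branches:
      - master
      - branch-*
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: '0 17 * * *'

# One run per PR (or per ref outside PRs). In-flight runs are cancelled except
# on the default branch, so a default-branch build is never aborted by a newer push.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}

jobs:
  build:
    runs-on: sonar-m-public
    name: Build
    # NOTE(review): id-token + contents: write are granted to every job below,
    # including the test-only QA jobs. Confirm build-gradle@v1 really needs
    # contents: write there; otherwise narrow those jobs to read.
    permissions:
      id-token: write
      contents: write
    steps:
      # The three anchored steps are reused by the other build/QA jobs via aliases.
      - &checkout-simple
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
      - &mise-install
        uses: jdx/mise-action@9dc7d5dd454262207dea3ab5a06a3df6afc8ff26 # v3.4.1
        with:
          version: "2025.7.12"  # quoted so the tool version always stays a string
      - &checkout-build-logic
        name: Checkout build logic
        run: |
          git submodule update --init --depth 1 -- build-logic/common
      - uses: SonarSource/ci-github-actions/build-gradle@v1
        with:
          deploy-pull-request: true
          skip-tests: true
          # There might be a warning: Warning: Failed to fetch short-lived token for Develocity
          # it will be addressed in BUILD-8926
          use-develocity: true
          # `>-` folds the args onto one line without a trailing newline.
          gradle-args: >-
            --parallel
            -x sonar

  build_test_analyze:
    needs: [build]
    runs-on: sonar-m-public
    name: Build Test Analyze
    permissions:
      id-token: write
      contents: write
    steps:
      - *checkout-simple
      - *mise-install
      - *checkout-build-logic
      - uses: SonarSource/ci-github-actions/build-gradle@v1
        with:
          deploy-pull-request: false
          skip-tests: false
          use-develocity: true
          gradle-args: >-
            --parallel
            -x artifactoryPublish
      - name: Upload test results
        if: always() && ! cancelled()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: test-results
          path: '**/test-results/**/*.xml'

  qa_os_win:
    needs: [build]
    runs-on: github-windows-latest-s
    name: QA OS Windows
    # Shared by every QA job (aliased as *skip-qa-jobs below). Intent: skip QA on
    # PRs that only touch rule metadata and docs.
    # NOTE(review): as written this most likely never skips anything —
    # github.event.pull_request.changed_files is the *count* of changed files in
    # the pull_request payload, not a list of paths, and contains() does no glob
    # matching, so the negated clause evaluates to true. Failing open (always
    # running QA) is the safe direction; a real docs-only skip needs a
    # dedicated path-filter step.
    if: &skip-qa-jobs >-
      !(github.event_name == 'pull_request' &&
      contains(github.event.pull_request.changed_files, '**/src/main/resources/org/sonar/l10n/*/rules/**') &&
      contains(github.event.pull_request.changed_files, '**/src/main/resources/com/sonar/l10n/*/rules/**') &&
      contains(github.event.pull_request.changed_files, '**sonarpedia.json') &&
      contains(github.event.pull_request.changed_files, '**.md'))
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Configure git
        # Without this, on Windows, git will check out files with CRLF endings, which will cause PhpTestFileTest to fail
        run: |
          git config --global core.autocrlf false
          git config --global core.eol lf
      - *checkout-simple
      - *mise-install
      - *checkout-build-logic
      - uses: SonarSource/ci-github-actions/build-gradle@v1
        with:
          deploy-pull-request: false
          skip-tests: false
          use-develocity: true
          gradle-args: >-
            --parallel
            -x artifactoryPublish
            -x sonar
      - name: Upload test results
        if: always() && ! cancelled()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: qa-os-win-test-results
          path: '**/test-results/**/*.xml'
      - name: Upload reports
        if: always() && ! cancelled()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: qa-os-win-reports
          path: '**/build/reports/**/*'

  qa_plugin:
    needs: [build]
    runs-on: sonar-m-public
    name: QA Plugin
    if: *skip-qa-jobs
    permissions:
      id-token: write
      contents: write
    strategy:
      matrix:
        SQ_VERSION: [LATEST_RELEASE, DEV]
    steps:
      # The anchored steps below are reused by qa_ruling and qa_pr_analysis.
      - &checkout-submodules
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          submodules: true
      - *mise-install
      - &setup-orchestrator-home
        name: Setup Orchestrator Home
        # NOTE(review): TODAY is not set anywhere in this workflow; presumably
        # provided by the runner image — confirm. An empty TODAY would collapse
        # the cache key below to a single shared entry.
        run: |
          echo "ORCHESTRATOR_HOME=${GITHUB_WORKSPACE}/orchestrator/${TODAY}" >> "$GITHUB_ENV"
          mkdir -p "${GITHUB_WORKSPACE}/orchestrator/${TODAY}"
      - &cache-orchestrator
        name: Cache Orchestrator
        uses: SonarSource/ci-github-actions/cache@v1
        with:
          path: ${{ env.ORCHESTRATOR_HOME }}
          key: orchestrator-${{ env.TODAY }}
          enableCrossOsArchive: true
      - &orchestrator-tokens
        uses: SonarSource/vault-action-wrapper@v3
        id: secrets
        with:
          secrets: |
            development/artifactory/token/{REPO_OWNER_NAME_DASH}-public-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
            development/github/token/licenses-ro token | GITHUB_TOKEN;
      - name: Run QA Plugin Tests
        uses: SonarSource/ci-github-actions/build-gradle@v1
        env:
          ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
          KEEP_ORCHESTRATOR_RUNNING: "true"
        with:
          deploy-pull-request: false
          skip-tests: false
          use-develocity: true
          gradle-args: >-
            :its:plugin:integrationTest
            -Dsonar.runtimeVersion=${{ matrix.SQ_VERSION }}
            -x sonar
            -x artifactoryPublish
      - name: Upload test results
        if: always() && ! cancelled()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: qa-plugin-test-results-${{ matrix.SQ_VERSION }}
          path: '**/test-results/**/*.xml'
      - name: Upload reports
        if: always() && ! cancelled()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: qa-plugin-reports-${{ matrix.SQ_VERSION }}
          path: '**/build/reports/**/*'

  qa_ruling:
    needs: [build]
    runs-on: sonar-l-public
    name: QA Ruling
    if: *skip-qa-jobs
    permissions:
      id-token: write
      contents: write
    strategy:
      matrix:
        PHP_PROJECT: [Flysystem, Monica, PhpCodeSniffer, PhpMailer, Psysh, PhpWord, RubixML, PhpSpreadsheet]
    steps:
      - *checkout-submodules
      - *mise-install
      - *setup-orchestrator-home
      - *cache-orchestrator
      - *orchestrator-tokens
      - name: Run QA Ruling Tests
        uses: SonarSource/ci-github-actions/build-gradle@v1
        env:
          ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
          KEEP_ORCHESTRATOR_RUNNING: "true"
          PHP_PROJECT: ${{ matrix.PHP_PROJECT }}
        with:
          deploy-pull-request: false
          skip-tests: false
          use-develocity: true
          gradle-args: >-
            its:ruling:integrationTest
            -Dsonar.runtimeVersion=LATEST_RELEASE
            --tests "PhpGeneralRulingTest.test${PHP_PROJECT}"
            -x sonar
            -x artifactoryPublish
      - name: Upload test results
        if: always() && ! cancelled()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: qa-ruling-test-results-${{ matrix.PHP_PROJECT }}
          path: '**/test-results/**/*.xml'
      - name: Upload reports
        if: always() && ! cancelled()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: qa-ruling-reports-${{ matrix.PHP_PROJECT }}
          path: '**/build/reports/**/*'

  qa_pr_analysis:
    needs: [build]
    runs-on: sonar-m-public
    name: QA PR Analysis
    if: *skip-qa-jobs
    permissions:
      id-token: write
      contents: write
    steps:
      - *checkout-submodules
      - *mise-install
      - *setup-orchestrator-home
      - *cache-orchestrator
      - *orchestrator-tokens
      - name: Run PR Analysis Integration Tests
        uses: SonarSource/ci-github-actions/build-gradle@v1
        env:
          ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
          KEEP_ORCHESTRATOR_RUNNING: "true"
        with:
          deploy-pull-request: false
          skip-tests: false
          use-develocity: true
          gradle-args: >-
            its:ruling:integrationTest
            -Dsonar.runtimeVersion=LATEST_RELEASE
            --tests "PhpPrAnalysisTest"
            -x sonar
            -x artifactoryPublish
      - name: Upload test results
        if: always() && ! cancelled()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: qa-pr-analysis-test-results
          path: '**/test-results/**/*.xml'
      - name: Upload reports
        if: always() && ! cancelled()
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: qa-pr-analysis-reports
          path: '**/build/reports/**/*'

  promote:
    needs: [build, build_test_analyze, qa_os_win, qa_plugin, qa_ruling, qa_pr_analysis]
    runs-on: sonar-xs-public
    name: Promote
    permissions:
      id-token: write
      contents: write
    steps:
      - uses: SonarSource/ci-github-actions/promote@v1
        with:
          promote-pull-request: true

  notify:
    runs-on: github-ubuntu-latest-s # Public GH runner is required, runners starting with sonar-* do not support this action
    # This workflow has no check_suite trigger, so github.event.check_suite.*
    # is always empty here and the previous condition could never be true.
    # github.ref_name carries the branch for push/schedule/workflow_dispatch runs
    # (for pull_request it is "<n>/merge", which intentionally does not match).
    if: failure() && (contains(fromJSON('["main", "master"]'), github.ref_name) || startsWith(github.ref_name, 'branch-'))
    needs: [build, build_test_analyze, qa_os_win, qa_plugin, qa_ruling, qa_pr_analysis, promote]
    permissions:
      id-token: write
    steps:
      - name: Vault Secrets
        id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/kv/data/slack token | SLACK_BOT_TOKEN;
      - name: Slack Notification rtCamp
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        env:
          SLACK_TOKEN: >-
            ${{ fromJSON(steps.secrets.outputs.vault).SLACK_BOT_TOKEN }}
          SLACK_CHANNEL: squad-security-taint-notifs
          SLACK_TITLE: Build Failed
          # pull_request.user is empty on push/schedule runs (the only ones that
          # reach this job), so fall back to the actor who triggered the run.
          SLACK_MESSAGE: |
            Workflow failed in ${{ github.repository }} 🚨
            ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
            Branch: ${{ github.head_ref || github.ref_name }}
            Author: ${{ github.event.pull_request.user.login || github.actor }}
          SLACK_USERNAME: BuildBot
          SLACK_COLOR: danger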