SC-32878 Migrate SQCB Cirrus Tasks to GHA (#3507)

GitOrigin-RevId: 0b024c615cbf049bdd4233aa53cc4b5ffddecdb6

Author: gregaubert

.cirrus/Dockerfile

@@ -4,12 +4,6 @@ description: Install dependencies using Yarn and cache them
 runs:
   using: composite
   steps:
-    - id: secrets
-      uses: SonarSource/vault-action-wrapper@v3
-      with:
-        secrets: |
-          development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader username | ARTIFACTORY_USERNAME;
-          development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
     - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3
       with:
         version: 2025.9.12
@@ -18,16 +12,8 @@ runs:
       with:
         path: |
           .yarn
-        key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}
-        restore-keys: yarn-${{ runner.os }}-
+        key: yarn-${{ runner.os }}
     - name: Yarn install dependencies
       shell: bash
-      env:
-        ARTIFACTORY_URL: 'https://repox.jfrog.io/artifactory'
-        ARTIFACTORY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME }}
-        ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
       run: |
-        yarn config set npmRegistryServer "${ARTIFACTORY_URL}/api/npm/npm"
-        yarn config set npmAlwaysAuth true
-        yarn config set npmAuthIdent ${ARTIFACTORY_USERNAME}:${ARTIFACTORY_ACCESS_TOKEN}
-        yarn install --immutable
+        CI=false yarn install

.github/actions/yarn-install/action.yml

@@ -18,6 +18,20 @@ core.workflow(
             [core.move(".github-public/", ".github", overwrite=True)],
             reversal=[core.move(".github/", ".github-public/", overwrite=True)],
             noop_behavior = "IGNORE_NOOP"),
+        core.replace(
+            before = '"~sq-server-addons/*": ["private/libs/sq-server-addons/src/*", "libs/sq-server-addons/src/*"]',
+            after = '"~sq-server-addons/*": ["libs/sq-server-addons/src/*"]',
+            paths = ["./tsconfig.base.json"],
+        ),
+        core.replace(
+            before = "${x}",
+            after = "",
+            multiline = True,
+            regex_groups = {
+                "x": "(?m)^.*BEGIN-PRIVATE-FEATURE-TESTS[\\w\\W]*?END-PRIVATE-FEATURE-TESTS.*$\\n",
+            },
+            paths = glob(["**-it.tsx?", "**-test.tsx?"]),
+        ),
     ],
     mode = "ITERATIVE"
 )

.github/copybara/copy.bara.sky

@@ -1,38 +1,50 @@
 #!/bin/bash
+
+# The following environment variables are expected to be set:
+#  SONAR_HOST_URL
+#  SONARQUBE_NEXT_URL
+#  SONAR_TOKEN
+#  SONARQUBE_NEXT_TOKEN
+#  PROJECT_KEY
+#  VERSION
+
+# The following are Github Actions default environment variables:
+#  GITHUB_SHA
+#  GITHUB_BASE_REF
+#  GITHUB_REPOSITORY
+#  GITHUB_RUN_ID
+
 set -euo pipefail
 
-export GIT_SHA1=${CIRRUS_CHANGE_IN_REPO?}
-export GITHUB_BASE_BRANCH=${CIRRUS_BASE_BRANCH:-}
-export GITHUB_BRANCH=${CIRRUS_BRANCH?}
-export GITHUB_REPO=${CIRRUS_REPO_FULL_NAME?}
-export BUILD_NUMBER=${CI_BUILD_NUMBER?}
-export PULL_REQUEST=${CIRRUS_PR:-false}
-export PULL_REQUEST_SHA=${CIRRUS_BASE_SHA:-}
-export PIPELINE_ID=${CIRRUS_BUILD_ID?}
+export SONAR_HOST_URL=${SONAR_HOST_URL:-$SONARQUBE_NEXT_URL}
+export SONAR_TOKEN=${SONAR_TOKEN:-$SONARQUBE_NEXT_TOKEN}
+export PROJECT_KEY=${PROJECT_KEY:-sonarqube-webapp
 
-: "${SONAR_HOST_URL?}" "${SONAR_TOKEN?}"
+echo "[DEBUG] GITHUB_SHA: ${GITHUB_SHA}"
+echo "[DEBUG] GITHUB_BASE_REF: ${GITHUB_BASE_REF}"
+echo "[DEBUG] GITHUB_REPOSITORY: ${GITHUB_REPOSITORY}"
+echo "[DEBUG] SONAR_HOST_URL: ${SONAR_HOST_URL}"
+echo "[DEBUG] PROJECT_KEY: ${PROJECT_KEY}"
 
 git fetch --unshallow || true
-if [ -n "${GITHUB_BASE_BRANCH:-}" ]; then
-  git fetch origin "${GITHUB_BASE_BRANCH}"
+if [ -n "${GITHUB_BASE_REF:-}" ]; then
+  git fetch origin "${GITHUB_BASE_REF}"
 fi
 
 PROJECT_VERSION=$(jq -r .version "apps/sq-server/package.json")
-ESLINT_REPORT_PATH=$(find ./ -name eslint-report.json -type f -not -path "**/.nx/*" -not -path "**/node_modules/*" | paste -sd ',')
+ESLINT_REPORT_PATH=$(find build/reports/ -name eslint-report.json -type f | paste -sd ',')
 
 scanner_params=(
-    "-DbuildNumber=${BUILD_NUMBER}"
-    "-Dsonar.projectKey=sonarqube-webapp"
+    "-Dsonar.projectKey=${PROJECT_KEY}"
     "-Dsonar.projectName=SonarQube Webapp"
     "-Dsonar.projectVersion=${PROJECT_VERSION}"
     "-Dsonar.host.url=${SONAR_HOST_URL}"
     "-Dsonar.token=${SONAR_TOKEN}"
-    "-Dsonar.analysis.buildNumber=${BUILD_NUMBER}"
-    "-Dsonar.analysis.pipeline=${PIPELINE_ID}"
-    "-Dsonar.analysis.repository=${GITHUB_REPO}"
-    "-Dsonar.analysis.sha1=${GIT_SHA1}"
+    "-Dsonar.analysis.pipeline=${GITHUB_RUN_ID}"
+    "-Dsonar.analysis.repository=${GITHUB_REPOSITORY}"
+    "-Dsonar.analysis.sha1=${GITHUB_SHA}"
     "-Dsonar.eslint.reportPaths=${ESLINT_REPORT_PATH}"
-    "-Dsonar.javascript.lcov.reportPaths=apps/sq-server/build/reports/coverage/lcov.info"
+    "-Dsonar.javascript.lcov.reportPaths=build/reports/coverage/lcov.info"
     "-Dsonar.sources=apps/sq-server/,libs/",
     "-Dsonar.inclusions=**/src/**"
     "-Dsonar.exclusions=**/__tests__/**"
@@ -65,4 +77,4 @@ scanner_params=(
                                 **/helpers/cookies.ts,
                                 **/*Legacy.*")
 
-sonar-scanner "${scanner_params[@]}"
+yarn run sonar-scanner "${scanner_params[@]}"

.cirrus/scan-sq-server.sh renamed to .github/scripts/scan-sq-cb.sh

@@ -15,6 +15,7 @@
 #  GITHUB_SHA
 #  GITHUB_BASE_REF
 #  GITHUB_REPOSITORY
+#  GITHUB_RUN_ID
 
 set -euo pipefail
 

.github/scripts/scan-sq-cloud.sh

@@ -15,6 +15,7 @@
 #  GITHUB_SHA
 #  GITHUB_BASE_REF
 #  GITHUB_REPOSITORY
+#  GITHUB_RUN_ID
 
 set -euo pipefail
 

.github/scripts/scan-sq-server.sh

@@ -0,0 +1,149 @@
+name: Build SQ-Community Build Webapp
+on:
+  push:
+    branches:
+      - master
+      - branch-sqs-*
+
+permissions:
+  id-token: write # OIDC auth for vault
+  contents: read # Checkout
+
+env:
+  ARTIFACTORY_URL: "https://repox.jfrog.io/artifactory"
+  ARTIFACTORY_DEPLOY_REPO: "sonarsource-private-qa"
+  ARTIFACTORY_DEPLOY_REPO_PUBLIC: "sonarsource-public-qa"
+  REPORTS_PATH: apps/sq-server/build/reports
+  DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+  GITHUB_BRANCH: ${{ github.head_ref || github.ref_name }}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build SQ-Community Build
+    runs-on: github-ubuntu-latest-s
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: ./.github/actions/yarn-install
+      - name: Build SQ-Community Build
+        id: build-sq-cb
+        shell: bash
+        run: |
+          yarn nx build sq-server --output-style=static
+      - name: Upload build results
+        if: success()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: sq-community-build
+          path: |
+            apps/sq-server/build/**
+          if-no-files-found: warn
+
+  lint:
+    name: Lint SQ-Community Build
+    runs-on: github-ubuntu-latest-s
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: ./.github/actions/yarn-install
+      - name: Lint SQ-Community Build
+        id: lint-sq-cb
+        shell: bash
+        env:
+          NODE_OPTIONS: --max-old-space-size=4096
+        run: |
+          yarn nx run-many -t lint-report -p sq-server,tag:scope:shared,tag:scope:server --output-style=static
+      - name: Upload lint results
+        if: success()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: sq-cb-results-scan-lint
+          path: |
+            **/build/reports/**
+            !**/node_modules/**
+          if-no-files-found: warn
+
+  unit-test:
+    name: Unit tests SQ-Community Build
+    runs-on: github-ubuntu-latest-l
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: ./.github/actions/yarn-install
+      - name: Unit tests SQ-Community Build
+        id: unit-tests-sq-community-build
+        shell: bash
+        env:
+          NODE_OPTIONS: --max-old-space-size=8192
+          SHARD_VALUE: 1
+          SHARD_TOTAL: 1
+        run: |
+          yarn nx test-ci-shard sq-server --output-style=static
+      - name: Upload unit test results
+        if: success()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: sq-cb-results-scan-coverage
+          path: |
+            ${{ env.REPORTS_PATH }}/**
+          if-no-files-found: warn
+
+  scan:
+    name: Scan SQ-Community Build
+    needs: [build, lint, unit-test]
+    runs-on: github-ubuntu-latest-s
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/kv/data/next url | NEXT_URL;
+            development/kv/data/next token | NEXT_TOKEN;
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          # Disabling shallow clones is recommended for improving the relevance of reporting
+          fetch-depth: 0
+      - uses: ./.github/actions/yarn-install
+      - name: Download coverage and lint reports
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+        with:
+          pattern: sq-cb-results-scan-*
+          path: build/reports/
+          merge-multiple: true
+      - name: Scan SQ-Community Build on Next
+        shell: bash
+        env:
+          SONAR_HOST_URL: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_URL }}
+          SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).NEXT_TOKEN }}
+        run: |
+          ls -la build/reports/
+          .github/scripts/scan-sq-cb.sh
+
+  slack-notifications:
+    runs-on: github-ubuntu-latest-s # Public GH runner is required, runners starting with sonar-* do not support this action
+    if: failure() && github.ref_name == 'master'
+    needs: [build, scan]
+    permissions:
+      id-token: write
+    steps:
+      - name: Vault Secrets
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/kv/data/slack token | SLACK_TOKEN;
+
+      - name: Slack Notification rtCamp
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        env:
+          SLACK_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_TOKEN }}
+          SLACK_CHANNEL: ops-sonarqube-webapp
+          SLACK_TITLE: SQ-Community Build failed 🚨
+          SLACK_ICON_EMOJI: ":github:"
+          SLACK_USERNAME: BuildBot
+          SLACK_COLOR: danger
+          SLACK_MESSAGE: |
+            Workflow failed in ${{ github.repository }}
+            ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+            Branch: ${{ github.head_ref || github.ref_name }}

.github/workflows/build-sq-cb.yml

@@ -47,9 +47,9 @@ module.exports = {
     '~adapters/(.+)': '<rootDir>/libs/sq-server-commons/src/sq-server-adapters/$1',
 
     // sq-server specific modules aliases
-    '~sq-server-addons': isPrivateEdition
-      ? '<rootDir>/private/libs/sq-server-addons/src/index.ts'
-      : '<rootDir>/libs/sq-server-addons/src/index.ts',
+    '~sq-server-addons/(.+)': isPrivateEdition
+      ? '<rootDir>/private/libs/sq-server-addons/src/$1'
+      : '<rootDir>/libs/sq-server-addons/src/$1',
     '~sq-server-features/(.+)': '<rootDir>/private/libs/sq-server-features/src/$1',
     '~sq-server-commons/(.+)': '<rootDir>/libs/sq-server-commons/src/$1',