SONARRUBY-102 Migrate CI pipeline to GHA on branch-1.18

.github/workflows/build.yml

@@ -0,0 +1,111 @@
+name: Build
+
+on:
+  push:
+    branches:
+      - master
+      - branch-*
+      - dogfood-*
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: "45 0 * * *" # Run daily at 0:45 AM UTC
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: github-ubuntu-latest-s  # Public repository runner
+    name: Build
+    permissions:
+      id-token: write  # Required for Vault OIDC authentication
+      contents: write  # Required for repository access and tagging
+    outputs:
+      build-number: ${{ steps.build-step.outputs.BUILD_NUMBER }}
+      deployed: ${{ steps.build-step.outputs.deployed }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
+        with:
+          version: 2025.7.12
+      - uses: SonarSource/ci-github-actions/build-gradle@v1
+        id: build-step
+        with:
+          deploy-pull-request: true
+          artifactory-reader-role: private-reader    # Override for public repo using private access
+          artifactory-deployer-role: qa-deployer     # Override for public repo using private access
+
+  qa:
+    needs: [build]
+    if: ${{ needs.build.outputs.deployed }}
+    runs-on: github-ubuntu-latest-s  # Public repository runner
+    name: QA Tests
+    permissions:
+      id-token: write  # Required for Vault OIDC authentication
+      contents: read  # Required for repository access
+    strategy:
+      fail-fast: false
+      matrix:
+        # Plugin tests check API compatibility, so they should run against all supported versions.
+        # Ruling tests check only that the results of analysis have not changed,
+        # so one sonar.runtimeVersion is enough.
+        item:
+          - { suite: "plugin", sq_version: "DEV" }
+          - { suite: "plugin", sq_version: "LATEST_RELEASE" }
+          - { suite: "ruling", sq_version: "LATEST_RELEASE" }
+    env:
+      BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          submodules: ${{ matrix.item.suite == 'ruling' }}
+      - name: Remove kotlin ITs as they are not relevant for ruling tests (and cause issues with wrapper validation)
+        if: ${{ matrix.item.suite == 'ruling' }}
+        run: rm -r ./its/sources/kotlin
+      - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
+        with:
+          version: 2025.7.12
+      - name: Get Vault secrets
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/github/token/licenses-ro token | GITHUB_TOKEN;
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+      - name: Configure Gradle
+        uses: SonarSource/ci-github-actions/build-gradle@v1
+        with:
+          gradle-args: "-x build -x sonar -x artifactoryPublish"  # Skip everything to only configure Gradle and Artifactory access
+          artifactory-reader-role: private-reader
+          artifactory-deployer-role: qa-deployer
+      - name: Run QA Tests
+        env:
+          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+          SUITE: ${{ matrix.item.suite }}
+          SQ_VERSION: ${{ matrix.item.sq_version }}
+        run: |
+          ./gradlew ":its:${SUITE}:test" "-P${SUITE}" \
+            "-Dsonar.runtimeVersion=${SQ_VERSION}" \
+            "-Dorchestrator.artifactory.accessToken=${ARTIFACTORY_ACCESS_TOKEN}" \
+            "-DbuildNumber=${BUILD_NUMBER}" \
+            -Pqa --info --stacktrace --console plain --no-daemon --build-cache
+
+  promote:
+    name: Promote
+    needs:
+      - build
+      - qa
+    runs-on: github-ubuntu-latest-s  # Public repository runner
+    if: ${{ needs.build.outputs.deployed }}
+    permissions:
+      id-token: write  # Required for Vault OIDC authentication
+      contents: write  # Required for repository access and tagging
+    env:
+      BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
+    steps:
+      - uses: SonarSource/ci-github-actions/promote@v1
+        with:
+          promote-pull-request: true  # Enable PR artifact promotion

.github/workflows/pr-cleanup.yml

@@ -0,0 +1,13 @@
+name: Cleanup PR Resources
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  cleanup:
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      actions: write
+    steps:
+      - uses: SonarSource/ci-github-actions/pr_cleanup@v1

.github/workflows/releasability.yaml

@@ -44,7 +44,7 @@ jobs:
             echo "LATEST_VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
           fi
 
-      - uses: SonarSource/gh-action_releasability@v2
+      - uses: SonarSource/gh-action_releasability@v3
         id: releasability
         with:
           branch: ${{ github.ref_name }}

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
     permissions:
       id-token: write
       contents: write
-    uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v5
+    uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v6
     with:
       publishToBinaries: true
       mavenCentralSync: true

.github/workflows/unified-dogfooding.yml

@@ -0,0 +1,29 @@
+name: Unified Dogfooding scans
+on:
+  schedule:
+    - cron: '0 4 * * *' # Run the workflow every day at 04:00 UTC
+  workflow_dispatch:
+
+jobs:
+  unified-platform-dogfooding:
+    runs-on: github-ubuntu-latest-s
+    name: Unified Platform Dogfooding
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: SonarSource/ci-github-actions/build-gradle@v1
+        with:
+          run-shadow-scans: true
+          artifactory-reader-role: private-reader
+          artifactory-deployer-role: qa-deployer
+      - name: Run IRIS Analysis
+        uses: SonarSource/unified-dogfooding-actions/run-iris@v1
+        with:
+          primary_project_key: SonarSource_sonar-ruby
+          primary_platform: "SQC-EU"
+          shadow1_project_key: SonarSource_sonar-ruby
+          shadow1_platform: "Next"
+          shadow2_project_key: SonarSource_sonar-ruby
+          shadow2_platform: "SQC-US"

README.md

@@ -1,6 +1,6 @@
 # sonar-ruby
 
-[![Build Status](https://api.cirrus-ci.com/github/SonarSource/sonar-ruby.svg?branch=master)](https://cirrus-ci.com/github/SonarSource/sonar-ruby)
+[![Build Status](https://github.com/SonarSource/sonar-ruby/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/SonarSource/sonar-ruby/actions/workflows/build.yml)
 [![Quality Gate Status](https://next.sonarqube.com/sonarqube/api/project_badges/measure?project=SonarSource_sonar-ruby&metric=alert_status&token=sqb_a78a1551add08b844fb442b01edcb5cc144ed1cb)](https://next.sonarqube.com/sonarqube/dashboard?id=SonarSource_sonar-ruby)
 [![Coverage](https://next.sonarqube.com/sonarqube/api/project_badges/measure?project=SonarSource_sonar-ruby&metric=coverage&token=sqb_a78a1551add08b844fb442b01edcb5cc144ed1cb)](https://next.sonarqube.com/sonarqube/dashboard?id=SonarSource_sonar-ruby)
 

build.gradle

@@ -29,7 +29,7 @@ allprojects {
     ext {
         buildNumber = System.getProperty("buildNumber")
 
-        sonarLinksCi = 'https://cirrus-ci.com/github/SonarSource/sonar-ruby'
+        sonarLinksCi = 'https://github.com/SonarSource/sonar-ruby/actions/workflows/build.yml'
         sonarLinksScm = 'https://github.com/SonarSource/sonar-ruby'
 
         artifactsToPublish = ''
@@ -173,7 +173,7 @@ subprojects {
         def signingPassword = findProperty("signingPassword")
         useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
         required {
-            def branch = System.getenv()["CIRRUS_BRANCH"]
+            def branch = System.getenv()["GITHUB_REF_NAME"]
             return (branch == 'master' || branch ==~ 'branch-[\\d.]+') &&
               gradle.taskGraph.hasTask(":artifactoryPublish")
         }
@@ -182,7 +182,7 @@ subprojects {
 
     tasks.withType(Sign) {
         onlyIf {
-            def branch = System.getenv()["CIRRUS_BRANCH"]
+            def branch = System.getenv()["GITHUB_REF_NAME"]
             return !artifactoryPublish.skip &&
               (branch == 'master' || branch ==~ 'branch-[\\d.]+') &&
               gradle.taskGraph.hasTask(":artifactoryPublish")

mise.toml

@@ -0,0 +1,3 @@
+[tools]
+java = "17.0"
+gradle = "7.6"