BUILD-8099 add promote action

.github/workflows/test-shell-scripts.yml

@@ -25,8 +25,6 @@ jobs:
           sudo dpkg -i kcov_38+dfsg-1_amd64.deb
           rm kcov_38+dfsg-1_amd64.deb
 
-          pwd
-          ls -la
           ./run_shell_tests.sh
       - name: Vault
         id: secrets

.gitignore

@@ -2,3 +2,4 @@
 /coverage/
 /.scannerwork/
 /build_number.txt
+/.shellspec-quick.log

.shellspec

@@ -1,5 +1,5 @@
 # kcov (coverage) options
---kcov-options "--include-pattern=build-poetry,get-build-number,pr_cleanup"
+--kcov-options "--include-pattern=build-poetry,get-build-number,pr_cleanup,promote"
 # --kcov-options "--exclude-pattern=.github,.idea,.git"
 
 # define minimum coverage (fail otherwise)

CONTRIBUTE.md

@@ -50,6 +50,18 @@ The coverage report is available here: `coverage/index.html`
 
 Use `Dump` in the spec file to print the variables and their values during the test execution.
 
+Use ShellSpec options like `-x`, `-X` to run the tests in debug mode.
+
+Use ShellSpec options like `-q` (`--quick`), `-n` (`--next-failure`)... to iterate on the tests and debug them.
+
+```shell
+# List all examples in the spec files, with IDs
+shellspec --kcov --list examples
+
+# List all examples in the spec files, with line numbers
+shellspec --kcov --list examples:lineno
+```
+
 ## Project structure
 
 ```text
@@ -73,10 +85,12 @@ Add a section in the README.md file to document the new action, including its us
 
 Add the action folder to the `.shellspec` configuration file to include it in the tests.
 
+Also add the action to the `sonar-project.properties` file to include its coverage in the SonarQube analysis.
+
 Add a new spec file in the `spec` directory for the action. Use the existing tests as examples for writing your own tests.
 
-Only create Action test workflow when it completes the ShellSpec tests, and does not require complex setup or external dependencies.
-The actions are used in the dummy repositories, so they are tested in the CI/CD environment.
+Only create an Action test workflow when it completes the ShellSpec tests, and does not require complex setup or external dependencies.
+The actions are used in the dummy repositories, so they are tested for real in the CI/CD environment.
 
 ### Test Guidelines
 

README.md

@@ -91,6 +91,41 @@ jobs:
 - `public-deployer` or `qa-deployer` Artifactory roles for the deployment.
 - `qa-deployer` Artifactory role for the QA deploy.
 
+## `promote`
+
+This action promotes a build in JFrog Artifactory and updates the GitHub status check accordingly.
+
+The GitHub status check is named `repox-${GITHUB_REF_NAME}`.
+
+### Usage
+
+```yaml
+  promote:
+    needs:
+      - build
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
+    runs-on: ubuntu-24.04-large
+    name: Promote
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: SonarSource/ci-github-actions/get-build-number@v1
+      - uses: SonarSource/ci-github-actions/promote@v1
+```
+
+⚠️ Required GitHub permissions:
+
+- `id-token: write`
+- `contents: write`
+
+⚠️ Required Vault permissions:
+
+- `promoter` Artifactory role for the promotion.
+- `promotion` GitHub token.
+
 ## `pr-cleanup`
 
 Automatically clean up caches and artifacts associated with a pull request when it is closed.

build-poetry/action.yml

@@ -3,8 +3,7 @@ name: Build Poetry
 description: GitHub Action to build, analyze, and deploy a Python project using Poetry
 inputs:
   public:
-    description: Whether to build and deploy with/to public repositories. Defaults to `true` for public repositories (OSS), and `false` for
-      private repositories.
+    description: Whether to build and deploy with/to public repositories. Set to `true` for public repositories (OSS), `false` for private.
     default: ${{ github.event.repository.visibility == 'public' && 'true' || 'false' }}
   artifactory-reader-role:
     description: Suffix for the Artifactory reader role in Vault. Defaults to `private-reader` for private repositories, and `public-reader`

build-poetry/build.sh

@@ -1,27 +1,28 @@
 #!/bin/bash
 # Regular way to build and deploy a SonarSource Poetry project.
 # Environment variables:
-# - ARTIFACTORY_URL: Repox URL
-# - ARTIFACTORY_PYPI_REPO: repository to install dependencies from (sonarsource-pypi)
-# - ARTIFACTORY_ACCESS_TOKEN: access token to access the repository
-# - ARTIFACTORY_DEPLOY_REPO: deployment repository (sonarsource-pypi-public-qa or sonarsource-pypi-private-qa)
-# - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: access token to deploy to the repository
-# - GITHUB_REF_NAME: the short ref name of the branch or tag (e.g. main, branch-123, dogfood-on-123)
-# - DEFAULT_BRANCH: default branch (e.g. main), defaults to the repository configuration
-# - BUILD_NUMBER: build number (e.g. 42)
-# - GITHUB_REPOSITORY: repository name (e.g. sonarsource/sonar-dummy-poetry)
-# - GITHUB_EVENT_NAME: event name (e.g. push, pull_request)
-# - GITHUB_EVENT_PATH: The path to the event webhook payload file. For example, /github/workflow/event.json.
+# - ARTIFACTORY_URL: Repox URL.
+# - ARTIFACTORY_PYPI_REPO: Repository to install dependencies from (sonarsource-pypi)
+# - ARTIFACTORY_ACCESS_TOKEN: Access token to access the repository
+# - ARTIFACTORY_DEPLOY_REPO: Deployment repository (sonarsource-pypi-public-qa or sonarsource-pypi-private-qa)
+# - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: Access token to deploy to the repository
+# - GITHUB_REF_NAME: Short ref name of the branch or tag (e.g. main, branch-123, dogfood-on-123)
+# - DEFAULT_BRANCH: Default branch (e.g. main), defaults to the repository configuration
+# - BUILD_NUMBER: Build number (e.g. 42)
+# - GITHUB_REPOSITORY: Repository name (e.g. sonarsource/sonar-dummy-poetry)
+# - GITHUB_EVENT_NAME: Event name (e.g. push, pull_request)
+# - GITHUB_EVENT_PATH: Path to the event webhook payload file. For example, /github/workflow/event.json.
 # shellcheck source-path=SCRIPTDIR
 
 set -euo pipefail
 
 : "${ARTIFACTORY_URL:="https://repox.jfrog.io/artifactory"}"
 : "${ARTIFACTORY_PYPI_REPO:?}" "${ARTIFACTORY_ACCESS_TOKEN:?}" "${ARTIFACTORY_DEPLOY_REPO:?}" "${ARTIFACTORY_DEPLOY_ACCESS_TOKEN:?}"
-: "${GITHUB_REF_NAME:?}" "${BUILD_NUMBER:?}" "${GITHUB_REPOSITORY:?}"
-: "${GITHUB_EVENT_NAME:?}" "${GITHUB_EVENT_PATH:?}"
+: "${GITHUB_REF_NAME:?}" "${BUILD_NUMBER:?}" "${GITHUB_REPOSITORY:?}" "${GITHUB_EVENT_NAME:?}" "${GITHUB_EVENT_PATH:?}"
+: "${GITHUB_ENV:?}" # "${GITHUB_OUTPUT:?}"
 
 check_tool() {
+  # Check if a command is available and runs it, typically: 'some_tool --version'
   if ! command -v "$1"; then
     echo "$1 is not installed." >&2
     return 1
@@ -85,12 +86,13 @@ jfrog_poetry_publish() {
   popd
   jf rt build-collect-env "$PROJECT" "$BUILD_NUMBER"
   jf rt build-publish "$PROJECT" "$BUILD_NUMBER" \
-    --env-include 'PROJECT;GIT_*;*VERSION*;BUILD_*;GITHUB_*;*BRANCH*;*ID;PULL_REQUEST*' \
+    --env-include 'PROJECT;GIT_*;*VERSION*;BUILD_*;GITHUB_*;*BRANCH*;*ID;PULL_REQUEST*;ARTIFACTORY*' \
     --env-exclude "*login*;*pass*;*psw*;*pwd*;*secret*;*key*;*token*;*auth*" \
     --overwrite # avoid duplicate builds on re-runs
 }
 
-main() {
+build-poetry() {
+  check_tool jq --version
   check_tool python --version
   check_tool poetry --version
   check_tool jf --version
@@ -122,5 +124,5 @@ main() {
 }
 
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
-  main
+  build-poetry
 fi

promote/action.yml

@@ -0,0 +1,31 @@
+---
+name: Promote
+description: GitHub Action to promote a project
+inputs:
+  public:
+    description: Whether to build and deploy with/to public repositories. Set to `true` for public repositories (OSS), `false` for private.
+    default: ${{ github.event.repository.visibility == 'public' && 'true' || 'false' }}
+
+runs:
+  using: composite
+  steps:
+    - name: Set build parameters
+      shell: bash
+      run: |
+        cp ${GITHUB_ACTION_PATH}/mise.local.toml mise.local.toml
+    - name: Vault
+      id: secrets
+      uses: SonarSource/vault-action-wrapper@d6d745ffdbc82b040df839b903bc33b5592cd6b0 # 3.0.2
+      with:
+        secrets: |
+          development/artifactory/token/{REPO_OWNER_NAME_DASH}-promoter access_token | ARTIFACTORY_PROMOTE_ACCESS_TOKEN;
+          development/github/token/{REPO_OWNER_NAME_DASH}-promotion token | GITHUB_TOKEN;
+    - uses: jdx/mise-action@5cb1df66ed5e1fb3c670ea0b62fd17a76979826a # v2.3.1
+    - name: Promote artifacts
+      shell: bash
+      env:
+        ARTIFACTORY_PROMOTE_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_PROMOTE_ACCESS_TOKEN }}
+        GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+        DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+      run: |
+        ${GITHUB_ACTION_PATH}/promote.sh

promote/mise.local.toml

@@ -0,0 +1,2 @@
+[tools]
+jfrog-cli = "2.77.0"