Pin external GitHub Actions to SHA #3

Workflow file for this run

.github/workflows/docker-a3s-repox.yml at 684fbb1

	name: Build A3S Docker Image (Repox)

	on:
	push:
	branches:
	- docker-a3s-repox-workflow # Temporary: for testing, remove before merge
	workflow_dispatch:
	inputs:
	branch:
	description: 'Branch to build from'
	required: true
	type: string
	default: master

	env:
	DOCKER_REPOX_BUILDS_REGISTRY: repox-sonarsource-docker-builds.jfrog.io
	DOCKER_IMAGE: "a3s/analysis/javascript"

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	jobs:
	get_build_number:
	runs-on: github-ubuntu-latest-s
	name: Get build number
	permissions:
	id-token: write
	contents: read
	outputs:
	BUILD_NUMBER: ${{ steps.get-build-number.outputs.BUILD_NUMBER }}
	steps:
	- uses: SonarSource/ci-github-actions/get-build-number@master
	id: get-build-number

	build_and_publish:
	name: Build and publish Docker image
	runs-on: github-ubuntu-latest-m
	needs: get_build_number
	permissions:
	id-token: write
	contents: read
	env:
	BUILD_NUMBER: ${{ needs.get_build_number.outputs.BUILD_NUMBER }}
	steps:
	- name: Checkout source code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	ref: ${{ inputs.branch \|\| github.ref }}

	- uses: jdx/mise-action@v3.6.1
	with:
	version: 2025.11.2
	mise_toml: \|
	[tools]
	node = "24.11.0"

	- name: Access vault secrets
	id: secrets
	uses: SonarSource/vault-action-wrapper@v3
	with:
	secrets: \|
	development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token \| ARTIFACTORY_ACCESS_TOKEN;
	development/artifactory/token/{REPO_OWNER_NAME_DASH}-docker-release access_token \| ARTIFACTORY_DEPLOY_PASSWORD;
	development/artifactory/token/{REPO_OWNER_NAME_DASH}-docker-release username \| ARTIFACTORY_DEPLOY_USERNAME;

	- name: Configure npm registry
	run: \|
	npm config set //repox.jfrog.io/artifactory/api/npm/:_authToken=${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
	npm config set registry https://repox.jfrog.io/artifactory/api/npm/npm/

	- name: Install NPM dependencies
	run: npm ci

	- name: Build bundle for Docker
	run: npm run grpc:build

	- name: Docker login to Repox registry
	uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
	with:
	registry: ${{ env.DOCKER_REPOX_BUILDS_REGISTRY }}
	username: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }}
	password: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_PASSWORD }}

	- name: Setup Docker image
	shell: bash
	id: docker-image-setup
	run: \|
	DOCKER_IMAGE_BUILD_NUMBER="${DOCKER_REPOX_BUILDS_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER}"
	echo "docker-image=${DOCKER_IMAGE_BUILD_NUMBER}" >> $GITHUB_OUTPUT

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

	- name: Build and push Docker image
	shell: bash
	env:
	DOCKER_IMAGE_BUILD_NUMBER: ${{ steps.docker-image-setup.outputs.docker-image }}
	run: \|
	docker buildx build --platform linux/arm64 --tag "${DOCKER_IMAGE_BUILD_NUMBER}" --push .

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pin external GitHub Actions to SHA #3

Workflow file

Pin external GitHub Actions to SHA #3

Uh oh!

Workflow file for this run