
Pin external GitHub Actions to SHA #3

Pin external GitHub Actions to SHA


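# Builds the A3S JavaScript analysis image and pushes it to the Repox
# Docker builds registry. Runs on a manual dispatch (choice of branch) and,
# for now, on pushes to the temporary development branch below.
name: Build A3S Docker Image (Repox)
on:
  push:
    branches:
      - docker-a3s-repox-workflow # Temporary: for testing, remove before merge
  workflow_dispatch:
    inputs:
      branch:
        description: 'Branch to build from'
        required: true
        type: string
        default: master

env:
  DOCKER_REPOX_BUILDS_REGISTRY: repox-sonarsource-docker-builds.jfrog.io
  DOCKER_IMAGE: "a3s/analysis/javascript"

# One run per workflow+ref; a newer push supersedes an in-flight build.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  get_build_number:
    runs-on: github-ubuntu-latest-s
    name: Get build number
    # Job-scoped permissions instead of the repository default;
    # id-token: write is presumably needed by the build-number action — confirm.
    permissions:
      id-token: write
      contents: read
    outputs:
      BUILD_NUMBER: ${{ steps.get-build-number.outputs.BUILD_NUMBER }}
    steps:
      # Organisation-owned action; referenced by branch rather than SHA.
      - uses: SonarSource/ci-github-actions/get-build-number@master
        id: get-build-number

  build_and_publish:
    name: Build and publish Docker image
    runs-on: github-ubuntu-latest-m
    needs: get_build_number
    permissions:
      id-token: write
      contents: read
    env:
      BUILD_NUMBER: ${{ needs.get_build_number.outputs.BUILD_NUMBER }}
    steps:
      - name: Checkout source code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Manual runs build the requested branch; push runs build the pushed ref.
          ref: ${{ inputs.branch || github.ref }}

      # TODO: pin to the commit SHA of the v3.6.1 release (with the version in a
      # trailing comment) like the other external actions in this workflow;
      # a mutable tag can be re-pointed by the upstream repository.
      - uses: jdx/mise-action@v3.6.1
        with:
          version: 2025.11.2
          mise_toml: |
            [tools]
            node = "24.11.0"

      # Fetches Artifactory credentials from Vault; values are read later via
      # fromJSON(steps.secrets.outputs.vault).<NAME>.
      - name: Access vault secrets
        id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
            development/artifactory/token/{REPO_OWNER_NAME_DASH}-docker-release access_token | ARTIFACTORY_DEPLOY_PASSWORD;
            development/artifactory/token/{REPO_OWNER_NAME_DASH}-docker-release username | ARTIFACTORY_DEPLOY_USERNAME;

      # The token is passed through env rather than interpolated with ${{ }}
      # into the script text, so the expression is never expanded inside the
      # shell source (the recommended pattern for expressions in `run`).
      - name: Configure npm registry
        env:
          NPM_AUTH_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
        run: |
          npm config set //repox.jfrog.io/artifactory/api/npm/:_authToken="${NPM_AUTH_TOKEN}"
          npm config set registry https://repox.jfrog.io/artifactory/api/npm/npm/

      - name: Install NPM dependencies
        run: npm ci

      - name: Build bundle for Docker
        run: npm run grpc:build

      - name: Docker login to Repox registry
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: ${{ env.DOCKER_REPOX_BUILDS_REGISTRY }}
          username: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_USERNAME }}
          password: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_DEPLOY_PASSWORD }}

      # Composes the fully qualified image reference <registry>/<image>:<build number>
      # and exposes it as the step output `docker-image`.
      - name: Setup Docker image
        shell: bash
        id: docker-image-setup
        run: |
          DOCKER_IMAGE_BUILD_NUMBER="${DOCKER_REPOX_BUILDS_REGISTRY}/${DOCKER_IMAGE}:${BUILD_NUMBER}"
          echo "docker-image=${DOCKER_IMAGE_BUILD_NUMBER}" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

      # arm64-only image; the tag comes from the previous step's output.
      - name: Build and push Docker image
        shell: bash
        env:
          DOCKER_IMAGE_BUILD_NUMBER: ${{ steps.docker-image-setup.outputs.docker-image }}
        run: |
          docker buildx build --platform linux/arm64 --tag "${DOCKER_IMAGE_BUILD_NUMBER}" --push .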