This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
This is a collection of reusable GitHub Actions for automating SonarSource analyzer releases. Actions handle Jira integration (tickets, versions, release notes), GitHub releases, cross-repository updates, and Slack notifications.
Related Jira tickets for this project are tracked in the GHA (GitHub Automation) project. When available, use the Jira MCP to access ticket details (e.g., GHA-123).
Critical: Changes must always be made on a feature branch, never directly on master. Before any commit, verify you are not on master.
- If on master, create a new branch using the format: <username-prefix>/<feature-name> (e.g., ab/add-slack-notifications)
- Ask for the prefix to use from the team if unsure (e.g., ab/ for Antoine B., js/ for Jean S., etc.)
- Adapt <feature-name> based on the task/prompt (use lowercase, hyphen-separated)
- If already on a feature branch, do not create a new branch; continue working on the current branch
Important: When making any code changes, check if the related README or documentation needs to be updated. Each action has its own README.md, and workflow documentation is in docs/. Keep documentation in sync with code changes.
When creating a new action:
- Add a README.md to the action's directory documenting inputs, outputs, and usage
- Update the main README.md at the repository root to link to the new action
Important: When making any code changes, always check if there are related tests that need to be updated. Always run the tests after making changes to ensure nothing is broken.
Tests run automatically via GitHub Actions. To trigger manually:
- Push to master runs .github/workflows/test-all.yml
- PRs and pushes to branch-* run action-specific test workflows
cd <action-name>
pip install -r requirements.txt
pip install pytest pytest-cov
python -m pytest test_*.py -v --cov=<module_name> --cov-report=term-missing
Example for lock-branch:
cd lock-branch
pip install -r requirements.txt
pip install pytest pytest-cov
python -m pytest test_lock_branch.py test_notify_slack.py test_utils.py -v
cd <action-name>
python -m pytest test_<module>.py::TestClassName::test_method_name -v
- Python-based (Jira integration): create-jira-release-ticket/, create-jira-version/, release-jira-version/, get-jira-release-notes/, create-integration-ticket/, update-release-ticket-status/, lock-branch/
- Bash-based (GitHub/version operations): get-release-version/, get-jira-version/, publish-github-release/, check-releasability-status/, update-analyzer/, update-rule-metadata/, notify-slack/
Each action follows this pattern:
action-name/
├── action.yml # Composite action definition
├── README.md # Documentation
├── requirements.txt # Python deps (if applicable)
├── <script>.py # Implementation
└── test_<script>.py # pytest unit tests
- All actions use using: "composite" (not JavaScript/Docker)
- Credentials from SonarSource/vault-action-wrapper@v3
- Python actions use Python 3.10
- Error output via stderr (eprint()), values via stdout to $GITHUB_OUTPUT
- Input precedence: explicit input > environment variable > default
customfield_10146 # SHORT_DESCRIPTION
customfield_10145 # LINK_TO_RELEASE_NOTES
customfield_10147 # DOCUMENTATION_STATUS
customfield_11263 # RULE_PROPS_CHANGED
customfield_11264 # SONARLINT_CHANGELOG
- Release version: X.Y.Z.buildNumber (e.g., 11.44.2.12345)
- Jira version: X.Y or X.Y.Z (trailing .0 removed)
When modifying action.yml files, never interpolate user-controlled inputs directly in run: blocks. Pass them through environment variables:
# Bad - script injection risk
run: echo "${{ inputs.branch }}"
# Good - use env vars
env:
  INPUT_BRANCH: ${{ inputs.branch }}
run: echo "$INPUT_BRANCH"
Important: All GitHub Actions from outside the SonarSource organization must be pinned to a full commit SHA (not a tag). Add a comment with the version number for readability.
# Bad - using tag
- uses: actions/checkout@v4
# Good - pinned to commit SHA with version comment
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
This prevents tag mutation attacks where a malicious actor could change what code a tag points to.
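An added example (not code from this repository): a Python audit that flags both patterns described above in an action.yml or workflow file, that is, user-controlled expressions inside run: blocks and third-party uses: references not pinned to a full commit SHA. The audit function, the constructed SAMPLE, and the extra github.event/github.head_ref contexts are assumptions made here; the scan is line-based and does not parse YAML.

```python
import re

TRUSTED_ORG = "sonarsource"  # per the rule above, this org's own actions may use tags
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
# Contexts a caller or contributor controls; github.event/head_ref are added here.
EXPR_RE = re.compile(r"\$\{\{[^}]*\b(?:inputs|github\.event|github\.head_ref)\b[^}]*\}\}")
SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit(text):
    """Return (line, rule, detail) findings for one action.yml or workflow file."""
    findings, run_col = [], None  # run_col: column of the run: key while inside its block
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent: the run: scalar has ended
        run = RUN_RE.match(line)
        if run:
            run_col = len(run.group(1))
        if run_col is not None:
            # Expressions are expanded before the shell starts, even inside comments.
            findings += [(no, "script-injection", e.group(0)) for e in EXPR_RE.finditer(line)]
            continue
        uses = USES_RE.match(line)
        if uses:
            ref = uses.group(1).strip("'\"")
            owner, version = ref.split("/")[0], ref.partition("@")[2]
            local = ref.startswith(("./", "docker://"))  # not a remote action reference
            if not local and owner.lower() != TRUSTED_ORG and not SHA_RE.fullmatch(version):
                findings.append((no, "unpinned-action", ref))
    return findings

# Constructed sample steps, built from the Bad/Good snippets above.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  - uses: SonarSource/vault-action-wrapper@v3
  - shell: bash
    run: echo "${{ inputs.branch }}"
  - shell: bash
    env:
      INPUT_BRANCH: ${{ inputs.branch }}
    run: |
      echo "$INPUT_BRANCH"
      git checkout "${{ inputs.branch }}"
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The env: mapping on sample line 9 is not reported because the expression there is assigned to a variable rather than spliced into the script text.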