GHA-114 Add cloud security workflow (#47)

yasen-pavlov-sonarsource · web-flow · commit 0e7ebec0ff70 · 2025-09-10T14:15:11.000+02:00
diff --git a/.github/workflows/cloud-security-automated-release.yml b/.github/workflows/cloud-security-automated-release.yml
diff --git a/.github/workflows/test-create-integration-ticket.yml b/.github/workflows/test-create-integration-ticket.yml
@@ -38,3 +38,53 @@ jobs:
         run: |
           cd create-integration-ticket
           python -m pytest test_create_integration_ticket.py -v --cov=create_integration_ticket --cov-report=term-missing
+
+  integration-tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Test with basic inputs
+        id: test-basic
+        uses: ./create-integration-ticket
+        with:
+          target-jira-project: 'TESTPROJ'
+          release-ticket-key: 'TEST-123'
+          ticket-summary: 'Test integration ticket'
+          use-jira-sandbox: 'true'
+        continue-on-error: true
+
+      - name: Test with description and Jira release URL
+        id: test-with-url
+        uses: ./create-integration-ticket
+        with:
+          target-jira-project: 'TESTPROJ'
+          release-ticket-key: 'TEST-123'
+          plugin-name: 'TestPlugin'
+          release-version: '1.0.0'
+          ticket-description: 'This is a test ticket with description'
+          jira-release-url: 'https://test.atlassian.net/projects/TEST/versions/123/tab/release-report-all-issues'
+          use-jira-sandbox: 'true'
+        continue-on-error: true
+
+      - name: Test with only Jira release URL (no description)
+        id: test-url-only
+        uses: ./create-integration-ticket
+        with:
+          target-jira-project: 'TESTPROJ'
+          release-ticket-key: 'TEST-123'
+          ticket-summary: 'Test ticket with URL only'
+          jira-release-url: 'https://test.atlassian.net/projects/TEST/versions/123/tab/release-report-all-issues'
+          use-jira-sandbox: 'true'
+        continue-on-error: true
+
+      - name: Verify integration tests
+        run: |
+          echo "Integration tests completed:"
+          echo "- Basic test: Expected to fail due to missing credentials (normal in CI)"
+          echo "- Test with description + URL: Should format description with URL appended"
+          echo "- Test with URL only: Should format description as just the URL"
+          echo "All tests use continue-on-error since Jira credentials are not available in CI"
diff --git a/.github/workflows/test-create-jira-version.yml b/.github/workflows/test-create-jira-version.yml
@@ -38,3 +38,55 @@ jobs:
         run: |
           cd create-jira-version
           python -m pytest test_create_jira_version.py -v --cov=create_jira_version --cov-report=term-missing
+
+  integration-tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Test with explicit new version name
+        id: test-explicit
+        uses: ./create-jira-version
+        with:
+          jira-project-key: 'TESTPROJ'
+          jira-new-version-name: '1.2.3'
+          use-jira-sandbox: 'true'
+        continue-on-error: true
+
+      - name: Verify explicit version test outputs
+        run: |
+          echo "Test with explicit new version name:"
+          echo "Expected to fail due to missing credentials (which is expected in CI)"
+          echo "Action should have determined new-version-name as: 1.2.3"
+
+      - name: Test with current version (auto-increment)
+        id: test-auto
+        uses: ./create-jira-version
+        with:
+          jira-project-key: 'TESTPROJ'
+          jira-version-name: '1.2.2'
+          use-jira-sandbox: 'true'
+        continue-on-error: true
+
+      - name: Verify auto-increment test outputs
+        run: |
+          echo "Test with current version (should auto-increment):"
+          echo "Expected to fail due to missing credentials (which is expected in CI)"
+          echo "Action should have determined new-version-name as: 1.2.3"
+
+      - name: Test with environment variables
+        uses: ./create-jira-version
+        env:
+          JIRA_PROJECT_KEY: 'TESTPROJ'
+          JIRA_VERSION_NAME: '2.0.1'
+          USE_JIRA_SANDBOX: 'true'
+        continue-on-error: true
+
+      - name: Verify environment variables test
+        run: |
+          echo "Test with environment variables:"
+          echo "Expected to fail due to missing credentials (which is expected in CI)"
+          echo "Action should have determined new-version-name as: 2.0.2"
diff --git a/create-integration-ticket/README.md b/create-integration-ticket/README.md
@@ -30,6 +30,7 @@ This action requires:
 | `release-version`     | The release version (used to generate ticket summary if ticket-summary is not provided). If not set version will be retreived from build. | No       | -            |
 | `use-jira-sandbox`    | Use the sandbox Jira server instead of production. Can also be controlled via `USE_JIRA_SANDBOX` environment variable                     | No       | -            |
 | `link-type`           | The type of link to create (e.g., "relates to", "depends on")                                                                             | No       | `relates to` |
+| `jira-release-url`    | Jira release URL to append to ticket description                                                                                          | No       | -            |
 
 **Note:** Either `ticket-summary` must be provided, or both `plugin-name` and `release-version` must be provided. If `ticket-summary` is not provided, it will be automatically generated as "Update {plugin-name} to {release-version}".
 
@@ -79,6 +80,20 @@ This action requires:
     target-jira-project: "SQS"
 ```
 
+### Example 4: Using with Jira release URL
+```yaml
+- name: Create Integration Ticket
+  id: create-ticket
+  uses: ./create-integration-ticket
+  with:
+    plugin-name: "SonarPython"
+    release-version: "5.8.0.24785"
+    ticket-description: "This release includes bug fixes and performance improvements."
+    jira-release-url: "https://sonarsource.atlassian.net/projects/SONARPY/versions/22345/tab/release-report-all-issues"
+    release-ticket-key: "REL-456"
+    target-jira-project: "SQS"
+```
+
 ### Using outputs
 ```yaml
 - name: Use ticket outputs
diff --git a/create-integration-ticket/action.yml b/create-integration-ticket/action.yml
@@ -22,6 +22,9 @@ inputs:
   link-type:
     description: 'The type of link to create (e.g., "relates to", "depends on")'
     default: 'relates to'
+  jira-release-url:
+    description: 'Jira release URL to append to ticket description'
+    required: false
 
 outputs:
   ticket-key:
@@ -53,7 +56,7 @@ runs:
         python -m pip install --upgrade pip
         pip install -r ${{ github.action_path }}/requirements.txt
 
-    - uses: ./get-release-version
+    - uses: SonarSource/release-github-actions/get-release-version@f450c1d5ec393371788f0ad9c889a82358da2b5e
       if: ${{ !inputs.ticket-summary && !inputs.release-version && !env.RELEASE_VERSION }}
 
     - name: Validate inputs and generate ticket summary
@@ -80,7 +83,10 @@ runs:
         JIRA_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
         JIRA_PROD_URL: "https://sonarsource.atlassian.net/"
         JIRA_SANDBOX_URL: "https://sonarsource-sandbox-608.atlassian.net/"
-        TICKET_DESCRIPTION: ${{ inputs.ticket-description }}
+        TICKET_DESCRIPTION: |
+          ${{ inputs.ticket-description }}${{ inputs.jira-release-url && inputs.ticket-description && '
+
+          ' || '' }}${{ inputs.jira-release-url || '' }}
       run: |
         python ${{ github.action_path }}/create_integration_ticket.py \
           --ticket-summary "${{ steps.validate_inputs.outputs.ticket_summary }}" \
diff --git a/create-integration-ticket/create_integration_ticket.py b/create-integration-ticket/create_integration_ticket.py
@@ -9,6 +9,7 @@
 import argparse
 import os
 import sys
+import time
 from jira import JIRA
 from jira.exceptions import JIRAError
 
@@ -120,6 +121,8 @@ def create_integration_ticket(jira_client, args):
         
         # Update description if provided (as a separate operation)
         if args.ticket_description:
+            eprint("Waiting 3 seconds before setting description...")
+            time.sleep(3)
             eprint("Setting description on ticket...")
             try:
                 new_ticket.update(fields={'description': args.ticket_description})
diff --git a/create-jira-version/README.md b/create-jira-version/README.md
@@ -19,37 +19,38 @@ This action depends on:
 
 ## Inputs
 
-| Input               | Description                                                                                                               | Required | Default         |
-|---------------------|---------------------------------------------------------------------------------------------------------------------------|----------|-----------------|
-| `jira-project-key`  | The key of the Jira project (e.g., SONARIAC). Can also be set via `JIRA_PROJECT_KEY` environment variable                 | No*      | -               |
-| `jira-version-name` | The name of the Jira version to create (e.g., 1.2.3). Can also be set via `JIRA_VERSION_NAME` environment variable        | No       | Auto-determined |
-| `use-jira-sandbox`  | Use the sandbox server instead of the production Jira. Can also be controlled via `USE_JIRA_SANDBOX` environment variable | No       | -               |
+| Input                   | Description                                                                                                                                                                       | Required | Default         |
+|-------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------------|
+| `jira-project-key`      | The key of the Jira project (e.g., SONARIAC). Can also be set via `JIRA_PROJECT_KEY` environment variable                                                                         | No*      | -               |
+| `jira-version-name`     | The name of the current Jira version. Used to determine the next version if `jira-new-version-name` is not provided. Can also be set via `JIRA_VERSION_NAME` environment variable | No       | Auto-determined |
+| `jira-new-version-name` | The name of the new Jira version to create (e.g., 1.2.3). If not provided, the next version will be automatically determined by incrementing the current version                  | No       | Auto-determined |
+| `use-jira-sandbox`      | Use the sandbox server instead of the production Jira. Can also be controlled via `USE_JIRA_SANDBOX` environment variable                                                         | No       | -               |
 
 *Either the input or corresponding environment variable must be provided for jira-project-key.
 
 ## Outputs
 
-| Output              | Description                          |
-|---------------------|--------------------------------------|
-| `jira-version-id`   | The ID of the created Jira version   |
-| `jira-version-name` | The name of the created Jira version |
+| Output                  | Description                          |
+|-------------------------|--------------------------------------|
+| `jira-new-version-id`   | The ID of the created Jira version   |
+| `jira-new-version-name` | The name of the created Jira version |
 
 ## Usage
 
-### Basic usage with explicit version name
+### Basic usage with explicit new version name
 
 ```yaml
 - name: Create Jira Version
   id: create-version
   uses: SonarSource/release-github-actions/create-jira-version@master
   with:
     jira-project-key: 'SONARIAC'
-    jira-version-name: '1.2.3'
+    jira-new-version-name: '1.2.3'
 
 - name: Use created version
   run: |
-    echo "Created version ID: ${{ steps.create-version.outputs.jira-version-id }}"
-    echo "Created version name: ${{ steps.create-version.outputs.jira-version-name }}"
+    echo "Created version ID: ${{ steps.create-version.outputs.jira-new-version-id }}"
+    echo "Created version name: ${{ steps.create-version.outputs.jira-new-version-name }}"
 ```
 
 ### Auto-determine next version number
@@ -60,22 +61,21 @@ This action depends on:
   uses: SonarSource/release-github-actions/create-jira-version@master
   with:
     jira-project-key: 'SONARIAC'
-    # jira-version-name is omitted - will auto-increment from latest version
+    # jira-new-version-name is omitted - will auto-increment from current version
 
 - name: Use created version
   run: |
-    echo "Created version: ${{ steps.create-version.outputs.jira-version-name }}"
+    echo "Created version: ${{ steps.create-version.outputs.jira-new-version-name }}"
 ```
 
-### Using environment variables
+### Using environment variables and current version
 
 ```yaml
 - name: Create Jira Version
   uses: SonarSource/release-github-actions/create-jira-version@master
   env:
     JIRA_PROJECT_KEY: 'SONARIAC'
-  with:
-    jira-version: '1.2.3'
+    JIRA_VERSION_NAME: '1.2.2'  # Current version, will create 1.2.3
 ```
 
 ### Using sandbox environment
@@ -85,7 +85,7 @@ This action depends on:
   uses: SonarSource/release-github-actions/create-jira-version@master
   with:
     jira-project-key: 'TESTPROJECT'
-    jira-version-name: '1.0.0-beta'
+    jira-new-version-name: '1.0.0-beta'
     use-jira-sandbox: 'true'
 ```
 
@@ -111,7 +111,7 @@ The action uses a Python script that:
 
 - This action requires access to SonarSource's HashiCorp Vault for Jira credentials
 - Either `jira-project-key` input or `JIRA_PROJECT_KEY` environment variable must be provided
-- When `jira-version-name` is not provided, the action automatically determines the next version by incrementing the latest existing version
+- When `jira-new-version-name` is not provided, the action automatically determines the next version by incrementing the current version (from `jira-version-name` input/env or latest existing version)
 - Input parameters take precedence over environment variables when both are provided
 - The action supports both production and sandbox Jira environments
 - Version names should follow semantic versioning patterns for best results
diff --git a/create-jira-version/action.yml b/create-jira-version/action.yml
@@ -7,17 +7,20 @@ inputs:
         description: 'The key of the Jira project (e.g., SONARIAC). Required if JIRA_PROJECT_KEY env var is not set.'
         required: false
     jira-version-name:
-        description: 'The name of the Jira version to create (e.g., 1.2.3). Can also be set via JIRA_VERSION_NAME environment variable.'
+      description: 'The name of the current Jira version. Can also be set via JIRA_VERSION_NAME environment variable. Used to determine the next version if jira-new-version-name is not provided.'
+      required: false
+    jira-new-version-name:
+        description: 'The name of the new Jira version to create (e.g., 1.2.3). If not provided, the next version will be automatically determined by incrementing the current version.'
         required: false
     use-jira-sandbox:
         description: "Use the sandbox server instead of the production Jira. Can also be controlled via USE_JIRA_SANDBOX environment variable."
         required: false
 
 outputs:
-    jira-version-id:
+    jira-new-version-id:
         description: 'The ID of the created Jira version.'
         value: ${{ steps.run_python_script.outputs.new_version_id }}
-    jira-version-name:
+    jira-new-version-name:
         description: 'The name of the created Jira version.'
         value: ${{ steps.run_python_script.outputs.new_version_name }}
 
@@ -43,14 +46,30 @@ runs:
 
     - uses: SonarSource/release-github-actions/get-jira-version@f450c1d5ec393371788f0ad9c889a82358da2b5e
       id: get-jira-version
-      if: ${{ !inputs.jira-version-name && !env.JIRA_VERSION_NAME }}
+      if: ${{ !inputs.jira-version-name && !env.JIRA_VERSION_NAME && !inputs.jira-new-version-name }}
+
+    - name: Determine Current Version
+      id: determine-current-version
+      if: ${{ !inputs.jira-new-version-name }}
+      shell: bash
+      run: |
+        if [[ -n "${{ inputs.jira-version-name || env.JIRA_VERSION_NAME }}" ]]; then
+          CURRENT_VERSION="${{ inputs.jira-version-name || env.JIRA_VERSION_NAME }}"
+        else
+          CURRENT_VERSION="${{ steps.get-jira-version.outputs.jira-version-name }}"
+        fi
+        echo "current-version-name=$CURRENT_VERSION" >> $GITHUB_OUTPUT
 
     - name: Determine New Jira Version
-      id: determine-version-name
-      if: ${{ !inputs.jira-version-name && !env.JIRA_VERSION_NAME }}
+      id: determine-new-version-name
       shell: bash
       run: |
-        echo "VERSION_NAME=$(echo "${{ steps.get-jira-version.outputs.jira-version-name }}" | awk -F. '{$NF+=1; OFS="."; print $0}')" >> $GITHUB_OUTPUT
+        if [[ -n "${{ inputs.jira-new-version-name }}" ]]; then
+          NEW_VERSION="${{ inputs.jira-new-version-name }}"
+        else
+          NEW_VERSION=$(echo "${{ steps.determine-current-version.outputs.current-version-name }}" | awk -F. '{$NF+=1; print}' OFS='.')
+        fi
+        echo "new-version-name=$NEW_VERSION" >> $GITHUB_OUTPUT
 
     - name: Create Jira Version
       id: run_python_script
@@ -70,6 +89,6 @@ runs:
 
         python ${{ github.action_path }}/create_jira_version.py \
           --project-key="$PROJECT_KEY" \
-          --version-name="${{ inputs.jira-version-name || env.JIRA_VERSION_NAME }}" \
-          --jira-url="${{ ((inputs.use-jira-sandbox || env.USE_JIRA_SANDBOX) == 'true') && env.JIRA_SANDBOX_URL || env.JIRA_PROD_URL }}" 
+          --version-name="${{ steps.determine-new-version-name.outputs.new-version-name }}" \
+          --jira-url="${{ ((inputs.use-jira-sandbox || env.USE_JIRA_SANDBOX) == 'true') && env.JIRA_SANDBOX_URL || env.JIRA_PROD_URL }}" \
           >> $GITHUB_OUTPUT
diff --git a/get-jira-release-notes/README.md b/get-jira-release-notes/README.md
@@ -39,11 +39,11 @@ This action depends on:
 
 ## Environment Variables Set
 
-| Environment Variable   | Description                                                                              |
-|------------------------|------------------------------------------------------------------------------------------|
-| `RELEASE_NOTES`        | The formatted release notes as Markdown (same content as `release-notes` output)        |
-| `JIRA_RELEASE_NOTES`   | The formatted release notes in Jira wiki markup (same content as `jira-release-notes` output) |
-| `JIRA_RELEASE_URL`     | The URL to the Jira release notes page (same content as `jira-release-url` output)      |
+| Environment Variable | Description                                                                                   |
+|----------------------|-----------------------------------------------------------------------------------------------|
+| `RELEASE_NOTES`      | The formatted release notes as Markdown (same content as `release-notes` output)              |
+| `JIRA_RELEASE_NOTES` | The formatted release notes in Jira wiki markup (same content as `jira-release-notes` output) |
+| `JIRA_RELEASE_URL`   | The URL to the Jira release notes page (same content as `jira-release-url` output)            |
 
 ## Usage
 
diff --git a/publish-github-release/action.yml b/publish-github-release/action.yml
@@ -84,8 +84,8 @@ runs:
             if [[ "$EXISTING_DRAFT" == "true" ]]; then
             # If draft=false and existing release is a draft, publish it
               echo "Found existing draft release with title '$EXPECTED_TITLE'. Publishing it instead of creating a new one."
-              gh release edit "$EXISTING_TAG" --draft=false
-              echo "release-url=${EXISTING_URL}" >> $GITHUB_OUTPUT
+              UPDATED_URL=$(gh release edit "$EXISTING_TAG" --draft=false)
+              echo "release-url=${UPDATED_URL}" >> $GITHUB_OUTPUT
               echo "release-id=${EXISTING_ID}" >> $GITHUB_OUTPUT
               exit 0
             else
