JAVASE-160 Prepare sign key rotation release 8.16.3

.cirrus.yml

@@ -1,136 +0,0 @@
-env:
-  CIRRUS_CLONE_DEPTH: 20
-  ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
-  ARTIFACTORY_PRIVATE_USERNAME: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader username]
-  ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
-  ARTIFACTORY_DEPLOY_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer
-  ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
-  #Possible values for ARTIFACTORY_DEPLOY_REPO: sonarsource-private-qa, sonarsource-public-qa
-  ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
-  ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
-  # Use bash (instead of sh on linux or cmd.exe on windows)
-  CIRRUS_SHELL: bash
-
-container_definition: &CONTAINER_DEFINITION
-  image: "${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j23-latest"
-  cluster_name: ${CIRRUS_CLUSTER_NAME}
-  region: eu-central-1
-  namespace: default
-
-orchestrator_cache_preparation_definition: &ORCHESTRATOR_CACHE_PREPARATION_DEFINITION
-  set_orchestrator_home_script: |
-    export TODAY=$(date '+%Y-%m-%d')
-    echo "TODAY=${TODAY}" >> $CIRRUS_ENV
-    echo "ORCHESTRATOR_HOME=${CIRRUS_WORKING_DIR}/orchestrator/${TODAY}" >> $CIRRUS_ENV
-  mkdir_orchestrator_home_script: |
-    echo "Create dir ${ORCHESTRATOR_HOME} if needed"
-    mkdir -p ${ORCHESTRATOR_HOME}
-
-orchestrator_cache_elements_definition: &ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
-  folder: ${ORCHESTRATOR_HOME}
-  fingerprint_script: echo ${TODAY}
-  reupload_on_changes: "true"
-
-only_sonarsource_qa: &ONLY_SONARSOURCE_QA
-  only_if: ${CIRRUS_USER_COLLABORATOR} == 'true' && ${CIRRUS_TAG} == "" && (${CIRRUS_PR} != "" || ${CIRRUS_BRANCH} == "master" || ${CIRRUS_BRANCH} =~ "branch-.*" || ${CIRRUS_BRANCH} =~ "dogfood-on-.*")
-
-build_task:
-  eks_container:
-    <<: *CONTAINER_DEFINITION
-    cpu: 4
-    memory: 4G
-  env:
-    # analysis on next
-    SONAR_TOKEN: VAULT[development/kv/data/next data.token]
-    SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
-    #allow deployment of pull request artifacts to repox
-    DEPLOY_PULL_REQUEST: true
-    # signing artifacts
-    SIGN_KEY: VAULT[development/kv/data/sign data.key]
-    PGP_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
-  maven_cache:
-    folder: ${CIRRUS_WORKING_DIR}/.m2/repository
-  build_script:
-    - source cirrus-env BUILD
-    - regular_mvn_build_deploy_analyze
-  cleanup_before_cache_script: cleanup_maven_repository
-
-ws_scan_task:
-  <<: *ONLY_SONARSOURCE_QA
-  eks_container:
-    <<: *CONTAINER_DEFINITION
-    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
-    cpu: 4
-    memory: 4G
-  # run only on master and long-term branches
-  only_if: $CIRRUS_USER_COLLABORATOR == 'true' && ($CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH =~ "mend-.*")
-  env:
-    WS_APIKEY: VAULT[development/kv/data/mend data.apikey]
-  maven_cache:
-    folder: ${CIRRUS_WORKING_DIR}/.m2/repository
-  whitesource_script:
-    - source cirrus-env QA
-    - source set_maven_build_version $BUILD_NUMBER
-    - mvn clean install --batch-mode -Dmaven.test.skip=true -pl '!java-symbolic-execution/java-symbolic-execution-checks-test-sources'
-    - source ws_scan.sh
-  allow_failures: "true"
-  always:
-    ws_artifacts:
-      path: "whitesource/**/*"
-
-ruling_task:
-  depends_on:
-    - build
-  <<: *ONLY_SONARSOURCE_QA
-  eks_container:
-    <<: *CONTAINER_DEFINITION
-    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
-    cpu: 14
-    memory: 8G
-  maven_cache:
-    folder: ${CIRRUS_WORKING_DIR}/.m2/repository
-  <<: *ORCHESTRATOR_CACHE_PREPARATION_DEFINITION
-  orchestrator_LATEST_RELEASE_cache:
-    <<: *ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
-  submodules_script:
-    - git submodule update --init --recursive
-  env:
-    MAVEN_OPTS: "-Xmx3g"
-    GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
-    matrix:
-      # Supported values for JAVA_PLUGIN_VERSION:
-      # LATEST_RELEASE, LATEST_MASTER, LATEST_DOGFOOD, POM_PROPERTY or a fixed version like 8.15.0.39249
-      - PROFILE: without-sonarqube-project
-        JAVA_PLUGIN_VERSION: LATEST_MASTER
-      - PROFILE: without-sonarqube-project
-        JAVA_PLUGIN_VERSION: POM_PROPERTY
-      - PROFILE: only-sonarqube-project
-        JAVA_PLUGIN_VERSION: LATEST_MASTER
-  ruling_script:
-    - source cirrus-env QA
-    - source set_maven_build_version $BUILD_NUMBER
-    - export SONAR_JAVA_VERSION="$(.cirrus/resolve-sonar-java-plugin-version.sh "${JAVA_PLUGIN_VERSION}")"
-    - echo "Using SONAR_JAVA_VERSION=${SONAR_JAVA_VERSION}"
-    - cd its/ruling
-    - mvn package --batch-mode "-Pit-ruling,$PROFILE" -Dsonar.java.version="$SONAR_JAVA_VERSION" -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=methods -DuseUnlimitedThreads=true
-  cleanup_before_cache_script: cleanup_maven_repository
-  on_failure:
-    actual_artifacts:
-      path: "${CIRRUS_WORKING_DIR}/its/ruling/target/actual/**/*"
-
-promote_task:
-  depends_on:
-    - build
-    - ws_scan
-    - ruling
-  <<: *ONLY_SONARSOURCE_QA
-  eks_container:
-    <<: *CONTAINER_DEFINITION
-    cpu: 2
-    memory: 1G
-  env:
-    ARTIFACTORY_PROMOTE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promoter access_token]
-  maven_cache:
-    folder: ${CIRRUS_WORKING_DIR}/.m2/repository
-  main_script:  cirrus_promote_maven
-  cleanup_before_cache_script:  cleanup_maven_repository

.github/workflows/PrepareNextIteration.yml

@@ -10,7 +10,7 @@ on:
 jobs:
   Next-Iteration-Job:
     name: Next Iteration Job
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       pull-requests: write
       contents: write
@@ -23,11 +23,12 @@ jobs:
       - name: Update Version Number
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NEXT_VERSION: ${{ inputs.nextVersion }}
         run: |
           git config user.name "${GITHUB_ACTOR}"
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
           git checkout -b gh-action/next-iteration
-          mvn versions:set --batch-mode -DgenerateBackupPoms=false -DnewVersion="${{ inputs.nextVersion }}"
+          mvn versions:set --batch-mode -DgenerateBackupPoms=false -DnewVersion="${NEXT_VERSION}"
           git commit -m 'Prepare next development iteration' -a
           git push --set-upstream origin gh-action/next-iteration
           gh pr create -B master --title 'Prepare next development iteration' --body ''

.github/workflows/PullRequestClosed.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   PullRequestMerged_job:
     name: Pull Request Merged
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
       pull-requests: read

.github/workflows/PullRequestCreated.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   PullRequestCreated_job:
     name: Pull Request Created
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
     # For external PR, ticket should be created manually

.github/workflows/RequestReview.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   RequestReview_job:
     name: Request review
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
     # For external PR, ticket should be moved manually

.github/workflows/SubmitReview.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   SubmitReview_job:
     name: Submit Review
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
       pull-requests: read

.github/workflows/ToggleLockBranch.yml

@@ -6,7 +6,7 @@ on:
 jobs:
   ToggleLockBranch_job:
     name: Toggle lock branch
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
     steps:

.github/workflows/UpdateRuleMetadata.yml

@@ -8,7 +8,7 @@ env:
 jobs:
   UpdateRuleMetadata_job:
     name: Update Rule Metadata
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       pull-requests: write
       contents: write

.github/workflows/build.yml

@@ -0,0 +1,118 @@
+name: Build
+on:
+  push:
+    branches:
+      - master
+      - branch-*
+      - dogfood-*
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 1 * * *" # Run daily at 1:30 AM UTC
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    outputs:
+      build-number: ${{ steps.build-step.outputs.BUILD_NUMBER }}
+      deployed: ${{ steps.build-step.outputs.deployed }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0
+        with:
+          version: 2025.7.12
+      - uses: SonarSource/ci-github-actions/build-maven@v1
+        id: build-step
+        with:
+          deploy-pull-request: true
+          artifactory-reader-role: private-reader    # Override default public-reader
+          artifactory-deployer-role: qa-deployer     # Override default public-deployer
+
+  qa:
+    needs: [build]
+    if: ${{ needs.build.outputs.deployed }}
+    runs-on: github-ubuntu-latest-l
+    permissions:
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        item:
+          - { name: "with Lastest SonarJava Plugin", profile: "without-sonarqube-project", java_plugin_version: "LATEST_MASTER" }
+          - { name: "for SonarQube Project Only", profile: "only-sonarqube-project", java_plugin_version: "LATEST_MASTER" }
+          - { name: "with Prod SonarJava Plugin", profile: "without-sonarqube-project", java_plugin_version: "POM_PROPERTY" }
+    name: "QA Tests ${{ matrix.item.name }}"
+    env:
+      BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          submodules: recursive
+      - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0
+        with:
+          working-directory: its/ruling
+          version: 2025.7.12
+      - name: Get GitHub Token for QA Licenses
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/github/token/licenses-ro token | GITHUB_TOKEN;
+      - name: Configure Maven
+        id: configure-maven
+        uses: SonarSource/ci-github-actions/config-maven@v1
+        with:
+          artifactory-reader-role: private-reader    # Override default public-reader
+      - name: Get Sonar Java plugin version
+        id: resolve-sonar-java-plugin-version
+        run: |
+          VERSION=$(.github/scripts/resolve-sonar-java-plugin-version.sh "${{ matrix.item.java_plugin_version }}")
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+      - name: Run QA Tests
+        working-directory: its/ruling
+        env:
+          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
+          MAVEN_OPTS: "-Xmx3g"
+          SONAR_JAVA_VERSION: ${{ steps.resolve-sonar-java-plugin-version.outputs.version }}
+        run: |
+          mvn package --batch-mode \
+            "-Pit-ruling,${{ matrix.item.profile }}" \
+            "-Dsonar.java.version=${SONAR_JAVA_VERSION}" \
+            "-Dorchestrator.artifactory.accessToken=${ARTIFACTORY_ACCESS_TOKEN}" \
+            "-Dsonar.runtimeVersion=LATEST_RELEASE" \
+            "-Dmaven.test.redirectTestOutputToFile=false" \
+            "-DbuildNumber=${BUILD_NUMBER}" \
+            -B -e -V \
+            "-Dparallel=methods" \
+            "-DuseUnlimitedThreads=true"
+      - name: Upload ruling artifacts on failure
+        if: failure()
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.5.0
+        with:
+          name: ruling-actual-${{ matrix.item.profile }}-${{ matrix.item.java_plugin_version }}
+          path: its/ruling/target/actual/**/*
+
+  promote:
+    name: Promote
+    if: ${{ needs.build.outputs.deployed }}
+    needs:
+      - build
+      - qa
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+    env:
+      BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
+    steps:
+      - name: Promote artifacts
+        uses: SonarSource/ci-github-actions/promote@v1

.github/workflows/dogfood.yml

@@ -12,7 +12,7 @@ on:
 
 jobs:
   dogfood_merge:
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     name: Update dogfood branch
     permissions:
       id-token: write # required for SonarSource/vault-action-wrapper

.github/workflows/mark-prs-stale.yml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   stale:
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       issues: write
       pull-requests: write

.github/workflows/pr-cleanup.yml

@@ -0,0 +1,13 @@
+name: Cleanup PR Resources
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  cleanup:
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      actions: write
+    steps:
+      - uses: SonarSource/ci-github-actions/pr_cleanup@v1

.github/workflows/releasability.yaml

@@ -11,7 +11,7 @@ on:
 jobs:
   releasability-job:
     name: Releasability check
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write      # required by SonarSource/vault-action-wrapper
       contents: read       # required by checkout
@@ -44,7 +44,7 @@ jobs:
             echo "LATEST_VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
           fi
 
-      - uses: SonarSource/gh-action_releasability@v2
+      - uses: SonarSource/gh-action_releasability@v3
         id: releasability
         with:
           branch: ${{ github.ref_name }}

.github/workflows/release.yml

@@ -12,7 +12,7 @@ jobs:
     permissions:
       id-token: write
       contents: write
-    uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v5
+    uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v6
     with:
       publishToBinaries: true
       mavenCentralSync: true