SONARJAVA-5850 Migrate Windows Build from Cirrus to GitHub action (#5346)

Author: tomasz-tylenda-sonarsource

.cirrus.yml

@@ -51,8 +51,7 @@ log_develocity_url_script: &log_develocity_url_script |
 
 common_build_definition: &COMMON_BUILD_DEFINITION
   eks_container:
-    <<: *CONTAINER_DEFINITION
-    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j23-latest
+    <<: *CONTAINER_WITH_DOCKER_DEFINITION
     cpu: 4
     memory: 4G
   env:
@@ -63,6 +62,7 @@ common_build_definition: &COMMON_BUILD_DEFINITION
     SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
     #allow deployment of pull request artifacts to repox
     DEPLOY_PULL_REQUEST: true
+    JAVA_HOME: /opt/java/openjdk-latest
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
 
@@ -86,7 +86,33 @@ build_task:
   build_script:
     - *log_develocity_url_script
     - source cirrus-env BUILD
-    - regular_mvn_build_deploy_analyze -Dmaven.test.skip=true -Dsonar.skip=true -pl '!java-checks-test-sources/default,!java-checks-test-sources/aws'
+    - regular_mvn_build_deploy_analyze -Dmaven.test.skip=true -Dsonar.skip=true -pl '!java-checks-test-sources/default,!java-checks-test-sources/aws,!java-checks-test-sources/spring-web-4.0'
+  cleanup_before_cache_script: cleanup_maven_repository
+
+sonar_shadow_scan_and_issue_replication_task:
+  <<: *COMMON_BUILD_DEFINITION
+  depends_on:
+    - build
+  # Only run when triggered by the cirrus-ci cron job named "nightly"
+  only_if: $CIRRUS_CRON == "nightly"
+  env:
+    SONAR_PROJECT_KEY: "org.sonarsource.java:java"
+    SHADOW_ORGANIZATION: "sonarsource"
+    SHADOW_PROJECT_KEY: "SonarSource_sonar-java"
+    # to replicate issue states from next
+    SONAR_TOKEN: VAULT[development/kv/data/next data.token]
+    SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
+    matrix:
+      - name: "sonarcloud.io"
+        SHADOW_SONAR_TOKEN: VAULT[development/kv/data/sonarcloud data.token]
+        SHADOW_SONAR_HOST_URL: "https://sonarcloud.io"
+      - name: "sonarqube.us"
+        SHADOW_SONAR_TOKEN: VAULT[development/kv/data/sonarqube-us data.token]
+        SHADOW_SONAR_HOST_URL: "https://sonarqube.us"
+  build_and_shadow_scan_script:
+    - *log_develocity_url_script
+    - source cirrus-env BUILD
+    - ./shadow-scan-and-issue-replication.sh -Dsonar.analysisCache.enabled=true -Dsonar.sca.exclusions="**/test/files/**, **/test/resources/**, its/plugin/projects/**, java-checks-test-sources/**, its/sources/**,"
   cleanup_before_cache_script: cleanup_maven_repository
 
 # Migrated to GHA.
@@ -96,36 +122,14 @@ test_analyze_task:
     - *log_develocity_url_script
     - source cirrus-env BUILD
     # ignore duplications in the SE engine plugin, as it will be moved away from sonar-java at some point
-    - PULL_REQUEST_SHA=$GIT_SHA1 regular_mvn_build_deploy_analyze -P-deploy-sonarsource,-release,-sign -Dmaven.deploy.skip=true -Dsonar.analysisCache.enabled=true -Dsonar.cpd.exclusions=java-symbolic-execution/**
+    - PULL_REQUEST_SHA=$GIT_SHA1 regular_mvn_build_deploy_analyze -P-deploy-sonarsource,-release,-sign -Dmaven.deploy.skip=true -Dsonar.analysisCache.enabled=true -Dsonar.sca.exclusions="**/test/files/**, **/test/resources/**, its/plugin/projects/**, java-checks-test-sources/**, its/sources/**,"
     - cd docs/java-custom-rules-example
     - mvn clean package -f pom_SQ_10_6_LATEST.xml --batch-mode
     - cd "${CIRRUS_WORKING_DIR}"
     - ./check-license-compliance.sh
   cleanup_before_cache_script: cleanup_maven_repository
 
-ws_scan_task:
-  <<: *ONLY_SONARSOURCE_QA
-  eks_container:
-    <<: *CONTAINER_DEFINITION
-    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
-    cpu: 4
-    memory: 4G
-  # run only on master and long-term branches
-  only_if: $CIRRUS_USER_COLLABORATOR == 'true' && ($CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH =~ "mend-.*")
-  env:
-    WS_APIKEY: VAULT[development/kv/data/mend data.apikey]
-  maven_cache:
-    folder: ${CIRRUS_WORKING_DIR}/.m2/repository
-  whitesource_script:
-    - source cirrus-env QA
-    - source set_maven_build_version $BUILD_NUMBER
-    - mvn clean install --batch-mode -Dmaven.test.skip=true -pl '!java-checks-test-sources,!java-checks-test-sources/default,!java-checks-test-sources/aws,!java-checks-test-sources/spring-3.2'
-    - source ws_scan.sh
-  allow_failures: "true"
-  always:
-    ws_artifacts:
-      path: "whitesource/**/*"
-
+# Migrated to GHA.
 qa_os_win_task:
   ec2_instance:
     image: base-windows-jdk21-v*
@@ -146,13 +150,19 @@ plugin_qa_task:
     - build
   <<: *ONLY_SONARSOURCE_QA
   eks_container:
-    <<: *CONTAINER_DEFINITION
-    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
+    <<: *CONTAINER_WITH_DOCKER_DEFINITION
     cpu: 14
-    memory: 6G
+    memory: 16G
   <<: *ORCHESTRATOR_CACHE_PREPARATION_DEFINITION
-  orchestrator_LATEST_RELEASE_cache:
-    <<: *ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
+  matrix:
+    - env:
+        SQ_VERSION: LATEST_RELEASE
+      orchestrator_LATEST_RELEASE_cache:
+        <<: *ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
+    - env:
+        SQ_VERSION: DEV
+      orchestrator_DEV_cache:
+        <<: *ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
 
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
@@ -163,7 +173,7 @@ plugin_qa_task:
     - source cirrus-env QA
     - source set_maven_build_version $BUILD_NUMBER
     - cd its/plugin
-    - mvn package --batch-mode -Pit-plugin -Dsonar.runtimeVersion=LATEST_RELEASE[2025.1] -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=classes -DuseUnlimitedThreads=true
+    - mvn package --batch-mode -Pit-plugin -Dsonar.runtimeVersion=${SQ_VERSION} -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=classes -DuseUnlimitedThreads=true
   cleanup_before_cache_script: cleanup_maven_repository
 
 # Migrated to GHA.
@@ -172,12 +182,13 @@ sanity_task:
     - build
   <<: *ONLY_SONARSOURCE_QA
   eks_container:
-    <<: *CONTAINER_DEFINITION
-    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j23-latest
+    <<: *CONTAINER_WITH_DOCKER_DEFINITION
     cpu: 4
-    memory: 4G
+    memory: 16G
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
+  env:
+    JAVA_HOME: /opt/java/openjdk-latest
   sanity_script:
     - *log_develocity_url_script
     - source cirrus-env QA
@@ -194,10 +205,9 @@ ruling_task:
     - build
   <<: *ONLY_SONARSOURCE_QA
   eks_container:
-    <<: *CONTAINER_DEFINITION
-    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
+    <<: *CONTAINER_WITH_DOCKER_DEFINITION
     cpu: 14
-    memory: 6G
+    memory: 16G
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
   <<: *ORCHESTRATOR_CACHE_PREPARATION_DEFINITION
@@ -215,7 +225,7 @@ ruling_task:
     - source cirrus-env QA
     - source set_maven_build_version $BUILD_NUMBER
     - cd its/ruling
-    - mvn package --batch-mode "-Pit-ruling,$PROFILE" -Dsonar.runtimeVersion=LATEST_RELEASE[2025.1] -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=methods -DuseUnlimitedThreads=true
+    - mvn package --batch-mode "-Pit-ruling,$PROFILE" -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=methods -DuseUnlimitedThreads=true
   cleanup_before_cache_script: cleanup_maven_repository
   on_failure:
     actual_artifacts:
@@ -246,7 +256,7 @@ ruling_win_task:
     - init_git_submodules its/sources
     - git submodule update --init --recursive
     - cd its/ruling
-    - mvn package --batch-mode "-Pit-ruling,$PROFILE" -Dsonar.runtimeVersion=LATEST_RELEASE[2025.1] -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=methods -DuseUnlimitedThreads=true
+    - mvn package --batch-mode "-Pit-ruling,$PROFILE" -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=methods -DuseUnlimitedThreads=true
   cleanup_before_cache_script: cleanup_maven_repository
 
 # Migrated to GHA.
@@ -257,11 +267,11 @@ autoscan_task:
   eks_container:
     <<: *CONTAINER_WITH_DOCKER_DEFINITION
     # For now, this autoscan_task need to execute two mvn commands:
-    # * The build of java-checks-test-sources module which requires Java 23.
-    # * The tests using Orchestrator and SonarQube that, for now, fail to work using Java 23
-    # This is why we have a local Dockerfile that provide the 2 versions of Java, 17 and 23.
+    # * The build of java-checks-test-sources module which requires Java 24.
+    # * The tests using Orchestrator and SonarQube that, for now, fail to work using Java 24
+    # This is why we have a local Dockerfile that provide the 2 versions of Java, 17 and 24.
     cpu: 14
-    memory: 6G
+    memory: 16G
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
   <<: *ORCHESTRATOR_CACHE_PREPARATION_DEFINITION
@@ -272,9 +282,9 @@ autoscan_task:
     - source cirrus-env QA
     - source set_maven_build_version $BUILD_NUMBER
     - cd java-checks-test-sources
-    - JAVA_HOME="${JAVA_LATEST_HOME}" mvn clean compile test-compile --batch-mode
+    - JAVA_HOME=/opt/java/openjdk-latest mvn clean compile test-compile --batch-mode
     - cd ../its/autoscan
-    - mvn clean package --batch-mode --errors --show-version --activate-profiles it-autoscan -Dsonar.runtimeVersion=LATEST_RELEASE[25.1] -Dmaven.test.redirectTestOutputToFile=false -Dparallel=methods -DuseUnlimitedThreads=true
+    - mvn clean package --batch-mode --errors --show-version --activate-profiles it-autoscan -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -Dparallel=methods -DuseUnlimitedThreads=true
   cleanup_before_cache_script: cleanup_maven_repository
   on_failure:
     actual_artifacts:
@@ -283,18 +293,17 @@ autoscan_task:
 promote_task:
   depends_on:
     - build
+    - sonar_shadow_scan_and_issue_replication
     - test_analyze
     - qa_os_win
     - sanity
     - ruling
     - ruling_win
     - plugin_qa
-    - ws_scan
     - autoscan
   <<: *ONLY_SONARSOURCE_QA
   eks_container:
-    <<: *CONTAINER_DEFINITION
-    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
+    <<: *CONTAINER_WITH_DOCKER_DEFINITION
     cpu: 2
     memory: 1G
   env:

.github/workflows/build.yml

@@ -271,3 +271,42 @@ jobs:
           -Dmaven.test.redirectTestOutputToFile=false
           -Dparallel=methods
           -DuseUnlimitedThreads=true
+
+  qa-os-win:
+    name: Build and Unit Test on Windows
+    # No dependency on build step, because we do not need the build number.
+    runs-on: github-windows-latest-m
+    permissions:
+      id-token: write  # Required for Vault OIDC authentication
+      contents: write  # Required for repository access and tagging
+    steps:
+      - name: Config Git
+        run: git config --global core.autocrlf input
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
+        with:
+          version: 2025.7.12
+      - name: Run Maven
+        run: mvn clean verify --batch-mode
+
+  promote:
+    needs:
+      - build
+      - ruling-qa
+      - plugin-qa
+      - sanity
+      - test-analyze
+      - autoscan
+      - qa-os-win
+    if: ${{ needs.build.outputs.deployed }}
+    runs-on: github-ubuntu-latest-s  # Public repo uses custom GitHub-hosted runners
+    name: Promote
+    permissions:
+      id-token: write
+      contents: write
+    env:
+      BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
+    steps:
+      - uses: SonarSource/ci-github-actions/promote@v1
+        with:
+          promote-pull-request: true

java-checks-test-sources/pom.xml

@@ -40,8 +40,7 @@
               <fileSeparator>/</fileSeparator>
               <pathSeparator>:${line.separator}</pathSeparator>
               <includeScope>test</includeScope>
-              <!-- $$ to not evaluate M2_REPO now, this will become ${M2_REPO} in the output file -->
-              <localRepoProperty>$${M2_REPO}</localRepoProperty>
+              <localRepoProperty>M2_REPO</localRepoProperty>
               <outputEncoding>UTF-8</outputEncoding>
               <outputFile>${project.build.directory}/test-classpath.txt</outputFile>
             </configuration>

java-checks-test-sources/test-classpath-reader/src/main/java/org/sonar/java/test/classpath/TestClasspathUtils.java

@@ -96,11 +96,12 @@ public static List<File> loadFromFile(String classpathTextFilePath) {
     String mavenRepository = findMavenLocalRepository(System::getenv, System::getProperty);
     try {
       String content = Files.readString(toPath(classpathTextFilePath), UTF_8);
-      Arrays.stream(content.split(":"))
+      // Split on ":", but not when it follows Windows drive letter (e.g. "C:\").
+      Arrays.stream(content.split("(?<![A-Z]):"))
         .map(String::trim)
         .filter(line -> !line.isBlank())
         .map(TestClasspathUtils::fixSeparator)
-        .map(line -> line.replace("${M2_REPO}", mavenRepository))
+        .map(line -> line.replace("M2_REPO", mavenRepository))
         .map(Paths::get)
         .forEach(dependencyPath -> {
           if (!Files.exists(dependencyPath)) {

java-checks-test-sources/test-classpath-reader/src/test/resources/classpath-example.txt

@@ -1,2 +1,2 @@
-${M2_REPO}/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar:
+M2_REPO/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar:
 

java-checks-test-sources/test-classpath-reader/src/test/resources/invalid-classpath-example.txt

@@ -1,2 +1,2 @@
-${M2_REPO}/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar:
-${M2_REPO}/org/bad/luck/missing-artifact/666/missing-artifact-666.jar:
+M2_REPO/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar:
+M2_REPO/org/bad/luck/missing-artifact/666/missing-artifact-666.jar: