Shadow scans #243
| name: Shadow scans | |
| on: | |
| schedule: | |
| # Run the workflow every day at 04:00 UTC | |
| - cron: '0 4 * * *' | |
| env: | |
| CACHE_BACKEND: s3 | |
| jobs: | |
| aws-auth: | |
| runs-on: github-ubuntu-latest-m | |
| permissions: | |
| id-token: write | |
| outputs: | |
| # Note: Output key names are generated by aws-actions/amazon-ecr-login and include the | |
| # registry URL (with account ID). These cannot be templated due to GitHub Actions limitations. | |
| docker_username: ${{ steps.login-ecr.outputs.docker_username_275878209202_dkr_ecr_eu_central_1_amazonaws_com }} | |
| docker_password: ${{ steps.login-ecr.outputs.docker_password_275878209202_dkr_ecr_eu_central_1_amazonaws_com }} | |
| steps: | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 | |
| with: | |
| aws-region: eu-central-1 | |
| role-to-assume: arn:aws:iam::275878209202:role/deploymentroles/DevInfraSquadDockerImagesAccessRole | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| with: | |
| mask-password: 'false' | |
| scan: | |
| needs: aws-auth | |
| runs-on: github-ubuntu-latest-m | |
| container: | |
| image: 275878209202.dkr.ecr.eu-central-1.amazonaws.com/sonarlint-intellij:20260224212528 | |
| options: --user runner | |
| credentials: | |
| username: ${{ needs.aws-auth.outputs.docker_username }} | |
| password: ${{ needs.aws-auth.outputs.docker_password }} | |
| defaults: | |
| run: | |
| shell: bash | |
| name: Scan on shadow platforms | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - name: Vault | |
| id: secrets | |
| uses: SonarSource/vault-action-wrapper@v3 | |
| with: | |
| secrets: | | |
| development/artifactory/token/SonarSource-sonarlint-intellij-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN; | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: jdx/mise-action@c1ecc8f748cd28cdeabf76dab3cccde4ce692fe4 # v4.0.0 | |
| with: | |
| version: 2025.9.12 | |
| - uses: SonarSource/ci-github-actions/build-gradle@v1 | |
| env: | |
| IDEA_HOME: ${{ env.IDEA_2024_DIR }} | |
| CLION_HOME: ${{ env.CLION_2024_DIR }} | |
| RIDER_HOME: ${{ env.RIDER_2024_DIR }} | |
| ULTIMATE_HOME: ${{ env.IDEA_ULTIMATE_2024_DIR }} | |
| ARTIFACTORY_ACCESS_USERNAME: vault-SonarSource-sonarlint-intellij-private-reader | |
| ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }} | |
| with: | |
| run-shadow-scans: true | |
| artifactory-reader-role: private-reader | |
| artifactory-deployer-role: qa-deployer | |
| gradle-args: -x :its:check -x :buildPlugin -x :cyclonedxBom check jacocoTestReport | |
| iris: | |
| needs: scan | |
| runs-on: github-ubuntu-latest-m | |
| name: Run IRIS Analysis | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Run IRIS Analysis | |
| uses: SonarSource/unified-dogfooding-actions/run-iris@v1 | |
| with: | |
| primary_project_key: "org.sonarsource.sonarlint.intellij:sonarlint-intellij" | |
| primary_platform: "Next" | |
| shadow1_project_key: "org.sonarsource.sonarlint.intellij:sonarlint-intellij" | |
| shadow1_platform: "SQC-EU" | |
| shadow2_project_key: "org.sonarsource.sonarlint.intellij:sonarlint-intellij" | |
| shadow2_platform: "SQC-US" |
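Review bot: The `scan` job's container credentials rely on `mask-password: 'false'` at the "Login to Amazon ECR" step, which turns off log masking for the ECR password so it can be forwarded through the `docker_password` job output; the consequence is that a live registry password can appear unmasked in the run logs when debug logging is enabled, and it travels between jobs as an unmasked output. Since this is the documented way to feed credentials to a job-level `container:`, I would keep the mechanism but record the tradeoff at the step, e.g. `# Masking disabled on purpose: the short-lived ECR password must cross the job boundary as an output, so it is visible in debug logs`, and make sure `DevInfraSquadDockerImagesAccessRole` grants pull-only access to the image this workflow needs. Separately, `scan` requests `contents: write` while `iris` needs only `contents: read`; unless `build-gradle` writes back to the repository, which the hunk does not show, `contents: read` is the least-privilege choice. The three `SonarSource/*` actions are referenced by moving tags (`@v3`, `@v1`) whereas the other actions are pinned to commit SHAs with a version comment; pinning them the same way keeps the supply-chain posture of this workflow consistent.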