From 667063628ff74144aacc8a230ffa6315615bdbe2 Mon Sep 17 00:00:00 2001
From: Julien Carsique <julien.carsique@sonarsource.com>
Date: Fri, 5 Jun 2026 17:45:42 +0200
Subject: [PATCH 1/2] BUILD-11444 Replace decision file gate with
 CI_METRICS_ENABLED env var

The post-job completion hook no longer checks for the presence of
${CI_METRICS_DIR}/enabled.  It now reads $CI_METRICS_ENABLED which is
written to $GITHUB_ENV by the pre-job hook (job-started.sh).

Companion changes in github-runners-infra, ci-ami-images, and gh-action_cache.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 ci-metrics/job-completed.sh | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/ci-metrics/job-completed.sh b/ci-metrics/job-completed.sh
index 90aa9712..cd23dea1 100755
--- a/ci-metrics/job-completed.sh
+++ b/ci-metrics/job-completed.sh
@@ -5,9 +5,7 @@
 # metrics table to $GITHUB_STEP_SUMMARY.
 # Fail-open: any error → exit 0 without breaking the job.
 #
-# Feature flag (presence-only file written by job-started.sh; may also be touched/removed by GitHub actions (i.e. gh-action_cache) to honour
-# a workflow-env override:
-#   ${CI_METRICS_DIR}/enabled  no-op early exit unless this file exists
+# Feature flag: CI_METRICS_ENABLED=true written to $GITHUB_ENV by job-started.sh; no-op early exit unless this env var is true.
 #
 # Env overrides (used by tests; do not set in production):
 #   CI_METRICS_CGROUP_ROOT     default /sys/fs/cgroup (mount root)
@@ -33,14 +31,12 @@ log() {
 }
 
 # ---------- Feature flag ----------
-gate_file="${CI_METRICS_DIR:-/tmp/ci-metrics}/enabled"
-if [[ -e "$gate_file" ]]; then
-    log "collecting metrics (gate: ${gate_file} present)"
+if [[ "${CI_METRICS_ENABLED:-false}" == "true" ]]; then
+    log "collecting metrics (CI_METRICS_ENABLED=true)"
 else
-    log "skipped: ${gate_file} is absent"
+    log "skipped: CI_METRICS_ENABLED is not true (value: ${CI_METRICS_ENABLED:-<unset>})"
     exit 0
 fi
-unset gate_file
 
 # ---------- Paths ----------
 CGROUP_ROOT="${CI_METRICS_CGROUP_ROOT:-/sys/fs/cgroup}"

From a7ca6a8a2ee15e41be5f1ab564617c1bd3809033 Mon Sep 17 00:00:00 2001
From: Julien Carsique <julien.carsique@sonarsource.com>
Date: Tue, 9 Jun 2026 10:31:07 +0200
Subject: [PATCH 2/2] BUILD-11444 TEMP: pin gh-action_cache to dev branch for
 E2E validation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 build-poetry/action.yml  | 2 +-
 build-yarn/action.yml    | 2 +-
 cache/action.yml         | 2 +-
 code-signing/action.yml  | 2 +-
 config-gradle/action.yml | 2 +-
 config-maven/action.yml  | 2 +-
 config-npm/action.yml    | 2 +-
 config-pip/action.yml    | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/build-poetry/action.yml b/build-poetry/action.yml
index 11295471..0289bd50 100644
--- a/build-poetry/action.yml
+++ b/build-poetry/action.yml
@@ -108,7 +108,7 @@ runs:
       with:
         host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
     - name: Cache local Poetry cache
-      uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
+      uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
       if: inputs.disable-caching == 'false'
       with:
         path: ${{ github.workspace }}/${{ inputs.poetry-cache-dir }}
diff --git a/build-yarn/action.yml b/build-yarn/action.yml
index 06b4caed..ef71a19f 100644
--- a/build-yarn/action.yml
+++ b/build-yarn/action.yml
@@ -119,7 +119,7 @@ runs:
         working_directory: ${{ inputs.working-directory }}
 
     - name: Cache Yarn dependencies
-      uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
+      uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
       if: ${{ inputs.cache-yarn == 'true' && inputs.disable-caching != 'true' }}
       with:
         path: |
diff --git a/cache/action.yml b/cache/action.yml
index be7ca1ed..1e124ac2 100644
--- a/cache/action.yml
+++ b/cache/action.yml
@@ -36,7 +36,7 @@ runs:
         echo "::warning:: This action is deprecated and will be removed in future releases." \
           "Please migrate to using the SonarSource/gh-action_cache action directly." >&2
 
-    - uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
+    - uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
       id: cache
       with:
         path: ${{ inputs.path }}
diff --git a/code-signing/action.yml b/code-signing/action.yml
index eb6a64e2..a3741347 100644
--- a/code-signing/action.yml
+++ b/code-signing/action.yml
@@ -24,7 +24,7 @@ runs:
         echo "JSIGN_CACHE_PATH=/tmp/jsign-cache" >> "$GITHUB_ENV"
 
     - name: Cache code signing tools
-      uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
+      uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
       id: tools-cache
       with:
         path: |
diff --git a/config-gradle/action.yml b/config-gradle/action.yml
index a918dc67..47877437 100644
--- a/config-gradle/action.yml
+++ b/config-gradle/action.yml
@@ -173,7 +173,7 @@ runs:
       run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"
 
     - name: Gradle Cache
-      uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
+      uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
       if: steps.config-gradle-completed.outputs.skip != 'true' && inputs.disable-caching == 'false'
       with:
         path: ${{ inputs.cache-paths }}
diff --git a/config-maven/action.yml b/config-maven/action.yml
index 9f2f7c04..bad41a4a 100644
--- a/config-maven/action.yml
+++ b/config-maven/action.yml
@@ -184,7 +184,7 @@ runs:
       run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"
 
     - name: Cache local Maven repository
-      uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
+      uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
       if: steps.config-maven-completed.outputs.skip != 'true' && inputs.disable-caching == 'false'
       with:
         path: ${{ inputs.cache-paths }}
diff --git a/config-npm/action.yml b/config-npm/action.yml
index e223cac9..e2a84b93 100644
--- a/config-npm/action.yml
+++ b/config-npm/action.yml
@@ -122,7 +122,7 @@ runs:
       run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"
 
     - name: Cache NPM dependencies
-      uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
+      uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
       if: steps.config-npm-completed.outputs.skip != 'true' && inputs.disable-caching != 'true' && inputs.cache-npm == 'true'
       with:
         path: ~/.npm
diff --git a/config-pip/action.yml b/config-pip/action.yml
index b601313b..f4e6bc4b 100644
--- a/config-pip/action.yml
+++ b/config-pip/action.yml
@@ -96,7 +96,7 @@ runs:
       run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"
 
     - name: Cache pip dependencies
-      uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
+      uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
       if: inputs.disable-caching == 'false'
       with:
         path: ${{ inputs.cache-paths }}