2 changes: 1 addition & 1 deletion build-poetry/action.yml
Expand Up @@ -108,7 +108,7 @@ runs:
with:
host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
- name: Cache local Poetry cache
uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP

🚨 Security: TEMP pin of gh-action_cache to mutable feature branch must not merge

This commit (a7ca6a8, explicitly labeled "TEMP") replaces the pinned immutable SHA SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0 with a mutable branch ref SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP across all 8 affected action.yml files (build-poetry, build-yarn, cache, code-signing, config-gradle, config-maven, config-npm, config-pip).

Two problems if this reaches master:

  1. Supply-chain security: GitHub's hardening guidance is to pin third-party/first-party actions to a full commit SHA, not to a branch. A branch ref is mutable — anyone able to push to that feature branch can change the code executed by every consumer of these actions. The original SHA pin is the correct, secure form.

  2. Availability/correctness: The feature branch is ephemeral. Once it is deleted after merge, every action referencing it will fail to resolve gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate and break all dependent workflows.

This change is for E2E validation only and must be reverted (restored to the immutable SHA pin) before this PR is merged. Do not merge while the TEMP pins are present.

Revert the TEMP branch pin back to the immutable SHA pin in all 8 action.yml files before merging. Bump to the new release SHA once the gh-action_cache changes are released:

uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0

if: inputs.disable-caching == 'false'
with:
path: ${{ github.workspace }}/${{ inputs.poetry-cache-dir }}
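Review bot: the `# TEMP` trailer on the new `uses:` line is the only thing marking this pin as provisional, and nothing in the repository stops it from merging as-is. Two concrete follow-ups for this hunk and its seven sibling hunks: make the marker actionable (state on the line what must happen before removal, e.g. "TEMP until gh-action_cache vX.Y is released", since the branch name already carries the BUILD-11444 ticket), and add a repository-level check that fails CI when a `uses: SonarSource/gh-action_cache@<ref>` reference is not a 40-character hex commit SHA, so a mutable ref such as `feat/jcarsique/BUILD-11444-github-env-gate` is caught by tooling rather than by a reviewer. The line to restore is `uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0`.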
2 changes: 1 addition & 1 deletion build-yarn/action.yml
Expand Up @@ -119,7 +119,7 @@ runs:
working_directory: ${{ inputs.working-directory }}

- name: Cache Yarn dependencies
uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
if: ${{ inputs.cache-yarn == 'true' && inputs.disable-caching != 'true' }}
with:
path: |
2 changes: 1 addition & 1 deletion cache/action.yml
Expand Up @@ -36,7 +36,7 @@ runs:
echo "::warning:: This action is deprecated and will be removed in future releases." \
"Please migrate to using the SonarSource/gh-action_cache action directly." >&2

- uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
- uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
id: cache
with:
path: ${{ inputs.path }}
12 changes: 4 additions & 8 deletions ci-metrics/job-completed.sh
Expand Up @@ -5,9 +5,7 @@
# metrics table to $GITHUB_STEP_SUMMARY.
# Fail-open: any error → exit 0 without breaking the job.
#
# Feature flag (presence-only file written by job-started.sh; may also be touched/removed by GitHub actions (i.e. gh-action_cache) to honour
# a workflow-env override:
# ${CI_METRICS_DIR}/enabled no-op early exit unless this file exists
# Feature flag: CI_METRICS_ENABLED=true written to $GITHUB_ENV by job-started.sh; no-op early exit unless this env var is true.
#
# Env overrides (used by tests; do not set in production):
# CI_METRICS_CGROUP_ROOT default /sys/fs/cgroup (mount root)
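Review bot: the rewritten header loses the one sentence that explained how gh-action_cache interacts with the gate ("may also be touched/removed by GitHub actions (i.e. gh-action_cache) to honour a workflow-env override") without saying what replaces that mechanism. If gh-action_cache now writes `CI_METRICS_ENABLED` to `$GITHUB_ENV` itself, which the `BUILD-11444-github-env-gate` branch name suggests, say so here and state which writer wins: `$GITHUB_ENV` is applied in append order, so whichever step writes last before this script runs decides the value, and the header should name that ordering (job-started.sh first, cache action override second, or the reverse) so the behaviour is not left to step placement.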
Expand All @@ -33,14 +31,12 @@ log() {
}

# ---------- Feature flag ----------
gate_file="${CI_METRICS_DIR:-/tmp/ci-metrics}/enabled"
if [[ -e "$gate_file" ]]; then
log "collecting metrics (gate: ${gate_file} present)"
if [[ "${CI_METRICS_ENABLED:-false}" == "true" ]]; then
log "collecting metrics (CI_METRICS_ENABLED=true)"
else
log "skipped: ${gate_file} is absent"
log "skipped: CI_METRICS_ENABLED is not true (value: ${CI_METRICS_ENABLED:-<unset>})"
exit 0
fi
unset gate_file

# ---------- Paths ----------
CGROUP_ROOT="${CI_METRICS_CGROUP_ROOT:-/sys/fs/cgroup}"
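Review bot: the new gate is an exact string compare against `true`, so `True`, `TRUE` or `1` written by another step count as disabled. That is the right direction for an opt-in flag and the `skipped:` log line prints the actual value, which makes a mismatch visible, but the accepted spelling should be stated in the header comment next to the `CI_METRICS_ENABLED=true` line. Also worth a sentence there: the trust boundary has moved. The old gate was a file under `${CI_METRICS_DIR:-/tmp/ci-metrics}`; `$GITHUB_ENV` is writable by every step in the job, so any step (including third-party actions) can now flip collection on or off. Acceptable for a metrics flag, but it should be a documented property rather than an accident of the refactor.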
2 changes: 1 addition & 1 deletion code-signing/action.yml
Expand Up @@ -24,7 +24,7 @@ runs:
echo "JSIGN_CACHE_PATH=/tmp/jsign-cache" >> "$GITHUB_ENV"

- name: Cache code signing tools
uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
id: tools-cache
with:
path: |
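Review bot: of the eight TEMP pins in this PR, this one should be reverted first. The step restores the code-signing toolchain cache (`JSIGN_CACHE_PATH=/tmp/jsign-cache` in the context above), so whatever `gh-action_cache` resolves to at the mutable `feat/jcarsique/BUILD-11444-github-env-gate` ref controls what is written into the path the signing step consumes; a push to that branch changes the contents of the signing environment for every consumer. Restore `uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0` here before merge, independent of when the other files are cleaned up.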
2 changes: 1 addition & 1 deletion config-gradle/action.yml
Expand Up @@ -173,7 +173,7 @@ runs:
run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"

- name: Gradle Cache
uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
if: steps.config-gradle-completed.outputs.skip != 'true' && inputs.disable-caching == 'false'
with:
path: ${{ inputs.cache-paths }}
2 changes: 1 addition & 1 deletion config-maven/action.yml
Expand Up @@ -184,7 +184,7 @@ runs:
run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"

- name: Cache local Maven repository
uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
if: steps.config-maven-completed.outputs.skip != 'true' && inputs.disable-caching == 'false'
with:
path: ${{ inputs.cache-paths }}
2 changes: 1 addition & 1 deletion config-npm/action.yml
Expand Up @@ -122,7 +122,7 @@ runs:
run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"

- name: Cache NPM dependencies
uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
if: steps.config-npm-completed.outputs.skip != 'true' && inputs.disable-caching != 'true' && inputs.cache-npm == 'true'
with:
path: ~/.npm
2 changes: 1 addition & 1 deletion config-pip/action.yml
Expand Up @@ -96,7 +96,7 @@ runs:
run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"

- name: Cache pip dependencies
uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
uses: SonarSource/gh-action_cache@feat/jcarsique/BUILD-11444-github-env-gate # TEMP
if: inputs.disable-caching == 'false'
with:
path: ${{ inputs.cache-paths }}