From fcb20bf92b93d5af2252b2f864a06f329f3d7cd8 Mon Sep 17 00:00:00 2001 From: Mate Molnar Date: Mon, 8 Jun 2026 16:14:28 -0700 Subject: [PATCH] BUILD-11553: Avoid workspace pollution in CI actions Keep the GitHub workspace checkout clean so downstream steps (e.g. Docker image tagging in gitar) behave consistently regardless of whether CI actions have run. - get-build-number: write build_number.txt to ${RUNNER_TEMP} instead of the workspace; update cache paths, get_build_number.sh, and specs - config-npm, build-npm, build-yarn: use jf npm-config --global so .jfrog/projects/ is stored under the runner home, not the workspace - config-npm, build-npm, build-yarn: remove transient .actions/ symlinks after local composite action references are consumed --- build-npm/action.yml | 7 +++++++ build-npm/build.sh | 2 +- build-yarn/action.yml | 7 +++++++ build-yarn/build.sh | 4 ++-- config-npm/action.yml | 7 +++++++ config-npm/npm_config.sh | 2 +- get-build-number/action.yml | 9 +++++---- get-build-number/get_build_number.sh | 2 +- spec/config-npm_spec.sh | 2 +- spec/get_build_number_spec.sh | 4 +++- 10 files changed, 35 insertions(+), 11 deletions(-) diff --git a/build-npm/action.yml b/build-npm/action.yml index 9578e3e1..60ad46c4 100644 --- a/build-npm/action.yml +++ b/build-npm/action.yml @@ -238,3 +238,10 @@ runs: echo "🐸 [Browse build \`${build_name}:${BUILD_NUMBER}\` in Artifactory](${ARTIFACTORY_BROWSE_URL})" >> $GITHUB_STEP_SUMMARY "$ACTION_PATH_BUILD_NPM/../shared/generate-jfrog-summary.sh" repox fi + + - name: Clean up local action symlinks + if: always() + shell: bash + run: | + rm -f .actions/get-build-number .actions/config-npm .actions/shared + rmdir .actions 2>/dev/null || true diff --git a/build-npm/build.sh b/build-npm/build.sh index 12680b28..ec23b006 100755 --- a/build-npm/build.sh +++ b/build-npm/build.sh 
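Review bot: The new cleanup step's `rm -f .actions/get-build-number .actions/config-npm .actions/shared` removes those three names whatever they are, not only the symlinks the action created earlier (that setup is outside this hunk); if any of them is a real directory, say a checked-in `.actions/` tree, `rm -f` exits non-zero and, under the `bash -e` that `shell: bash` implies, the `if: always()` step fails the job instead of cleaning up. Restrict the removal to symlinks so the step only undoes what the action did: `for l in get-build-number config-npm shared; do if [[ -L ".actions/$l" ]]; then rm -f -- ".actions/$l"; fi; done`, keeping `rmdir .actions 2>/dev/null || true` as is. The same applies to the matching cleanup steps added in build-yarn/action.yml and config-npm/action.yml.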
@@ -102,7 +102,7 @@ jfrog_npm_publish() { jf config remove repox > /dev/null 2>&1 || true # Ignore inexistent configuration jf config add repox --url "${ARTIFACTORY_URL%/artifactory*}" --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_DEPLOY_ACCESS_TOKEN" jf config use repox - jf npm-config --repo-resolve "npm" --repo-deploy "$ARTIFACTORY_DEPLOY_REPO" + jf npm-config --global --repo-resolve "npm" --repo-deploy "$ARTIFACTORY_DEPLOY_REPO" export PROJECT="${GITHUB_REPOSITORY#*/}" echo "PROJECT: ${PROJECT}" diff --git a/build-yarn/action.yml b/build-yarn/action.yml index 06b4caed..d2f32d72 100644 --- a/build-yarn/action.yml +++ b/build-yarn/action.yml @@ -221,3 +221,10 @@ runs: echo "🐸 [Browse build \`${build_name}:${BUILD_NUMBER}\` in Artifactory](${ARTIFACTORY_BROWSE_URL})" >> $GITHUB_STEP_SUMMARY "$ACTION_PATH_BUILD_YARN/../shared/generate-jfrog-summary.sh" repox fi + + - name: Clean up local action symlinks + if: always() + shell: bash + run: | + rm -f .actions/get-build-number .actions/shared + rmdir .actions 2>/dev/null || true diff --git a/build-yarn/build.sh b/build-yarn/build.sh index 7b521416..1263d403 100755 --- a/build-yarn/build.sh +++ b/build-yarn/build.sh @@ -106,7 +106,7 @@ EOF jf config remove repox > /dev/null 2>&1 || true # Ignore inexistent configuration jf config add repox --url "${ARTIFACTORY_URL%/artifactory*}" --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_ACCESS_TOKEN" jf config use repox - jf npm-config --repo-resolve "npm" + jf npm-config --global --repo-resolve "npm" } set_project_version() { 
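Review bot: `jf npm-config --global --repo-resolve "npm" --repo-deploy "$ARTIFACTORY_DEPLOY_REPO"` moves the npm project configuration from the workspace into the JFrog CLI home, which on a persistent self-hosted runner outlives the job, so a later job on the same runner that runs `jf npm` without reconfiguring would inherit this repository's resolve and deploy targets, whereas the previous workspace-scoped config vanished with the checkout. The `jf config add repox ... --access-token` line just above already keeps server state in that home, so this extends an existing reliance on ephemeral runners rather than creating a new one, but it should be stated at the point of change: `# --global: stored under the runner home, not the workspace; assumes ephemeral runners (or remove the npm config after the job)`. The same note applies to both hunks in build-yarn/build.sh and to the hunk in config-npm/npm_config.sh. jfrog_npm_publish continues outside the hunk.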
@@ -175,7 +175,7 @@ jfrog_yarn_publish() { jf config remove repox > /dev/null 2>&1 || true # Ignore inexistent configuration jf config add repox --url "${ARTIFACTORY_URL%/artifactory*}" --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_DEPLOY_ACCESS_TOKEN" jf config use repox - jf npm-config --repo-resolve "npm" --repo-deploy "$ARTIFACTORY_DEPLOY_REPO" + jf npm-config --global --repo-resolve "npm" --repo-deploy "$ARTIFACTORY_DEPLOY_REPO" # Create a local tarball and preserve it for attestation echo "Creating local tarball for attestation..." diff --git a/config-npm/action.yml b/config-npm/action.yml index e223cac9..bcf6cbb6 100644 --- a/config-npm/action.yml +++ b/config-npm/action.yml @@ -161,3 +161,10 @@ runs: if: steps.config-npm-completed.outputs.skip != 'true' shell: bash run: echo "CONFIG_NPM_COMPLETED=$GITHUB_ACTION" >> "$GITHUB_ENV" + + - name: Clean up local action symlinks + if: always() && steps.config-npm-completed.outputs.skip != 'true' + shell: bash + run: | + rm -f .actions/get-build-number .actions/shared + rmdir .actions 2>/dev/null || true diff --git a/config-npm/npm_config.sh b/config-npm/npm_config.sh index dc66d4ba..2595ac19 100755 --- a/config-npm/npm_config.sh +++ b/config-npm/npm_config.sh @@ -21,7 +21,7 @@ EOF jf config remove repox > /dev/null 2>&1 || true # Ignore inexistent configuration jf config add repox --url "${ARTIFACTORY_URL%/artifactory*}" --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_ACCESS_TOKEN" jf config use repox - jf npm-config --repo-resolve "npm" + jf npm-config --global --repo-resolve "npm" return 0 } diff --git a/get-build-number/action.yml b/get-build-number/action.yml index 33dffded..5fc9db05 100644 --- a/get-build-number/action.yml +++ b/get-build-number/action.yml 
@@ -29,6 +29,7 @@ runs: fi echo "ACTION_PATH_GET_BUILD_NUMBER=$ACTION_PATH_GET_BUILD_NUMBER" echo "ACTION_PATH_GET_BUILD_NUMBER=$ACTION_PATH_GET_BUILD_NUMBER" >> "$GITHUB_ENV" + echo "BUILD_NUMBER_FILE=${RUNNER_TEMP}/build_number.txt" >> "$GITHUB_ENV" echo "::endgroup::" # Reuse build number from environment if provided (e.g. from a parent workflow) @@ -38,7 +39,7 @@ runs: shell: bash run: | echo "BUILD_NUMBER ${BUILD_NUMBER} provided from environment, skipping both increment and save to cache." - echo "${BUILD_NUMBER}" > build_number.txt + echo "${BUILD_NUMBER}" > "$BUILD_NUMBER_FILE" echo "skip=true" >> $GITHUB_OUTPUT # Reuse current build number in case of rerun @@ -47,7 +48,7 @@ runs: uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 id: current-build-number with: - path: build_number.txt + path: ${{ env.BUILD_NUMBER_FILE }} key: build-number-${{ github.run_id }} enableCrossOsArchive: true @@ -69,7 +70,7 @@ runs: id: export shell: bash run: | - BUILD_NUMBER=$(cat build_number.txt) + BUILD_NUMBER=$(cat "$BUILD_NUMBER_FILE") echo "BUILD_NUMBER: ${BUILD_NUMBER}" echo "BUILD_NUMBER=${BUILD_NUMBER}" >> "$GITHUB_ENV" echo "BUILD_NUMBER=${BUILD_NUMBER}" >> "$GITHUB_OUTPUT" @@ -78,6 +79,6 @@ runs: uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 if: steps.from-env.outputs.skip != 'true' && steps.current-build-number.outputs.cache-hit != 'true' with: - path: build_number.txt + path: ${{ env.BUILD_NUMBER_FILE }} key: build-number-${{ github.run_id }} enableCrossOsArchive: true diff --git a/get-build-number/get_build_number.sh b/get-build-number/get_build_number.sh index d7855f33..ee194d84 100755 --- a/get-build-number/get_build_number.sh +++ b/get-build-number/get_build_number.sh 
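Review bot: The added `echo "BUILD_NUMBER_FILE=${RUNNER_TEMP}/build_number.txt" >> "$GITHUB_ENV"` in the first hunk unconditionally overwrites any BUILD_NUMBER_FILE a calling workflow already exported, so the `${BUILD_NUMBER_FILE:-...}` fallback this commit adds to get_build_number.sh is reachable only when the script runs outside the action. If callers are meant to be able to choose the location, use `echo "BUILD_NUMBER_FILE=${BUILD_NUMBER_FILE:-${RUNNER_TEMP}/build_number.txt}" >> "$GITHUB_ENV"`; otherwise a comment saying the action owns the path would prevent the two defaults drifting apart. The restore/save hunks now cache an absolute path outside the workspace while keeping `enableCrossOsArchive: true`; that presumably relies on `_temp` sitting at the same place relative to the workspace on every runner, and a self-hosted runner with a different layout could restore the file somewhere other than `$BUILD_NUMBER_FILE`, making the export step's `cat "$BUILD_NUMBER_FILE"` fail, so the assumption is worth a comment on the `path:` line.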
@@ -5,7 +5,7 @@ set -euo pipefail : "${GITHUB_REPOSITORY:?}" GH_API_VERSION_HEADER="X-GitHub-Api-Version: 2022-11-28" -CACHE_FILE="build_number.txt" +CACHE_FILE="${BUILD_NUMBER_FILE:-${RUNNER_TEMP}/build_number.txt}" echo "Fetching build number from repository properties..." PROPERTIES_API_URL="repos/${GITHUB_REPOSITORY}/properties/values" diff --git a/spec/config-npm_spec.sh b/spec/config-npm_spec.sh index 3d40b8ad..3042d2d9 100755 --- a/spec/config-npm_spec.sh +++ b/spec/config-npm_spec.sh @@ -100,7 +100,7 @@ Describe 'set_build_env()' The line 1 should include "Configuring JFrog and NPM repositories" The line 2 should equal "jf config add repox --url https://repox.jfrog.io --artifactory-url https://repox.jfrog.io/artifactory --access-token reader-token" The line 3 should equal "jf config use repox" - The line 4 should equal "jf npm-config --repo-resolve npm" + The line 4 should equal "jf npm-config --global --repo-resolve npm" End End diff --git a/spec/get_build_number_spec.sh b/spec/get_build_number_spec.sh index 1ee5fefc..5eb52c42 100755 --- a/spec/get_build_number_spec.sh +++ b/spec/get_build_number_spec.sh @@ -2,7 +2,9 @@ eval "$(shellspec - -c) exit 1" export GITHUB_REPOSITORY="my org/my-repo" -CACHE_FILE="build_number.txt" +export RUNNER_TEMP="${SHELLSPEC_TMPBASE:-/tmp}" +export BUILD_NUMBER_FILE="${RUNNER_TEMP}/build_number.txt" +CACHE_FILE="${BUILD_NUMBER_FILE}" Mock gh echo "gh $*"
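Review bot: `CACHE_FILE="${BUILD_NUMBER_FILE:-${RUNNER_TEMP}/build_number.txt}"` makes RUNNER_TEMP a required variable whenever BUILD_NUMBER_FILE is unset, and under the file's `set -euo pipefail` that surfaces as a bare "unbound variable" abort (for example when a developer runs the script outside a runner) rather than the explicit `:?` guard the file uses for GITHUB_REPOSITORY a few lines above. State the requirement in the same style: `CACHE_FILE="${BUILD_NUMBER_FILE:-${RUNNER_TEMP:?set BUILD_NUMBER_FILE or RUNNER_TEMP}/build_number.txt}"`. A short comment above the assignment noting that the file is deliberately kept out of the workspace, per the commit message, would also help the next reader understand why the default is not a relative path.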