BUILD-11295 test gh-action_cache@feat/.../BUILD-11295-metricsFeatureFlag by julien-carsique-sonarsource · Pull Request #267 · SonarSource/ci-github-actions

julien-carsique-sonarsource · 2026-05-21T13:58:23Z

Purpose

TEST ONLY — DO NOT MERGE. Resurrection of #262 (closed), retargeted to the BUILD-11295 branch of gh-action_cache so we can validate the new CI-metrics gate end-to-end through sonar-dummy CI on sonar-dev runners.

Changes

8 sub-action action.yml files updated:

SonarSource/gh-action_cache@bdecdb71... # v1.5.0
  → SonarSource/gh-action_cache@feat/jcarsique/BUILD-11295-metricsFeatureFlag # TEST ONLY — BUILD-11295

Affected: cache, build-poetry, build-yarn, code-signing, config-gradle, config-maven, config-npm, config-pip.

Validation chain

end-to-end validator (TEST, DO NOT MERGE): https://github.com/SonarSource/sonar-dummy/pull/592
- transitive pin (TEST, DO NOT MERGE): BUILD-11295 test gh-action_cache@feat/.../BUILD-11295-metricsFeatureFlag #267 — this PR
- cache-action gate: BUILD-11295 Gate cache-metrics on layered decision file (workflow env > pre-job file) gh-action_cache#71
- runner pre-job hook (deployed with deploy-dev label): https://github.com/SonarSource/github-runners-infra/pull/410

Links

Jira: https://sonarsource.atlassian.net/browse/BUILD-11295
Design comment: https://sonarsource.atlassian.net/browse/BUILD-11295?focusedCommentId=919695

Summary by Gitar

CI Configuration:
- Updated gh-action_cache reference across eight sub-actions to use the feat/jcarsique/BUILD-11417-extract-symlink-keeper branch.

_{This will update automatically on new commits.}

hashicorp-vault-sonar-prod · 2026-05-21T13:59:01Z

BUILD-11295
BUILD-11295

gitar-bot · 2026-05-25T08:24:18Z

Code Review ⚠️ Changes requested 0 resolved / 1 findings

Updates 8 sub-action files to pin gh-action_cache to a mutable @master branch reference instead of a locked commit SHA, which risks breaking CI if the upstream branch changes. This is marked as test-only but the mutable pin should be replaced with a fixed commit hash before merge.

⚠️

Security: Pinned SHA replaced with mutable @master branch ref

📄 cache/action.yml:39 📄 build-poetry/action.yml:114

All 8 action files replace a pinned commit SHA (@bdecdb71…) with a mutable branch reference (@master). Mutable refs are vulnerable to supply-chain attacks — if the upstream branch is force-pushed or compromised, CI pipelines silently pick up arbitrary code.

The PR description and title say this targets feat/jcarsique/BUILD-11295-metricsFeatureFlag, but the actual diff pins to @master, which is a discrepancy.

Since this is a test-only draft PR labeled DO NOT MERGE, the risk is contained — but ensure the mutable ref is never merged to master. Before merging any follow-up PR, restore SHA-pinned references (pointing to the new release commit of gh-action_cache).

🤖 Prompt for agents

Code Review: Updates 8 sub-action files to pin gh-action_cache to a mutable `@master` branch reference instead of a locked commit SHA, which risks breaking CI if the upstream branch changes. This is marked as test-only but the mutable pin should be replaced with a fixed commit hash before merge.

1. ⚠️ Security: Pinned SHA replaced with mutable `@master` branch ref
   Files: cache/action.yml:39, build-poetry/action.yml:114

   All 8 action files replace a pinned commit SHA (`@bdecdb71…`) with a mutable branch reference (`@master`). Mutable refs are vulnerable to supply-chain attacks — if the upstream branch is force-pushed or compromised, CI pipelines silently pick up arbitrary code.
   
   The PR description and title say this targets `feat/jcarsique/BUILD-11295-metricsFeatureFlag`, but the actual diff pins to `@master`, which is a discrepancy.
   
   Since this is a test-only draft PR labeled DO NOT MERGE, the risk is contained — but ensure the mutable ref is never merged to `master`. Before merging any follow-up PR, restore SHA-pinned references (pointing to the new release commit of `gh-action_cache`).

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.
Unblock → Override a blocking verdict and allow merging.

Comment with these commands to change:

`Auto-apply`	`Compact`	`Unblock`
`gitar auto-apply:on`	`gitar display:verbose`	`gitar unblock`

_{Was this helpful? React with 👍 / 👎 | Gitar}

DO NOT MERGE — bump back to a tagged version before merging.

Switches the 8 dogfood pins from gh-action_cache@master to the BUILD-11417 feature branch so this PR exercises the symlink-keeper extraction end-to-end alongside sonar-dummy#592. TEST ONLY — do not merge.

sonarqubecloud · 2026-05-25T08:38:32Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

julien-carsique-sonarsource temporarily deployed to sca-checking May 21, 2026 13:58 — with GitHub Actions Inactive

julien-carsique-sonarsource added the DO NOT MERGE label May 21, 2026

julien-carsique-sonarsource mentioned this pull request May 21, 2026

BUILD-11295 Gate cache-metrics on layered decision file (workflow env > pre-job file) SonarSource/gh-action_cache#71

Merged

6 tasks

julien-carsique-sonarsource force-pushed the test/jcarsique/BUILD-11295-cacheMetrics branch from 2aadd0e to 4918825 Compare May 22, 2026 10:19

julien-carsique-sonarsource temporarily deployed to sca-checking May 22, 2026 10:19 — with GitHub Actions Inactive

gitar-bot Bot reviewed May 22, 2026

View reviewed changes

Comment thread cache/action.yml Outdated

julien-carsique-sonarsource mentioned this pull request May 25, 2026

BUILD-11417 Extract symlink keeper into its own sub-action SonarSource/gh-action_cache#73

Merged

6 tasks

julien-carsique-sonarsource temporarily deployed to sca-checking May 25, 2026 08:23 — with GitHub Actions Inactive

julien-carsique-sonarsource added 2 commits May 25, 2026 10:31

BUILD-11295 test gh-action_cache@master

f6305f2

DO NOT MERGE — bump back to a tagged version before merging.

BUILD-11417 Re-pin gh-action_cache to extract-symlink-keeper branch

e8e4a3e

Switches the 8 dogfood pins from gh-action_cache@master to the BUILD-11417 feature branch so this PR exercises the symlink-keeper extraction end-to-end alongside sonar-dummy#592. TEST ONLY — do not merge.

julien-carsique-sonarsource force-pushed the test/jcarsique/BUILD-11295-cacheMetrics branch from 820ef4d to e8e4a3e Compare May 25, 2026 08:31

julien-carsique-sonarsource temporarily deployed to sca-checking May 25, 2026 08:32 — with GitHub Actions Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BUILD-11295 test gh-action_cache@feat/.../BUILD-11295-metricsFeatureFlag#267

BUILD-11295 test gh-action_cache@feat/.../BUILD-11295-metricsFeatureFlag#267
julien-carsique-sonarsource wants to merge 2 commits into
masterfrom
test/jcarsique/BUILD-11295-cacheMetrics

julien-carsique-sonarsource commented May 21, 2026 •

edited by gitar-bot Bot

Loading

Uh oh!

hashicorp-vault-sonar-prod Bot commented May 21, 2026 •

edited by atlassian Bot

Loading

Uh oh!

Uh oh!

gitar-bot Bot commented May 25, 2026

Uh oh!

sonarqubecloud Bot commented May 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

julien-carsique-sonarsource commented May 21, 2026 • edited by gitar-bot Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Purpose

Changes

Validation chain

Links

Summary by Gitar

Uh oh!

hashicorp-vault-sonar-prod Bot commented May 21, 2026 • edited by atlassian Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

gitar-bot Bot commented May 25, 2026

Uh oh!

sonarqubecloud Bot commented May 25, 2026

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

julien-carsique-sonarsource commented May 21, 2026 •

edited by gitar-bot Bot

Loading

hashicorp-vault-sonar-prod Bot commented May 21, 2026 •

edited by atlassian Bot

Loading