2 changes: 1 addition & 1 deletion .shellspec
@@ -1,5 +1,5 @@
# kcov (coverage) options
--kcov-options "--include-pattern=build-poetry,get-build-number,pr_cleanup,promote,build-gradle,config-maven,build-maven,config-npm,build-npm,build-yarn,shared,config-gradle,config-pip,update-release-channel"
--kcov-options "--include-pattern=build-poetry,config-poetry,get-build-number,pr_cleanup,promote,build-gradle,config-maven,build-maven,config-npm,build-npm,build-yarn,shared,config-gradle,config-pip,update-release-channel"
# --kcov-options "--exclude-pattern=.github,.idea,.git"

# define minimum coverage (fail otherwise)
68 changes: 68 additions & 0 deletions README.md
Expand Up @@ -50,6 +50,7 @@ These badges show the status of workflows in dummy repositories that use (or sho
- [`get-build-number`](#get-build-number)
- [`config-maven`](#config-maven)
- [`build-maven`](#build-maven)
- [`config-poetry`](#config-poetry)
- [`build-poetry`](#build-poetry)
- [`config-gradle`](#config-gradle)
- [`build-gradle`](#build-gradle)
Expand Down Expand Up @@ -364,10 +365,77 @@ See also [`config-maven`](#config-maven) output environment variables.

---

## `config-poetry`

Configure Poetry build environment with build number, JFrog authentication, and caching.

This action configures Poetry to pull packages from the internal JFrog Artifactory registry instead of the public PyPI.

> **Note:** This action automatically calls [`get-build-number`](#get-build-number) to manage the build number.

### Requirements

#### Required GitHub Permissions

- `id-token: write`
- `contents: write`

#### Required Vault Permissions

- `public-reader` or `private-reader`: Artifactory role for reading dependencies

#### Other Dependencies

The Python and Poetry tools must be pre-installed. Use of `mise` is recommended.

### Usage

```yaml
permissions:
id-token: write
contents: write
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: SonarSource/ci-github-actions/config-poetry@v1
- run: poetry install
```

### Inputs

| Input | Description | Default |
|---------------------------|-----------------------------------------------------------------------------|----------------------------------------------------------------------|
| `working-directory` | Relative path under github.workspace to execute the build in | `.` |
| `artifactory-reader-role` | Suffix for the Artifactory reader role in Vault | `private-reader` for private repos, `public-reader` for public repos |
| `artifactory-pypi-repo` | PyPI virtual repository to resolve dependencies from | `sonarsource-pypi` |
| `repox-url` | URL for Repox | `https://repox.jfrog.io` |
| `poetry-virtualenvs-path` | Path to the Poetry virtual environments, relative to GitHub workspace | `.cache/pypoetry/virtualenvs` |
| `poetry-cache-dir` | Path to the Poetry cache directory, relative to GitHub workspace | `.cache/pypoetry` |
| `disable-caching` | Whether to disable Poetry caching entirely | `false` |

### Outputs

| Output | Description |
|----------------|---------------------------------------------------------------------------|
| `BUILD_NUMBER` | The current build number. Also set as environment variable `BUILD_NUMBER` |

### Output Environment Variables

| Environment Variable | Description |
|------------------------------------|--------------------------|
| `BUILD_NUMBER` | The current build number |
| `POETRY_HTTP_BASIC_REPOX_USERNAME` | Repox username for Poetry |
| `POETRY_HTTP_BASIC_REPOX_PASSWORD` | Repox access token for Poetry |

See also [`get-build-number`](#get-build-number) output environment variables.

---

## `build-poetry`

Build, analyze, and publish a Python project using Poetry with SonarQube integration and Artifactory deployment.

> **Note:** This action automatically calls [`config-poetry`](#config-poetry) to set up the Poetry environment.

### Requirements

#### Required GitHub Permissions
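Review bot: The Output Environment Variables table for `config-poetry` lists `POETRY_HTTP_BASIC_REPOX_PASSWORD` (the Repox access token) as a variable left in the job environment, but the section does not say that every later step in the same job, third-party actions included, can read it. Suggest one sentence under the table stating that scope, so consumers know to keep untrusted steps in a separate job. The Inputs table also omits `host-actions-root`, which `config-poetry/action.yml` declares; either list it or note that it is internal.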
46 changes: 27 additions & 19 deletions build-poetry/action.yml
Expand Up @@ -64,7 +64,7 @@ outputs:
value: ${{ steps.build.outputs.project-version }}

Contributor

Suggested change
value: ${{ steps.build.outputs.project-version }}
value: ${{ steps.config.outputs.project-version }}

?

If moving the set_project_version() function to the config action. See following related comment.

BUILD_NUMBER:
description: The build number, incremented or reused if already cached
value: ${{ steps.get_build_number.outputs.BUILD_NUMBER }}
value: ${{ steps.config.outputs.BUILD_NUMBER }}
deployed:
description: Whether artifacts were deployed
value: ${{ steps.build.outputs.deployed }}
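Review bot: The `BUILD_NUMBER` output now reads `steps.config.outputs.BUILD_NUMBER`, which is empty whenever `config-poetry` takes its skip path. In `config-poetry/action.yml` that output is `steps.get-build-number.outputs.BUILD_NUMBER`, and the `get-build-number` step carries `if: steps.config-poetry-completed.outputs.skip != 'true'`, so a workflow that calls `config-poetry` itself before `build-poetry` gets an empty `BUILD_NUMBER` output from `build-poetry`. Suggest falling back to the `BUILD_NUMBER` environment variable that the first run already set, or emitting the output from the skip step as well.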
Expand All @@ -87,6 +87,7 @@ runs:

mkdir -p ".actions"
ln -sf "$host_actions_root/get-build-number" .actions/get-build-number
ln -sf "$host_actions_root/config-poetry" .actions/config-poetry
ln -sf "$host_actions_root/shared" .actions/shared
ls -la .actions/*
echo "::endgroup::"
Expand All @@ -103,29 +104,29 @@ runs:
echo "ARTIFACTORY_DEPLOYER_ROLE=${ARTIFACTORY_DEPLOYER_ROLE}" >> "$GITHUB_ENV"
cp "$ACTION_PATH_BUILD_POETRY/mise.local.toml" mise.local.toml

- uses: ./.actions/get-build-number
id: get_build_number
with:
host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
- name: Cache local Poetry cache
uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
if: inputs.disable-caching == 'false'
with:
path: ${{ github.workspace }}/${{ inputs.poetry-cache-dir }}
key: poetry-${{ runner.os }}-${{ hashFiles('poetry.lock') }}
restore-keys: poetry-${{ runner.os }}-
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
with:
version: 2026.5.9

- uses: ./.actions/config-poetry
id: config
with:
host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
artifactory-reader-role: ${{ env.ARTIFACTORY_READER_ROLE }}
repox-url: ${{ inputs.repox-url }}
working-directory: ${{ inputs.working-directory }}
poetry-cache-dir: ${{ inputs.poetry-cache-dir }}
poetry-virtualenvs-path: ${{ inputs.poetry-virtualenvs-path }}
disable-caching: ${{ inputs.disable-caching }}

- uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0
if: inputs.deploy != 'false' && inputs.run-shadow-scans != 'true'
id: artifactory
with:
url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }}
# yamllint disable rule:line-length
secrets: |
development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN;
development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME;
${{ inputs.deploy != 'false' && inputs.run-shadow-scans != 'true' && format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) || '' }}
${{ format('development/artifactory/token/{{REPO_OWNER_NAME_DASH}}-{0} access_token | ARTIFACTORY_DEPLOY_ACCESS_TOKEN;', env.ARTIFACTORY_DEPLOYER_ROLE) }}
# yamllint enable rule:line-length
- uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0
id: secrets
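Review bot: The `with:` block for `./.actions/config-poetry` does not pass `artifactory-pypi-repo`, so `build-poetry` always resolves from the `config-poetry` default `sonarsource-pypi`, and the `# FIXME: sonarsource-pypi-public` carried by the `ARTIFACTORY_PYPI_REPO` line (removed in the next hunk) disappears without a replacement. Suggest exposing the input on `build-poetry` and forwarding it here, or recording the FIXME in a ticket before the line goes away.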
Expand All @@ -152,12 +153,12 @@ runs:
ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }}
DEPLOY: ${{ inputs.deploy }}
DEPLOY_PULL_REQUEST: ${{ inputs.deploy-pull-request }}
ARTIFACTORY_PYPI_REPO: ${{ inputs.public == 'true' && 'sonarsource-pypi' || 'sonarsource-pypi' }} # FIXME: sonarsource-pypi-public
ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo != '' && inputs.artifactory-deploy-repo ||
github.event.repository.visibility == 'public' && 'sonarsource-pypi-public-qa' || 'sonarsource-pypi-private-qa' }}
ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
ARTIFACTORY_USERNAME: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_USERNAME }}
ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN }}
# yamllint disable rule:line-length
ARTIFACTORY_DEPLOY_ACCESS_TOKEN: ${{ steps.artifactory.outputs.vault &&
fromJSON(steps.artifactory.outputs.vault).ARTIFACTORY_DEPLOY_ACCESS_TOKEN || '' }}
# yamllint enable rule:line-length
POETRY_VIRTUALENVS_PATH: ${{ github.workspace }}/${{ inputs.poetry-virtualenvs-path }}
POETRY_CACHE_DIR: ${{ github.workspace }}/${{ inputs.poetry-cache-dir }}

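Review bot: With the `artifactory` step now conditional, `ARTIFACTORY_DEPLOY_ACCESS_TOKEN` silently becomes an empty string whenever that step is skipped (`steps.artifactory.outputs.vault && fromJSON(...) || ''`). The precondition lines visible in `build-poetry/build.sh` assert `ARTIFACTORY_DEPLOY_REPO` but not the token, so please confirm that the deploy path checks for a non-empty token before publishing and fails with a clear message otherwise.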
Expand Down Expand Up @@ -215,3 +216,10 @@ runs:
echo "🐸 [Browse build \`${build_name}:${BUILD_NUMBER}\` in Artifactory](${ARTIFACTORY_BROWSE_URL})" >> $GITHUB_STEP_SUMMARY
"$ACTION_PATH_BUILD_POETRY/../shared/generate-jfrog-summary.sh" repox
fi

- name: Clean up local action symlinks
if: always()
shell: bash
run: |
rm -f .actions/get-build-number .actions/config-poetry .actions/shared
rmdir .actions 2>/dev/null || true
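Review bot: This cleanup runs at the end of `build-poetry`, but `config-poetry` has its own `if: always()` cleanup that already removes `.actions/get-build-number` and `.actions/shared`, the same paths `build-poetry` links in its set-path step. Once the `config` step returns, those two links are gone for the rest of `build-poetry`, so any later step that resolves `./.actions/shared` or `./.actions/get-build-number` would fail. Suggest having `config-poetry` remove only the links it owns, for example by skipping its cleanup when `host-actions-root` was passed in.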
14 changes: 3 additions & 11 deletions build-poetry/build.sh
Expand Up @@ -5,8 +5,6 @@
# Required inputs (must be explicitly provided):
# - BUILD_NUMBER: Build number for versioning
# - ARTIFACTORY_URL: URL to Artifactory repository
# - ARTIFACTORY_PYPI_REPO: Repository to install dependencies from
# - ARTIFACTORY_ACCESS_TOKEN: Access token to read Repox repositories
# - ARTIFACTORY_DEPLOY_REPO: Deployment repository name
# - ARTIFACTORY_DEPLOY_ACCESS_TOKEN: Access token to deploy to the repository
# - DEFAULT_BRANCH: Default branch name (e.g. main)
Expand Down Expand Up @@ -45,7 +43,7 @@ set -euo pipefail
# shellcheck source=../shared/common-functions.sh
source "$(dirname "${BASH_SOURCE[0]}")/../shared/common-functions.sh"

: "${ARTIFACTORY_URL:?}" "${ARTIFACTORY_PYPI_REPO:?}" "${ARTIFACTORY_ACCESS_TOKEN:?}" "${ARTIFACTORY_USERNAME:?}" "${RUN_SHADOW_SCANS:?}"
: "${ARTIFACTORY_URL:?}" "${RUN_SHADOW_SCANS:?}"
: "${ARTIFACTORY_DEPLOY_REPO:?}" "${DEPLOY_PULL_REQUEST:=false}"
: "${GITHUB_REF_NAME:?}" "${BUILD_NUMBER:?}" "${GITHUB_REPOSITORY:?}" "${GITHUB_EVENT_NAME:?}" "${GITHUB_EVENT_PATH:?}"
: "${PULL_REQUEST?}" "${DEFAULT_BRANCH:?}" "${GITHUB_ENV:?}" "${GITHUB_OUTPUT:?}" "${GITHUB_SHA:?}" "${GITHUB_RUN_ID:?}"
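Review bot: The precondition line drops `ARTIFACTORY_ACCESS_TOKEN` and `ARTIFACTORY_USERNAME` but adds nothing for the credentials that `poetry install` now depends on. Per the README, `config-poetry` exports `POETRY_HTTP_BASIC_REPOX_USERNAME` and `POETRY_HTTP_BASIC_REPOX_PASSWORD`; asserting them here (`: "${POETRY_HTTP_BASIC_REPOX_USERNAME:?}" "${POETRY_HTTP_BASIC_REPOX_PASSWORD:?}"`) makes a run without `config-poetry` fail at startup instead of later during dependency resolution. The header comment should also list them as inputs inherited from `config-poetry`.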
Expand Down Expand Up @@ -262,13 +260,7 @@ get_build_config() {
export BUILD_SONAR_ARGS="${sonar_args[*]:-}"
}

jfrog_poetry_install() {
jf config remove repox > /dev/null 2>&1 || true # Ignore inexistent configuration
jf config add repox --url "${ARTIFACTORY_URL%/artifactory*}" --artifactory-url "$ARTIFACTORY_URL" --access-token "$ARTIFACTORY_ACCESS_TOKEN"
jf config use repox
jf poetry-config --server-id-resolve repox --repo-resolve "$ARTIFACTORY_PYPI_REPO"
export POETRY_HTTP_BASIC_REPOX_USERNAME="$ARTIFACTORY_USERNAME"
export POETRY_HTTP_BASIC_REPOX_PASSWORD="$ARTIFACTORY_ACCESS_TOKEN"
poetry_install_dependencies() {
poetry install
}
Comment on lines +263 to 265

Contributor

We can remove the function, it's empty.

Suggested change
poetry_install_dependencies() {
poetry install
}


Expand Down Expand Up @@ -302,7 +294,7 @@ build_poetry() {

echo "::group::Install dependencies"
echo "Installing dependencies..."
jfrog_poetry_install
poetry_install_dependencies

Contributor

Suggested change
poetry_install_dependencies
poetry install

echo "::endgroup::"

echo "::group::Build project"
145 changes: 145 additions & 0 deletions config-poetry/action.yml
@@ -0,0 +1,145 @@
---
name: Config Poetry
description: GitHub Action to configure Poetry build environment with build number, JFrog authentication, and caching
inputs:
working-directory:
description: Relative path under github.workspace to execute the build in
default: .
artifactory-reader-role:
description: Suffix for the Artifactory reader role in Vault. Defaults to `private-reader` for private repositories, and `public-reader`
for public repositories.
default: ''
artifactory-pypi-repo:
description: PyPI virtual repository to resolve dependencies from
default: sonarsource-pypi
repox-url:
description: URL for Repox
default: https://repox.jfrog.io
poetry-virtualenvs-path:
description: Path to the Poetry virtual environments, relative to GitHub workspace. The folder is cached only if it is a subdirectory of
`poetry-cache-dir`.
default: .cache/pypoetry/virtualenvs
poetry-cache-dir:
description: Path to the Poetry cache directory, relative to GitHub workspace
default: .cache/pypoetry
disable-caching:
description: Whether to disable Poetry caching entirely
default: 'false'
host-actions-root:
description: Path to the actions folder on the host (used when called from another local action)
default: ''

outputs:
BUILD_NUMBER:
description: The current build number. Also set as environment variable BUILD_NUMBER
value: ${{ steps.get-build-number.outputs.BUILD_NUMBER }}

runs:
using: composite
steps:
- id: config-poetry-completed
if: env.CONFIG_POETRY_COMPLETED != ''
shell: bash
run: |
echo "Action already called by $CONFIG_POETRY_COMPLETED, execution skipped."
echo "skip=true" >> "$GITHUB_OUTPUT"

- name: Set local action paths
id: set-path
if: steps.config-poetry-completed.outputs.skip != 'true'
shell: bash
run: |
echo "::group::Fix for using local actions"
echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
echo "github.action_path=${{ github.action_path }}"
ACTION_PATH_CONFIG_POETRY="${{ github.action_path }}"
host_actions_root="${{ inputs.host-actions-root }}"
if [[ -z "$host_actions_root" ]]; then
host_actions_root="$(dirname "$ACTION_PATH_CONFIG_POETRY")"
else
ACTION_PATH_CONFIG_POETRY="$host_actions_root/config-poetry"
fi
Comment on lines +47 to +61

⚠️ Bug: mise restore runs in wrong dir when working-directory != '.'

In config-poetry/action.yml, the mise.local.toml file and the MISE_BACKUP temp dir are created by the "Set local action paths" step (lines 47-77), which has NO working-directory, so they live in the GitHub workspace root. But the "Configure Poetry authentication" step (line 120) sets working-directory: ${{ inputs.working-directory }} and then runs the restore logic:

rm mise.local.toml
mv "$MISE_BACKUP"/* ... ./ ...

When working-directory is not ., this runs inside the subdirectory:

  • rm mise.local.toml fails because the file is in the workspace root, not the subdir. GitHub Actions runs bash steps with -e, so the step fails and breaks the build.
  • Even if it didn't fail, the user's original mise files would be restored into the subdirectory (./) instead of the workspace root, leaving the root in an inconsistent state with config-poetry's mise.local.toml never removed.

Note this diverges from config-npm/action.yml, whose "Configure NPM authentication" step (line 101-114) does the same backup/restore but does NOT set working-directory, keeping creation and restore in the same (root) directory. build-poetry exposes a working-directory input and passes it through, so any consumer using a non-root working directory will hit this regression (previously build-poetry never rm'd the file).

Fix: keep working-directory only for the poetry_config.sh invocation (which needs the project dir) and perform the mise restore relative to the workspace root, or split the restore into a separate step without working-directory (matching config-npm).

Run poetry_config.sh in the working-directory, but restore mise files in the workspace root (no working-directory) and guard with always() so the backup is restored even if poetry_config.sh fails:

- name: Configure Poetry authentication
  if: steps.config-poetry-completed.outputs.skip != 'true'
  shell: bash
  working-directory: ${{ inputs.working-directory }}
  env:
    ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }}
    ARTIFACTORY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME }}
    ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
    ARTIFACTORY_PYPI_REPO: ${{ inputs.artifactory-pypi-repo }}
  run: $ACTION_PATH_CONFIG_POETRY/poetry_config.sh

- name: Restore mise files
  if: always() && steps.config-poetry-completed.outputs.skip != 'true'
  shell: bash
  run: |
    echo "::group::Restore mise files"
    rm -f mise.local.toml
    mv "${{ steps.set-path.outputs.MISE_BACKUP }}"/* "${{ steps.set-path.outputs.MISE_BACKUP }}"/.* ./ 2>/dev/null || true
    rmdir "${{ steps.set-path.outputs.MISE_BACKUP }}" 2>/dev/null || true
    echo "::endgroup::"

echo "ACTION_PATH_CONFIG_POETRY=$ACTION_PATH_CONFIG_POETRY"
echo "ACTION_PATH_CONFIG_POETRY=$ACTION_PATH_CONFIG_POETRY" >> "$GITHUB_ENV"
echo "host_actions_root=$host_actions_root" >> "$GITHUB_OUTPUT"

mkdir -p ".actions"
ln -sf "$host_actions_root/get-build-number" .actions/get-build-number
ln -sf "$host_actions_root/shared" .actions/shared
ls -la .actions/*
echo "::endgroup::"

echo "::group::Backup mise files to configure Poetry without interference"
mise_backup=$(mktemp -d)
echo "MISE_BACKUP=$mise_backup" >> "$GITHUB_OUTPUT"
mv mise.* .mise.* mise/ .mise/ .tool-versions "$mise_backup/" 2>/dev/null || true
cp "$ACTION_PATH_CONFIG_POETRY/mise.local.toml" mise.local.toml
echo "::endgroup::"
Comment on lines +72 to +77

💡 Bug: mise files not restored if a step fails before restore

In config-poetry/action.yml, the "Set local action paths" step moves the user's real mise files into a temp backup and substitutes config-poetry's mise.local.toml. The restore happens inside the "Configure Poetry authentication" step, which is NOT marked always() and only runs after several intermediate steps (get-build-number, cache, mise-action, vault). If any of those steps fails, the restore never runs: the user's mise files remain stranded in the temp directory and config-poetry's mise.local.toml is left in place. For standalone config-poetry usage, this leaves the checkout in an inconsistent state for any downstream steps. Consider performing the restore in a dedicated if: always() step (see the suggested fix for the working-directory finding, which also addresses this).



- name: Set Artifactory reader role
if: steps.config-poetry-completed.outputs.skip != 'true'
shell: bash
env:
ARTIFACTORY_READER_ROLE:
${{ inputs.artifactory-reader-role != '' && inputs.artifactory-reader-role ||
(github.event.repository.visibility == 'public' && 'public-reader' || 'private-reader') }}
run: |
echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV"
Comment on lines +79 to +87

Contributor

No need for a separate step, this can be merged with the above set-path step, renamed setup. It also adds values to GITHUB_ENV.


- uses: ./.actions/get-build-number
id: get-build-number
if: steps.config-poetry-completed.outputs.skip != 'true'
with:
host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}

- name: Cache local Poetry cache
uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
if: steps.config-poetry-completed.outputs.skip != 'true' && inputs.disable-caching == 'false'
with:
path: ${{ github.workspace }}/${{ inputs.poetry-cache-dir }}
key: poetry-${{ runner.os }}-${{ hashFiles('poetry.lock') }}
restore-keys: poetry-${{ runner.os }}-
Comment on lines +95 to +101

Contributor

The other config actions seem to have an improved cache key that includes the workflow name:

- name: Sanitize workflow name for cache key
  id: sanitize_workflow
  if: steps.config-gradle-completed.outputs.skip != 'true' && inputs.disable-caching == 'false'
  shell: bash
  env:
    WORKFLOW_NAME: ${{ github.workflow }}
  run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"
- name: Gradle Cache
  uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
  if: steps.config-gradle-completed.outputs.skip != 'true' && inputs.disable-caching == 'false'
  with:
    path: ${{ inputs.cache-paths }}
    key: gradle-${{ runner.os }}-${{ steps.sanitize_workflow.outputs.workflow_name }}-${{ env.GRADLE_CACHE_KEY }}
    restore-keys: gradle-${{ runner.os }}-${{ steps.sanitize_workflow.outputs.workflow_name }}-

This looks like a debt in the Poetry action.
It will be a breaking change for the existing Poetry caches, but also a fix to avoid cache collisions.

Either implement now, or consider as out of scope and create a ticket for this specific debt.


- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
if: steps.config-poetry-completed.outputs.skip != 'true'
with:
version: 2026.5.9

- uses: SonarSource/vault-action-wrapper@0a3114fe1230b784c35b53b099f9ab1f1e538cc7 # 3.5.0
if: steps.config-poetry-completed.outputs.skip != 'true'
id: secrets
with:
url: ${{ contains(inputs.repox-url, 'dev.sonar.build') && 'https://vault.dev.sonar.build' || 'https://vault.sonar.build' }}
secrets: |
development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} username | ARTIFACTORY_USERNAME;
development/artifactory/token/{REPO_OWNER_NAME_DASH}-${{ env.ARTIFACTORY_READER_ROLE }} access_token | ARTIFACTORY_ACCESS_TOKEN;

- name: Configure Poetry authentication
if: steps.config-poetry-completed.outputs.skip != 'true'
shell: bash
working-directory: ${{ inputs.working-directory }}
env:
ARTIFACTORY_URL: ${{ format('{0}/artifactory', inputs.repox-url) }}
ARTIFACTORY_USERNAME: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_USERNAME }}
ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
ARTIFACTORY_PYPI_REPO: ${{ inputs.artifactory-pypi-repo }}
run: |
$ACTION_PATH_CONFIG_POETRY/poetry_config.sh

echo "::group::Restore mise files"
rm mise.local.toml
mv "${{ steps.set-path.outputs.MISE_BACKUP }}"/* "${{ steps.set-path.outputs.MISE_BACKUP }}"/.* ./ 2>/dev/null || true
rmdir "${{ steps.set-path.outputs.MISE_BACKUP }}"
echo "::endgroup::"

- name: Set Config Poetry completed
if: steps.config-poetry-completed.outputs.skip != 'true'
shell: bash
run: echo "CONFIG_POETRY_COMPLETED=$GITHUB_ACTION" >> "$GITHUB_ENV"

- name: Clean up local action symlinks
if: always() && steps.config-poetry-completed.outputs.skip != 'true'
shell: bash
run: |
rm -f .actions/get-build-number .actions/shared
rmdir .actions 2>/dev/null || true
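Review bot: In the `Set local action paths` step, `host_actions_root="${{ inputs.host-actions-root }}"` and `ACTION_PATH_CONFIG_POETRY="${{ github.action_path }}"` are expanded into the script text before bash runs, so a value containing a quote or `$(...)` is executed rather than assigned; the restore block does the same with `${{ steps.set-path.outputs.MISE_BACKUP }}`. Suggest passing these through `env:` and referencing shell variables instead (for example `"$HOST_ACTIONS_ROOT"`, `"$GITHUB_ACTION_PATH"`, `"$MISE_BACKUP"`), as the `Set Artifactory reader role` step already does for its value. Separately, `hashFiles('poetry.lock')` is evaluated from the workspace root, so with a non-default `working-directory` the lock file does not contribute to the cache key.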
6 changes: 6 additions & 0 deletions config-poetry/mise.local.toml
@@ -0,0 +1,6 @@
[tools]
jfrog-cli = "2.96.0"

[env]
JFROG_CLI_AVOID_NEW_VERSION_WARNING = "true"
JFROG_CLI_ENV_EXCLUDE = "*password*;*secret*;*key*;*token*;*auth*;*credential*"