
BUILD-10988 Migrate GitHub Actions workflows to sonar-*-public runners#1721

Open
hedinasr wants to merge 2 commits into master from chore/hnasr/BUILD-10988-migrateWorkflowRunners

Conversation


hedinasr commented Apr 10, 2026

BUILD-10988: Migrate sonarlint-intellij to sonar-*-public and sonar-m-docker runners

Replace github-ubuntu-latest-s/github-ubuntu-latest-m runners with SonarSource self-hosted runners across all workflows:

  • sonar-xs-public — all lightweight jobs: build-number, aws-auth, build-plugin, test-and-sonar, verify-plugin, promote, dogfood, plugin-verifier-nightly, shadow_scans, and all PR/review event workflows (PullRequestClosed, PullRequestCreated, RequestReview, SubmitReview, notify-failure)
  • sonar-m-docker — the qa job, which runs inside a Docker container and requires Docker-in-Docker support

Part of the Milestone 5 migration effort tracked under BUILD-10864.


hashicorp-vault-sonar-prod bot commented Apr 10, 2026

BUILD-10988

hedinasr force-pushed the chore/hnasr/BUILD-10988-migrateWorkflowRunners branch 4 times, most recently from 1f4ab5b to 31b1274 on April 10, 2026 13:15
hedinasr marked this pull request as ready for review on April 10, 2026 13:38

sonar-review-alpha bot commented Apr 10, 2026

Summary

This PR completes the runner migration across all GitHub Actions workflows. Changes are straightforward but touch multiple layers:

Runner changes: Replaces all github-ubuntu-latest-s/m runners with SonarSource self-hosted runners—sonar-xs-public for lightweight jobs and sonar-m-docker for Docker-in-Docker workloads. Migration is consistently applied across 8 workflow files.

Container user UID fix: Changes Docker container user from runner to 1001 (matching the ARC runner's UID) in 5 jobs to resolve permissions issues.

Develocity endpoint migration: Updates all references from the public endpoint (develocity-public.sonar.build) to what appears to be an internal endpoint (develocity.sonar.build).

What reviewers should know

What to verify:

  • Check that all job runner assignments match the documented criteria: sonar-xs-public for non-Docker jobs, sonar-m-docker for jobs requiring Docker-in-Docker
  • The container user UID 1001 should align with the actual ARC runner configuration—this is critical for file permissions in mounted volumes and artifact handling
  • The develocity endpoint change affects build scans and caching; verify this endpoint is accessible and correctly configured in your environment

Key files to review:

  • build.yml contains the majority of changes (4 jobs migrated, develocity URL appears twice)
  • shadow_scans.yml and plugin-verifier-nightly.yml for consistency of the same pattern
  • All PR workflow files (5 files) for homogeneous changes to lightweight jobs

Non-obvious decisions:

  • build-number and aws-auth jobs downgraded from -m to sonar-xs-public despite their -m sizing—verify these lightweight jobs don't need more resources
  • The developer didn't migrate these workflows as part of a larger refactoring, suggesting this is the final batch



sonar-review-alpha[bot]

This comment was marked as resolved.

hedinasr force-pushed the chore/hnasr/BUILD-10988-migrateWorkflowRunners branch from 31b1274 to 22cc458 on April 10, 2026 14:19
Replace github-ubuntu-latest-s/m runners with SonarSource self-hosted runners:
- sonar-xs-public for all lightweight jobs (build-number, aws-auth, build-plugin,
  test-and-sonar, verify-plugin, promote, dogfood, plugin-verifier-nightly,
  shadow_scans, and all PR/review event workflows)
- sonar-m-docker for the qa job which runs inside a Docker container

Part of the Milestone 5 effort (BUILD-10864).
hedinasr force-pushed the chore/hnasr/BUILD-10988-migrateWorkflowRunners branch from 22cc458 to 88197dc on April 10, 2026 14:19
sonar-review-alpha[bot]

This comment was marked as outdated.

Replace --user runner with --user 1001 in all container jobs.
The sonarlint-intellij image resolves 'runner' to UID 1654, but the
ARC runner process runs as UID 1001 and owns the shared _work/_temp
volume. This UID mismatch causes EACCES on _runner_file_commands
writes. Pinning to 1001 aligns the container with the runner's UID.
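The reviewer's checklist above (a sonar-* runner on every job, Docker jobs on sonar-m-docker, a numeric --user that matches the runner's UID) can be checked mechanically before a push. This is an added example, not code from the PR or the sonarlint-intellij repository; the workflow text it scans is constructed, and `example.invalid/qa` is a placeholder image name.

```python
import re
ALLOWED_RUNNERS = {"sonar-xs-public", "sonar-m-docker"}
RUNNER_UID = "1001"  # UID of the ARC runner process, per the PR's commit message
# Constructed sample (not the project's build.yml): qa still sits on the old runner
# and still hands the container a user *name*, which the image may resolve to 1654.
SAMPLE_WORKFLOW = """\
jobs:
  build-plugin:
    runs-on: sonar-xs-public
  qa:
    runs-on: github-ubuntu-latest-m
    container:
      image: example.invalid/qa  # placeholder image
      options: --user runner
    steps:
      - run: ./gradlew qa
"""

def parse_jobs(text):
    """Minimal indentation-based parse of the jobs: block (no PyYAML dependency)."""
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if line.startswith("jobs:"):
            in_jobs = True
        elif in_jobs and re.match(r"^  [A-Za-z0-9_-]+:\s*$", line):
            current = line.strip()[:-1]  # job key at indentation 2
            jobs[current] = {"runs-on": None, "container": False, "options": ""}
        elif in_jobs and current and line.strip():
            key, _, value = line.strip().partition(":")
            if key == "runs-on":
                jobs[current]["runs-on"] = value.strip()
            elif key == "container":
                jobs[current]["container"] = True
            elif key == "options":
                jobs[current]["options"] = value.strip()
    return jobs

def check_workflow(text):
    """Findings against the PR's invariants; an empty list means the workflow conforms."""
    findings = []
    for name, job in parse_jobs(text).items():
        if job["runs-on"] not in ALLOWED_RUNNERS:
            findings.append(f"{name}: runs-on '{job['runs-on']}' is not a sonar-* runner")
        if job["container"] and job["runs-on"] != "sonar-m-docker":
            findings.append(f"{name}: container job must run on sonar-m-docker")
        m = re.search(r"--user\s+(\S+)", job["options"])
        if m and m.group(1) != RUNNER_UID:
            findings.append(f"{name}: --user must be numeric UID {RUNNER_UID}, not '{m.group(1)}'")
    return findings
```

Run `check_workflow` over each file under `.github/workflows/`; the `--user` check catches the EACCES cause described in the commit message, since a user name is resolved by the image's /etc/passwd rather than by the runner.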

sonar-review-alpha bot left a comment


LGTM! ✅
