SONARIAC-2502 Gradle builds should use Repox when authentication is available (#665)

SONARIAC-2503 Use master branch for build-logic/common (#667)

GitOrigin-RevId: 97d3929f40727a2df9a60b81210dcbffd98e607b

Author: petertrr

build-logic/common/.cirrus.star

@@ -0,0 +1,41 @@
+name: Build
+on:
+  push:
+    branches:
+      - master
+      - branch-*
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
+        with:
+          version: 2025.7.12
+      - name: get secrets
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/kv/data/develocity token | DEVELOCITY_TOKEN;
+
+      # The SonarSource/ci-github-actions/build-gradle fails because of no access to ARTIFACTORY_DEPLOY_USERNAME
+      # it is not needed in this case, so the Gradle is called directly
+      - name: Build with Gradle
+        env:
+          DEVELOCITY_ACCESS_KEY: develocity-public.sonar.build=${{ fromJSON(steps.secrets.outputs.vault).DEVELOCITY_TOKEN }}
+        run: |
+          ./gradlew build

build-logic/common/.github/workflows/build.yml

@@ -0,0 +1,13 @@
+name: Cleanup PR Resources
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  cleanup:
+    runs-on: github-ubuntu-latest-s
+    permissions:
+      actions: write
+    steps:
+      - uses: SonarSource/ci-github-actions/pr_cleanup@v1
+

build-logic/common/.github/workflows/pr-cleanup.yml

@@ -15,6 +15,7 @@
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
 import org.sonarsource.cloudnative.gradle.RuleApiExtension
+import org.sonarsource.cloudnative.gradle.ifAuthenticatedOrElse
 import org.sonarsource.cloudnative.gradle.registerRuleApiGenerateTask
 import org.sonarsource.cloudnative.gradle.registerRuleApiUpdateTask
 import org.sonarsource.cloudnative.gradle.repox
@@ -23,12 +24,15 @@ val ruleApi: Configuration = configurations.create("ruleApi")
 val ruleApiExtension = extensions.create<RuleApiExtension>("ruleApi")
 
 repositories {
-    repox("sonarsource-private-releases", providers, ruleApiExtension.fileOperations)
-    mavenCentral()
+    ifAuthenticatedOrElse(providers, { artifactoryUsername, artifactoryPassword ->
+        repox("sonarsource-private-releases", artifactoryUsername, artifactoryPassword, ruleApiExtension.fileOperations)
+    }) {
+        error("Downloading dependencies from sonarsource-private-releases requires authentication.")
+    }
 }
 
 dependencies {
-    ruleApi("com.sonarsource.rule-api:rule-api:2.16.0.5596")
+    ruleApi("com.sonarsource.rule-api:rule-api:2.17.0.5605")
     ruleApi("org.slf4j:slf4j-nop:1.7.36") {
         because(
             "To get rid of a warning. A logging backend is not needed, because the rule API logs everything important to stdout. " +

build-logic/common/gradle-modules/src/main/kotlin/org.sonarsource.cloud-native.rule-api.gradle.kts

@@ -17,7 +17,6 @@
 package org.sonarsource.cloudnative.gradle
 
 import java.io.File
-import java.util.HashSet
 import java.util.Locale
 import java.util.jar.JarInputStream
 import org.gradle.api.GradleException
@@ -40,27 +39,18 @@ fun Project.signingCondition(): Boolean {
 
 internal fun RepositoryHandler.repox(
     repository: String,
-    providers: ProviderFactory,
+    artifactoryUsername: String,
+    artifactoryPassword: String,
     fileOperations: FileOperations,
 ): MavenArtifactRepository =
     maven {
         name = "artifactory"
         url = fileOperations.uri("https://repox.jfrog.io/repox/$repository")
 
-        // This authentication relies on env vars configured on Cirrus CI or on Gradle properties (`-P<prop>` flags or `gradle.properties` file)
-        val artifactoryUsername = providers.environmentVariable("ARTIFACTORY_PRIVATE_USERNAME")
-            .orElse(providers.environmentVariable("ARTIFACTORY_USERNAME"))
-            .orElse(providers.gradleProperty("artifactoryUsername"))
-        val artifactoryPassword = providers.environmentVariable("ARTIFACTORY_PRIVATE_PASSWORD")
-            .orElse(providers.environmentVariable("ARTIFACTORY_ACCESS_TOKEN"))
-            .orElse(providers.gradleProperty("artifactoryPassword"))
-
-        if (artifactoryUsername.isPresent && artifactoryPassword.isPresent) {
-            authentication {
-                credentials {
-                    username = artifactoryUsername.get()
-                    password = artifactoryPassword.get()
-                }
+        authentication {
+            credentials {
+                username = artifactoryUsername
+                password = artifactoryPassword
             }
         }
     }
@@ -129,3 +119,23 @@ fun getArchitecture(): String {
         else -> "amd64"
     }
 }
+
+internal fun ifAuthenticatedOrElse(
+    providers: ProviderFactory,
+    onAuthenticated: (artifactoryUsername: String, artifactoryPassword: String) -> Unit,
+    onNotAuthenticated: () -> Unit,
+) {
+    // This authentication relies on env vars configured on Cirrus CI or on Gradle properties (`-P<prop>` flags or `gradle.properties` file)
+    val artifactoryUsername = providers.environmentVariable("ARTIFACTORY_PRIVATE_USERNAME")
+        .orElse(providers.environmentVariable("ARTIFACTORY_USERNAME"))
+        .orElse(providers.gradleProperty("artifactoryUsername"))
+    val artifactoryPassword = providers.environmentVariable("ARTIFACTORY_PRIVATE_PASSWORD")
+        .orElse(providers.environmentVariable("ARTIFACTORY_ACCESS_TOKEN"))
+        .orElse(providers.gradleProperty("artifactoryPassword"))
+
+    if (artifactoryUsername.isPresent && artifactoryPassword.isPresent) {
+        onAuthenticated(artifactoryUsername.get(), artifactoryPassword.get())
+    } else {
+        onNotAuthenticated()
+    }
+}

build-logic/common/gradle-modules/src/main/kotlin/org/sonarsource/cloudnative/gradle/BuildUtils.kt

@@ -75,21 +75,31 @@ open class CommonSettingsPlugin
         private fun Settings.configureRepositories() {
             pluginManagement {
                 repositories {
-                    mavenCentral()
-                    gradlePluginPortal()
-                    repox("sonarsource", settings.providers, fileOperations)
+                    ifAuthenticatedOrElse(providers, { artifactoryUsername, artifactoryPassword ->
+                        repox("sonarsource", artifactoryUsername, artifactoryPassword, fileOperations)
+                    }) {
+                        mavenCentral()
+                        gradlePluginPortal()
+                    }
                 }
             }
 
             dependencyResolutionManagement {
                 repositories {
-                    mavenCentral()
-                    repox("sonarsource", settings.providers, fileOperations)
+                    ifAuthenticatedOrElse(providers, { artifactoryUsername, artifactoryPassword ->
+                        repox("sonarsource", artifactoryUsername, artifactoryPassword, fileOperations)
+                    }) {
+                        mavenCentral()
+                    }
                 }
             }
 
             buildscript.repositories {
-                gradlePluginPortal()
+                ifAuthenticatedOrElse(providers, { artifactoryUsername, artifactoryPassword ->
+                    repox("plugins.gradle.org", artifactoryUsername, artifactoryPassword, fileOperations)
+                }) {
+                    gradlePluginPortal()
+                }
             }
         }
 

build-logic/common/gradle-modules/src/main/kotlin/org/sonarsource/cloudnative/gradle/CommonSettingsPlugin.kt

@@ -1,5 +1,5 @@
 [versions]
-spotless-gradle = "8.0.0"
+spotless-gradle = "8.1.0"
 blowdryer-gradle = "1.7.1"
 develocity = "4.0.3"
 jackson = "2.20.1"

build-logic/common/gradle/libs.versions.toml

@@ -0,0 +1,3 @@
+[tools]
+java = "21.0"
+

build-logic/common/mise.toml

@@ -1,3 +1,5 @@
+import java.net.URI
+
 /*
  * SonarSource Cloud Native Gradle Modules
  * Copyright (C) 2024-2025 SonarSource Sàrl
@@ -15,9 +17,31 @@
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
 pluginManagement {
+    // Note: because of the way how settings are initialized, we cannot reuse functions defined later in this file.
+    val artifactoryUsername = providers.environmentVariable("ARTIFACTORY_PRIVATE_USERNAME")
+        .orElse(providers.environmentVariable("ARTIFACTORY_USERNAME"))
+        .orElse(providers.gradleProperty("artifactoryUsername"))
+    val artifactoryPassword = providers.environmentVariable("ARTIFACTORY_PRIVATE_PASSWORD")
+        .orElse(providers.environmentVariable("ARTIFACTORY_ACCESS_TOKEN"))
+        .orElse(providers.gradleProperty("artifactoryPassword"))
+
     repositories {
-        mavenCentral()
-        gradlePluginPortal()
+        if (artifactoryUsername.isPresent && artifactoryPassword.isPresent) {
+            maven {
+                name = "artifactory"
+                url = uri("https://repox.jfrog.io/repox/plugins.gradle.org")
+
+                authentication {
+                    credentials {
+                        username = artifactoryUsername.get()
+                        password = artifactoryPassword.get()
+                    }
+                }
+            }
+        } else {
+            mavenCentral()
+            gradlePluginPortal()
+        }
     }
 }
 
@@ -30,13 +54,18 @@ include("gradle-modules")
 
 dependencyResolutionManagement {
     repositories {
-        mavenCentral()
-        gradlePluginPortal()
+        ifAuthenticatedOrElse(providers, { artifactoryUsername, artifactoryPassword ->
+            repox("sonarsource", artifactoryUsername, artifactoryPassword, ::uri)
+            repox("plugins.gradle.org", artifactoryUsername, artifactoryPassword, ::uri)
+        }) {
+            mavenCentral()
+            gradlePluginPortal()
+        }
     }
 }
 
 develocity {
-    server.set("https://develocity.sonar.build")
+    server.set("https://develocity-public.sonar.build/")
 }
 
 val isCI = System.getenv("CI") != null
@@ -49,3 +78,41 @@ buildCache {
         isPush = isCI
     }
 }
+
+internal fun RepositoryHandler.repox(
+    repository: String,
+    artifactoryUsername: String,
+    artifactoryPassword: String,
+    uri: (Any) -> URI,
+): MavenArtifactRepository =
+    maven {
+        name = "artifactory"
+        url = uri("https://repox.jfrog.io/repox/$repository")
+
+        authentication {
+            credentials {
+                username = artifactoryUsername
+                password = artifactoryPassword
+            }
+        }
+    }
+
+internal fun ifAuthenticatedOrElse(
+    providers: ProviderFactory,
+    onAuthenticated: (artifactoryUsername: String, artifactoryPassword: String) -> Unit,
+    onNotAuthenticated: () -> Unit,
+) {
+    // This authentication relies on env vars configured on Cirrus CI or on Gradle properties (`-P<prop>` flags or `gradle.properties` file)
+    val artifactoryUsername = providers.environmentVariable("ARTIFACTORY_PRIVATE_USERNAME")
+        .orElse(providers.environmentVariable("ARTIFACTORY_USERNAME"))
+        .orElse(providers.gradleProperty("artifactoryUsername"))
+    val artifactoryPassword = providers.environmentVariable("ARTIFACTORY_PRIVATE_PASSWORD")
+        .orElse(providers.environmentVariable("ARTIFACTORY_ACCESS_TOKEN"))
+        .orElse(providers.gradleProperty("artifactoryPassword"))
+
+    if (artifactoryUsername.isPresent && artifactoryPassword.isPresent) {
+        onAuthenticated(artifactoryUsername.get(), artifactoryPassword.get())
+    } else {
+        onNotAuthenticated()
+    }
+}

build-logic/common/settings.gradle.kts

@@ -14,11 +14,15 @@
  * You should have received a copy of the Sonar Source-Available License
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
+pluginManagement {
+    includeBuild("../common")
+}
+
+plugins {
+    id("org.sonarsource.cloud-native.common-settings")
+}
+
 dependencyResolutionManagement {
-    repositories {
-        mavenCentral()
-        gradlePluginPortal()
-    }
     versionCatalogs {
         create("libs") {
             from(files("../../gradle/libs.versions.toml"))