feat(BUILD-2144): Make release workflow use Vault
authorEric Lorenzana <eric.lorenzana@sonarsource.com>
Thu, 17 Nov 2022 14:03:44 +0000 (15:03 +0100)
committerEric Lorenzana <eric.lorenzana@sonarsource.com>
Fri, 25 Nov 2022 11:37:35 +0000 (12:37 +0100)
Replace release and maven sync with `SonarSource/gh-action_release`

Also fix the secrets for the GitHub release token and Slack, which now come from Vault.

Replace slack action with `slackapi/slack-github-action`

.github/workflows/release.yml

index 38556ba54225b4c8f452f088f7bfdf4d13493776..6b442105d24cb889da0731a77444a73b19beebad 100644 (file)
@@ -5,58 +5,34 @@ on:
     types:
     - published
 
-env:
-  PYTHONUNBUFFERED: 1
-
 jobs:
-  run_release:
+  release:
+    permissions:
+      id-token: write
+      contents: write
+    uses: SonarSource/gh-action_release/.github/workflows/main.yaml@5.0.1
+    with:
+      publishToBinaries: true
+      mavenCentralSync: true
+      slackChannel: sonarqube-build
+  release_docker:
     runs-on: ubuntu-latest
-    name: Start release process
+    name: Start Docker release process
+    needs: release
     timeout-minutes: 60
     steps:
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v1
-      with:
-        aws-access-key-id: ${{ secrets.BINARIES_AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.BINARIES_AWS_SECRET_ACCESS_KEY }}
-        aws-region: ${{ secrets.BINARIES_AWS_REGION }}
-    - name: Run release action
-      id: run_release
-      uses: SonarSource/gh-action_release/main@v4
-      with:
-        distribute: true
-        publish_to_binaries: true
-        attach_artifacts_to_github_release: true
-        run_rules_cov: false
-        slack_channel: sonarqube-build
-      env:
-        ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }}
-        BINARIES_AWS_DEPLOY: ${{ secrets.BINARIES_AWS_DEPLOY }}
-        BURGRX_USER: ${{ secrets.BURGRX_USER }}
-        BURGRX_PASSWORD: ${{ secrets.BURGRX_PASSWORD }}
-        CIRRUS_TOKEN: ${{ secrets.CIRRUS_TOKEN }}
-        PATH_PREFIX: ${{ secrets.BINARIES_PATH_PREFIX }}
-        GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
-        RELEASE_SSH_USER: ${{ secrets.RELEASE_SSH_USER }}
-        RELEASE_SSH_KEY: ${{ secrets.RELEASE_SSH_KEY }}
-        SLACK_API_TOKEN: ${{secrets.SLACK_API_TOKEN }}
-    - name: Log outputs
-      if: always()
-      run: |
-        echo "${{ steps.run_release.outputs.releasability }}"
-        echo "${{ steps.run_release.outputs.release }}"
-        echo "${{ steps.run_release.outputs.distribute_release }}"
-    - name: Notify success on Slack
-      uses: Ilshidur/action-slack@2.0.0
-      env:
-        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+    - name: get secrets
+      id: secrets
+      uses: SonarSource/vault-action-wrapper@8e22afd670393ed80f489f5dbd517d09ea21d75b
       with:
-        args: "Release successful for {{ GITHUB_REPOSITORY }} by {{ GITHUB_ACTOR }}"
+        secrets: |
+          development/github/token/SonarSource-sonar-scanner-cli-release token | GITHUB_TOKEN_RELEASE;
+          development/kv/data/slack token | SLACK_BOT_TOKEN;
     - name: Create Release for Docker Image
       id: create_release
       uses: softprops/action-gh-release@v1
       env:
-        GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN_RELEASE }}
         GITHUB_REPOSITORY: SonarSource/sonar-scanner-cli-docker
       with:
         tag_name: ${{ github.event.release.tag_name }}
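Review bot: The new `release_docker` job runs the `get secrets` step against Vault but declares no `permissions:` block, while the `release` job that also reaches Vault explicitly grants `id-token: write`; if `SonarSource/vault-action-wrapper` authenticates with the GitHub OIDC token, as the first job's permissions suggest, the default job token will not carry `id-token` and the step will fail before any secret is fetched. Add `permissions:` / `  id-token: write` under `release_docker`, next to `needs: release`. Separately, the reusable workflow is referenced by the mutable tag `@5.0.1` whereas the Vault wrapper is pinned to a full commit SHA; pinning the workflow to a SHA too would keep the supply-chain posture consistent across the file. The `release_docker` job body continues past this hunk into the next one.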
@@ -64,50 +40,10 @@ jobs:
         draft: false
         prerelease: false
     - name: Notify failures on Slack
-      uses: Ilshidur/action-slack@2.0.0
+      uses: slackapi/slack-github-action@v1.23.0
       if: failure()
-      env:
-        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
       with:
-        args: "Release failed, see the logs at https://github.com/{{ GITHUB_REPOSITORY }}/actions by {{ GITHUB_ACTOR }}"
-  maven-central-sync:
-    runs-on: ubuntu-latest
-    needs:
-      - run_release
-    steps:
-      - name: Setup JFrog CLI
-        uses: jfrog/setup-jfrog-cli@v1
-      - name: JFrog config
-        run: jfrog rt config repox --url https://repox.jfrog.io/artifactory/ --apikey $ARTIFACTORY_API_KEY --basic-auth-only
-        env:
-          ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }}
-      - name: Get the version
-        id: get_version
-        run: |
-          IFS=. read major minor patch build <<< "${{ github.event.release.tag_name }}"
-          echo ::set-output name=build::"${build}"
-      - name: Create local repository directory
-        id: local_repo
-        run: echo ::set-output name=dir::"$(mktemp -d repo.XXXXXXXX)"
-      - name: Download Artifacts
-        uses: SonarSource/gh-action_release/download-build@v4
-        with:
-          build-number: ${{ steps.get_version.outputs.build }}
-          local-repo-dir: ${{ steps.local_repo.outputs.dir }}
-      - name: Maven Central Sync
-        id: maven-central-sync
-        continue-on-error: true
-        uses: SonarSource/gh-action_release/maven-central-sync@v4
-        with:
-          local-repo-dir: ${{ steps.local_repo.outputs.dir }}
-        env:
-          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-      - name: Notify on failure
-        if: ${{ failure() || steps.maven-central-sync.outcome == 'failure' }}
-        uses: 8398a7/action-slack@v3
-        with:
-          status: failure
-          fields: repo,author,eventName
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_BUILD_WEBHOOK }}
+        channel-id: sonarqube-build
+        slack-message: "Release failed, see the logs at https://github.com/{{ GITHUB_REPOSITORY }}/actions by {{ GITHUB_ACTOR }}"
+      env:
+        SLACK_BOT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_BOT_TOKEN }}
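Review bot: The `slack-message` value still carries the `{{ GITHUB_REPOSITORY }}` and `{{ GITHUB_ACTOR }}` placeholders that the removed `Ilshidur/action-slack` expanded; `slackapi/slack-github-action` does no such templating, so on a failure the message is posted verbatim with the braces and without a usable link. Use the workflow expressions instead: `slack-message: "Release failed, see the logs at https://github.com/${{ github.repository }}/actions by ${{ github.actor }}"`. The input name `channel-id` also suggests the action expects a Slack channel ID rather than the name `sonarqube-build`; worth confirming the name is accepted before relying on this notification.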