BUILD-10993: Migrate SonarJS workflows to sonar-m-docker and sonar-*-public runners (#6730)

Co-authored-by: Michal Zgliczynski <mzglicz@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: zglicz <michal.zgliczynski@sonarsource.com>
Co-authored-by: sonar-review-alpha[bot] <266116024+sonar-review-alpha[bot]@users.noreply.github.com>

Author: 4 people

.github/workflows/LabelEslintPlugin.yml

@@ -9,7 +9,7 @@ on:
 jobs:
   add_eslint_plugin_label:
     name: Add eslint-plugin label to Jira
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     permissions:
       id-token: write
       pull-requests: read

.github/workflows/PullRequestClosed.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   PullRequestMerged_job:
     name: Pull Request Merged
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     permissions:
       id-token: write
       pull-requests: read

.github/workflows/PullRequestCreated.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   PullRequestCreated_job:
     name: Pull Request Created
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     permissions:
       id-token: write
     # For external PR, ticket should be created manually

.github/workflows/RequestReview.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   RequestReview_job:
     name: Request review
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     permissions:
       id-token: write
     # For external PR, ticket should be moved manually

.github/workflows/SubmitReview.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   SubmitReview_job:
     name: Submit Review
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     permissions:
       id-token: write
       pull-requests: read

.github/workflows/build.yml

@@ -17,7 +17,7 @@ concurrency:
 
 jobs:
   setup:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: Setup - Prepare Node.js versions and test hashes
     permissions: &read_permissions
       id-token: write
@@ -73,7 +73,7 @@ jobs:
           echo "Cache month: $MONTH"
 
   get_build_number:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: Get build number
     needs: setup
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -85,7 +85,7 @@ jobs:
         uses: SonarSource/ci-github-actions/get-build-number@master
 
   populate_npm_cache:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: Populate NPM cache for Linux
     needs: setup
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -111,14 +111,16 @@ jobs:
             java = "21.0"
             maven = "3.9"
             node = "24.11.0"
-      - if: steps.cache.outputs.cache-hit != 'true'
+      - if: steps.cache.outputs.cache-hit != 'true' && runner.os != 'Windows'
+        uses: SonarSource/ci-github-actions/config-npm@v1
+      - if: steps.cache.outputs.cache-hit != 'true' && runner.os == 'Windows'
         id: secrets
         name: Access vault secrets
         uses: SonarSource/vault-action-wrapper@v3
         with:
           secrets: |
             development/artifactory/token/${{ github.repository_owner }}-${{ github.event.repository.name }}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
-      - if: steps.cache.outputs.cache-hit != 'true'
+      - if: steps.cache.outputs.cache-hit != 'true' && runner.os == 'Windows'
         name: Configure npm registry
         run: |
           npm config set //repox.jfrog.io/artifactory/api/npm/:_authToken=${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
@@ -136,7 +138,7 @@ jobs:
     steps: *populate_npm_cache_steps
 
   sync_rspec:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: Sync RSPEC metadata
     needs: [setup, populate_npm_cache]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -183,7 +185,7 @@ jobs:
           retention-days: 1
 
   build:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-m-public
     name: Build SonarJS on Linux
     needs: [setup, get_build_number, populate_npm_cache, sync_rspec]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -447,7 +449,7 @@ jobs:
           npm run test
 
   knip:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: Knip
     needs: [setup, populate_npm_cache, sync_rspec]
     permissions: *read_permissions
@@ -465,7 +467,7 @@ jobs:
           GITHUB_TOKEN: ${{ fromJSON(steps.rspec-secrets.outputs.vault).RSPEC_GITHUB_TOKEN }}
 
   test_js:
-    runs-on: github-ubuntu-latest-m
+    runs-on: sonar-m-public
     name: Unit tests JavaScript/TypeScript
     needs: [setup, populate_npm_cache, sync_rspec]
     permissions: *read_permissions
@@ -571,7 +573,7 @@ jobs:
           GITHUB_TOKEN: ${{ fromJSON(steps.rspec-secrets.outputs.vault || '{}').RSPEC_GITHUB_TOKEN }}
 
   analyze_primary:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: Analyze in SonarQube NEXT
     needs: [setup, test_js, build]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -630,7 +632,7 @@ jobs:
           mvn org.sonarsource.scanner.maven:sonar-maven-plugin:5.1.0.4751:sonar $SONAR_ARGS
 
   analyze_shadows:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: Analyze in ${{ matrix.platform }}
     needs: [setup, test_js, build]
     permissions: *read_permissions
@@ -682,7 +684,7 @@ jobs:
           mvn org.sonarsource.scanner.maven:sonar-maven-plugin:5.1.0.4751:sonar $SONAR_ARGS
 
   plugin_qa_with_node:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-m-public
     name: QA with Node ${{ matrix.node-version }} on Ubuntu
     needs: [setup, build]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -727,7 +729,7 @@ jobs:
           GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}
 
   plugin_qa_fast_with_node:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: Fast QA with Node ${{ matrix.node-version }} on Ubuntu
     needs: [setup, build]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -753,7 +755,7 @@ jobs:
           GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}
 
   plugin_qa_without_node:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-m-public
     name: QA without Node on Ubuntu SQ:LATEST_RELEASE
     needs: [setup, build]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -779,16 +781,14 @@ jobs:
         shell: bash
         run: |
           node --version
-          NODE_PATH=$(which node)
-          sudo mv "$NODE_PATH" "${NODE_PATH}.disabled"
 
-          # Verify node is no longer accessible
-          if which node 2>/dev/null; then
-            echo "ERROR: node is still accessible!"
-            exit 1
-          else
-            echo "SUCCESS: node is no longer accessible"
-          fi
+          function node() {
+            echo "node is disabled"
+            exit 0
+          }
+          export -f node
+
+          node
       - *orchestrator_cache
       - name: Run Plugin QA without Node
         run: |
@@ -802,7 +802,7 @@ jobs:
 
   # DEV tests run only on nightly schedule to avoid constant downloads
   plugin_qa_without_node_dev:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: QA without Node on Ubuntu SQ:DEV
     needs: [setup, build]
     if: github.event_name == 'schedule'
@@ -827,7 +827,7 @@ jobs:
           GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}
 
   plugin_qa_without_node_alpine:
-    runs-on: github-ubuntu-latest-m
+    runs-on: sonar-m-docker
     name: QA without Node on Alpine SQ:LATEST_RELEASE
     needs: [setup, get_build_number, build]
     if: github.event_name == 'schedule'
@@ -883,7 +883,7 @@ jobs:
           GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}
 
   plugin_qa_fast_without_node:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-m-public
     name: Fast QA without Node on Ubuntu SQ:LATEST_RELEASE
     needs: [setup, build]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -910,7 +910,7 @@ jobs:
 
   # DEV tests run only on nightly schedule to avoid constant downloads
   plugin_qa_fast_without_node_dev:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: Fast QA without Node on Ubuntu SQ:DEV
     needs: [setup, build]
     if: github.event_name == 'schedule'
@@ -934,7 +934,7 @@ jobs:
           GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}
 
   plugin_qa_fast_without_node_alpine:
-    runs-on: github-ubuntu-latest-m
+    runs-on: sonar-m-docker
     name: Fast QA without Node on Alpine SQ:LATEST_RELEASE
     needs: [setup, get_build_number, build]
     if: github.event_name == 'schedule'
@@ -1066,7 +1066,7 @@ jobs:
           GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).licenses_token }}
 
   js_ts_ruling:
-    runs-on: github-ubuntu-latest-m
+    runs-on: sonar-xl-public
     name: JS/TS Ruling
     needs: [setup, populate_npm_cache, sync_rspec]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -1240,7 +1240,7 @@ jobs:
           fi
 
   ruling:
-    runs-on: github-ubuntu-latest-m
+    runs-on: sonar-xl-public
     name: Ruling Test
     needs: [setup, build]
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
@@ -1271,7 +1271,7 @@ jobs:
 
   # IRIS tasks (nightly only)
   run_iris:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: IRIS SQ NEXT -> ${{ matrix.shadow-name }}
     needs: [analyze_primary, analyze_shadows]
     if: github.event_name == 'schedule'
@@ -1294,7 +1294,7 @@ jobs:
           shadow1_platform: ${{ matrix.shadow-platform }}
 
   promote:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     needs:
       - build
       - build_win
@@ -1325,7 +1325,7 @@ jobs:
           promote-pull-request: true
 
   releasability:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     name: Releasability
     needs:
       - promote

.github/workflows/bump-versions.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   bump-version:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-xs-public
     permissions:
       contents: write
       pull-requests: write

.github/workflows/docker-a3s-repox.yml

@@ -19,7 +19,7 @@ concurrency:
 
 jobs:
   get_build_number:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-m-docker
     name: Get build number
     permissions:
       id-token: write
@@ -32,7 +32,7 @@ jobs:
 
   build_and_publish:
     name: Build and publish Docker image
-    runs-on: github-ubuntu-latest-m
+    runs-on: sonar-m-docker
     needs: get_build_number
     permissions:
       id-token: write
@@ -52,21 +52,17 @@ jobs:
             [tools]
             node = "24.11.0"
 
+      - uses: SonarSource/ci-github-actions/config-npm@v1
+
       - name: Access vault secrets
         id: secrets
         uses: SonarSource/vault-action-wrapper@v3
         with:
           secrets: |
-            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
             development/artifactory/token/{REPO_OWNER_NAME_DASH}-qa-deployer access_token | ARTIFACTORY_DEPLOY_PASSWORD;
             development/artifactory/token/{REPO_OWNER_NAME_DASH}-qa-deployer username | ARTIFACTORY_DEPLOY_USERNAME;
             development/github/token/{REPO_OWNER_NAME_DASH}-rspec token | RSPEC_GITHUB_TOKEN;
 
-      - name: Configure npm registry
-        run: |
-          npm config set //repox.jfrog.io/artifactory/api/npm/:_authToken=${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
-          npm config set registry https://repox.jfrog.io/artifactory/api/npm/npm/
-
       - name: Install NPM dependencies
         run: npm ci
 

.github/workflows/docker-a3s.yml

@@ -19,7 +19,7 @@ on:
 
 jobs:
   get_build_number:
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-m-docker
     name: Get build number
     permissions:
       id-token: write
@@ -32,7 +32,7 @@ jobs:
 
   build_and_publish:
     name: Build and publish Docker image
-    runs-on: github-ubuntu-latest-m
+    runs-on: sonar-m-docker
     needs: get_build_number
     environment: ${{ inputs.environment == 'Prod' && 'Prod' || 'Dev5' }}
     permissions:
@@ -53,19 +53,15 @@ jobs:
             [tools]
             node = "24.11.0"
 
+      - uses: SonarSource/ci-github-actions/config-npm@v1
+
       - name: Access vault secrets
         id: secrets
         uses: SonarSource/vault-action-wrapper@v3
         with:
           secrets: |
-            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
             development/github/token/{REPO_OWNER_NAME_DASH}-rspec token | RSPEC_GITHUB_TOKEN;
 
-      - name: Configure npm registry
-        run: |
-          npm config set //repox.jfrog.io/artifactory/api/npm/:_authToken=${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
-          npm config set registry https://repox.jfrog.io/artifactory/api/npm/npm/
-
       - name: Install NPM dependencies
         run: npm ci
 

.github/workflows/dogfood.yml

@@ -15,7 +15,7 @@ jobs:
   dogfood_merge:
     # Run if triggered by push to dogfood/*, or if Build workflow succeeded on master
     if: github.event_name == 'push' || github.event.workflow_run.conclusion == 'success'
-    runs-on: github-ubuntu-latest-s
+    runs-on: sonar-m-docker
     name: Update dogfood branch
     permissions:
       id-token: write # required for SonarSource/vault-action-wrapper