BUILD-9208 Exclude release and sign profiles during shadow scans #219
Shadow scans perform analysis without deployment, so release and sign Maven profiles are unnecessary overhead. This change prevents adding these profiles when RUN_SHADOW_SCANS is enabled, making Maven builds faster and logs cleaner.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Pull request overview
This PR updates the build-maven GitHub Action to avoid activating Maven release/sign profiles when RUN_SHADOW_SCANS=true, reducing unnecessary work for analysis-only (non-deploying) shadow scan runs.
Changes:
- Skip -Prelease,sign on default/maintenance branches during shadow scans.
- Skip -Prelease on dogfood branches during shadow scans.
- Add/extend ShellSpec coverage to assert profiles are excluded when shadow scans are enabled.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| build-maven/build.sh | Conditionally omits release/sign profiles when RUN_SHADOW_SCANS=true for relevant branch types. |
| spec/build-maven_spec.sh | Adds test cases validating that shadow scan runs do not include release/sign profiles. |
| The output should include "Maven command: mvn install -Pcoverage" | ||
| The output should not include "release" | ||
| The output should not include "sign" |
The negative assertions are very broad ("release"/"sign" could match unrelated output like a branch name or future log text). To make the test more robust and specifically verify the behavior change, assert that the Maven command line does not contain the profile flags (e.g., "-Prelease,sign" / "-Prelease" / "-Psign") rather than the generic substrings.
| The output should include "Maven command: mvn install" | ||
| The output should not include "release" |
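Review bot: The positive assertion in this pair, The output should include "Maven command: mvn install", is a substring match, so it passes for any command line that begins with mvn install, whether or not a profile flag follows it. The exclusion is therefore verified only by the negative line. Consider asserting the complete expected command line for this branch type, so that an unexpected extra argument fails the test.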
This assertion checks for the substring "release" anywhere in output, which is looser than needed and may become flaky if other log lines/branch names include that word. Prefer asserting the Maven command does not include the profile flag (e.g., "-Prelease").
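A stricter form of the check suggested in the review comments above, added here as an example and not taken from the PR or the build-maven action: it parses the activated profiles out of the logged Maven command instead of matching substrings. The function names and the sample log lines are constructed for illustration.

```shell
# Added example; function names and log lines are constructed, not from build-maven.

# Print each profile activated on the first "Maven command:" line of the log
# text in $1, one per line. The body is a subshell so set -f and variables stay local.
maven_profiles() (
  set -f  # the unquoted $cmd below must be word-split but not glob-expanded
  cmd=$(printf '%s\n' "$1" | sed -n 's/^.*Maven command: //p' | head -n 1)
  want_list=0
  for arg in $cmd; do
    if [ "$want_list" -eq 1 ]; then
      list=$arg
      want_list=0
    else
      case $arg in
        -P|--activate-profiles) want_list=1; continue ;;
        -P*) list=${arg#-P} ;;
        --activate-profiles=*) list=${arg#--activate-profiles=} ;;
        *) continue ;;
      esac
    fi
    # Split the comma list; drop empty entries and "!x" / "-x" deactivations.
    printf '%s\n' "$list" | tr ',' '\n' | sed -e '/^$/d' -e '/^[!-]/d'
  done
)

# Exit 0 if profile $2 is activated by the Maven command in log text $1.
maven_has_profile() {
  maven_profiles "$1" | grep -Fxq -- "$2"
}

# Constructed logs: the first contains "release" and "sign" as plain substrings only.
SHADOW_LOG='Fetching branch release/10.4
Maven command: mvn install -Pcoverage
Assigning build number 42'
DEPLOY_LOG='Maven command: mvn deploy -Pcoverage -Prelease,sign'

for p in release sign; do
  if maven_has_profile "$SHADOW_LOG" "$p"; then
    echo "shadow scan activated profile: $p"
  else
    echo "shadow scan: profile $p not active"
  fi
done
```

A substring assertion on "release" or "sign" would fail on the first constructed log even though no such profile is activated there.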




BUILD-9208 Exclude release and sign profiles during shadow scans
Changes
This PR modifies the build-maven action to exclude the release and sign Maven profiles when run-shadow-scans is enabled.

Shadow scans perform SonarQube analysis on all three platforms (next, sqc-us, sqc-eu) without deploying artifacts. Including release and sign profiles during shadow scans is unnecessary overhead since:
Implementation
Modified build-maven/build.sh to check RUN_SHADOW_SCANS before adding Maven profiles:
- -Prelease,sign when shadow scans are enabled
- -Prelease when shadow scans are enabled

Before (with shadow scans on master):
After (with shadow scans on master):