BUILD-10503 Sanitize workflow name in cache keys #224

Merged
mikolaj-matuszny-ext-sonarsource merged 1 commit into master from feat/mmatuszny/BUILD-10503-cache-fix-attempt
Feb 24, 2026

mikolaj-matuszny-ext-sonarsource commented Feb 24, 2026

Problem

Spaces in GitHub workflow names cause cache save/restore failures. The workflow name is included in the S3 cache key, and spaces in the key result in malformed pre-signed URLs — the request hits an error response instead of the actual S3 object, which doesn't support HTTP range requests:

Warning: Download attempt 1 failed: Range request not supported by server.
Warning: Download attempt 2 failed: Range request not supported by server.
Warning: Failed to restore: Range request not supported by server

Fix

Added a sanitize step before each cache step that replaces spaces in the workflow name with - before it is used in the cache key. The step uses an explicit WORKFLOW_NAME env var sourced from github.workflow (rather than $GITHUB_WORKFLOW) to ensure the value is consistent with what would have been interpolated directly.

All four actions use the same pattern: the sanitize step outputs workflow_name, which is then referenced directly in the key: and restore-keys: expressions of the cache step. For actions where the resulting key: line exceeds the 140-character yamllint limit (config-maven, config-pip), a # yamllint disable/enable rule:line-length block is used.

Changes

  • config-npm/action.yml — sanitize workflow name in NPM cache key
  • config-maven/action.yml — sanitize workflow name in Maven cache key
  • config-gradle/action.yml — sanitize workflow name in Gradle cache key
  • config-pip/action.yml — sanitize workflow name in Pip cache key

Jira

https://sonarsource.atlassian.net/browse/BUILD-10503

Testing

https://github.com/SonarSource/sonar-dummy/actions/runs/22349083633/job/64671224433#step:4:740 after
https://github.com/SonarSource/sonar-dummy/actions/runs/22348992658/job/64670914225#step:4:717 before

hashicorp-vault-sonar-prod bot commented Feb 24, 2026

BUILD-10503

mikolaj-matuszny-ext-sonarsource force-pushed the feat/mmatuszny/BUILD-10503-cache-fix-attempt branch from ca06b8e to 57296e8, February 24, 2026 11:34

mikolaj-matuszny-ext-sonarsource changed the title from "BUILD-10503 Sanitize workflow name in config-npm" to "BUILD-10503 Sanitize workflow name in cache keys", Feb 24, 2026

matemoln commented Feb 24, 2026

mikolaj-matuszny-ext-sonarsource force-pushed the feat/mmatuszny/BUILD-10503-cache-fix-attempt branch from 57296e8 to b1aef21, February 24, 2026 13:21

@mikolaj-matuszny-ext-sonarsource

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

mikolaj-matuszny-ext-sonarsource force-pushed the feat/mmatuszny/BUILD-10503-cache-fix-attempt branch from b1aef21 to 6afc22b, February 24, 2026 13:44

@sonarqubecloud

SonarQube reviewer guide

Summary: Sanitize workflow names in cache keys across all package manager actions to replace spaces with hyphens, ensuring valid cache key formatting.

Review Focus: Verify that the sanitization logic (${WORKFLOW_NAME// /-}) correctly handles all edge cases of workflow names. Ensure the new step's conditional logic aligns with each action's caching requirements and that no cache invalidation issues arise from this change.

Start review at: config-gradle/action.yml. This file contains the simplest implementation and establishes the pattern used across all other actions, making it the ideal baseline for understanding the approach before reviewing the more complex Maven and pip configurations.

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

mikolaj-matuszny-ext-sonarsource merged commit 4ef2061 into master, Feb 24, 2026
11 checks passed
mikolaj-matuszny-ext-sonarsource deleted the feat/mmatuszny/BUILD-10503-cache-fix-attempt branch, February 24, 2026 13:55
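
The sanitization described in the pull request and quoted in the reviewer guide (${WORKFLOW_NAME// /-}), run over a few edge-case workflow names. This is an added example, not code from the pull request or the repository; the function names and sample workflow names are constructed, and the unreserved-character check is an added review aid that the actions themselves are not stated to perform.

```bash
#!/usr/bin/env bash
# Added example: function names and sample workflow names are constructed.

# The substitution quoted in the reviewer guide: every space becomes "-".
sanitize_workflow_name() {
  local name=$1
  printf '%s' "${name// /-}"
}

# Publish the value as the step output "workflow_name", as the PR describes.
# GITHUB_OUTPUT is the file GitHub Actions reads step outputs from.
emit_workflow_name() {
  printf 'workflow_name=%s\n' "$(sanitize_workflow_name "$WORKFLOW_NAME")" \
    >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}"
}

# Added review aid (not part of the actions): return the characters that are
# still outside the RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~), i.e. those
# a URL would have to percent-encode.
unsafe_chars() {
  printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9._~-'
}

# True when two different workflow names end up with the same sanitized
# name, and therefore the same workflow component in the cache key.
collides() {
  [ "$1" != "$2" ] &&
    [ "$(sanitize_workflow_name "$1")" = "$(sanitize_workflow_name "$2")" ]
}

# Constructed sample names covering the edge cases a reviewer would check.
for n in "Build and Test" "Nightly  build" " lead" "CI/CD: main"; do
  s=$(sanitize_workflow_name "$n")
  printf '[%s] -> [%s] still unsafe: [%s]\n' "$n" "$s" "$(unsafe_chars "$s")"
done
if collides "Build Test" "Build-Test"; then
  echo '"Build Test" and "Build-Test" share one sanitized name'
fi
```

Only the space character is rewritten: repeated or leading spaces become repeated or leading hyphens, and characters such as "/" and ":" pass through unchanged.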