BUILD-8677 Simplify README by removing redundant Features sections

Remove all ### Features sections that were either redundant with the action description or contained generic boilerplate. Rescue the
branch-strategy information from build-maven as a proper Deployment Strategy table, and rescue the build-gradle gradlew fallback note
into the action description.

Move Deployment Strategy to standalone section and fix inaccuracies

Move the deployment strategy table out of build-maven into a shared standalone section (grouped with Provenance Attestation) since it applies
to all build actions.

Fix inaccuracies verified against implementation:
- feature/long/* branches DO deploy (was incorrectly marked as no)
- "master" renamed to "Default branch" (configured via DEFAULT_BRANCH)
- Remove Maven-specific "Notes" column that did not apply to other actions
- Add build-gradle exception: sonar analysis not branch-filtered in Gradle

Note build-gradle sonar branch filtering as a known bug

Add a TODO comment in build-gradle/build.sh and update the README to flag that sonar analysis is not filtered by branch type in build-gradle,
unlike all other build actions. Should add a should_scan() guard to skip sonar on dogfood/other branches consistently.

Fix deploy input verification: document inconsistencies and add TODOs

- Fix README Deployment Strategy table: long-lived feature branches only deploy for build-maven and build-gradle, not for build-npm/build-yarn/build-poetry
- Add note that deploy:'false' override is only supported by build-maven and build-gradle
- Add TODO comments to build-npm, build-yarn, build-poetry noting the missing DEPLOY env var support and long-lived feature branch deploy discrepancy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: julien-carsique-sonarsource

README.md

@@ -43,15 +43,6 @@ These badges show the status of workflows in dummy repositories that use (or sho
 [![Pre-commit checks](https://github.com/SonarSource/sonar-dummy-yarn/actions/workflows/pre-commit.yml/badge.svg?branch=master)](https://github.com/SonarSource/sonar-dummy-yarn/actions/workflows/pre-commit.yml)
 [![Unified Dogfooding scans](https://github.com/SonarSource/sonar-dummy-yarn/actions/workflows/unified-dogfooding.yml/badge.svg?branch=master)](https://github.com/SonarSource/sonar-dummy-yarn/actions/workflows/unified-dogfooding.yml)
 
-## Using AI for Cirrus CI to GitHub Actions Migration
-
-It is recommended to use AI tools like Cursor or Claude code to assist with Cirrus CI to GitHub actions migration.
-This repository contains a comprehensive guide to be passed as a context to AI. The guide is shared with Sonar developers using Cursor,
-accessible using `@Doc` tag.
-
-See the [documentation](https://xtranet-sonarsource.atlassian.net/wiki/spaces/Platform/pages/4232970266/Migration+From+Cirrus+CI+-+GitHub)
-for details on how to use it.
-
 ---
 
 ## Actions provided in this repository
@@ -70,6 +61,8 @@ for details on how to use it.
 - [`pr_cleanup`](#pr_cleanup)
 - [`code-signing`](#code-signing)
 
+---
+
 ## `get-build-number`
 
 Manage the build number in GitHub Actions.
@@ -125,12 +118,7 @@ No inputs are required for this action.
 |----------------------|--------------------------|
 | `BUILD_NUMBER`       | The current build number |
 
-### Features
-
-- Automatic build number management with GitHub repository properties
-- Build number uniqueness per workflow run ID
-- No increment on workflow reruns
-- Sets both environment variable and output variable
+---
 
 ## `config-maven`
 
@@ -250,6 +238,8 @@ steps:
 
 See also [`get-build-number`](#get-build-number) output environment variables.
 
+---
+
 ## `build-maven`
 
 Build and deploy a Maven project with SonarQube analysis and Artifactory deployment.
@@ -372,23 +362,7 @@ for the public values, and by setting the environment variables for the private
 
 See also [`config-maven`](#config-maven) output environment variables.
 
-### Features
-
-- Build context detection with automatic deployment strategies
-- SonarQube analysis for code quality
-- Artifact signing with GPG keys
-- Conditional deployment based on branch patterns
-- Develocity integration for build optimization (optional)
-- Maven local repository caching with customization options
-- Support for different branch types:
-  - **master**: Deploy + SonarQube analysis with full profiles
-  - **maintenance** (`branch-*`): Deploy with full profiles + separate SonarQube analysis
-  - **pr**: Conditional deployment with SonarQube analysis
-  - **dogfood** (`dogfood-on-*`): Deploy only with dogfood profiles
-  - **feature** (`feature/long/*`): Verify + SonarQube analysis only
-  - **default**: Basic verify goal only
-- Mixed privacy repository support for combined public and private artifacts
-- GitHub workflow job summary with build information and deployment status
+---
 
 ## `build-poetry`
 
@@ -486,6 +460,8 @@ jobs:
 | `project-version` | The project version from pyproject.toml with build number. Also set as environment variable `PROJECT_VERSION` |
 | `deployed`        | `true` if the build succeed and was supposed to deploy                                                        |
 
+---
+
 ## `config-gradle`
 
 Configure Gradle build environment with build number, authentication, and default settings.
@@ -610,11 +586,14 @@ If provided, `SONARSOURCE_REPOSITORY` is used at runtime by the Gradle init scri
 
 See also [`get-build-number`](#get-build-number) output environment variables.
 
+---
+
 ## `build-gradle`
 
 Build and publish a Gradle project with SonarQube analysis and Artifactory deployment.
 
 > **Note:** This action automatically calls [`config-gradle`](#config-gradle) to set up the Gradle environment.
+> **Note:** Uses the Gradle wrapper (`./gradlew`) by default, falling back to the `gradle` binary if not found.
 
 ### Requirements
 
@@ -741,21 +720,6 @@ See also [`config-gradle`](#config-gradle) input environment variables.
 | `BUILD_NUMBER`    | The current build number. Also set as environment variable `BUILD_NUMBER` |
 | `deployed`        | `true` if the build succeed and was supposed to deploy                    |
 
-### Features
-
-- Uses the gradle wrapper (`./gradlew`) by default and falls back to the `gradle` binary in case it is not found
-- Automated version management with build numbers
-- SonarQube analysis for code quality with multi-platform support
-- Unified platform dogfooding - analyze across all 3 SonarQube platforms (next, sqc-eu, sqc-us)
-- Automatic deployment prevention during shadow scans to avoid duplicate artifacts
-- Conditional deployment based on branch patterns
-- Automatic artifact signing with credentials from Vault
-- Pull request support with optional deployment
-- Develocity integration for build scans
-- Gradle caching with customization options
-- Comprehensive build logging and error handling
-- GitHub workflow job summary with build information and deployment status
-
 ### Caching Configuration
 
 By default, Gradle caches `~/.gradle/caches` and `~/.gradle/wrapper`. You can customize this behavior:
@@ -849,6 +813,8 @@ artifactory {
 }
 ```
 
+---
+
 ## `config-npm`
 
 Configure NPM and JFrog build environment with build number, authentication, and settings.
@@ -922,6 +888,8 @@ See also [`get-build-number`](#get-build-number) input environment variables.
 
 See also [`get-build-number`](#get-build-number) output environment variables.
 
+---
+
 ## `build-npm`
 
 Build, test, analyze with SonarQube, and deploy an NPM project to JFrog Artifactory.
@@ -1023,19 +991,7 @@ See also [`config-npm`](#config-npm) input environment variables.
 
 See also [`config-npm`](#config-npm) output environment variables.
 
-### Features
-
-- Automated version management with build numbers and SNAPSHOT handling
-- SonarQube analysis for code quality with multi-platform support
-- Unified platform dogfooding - analyze across all 3 SonarQube platforms (next, sqc-eu, sqc-us)
-- Automatic deployment prevention during shadow scans to avoid duplicate artifacts
-- Conditional deployment based on branch patterns
-- NPM dependency caching for faster builds (configurable)
-- Pull request support with optional deployment
-- JFrog build info publishing with UI links
-- Support for different branch types (default, maintenance, PR, dogfood, long-lived feature)
-- Comprehensive build logging and error handling
-- GitHub workflow job summary with build information and deployment status
+---
 
 ## `build-yarn`
 
@@ -1125,19 +1081,7 @@ jobs:
 | `project-version` | The project version from package.json                                     |
 | `deployed`        | `true` if the build succeed and was supposed to deploy                    |
 
-### Features
-
-- Automated version management with build numbers and SNAPSHOT handling
-- SonarQube analysis for code quality with multi-platform support
-- Unified platform dogfooding - analyze across all 3 SonarQube platforms (next, sqc-eu, sqc-us)
-- Automatic deployment prevention during shadow scans to avoid duplicate artifacts
-- Conditional deployment based on branch patterns
-- Yarn dependency caching for faster builds (configurable)
-- Pull request support with optional deployment
-- JFrog build info publishing with UI links
-- Support for different branch types (default, maintenance, PR, dogfood, long-lived feature)
-- Comprehensive build logging and error handling
-- GitHub workflow job summary with build information and deployment status
+---
 
 ## `config-pip`
 
@@ -1218,14 +1162,6 @@ steps:
 
 See also [`get-build-number`](#get-build-number) output environment variables.
 
-### Features
-
-- Build number management via [`get-build-number`](#get-build-number)
-- Automatic Artifactory authentication via Vault
-- Auto-detection of reader role based on repository visibility
-- Pip dependency caching with customization options
-- Global pip configuration for all subsequent `pip install` commands
-
 ### Migration from configure-pipx-repox
 
 If you're currently using `SonarSource/sonarqube-cloud-github-actions/configure-pipx-repox@master`, you can replace it with:
@@ -1240,6 +1176,8 @@ If you're currently using `SonarSource/sonarqube-cloud-github-actions/configure-
 
 Both actions produce the same configuration and are functionally equivalent.
 
+---
+
 ## `promote`
 
 This action promotes a build in JFrog Artifactory and updates the GitHub status check accordingly.
@@ -1320,15 +1258,6 @@ promote:
 
 This action does not provide any outputs.
 
-### Features
-
-- Automatic promotion of build artifacts in JFrog Artifactory
-- GitHub status check updates with promotion status
-- Support for both single and multi-repository promotions
-- Automatic target repository determination based on branch type
-- Pull request artifact promotion support
-- GitHub workflow job summary with promotion information and deployment link
-
 ---
 
 ## `pr_cleanup`
@@ -1367,13 +1296,7 @@ No inputs are required for this action.
 
 No outputs are provided by this action.
 
-### Features
-
-- Remove GitHub Actions caches associated with the PR
-- Clean up artifacts created during PR workflows
-- Provide detailed output of the deleted resources
-- Show before/after state of caches and artifacts
-- Automatic triggering on PR closure
+---
 
 ## `code-signing`
 
@@ -1435,12 +1358,32 @@ After running this action, the following environment variables are available:
 - `SM_CODE_SIGNING_CERT_SHA1_HASH`: Certificate fingerprint for signing
 - `SMTOOLS_PATH`: Path where SMTools are installed, certificate and `.cfg` file is stored.
 
-### Features
+---
+
+## Deployment Strategy
+
+All build actions (`build-maven`, `build-gradle`, `build-npm`, `build-yarn`, `build-poetry`) share the same branch-based deployment and
+SonarQube analysis strategy. Shared helper predicates and orchestration utilities are provided by `shared/common-functions.sh`, while the
+concrete deploy and scan behavior is implemented in each build script:
+
+| Branch                                | Deploy   | SonarQube |
+|---------------------------------------|----------|-----------|
+| Default branch (`master`, `main`)     | yes      | yes       |
+| Maintenance (`branch-*`)              | yes      | yes       |
+| Pull request                          | optional | yes       |
+| Dogfood (`dogfood-on-*`)              | yes      | no        |
+| Long-lived feature (`feature/long/*`) | yes ¹    | yes       |
+| Other branches                        | no       | no        |
+
+- Pull request deployment requires `deploy-pull-request: 'true'`.
+- SonarQube analysis also requires `sonar-platform` to be set (not `none`).
+- ¹ `build-maven` and `build-gradle` only; `build-npm`, `build-yarn`, and `build-poetry` do not deploy on long-lived feature branches.
+- `build-maven` and `build-gradle` support a `deploy: 'false'` input to override deployment regardless of branch. `build-npm`,
+  `build-yarn`, and `build-poetry` do not have this input (TODO: add for consistency).
+- **`build-gradle` known bug**: SonarQube analysis is not filtered by branch type. When `sonar-platform ≠ none`, analysis runs on all
+  branches, including dogfood and other branches (unlike all other build actions).
 
-- **Official DigiCert Integration**: Uses the official DigiCert `ssm-code-signing` action for reliable smctl installation
-- **Unified Caching Strategy**: Single cache key for both smctl and jsign tools to optimize cache efficiency
-- **Smart Cache Management**: Caches smctl installation directory and jsign .deb package for faster subsequent runs
-- **Automatic Setup**: Handles all DigiCert authentication and environment configuration
+---
 
 ## Provenance Attestation
 
@@ -1588,3 +1531,29 @@ improvements, fixes, documentation, and **breaking changes**).
     Communicate major updates, changes and migrations that require action from users following as indicated in
     the [Updates, Changes and Migrations for Squads - Platform](https://xtranet-sonarsource.atlassian.net/wiki/spaces/Platform/pages/4385374219/Updates+Changes+and+Migrations+for+Squads+-+Platform#Usage-of-Communication-Channels)
     xtranet page.
+
+---
+
+## Using AI for Cirrus CI to GitHub Actions Migration
+
+It is recommended to use AI tools like Cursor or Claude code to assist with Cirrus CI to GitHub actions migration.
+
+This repository contains a comprehensive guide to be passed as a context to
+AI: [.cursor/cirrus-github-migration.md](.cursor/cirrus-github-migration.md). Here are some example prompts:
+
+```md
+Refer @https://github.com/SonarSource/ci-github-actions/blob/master/.cursor/cirrus-github-migration.md
+Migrate @.cirrus.yml to GitHub Actions
+```
+
+Or, in the [re-terraform-aws-vault](https://github.com/SonarSource/re-terraform-aws-vault) repository, you can use it to check for missing
+vault secrets before migration:
+
+```md
+Refer @https://github.com/SonarSource/ci-github-actions/blob/master/.cursor/cirrus-github-migration.md
+Give me a report of the missing vault secrets for the repository `sonar-dummy`
+```
+
+See
+the ["Migration From Cirrus CI - GitHub" xtranet documentation](https://xtranet-sonarsource.atlassian.net/wiki/spaces/Platform/pages/4232970266/Migration+From+Cirrus+CI+-+GitHub)
+for more details.

build-gradle/build.sh

@@ -223,6 +223,10 @@ gradle_build() {
     echo "::endgroup::"
   else
     # Build with sonar analysis via orchestrator
+    # TODO BUILD-10586: sonar analysis is not filtered by branch type here — it runs on all branches
+    # (including dogfood and other branches) when sonar-platform != none. This differs from
+    # build-maven/build-npm/build-yarn/build-poetry which skip sonar on dogfood/other branches.
+    # Should add a should_scan() guard consistent with the other build scripts.
     # shellcheck disable=SC2119
     orchestrate_sonar_platforms
   fi

build-npm/build.sh

@@ -123,6 +123,9 @@ jfrog_npm_publish() {
 }
 
 # Determine build configuration based on branch type
+# TODO BUILD-10586: this function does not support a DEPLOY env var to override deployment (unlike build-maven and build-gradle).
+# Should add a DEPLOY=${DEPLOY:=true} check consistent with those build scripts.
+# Note: unlike build-maven and build-gradle, long-lived feature branches (feature/long/*) do not deploy here.
 get_build_config() {
   local enable_sonar enable_deploy
   local sonar_args=()

build-poetry/build.sh

@@ -193,6 +193,9 @@ set_project_version() {
 }
 
 # Determine build configuration based on branch type
+# TODO BUILD-10586: this function does not support a DEPLOY env var to override deployment (unlike build-maven and build-gradle).
+# Should add a DEPLOY=${DEPLOY:=true} check consistent with those build scripts.
+# Note: unlike build-maven and build-gradle, long-lived feature branches (feature/long/*) do not deploy here.
 get_build_config() {
   local enable_sonar enable_deploy
   local sonar_args=()

build-yarn/build.sh

@@ -193,6 +193,9 @@ jfrog_yarn_publish() {
 }
 
 # Determine build configuration based on branch type
+# TODO BUILD-10586: this function does not support a DEPLOY env var to override deployment (unlike build-maven and build-gradle).
+# Should add a DEPLOY=${DEPLOY:=true} check consistent with those build scripts.
+# Note: unlike build-maven and build-gradle, long-lived feature branches (feature/long/*) do not deploy here.
 get_build_config() {
   local enable_sonar enable_deploy
   local sonar_args=()