SQSCANGHA-121 Add vulnerability warning

SQSCANGHA-77 Change title back to SonarQube Scan Action (#166 )
SQSCANGHA-76 Support self-hosted runners not clearing truststore after run (#165 )
2025-09-25 14:31:06 +02:00 · 2024-12-17 10:59:50 +01:00 · 2024-12-17 09:19:42 +01:00 · 2024-12-16 10:45:31 +01:00 · 2024-12-16 10:40:37 +01:00 · 2024-12-16 10:32:38 +01:00
25 changed files with 1511 additions and 72 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,3 +1,10 @@
 <!-- 
  Only for standalone PRs without Jira issue in the PR title: 
    * Replace this comment with Epic ID to create a new Task in Jira
    * Replace this comment with Issue ID to create a new Sub-Task in Jira
    * Ignore or delete this note to create a new Task in Jira without a parent 
 -->
 Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. If you would like to see a new feature, please create a new thread in the forum ["Suggest new features"](https://community.sonarsource.com/c/suggestions/features).
 With that in mind, if you would like to submit a code contribution, make sure that you adhere to the following guidelines and all tests are passing:
--- a/.github/workflows/PullRequestClosed.yml
+++ b/.github/workflows/PullRequestClosed.yml
@@ -0,0 +1,29 @@
 name: Pull Request Closed
 on:
  pull_request:
    types: [closed]
 jobs:
  PullRequestMerged_job:
    name: Pull Request Merged
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
    # For external PR, ticket should be moved manually
    if: |
        github.event.pull_request.head.repo.full_name == github.repository
        && github.event.pull_request.merged
    steps:
      - id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/kv/data/jira user | JIRA_USER;
            development/kv/data/jira token | JIRA_TOKEN;
      - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          jira-user:  ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
--- a/.github/workflows/PullRequestCreated.yml
+++ b/.github/workflows/PullRequestCreated.yml
@@ -0,0 +1,29 @@
 name: Pull Request Created
 on:
  pull_request:
    types: ["opened"]
 jobs:
  PullRequestCreated_job:
    name: Pull Request Created
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    # For external PR, ticket should be created manually
    if: |
        github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
            development/kv/data/jira user | JIRA_USER;
            development/kv/data/jira token | JIRA_TOKEN;
      - uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2
        with:
          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
          jira-user:    ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
          jira-token:   ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
          jira-project: SQSCANGHA
--- a/.github/workflows/RequestReview.yml
+++ b/.github/workflows/RequestReview.yml
@@ -0,0 +1,28 @@
 name: Request review
 on:
  pull_request:
    types: ["review_requested"]
 jobs:
  RequestReview_job:
    name: Request review
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    # For external PR, ticket should be moved manually
    if: |
        github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
            development/kv/data/jira user | JIRA_USER;
            development/kv/data/jira token | JIRA_TOKEN;
      - uses: sonarsource/gh-action-lt-backlog/RequestReview@v2
        with:
          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
          jira-user:    ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
          jira-token:   ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
--- a/.github/workflows/SubmitReview.yml
+++ b/.github/workflows/SubmitReview.yml
@@ -0,0 +1,30 @@
 name: Submit Review
 on:
  pull_request_review:
    types: [submitted]
 jobs:
  SubmitReview_job:
    name: Submit Review
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
    # For external PR, ticket should be moved manually
    if: |
        github.event.pull_request.head.repo.full_name == github.repository
        && (github.event.review.state == 'changes_requested'
            || github.event.review.state == 'approved')
    steps:
      - id: secrets
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
            development/kv/data/jira user | JIRA_USER;
            development/kv/data/jira token | JIRA_TOKEN;
      - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
--- a/.github/workflows/qa-deprecated-c-cpp.yml
+++ b/.github/workflows/qa-deprecated-c-cpp.yml
@@ -0,0 +1,87 @@
 name: QA Deprecated C and C++ action
 on:
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]
 jobs:
  output-test:
    name: Action outputs
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
        cache: [true, false]
        include:
          - arch: X64
          - os: macos-latest
            arch: ARM64
    runs-on: ${{ matrix.os }}
    steps:
      # Specifying a specific architecture of the runner is not possible for Github hosted runners
      # We can only check if the runner architecture matches the expected one
      - name: check_runner_arch
        shell: bash
        run: |
          echo "Runner architecture: ${{ runner.arch }}"
          if [[ "${{ runner.arch }}" != "${{ matrix.arch }}" ]]; then
            echo "##[error]Runner architecture does not match the expected one"
            exit 1
          fi
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Run SonarQube C/C++ action
        id: run-action
        uses: ./deprecated-c-cpp
        env:
          SONAR_HOST_URL: 'https://next.sonarqube.com/sonarqube/'
        with:
          cache-binaries: ${{ matrix.cache }}
      - name: SONAR_HOST_URL is set
        shell: bash
        run: |
          [[ $SONAR_HOST_URL == "https://next.sonarqube.com/sonarqube/" ]]
      - name: sonar-scanner is installed and in PATH
        run: |
          sonar-scanner --help | grep "usage: sonar-scanner "
      - name: sonar-scanner-binary output is correct
        shell: bash
        env:
          BINARY: ${{ steps.run-action.outputs.sonar-scanner-binary }}
        run: |
          "$BINARY" --help | grep "usage: sonar-scanner "
      # build-wrapper does not have --help or equivalent option.
      # Pass to few arguments and ignore error code
      - name: build-wrapper is installed and in PATH on Windows
        if: runner.os == 'Windows'
        shell: bash
        run: |
          (build-wrapper-win-x86-64.exe || true) | grep "build-wrapper, version "
      - name: build-wrapper is installed and in PATH on Linux
        if: runner.os == 'Linux'
        shell: bash
        run: |
          (build-wrapper-linux-x86-64 || true) | grep "build-wrapper, version "
      - name: build-wrapper is installed and in PATH on macOS
        if: runner.os == 'macOs'
        shell: bash
        run: |
          (build-wrapper-macosx-x86 || true) | grep "build-wrapper, version "
      - name: build-wrapper-binary output is correct
        shell: bash
        env:
          BINARY: ${{ steps.run-action.outputs.build-wrapper-binary }}
        run: |
          ("$BINARY" || true) | grep "build-wrapper, version "
--- a/.github/workflows/qa-install-build-wrapper.yml
+++ b/.github/workflows/qa-install-build-wrapper.yml
@@ -0,0 +1,69 @@
 name: QA Install Build Wrapper action
 on:
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]
 jobs:
  output-test:
    name: Action outputs
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
        cache: [true, false]
        include:
          - arch: X64
          - os: macos-latest
            arch: ARM64
    runs-on: ${{ matrix.os }}
    steps:
      # Specifying a specific architecture of the runner is not possible for Github hosted runners
      # We can only check if the runner architecture matches the expected one
      - name: check_runner_arch
        shell: bash
        run: |
          echo "Runner architecture: ${{ runner.arch }}"
          if [[ "${{ runner.arch }}" != "${{ matrix.arch }}" ]]; then
            echo "##[error]Runner architecture does not match the expected one"
            exit 1
          fi
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Run SonarQube C/C++ action
        id: run-action
        uses: ./install-build-wrapper
        env:
          SONAR_HOST_URL: 'https://next.sonarqube.com/sonarqube/'
      # build-wrapper does not have --help or equivalent option.
      # Pass to few arguments and ignore error code
      - name: build-wrapper is installed and in PATH on Windows
        if: runner.os == 'Windows'
        shell: bash
        run: |
          (build-wrapper-win-x86-64.exe || true) | grep "build-wrapper, version "
      - name: build-wrapper is installed and in PATH on Linux
        if: runner.os == 'Linux'
        shell: bash
        run: |
          (build-wrapper-linux-x86-64 || true) | grep "build-wrapper, version "
      - name: build-wrapper is installed and in PATH on macOS
        if: runner.os == 'macOs'
        shell: bash
        run: |
          (build-wrapper-macosx-x86 || true) | grep "build-wrapper, version "
      - name: build-wrapper-binary output is correct
        shell: bash
        env:
          BINARY: ${{ steps.run-action.outputs.build-wrapper-binary }}
        run: |
          ("$BINARY" || true) | grep "build-wrapper, version "
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@@ -1,4 +1,4 @@
-name: QA
+name: QA Main action
 on:
  push:
@@ -619,3 +619,166 @@ jobs:
      - name: Assert failure of previous step
        if: steps.wrong_ssl_certificate.outcome == 'success'
        run: exit 1
  overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
    name: >
      'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Create a dummy SCANNER_LOCAL_FOLDER with dummy content in it
        run: |
          SCANNER_VERSION="6.2.1.4610"
          SCANNER_LOCAL_FOLDER="$RUNNER_TEMP/sonar-scanner-cli-$SCANNER_VERSION-$RUNNER_OS-$RUNNER_ARCH"
          # emit SCANNER_VERSION and SCANNER_LOCAL_FOLDER to be able to read them in the next steps
          echo "SCANNER_VERSION=$SCANNER_VERSION" >> $GITHUB_ENV
          echo "SCANNER_LOCAL_FOLDER=$SCANNER_LOCAL_FOLDER" >> $GITHUB_ENV
          mkdir -p "$SCANNER_LOCAL_FOLDER"
          touch "$SCANNER_LOCAL_FOLDER/some_content.txt"
      - name: Assert SCANNER_LOCAL_FOLDER exists and dummy file is in it
        run: |
          [ -d "$SCANNER_LOCAL_FOLDER" ] || exit 1
          [ -f "$SCANNER_LOCAL_FOLDER/some_content.txt" ] || exit 1
      - name: Run action with SONAR_SCANNER_TEMP
        uses: ./
        env:
          NO_CACHE: true # force install-sonar-scanner-cli.sh execution
          SONAR_SCANNER_TEMP: /tmp/sonar-scanner
          SONAR_HOST_URL: http://not_actually_used
        with:
          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
          scannerVersion: ${{ env.SCANNER_VERSION }}
      - name: Assert SCANNER_LOCAL_FOLDER exists and dummy file is not in it
        run: |
          [ -d "$SCANNER_LOCAL_FOLDER" ] || exit 1
          [ ! -f "$SCANNER_LOCAL_FOLDER/some_content.txt" ] || exit 1
  updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
    name: >
      truststore.p12 is updated when present
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
        run: |
          SONAR_SSL_FOLDER=~/.sonar/ssl
          mkdir -p "$SONAR_SSL_FOLDER"
          touch "$SONAR_SSL_FOLDER/not-truststore.p12"
          # emit SONAR_SSL_FOLDER to be able to read it in the next steps
          echo "SONAR_SSL_FOLDER=$SONAR_SSL_FOLDER" >> $GITHUB_ENV
      - name: Assert truststore.p12 does not file exists
        run: |
          [ ! -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
      - name: Run action with SONAR_ROOT_CERT
        uses: ./
        env:
          # NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed 
          SONAR_HOST_URL: http://not_actually_used
          SONAR_ROOT_CERT: |
            -----BEGIN CERTIFICATE-----
            MIIFlTCCA32gAwIBAgIUXK4LyGUFe4ZVL93StPXCoJzmnLMwDQYJKoZIhvcNAQEL
            BQAwTzELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2Vu
            ZXZhMQ8wDQYDVQQKDAZTZXJ2ZXIxDTALBgNVBAsMBERlcHQwHhcNMjQxMTAxMDgx
            MzM3WhcNMzQxMDMwMDgxMzM3WjBPMQswCQYDVQQGEwJDSDEPMA0GA1UECAwGR2Vu
            ZXZhMQ8wDQYDVQQHDAZHZW5ldmExDzANBgNVBAoMBlNlcnZlcjENMAsGA1UECwwE
            RGVwdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK5m0V6IFFykib77
            nmlN7weS9q3D6YGEj+8hRNQViL9KduUoLjoKpONIihU5kfIg+5SkGygjHRkBvIp3
            b0HQqhkwtGln3/FxxaSfGEguLHgzXR8JDQSyJ8UKIGOPCH93n1rUip5Ok1iExVup
            HtkiVDRoCC9cRjZXbGOKrO6VBT4RvakpkaqCdXYikV244B5ElM7kdFdz8fso78Aq
            xekb9dM0f21uUaDBKCIhRcxWeafp0CJIoejTq0+PF7qA2qIY5UHqWElWO5NsvQ8+
            MqKkIdsOa1pYNuH/5eQ59k9KSE92ps1xTKweW000GfPqxx8IQ/e4aAd2SaMTKvN6
            aac6piWBeJ7AssgWwkg/3rnZB5seQIrWjIUePmxJ4c0g0eL9cnVpYF0K/Dldle/G
            wg0zi1g709rBI1TYj9xwrivxSwEQupz8OdKqOmgqrKHJJ/CCLl+JdFYjgwl3NWLH
            wsU639H1bMXIJoQujg9U47e9fXbwiqdkMQzt7rPGkOBBaAkSctAReiXnWy+CbVEM
            QFHDrnD5YUJRd5t/DUuWuqhR2QhfUvRClPUKoVqB/iOu2IumlgDEDA8jb1dxEW+W
            iaYokQCS94OpxOJ8aeReSt9bghT0vc9ifCLWvuE1iBjujdK32ekKSY9DCZyBHXsG
            J9N1nt1qd/k7QqWOkuPjr1JrTIMbAgMBAAGjaTBnMB0GA1UdDgQWBBQw4ESReEk+
            AIxwjHRqPkESzMv1bTAfBgNVHSMEGDAWgBQw4ESReEk+AIxwjHRqPkESzMv1bTAP
            BgNVHRMBAf8EBTADAQH/MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0B
            AQsFAAOCAgEAE8WefoZN23aOSe79ZN7zRBWP8DdPgFAqg5XUhfc9bCIVfJ4XMpEe
            3lzRhgjwDm4naEs35QWOhPZH2vx8XrEKnZNI6vKO8JzaCsivgngk8bsWnvhwSXy5
            eFdc99K+FOmOHevDmeiimoQnikffnSULRhQYzE2Qwyo9iky8703/+D3IKEC/8exC
            rlyGMUV/Nqj+4M+57DiZ6OXeFuunfoFB7vmcDZygqDhKoHhVRyu8qN6PeK2fvUFK
            EjeRtvA0GkdlOtLIF2g5yBTK2ykkt/oLUoAolfYUTKcoV2/FS0gVR5ovmEpKyBcP
            H9hzr16a8dtrEqOf/oKHQSLwxn8afmS354HJ75sq9SujOtIWpHfyH5IgqtUpiBN/
            bzvKs/QZjtGlqvquOTkdh9L4oxTXqG7zEStZyo/v9g5jf1Tq195b2DNFwVUZIcbb
            u2d4CvAZ1yNr+8ax/kTwBSY8WU+mCtmvowFstdvsJXVXJKnUO6EZOdbg0GxTBVyE
            zMsnPcnkOwV5TJIKKhonrgrwmPmQ9IOV9BrThVxujjjEbAdA6jM9PMiXzuDukldm
            QBRwNbczGbdsHkMKHmQnrTqOyQyI4KCXF08kcOm4C1P+Whrvi0DXkqHnyKvBE0td
            dciInBoeHwUs2eclz7gP7pMBJUlFUkKfQxwxGLIqZSXnlAFBfW6hHLI=
            -----END CERTIFICATE-----
        with:
          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
      - name: Assert not-truststore.p12 file still exists
        run: |
          [ -f "$SONAR_SSL_FOLDER/not-truststore.p12" ] || exit 1
      - name: Assert truststore.p12 file now exists and take note of modification time
        run: |
          [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
          # emit the modification time of the truststore.p12 file to be able to read it in the next steps
          TRUSTSTORE_P12_MOD_TIME_T1=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
          echo "TRUSTSTORE_P12_MOD_TIME_T1=$TRUSTSTORE_P12_MOD_TIME_T1" >> $GITHUB_ENV
      - name: Run action a second time with a different SONAR_ROOT_CERT
        uses: ./
        env:
          # NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed 
          SONAR_HOST_URL: http://not_actually_used
          SONAR_ROOT_CERT: |
            -----BEGIN CERTIFICATE-----
            MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
            Tk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD
            VQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG
            9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4
            MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi
            ZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl
            aWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v
            MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO
            NoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS
            KOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d
            1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8
            BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n
            bK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar
            Q4/67OZfHd7R+POBXhophSMv1ZOo
            -----END CERTIFICATE-----
        with:
          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
      - name: Assert truststore.p12 still exists, but it has been updated, and take note of modification time
        run: |
          [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
          TRUSTSTORE_P12_MOD_TIME_T2=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
          [ "$TRUSTSTORE_P12_MOD_TIME_T1" != "$TRUSTSTORE_P12_MOD_TIME_T2" ] || exit 1
          # emit the modification time of the truststore.p12 file to be able to read it in the next steps
          echo "TRUSTSTORE_P12_MOD_TIME_T2=$TRUSTSTORE_P12_MOD_TIME_T2" >> $GITHUB_ENV
      - name: Remove sonar alias from truststore.p12
        run: keytool -delete -alias sonar -keystore "$SONAR_SSL_FOLDER/truststore.p12" -storepass changeit
      - name: Run action a third time
        uses: ./
        env:
          # NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed 
          SONAR_HOST_URL: http://not_actually_used
          SONAR_ROOT_CERT: |
            -----BEGIN CERTIFICATE-----
            MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
            Tk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD
            VQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG
            9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4
            MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi
            ZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl
            aWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v
            MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO
            NoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS
            KOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d
            1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8
            BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n
            bK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar
            Q4/67OZfHd7R+POBXhophSMv1ZOo
            -----END CERTIFICATE-----
        with:
          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
      - name: Assert truststore.p12 still exists, and it has been updated again
        run: |
          [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
          TRUSTSTORE_P12_MOD_TIME_T3=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
          [ "$TRUSTSTORE_P12_MOD_TIME_T2" != "$TRUSTSTORE_P12_MOD_TIME_T3" ] || exit 1
--- a/.github/workflows/qa-scripts.yml
+++ b/.github/workflows/qa-scripts.yml
@@ -0,0 +1,351 @@
 name: QA Scripts
 on:
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]
 jobs:
  create-install-dir-test:
    name: create_install_path.sh
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Existing
        shell: bash
        env:
          INSTALL_PATH: '.sonar'
        run: |
          echo "- Create dir"
          mkdir -p "${INSTALL_PATH}"
          echo "- Test script behavior"
          ./scripts/create_install_path.sh > output
          grep -v "::error::" output
      - name: Non-existing nested in current dir
        shell: bash
        env:
          INSTALL_PATH: '.sonar'
        run: |
          ./scripts/create_install_path.sh > output
          grep -v "::error::" output
          test -d "${INSTALL_PATH}"
      - name: Nonexisting nested in home
        shell: bash
        env:
          INSTALL_PATH: '~/third_party/.sonar'
        run: |
          ./scripts/create_install_path.sh > output
          grep -v "::error::" output
          test -d "${INSTALL_PATH}"
      - name: Empty install dir specified
        shell: bash
        env:
          INSTALL_PATH: ''
        run: |
          (./scripts/create_install_path.sh || echo "=== Script failed ===") > output
          grep "::error::Empty installation path specified" output
          grep "=== Script failed ===" output
      - name: No permission to create directory
        shell: bash
        env:
          INSTALL_PATH: '/non_creatable'
        run: |
          (./scripts/create_install_path.sh || echo "=== Script failed ===") > output
          grep "::error::Failed to create non-existing installation path '/non_creatable'" output
          grep "=== Script failed ===" output
      - name: Existing but not directory
        shell: bash
        env:
          INSTALL_PATH: 'not_directory'
        run: |
          echo "- Create normal file"
          echo "content" > "${INSTALL_PATH}"
          echo "- Test script behavior"
          (./scripts/create_install_path.sh || echo "=== Script failed ===") > output
          grep "::error::Installation path 'not_directory' is not a directory" output
          grep "=== Script failed ===" output
      - name: Existing but not readable
        shell: bash
        env:
          INSTALL_PATH: 'not_readable'
        run: |
          echo "- Create dir and make it not readable"
          mkdir -p "${INSTALL_PATH}"
          chmod -r "${INSTALL_PATH}"
          echo "- Test script behavior"
          (./scripts/create_install_path.sh || echo "=== Script failed ===") > output
          grep "::error::Installation path 'not_readable' is not readable" output
          grep "=== Script failed ===" output
      - name: Existing but not writeable
        shell: bash
        env:
          INSTALL_PATH: 'not_writeable'
        run: |
          echo "- Create dir and make it not writeable"
          mkdir -p "${INSTALL_PATH}"
          chmod -w "${INSTALL_PATH}"
          echo "- Test script behavior"
          (./scripts/create_install_path.sh || echo "=== Script failed ===") > output
          grep "::error::Installation path 'not_writeable' is not writeable" output
          grep "=== Script failed ===" output
  setup-script-test:
    name: configure_paths.sh
    runs-on: ubuntu-latest
    env:
      INSTALL_PATH: 'install-directory'
      SONAR_HOST_URL: 'http://sonar-host.com'
      SONAR_SCANNER_VERSION: 'vX.Y.Z.MMMM'
      SONAR_SCANNER_URL_WINDOWS_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-windows-x64.zip'
      SONAR_SCANNER_SHA_WINDOWS_X64: 'DOWNLOAD-SHA-WINDOWS-X64'
      SONAR_SCANNER_URL_LINUX_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-x64.zip'
      SONAR_SCANNER_SHA_LINUX_X64: 'DOWNLOAD-SHA-LINUX-X64'
      SONAR_SCANNER_URL_LINUX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-aarch64.zip'
      SONAR_SCANNER_SHA_LINUX_AARCH64: 'DOWNLOAD-SHA-LINUX-AARCH64'
      SONAR_SCANNER_URL_MACOSX_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-x64.zip'
      SONAR_SCANNER_SHA_MACOSX_X64: 'DOWNLOAD-SHA-MACOSX-X64'
      SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
      SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Windows
        shell: bash
        env:
          OS: 'Windows'
          ARCH: 'X64'
        run: |
          ./scripts/configure_paths.sh > output
          grep -v "::error::" output
          echo "- Check sonar-scanner:"
          grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-windows-x64.zip" output
          grep "sonar-scanner-sha=DOWNLOAD-SHA-WINDOWS-X64" output
          grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-windows-x64" output
          grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-windows-x64/bin/sonar-scanner.bat" output
          echo "- Check build-wrapper:"
          grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-win-x86.zip" output
          grep "build-wrapper-dir=install-directory/build-wrapper-win-x86" output
          grep "build-wrapper-bin=install-directory/build-wrapper-win-x86/build-wrapper-win-x86-64.exe" output
      - name: Linux X64
        shell: bash
        env:
          OS: 'Linux'
          ARCH: 'X64'
        run: |
          ./scripts/configure_paths.sh > output
          grep -v "::error::" output
          echo "- Check sonar-scanner:"
          grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-x64.zip" output
          grep "sonar-scanner-sha=DOWNLOAD-SHA-LINUX-X64" output
          grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-x64" output
          grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-x64/bin/sonar-scanner" output
          echo "- Check build-wrapper:"
          grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-linux-x86.zip" output
          grep "build-wrapper-dir=install-directory/build-wrapper-linux-x86" output
          grep "build-wrapper-bin=install-directory/build-wrapper-linux-x86/build-wrapper-linux-x86-64" output
      - name: Linux ARM64
        shell: bash
        env:
          OS: 'Linux'
          ARCH: 'ARM64'
        run: |
          ./scripts/configure_paths.sh > output
          grep -v "::error::" output
          echo "- Check sonar-scanner:"
          grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-aarch64.zip" output
          grep "sonar-scanner-sha=DOWNLOAD-SHA-LINUX-AARCH64" output
          grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-aarch64" output
          grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-aarch64/bin/sonar-scanner" output
          echo "- Check build-wrapper:"
          grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-linux-aarch64.zip" output
          grep "build-wrapper-dir=install-directory/build-wrapper-linux-aarch64" output
          grep "build-wrapper-bin=install-directory/build-wrapper-linux-aarch64/build-wrapper-linux-aarch64" output
      - name: macOSX_X64
        shell: bash
        env:
          OS: 'macOS'
          ARCH: 'X64'
        run: |
          ./scripts/configure_paths.sh > output
          grep -v "::error::" output
          echo "- Check sonar-scanner:"
          grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-x64.zip" output
          grep "sonar-scanner-sha=DOWNLOAD-SHA-MACOSX-X64" output
          grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-x64" output
          grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-x64/bin/sonar-scanner" output
          echo "- Check build-wrapper:"
          grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-macosx-x86.zip" output
          grep "build-wrapper-dir=install-directory/build-wrapper-macosx-x86" output
          grep "build-wrapper-bin=install-directory/build-wrapper-macosx-x86/build-wrapper-macosx-x86" output
      - name: macOSX_ARM64
        shell: bash
        env:
          OS: 'macOS'
          ARCH: 'ARM64'
        run: |
          ./scripts/configure_paths.sh > output
          grep -v "::error::" output
          echo "- Check sonar-scanner:"
          grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip" output
          grep "sonar-scanner-sha=DOWNLOAD-SHA-MACOSX-AARCH64" output
          grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-aarch64" output
          grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-aarch64/bin/sonar-scanner" output
          echo "- Check build-wrapper:"
          grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-macosx-x86.zip" output
          grep "build-wrapper-dir=install-directory/build-wrapper-macosx-x86" output
          grep "build-wrapper-bin=install-directory/build-wrapper-macosx-x86/build-wrapper-macosx-x86" output
      - name: Unsupported OS
        shell: bash
        env:
          OS: 'unsupportedOS'
          ARCH: 'X64'
        run: |
          (./scripts/configure_paths.sh  || echo "=== Script failed ===") > output
          echo "- Check errors:"
          grep "::error::Unsupported runner OS 'unsupportedOS'" output
          grep "=== Script failed ===" output
      - name: Unsupported architecture
        shell: bash
        env:
          OS: 'Linux'
          ARCH: 'X86'
        run: |
          (./scripts/configure_paths.sh  || echo "=== Script failed ===") > output
          echo "- Check errors:"
          grep "::error::Architecture 'X86' is unsupported by build-wrapper" output
          grep "=== Script failed ===" output
  download-script-test:
    name: download.sh
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Download test without validation
        shell: bash
        env:
          INSTALL_PATH: 'install-directory-no-sha-validation'
          DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
          EXPECTED_SHA: 'incorrect-sha-not-validated'
          TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
        run: |
          ./scripts/download.sh > output
          test -f "$TMP_ZIP_PATH"
          grep -v "::error::" output
      - name: Download test with validation
        shell: bash
        env:
          INSTALL_PATH: 'install-directory-sha-validation'
          DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
          EXPECTED_SHA: '9411331814c1d002bd65d37758b872918b7602e7cf3ca5b83a3e19a729b2be05'
          TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
        run: |
          ./scripts/download.sh -v > output
          test -f "$TMP_ZIP_PATH"
          grep -v "::error::" output
      - name: Incorrect install dir
        shell: bash
        env:
          INSTALL_PATH: ''
        run: |
          (./scripts/download.sh || echo "=== Script failed ===") > output
          grep "::error::Failed to create" output
          grep "=== Script failed ===" output
      - name: Incorrect download url
        shell: bash
        env:
          INSTALL_PATH: 'install-directory-incorrect-url'
          DOWNLOAD_URL: 'incorrect-url'
        run: |
          (./scripts/download.sh || echo "=== Script failed ===") > output
          grep "::error::Failed to download 'incorrect-url'" output
          grep "=== Script failed ===" output
      - name: Incorrect SHA256
        shell: bash
        env:
          INSTALL_PATH: 'install-directory-incorrect-sha'
          DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
          EXPECTED_SHA: 'incorrect-sha256'
          TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
        run: |
          (./scripts/download.sh -v || echo "=== Script failed ===") > output
          grep "::error::Checking sha256 failed" output
          grep "=== Script failed ===" output
      - name: Mismatching SHA256
        shell: bash
        env:
          INSTALL_PATH: 'install-directory-mismtaching-sha'
          DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
          EXPECTED_SHA: '3e121d85a4adb1f30b917d5f3eb897966b59e02c3d6d313a78dcd964193dc963'
          TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
        run: |
          (./scripts/download.sh -v || echo "=== Script failed ===") > output
          grep "::error::Checking sha256 failed" output
          grep "=== Script failed ===" output
  fetch-latest-version-test:
    name: fetch_latest_version.sh
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Test script
        shell: bash
        run: |
          ./scripts/fetch_latest_version.sh > output
          echo "- Check sonar-scanner version:"
          grep  "sonar-scanner-version=" output
          SONAR_SCANNER_VERSION=$(cat output | cut -d= -f 2)
          test ! -z "${SONAR_SCANNER_VERSION}"
          echo "- Check windows sonar-scanner URLs:"
          grep "sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-windows-x64.zip" output
          grep -e "^sonar-scanner-sha-windows-x64=[0-9A-Fa-f]\+$" output
          echo "- Check linux sonar-scanner URLs:"
          grep "sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip" output
          grep -e "^sonar-scanner-sha-linux-x64=[0-9A-Fa-f]\+$" output
          grep "sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip" output
          grep -e "^sonar-scanner-sha-linux-aarch64=[0-9A-Fa-f]\+$" output
          echo "- Check macosx sonar-scanner URLs:"
          grep "sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip" output
          grep -e "^sonar-scanner-sha-linux-x64=[0-9A-Fa-f]\+$" output
          grep "sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip" output
          grep -e "^sonar-scanner-sha-linux-aarch64=[0-9A-Fa-f]\+$" output
--- a/.github/workflows/version_update.yml
+++ b/.github/workflows/version_update.yml
@@ -0,0 +1,50 @@
 name: sonar-scanner version check
 on:
  workflow_dispatch:
  schedule:
    - cron: '15 10 * * *'
 jobs:
  update-version:
    name: Prepare pull request for sonar-scanner version update
    runs-on: ubuntu-latest
    steps:
      - run: sudo apt install -y jq
      - uses: actions/checkout@v4
        with:
          ref: master
          persist-credentials: true
          fetch-depth: 0
      - name: "Fetch currently used sonar-scanner version"
        id: tagged-version
        shell: bash
        run: cat sonar-scanner-version >> $GITHUB_OUTPUT
      - name: "Fetch lastest sonar-scanner version"
        id: latest-version
        shell: bash
        run: |
          ./scripts/fetch_latest_version.sh > sonar-scanner-version
          cat sonar-scanner-version >> $GITHUB_OUTPUT
      - name: "Create Pull Request for version update"
        if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
        shell: bash
        env:
          UPDATE_BRANCH: update-to-sonar-scanner-${{ steps.latest-version.outputs.sonar-scanner-version }}
          TITLE: "Update sonar-scanner-version to ${{ steps.latest-version.outputs.sonar-scanner-version }}"
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config --global user.name "SonarTech"
          git config --global user.email "sonartech@sonarsource.com"
          git checkout -b ${UPDATE_BRANCH}
          git add sonar-scanner-version
          git commit -m "${TITLE}"
          git push --force-with-lease origin ${UPDATE_BRANCH}
          gh pr list
          if [[ $(gh pr list -H "${UPDATE_BRANCH}" | grep "${UPDATE_BRANCH}" | wc -l) -eq 0 ]]; then
            gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic updated of sonar-scanner version value. Needs to be tagged for release."
          fi
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Scan your code with SonarQube [![QA](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa.yml)
+# Scan your code with SonarQube [![QA Main](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml) [![QA Install Build Wrapper](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml) [![QA Scripts](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml) [![QA Deprecated C and C++ Action](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml)
 This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).
@@ -11,6 +11,9 @@ It helps developers detect coding issues in 30+ languages, frameworks, and IaC p
 The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability.
 > [!NOTE]  
 > This action now supports and is the official entrypoint for scanning C, C++, Objective-C and Dart projects via GitHub actions.
 ## Requirements
 ### Server
@@ -38,7 +41,11 @@ sonar.projectKey=<replace with the key generated when setting up the project on
 sonar.sources=.
 ```
-The workflow, usually declared under `.github/workflows`, looks like:
+In the following cases:
 - for projects that don't have C, C++, or Objective-C in them
 - for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper)
 the workflow, usually declared under `.github/workflows`, looks like the following:
 ```yaml
 on:
@@ -62,12 +69,69 @@ jobs:
        # Disabling shallow clones is recommended for improving the relevancy of reporting
        fetch-depth: 0
    - name: SonarQube Scan
-      uses: sonarsource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
+      uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
 ```
 For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
 ```yaml
 # Trigger analysis when pushing to your main branches, and when creating a pull request.
  push:
    branches:
      - main
      - master
      - develop
      - 'releases/**'
  pull_request:
      types: [opened, synchronize, reopened]
 name: Main Workflow
 jobs:
  sonarqube:
    runs-on: ubuntu-latest
    env:
      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
    steps:
    - uses: actions/checkout@v4
      with:
        # Disabling shallow clone is recommended for improving relevancy of reporting
        fetch-depth: 0
    - name: Install Build Wrapper
      uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
      env:
        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
    - name: Run Build Wrapper
      run: |
        # here goes your compilation wrapped with build-wrapper; See https://docs.sonarsource.com/sonarqube/latest/ analyzing-source-code/languages/c-family/#using-build-wrapper for more information
        # build-preparation steps
        # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
    - name: SonarQube Scan
      uses: SonarSource/sonarqube-scan-action@<action version>
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
      with:
        # Consult https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
        args: >
          --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" 
 ```
 If you are using SonarQube Server 10.5 or earlier, use `sonar.cfamily.build-wrapper-output` instead of `sonar.cfamily.compile-commands` in the `args` property of the last step, as Build Wrapper does not generate a `compile_commands.json` file before SonarQube Server 10.6.
 It should look like this:
 ```yaml
 with:  
  args: >
    --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
 ```
 See also [example configurations of C++ projects for SonarQube Server](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sq&type=repositories).
 ### Cloud
 ```properties
@@ -79,7 +143,11 @@ sonar.projectKey=<replace with the key generated when setting up the project on
 sonar.sources=.
 ```
-The workflow, usually declared under `.github/workflows`, looks like:
+In the following cases:
 - for projects that don't have C, C++, or Objective-C in them
 - for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper)
 the workflow, usually declared under `.github/workflows`, looks like the following:
 ```yaml
 on:
@@ -103,17 +171,61 @@ jobs:
        # Disabling shallow clones is recommended for improving the relevancy of reporting
        fetch-depth: 0
    - name: SonarQube Scan
-      uses: sonarsource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
+      uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 ```
 For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
 ```yaml
 # Trigger analysis when pushing to your main branches, and when creating a pull request.
  push:
    branches:
      - main
      - master
      - develop
      - 'releases/**'
  pull_request:
      types: [opened, synchronize, reopened]
 name: Main Workflow
 jobs:
  sonarqube:
    runs-on: ubuntu-latest
    env:
      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
    steps:
    - uses: actions/checkout@v4
      with:
        # Disabling shallow clone is recommended for improving relevancy of reporting
        fetch-depth: 0
    - name: Install Build Wrapper
      uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
    - name: Run Build Wrapper
      run: |
        # here goes your compilation wrapped with build-wrapper; See https://docs.sonarsource.com/sonarqube/latest/ analyzing-source-code/languages/c-family/#using-build-wrapper for more information
        # build-preparation steps
        # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
    - name: SonarQube Scan
      uses: SonarSource/sonarqube-scan-action@<action version>
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
      with:
        # Consult https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
        args: >
          --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" 
 ```
 See also [example configurations of C++ projects for SonarQube Cloud](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sc&type=repositories).
 ## Action parameters
 You can change the analysis base directory by using the optional input `projectBaseDir` like this:
 ```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    projectBaseDir: app/src
 ```
@@ -121,7 +233,7 @@ You can change the analysis base directory by using the optional input `projectB
 In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option:
 ```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    scannerVersion: 6.2.0.4584
 ```
@@ -129,7 +241,7 @@ In case you need to specify the version of the Sonar Scanner, you can use the `s
 In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option:
 ```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    projectBaseDir: app/src
    args: >
@@ -147,7 +259,7 @@ The specified URL overrides the default address: `https://binaries.sonarsource.c
 This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet:
 ```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
 ```
@@ -159,14 +271,13 @@ More information about possible analysis parameters can be found:
 ### Environment variables
 - `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the documentation of SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 - *`GITHUB_TOKEN` – Provided by Github (see [Authenticating with the GITHUB_TOKEN](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token)).*
 - `SONAR_HOST_URL` – this tells the scanner where SonarQube Server is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Variables" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). Not needed for SonarQube Cloud.
 - `SONAR_ROOT_CERT` – Holds an additional certificate (in PEM format) that is used to validate the certificate of SonarQube Server or of a secured proxy to SonarQube (Server or Cloud). You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore:
 ```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
@@ -176,23 +287,35 @@ Here is an example of how you can pass a certificate (in PEM format) to the Scan
 If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this:
 ```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # or https://sonarcloud.io
    LC_ALL: "ru_RU.UTF-8"
 ```
-## Alternatives for Java, .NET, and C/C++ projects
+## Alternatives for Java and .NET
 This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives:
 * Your code is built with Maven. Read the documentation about our SonarScanner for Maven in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/).
 * Your code is built with Gradle. Read the documentation about our SonarScanner for Gradle in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-gradle/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/).
 * You want to analyze a .NET solution. Read the documentation about our SonarScanner for .NET in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/dotnet/introduction/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/).
-* You want to analyze C or C++ code. Starting from SonarQube 10.6, this GitHub Action will scan C and C++ out of the box. If you want to have better control over the scan configuration/setup, you can switch to:
+
-  * the [SonarQube Server Scan for C and C++](https://github.com/marketplace/actions/sonarqube-scan-for-c-and-c) GitHub Action, for projects on SonarQube Server
+## Do not use this GitHub action if you are in the following situations
-  * the [SonarQube Cloud Scan for C and C++](https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c) GitHub Action, for projects on SonarQube Cloud - look at [our sample C and C++ project](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=).
+
 * You want to run the action on C, C++, or Objective-C projects on a 32-bits system - build wrappers support only 64-bits OS.
 ## Self-hosted runner or container
 When running the action in a self-hosted runner or container, please ensure that the following programs are installed:
 * **curl** or **wget**
 * **unzip**
 ## Additional information
 The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.
 ## Have questions or feedback?
--- a/action.yml
+++ b/action.yml
@@ -1,9 +1,8 @@
-name: Official SonarQube (Server, Cloud) Scan
+name: Official SonarQube Scan
 # Warning: changing name would change URL in the marketplace
 description: >
-  Scan your code with SonarQube Server and Cloud to detect coding 
+  Scan your code with SonarQube Server and Cloud to detect 
-  issues in 30+ languages, frameworks, and IaC platforms. 
+  issues in 30+ languages. (Formerly SonarQube and SonarCloud)
  The solution also provides fix recommendations leveraging AI with 
  Sonar's AI CodeFix capability. (Formerly SonarQube and SonarCloud)
 branding:
  icon: check
  color: green
@@ -17,7 +16,7 @@ inputs:
  scannerVersion:
    description: Version of the Sonar Scanner CLI to use
    required: false
-    default: 6.2.1.4610
+    default: 6.2.1.4610 # to be kept in sync with sonar-scanner-version
  scannerBinariesUrl:
    description: URL to download the Sonar Scanner CLI binaries from
    required: false
@@ -26,19 +25,25 @@ runs:
  using: "composite"
  steps:
    - name: Sanity checks
-      run: ${GITHUB_ACTION_PATH}/sanity-checks.sh
+      run: ${GITHUB_ACTION_PATH}/scripts/sanity-checks.sh
      shell: bash
      env:
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
    - name: Vulnerability warning
      shell: bash
      run: echo "::warning title=Vulnerability warning::This version of the SonarQube Scanner GitHub Action is no longer supported and contains a security vulnerability. Please update your workflow to use sonarsource/sonarqube-scan-action@v6 for the latest security patches and features. For more information visit https://community.sonarsource.com/gha-v6-update"
    - name: Load Sonar Scanner CLI from cache
      id: sonar-scanner-cli
-      uses: actions/cache@v4.0.2
+      uses: actions/cache@v4
      env:
        # The default value is 60mins. Reaching timeout is treated the same as a cache miss.
        SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
      with:
        path: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}
        key: sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}
    - name: Install Sonar Scanner CLI
      if: ${{ env.NO_CACHE == 'true' || steps.sonar-scanner-cli.outputs.cache-hit != 'true' }}
-      run: ${GITHUB_ACTION_PATH}/install-sonar-scanner-cli.sh
+      run: ${GITHUB_ACTION_PATH}/scripts/install-sonar-scanner-cli.sh
      shell: bash
      env:
        INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
@@ -47,7 +52,7 @@ runs:
      run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
      shell: bash
    - name: Run SonarScanner
-      run: ${GITHUB_ACTION_PATH}/run-sonar-scanner.sh ${{ inputs.args }}
+      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
      shell: bash
      env:
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
--- a/deprecated-c-cpp/action.yml
+++ b/deprecated-c-cpp/action.yml
@@ -0,0 +1,134 @@
 name: 'SonarQube Scan for C and C++'
 description: 'Scan your C and C++ code with SonarQube to detect bugs, vulnerabilities and code smells.'
 branding:
  icon: check
  color: green
 inputs:
  installation-path:
    description: 'Directory where the sonar-scanner and build wrapper will be installed. Created if does not exists.'
    required: false
    default: '.sonar'
  cache-binaries:
    description: 'Controls if installed binaries are cached using GitHub cache.'
    required: false
    default: 'true'
 outputs:
  sonar-scanner-binary:
    description: "Absolute path to sonar-scanner binary."
    value: ${{ steps.setup-outputs.outputs.sonar-scanner-binary }}
  build-wrapper-binary:
    description: "Absolute path to build-wrapper binary."
    value: ${{ steps.setup-outputs.outputs.build-wrapper-binary }}
 runs:
  using: "composite"
  steps:
    # install packaged required for greadlink and sha256sum command on macOS
    - name: Install required packages for macOS
      if: runner.os == 'macOS'
      shell: bash
      run: brew install coreutils
    - name: Set SONAR_HOST_URL to 'https://sonarcloud.io'
      if: env.SONAR_HOST_URL == ''
      shell: bash
      run: |
        echo "Setting SONAR_HOST_URL to 'https://sonarcloud.io'"
        echo "SONAR_HOST_URL=https://sonarcloud.io" >> $GITHUB_ENV
    - name: Verify and create installation path
      shell: bash
      env:
        INSTALL_PATH: ${{ inputs.installation-path }}
      run: ${GITHUB_ACTION_PATH}/../scripts/create_install_path.sh
    - name: Set version of sonar-scanner
      id: sonar-scanner-version
      shell: bash
      run: cat ${GITHUB_ACTION_PATH}/../sonar-scanner-version >> $GITHUB_OUTPUT
    - name: Configure paths
      id: configure_paths
      shell: bash
      env:
        OS: ${{ runner.os }}
        ARCH: ${{ runner.arch }}
        INSTALL_PATH: ${{ inputs.installation-path }}
        SONAR_SCANNER_VERSION: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-version }}
        SONAR_SCANNER_URL_WINDOWS_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-windows-x64 }}
        SONAR_SCANNER_SHA_WINDOWS_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-windows-x64 }}
        SONAR_SCANNER_URL_LINUX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-linux-x64 }}
        SONAR_SCANNER_SHA_LINUX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-linux-x64 }}
        SONAR_SCANNER_URL_LINUX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-linux-aarch64 }}
        SONAR_SCANNER_SHA_LINUX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-linux-aarch64 }}
        SONAR_SCANNER_URL_MACOSX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-macosx-x64 }}
        SONAR_SCANNER_SHA_MACOSX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-macosx-x64 }}
        SONAR_SCANNER_URL_MACOSX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-macosx-aarch64 }}
        SONAR_SCANNER_SHA_MACOSX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-macosx-aarch64 }}
      run: ${GITHUB_ACTION_PATH}/../scripts/configure_paths.sh >> $GITHUB_OUTPUT
    - name: Cache sonar-scanner installation
      id: cache-sonar-tools
      if: inputs.cache-binaries == 'true'
      uses: actions/cache@v4
      env:
        # The default value is 60mins. Reaching timeout is treated the same as a cache miss.
        SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
      with:
        key: sonar-scanner-${{ runner.os }}-${{ runner.arch }}-${{ steps.sonar-scanner-version.outputs.sonar-scanner-version }}
        path: ${{ steps.configure_paths.outputs.sonar-scanner-dir }}
    - name: Download and install sonar-scanner
      if: steps.cache-sonar-tools.outputs.cache-hit != 'true'
      shell: bash
      env:
        DOWNLOAD_URL: ${{ steps.configure_paths.outputs.sonar-scanner-url }}
        EXPECTED_SHA: ${{ steps.configure_paths.outputs.sonar-scanner-sha }}
        INSTALL_PATH: ${{ inputs.installation-path }}
        TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
      run: ${GITHUB_ACTION_PATH}/../scripts/download.sh -v
    - name: Add the custom root certificate to java certificate store
      shell: bash
      run: ${GITHUB_ACTION_PATH}/../scripts/cert.sh
    - name: Download and install build-wrapper
      shell: bash
      env:
        DOWNLOAD_URL: ${{ steps.configure_paths.outputs.build-wrapper-url }}
        INSTALL_PATH: ${{ inputs.installation-path }}
        TMP_ZIP_PATH: ${{ runner.temp }}/build-wrapper.zip
      run: ${GITHUB_ACTION_PATH}/../scripts/download.sh
    - name: Setup action outputs
      id: setup-outputs
      shell: bash
      env:
        SONAR_SCANNER_DIR: ${{ steps.configure_paths.outputs.sonar-scanner-dir }}
        SONAR_SCANNER_BIN: ${{ steps.configure_paths.outputs.sonar-scanner-bin }}
        BUILD_WRAPPER_DIR: ${{ steps.configure_paths.outputs.build-wrapper-dir }}
        BUILD_WRAPPER_BIN: ${{ steps.configure_paths.outputs.build-wrapper-bin }}
      run: |
        source ${GITHUB_ACTION_PATH}/../scripts/utils.sh
        echo "::group::Action outputs"
        echo "SONAR_HOST_URL=${SONAR_HOST_URL}" >> $GITHUB_ENV
        echo "'SONAR_HOST_URL' environment variable set to '${SONAR_HOST_URL}'"
        SONAR_SCANNER_BIN_DIR=$(realpath "${SONAR_SCANNER_DIR}/bin")
        echo "${SONAR_SCANNER_BIN_DIR}" >> $GITHUB_PATH
        echo "'${SONAR_SCANNER_BIN_DIR}' added to the path"
        SONAR_SCANNER_BIN=$(realpath "${SONAR_SCANNER_BIN}")
        echo "sonar-scanner-binary=${SONAR_SCANNER_BIN}" >> $GITHUB_OUTPUT
        echo "'sonar-scanner-binary' output set to '${SONAR_SCANNER_BIN}'"
        BUILD_WRAPPER_BIN_DIR=$(realpath "${BUILD_WRAPPER_DIR}")
        echo "${BUILD_WRAPPER_BIN_DIR}" >> $GITHUB_PATH
        echo "'${BUILD_WRAPPER_BIN_DIR}' added to the path"
        BUILD_WRAPPER_BIN=$(realpath "${BUILD_WRAPPER_BIN}")
        echo "build-wrapper-binary=${BUILD_WRAPPER_BIN}" >> $GITHUB_OUTPUT
        echo "'build-wrapper-binary' output set to '${BUILD_WRAPPER_BIN}'"
        echo "::endgroup::"
--- a/install-build-wrapper/action.yml
+++ b/install-build-wrapper/action.yml
@@ -0,0 +1,62 @@
 name: 'Install Build Wrapper for C and C++'
 description: >
  Download and install the Build Wrapper for C, C++, and Objective-C
  projects analyzed with manual config.
 branding:
  icon: check
  color: green
 outputs:
  build-wrapper-binary:
    description: "Absolute path to Build Wrapper binary."
    value: ${{ steps.setup-outputs.outputs.build-wrapper-binary }}
 runs:
  using: "composite"
  steps:
    # install packaged required for greadlink and sha256sum command on macOS
    - name: Install required packages for macOS
      if: runner.os == 'macOS'
      shell: bash
      run: brew install coreutils
    - name: Set SONAR_HOST_URL to 'https://sonarcloud.io'
      if: env.SONAR_HOST_URL == ''
      shell: bash
      run: |
        echo "Setting SONAR_HOST_URL to 'https://sonarcloud.io'"
        echo "SONAR_HOST_URL=https://sonarcloud.io" >> $GITHUB_ENV
    - name: Configure paths
      id: configure_paths
      shell: bash
      env:
        OS: ${{ runner.os }}
        ARCH: ${{ runner.arch }}
        INSTALL_PATH: ${{ runner.temp }} # TODO: or .sonar, if RUNNER_TEMP creates problem with caching and self-hosted runners
      run: ${GITHUB_ACTION_PATH}/../scripts/configure_paths.sh >> $GITHUB_OUTPUT
    - name: Download and install Build Wrapper
      shell: bash
      env:
        DOWNLOAD_URL: ${{ steps.configure_paths.outputs.build-wrapper-url }}
        TMP_ZIP_PATH: ${{ runner.temp }}/build-wrapper-${{ inputs.configure_paths.sonar-scanner-version }}-${{ runner.os }}-${{ runner.arch }}.zip
        INSTALL_PATH: ${{ runner.temp }} # TODO: or .sonar, if RUNNER_TEMP creates problem with caching and self-hosted runners
      run: ${GITHUB_ACTION_PATH}/../scripts/download.sh
    - name: Setup action outputs
      id: setup-outputs
      shell: bash
      env:
        BUILD_WRAPPER_DIR: ${{ steps.configure_paths.outputs.build-wrapper-dir }}
        BUILD_WRAPPER_BIN: ${{ steps.configure_paths.outputs.build-wrapper-bin }}
      run: |
        source ${GITHUB_ACTION_PATH}/../scripts/utils.sh
        BUILD_WRAPPER_BIN_DIR=$(realpath "${BUILD_WRAPPER_DIR}")
        echo "${BUILD_WRAPPER_BIN_DIR}" >> $GITHUB_PATH
        echo "'${BUILD_WRAPPER_BIN_DIR}' added to the path"
        BUILD_WRAPPER_BIN=$(realpath "${BUILD_WRAPPER_BIN}")
        echo "build-wrapper-binary=${BUILD_WRAPPER_BIN}" >> $GITHUB_OUTPUT
        echo "'build-wrapper-binary' output set to '${BUILD_WRAPPER_BIN}'"
        echo "::endgroup::"
--- a/run-sonar-scanner.sh
+++ b/run-sonar-scanner.sh
@@ -1,41 +0,0 @@
 #!/bin/bash
 set -eo pipefail
 if [[ "$RUNNER_OS" == "Windows" ]]; then
  SCANNER_BIN="sonar-scanner.bat"
 else
  SCANNER_BIN="sonar-scanner"
 fi
 scanner_args=()
 if [[ ${SONARCLOUD_URL} ]]; then
  scanner_args+=("-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}")
 fi
 if [[ "$RUNNER_DEBUG" == '1' ]]; then
  scanner_args+=('--debug')
 fi
 if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
  scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
 fi
 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  echo "Adding SSL certificate to the Scanner truststore"
  rm -f $RUNNER_TEMP/tmpcert.pem
  echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
  # Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
  # keytool require a password > 6 characters, so we wan't use the default password 'sonar'
  store_pass=changeit
  mkdir -p ~/.sonar/ssl
  $SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore ~/.sonar/ssl/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
  scanner_args+=("-Dsonar.scanner.truststorePassword=$store_pass")
 fi
 scanner_args+=("$@")
 set -ux
 $SCANNER_BIN "${scanner_args[@]}"
--- a/scripts/cert.sh
+++ b/scripts/cert.sh
@@ -0,0 +1,8 @@
 #!/bin/bash
 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  echo "Adding custom root certificate to java certificate store"
  rm -f /tmp/tmpcert.pem
  echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
  keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
 fi
--- a/scripts/configure_paths.sh
+++ b/scripts/configure_paths.sh
@@ -0,0 +1,71 @@
 #!/bin/bash
 if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
  echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"
  exit 1
 fi
 case ${OS} in
  Windows)
    SONAR_SCANNER_SUFFIX="windows-x64"
    BUILD_WRAPPER_SUFFIX="win-x86"
    SONAR_SCANNER_NAME="sonar-scanner.bat"
    BUILD_WRAPPER_NAME="build-wrapper-win-x86-64.exe"
    SONAR_SCANNER_URL="${SONAR_SCANNER_URL_WINDOWS_X64}"
    SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_WINDOWS_X64}"
    ;;
  Linux)  
    case ${ARCH} in
      X64)
        SONAR_SCANNER_SUFFIX="linux-x64"
        BUILD_WRAPPER_SUFFIX="linux-x86"
        BUILD_WRAPPER_NAME="build-wrapper-linux-x86-64"
        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_X64}"
        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_X64}"
        ;;
      ARM64)
        SONAR_SCANNER_SUFFIX="linux-aarch64"
        BUILD_WRAPPER_SUFFIX="linux-aarch64"
        BUILD_WRAPPER_NAME="build-wrapper-linux-aarch64"
        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_AARCH64}"
        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_AARCH64}"
        ;;
    esac
    SONAR_SCANNER_NAME="sonar-scanner"
    ;;
  macOS)
    case ${ARCH} in
      X64)
        SONAR_SCANNER_SUFFIX="macosx-x64"
        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_X64}"
        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_X64}"
        ;;
      ARM64)
        SONAR_SCANNER_SUFFIX="macosx-aarch64"
        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_AARCH64}"
        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_AARCH64}"
        ;;
    esac
    BUILD_WRAPPER_SUFFIX="macosx-x86"
    SONAR_SCANNER_NAME="sonar-scanner"
    BUILD_WRAPPER_NAME="build-wrapper-macosx-x86"
    ;;
  *)
    echo "::error::Unsupported runner OS '${OS}'"
    exit 1
    ;;
 esac
 echo "sonar-scanner-url=${SONAR_SCANNER_URL}"
 echo "sonar-scanner-sha=${SONAR_SCANNER_SHA}"
 SONAR_SCANNER_DIR="${INSTALL_PATH}/sonar-scanner-${SONAR_SCANNER_VERSION}-${SONAR_SCANNER_SUFFIX}"
 echo "sonar-scanner-dir=${SONAR_SCANNER_DIR}"
 echo "sonar-scanner-bin=${SONAR_SCANNER_DIR}/bin/${SONAR_SCANNER_NAME}"
 BUILD_WRAPPER_DIR="${INSTALL_PATH}/build-wrapper-${BUILD_WRAPPER_SUFFIX}"
 echo "build-wrapper-url=${SONAR_HOST_URL%/}/static/cpp/build-wrapper-${BUILD_WRAPPER_SUFFIX}.zip"
 echo "build-wrapper-dir=${BUILD_WRAPPER_DIR}"
 echo "build-wrapper-bin=${BUILD_WRAPPER_DIR}/${BUILD_WRAPPER_NAME}"
--- a/scripts/create_install_path.sh
+++ b/scripts/create_install_path.sh
@@ -0,0 +1,26 @@
 #!/bin/bash
 source "$(dirname -- "$0")/utils.sh"
 echo "Installation path is '${INSTALL_PATH}'"
 test ! -z "${INSTALL_PATH}"
 check_status "Empty installation path specified"
 if [[ ! -e "${INSTALL_PATH}" ]]; then
  mkdir -p "${INSTALL_PATH}"
  check_status "Failed to create non-existing installation path '${INSTALL_PATH}'"
 fi  
 ABSOLUTE_INSTALL_PATH=$(realpath "${INSTALL_PATH}")
 echo "Absolute installation path is '${ABSOLUTE_INSTALL_PATH}'"
 test -d "${INSTALL_PATH}"
 check_status "Installation path '${INSTALL_PATH}' is not a directory (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
 test -r "${INSTALL_PATH}"
 check_status "Installation path '${INSTALL_PATH}' is not readable (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
 test -w "${INSTALL_PATH}"
 check_status "Installation path '${INSTALL_PATH}' is not writeable (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
--- a/scripts/download.sh
+++ b/scripts/download.sh
@@ -0,0 +1,58 @@
 #!/bin/bash
 source "$(dirname -- "$0")/utils.sh"
 VERIFY_CORRECTNESS=false
 help() {
  cat <<EOF
 Usage: ./download [-v]
 -h              Display help
 -v              Verify correctness of a download with SHA256 checksum; Optional
 EOF
 }
 parse_arguments() {
  while getopts "hv" arg; do
    case $arg in
    v)
      VERIFY_CORRECTNESS=true
      echo "Verify correctness is set to true"
      ;;
    ?)
      help
      exit 0
      ;;
    esac
  done
 }
 verify_download_correctness() {
  echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
  check_status "Checking sha256 failed"
 }
 download() {
  echo "Downloading '${DOWNLOAD_URL}'"
  mkdir -p "${INSTALL_PATH}"
  check_status "Failed to create ${INSTALL_PATH}"
  curl -sSLo "${TMP_ZIP_PATH}" "${DOWNLOAD_URL}"
  check_status "Failed to download '${DOWNLOAD_URL}'"
 }
 decompress() {
  echo "Decompressing"
  unzip -o -d "${INSTALL_PATH}" "${TMP_ZIP_PATH}"
  check_status "Failed to unzip the archive into '${INSTALL_PATH}'"
 }
 ####################################################################################
 echo "::group::Download ${DOWNLOAD_URL}"
 parse_arguments $@
 download
 if [ "$VERIFY_CORRECTNESS" = true ]; then
  verify_download_correctness
 fi
 decompress
 echo "::endgroup::"
--- a/scripts/fetch_latest_version.sh
+++ b/scripts/fetch_latest_version.sh
@@ -0,0 +1,25 @@
 #!/bin/bash
 source "$(dirname -- "$0")/utils.sh"
 SONAR_SCANNER_VERSION=$(curl -sSL -H "Accept: application/vnd.github+json" \
  https://api.github.com/repos/SonarSource/sonar-scanner-cli/releases/latest | jq -r '.tag_name')
 check_status "Failed to fetch latest sonar-scanner version from GitHub API"
 echo "sonar-scanner-version=${SONAR_SCANNER_VERSION}"
 for OS in windows linux macosx; do
  if [[ "$OS" == "windows" ]]; then
    ARCHS=("x64")
  else
    ARCHS=("x64" "aarch64")
  fi
  for ARCH in "${ARCHS[@]}"; do
    SONAR_SCANNER_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-${OS}-${ARCH}.zip"
    SONAR_SCANNER_SHA=$(curl -sSL "${SONAR_SCANNER_URL}.sha256")
    check_status "Failed to download ${OS} ${ARCH} sonar-scanner checksum from '${SONAR_SCANNER_URL}'"
    echo "sonar-scanner-url-${OS}-${ARCH}=${SONAR_SCANNER_URL}"
    echo "sonar-scanner-sha-${OS}-${ARCH}=${SONAR_SCANNER_SHA}"
  done
 done
--- a/scripts/install-sonar-scanner-cli.sh
+++ b/scripts/install-sonar-scanner-cli.sh
@@ -46,7 +46,15 @@ else
    exit 1
 fi
-unzip -q $SCANNER_FILE_NAME
+unzip -q -o $SCANNER_FILE_NAME
 SCANNER_UNZIP_FOLDER="sonar-scanner-$INPUT_SCANNERVERSION-$FLAVOR"
 # Folder name should correspond to the directory cached by the actions/cache
-mv sonar-scanner-$INPUT_SCANNERVERSION-$FLAVOR $RUNNER_TEMP/sonar-scanner-cli-$INPUT_SCANNERVERSION-$RUNNER_OS-$RUNNER_ARCH
+SCANNER_LOCAL_FOLDER="$RUNNER_TEMP/sonar-scanner-cli-$INPUT_SCANNERVERSION-$RUNNER_OS-$RUNNER_ARCH"
 if [ -d "$SCANNER_LOCAL_FOLDER" ]; then
     echo "::warning title=SonarScanner::Cleaning existing scanner folder: $SCANNER_LOCAL_FOLDER"
     rm -rf "$SCANNER_LOCAL_FOLDER"
 fi
 mv -f "$SCANNER_UNZIP_FOLDER" "$SCANNER_LOCAL_FOLDER"
--- a/scripts/run-sonar-scanner-cli.sh
+++ b/scripts/run-sonar-scanner-cli.sh
@@ -0,0 +1,81 @@
 #!/bin/bash
 set -eo pipefail
 if [[ "$RUNNER_OS" == "Windows" ]]; then
  SCANNER_BIN="sonar-scanner.bat"
 else
  SCANNER_BIN="sonar-scanner"
 fi
 scanner_args=()
 if [[ ${SONARCLOUD_URL} ]]; then
  scanner_args+=("-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}")
 fi
 if [[ "$RUNNER_DEBUG" == '1' ]]; then
  scanner_args+=('--debug')
 fi
 if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
  scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
 fi
 # The SSL folder may exist on an uncleaned self-hosted runner
 SONAR_SSL_FOLDER=~/.sonar/ssl
 # Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
 # keytool requires a password > 6 characters, so we won't use the default password 'sonar'
 KEYTOOL_MAIN_CLASS=sun.security.tools.keytool.Main
 SONAR_SSL_TRUSTSTORE_FILE="$SONAR_SSL_FOLDER/truststore.p12"
 SONAR_SSL_TRUSTSTORE_PASSWORD=changeit
 if [ -f "$SONAR_SSL_TRUSTSTORE_FILE" ]; then
  ALIAS_SONAR_IS_PRESENT=true
  "$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
    -storetype PKCS12 \
    -keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
    -storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
    -noprompt \
    -trustcacerts \
    -list -v -alias sonar > /dev/null 2>&1 || {
      ALIAS_SONAR_IS_PRESENT=false
      echo "Existing Scanner truststore $SONAR_SSL_TRUSTSTORE_FILE does not contain 'sonar' alias"
    }
  if [[ $ALIAS_SONAR_IS_PRESENT == "true" ]]; then
    echo "Removing 'sonar' alias from already existing Scanner truststore: $SONAR_SSL_TRUSTSTORE_FILE"
    "$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
      -storetype PKCS12 \
      -keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
      -storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
      -noprompt \
      -trustcacerts \
      -delete \
      -alias sonar
  fi
 fi
 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  echo "Adding SSL certificate to the Scanner truststore"
  rm -f $RUNNER_TEMP/tmpcert.pem
  echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
  mkdir -p "$SONAR_SSL_FOLDER"
  "$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
    -storetype PKCS12 \
    -keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
    -storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
    -noprompt \
    -trustcacerts \
    -importcert \
    -alias sonar \
    -file "$RUNNER_TEMP/tmpcert.pem"
  scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
 fi
 scanner_args+=("$@")
 set -ux
 $SCANNER_BIN "${scanner_args[@]}"
--- a/scripts/sanity-checks.sh
+++ b/scripts/sanity-checks.sh
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
@@ -0,0 +1,25 @@
 #!/bin/bash
 check_status() {
  exit_status=$?
  if [ $exit_status -ne 0 ]; then
    echo "::error::$1"
    exit $exit_status
  fi
 }
 realpath() {
  case ${RUNNER_OS} in
    Windows)
      cygpath --absolute --windows "$1"
    ;;
    Linux)
      readlink -f "$1"
    ;;
    macOS)
      # installed by coreutils package
      greadlink -f "$1"
    ;;
  esac
 }
--- a/11
+++ b/11
@@ -0,0 +1,11 @@
 sonar-scanner-version=6.2.1.4610
 sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-windows-x64.zip
 sonar-scanner-sha-windows-x64=b7de8d75c43093e0353e6a3147c3720cafac1c38da96bc61123657197086a1c9
 sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-linux-x64.zip
 sonar-scanner-sha-linux-x64=0b8a3049f0bd5de7abc1582c78c233960d3d4ed7cc983a1d1635e8552f8bb439
 sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-linux-aarch64.zip
 sonar-scanner-sha-linux-aarch64=f67819e7a52ed4c28b541baa5bca0621446314de148f889d7d2d7ff239808f0c
 sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-macosx-x64.zip
 sonar-scanner-sha-macosx-x64=471348fcb912584f093cebf28114322455979d2cceb1654e0a7990da50add94f
 sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-macosx-aarch64.zip
 sonar-scanner-sha-macosx-aarch64=583b1ed386b6f61ddfbb39c0ae169355e96a8e1852b0210a5a5ca4f7487347c1
Author	SHA1	Message	Date
Aleksandra Bozhinoska	689fb39b34	SQSCANGHA-121 Add vulnerability warning	2025-09-25 14:31:06 +02:00
Antonio Aversa	bfd4e558cd	SQSCANGHA-77 Change title back to SonarQube Scan Action (#166 )	2024-12-17 10:59:50 +01:00
Antonio Aversa	26c51824c8	SQSCANGHA-76 Support self-hosted runners not clearing truststore after run (#165 )	2024-12-17 09:19:42 +01:00
Antonio Aversa	0ab314b63d	SQSCANGHA-75 Support self-hosted runners not clearing temp after run (#164 )	2024-12-16 10:45:31 +01:00
Bilgin Aksoy	ea0362bf7b	Force unzip without prompt in sonar scanner installation when files already exist (#163 )	2024-12-16 10:40:37 +01:00
Talisson Galho	d1fd0ebe22	README: required programs for self-hosted and container (#162 ) Co-authored-by: Antonio Aversa <antonio.aversa@sonarsource.com>	2024-12-16 10:32:38 +01:00
Antonio Aversa	00e62e1190	SQCPPGHA-9 Extend action to support C, C++, and Objective-C projects (#161 )	2024-12-16 10:24:14 +01:00
Pavel Mikula	844ce2710b	Add Jira integration	2024-12-09 11:25:32 +01:00
Antonio Aversa	a36db763ac	SQSCANGHA-64 Shorten action description to respect 125 chars limit (#157 )	2024-12-09 10:56:27 +01:00