SonarSource/sonarqube-scan-action
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: SonarSource:v4.1.0
Branches Tags
SonarSource:master SonarSource:update-to-sonar-scanner-8.0.1.6346 SonarSource:update-to-sonar-scanner-8.0.0.6341 SonarSource:br-v4.2.1 SonarSource:br-v5.3.1 SonarSource:jh/fix_qa SonarSource:jh/update_version SonarSource:jh/SQSCANGHA-48_update_cirrus
SonarSource:v4 SonarSource:v4.2.2 SonarSource:v4.2 SonarSource:v5 SonarSource:v5.3.2 SonarSource:v5.3 SonarSource:v6.0 SonarSource:v6 SonarSource:v6.0.0 SonarSource:v5.3.1 SonarSource:v5.3.0 SonarSource:v5.2 SonarSource:v5.2.0 SonarSource:v5.1 SonarSource:v5.1.0 SonarSource:v5.0 SonarSource:v5.0.0 SonarSource:v4.2.1 SonarSource:v4.2.0 SonarSource:v4.1.0 SonarSource:v4.1 SonarSource:v4.0 SonarSource:v4.0.0 SonarSource:v3 SonarSource:v3.1 SonarSource:v3.1.0 SonarSource:v3.0 SonarSource:v3.0.0 SonarSource:v2.3 SonarSource:v2.3.0 SonarSource:v2 SonarSource:v2.2 SonarSource:v2.2.0 SonarSource:v2.1 SonarSource:v2.1.0 SonarSource:v2.0 SonarSource:v2.0.2 SonarSource:v2.0.1 SonarSource:v2.0.0 SonarSource:v1 SonarSource:v1.2 SonarSource:v1.2.0 SonarSource:v1.1.0 SonarSource:v1.0.0
...
compare: SonarSource:v5.2
Branches Tags
SonarSource:update-to-sonar-scanner-8.0.1.6346 SonarSource:update-to-sonar-scanner-8.0.0.6341 SonarSource:master SonarSource:br-v4.2.1 SonarSource:br-v5.3.1 SonarSource:jh/fix_qa SonarSource:jh/update_version SonarSource:jh/SQSCANGHA-48_update_cirrus
SonarSource:v4 SonarSource:v4.2.2 SonarSource:v4.2 SonarSource:v5 SonarSource:v5.3.2 SonarSource:v5.3 SonarSource:v6.0 SonarSource:v6 SonarSource:v6.0.0 SonarSource:v5.3.1 SonarSource:v5.3.0 SonarSource:v5.2 SonarSource:v5.2.0 SonarSource:v5.1 SonarSource:v5.1.0 SonarSource:v5.0 SonarSource:v5.0.0 SonarSource:v4.2.1 SonarSource:v4.2.0 SonarSource:v4.1.0 SonarSource:v4.1 SonarSource:v4.0 SonarSource:v4.0.0 SonarSource:v3 SonarSource:v3.1 SonarSource:v3.1.0 SonarSource:v3.0 SonarSource:v3.0.0 SonarSource:v2.3 SonarSource:v2.3.0 SonarSource:v2 SonarSource:v2.2 SonarSource:v2.2.0 SonarSource:v2.1 SonarSource:v2.1.0 SonarSource:v2.0 SonarSource:v2.0.2 SonarSource:v2.0.1 SonarSource:v2.0.0 SonarSource:v1 SonarSource:v1.2 SonarSource:v1.2.0 SonarSource:v1.1.0 SonarSource:v1.0.0

25 Commits
v4.1.0 ... v5.2

Author SHA1 Message Date
csaba-feher-sonarsource
2500896589 SQSCANGHA-92 Validate scanner version (#189) 
Co-authored-by: Julien HENRY <julien.henry@sonarsource.com>
 2025-05-05 17:48:40 +02:00
csaba-feher-sonarsource
73bc64cb64 SQSCANGHA-94 Update version update logic (#188) 2025-05-05 17:48:00 +02:00
csaba-feher-sonarsource
7d51dd28ef SQSCANGHA-93 Fix madhead/semver-utils' version (#187) 
Co-authored-by: Julien HENRY <julien.henry@sonarsource.com>
 2025-05-05 17:47:42 +02:00
Julien HENRY
be0a85295f SQSCANGHA-89 Fix possible command injection 
It is unlikely to be a real concern, since an attacker having the possibility to edit a pipeline can easily execute any command, but at least our step won't be involved
 2025-04-29 12:17:00 +02:00
Pierre
12d7d00f02 SQSCANGHA-90 remove mend dead conf (#184) 2025-04-24 11:33:26 +02:00
SonarTech
aa494459d7 SQSCANGHA-85 Update SonarScanner CLI to 7.1.0.4889 to support sonar.region=us 2025-03-24 15:16:27 +01:00
Aleksandra Bozhinoska
1474b34972 SQSCANGHA-87 Fix the new version in version update (#182) 2025-03-24 14:38:55 +01:00
Pavel Mikula
961628671d SQSCANGHA-86 Autoclose issues created by Jira integration (#179) 2025-03-10 10:47:13 +01:00
Maikel van den Hurk
f932b663ac NO-JIRA docs(readme): use consistently vars.SONAR_HOST_URL 2025-02-20 14:56:24 +01:00
Adam Setch
550777f6eb NO-JIRA Remove superfluous space from action description 2025-02-20 12:02:15 +01:00
SonarTech
0303d6b62e Update SonarScanner CLI to 7.0.2.4839 2025-02-14 14:05:04 +01:00
Julien HENRY
3ed7560138 SQSCANGHA-82 Automate the update of the Scanner CLI version 2025-02-14 12:33:25 +01:00
Julien HENRY
73cb22d49a Fix permission of the version_update workflow 2025-02-10 14:27:00 +01:00
github-actions[bot]
994c850d7a SQSCANGHA-81 Update SonarScanner CLI to 7.0.1.4817 (#171) 
Co-authored-by: SonarTech <sonartech@sonarsource.com>
 2025-02-10 14:25:57 +01:00
Pierre
7622374390 SQSCANGHA-79 Update CODEOWNERS (#170) 2025-02-07 16:44:54 +01:00
Julien HENRY
6bbc1364b8 SQSCANGHA-59 Use the new way of having theme sensitive images. 2025-01-21 15:25:30 +01:00
Przemek
d6b87b0feb DOC-403 Update links in the README.md file to the documentation (#167) 
Co-authored-by: Antonio Aversa <antonio.aversa@sonarsource.com>
 2025-01-08 15:22:30 +01:00
Antonio Aversa
bfd4e558cd SQSCANGHA-77 Change title back to SonarQube Scan Action (#166) 2024-12-17 10:59:50 +01:00
Antonio Aversa
26c51824c8 SQSCANGHA-76 Support self-hosted runners not clearing truststore after run (#165) 2024-12-17 09:19:42 +01:00
Antonio Aversa
0ab314b63d SQSCANGHA-75 Support self-hosted runners not clearing temp after run (#164) 2024-12-16 10:45:31 +01:00
Bilgin Aksoy
ea0362bf7b Force unzip without prompt in sonar scanner installation when files already exist (#163) 2024-12-16 10:40:37 +01:00
Talisson Galho
d1fd0ebe22 README: required programs for self-hosted and container (#162) 
Co-authored-by: Antonio Aversa <antonio.aversa@sonarsource.com>
 2024-12-16 10:32:38 +01:00
Antonio Aversa
00e62e1190 SQCPPGHA-9 Extend action to support C, C++, and Objective-C projects (#161) 2024-12-16 10:24:14 +01:00
Pavel Mikula
844ce2710b Add Jira integration 2024-12-09 11:25:32 +01:00
Antonio Aversa
a36db763ac SQSCANGHA-64 Shorten action description to respect 125 chars limit (#157) 2024-12-09 10:56:27 +01:00
31 changed files with 1617 additions and 86 deletions
Expand all files Collapse all files

4
.cirrus/wss-unified-agent.config
View File

@@ -1,4 +0,0 @@
docker.projectNameFormat=repositoryNameAndTag
docker.scanImages=true
wss.url=https://saas-eu.whitesourcesoftware.com/agent
productName=GitHubAction/SonarQubeScanAction

2
.github/CODEOWNERS vendored
View File

@@ -1 +1 @@
.github/CODEOWNERS @sonarsource/analysis-experience-squad
.github/CODEOWNERS @sonarsource/orchestration-processing-squad

7
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -1,3 +1,10 @@
<!--
Only for standalone PRs without Jira issue in the PR title:
* Replace this comment with Epic ID to create a new Task in Jira
* Replace this comment with Issue ID to create a new Sub-Task in Jira
* Ignore or delete this note to create a new Task in Jira without a parent
-->
Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. If you would like to see a new feature, please create a new thread in the forum ["Suggest new features"](https://community.sonarsource.com/c/suggestions/features).
With that in mind, if you would like to submit a code contribution, make sure that you adhere to the following guidelines and all tests are passing:

28
.github/workflows/PullRequestClosed.yml vendored Normal file
View File

@@ -0,0 +1,28 @@
name: Pull Request Closed
on:
pull_request:
types: [closed]
jobs:
PullRequestClosed_job:
name: Pull Request Closed
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
# For external PR, ticket should be moved manually
if: |
github.event.pull_request.head.repo.full_name == github.repository
steps:
- id: secrets
uses: SonarSource/vault-action-wrapper@v3
with:
secrets: |
development/kv/data/jira user | JIRA_USER;
development/kv/data/jira token | JIRA_TOKEN;
- uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2
with:
github-token: ${{secrets.GITHUB_TOKEN}}
jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

29
.github/workflows/PullRequestCreated.yml vendored Normal file
View File

@@ -0,0 +1,29 @@
name: Pull Request Created
on:
pull_request:
types: ["opened"]
jobs:
PullRequestCreated_job:
name: Pull Request Created
runs-on: ubuntu-latest
permissions:
id-token: write
# For external PR, ticket should be created manually
if: |
github.event.pull_request.head.repo.full_name == github.repository
steps:
- id: secrets
uses: SonarSource/vault-action-wrapper@v3
with:
secrets: |
development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
development/kv/data/jira user | JIRA_USER;
development/kv/data/jira token | JIRA_TOKEN;
- uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2
with:
github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
jira-project: SQSCANGHA

28
.github/workflows/RequestReview.yml vendored Normal file
View File

@@ -0,0 +1,28 @@
name: Request review
on:
pull_request:
types: ["review_requested"]
jobs:
RequestReview_job:
name: Request review
runs-on: ubuntu-latest
permissions:
id-token: write
# For external PR, ticket should be moved manually
if: |
github.event.pull_request.head.repo.full_name == github.repository
steps:
- id: secrets
uses: SonarSource/vault-action-wrapper@v3
with:
secrets: |
development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
development/kv/data/jira user | JIRA_USER;
development/kv/data/jira token | JIRA_TOKEN;
- uses: sonarsource/gh-action-lt-backlog/RequestReview@v2
with:
github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

30
.github/workflows/SubmitReview.yml vendored Normal file
View File

@@ -0,0 +1,30 @@
name: Submit Review
on:
pull_request_review:
types: [submitted]
jobs:
SubmitReview_job:
name: Submit Review
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
# For external PR, ticket should be moved manually
if: |
github.event.pull_request.head.repo.full_name == github.repository
&& (github.event.review.state == 'changes_requested'
|| github.event.review.state == 'approved')
steps:
- id: secrets
uses: SonarSource/vault-action-wrapper@v3
with:
secrets: |
development/kv/data/jira user | JIRA_USER;
development/kv/data/jira token | JIRA_TOKEN;
- uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2
with:
github-token: ${{secrets.GITHUB_TOKEN}}
jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

87
.github/workflows/qa-deprecated-c-cpp.yml vendored Normal file
View File

@@ -0,0 +1,87 @@
name: QA Deprecated C and C++ action
on:
push:
branches:
- master
pull_request:
types: [opened, synchronize, reopened]
jobs:
output-test:
name: Action outputs
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
cache: [true, false]
include:
- arch: X64
- os: macos-latest
arch: ARM64
runs-on: ${{ matrix.os }}
steps:
# Specifying a specific architecture of the runner is not possible for Github hosted runners
# We can only check if the runner architecture matches the expected one
- name: check_runner_arch
shell: bash
run: |
echo "Runner architecture: ${{ runner.arch }}"
if [[ "${{ runner.arch }}" != "${{ matrix.arch }}" ]]; then
echo "##[error]Runner architecture does not match the expected one"
exit 1
fi
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Run SonarQube C/C++ action
id: run-action
uses: ./deprecated-c-cpp
env:
SONAR_HOST_URL: 'https://next.sonarqube.com/sonarqube/'
with:
cache-binaries: ${{ matrix.cache }}
- name: SONAR_HOST_URL is set
shell: bash
run: |
[[ $SONAR_HOST_URL == "https://next.sonarqube.com/sonarqube/" ]]
- name: sonar-scanner is installed and in PATH
run: |
sonar-scanner --help | grep "usage: sonar-scanner "
- name: sonar-scanner-binary output is correct
shell: bash
env:
BINARY: ${{ steps.run-action.outputs.sonar-scanner-binary }}
run: |
"$BINARY" --help | grep "usage: sonar-scanner "
# build-wrapper does not have --help or equivalent option.
# Pass to few arguments and ignore error code
- name: build-wrapper is installed and in PATH on Windows
if: runner.os == 'Windows'
shell: bash
run: |
(build-wrapper-win-x86-64.exe || true) | grep "build-wrapper, version "
- name: build-wrapper is installed and in PATH on Linux
if: runner.os == 'Linux'
shell: bash
run: |
(build-wrapper-linux-x86-64 || true) | grep "build-wrapper, version "
- name: build-wrapper is installed and in PATH on macOS
if: runner.os == 'macOs'
shell: bash
run: |
(build-wrapper-macosx-x86 || true) | grep "build-wrapper, version "
- name: build-wrapper-binary output is correct
shell: bash
env:
BINARY: ${{ steps.run-action.outputs.build-wrapper-binary }}
run: |
("$BINARY" || true) | grep "build-wrapper, version "

69
.github/workflows/qa-install-build-wrapper.yml vendored Normal file
View File

@@ -0,0 +1,69 @@
name: QA Install Build Wrapper action
on:
push:
branches:
- master
pull_request:
types: [opened, synchronize, reopened]
jobs:
output-test:
name: Action outputs
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
cache: [true, false]
include:
- arch: X64
- os: macos-latest
arch: ARM64
runs-on: ${{ matrix.os }}
steps:
# Specifying a specific architecture of the runner is not possible for Github hosted runners
# We can only check if the runner architecture matches the expected one
- name: check_runner_arch
shell: bash
run: |
echo "Runner architecture: ${{ runner.arch }}"
if [[ "${{ runner.arch }}" != "${{ matrix.arch }}" ]]; then
echo "##[error]Runner architecture does not match the expected one"
exit 1
fi
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Run SonarQube C/C++ action
id: run-action
uses: ./install-build-wrapper
env:
SONAR_HOST_URL: 'https://next.sonarqube.com/sonarqube/'
# build-wrapper does not have --help or equivalent option.
# Pass to few arguments and ignore error code
- name: build-wrapper is installed and in PATH on Windows
if: runner.os == 'Windows'
shell: bash
run: |
(build-wrapper-win-x86-64.exe || true) | grep "build-wrapper, version "
- name: build-wrapper is installed and in PATH on Linux
if: runner.os == 'Linux'
shell: bash
run: |
(build-wrapper-linux-x86-64 || true) | grep "build-wrapper, version "
- name: build-wrapper is installed and in PATH on macOS
if: runner.os == 'macOs'
shell: bash
run: |
(build-wrapper-macosx-x86 || true) | grep "build-wrapper, version "
- name: build-wrapper-binary output is correct
shell: bash
env:
BINARY: ${{ steps.run-action.outputs.build-wrapper-binary }}
run: |
("$BINARY" || true) | grep "build-wrapper, version "

219
.github/workflows/qa.yml → .github/workflows/qa-main.yml vendored
View File

@@ -1,4 +1,4 @@
name: QA
name: QA Main action
on:
push:
@@ -38,13 +38,39 @@ jobs:
- name: Run action with args
uses: ./
with:
args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value"
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert
run: |
./test/assertFileContains ./output.properties "sonar.someArg=aValue"
./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
argsInputInjectionTest:
name: >
'args' input with command injection will fail
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.someArg=aValue && echo "Injection"
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Fail if action succeeded
if: steps.runTest.outcome == 'success'
run: exit 1
- name: Assert the scanner was not called
run: |
./test/assertFileDoesntExist ./output.properties
projectBaseDirInputTest:
name: >
'projectBaseDir' input
@@ -333,7 +359,7 @@ jobs:
- name: Run action with SONARCLOUD_URL
uses: ./
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
args: -Dsonar.scanner.apiBaseUrl=api.mirror.sonarcloud.io -Dsonar.scanner.internal.dumpToFile=./output.properties
env:
SONARCLOUD_URL: mirror.sonarcloud.io
SONAR_TOKEN: FAKE_TOKEN
@@ -449,6 +475,7 @@ jobs:
id: runTest
uses: ./
with:
scannerVersion: 6.2.1.4610
scannerBinariesUrl: http://localhost:8080/clientRedirectToSonarBinaries
env:
NO_CACHE: true
@@ -619,3 +646,189 @@ jobs:
- name: Assert failure of previous step
if: steps.wrong_ssl_certificate.outcome == 'success'
run: exit 1
overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
name: >
'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create a dummy SCANNER_LOCAL_FOLDER with dummy content in it
run: |
SCANNER_VERSION="6.2.1.4610"
SCANNER_LOCAL_FOLDER="$RUNNER_TEMP/sonar-scanner-cli-$SCANNER_VERSION-$RUNNER_OS-$RUNNER_ARCH"
# emit SCANNER_VERSION and SCANNER_LOCAL_FOLDER to be able to read them in the next steps
echo "SCANNER_VERSION=$SCANNER_VERSION" >> $GITHUB_ENV
echo "SCANNER_LOCAL_FOLDER=$SCANNER_LOCAL_FOLDER" >> $GITHUB_ENV
mkdir -p "$SCANNER_LOCAL_FOLDER"
touch "$SCANNER_LOCAL_FOLDER/some_content.txt"
- name: Assert SCANNER_LOCAL_FOLDER exists and dummy file is in it
run: |
[ -d "$SCANNER_LOCAL_FOLDER" ] || exit 1
[ -f "$SCANNER_LOCAL_FOLDER/some_content.txt" ] || exit 1
- name: Run action with SONAR_SCANNER_TEMP
uses: ./
env:
NO_CACHE: true # force install-sonar-scanner-cli.sh execution
SONAR_SCANNER_TEMP: /tmp/sonar-scanner
SONAR_HOST_URL: http://not_actually_used
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
scannerVersion: ${{ env.SCANNER_VERSION }}
- name: Assert SCANNER_LOCAL_FOLDER exists and dummy file is not in it
run: |
[ -d "$SCANNER_LOCAL_FOLDER" ] || exit 1
[ ! -f "$SCANNER_LOCAL_FOLDER/some_content.txt" ] || exit 1
updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
name: >
truststore.p12 is updated when present
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
run: |
SONAR_SSL_FOLDER=~/.sonar/ssl
mkdir -p "$SONAR_SSL_FOLDER"
touch "$SONAR_SSL_FOLDER/not-truststore.p12"
# emit SONAR_SSL_FOLDER to be able to read it in the next steps
echo "SONAR_SSL_FOLDER=$SONAR_SSL_FOLDER" >> $GITHUB_ENV
- name: Assert truststore.p12 does not file exists
run: |
[ ! -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
- name: Run action with SONAR_ROOT_CERT
uses: ./
env:
# NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed
SONAR_HOST_URL: http://not_actually_used
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIUXK4LyGUFe4ZVL93StPXCoJzmnLMwDQYJKoZIhvcNAQEL
BQAwTzELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2Vu
ZXZhMQ8wDQYDVQQKDAZTZXJ2ZXIxDTALBgNVBAsMBERlcHQwHhcNMjQxMTAxMDgx
MzM3WhcNMzQxMDMwMDgxMzM3WjBPMQswCQYDVQQGEwJDSDEPMA0GA1UECAwGR2Vu
ZXZhMQ8wDQYDVQQHDAZHZW5ldmExDzANBgNVBAoMBlNlcnZlcjENMAsGA1UECwwE
RGVwdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK5m0V6IFFykib77
nmlN7weS9q3D6YGEj+8hRNQViL9KduUoLjoKpONIihU5kfIg+5SkGygjHRkBvIp3
b0HQqhkwtGln3/FxxaSfGEguLHgzXR8JDQSyJ8UKIGOPCH93n1rUip5Ok1iExVup
HtkiVDRoCC9cRjZXbGOKrO6VBT4RvakpkaqCdXYikV244B5ElM7kdFdz8fso78Aq
xekb9dM0f21uUaDBKCIhRcxWeafp0CJIoejTq0+PF7qA2qIY5UHqWElWO5NsvQ8+
MqKkIdsOa1pYNuH/5eQ59k9KSE92ps1xTKweW000GfPqxx8IQ/e4aAd2SaMTKvN6
aac6piWBeJ7AssgWwkg/3rnZB5seQIrWjIUePmxJ4c0g0eL9cnVpYF0K/Dldle/G
wg0zi1g709rBI1TYj9xwrivxSwEQupz8OdKqOmgqrKHJJ/CCLl+JdFYjgwl3NWLH
wsU639H1bMXIJoQujg9U47e9fXbwiqdkMQzt7rPGkOBBaAkSctAReiXnWy+CbVEM
QFHDrnD5YUJRd5t/DUuWuqhR2QhfUvRClPUKoVqB/iOu2IumlgDEDA8jb1dxEW+W
iaYokQCS94OpxOJ8aeReSt9bghT0vc9ifCLWvuE1iBjujdK32ekKSY9DCZyBHXsG
J9N1nt1qd/k7QqWOkuPjr1JrTIMbAgMBAAGjaTBnMB0GA1UdDgQWBBQw4ESReEk+
AIxwjHRqPkESzMv1bTAfBgNVHSMEGDAWgBQw4ESReEk+AIxwjHRqPkESzMv1bTAP
BgNVHRMBAf8EBTADAQH/MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0B
AQsFAAOCAgEAE8WefoZN23aOSe79ZN7zRBWP8DdPgFAqg5XUhfc9bCIVfJ4XMpEe
3lzRhgjwDm4naEs35QWOhPZH2vx8XrEKnZNI6vKO8JzaCsivgngk8bsWnvhwSXy5
eFdc99K+FOmOHevDmeiimoQnikffnSULRhQYzE2Qwyo9iky8703/+D3IKEC/8exC
rlyGMUV/Nqj+4M+57DiZ6OXeFuunfoFB7vmcDZygqDhKoHhVRyu8qN6PeK2fvUFK
EjeRtvA0GkdlOtLIF2g5yBTK2ykkt/oLUoAolfYUTKcoV2/FS0gVR5ovmEpKyBcP
H9hzr16a8dtrEqOf/oKHQSLwxn8afmS354HJ75sq9SujOtIWpHfyH5IgqtUpiBN/
bzvKs/QZjtGlqvquOTkdh9L4oxTXqG7zEStZyo/v9g5jf1Tq195b2DNFwVUZIcbb
u2d4CvAZ1yNr+8ax/kTwBSY8WU+mCtmvowFstdvsJXVXJKnUO6EZOdbg0GxTBVyE
zMsnPcnkOwV5TJIKKhonrgrwmPmQ9IOV9BrThVxujjjEbAdA6jM9PMiXzuDukldm
QBRwNbczGbdsHkMKHmQnrTqOyQyI4KCXF08kcOm4C1P+Whrvi0DXkqHnyKvBE0td
dciInBoeHwUs2eclz7gP7pMBJUlFUkKfQxwxGLIqZSXnlAFBfW6hHLI=
-----END CERTIFICATE-----
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert not-truststore.p12 file still exists
run: |
[ -f "$SONAR_SSL_FOLDER/not-truststore.p12" ] || exit 1
- name: Assert truststore.p12 file now exists and take note of modification time
run: |
[ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
# emit the modification time of the truststore.p12 file to be able to read it in the next steps
TRUSTSTORE_P12_MOD_TIME_T1=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
echo "TRUSTSTORE_P12_MOD_TIME_T1=$TRUSTSTORE_P12_MOD_TIME_T1" >> $GITHUB_ENV
- name: Run action a second time with a different SONAR_ROOT_CERT
uses: ./
env:
# NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed
SONAR_HOST_URL: http://not_actually_used
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
Tk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD
VQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG
9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4
MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi
ZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl
aWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO
NoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS
KOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d
1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8
BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n
bK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar
Q4/67OZfHd7R+POBXhophSMv1ZOo
-----END CERTIFICATE-----
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert truststore.p12 still exists, but it has been updated, and take note of modification time
run: |
[ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
TRUSTSTORE_P12_MOD_TIME_T2=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
[ "$TRUSTSTORE_P12_MOD_TIME_T1" != "$TRUSTSTORE_P12_MOD_TIME_T2" ] || exit 1
# emit the modification time of the truststore.p12 file to be able to read it in the next steps
echo "TRUSTSTORE_P12_MOD_TIME_T2=$TRUSTSTORE_P12_MOD_TIME_T2" >> $GITHUB_ENV
- name: Remove sonar alias from truststore.p12
run: keytool -delete -alias sonar -keystore "$SONAR_SSL_FOLDER/truststore.p12" -storepass changeit
- name: Run action a third time
uses: ./
env:
# NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed
SONAR_HOST_URL: http://not_actually_used
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
Tk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD
VQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG
9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4
MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi
ZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl
aWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO
NoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS
KOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d
1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8
BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n
bK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar
Q4/67OZfHd7R+POBXhophSMv1ZOo
-----END CERTIFICATE-----
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert truststore.p12 still exists, and it has been updated again
run: |
[ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
TRUSTSTORE_P12_MOD_TIME_T3=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
[ "$TRUSTSTORE_P12_MOD_TIME_T2" != "$TRUSTSTORE_P12_MOD_TIME_T3" ] || exit 1
scannerVersionValidationTest:
name: >
'scannerVersion' input validation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with invalid scannerVersion
id: invalid_version
uses: ./
continue-on-error: true
with:
scannerVersion: "7.1.0-SNAPSHOT"
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
- name: Assert failure of previous step
if: steps.invalid_version.outcome == 'success'
run: |
echo "Action with invalid scannerVersion should have failed but succeeded"
exit 1

351
.github/workflows/qa-scripts.yml vendored Normal file
View File

@@ -0,0 +1,351 @@
name: QA Scripts
on:
push:
branches:
- master
pull_request:
types: [opened, synchronize, reopened]
jobs:
create-install-dir-test:
name: create_install_path.sh
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Existing
shell: bash
env:
INSTALL_PATH: '.sonar'
run: |
echo "- Create dir"
mkdir -p "${INSTALL_PATH}"
echo "- Test script behavior"
./scripts/create_install_path.sh > output
grep -v "::error::" output
- name: Non-existing nested in current dir
shell: bash
env:
INSTALL_PATH: '.sonar'
run: |
./scripts/create_install_path.sh > output
grep -v "::error::" output
test -d "${INSTALL_PATH}"
- name: Nonexisting nested in home
shell: bash
env:
INSTALL_PATH: '~/third_party/.sonar'
run: |
./scripts/create_install_path.sh > output
grep -v "::error::" output
test -d "${INSTALL_PATH}"
- name: Empty install dir specified
shell: bash
env:
INSTALL_PATH: ''
run: |
(./scripts/create_install_path.sh || echo "=== Script failed ===") > output
grep "::error::Empty installation path specified" output
grep "=== Script failed ===" output
- name: No permission to create directory
shell: bash
env:
INSTALL_PATH: '/non_creatable'
run: |
(./scripts/create_install_path.sh || echo "=== Script failed ===") > output
grep "::error::Failed to create non-existing installation path '/non_creatable'" output
grep "=== Script failed ===" output
- name: Existing but not directory
shell: bash
env:
INSTALL_PATH: 'not_directory'
run: |
echo "- Create normal file"
echo "content" > "${INSTALL_PATH}"
echo "- Test script behavior"
(./scripts/create_install_path.sh || echo "=== Script failed ===") > output
grep "::error::Installation path 'not_directory' is not a directory" output
grep "=== Script failed ===" output
- name: Existing but not readable
shell: bash
env:
INSTALL_PATH: 'not_readable'
run: |
echo "- Create dir and make it not readable"
mkdir -p "${INSTALL_PATH}"
chmod -r "${INSTALL_PATH}"
echo "- Test script behavior"
(./scripts/create_install_path.sh || echo "=== Script failed ===") > output
grep "::error::Installation path 'not_readable' is not readable" output
grep "=== Script failed ===" output
- name: Existing but not writeable
shell: bash
env:
INSTALL_PATH: 'not_writeable'
run: |
echo "- Create dir and make it not writeable"
mkdir -p "${INSTALL_PATH}"
chmod -w "${INSTALL_PATH}"
echo "- Test script behavior"
(./scripts/create_install_path.sh || echo "=== Script failed ===") > output
grep "::error::Installation path 'not_writeable' is not writeable" output
grep "=== Script failed ===" output
setup-script-test:
name: configure_paths.sh
runs-on: ubuntu-latest
env:
INSTALL_PATH: 'install-directory'
SONAR_HOST_URL: 'http://sonar-host.com'
SONAR_SCANNER_VERSION: 'vX.Y.Z.MMMM'
SONAR_SCANNER_URL_WINDOWS_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-windows-x64.zip'
SONAR_SCANNER_SHA_WINDOWS_X64: 'DOWNLOAD-SHA-WINDOWS-X64'
SONAR_SCANNER_URL_LINUX_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-x64.zip'
SONAR_SCANNER_SHA_LINUX_X64: 'DOWNLOAD-SHA-LINUX-X64'
SONAR_SCANNER_URL_LINUX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-aarch64.zip'
SONAR_SCANNER_SHA_LINUX_AARCH64: 'DOWNLOAD-SHA-LINUX-AARCH64'
SONAR_SCANNER_URL_MACOSX_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-x64.zip'
SONAR_SCANNER_SHA_MACOSX_X64: 'DOWNLOAD-SHA-MACOSX-X64'
SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Windows
shell: bash
env:
OS: 'Windows'
ARCH: 'X64'
run: |
./scripts/configure_paths.sh > output
grep -v "::error::" output
echo "- Check sonar-scanner:"
grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-windows-x64.zip" output
grep "sonar-scanner-sha=DOWNLOAD-SHA-WINDOWS-X64" output
grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-windows-x64" output
grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-windows-x64/bin/sonar-scanner.bat" output
echo "- Check build-wrapper:"
grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-win-x86.zip" output
grep "build-wrapper-dir=install-directory/build-wrapper-win-x86" output
grep "build-wrapper-bin=install-directory/build-wrapper-win-x86/build-wrapper-win-x86-64.exe" output
- name: Linux X64
shell: bash
env:
OS: 'Linux'
ARCH: 'X64'
run: |
./scripts/configure_paths.sh > output
grep -v "::error::" output
echo "- Check sonar-scanner:"
grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-x64.zip" output
grep "sonar-scanner-sha=DOWNLOAD-SHA-LINUX-X64" output
grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-x64" output
grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-x64/bin/sonar-scanner" output
echo "- Check build-wrapper:"
grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-linux-x86.zip" output
grep "build-wrapper-dir=install-directory/build-wrapper-linux-x86" output
grep "build-wrapper-bin=install-directory/build-wrapper-linux-x86/build-wrapper-linux-x86-64" output
- name: Linux ARM64
shell: bash
env:
OS: 'Linux'
ARCH: 'ARM64'
run: |
./scripts/configure_paths.sh > output
grep -v "::error::" output
echo "- Check sonar-scanner:"
grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-aarch64.zip" output
grep "sonar-scanner-sha=DOWNLOAD-SHA-LINUX-AARCH64" output
grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-aarch64" output
grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-aarch64/bin/sonar-scanner" output
echo "- Check build-wrapper:"
grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-linux-aarch64.zip" output
grep "build-wrapper-dir=install-directory/build-wrapper-linux-aarch64" output
grep "build-wrapper-bin=install-directory/build-wrapper-linux-aarch64/build-wrapper-linux-aarch64" output
- name: macOSX_X64
shell: bash
env:
OS: 'macOS'
ARCH: 'X64'
run: |
./scripts/configure_paths.sh > output
grep -v "::error::" output
echo "- Check sonar-scanner:"
grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-x64.zip" output
grep "sonar-scanner-sha=DOWNLOAD-SHA-MACOSX-X64" output
grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-x64" output
grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-x64/bin/sonar-scanner" output
echo "- Check build-wrapper:"
grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-macosx-x86.zip" output
grep "build-wrapper-dir=install-directory/build-wrapper-macosx-x86" output
grep "build-wrapper-bin=install-directory/build-wrapper-macosx-x86/build-wrapper-macosx-x86" output
- name: macOSX_ARM64
shell: bash
env:
OS: 'macOS'
ARCH: 'ARM64'
run: |
./scripts/configure_paths.sh > output
grep -v "::error::" output
echo "- Check sonar-scanner:"
grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip" output
grep "sonar-scanner-sha=DOWNLOAD-SHA-MACOSX-AARCH64" output
grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-aarch64" output
grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-aarch64/bin/sonar-scanner" output
echo "- Check build-wrapper:"
grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-macosx-x86.zip" output
grep "build-wrapper-dir=install-directory/build-wrapper-macosx-x86" output
grep "build-wrapper-bin=install-directory/build-wrapper-macosx-x86/build-wrapper-macosx-x86" output
- name: Unsupported OS
shell: bash
env:
OS: 'unsupportedOS'
ARCH: 'X64'
run: |
(./scripts/configure_paths.sh || echo "=== Script failed ===") > output
echo "- Check errors:"
grep "::error::Unsupported runner OS 'unsupportedOS'" output
grep "=== Script failed ===" output
- name: Unsupported architecture
shell: bash
env:
OS: 'Linux'
ARCH: 'X86'
run: |
(./scripts/configure_paths.sh || echo "=== Script failed ===") > output
echo "- Check errors:"
grep "::error::Architecture 'X86' is unsupported by build-wrapper" output
grep "=== Script failed ===" output
download-script-test:
name: download.sh
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Download test without validation
shell: bash
env:
INSTALL_PATH: 'install-directory-no-sha-validation'
DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
EXPECTED_SHA: 'incorrect-sha-not-validated'
TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
run: |
./scripts/download.sh > output
test -f "$TMP_ZIP_PATH"
grep -v "::error::" output
- name: Download test with validation
shell: bash
env:
INSTALL_PATH: 'install-directory-sha-validation'
DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
EXPECTED_SHA: '9411331814c1d002bd65d37758b872918b7602e7cf3ca5b83a3e19a729b2be05'
TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
run: |
./scripts/download.sh -v > output
test -f "$TMP_ZIP_PATH"
grep -v "::error::" output
- name: Incorrect install dir
shell: bash
env:
INSTALL_PATH: ''
run: |
(./scripts/download.sh || echo "=== Script failed ===") > output
grep "::error::Failed to create" output
grep "=== Script failed ===" output
- name: Incorrect download url
shell: bash
env:
INSTALL_PATH: 'install-directory-incorrect-url'
DOWNLOAD_URL: 'incorrect-url'
run: |
(./scripts/download.sh || echo "=== Script failed ===") > output
grep "::error::Failed to download 'incorrect-url'" output
grep "=== Script failed ===" output
- name: Incorrect SHA256
shell: bash
env:
INSTALL_PATH: 'install-directory-incorrect-sha'
DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
EXPECTED_SHA: 'incorrect-sha256'
TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
run: |
(./scripts/download.sh -v || echo "=== Script failed ===") > output
grep "::error::Checking sha256 failed" output
grep "=== Script failed ===" output
- name: Mismatching SHA256
shell: bash
env:
INSTALL_PATH: 'install-directory-mismtaching-sha'
DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
EXPECTED_SHA: '3e121d85a4adb1f30b917d5f3eb897966b59e02c3d6d313a78dcd964193dc963'
TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
run: |
(./scripts/download.sh -v || echo "=== Script failed ===") > output
grep "::error::Checking sha256 failed" output
grep "=== Script failed ===" output
fetch-latest-version-test:
name: fetch_latest_version.sh
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Test script
shell: bash
run: |
./scripts/fetch_latest_version.sh > output
echo "- Check sonar-scanner version:"
grep "sonar-scanner-version=" output
SONAR_SCANNER_VERSION=$(cat output | cut -d= -f 2)
test ! -z "${SONAR_SCANNER_VERSION}"
echo "- Check windows sonar-scanner URLs:"
grep "sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-windows-x64.zip" output
grep -e "^sonar-scanner-sha-windows-x64=[0-9A-Fa-f]\+$" output
echo "- Check linux sonar-scanner URLs:"
grep "sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip" output
grep -e "^sonar-scanner-sha-linux-x64=[0-9A-Fa-f]\+$" output
grep "sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip" output
grep -e "^sonar-scanner-sha-linux-aarch64=[0-9A-Fa-f]\+$" output
echo "- Check macosx sonar-scanner URLs:"
grep "sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip" output
grep -e "^sonar-scanner-sha-linux-x64=[0-9A-Fa-f]\+$" output
grep "sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip" output
grep -e "^sonar-scanner-sha-linux-aarch64=[0-9A-Fa-f]\+$" output

2
.github/workflows/update-tags.yml vendored
View File

@@ -16,7 +16,7 @@ jobs:
uses: actions/checkout@v4
- name: Parse semver
uses: madhead/semver-utils@v4
uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # v4.3.0
id: version
with:
version: ${{ github.ref_name }}

78
.github/workflows/version_update.yml vendored Normal file
View File

@@ -0,0 +1,78 @@
name: sonar-scanner version check
on:
workflow_dispatch:
schedule:
- cron: '15 10 * * *'
jobs:
check-version:
name: Check for sonar-scanner version update
runs-on: ubuntu-latest
outputs:
should_update: ${{ steps.version-check.outputs.should_update }}
latest_version: ${{ steps.latest-version.outputs.latest }}
steps:
- run: sudo apt install -y jq
- run: sudo snap install yq
- uses: actions/checkout@v4
with:
ref: master
persist-credentials: true
fetch-depth: 0
- name: "Fetch currently used sonar-scanner version"
id: tagged-version
shell: bash
run: cat sonar-scanner-version >> $GITHUB_OUTPUT
- name: "Fetch latest sonar-scanner version"
id: latest-version
shell: bash
run: |
./scripts/fetch_latest_version.sh > sonar-scanner-version
echo "latest=$(cat sonar-scanner-version)" >> $GITHUB_OUTPUT
- name: "Determine if update is needed"
id: version-check
shell: bash
run: |
if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.latest }}" ]]; then
echo "should_update=true" >> $GITHUB_OUTPUT
else
echo "should_update=false" >> $GITHUB_OUTPUT
fi
update-version:
name: Prepare pull request for sonar-scanner version update
needs: check-version
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
if: needs.check-version.outputs.should_update == 'true'
steps:
- name: "Update default version"
shell: bash
env:
NEW_VERSION: ${{ needs.check-version.outputs.latest-version }}
run: |
yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
- name: "Create Pull Request for version update"
shell: bash
env:
UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.latest-version }}
TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.latest-version }}"
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.name "SonarTech"
git config --global user.email "sonartech@sonarsource.com"
git checkout -b ${UPDATE_BRANCH}
git add sonar-scanner-version
git add action.yml
git commit -m "${TITLE}"
git push --force-with-lease origin ${UPDATE_BRANCH}
gh pr list
if [[ $(gh pr list -H "${UPDATE_BRANCH}" | grep "${UPDATE_BRANCH}" | wc -l) -eq 0 ]]; then
gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic updated of sonar-scanner version value. Needs to be tagged for release."
fi

163
README.md
View File

@@ -1,9 +1,11 @@
# Scan your code with SonarQube [![QA](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa.yml)
# Scan your code with SonarQube [![QA Main](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml) [![QA Install Build Wrapper](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml) [![QA Scripts](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml) [![QA Deprecated C and C++ Action](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml)
This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).
![Logo](./images/SQ_Logo_Server_Cloud_Dark_Backgrounds.png#gh-dark-mode-only)
![Logo](./images/SQ_Logo_Server_Cloud_Light_Backgrounds.png#gh-light-mode-only)
<picture>
<source media="(prefers-color-scheme: dark)" srcset="./images/SQ_Logo_Server_Cloud_Dark_Backgrounds.png">
<img alt="SonarQube Logo" src="./images/SQ_Logo_Server_Cloud_Light_Backgrounds.png">
</picture>
SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) and [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarQube and SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection.
@@ -11,6 +13,9 @@ It helps developers detect coding issues in 30+ languages, frameworks, and IaC p
The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability.
> [!NOTE]
> This action now supports and is the official entrypoint for scanning C, C++, Objective-C and Dart projects via GitHub actions.
## Requirements
### Server
@@ -38,7 +43,11 @@ sonar.projectKey=<replace with the key generated when setting up the project on
sonar.sources=.
```
The workflow, usually declared under `.github/workflows`, looks like:
In the following cases:
- for projects that don't have C, C++, or Objective-C in them
- for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper)
the workflow, usually declared under `.github/workflows`, looks like the following:
```yaml
on:
@@ -62,12 +71,70 @@ jobs:
# Disabling shallow clones is recommended for improving the relevancy of reporting
fetch-depth: 0
- name: SonarQube Scan
uses: sonarsource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
```
For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
```yaml
# Trigger analysis when pushing to your main branches, and when creating a pull request.
push:
branches:
- main
- master
- develop
- 'releases/**'
pull_request:
types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
sonarqube:
runs-on: ubuntu-latest
env:
BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
steps:
- uses: actions/checkout@v4
with:
# Disabling shallow clone is recommended for improving relevancy of reporting
fetch-depth: 0
- name: Install Build Wrapper
uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
env:
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
- name: Run Build Wrapper
run: |
# Here goes your compilation wrapped with Build Wrapper
# For more information, see https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper
# build-preparation steps
# build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
with:
# Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
args: >
--define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
```
If you are using SonarQube Server 10.5 or earlier, use `sonar.cfamily.build-wrapper-output` instead of `sonar.cfamily.compile-commands` in the `args` property of the last step, as Build Wrapper does not generate a `compile_commands.json` file before SonarQube Server 10.6.
It should look like this:
```yaml
with:
args: >
--define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
```
See also [example configurations of C++ projects for SonarQube Server](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sq&type=repositories).
### Cloud
```properties
@@ -79,7 +146,11 @@ sonar.projectKey=<replace with the key generated when setting up the project on
sonar.sources=.
```
The workflow, usually declared under `.github/workflows`, looks like:
In the following cases:
- for projects that don't have C, C++, or Objective-C in them
- for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper)
the workflow, usually declared under `.github/workflows`, looks like the following:
```yaml
on:
@@ -103,17 +174,62 @@ jobs:
# Disabling shallow clones is recommended for improving the relevancy of reporting
fetch-depth: 0
- name: SonarQube Scan
uses: sonarsource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
```yaml
# Trigger analysis when pushing to your main branches, and when creating a pull request.
push:
branches:
- main
- master
- develop
- 'releases/**'
pull_request:
types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
sonarqube:
runs-on: ubuntu-latest
env:
BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
steps:
- uses: actions/checkout@v4
with:
# Disabling shallow clone is recommended for improving relevancy of reporting
fetch-depth: 0
- name: Install Build Wrapper
uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
- name: Run Build Wrapper
run: |
# Here goes your compilation wrapped with Build Wrapper
# For more information, see https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper
# build-preparation steps
# build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
with:
# Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
args: >
--define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
```
See also [example configurations of C++ projects for SonarQube Cloud](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sc&type=repositories).
## Action parameters
You can change the analysis base directory by using the optional input `projectBaseDir` like this:
```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
projectBaseDir: app/src
```
@@ -121,7 +237,7 @@ You can change the analysis base directory by using the optional input `projectB
In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option:
```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
scannerVersion: 6.2.0.4584
```
@@ -129,7 +245,7 @@ In case you need to specify the version of the Sonar Scanner, you can use the `s
In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option:
```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
projectBaseDir: app/src
args: >
@@ -147,7 +263,7 @@ The specified URL overrides the default address: `https://binaries.sonarsource.c
This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet:
```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
```
@@ -159,14 +275,13 @@ More information about possible analysis parameters can be found:
### Environment variables
- `SONAR_TOKEN` **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the documentation of SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
- *`GITHUB_TOKEN` Provided by Github (see [Authenticating with the GITHUB_TOKEN](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token)).*
- `SONAR_HOST_URL` this tells the scanner where SonarQube Server is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Variables" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). Not needed for SonarQube Cloud.
- `SONAR_ROOT_CERT` Holds an additional certificate (in PEM format) that is used to validate the certificate of SonarQube Server or of a secured proxy to SonarQube (Server or Cloud). You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore:
```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
- uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
@@ -176,23 +291,35 @@ Here is an example of how you can pass a certificate (in PEM format) to the Scan
If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this:
```yaml
- uses: sonarsource/sonarqube-scan-action@<action version>
- uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # or https://sonarcloud.io
LC_ALL: "ru_RU.UTF-8"
```
## Alternatives for Java, .NET, and C/C++ projects
## Alternatives for Java and .NET
This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives:
* Your code is built with Maven. Read the documentation about our SonarScanner for Maven in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/).
* Your code is built with Gradle. Read the documentation about our SonarScanner for Gradle in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-gradle/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/).
* You want to analyze a .NET solution. Read the documentation about our SonarScanner for .NET in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/dotnet/introduction/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/).
* You want to analyze C or C++ code. Starting from SonarQube 10.6, this GitHub Action will scan C and C++ out of the box. If you want to have better control over the scan configuration/setup, you can switch to:
* the [SonarQube Server Scan for C and C++](https://github.com/marketplace/actions/sonarqube-scan-for-c-and-c) GitHub Action, for projects on SonarQube Server
* the [SonarQube Cloud Scan for C and C++](https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c) GitHub Action, for projects on SonarQube Cloud - look at [our sample C and C++ project](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=).
## Do not use this GitHub action if you are in the following situations
* You want to run the action on C, C++, or Objective-C projects on a 32-bits system - build wrappers support only 64-bits OS.
## Self-hosted runner or container
When running the action in a self-hosted runner or container, please ensure that the following programs are installed:
* **curl** or **wget**
* **unzip**
## Additional information
The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.
## Have questions or feedback?

27
action.yml
View File

@@ -1,9 +1,8 @@
name: Official SonarQube (Server, Cloud) Scan
name: Official SonarQube Scan
# Warning: changing name would change URL in the marketplace
description: >
Scan your code with SonarQube Server and Cloud to detect coding
issues in 30+ languages, frameworks, and IaC platforms.
The solution also provides fix recommendations leveraging AI with
Sonar's AI CodeFix capability. (Formerly SonarQube and SonarCloud)
Scan your code with SonarQube Server and Cloud to detect issues in 30+ languages. (Formerly SonarQube and SonarCloud)
branding:
icon: check
color: green
@@ -17,7 +16,8 @@ inputs:
scannerVersion:
description: Version of the Sonar Scanner CLI to use
required: false
default: 6.2.1.4610
# to be kept in sync with sonar-scanner-version
default: 7.1.0.4889
scannerBinariesUrl:
description: URL to download the Sonar Scanner CLI binaries from
required: false
@@ -26,19 +26,23 @@ runs:
using: "composite"
steps:
- name: Sanity checks
run: ${GITHUB_ACTION_PATH}/sanity-checks.sh
run: ${GITHUB_ACTION_PATH}/scripts/sanity-checks.sh
shell: bash
env:
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
- name: Load Sonar Scanner CLI from cache
id: sonar-scanner-cli
uses: actions/cache@v4.0.2
uses: actions/cache@v4
env:
# The default value is 60mins. Reaching timeout is treated the same as a cache miss.
SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
with:
path: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}
key: sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}
- name: Install Sonar Scanner CLI
if: ${{ env.NO_CACHE == 'true' || steps.sonar-scanner-cli.outputs.cache-hit != 'true' }}
run: ${GITHUB_ACTION_PATH}/install-sonar-scanner-cli.sh
run: ${GITHUB_ACTION_PATH}/scripts/install-sonar-scanner-cli.sh
shell: bash
env:
INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
@@ -47,7 +51,10 @@ runs:
run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
shell: bash
- name: Run SonarScanner
run: ${GITHUB_ACTION_PATH}/run-sonar-scanner.sh ${{ inputs.args }}
run: |
args=(${{ inputs.args }})
cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
"${cmd[@]}"
shell: bash
env:
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}

134
deprecated-c-cpp/action.yml Normal file
View File

@@ -0,0 +1,134 @@
name: 'SonarQube Scan for C and C++'
description: 'Scan your C and C++ code with SonarQube to detect bugs, vulnerabilities and code smells.'
branding:
icon: check
color: green
inputs:
installation-path:
description: 'Directory where the sonar-scanner and build wrapper will be installed. Created if does not exists.'
required: false
default: '.sonar'
cache-binaries:
description: 'Controls if installed binaries are cached using GitHub cache.'
required: false
default: 'true'
outputs:
sonar-scanner-binary:
description: "Absolute path to sonar-scanner binary."
value: ${{ steps.setup-outputs.outputs.sonar-scanner-binary }}
build-wrapper-binary:
description: "Absolute path to build-wrapper binary."
value: ${{ steps.setup-outputs.outputs.build-wrapper-binary }}
runs:
using: "composite"
steps:
# install packaged required for greadlink and sha256sum command on macOS
- name: Install required packages for macOS
if: runner.os == 'macOS'
shell: bash
run: brew install coreutils
- name: Set SONAR_HOST_URL to 'https://sonarcloud.io'
if: env.SONAR_HOST_URL == ''
shell: bash
run: |
echo "Setting SONAR_HOST_URL to 'https://sonarcloud.io'"
echo "SONAR_HOST_URL=https://sonarcloud.io" >> $GITHUB_ENV
- name: Verify and create installation path
shell: bash
env:
INSTALL_PATH: ${{ inputs.installation-path }}
run: ${GITHUB_ACTION_PATH}/../scripts/create_install_path.sh
- name: Set version of sonar-scanner
id: sonar-scanner-version
shell: bash
run: cat ${GITHUB_ACTION_PATH}/../sonar-scanner-version >> $GITHUB_OUTPUT
- name: Configure paths
id: configure_paths
shell: bash
env:
OS: ${{ runner.os }}
ARCH: ${{ runner.arch }}
INSTALL_PATH: ${{ inputs.installation-path }}
SONAR_SCANNER_VERSION: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-version }}
SONAR_SCANNER_URL_WINDOWS_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-windows-x64 }}
SONAR_SCANNER_SHA_WINDOWS_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-windows-x64 }}
SONAR_SCANNER_URL_LINUX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-linux-x64 }}
SONAR_SCANNER_SHA_LINUX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-linux-x64 }}
SONAR_SCANNER_URL_LINUX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-linux-aarch64 }}
SONAR_SCANNER_SHA_LINUX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-linux-aarch64 }}
SONAR_SCANNER_URL_MACOSX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-macosx-x64 }}
SONAR_SCANNER_SHA_MACOSX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-macosx-x64 }}
SONAR_SCANNER_URL_MACOSX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-macosx-aarch64 }}
SONAR_SCANNER_SHA_MACOSX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-macosx-aarch64 }}
run: ${GITHUB_ACTION_PATH}/../scripts/configure_paths.sh >> $GITHUB_OUTPUT
- name: Cache sonar-scanner installation
id: cache-sonar-tools
if: inputs.cache-binaries == 'true'
uses: actions/cache@v4
env:
# The default value is 60mins. Reaching timeout is treated the same as a cache miss.
SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
with:
key: sonar-scanner-${{ runner.os }}-${{ runner.arch }}-${{ steps.sonar-scanner-version.outputs.sonar-scanner-version }}
path: ${{ steps.configure_paths.outputs.sonar-scanner-dir }}
- name: Download and install sonar-scanner
if: steps.cache-sonar-tools.outputs.cache-hit != 'true'
shell: bash
env:
DOWNLOAD_URL: ${{ steps.configure_paths.outputs.sonar-scanner-url }}
EXPECTED_SHA: ${{ steps.configure_paths.outputs.sonar-scanner-sha }}
INSTALL_PATH: ${{ inputs.installation-path }}
TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
run: ${GITHUB_ACTION_PATH}/../scripts/download.sh -v
- name: Add the custom root certificate to java certificate store
shell: bash
run: ${GITHUB_ACTION_PATH}/../scripts/cert.sh
- name: Download and install build-wrapper
shell: bash
env:
DOWNLOAD_URL: ${{ steps.configure_paths.outputs.build-wrapper-url }}
INSTALL_PATH: ${{ inputs.installation-path }}
TMP_ZIP_PATH: ${{ runner.temp }}/build-wrapper.zip
run: ${GITHUB_ACTION_PATH}/../scripts/download.sh
- name: Setup action outputs
id: setup-outputs
shell: bash
env:
SONAR_SCANNER_DIR: ${{ steps.configure_paths.outputs.sonar-scanner-dir }}
SONAR_SCANNER_BIN: ${{ steps.configure_paths.outputs.sonar-scanner-bin }}
BUILD_WRAPPER_DIR: ${{ steps.configure_paths.outputs.build-wrapper-dir }}
BUILD_WRAPPER_BIN: ${{ steps.configure_paths.outputs.build-wrapper-bin }}
run: |
source ${GITHUB_ACTION_PATH}/../scripts/utils.sh
echo "::group::Action outputs"
echo "SONAR_HOST_URL=${SONAR_HOST_URL}" >> $GITHUB_ENV
echo "'SONAR_HOST_URL' environment variable set to '${SONAR_HOST_URL}'"
SONAR_SCANNER_BIN_DIR=$(realpath "${SONAR_SCANNER_DIR}/bin")
echo "${SONAR_SCANNER_BIN_DIR}" >> $GITHUB_PATH
echo "'${SONAR_SCANNER_BIN_DIR}' added to the path"
SONAR_SCANNER_BIN=$(realpath "${SONAR_SCANNER_BIN}")
echo "sonar-scanner-binary=${SONAR_SCANNER_BIN}" >> $GITHUB_OUTPUT
echo "'sonar-scanner-binary' output set to '${SONAR_SCANNER_BIN}'"
BUILD_WRAPPER_BIN_DIR=$(realpath "${BUILD_WRAPPER_DIR}")
echo "${BUILD_WRAPPER_BIN_DIR}" >> $GITHUB_PATH
echo "'${BUILD_WRAPPER_BIN_DIR}' added to the path"
BUILD_WRAPPER_BIN=$(realpath "${BUILD_WRAPPER_BIN}")
echo "build-wrapper-binary=${BUILD_WRAPPER_BIN}" >> $GITHUB_OUTPUT
echo "'build-wrapper-binary' output set to '${BUILD_WRAPPER_BIN}'"
echo "::endgroup::"

62
install-build-wrapper/action.yml Normal file
View File

@@ -0,0 +1,62 @@
name: 'Install Build Wrapper for C and C++'
description: >
Download and install the Build Wrapper for C, C++, and Objective-C
projects analyzed with manual config.
branding:
icon: check
color: green
outputs:
build-wrapper-binary:
description: "Absolute path to Build Wrapper binary."
value: ${{ steps.setup-outputs.outputs.build-wrapper-binary }}
runs:
using: "composite"
steps:
# install packaged required for greadlink and sha256sum command on macOS
- name: Install required packages for macOS
if: runner.os == 'macOS'
shell: bash
run: brew install coreutils
- name: Set SONAR_HOST_URL to 'https://sonarcloud.io'
if: env.SONAR_HOST_URL == ''
shell: bash
run: |
echo "Setting SONAR_HOST_URL to 'https://sonarcloud.io'"
echo "SONAR_HOST_URL=https://sonarcloud.io" >> $GITHUB_ENV
- name: Configure paths
id: configure_paths
shell: bash
env:
OS: ${{ runner.os }}
ARCH: ${{ runner.arch }}
INSTALL_PATH: ${{ runner.temp }} # TODO: or .sonar, if RUNNER_TEMP creates problem with caching and self-hosted runners
run: ${GITHUB_ACTION_PATH}/../scripts/configure_paths.sh >> $GITHUB_OUTPUT
- name: Download and install Build Wrapper
shell: bash
env:
DOWNLOAD_URL: ${{ steps.configure_paths.outputs.build-wrapper-url }}
TMP_ZIP_PATH: ${{ runner.temp }}/build-wrapper-${{ inputs.configure_paths.sonar-scanner-version }}-${{ runner.os }}-${{ runner.arch }}.zip
INSTALL_PATH: ${{ runner.temp }} # TODO: or .sonar, if RUNNER_TEMP creates problem with caching and self-hosted runners
run: ${GITHUB_ACTION_PATH}/../scripts/download.sh
- name: Setup action outputs
id: setup-outputs
shell: bash
env:
BUILD_WRAPPER_DIR: ${{ steps.configure_paths.outputs.build-wrapper-dir }}
BUILD_WRAPPER_BIN: ${{ steps.configure_paths.outputs.build-wrapper-bin }}
run: |
source ${GITHUB_ACTION_PATH}/../scripts/utils.sh
BUILD_WRAPPER_BIN_DIR=$(realpath "${BUILD_WRAPPER_DIR}")
echo "${BUILD_WRAPPER_BIN_DIR}" >> $GITHUB_PATH
echo "'${BUILD_WRAPPER_BIN_DIR}' added to the path"
BUILD_WRAPPER_BIN=$(realpath "${BUILD_WRAPPER_BIN}")
echo "build-wrapper-binary=${BUILD_WRAPPER_BIN}" >> $GITHUB_OUTPUT
echo "'build-wrapper-binary' output set to '${BUILD_WRAPPER_BIN}'"
echo "::endgroup::"

41
run-sonar-scanner.sh
View File

@@ -1,41 +0,0 @@
#!/bin/bash
set -eo pipefail
if [[ "$RUNNER_OS" == "Windows" ]]; then
SCANNER_BIN="sonar-scanner.bat"
else
SCANNER_BIN="sonar-scanner"
fi
scanner_args=()
if [[ ${SONARCLOUD_URL} ]]; then
scanner_args+=("-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}")
fi
if [[ "$RUNNER_DEBUG" == '1' ]]; then
scanner_args+=('--debug')
fi
if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
fi
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
echo "Adding SSL certificate to the Scanner truststore"
rm -f $RUNNER_TEMP/tmpcert.pem
echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
# Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
# keytool require a password > 6 characters, so we wan't use the default password 'sonar'
store_pass=changeit
mkdir -p ~/.sonar/ssl
$SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore ~/.sonar/ssl/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
scanner_args+=("-Dsonar.scanner.truststorePassword=$store_pass")
fi
scanner_args+=("$@")
set -ux
$SCANNER_BIN "${scanner_args[@]}"

8
scripts/cert.sh Executable file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
echo "Adding custom root certificate to java certificate store"
rm -f /tmp/tmpcert.pem
echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
fi

71
scripts/configure_paths.sh Executable file
View File

@@ -0,0 +1,71 @@
#!/bin/bash
if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"
exit 1
fi
case ${OS} in
Windows)
SONAR_SCANNER_SUFFIX="windows-x64"
BUILD_WRAPPER_SUFFIX="win-x86"
SONAR_SCANNER_NAME="sonar-scanner.bat"
BUILD_WRAPPER_NAME="build-wrapper-win-x86-64.exe"
SONAR_SCANNER_URL="${SONAR_SCANNER_URL_WINDOWS_X64}"
SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_WINDOWS_X64}"
;;
Linux)
case ${ARCH} in
X64)
SONAR_SCANNER_SUFFIX="linux-x64"
BUILD_WRAPPER_SUFFIX="linux-x86"
BUILD_WRAPPER_NAME="build-wrapper-linux-x86-64"
SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_X64}"
SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_X64}"
;;
ARM64)
SONAR_SCANNER_SUFFIX="linux-aarch64"
BUILD_WRAPPER_SUFFIX="linux-aarch64"
BUILD_WRAPPER_NAME="build-wrapper-linux-aarch64"
SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_AARCH64}"
SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_AARCH64}"
;;
esac
SONAR_SCANNER_NAME="sonar-scanner"
;;
macOS)
case ${ARCH} in
X64)
SONAR_SCANNER_SUFFIX="macosx-x64"
SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_X64}"
SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_X64}"
;;
ARM64)
SONAR_SCANNER_SUFFIX="macosx-aarch64"
SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_AARCH64}"
SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_AARCH64}"
;;
esac
BUILD_WRAPPER_SUFFIX="macosx-x86"
SONAR_SCANNER_NAME="sonar-scanner"
BUILD_WRAPPER_NAME="build-wrapper-macosx-x86"
;;
*)
echo "::error::Unsupported runner OS '${OS}'"
exit 1
;;
esac
echo "sonar-scanner-url=${SONAR_SCANNER_URL}"
echo "sonar-scanner-sha=${SONAR_SCANNER_SHA}"
SONAR_SCANNER_DIR="${INSTALL_PATH}/sonar-scanner-${SONAR_SCANNER_VERSION}-${SONAR_SCANNER_SUFFIX}"
echo "sonar-scanner-dir=${SONAR_SCANNER_DIR}"
echo "sonar-scanner-bin=${SONAR_SCANNER_DIR}/bin/${SONAR_SCANNER_NAME}"
BUILD_WRAPPER_DIR="${INSTALL_PATH}/build-wrapper-${BUILD_WRAPPER_SUFFIX}"
echo "build-wrapper-url=${SONAR_HOST_URL%/}/static/cpp/build-wrapper-${BUILD_WRAPPER_SUFFIX}.zip"
echo "build-wrapper-dir=${BUILD_WRAPPER_DIR}"
echo "build-wrapper-bin=${BUILD_WRAPPER_DIR}/${BUILD_WRAPPER_NAME}"

26
scripts/create_install_path.sh Executable file
View File

@@ -0,0 +1,26 @@
#!/bin/bash
source "$(dirname -- "$0")/utils.sh"
echo "Installation path is '${INSTALL_PATH}'"
test ! -z "${INSTALL_PATH}"
check_status "Empty installation path specified"
if [[ ! -e "${INSTALL_PATH}" ]]; then
mkdir -p "${INSTALL_PATH}"
check_status "Failed to create non-existing installation path '${INSTALL_PATH}'"
fi
ABSOLUTE_INSTALL_PATH=$(realpath "${INSTALL_PATH}")
echo "Absolute installation path is '${ABSOLUTE_INSTALL_PATH}'"
test -d "${INSTALL_PATH}"
check_status "Installation path '${INSTALL_PATH}' is not a directory (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
test -r "${INSTALL_PATH}"
check_status "Installation path '${INSTALL_PATH}' is not readable (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
test -w "${INSTALL_PATH}"
check_status "Installation path '${INSTALL_PATH}' is not writeable (absolute path is '${ABSOLUTE_INSTALL_PATH}')"

58
scripts/download.sh Executable file
View File

@@ -0,0 +1,58 @@
#!/bin/bash
source "$(dirname -- "$0")/utils.sh"
VERIFY_CORRECTNESS=false
help() {
cat <<EOF
Usage: ./download [-v]
-h Display help
-v Verify correctness of a download with SHA256 checksum; Optional
EOF
}
parse_arguments() {
while getopts "hv" arg; do
case $arg in
v)
VERIFY_CORRECTNESS=true
echo "Verify correctness is set to true"
;;
?)
help
exit 0
;;
esac
done
}
verify_download_correctness() {
echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
check_status "Checking sha256 failed"
}
download() {
echo "Downloading '${DOWNLOAD_URL}'"
mkdir -p "${INSTALL_PATH}"
check_status "Failed to create ${INSTALL_PATH}"
curl -sSLo "${TMP_ZIP_PATH}" "${DOWNLOAD_URL}"
check_status "Failed to download '${DOWNLOAD_URL}'"
}
decompress() {
echo "Decompressing"
unzip -o -d "${INSTALL_PATH}" "${TMP_ZIP_PATH}"
check_status "Failed to unzip the archive into '${INSTALL_PATH}'"
}
####################################################################################
echo "::group::Download ${DOWNLOAD_URL}"
parse_arguments $@
download
if [ "$VERIFY_CORRECTNESS" = true ]; then
verify_download_correctness
fi
decompress
echo "::endgroup::"

25
scripts/fetch_latest_version.sh Executable file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
source "$(dirname -- "$0")/utils.sh"
SONAR_SCANNER_VERSION=$(curl -sSL -H "Accept: application/vnd.github+json" \
https://api.github.com/repos/SonarSource/sonar-scanner-cli/releases/latest | jq -r '.tag_name')
check_status "Failed to fetch latest sonar-scanner version from GitHub API"
echo "sonar-scanner-version=${SONAR_SCANNER_VERSION}"
for OS in windows linux macosx; do
if [[ "$OS" == "windows" ]]; then
ARCHS=("x64")
else
ARCHS=("x64" "aarch64")
fi
for ARCH in "${ARCHS[@]}"; do
SONAR_SCANNER_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-${OS}-${ARCH}.zip"
SONAR_SCANNER_SHA=$(curl -sSL "${SONAR_SCANNER_URL}.sha256")
check_status "Failed to download ${OS} ${ARCH} sonar-scanner checksum from '${SONAR_SCANNER_URL}'"
echo "sonar-scanner-url-${OS}-${ARCH}=${SONAR_SCANNER_URL}"
echo "sonar-scanner-sha-${OS}-${ARCH}=${SONAR_SCANNER_SHA}"
done
done

12
install-sonar-scanner-cli.sh → scripts/install-sonar-scanner-cli.sh
View File

@@ -46,7 +46,15 @@ else
exit 1
fi
unzip -q $SCANNER_FILE_NAME
unzip -q -o $SCANNER_FILE_NAME
SCANNER_UNZIP_FOLDER="sonar-scanner-$INPUT_SCANNERVERSION-$FLAVOR"
# Folder name should correspond to the directory cached by the actions/cache
mv sonar-scanner-$INPUT_SCANNERVERSION-$FLAVOR $RUNNER_TEMP/sonar-scanner-cli-$INPUT_SCANNERVERSION-$RUNNER_OS-$RUNNER_ARCH
SCANNER_LOCAL_FOLDER="$RUNNER_TEMP/sonar-scanner-cli-$INPUT_SCANNERVERSION-$RUNNER_OS-$RUNNER_ARCH"
if [ -d "$SCANNER_LOCAL_FOLDER" ]; then
echo "::warning title=SonarScanner::Cleaning existing scanner folder: $SCANNER_LOCAL_FOLDER"
rm -rf "$SCANNER_LOCAL_FOLDER"
fi
mv -f "$SCANNER_UNZIP_FOLDER" "$SCANNER_LOCAL_FOLDER"

81
scripts/run-sonar-scanner-cli.sh Executable file
View File

@@ -0,0 +1,81 @@
#!/bin/bash
set -eo pipefail
if [[ "$RUNNER_OS" == "Windows" ]]; then
SCANNER_BIN="sonar-scanner.bat"
else
SCANNER_BIN="sonar-scanner"
fi
scanner_args=()
if [[ ${SONARCLOUD_URL} ]]; then
scanner_args+=("-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}")
fi
if [[ "$RUNNER_DEBUG" == '1' ]]; then
scanner_args+=('--debug')
fi
if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
fi
# The SSL folder may exist on an uncleaned self-hosted runner
SONAR_SSL_FOLDER=~/.sonar/ssl
# Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
# keytool requires a password > 6 characters, so we won't use the default password 'sonar'
KEYTOOL_MAIN_CLASS=sun.security.tools.keytool.Main
SONAR_SSL_TRUSTSTORE_FILE="$SONAR_SSL_FOLDER/truststore.p12"
SONAR_SSL_TRUSTSTORE_PASSWORD=changeit
if [ -f "$SONAR_SSL_TRUSTSTORE_FILE" ]; then
ALIAS_SONAR_IS_PRESENT=true
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
-storetype PKCS12 \
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
-noprompt \
-trustcacerts \
-list -v -alias sonar > /dev/null 2>&1 || {
ALIAS_SONAR_IS_PRESENT=false
echo "Existing Scanner truststore $SONAR_SSL_TRUSTSTORE_FILE does not contain 'sonar' alias"
}
if [[ $ALIAS_SONAR_IS_PRESENT == "true" ]]; then
echo "Removing 'sonar' alias from already existing Scanner truststore: $SONAR_SSL_TRUSTSTORE_FILE"
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
-storetype PKCS12 \
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
-noprompt \
-trustcacerts \
-delete \
-alias sonar
fi
fi
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
echo "Adding SSL certificate to the Scanner truststore"
rm -f $RUNNER_TEMP/tmpcert.pem
echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
mkdir -p "$SONAR_SSL_FOLDER"
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
-storetype PKCS12 \
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
-noprompt \
-trustcacerts \
-importcert \
-alias sonar \
-file "$RUNNER_TEMP/tmpcert.pem"
scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
fi
scanner_args+=("$@")
set -ux
$SCANNER_BIN "${scanner_args[@]}"

5
sanity-checks.sh → scripts/sanity-checks.sh
View File

@@ -2,6 +2,11 @@
set -eo pipefail
if [[ ! "${INPUT_SCANNERVERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "::error title=SonarScanner::Invalid scannerVersion format. Expected format: x.y.z.w (e.g., 7.1.0.4889)"
exit 1
fi
if [[ -z "${SONAR_TOKEN}" ]]; then
echo "::warning title=SonarScanner::Running this GitHub Action without SONAR_TOKEN is not recommended"
fi

25
scripts/utils.sh Executable file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
check_status() {
exit_status=$?
if [ $exit_status -ne 0 ]; then
echo "::error::$1"
exit $exit_status
fi
}
realpath() {
case ${RUNNER_OS} in
Windows)
cygpath --absolute --windows "$1"
;;
Linux)
readlink -f "$1"
;;
macOS)
# installed by coreutils package
greadlink -f "$1"
;;
esac
}

11
sonar-scanner-version Normal file
View File

@@ -0,0 +1,11 @@
sonar-scanner-version=7.1.0.4889
sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-windows-x64.zip
sonar-scanner-sha-windows-x64=64c5154d3d924eb2e03386f10eecb3ec4132298e2c1bf0b60a0d0195cd51a555
sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-x64.zip
sonar-scanner-sha-linux-x64=b4d2a001d65b489f9effe1ea8a78495db1b152f124d7f7b058aad8651c7e1484
sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-aarch64.zip
sonar-scanner-sha-linux-aarch64=7948ccde77843829b87d41815ead669486f681cd38b0b0893006083a9b6f6b5c
sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-x64.zip
sonar-scanner-sha-macosx-x64=08ad1e75994d91a17016ce55248d0827b62a757b263917234ea2d89bee8f136d
sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-aarch64.zip
sonar-scanner-sha-macosx-aarch64=9ad8c5da9e9665c065328b86adb3f33ef43801347ecb3ff1ec27d598ac37b449

8
test/assertFileContains
View File

@@ -1,10 +1,14 @@
#!/bin/bash
set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
assertFileExists $1
scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
if ! grep -q $2 $1; then
$scriptDir/assertFileExists "$1"
if ! grep -q "$2" "$1"; then
error "'$2' not found in '$1'"
exit 1
fi

4
test/assertFileDoesntExist
View File

@@ -1,8 +1,10 @@
#!/bin/bash
set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
if [ -f $1 ]; then
if [ -f "$1" ]; then
error "File '$1' found"
exit 1
fi

4
test/assertFileExists
View File

@@ -1,8 +1,10 @@
#!/bin/bash
set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
if [ ! -f $1 ]; then
if [ ! -f "$1" ]; then
error "File '$1' not found"
exit 1
fi