Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
2500896589 | ||
|
|
73bc64cb64 | ||
|
|
7d51dd28ef | ||
|
be0a85295f | ||
|
12d7d00f02 | ||
|
aa494459d7 | ||
|
1474b34972 | ||
|
961628671d | ||
|
f932b663ac | ||
|
550777f6eb |
@@ -1,4 +0,0 @@
|
||||
docker.projectNameFormat=repositoryNameAndTag
|
||||
docker.scanImages=true
|
||||
wss.url=https://saas-eu.whitesourcesoftware.com/agent
|
||||
productName=GitHubAction/SonarQubeScanAction
|
||||
5
.github/workflows/PullRequestClosed.yml
vendored
5
.github/workflows/PullRequestClosed.yml
vendored
@@ -5,8 +5,8 @@ on:
|
||||
types: [closed]
|
||||
|
||||
jobs:
|
||||
PullRequestMerged_job:
|
||||
name: Pull Request Merged
|
||||
PullRequestClosed_job:
|
||||
name: Pull Request Closed
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
id-token: write
|
||||
@@ -14,7 +14,6 @@ jobs:
|
||||
# For external PR, ticket should be moved manually
|
||||
if: |
|
||||
github.event.pull_request.head.repo.full_name == github.repository
|
||||
&& github.event.pull_request.merged
|
||||
steps:
|
||||
- id: secrets
|
||||
uses: SonarSource/vault-action-wrapper@v3
|
||||
|
||||
53
.github/workflows/qa-main.yml
vendored
53
.github/workflows/qa-main.yml
vendored
@@ -38,13 +38,39 @@ jobs:
|
||||
- name: Run action with args
|
||||
uses: ./
|
||||
with:
|
||||
args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
|
||||
args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value"
|
||||
env:
|
||||
SONAR_HOST_URL: http://not_actually_used
|
||||
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
|
||||
- name: Assert
|
||||
run: |
|
||||
./test/assertFileContains ./output.properties "sonar.someArg=aValue"
|
||||
./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
|
||||
argsInputInjectionTest:
|
||||
name: >
|
||||
'args' input with command injection will fail
|
||||
strategy:
|
||||
matrix:
|
||||
os: [ ubuntu-latest, windows-latest, macos-latest ]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with args
|
||||
uses: ./
|
||||
continue-on-error: true
|
||||
with:
|
||||
args: -Dsonar.someArg=aValue && echo "Injection"
|
||||
env:
|
||||
SONAR_HOST_URL: http://not_actually_used
|
||||
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
|
||||
- name: Fail if action succeeded
|
||||
if: steps.runTest.outcome == 'success'
|
||||
run: exit 1
|
||||
- name: Assert the scanner was not called
|
||||
run: |
|
||||
./test/assertFileDoesntExist ./output.properties
|
||||
projectBaseDirInputTest:
|
||||
name: >
|
||||
'projectBaseDir' input
|
||||
@@ -333,7 +359,7 @@ jobs:
|
||||
- name: Run action with SONARCLOUD_URL
|
||||
uses: ./
|
||||
with:
|
||||
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
|
||||
args: -Dsonar.scanner.apiBaseUrl=api.mirror.sonarcloud.io -Dsonar.scanner.internal.dumpToFile=./output.properties
|
||||
env:
|
||||
SONARCLOUD_URL: mirror.sonarcloud.io
|
||||
SONAR_TOKEN: FAKE_TOKEN
|
||||
@@ -783,3 +809,26 @@ jobs:
|
||||
[ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
|
||||
TRUSTSTORE_P12_MOD_TIME_T3=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
|
||||
[ "$TRUSTSTORE_P12_MOD_TIME_T2" != "$TRUSTSTORE_P12_MOD_TIME_T3" ] || exit 1
|
||||
scannerVersionValidationTest:
|
||||
name: >
|
||||
'scannerVersion' input validation
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with invalid scannerVersion
|
||||
id: invalid_version
|
||||
uses: ./
|
||||
continue-on-error: true
|
||||
with:
|
||||
scannerVersion: "7.1.0-SNAPSHOT"
|
||||
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
|
||||
env:
|
||||
NO_CACHE: true
|
||||
SONAR_HOST_URL: http://not_actually_used
|
||||
- name: Assert failure of previous step
|
||||
if: steps.invalid_version.outcome == 'success'
|
||||
run: |
|
||||
echo "Action with invalid scannerVersion should have failed but succeeded"
|
||||
exit 1
|
||||
2
.github/workflows/update-tags.yml
vendored
2
.github/workflows/update-tags.yml
vendored
@@ -16,7 +16,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Parse semver
|
||||
uses: madhead/semver-utils@v4
|
||||
uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # v4.3.0
|
||||
id: version
|
||||
with:
|
||||
version: ${{ github.ref_name }}
|
||||
|
||||
50
.github/workflows/version_update.yml
vendored
50
.github/workflows/version_update.yml
vendored
@@ -5,12 +5,12 @@ on:
|
||||
- cron: '15 10 * * *'
|
||||
|
||||
jobs:
|
||||
update-version:
|
||||
name: Prepare pull request for sonar-scanner version update
|
||||
check-version:
|
||||
name: Check for sonar-scanner version update
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
outputs:
|
||||
should_update: ${{ steps.version-check.outputs.should_update }}
|
||||
latest_version: ${{ steps.latest-version.outputs.latest }}
|
||||
steps:
|
||||
- run: sudo apt install -y jq
|
||||
- run: sudo snap install yq
|
||||
@@ -25,25 +25,43 @@ jobs:
|
||||
shell: bash
|
||||
run: cat sonar-scanner-version >> $GITHUB_OUTPUT
|
||||
|
||||
- name: "Fetch lastest sonar-scanner version"
|
||||
- name: "Fetch latest sonar-scanner version"
|
||||
id: latest-version
|
||||
shell: bash
|
||||
run: |
|
||||
./scripts/fetch_latest_version.sh > sonar-scanner-version
|
||||
cat sonar-scanner-version >> $GITHUB_OUTPUT
|
||||
- name: "Update default version"
|
||||
if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
|
||||
echo "latest=$(cat sonar-scanner-version)" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: "Determine if update is needed"
|
||||
id: version-check
|
||||
shell: bash
|
||||
env:
|
||||
NEW_VERSION: ${{ steps.latest-version.outputs.sonar-scanner-version }}
|
||||
run: |
|
||||
yq -i '.inputs.scannerVersion.default = "$NEW_VERSION"' action.yml
|
||||
- name: "Create Pull Request for version update"
|
||||
if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
|
||||
if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.latest }}" ]]; then
|
||||
echo "should_update=true" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "should_update=false" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
update-version:
|
||||
name: Prepare pull request for sonar-scanner version update
|
||||
needs: check-version
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
if: needs.check-version.outputs.should_update == 'true'
|
||||
steps:
|
||||
- name: "Update default version"
|
||||
shell: bash
|
||||
env:
|
||||
UPDATE_BRANCH: update-to-sonar-scanner-${{ steps.latest-version.outputs.sonar-scanner-version }}
|
||||
TITLE: "Update SonarScanner CLI to ${{ steps.latest-version.outputs.sonar-scanner-version }}"
|
||||
NEW_VERSION: ${{ needs.check-version.outputs.latest-version }}
|
||||
run: |
|
||||
yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
|
||||
- name: "Create Pull Request for version update"
|
||||
shell: bash
|
||||
env:
|
||||
UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.latest-version }}
|
||||
TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.latest-version }}"
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
git config --global user.name "SonarTech"
|
||||
|
||||
@@ -104,7 +104,7 @@ jobs:
|
||||
- name: Install Build Wrapper
|
||||
uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
|
||||
env:
|
||||
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
|
||||
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
|
||||
- name: Run Build Wrapper
|
||||
run: |
|
||||
# Here goes your compilation wrapped with Build Wrapper
|
||||
@@ -115,7 +115,7 @@ jobs:
|
||||
uses: SonarSource/sonarqube-scan-action@<action version>
|
||||
env:
|
||||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
|
||||
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
|
||||
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
|
||||
SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
|
||||
with:
|
||||
# Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
|
||||
|
||||
10
action.yml
10
action.yml
@@ -1,7 +1,7 @@
|
||||
name: Official SonarQube Scan
|
||||
# Warning: changing name would change URL in the marketplace
|
||||
description: >
|
||||
Scan your code with SonarQube Server and Cloud to detect issues in 30+ languages. (Formerly SonarQube and SonarCloud)
|
||||
Scan your code with SonarQube Server and Cloud to detect issues in 30+ languages. (Formerly SonarQube and SonarCloud)
|
||||
|
||||
branding:
|
||||
icon: check
|
||||
@@ -17,7 +17,7 @@ inputs:
|
||||
description: Version of the Sonar Scanner CLI to use
|
||||
required: false
|
||||
# to be kept in sync with sonar-scanner-version
|
||||
default: 7.0.2.4839
|
||||
default: 7.1.0.4889
|
||||
scannerBinariesUrl:
|
||||
description: URL to download the Sonar Scanner CLI binaries from
|
||||
required: false
|
||||
@@ -30,6 +30,7 @@ runs:
|
||||
shell: bash
|
||||
env:
|
||||
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
|
||||
INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
|
||||
- name: Load Sonar Scanner CLI from cache
|
||||
id: sonar-scanner-cli
|
||||
uses: actions/cache@v4
|
||||
@@ -50,7 +51,10 @@ runs:
|
||||
run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
|
||||
shell: bash
|
||||
- name: Run SonarScanner
|
||||
run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
|
||||
run: |
|
||||
args=(${{ inputs.args }})
|
||||
cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
|
||||
"${cmd[@]}"
|
||||
shell: bash
|
||||
env:
|
||||
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
|
||||
|
||||
@@ -2,6 +2,11 @@
|
||||
|
||||
set -eo pipefail
|
||||
|
||||
if [[ ! "${INPUT_SCANNERVERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
||||
echo "::error title=SonarScanner::Invalid scannerVersion format. Expected format: x.y.z.w (e.g., 7.1.0.4889)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ -z "${SONAR_TOKEN}" ]]; then
|
||||
echo "::warning title=SonarScanner::Running this GitHub Action without SONAR_TOKEN is not recommended"
|
||||
fi
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
sonar-scanner-version=7.0.2.4839
|
||||
sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.0.2.4839-windows-x64.zip
|
||||
sonar-scanner-sha-windows-x64=ecb5410e607e171fc43be4246f31e5432d796ac85372a5e68d6a8210197f5ca1
|
||||
sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.0.2.4839-linux-x64.zip
|
||||
sonar-scanner-sha-linux-x64=87f80a41ad861c3d0eb2c00a1268e77ab5f93b83c17c816318ddecb0911baeb0
|
||||
sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.0.2.4839-linux-aarch64.zip
|
||||
sonar-scanner-sha-linux-aarch64=567b391cb0e94c16fef558de909851a1a5b332f337f09ce12f863d7b3c633908
|
||||
sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.0.2.4839-macosx-x64.zip
|
||||
sonar-scanner-sha-macosx-x64=221be67f88f4fcbc464a7946879062a82f392a6c9a676d3a7eaa5c299df3894c
|
||||
sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.0.2.4839-macosx-aarch64.zip
|
||||
sonar-scanner-sha-macosx-aarch64=4106d482c00935817feda88466b64d2c02718277c31a5323f1984f8610f3ac45
|
||||
sonar-scanner-version=7.1.0.4889
|
||||
sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-windows-x64.zip
|
||||
sonar-scanner-sha-windows-x64=64c5154d3d924eb2e03386f10eecb3ec4132298e2c1bf0b60a0d0195cd51a555
|
||||
sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-x64.zip
|
||||
sonar-scanner-sha-linux-x64=b4d2a001d65b489f9effe1ea8a78495db1b152f124d7f7b058aad8651c7e1484
|
||||
sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-aarch64.zip
|
||||
sonar-scanner-sha-linux-aarch64=7948ccde77843829b87d41815ead669486f681cd38b0b0893006083a9b6f6b5c
|
||||
sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-x64.zip
|
||||
sonar-scanner-sha-macosx-x64=08ad1e75994d91a17016ce55248d0827b62a757b263917234ea2d89bee8f136d
|
||||
sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-aarch64.zip
|
||||
sonar-scanner-sha-macosx-aarch64=9ad8c5da9e9665c065328b86adb3f33ef43801347ecb3ff1ec27d598ac37b449
|
||||
|
||||
@@ -1,10 +1,14 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -eou pipefail
|
||||
|
||||
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
|
||||
|
||||
assertFileExists $1
|
||||
scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
|
||||
|
||||
if ! grep -q $2 $1; then
|
||||
$scriptDir/assertFileExists "$1"
|
||||
|
||||
if ! grep -q "$2" "$1"; then
|
||||
error "'$2' not found in '$1'"
|
||||
exit 1
|
||||
fi
|
||||
@@ -1,8 +1,10 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -eou pipefail
|
||||
|
||||
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
|
||||
|
||||
if [ -f $1 ]; then
|
||||
if [ -f "$1" ]; then
|
||||
error "File '$1' found"
|
||||
exit 1
|
||||
fi
|
||||
@@ -1,8 +1,10 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -eou pipefail
|
||||
|
||||
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
|
||||
|
||||
if [ ! -f $1 ]; then
|
||||
if [ ! -f "$1" ]; then
|
||||
error "File '$1' not found"
|
||||
exit 1
|
||||
fi
|
||||
Reference in New Issue
Block a user