Revert test to show expected behavior (USER-933)

Co-authored-by: Julien HENRY <julien.henry@sonarsource.com>

.github/workflows/PullRequestClosed.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   PullRequestClosed_job:
     name: Pull Request Closed
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
       pull-requests: read

.github/workflows/PullRequestCreated.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   PullRequestCreated_job:
     name: Pull Request Created
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
     # For external PR, ticket should be created manually

.github/workflows/RequestReview.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   RequestReview_job:
     name: Request review
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
     # For external PR, ticket should be moved manually

.github/workflows/SubmitReview.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   SubmitReview_job:
     name: Submit Review
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
       pull-requests: read

.github/workflows/qa-deprecated-c-cpp.yml

@@ -12,7 +12,7 @@ jobs:
     name: Action outputs
     strategy:
       matrix:
-        os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
+        os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest, macos-13]
         cache: [true, false]
         include:
           - arch: X64

.github/workflows/qa-install-build-wrapper.yml

@@ -12,7 +12,7 @@ jobs:
     name: Action outputs
     strategy:
       matrix:
-        os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
+        os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest, macos-13]
         cache: [true, false]
         include:
           - arch: X64

.github/workflows/qa-main.yml

@@ -12,8 +12,9 @@ jobs:
     name: >
       No inputs
     strategy:
+      fail-fast: false
       matrix:
-        os: [ ubuntu-latest-large, macos-latest ]
+        os: [ github-ubuntu-latest-s, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
@@ -31,8 +32,9 @@ jobs:
     name: >
       'args' input
     strategy:
+      fail-fast: false
       matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
@@ -48,14 +50,15 @@ jobs:
       - name: Assert
         run: |
           ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
-          ./test/assertFileContains ./output.properties 'sonar.anotherArgWithSpaces="Another Value"'
-          ./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes='Another Value'"
+          ./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
+          ./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes=Another Value"
   argsInputInjectionTest:
     name: >
       'args' input with command injection will fail
     strategy:
+      fail-fast: false
       matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
         args: [ -Dsonar.someArg=aValue && echo "Injection", -Dsonar.someArg="value\"; whoami; echo \"" ]
     runs-on: ${{ matrix.os }}
     steps:
@@ -63,6 +66,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with args
+        id: runTest
         uses: ./
         continue-on-error: true
         with:
@@ -80,8 +84,9 @@ jobs:
     name: >
       'args' input with backticks injection does not execute command
     strategy:
+      fail-fast: false
       matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
@@ -109,7 +114,7 @@ jobs:
       'args' input with dollar command injection does not execute command
     strategy:
       matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
@@ -136,7 +141,7 @@ jobs:
       'args' input with other command injection variants does not execute command
     strategy:
       matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
@@ -166,7 +171,7 @@ jobs:
       'projectBaseDir' input
     strategy:
       matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
@@ -187,7 +192,7 @@ jobs:
   scannerVersionTest:
     name: >
       'scannerVersion' input
-    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
+    runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64
     steps:
       - uses: actions/checkout@v5
         with:
@@ -207,7 +212,7 @@ jobs:
   scannerBinariesUrlTest:
     name: >
       'scannerBinariesUrl' input with invalid URL
-    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
+    runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64
     steps:
       - uses: actions/checkout@v5
         with:
@@ -235,7 +240,7 @@ jobs:
   scannerBinariesUrlIsEscapedWithWget:
     name: >
       'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -256,7 +261,7 @@ jobs:
   scannerBinariesUrlIsEscapedWithCurl:
     name: >
       'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -285,7 +290,7 @@ jobs:
   dontFailGradleTest:
     name: >
       Don't fail on Gradle project
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -306,7 +311,7 @@ jobs:
   dontFailGradleKotlinTest:
     name: >
       Don't fail on Kotlin Gradle project
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -327,7 +332,7 @@ jobs:
   dontFailMavenTest:
     name: >
       Don't fail on Maven project
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -346,7 +351,7 @@ jobs:
         run: |
           ./test/assertFileExists ./output.properties
   runAnalysisTest:
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     services:
       sonarqube:
         image: sonarqube:lts-community
@@ -380,8 +385,9 @@ jobs:
     name: >
       'RUNNER_DEBUG' is used
     strategy:
+      fail-fast: false
       matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
@@ -399,7 +405,7 @@ jobs:
         run: |
           ./test/assertFileContains ./output.properties "sonar.verbose=true"
   runAnalysisWithCacheTest:
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     services:
       sonarqube:
         image: sonarqube:lts-community
@@ -439,8 +445,9 @@ jobs:
     name: >
       'SONARCLOUD_URL' is used
     strategy:
+      fail-fast: false
       matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
@@ -459,7 +466,7 @@ jobs:
           ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io" 
   dontFailWhenMissingWgetButCurlAvailable:
     name: Don't fail when missing wget but curl available
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -485,7 +492,7 @@ jobs:
           ./test/assertFileExists ./output.properties
   dontFailWhenMissingCurlButWgetAvailable:
     name: Don't fail when missing curl but wget available
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -512,7 +519,7 @@ jobs:
           ./test/assertFileExists ./output.properties
   failWhenBothWgetAndCurlMissing:
     name: Fail when both wget and curl are missing
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -545,7 +552,7 @@ jobs:
   curlPerformsRedirect:
     name: >
       curl performs redirect when scannerBinariesUrl returns 3xx
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -578,8 +585,9 @@ jobs:
     name: >
       'SONAR_ROOT_CERT' is converted to truststore
     strategy:
+      fail-fast: false
       matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
@@ -631,7 +639,7 @@ jobs:
   analysisWithSslCertificate:
     name: >
       Analysis takes into account 'SONAR_ROOT_CERT'
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -739,7 +747,7 @@ jobs:
   overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
     name: >
       'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -773,7 +781,7 @@ jobs:
   updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
     name: >
       truststore.p12 is updated when present
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -902,7 +910,7 @@ jobs:
   scannerVersionValidationTest:
     name: >
       'scannerVersion' input validation
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:

.github/workflows/qa-scripts.yml

@@ -10,7 +10,7 @@ on:
 jobs:
   create-install-dir-test:
     name: create_install_path.sh
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -107,7 +107,7 @@ jobs:
           grep "=== Script failed ===" output
   setup-script-test:
     name: configure_paths.sh
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     env:
       INSTALL_PATH: 'install-directory'
       SONAR_HOST_URL: 'http://sonar-host.com'
@@ -250,7 +250,7 @@ jobs:
           grep "=== Script failed ===" output
   download-script-test:
     name: download.sh
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:
@@ -319,7 +319,7 @@ jobs:
           grep "=== Script failed ===" output
   fetch-latest-version-test:
     name: fetch_latest_version.sh
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@v5
         with:

.github/workflows/update-tags.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   generate:
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       contents: write
 

.github/workflows/version_update.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   check-version:
     name: Check for sonar-scanner version update
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     outputs:
       should_update: ${{ steps.version-check.outputs.should_update }}
       new-version: ${{ steps.latest-version.outputs.sonar-scanner-version }}
@@ -43,7 +43,7 @@ jobs:
   update-version:
     name: Prepare pull request for sonar-scanner version update
     needs: check-version
-    runs-on: ubuntu-latest-large
+    runs-on: github-ubuntu-latest-s
     permissions:
       contents: write
       pull-requests: write

action.yml

@@ -31,9 +31,6 @@ runs:
       env:
         INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
         INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
-    - name: Vulnerability warning
-      shell: bash
-      run: echo "::warning title=Vulnerability warning::This version of the SonarQube Scanner GitHub Action is no longer supported and contains a security vulnerability. Please update your workflow to use sonarsource/sonarqube-scan-action@v6 for the latest security patches and features. For more information visit https://community.sonarsource.com/gha-v6-update"
     - name: Load Sonar Scanner CLI from cache
       id: sonar-scanner-cli
       uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
@@ -54,9 +51,19 @@ runs:
       run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
       shell: bash
     - name: Run SonarScanner
-      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
-      shell: bash
+      uses: satackey/action-js-inline@v0.0.2
+      with:
+        required-packages: "string-argv"
+        script: |
+          const core = require('@actions/core')
+          const exec = require('@actions/exec')
+          const { parseArgsStringToArgv } = require('string-argv');
+          
+          const IS_WINDOWS = process.platform === 'win32'
+          const runnerTemp = process.env.RUNNER_TEMP
+          
+          var args = parseArgsStringToArgv(core.getInput('args'));
+          
+          exec.exec(IS_WINDOWS ? 'sonar-scanner.bat' : 'sonar-scanner', args);
       env:
         INPUT_ARGS: ${{ inputs.args }}
-        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
-        SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre