SQCPPGHA-9 Extend action to support C, C++, and Objective-C projects (#161)

.github/workflows/qa-deprecated-c-cpp.yml

@@ -0,0 +1,87 @@
+name: QA Deprecated C and C++ action
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  output-test:
+    name: Action outputs
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
+        cache: [true, false]
+        include:
+          - arch: X64
+          - os: macos-latest
+            arch: ARM64
+    runs-on: ${{ matrix.os }}
+    steps:
+      # Specifying a specific architecture of the runner is not possible for Github hosted runners
+      # We can only check if the runner architecture matches the expected one
+      - name: check_runner_arch
+        shell: bash
+        run: |
+          echo "Runner architecture: ${{ runner.arch }}"
+          if [[ "${{ runner.arch }}" != "${{ matrix.arch }}" ]]; then
+            echo "##[error]Runner architecture does not match the expected one"
+            exit 1
+          fi
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+
+      - name: Run SonarQube C/C++ action
+        id: run-action
+        uses: ./deprecated-c-cpp
+        env:
+          SONAR_HOST_URL: 'https://next.sonarqube.com/sonarqube/'
+        with:
+          cache-binaries: ${{ matrix.cache }}
+
+      - name: SONAR_HOST_URL is set
+        shell: bash
+        run: |
+          [[ $SONAR_HOST_URL == "https://next.sonarqube.com/sonarqube/" ]]
+
+      - name: sonar-scanner is installed and in PATH
+        run: |
+          sonar-scanner --help | grep "usage: sonar-scanner "
+
+      - name: sonar-scanner-binary output is correct
+        shell: bash
+        env:
+          BINARY: ${{ steps.run-action.outputs.sonar-scanner-binary }}
+        run: |
+          "$BINARY" --help | grep "usage: sonar-scanner "
+
+      # build-wrapper does not have --help or equivalent option.
+      # Pass to few arguments and ignore error code
+      - name: build-wrapper is installed and in PATH on Windows
+        if: runner.os == 'Windows'
+        shell: bash
+        run: |
+          (build-wrapper-win-x86-64.exe || true) | grep "build-wrapper, version "
+
+      - name: build-wrapper is installed and in PATH on Linux
+        if: runner.os == 'Linux'
+        shell: bash
+        run: |
+          (build-wrapper-linux-x86-64 || true) | grep "build-wrapper, version "
+
+      - name: build-wrapper is installed and in PATH on macOS
+        if: runner.os == 'macOs'
+        shell: bash
+        run: |
+          (build-wrapper-macosx-x86 || true) | grep "build-wrapper, version "
+
+      - name: build-wrapper-binary output is correct
+        shell: bash
+        env:
+          BINARY: ${{ steps.run-action.outputs.build-wrapper-binary }}
+        run: |
+          ("$BINARY" || true) | grep "build-wrapper, version "

.github/workflows/qa-install-build-wrapper.yml

@@ -0,0 +1,69 @@
+name: QA Install Build Wrapper action
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  output-test:
+    name: Action outputs
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
+        cache: [true, false]
+        include:
+          - arch: X64
+          - os: macos-latest
+            arch: ARM64
+    runs-on: ${{ matrix.os }}
+    steps:
+      # Specifying a specific architecture of the runner is not possible for Github hosted runners
+      # We can only check if the runner architecture matches the expected one
+      - name: check_runner_arch
+        shell: bash
+        run: |
+          echo "Runner architecture: ${{ runner.arch }}"
+          if [[ "${{ runner.arch }}" != "${{ matrix.arch }}" ]]; then
+            echo "##[error]Runner architecture does not match the expected one"
+            exit 1
+          fi
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+
+      - name: Run SonarQube C/C++ action
+        id: run-action
+        uses: ./install-build-wrapper
+        env:
+          SONAR_HOST_URL: 'https://next.sonarqube.com/sonarqube/'
+
+      # build-wrapper does not have --help or equivalent option.
+      # Pass to few arguments and ignore error code
+      - name: build-wrapper is installed and in PATH on Windows
+        if: runner.os == 'Windows'
+        shell: bash
+        run: |
+          (build-wrapper-win-x86-64.exe || true) | grep "build-wrapper, version "
+
+      - name: build-wrapper is installed and in PATH on Linux
+        if: runner.os == 'Linux'
+        shell: bash
+        run: |
+          (build-wrapper-linux-x86-64 || true) | grep "build-wrapper, version "
+
+      - name: build-wrapper is installed and in PATH on macOS
+        if: runner.os == 'macOs'
+        shell: bash
+        run: |
+          (build-wrapper-macosx-x86 || true) | grep "build-wrapper, version "
+
+      - name: build-wrapper-binary output is correct
+        shell: bash
+        env:
+          BINARY: ${{ steps.run-action.outputs.build-wrapper-binary }}
+        run: |
+          ("$BINARY" || true) | grep "build-wrapper, version "

.github/workflows/qa-main.yml

@@ -1,4 +1,4 @@
-name: QA
+name: QA Main action
 
 on:
   push:

.github/workflows/qa-scripts.yml

@@ -0,0 +1,351 @@
+name: QA Scripts
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  create-install-dir-test:
+    name: create_install_path.sh
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+
+      - name: Existing
+        shell: bash
+        env:
+          INSTALL_PATH: '.sonar'
+        run: |
+          echo "- Create dir"
+          mkdir -p "${INSTALL_PATH}"
+
+          echo "- Test script behavior"
+          ./scripts/create_install_path.sh > output
+          grep -v "::error::" output
+
+      - name: Non-existing nested in current dir
+        shell: bash
+        env:
+          INSTALL_PATH: '.sonar'
+        run: |
+          ./scripts/create_install_path.sh > output
+          grep -v "::error::" output
+          test -d "${INSTALL_PATH}"
+
+      - name: Nonexisting nested in home
+        shell: bash
+        env:
+          INSTALL_PATH: '~/third_party/.sonar'
+        run: |
+          ./scripts/create_install_path.sh > output
+          grep -v "::error::" output
+          test -d "${INSTALL_PATH}"
+
+      - name: Empty install dir specified
+        shell: bash
+        env:
+          INSTALL_PATH: ''
+        run: |
+          (./scripts/create_install_path.sh || echo "=== Script failed ===") > output
+          grep "::error::Empty installation path specified" output
+          grep "=== Script failed ===" output
+
+      - name: No permission to create directory
+        shell: bash
+        env:
+          INSTALL_PATH: '/non_creatable'
+        run: |
+          (./scripts/create_install_path.sh || echo "=== Script failed ===") > output
+          grep "::error::Failed to create non-existing installation path '/non_creatable'" output
+          grep "=== Script failed ===" output
+
+      - name: Existing but not directory
+        shell: bash
+        env:
+          INSTALL_PATH: 'not_directory'
+        run: |
+          echo "- Create normal file"
+          echo "content" > "${INSTALL_PATH}"
+
+          echo "- Test script behavior"
+          (./scripts/create_install_path.sh || echo "=== Script failed ===") > output
+          grep "::error::Installation path 'not_directory' is not a directory" output
+          grep "=== Script failed ===" output
+
+
+      - name: Existing but not readable
+        shell: bash
+        env:
+          INSTALL_PATH: 'not_readable'
+        run: |
+          echo "- Create dir and make it not readable"
+          mkdir -p "${INSTALL_PATH}"
+          chmod -r "${INSTALL_PATH}"
+
+          echo "- Test script behavior"
+          (./scripts/create_install_path.sh || echo "=== Script failed ===") > output
+          grep "::error::Installation path 'not_readable' is not readable" output
+          grep "=== Script failed ===" output
+
+      - name: Existing but not writeable
+        shell: bash
+        env:
+          INSTALL_PATH: 'not_writeable'
+        run: |
+          echo "- Create dir and make it not writeable"
+          mkdir -p "${INSTALL_PATH}"
+          chmod -w "${INSTALL_PATH}"
+
+          echo "- Test script behavior"
+          (./scripts/create_install_path.sh || echo "=== Script failed ===") > output
+          grep "::error::Installation path 'not_writeable' is not writeable" output
+          grep "=== Script failed ===" output
+  setup-script-test:
+    name: configure_paths.sh
+    runs-on: ubuntu-latest
+    env:
+      INSTALL_PATH: 'install-directory'
+      SONAR_HOST_URL: 'http://sonar-host.com'
+      SONAR_SCANNER_VERSION: 'vX.Y.Z.MMMM'
+      SONAR_SCANNER_URL_WINDOWS_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-windows-x64.zip'
+      SONAR_SCANNER_SHA_WINDOWS_X64: 'DOWNLOAD-SHA-WINDOWS-X64'
+      SONAR_SCANNER_URL_LINUX_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-x64.zip'
+      SONAR_SCANNER_SHA_LINUX_X64: 'DOWNLOAD-SHA-LINUX-X64'
+      SONAR_SCANNER_URL_LINUX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-aarch64.zip'
+      SONAR_SCANNER_SHA_LINUX_AARCH64: 'DOWNLOAD-SHA-LINUX-AARCH64'
+      SONAR_SCANNER_URL_MACOSX_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-x64.zip'
+      SONAR_SCANNER_SHA_MACOSX_X64: 'DOWNLOAD-SHA-MACOSX-X64'
+      SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
+      SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+
+      - name: Windows
+        shell: bash
+        env:
+          OS: 'Windows'
+          ARCH: 'X64'
+        run: |
+          ./scripts/configure_paths.sh > output
+          grep -v "::error::" output
+
+          echo "- Check sonar-scanner:"
+          grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-windows-x64.zip" output
+          grep "sonar-scanner-sha=DOWNLOAD-SHA-WINDOWS-X64" output
+          grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-windows-x64" output
+          grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-windows-x64/bin/sonar-scanner.bat" output
+
+          echo "- Check build-wrapper:"
+          grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-win-x86.zip" output
+          grep "build-wrapper-dir=install-directory/build-wrapper-win-x86" output
+          grep "build-wrapper-bin=install-directory/build-wrapper-win-x86/build-wrapper-win-x86-64.exe" output
+
+      - name: Linux X64
+        shell: bash
+        env:
+          OS: 'Linux'
+          ARCH: 'X64'
+        run: |
+          ./scripts/configure_paths.sh > output
+          grep -v "::error::" output
+
+          echo "- Check sonar-scanner:"
+          grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-x64.zip" output
+          grep "sonar-scanner-sha=DOWNLOAD-SHA-LINUX-X64" output
+          grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-x64" output
+          grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-x64/bin/sonar-scanner" output
+
+          echo "- Check build-wrapper:"
+          grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-linux-x86.zip" output
+          grep "build-wrapper-dir=install-directory/build-wrapper-linux-x86" output
+          grep "build-wrapper-bin=install-directory/build-wrapper-linux-x86/build-wrapper-linux-x86-64" output
+
+      - name: Linux ARM64
+        shell: bash
+        env:
+          OS: 'Linux'
+          ARCH: 'ARM64'
+        run: |
+          ./scripts/configure_paths.sh > output
+          grep -v "::error::" output
+          echo "- Check sonar-scanner:"
+          grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-aarch64.zip" output
+          grep "sonar-scanner-sha=DOWNLOAD-SHA-LINUX-AARCH64" output
+          grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-aarch64" output
+          grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-aarch64/bin/sonar-scanner" output
+          echo "- Check build-wrapper:"
+          grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-linux-aarch64.zip" output
+          grep "build-wrapper-dir=install-directory/build-wrapper-linux-aarch64" output
+          grep "build-wrapper-bin=install-directory/build-wrapper-linux-aarch64/build-wrapper-linux-aarch64" output
+
+      - name: macOSX_X64
+        shell: bash
+        env:
+          OS: 'macOS'
+          ARCH: 'X64'
+        run: |
+          ./scripts/configure_paths.sh > output
+          grep -v "::error::" output
+
+          echo "- Check sonar-scanner:"
+          grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-x64.zip" output
+          grep "sonar-scanner-sha=DOWNLOAD-SHA-MACOSX-X64" output
+          grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-x64" output
+          grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-x64/bin/sonar-scanner" output
+
+          echo "- Check build-wrapper:"
+          grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-macosx-x86.zip" output
+          grep "build-wrapper-dir=install-directory/build-wrapper-macosx-x86" output
+          grep "build-wrapper-bin=install-directory/build-wrapper-macosx-x86/build-wrapper-macosx-x86" output
+
+      - name: macOSX_ARM64
+        shell: bash
+        env:
+          OS: 'macOS'
+          ARCH: 'ARM64'
+        run: |
+          ./scripts/configure_paths.sh > output
+          grep -v "::error::" output
+
+          echo "- Check sonar-scanner:"
+          grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip" output
+          grep "sonar-scanner-sha=DOWNLOAD-SHA-MACOSX-AARCH64" output
+          grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-aarch64" output
+          grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-aarch64/bin/sonar-scanner" output
+
+          echo "- Check build-wrapper:"
+          grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-macosx-x86.zip" output
+          grep "build-wrapper-dir=install-directory/build-wrapper-macosx-x86" output
+          grep "build-wrapper-bin=install-directory/build-wrapper-macosx-x86/build-wrapper-macosx-x86" output
+
+      - name: Unsupported OS
+        shell: bash
+        env:
+          OS: 'unsupportedOS'
+          ARCH: 'X64'
+        run: |
+          (./scripts/configure_paths.sh  || echo "=== Script failed ===") > output
+
+          echo "- Check errors:"
+          grep "::error::Unsupported runner OS 'unsupportedOS'" output
+          grep "=== Script failed ===" output
+
+      - name: Unsupported architecture
+        shell: bash
+        env:
+          OS: 'Linux'
+          ARCH: 'X86'
+        run: |
+          (./scripts/configure_paths.sh  || echo "=== Script failed ===") > output
+
+          echo "- Check errors:"
+          grep "::error::Architecture 'X86' is unsupported by build-wrapper" output
+          grep "=== Script failed ===" output
+  download-script-test:
+    name: download.sh
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+
+      - name: Download test without validation
+        shell: bash
+        env:
+          INSTALL_PATH: 'install-directory-no-sha-validation'
+          DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
+          EXPECTED_SHA: 'incorrect-sha-not-validated'
+          TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
+        run: |
+          ./scripts/download.sh > output
+          test -f "$TMP_ZIP_PATH"
+          grep -v "::error::" output
+      - name: Download test with validation
+        shell: bash
+        env:
+          INSTALL_PATH: 'install-directory-sha-validation'
+          DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
+          EXPECTED_SHA: '9411331814c1d002bd65d37758b872918b7602e7cf3ca5b83a3e19a729b2be05'
+          TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
+        run: |
+          ./scripts/download.sh -v > output
+          test -f "$TMP_ZIP_PATH"
+          grep -v "::error::" output
+      - name: Incorrect install dir
+        shell: bash
+        env:
+          INSTALL_PATH: ''
+        run: |
+          (./scripts/download.sh || echo "=== Script failed ===") > output
+          grep "::error::Failed to create" output
+          grep "=== Script failed ===" output
+      - name: Incorrect download url
+        shell: bash
+        env:
+          INSTALL_PATH: 'install-directory-incorrect-url'
+          DOWNLOAD_URL: 'incorrect-url'
+        run: |
+          (./scripts/download.sh || echo "=== Script failed ===") > output
+          grep "::error::Failed to download 'incorrect-url'" output
+          grep "=== Script failed ===" output
+      - name: Incorrect SHA256
+        shell: bash
+        env:
+          INSTALL_PATH: 'install-directory-incorrect-sha'
+          DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
+          EXPECTED_SHA: 'incorrect-sha256'
+          TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
+        run: |
+          (./scripts/download.sh -v || echo "=== Script failed ===") > output
+          grep "::error::Checking sha256 failed" output
+          grep "=== Script failed ===" output
+      - name: Mismatching SHA256
+        shell: bash
+        env:
+          INSTALL_PATH: 'install-directory-mismtaching-sha'
+          DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
+          EXPECTED_SHA: '3e121d85a4adb1f30b917d5f3eb897966b59e02c3d6d313a78dcd964193dc963'
+          TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
+        run: |
+          (./scripts/download.sh -v || echo "=== Script failed ===") > output
+          grep "::error::Checking sha256 failed" output
+          grep "=== Script failed ===" output
+  fetch-latest-version-test:
+    name: fetch_latest_version.sh
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Test script
+        shell: bash
+        run: |
+          ./scripts/fetch_latest_version.sh > output
+         
+          echo "- Check sonar-scanner version:"
+          grep  "sonar-scanner-version=" output
+          SONAR_SCANNER_VERSION=$(cat output | cut -d= -f 2)
+          test ! -z "${SONAR_SCANNER_VERSION}"
+
+          echo "- Check windows sonar-scanner URLs:"
+          grep "sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-windows-x64.zip" output
+          grep -e "^sonar-scanner-sha-windows-x64=[0-9A-Fa-f]\+$" output
+
+          echo "- Check linux sonar-scanner URLs:"
+          grep "sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip" output
+          grep -e "^sonar-scanner-sha-linux-x64=[0-9A-Fa-f]\+$" output
+          grep "sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip" output
+          grep -e "^sonar-scanner-sha-linux-aarch64=[0-9A-Fa-f]\+$" output
+
+          echo "- Check macosx sonar-scanner URLs:"
+          grep "sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip" output
+          grep -e "^sonar-scanner-sha-linux-x64=[0-9A-Fa-f]\+$" output
+          grep "sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip" output
+          grep -e "^sonar-scanner-sha-linux-aarch64=[0-9A-Fa-f]\+$" output

.github/workflows/version_update.yml

@@ -0,0 +1,50 @@
+name: sonar-scanner version check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '15 10 * * *'
+
+jobs:
+  update-version:
+    name: Prepare pull request for sonar-scanner version update
+    runs-on: ubuntu-latest
+    steps:
+      - run: sudo apt install -y jq
+
+      - uses: actions/checkout@v4
+        with:
+          ref: master
+          persist-credentials: true
+          fetch-depth: 0
+
+      - name: "Fetch currently used sonar-scanner version"
+        id: tagged-version
+        shell: bash
+        run: cat sonar-scanner-version >> $GITHUB_OUTPUT
+
+      - name: "Fetch lastest sonar-scanner version"
+        id: latest-version
+        shell: bash
+        run: |
+          ./scripts/fetch_latest_version.sh > sonar-scanner-version
+          cat sonar-scanner-version >> $GITHUB_OUTPUT
+
+      - name: "Create Pull Request for version update"
+        if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
+        shell: bash
+        env:
+          UPDATE_BRANCH: update-to-sonar-scanner-${{ steps.latest-version.outputs.sonar-scanner-version }}
+          TITLE: "Update sonar-scanner-version to ${{ steps.latest-version.outputs.sonar-scanner-version }}"
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git config --global user.name "SonarTech"
+          git config --global user.email "sonartech@sonarsource.com"
+          git checkout -b ${UPDATE_BRANCH}
+          git add sonar-scanner-version
+          git commit -m "${TITLE}"
+          git push --force-with-lease origin ${UPDATE_BRANCH}
+          gh pr list
+
+          if [[ $(gh pr list -H "${UPDATE_BRANCH}" | grep "${UPDATE_BRANCH}" | wc -l) -eq 0 ]]; then
+            gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic updated of sonar-scanner version value. Needs to be tagged for release."
+          fi

README.md

@@ -1,4 +1,4 @@
-# Scan your code with SonarQube [![QA](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa.yml)
+# Scan your code with SonarQube [![QA Main](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml) [![QA Install Build Wrapper](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml) [![QA Scripts](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml) [![QA Deprecated C and C++ Action](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml)
 
 This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).
 
@@ -11,6 +11,9 @@ It helps developers detect coding issues in 30+ languages, frameworks, and IaC p
 
 The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability.
 
+> [!NOTE]  
+> This action now supports and is the official entrypoint for scanning C, C++, Objective-C and Dart projects via GitHub actions.
+
 ## Requirements
 
 ### Server
@@ -38,7 +41,11 @@ sonar.projectKey=<replace with the key generated when setting up the project on
 sonar.sources=.
 ```
 
-The workflow, usually declared under `.github/workflows`, looks like:
+In the following cases:
+- for projects that don't have C, C++, or Objective-C in them
+- for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper)
+
+the workflow, usually declared under `.github/workflows`, looks like the following:
 
 ```yaml
 on:
@@ -62,12 +69,69 @@ jobs:
         # Disabling shallow clones is recommended for improving the relevancy of reporting
         fetch-depth: 0
     - name: SonarQube Scan
-      uses: sonarsource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
+      uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
       env:
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
 ```
 
+For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
+
+```yaml
+# Trigger analysis when pushing to your main branches, and when creating a pull request.
+  push:
+    branches:
+      - main
+      - master
+      - develop
+      - 'releases/**'
+  pull_request:
+      types: [opened, synchronize, reopened]
+
+name: Main Workflow
+jobs:
+  sonarqube:
+    runs-on: ubuntu-latest
+    env:
+      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        # Disabling shallow clone is recommended for improving relevancy of reporting
+        fetch-depth: 0
+    - name: Install Build Wrapper
+      uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
+      env:
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+    - name: Run Build Wrapper
+      run: |
+        # here goes your compilation wrapped with build-wrapper; See https://docs.sonarsource.com/sonarqube/latest/ analyzing-source-code/languages/c-family/#using-build-wrapper for more information
+        # build-preparation steps
+        # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
+    - name: SonarQube Scan
+      uses: SonarSource/sonarqube-scan-action@<action version>
+      env:
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
+      with:
+        # Consult https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
+        args: >
+          --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" 
+```
+
+If you are using SonarQube Server 10.5 or earlier, use `sonar.cfamily.build-wrapper-output` instead of `sonar.cfamily.compile-commands` in the `args` property of the last step, as Build Wrapper does not generate a `compile_commands.json` file before SonarQube Server 10.6.
+
+It should look like this:
+
+```yaml
+with:  
+  args: >
+    --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
+```
+
+See also [example configurations of C++ projects for SonarQube Server](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sq&type=repositories).
+
 ### Cloud
 
 ```properties
@@ -79,7 +143,11 @@ sonar.projectKey=<replace with the key generated when setting up the project on
 sonar.sources=.
 ```
 
-The workflow, usually declared under `.github/workflows`, looks like:
+In the following cases:
+- for projects that don't have C, C++, or Objective-C in them
+- for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper)
+
+the workflow, usually declared under `.github/workflows`, looks like the following:
 
 ```yaml
 on:
@@ -103,17 +171,61 @@ jobs:
         # Disabling shallow clones is recommended for improving the relevancy of reporting
         fetch-depth: 0
     - name: SonarQube Scan
-      uses: sonarsource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
+      uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
       env:
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 ```
 
+For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
+
+```yaml
+# Trigger analysis when pushing to your main branches, and when creating a pull request.
+  push:
+    branches:
+      - main
+      - master
+      - develop
+      - 'releases/**'
+  pull_request:
+      types: [opened, synchronize, reopened]
+
+name: Main Workflow
+jobs:
+  sonarqube:
+    runs-on: ubuntu-latest
+    env:
+      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        # Disabling shallow clone is recommended for improving relevancy of reporting
+        fetch-depth: 0
+    - name: Install Build Wrapper
+      uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
+    - name: Run Build Wrapper
+      run: |
+        # here goes your compilation wrapped with build-wrapper; See https://docs.sonarsource.com/sonarqube/latest/ analyzing-source-code/languages/c-family/#using-build-wrapper for more information
+        # build-preparation steps
+        # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
+    - name: SonarQube Scan
+      uses: SonarSource/sonarqube-scan-action@<action version>
+      env:
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
+      with:
+        # Consult https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
+        args: >
+          --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" 
+```
+
+See also [example configurations of C++ projects for SonarQube Cloud](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sc&type=repositories).
+
 ## Action parameters
 
 You can change the analysis base directory by using the optional input `projectBaseDir` like this:
 
 ```yaml
-- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
   with:
     projectBaseDir: app/src
 ```
@@ -121,7 +233,7 @@ You can change the analysis base directory by using the optional input `projectB
 In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option:
 
 ```yaml
-- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
   with:
     scannerVersion: 6.2.0.4584
 ```
@@ -129,7 +241,7 @@ In case you need to specify the version of the Sonar Scanner, you can use the `s
 In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option:
 
 ```yaml
-- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
   with:
     projectBaseDir: app/src
     args: >
@@ -147,7 +259,7 @@ The specified URL overrides the default address: `https://binaries.sonarsource.c
 This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet:
 
 ```yaml
-- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
   with:
     scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
 ```
@@ -159,14 +271,13 @@ More information about possible analysis parameters can be found:
 ### Environment variables
 
 - `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the documentation of SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
-- *`GITHUB_TOKEN` – Provided by Github (see [Authenticating with the GITHUB_TOKEN](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token)).*
 - `SONAR_HOST_URL` – this tells the scanner where SonarQube Server is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Variables" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). Not needed for SonarQube Cloud.
 - `SONAR_ROOT_CERT` – Holds an additional certificate (in PEM format) that is used to validate the certificate of SonarQube Server or of a secured proxy to SonarQube (Server or Cloud). You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 
 Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore:
 
 ```yaml
-- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
   env:
     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
     SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
@@ -176,7 +287,7 @@ Here is an example of how you can pass a certificate (in PEM format) to the Scan
 If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this:
 
 ```yaml
-- uses: sonarsource/sonarqube-scan-action@<action version>
+- uses: SonarSource/sonarqube-scan-action@<action version>
   env:
     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
     SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # or https://sonarcloud.io
@@ -190,9 +301,14 @@ This GitHub Action will not work for all technologies. If you are in one of the
 * Your code is built with Maven. Read the documentation about our SonarScanner for Maven in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/).
 * Your code is built with Gradle. Read the documentation about our SonarScanner for Gradle in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-gradle/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/).
 * You want to analyze a .NET solution. Read the documentation about our SonarScanner for .NET in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/dotnet/introduction/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/).
-* You want to analyze C or C++ code. Starting from SonarQube 10.6, this GitHub Action will scan C and C++ out of the box. If you want to have better control over the scan configuration/setup, you can switch to:
+
-  * the [SonarQube Server Scan for C and C++](https://github.com/marketplace/actions/sonarqube-scan-for-c-and-c) GitHub Action, for projects on SonarQube Server
+## Do not use this GitHub action if you are in the following situations
-  * the [SonarQube Cloud Scan for C and C++](https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c) GitHub Action, for projects on SonarQube Cloud - look at [our sample C and C++ project](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=).
+
+* You want to run the action on C, C++, or Objective-C projects on a 32-bits system - build wrappers support only 64-bits OS.
+
+## Additional information
+
+The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.
 
 ## Have questions or feedback?
 

action.yml

@@ -15,7 +15,7 @@ inputs:
   scannerVersion:
     description: Version of the Sonar Scanner CLI to use
     required: false
-    default: 6.2.1.4610
+    default: 6.2.1.4610 # to be kept in sync with sonar-scanner-version
   scannerBinariesUrl:
     description: URL to download the Sonar Scanner CLI binaries from
     required: false
@@ -24,19 +24,22 @@ runs:
   using: "composite"
   steps:
     - name: Sanity checks
-      run: ${GITHUB_ACTION_PATH}/sanity-checks.sh
+      run: ${GITHUB_ACTION_PATH}/scripts/sanity-checks.sh
       shell: bash
       env:
         INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
     - name: Load Sonar Scanner CLI from cache
       id: sonar-scanner-cli
-      uses: actions/cache@v4.0.2
+      uses: actions/cache@v4
+      env:
+        # The default value is 60mins. Reaching timeout is treated the same as a cache miss.
+        SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
       with:
         path: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}
         key: sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}
     - name: Install Sonar Scanner CLI
       if: ${{ env.NO_CACHE == 'true' || steps.sonar-scanner-cli.outputs.cache-hit != 'true' }}
-      run: ${GITHUB_ACTION_PATH}/install-sonar-scanner-cli.sh
+      run: ${GITHUB_ACTION_PATH}/scripts/install-sonar-scanner-cli.sh
       shell: bash
       env:
         INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
@@ -45,7 +48,7 @@ runs:
       run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
       shell: bash
     - name: Run SonarScanner
-      run: ${GITHUB_ACTION_PATH}/run-sonar-scanner.sh ${{ inputs.args }}
+      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
       shell: bash
       env:
         INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}

deprecated-c-cpp/action.yml

@@ -0,0 +1,134 @@
+name: 'SonarQube Scan for C and C++'
+description: 'Scan your C and C++ code with SonarQube to detect bugs, vulnerabilities and code smells.'
+branding:
+  icon: check
+  color: green
+inputs:
+  installation-path:
+    description: 'Directory where the sonar-scanner and build wrapper will be installed. Created if does not exists.'
+    required: false
+    default: '.sonar'
+  cache-binaries:
+    description: 'Controls if installed binaries are cached using GitHub cache.'
+    required: false
+    default: 'true'
+
+outputs:
+  sonar-scanner-binary:
+    description: "Absolute path to sonar-scanner binary."
+    value: ${{ steps.setup-outputs.outputs.sonar-scanner-binary }}
+  build-wrapper-binary:
+    description: "Absolute path to build-wrapper binary."
+    value: ${{ steps.setup-outputs.outputs.build-wrapper-binary }}
+
+runs:
+  using: "composite"
+  steps:
+    # install packaged required for greadlink and sha256sum command on macOS
+    - name: Install required packages for macOS
+      if: runner.os == 'macOS'
+      shell: bash
+      run: brew install coreutils
+
+    - name: Set SONAR_HOST_URL to 'https://sonarcloud.io'
+      if: env.SONAR_HOST_URL == ''
+      shell: bash
+      run: |
+        echo "Setting SONAR_HOST_URL to 'https://sonarcloud.io'"
+        echo "SONAR_HOST_URL=https://sonarcloud.io" >> $GITHUB_ENV
+
+    - name: Verify and create installation path
+      shell: bash
+      env:
+        INSTALL_PATH: ${{ inputs.installation-path }}
+      run: ${GITHUB_ACTION_PATH}/../scripts/create_install_path.sh
+
+    - name: Set version of sonar-scanner
+      id: sonar-scanner-version
+      shell: bash
+      run: cat ${GITHUB_ACTION_PATH}/../sonar-scanner-version >> $GITHUB_OUTPUT
+
+    - name: Configure paths
+      id: configure_paths
+      shell: bash
+      env:
+        OS: ${{ runner.os }}
+        ARCH: ${{ runner.arch }}
+        INSTALL_PATH: ${{ inputs.installation-path }}
+        SONAR_SCANNER_VERSION: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-version }}
+        SONAR_SCANNER_URL_WINDOWS_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-windows-x64 }}
+        SONAR_SCANNER_SHA_WINDOWS_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-windows-x64 }}
+        SONAR_SCANNER_URL_LINUX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-linux-x64 }}
+        SONAR_SCANNER_SHA_LINUX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-linux-x64 }}
+        SONAR_SCANNER_URL_LINUX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-linux-aarch64 }}
+        SONAR_SCANNER_SHA_LINUX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-linux-aarch64 }}
+        SONAR_SCANNER_URL_MACOSX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-macosx-x64 }}
+        SONAR_SCANNER_SHA_MACOSX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-macosx-x64 }}
+        SONAR_SCANNER_URL_MACOSX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-macosx-aarch64 }}
+        SONAR_SCANNER_SHA_MACOSX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-macosx-aarch64 }}
+      run: ${GITHUB_ACTION_PATH}/../scripts/configure_paths.sh >> $GITHUB_OUTPUT
+
+    - name: Cache sonar-scanner installation
+      id: cache-sonar-tools
+      if: inputs.cache-binaries == 'true'
+      uses: actions/cache@v4
+      env:
+        # The default value is 60mins. Reaching timeout is treated the same as a cache miss.
+        SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
+      with:
+        key: sonar-scanner-${{ runner.os }}-${{ runner.arch }}-${{ steps.sonar-scanner-version.outputs.sonar-scanner-version }}
+        path: ${{ steps.configure_paths.outputs.sonar-scanner-dir }}
+
+    - name: Download and install sonar-scanner
+      if: steps.cache-sonar-tools.outputs.cache-hit != 'true'
+      shell: bash
+      env:
+        DOWNLOAD_URL: ${{ steps.configure_paths.outputs.sonar-scanner-url }}
+        EXPECTED_SHA: ${{ steps.configure_paths.outputs.sonar-scanner-sha }}
+        INSTALL_PATH: ${{ inputs.installation-path }}
+        TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
+      run: ${GITHUB_ACTION_PATH}/../scripts/download.sh -v
+
+    - name: Add the custom root certificate to java certificate store
+      shell: bash
+      run: ${GITHUB_ACTION_PATH}/../scripts/cert.sh
+
+    - name: Download and install build-wrapper
+      shell: bash
+      env:
+        DOWNLOAD_URL: ${{ steps.configure_paths.outputs.build-wrapper-url }}
+        INSTALL_PATH: ${{ inputs.installation-path }}
+        TMP_ZIP_PATH: ${{ runner.temp }}/build-wrapper.zip
+      run: ${GITHUB_ACTION_PATH}/../scripts/download.sh
+
+    - name: Setup action outputs
+      id: setup-outputs
+      shell: bash
+      env:
+        SONAR_SCANNER_DIR: ${{ steps.configure_paths.outputs.sonar-scanner-dir }}
+        SONAR_SCANNER_BIN: ${{ steps.configure_paths.outputs.sonar-scanner-bin }}
+        BUILD_WRAPPER_DIR: ${{ steps.configure_paths.outputs.build-wrapper-dir }}
+        BUILD_WRAPPER_BIN: ${{ steps.configure_paths.outputs.build-wrapper-bin }}
+      run: |
+        source ${GITHUB_ACTION_PATH}/../scripts/utils.sh
+
+        echo "::group::Action outputs"
+        echo "SONAR_HOST_URL=${SONAR_HOST_URL}" >> $GITHUB_ENV
+        echo "'SONAR_HOST_URL' environment variable set to '${SONAR_HOST_URL}'"
+
+        SONAR_SCANNER_BIN_DIR=$(realpath "${SONAR_SCANNER_DIR}/bin")
+        echo "${SONAR_SCANNER_BIN_DIR}" >> $GITHUB_PATH
+        echo "'${SONAR_SCANNER_BIN_DIR}' added to the path"
+
+        SONAR_SCANNER_BIN=$(realpath "${SONAR_SCANNER_BIN}")
+        echo "sonar-scanner-binary=${SONAR_SCANNER_BIN}" >> $GITHUB_OUTPUT
+        echo "'sonar-scanner-binary' output set to '${SONAR_SCANNER_BIN}'"
+
+        BUILD_WRAPPER_BIN_DIR=$(realpath "${BUILD_WRAPPER_DIR}")
+        echo "${BUILD_WRAPPER_BIN_DIR}" >> $GITHUB_PATH
+        echo "'${BUILD_WRAPPER_BIN_DIR}' added to the path"
+
+        BUILD_WRAPPER_BIN=$(realpath "${BUILD_WRAPPER_BIN}")
+        echo "build-wrapper-binary=${BUILD_WRAPPER_BIN}" >> $GITHUB_OUTPUT
+        echo "'build-wrapper-binary' output set to '${BUILD_WRAPPER_BIN}'"
+        echo "::endgroup::"

install-build-wrapper/action.yml

@@ -0,0 +1,62 @@
+name: 'Install Build Wrapper for C and C++'
+description: >
+  Download and install the Build Wrapper for C, C++, and Objective-C
+  projects analyzed with manual config.
+branding:
+  icon: check
+  color: green
+outputs:
+  build-wrapper-binary:
+    description: "Absolute path to Build Wrapper binary."
+    value: ${{ steps.setup-outputs.outputs.build-wrapper-binary }}
+runs:
+  using: "composite"
+
+  steps:
+    # install packaged required for greadlink and sha256sum command on macOS
+    - name: Install required packages for macOS
+      if: runner.os == 'macOS'
+      shell: bash
+      run: brew install coreutils
+
+    - name: Set SONAR_HOST_URL to 'https://sonarcloud.io'
+      if: env.SONAR_HOST_URL == ''
+      shell: bash
+      run: |
+        echo "Setting SONAR_HOST_URL to 'https://sonarcloud.io'"
+        echo "SONAR_HOST_URL=https://sonarcloud.io" >> $GITHUB_ENV
+
+    - name: Configure paths
+      id: configure_paths
+      shell: bash
+      env:
+        OS: ${{ runner.os }}
+        ARCH: ${{ runner.arch }}
+        INSTALL_PATH: ${{ runner.temp }} # TODO: or .sonar, if RUNNER_TEMP creates problem with caching and self-hosted runners
+      run: ${GITHUB_ACTION_PATH}/../scripts/configure_paths.sh >> $GITHUB_OUTPUT
+
+    - name: Download and install Build Wrapper
+      shell: bash
+      env:
+        DOWNLOAD_URL: ${{ steps.configure_paths.outputs.build-wrapper-url }}
+        TMP_ZIP_PATH: ${{ runner.temp }}/build-wrapper-${{ inputs.configure_paths.sonar-scanner-version }}-${{ runner.os }}-${{ runner.arch }}.zip
+        INSTALL_PATH: ${{ runner.temp }} # TODO: or .sonar, if RUNNER_TEMP creates problem with caching and self-hosted runners
+      run: ${GITHUB_ACTION_PATH}/../scripts/download.sh
+
+    - name: Setup action outputs
+      id: setup-outputs
+      shell: bash
+      env:
+        BUILD_WRAPPER_DIR: ${{ steps.configure_paths.outputs.build-wrapper-dir }}
+        BUILD_WRAPPER_BIN: ${{ steps.configure_paths.outputs.build-wrapper-bin }}
+      run: |
+        source ${GITHUB_ACTION_PATH}/../scripts/utils.sh
+
+        BUILD_WRAPPER_BIN_DIR=$(realpath "${BUILD_WRAPPER_DIR}")
+        echo "${BUILD_WRAPPER_BIN_DIR}" >> $GITHUB_PATH
+        echo "'${BUILD_WRAPPER_BIN_DIR}' added to the path"
+
+        BUILD_WRAPPER_BIN=$(realpath "${BUILD_WRAPPER_BIN}")
+        echo "build-wrapper-binary=${BUILD_WRAPPER_BIN}" >> $GITHUB_OUTPUT
+        echo "'build-wrapper-binary' output set to '${BUILD_WRAPPER_BIN}'"
+        echo "::endgroup::"

scripts/cert.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [[ -n "${SONAR_ROOT_CERT}" ]]; then
+  echo "Adding custom root certificate to java certificate store"
+  rm -f /tmp/tmpcert.pem
+  echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
+  keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
+fi

scripts/configure_paths.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
+  echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"
+  exit 1
+fi
+
+case ${OS} in
+  Windows)
+    SONAR_SCANNER_SUFFIX="windows-x64"
+    BUILD_WRAPPER_SUFFIX="win-x86"
+    SONAR_SCANNER_NAME="sonar-scanner.bat"
+    BUILD_WRAPPER_NAME="build-wrapper-win-x86-64.exe"
+    SONAR_SCANNER_URL="${SONAR_SCANNER_URL_WINDOWS_X64}"
+    SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_WINDOWS_X64}"
+    ;;
+  Linux)  
+    case ${ARCH} in
+      X64)
+        SONAR_SCANNER_SUFFIX="linux-x64"
+        BUILD_WRAPPER_SUFFIX="linux-x86"
+        BUILD_WRAPPER_NAME="build-wrapper-linux-x86-64"
+        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_X64}"
+        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_X64}"
+        ;;
+      ARM64)
+        SONAR_SCANNER_SUFFIX="linux-aarch64"
+        BUILD_WRAPPER_SUFFIX="linux-aarch64"
+        BUILD_WRAPPER_NAME="build-wrapper-linux-aarch64"
+        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_AARCH64}"
+        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_AARCH64}"
+        ;;
+    esac
+    SONAR_SCANNER_NAME="sonar-scanner"
+    ;;
+  macOS)
+    case ${ARCH} in
+      X64)
+        SONAR_SCANNER_SUFFIX="macosx-x64"
+        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_X64}"
+        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_X64}"
+        ;;
+      ARM64)
+        SONAR_SCANNER_SUFFIX="macosx-aarch64"
+        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_AARCH64}"
+        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_AARCH64}"
+        ;;
+    esac
+    BUILD_WRAPPER_SUFFIX="macosx-x86"
+    SONAR_SCANNER_NAME="sonar-scanner"
+    BUILD_WRAPPER_NAME="build-wrapper-macosx-x86"
+    ;;
+  *)
+    echo "::error::Unsupported runner OS '${OS}'"
+    exit 1
+    ;;
+esac
+
+
+echo "sonar-scanner-url=${SONAR_SCANNER_URL}"
+echo "sonar-scanner-sha=${SONAR_SCANNER_SHA}"
+
+SONAR_SCANNER_DIR="${INSTALL_PATH}/sonar-scanner-${SONAR_SCANNER_VERSION}-${SONAR_SCANNER_SUFFIX}"
+echo "sonar-scanner-dir=${SONAR_SCANNER_DIR}"
+echo "sonar-scanner-bin=${SONAR_SCANNER_DIR}/bin/${SONAR_SCANNER_NAME}"
+
+BUILD_WRAPPER_DIR="${INSTALL_PATH}/build-wrapper-${BUILD_WRAPPER_SUFFIX}"
+echo "build-wrapper-url=${SONAR_HOST_URL%/}/static/cpp/build-wrapper-${BUILD_WRAPPER_SUFFIX}.zip"
+echo "build-wrapper-dir=${BUILD_WRAPPER_DIR}"
+echo "build-wrapper-bin=${BUILD_WRAPPER_DIR}/${BUILD_WRAPPER_NAME}"
+

scripts/create_install_path.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+source "$(dirname -- "$0")/utils.sh"
+
+echo "Installation path is '${INSTALL_PATH}'"
+
+test ! -z "${INSTALL_PATH}"
+check_status "Empty installation path specified"
+
+if [[ ! -e "${INSTALL_PATH}" ]]; then
+  mkdir -p "${INSTALL_PATH}"
+  check_status "Failed to create non-existing installation path '${INSTALL_PATH}'"
+fi  
+
+ABSOLUTE_INSTALL_PATH=$(realpath "${INSTALL_PATH}")
+echo "Absolute installation path is '${ABSOLUTE_INSTALL_PATH}'"
+
+test -d "${INSTALL_PATH}"
+check_status "Installation path '${INSTALL_PATH}' is not a directory (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
+
+test -r "${INSTALL_PATH}"
+check_status "Installation path '${INSTALL_PATH}' is not readable (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
+
+test -w "${INSTALL_PATH}"
+check_status "Installation path '${INSTALL_PATH}' is not writeable (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
+

scripts/download.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+source "$(dirname -- "$0")/utils.sh"
+
+VERIFY_CORRECTNESS=false
+
+help() {
+  cat <<EOF
+Usage: ./download [-v]
+-h              Display help
+-v              Verify correctness of a download with SHA256 checksum; Optional
+EOF
+}
+
+parse_arguments() {
+  while getopts "hv" arg; do
+    case $arg in
+    v)
+      VERIFY_CORRECTNESS=true
+      echo "Verify correctness is set to true"
+      ;;
+    ?)
+      help
+      exit 0
+      ;;
+    esac
+  done
+}
+
+verify_download_correctness() {
+  echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
+  check_status "Checking sha256 failed"
+}
+
+download() {
+  echo "Downloading '${DOWNLOAD_URL}'"
+  mkdir -p "${INSTALL_PATH}"
+  check_status "Failed to create ${INSTALL_PATH}"
+  curl -sSLo "${TMP_ZIP_PATH}" "${DOWNLOAD_URL}"
+  check_status "Failed to download '${DOWNLOAD_URL}'"
+}
+
+decompress() {
+  echo "Decompressing"
+  unzip -o -d "${INSTALL_PATH}" "${TMP_ZIP_PATH}"
+  check_status "Failed to unzip the archive into '${INSTALL_PATH}'"
+}
+
+####################################################################################
+
+echo "::group::Download ${DOWNLOAD_URL}"
+parse_arguments $@
+download
+if [ "$VERIFY_CORRECTNESS" = true ]; then
+  verify_download_correctness
+fi
+decompress
+echo "::endgroup::"

scripts/fetch_latest_version.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+source "$(dirname -- "$0")/utils.sh"
+
+SONAR_SCANNER_VERSION=$(curl -sSL -H "Accept: application/vnd.github+json" \
+  https://api.github.com/repos/SonarSource/sonar-scanner-cli/releases/latest | jq -r '.tag_name')
+check_status "Failed to fetch latest sonar-scanner version from GitHub API"
+
+echo "sonar-scanner-version=${SONAR_SCANNER_VERSION}"
+
+for OS in windows linux macosx; do
+  if [[ "$OS" == "windows" ]]; then
+    ARCHS=("x64")
+  else
+    ARCHS=("x64" "aarch64")
+  fi
+  for ARCH in "${ARCHS[@]}"; do
+    SONAR_SCANNER_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-${OS}-${ARCH}.zip"
+    SONAR_SCANNER_SHA=$(curl -sSL "${SONAR_SCANNER_URL}.sha256")
+    check_status "Failed to download ${OS} ${ARCH} sonar-scanner checksum from '${SONAR_SCANNER_URL}'"
+
+    echo "sonar-scanner-url-${OS}-${ARCH}=${SONAR_SCANNER_URL}"
+    echo "sonar-scanner-sha-${OS}-${ARCH}=${SONAR_SCANNER_SHA}"
+  done
+done

scripts/utils.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+check_status() {
+  exit_status=$?
+  if [ $exit_status -ne 0 ]; then
+    echo "::error::$1"
+    exit $exit_status
+  fi
+}
+
+realpath() {
+  case ${RUNNER_OS} in
+    Windows)
+      cygpath --absolute --windows "$1"
+    ;;
+    Linux)
+      readlink -f "$1"
+    ;;
+    macOS)
+      # installed by coreutils package
+      greadlink -f "$1"
+    ;;
+  esac
+}
+

sonar-scanner-version

@@ -0,0 +1,11 @@
+sonar-scanner-version=6.2.1.4610
+sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-windows-x64.zip
+sonar-scanner-sha-windows-x64=b7de8d75c43093e0353e6a3147c3720cafac1c38da96bc61123657197086a1c9
+sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-linux-x64.zip
+sonar-scanner-sha-linux-x64=0b8a3049f0bd5de7abc1582c78c233960d3d4ed7cc983a1d1635e8552f8bb439
+sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-linux-aarch64.zip
+sonar-scanner-sha-linux-aarch64=f67819e7a52ed4c28b541baa5bca0621446314de148f889d7d2d7ff239808f0c
+sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-macosx-x64.zip
+sonar-scanner-sha-macosx-x64=471348fcb912584f093cebf28114322455979d2cceb1654e0a7990da50add94f
+sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-macosx-aarch64.zip
+sonar-scanner-sha-macosx-aarch64=583b1ed386b6f61ddfbb39c0ae169355e96a8e1852b0210a5a5ca4f7487347c1