actions/sonarqube-scan-action
2
0
Fork 0
mirror of https://github.com/SonarSource/sonarqube-scan-action.git synced 2025-12-12 17:31:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #1 from zendesk/zendesk-shehata/rebase_to_upstream

Browse source 
zendesk-shehata/rebase_to_upstream
This commit is contained in:
Shehata Ibrahim 2025-03-26 11:37:22 +01:00 committed by GitHub
commit 3e30ce1f41
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
44 changed files with 2516 additions and 255 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.cirrus/wss-unified-agent.config Normal file
View file

@ -0,0 +1,4 @@
docker.projectNameFormat=repositoryNameAndTag
docker.scanImages=true
wss.url=https://saas-eu.whitesourcesoftware.com/agent
productName=GitHubAction/SonarQubeScanAction

2
.github/CODEOWNERS vendored
View file

@ -1 +1 @@
.github/CODEOWNERS @sonarsource/sonarqube-team
.github/CODEOWNERS @sonarsource/orchestration-processing-squad

7
.github/PULL_REQUEST_TEMPLATE.md vendored
View file

@ -1,3 +1,10 @@
<!--
Only for standalone PRs without Jira issue in the PR title:
* Replace this comment with Epic ID to create a new Task in Jira
* Replace this comment with Issue ID to create a new Sub-Task in Jira
* Ignore or delete this note to create a new Task in Jira without a parent
-->
Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. If you would like to see a new feature, please create a new thread in the forum ["Suggest new features"](https://community.sonarsource.com/c/suggestions/features).
With that in mind, if you would like to submit a code contribution, make sure that you adhere to the following guidelines and all tests are passing:

13
.github/qa-nginx-redirecting/compose.yml vendored Normal file
View file

@ -0,0 +1,13 @@
services:
https-proxy:
image: nginx
ports:
- 8080:8080
volumes:
- $GITHUB_WORKSPACE/.github/qa-nginx-redirecting/nginx.conf:/etc/nginx/nginx.conf:ro
healthcheck:
test: ["CMD", "curl", "--fail", "localhost:8080/health"]
interval: 10s
timeout: 5s
retries: 20
start_period: 2m

32
.github/qa-nginx-redirecting/nginx.conf vendored Normal file
View file

@ -0,0 +1,32 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/conf.d/*.conf;
server {
listen 8080;
location /health {
add_header 'Content-Type' 'text/plain';
return 200 "healthy\n";
}
location ~ /clientRedirectToSonarBinaries/(.*) {
return 301 "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/$1";
}
}
}

26
.github/qa-sq-behind-ngix/compose.yml vendored Normal file
View file

@ -0,0 +1,26 @@
services:
sonarqube:
image: sonarqube:lts-community
ports:
- 9000:9000
healthcheck:
test: 'grep -Fq "SonarQube is operational" /opt/sonarqube/logs/sonar.log'
interval: 10s
timeout: 5s
retries: 20
start_period: 2m
https-proxy:
image: nginx
ports:
- 4443:4443
volumes:
- $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/nginx.conf:/etc/nginx/nginx.conf:ro
- $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/server.crt:/etc/nginx/server.crt:ro
- $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/server.key:/etc/nginx/server.key:ro
healthcheck:
test: ["CMD", "curl", "--fail", "localhost:8080/health"]
interval: 10s
timeout: 5s
retries: 20
start_period: 2m

43
.github/qa-sq-behind-ngix/nginx.conf vendored Normal file
View file

@ -0,0 +1,43 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/conf.d/*.conf;
server {
listen 8080;
location /health {
add_header 'Content-Type' 'text/plain';
return 200 "healthy\n";
}
}
server {
listen 4443 ssl;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
location / {
proxy_pass http://sonarqube:9000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
}
}
}

28
.github/workflows/PullRequestClosed.yml vendored Normal file
View file

@ -0,0 +1,28 @@
name: Pull Request Closed
on:
pull_request:
types: [closed]
jobs:
PullRequestClosed_job:
name: Pull Request Closed
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
# For external PR, ticket should be moved manually
if: |
github.event.pull_request.head.repo.full_name == github.repository
steps:
- id: secrets
uses: SonarSource/vault-action-wrapper@v3
with:
secrets: |
development/kv/data/jira user | JIRA_USER;
development/kv/data/jira token | JIRA_TOKEN;
- uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2
with:
github-token: ${{secrets.GITHUB_TOKEN}}
jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

29
.github/workflows/PullRequestCreated.yml vendored Normal file
View file

@ -0,0 +1,29 @@
name: Pull Request Created
on:
pull_request:
types: ["opened"]
jobs:
PullRequestCreated_job:
name: Pull Request Created
runs-on: ubuntu-latest
permissions:
id-token: write
# For external PR, ticket should be created manually
if: |
github.event.pull_request.head.repo.full_name == github.repository
steps:
- id: secrets
uses: SonarSource/vault-action-wrapper@v3
with:
secrets: |
development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
development/kv/data/jira user | JIRA_USER;
development/kv/data/jira token | JIRA_TOKEN;
- uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2
with:
github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
jira-project: SQSCANGHA

28
.github/workflows/RequestReview.yml vendored Normal file
View file

@ -0,0 +1,28 @@
name: Request review
on:
pull_request:
types: ["review_requested"]
jobs:
RequestReview_job:
name: Request review
runs-on: ubuntu-latest
permissions:
id-token: write
# For external PR, ticket should be moved manually
if: |
github.event.pull_request.head.repo.full_name == github.repository
steps:
- id: secrets
uses: SonarSource/vault-action-wrapper@v3
with:
secrets: |
development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
development/kv/data/jira user | JIRA_USER;
development/kv/data/jira token | JIRA_TOKEN;
- uses: sonarsource/gh-action-lt-backlog/RequestReview@v2
with:
github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

30
.github/workflows/SubmitReview.yml vendored Normal file
View file

@ -0,0 +1,30 @@
name: Submit Review
on:
pull_request_review:
types: [submitted]
jobs:
SubmitReview_job:
name: Submit Review
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
# For external PR, ticket should be moved manually
if: |
github.event.pull_request.head.repo.full_name == github.repository
&& (github.event.review.state == 'changes_requested'
|| github.event.review.state == 'approved')
steps:
- id: secrets
uses: SonarSource/vault-action-wrapper@v3
with:
secrets: |
development/kv/data/jira user | JIRA_USER;
development/kv/data/jira token | JIRA_TOKEN;
- uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2
with:
github-token: ${{secrets.GITHUB_TOKEN}}
jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

87
.github/workflows/qa-deprecated-c-cpp.yml vendored Normal file
View file

@ -0,0 +1,87 @@
name: QA Deprecated C and C++ action
on:
push:
branches:
- master
pull_request:
types: [opened, synchronize, reopened]
jobs:
output-test:
name: Action outputs
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
cache: [true, false]
include:
- arch: X64
- os: macos-latest
arch: ARM64
runs-on: ${{ matrix.os }}
steps:
# Specifying a specific architecture of the runner is not possible for Github hosted runners
# We can only check if the runner architecture matches the expected one
- name: check_runner_arch
shell: bash
run: |
echo "Runner architecture: ${{ runner.arch }}"
if [[ "${{ runner.arch }}" != "${{ matrix.arch }}" ]]; then
echo "##[error]Runner architecture does not match the expected one"
exit 1
fi
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Run SonarQube C/C++ action
id: run-action
uses: ./deprecated-c-cpp
env:
SONAR_HOST_URL: 'https://next.sonarqube.com/sonarqube/'
with:
cache-binaries: ${{ matrix.cache }}
- name: SONAR_HOST_URL is set
shell: bash
run: |
[[ $SONAR_HOST_URL == "https://next.sonarqube.com/sonarqube/" ]]
- name: sonar-scanner is installed and in PATH
run: |
sonar-scanner --help | grep "usage: sonar-scanner "
- name: sonar-scanner-binary output is correct
shell: bash
env:
BINARY: ${{ steps.run-action.outputs.sonar-scanner-binary }}
run: |
"$BINARY" --help | grep "usage: sonar-scanner "
# build-wrapper does not have --help or equivalent option.
# Pass to few arguments and ignore error code
- name: build-wrapper is installed and in PATH on Windows
if: runner.os == 'Windows'
shell: bash
run: |
(build-wrapper-win-x86-64.exe || true) | grep "build-wrapper, version "
- name: build-wrapper is installed and in PATH on Linux
if: runner.os == 'Linux'
shell: bash
run: |
(build-wrapper-linux-x86-64 || true) | grep "build-wrapper, version "
- name: build-wrapper is installed and in PATH on macOS
if: runner.os == 'macOs'
shell: bash
run: |
(build-wrapper-macosx-x86 || true) | grep "build-wrapper, version "
- name: build-wrapper-binary output is correct
shell: bash
env:
BINARY: ${{ steps.run-action.outputs.build-wrapper-binary }}
run: |
("$BINARY" || true) | grep "build-wrapper, version "

69
.github/workflows/qa-install-build-wrapper.yml vendored Normal file
View file

@ -0,0 +1,69 @@
name: QA Install Build Wrapper action
on:
push:
branches:
- master
pull_request:
types: [opened, synchronize, reopened]
jobs:
output-test:
name: Action outputs
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
cache: [true, false]
include:
- arch: X64
- os: macos-latest
arch: ARM64
runs-on: ${{ matrix.os }}
steps:
# Specifying a specific architecture of the runner is not possible for Github hosted runners
# We can only check if the runner architecture matches the expected one
- name: check_runner_arch
shell: bash
run: |
echo "Runner architecture: ${{ runner.arch }}"
if [[ "${{ runner.arch }}" != "${{ matrix.arch }}" ]]; then
echo "##[error]Runner architecture does not match the expected one"
exit 1
fi
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Run SonarQube C/C++ action
id: run-action
uses: ./install-build-wrapper
env:
SONAR_HOST_URL: 'https://next.sonarqube.com/sonarqube/'
# build-wrapper does not have --help or equivalent option.
# Pass to few arguments and ignore error code
- name: build-wrapper is installed and in PATH on Windows
if: runner.os == 'Windows'
shell: bash
run: |
(build-wrapper-win-x86-64.exe || true) | grep "build-wrapper, version "
- name: build-wrapper is installed and in PATH on Linux
if: runner.os == 'Linux'
shell: bash
run: |
(build-wrapper-linux-x86-64 || true) | grep "build-wrapper, version "
- name: build-wrapper is installed and in PATH on macOS
if: runner.os == 'macOs'
shell: bash
run: |
(build-wrapper-macosx-x86 || true) | grep "build-wrapper, version "
- name: build-wrapper-binary output is correct
shell: bash
env:
BINARY: ${{ steps.run-action.outputs.build-wrapper-binary }}
run: |
("$BINARY" || true) | grep "build-wrapper, version "

785
.github/workflows/qa-main.yml vendored Normal file
View file

@ -0,0 +1,785 @@
name: QA Main action
on:
push:
branches:
- master
pull_request:
types: [opened, synchronize, reopened]
jobs:
noInputsTest:
name: >
No inputs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert
run: |
./test/assertFileContains ./output.properties "sonar.projectBaseDir=."
argsInputTest:
name: >
'args' input
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
with:
args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert
run: |
./test/assertFileContains ./output.properties "sonar.someArg=aValue"
projectBaseDirInputTest:
name: >
'projectBaseDir' input
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- run: mkdir -p ./baseDir
- name: Run action with projectBaseDir
uses: ./
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
projectBaseDir: ./baseDir
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert
run: |
./test/assertFileContains ./output.properties "sonar.projectBaseDir=.*/baseDir"
scannerVersionTest:
name: >
'scannerVersion' input
runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerVersion
uses: ./
with:
scannerVersion: 6.1.0.4477
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
env:
NO_CACHE: true # force install-sonar-scanner-cli.sh execution
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert
run: |
./test/assertFileExists "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.1.0.4477-linux-x64.zip"
scannerBinariesUrlTest:
name: >
'scannerBinariesUrl' input with invalid URL
runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
id: runTest
uses: ./
continue-on-error: true
with:
scannerVersion: 6.2.1.4610
scannerBinariesUrl: https://invalid_uri/Distribution/sonar-scanner-cli
env:
NO_CACHE: true # force install-sonar-scanner-cli.sh execution
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Fail if action succeeded
if: steps.runTest.outcome == 'success'
run: exit 1
- name: Assert Sonar Scanner CLI was not downloaded
run: |
./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.2.1.4610-linux-x64.zip"
- name: Assert Sonar Scanner CLI was not executed
run: |
./test/assertFileDoesntExist ./output.properties
scannerBinariesUrlIsEscapedWithWget:
name: >
'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
id: runTest
uses: ./
continue-on-error: true
with:
scannerBinariesUrl: 'http://some_uri;touch file.txt;'
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
- name: Assert file.txt does not exist
run: |
./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
scannerBinariesUrlIsEscapedWithCurl:
name: >
'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
run: sudo apt-get remove -y wget
- name: Assert wget is not available
run: |
if command -v wget 2>&1 >/dev/null
then
exit 1
fi
- name: Run action with scannerBinariesUrl
id: runTest
uses: ./
continue-on-error: true
with:
scannerBinariesUrl: 'http://some_uri http://another_uri''; touch file.txt;'
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
- name: Assert file.txt does not exist
run: |
./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
dontFailGradleTest:
name: >
Don't fail on Gradle project
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Gradle project
id: runTest
uses: ./
continue-on-error: true
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
with:
projectBaseDir: ./test/gradle-project
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert
run: |
./test/assertFileExists ./output.properties
dontFailGradleKotlinTest:
name: >
Don't fail on Kotlin Gradle project
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Kotlin Gradle project
id: runTest
uses: ./
continue-on-error: true
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
with:
projectBaseDir: ./test/gradle-project
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert
run: |
./test/assertFileExists ./output.properties
dontFailMavenTest:
name: >
Don't fail on Maven project
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Maven project
id: runTest
uses: ./
continue-on-error: true
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
with:
projectBaseDir: ./test/maven-project
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert
run: |
./test/assertFileExists ./output.properties
runAnalysisTest:
runs-on: ubuntu-latest
services:
sonarqube:
image: sonarqube:lts-community
ports:
- 9000:9000
volumes:
- sonarqube_data:/opt/sonarqube/data
- sonarqube_logs:/opt/sonarqube/logs
- sonarqube_extensions:/opt/sonarqube/extensions
options: >-
--health-cmd "grep -Fq \"SonarQube is operational\" /opt/sonarqube/logs/sonar.log"
--health-interval 10s
--health-timeout 5s
--health-retries 10
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on sample project
id: runTest
uses: ./
env:
SONAR_HOST_URL: http://localhost:9000
with:
args: -Dsonar.login=admin -Dsonar.password=admin
projectBaseDir: ./test/example-project
- name: Assert
run: |
./test/assertFileExists ./test/example-project/.scannerwork/report-task.txt
runnerDebugUsedTest:
name: >
'RUNNER_DEBUG' is used
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with debug mode
uses: ./
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
env:
RUNNER_DEBUG: 1
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert
run: |
./test/assertFileContains ./output.properties "sonar.verbose=true"
runAnalysisWithCacheTest:
runs-on: ubuntu-latest
services:
sonarqube:
image: sonarqube:lts-community
ports:
- 9000:9000
volumes:
- sonarqube_data:/opt/sonarqube/data
- sonarqube_logs:/opt/sonarqube/logs
- sonarqube_extensions:/opt/sonarqube/extensions
options: >-
--health-cmd "grep -Fq \"SonarQube is operational\" /opt/sonarqube/logs/sonar.log"
--health-interval 10s
--health-timeout 5s
--health-retries 10
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: SonarQube Cache
uses: actions/cache@v4
with:
path: ${{ github.workspace }}/.sonar/cache
key: ${{ runner.os }}-${{ runner.arch }}-sonar
- name: Run action on sample project
id: runTest
uses: ./
env:
SONAR_HOST_URL: http://localhost:9000
SONAR_USER_HOME: ${{ github.workspace }}/.sonar
with:
args: -Dsonar.login=admin -Dsonar.password=admin
projectBaseDir: ./test/example-project
- name: Assert
run: |
./test/assertFileExists ./test/example-project/.scannerwork/report-task.txt
overrideSonarcloudUrlTest:
name: >
'SONARCLOUD_URL' is used
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with SONARCLOUD_URL
uses: ./
with:
args: -Dsonar.scanner.apiBaseUrl=api.mirror.sonarcloud.io -Dsonar.scanner.internal.dumpToFile=./output.properties
env:
SONARCLOUD_URL: mirror.sonarcloud.io
SONAR_TOKEN: FAKE_TOKEN
- name: Assert
run: |
./test/assertFileContains ./output.properties "sonar.host.url=mirror.sonarcloud.io"
./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io"
dontFailWhenMissingWgetButCurlAvailable:
name: Don't fail when missing wget but curl available
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
run: sudo apt-get remove -y wget
- name: Assert wget is not available
run: |
if command -v wget 2>&1 >/dev/null
then
exit 1
fi
- name: Run action
uses: ./
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert
run: |
./test/assertFileExists ./output.properties
dontFailWhenMissingCurlButWgetAvailable:
name: Don't fail when missing curl but wget available
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove curl
run: sudo apt-get remove -y curl
- name: Assert curl is not available
run: |
if command -v curl 2>&1 >/dev/null
then
exit 1
fi
- name: Run action
id: runTest
uses: ./
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert
run: |
./test/assertFileExists ./output.properties
failWhenBothWgetAndCurlMissing:
name: Fail when both wget and curl are missing
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget and curl
run: sudo apt-get remove -y wget curl
- name: Assert wget and curl are not available
run: |
if command -v wget 2>&1 >/dev/null
then
exit 1
fi
if command -v curl 2>&1 >/dev/null
then
exit 1
fi
- name: Run action
id: runTest
uses: ./
continue-on-error: true
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert failure of previous step
if: steps.runTest.outcome == 'success'
run: exit 1
curlPerformsRedirect:
name: >
curl performs redirect when scannerBinariesUrl returns 3xx
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
run: sudo apt-get remove -y wget
- name: Assert wget is not available
run: |
if command -v wget 2>&1 >/dev/null
then
exit 1
fi
- name: Start nginx via Docker Compose
run: docker compose up -d --wait
working-directory: .github/qa-nginx-redirecting
- name: Run action with scannerBinariesUrl
id: runTest
uses: ./
with:
scannerVersion: 6.2.1.4610
scannerBinariesUrl: http://localhost:8080/clientRedirectToSonarBinaries
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
- name: Assert Sonar Scanner CLI was downloaded
run: |
./test/assertFileExists "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.2.1.4610-linux-x64.zip"
useSslCertificate:
name: >
'SONAR_ROOT_CERT' is converted to truststore
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with SSL certificate
uses: ./
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
env:
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
MIIFtjCCA56gAwIBAgIULroxFuPWyNOiQtAVPS/XFFMXp6owDQYJKoZIhvcNAQEL
BQAwXDELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2Vu
ZXZhMRcwFQYDVQQKDA5Tb25hclNvdXJjZSBTQTESMBAGA1UEAwwJbG9jYWxob3N0
MB4XDTI0MDQxNjA4NDUyMVoXDTM0MDQxNDA4NDUyMVowXDELMAkGA1UEBhMCQ0gx
DzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2VuZXZhMRcwFQYDVQQKDA5Tb25h
clNvdXJjZSBTQTESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEArRRQF25E5NCgXdoEBU2SWyAoyOWMGVT1Ioltnr3sJP6L
MjjfozK5YgaRn504291lwlG+k6tvzTSR9HB8q3ITa8AdnwMiL7jzbveYKWIlLQ7k
dHKXWbiaIjTaZCyfnWUlDFIuR7BHwOXVwyLrBQfhoyDVaaoyowQEsUro3okIR/kB
sqM+KH8bcdl06DMMppZ8Qy1DYvPodhnNRyOSSpfbIoodE1fju+5U0OKzvGIc9WpG
5pKIysaW3whOa/ieb02SXrgoiHnYPpmmGzm4u/Wn8jGwhYQJSQT10yjMacGHwmBE
q7FUr854cVd+eend056P6pwUukdNeVHCFjYRkmWCNzIxV+sS9PPtDs77/bLFIItr
nBMHVsId38tPoru/z1S1p2dzCX3Nq09aJFF/vH2u9Sg5aerHJ7xnRroR1jIrAZtc
jBkJHEiTlG+WaavP4j6oym+lvHvgHHL3Qwhh8emg0JiLYExVV7ma70aRDh8yoQtS
zAUDMVfhVPKd92MS+7DC2pv2KviUNKqbHDFadl01JN3t+17/gstUNSk1jpoUfUhK
BeUQxVEdVUy2p0HeD/TYpRvF2FEsWneq3+ZbnRp17I/uEQOck0LP2tkzAd4tmRgH
+95yyB8MgbAfvyKWkB4+3BhtdfoYDe1asqR6z43mejDHHqgBXn+u3UKjPypKfPEC
AwEAAaNwMG4wHwYDVR0jBBgwFoAUINXfg3fn6/RUenW3EobpMoP8wDQwCQYDVR0T
BAIwADALBgNVHQ8EBAMCBPAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MB0GA1UdDgQW
BBRX4bsny+8GQcFpM10jtAfFxzNxzzANBgkqhkiG9w0BAQsFAAOCAgEAa+Myw6li
Fme95cPpINTite/9LXk+TlHHnXiV5Z+Um3NTLSllX3zPuRFiOE71OKFrWQPqH2N/
85l6h19G9xQsaqkkVFyQENkNzykZpJL/jU4+wgRtwcEDkaRGGURZacz3vfLTc1HX
tPDNv/JsZ5HE2d7cF5YhN4UahtxS2lvarrSujaOBpFZTT6PbEYX9EnwCdapORHOh
wKMc3OGGOiGWvRlVaWu/Huq2HvXXcK0pmaYWWKX3u21evthSYOu9U4Rk0z1y7m3/
CIYaIrvSbkzq2KKXMn7lr26bv2cthAQrPAjb2ILPUoyzKa3wEK3lkhanM6PN9CMH
y5KRTpqwV45Qr6BAVY1bP67pEkay2T31chIVKds6dkx9b2/bWpW9PWuymsbWX2vO
Q1MiaPkXKSTgCRwQUR0SNbPHw3X+VhrKKJB+beX8Bh2fcKw3jGGM8oHiA1hpdnbg
Y5fW7EupF5gabf2jNB1XJ4gowlpB3nTooKFgbcgsvi68MRdBno2TWUhsZ3zCVyaH
KFdDV0f78Fg7oL79K3kBL/iqr+jsb8sFHKIS4Dyyz2rDJrE0q0xAPes+Bu75R3/5
M/s2H7KuLqLdDYsCsMeMqOVuIcAyPp2MFWInYPyi0zY4fwKwm8f/Kv8Lzb+moxqI
Fct6d1S08JAosVnZcP2P7Yz+TbmDRtsqCgk=
-----END CERTIFICATE-----
SONAR_HOST_URL: http://not_actually_used
- name: Assert
run: |
./test/assertFileExists ~/.sonar/ssl/truststore.p12
analysisWithSslCertificate:
name: >
Analysis takes into account 'SONAR_ROOT_CERT'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate server certificate
run: |
openssl req \
-newkey rsa:4096 \
-x509 \
-sha256 \
-addext "subjectAltName = DNS:localhost" \
-days 3650 \
-nodes \
-out server.crt \
-subj "/C=CH/ST=Geneva/L=Geneva/O=Server/OU=Dept" \
-keyout server.key
working-directory: .github/qa-sq-behind-ngix
- name: Start nginx and SonarQube via Docker Compose
run: docker compose up -d --wait
working-directory: .github/qa-sq-behind-ngix
- name: Read correct server certificate
run: |
# read server.crt from .github/qa-sq-behind-ngix/ and store into the SONAR_ROOT_CERT_VALID
# environment variable, to be able to read it in the next step
{
echo 'SONAR_ROOT_CERT_VALID<<=========='
cat .github/qa-sq-behind-ngix/server.crt
echo ==========
} >> $GITHUB_ENV
- name: Run action with the correct SSL certificate
uses: ./
env:
SONAR_ROOT_CERT: ${{ env.SONAR_ROOT_CERT_VALID }}
SONAR_HOST_URL: https://localhost:4443
with:
args: -Dsonar.login=admin -Dsonar.password=admin
projectBaseDir: ./test/example-project
- name: Clear imported SSL certificates
run: |
rm -f ~/.sonar/ssl/truststore.p12
- name: Run action with an invalid SSL certificate
id: invalid_ssl_certificate
continue-on-error: true
uses: ./
env:
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
INVALID
-----END CERTIFICATE-----
SONAR_HOST_URL: https://localhost:4443
with:
args: -Dsonar.login=admin -Dsonar.password=admin
projectBaseDir: ./test/example-project
- name: Assert failure of previous step
if: steps.invalid_ssl_certificate.outcome == 'success'
run: exit 1
- name: Clear imported SSL certificates
run: |
rm -f ~/.sonar/ssl/truststore.p12
- name: Run action with the wrong SSL certificate
id: wrong_ssl_certificate
continue-on-error: true
uses: ./
env:
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIUXK4LyGUFe4ZVL93StPXCoJzmnLMwDQYJKoZIhvcNAQEL
BQAwTzELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2Vu
ZXZhMQ8wDQYDVQQKDAZTZXJ2ZXIxDTALBgNVBAsMBERlcHQwHhcNMjQxMTAxMDgx
MzM3WhcNMzQxMDMwMDgxMzM3WjBPMQswCQYDVQQGEwJDSDEPMA0GA1UECAwGR2Vu
ZXZhMQ8wDQYDVQQHDAZHZW5ldmExDzANBgNVBAoMBlNlcnZlcjENMAsGA1UECwwE
RGVwdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK5m0V6IFFykib77
nmlN7weS9q3D6YGEj+8hRNQViL9KduUoLjoKpONIihU5kfIg+5SkGygjHRkBvIp3
b0HQqhkwtGln3/FxxaSfGEguLHgzXR8JDQSyJ8UKIGOPCH93n1rUip5Ok1iExVup
HtkiVDRoCC9cRjZXbGOKrO6VBT4RvakpkaqCdXYikV244B5ElM7kdFdz8fso78Aq
xekb9dM0f21uUaDBKCIhRcxWeafp0CJIoejTq0+PF7qA2qIY5UHqWElWO5NsvQ8+
MqKkIdsOa1pYNuH/5eQ59k9KSE92ps1xTKweW000GfPqxx8IQ/e4aAd2SaMTKvN6
aac6piWBeJ7AssgWwkg/3rnZB5seQIrWjIUePmxJ4c0g0eL9cnVpYF0K/Dldle/G
wg0zi1g709rBI1TYj9xwrivxSwEQupz8OdKqOmgqrKHJJ/CCLl+JdFYjgwl3NWLH
wsU639H1bMXIJoQujg9U47e9fXbwiqdkMQzt7rPGkOBBaAkSctAReiXnWy+CbVEM
QFHDrnD5YUJRd5t/DUuWuqhR2QhfUvRClPUKoVqB/iOu2IumlgDEDA8jb1dxEW+W
iaYokQCS94OpxOJ8aeReSt9bghT0vc9ifCLWvuE1iBjujdK32ekKSY9DCZyBHXsG
J9N1nt1qd/k7QqWOkuPjr1JrTIMbAgMBAAGjaTBnMB0GA1UdDgQWBBQw4ESReEk+
AIxwjHRqPkESzMv1bTAfBgNVHSMEGDAWgBQw4ESReEk+AIxwjHRqPkESzMv1bTAP
BgNVHRMBAf8EBTADAQH/MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0B
AQsFAAOCAgEAE8WefoZN23aOSe79ZN7zRBWP8DdPgFAqg5XUhfc9bCIVfJ4XMpEe
3lzRhgjwDm4naEs35QWOhPZH2vx8XrEKnZNI6vKO8JzaCsivgngk8bsWnvhwSXy5
eFdc99K+FOmOHevDmeiimoQnikffnSULRhQYzE2Qwyo9iky8703/+D3IKEC/8exC
rlyGMUV/Nqj+4M+57DiZ6OXeFuunfoFB7vmcDZygqDhKoHhVRyu8qN6PeK2fvUFK
EjeRtvA0GkdlOtLIF2g5yBTK2ykkt/oLUoAolfYUTKcoV2/FS0gVR5ovmEpKyBcP
H9hzr16a8dtrEqOf/oKHQSLwxn8afmS354HJ75sq9SujOtIWpHfyH5IgqtUpiBN/
bzvKs/QZjtGlqvquOTkdh9L4oxTXqG7zEStZyo/v9g5jf1Tq195b2DNFwVUZIcbb
u2d4CvAZ1yNr+8ax/kTwBSY8WU+mCtmvowFstdvsJXVXJKnUO6EZOdbg0GxTBVyE
zMsnPcnkOwV5TJIKKhonrgrwmPmQ9IOV9BrThVxujjjEbAdA6jM9PMiXzuDukldm
QBRwNbczGbdsHkMKHmQnrTqOyQyI4KCXF08kcOm4C1P+Whrvi0DXkqHnyKvBE0td
dciInBoeHwUs2eclz7gP7pMBJUlFUkKfQxwxGLIqZSXnlAFBfW6hHLI=
-----END CERTIFICATE-----
SONAR_HOST_URL: https://localhost:4443
with:
args: -Dsonar.login=admin -Dsonar.password=admin
projectBaseDir: ./test/example-project
- name: Assert failure of previous step
if: steps.wrong_ssl_certificate.outcome == 'success'
run: exit 1
overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
name: >
'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create a dummy SCANNER_LOCAL_FOLDER with dummy content in it
run: |
SCANNER_VERSION="6.2.1.4610"
SCANNER_LOCAL_FOLDER="$RUNNER_TEMP/sonar-scanner-cli-$SCANNER_VERSION-$RUNNER_OS-$RUNNER_ARCH"
# emit SCANNER_VERSION and SCANNER_LOCAL_FOLDER to be able to read them in the next steps
echo "SCANNER_VERSION=$SCANNER_VERSION" >> $GITHUB_ENV
echo "SCANNER_LOCAL_FOLDER=$SCANNER_LOCAL_FOLDER" >> $GITHUB_ENV
mkdir -p "$SCANNER_LOCAL_FOLDER"
touch "$SCANNER_LOCAL_FOLDER/some_content.txt"
- name: Assert SCANNER_LOCAL_FOLDER exists and dummy file is in it
run: |
[ -d "$SCANNER_LOCAL_FOLDER" ] || exit 1
[ -f "$SCANNER_LOCAL_FOLDER/some_content.txt" ] || exit 1
- name: Run action with SONAR_SCANNER_TEMP
uses: ./
env:
NO_CACHE: true # force install-sonar-scanner-cli.sh execution
SONAR_SCANNER_TEMP: /tmp/sonar-scanner
SONAR_HOST_URL: http://not_actually_used
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
scannerVersion: ${{ env.SCANNER_VERSION }}
- name: Assert SCANNER_LOCAL_FOLDER exists and dummy file is not in it
run: |
[ -d "$SCANNER_LOCAL_FOLDER" ] || exit 1
[ ! -f "$SCANNER_LOCAL_FOLDER/some_content.txt" ] || exit 1
updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
name: >
truststore.p12 is updated when present
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
run: |
SONAR_SSL_FOLDER=~/.sonar/ssl
mkdir -p "$SONAR_SSL_FOLDER"
touch "$SONAR_SSL_FOLDER/not-truststore.p12"
# emit SONAR_SSL_FOLDER to be able to read it in the next steps
echo "SONAR_SSL_FOLDER=$SONAR_SSL_FOLDER" >> $GITHUB_ENV
- name: Assert truststore.p12 does not file exists
run: |
[ ! -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
- name: Run action with SONAR_ROOT_CERT
uses: ./
env:
# NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed
SONAR_HOST_URL: http://not_actually_used
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIUXK4LyGUFe4ZVL93StPXCoJzmnLMwDQYJKoZIhvcNAQEL
BQAwTzELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2Vu
ZXZhMQ8wDQYDVQQKDAZTZXJ2ZXIxDTALBgNVBAsMBERlcHQwHhcNMjQxMTAxMDgx
MzM3WhcNMzQxMDMwMDgxMzM3WjBPMQswCQYDVQQGEwJDSDEPMA0GA1UECAwGR2Vu
ZXZhMQ8wDQYDVQQHDAZHZW5ldmExDzANBgNVBAoMBlNlcnZlcjENMAsGA1UECwwE
RGVwdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK5m0V6IFFykib77
nmlN7weS9q3D6YGEj+8hRNQViL9KduUoLjoKpONIihU5kfIg+5SkGygjHRkBvIp3
b0HQqhkwtGln3/FxxaSfGEguLHgzXR8JDQSyJ8UKIGOPCH93n1rUip5Ok1iExVup
HtkiVDRoCC9cRjZXbGOKrO6VBT4RvakpkaqCdXYikV244B5ElM7kdFdz8fso78Aq
xekb9dM0f21uUaDBKCIhRcxWeafp0CJIoejTq0+PF7qA2qIY5UHqWElWO5NsvQ8+
MqKkIdsOa1pYNuH/5eQ59k9KSE92ps1xTKweW000GfPqxx8IQ/e4aAd2SaMTKvN6
aac6piWBeJ7AssgWwkg/3rnZB5seQIrWjIUePmxJ4c0g0eL9cnVpYF0K/Dldle/G
wg0zi1g709rBI1TYj9xwrivxSwEQupz8OdKqOmgqrKHJJ/CCLl+JdFYjgwl3NWLH
wsU639H1bMXIJoQujg9U47e9fXbwiqdkMQzt7rPGkOBBaAkSctAReiXnWy+CbVEM
QFHDrnD5YUJRd5t/DUuWuqhR2QhfUvRClPUKoVqB/iOu2IumlgDEDA8jb1dxEW+W
iaYokQCS94OpxOJ8aeReSt9bghT0vc9ifCLWvuE1iBjujdK32ekKSY9DCZyBHXsG
J9N1nt1qd/k7QqWOkuPjr1JrTIMbAgMBAAGjaTBnMB0GA1UdDgQWBBQw4ESReEk+
AIxwjHRqPkESzMv1bTAfBgNVHSMEGDAWgBQw4ESReEk+AIxwjHRqPkESzMv1bTAP
BgNVHRMBAf8EBTADAQH/MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0B
AQsFAAOCAgEAE8WefoZN23aOSe79ZN7zRBWP8DdPgFAqg5XUhfc9bCIVfJ4XMpEe
3lzRhgjwDm4naEs35QWOhPZH2vx8XrEKnZNI6vKO8JzaCsivgngk8bsWnvhwSXy5
eFdc99K+FOmOHevDmeiimoQnikffnSULRhQYzE2Qwyo9iky8703/+D3IKEC/8exC
rlyGMUV/Nqj+4M+57DiZ6OXeFuunfoFB7vmcDZygqDhKoHhVRyu8qN6PeK2fvUFK
EjeRtvA0GkdlOtLIF2g5yBTK2ykkt/oLUoAolfYUTKcoV2/FS0gVR5ovmEpKyBcP
H9hzr16a8dtrEqOf/oKHQSLwxn8afmS354HJ75sq9SujOtIWpHfyH5IgqtUpiBN/
bzvKs/QZjtGlqvquOTkdh9L4oxTXqG7zEStZyo/v9g5jf1Tq195b2DNFwVUZIcbb
u2d4CvAZ1yNr+8ax/kTwBSY8WU+mCtmvowFstdvsJXVXJKnUO6EZOdbg0GxTBVyE
zMsnPcnkOwV5TJIKKhonrgrwmPmQ9IOV9BrThVxujjjEbAdA6jM9PMiXzuDukldm
QBRwNbczGbdsHkMKHmQnrTqOyQyI4KCXF08kcOm4C1P+Whrvi0DXkqHnyKvBE0td
dciInBoeHwUs2eclz7gP7pMBJUlFUkKfQxwxGLIqZSXnlAFBfW6hHLI=
-----END CERTIFICATE-----
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert not-truststore.p12 file still exists
run: |
[ -f "$SONAR_SSL_FOLDER/not-truststore.p12" ] || exit 1
- name: Assert truststore.p12 file now exists and take note of modification time
run: |
[ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
# emit the modification time of the truststore.p12 file to be able to read it in the next steps
TRUSTSTORE_P12_MOD_TIME_T1=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
echo "TRUSTSTORE_P12_MOD_TIME_T1=$TRUSTSTORE_P12_MOD_TIME_T1" >> $GITHUB_ENV
- name: Run action a second time with a different SONAR_ROOT_CERT
uses: ./
env:
# NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed
SONAR_HOST_URL: http://not_actually_used
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
Tk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD
VQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG
9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4
MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi
ZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl
aWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO
NoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS
KOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d
1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8
BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n
bK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar
Q4/67OZfHd7R+POBXhophSMv1ZOo
-----END CERTIFICATE-----
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert truststore.p12 still exists, but it has been updated, and take note of modification time
run: |
[ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
TRUSTSTORE_P12_MOD_TIME_T2=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
[ "$TRUSTSTORE_P12_MOD_TIME_T1" != "$TRUSTSTORE_P12_MOD_TIME_T2" ] || exit 1
# emit the modification time of the truststore.p12 file to be able to read it in the next steps
echo "TRUSTSTORE_P12_MOD_TIME_T2=$TRUSTSTORE_P12_MOD_TIME_T2" >> $GITHUB_ENV
- name: Remove sonar alias from truststore.p12
run: keytool -delete -alias sonar -keystore "$SONAR_SSL_FOLDER/truststore.p12" -storepass changeit
- name: Run action a third time
uses: ./
env:
# NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed
SONAR_HOST_URL: http://not_actually_used
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
Tk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD
VQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG
9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4
MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi
ZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl
aWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO
NoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS
KOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d
1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8
BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n
bK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar
Q4/67OZfHd7R+POBXhophSMv1ZOo
-----END CERTIFICATE-----
with:
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
- name: Assert truststore.p12 still exists, and it has been updated again
run: |
[ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
TRUSTSTORE_P12_MOD_TIME_T3=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
[ "$TRUSTSTORE_P12_MOD_TIME_T2" != "$TRUSTSTORE_P12_MOD_TIME_T3" ] || exit 1

351
.github/workflows/qa-scripts.yml vendored Normal file
View file

@ -0,0 +1,351 @@
name: QA Scripts
on:
push:
branches:
- master
pull_request:
types: [opened, synchronize, reopened]
jobs:
create-install-dir-test:
name: create_install_path.sh
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Existing
shell: bash
env:
INSTALL_PATH: '.sonar'
run: |
echo "- Create dir"
mkdir -p "${INSTALL_PATH}"
echo "- Test script behavior"
./scripts/create_install_path.sh > output
grep -v "::error::" output
- name: Non-existing nested in current dir
shell: bash
env:
INSTALL_PATH: '.sonar'
run: |
./scripts/create_install_path.sh > output
grep -v "::error::" output
test -d "${INSTALL_PATH}"
- name: Nonexisting nested in home
shell: bash
env:
INSTALL_PATH: '~/third_party/.sonar'
run: |
./scripts/create_install_path.sh > output
grep -v "::error::" output
test -d "${INSTALL_PATH}"
- name: Empty install dir specified
shell: bash
env:
INSTALL_PATH: ''
run: |
(./scripts/create_install_path.sh || echo "=== Script failed ===") > output
grep "::error::Empty installation path specified" output
grep "=== Script failed ===" output
- name: No permission to create directory
shell: bash
env:
INSTALL_PATH: '/non_creatable'
run: |
(./scripts/create_install_path.sh || echo "=== Script failed ===") > output
grep "::error::Failed to create non-existing installation path '/non_creatable'" output
grep "=== Script failed ===" output
- name: Existing but not directory
shell: bash
env:
INSTALL_PATH: 'not_directory'
run: |
echo "- Create normal file"
echo "content" > "${INSTALL_PATH}"
echo "- Test script behavior"
(./scripts/create_install_path.sh || echo "=== Script failed ===") > output
grep "::error::Installation path 'not_directory' is not a directory" output
grep "=== Script failed ===" output
- name: Existing but not readable
shell: bash
env:
INSTALL_PATH: 'not_readable'
run: |
echo "- Create dir and make it not readable"
mkdir -p "${INSTALL_PATH}"
chmod -r "${INSTALL_PATH}"
echo "- Test script behavior"
(./scripts/create_install_path.sh || echo "=== Script failed ===") > output
grep "::error::Installation path 'not_readable' is not readable" output
grep "=== Script failed ===" output
- name: Existing but not writeable
shell: bash
env:
INSTALL_PATH: 'not_writeable'
run: |
echo "- Create dir and make it not writeable"
mkdir -p "${INSTALL_PATH}"
chmod -w "${INSTALL_PATH}"
echo "- Test script behavior"
(./scripts/create_install_path.sh || echo "=== Script failed ===") > output
grep "::error::Installation path 'not_writeable' is not writeable" output
grep "=== Script failed ===" output
setup-script-test:
name: configure_paths.sh
runs-on: ubuntu-latest
env:
INSTALL_PATH: 'install-directory'
SONAR_HOST_URL: 'http://sonar-host.com'
SONAR_SCANNER_VERSION: 'vX.Y.Z.MMMM'
SONAR_SCANNER_URL_WINDOWS_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-windows-x64.zip'
SONAR_SCANNER_SHA_WINDOWS_X64: 'DOWNLOAD-SHA-WINDOWS-X64'
SONAR_SCANNER_URL_LINUX_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-x64.zip'
SONAR_SCANNER_SHA_LINUX_X64: 'DOWNLOAD-SHA-LINUX-X64'
SONAR_SCANNER_URL_LINUX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-aarch64.zip'
SONAR_SCANNER_SHA_LINUX_AARCH64: 'DOWNLOAD-SHA-LINUX-AARCH64'
SONAR_SCANNER_URL_MACOSX_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-x64.zip'
SONAR_SCANNER_SHA_MACOSX_X64: 'DOWNLOAD-SHA-MACOSX-X64'
SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Windows
shell: bash
env:
OS: 'Windows'
ARCH: 'X64'
run: |
./scripts/configure_paths.sh > output
grep -v "::error::" output
echo "- Check sonar-scanner:"
grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-windows-x64.zip" output
grep "sonar-scanner-sha=DOWNLOAD-SHA-WINDOWS-X64" output
grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-windows-x64" output
grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-windows-x64/bin/sonar-scanner.bat" output
echo "- Check build-wrapper:"
grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-win-x86.zip" output
grep "build-wrapper-dir=install-directory/build-wrapper-win-x86" output
grep "build-wrapper-bin=install-directory/build-wrapper-win-x86/build-wrapper-win-x86-64.exe" output
- name: Linux X64
shell: bash
env:
OS: 'Linux'
ARCH: 'X64'
run: |
./scripts/configure_paths.sh > output
grep -v "::error::" output
echo "- Check sonar-scanner:"
grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-x64.zip" output
grep "sonar-scanner-sha=DOWNLOAD-SHA-LINUX-X64" output
grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-x64" output
grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-x64/bin/sonar-scanner" output
echo "- Check build-wrapper:"
grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-linux-x86.zip" output
grep "build-wrapper-dir=install-directory/build-wrapper-linux-x86" output
grep "build-wrapper-bin=install-directory/build-wrapper-linux-x86/build-wrapper-linux-x86-64" output
- name: Linux ARM64
shell: bash
env:
OS: 'Linux'
ARCH: 'ARM64'
run: |
./scripts/configure_paths.sh > output
grep -v "::error::" output
echo "- Check sonar-scanner:"
grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-aarch64.zip" output
grep "sonar-scanner-sha=DOWNLOAD-SHA-LINUX-AARCH64" output
grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-aarch64" output
grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-aarch64/bin/sonar-scanner" output
echo "- Check build-wrapper:"
grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-linux-aarch64.zip" output
grep "build-wrapper-dir=install-directory/build-wrapper-linux-aarch64" output
grep "build-wrapper-bin=install-directory/build-wrapper-linux-aarch64/build-wrapper-linux-aarch64" output
- name: macOSX_X64
shell: bash
env:
OS: 'macOS'
ARCH: 'X64'
run: |
./scripts/configure_paths.sh > output
grep -v "::error::" output
echo "- Check sonar-scanner:"
grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-x64.zip" output
grep "sonar-scanner-sha=DOWNLOAD-SHA-MACOSX-X64" output
grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-x64" output
grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-x64/bin/sonar-scanner" output
echo "- Check build-wrapper:"
grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-macosx-x86.zip" output
grep "build-wrapper-dir=install-directory/build-wrapper-macosx-x86" output
grep "build-wrapper-bin=install-directory/build-wrapper-macosx-x86/build-wrapper-macosx-x86" output
- name: macOSX_ARM64
shell: bash
env:
OS: 'macOS'
ARCH: 'ARM64'
run: |
./scripts/configure_paths.sh > output
grep -v "::error::" output
echo "- Check sonar-scanner:"
grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip" output
grep "sonar-scanner-sha=DOWNLOAD-SHA-MACOSX-AARCH64" output
grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-aarch64" output
grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-aarch64/bin/sonar-scanner" output
echo "- Check build-wrapper:"
grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-macosx-x86.zip" output
grep "build-wrapper-dir=install-directory/build-wrapper-macosx-x86" output
grep "build-wrapper-bin=install-directory/build-wrapper-macosx-x86/build-wrapper-macosx-x86" output
- name: Unsupported OS
shell: bash
env:
OS: 'unsupportedOS'
ARCH: 'X64'
run: |
(./scripts/configure_paths.sh || echo "=== Script failed ===") > output
echo "- Check errors:"
grep "::error::Unsupported runner OS 'unsupportedOS'" output
grep "=== Script failed ===" output
- name: Unsupported architecture
shell: bash
env:
OS: 'Linux'
ARCH: 'X86'
run: |
(./scripts/configure_paths.sh || echo "=== Script failed ===") > output
echo "- Check errors:"
grep "::error::Architecture 'X86' is unsupported by build-wrapper" output
grep "=== Script failed ===" output
download-script-test:
name: download.sh
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Download test without validation
shell: bash
env:
INSTALL_PATH: 'install-directory-no-sha-validation'
DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
EXPECTED_SHA: 'incorrect-sha-not-validated'
TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
run: |
./scripts/download.sh > output
test -f "$TMP_ZIP_PATH"
grep -v "::error::" output
- name: Download test with validation
shell: bash
env:
INSTALL_PATH: 'install-directory-sha-validation'
DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
EXPECTED_SHA: '9411331814c1d002bd65d37758b872918b7602e7cf3ca5b83a3e19a729b2be05'
TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
run: |
./scripts/download.sh -v > output
test -f "$TMP_ZIP_PATH"
grep -v "::error::" output
- name: Incorrect install dir
shell: bash
env:
INSTALL_PATH: ''
run: |
(./scripts/download.sh || echo "=== Script failed ===") > output
grep "::error::Failed to create" output
grep "=== Script failed ===" output
- name: Incorrect download url
shell: bash
env:
INSTALL_PATH: 'install-directory-incorrect-url'
DOWNLOAD_URL: 'incorrect-url'
run: |
(./scripts/download.sh || echo "=== Script failed ===") > output
grep "::error::Failed to download 'incorrect-url'" output
grep "=== Script failed ===" output
- name: Incorrect SHA256
shell: bash
env:
INSTALL_PATH: 'install-directory-incorrect-sha'
DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
EXPECTED_SHA: 'incorrect-sha256'
TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
run: |
(./scripts/download.sh -v || echo "=== Script failed ===") > output
grep "::error::Checking sha256 failed" output
grep "=== Script failed ===" output
- name: Mismatching SHA256
shell: bash
env:
INSTALL_PATH: 'install-directory-mismtaching-sha'
DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip'
EXPECTED_SHA: '3e121d85a4adb1f30b917d5f3eb897966b59e02c3d6d313a78dcd964193dc963'
TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
run: |
(./scripts/download.sh -v || echo "=== Script failed ===") > output
grep "::error::Checking sha256 failed" output
grep "=== Script failed ===" output
fetch-latest-version-test:
name: fetch_latest_version.sh
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Test script
shell: bash
run: |
./scripts/fetch_latest_version.sh > output
echo "- Check sonar-scanner version:"
grep "sonar-scanner-version=" output
SONAR_SCANNER_VERSION=$(cat output | cut -d= -f 2)
test ! -z "${SONAR_SCANNER_VERSION}"
echo "- Check windows sonar-scanner URLs:"
grep "sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-windows-x64.zip" output
grep -e "^sonar-scanner-sha-windows-x64=[0-9A-Fa-f]\+$" output
echo "- Check linux sonar-scanner URLs:"
grep "sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip" output
grep -e "^sonar-scanner-sha-linux-x64=[0-9A-Fa-f]\+$" output
grep "sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip" output
grep -e "^sonar-scanner-sha-linux-aarch64=[0-9A-Fa-f]\+$" output
echo "- Check macosx sonar-scanner URLs:"
grep "sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip" output
grep -e "^sonar-scanner-sha-linux-x64=[0-9A-Fa-f]\+$" output
grep "sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip" output
grep -e "^sonar-scanner-sha-linux-aarch64=[0-9A-Fa-f]\+$" output

18
.github/workflows/qa.yml vendored
View file

@ -1,18 +0,0 @@
name: QA
on: [push, pull_request]
jobs:
run_qa:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
- run: ./test/run-qa.sh
timeout-minutes: 5
services:
sonarqube:
image: sonarqube:8.9-community
ports:
- 9000:9000

6
.github/workflows/update-tags.yml vendored
View file

@ -13,10 +13,10 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Parse semver
uses: madhead/semver-utils@latest
uses: madhead/semver-utils@v4
id: version
with:
version: ${{ github.ref_name }}
@ -24,7 +24,7 @@ jobs:
- name: Update tags
run: |
TAGS='v${{ steps.version.outputs.major }} v${{ steps.version.outputs.major }}.${{ steps.version.outputs.minor }}'
for t in $TAGS; do
git tag -f "$t"
git push origin ":$t" 2>/dev/null || true

60
.github/workflows/version_update.yml vendored Normal file
View file

@ -0,0 +1,60 @@
name: sonar-scanner version check
on:
workflow_dispatch:
schedule:
- cron: '15 10 * * *'
jobs:
update-version:
name: Prepare pull request for sonar-scanner version update
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- run: sudo apt install -y jq
- run: sudo snap install yq
- uses: actions/checkout@v4
with:
ref: master
persist-credentials: true
fetch-depth: 0
- name: "Fetch currently used sonar-scanner version"
id: tagged-version
shell: bash
run: cat sonar-scanner-version >> $GITHUB_OUTPUT
- name: "Fetch lastest sonar-scanner version"
id: latest-version
shell: bash
run: |
./scripts/fetch_latest_version.sh > sonar-scanner-version
cat sonar-scanner-version >> $GITHUB_OUTPUT
- name: "Update default version"
if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
shell: bash
env:
NEW_VERSION: ${{ steps.latest-version.outputs.sonar-scanner-version }}
run: |
yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
- name: "Create Pull Request for version update"
if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
shell: bash
env:
UPDATE_BRANCH: update-to-sonar-scanner-${{ steps.latest-version.outputs.sonar-scanner-version }}
TITLE: "Update SonarScanner CLI to ${{ steps.latest-version.outputs.sonar-scanner-version }}"
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.name "SonarTech"
git config --global user.email "sonartech@sonarsource.com"
git checkout -b ${UPDATE_BRANCH}
git add sonar-scanner-version
git add action.yml
git commit -m "${TITLE}"
git push --force-with-lease origin ${UPDATE_BRANCH}
gh pr list
if [[ $(gh pr list -H "${UPDATE_BRANCH}" | grep "${UPDATE_BRANCH}" | wc -l) -eq 0 ]]; then
gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic updated of sonar-scanner version value. Needs to be tagged for release."
fi

17
Dockerfile
View file

@ -1,17 +0,0 @@
FROM sonarsource/sonar-scanner-cli:5.0
LABEL version="2.0.0" \
repository="https://github.com/sonarsource/sonarqube-scan-action" \
homepage="https://github.com/sonarsource/sonarqube-scan-action" \
maintainer="SonarSource" \
com.github.actions.name="SonarQube Scan" \
com.github.actions.description="Scan your code with SonarQube to detect Bugs, Vulnerabilities and Code Smells in up to 27 programming languages!" \
com.github.actions.icon="check" \
com.github.actions.color="green"
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
COPY cleanup.sh /cleanup.sh
RUN chmod +x /cleanup.sh
ENTRYPOINT ["/entrypoint.sh"]

308
README.md
View file

@ -1,30 +1,53 @@
# Scan your code with SonarQube [![QA](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa.yml)
# Scan your code with SonarQube [![QA Main](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml) [![QA Install Build Wrapper](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml) [![QA Scripts](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml) [![QA Deprecated C and C++ Action](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml)
Using this GitHub Action, scan your code with [SonarQube](https://www.sonarqube.org/) to detects Bugs, Vulnerabilities and Code Smells in up to 27 programming languages!
This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).
<img src="./images/SonarQube-72px.png">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="./images/SQ_Logo_Server_Cloud_Dark_Backgrounds.png">
<img alt="SonarQube Logo" src="./images/SQ_Logo_Server_Cloud_Light_Backgrounds.png">
</picture>
SonarQube is the leading product for Continuous Code Quality & Code Security. It supports most popular programming languages, including Java, JavaScript, TypeScript, C#, Python, C, C++, and many more.
SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) and [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarQube and SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection.
It helps developers detect coding issues in 30+ languages, frameworks, and IaC platforms, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/).
The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability.
> [!NOTE]
> This action now supports and is the official entrypoint for scanning C, C++, Objective-C and Dart projects via GitHub actions.
## Requirements
To run an analysis on your code, you first need to set up your project on SonarQube. Your SonarQube instance must be accessible from GitHub, and you will need an access token to run the analysis (more information below under **Environment variables**).
### Server
Read more information on how to analyze your code [here](https://docs.sonarqube.org/latest/analysis/github-integration/).
To run an analysis on your code, you first need to set up your project on SonarQube Server. Your SonarQube Server instance must be accessible from GitHub, and you will need an access token to run the analysis (more information below under **Environment variables**).
Read more information on how to analyze your code [here](https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/github-integration/introduction/).
### Cloud
* Create your account on SonarQube Cloud. [Sign up for free](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) now if it's not already the case!
* The repository to analyze is set up on SonarQube Cloud. [Set it up](https://sonarcloud.io/projects/create) in just one click.
## Usage
Project metadata, including the location to the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory:
Project metadata, including the location of the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory:
### Server
```properties
sonar.projectKey=<replace with the key generated when setting up the project on SonarQube>
sonar.projectKey=<replace with the key generated when setting up the project on SonarQube Server>
# relative paths to source directories. More details and properties are described
# in https://docs.sonarqube.org/latest/project-administration/narrowing-the-focus/
# at https://docs.sonarsource.com/sonarqube-server/latest/project-administration/analysis-scope/
sonar.sources=.
```
The workflow YAML file will usually look something like this:
In the following cases:
- for projects that don't have C, C++, or Objective-C in them
- for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper)
the workflow, usually declared under `.github/workflows`, looks like the following:
```yaml
on:
@ -43,84 +66,265 @@ jobs:
sonarqube:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
# Disabling shallow clones is recommended for improving the relevancy of reporting
fetch-depth: 0
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
```
For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
```yaml
# Trigger analysis when pushing to your main branches, and when creating a pull request.
push:
branches:
- main
- master
- develop
- 'releases/**'
pull_request:
types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
sonarqube:
runs-on: ubuntu-latest
env:
BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
steps:
- uses: actions/checkout@v4
with:
# Disabling shallow clone is recommended for improving relevancy of reporting
fetch-depth: 0
- name: Install Build Wrapper
uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
env:
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
- name: Run Build Wrapper
run: |
# Here goes your compilation wrapped with Build Wrapper
# For more information, see https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper
# build-preparation steps
# build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
- name: SonarQube Scan
uses: sonarsource/sonarqube-scan-action@master
uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
```
If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this:
```yaml
- name: SonarQube Scan
uses: sonarsource/sonarqube-scan-action@master
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
LC_ALL: "ru_RU.UTF-8"
```
If your SonarQube server uses a self-signed certificate, you can pass a root certificate (in PEM format) to the java certificate store:
```yaml
- name: SonarQube Scan
uses: sonarsource/sonarqube-scan-action@master
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
with:
# Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
args: >
--define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
```
If you are using SonarQube Server 10.5 or earlier, use `sonar.cfamily.build-wrapper-output` instead of `sonar.cfamily.compile-commands` in the `args` property of the last step, as Build Wrapper does not generate a `compile_commands.json` file before SonarQube Server 10.6.
It should look like this:
```yaml
with:
args: >
--define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
```
See also [example configurations of C++ projects for SonarQube Server](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sq&type=repositories).
### Cloud
```properties
sonar.organization=<replace with your SonarQube Cloud organization key>
sonar.projectKey=<replace with the key generated when setting up the project on SonarQube Cloud>
# relative paths to source directories. More details and properties are described
# at https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-scope/
sonar.sources=.
```
In the following cases:
- for projects that don't have C, C++, or Objective-C in them
- for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper)
the workflow, usually declared under `.github/workflows`, looks like the following:
```yaml
on:
# Trigger analysis when pushing to your main branches, and when creating a pull request.
push:
branches:
- main
- master
- develop
- 'releases/**'
pull_request:
types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
sonarqube:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# Disabling shallow clones is recommended for improving the relevancy of reporting
fetch-depth: 0
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
```yaml
# Trigger analysis when pushing to your main branches, and when creating a pull request.
push:
branches:
- main
- master
- develop
- 'releases/**'
pull_request:
types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
sonarqube:
runs-on: ubuntu-latest
env:
BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
steps:
- uses: actions/checkout@v4
with:
# Disabling shallow clone is recommended for improving relevancy of reporting
fetch-depth: 0
- name: Install Build Wrapper
uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
- name: Run Build Wrapper
run: |
# Here goes your compilation wrapped with Build Wrapper
# For more information, see https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper
# build-preparation steps
# build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
with:
# Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
args: >
--define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
```
See also [example configurations of C++ projects for SonarQube Cloud](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sc&type=repositories).
## Action parameters
You can change the analysis base directory by using the optional input `projectBaseDir` like this:
```yaml
- name: SonarQube Scan
uses: sonarsource/sonarqube-scan-action@master
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
projectBaseDir: app/src
```
In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
scannerVersion: 6.2.0.4584
```
In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option:
```yaml
- name: SonarQube Scan
uses: sonarsource/sonarqube-scan-action@master
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
projectBaseDir: app/src
args: >
-Dsonar.organization=my-organization # For SonarQube Cloud only
-Dsonar.projectKey=my-projectkey
-Dsonar.python.coverage.reportPaths=coverage.xml
-Dsonar.sources=lib/
-Dsonar.tests=tests/
-Dsonar.test.exclusions=tests/**
-Dsonar.verbose=true
```
More information about possible analysis parameters can be found in [the documentation](https://redirect.sonarsource.com/doc/analysis-parameters.html).
You can also specify the URL where to retrieve the SonarScanner CLI from.
The specified URL overrides the default address: `https://binaries.sonarsource.com/Distribution/sonar-scanner-cli`.
This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
```
More information about possible analysis parameters can be found:
* in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) of the SonarQube Server documentation
* in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation
### Environment variables
- `SONAR_TOKEN` **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens [here](https://docs.sonarqube.org/latest/user-guide/user-token/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
- `SONAR_HOST_URL` **Required** this tells the scanner where SonarQube is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
- `SONAR_ROOT_CERT` Holds an additional root certificate (in PEM format) that is used to validate the SonarQube server certificate. You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
- `SONAR_TOKEN` **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the documentation of SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
- `SONAR_HOST_URL` this tells the scanner where SonarQube Server is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Variables" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). Not needed for SonarQube Cloud.
- `SONAR_ROOT_CERT` Holds an additional certificate (in PEM format) that is used to validate the certificate of SonarQube Server or of a secured proxy to SonarQube (Server or Cloud). You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
## Alternatives for Java, .NET, and C/C++ projects
Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
```
If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # or https://sonarcloud.io
LC_ALL: "ru_RU.UTF-8"
```
## Alternatives for Java and .NET
This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives:
* Your code is built with Maven. Read the documentation about our [Scanner for Maven](https://redirect.sonarsource.com/doc/install-configure-scanner-maven.html).
* Your code is built with Gradle. Read the documentation about our [Scanner for Gradle](https://redirect.sonarsource.com/doc/gradle.html).
* You want to analyze a .NET solution. Read the documentation about our [Scanner for .NET](https://redirect.sonarsource.com/doc/install-configure-scanner-msbuild.html).
* You want to analyze C/C++ code. Read the documentation on [analyzing C/C++ code](https://docs.sonarqube.org/latest/analysis/languages/cfamily/).
* Your code is built with Maven. Read the documentation about our SonarScanner for Maven in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/).
* Your code is built with Gradle. Read the documentation about our SonarScanner for Gradle in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-gradle/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/).
* You want to analyze a .NET solution. Read the documentation about our SonarScanner for .NET in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/dotnet/introduction/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/).
## Have question or feedback?
## Do not use this GitHub action if you are in the following situations
To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/tags/c/help/sq/github-actions).
* You want to run the action on C, C++, or Objective-C projects on a 32-bits system - build wrappers support only 64-bits OS.
## Self-hosted runner or container
When running the action in a self-hosted runner or container, please ensure that the following programs are installed:
* **curl** or **wget**
* **unzip**
## Additional information
The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.
## Have questions or feedback?
To provide feedback (requesting a feature or reporting a bug) please post on the SonarSource Community Forum page for SonarQube [Server](https://community.sonarsource.com/tags/c/help/sq/github-actions) or [Cloud](https://community.sonarsource.com/tags/c/help/sc/9/github-actions).
## License
The Dockerfile and associated scripts and documentation in this project are released under the LGPLv3 License.
Container images built with this project include third party materials.
Container images built with this project include third-party materials.

13
SECURITY.md Normal file
View file

@ -0,0 +1,13 @@
# Reporting Security Issues
A mature software vulnerability treatment process is a cornerstone of a robust information security management system. Contributions from the community play an important role in the evolution and security of our products, and in safeguarding the security and privacy of our users.
If you believe you have discovered a security vulnerability in Sonar's products, we encourage you to report it immediately.
To responsibly report a security issue, please email us at [security@sonarsource.com](mailto:security@sonarsource.com). Sonars security team will acknowledge your report, guide you through the next steps, or request additional information if necessary. Customers with a support contract can also report the vulnerability directly through the support channel.
For security vulnerabilities found in third-party libraries, please also contact the library's owner or maintainer directly.
## Responsible Disclosure Policy
For more information about disclosing a security vulnerability to Sonar, please refer to our community post: [Responsible Vulnerability Disclosure](https://community.sonarsource.com/t/responsible-vulnerability-disclosure/9317).

54
action.yml
View file

@ -1,19 +1,57 @@
name: Official SonarQube Scan
# Warning: changing name would change URL in the marketplace
description: >
Scan your code with SonarQube to detect Bugs, Vulnerabilities and Code Smells in up to 27 programming languages!
Scan your code with SonarQube Server and Cloud to detect issues in 30+ languages. (Formerly SonarQube and SonarCloud)
branding:
icon: check
color: green
runs:
using: docker
image: Dockerfile
entrypoint: "/entrypoint.sh"
post-entrypoint: "/cleanup.sh"
inputs:
args:
description: Additional arguments to the sonar-scanner
description: Additional arguments to the Sonar Scanner CLI
required: false
projectBaseDir:
description: Set the sonar.projectBaseDir analysis property
required: false
default: .
scannerVersion:
description: Version of the Sonar Scanner CLI to use
required: false
# to be kept in sync with sonar-scanner-version
default: 7.1.0.4889
scannerBinariesUrl:
description: URL to download the Sonar Scanner CLI binaries from
required: false
default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli
runs:
using: "composite"
steps:
- name: Sanity checks
run: ${GITHUB_ACTION_PATH}/scripts/sanity-checks.sh
shell: bash
env:
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
- name: Load Sonar Scanner CLI from cache
id: sonar-scanner-cli
uses: actions/cache@v4
env:
# The default value is 60mins. Reaching timeout is treated the same as a cache miss.
SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
with:
path: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}
key: sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}
- name: Install Sonar Scanner CLI
if: ${{ env.NO_CACHE == 'true' || steps.sonar-scanner-cli.outputs.cache-hit != 'true' }}
run: ${GITHUB_ACTION_PATH}/scripts/install-sonar-scanner-cli.sh
shell: bash
env:
INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
INPUT_SCANNERBINARIESURL: ${{ inputs.scannerBinariesUrl }}
- name: Add SonarScanner CLI to the PATH
run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
shell: bash
- name: Run SonarScanner
run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
shell: bash
env:
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre

8
cleanup.sh
View file

@ -1,8 +0,0 @@
#!/bin/bash
set -e
_tmp_file=$(ls "${INPUT_PROJECTBASEDIR}/" | head -1)
PERM=$(stat -c "%u:%g" "${INPUT_PROJECTBASEDIR}/$_tmp_file")
chown -R $PERM "${INPUT_PROJECTBASEDIR}/"

134
deprecated-c-cpp/action.yml Normal file
View file

@ -0,0 +1,134 @@
name: 'SonarQube Scan for C and C++'
description: 'Scan your C and C++ code with SonarQube to detect bugs, vulnerabilities and code smells.'
branding:
icon: check
color: green
inputs:
installation-path:
description: 'Directory where the sonar-scanner and build wrapper will be installed. Created if does not exists.'
required: false
default: '.sonar'
cache-binaries:
description: 'Controls if installed binaries are cached using GitHub cache.'
required: false
default: 'true'
outputs:
sonar-scanner-binary:
description: "Absolute path to sonar-scanner binary."
value: ${{ steps.setup-outputs.outputs.sonar-scanner-binary }}
build-wrapper-binary:
description: "Absolute path to build-wrapper binary."
value: ${{ steps.setup-outputs.outputs.build-wrapper-binary }}
runs:
using: "composite"
steps:
# install packaged required for greadlink and sha256sum command on macOS
- name: Install required packages for macOS
if: runner.os == 'macOS'
shell: bash
run: brew install coreutils
- name: Set SONAR_HOST_URL to 'https://sonarcloud.io'
if: env.SONAR_HOST_URL == ''
shell: bash
run: |
echo "Setting SONAR_HOST_URL to 'https://sonarcloud.io'"
echo "SONAR_HOST_URL=https://sonarcloud.io" >> $GITHUB_ENV
- name: Verify and create installation path
shell: bash
env:
INSTALL_PATH: ${{ inputs.installation-path }}
run: ${GITHUB_ACTION_PATH}/../scripts/create_install_path.sh
- name: Set version of sonar-scanner
id: sonar-scanner-version
shell: bash
run: cat ${GITHUB_ACTION_PATH}/../sonar-scanner-version >> $GITHUB_OUTPUT
- name: Configure paths
id: configure_paths
shell: bash
env:
OS: ${{ runner.os }}
ARCH: ${{ runner.arch }}
INSTALL_PATH: ${{ inputs.installation-path }}
SONAR_SCANNER_VERSION: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-version }}
SONAR_SCANNER_URL_WINDOWS_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-windows-x64 }}
SONAR_SCANNER_SHA_WINDOWS_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-windows-x64 }}
SONAR_SCANNER_URL_LINUX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-linux-x64 }}
SONAR_SCANNER_SHA_LINUX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-linux-x64 }}
SONAR_SCANNER_URL_LINUX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-linux-aarch64 }}
SONAR_SCANNER_SHA_LINUX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-linux-aarch64 }}
SONAR_SCANNER_URL_MACOSX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-macosx-x64 }}
SONAR_SCANNER_SHA_MACOSX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-macosx-x64 }}
SONAR_SCANNER_URL_MACOSX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-macosx-aarch64 }}
SONAR_SCANNER_SHA_MACOSX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-macosx-aarch64 }}
run: ${GITHUB_ACTION_PATH}/../scripts/configure_paths.sh >> $GITHUB_OUTPUT
- name: Cache sonar-scanner installation
id: cache-sonar-tools
if: inputs.cache-binaries == 'true'
uses: actions/cache@v4
env:
# The default value is 60mins. Reaching timeout is treated the same as a cache miss.
SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
with:
key: sonar-scanner-${{ runner.os }}-${{ runner.arch }}-${{ steps.sonar-scanner-version.outputs.sonar-scanner-version }}
path: ${{ steps.configure_paths.outputs.sonar-scanner-dir }}
- name: Download and install sonar-scanner
if: steps.cache-sonar-tools.outputs.cache-hit != 'true'
shell: bash
env:
DOWNLOAD_URL: ${{ steps.configure_paths.outputs.sonar-scanner-url }}
EXPECTED_SHA: ${{ steps.configure_paths.outputs.sonar-scanner-sha }}
INSTALL_PATH: ${{ inputs.installation-path }}
TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip
run: ${GITHUB_ACTION_PATH}/../scripts/download.sh -v
- name: Add the custom root certificate to java certificate store
shell: bash
run: ${GITHUB_ACTION_PATH}/../scripts/cert.sh
- name: Download and install build-wrapper
shell: bash
env:
DOWNLOAD_URL: ${{ steps.configure_paths.outputs.build-wrapper-url }}
INSTALL_PATH: ${{ inputs.installation-path }}
TMP_ZIP_PATH: ${{ runner.temp }}/build-wrapper.zip
run: ${GITHUB_ACTION_PATH}/../scripts/download.sh
- name: Setup action outputs
id: setup-outputs
shell: bash
env:
SONAR_SCANNER_DIR: ${{ steps.configure_paths.outputs.sonar-scanner-dir }}
SONAR_SCANNER_BIN: ${{ steps.configure_paths.outputs.sonar-scanner-bin }}
BUILD_WRAPPER_DIR: ${{ steps.configure_paths.outputs.build-wrapper-dir }}
BUILD_WRAPPER_BIN: ${{ steps.configure_paths.outputs.build-wrapper-bin }}
run: |
source ${GITHUB_ACTION_PATH}/../scripts/utils.sh
echo "::group::Action outputs"
echo "SONAR_HOST_URL=${SONAR_HOST_URL}" >> $GITHUB_ENV
echo "'SONAR_HOST_URL' environment variable set to '${SONAR_HOST_URL}'"
SONAR_SCANNER_BIN_DIR=$(realpath "${SONAR_SCANNER_DIR}/bin")
echo "${SONAR_SCANNER_BIN_DIR}" >> $GITHUB_PATH
echo "'${SONAR_SCANNER_BIN_DIR}' added to the path"
SONAR_SCANNER_BIN=$(realpath "${SONAR_SCANNER_BIN}")
echo "sonar-scanner-binary=${SONAR_SCANNER_BIN}" >> $GITHUB_OUTPUT
echo "'sonar-scanner-binary' output set to '${SONAR_SCANNER_BIN}'"
BUILD_WRAPPER_BIN_DIR=$(realpath "${BUILD_WRAPPER_DIR}")
echo "${BUILD_WRAPPER_BIN_DIR}" >> $GITHUB_PATH
echo "'${BUILD_WRAPPER_BIN_DIR}' added to the path"
BUILD_WRAPPER_BIN=$(realpath "${BUILD_WRAPPER_BIN}")
echo "build-wrapper-binary=${BUILD_WRAPPER_BIN}" >> $GITHUB_OUTPUT
echo "'build-wrapper-binary' output set to '${BUILD_WRAPPER_BIN}'"
echo "::endgroup::"

36
entrypoint.sh
View file

@ -1,36 +0,0 @@
#!/bin/bash
set -e
if [[ -z "${SONAR_TOKEN}" ]]; then
echo "============================ WARNING ============================"
echo "Running this GitHub Action without SONAR_TOKEN is not recommended"
echo "============================ WARNING ============================"
fi
if [[ -z "${SONAR_HOST_URL}" ]]; then
echo "This GitHub Action requires the SONAR_HOST_URL env variable."
exit 1
fi
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
echo "Adding custom root certificate to java certificate store"
rm -f /tmp/tmpcert.pem
echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
fi
if [[ -f "${INPUT_PROJECTBASEDIR%/}pom.xml" ]]; then
echo "Maven project detected. You should run the goal 'org.sonarsource.scanner.maven:sonar' during build rather than using this GitHub Action."
exit 1
fi
if [[ -f "${INPUT_PROJECTBASEDIR%/}build.gradle" ]]; then
echo "Gradle project detected. You should use the SonarQube plugin for Gradle during build rather than using this GitHub Action."
exit 1
fi
unset JAVA_HOME
sonar-scanner -Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR} ${INPUT_ARGS}

BIN
images/SQ_Logo_Server_Cloud_Dark_Backgrounds.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
images/SQ_Logo_Server_Cloud_Light_Backgrounds.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
images/SonarQube-72px.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 9.7 KiB

62
install-build-wrapper/action.yml Normal file
View file

@ -0,0 +1,62 @@
name: 'Install Build Wrapper for C and C++'
description: >
Download and install the Build Wrapper for C, C++, and Objective-C
projects analyzed with manual config.
branding:
icon: check
color: green
outputs:
build-wrapper-binary:
description: "Absolute path to Build Wrapper binary."
value: ${{ steps.setup-outputs.outputs.build-wrapper-binary }}
runs:
using: "composite"
steps:
# install packaged required for greadlink and sha256sum command on macOS
- name: Install required packages for macOS
if: runner.os == 'macOS'
shell: bash
run: brew install coreutils
- name: Set SONAR_HOST_URL to 'https://sonarcloud.io'
if: env.SONAR_HOST_URL == ''
shell: bash
run: |
echo "Setting SONAR_HOST_URL to 'https://sonarcloud.io'"
echo "SONAR_HOST_URL=https://sonarcloud.io" >> $GITHUB_ENV
- name: Configure paths
id: configure_paths
shell: bash
env:
OS: ${{ runner.os }}
ARCH: ${{ runner.arch }}
INSTALL_PATH: ${{ runner.temp }} # TODO: or .sonar, if RUNNER_TEMP creates problem with caching and self-hosted runners
run: ${GITHUB_ACTION_PATH}/../scripts/configure_paths.sh >> $GITHUB_OUTPUT
- name: Download and install Build Wrapper
shell: bash
env:
DOWNLOAD_URL: ${{ steps.configure_paths.outputs.build-wrapper-url }}
TMP_ZIP_PATH: ${{ runner.temp }}/build-wrapper-${{ inputs.configure_paths.sonar-scanner-version }}-${{ runner.os }}-${{ runner.arch }}.zip
INSTALL_PATH: ${{ runner.temp }} # TODO: or .sonar, if RUNNER_TEMP creates problem with caching and self-hosted runners
run: ${GITHUB_ACTION_PATH}/../scripts/download.sh
- name: Setup action outputs
id: setup-outputs
shell: bash
env:
BUILD_WRAPPER_DIR: ${{ steps.configure_paths.outputs.build-wrapper-dir }}
BUILD_WRAPPER_BIN: ${{ steps.configure_paths.outputs.build-wrapper-bin }}
run: |
source ${GITHUB_ACTION_PATH}/../scripts/utils.sh
BUILD_WRAPPER_BIN_DIR=$(realpath "${BUILD_WRAPPER_DIR}")
echo "${BUILD_WRAPPER_BIN_DIR}" >> $GITHUB_PATH
echo "'${BUILD_WRAPPER_BIN_DIR}' added to the path"
BUILD_WRAPPER_BIN=$(realpath "${BUILD_WRAPPER_BIN}")
echo "build-wrapper-binary=${BUILD_WRAPPER_BIN}" >> $GITHUB_OUTPUT
echo "'build-wrapper-binary' output set to '${BUILD_WRAPPER_BIN}'"
echo "::endgroup::"

8
scripts/cert.sh Executable file
View file

@ -0,0 +1,8 @@
#!/bin/bash
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
echo "Adding custom root certificate to java certificate store"
rm -f /tmp/tmpcert.pem
echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
fi

71
scripts/configure_paths.sh Executable file
View file

@ -0,0 +1,71 @@
#!/bin/bash
if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"
exit 1
fi
case ${OS} in
Windows)
SONAR_SCANNER_SUFFIX="windows-x64"
BUILD_WRAPPER_SUFFIX="win-x86"
SONAR_SCANNER_NAME="sonar-scanner.bat"
BUILD_WRAPPER_NAME="build-wrapper-win-x86-64.exe"
SONAR_SCANNER_URL="${SONAR_SCANNER_URL_WINDOWS_X64}"
SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_WINDOWS_X64}"
;;
Linux)
case ${ARCH} in
X64)
SONAR_SCANNER_SUFFIX="linux-x64"
BUILD_WRAPPER_SUFFIX="linux-x86"
BUILD_WRAPPER_NAME="build-wrapper-linux-x86-64"
SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_X64}"
SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_X64}"
;;
ARM64)
SONAR_SCANNER_SUFFIX="linux-aarch64"
BUILD_WRAPPER_SUFFIX="linux-aarch64"
BUILD_WRAPPER_NAME="build-wrapper-linux-aarch64"
SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_AARCH64}"
SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_AARCH64}"
;;
esac
SONAR_SCANNER_NAME="sonar-scanner"
;;
macOS)
case ${ARCH} in
X64)
SONAR_SCANNER_SUFFIX="macosx-x64"
SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_X64}"
SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_X64}"
;;
ARM64)
SONAR_SCANNER_SUFFIX="macosx-aarch64"
SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_AARCH64}"
SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_AARCH64}"
;;
esac
BUILD_WRAPPER_SUFFIX="macosx-x86"
SONAR_SCANNER_NAME="sonar-scanner"
BUILD_WRAPPER_NAME="build-wrapper-macosx-x86"
;;
*)
echo "::error::Unsupported runner OS '${OS}'"
exit 1
;;
esac
echo "sonar-scanner-url=${SONAR_SCANNER_URL}"
echo "sonar-scanner-sha=${SONAR_SCANNER_SHA}"
SONAR_SCANNER_DIR="${INSTALL_PATH}/sonar-scanner-${SONAR_SCANNER_VERSION}-${SONAR_SCANNER_SUFFIX}"
echo "sonar-scanner-dir=${SONAR_SCANNER_DIR}"
echo "sonar-scanner-bin=${SONAR_SCANNER_DIR}/bin/${SONAR_SCANNER_NAME}"
BUILD_WRAPPER_DIR="${INSTALL_PATH}/build-wrapper-${BUILD_WRAPPER_SUFFIX}"
echo "build-wrapper-url=${SONAR_HOST_URL%/}/static/cpp/build-wrapper-${BUILD_WRAPPER_SUFFIX}.zip"
echo "build-wrapper-dir=${BUILD_WRAPPER_DIR}"
echo "build-wrapper-bin=${BUILD_WRAPPER_DIR}/${BUILD_WRAPPER_NAME}"

26
scripts/create_install_path.sh Executable file
View file

@ -0,0 +1,26 @@
#!/bin/bash
source "$(dirname -- "$0")/utils.sh"
echo "Installation path is '${INSTALL_PATH}'"
test ! -z "${INSTALL_PATH}"
check_status "Empty installation path specified"
if [[ ! -e "${INSTALL_PATH}" ]]; then
mkdir -p "${INSTALL_PATH}"
check_status "Failed to create non-existing installation path '${INSTALL_PATH}'"
fi
ABSOLUTE_INSTALL_PATH=$(realpath "${INSTALL_PATH}")
echo "Absolute installation path is '${ABSOLUTE_INSTALL_PATH}'"
test -d "${INSTALL_PATH}"
check_status "Installation path '${INSTALL_PATH}' is not a directory (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
test -r "${INSTALL_PATH}"
check_status "Installation path '${INSTALL_PATH}' is not readable (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
test -w "${INSTALL_PATH}"
check_status "Installation path '${INSTALL_PATH}' is not writeable (absolute path is '${ABSOLUTE_INSTALL_PATH}')"

58
scripts/download.sh Executable file
View file

@ -0,0 +1,58 @@
#!/bin/bash
source "$(dirname -- "$0")/utils.sh"
VERIFY_CORRECTNESS=false
help() {
cat <<EOF
Usage: ./download [-v]
-h Display help
-v Verify correctness of a download with SHA256 checksum; Optional
EOF
}
parse_arguments() {
while getopts "hv" arg; do
case $arg in
v)
VERIFY_CORRECTNESS=true
echo "Verify correctness is set to true"
;;
?)
help
exit 0
;;
esac
done
}
verify_download_correctness() {
echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
check_status "Checking sha256 failed"
}
download() {
echo "Downloading '${DOWNLOAD_URL}'"
mkdir -p "${INSTALL_PATH}"
check_status "Failed to create ${INSTALL_PATH}"
curl -sSLo "${TMP_ZIP_PATH}" "${DOWNLOAD_URL}"
check_status "Failed to download '${DOWNLOAD_URL}'"
}
decompress() {
echo "Decompressing"
unzip -o -d "${INSTALL_PATH}" "${TMP_ZIP_PATH}"
check_status "Failed to unzip the archive into '${INSTALL_PATH}'"
}
####################################################################################
echo "::group::Download ${DOWNLOAD_URL}"
parse_arguments $@
download
if [ "$VERIFY_CORRECTNESS" = true ]; then
verify_download_correctness
fi
decompress
echo "::endgroup::"

25
scripts/fetch_latest_version.sh Executable file
View file

@ -0,0 +1,25 @@
#!/bin/bash
source "$(dirname -- "$0")/utils.sh"
SONAR_SCANNER_VERSION=$(curl -sSL -H "Accept: application/vnd.github+json" \
https://api.github.com/repos/SonarSource/sonar-scanner-cli/releases/latest | jq -r '.tag_name')
check_status "Failed to fetch latest sonar-scanner version from GitHub API"
echo "sonar-scanner-version=${SONAR_SCANNER_VERSION}"
for OS in windows linux macosx; do
if [[ "$OS" == "windows" ]]; then
ARCHS=("x64")
else
ARCHS=("x64" "aarch64")
fi
for ARCH in "${ARCHS[@]}"; do
SONAR_SCANNER_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-${OS}-${ARCH}.zip"
SONAR_SCANNER_SHA=$(curl -sSL "${SONAR_SCANNER_URL}.sha256")
check_status "Failed to download ${OS} ${ARCH} sonar-scanner checksum from '${SONAR_SCANNER_URL}'"
echo "sonar-scanner-url-${OS}-${ARCH}=${SONAR_SCANNER_URL}"
echo "sonar-scanner-sha-${OS}-${ARCH}=${SONAR_SCANNER_SHA}"
done
done

60
scripts/install-sonar-scanner-cli.sh Executable file
View file

@ -0,0 +1,60 @@
#!/bin/bash
set -eou pipefail
# See https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables
#
# Script-specific variables required:
# - INPUT_SCANNERVERSION: e.g. 6.2.1.4610
# - INPUT_SCANNERBINARIESURL: e.g. https://github.com/me/my-repo/raw/refs/heads/main/binaries
if [[ "$RUNNER_OS" == "Linux" && "$RUNNER_ARCH" == "X64" ]]; then
FLAVOR="linux-x64"
elif [[ "$RUNNER_OS" == "Linux" && "$RUNNER_ARCH" == "ARM64" ]]; then
FLAVOR="linux-aarch64"
elif [[ "$RUNNER_OS" == "Windows" && "$RUNNER_ARCH" == "X64" ]]; then
FLAVOR="windows-x64"
elif [[ "$RUNNER_OS" == "macOS" && "$RUNNER_ARCH" == "X64" ]]; then
FLAVOR="macosx-x64"
elif [[ "$RUNNER_OS" == "macOS" && "$RUNNER_ARCH" == "ARM64" ]]; then
FLAVOR="macosx-aarch64"
else
echo "::error title=SonarScanner::$RUNNER_OS $RUNNER_ARCH not supported"
exit 1
fi
set -x
mkdir -p $RUNNER_TEMP/sonarscanner
cd $RUNNER_TEMP/sonarscanner
SCANNER_FILE_NAME="sonar-scanner-cli-$INPUT_SCANNERVERSION-$FLAVOR.zip"
SCANNER_URI="${INPUT_SCANNERBINARIESURL%/}/$SCANNER_FILE_NAME"
if command -v wget &> /dev/null; then
wget --no-verbose --user-agent=sonarqube-scan-action "$SCANNER_URI"
elif command -v curl &> /dev/null; then
curl --fail --silent --show-error --user-agent sonarqube-scan-action \
--location --output "$SCANNER_FILE_NAME" "$SCANNER_URI"
elif [ "$RUNNER_OS" == "Windows" ] && [ -t "C:\\msys64\\usr\\bin\\wget.exe" ]; then
"C:\\msys64\\usr\\bin\\wget.exe" --no-verbose --user-agent=sonarqube-scan-action "$SCANNER_URI"
elif [ "$RUNNER_OS" == "Windows" ] && [ -t "C:\\msys64\\usr\\bin\\curl.exe" ]; then
"C:\\msys64\\usr\\bin\\curl.exe" --fail --silent --show-error --user-agent sonarqube-scan-action \
--location --output "$SCANNER_FILE_NAME" "$SCANNER_URI"
else
echo "::error title=SonarScanner::Neither wget nor curl found on the machine"
exit 1
fi
unzip -q -o $SCANNER_FILE_NAME
SCANNER_UNZIP_FOLDER="sonar-scanner-$INPUT_SCANNERVERSION-$FLAVOR"
# Folder name should correspond to the directory cached by the actions/cache
SCANNER_LOCAL_FOLDER="$RUNNER_TEMP/sonar-scanner-cli-$INPUT_SCANNERVERSION-$RUNNER_OS-$RUNNER_ARCH"
if [ -d "$SCANNER_LOCAL_FOLDER" ]; then
echo "::warning title=SonarScanner::Cleaning existing scanner folder: $SCANNER_LOCAL_FOLDER"
rm -rf "$SCANNER_LOCAL_FOLDER"
fi
mv -f "$SCANNER_UNZIP_FOLDER" "$SCANNER_LOCAL_FOLDER"

81
scripts/run-sonar-scanner-cli.sh Executable file
View file

@ -0,0 +1,81 @@
#!/bin/bash
set -eo pipefail
if [[ "$RUNNER_OS" == "Windows" ]]; then
SCANNER_BIN="sonar-scanner.bat"
else
SCANNER_BIN="sonar-scanner"
fi
scanner_args=()
if [[ ${SONARCLOUD_URL} ]]; then
scanner_args+=("-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}")
fi
if [[ "$RUNNER_DEBUG" == '1' ]]; then
scanner_args+=('--debug')
fi
if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
fi
# The SSL folder may exist on an uncleaned self-hosted runner
SONAR_SSL_FOLDER=~/.sonar/ssl
# Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
# keytool requires a password > 6 characters, so we won't use the default password 'sonar'
KEYTOOL_MAIN_CLASS=sun.security.tools.keytool.Main
SONAR_SSL_TRUSTSTORE_FILE="$SONAR_SSL_FOLDER/truststore.p12"
SONAR_SSL_TRUSTSTORE_PASSWORD=changeit
if [ -f "$SONAR_SSL_TRUSTSTORE_FILE" ]; then
ALIAS_SONAR_IS_PRESENT=true
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
-storetype PKCS12 \
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
-noprompt \
-trustcacerts \
-list -v -alias sonar > /dev/null 2>&1 || {
ALIAS_SONAR_IS_PRESENT=false
echo "Existing Scanner truststore $SONAR_SSL_TRUSTSTORE_FILE does not contain 'sonar' alias"
}
if [[ $ALIAS_SONAR_IS_PRESENT == "true" ]]; then
echo "Removing 'sonar' alias from already existing Scanner truststore: $SONAR_SSL_TRUSTSTORE_FILE"
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
-storetype PKCS12 \
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
-noprompt \
-trustcacerts \
-delete \
-alias sonar
fi
fi
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
echo "Adding SSL certificate to the Scanner truststore"
rm -f $RUNNER_TEMP/tmpcert.pem
echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
mkdir -p "$SONAR_SSL_FOLDER"
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
-storetype PKCS12 \
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
-noprompt \
-trustcacerts \
-importcert \
-alias sonar \
-file "$RUNNER_TEMP/tmpcert.pem"
scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
fi
scanner_args+=("$@")
set -ux
$SCANNER_BIN "${scanner_args[@]}"

18
scripts/sanity-checks.sh Executable file
View file

@ -0,0 +1,18 @@
#!/bin/bash
set -eo pipefail
if [[ -z "${SONAR_TOKEN}" ]]; then
echo "::warning title=SonarScanner::Running this GitHub Action without SONAR_TOKEN is not recommended"
fi
if [[ -f "${INPUT_PROJECTBASEDIR%/}/pom.xml" ]]; then
echo "::warning title=SonarScanner::Maven project detected. Sonar recommends running the 'org.sonarsource.scanner.maven:sonar-maven-plugin:sonar' goal during the build process instead of using this GitHub Action
to get more accurate results."
fi
if [[ -f "${INPUT_PROJECTBASEDIR%/}/build.gradle" || -f "${INPUT_PROJECTBASEDIR%/}/build.gradle.kts" ]]; then
echo "::warning title=SonarScanner::Gradle project detected. Sonar recommends using the SonarQube plugin for Gradle during the build process instead of using this GitHub Action
to get more accurate results."
fi

25
scripts/utils.sh Executable file
View file

@ -0,0 +1,25 @@
#!/bin/bash
check_status() {
exit_status=$?
if [ $exit_status -ne 0 ]; then
echo "::error::$1"
exit $exit_status
fi
}
realpath() {
case ${RUNNER_OS} in
Windows)
cygpath --absolute --windows "$1"
;;
Linux)
readlink -f "$1"
;;
macOS)
# installed by coreutils package
greadlink -f "$1"
;;
esac
}

11
sonar-scanner-version Normal file
View file

@ -0,0 +1,11 @@
sonar-scanner-version=7.1.0.4889
sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-windows-x64.zip
sonar-scanner-sha-windows-x64=64c5154d3d924eb2e03386f10eecb3ec4132298e2c1bf0b60a0d0195cd51a555
sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-x64.zip
sonar-scanner-sha-linux-x64=b4d2a001d65b489f9effe1ea8a78495db1b152f124d7f7b058aad8651c7e1484
sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-aarch64.zip
sonar-scanner-sha-linux-aarch64=7948ccde77843829b87d41815ead669486f681cd38b0b0893006083a9b6f6b5c
sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-x64.zip
sonar-scanner-sha-macosx-x64=08ad1e75994d91a17016ce55248d0827b62a757b263917234ea2d89bee8f136d
sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-aarch64.zip
sonar-scanner-sha-macosx-aarch64=9ad8c5da9e9665c065328b86adb3f33ef43801347ecb3ff1ec27d598ac37b449

10
test/assertFileContains Executable file
View file

@ -0,0 +1,10 @@
#!/bin/bash
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
assertFileExists $1
if ! grep -q $2 $1; then
error "'$2' not found in '$1'"
exit 1
fi

8
test/assertFileDoesntExist Executable file
View file

@ -0,0 +1,8 @@
#!/bin/bash
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
if [ -f $1 ]; then
error "File '$1' found"
exit 1
fi

8
test/assertFileExists Executable file
View file

@ -0,0 +1,8 @@
#!/bin/bash
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
if [ ! -f $1 ]; then
error "File '$1' not found"
exit 1
fi

0
test/gradle-project-kotlin/build.gradle.kts Normal file
View file

112
test/run-qa.sh
View file

@ -1,112 +0,0 @@
#!/bin/bash
# Helper functions for coloring output.
info() { echo -e "\\e[36m$*\\e[0m"; }
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
success() { echo -e "\\e[32m✔ $*\\e[0m"; }
# Helper function to check if SonarQube is up and running.
check_sq_is_up() {
local statusCall="$(curl --silent --user admin:admin http://127.0.0.1:9000/api/system/status)"
local status="$(jq -r '.status' <<< "$statusCall")"
if [[ ! $? -eq 0 ]]; then
error "Failed to check if SonarQube is up and running."
exit 1
fi
echo $status;
}
_current_perm=$(stat -c "%u:%g" $(pwd))
info "Build scanner action..."
docker build --no-cache -t sonarsource/sonarqube-scan-action .
if [[ ! $? -eq 0 ]]; then
error "Failed to build the scanner action."
exit 1
fi
success "Scanner action built."
info "Find the network SonarQube is running on..."
network=$(docker network ls -f 'name=github_network' --format "{{.Name}}")
if [[ $network != "github_network_"* ]]; then
error "Failed to find the local Docker network."
exit 1
fi
success "Found the network ($network)."
info "Wait until SonarQube is up..."
sleep 10
isUp=$(check_sq_is_up)
until [[ "$isUp" == "UP" ]]; do
sleep 1
isUp=$(check_sq_is_up)
done
success "SonarQube is up and running."
info "Generate a new token..."
tokenCall=$(curl --silent --user admin:admin -d "name=token" http://127.0.0.1:9000/api/user_tokens/generate)
token="$(jq -r '.token' <<< "$tokenCall")"
if [[ -z "$token" ]]; then
error "Failed to generate a new token."
exit 1
fi
success "New token generated."
info "Test fail-fast if SONAR_TOKEN is omitted..."
docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network sonarsource/sonarqube-scan-action
if [[ $? -eq 0 ]]; then
error "Should have failed fast."
exit 1
fi
success "Correctly failed fast."
info "Test fail-fast if SONAR_HOST_URL is omitted..."
docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env SONAR_TOKEN=$token sonarsource/sonarqube-scan-action
if [[ $? -eq 0 ]]; then
error "Should have failed fast."
exit 1
fi
success "Correctly failed fast."
info "Test fail-fast on Gradle project..."
pushd test/gradle-project/
docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env SONAR_TOKEN=$token --env SONAR_HOST_URL='http://sonarqube:9000' sonarsource/sonarqube-scan-action
if [[ $? -eq 0 ]]; then
error "Should have failed fast."
exit 1
fi
popd
success "Correctly failed fast."
info "Test fail-fast on Maven project..."
pushd test/maven-project/
docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env SONAR_TOKEN=$token --env SONAR_HOST_URL='http://sonarqube:9000' sonarsource/sonarqube-scan-action
if [[ $? -eq 0 ]]; then
error "Should have failed fast."
exit 1
fi
popd
success "Correctly failed fast."
info "Analyze project..."
cd test/example-project/
docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env INPUT_PROJECTBASEDIR=/github/workspace --env SONAR_TOKEN=$token --env SONAR_HOST_URL='http://sonarqube:9000' sonarsource/sonarqube-scan-action
docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env INPUT_PROJECTBASEDIR=/github/workspace --entrypoint /cleanup.sh sonarsource/sonarqube-scan-action
if [[ ! $? -eq 0 ]]; then
error "Couldn't run the analysis."
exit 1
elif [[ ! -f ".scannerwork/report-task.txt" ]]; then
error "Couldn't find the report task file. Analysis failed."
exit 1
elif [ ! "$(stat -c "%u:%g" ".scannerwork/report-task.txt")" == "$_current_perm" ]; then
error "File permissions differ from desired once"
error "desired: $_current_perm"
error "actual: $(stat -c "%u:%g" ".scannerwork/report-task.txt")"
exit 1
fi
success "Analysis successful."
echo "" # new line
echo "============================"
echo "" # new line
success "QA successful!"