SQSCANGHA-76 Support self-hosted runners not clearing truststore after run

2025-12-15 18:46:31 +00:00 · 2024-12-16 09:42:42 +01:00 · 2024-12-16 09:42:42 +01:00 · 4d448d0963
commit 4d448d0963
parent 0ab314b63d
2 changed files with 39 additions and 5 deletions
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@ -619,9 +619,9 @@ jobs:
      - name: Assert failure of previous step
        if: steps.wrong_ssl_certificate.outcome == 'success'
        run: exit 1
-  overridesScannerLocalFolderWhenPresent:
+  overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
    name: >
-      'SCANNER_LOCAL_FOLDER' is overridden with warning when present
+      'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -653,4 +653,31 @@ jobs:
        run: |
          [ -d "$SCANNER_LOCAL_FOLDER" ] || exit 1
          [ ! -f "$SCANNER_LOCAL_FOLDER/some_content.txt" ] || exit 1
-
+  overridesSonarSslFolderWhenPresent: # can happen in uncleaned self-hosted runners
+    name: >
+      'SONAR_SSL_FOLDER' is cleaned with warning when present
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create SONAR_SSL_FOLDER with truststore.p12 file in it
+        run: |
+          SONAR_SSL_FOLDER=~/.sonar/ssl
+          mkdir -p "$SONAR_SSL_FOLDER"
+          touch "$SONAR_SSL_FOLDER/truststore.p12"
+          # emit SONAR_SSL_FOLDER to be able to read it in the next steps
+          echo "SONAR_SSL_FOLDER=$SONAR_SSL_FOLDER" >> $GITHUB_ENV
+      - name: Assert truststore.p12 file exists
+        run: |
+          [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
+      - name: Run action
+        uses: ./
+        env:
+          # NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed 
+          SONAR_HOST_URL: http://not_actually_used
+        with:
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
+      - name: Assert truststore.p12 doesn't exists anymore
+        run: |
+          [ ! -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
--- a/scripts/run-sonar-scanner-cli.sh
+++ b/scripts/run-sonar-scanner-cli.sh
@ -21,6 +21,13 @@ if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
  scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
 fi

+# The SSL folder may exist on an uncleaned self-hosted runner
+SONAR_SSL_FOLDER=~/.sonar/ssl
+if [ -d "$SONAR_SSL_FOLDER" ]; then
+  echo "::warning title=SonarScanner::Cleaning existing SSL folder: $SONAR_SSL_FOLDER"
+  rm -rf "$SONAR_SSL_FOLDER"
+fi
+
 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  echo "Adding SSL certificate to the Scanner truststore"
  rm -f $RUNNER_TEMP/tmpcert.pem
@ -28,8 +35,8 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  # Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
  # keytool require a password > 6 characters, so we wan't use the default password 'sonar'
  store_pass=changeit
-  mkdir -p ~/.sonar/ssl
-  $SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore ~/.sonar/ssl/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
+  mkdir -p "$SONAR_SSL_FOLDER"
+  $SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore $SONAR_SSL_FOLDER/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
  scanner_args+=("-Dsonar.scanner.truststorePassword=$store_pass")
 fi