From e31470d8c17ca644a1073e0a795adc3c9cbd19c3 Mon Sep 17 00:00:00 2001
From: Bart Riepe
Date: Wed, 17 Aug 2022 14:55:06 +0900
Subject: [PATCH] feat: add ability to pass certificate to action
---
 README.md | 12 ++++++++++++
 entrypoint.sh | 6 ++++++
 2 files changed, 18 insertions(+)
diff --git a/README.md b/README.md
index b7b95af..2a04a15 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,17 @@ If your source code file names contain special characters that are not covered b
 LC_ALL: "ru_RU.UTF-8"
 ```
+If your sonarqube server users a self-signed certificate, you can pass a root certificate (in PEM format) to use for validation to the java certificate store:
+
+```yaml
+ - name: SonarQube Scan
+ uses: sonarsource/sonarqube-scan-action@master
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+ SONAR_ROOT_CERT: %{{ secrets.SONAR_ROOT_CERT }}
+```
+
 You can change the analysis base directory by using the optional input `projectBaseDir` like this:
 ```yaml
@@ -91,6 +102,7 @@ More information about possible analysis parameters can be found in [the documen
 - `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens [here](https://docs.sonarqube.org/latest/user-guide/user-token/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 - `SONAR_HOST_URL` – **Required** this tells the scanner where SonarQube is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
+- `SONAR_ROOT_CERT` – This is used to pass the scanner a custom root certificate (in PEM format), that should be used for validating the sonarqube server certificate. You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 ## Alternatives for Java, .NET, and C/C++ projects
diff --git a/entrypoint.sh b/entrypoint.sh
index ab61c98..537862a 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -13,6 +13,12 @@ if [[ -z "${SONAR_HOST_URL}" ]]; then
 exit 1
 fi
+if [[ -n "${SONAR_ROOT_CERT}" ]]; then
+ echo "Adding custom root certificate to java certificate store"
+ echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
+ keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
+fi
+
 if [[ -f "${INPUT_PROJECTBASEDIR%/}pom.xml" ]]; then
 echo "Maven project detected. You should run the goal 'org.sonarsource.scanner.maven:sonar' during build rather than using this GitHub Action."
 exit 1
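Review bot: The added `SONAR_ROOT_CERT` branch in entrypoint.sh writes the certificate to the fixed path `/tmp/tmpcert.pem`, never removes it, and does not check the exit status of `keytool`, so a failed import is not reported where it happens. Whether the script runs under `set -e` is not visible in this hunk; if it does not, a malformed value lets the scan continue and fail later on TLS validation (the README example in this patch uses `%{{ secrets.SONAR_ROOT_CERT }}`, which would presumably reach the script as a literal string rather than the secret). I would create the file with `mktemp`, stop with a clear message when the import fails, and delete the file afterwards, as below. A comment should also say that the import goes into the JVM-wide `cacerts` store, so the certificate is trusted for every TLS connection the scanner's JVM makes, not only the one to `SONAR_HOST_URL`.

```shell
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  echo "Adding custom root certificate to java certificate store"
  cert_file="$(mktemp)" || exit 1
  printf '%s\n' "${SONAR_ROOT_CERT}" > "${cert_file}"
  if ! keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file "${cert_file}"; then
    rm -f -- "${cert_file}"
    echo "Failed to import SONAR_ROOT_CERT into the Java trust store" >&2
    exit 1
  fi
  rm -f -- "${cert_file}"
fi
```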