Apply linter fixes to address code smells:
- Use replaceAll() instead of replace() with regex for string replacement
- Update dist files with linter changes
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Fix GPG signature verification on Windows by converting Windows-style
paths to Unix-style paths that GPG expects. GPG on Windows (from Git
for Windows) is a Unix tool that requires Unix-style paths.
Issue: GPG was receiving Windows paths like C:\a\_temp\gpg-home and
attempting to use them, resulting in malformed paths like
/c/a/sonarqube-scan-action/C:\a\_temp\gpg-home and errors:
- "keyblock resource: No such file or directory"
- "can't connect to the dirmngr: No such file or directory"
- "keyserver receive failed: No dirmngr"
Solution:
- Add convertToUnixPath() function to convert Windows paths to Unix-style
(e.g., C:\a\_temp\gpg -> /c/a/_temp/gpg)
- Apply conversion in tryImportKey() and runGpgVerify() before calling GPG
- No-op on non-Windows platforms
- Add comprehensive tests for path conversion
This ensures GPG signature verification works on all platforms (Linux,
macOS, and Windows).
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

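Added example (not the sonarqube-scan-action project's own code): a convertToUnixPath() in the spirit of the commit above, plus a small argument builder showing the conversion applied at the call site the way the message describes for tryImportKey() and runGpgVerify(). The `platform` parameter, `buildGpgVerifyArgs` and the sample paths are assumptions; `platform` defaults to `process.platform` so the no-op-on-non-Windows rule holds when the functions are called without it.

```javascript
// Convert a Windows-style path to the MSYS-style form that Git for Windows'
// GPG expects: C:\a\_temp\gpg -> /c/a/_temp/gpg. On non-Windows platforms the
// path is returned untouched.
// `platform` is an assumed parameter (defaults to process.platform) added so
// the behaviour can be exercised on any OS.
function convertToUnixPath(inputPath, platform = process.platform) {
  if (platform !== 'win32') {
    return inputPath; // GPG already understands the path; leave it alone
  }
  // Normalise separators first so "C:/a/b" and "C:\a\b" are treated alike.
  const forwardSlashed = inputPath.replaceAll('\\', '/');
  // A drive-letter prefix "C:/..." becomes "/c/...". Anything else (an
  // already Unix-style path, or a relative path) only gets its separators
  // normalised.
  const driveMatch = /^([A-Za-z]):\/(.*)$/.exec(forwardSlashed);
  if (driveMatch) {
    return `/${driveMatch[1].toLowerCase()}/${driveMatch[2]}`;
  }
  return forwardSlashed;
}

// Assumed helper: build the argv for `gpg --verify`, converting every path
// right before it is handed to GPG (the point at which the bug in the commit
// above appeared).
function buildGpgVerifyArgs(gpgHome, signaturePath, filePath, platform = process.platform) {
  return [
    '--batch',
    '--homedir', convertToUnixPath(gpgHome, platform),
    '--verify',
    convertToUnixPath(signaturePath, platform),
    convertToUnixPath(filePath, platform),
  ];
}

// Constructed sample (labelled: not taken from a real run).
const sampleArgs = buildGpgVerifyArgs(
  'C:\\a\\_temp\\gpg-home',
  'C:\\a\\sonar-scanner.zip.asc',
  'C:\\a\\sonar-scanner.zip',
  'win32'
);
// -> ['--batch', '--homedir', '/c/a/_temp/gpg-home', '--verify',
//     '/c/a/sonar-scanner.zip.asc', '/c/a/sonar-scanner.zip']
```

The regex is used only to recognise the drive-letter prefix; the separator swap uses `replaceAll`, matching the linter fix noted in the first commit.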
Add hkps://keys.openpgp.org as fallback keyserver to improve reliability
when the primary keyserver (keyserver.ubuntu.com) is unavailable due to
outages, network issues, or rate limiting.
Changes:
- Extract key import logic into tryImportKey() helper function
- Implement automatic fallback in importSonarSourceKey()
- Add comprehensive error messages showing both keyserver failures
- Add integration tests verifying fallback mechanism
- Update JSDoc to document fallback behavior
- Rebuild distribution
The implementation maintains backward compatibility with no changes to
function signatures or default behavior. Primary keyserver is always
attempted first.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

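Added example (not the project's own code): the primary-then-fallback key import described in the commit above, written against an injected importer so it runs offline. In the real action the import is an asynchronous gpg call; here `tryImportKey` is an assumed synchronous stand-in returning `{ ok, stderr }`, `importSonarSourceKey`'s signature is an assumption, and the key id is a placeholder, not SonarSource's real key id.

```javascript
// Keyservers in the order they are tried: the primary is always attempted
// first, the fallback only when the primary fails.
const KEYSERVERS = ['keyserver.ubuntu.com', 'hkps://keys.openpgp.org'];

// Placeholder: the real SonarSource key id is not reproduced here.
const SONARSOURCE_KEY_ID = 'KEY_ID_PLACEHOLDER';

// Try each keyserver in turn. `tryImportKey(keyserver, keyId)` is an injected
// stand-in for the gpg --recv-keys call and returns { ok, stderr }.
// On success the keyserver that worked is reported; on total failure the
// error message carries every keyserver's stderr so the log shows both
// failures, not just the last one.
function importSonarSourceKey(tryImportKey, keyId = SONARSOURCE_KEY_ID, keyservers = KEYSERVERS) {
  const failures = [];
  for (const keyserver of keyservers) {
    const result = tryImportKey(keyserver, keyId);
    if (result.ok) {
      return { keyserver, attempts: failures.length + 1 };
    }
    failures.push(`${keyserver}: ${result.stderr.trim()}`);
  }
  throw new Error(
    `Failed to import key ${keyId} from all keyservers:\n  ${failures.join('\n  ')}`
  );
}

// Constructed fake importer: `down` lists keyservers that should fail, with
// stderr text modelled on the errors quoted in the commits above.
function makeFakeImporter(down) {
  return (keyserver) => {
    if (down.includes(keyserver)) {
      return { ok: false, stderr: `gpg: keyserver receive failed: No dirmngr\n` };
    }
    return { ok: true, stderr: '' };
  };
}
```

Returning the keyserver that succeeded makes it visible in the workflow log when the fallback was needed, which is the first sign that the primary keyserver is having an outage.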
Add GPG signature verification to ensure downloaded Sonar Scanner CLI binaries
are authentic and haven't been tampered with. This implements supply chain
security by verifying signatures against SonarSource's public key.
Changes:
- Add gpg-verification.js module with signature verification logic
- Download and verify .asc signature files alongside scanner ZIPs
- Import SonarSource public key from keyserver.ubuntu.com
- Add skipSignatureVerification input parameter (default: false)
- Add @actions/exec dependency for cross-platform GPG execution
- Add comprehensive unit tests for verification functions
- Update dist with bundled changes
Verification is enabled by default and uses an isolated temporary GPG home
directory to avoid polluting the user's keyring. All temporary files are cleaned
up properly, even on errors.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
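Added example (not the project's own code): the verification flow the commit above describes, with the isolated temporary GPG home, the skipSignatureVerification switch, and cleanup that runs on every exit path. The `deps` object is an assumption standing in for the filesystem calls and the two gpg invocations, so the control flow can be checked without a real GPG binary; the recording fake and its paths are constructed.

```javascript
// Verify the downloaded scanner ZIP against its detached .asc signature.
// `deps` (assumed) supplies: mkdtemp(prefix) -> dir, importKey(gpgHome),
// verify(gpgHome, signaturePath, filePath) which throws on a bad or
// unverifiable signature, and removeDir(dir).
function verifyScannerSignature({ zipPath, signaturePath, skipSignatureVerification = false }, deps) {
  if (skipSignatureVerification) {
    // Opt-out path: nothing is created, nothing to clean up.
    return { verified: false, skipped: true };
  }
  // Isolated keyring: the runner's own ~/.gnupg is never touched.
  const gpgHome = deps.mkdtemp('gpg-home-');
  try {
    deps.importKey(gpgHome);
    deps.verify(gpgHome, signaturePath, zipPath);
    return { verified: true, skipped: false };
  } finally {
    // Runs after a successful verify and after any throw above, so the
    // temporary home never outlives the step.
    deps.removeDir(gpgHome);
  }
}

// Constructed recording fake: logs every call so the cleanup guarantee can be
// observed. `verifyFails` simulates gpg reporting a bad signature.
function makeRecordingDeps({ verifyFails = false } = {}) {
  const calls = [];
  return {
    calls,
    mkdtemp: (prefix) => {
      calls.push('mkdtemp');
      return `/tmp/${prefix}abc123`; // constructed path
    },
    importKey: (gpgHome) => {
      calls.push(`importKey:${gpgHome}`);
    },
    verify: (gpgHome, signaturePath, filePath) => {
      calls.push(`verify:${signaturePath}:${filePath}`);
      if (verifyFails) {
        throw new Error('gpg: BAD signature');
      }
    },
    removeDir: (gpgHome) => {
      calls.push(`removeDir:${gpgHome}`);
    },
  };
}
```

The try/finally is the whole point: a verification failure must surface as an error to the workflow, and the temporary keyring directory must still be removed on that path.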