From ca30b65f4ea9f033b8a6fc0ffc9816a562d13f55 Mon Sep 17 00:00:00 2001 From: Pavel Mikula <57188685+pavel-mikula-sonarsource@users.noreply.github.com> Date: Wed, 29 Apr 2026 11:16:25 +0200 Subject: [PATCH 1/3] SQSCANGHA-143 SubmitReview: Use Vault token (#238) --- .github/workflows/SubmitReview.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/SubmitReview.yml b/.github/workflows/SubmitReview.yml index d5b18a7..08472bd 100644 --- a/.github/workflows/SubmitReview.yml +++ b/.github/workflows/SubmitReview.yml @@ -10,7 +10,6 @@ jobs: runs-on: github-ubuntu-latest-s permissions: id-token: write - pull-requests: read # For external PR, ticket should be moved manually if: | github.event.pull_request.head.repo.full_name == github.repository @@ -21,10 +20,11 @@ jobs: uses: SonarSource/vault-action-wrapper@v3 with: secrets: | + development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN; development/kv/data/jira user | JIRA_USER; development/kv/data/jira token | JIRA_TOKEN; - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2 with: - github-token: ${{secrets.GITHUB_TOKEN}} + github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} From 59db25f34e16620e48ab4bb9e4a5dce155cb5432 Mon Sep 17 00:00:00 2001 From: Antoine Vinot Date: Wed, 29 Apr 2026 14:23:12 +0200 Subject: [PATCH 2/3] SQSCANGHA-145 Set skipSignatureVerification default value to false (#241) --- README.md | 17 +++++++++++++++++ action.yml | 4 ++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 98b8903..d9887bc 100644 --- a/README.md +++ b/README.md 
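Review bot: Removing `pull-requests: read` from the first hunk leaves the job's `permissions:` block with only `id-token: write`, and because an explicit block sets every unlisted scope to none, the automatic `GITHUB_TOKEN` can no longer read the pull request at all; that is correct only if every remaining step goes through the Vault-issued token, which this hunk cannot show since the job body continues past it. A one-line comment on the block would record the intent for the next reader, e.g. `# Only id-token is needed here: GitHub API access uses the Vault-issued token fetched below`. The job-level `if:` on `github.event.pull_request.head.repo.full_name == github.repository` is what keeps fork pull requests away from the Vault steps if the trigger is `pull_request_target` (the trigger is outside the hunk), so it should be kept alongside this change.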
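Review bot: In the second hunk the token read from `development/github/token/{REPO_OWNER_NAME_DASH}-jira` replaces `secrets.GITHUB_TOKEN`, but unlike the automatic token it is not bounded by the job's `permissions:` block, so least privilege for this job is now enforced by the Vault role and the GitHub identity behind it rather than by anything in this file. That shift is worth stating above the new `secrets:` entry, e.g. `# Vault-issued GitHub token: its scopes come from the Vault role, not from the permissions: block above`. The new `github-token:` expression matches the `jira-user`/`jira-token` lines, which is the right shape; it would be good to confirm, outside this diff, that the wrapper's `vault` output is registered as masked so the token does not reach the job log. The `vault-action-wrapper` step whose `id` this expression references begins above the hunk.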
@@ -200,6 +200,23 @@ This can be useful when the runner executing the action is self-hosted and has r scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/ ``` +#### `skipSignatureVerification` + +By default, the action verifies the OpenPGP signature of the SonarScanner CLI binary before executing it. You can disable this verification using the `skipSignatureVerification` option: + +```yaml +- uses: SonarSource/sonarqube-scan-action@ + with: + skipSignatureVerification: true +``` + +> [!NOTE] +> Signature verification requires `gpg` and `dirmngr` to be installed on the runner. GitHub-hosted runners include both, but some self-hosted runners or containers may not. +> +> **Version history:** +> - Introduced in **v7.2** with a default value of `true` to avoid breaking existing workflows on runners without `dirmngr`. +> - Changed to `false` by default in **v8** (breaking change). If your runner does not have `gpg` or `dirmngr` installed, set this option to `true` explicitly. + More information about possible analysis parameters can be found: * in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) of the SonarQube Server documentation * in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation diff --git a/action.yml b/action.yml index 0693239..f636ea2 100644 --- a/action.yml +++ b/action.yml @@ -25,9 +25,9 @@ inputs: required: false default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli skipSignatureVerification: - description: Skip GPG signature verification (defaults to true temporarily while dirmngr dependency is resolved; set to false to enable verification) + description: Skip GPG signature verification (not recommended for security) required: false - default: "true" + default: "false" runs: using: node24 main: dist/index.js 
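Review bot: The new `description` for `skipSignatureVerification` in the action.yml hunk says verification is "not recommended" to skip but no longer tells the user when they would legitimately need to, while the README change in the same patch states that verification requires `gpg` and `dirmngr` on the runner and that self-hosted runners may lack them. Since the default flips to `"false"`, users on such runners will hit a failure and look at this input first, so the description should carry the same hint: `description: Skip OpenPGP signature verification of the SonarScanner CLI binary (not recommended; set to "true" only if the runner lacks gpg or dirmngr)`. Quoting the `"true"`/`"false"` defaults is correct since action inputs are strings, and keeping them quoted avoids a boolean being read by generic YAML tooling.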
From c4447538999e984fe7463a8068a88b784ed06988 Mon Sep 17 00:00:00 2001 From: Claire Villard <60586848+claire-villard-sonarsource@users.noreply.github.com> Date: Mon, 11 May 2026 12:13:30 +0200 Subject: [PATCH 3/3] SQSCANGHA-140 Add the missing requirements in README.md (#243) --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index d9887bc..3e0f19c 100644 --- a/README.md +++ b/README.md @@ -469,6 +469,8 @@ When running the action in a self-hosted runner or container, please ensure that * **curl** or **wget** * **unzip** +* **gpg** +* **dirmngr** ### Additional information