.github/workflows/SubmitReview.yml

@@ -10,6 +10,7 @@ jobs:
     runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
+      pull-requests: read
     # For external PR, ticket should be moved manually
     if: |
         github.event.pull_request.head.repo.full_name == github.repository
@@ -20,11 +21,10 @@ jobs:
         uses: SonarSource/vault-action-wrapper@v3
         with:
           secrets: |
-            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
             development/kv/data/jira user | JIRA_USER;
             development/kv/data/jira token | JIRA_TOKEN;
       - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2
         with:
-          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          github-token: ${{secrets.GITHUB_TOKEN}}
           jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
           jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

README.md

@@ -200,23 +200,6 @@ This can be useful when the runner executing the action is self-hosted and has r
     scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
 ```
 
-#### `skipSignatureVerification`
-
-By default, the action verifies the OpenPGP signature of the SonarScanner CLI binary before executing it. You can disable this verification using the `skipSignatureVerification` option:
-
-```yaml
-- uses: SonarSource/sonarqube-scan-action@<action version>
-  with:
-    skipSignatureVerification: true
-```
-
-> [!NOTE]
-> Signature verification requires `gpg` and `dirmngr` to be installed on the runner. GitHub-hosted runners include both, but some self-hosted runners or containers may not.
->
-> **Version history:**
-> - Introduced in **v7.2** with a default value of `true` to avoid breaking existing workflows on runners without `dirmngr`.
-> - Changed to `false` by default in **v8** (breaking change). If your runner does not have `gpg` or `dirmngr` installed, set this option to `true` explicitly.
-
 More information about possible analysis parameters can be found:
 * in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) of the SonarQube Server documentation
 * in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation
@@ -469,8 +452,6 @@ When running the action in a self-hosted runner or container, please ensure that
 
 * **curl** or **wget**
 * **unzip**
-* **gpg**
-* **dirmngr**
 
 ### Additional information
 

action.yml

@@ -25,9 +25,9 @@ inputs:
     required: false
     default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli
   skipSignatureVerification:
-    description: Skip GPG signature verification (not recommended for security)
+    description: Skip GPG signature verification (defaults to true temporarily while dirmngr dependency is resolved; set to false to enable verification)
     required: false
-    default: "false"
+    default: "true"
 runs:
   using: node24
   main: dist/index.js