mirror of
https://github.com/SonarSource/sonarqube-scan-action.git
synced 2026-05-14 14:45:53 +00:00
Compare commits
3 commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
c444753899 | ||
|
|
59db25f34e | ||
|
|
ca30b65f4e |
3 changed files with 23 additions and 4 deletions
4
.github/workflows/SubmitReview.yml
vendored
4
.github/workflows/SubmitReview.yml
vendored
|
|
@ -10,7 +10,6 @@ jobs:
|
|||
runs-on: github-ubuntu-latest-s
|
||||
permissions:
|
||||
id-token: write
|
||||
pull-requests: read
|
||||
# For external PR, ticket should be moved manually
|
||||
if: |
|
||||
github.event.pull_request.head.repo.full_name == github.repository
|
||||
|
|
@ -21,10 +20,11 @@ jobs:
|
|||
uses: SonarSource/vault-action-wrapper@v3
|
||||
with:
|
||||
secrets: |
|
||||
development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
|
||||
development/kv/data/jira user | JIRA_USER;
|
||||
development/kv/data/jira token | JIRA_TOKEN;
|
||||
- uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2
|
||||
with:
|
||||
github-token: ${{secrets.GITHUB_TOKEN}}
|
||||
github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
|
||||
jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
|
||||
jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
|
||||
|
|
|
|||
19
README.md
19
README.md
|
|
@ -200,6 +200,23 @@ This can be useful when the runner executing the action is self-hosted and has r
|
|||
scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
|
||||
```
|
||||
|
||||
#### `skipSignatureVerification`
|
||||
|
||||
By default, the action verifies the OpenPGP signature of the SonarScanner CLI binary before executing it. You can disable this verification using the `skipSignatureVerification` option:
|
||||
|
||||
```yaml
|
||||
- uses: SonarSource/sonarqube-scan-action@<action version>
|
||||
with:
|
||||
skipSignatureVerification: true
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> Signature verification requires `gpg` and `dirmngr` to be installed on the runner. GitHub-hosted runners include both, but some self-hosted runners or containers may not.
|
||||
>
|
||||
> **Version history:**
|
||||
> - Introduced in **v7.2** with a default value of `true` to avoid breaking existing workflows on runners without `dirmngr`.
|
||||
> - Changed to `false` by default in **v8** (breaking change). If your runner does not have `gpg` or `dirmngr` installed, set this option to `true` explicitly.
|
||||
|
||||
More information about possible analysis parameters can be found:
|
||||
* in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) of the SonarQube Server documentation
|
||||
* in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation
|
||||
|
|
@ -452,6 +469,8 @@ When running the action in a self-hosted runner or container, please ensure that
|
|||
|
||||
* **curl** or **wget**
|
||||
* **unzip**
|
||||
* **gpg**
|
||||
* **dirmngr**
|
||||
|
||||
### Additional information
|
||||
|
||||
|
|
|
|||
|
|
@ -25,9 +25,9 @@ inputs:
|
|||
required: false
|
||||
default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli
|
||||
skipSignatureVerification:
|
||||
description: Skip GPG signature verification (defaults to true temporarily while dirmngr dependency is resolved; set to false to enable verification)
|
||||
description: Skip GPG signature verification (not recommended for security)
|
||||
required: false
|
||||
default: "true"
|
||||
default: "false"
|
||||
runs:
|
||||
using: node24
|
||||
main: dist/index.js
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue