SQSCANGHA-11 Correct label with new major version

---------

Co-authored-by: Ambroise C <ambroise.christea@sonarsource.com>

.github/CODEOWNERS

@@ -1 +1 @@
-* @sonarsource/sonarqube-team
+.github/CODEOWNERS @sonarsource/sonarqube-team

.github/dependabot.yml

@@ -0,0 +1,16 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      timezone: "CET"
+    open-pull-requests-limit: 100
+    commit-message:
+      prefix: "NO-JIRA "

.github/workflows/qa.yml

@@ -1,12 +1,12 @@
 name: QA
 
-on: push
+on: [push, pull_request]
 
 jobs:
   run_qa:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - run: ./test/run-qa.sh

.github/workflows/update-tags.yml

@@ -0,0 +1,32 @@
+name: Update Tags
+
+on:
+  push:
+    tags:
+      - v*.*.*
+
+jobs:
+  generate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Parse semver
+        uses: madhead/semver-utils@latest
+        id: version
+        with:
+          version: ${{ github.ref_name }}
+
+      - name: Update tags
+        run: |
+          TAGS='v${{ steps.version.outputs.major }} v${{ steps.version.outputs.major }}.${{ steps.version.outputs.minor }}'
+          
+          for t in $TAGS; do
+            git tag -f "$t"
+            git push origin ":$t" 2>/dev/null || true
+            git push origin "$t"
+          done

Dockerfile

@@ -1,6 +1,6 @@
-FROM sonarsource/sonar-scanner-cli:4.6
+FROM sonarsource/sonar-scanner-cli:5.0
 
-LABEL version="1.0.0" \
+LABEL version="2.0.0" \
       repository="https://github.com/sonarsource/sonarqube-scan-action" \
       homepage="https://github.com/sonarsource/sonarqube-scan-action" \
       maintainer="SonarSource" \
@@ -9,9 +9,9 @@ LABEL version="1.0.0" \
       com.github.actions.icon="check" \
       com.github.actions.color="green"
 
-# https://help.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user
-USER root
 
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
+COPY cleanup.sh /cleanup.sh
+RUN chmod +x /cleanup.sh
 ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -28,11 +28,13 @@ The workflow YAML file will usually look something like this:
 
 ```yaml
 on:
-  # Trigger analysis when pushing in master or pull requests, and when creating
+  # Trigger analysis when pushing to your main branches, and when creating a pull request.
-  # a pull request. 
   push:
     branches:
+      - main
       - master
+      - develop
+      - 'releases/**'
   pull_request:
       types: [opened, synchronize, reopened]
 
@@ -41,7 +43,7 @@ jobs:
   sonarqube:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         # Disabling shallow clone is recommended for improving relevancy of reporting
         fetch-depth: 0
@@ -63,6 +65,17 @@ If your source code file names contain special characters that are not covered b
         LC_ALL: "ru_RU.UTF-8"
 ```
 
+If your SonarQube server uses a self-signed certificate, you can pass a root certificate (in PEM format) to the java certificate store:
+
+```yaml
+    - name: SonarQube Scan
+      uses: sonarsource/sonarqube-scan-action@master
+      env:
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
+```
+
 You can change the analysis base directory by using the optional input `projectBaseDir` like this:
 
 ```yaml
@@ -91,6 +104,7 @@ More information about possible analysis parameters can be found in [the documen
 
 - `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens [here](https://docs.sonarqube.org/latest/user-guide/user-token/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 - `SONAR_HOST_URL` – **Required** this tells the scanner where SonarQube is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
+- `SONAR_ROOT_CERT` – Holds an additional root certificate (in PEM format) that is used to validate the SonarQube server certificate. You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 
 ## Alternatives for Java, .NET, and C/C++ projects
 

action.yml

@@ -7,6 +7,8 @@ branding:
 runs:
   using: docker
   image: Dockerfile
+  entrypoint: "/entrypoint.sh"
+  post-entrypoint: "/cleanup.sh"
 inputs:
   args:
     description: Additional arguments to the sonar-scanner

cleanup.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+_tmp_file=$(ls "${INPUT_PROJECTBASEDIR}/" | head -1)
+PERM=$(stat -c "%u:%g" "${INPUT_PROJECTBASEDIR}/$_tmp_file")
+
+chown -R $PERM "${INPUT_PROJECTBASEDIR}/"

entrypoint.sh

@@ -3,8 +3,9 @@
 set -e
 
 if [[ -z "${SONAR_TOKEN}" ]]; then
-  echo "This GitHub Action requires the SONAR_TOKEN env variable."
+  echo "============================ WARNING ============================"
-  exit 1
+  echo "Running this GitHub Action without SONAR_TOKEN is not recommended"
+  echo "============================ WARNING ============================"
 fi
 
 if [[ -z "${SONAR_HOST_URL}" ]]; then
@@ -12,6 +13,13 @@ if [[ -z "${SONAR_HOST_URL}" ]]; then
   exit 1
 fi
 
+if [[ -n "${SONAR_ROOT_CERT}" ]]; then
+  echo "Adding custom root certificate to java certificate store"
+  rm -f /tmp/tmpcert.pem
+  echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
+  keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
+fi
+
 if [[ -f "${INPUT_PROJECTBASEDIR%/}pom.xml" ]]; then
   echo "Maven project detected. You should run the goal 'org.sonarsource.scanner.maven:sonar' during build rather than using this GitHub Action."
   exit 1
@@ -25,3 +33,4 @@ fi
 unset JAVA_HOME
 
 sonar-scanner -Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR} ${INPUT_ARGS}
+

test/run-qa.sh

@@ -16,6 +16,8 @@ check_sq_is_up() {
   echo $status;
 }
 
+_current_perm=$(stat -c "%u:%g" $(pwd))
+
 info "Build scanner action..."
 docker build --no-cache -t sonarsource/sonarqube-scan-action .
 if [[ ! $? -eq 0 ]]; then
@@ -88,13 +90,19 @@ success "Correctly failed fast."
 
 info "Analyze project..."
 cd test/example-project/
-docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env SONAR_TOKEN=$token --env SONAR_HOST_URL='http://sonarqube:9000' sonarsource/sonarqube-scan-action
+docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env INPUT_PROJECTBASEDIR=/github/workspace --env SONAR_TOKEN=$token --env SONAR_HOST_URL='http://sonarqube:9000' sonarsource/sonarqube-scan-action
+docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env INPUT_PROJECTBASEDIR=/github/workspace --entrypoint /cleanup.sh sonarsource/sonarqube-scan-action
 if [[ ! $? -eq 0 ]]; then
   error "Couldn't run the analysis."
   exit 1
 elif [[ ! -f ".scannerwork/report-task.txt" ]]; then
   error "Couldn't find the report task file. Analysis failed."
   exit 1
+elif [ ! "$(stat -c "%u:%g" ".scannerwork/report-task.txt")" == "$_current_perm" ]; then
+  error "File permissions differ from desired once"
+  error "desired: $_current_perm"
+  error "actual: $(stat -c "%u:%g" ".scannerwork/report-task.txt")"
+  exit 1
 fi
 success "Analysis successful."