SQSCANGHA-46 Replace the Docker action by a composite action

Author: antonioaversa

.cirrus.star

@@ -27,15 +27,18 @@ jobs:
   argsInputTest:
     name: >
       'args' input
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
+    runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with args
         uses: ./
         with:
-          args: -Dsonar.someArg=aValue
+          args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
         env:
           SONAR_HOST_URL: http://not_actually_used
           SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
@@ -45,7 +48,10 @@ jobs:
   projectBaseDirInputTest:
     name: >
       'projectBaseDir' input
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
+    runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -54,6 +60,7 @@ jobs:
       - name: Run action with projectBaseDir
         uses: ./
         with:
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
           projectBaseDir: ./baseDir
         env:
           SONAR_HOST_URL: http://not_actually_used
@@ -78,6 +85,7 @@ jobs:
           SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
         with:
           projectBaseDir: ./test/gradle-project
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
       - name: Assert
         run: |
           ./test/assertFileExists ./output.properties
@@ -98,6 +106,7 @@ jobs:
           SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
         with:
           projectBaseDir: ./test/gradle-project
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
       - name: Assert
         run: |
           ./test/assertFileExists ./output.properties
@@ -118,6 +127,7 @@ jobs:
           SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
         with:
           projectBaseDir: ./test/maven-project
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
       - name: Assert
         run: |
           ./test/assertFileExists ./output.properties
@@ -145,7 +155,7 @@ jobs:
         id: runTest
         uses: ./
         env:
-          SONAR_HOST_URL: http://sonarqube:9000
+          SONAR_HOST_URL: http://localhost:9000
         with:
           args: -Dsonar.login=admin -Dsonar.password=admin
           projectBaseDir: ./test/example-project
@@ -155,13 +165,18 @@ jobs:
   runnerDebugUsedTest:
     name: >
       'RUNNER_DEBUG' is used
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
+    runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with debug mode
         uses: ./
+        with:
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
         env:
           RUNNER_DEBUG: 1
           SONAR_HOST_URL: http://not_actually_used
@@ -193,29 +208,34 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ${{ github.workspace }}/.sonar/cache
-          key: ${{ runner.os }}-sonar
+          key: ${{ runner.os }}-${{ runner.arch }}-sonar
       - name: Run action on sample project
         id: runTest
         uses: ./
         env:
-          SONAR_HOST_URL: http://sonarqube:9000
+          SONAR_HOST_URL: http://localhost:9000
           SONAR_USER_HOME: ${{ github.workspace }}/.sonar
         with:
           args: -Dsonar.login=admin -Dsonar.password=admin
           projectBaseDir: ./test/example-project
       - name: Assert
         run: |
-          ./test/assertFileExists ./test/example-project/.scannerwork/report-task.txt
+          ./test/assertFileExists ./test/example-project/.scannerwork/report-task.txt        
   useSslCertificate:
     name: >
       'SONAR_ROOT_CERT' is converted to truststore
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
+    runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with SSL certificate
         uses: ./
+        with:
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
         env:
           SONAR_ROOT_CERT: |
             -----BEGIN CERTIFICATE-----
@@ -252,7 +272,6 @@ jobs:
             Fct6d1S08JAosVnZcP2P7Yz+TbmDRtsqCgk=
             -----END CERTIFICATE-----
           SONAR_HOST_URL: http://not_actually_used
-          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
       - name: Assert
         run: |
-          ./test/assertFileContains ./output.properties "sonar.scanner.truststorePassword=changeit"
+          ./test/assertFileExists ~/.sonar/ssl/truststore.p12

.cirrus.yml

@@ -118,25 +118,10 @@ This GitHub Action will not work for all technologies. If you are in one of the
 * You want to analyze a .NET solution. Read the documentation about our [Scanner for .NET](https://redirect.sonarsource.com/doc/install-configure-scanner-msbuild.html).
 * You want to analyze C or C++ code. Starting from SonarQube 10.6, this GitHub Action will scan C and C++ out of the box. If you want to have better control over the scan configuration/setup, you can switch to the [SonarQube C and C++](https://github.com/SonarSource/sonarqube-github-c-cpp) GitHub Action.
 
-## Error cleaning up workspace
-
-In some cases, the checkout action may fail to clean up the workspace. This is a known problem for GitHub actions implemented as a docker container (such as `sonarqube-scan-action`) when self-hosted runners are used.
-Example of the error message: `File was unable to be removed Error: EACCES: permission denied, unlink '/actions-runner/_work//project/.scannerwork/.sonar_lock'`
-To work around the problem, `sonarqube-scan-action` attempts to fix the permission of the temporary files that it creates. If that doesn't work, you can manually clean up the workspace by running the following action:
-```
-- name: Clean the workspace
-  uses: docker://alpine
-  with:
-    args: /bin/sh -c "find \"${GITHUB_WORKSPACE}\" -mindepth 1 ! -name . -prune -exec rm -rf {} +"
-```
-You can find more info [here](https://github.com/actions/runner/issues/434).
-
 ## Have questions or feedback?
 
 To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/tags/c/help/sq/github-actions).
 
 ## License
 
-The Dockerfile and associated scripts and documentation in this project are released under the LGPLv3 License.
-
 Container images built with this project include third-party materials.

.github/workflows/qa.yml

@@ -4,16 +4,42 @@ description: >
 branding:
   icon: check
   color: green
-runs:
-  using: docker
-  image: Dockerfile
-  entrypoint: "/entrypoint.sh"
-  post-entrypoint: "/cleanup.sh"
 inputs:
   args:
     description: Additional arguments to the sonar-scanner
     required: false
   projectBaseDir:
     description: Set the sonar.projectBaseDir analysis property
     required: false
-    default: .
+  scannerVersion:
+    description: Version of the Sonar Scanner CLI to use
+    required: false
+    default: 6.2.1.4610
+runs:
+  using: "composite"
+  steps:
+    - name: Sanity checks
+      run: ${GITHUB_ACTION_PATH}/sanity-checks.sh
+      shell: bash
+      env:
+        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
+    - name: Load Sonar Scanner CLI from cache
+      id: sonar-scanner-cli
+      uses: actions/[email protected]
+      with:
+        path: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}
+        key: sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}
+    - name: Install Sonar Scanner CLI
+      if: steps.sonar-scanner-cli.outputs.cache-hit != 'true'
+      run: ${GITHUB_ACTION_PATH}/install-sonar-scanner-cli.sh
+      shell: bash
+      env:
+        INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
+    - name: Add SonarScanner CLI to the PATH
+      run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
+      shell: bash
+    - name: Run SonarScanner
+      run: ${GITHUB_ACTION_PATH}/run-sonar-scanner.sh ${{ inputs.args }}
+      shell: bash
+      env:
+        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}

Dockerfile

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -eou pipefail
+
+#See https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables
+
+WGET=wget
+if [[ "$RUNNER_OS" == "Linux" &&  "$RUNNER_ARCH" == "X64" ]]; then
+     FLAVOR="linux-x64"
+elif [[ "$RUNNER_OS" == "Linux" &&  "$RUNNER_ARCH" == "ARM64" ]]; then
+     FLAVOR="linux-aarch64"
+elif [[ "$RUNNER_OS" == "Windows" &&  "$RUNNER_ARCH" == "X64" ]]; then
+     FLAVOR="windows-x64"
+     WGET="C:\\msys64\\usr\\bin\\wget.exe"
+elif [[ "$RUNNER_OS" == "macOS" &&  "$RUNNER_ARCH" == "X64" ]]; then
+     FLAVOR="macosx-x64"
+elif [[ "$RUNNER_OS" == "macOS" &&  "$RUNNER_ARCH" == "ARM64" ]]; then
+     FLAVOR="macosx-aarch64"
+else
+     echo "$RUNNER_OS $RUNNER_ARCH not supported"
+     exit 1
+fi
+
+set -x
+
+mkdir -p $RUNNER_TEMP/sonarscanner
+cd $RUNNER_TEMP/sonarscanner
+
+$WGET --no-verbose --user-agent="sonarqube-scan-action" https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$INPUT_SCANNERVERSION-$FLAVOR.zip
+
+unzip -q sonar-scanner-cli-$INPUT_SCANNERVERSION-$FLAVOR.zip
+
+# Folder name should correspond to the directory cached by the actions/cache
+mv sonar-scanner-$INPUT_SCANNERVERSION-$FLAVOR $RUNNER_TEMP/sonar-scanner-cli-$INPUT_SCANNERVERSION-$RUNNER_OS-$RUNNER_ARCH