Update README.md Yaml file snippet

Users unfamiliar with GitHub actions just copy the pipeline snippets and wonder why the analysis does not trigger. Let's make sure it does by adding "main" and "develop" branch names by default.

.github/CODEOWNERS

@@ -0,0 +1 @@
+.github/CODEOWNERS @sonarsource/sonarqube-team

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,12 @@
+Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. If you would like to see a new feature, please create a new thread in the forum ["Suggest new features"](https://community.sonarsource.com/c/suggestions/features).
+
+With that in mind, if you would like to submit a code contribution, make sure that you adhere to the following guidelines and all tests are passing:
+
+- [ ] Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make
+- [ ] Make sure any code you changed is covered by tests
+- [ ] If there is a [JIRA](http://jira.sonarsource.com/browse/SONAR) ticket available, please make your commits and pull request start with the ticket ID (SONAR-XXXX)
+
+We will try to give you feedback on your contribution as quickly as possible.
+
+Thank You!
+The SonarSource Team

.github/workflows/qa.yml

@@ -1,6 +1,6 @@
 name: QA
 
-on: push
+on: [push, pull_request]
 
 jobs:
   run_qa:

.github/workflows/update-tags.yml

@@ -0,0 +1,32 @@
+name: Update Tags
+
+on:
+  push:
+    tags:
+      - v*.*.*
+
+jobs:
+  generate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Parse semver
+        uses: madhead/semver-utils@v2
+        id: version
+        with:
+          version: ${{ github.ref_name }}
+
+      - name: Update tags
+        run: |
+          TAGS='v${{ steps.version.outputs.major }} v${{ steps.version.outputs.major }}.${{ steps.version.outputs.minor }}'
+          
+          for t in $TAGS; do
+            git tag -f "$t"
+            git push origin ":$t" 2>/dev/null || true
+            git push origin "$t"
+          done

Dockerfile

@@ -1,6 +1,6 @@
-FROM sonarsource/sonar-scanner-cli:4.6
+FROM sonarsource/sonar-scanner-cli:4.7
 
-LABEL version="1.0.0" \
+LABEL version="1.1.0" \
       repository="https://github.com/sonarsource/sonarqube-scan-action" \
       homepage="https://github.com/sonarsource/sonarqube-scan-action" \
       maintainer="SonarSource" \
@@ -9,12 +9,9 @@ LABEL version="1.0.0" \
       com.github.actions.icon="check" \
       com.github.actions.color="green"
 
-# Set up local envs in order to allow for special chars (non-asci) in filenames.
-ENV LC_ALL="C.UTF-8"
-
-# https://help.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user
-USER root
 
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
+COPY cleanup.sh /cleanup.sh
+RUN chmod +x /cleanup.sh
 ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -28,11 +28,13 @@ The workflow YAML file will usually look something like this:
 
 ```yaml
 on:
-  # Trigger analysis when pushing in master or pull requests, and when creating
-  # a pull request. 
+  # Trigger analysis when pushing to your main branches, and when creating a pull request.
   push:
     branches:
+      - main
       - master
+      - develop
+      - 'releases/**'
   pull_request:
       types: [opened, synchronize, reopened]
 
@@ -52,6 +54,28 @@ jobs:
         SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
 ```
 
+If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this:
+
+```yaml
+    - name: SonarQube Scan
+      uses: sonarsource/sonarqube-scan-action@master
+      env:
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        LC_ALL: "ru_RU.UTF-8"
+```
+
+If your SonarQube server uses a self-signed certificate, you can pass a root certificate (in PEM format) to the java certificate store:
+
+```yaml
+    - name: SonarQube Scan
+      uses: sonarsource/sonarqube-scan-action@master
+      env:
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
+```
+
 You can change the analysis base directory by using the optional input `projectBaseDir` like this:
 
 ```yaml
@@ -80,6 +104,7 @@ More information about possible analysis parameters can be found in [the documen
 
 - `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens [here](https://docs.sonarqube.org/latest/user-guide/user-token/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 - `SONAR_HOST_URL` – **Required** this tells the scanner where SonarQube is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
+- `SONAR_ROOT_CERT` – Holds an additional root certificate (in PEM format) that is used to validate the SonarQube server certificate. You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 
 ## Alternatives for Java, .NET, and C/C++ projects
 

action.yml

@@ -7,6 +7,8 @@ branding:
 runs:
   using: docker
   image: Dockerfile
+  entrypoint: "/entrypoint.sh"
+  post-entrypoint: "/cleanup.sh"
 inputs:
   args:
     description: Additional arguments to the sonar-scanner

cleanup.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+_tmp_file=$(ls "${INPUT_PROJECTBASEDIR}/" | head -1)
+PERM=$(stat -c "%u:%g" "${INPUT_PROJECTBASEDIR}/$_tmp_file")
+
+chown -R $PERM "${INPUT_PROJECTBASEDIR}/"

contributing.md

@@ -0,0 +1,26 @@
+Contributing
+============
+
+If you would like to see a new feature, please create a new thread in the forum ["Suggest new features"](https://community.sonarsource.com/c/suggestions/features).
+
+Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes.
+
+## Submitting a pull request
+
+With that in mind, if you would like to submit a code contribution, please create a pull request for this repository. Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make.
+
+Make sure that you follow our [code style](https://github.com/SonarSource/sonar-developer-toolset#code-style) and all tests are passing (Travis build is executed for each pull request).
+
+## Next steps
+
+One of the members of our team will carefully review your pull request. You might be asked at this point for clarifications or your pull request might be rejected if we decide that it doesn't fit our roadmap and vision for the product.
+If your contribution looks promising then either we will decide:
+
+- it is good to go and merge your pull request to the master branch
+
+or
+
+- that we need to think over your change and modify it to adhere to our roadmap and internal standards. We will close your pull request at this point, but we might come back to your changes later in the future when we decide it is the right time to work on it.
+
+Thank You!  
+The SonarSource Team

entrypoint.sh

@@ -3,8 +3,9 @@
 set -e
 
 if [[ -z "${SONAR_TOKEN}" ]]; then
-  echo "This GitHub Action requires the SONAR_TOKEN env variable."
-  exit 1
+  echo "============================ WARNING ============================"
+  echo "Running this GitHub Action without SONAR_TOKEN is not recommended"
+  echo "============================ WARNING ============================"
 fi
 
 if [[ -z "${SONAR_HOST_URL}" ]]; then
@@ -12,6 +13,13 @@ if [[ -z "${SONAR_HOST_URL}" ]]; then
   exit 1
 fi
 
+if [[ -n "${SONAR_ROOT_CERT}" ]]; then
+  echo "Adding custom root certificate to java certificate store"
+  rm -f /tmp/tmpcert.pem
+  echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
+  keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
+fi
+
 if [[ -f "${INPUT_PROJECTBASEDIR%/}pom.xml" ]]; then
   echo "Maven project detected. You should run the goal 'org.sonarsource.scanner.maven:sonar' during build rather than using this GitHub Action."
   exit 1
@@ -25,3 +33,4 @@ fi
 unset JAVA_HOME
 
 sonar-scanner -Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR} ${INPUT_ARGS}
+

test/run-qa.sh

@@ -16,6 +16,8 @@ check_sq_is_up() {
   echo $status;
 }
 
+_current_perm=$(stat -c "%u:%g" $(pwd))
+
 info "Build scanner action..."
 docker build --no-cache -t sonarsource/sonarqube-scan-action .
 if [[ ! $? -eq 0 ]]; then
@@ -88,13 +90,19 @@ success "Correctly failed fast."
 
 info "Analyze project..."
 cd test/example-project/
-docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env SONAR_TOKEN=$token --env SONAR_HOST_URL='http://sonarqube:9000' sonarsource/sonarqube-scan-action
+docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env INPUT_PROJECTBASEDIR=/github/workspace --env SONAR_TOKEN=$token --env SONAR_HOST_URL='http://sonarqube:9000' sonarsource/sonarqube-scan-action
+docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env INPUT_PROJECTBASEDIR=/github/workspace --entrypoint /cleanup.sh sonarsource/sonarqube-scan-action
 if [[ ! $? -eq 0 ]]; then
   error "Couldn't run the analysis."
   exit 1
 elif [[ ! -f ".scannerwork/report-task.txt" ]]; then
   error "Couldn't find the report task file. Analysis failed."
   exit 1
+elif [ ! "$(stat -c "%u:%g" ".scannerwork/report-task.txt")" == "$_current_perm" ]; then
+  error "File permissions differ from desired once"
+  error "desired: $_current_perm"
+  error "actual: $(stat -c "%u:%g" ".scannerwork/report-task.txt")"
+  exit 1
 fi
 success "Analysis successful."