Use mise

PowerShell 5.1, used on some Windows GitHub Actions runners, requires
Expand-Archive to receive a file with a .zip extension. The @actions/tool-cache
downloadTool function saves to a temp path without any extension, causing
extraction to fail on PS 5.1. Rename the file to add .zip before calling
extractZip.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/qa-main.yml

@@ -245,9 +245,9 @@ jobs:
       - name: Assert Sonar Scanner CLI was not executed
         run: |
           ./test/assertFileDoesntExist ./output.properties
-  scannerBinariesUrlCommandInjectionTest:
+  scannerBinariesUrlIsEscapedWithWget:
     name: >
-      'scannerBinariesUrl' does not allow command injection via semicolons
+      'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
     runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -266,14 +266,22 @@ jobs:
       - name: Assert file.txt does not exist
         run: |
           ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
-  scannerBinariesUrlCommandInjectionWithSpacesTest:
+  scannerBinariesUrlIsEscapedWithCurl:
     name: >
-      'scannerBinariesUrl' does not allow command injection via spaces and quotes
+      'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
     runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Remove wget
+        run: sudo apt-get remove -y wget
+      - name: Assert wget is not available
+        run: |
+          if command -v wget 2>&1 >/dev/null
+          then
+            exit 1
+          fi
       - name: Run action with scannerBinariesUrl
         id: runTest
         uses: ./
@@ -464,14 +472,22 @@ jobs:
         run: |
           ./test/assertFileContains ./output.properties "sonar.host.url=mirror.sonarcloud.io"
           ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io"
-  scannerBinariesUrlRedirectFollowed:
+  curlPerformsRedirect:
     name: >
-      scannerBinariesUrl redirect (3xx) is followed
+      curl performs redirect when scannerBinariesUrl returns 3xx
     runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Remove wget
+        run: sudo apt-get remove -y wget
+      - name: Assert wget is not available
+        run: |
+          if command -v wget 2>&1 >/dev/null
+          then
+            exit 1
+          fi
       - name: Generate SSL certificates for nginx
         run: ./generate-ssl.sh
         working-directory: .github/qa-nginx-redirecting
@@ -825,8 +841,8 @@ jobs:
       - projectBaseDirInputTest
       - scannerVersionTest
       - scannerBinariesUrlTest
-      - scannerBinariesUrlCommandInjectionTest
+      - scannerBinariesUrlIsEscapedWithWget
-      - scannerBinariesUrlCommandInjectionWithSpacesTest
+      - scannerBinariesUrlIsEscapedWithCurl
       - dontFailGradleTest
       - dontFailGradleKotlinTest
       - dontFailMavenTest
@@ -834,7 +850,7 @@ jobs:
       - runnerDebugUsedTest
       - runAnalysisWithCacheTest
       - overrideSonarcloudUrlTest
-      - scannerBinariesUrlRedirectFollowed
+      - curlPerformsRedirect
       - useSslCertificate
       - analysisWithSslCertificate
       - updateTruststoreWhenPresent

README.md

@@ -483,11 +483,11 @@ See also [example configurations of C++ projects for SonarQube Server](https://g
 
 When running the action in a self-hosted runner or container, please ensure that the following programs are installed:
 
+* **curl** or **wget**
+* **unzip**
 * **gpg**
 * **dirmngr**
 
-Note: `gpg` and `dirmngr` are only required for GPG signature verification (enabled by default). They can be omitted when setting `skipSignatureVerification: true`.
-
 ### Additional information
 
 The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.

dist/index.js

@@ -10,6 +10,7 @@ import { ok } from 'assert';
 import 'string_decoder';
 import * as events from 'events';
 import { setTimeout as setTimeout$1 } from 'timers';
+import * as fs$2 from 'node:fs/promises';
 import * as os$1 from 'node:os';
 import * as path$1 from 'node:path';
 import { join } from 'node:path';
@@ -4141,6 +4142,15 @@ function cleanupGpgHome(gpgHome) {
 
 const TOOLNAME = "sonar-scanner-cli";
 
+async function ensureZipExtension(filePath) {
+  if (filePath.endsWith(".zip")) {
+    return filePath;
+  }
+  const zipPath = `${filePath}.zip`;
+  await fs$2.rename(filePath, zipPath);
+  return zipPath;
+}
+
 /**
  * Download the Sonar Scanner CLI for the current environment and cache it.
  */
@@ -4188,7 +4198,9 @@ async function installSonarScanner({
       await verifySignature(downloadPath, signaturePath);
     }
 
-    const extractedPath = await extractZip(downloadPath);
+    // PowerShell 5.1 (used on some Windows agents) requires the .zip extension for Expand-Archive
+    const extractInput = await ensureZipExtension(downloadPath);
+    const extractedPath = await extractZip(extractInput);
 
     // Find the actual scanner directory inside the extracted folder
     const scannerPath = path$1.join(

mise.toml

@@ -0,0 +1,2 @@
+[tools]
+node = "24"

src/main/__tests__/install-sonar-scanner.test.js

@@ -20,6 +20,7 @@
 
 import assert from "node:assert/strict";
 import { describe, it, mock } from "node:test";
+import nodeFsPromises from "node:fs/promises";
 
 const SCANNER_VERSION = "6.2.0.4584";
 const BINARIES_URL = "https://my.artifactory.example.com/sonar-scanner-cli";
@@ -35,6 +36,15 @@ function mockUtils(t) {
   });
 }
 
+function mockFsPromises(t) {
+  t.mock.module("node:fs/promises", {
+    namedExports: {
+      ...nodeFsPromises,
+      rename: mock.fn(async () => {}),
+    },
+  });
+}
+
 describe("installSonarScanner", () => {
   it("should forward scannerBinariesAuthHeader to both binary and signature downloads", async (t) => {
     const downloadCalls = [];
@@ -44,6 +54,7 @@ describe("installSonarScanner", () => {
     });
 
     mockUtils(t);
+    mockFsPromises(t);
 
     t.mock.module("@actions/tool-cache", {
       namedExports: {
@@ -92,6 +103,7 @@ describe("installSonarScanner", () => {
     });
 
     mockUtils(t);
+    mockFsPromises(t);
 
     t.mock.module("@actions/tool-cache", {
       namedExports: {
@@ -138,6 +150,7 @@ describe("installSonarScanner", () => {
     });
 
     mockUtils(t);
+    mockFsPromises(t);
 
     t.mock.module("@actions/tool-cache", {
       namedExports: {
@@ -171,6 +184,120 @@ describe("installSonarScanner", () => {
     assert.equal(downloadCalls[0].auth, "Bearer mytoken");
   });
 
+  it("should rename downloaded file to add .zip extension before extraction", async (t) => {
+    const renameCalls = [];
+    const extractZipCalls = [];
+
+    mockUtils(t);
+
+    t.mock.module("node:fs/promises", {
+      namedExports: {
+        ...nodeFsPromises,
+        rename: mock.fn(async (src, dest) => {
+          renameCalls.push({ src, dest });
+        }),
+      },
+    });
+
+    t.mock.module("@actions/tool-cache", {
+      namedExports: {
+        find: mock.fn(() => null),
+        downloadTool: mock.fn(async () => "/tmp/downloaded-file"),
+        extractZip: mock.fn(async (p) => {
+          extractZipCalls.push(p);
+          return "/tmp/extracted";
+        }),
+        cacheDir: mock.fn(async () => "/tmp/cached"),
+      },
+    });
+
+    t.mock.module("@actions/core", {
+      namedExports: {
+        info: mock.fn(),
+        warning: mock.fn(),
+        addPath: mock.fn(),
+      },
+    });
+
+    t.mock.module("../gpg-verification.js", {
+      namedExports: {
+        verifySignature: mock.fn(async () => {}),
+      },
+    });
+
+    const { installSonarScanner } = await import(
+      `../install-sonar-scanner.js?test=rename-zip`
+    );
+
+    await installSonarScanner({
+      scannerVersion: SCANNER_VERSION,
+      scannerBinariesUrl: BINARIES_URL,
+      skipSignatureVerification: true,
+    });
+
+    assert.equal(renameCalls.length, 1, "Should rename downloaded file");
+    assert.equal(renameCalls[0].src, "/tmp/downloaded-file");
+    assert.equal(renameCalls[0].dest, "/tmp/downloaded-file.zip");
+    assert.equal(extractZipCalls.length, 1, "Should call extractZip once");
+    assert.equal(extractZipCalls[0], "/tmp/downloaded-file.zip", "Should extract the renamed file");
+  });
+
+  it("should not rename downloaded file when it already has .zip extension", async (t) => {
+    const renameCalls = [];
+    const extractZipCalls = [];
+
+    mockUtils(t);
+
+    t.mock.module("node:fs/promises", {
+      namedExports: {
+        ...nodeFsPromises,
+        rename: mock.fn(async (src, dest) => {
+          renameCalls.push({ src, dest });
+        }),
+      },
+    });
+
+    t.mock.module("@actions/tool-cache", {
+      namedExports: {
+        find: mock.fn(() => null),
+        downloadTool: mock.fn(async () => "/tmp/downloaded-file.zip"),
+        extractZip: mock.fn(async (p) => {
+          extractZipCalls.push(p);
+          return "/tmp/extracted";
+        }),
+        cacheDir: mock.fn(async () => "/tmp/cached"),
+      },
+    });
+
+    t.mock.module("@actions/core", {
+      namedExports: {
+        info: mock.fn(),
+        warning: mock.fn(),
+        addPath: mock.fn(),
+      },
+    });
+
+    t.mock.module("../gpg-verification.js", {
+      namedExports: {
+        verifySignature: mock.fn(async () => {}),
+      },
+    });
+
+    const { installSonarScanner } = await import(
+      `../install-sonar-scanner.js?test=no-rename-zip`
+    );
+
+    await installSonarScanner({
+      scannerVersion: SCANNER_VERSION,
+      scannerBinariesUrl: BINARIES_URL,
+      skipSignatureVerification: true,
+    });
+
+    assert.equal(renameCalls.length, 0, "Should not rename when already .zip");
+    assert.equal(extractZipCalls.length, 1, "Should call extractZip once");
+    assert.equal(extractZipCalls[0], "/tmp/downloaded-file.zip", "Should extract original file");
+  });
+
   it("should use cached tool when available and skip download", async (t) => {
     const downloadToolFn = mock.fn();
 

src/main/install-sonar-scanner.js

@@ -18,6 +18,7 @@
 
 import * as core from "@actions/core";
 import * as tc from "@actions/tool-cache";
+import * as fs from "node:fs/promises";
 import * as os from "node:os";
 import * as path from "node:path";
 import {
@@ -29,6 +30,15 @@ import { verifySignature } from "./gpg-verification.js";
 
 const TOOLNAME = "sonar-scanner-cli";
 
+async function ensureZipExtension(filePath) {
+  if (filePath.endsWith(".zip")) {
+    return filePath;
+  }
+  const zipPath = `${filePath}.zip`;
+  await fs.rename(filePath, zipPath);
+  return zipPath;
+}
+
 /**
  * Download the Sonar Scanner CLI for the current environment and cache it.
  */
@@ -76,7 +86,9 @@ export async function installSonarScanner({
       await verifySignature(downloadPath, signaturePath);
     }
 
-    const extractedPath = await tc.extractZip(downloadPath);
+    // PowerShell 5.1 (used on some Windows agents) requires the .zip extension for Expand-Archive
+    const extractInput = await ensureZipExtension(downloadPath);
+    const extractedPath = await tc.extractZip(extractInput);
 
     // Find the actual scanner directory inside the extracted folder
     const scannerPath = path.join(