SQSCANGHA-145 Set skipSignatureVerification default value to false (#241 )

SQSCANGHA-143 SubmitReview: Use Vault token (#238 )
SQSCANGHA-140 Set skipSignatureVerification default value to true to avoid breaking change (#240 )
2026-05-09 05:23:36 +03:00 · 2026-04-29 14:23:12 +02:00 · 2026-04-29 11:16:25 +02:00 · 2026-04-29 10:13:05 +02:00
2 changed files with 19 additions and 2 deletions
@@ -10,7 +10,6 @@ jobs:
    runs-on: github-ubuntu-latest-s
    permissions:
      id-token: write
-      pull-requests: read
    # For external PR, ticket should be moved manually
    if: |
        github.event.pull_request.head.repo.full_name == github.repository
@@ -21,10 +20,11 @@ jobs:
        uses: SonarSource/vault-action-wrapper@v3
        with:
          secrets: |
+            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
            development/kv/data/jira user | JIRA_USER;
            development/kv/data/jira token | JIRA_TOKEN;
      - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2
        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
+          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
          jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
@@ -200,6 +200,23 @@ This can be useful when the runner executing the action is self-hosted and has r
    scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
 ```

+#### `skipSignatureVerification`
+
+By default, the action verifies the OpenPGP signature of the SonarScanner CLI binary before executing it. You can disable this verification using the `skipSignatureVerification` option:
+
+```yaml
+- uses: SonarSource/sonarqube-scan-action@<action version>
+  with:
+    skipSignatureVerification: true
+```
+
+> [!NOTE]
+> Signature verification requires `gpg` and `dirmngr` to be installed on the runner. GitHub-hosted runners include both, but some self-hosted runners or containers may not.
+>
+> **Version history:**
+> - Introduced in **v7.2** with a default value of `true` to avoid breaking existing workflows on runners without `dirmngr`.
+> - Changed to `false` by default in **v8** (breaking change). If your runner does not have `gpg` or `dirmngr` installed, set this option to `true` explicitly.
+
 More information about possible analysis parameters can be found:
 * in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) of the SonarQube Server documentation
 * in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation
Author	SHA1	Message	Date
Antoine Vinot	59db25f34e	SQSCANGHA-145 Set skipSignatureVerification default value to false (#241 )	2026-04-29 14:23:12 +02:00
Pavel Mikula	ca30b65f4e	SQSCANGHA-143 SubmitReview: Use Vault token (#238 )	2026-04-29 11:16:25 +02:00
Antoine Vinot	c7ee0f9df9	SQSCANGHA-140 Set skipSignatureVerification default value to true to avoid breaking change (#240 ) Co-authored-by: Gustavo Cunha <dev@gustavocunha.dev>	2026-04-29 10:13:05 +02:00