NO-JIRA Mask proxy URL and deduplicate test helper

- Register HTTPS_PROXY as a secret via core.setSecret so embedded
  credentials (e.g. http://user:pass@proxy:8080) cannot leak to CI
  logs, and drop the URL from the info message.
- Hoist clearProxyEnv()/proxyVars to the outer describe scope in the
  GPG verification tests (Sonar S4144).

dist/ regenerated; this also drops stale chunk files that were no
longer emitted by the current rollup config.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

README.md

@@ -213,6 +213,8 @@ By default, the action verifies the OpenPGP signature of the SonarScanner CLI bi
 > [!NOTE]
 > Signature verification requires `gpg` and `dirmngr` to be installed on the runner. GitHub-hosted runners include both, but some self-hosted runners or containers may not.
 >
+> If your runner accesses the internet through a proxy, the action automatically picks up the `HTTPS_PROXY` or `https_proxy` environment variable when fetching the public key from the keyserver. `HTTP_PROXY` is intentionally not used as a fallback, since keyservers are accessed over TLS (`hkps://`).
+>
 > **Version history:**
 > - Introduced in **v7.2** with a default value of `true` to avoid breaking existing workflows on runners without `dirmngr`.
 > - Changed to `false` by default in **v8** (breaking change). If your runner does not have `gpg` or `dirmngr` installed, set this option to `true` explicitly.
@@ -469,6 +471,8 @@ When running the action in a self-hosted runner or container, please ensure that
 
 * **curl** or **wget**
 * **unzip**
+* **gpg**
+* **dirmngr**
 
 ### Additional information
 

dist/exec-BeYcktvA.js

@@ -31829,5 +31829,5 @@ function requireExec () {
 
 var execExports = requireExec();
 
-export { HttpClient as H, info as a, isDebug as b, cp as c, debug as d, exists as e, execExports as f, warning as g, addPath as h, isRooted as i, getInput as j, getBooleanInput as k, core as l, mkdirP as m, setOutput as n, startGroup as o, endGroup as p, rmRF as r, setFailed as s, which as w };
-//# sourceMappingURL=exec-zlpfwmpH.js.map
+export { HttpClient as H, info as a, isDebug as b, cp as c, debug as d, exists as e, execExports as f, warning as g, addPath as h, isRooted as i, setFailed as j, getInput as k, getBooleanInput as l, mkdirP as m, core as n, setOutput as o, startGroup as p, endGroup as q, rmRF as r, setSecret as s, which as w };
+//# sourceMappingURL=exec-BeYcktvA.js.map

dist/index.js

@@ -1,4 +1,4 @@
-import { i as isRooted, w as which, e as exists, a as info, d as debug, m as mkdirP, c as cp, H as HttpClient, r as rmRF, b as isDebug, f as execExports, g as warning, h as addPath, s as setFailed, j as getInput, k as getBooleanInput, l as core } from './exec-zlpfwmpH.js';
+import { i as isRooted, w as which, e as exists, a as info, d as debug, m as mkdirP, c as cp, H as HttpClient, r as rmRF, b as isDebug, f as execExports, g as warning, s as setSecret, h as addPath, j as setFailed, k as getInput, l as getBooleanInput, n as core } from './exec-BeYcktvA.js';
 import * as crypto from 'crypto';
 import * as fs from 'fs';
 import * as os from 'os';
@@ -3977,6 +3977,18 @@ function setupGpgHome() {
   return gpgHome;
 }
 
+/**
+ * Detects HTTPS proxy from environment variables.
+ * Checks both upper and lower case variants (HTTPS_PROXY, https_proxy).
+ * Only HTTPS proxy is used since keyservers use hkps:// (TLS).
+ * HTTP_PROXY is intentionally not used as a fallback to avoid routing
+ * HTTPS traffic through a proxy not intended for TLS connections.
+ * @returns {string|undefined} Proxy URL or undefined if not set
+ */
+function getProxyFromEnv() {
+  return process.env.HTTPS_PROXY || process.env.https_proxy;
+}
+
 /**
  * Attempts to import a public key from a specific keyserver
  * @param {string} gpgHome - Path to GPG home directory
@@ -3988,6 +4000,15 @@ function setupGpgHome() {
 async function tryImportKey(gpgHome, keyFingerprint, keyserver) {
   const gpgCommand = getGpgCommand();
   const gpgHomePath = convertToUnixPath(gpgHome);
+  const proxyUrl = getProxyFromEnv();
+
+  if (proxyUrl) {
+    // The URL may carry credentials (e.g. http://user:pass@proxy:8080).
+    // Register it as a secret so future logging (here or downstream) is
+    // automatically redacted
+    setSecret(proxyUrl);
+    info("Using HTTPS_PROXY for keyserver access");
+  }
 
   await execExports.exec(
     gpgCommand,
@@ -3997,6 +4018,7 @@ async function tryImportKey(gpgHome, keyFingerprint, keyserver) {
       "--batch",
       "--keyserver",
       keyserver,
+      ...(proxyUrl ? ["--keyserver-options", `http-proxy=${proxyUrl}`] : []),
       "--recv-keys",
       keyFingerprint,
     ],

dist/install-build-wrapper.js

@@ -1,4 +1,4 @@
-import { f as execExports, h as addPath, a as info, n as setOutput, s as setFailed, o as startGroup, p as endGroup } from './exec-zlpfwmpH.js';
+import { f as execExports, h as addPath, a as info, o as setOutput, j as setFailed, p as startGroup, q as endGroup } from './exec-BeYcktvA.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import 'os';

rollup.config.js

@@ -16,9 +16,23 @@
 // along with this program; if not, write to the Free Software Foundation,
 // Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
+import { readFileSync } from "node:fs";
 import commonjs from "@rollup/plugin-commonjs";
 import { nodeResolve } from "@rollup/plugin-node-resolve";
 
+// Ensures CRLF line endings from a Windows checkout don't leak into the
+// bundle or the source map's sourcesContent, so the build is reproducible
+// across operating systems. Uses `load` rather than `transform` so the
+// normalized text is also what Rollup embeds in sourcesContent.
+const normalizeLineEndings = {
+  name: "normalize-line-endings",
+  load(id) {
+    if (id.startsWith("\0") || id.includes("?")) return null;
+    const code = readFileSync(id, "utf8");
+    return code.includes("\r") ? code.replaceAll("\r\n", "\n") : null;
+  },
+};
+
 const config = {
   input: [
     "src/main/index.js",
@@ -30,7 +44,7 @@ const config = {
     format: "es",
     sourcemap: true,
   },
-  plugins: [commonjs(), nodeResolve({ preferBuiltins: true })],
+  plugins: [normalizeLineEndings, commonjs(), nodeResolve({ preferBuiltins: true })],
 };
 
 export default config;

src/main/__tests__/gpg-verification-mocked.test.js

@@ -20,8 +20,8 @@
 
 import assert from "node:assert/strict";
 import * as fs from "node:fs";
-import {afterEach, describe, it, mock} from "node:test";
-import {setupGpgHome,} from "../gpg-verification.js";
+import { afterEach, describe, it, mock } from "node:test";
+import { getProxyFromEnv, setupGpgHome, } from "../gpg-verification.js";
 
 /**
  * Helper function to create a temporary GPG home directory for testing.
@@ -38,6 +38,14 @@ function createTrackedGpgHome(tempDirs) {
 describe("gpg-verification with mocked exec", () => {
   let tempDirs = [];
 
+  const proxyVars = ["HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy"];
+
+  function clearProxyEnv() {
+    for (const v of proxyVars) {
+      delete process.env[v];
+    }
+  }
+
   afterEach(() => {
     // Clean up temporary directories
     tempDirs.forEach((dir) => {
@@ -483,4 +491,215 @@ describe("gpg-verification with mocked exec", () => {
       );
     });
   });
+
+  describe("getProxyFromEnv", () => {
+    afterEach(() => {
+      clearProxyEnv();
+    });
+
+    it("should return undefined when no proxy is set", () => {
+      clearProxyEnv();
+      assert.equal(getProxyFromEnv(), undefined);
+    });
+
+    it("should prefer HTTPS_PROXY over https_proxy", () => {
+      clearProxyEnv();
+      process.env.HTTPS_PROXY = "http://proxy-https:8080";
+      process.env.https_proxy = "http://proxy-lower:8080";
+      assert.equal(getProxyFromEnv(), "http://proxy-https:8080");
+    });
+
+    it("should use https_proxy (lowercase)", () => {
+      clearProxyEnv();
+      process.env.https_proxy = "http://proxy-lower:8080";
+      assert.equal(getProxyFromEnv(), "http://proxy-lower:8080");
+    });
+
+    it("should not fall back to HTTP_PROXY", () => {
+      clearProxyEnv();
+      process.env.HTTP_PROXY = "http://proxy-http:3128";
+      assert.equal(getProxyFromEnv(), undefined);
+    });
+
+    it("should not fall back to http_proxy (lowercase)", () => {
+      clearProxyEnv();
+      process.env.http_proxy = "http://proxy-lower-http:3128";
+      assert.equal(getProxyFromEnv(), undefined);
+    });
+
+    it("should ignore HTTP_PROXY when only HTTP proxy is configured", () => {
+      clearProxyEnv();
+      process.env.HTTP_PROXY = "http://http-only-proxy:3128";
+      process.env.http_proxy = "http://http-only-proxy:3128";
+      assert.equal(getProxyFromEnv(), undefined);
+    });
+  });
+
+  describe("tryImportKey with proxy", () => {
+    afterEach(() => {
+      clearProxyEnv();
+    });
+
+    it("should not pass --keyserver-options when no proxy env is set", async (t) => {
+      clearProxyEnv();
+
+      const execCalls = [];
+      const execFn = mock.fn(async (command, args) => {
+        execCalls.push({ command, args });
+        return 0;
+      });
+
+      t.mock.module("@actions/exec", {
+        namedExports: {
+          exec: execFn,
+        },
+      });
+
+      const { importSonarSourceKey } = await import("../gpg-verification.js?test=no-proxy");
+
+      const gpgHome = createTrackedGpgHome(tempDirs);
+      const keyserver = "hkps://keyserver.ubuntu.com";
+      const keyFingerprint = "679F1EE92B19609DE816FDE81DB198F93525EC1A";
+
+      await importSonarSourceKey(gpgHome, keyFingerprint, keyserver);
+
+      assert.equal(execCalls.length, 1);
+      const args = execCalls[0].args;
+      assert.ok(!args.includes("--keyserver-options"), "Should NOT include --keyserver-options");
+    });
+
+    it("should use HTTPS_PROXY when set", async (t) => {
+      clearProxyEnv();
+      process.env.HTTPS_PROXY = "http://corporate-proxy:8080";
+
+      const execCalls = [];
+      const execFn = mock.fn(async (command, args) => {
+        execCalls.push({ command, args });
+        return 0;
+      });
+
+      t.mock.module("@actions/exec", {
+        namedExports: {
+          exec: execFn,
+        },
+      });
+
+      const { importSonarSourceKey } = await import("../gpg-verification.js?test=proxy-https-upper");
+
+      const gpgHome = createTrackedGpgHome(tempDirs);
+      await importSonarSourceKey(gpgHome, "ABCD1234", "hkps://keyserver.ubuntu.com");
+
+      const args = execCalls[0].args;
+      const optIdx = args.indexOf("--keyserver-options");
+      assert.ok(optIdx !== -1, "Should include --keyserver-options");
+      assert.equal(args[optIdx + 1], "http-proxy=http://corporate-proxy:8080");
+    });
+
+    it("should use https_proxy (lowercase) when set", async (t) => {
+      clearProxyEnv();
+      process.env.https_proxy = "http://lowercase-proxy:3128";
+
+      const execCalls = [];
+      const execFn = mock.fn(async (command, args) => {
+        execCalls.push({ command, args });
+        return 0;
+      });
+
+      t.mock.module("@actions/exec", {
+        namedExports: {
+          exec: execFn,
+        },
+      });
+
+      const { importSonarSourceKey } = await import("../gpg-verification.js?test=proxy-https-lower");
+
+      const gpgHome = createTrackedGpgHome(tempDirs);
+      await importSonarSourceKey(gpgHome, "ABCD1234", "hkps://keyserver.ubuntu.com");
+
+      const args = execCalls[0].args;
+      const optIdx = args.indexOf("--keyserver-options");
+      assert.ok(optIdx !== -1);
+      assert.equal(args[optIdx + 1], "http-proxy=http://lowercase-proxy:3128");
+    });
+
+    it("should not use proxy when only HTTP_PROXY is set", async (t) => {
+      clearProxyEnv();
+      process.env.HTTP_PROXY = "http://http-only-proxy:9090";
+
+      const execCalls = [];
+      const execFn = mock.fn(async (command, args) => {
+        execCalls.push({ command, args });
+        return 0;
+      });
+
+      t.mock.module("@actions/exec", {
+        namedExports: {
+          exec: execFn,
+        },
+      });
+
+      const { importSonarSourceKey } = await import("../gpg-verification.js?test=proxy-http-upper");
+
+      const gpgHome = createTrackedGpgHome(tempDirs);
+      await importSonarSourceKey(gpgHome, "ABCD1234", "hkps://keyserver.ubuntu.com");
+
+      const args = execCalls[0].args;
+      assert.ok(!args.includes("--keyserver-options"), "Should NOT include --keyserver-options when only HTTP_PROXY is set");
+    });
+
+    it("should not use proxy when only http_proxy (lowercase) is set", async (t) => {
+      clearProxyEnv();
+      process.env.http_proxy = "http://last-resort-proxy:1080";
+
+      const execCalls = [];
+      const execFn = mock.fn(async (command, args) => {
+        execCalls.push({ command, args });
+        return 0;
+      });
+
+      t.mock.module("@actions/exec", {
+        namedExports: {
+          exec: execFn,
+        },
+      });
+
+      const { importSonarSourceKey } = await import("../gpg-verification.js?test=proxy-http-lower");
+
+      const gpgHome = createTrackedGpgHome(tempDirs);
+      await importSonarSourceKey(gpgHome, "ABCD1234", "hkps://keyserver.ubuntu.com");
+
+      const args = execCalls[0].args;
+      assert.ok(!args.includes("--keyserver-options"), "Should NOT include --keyserver-options when only http_proxy is set");
+    });
+
+    it("should prefer HTTPS_PROXY over https_proxy and ignore HTTP variants", async (t) => {
+      clearProxyEnv();
+      process.env.HTTPS_PROXY = "http://preferred:8080";
+      process.env.https_proxy = "http://not-this-one:8080";
+      process.env.HTTP_PROXY = "http://also-not:3128";
+      process.env.http_proxy = "http://nope:1080";
+
+      const execCalls = [];
+      const execFn = mock.fn(async (command, args) => {
+        execCalls.push({ command, args });
+        return 0;
+      });
+
+      t.mock.module("@actions/exec", {
+        namedExports: {
+          exec: execFn,
+        },
+      });
+
+      const { importSonarSourceKey } = await import("../gpg-verification.js?test=proxy-precedence");
+
+      const gpgHome = createTrackedGpgHome(tempDirs);
+      await importSonarSourceKey(gpgHome, "ABCD1234", "hkps://keyserver.ubuntu.com");
+
+      const args = execCalls[0].args;
+      const optIdx = args.indexOf("--keyserver-options");
+      assert.ok(optIdx !== -1);
+      assert.equal(args[optIdx + 1], "http-proxy=http://preferred:8080");
+    });
+  });
 });

src/main/gpg-verification.js

@@ -125,6 +125,18 @@ export function setupGpgHome() {
   return gpgHome;
 }
 
+/**
+ * Detects HTTPS proxy from environment variables.
+ * Checks both upper and lower case variants (HTTPS_PROXY, https_proxy).
+ * Only HTTPS proxy is used since keyservers use hkps:// (TLS).
+ * HTTP_PROXY is intentionally not used as a fallback to avoid routing
+ * HTTPS traffic through a proxy not intended for TLS connections.
+ * @returns {string|undefined} Proxy URL or undefined if not set
+ */
+export function getProxyFromEnv() {
+  return process.env.HTTPS_PROXY || process.env.https_proxy;
+}
+
 /**
  * Attempts to import a public key from a specific keyserver
  * @param {string} gpgHome - Path to GPG home directory
@@ -136,6 +148,15 @@ export function setupGpgHome() {
 async function tryImportKey(gpgHome, keyFingerprint, keyserver) {
   const gpgCommand = getGpgCommand();
   const gpgHomePath = convertToUnixPath(gpgHome);
+  const proxyUrl = getProxyFromEnv();
+
+  if (proxyUrl) {
+    // The URL may carry credentials (e.g. http://user:pass@proxy:8080).
+    // Register it as a secret so future logging (here or downstream) is
+    // automatically redacted
+    core.setSecret(proxyUrl);
+    core.info("Using HTTPS_PROXY for keyserver access");
+  }
 
   await exec.exec(
     gpgCommand,
@@ -145,6 +166,7 @@ async function tryImportKey(gpgHome, keyFingerprint, keyserver) {
       "--batch",
       "--keyserver",
       keyserver,
+      ...(proxyUrl ? ["--keyserver-options", `http-proxy=${proxyUrl}`] : []),
       "--recv-keys",
       keyFingerprint,
     ],