diff --git a/README.md b/README.md index 98b8903..d9887bc 100644 --- a/README.md +++ b/README.md @@ -200,6 +200,23 @@ This can be useful when the runner executing the action is self-hosted and has r scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/ ``` +#### `skipSignatureVerification` + +By default, the action verifies the OpenPGP signature of the SonarScanner CLI binary before executing it. You can disable this verification using the `skipSignatureVerification` option: + +```yaml +- uses: SonarSource/sonarqube-scan-action@ + with: + skipSignatureVerification: true +``` + +> [!NOTE] +> Signature verification requires `gpg` and `dirmngr` to be installed on the runner. GitHub-hosted runners include both, but some self-hosted runners or containers may not. +> +> **Version history:** +> - Introduced in **v7.2** with a default value of `true` to avoid breaking existing workflows on runners without `dirmngr`. +> - Changed to `false` by default in **v8** (breaking change). If your runner does not have `gpg` or `dirmngr` installed, set this option to `true` explicitly. + More information about possible analysis parameters can be found: * in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) of the SonarQube Server documentation * in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation diff --git a/action.yml b/action.yml index 0693239..f636ea2 100644 --- a/action.yml +++ b/action.yml 
@@ -25,9 +25,9 @@ inputs: required: false default: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli skipSignatureVerification: - description: Skip GPG signature verification (defaults to true temporarily while dirmngr dependency is resolved; set to false to enable verification) + description: Skip GPG signature verification (not recommended for security) required: false - default: "true" + default: "false" runs: using: node24 main: dist/index.js
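Review bot: In the README hunk, the usage example `- uses: SonarSource/sonarqube-scan-action@` is left with an empty ref after the `@`; fill in the tag or commit SHA the rest of the README pins to so the snippet is copy-pasteable, and since this option is only meaningful from v7.2 onward, the pinned ref should be one that actually has it. Also, the last bullet in the NOTE block tells users whose runner lacks `gpg` or `dirmngr` to "set this option to `true` explicitly", which turns a missing package into a permanent opt-out of binary verification; suggest leading with installing `gpg` and `dirmngr` on the runner or container and presenting `skipSignatureVerification: true` as the fallback, mirroring the "(not recommended for security)" wording the same patch adds to `action.yml`.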
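Review bot: In the `action.yml` hunk, flipping `default` from `"true"` to `"false"` is a breaking change for self-hosted runners without `dirmngr`, but the new `description` no longer says what the verification needs, so a user whose job starts failing sees only "Skip GPG signature verification (not recommended for security)". Suggest keeping the dependency hint in the description, e.g. `description: Skip GPG signature verification of the scanner binary (requires gpg and dirmngr on the runner; not recommended for security)`, so the input help and the README NOTE block agree on why verification can fail and how to fix it without disabling it.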