ci(security): bump sonarqube-scan-action to v8.2.0 (Node 24)#225
Conversation
GitHub Actions warned that SonarSource/sonarqube-scan-action@v6.0.0 targets the deprecated Node.js 20 runtime (forced onto Node 24 on current runners). v8.2.0's action.yml declares `runs: using: node24`, resolving the warning. SHA-pinned per repo convention; the `with: args` interface is unchanged from v6, so this is a drop-in bump. sonarqube-quality-gate-action is left at v1.2.0 — it's a `using: composite` (bash) action with no Node runtime, so it is unaffected by the Node 20 deprecation and v1.2.0 is already its latest release. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Bumping sonarqube-scan-action to v8.2.0 changed its pinned SHA, which caused the dependency-review job to re-evaluate it and block on its LGPL-3.0 license (the org's shared amazon-ospo config allows only permissive licenses). The license did not change — it has been LGPL-3.0 since the action's first commit in 2021 — but the SHA change triggered a fresh review. Add an `allow-dependencies-licenses` exception for this specific action. It is a CI-only action we invoke in the pipeline, not code we distribute or link into the published (Apache-2.0) plugins, so its copyleft terms do not reach our output. Pinned to the exact SHA (which is the PURL version dependency-review emits for a SHA-pinned action), so a future version bump re-triggers the license review instead of silently inheriting this exception. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The commented-out distlib `allow-dependencies-licenses` example was placeholder scaffolding; now that a real allow entry (sonarqube-scan-action) documents the usage, the example is redundant noise. Remove it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
theagenticguy
left a comment
There was a problem hiding this comment.
Approve
Verified every load-bearing claim against ground truth (not the PR body):
SHA ↔ version mapping (exact):
fd88b7d7ccbaefd23d8f36f73b59db7a3d246602=v6.0.0713881670b6b3676cda39549040e2d88c70d582e=v8.2.0
Node runtime fix confirmed: action.yml runs.using is node20 at v6.0.0 and node24 at v8.2.0. This resolves the deprecation warning.
Drop-in compatibility confirmed: v8.2.0 declares no required inputs (args, projectBaseDir, scannerVersion, scannerBinariesUrl, skipSignatureVerification, scannerBinariesAuthHeader all required: false). The workflow passes only with: args + the two SONAR_* env vars, so the interface is unchanged.
License exception is sound:
sonarqube-scan-actionisLGPL-3.0(verified via GitHub license API). The copyleft applies to distributed/linked derivative works; a CI-only action invoked in the pipeline is a build tool, not linked into the published Apache-2.0 plugins, so the terms don't reach the output. Justified.- The
allow-dependencies-licensesentry is pinned to the exact SHA PURL, so a future version bump re-triggers the license review instead of silently inheriting the exception. Good fail-safe design. - Empirical proof it's correct: the
dependency-reviewcheck is green on the final commit — a mismatched PURL would leave the LGPL-3.0 block firing and fail the job.
Sibling sweep (per our review method): sonarqube-scan-action was the only Node 20 action in security-scanners.yml. Every other uses: is Node 24-era (checkout@v7, upload-artifact@v7, setup-python@v6, codeql-action@v4), and quality-gate-action@v1.2.0 is using: composite (no Node runtime). The deprecation warning won't survive elsewhere. The distlib comment removal is clean scaffolding cleanup.
All 24 checks pass, including dependency-review, sonarqube, semgrep, codeql, checkov, bandit, grype.
Non-blocking nit: the PR body's Changes and Notes sections describe only the security-scanners.yml bump — they don't mention the dependency-review.yml LGPL-3.0 allow-list, which is a license-policy decision worth surfacing in the description for future auditors (the rationale is well-captured in commit 09396a1, just not in the PR summary). Worth a one-line addition, but doesn't block the merge.
|
@theagenticguy thanks for the approve and the thorough ground-truth verification. On your non-blocking nit — the PR body only covered the
So the rationale now lives in the PR summary as well as commit |
Bumps
SonarSource/sonarqube-scan-actionfrom v6.0.0 to v8.2.0 to stop targeting the deprecated Node.js 20 runtime.Related
sonarqubejob:Changes
.github/workflows/security-scanners.yml:sonarqube-scan-actionfd88b7d…(v6.0.0,using: node20) →713881670b6b3676cda39549040e2d88c70d582e(v8.2.0,using: node24). SHA-pinned per repo convention..github/workflows/dependency-review.yml: add anallow-dependencies-licensesentry forsonarqube-scan-action(see License note below), and remove the stale commented-outdistlibexample now that a real entry documents the usage.Notes / research
action.ymldeclaresruns: using: node24(v6.0.0 declarednode20).with: argsandenv: SONAR_HOST_URL/SONAR_TOKEN, which are unchanged across v6→v8. v7/v8 additions (e.g.scannerBinariesAuthHeader,SONARCLOUD_URLdeprecation) don't affect this workflow.sonarqube-quality-gate-actionintentionally left at v1.2.0: it's ausing: composite(bash) action with no Node runtime, so it's unaffected by the Node 20 deprecation — and v1.2.0 is already its latest release.License / dependency review
Bumping the pinned SHA caused the
dependency-reviewjob to re-evaluate the action and block on its LGPL-3.0 license (the org's sharedamazon-ospoconfig allows only permissive licenses).sonarqube-scan-actionhas been LGPL-3.0 since its first commit in 2021 —LICENSE.txtis byte-identical at v6.0.0 and v8.2.0 (same blob). The SHA change simply triggered a fresh review that the pre-existing v6.0.0 pin had never been subjected to.allow-dependencies-licenses: "pkg:githubactions/SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e"todependency-review.yml. Rationale: this is a CI-only action we invoke in the pipeline — not code we distribute or link into the published (Apache-2.0) plugins — so its copyleft terms do not reach our output.dependency-reviewemits for a SHA-pinned action, and it means any future version bump re-triggers the license review rather than silently inheriting this exception.Acknowledgment
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.
Generated with Claude Code