[deps]: Update sonarsource/sonarqube-scan-action action to v6 (#449)

renovate[bot] · mandreko-bitwarden · web-flow · commit 55621d212437 · 2025-10-03T13:51:35.000-04:00
Co-authored-by: renovate[bot] &lt;29139614+renovate[bot]@users.noreply.github.com&gt;
Co-authored-by: Matt Andreko &lt;mandreko@bitwarden.com&gt;
diff --git a/.github/workflows/_sonar.yml b/.github/workflows/_sonar.yml
@@ -40,6 +40,7 @@ jobs:
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -60,18 +61,18 @@ jobs:
 
       - name: Scan with Sonar
         if: inputs.sonar-config == 'default'
-        uses: sonarsource/sonarqube-scan-action@1a6d90ebcb0e6a6b1d87e37ba693fe453195ae25 # v5.3.1
+        uses: sonarsource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
         env:
           SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
         with:
           args: >
-            -Dsonar.organization=${{ github.repository_owner }}
-            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
-            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} 
-            ${{ inputs.sonar-test-inclusions != '' && format('-Dsonar.test.inclusions={0}', inputs.sonar-test-inclusions) || '' }}
-            ${{ inputs.sonar-exclusions != '' && format('-Dsonar.exclusions={0}', inputs.sonar-exclusions) || '' }}
-            ${{ inputs.sonar-sources != '' && format('-Dsonar.sources={0}', inputs.sonar-sources) || '' }}
-            ${{ inputs.sonar-tests != '' && format('-Dsonar.tests={0}', inputs.sonar-tests) || '' }}
+            "-Dsonar.organization=${{ github.repository_owner }}"
+            "-Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}"
+            "-Dsonar.pullrequest.key=${{ github.event.pull_request.number }}"
+            ${{ inputs.sonar-test-inclusions != '' && format('"-Dsonar.test.inclusions={0}"', inputs.sonar-test-inclusions) || '' }}
+            ${{ inputs.sonar-exclusions != '' && format('"-Dsonar.exclusions={0}"', inputs.sonar-exclusions) || '' }}
+            ${{ inputs.sonar-sources != '' && format('"-Dsonar.sources={0}"', inputs.sonar-sources) || '' }}
+            ${{ inputs.sonar-tests != '' && format('"-Dsonar.tests={0}"', inputs.sonar-tests) || '' }}
 
       - name: Set up Java
         if: inputs.sonar-config == 'maven' || inputs.sonar-config == 'dotnet'
@@ -91,28 +92,69 @@ jobs:
       - name: Scan with Sonar
         if: inputs.sonar-config == 'dotnet'
         env:
-          SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
+          _SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
+          _REPOSITORY_NAME: ${{ github.event.repository.name }}
+          _REPOSITORY_OWNER: ${{ github.repository_owner }}
+          _SONAR_TEST_INCLUSIONS: ${{ inputs.sonar-test-inclusions }}
+          _SONAR_EXCLUSIONS: ${{ inputs.sonar-exclusions }}
+          _SONAR_SOURCES: ${{ inputs.sonar-sources }}
+          _SONAR_TESTS: ${{ inputs.sonar-tests }}
+          _PULL_REQUEST_KEY: ${{ github.event_name == 'pull_request' && github.event.pull_request.number || '' }}
         run: |
-          dotnet-sonarscanner begin /k:"${{ github.repository_owner }}_${{ github.event.repository.name }}" \
-          /o:"${{ github.repository_owner }}" \
-          /d:sonar.token="${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}" \
-          /d:sonar.host.url="https://sonarcloud.io" \
-          ${{ contains(github.event_name, 'pull_request') && format('/d:sonar.pullrequest.key={0}', github.event.pull_request.number) || '' }} \
-          ${{ inputs.sonar-test-inclusions != '' && format('/d:sonar.test.inclusions={0}', inputs.sonar-test-inclusions) || '' }} \
-          ${{ inputs.sonar-exclusions != '' && format('/d:sonar.exclusions={0}', inputs.sonar-exclusions) || '' }} \
-          ${{ inputs.sonar-sources != '' && format('-Dsonar.sources={0}', inputs.sonar-sources) || '' }} \
-          ${{ inputs.sonar-tests != '' && format('-Dsonar.tests={0}', inputs.sonar-tests) || '' }}
+          set -euo pipefail
+          ARGS=()
+          if [ -n "$_PULL_REQUEST_KEY" ]; then
+            ARGS+=("/d:sonar.pullrequest.key=$_PULL_REQUEST_KEY")
+          fi
+          if [ -n "$_SONAR_TEST_INCLUSIONS" ]; then
+            ARGS+=("/d:sonar.test.inclusions=$_SONAR_TEST_INCLUSIONS")
+          fi
+          if [ -n "$_SONAR_EXCLUSIONS" ]; then
+            ARGS+=("/d:sonar.exclusions=$_SONAR_EXCLUSIONS")
+          fi
+          if [ -n "$_SONAR_SOURCES" ]; then
+            ARGS+=("-Dsonar.sources=$_SONAR_SOURCES")
+          fi
+          if [ -n "$_SONAR_TESTS" ]; then
+            ARGS+=("-Dsonar.tests=$_SONAR_TESTS")
+          fi
+
+          dotnet-sonarscanner begin \
+            /k:"${REPOSITORY_OWNER}_${REPOSITORY_NAME}" \
+            /o:"$REPOSITORY_OWNER" \
+            /d:sonar.token="$SONAR_TOKEN" \
+            /d:sonar.host.url="https://sonarcloud.io" \
+            "${ARGS[@]}"
           dotnet build
-          dotnet-sonarscanner end /d:sonar.token="${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}"
+          dotnet-sonarscanner end /d:sonar.token="$_SONAR_TOKEN"
 
       - name: Scan with Sonar
         if: inputs.sonar-config == 'maven'
         env:
-          SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
-        run: >
-          mvn clean install -Dgpg.skip=true sonar:sonar 
-          ${{ inputs.sonar-test-inclusions != '' && format('-Dsonar.test.inclusions={0}', inputs.sonar-test-inclusions) || '' }} 
-          ${{ inputs.sonar-exclusions != '' && format('-Dsonar.exclusions={0}', inputs.sonar-exclusions) || '' }} 
-          ${{ inputs.sonar-sources != '' && format('-Dsonar.sources={0}', inputs.sonar-sources) || '' }}
-          ${{ inputs.sonar-tests != '' && format('-Dsonar.tests={0}', inputs.sonar-tests) || '' }}
-          ${{ contains(github.event_name, 'pull_request') && format('-Dsonar.pullrequest.key={0}', github.event.pull_request.number) || '' }}
+          _SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
+          _SONAR_TEST_INCLUSIONS: ${{ inputs.sonar-test-inclusions }}
+          _SONAR_EXCLUSIONS: ${{ inputs.sonar-exclusions }}
+          _SONAR_SOURCES: ${{ inputs.sonar-sources }}
+          _SONAR_TESTS: ${{ inputs.sonar-tests }}
+          _PULL_REQUEST_KEY: ${{ github.event_name == 'pull_request' && github.event.pull_request.number || '' }}
+        run: |
+          set -euo pipefail
+          ARGS=()
+
+          if [ -n "$_SONAR_TEST_INCLUSIONS" ]; then
+            ARGS+=("-Dsonar.test.inclusions=$_SONAR_TEST_INCLUSIONS")
+          fi
+          if [ -n "$_SONAR_EXCLUSIONS" ]; then
+            ARGS+=("-Dsonar.exclusions=$_SONAR_EXCLUSIONS")
+          fi
+          if [ -n "$_SONAR_SOURCES" ]; then
+            ARGS+=("-Dsonar.sources=$_SONAR_SOURCES")
+          fi
+          if [ -n "$_SONAR_TESTS" ]; then
+            ARGS+=("-Dsonar.tests=$_SONAR_TESTS")
+          fi
+          if [ -n "$_PULL_REQUEST_KEY" ]; then
+            ARGS+=("-Dsonar.pullrequest.key=$_PULL_REQUEST_KEY")
+          fi
+
+          mvn clean install -Dgpg.skip=true sonar:sonar "${ARGS[@]}"
