Skip to content

Pin sonarqube-scan-action to a full commit SHA (v8.2.1)#10154

Open
kobihikri wants to merge 1 commit into
pgadmin-org:masterfrom
kobihikri:ci/pin-sonarqube-scan-action
Open

Pin sonarqube-scan-action to a full commit SHA (v8.2.1)#10154
kobihikri wants to merge 1 commit into
pgadmin-org:masterfrom
kobihikri:ci/pin-sonarqube-scan-action

Conversation

@kobihikri

@kobihikri kobihikri commented Jul 15, 2026

Copy link
Copy Markdown

Hi, and thank you for pgAdmin.

Small CI supply-chain hardening, one line. sonarqube-scan.yml runs the scanner from a mutable branch ref, in the step that holds the SonarQube credentials:

uses: sonarsource/sonarqube-scan-action@master
env:
  SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
  SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}

Whatever master happens to point at executes with those secrets in scope; a branch can move after review, a full commit SHA cannot. This PR pins to the commit behind the current release, keeping the version visible:

uses: sonarsource/sonarqube-scan-action@22918119ff8e1ca75a623e15c8296b6ea4fbe28f # v8.2.1

Verified: gh api repos/sonarsource/sonarqube-scan-action/git/ref/tags/v8.2.12291811…. It's the only workflow ref in the repo on a branch rather than a tag, so behavior today is unchanged. (If you'd rather discuss on pgadmin-hackers first, happy to take it there — filing here since small workflow PRs have been merged from GitHub recently.)

For transparency: I used AI assistance to spot and draft this; I verified the workflow content and the release SHA myself.

Summary by CodeRabbit

  • Chores
    • Pinned the SonarQube scanning action to a specific version for more consistent and reliable code-quality scans.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5b20b370-cbdc-451e-b95b-f22d9914360e

📥 Commits

Reviewing files that changed from the base of the PR and between dfc4ef3 and 0b89176.

📒 Files selected for processing (1)
  • .github/workflows/sonarqube-scan.yml

Walkthrough

The SonarQube GitHub Actions workflow now uses a pinned commit for the scan action instead of the master branch, while retaining its existing environment variables.

Changes

SonarQube action pinning

Layer / File(s) Summary
Pin SonarQube scan action
.github/workflows/sonarqube-scan.yml
The SonarQube Scan step references the pinned v8.2.1 commit instead of @master.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: pinning sonarqube-scan-action to a specific commit SHA.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant