
SQSCANGHA-135 Fix scanner binaries always re-downloaded due to incompatible 4-part version#250

Merged
henryju merged 3 commits into
masterfrom
worktree-SQSCANGHA-135
Jun 8, 2026

Conversation

@henryju henryju commented Jun 4, 2026

Member

Summary

  • Scanner binaries were re-downloaded on every run since v7.0.0 because GitHub's @actions/tool-cache library requires SemVer 2.0 version strings, but the scanner uses a 4-part format (e.g. 8.0.1.6346)
  • tc.find() calls semver.clean('8.0.1.6346') → null → empty string, so findAllVersions() filters out the cached directory and every lookup is a miss
  • Fix: convert X.Y.Z.W → X.Y.Z-build.W (valid SemVer pre-release) for tool-cache operations; download URL and zip extraction still use the original version string

Test plan

  • All existing unit tests pass (npm test)
  • New toSemVer unit tests added in utils.test.js
  • New integration test in install-sonar-scanner.test.js verifies tc.find and tc.cacheDir receive the semver-compatible version
  • Manual: confirm scanner is cached and reused across runs when RUNNER_TOOL_CACHE is configured

Fixes SQSCANGHA-135

🤖 Generated with Claude Code


Summary by Gitar

  • Tooling configuration:
    • Added mise.toml to specify Node.js version 24 environment.
  • Version handling:
    • Added toSemVer utility to convert 4-part scanner versions to SemVer-compatible strings.
    • Updated install-sonar-scanner to use the converted version for tool-cache operations.


sonarqubecloud Bot commented Jun 4, 2026


Agentic Analysis: Early Results

Agentic Analysis and Context Augmentation are available on your project. Here are some issues that could have been prevented. Follow the links to learn how to put them into action.

4 issue(s) found across 2 file(s):

| Rule | File | Line | Message |
|---|---|---|---|
| javascript:S5443 | `src/main/__tests__/install-sonar-scanner.test.js` | 178 | Make sure publicly writable directories are used safely here. |
| javascript:S5443 | `src/main/__tests__/install-sonar-scanner.test.js` | 185 | Make sure publicly writable directories are used safely here. |
| javascript:S5443 | `src/main/__tests__/install-sonar-scanner.test.js` | 186 | Make sure publicly writable directories are used safely here. |
| javascript:S109 | `src/main/utils.js` | 63 | No magic number: 3. |

Analyzed by SonarQube Agentic Analysis in 2.8 s

hashicorp-vault-sonar-prod Bot commented Jun 4, 2026


SQSCANGHA-135

LGTM

henryju and others added 3 commits June 8, 2026 10:28
…atible 4-part version

GitHub's tool-cache library uses semver.clean() to look up cached tools, which
returns null for 4-part version strings like "8.0.1.6346". This caused
findAllVersions() to filter out any cached directory, resulting in a cache miss
on every run.

The fix converts the 4-part version to a semver pre-release format
(e.g. "8.0.1-build.6346") for tool-cache operations, while keeping the original
version string for download URLs and zip extraction.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Built from worktree with local node_modules so source map paths match
CI build environment (../node_modules/ instead of ../../../../node_modules/).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
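The failure mode described in the PR summary above and restated in the first commit message can be shown end to end in plain JavaScript. The block below is an added example, not code from sonarqube-scan-action: its helper names (toSemVerForCache, findInToolCache, planInstall), the placeholder download host and the in-memory model of how @actions/tool-cache filters cached directories are assumptions made for illustration. The SemVer grammar is the published one from semver.org, used in place of the semver package so the example runs offline.

```javascript
// Added example, not code from the sonarqube-scan-action repository.
// It shows why a 4-part scanner version misses the GitHub tool cache and how
// the X.Y.Z.W -> X.Y.Z-build.W normalization fixes it. The helper names and
// the placeholder download URL are this example's own assumptions.

// Official SemVer 2.0 grammar from semver.org, standing in for the `semver`
// package's valid()/clean() so the example runs offline.
const SEMVER_RE =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

// Sonar scanner versions look like 8.0.1.6346: three release numbers plus a build number.
const FOUR_PART_RE = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;

// Mirrors semver.clean(): the version itself when it is valid SemVer, otherwise null.
function semverClean(version) {
  return SEMVER_RE.test(version) ? version : null;
}

// Convert a 4-part scanner version to a SemVer pre-release that tool-cache accepts.
// Anything that is not 4-part is returned unchanged (a plain X.Y.Z is already valid).
function toSemVerForCache(version) {
  const m = FOUR_PART_RE.exec(version);
  if (!m) return version;
  const [, major, minor, patch, build] = m;
  const converted = `${major}.${minor}.${patch}-build.${build}`;
  // Fail loudly rather than silently re-downloading on every run: a component
  // with a leading zero (e.g. 8.0.1.0042) is still rejected by the SemVer grammar.
  if (semverClean(converted) === null) {
    throw new Error(`cannot express ${version} as SemVer: ${converted} is invalid`);
  }
  return converted;
}

// Simplified model (assumption) of @actions/tool-cache find()/findAllVersions()
// as the PR describes them: directories whose name is not clean SemVer are
// ignored, and a lookup for a non-SemVer version becomes a lookup for ''.
function findInToolCache(cachedDirs, version) {
  const wanted = semverClean(version) || '';
  const usable = cachedDirs.filter((dir) => semverClean(dir) !== null);
  return usable.includes(wanted) ? wanted : '';
}

// The two strings an installer needs: the original version for the artifact URL
// (placeholder host, not the real download location) and the SemVer form for the cache.
function planInstall(version) {
  return {
    downloadUrl: `https://example.invalid/sonar-scanner-cli-${version}.zip`,
    cacheVersion: toSemVerForCache(version),
  };
}

// Constructed scenario: the scanner was cached once under each naming scheme.
const BEFORE_FIX_DIRS = ['8.0.1.6346'];
const AFTER_FIX_DIRS = ['8.0.1-build.6346'];

function demo() {
  const version = '8.0.1.6346';
  const plan = planInstall(version);
  return {
    rawIsSemVer: semverClean(version) !== null, // false: the raw string is not SemVer
    missBeforeFix: findInToolCache(BEFORE_FIX_DIRS, version), // '' : cache miss every run
    hitAfterFix: findInToolCache(AFTER_FIX_DIRS, plan.cacheVersion), // the cached directory
    plan,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. One caveat to keep in mind when reusing this scheme: under SemVer 2.0 a pre-release such as 8.0.1-build.6346 sorts before 8.0.1 and is excluded from ranges like 8.x by default, so the conversion is safe for the exact-version lookups the PR feeds to tc.find and tc.cacheDir, but not for range queries. The example also refuses to emit a string the SemVer grammar would reject, so a bad conversion fails at install time instead of silently reproducing the per-run re-download.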
@henryju henryju force-pushed the worktree-SQSCANGHA-135 branch from 0368e05 to 33f22e5 June 8, 2026 08:28
sonarqubecloud Bot commented Jun 8, 2026


@henryju henryju merged commit 3581139 into master Jun 8, 2026
74 checks passed
@henryju henryju deleted the worktree-SQSCANGHA-135 branch June 8, 2026 08:53
gitar-bot Bot commented Jun 8, 2026

Code Review ✅ Approved

Normalizes 4-part scanner versions to SemVer-compatible strings to prevent unnecessary re-downloads and transitions the development environment to use mise for Node.js 24. No issues found.


luketainton pushed a commit to luketainton/repos_epage-go that referenced this pull request Jun 9, 2026
…(#12)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [SonarSource/sonarqube-scan-action](https://github.com/SonarSource/sonarqube-scan-action) | action | minor | `v8.1` → `v8.2` |

---

### Release Notes

<details>
<summary>SonarSource/sonarqube-scan-action (SonarSource/sonarqube-scan-action)</summary>

### [`v8.2.0`](https://github.com/SonarSource/sonarqube-scan-action/releases/tag/v8.2.0)

[Compare Source](SonarSource/sonarqube-scan-action@v8.2.0...v8.2.0)

#### What's Changed

- SQSCANGHA-149 Add scannerBinariesAuthHeader input by [@&#8203;henryju](https://github.com/henryju) in [#&#8203;246](SonarSource/sonarqube-scan-action#246)
- SQSCANGHA-88 Deprecate the SONARCLOUD\_URL env variable support by [@&#8203;henryju](https://github.com/henryju) in [#&#8203;249](SonarSource/sonarqube-scan-action#249)
- SQSCANGHA-84 Remove outdated wget/curl references by [@&#8203;henryju](https://github.com/henryju) in [#&#8203;248](SonarSource/sonarqube-scan-action#248)
- SQSCANGHA-135 Fix scanner binaries always re-downloaded due to incompatible 4-part version by [@&#8203;henryju](https://github.com/henryju) in [#&#8203;250](SonarSource/sonarqube-scan-action#250)
- SQSCANGHA-127 Rename downloaded file to .zip before extraction on Windows by [@&#8203;henryju](https://github.com/henryju) in [#&#8203;251](SonarSource/sonarqube-scan-action#251)

**Full Changelog**: <SonarSource/sonarqube-scan-action@v8...v8.2.0>

### [`v8.2`](SonarSource/sonarqube-scan-action@v8.1.0...v8.2.0)

[Compare Source](SonarSource/sonarqube-scan-action@v8.1.0...v8.2.0)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.tainton.uk/repos/epage-go/pulls/12
Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk>
Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>
luketainton pushed a commit to luketainton/repos_roboluke that referenced this pull request Jun 9, 2026
…(#455)

Reviewed-on: https://git.tainton.uk/repos/roboluke/pulls/455
Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk>
Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>
luketainton pushed a commit to luketainton/repos_pypilot that referenced this pull request Jun 18, 2026
…(#453)

Reviewed-on: https://git.tainton.uk/repos/pypilot/pulls/453
Reviewed-by: Luke Tainton <luke@tainton.uk>
Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk>
Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>