From b2596fb84a38ac4f3a4d2bd71b6de204b64f83d1 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Tue, 7 Jul 2026 19:58:47 +0000 Subject: [PATCH 1/3] ci(security): bump sonarqube-scan-action v6.0.0 -> v8.2.0 (Node 24) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GitHub Actions warned that SonarSource/sonarqube-scan-action@v6.0.0 targets the deprecated Node.js 20 runtime (forced onto Node 24 on current runners). v8.2.0's action.yml declares `runs: using: node24`, resolving the warning. SHA-pinned per repo convention; the `with: args` interface is unchanged from v6, so this is a drop-in bump. sonarqube-quality-gate-action is left at v1.2.0 — it's a `using: composite` (bash) action with no Node runtime, so it is unaffected by the Node 20 deprecation and v1.2.0 is already its latest release. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/security-scanners.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-scanners.yml b/.github/workflows/security-scanners.yml index ff85eace..98cf27f8 100644 --- a/.github/workflows/security-scanners.yml +++ b/.github/workflows/security-scanners.yml @@ -395,7 +395,7 @@ jobs: --url "http://localhost:9000/api/projects/create?project=my-project&name=MyProject" \ --header 'Authorization: Bearer ${{ env.SONAR_TOKEN }}' - - uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0 + - uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e # v8.2.0 id: sonarqube-scan-action env: SONAR_HOST_URL: http://localhost:9000 From 09396a141f7d0e44dab67c6185b246291cef414b Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Tue, 7 Jul 2026 22:00:09 +0000 Subject: [PATCH 2/3] ci: allow-list LGPL-3.0 sonarqube-scan-action in dependency review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumping sonarqube-scan-action to v8.2.0 changed its pinned SHA, which caused the dependency-review job to re-evaluate it and block on its LGPL-3.0 license (the org's shared amazon-ospo config allows only permissive licenses). The license did not change — it has been LGPL-3.0 since the action's first commit in 2021 — but the SHA change triggered a fresh review. Add an `allow-dependencies-licenses` exception for this specific action. It is a CI-only action we invoke in the pipeline, not code we distribute or link into the published (Apache-2.0) plugins, so its copyleft terms do not reach our output. Pinned to the exact SHA (which is the PURL version dependency-review emits for a SHA-pinned action), so a future version bump re-triggers the license review instead of silently inheriting this exception. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/dependency-review.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 41161696..50929f46 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -14,3 +14,12 @@ jobs: config-file: amazon-ospo/dependency-review-config/default/dependency-review-config.yml@8e4c9fdde54d2b7c6a3a28b97eddd26c4cd90a66 # main # # distlib # allow-dependencies-licenses: "pkg:pypi/distlib@0.4.0" + # + # SonarSource/sonarqube-scan-action is LGPL-3.0, which is not on the + # org's permissive-only allow-licenses list. It is a CI-only action we + # invoke in the pipeline — not code we distribute or link into the + # published plugins — so its copyleft terms do not reach our Apache-2.0 + # output. Pinned to the exact SHA (= the dependency-review PURL version + # for a SHA-pinned action), so any future version bump re-triggers the + # license review rather than silently inheriting this exception. + allow-dependencies-licenses: "pkg:githubactions/SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e" From 3a8d0ba39451925609cd7ce35e638be820a71bbc Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Tue, 7 Jul 2026 22:11:48 +0000 Subject: [PATCH 3/3] ci: drop stale distlib example comment from dependency-review The commented-out distlib `allow-dependencies-licenses` example was placeholder scaffolding; now that a real allow entry (sonarqube-scan-action) documents the usage, the example is redundant noise. Remove it. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/dependency-review.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index cee4b605..147ea8db 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -12,9 +12,6 @@ jobs: - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 with: config-file: amazon-ospo/dependency-review-config/default/dependency-review-config.yml@8e4c9fdde54d2b7c6a3a28b97eddd26c4cd90a66 # main - # # distlib - # allow-dependencies-licenses: "pkg:pypi/distlib@0.4.0" - # # SonarSource/sonarqube-scan-action is LGPL-3.0, which is not on the # org's permissive-only allow-licenses list. It is a CI-only action we # invoke in the pipeline — not code we distribute or link into the