SQSCANGHA-76 Support self-hosted runners not clearing truststore afte…

…r run

.github/workflows/qa-main.yml

@@ -619,9 +619,9 @@ jobs:
       - name: Assert failure of previous step
         if: steps.wrong_ssl_certificate.outcome == 'success'
         run: exit 1
-  overridesScannerLocalFolderWhenPresent:
+  overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
     name: >
-      'SCANNER_LOCAL_FOLDER' is overridden with warning when present
+      'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -653,4 +653,31 @@ jobs:
         run: |
           [ -d "$SCANNER_LOCAL_FOLDER" ] || exit 1
           [ ! -f "$SCANNER_LOCAL_FOLDER/some_content.txt" ] || exit 1
-
+  overridesSonarSslFolderWhenPresent: # can happen in uncleaned self-hosted runners
+    name: >
+      'SONAR_SSL_FOLDER' is cleaned with warning when present
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create SONAR_SSL_FOLDER with truststore.p12 file in it
+        run: |
+          SONAR_SSL_FOLDER=~/.sonar/ssl
+          mkdir -p "$SONAR_SSL_FOLDER"
+          touch "$SONAR_SSL_FOLDER/truststore.p12"
+          # emit SONAR_SSL_FOLDER to be able to read it in the next steps
+          echo "SONAR_SSL_FOLDER=$SONAR_SSL_FOLDER" >> $GITHUB_ENV
+      - name: Assert truststore.p12 file exists
+        run: |
+          [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
+      - name: Run action
+        uses: ./
+        env:
+          # NO_CACHE not needed, as SONAR_SSL_FOLDER is setup when the Sonar Scanner is run, not installed 
+          SONAR_HOST_URL: http://not_actually_used
+        with:
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
+      - name: Assert truststore.p12 doesn't exists anymore
+        run: |
+          [ ! -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1

scripts/run-sonar-scanner-cli.sh

@@ -21,15 +21,22 @@ if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
   scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
 fi
 
+# The SSL folder may exist on an uncleaned self-hosted runner
+SONAR_SSL_FOLDER=~/.sonar/ssl
+if [ -d "$SONAR_SSL_FOLDER" ]; then
+  echo "::warning title=SonarScanner::Cleaning existing SSL folder: $SONAR_SSL_FOLDER"
+  rm -rf "$SONAR_SSL_FOLDER"
+fi
+
 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
   echo "Adding SSL certificate to the Scanner truststore"
   rm -f $RUNNER_TEMP/tmpcert.pem
   echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
   # Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
   # keytool require a password > 6 characters, so we wan't use the default password 'sonar'
   store_pass=changeit
-  mkdir -p ~/.sonar/ssl
-  $SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore ~/.sonar/ssl/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
+  mkdir -p "$SONAR_SSL_FOLDER"
+  $SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore $SONAR_SSL_FOLDER/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
   scanner_args+=("-Dsonar.scanner.truststorePassword=$store_pass")
 fi