SonarSource · julien-carsique-sonarsource · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026
@@ -18,7 +18,7 @@ jobs:
       github.event.pull_request.head.repo.full_name == github.repository
     steps:
       - id: secrets
-        uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+        uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
         with:
           secrets: |
             development/kv/data/jira user | JIRA_USER;

@@ -17,7 +17,7 @@ jobs:
       github.event.pull_request.head.repo.full_name == github.repository
     steps:
       - id: secrets
-        uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+        uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
         with:
           secrets: |
             development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;

@@ -17,7 +17,7 @@ jobs:
       github.event.pull_request.head.repo.full_name == github.repository
     steps:
       - id: secrets
-        uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+        uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
         with:
           secrets: |
             development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;

@@ -20,7 +20,7 @@ jobs:
           || github.event.review.state == 'approved')
     steps:
       - id: secrets
-        uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+        uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
         with:
           secrets: |
             development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;

@@ -33,7 +33,7 @@ jobs:
           ./run_shell_tests.sh
       - name: Vault
         id: secrets
-        uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+        uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
         with:
           secrets: |
             development/kv/data/sonarcloud url | SONAR_URL;

@@ -122,7 +122,7 @@ runs:
       run: |
         echo "ARTIFACTORY_DEPLOYER_ROLE=${ARTIFACTORY_DEPLOYER_ROLE}" >> "$GITHUB_ENV"
 
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       id: secrets
       with:
         # yamllint disable rule:line-length

@@ -127,6 +127,7 @@ runs:
       shell: bash
       id: params
       env:
+        MIXED_PRIVACY: ${{ inputs.mixed-privacy }}
         USER_MAVEN_ARGS: ${{ inputs.maven-args }}
         ARTIFACTORY_DEPLOY_REPO: ${{ inputs.artifactory-deploy-repo != '' && inputs.artifactory-deploy-repo ||
           (github.event.repository.visibility == 'public' || inputs.mixed-privacy == 'true') && 'sonarsource-public-qa' ||
@@ -137,7 +138,7 @@ runs:
       # yamllint disable rule:line-length
       run: |
         {
-          if [[ "${{ inputs.mixed-privacy }}" == 'true' ]]; then
+          if [[ "${MIXED_PRIVACY}" == 'true' ]]; then
             USER_MAVEN_ARGS="${USER_MAVEN_ARGS} -Dartifactory.publish.artifacts=false"
             echo "ARTIFACTORY_PRIVATE_DEPLOY_REPO=${ARTIFACTORY_PRIVATE_DEPLOY_REPO:=sonarsource-private-qa}"
             echo "ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN_VAULT=development/artifactory/token/{REPO_OWNER_NAME_DASH}-${ARTIFACTORY_PRIVATE_DEPLOYER_ROLE:=qa-deployer} access_token | ARTIFACTORY_PRIVATE_DEPLOY_ACCESS_TOKEN;"
@@ -150,7 +151,7 @@ runs:
         echo "SONARSOURCE_REPOSITORY_URL=${ARTIFACTORY_URL}/sonarsource" >> "$GITHUB_ENV"
       # yamllint enable rule:line-length
 
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       id: secrets
       with:
         # yamllint disable rule:line-length

@@ -128,7 +128,7 @@ runs:
         working-directory: ${{ inputs.working-directory }}
         disable-caching: ${{ inputs.cache-npm != 'true' && 'true' || inputs.disable-caching }}
 
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       id: secrets
       # yamllint disable rule:line-length
       with:

@@ -111,7 +111,7 @@ runs:
       with:
         host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
     - name: Cache local Poetry cache
-      uses: SonarSource/gh-action_cache@957cb1f6f70956976b834546bf09839080b5bb00 # v1.2.3
+      uses: SonarSource/gh-action_cache@0fe268e0b670dfb7aea67a0578b317d5a2e26212 # v1.4.1
       if: inputs.disable-caching == 'false'
       with:
         path: ${{ github.workspace }}/${{ inputs.poetry-cache-dir }}
@@ -120,7 +120,7 @@ runs:
     - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
       with:
         version: 2026.3.7
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       id: secrets
       # yamllint disable rule:line-length
       with:
@@ -166,8 +166,9 @@ runs:
         SONAR_PLATFORM: ${{ inputs.sonar-platform }}
         RUN_SHADOW_SCANS: ${{ inputs.run-shadow-scans }}
         JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR: ${{ runner.temp }}/jfrog-summary
+        WORKING_DIRECTORY: ${{ inputs.working-directory }}
       run: |
-        cd "${{ inputs.working-directory }}"
+        cd "${WORKING_DIRECTORY}"
         "$ACTION_PATH_BUILD_POETRY/build.sh"
 
     - name: Generate provenance attestation

@@ -122,15 +122,15 @@ runs:
         working_directory: ${{ inputs.working-directory }}
 
     - name: Cache Yarn dependencies
-      uses: SonarSource/gh-action_cache@957cb1f6f70956976b834546bf09839080b5bb00 # v1.2.3
+      uses: SonarSource/gh-action_cache@0fe268e0b670dfb7aea67a0578b317d5a2e26212 # v1.4.1
       if: ${{ inputs.cache-yarn == 'true' && inputs.disable-caching != 'true' }}
       with:
         path: |
           ~/.yarn
         key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}
         restore-keys: yarn-${{ runner.os }}-
 
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       id: secrets
       # yamllint disable rule:line-length
       with:

@@ -36,7 +36,7 @@ runs:
         echo "::warning:: This action is deprecated and will be removed in future releases." \
           "Please migrate to using the SonarSource/gh-action_cache action directly." >&2
 
-    - uses: SonarSource/gh-action_cache@957cb1f6f70956976b834546bf09839080b5bb00 # v1.2.3
+    - uses: SonarSource/gh-action_cache@0fe268e0b670dfb7aea67a0578b317d5a2e26212 # v1.4.1
       id: cache
       with:
         path: ${{ inputs.path }}

@@ -14,15 +14,17 @@ runs:
   steps:
     - name: Set versions and cache keys
       shell: bash
+      env:
+        JSIGN_VERSION: ${{ inputs.jsign-version }}
       run: |
-        echo "JSIGN_VERSION=${{ inputs.jsign-version }}" >> "$GITHUB_ENV"
-        echo "JSIGN_CACHE_KEY=jsign-${{ inputs.jsign-version }}-${{ runner.os }}" >> "$GITHUB_ENV"
+        echo "JSIGN_VERSION=${JSIGN_VERSION}" >> "$GITHUB_ENV"
+        echo "JSIGN_CACHE_KEY=jsign-${JSIGN_VERSION}-${{ runner.os }}" >> "$GITHUB_ENV"
         echo "SMTOOLS_CACHE_KEY=smtools-linux-x64-${{ runner.os }}" >> "$GITHUB_ENV"
         echo "SMTOOLS_PATH=/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" >> "$GITHUB_ENV"
         echo "JSIGN_CACHE_PATH=/tmp/jsign-cache" >> "$GITHUB_ENV"
 
     - name: Cache code signing tools
-      uses: SonarSource/gh-action_cache@957cb1f6f70956976b834546bf09839080b5bb00 # v1.2.3
+      uses: SonarSource/gh-action_cache@0fe268e0b670dfb7aea67a0578b317d5a2e26212 # v1.4.1
       id: tools-cache
       with:
         path: |
@@ -32,7 +34,7 @@ runs:
 
     - name: Get DigiCert secrets from Vault
       id: secrets
-      uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+      uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       with:
         secrets: |
           development/kv/data/sign/digicert apikey | SM_API_KEY;
@@ -56,6 +58,8 @@ runs:
 
     - name: Setup jsign
       shell: bash
+      env:
+        FORCE_DOWNLOAD_TOOLS: ${{ inputs.force-download-tools }}
       run: |
         echo "Setting up jsign version ${JSIGN_VERSION}..."
         java --version
@@ -64,7 +68,7 @@ runs:
         sudo apt-get update -q
         sudo apt-get install -y default-jre-headless
 
-        if [[ "${{ steps.tools-cache.outputs.cache-hit }}" == "true" && "${{ inputs.force-download-tools }}" != "true" &&
+        if [[ "${{ steps.tools-cache.outputs.cache-hit }}" == "true" && "${FORCE_DOWNLOAD_TOOLS}" != "true" &&
         -f "${JSIGN_CACHE_PATH}/jsign_${JSIGN_VERSION}_all.deb" ]]; then
           echo "Installing jsign from cache..."
           sudo dpkg --install "${JSIGN_CACHE_PATH}/jsign_${JSIGN_VERSION}_all.deb"

@@ -50,12 +50,14 @@ runs:
     - name: Set local action paths
       id: set-path
       shell: bash
+      env:
+        HOST_ACTIONS_ROOT: ${{ inputs.host-actions-root }}
       run: |
         echo "::group::Fix for using local actions"
         echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
         echo "github.action_path=${{ github.action_path }}"
         ACTION_PATH_CONFIG_GRADLE="${{ github.action_path }}"
-        host_actions_root="${{ inputs.host-actions-root }}"
+        host_actions_root="${HOST_ACTIONS_ROOT}"
         if [[ -z "$host_actions_root" ]]; then
           host_actions_root="$(dirname "$ACTION_PATH_CONFIG_GRADLE")"
         else
@@ -91,7 +93,7 @@ runs:
           (github.event.repository.visibility == 'public' && 'public-reader' || 'private-reader') }}
       run: |
         echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV"
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       if: steps.config-gradle-completed.outputs.skip != 'true'
       id: secrets
       with:
@@ -104,7 +106,9 @@ runs:
       id: develocity-hostname
       if: steps.config-gradle-completed.outputs.skip != 'true' && inputs.use-develocity == 'true'
       shell: bash
-      run: echo "hostname=$(echo '${{ inputs.develocity-url }}' | sed -e 's|https://||' -e 's|/$||')" >> $GITHUB_OUTPUT
+      env:
+        DEVELOCITY_URL: ${{ inputs.develocity-url }}
+      run: echo "hostname=$(echo "${DEVELOCITY_URL}" | sed -e 's|https://||' -e 's|/$||')" >> $GITHUB_OUTPUT
 
     - name: Set environment variables for Artifactory authentication
       if: steps.config-gradle-completed.outputs.skip != 'true'
@@ -167,7 +171,7 @@ runs:
       run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"
 
     - name: Gradle Cache
-      uses: SonarSource/gh-action_cache@957cb1f6f70956976b834546bf09839080b5bb00 # v1.2.3
+      uses: SonarSource/gh-action_cache@0fe268e0b670dfb7aea67a0578b317d5a2e26212 # v1.4.1
       if: steps.config-gradle-completed.outputs.skip != 'true' && inputs.disable-caching == 'false'
       with:
         path: ${{ inputs.cache-paths }}

@@ -51,12 +51,14 @@ runs:
     - name: Set local action paths
       id: set-path
       shell: bash
+      env:
+        HOST_ACTIONS_ROOT: ${{ inputs.host-actions-root }}
       run: |
         echo "::group::Fix for using local actions"
         echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
         echo "github.action_path=${{ github.action_path }}"
         ACTION_PATH_CONFIG_MAVEN="${{ github.action_path }}"
-        host_actions_root="${{ inputs.host-actions-root }}"
+        host_actions_root="${HOST_ACTIONS_ROOT}"
         if [[ -z "$host_actions_root" ]]; then
           host_actions_root="$(dirname "$ACTION_PATH_CONFIG_MAVEN")"
         else
@@ -92,7 +94,7 @@ runs:
           (github.event.repository.visibility == 'public' && 'public-reader' || 'private-reader') }}
       run: |
         echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV"
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       if: steps.config-maven-completed.outputs.skip != 'true'
       id: secrets
       with:
@@ -105,7 +107,9 @@ runs:
       id: develocity-hostname
       if: steps.config-maven-completed.outputs.skip != 'true' && inputs.use-develocity == 'true'
       shell: bash
-      run: echo "hostname=$(echo '${{ inputs.develocity-url }}' | sed -e 's|https://||' -e 's|/$||')" >> $GITHUB_OUTPUT
+      env:
+        DEVELOCITY_URL: ${{ inputs.develocity-url }}
+      run: echo "hostname=$(echo "${DEVELOCITY_URL}" | sed -e 's|https://||' -e 's|/$||')" >> $GITHUB_OUTPUT
 
     - name: Set environment variables for Artifactory authentication
       if: steps.config-maven-completed.outputs.skip != 'true'
@@ -178,7 +182,7 @@ runs:
       run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"
 
     - name: Cache local Maven repository
-      uses: SonarSource/gh-action_cache@957cb1f6f70956976b834546bf09839080b5bb00 # v1.2.3
+      uses: SonarSource/gh-action_cache@0fe268e0b670dfb7aea67a0578b317d5a2e26212 # v1.4.1
       if: steps.config-maven-completed.outputs.skip != 'true' && inputs.disable-caching == 'false'
       with:
         path: ${{ inputs.cache-paths }}
@@ -210,7 +214,7 @@ runs:
         COMMON_MVN_FLAGS: ${{ inputs.common-mvn-flags }}
       run: |
         # - 'command mvn' prevents the function from calling itself in a loop.
-        echo 'mvn() { command mvn ${{ env.COMMON_MVN_FLAGS }} "$@"; }' >> "$HOME/.bash_profile"
+        echo "mvn() { command mvn ${COMMON_MVN_FLAGS} \"\$@\"; }" >> "$HOME/.bash_profile"
         echo "BASH_ENV=$HOME/.bash_profile" >> "$GITHUB_ENV"
         echo "MAVEN_OPTS=${MAVEN_OPTS:=-Xmx1536m -Xms128m}" >> "$GITHUB_ENV"
         echo "CONFIG_MAVEN_COMPLETED=$GITHUB_ACTION" >> "$GITHUB_ENV"
@@ -53,12 +53,13 @@ runs:
         ARTIFACTORY_READER_ROLE: ${{ inputs.artifactory-reader-role != '' && inputs.artifactory-reader-role ||
           (github.event.repository.visibility == 'public' && 'public-reader' || 'private-reader') }}
         CACHE_NPM: ${{ inputs.cache-npm }}
+        HOST_ACTIONS_ROOT: ${{ inputs.host-actions-root }}
       run: |
         echo "::group::Fix for using local actions"
         echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
         echo "github.action_path=${{ github.action_path }}"
         ACTION_PATH_CONFIG_NPM="${{ github.action_path }}"
-        host_actions_root="${{ inputs.host-actions-root }}"
+        host_actions_root="${HOST_ACTIONS_ROOT}"
         if [[ -z "$host_actions_root" ]]; then
           host_actions_root="$(dirname "$ACTION_PATH_CONFIG_NPM")"
         else
@@ -92,7 +93,7 @@ runs:
       with:
         version: 2026.3.7
 
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       if: steps.config-npm-completed.outputs.skip != 'true'
       id: secrets
       with:
@@ -125,7 +126,7 @@ runs:
       run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"
 
     - name: Cache NPM dependencies
-      uses: SonarSource/gh-action_cache@957cb1f6f70956976b834546bf09839080b5bb00 # v1.2.3
+      uses: SonarSource/gh-action_cache@0fe268e0b670dfb7aea67a0578b317d5a2e26212 # v1.4.1
       if: steps.config-npm-completed.outputs.skip != 'true' && inputs.disable-caching != 'true' && inputs.cache-npm == 'true'
       with:
         path: ~/.npm

@@ -37,12 +37,14 @@ runs:
     - name: Set local action paths
       id: set-path
       shell: bash
+      env:
+        HOST_ACTIONS_ROOT: ${{ inputs.host-actions-root }}
       run: |
         echo "::group::Fix for using local actions"
         echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
         echo "github.action_path=${{ github.action_path }}"
         ACTION_PATH_CONFIG_PIP="${{ github.action_path }}"
-        host_actions_root="${{ inputs.host-actions-root }}"
+        host_actions_root="${HOST_ACTIONS_ROOT}"
         if [[ -z "$host_actions_root" ]]; then
           host_actions_root="$(dirname "$ACTION_PATH_CONFIG_PIP")"
         else
@@ -73,7 +75,7 @@ runs:
       run: |
         echo "ARTIFACTORY_READER_ROLE=${ARTIFACTORY_READER_ROLE}" >> "$GITHUB_ENV"
 
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       id: secrets
       with:
         secrets: |
@@ -100,7 +102,7 @@ runs:
       run: echo "workflow_name=${WORKFLOW_NAME// /-}" >> "$GITHUB_OUTPUT"
 
     - name: Cache pip dependencies
-      uses: SonarSource/gh-action_cache@957cb1f6f70956976b834546bf09839080b5bb00 # v1.2.3
+      uses: SonarSource/gh-action_cache@0fe268e0b670dfb7aea67a0578b317d5a2e26212 # v1.4.1
       if: inputs.disable-caching == 'false'
       with:
         path: ${{ inputs.cache-paths }}

@@ -16,12 +16,14 @@ runs:
     - name: Set local action paths
       id: set-path
       shell: bash
+      env:
+        HOST_ACTIONS_ROOT: ${{ inputs.host-actions-root }}
       run: |
         echo "::group::Fix for using local actions"
         echo "GITHUB_ACTION_PATH=$GITHUB_ACTION_PATH"
         echo "github.action_path=${{ github.action_path }}"
         ACTION_PATH_GET_BUILD_NUMBER="${{ github.action_path }}"
-        host_actions_root="${{ inputs.host-actions-root }}"
+        host_actions_root="${HOST_ACTIONS_ROOT}"
         if [[ -z "$host_actions_root" ]]; then
           host_actions_root="$(dirname "$ACTION_PATH_GET_BUILD_NUMBER")"
         else
@@ -52,7 +54,7 @@ runs:
         enableCrossOsArchive: true
 
     # Otherwise, increment the build number
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       id: secrets
       if: steps.from-env.outputs.skip != 'true' && steps.current-build-number.outputs.cache-hit != 'true'
       with:

@@ -51,7 +51,7 @@ runs:
     - uses: ./.actions/get-build-number
       with:
         host-actions-root: ${{ steps.set-path.outputs.host_actions_root }}
-    - uses: SonarSource/vault-action-wrapper@3d5c87cb535e4a2c7a09adcbcfdefa751854dee3 # 3.3.0
+    - uses: SonarSource/vault-action-wrapper@c154b4a417b51cb98dd71137f49bf20e77c56820 # 3.4.0
       id: secrets
       with:
         secrets: |