Bump SonarSource/sonarqube-scan-action from 5 to 6 in /.github/workflows in the github_actions group across 1 directory

[dependabot]

Bumps the github_actions group with 1 update in the /.github/workflows directory: SonarSource/sonarqube-scan-action.

Updates SonarSource/sonarqube-scan-action from 5 to 6

Release notes

Sourced from SonarSource/sonarqube-scan-action's releases.

v6.0.0

BREAKING CHANGE!

In order to prevent command-line injection, the actions has been rewritten from Bash to JS, and the args input is now parsed differently. When updating to v6, you might have to update your workflow to change how arguments are quoted. For example, if you were previously passing:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      -Dsonar.projectName="My Project"

you should now pass:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      "-Dsonar.projectName=My Project"

For more args passing examples, please refer to the README file

What's Changed

• SQSCANGHA-106 Migrate from Bash to JS by @​jeremy-davis-sonarsource in SonarSource/sonarqube-scan-action#208

Full Changelog: SonarSource/sonarqube-scan-action@v5.3.1...v6.0.0

v5.3.2

Full Changelog: SonarSource/sonarqube-scan-action@v5.3.1...v5.3.2

v5.3.1

OVERLOOKED BREAKING CHANGE!

In order to prevent command-line injection, the way to parse the args input has been changed, but this is possibly a breaking change regarding support of quotes.

For example, if you were previously passing:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      -Dsonar.projectName="My Project"

you should now pass:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      "-Dsonar.projectName=My Project"

... (truncated)

Commits

• fd88b7d SQSCANGHA-119 New Readme structure
• 27a157d SQSCANGHA-118 Update the README to document the breaking change for args parsing
• e327da8 NO-JIRA Add documentation for contribution
• ff001fd SQSCANGHA-107 Migrate install-build-wrapper
• a88c96d SQSCANGHA-107 Make room for install-build-wrapper action
• a642810 SQSCANGHA-112 SQSCANGHA-113 Fixes from review and keytool refactor
• 60aee70 NO-JIRA Disable fail fast on matrix jobs
• 502204e NO-JIRA Fix test assertion
• 0b794a0 SQSCANGHA-112 Delete legacy shell script
• ece10df SQSCANGHA-112 Extract installation step and other fixes
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
airmerge	Ready	Preview	Comment	Oct 12, 2025 11:54pm

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Upgraded code quality scanning in the build pipeline to the latest scanner for improved reliability and compatibility. This change is limited to internal CI processes and does not alter app behavior, features, or performance for end users. No UI updates, data changes, or configuration required; the release remains functionally identical.

Walkthrough

Updated the GitHub Actions build workflow to use SonarSource/sonarqube-scan-action v6 instead of v5, with no other workflow logic changes.

Changes

Cohort / File(s)	Summary
CI workflow .github/workflows/build.yml	Bump SonarQube scan action from v5 to v6; no other workflow steps or logic changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

I twitch my whiskers—version six arrives,
A tidy hop in CI hives.
From five to six, no extra tricks,
The pipeline hums with nimble clicks.
I thump in joy—scan on, scan true,
Carrots for code, and metrics too! 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title clearly identifies the primary change of upgrading the SonarSource/sonarqube-scan-action from version 5 to 6, matching the modifications in the workflow. The mention of the directory and group is related but verbose, yet it does not misrepresent the change. Therefore, it succinctly captures the main update.
Description Check	✅ Passed	The description clearly outlines the dependency bump of SonarSource/sonarqube-scan-action from v5 to v6, includes relevant release notes and context for the breaking change, and provides links for further details. It directly relates to the changeset and supports reviewer understanding. Therefore it satisfies the requirements for a valid PR description.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dependabot/github_actions/dot-github/workflows/github_actions-3e76b0ee14

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 162caa9 and 40dd7b6.

📒 Files selected for processing (1)

• .github/workflows/build.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Codacy Static Code Analysis

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[deepsource-io]

Here's the code health analysis summary for commits 162caa9..40dd7b6. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
Ruby	✅ Success		View Check ↗
Rust	✅ Success		View Check ↗
JavaScript	✅ Success		View Check ↗
Scala	✅ Success		View Check ↗
Shell	✅ Success		View Check ↗
Secrets	✅ Success		View Check ↗
Terraform	✅ Success		View Check ↗
Swift	✅ Success		View Check ↗
SQL	✅ Success		View Check ↗
Test coverage	⚠️ Artifact not reported	Timed out: Artifact was never reported	View Check ↗
C & C++	✅ Success		View Check ↗
C#	✅ Success		View Check ↗
Ansible	✅ Success		View Check ↗

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[LCSOGthb]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.