Update sonarqube.yml and removal of gradle keys (#2866)

# Description of Changes

Please provide a summary of the changes, including:

- What was changed
- Why the change was made
- Any challenges encountered

Closes #(issue_number)

---

## Checklist

### General

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md#6-testing)
for more details.

.github/workflows/build.yml

@@ -37,12 +37,6 @@ jobs:
           java-version: ${{ matrix.jdk-version }}
           distribution: "temurin"
 
-      - name: PR | Generate verification metadata with signatures and checksums for dependabot[bot]
-        if: github.event.pull_request.user.login == 'dependabot[bot]'
-        run: |
-          ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256 --refresh-dependencies help
-          ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256,pgp --refresh-keys --export-keys --refresh-dependencies help
-
       - name: Build with Gradle and no spring security
         run: ./gradlew clean build
         env:

.github/workflows/sonarqube.yml

@@ -8,30 +8,71 @@ on:
 
 permissions:
   pull-requests: read
+  actions: read
 name: Run Sonarqube
 jobs:
   sonarqube:
     runs-on: ubuntu-latest
     steps:
-      - name: Analyze with SonarCloud
 
-        # You can pin the exact commit or the version.
-        # uses: SonarSource/[email protected]
-        uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 #v2.2.0
+
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0 
+
+      - name: Set up JDK
+        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Cache SonarCloud packages
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+
+      - name: Cache Gradle packages
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        with:
+          path: ~/.gradle/caches
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
+          restore-keys: ${{ runner.os }}-gradle
+
+      - name: Build and analyze with Gradle
         env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          DOCKER_ENABLE_SECURITY: true
+          STIRLING_PDF_DESKTOP_UI: true
+        run: |
+          ./gradlew clean build sonar \
+            -Dsonar.projectKey=Stirling-Tools_Stirling-PDF \
+            -Dsonar.organization=stirling-tools \
+            -Dsonar.host.url=https://sonarcloud.io \
+            -Dsonar.log.level=DEBUG \
+            --info
+
+      - name: Upload Problems Report on Failure
+        if: failure()
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: gradle-problems-report
+          path: build/reports/problems/problems-report.html
+          retention-days: 7
+
+      - name: Upload Sonar Logs on Failure
+        if: failure()
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
-          # Additional arguments for the SonarScanner CLI
-          args:
-            # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
-            # mandatory
-            -Dsonar.projectKey=Stirling-Tools_Stirling-PDF
-            -Dsonar.organization=stirling-tools
-            # Comma-separated paths to directories containing main source files.
-            #-Dsonar.sources= # optional, default is project base directory
-            # Comma-separated paths to directories containing test source files.
-            #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
-            # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
-            #-Dsonar.verbose= # optional, default is false
-          # When you need the analysis to take place in a directory other than the one from which it was launched, default is .
-          projectBaseDir: .
+          name: sonar-logs
+          path: |
+            .scannerwork/report-task.txt
+            build/sonar/
+          retention-days: 7

.github/workflows/sync_files.yml

@@ -104,16 +104,6 @@ jobs:
           git add README.md
           git diff --staged --quiet || git commit -m ":memo: Sync README.md" || echo "no changes"
 
-      - name: Generate verification metadata with signatures and checksums
-        run: |
-          set -e
-          if [ -f ./gradle/verification-metadata.xml ]; then
-            rm ./gradle/verification-metadata.xml
-          fi
-          ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256 help
-          ./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256,pgp --refresh-keys --export-keys --refresh-dependencies help
-          ./gradlew clean build
-
       - name: Run git add
         run: |
           git add gradle/verification-keyring.keys

DeveloperGuide.md

@@ -585,41 +585,3 @@ In your Thymeleaf templates, use the `#{key}` syntax to reference the new transl
 ```
 
 Remember, never hard-code text in your templates or Java code. Always use translation keys to ensure proper localization.
-
-
-## Managing Dependencies
-
-When adding new dependencies or updating existing ones in Stirling-PDF, follow these steps to ensure proper verification and security:
-
-1. Update the dependency in `build.gradle`:
-```groovy
-dependencies {
-    // Add or update your dependency
-    implementation "com.example:new-library:1.2.3"
-}
-```
-
-2. Generate new verification metadata and keys:
-```bash
-# Generate verification metadata with signatures and checksums
-./gradlew clean dependencies buildEnvironment spotlessApply --write-verification-metadata sha256,pgp
-
-# Export the .keys file
-./gradlew --export-keys
-```
-
-3. Files to commit:
-   - `build.gradle` - Your dependency changes
-   - `gradle/verification-metadata.xml` - Contains verification rules and checksums
-   - `gradle/verification-keyring.keys` - Contains PGP keys in text format
-
-4. Verify the build works with the new verification:
-```bash
-./gradlew build
-```
-
-5. Before committing, check:
-   - Verify any new BOM files are properly handled in verification metadata
-   - Review the changes in `verification-metadata.xml` to ensure they match your dependency updates
-
-This ensures dependencies are properly verified and secure while maintaining transparency in the repository.

build.gradle

@@ -9,6 +9,7 @@ plugins {
     id "com.github.jk1.dependency-license-report" version "2.9"
     //id "nebula.lint" version "19.0.3"
     id("org.panteleyev.jpackageplugin") version "1.6.0"
+    id "org.sonarqube" version "6.0.1.5171"
 }
 
 import com.github.jk1.license.render.*
@@ -34,7 +35,6 @@ java {
 
 repositories {
     mavenCentral()
-    maven { url = "https://jitpack.io" }
     maven { url = "https://build.shibboleth.net/maven/releases" }
     maven { url = "https://maven.pkg.github.com/jcefmaven/jcefmaven" }
 }
@@ -269,6 +269,17 @@ spotless {
     }
 }
 
+sonar {
+    properties {
+        property "sonar.projectKey", "Stirling-Tools_Stirling-PDF"
+        property "sonar.organization", "stirling-tools"
+
+        property "sonar.exclusions", "**/build-wrapper-dump.json, src/main/java/org/apache/**, src/main/resources/static/pdfjs/**, src/main/resources/static/pdfjs-legacy/**, src/main/resources/static/js/thirdParty/**"
+        property "sonar.coverage.exclusions", "src/main/java/org/apache/**, src/main/resources/static/pdfjs/**, src/main/resources/static/pdfjs-legacy/**, src/main/resources/static/js/thirdParty/**"
+        property "sonar.cpd.exclusions", "src/main/java/org/apache/**, src/main/resources/static/pdfjs/**, src/main/resources/static/pdfjs-legacy/**, src/main/resources/static/js/thirdParty/**"
+    }
+}
+
 //gradleLint {
 //        rules=['unused-dependency']
 //    }