action-allowlist-review: bump SonarSource/sonarqube-scan-action from 7.1.0 to 8.0.0 in /.github/actions/for-dependabot-triggered-reviews

[dependabot]

Bumps SonarSource/sonarqube-scan-action from 7.1.0 to 8.0.0.

Release notes

Sourced from SonarSource/sonarqube-scan-action's releases.

v8.0.0

What's Changed

Breaking change

• SQSCANGHA-145 Set skipSignatureVerification default value to false by @​antoine-vinot-sonarsource in SonarSource/sonarqube-scan-action#241

Full Changelog: SonarSource/sonarqube-scan-action@v7...v8.0.0

v7.2.1

What's Changed

• SQSCANGHA-140 Set skipSignatureVerification default value to true to avoid breaking change by @​gmmcal in SonarSource/sonarqube-scan-action#240

Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.2.1

v7.2.0

What's Changed

• SQSCANGHA-133 Upgrade the Node version used in UTs + contribution guide by @​claire-villard-sonarsource in SonarSource/sonarqube-scan-action#226
• SC-45750 Migrate to dateless license headers by @​claire-villard-sonarsource in SonarSource/sonarqube-scan-action#229
• SQSCANGHA-134 Upgrade the libraries to latest version by @​claire-villard-sonarsource in SonarSource/sonarqube-scan-action#227
• SQSCANGHA-138 Update dist and add ci test by @​antoine-vinot-sonarsource in SonarSource/sonarqube-scan-action#233
• SQSCANGHA-140 Add OpenPGP signature verification for scanner downloads by @​claire-villard-sonarsource in SonarSource/sonarqube-scan-action#235

Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.2.0

Commits

• 59db25f SQSCANGHA-145 Set skipSignatureVerification default value to false (#241)
• ca30b65 SQSCANGHA-143 SubmitReview: Use Vault token (#238)
• c7ee0f9 SQSCANGHA-140 Set skipSignatureVerification default value to true to avoid br...
• 55e4480 SQSCANGHA-140 Add OpenPGP signature verification for scanner downloads (#235)
• 30dbe5c SQSCANGHA-138 Update dist and add ci test (#233)
• c835722 SQSCANGHA-134 Upgrade the libraries to latest version (#227)
• f00de44 SC-45750 Migrate to dateless license headers (#229)
• f099b44 SQSCANGHA-133 Upgrade the Node version used in UTs + contribution guide (#226)
• d899ed2 BUILD-10861 Dependabot 5-day cooldown + internal excludes (#225)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[potiuk]

LGTM. The repo-side diff is just the SHA + version bump, but flagging what the verify workflow's "Source diff vs approved" surfaces, since v7.1.0 → v8.0.0 spans 9 upstream commits / 49 files and the diff looks alarmingly large at first glance.

Most of the bulk comes from v7.2.0, not from the v8.0.0 breaking change itself:

1. OpenPGP signature verification feature (v7.2.0)

• New src/main/gpg-verification.js (240 lines) + tests (~700 lines)
• Wired into install-sonar-scanner.js / run-sonar-scanner.js

2. Library upgrades + bundle reorganization (v7.2.0)

• dist/index.js re-bundled (+3950 / −2399)
• Two new code-split chunks: dist/core-DpWEmnbG.js (~30k lines) and dist/exec-zlpfwmpH.js (~32k lines) — that's bundled undici being split out. The BalancedPool / FastTimer / IMFDays strings showing up in the verify log are undici internals, not Sonar code.
• rollup.config.js updated to enable the code-split

3. "Migrate to dateless license headers" (v7.2.0)

• Adds an 18-line GNU LGPL header block to ~15 files. Explains why files like test/example-project/src/main.js (a "Hello World") show +18 lines with no real logic change.

4. Misc CI/infra (v7.2.0) — Node version bump in UTs, dependabot cooldown, Vault token for SubmitReview. Mechanical.

5. v8.0.0 itself — one-line behavior flip: skipSignatureVerification default true → false. README updated with opt-out.

Verifying mitigations:

• ✅ verify workflow's "JS build verification" passed → the giant dist/ chunks are the genuine output of rollup over the source tree, not injected.
• ✅ Lock file present.

Two things genuinely worth a closer look:

• src/main/gpg-verification.js — new security-relevant code path (worth eyeballing once)
• Behavior change in v8.0.0: signature verification is now ON by default. Consumers who relied on the old default and whose CI can't reach the keyserver will now fail. This is the more secure default; just calling it out.

[potiuk]

Reviewed both - with agent and eyeballing the changes.. Looks good.