GHA-193 Update for sonar-java: use latest rule-api and add post-update step

[tomasz-tylenda-sonarsource]

No description provided.

[hashicorp-vault-sonar-prod]

GHA-193

[nils-werner-sonarsource]

LGTM! Thanks also for the 2 hardcoded STL specific things.

[sonarqubecloud]

SonarQube reviewer guide

Summary: Enhance the update-rule-metadata action with flexible rule-api versioning, configurable RSpec token suffix, additional post-update hooks, and customizable PR labels.

Review Focus:

• The rule-api version handling now supports downloading the latest release when empty (lines 60-74 in action.yml). Ensure the jfrog CLI integration and manifest parsing are robust.
• New rspec-token-suffix input allows dynamic vault secret paths, requiring careful review of the GitHub Actions string interpolation in both files.
• The post-update script execution (lines 189-192) runs arbitrary user input—verify this doesn't introduce security risks.

Start review at: update-rule-metadata/action.yml. This file defines all new inputs and orchestrates the core workflow changes, making it essential to understand the contract and flow before reviewing the implementation details in the workflow test file.

💬 Please send your feedback

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[tomasz-tylenda-sonarsource]

We discussed this change offline and decide to merge as is.

The action could be simplified in future if we standardize rspec token suffix.