401 during GH workflow of Gradle sonar task with SonarCloud

@ascheman I think there are two things going on.

  1. For either your project/organization, you probably have Execute Analysis permissions set to Anyone. This is a very bad idea, because it means that anybody (authenticated to SonarQube or not) could run an analysis against your project. Eventually, we want to get rid of this option altogether.

  2. So why is it working with v5 of the Scanner for Gradle but not v6? Probably an error on our part. v6 of the Scanner for Gradle calls an API (to support JRE auto-provisioning) that requires authentication, even if you have granted the Execute Analysis permissions to Anyone.

    Now, this isn’t great – SonarQube Cloud should do what it says it will do (allow anybody to execute analysis). I’ll raise that as an issue for our team to look at. With that being said, I really don’t recommend that you allow anyone to execute analysis.

Now, I still don’t know why, when you set SONAR_TOKEN, you don’t see it configured correctly. In my runs, I see the *** I expect to see.

2024-12-19T12:36:59.2206554Z ##[debug]..Evaluating String:
2024-12-19T12:36:59.2206679Z ##[debug]..=> 'GITHUB_TOKEN'
2024-12-19T12:36:59.2207163Z ##[debug]=> '***'
2024-12-19T12:36:59.2207380Z ##[debug]Result: '***'
2024-12-19T12:36:59.2208024Z ##[debug]Evaluating: secrets.SONAR_TOKEN
2024-12-19T12:36:59.2208126Z ##[debug]Evaluating Index:
2024-12-19T12:36:59.2208216Z ##[debug]..Evaluating secrets:
2024-12-19T12:36:59.2208328Z ##[debug]..=> Object
2024-12-19T12:36:59.2208433Z ##[debug]..Evaluating String:
2024-12-19T12:36:59.2208527Z ##[debug]..=> 'SONAR_TOKEN'
2024-12-19T12:36:59.2208768Z ##[debug]=> '***'
2024-12-19T12:36:59.2208938Z ##[debug]Result: '***'

If I were you, I’d try setting some other variables and seeing if you get the same results (do they show up as null or ***? Is it specific to the Gradle step or does it happen in other steps as well?)

1 Like
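The diagnostic the reply suggests (checking whether the secret actually reaches the step before blaming the Gradle scanner) can be built into the workflow itself. The following is an added example, not part of the original thread or of SonarSource's own documentation; it assumes the project's `build.gradle` already configures the Sonar plugin (`sonar.projectKey`, `sonar.organization`, `sonar.host.url`) and that the token is stored as a repository or organization secret named `SONAR_TOKEN`. The guard step fails early if the secret arrives empty, without ever echoing its value, which keeps the `***` masking irrelevant to the check.

```yaml
name: Sonar analysis

on:
  push:
    branches: [main]
  pull_request:

jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the scanner can compute new-code and blame data

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17

      # Guard step: confirm the secret was injected before running the scanner.
      # It never prints the token. An empty value here means the secret is not
      # defined at the repository/organization level, or the run comes from a
      # fork pull request, where GitHub deliberately withholds secrets.
      - name: Verify SONAR_TOKEN is present
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          if [ -z "$SONAR_TOKEN" ]; then
            echo "::error::SONAR_TOKEN is empty; check the secret definition and the event type (fork PRs do not receive secrets)"
            exit 1
          fi
          echo "SONAR_TOKEN is set"

      # The scanner reads SONAR_TOKEN from the environment, so the Gradle step
      # needs no token on its command line and nothing token-like lands in logs.
      - name: Run Sonar analysis
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew build sonar --info
```

Running this against the same repository as the failing workflow separates the two failure modes in the reply: a red guard step means the secret is not being delivered to the job at all, while a green guard step followed by a 401 from the `sonar` task points at the scanner/API side (or at a token that is present but not valid for the project).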