The whole background:
We moved our company to GitLab.com and to Sonarcloud.io and have a lot of different clients we are working with as implementation partners. We support them with development personnel as well as with development infrastructure, like GitLab and Sonarcloud.
As it is advisable to use service users for integrations, we currently have two sonar service users. One with admin permissions, which is handling our permission synchronisation between gitlab and sonarcloud, and one with only analysis permission, to allow each project to trigger the analysis.
This analysis token is a masked CI/CD variable in GitLab, but as we all know there are always ways to get access to them when a pipeline runs. If you want, you can retrieve them. With this token you can also query the api and inspect which projects are available to the user. With the browse permissions the token user can gather even more information, like assignees, edit status of issues etc. This is actually not just READ permission. It can open doors for client developers to inspect our client base, as we tend not to share this information between our clients. And worst, they could start manipulating sonarcloud information from other clients.
Token rotation will not fix this. What could fix this would be a dedicated service user per project. But this would also result in additional costs, which we are currently trying to prevent.
So waiting for a quality gate to pass in GitLab CI needs not only analysis permissions but also browse permissions. Hence it might be a nice adjustment if a pure analysis user would be able to fetch the quality gate, or at least the information whether it passed or not.
Also an interesting fun fact about this (it made us go nuts): the job errored with
ERROR: Error during SonarScanner execution
ERROR: You're not authorized to run analysis. Please contact the project administrator.
but the background tasks showed us that the job was processed. It was just waitForQualityGate
which was causing this trouble, and the error message is a little bit odd in this case.
I hope this is enough information for now.
Sidenote: maybe I am wrong here at all, and we made a big boo boo in the setup (but it works for all other projects; the only difference is, they do not wait for the qualityGate)
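An added example (not code from the post or from SonarSource): a small least-privilege audit in Python that reports what a CI token can actually reach through the Sonar web API, so the blast radius described above can be checked before a token is handed to a pipeline. It assumes the public sonarcloud.io instance, the token sent as the Basic-auth user name, the endpoints api/authentication/validate, api/components/search_projects and api/projects/search, and the organization key passed as a command-line argument.

```python
import base64
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode

SONAR_URL = "https://sonarcloud.io"  # assumption: the public SonarCloud instance


def fetch_json(token, path, params):
    """GET a Sonar web-API endpoint; the token is sent as the Basic-auth user name.
    Returns the decoded JSON body, or None when the token is refused (HTTP 401/403)."""
    req = urllib.request.Request(f"{SONAR_URL}/{path}?{urlencode(params)}")
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return None
        raise


def token_blast_radius(token, organization, fetch=fetch_json):
    """Summarise what a token can reach. `fetch` is injectable so the logic can be
    exercised against constructed responses without network access."""
    auth = fetch(token, "api/authentication/validate", {})
    if not auth or not auth.get("valid"):
        return {"valid": False, "browsable": [], "admin_listing": False}
    # Projects the token holder may browse: cross-client visibility shows up here.
    browse = fetch(token, "api/components/search_projects",
                   {"organization": organization, "ps": 500}) or {}
    keys = sorted(c["key"] for c in browse.get("components", []))
    # api/projects/search needs administer permission; None means least privilege holds.
    admin = fetch(token, "api/projects/search", {"organization": organization, "ps": 1})
    return {"valid": True, "browsable": keys, "admin_listing": admin is not None}


if __name__ == "__main__":
    # Usage: SONAR_TOKEN=<token> python audit.py <organization-key>
    report = token_blast_radius(os.environ["SONAR_TOKEN"], sys.argv[1])
    print(json.dumps(report, indent=2))
```

A pure analysis token should produce an empty "browsable" list and "admin_listing": false; anything more is the cross-client exposure the post describes.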