Are GITHUB_TOKEN and SONAR_TOKEN environment variables necessary in sonar-scanner-msbuild?

I’m onboarding SonarCloud code coverage for my GitHub Actions-powered .NET project and exposing GITHUB_TOKEN and SONAR_TOKEN as environment variables to the entire build process makes me worried.

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

I searched the GITHUB_TOKEN and SONAR_TOKEN strings in the sonar-scanner-msbuild repo and they only showed up in non-code files. Does that mean that these environment variables are unused and that I can just not use them?

Hey there.

GITHUB_TOKEN is no longer needed – and, it’s a work in progress to remove it from our tutorials.

Strictly speaking SONAR_TOKEN isn’t required, but you’ll have to find a way to pass a token to /d:sonar.login for the dotnet-sonarscanner begin and dotnet-sonarscanner end steps… and we think encrypted secrets are the way to go.

So just removing the envs is fine, thanks!

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.