Code analysis on pull request from forked repository with GitHub Actions

maduranga · May 29, 2021, 7:05am

I’m trying to run code analysis on pull requests from forked repository using GitHub Actions. I have configured the SONAR_TOKEN as a GitHub repository secret and configured the workflow as mentioned in the instructions. However, when the workflow is triggered for the PR, I’m seeing below error.

Error: Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.0.2155:sonar (default-cli) on project charon-parent: You're not authorized to run analysis. Please contact the project administrator.

When I’m going through the logs, I can see below log lines.

shell: /usr/bin/bash -e {0}
env:
  JAVA_HOME: /opt/hostedtoolcache/Java_Adopt_jdk/11.0.11-9/x64
  GITHUB_TOKEN: ***
  SONAR_TOKEN:

This indicates that the SONAR_TOKEN is not picked properly from the workflow. But seems to be this is expected according to the GitHub docs.

Note: With the exception of GITHUB_TOKEN , secrets are not passed to the runner when a workflow is triggered from a forked repository.

What is the solution for this problem?

TomVanBraband · June 10, 2021, 6:58am

Hello @maduranga,

Currently we don’t support the analysis of forked PRs, we recognise this is important feature and have the feature on our radar.

maduranga · June 10, 2021, 8:05am

Hi @TomVanBraband,

Thank you for your response. After creating the thread I found this thread and found this roadmap item. Do you have any plan on when this will be added to SonarCloud?

Regards,
Maduranga.

maduranga · June 10, 2021, 8:55am

Hi @TomVanBraband,

In the project board item you shared, it says

Currently on open source projects, it’s not possible to analyze external pull requests (sent by contributors outside of the core development team).

Can you explain a little bit about this? Is there any way to run the analysis for PRs from forks at least from members of the organization? Or with a pain SonarCloud account?

Regards,
Maduranga.

TomVanBraband · June 10, 2021, 3:00pm

No, we do not support analysis of forked PRs, even when those PRs come from members of the organization.

The only difference between free and paid accounts is the ability to have private projects, all the other features are exactly the same.

egorodet · January 8, 2024, 10:21am

@TomVanBraband Did Sonar Cloud have any progress with external pull requests support?

TomVanBraband · January 15, 2024, 8:53am

Hello @egorodet,

Unfortunately we have not managed to prioritise this yet. It’s still pending.

mauvilsa · February 13, 2025, 6:08am

I would also like to see this feature. In case it helps on how they implemented, codecov already supports upload of coverage reports without a token, see GitHub - codecov/codecov-action: GitHub Action that uploads coverage to Codecov