Code analysis on pull request from forked repository with GitHub Actions

I’m trying to run code analysis on pull requests from a forked repository using GitHub Actions. I have configured the SONAR_TOKEN as a GitHub repository secret and configured the workflow as mentioned in the instructions. However, when the workflow is triggered for the PR, I’m seeing the error below.

Error: Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.0.2155:sonar (default-cli) on project charon-parent: You're not authorized to run analysis. Please contact the project administrator.

When I’m going through the logs, I can see the log lines below.

shell: /usr/bin/bash -e {0}
env:
  JAVA_HOME: /opt/hostedtoolcache/Java_Adopt_jdk/11.0.11-9/x64
  GITHUB_TOKEN: ***
  SONAR_TOKEN: 

This indicates that the SONAR_TOKEN is not picked up properly from the workflow. But it seems this is expected according to the GitHub docs.

Note: With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

What is the solution for this problem?
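A guard step for the workflow in the question, as an added example that is not from the thread, SonarCloud or GitHub: it applies the documented rule above (secrets are withheld on pull_request events from forks) to skip the scanner cleanly instead of failing on an empty SONAR_TOKEN, without moving the job to pull_request_target, which would expose the secret to untrusted fork code. HEAD_REPO and BASE_REPO are assumed env names the workflow sets from the event payload; GITHUB_EVENT_NAME, GITHUB_ACTIONS and GITHUB_OUTPUT are real Actions variables.

```shell
#!/usr/bin/env bash
# Added example, not the thread's or SonarCloud's code. Decides whether the
# Sonar step may run and records the decision for a later `if:` condition.

# should_run_sonar EVENT_NAME HEAD_REPO BASE_REPO TOKEN
# Prints one of: run | skip-fork | skip-no-token. Always returns 0 so the
# guard step itself never fails the job.
should_run_sonar() {
  local event_name="$1" head_repo="$2" base_repo="$3" token="$4"
  # A pull_request whose head repo differs from the base repo is a fork PR.
  # Secrets are withheld there, so the token would be empty: skip, don't fail.
  if [ "$event_name" = "pull_request" ] && [ -n "$head_repo" ] \
     && [ "$head_repo" != "$base_repo" ]; then
    echo skip-fork
    return 0
  fi
  # Empty token on a same-repo run means the secret is not configured at all;
  # report it distinctly so misconfiguration is visible in the log.
  if [ -z "$token" ]; then
    echo skip-no-token
    return 0
  fi
  echo run
}

# Runs only inside GitHub Actions (GITHUB_ACTIONS=true is set by the runner).
# HEAD_REPO and BASE_REPO are assumed to be exported by the workflow from
# github.event.pull_request.head.repo.full_name and github.repository.
guard_main() {
  decision=$(should_run_sonar "${GITHUB_EVENT_NAME:-}" "${HEAD_REPO:-}" \
                              "${BASE_REPO:-}" "${SONAR_TOKEN:-}")
  echo "sonar analysis decision: $decision"
  # Expose the decision as a step output for a later
  # `if: steps.<id>.outputs.sonar == 'run'` condition.
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    echo "sonar=$decision" >> "$GITHUB_OUTPUT"
  fi
}

if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
  guard_main
fi
```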

Hello @maduranga,

Currently we don’t support the analysis of forked PRs; we recognise this is an important feature and have it on our radar.


Hi @TomVanBraband,

Thank you for your response. After creating the thread I found this thread and found this roadmap item. Do you have any plan on when this will be added to SonarCloud?

Regards,
Maduranga.

Hi @TomVanBraband,

In the project board item you shared, it says

Currently on open source projects, it’s not possible to analyze external pull requests (sent by contributors outside of the core development team).

Can you explain a little bit about this? Is there any way to run the analysis for PRs from forks, at least from members of the organization? Or with a paid SonarCloud account?

Regards,
Maduranga.

No, we do not support analysis of forked PRs, even when those PRs come from members of the organization.

The only difference between free and paid accounts is the ability to have private projects, all the other features are exactly the same.

@TomVanBraband Has SonarCloud made any progress with external pull request support?

Hello @egorodet,

Unfortunately we have not managed to prioritise this yet. It’s still pending.