I have created a SonarCloud GitHub action integration and it works fine when I push code to my repository.
But when Dependabot submits a pull request and the scan starts, I always get this error:
“The format of the analysis property sonar.token= is invalid”
So, apparently, after many wasted hours, the problem is in the GitHub Action script you generate for me in SonarCloud:
name: SonarQube
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
A solution is to change the trigger from pull_request to pull_request_target, or to improve the guidance and documentation, and perhaps also the generated GitHub Action template in SonarCloud.
The problem is that the SONAR_TOKEN secret is not provided to the script when Dependabot creates the PR.
Or perhaps include some helpful hints in the error message, guiding developers on how to troubleshoot this.
I wish I didn’t have to waste many hours on this problem.
Avoid using this event if you need to build or run code from the pull request.
So I don’t think that this is the appropriate event to trigger PR analysis, since the SonarQube Scanner should be analyzing the code in the PR.
All of that said:
I can understand this happening if Dependabot is forking the repo and making its changes in the fork before submitting a PR… but in my experience with Dependabot, a branch is created on the repo itself (no fork). And therefore the workflow has access to repo secrets (like SONAR_TOKEN). Does it work differently in your project?
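Added example (not part of the thread above and not SonarCloud's generated template). Dependabot does push its branches to the repository itself, as the reply says, but a workflow triggered by the dependabot[bot] actor only receives the repository's Dependabot secrets (Settings > Secrets and variables > Dependabot), not its Actions secrets, so `secrets.SONAR_TOKEN` resolves to an empty string on those PRs and the scanner reports the `sonar.token=` format error. The workflow below keeps the `pull_request` trigger, fails early with a message that names the actual cause, and shows the two ways to deal with Dependabot PRs without moving to `pull_request_target` (which would hand base-branch secrets to a job that checks out untrusted PR code). The scan action reference and its version are assumptions; use whatever SonarCloud generates for you.

```yaml
# Added example, not SonarCloud's template or the poster's file.
# Trigger stays pull_request: the job runs in the PR head's context, so a
# dependabot[bot]-opened PR only sees Dependabot secrets. pull_request_target
# would supply base-branch secrets, but GitHub warns against building or running
# PR code under that event, and a scan job normally checks out that code.
name: SonarQube
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history; a shallow clone degrades new-code detection

      # Fail with a readable message instead of the scanner's
      # "The format of the analysis property sonar.token= is invalid".
      # Fix 1: add SONAR_TOKEN as a *Dependabot* secret as well; then this
      # step passes on Dependabot PRs because secrets.SONAR_TOKEN is filled
      # from the Dependabot secret store for dependabot[bot] events.
      - name: Check that SONAR_TOKEN is available
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          if [ -z "${SONAR_TOKEN}" ]; then
            echo "::error::SONAR_TOKEN is empty for actor '${GITHUB_ACTOR}'." \
                 "If this is dependabot[bot], add SONAR_TOKEN under Dependabot secrets too."
            exit 1
          fi

      # Fix 2 (alternative): do not analyze Dependabot PRs at all.
      # Uncomment the `if:` line and drop the check step above.
      - name: SonarQube scan
        # if: github.actor != 'dependabot[bot]'
        uses: SonarSource/sonarqube-scan-action@v5  # assumption: match the action SonarCloud generates
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: https://sonarcloud.io
```

Either fix keeps the PR job in the head-branch context, so a malicious dependency bump in a PR never runs with more than the Dependabot secrets you chose to expose to it.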