Github Action CI Build Fail with set the SONAR_TOKEN env variable

rcmlee99 · February 20, 2021, 9:13pm

I am using Github Actions to configure sonar cloud

Following is snippet of the code
steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v1
with:
node-version: ${{ matrix.node-version }}
- name: SonarCloud Scan
uses: sonarsource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ env.SONAR_TOKEN }}

Following is the sonar-project.propertiest
sonar.organization=“react-hook-form”
sonar.projectKey=“react-hook-form_error-message”
sonar.sources="./src"

Available on this PR

The Build Fail but I can see Sonar cloud being analyse on
https://sonarcloud.io/dashboard?id=react-hook-form_error-message&pullRequest=31

The reason fail is because in entry point.sh, it is checking for variable SONAR_TOKEN

I think there is an error there, it should be env.SONAR_TOKEN. I create a PR to fix this error

Gregoire_Aubert · February 22, 2021, 9:50am

Hello and welcome to the community forum!

I think the issue comes from how you setup your action, the SONAR_TOKEN should come from secrets.SONAR_TOKEN and not from env.SONAR_TOKEN. Also the SONAR_TOKEN secret should correctly be defined in your repositories secrets: https://github.com/react-hook-form/error-message/settings/secrets/actions

Also thanks for your PR, but we can’t accept it, the issue is with your configuration, not the action.

rcmlee99 · February 22, 2021, 9:56am

I have another PR based on Secret. Please have a look. Fix Set SONAR_TOKEN env variable error by rcmlee99 · Pull Request #16 · SonarSource/sonarcloud-github-action · GitHub

rcmlee99 · February 22, 2021, 10:10am

@Gregoire_Aubert Please have a look at previous PR using secret Fix Set SONAR_TOKEN env variable error by rcmlee99 · Pull Request #16 · SonarSource/sonarcloud-github-action · GitHub

Our build CI cannot complete due to this bug.
Thanks.

Gregoire_Aubert · February 22, 2021, 10:31am

This PR: update with properties file by bluebill1049 · Pull Request #29 · react-hook-form/error-message · GitHub that you last shared withj me seems to be correctly setup.
We can see the PR decoration from SonarCloud in there, so it means the token was correctly used:

But you didn’t merge this PR, just closed it.

rcmlee99 · February 22, 2021, 10:33am

We could not merge it because the Build CI is complaining the Set SONAR TOKEN and it failed it !

Gregoire_Aubert · February 22, 2021, 10:52am

Looking again at your PR I think your problem is that you are trying to use both the Automatic Analysis and the Github Action, I don’t see any error related to SONAR_TOKEN, here is what I see:

You should try again with this PR, disable the Automatic Analysis in your project settings on SonarCloud and make sure your SONAR_TOKEN secret is well defined in your Github Repository settings.

rcmlee99 · February 22, 2021, 10:55am

@Gregoire_Aubert If you look at my latest PR Bugfix/remove set sonar token by rcmlee99 · Pull Request #18 · SonarSource/sonarcloud-github-action · GitHub. Remove the check, the Builld CI will pass and merge successfully. The check Sonar_Token is not needed because we already define.

rcmlee99 · February 22, 2021, 10:58am

@Gregoire_Aubert Please look at this Updated yaml by rcmlee99 · Pull Request #30 · react-hook-form/error-message · GitHub.

Thank you.

rcmlee99 · February 22, 2021, 11:09am

@Gregoire_Aubert Let’s try one more time fresh PR for react-hook-form/error-message.

This new PR Implement Sonar Cloud by rcmlee99 · Pull Request #32 · react-hook-form/error-message · GitHub

as you can see, all pass except building CI part

And successful sonar cloud analysis
https://sonarcloud.io/dashboard?id=react-hook-form_error-message&pullRequest=32

our yaml file

name: CI
on: 
  push:
    branches: 
      - master
      - feature/*
  pull_request:
    # The branches below must be a subset of the branches above
    branches:
      - master
      - feature/*
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [12.x]
    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: SonarCloud Scan
        uses: sonarsource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Gregoire_Aubert · February 22, 2021, 11:16am

On your last try, you still have the Automatic Analysis enabled, you should disable it.

Also in your check that fail I can indeed now see the missing SONAR_TOKEN value:

Can you please double check that it’s defined in your repository settings like this:

rcmlee99 · February 22, 2021, 11:22am

What do you mean disable automatic analysis one or the other?

rcmlee99 · February 22, 2021, 11:32am

@Gregoire_Aubert yes, it has been set. Our secrets SONAR_TOKEN has been set correctly otherwise the sonar cloud analyse wouldn’t be succesful. You need to modify entrypoint.sh to reflect the correct token or remove it altogether.

TomVanBraband · February 22, 2021, 1:20pm

The proposed changes in your PR will not work @rcmlee99. Passing secrets to a GitHub action is always done by using the with or env clauses when invoking an action (see GitHub documentation here). Otherwise any GitHub action could read whichever encrypted secret it wants to, which is obviously not secure.

The configuration described here works for all of our users, there is no change needed on our side. Please read our comments carefully.

There are two issues as reported by @Gregoire_Aubert:

You currently have Automatic Analysis enabled for your repository. This means that on every commit on your main branch or PR we will run an analysis for you. This means you do not have to launch an analysis with GitHub actions. We do not support having Automatic Analysis enabled and simultaneously running an analysis in your CI. Please read the Automatic Analysis documentation page carefully and see if this fits your use case. If so, you do not have make any more changes on your side.
This indicates that the SONAR_TOKEN secret is very probably not correctly set-up on your side, otherwise it would have shown *** instead.

Could you please decide if you want to use Automatic Analysis or not, and we’ll take further from there.

rcmlee99 · February 24, 2021, 10:14pm

We set the secret SONAR_TOKEN. It is still not working.

TomVanBraband · February 25, 2021, 7:13am

I just noticed that you are working with external (forked) PRs. As mentioned in the GitHub screenshot you shared:

Secrets are not passed to workflows that are triggered by a pull request from a fork

jayfray12 · March 1, 2021, 2:06pm

Tom,
I’m seeing the same thing in my REPO and I have the following in my git action:

name: SonarCloud Scan
uses: sonarsource/sonarcloud-github-action@v1.4
env:
SONAR_TOKEN: {{ secrets.SONAR_TOKEN }} GITHUB_TOKEN: {{ secrets.GITHUB_TOKEN }}

So are you saying that if a workflow is triggered by a pull request from a fork (which is how must opensource projects work) that we cannot use ANY secret?? That seems very limiting

Malena_Ebert · March 8, 2021, 10:00am

GitHub allows to change this default behavior.

LorenzoBettini · July 27, 2021, 12:25pm

Just to make sure I understand: you’re saying that now it’s possible to run SonarCloud analysis on an external PR?

RCheesley · February 4, 2022, 9:35am

I came across this post as we have the same issue with our GitHub repo - we operate an external fork model for contributions and as a result the token is not being picked up.

Example here. This worked fine on a forked repo but as soon as the PR is made, it’s failing the tests despite the token being present in the repo.

In the post mentioned above, it seems that there are new options for public repos to use pull_request_target rather than pull_request - should we explore this route?