Github Action CI Build Fail with set the SONAR_TOKEN env variable

I am using Github Actions to configure sonar cloud

Following is snippet of the code
steps:
- uses: actions/checkout@v2
- name: Use Node.js {{ matrix.node-version }} uses: actions/setup-node@v1 with: node-version: {{ matrix.node-version }}
- name: SonarCloud Scan
uses: sonarsource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: {{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: {{ env.SONAR_TOKEN }}

Following is the sonar-project.propertiest
sonar.organization=“react-hook-form”
sonar.projectKey=“react-hook-form_error-message”
sonar.sources="./src"

Available on this PR

The Build Fail but I can see Sonar cloud being analyse on
https://sonarcloud.io/dashboard?id=react-hook-form_error-message&pullRequest=31

The reason fail is because in entry point.sh, it is checking for variable SONAR_TOKEN

I think there is an error there, it should be env.SONAR_TOKEN. I create a PR to fix this error

Hello and welcome to the community forum!

I think the issue comes from how you setup your action, the SONAR_TOKEN should come from secrets.SONAR_TOKEN and not from env.SONAR_TOKEN. Also the SONAR_TOKEN secret should correctly be defined in your repositories secrets: https://github.com/react-hook-form/error-message/settings/secrets/actions

Also thanks for your PR, but we can’t accept it, the issue is with your configuration, not the action.

I have another PR based on Secret. Please have a look. Fix Set SONAR_TOKEN env variable error by rcmlee99 · Pull Request #16 · SonarSource/sonarcloud-github-action · GitHub

@Gregoire_Aubert Please have a look at previous PR using secret Fix Set SONAR_TOKEN env variable error by rcmlee99 · Pull Request #16 · SonarSource/sonarcloud-github-action · GitHub

Our build CI cannot complete due to this bug.
Thanks.

This PR: update with properties file by bluebill1049 · Pull Request #29 · react-hook-form/error-message · GitHub that you last shared withj me seems to be correctly setup.
We can see the PR decoration from SonarCloud in there, so it means the token was correctly used:

But you didn’t merge this PR, just closed it.

We could not merge it because the Build CI is complaining the Set SONAR TOKEN and it failed it !

Looking again at your PR I think your problem is that you are trying to use both the Automatic Analysis and the Github Action, I don’t see any error related to SONAR_TOKEN, here is what I see:

You should try again with this PR, disable the Automatic Analysis in your project settings on SonarCloud and make sure your SONAR_TOKEN secret is well defined in your Github Repository settings.

@Gregoire_Aubert If you look at my latest PR Bugfix/remove set sonar token by rcmlee99 · Pull Request #18 · SonarSource/sonarcloud-github-action · GitHub. Remove the check, the Builld CI will pass and merge successfully. The check Sonar_Token is not needed because we already define.

@Gregoire_Aubert Please look at this Updated yaml by rcmlee99 · Pull Request #30 · react-hook-form/error-message · GitHub.

Thank you.

@Gregoire_Aubert Let’s try one more time fresh PR for react-hook-form/error-message.

This new PR Implement Sonar Cloud by rcmlee99 · Pull Request #32 · react-hook-form/error-message · GitHub

as you can see, all pass except building CI part

And successful sonar cloud analysis
https://sonarcloud.io/dashboard?id=react-hook-form_error-message&pullRequest=32

our yaml file

name: CI
on: 
  push:
    branches: 
      - master
      - feature/*
  pull_request:
    # The branches below must be a subset of the branches above
    branches:
      - master
      - feature/*
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [12.x]
    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: SonarCloud Scan
        uses: sonarsource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

On your last try, you still have the Automatic Analysis enabled, you should disable it.

Also in your check that fail I can indeed now see the missing SONAR_TOKEN value: image

Can you please double check that it’s defined in your repository settings like this:

What do you mean disable automatic analysis one or the other?

@Gregoire_Aubert yes, it has been set. Our secrets SONAR_TOKEN has been set correctly otherwise the sonar cloud analyse wouldn’t be succesful. You need to modify entrypoint.sh to reflect the correct token or remove it altogether.

The proposed changes in your PR will not work @rcmlee99. Passing secrets to a GitHub action is always done by using the with or env clauses when invoking an action (see GitHub documentation here). Otherwise any GitHub action could read whichever encrypted secret it wants to, which is obviously not secure.

The configuration described here works for all of our users, there is no change needed on our side. Please read our comments carefully.

There are two issues as reported by @Gregoire_Aubert:

  1. You currently have Automatic Analysis enabled for your repository. This means that on every commit on your main branch or PR we will run an analysis for you. This means you do not have to launch an analysis with GitHub actions. We do not support having Automatic Analysis enabled and simultaneously running an analysis in your CI. Please read the Automatic Analysis documentation page carefully and see if this fits your use case. If so, you do not have make any more changes on your side.
  2. image
    This indicates that the SONAR_TOKEN secret is very probably not correctly set-up on your side, otherwise it would have shown *** instead.

Could you please decide if you want to use Automatic Analysis or not, and we’ll take further from there.

3 Likes

We set the secret SONAR_TOKEN. It is still not working.

I just noticed that you are working with external (forked) PRs. As mentioned in the GitHub screenshot you shared:

Secrets are not passed to workflows that are triggered by a pull request from a fork

Tom,
I’m seeing the same thing in my REPO and I have the following in my git action:

  • name: SonarCloud Scan
    uses: sonarsource/sonarcloud-github-action@v1.4
    env:
    SONAR_TOKEN: {{ secrets.SONAR_TOKEN }} GITHUB_TOKEN: {{ secrets.GITHUB_TOKEN }}

So are you saying that if a workflow is triggered by a pull request from a fork (which is how must opensource projects work) that we cannot use ANY secret?? That seems very limiting

GitHub allows to change this default behavior.

1 Like

Just to make sure I understand: you’re saying that now it’s possible to run SonarCloud analysis on an external PR?