So I am confused by the GitHub / Sonar scanner setup that pops up when I switch from automated scanning to “manual with github” (SonarCloud).
I tried to follow those instructions initially, but they don’t work for me because our project uses the general GitHub “fork-and-PR” pull request pattern, and according to Events that trigger workflows - GitHub Docs: "With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository." So the `${{ secrets.SONAR_TOKEN }}` for the Maven setup is not available for any PR that comes from a forked repository.
As a result, we had to switch to `pull_request_target`, which supports secrets on workflows triggered from forked repositories.
However, in this setup, the checkout action does not check out the PR branch but the main branch when the CI pipeline runs. So I ended up with

```yaml
- uses: actions/checkout@v3
  with:
    fetch-depth: 0
    ref: ${{ github.event.pull_request.head.sha }}
```

to enforce checking out the right SHA. For `pull_request`, I see

```text
Checking out the ref
/usr/bin/git checkout --progress --force refs/remotes/pull/<xxx>/merge
Note: switching to 'refs/remotes/pull/<xxx>/merge'.
[...]
```

while `pull_request_target` reports

```text
Checking out the ref
/usr/bin/git checkout --progress --force -B main refs/remotes/origin/main
Switched to a new branch 'main'
branch 'main' set up to track 'origin/main'.
```
The same applies to the actual Sonar scanner run. I run it using Apache Maven with the Sonar Maven plugin but configure most of the parameters in my GitHub workflow file. The Maven plugin is not able to pick up the right branch or pull request information without defining them in my workflow:

```text
-Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
-Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
-Dsonar.scm.revision=${{ github.event.pull_request.head.sha }}
```

So I ended up with this GitHub workflow (note that the `-Psonar` in the Maven execution activates the Sonar plugin and binds it to the `verify` stage of the Maven workflow):
```yaml
on:
  push:
    branches:
      - main
  pull_request_target:
    types:
      - opened
      - reopened
      - synchronize
    branches:
      - main
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-java@v3
        with:
          java-version: 17
          distribution: temurin
          cache: maven
      - name: cache sonar information
        id: cache-sonar
        uses: actions/cache@v3
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
      - name: run sonar analysis
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          MAVEN_CONFIG: >
            -Psonar -B -fae
            -Dsonar.organization=<... my org ...>
            -Dsonar.projectKey=<... my project key ...>
            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
            -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
            -Dsonar.scm.revision=${{ github.event.pull_request.head.sha }}
        run: |
          ./mvnw clean install
```
Is that really the “best” way to do that? It feels convoluted and brittle. Surely I am not the only person who wants to run Sonar for projects that support the regular fork-and-PR workflow.
Grateful for any pointers.
-h
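Caveat on the workflow above: with `pull_request_target`, it checks out the fork's head commit and then runs `./mvnw clean install` in the base repository's context, so the contributor's Maven wrapper, pom plugins and tests execute with `SONAR_TOKEN` and a write-capable `GITHUB_TOKEN` in the environment. The split below is an added example, not from the post or from SonarSource: a `pull_request` job with no secrets executes the untrusted build and uploads `target/classes` plus the PR number, and a `workflow_run` job that holds `SONAR_TOKEN` checks the PR sources out but only reads them with the standalone scanner action instead of running the project's Maven build. Assumptions: a single-module project, the `SonarSource/sonarcloud-github-action` action with its `args` input, and `actions/download-artifact@v4` accepting `run-id` and `github-token`.

```yaml
# --- .github/workflows/build.yml: runs the untrusted PR code and holds no secrets ---
name: build
on: { pull_request: { branches: [main] } }
permissions: { contents: read }   # read-only GITHUB_TOKEN; SONAR_TOKEN never reaches this job
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with: { java-version: 17, distribution: temurin, cache: maven }
      - run: ./mvnw -B -fae clean verify   # untrusted wrapper, pom and tests execute only here
      - run: mkdir -p pr && echo "${{ github.event.pull_request.number }}" > pr/number
      - uses: actions/upload-artifact@v4
        with:
          name: pr-build
          path: |
            pr/
            target/classes/
---
# --- .github/workflows/sonar.yml: holds SONAR_TOKEN but never executes PR code ---
name: sonar
on: { workflow_run: { workflows: [build], types: [completed] } }
permissions: { contents: read }
jobs:
  sonar:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # PR sources are only read by the scanner, never built
        with: { fetch-depth: 0, ref: "${{ github.event.workflow_run.head_sha }}" }
      - uses: actions/download-artifact@v4
        with:
          name: pr-build
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - id: pr   # the artifact came from the untrusted job: keep digits only
        run: echo "number=$(tr -cd '0-9' < pr/number)" >> "$GITHUB_OUTPUT"
      - uses: SonarSource/sonarcloud-github-action@master   # assumed action; reads sources, runs no project code
        env: { GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}", SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}" }
        with:
          args: >
            -Dsonar.organization=<... my org ...> -Dsonar.projectKey=<... my project key ...>
            -Dsonar.sources=src/main/java -Dsonar.java.binaries=target/classes -Dsonar.pullrequest.base=main
            -Dsonar.pullrequest.key=${{ steps.pr.outputs.number }}
            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.head_branch }}
            -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
```

The branch name and SHA are taken from the trusted `workflow_run` payload rather than from the artifact, and the only artifact-derived value (the PR number) is reduced to digits before it is interpolated into a step input.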