GitHub Actions sonarcloud-github-action permissions issue

In trying GitHub Actions using self-hosted runners, we want to use the official sonarcloud-github-action. While it’s documented for SonarCloud, we were able to successfully get it to do a scan on a GitHub Enterprise Server self-hosted runner and publish to an internal SonarQube instance.

The only issue is that the sonarcloud-github-action leaves behind a .scannerwork directory in the repository directory, owned by root rather than our runner’s service user.

Subsequent runs on the same runner fail since the runner user can’t delete those root-owned files.

This is the actions/checkout@v2 output from a subsequent run:

2021-04-13T21:59:20.0688540Z Syncing repository: test-org/test-repo
2021-04-13T21:59:20.0700408Z ##[group]Getting Git version info
2021-04-13T21:59:20.0701753Z Working directory is '/var/lib/github/work/test-org/test-repo'
2021-04-13T21:59:20.0731284Z [command]/usr/bin/git version
2021-04-13T21:59:20.0780126Z git version 2.31.1
2021-04-13T21:59:20.0798423Z ##[endgroup]
2021-04-13T21:59:20.0804852Z Deleting the contents of '/var/lib/github/work/test-repo/test-repo'
2021-04-13T21:59:20.0865829Z ##[error]Command failed: rm -rf "/var/lib/github/work/test-repo/test-repo/.scannerwork"
rm: cannot remove '/var/lib/github/work/test-repo/test-repo/.scannerwork/.sonar_lock': Permission denied
rm: cannot remove '/var/lib/github/work/test-repo/test-repo/.scannerwork/.sonartmp/eslint-bridge-bundle': Permission denied

This appears to be a bug in the action, though maybe one that doesn’t crop up on GitHub’s public hosted runners.

Can anyone confirm that this is an issue, and does anyone know where I would report this as a needed fix/enhancement?


Can confirm that we are experiencing the same issue when running a private GitHub runner in Azure.

My current workaround is to override the working directory to keep it inside the container:

Running into the same issue with the sonarqube-scan-action. The above does get past this, but not sure this should be the qualified solution. The .scannerwork should use the same user as the service running it.

It works fine for me on (I think it will work with sonarqube too):

  1. Add file into repository
  2. Add into file


I had the same issue as you.
Before finding your post I made a pull request to fix the issue on the official action: fix: use post-entrypoint script to run cleanup tasks by bsvobodny · Pull Request #33 · SonarSource/sonarqube-scan-action · GitHub

Is there someone from the SonarSource Team who can look at my pull request?