GitHub Actions sonarcloud-github-action permissions issue

In trying GitHub Actions using self-hosted runners, we want to use the official sonarcloud-github-action. While it’s documented for SonarCloud, we were able to successfully get it to do a scan on a GitHub Enterprise Server self-hosted runner and publish to an internal SonarQube instance.

The only issue is that the sonarcloud-github-action leaves behind a .scannerwork directory in the repository directory, owned by root rather than our runner’s service user.

Subsequent runs on the same runner fail since the runner user can’t delete those root-owned files.

This is the actions/checkout@v2 output from a subsequent run:

2021-04-13T21:59:20.0688540Z Syncing repository: test-org/test-repo
2021-04-13T21:59:20.0700408Z ##[group]Getting Git version info
2021-04-13T21:59:20.0701753Z Working directory is '/var/lib/github/work/test-org/test-repo'
2021-04-13T21:59:20.0731284Z [command]/usr/bin/git version
2021-04-13T21:59:20.0780126Z git version 2.31.1
2021-04-13T21:59:20.0798423Z ##[endgroup]
2021-04-13T21:59:20.0804852Z Deleting the contents of '/var/lib/github/work/test-repo/test-repo'
2021-04-13T21:59:20.0865829Z ##[error]Command failed: rm -rf "/var/lib/github/work/test-repo/test-repo/.scannerwork"
rm: cannot remove '/var/lib/github/work/test-repo/test-repo/.scannerwork/.sonar_lock': Permission denied
rm: cannot remove '/var/lib/github/work/test-repo/test-repo/.scannerwork/.sonartmp/eslint-bridge-bundle': Permission denied

This appears to be a bug in the action, though maybe one that doesn’t crop up on GitHub’s public hosted runners.

Can anyone confirm that this is an issue and know where I would report this as a needed fix/enhancement?


Can confirm that we are experiencing the same issue when running a private GitHub runner in Azure.

My current workaround is to override the working directory to keep it inside the container:

-Dsonar.working.directory=/tmp/sonar
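The workaround above in the context of a full workflow, as an added example (not from either poster or from SonarSource): the override is passed through the action’s `args` input, and a final step checks the workspace for files the runner’s service user does not own, so the failure is reported by the job that caused it rather than by the next job’s checkout. The SonarQube host name is a placeholder; `SONAR_TOKEN` and `args` are the action’s documented inputs.

```yaml
name: sonar-scan
on: [push]

jobs:
  scan:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0   # full history so the scanner can compute blame/new-code data

      - name: Sonar scan (scanner work dir kept inside the container)
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          # sonarqube.example.internal is a placeholder for the internal SonarQube host.
          # sonar.working.directory is moved out of the bind-mounted repository so the
          # container (which runs as root) leaves no .scannerwork behind on the runner.
          args: >
            -Dsonar.host.url=https://sonarqube.example.internal
            -Dsonar.working.directory=/tmp/sonar

      - name: Fail if the scan left files the runner user cannot delete
        if: always()
        run: |
          # Anything in the workspace not owned by the service user running this step
          # will make the next actions/checkout cleanup fail with "Permission denied".
          me="$(id -un)"
          foreign="$(find "$GITHUB_WORKSPACE" ! -user "$me" -print)"
          if [ -n "$foreign" ]; then
            echo "::error::files not owned by $me were left in the workspace:"
            echo "$foreign"
            exit 1
          fi
```

The check step is deliberately `if: always()` so a failed scan still reports any root-owned leftovers instead of silently breaking the following run on that runner.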