We recently upgraded from 8.9.6 LTS to 9.9.0 LTS, using the docker-sonarqube enterprise installation. We are using GitHub Enterprise and Jenkins CI.
Ever since the upgrade our Quality Gate reporting to PRs has not functioned. We believe the root cause is due to an authentication issue with the DevOps Platform Integration settings.
We were using a GitHub App and registered it with SonarQube under Configuration → General Settings → DevOps Platform Integration → GitHub as per this documentation.
I am consistently seeing “Authentication failed, verify the Client Id, Client Secret and Private Key fields” when clicking on “check configuration”
I have done the following:
- Regenerated the client secret and private key multiple times (key added both with and without the ‘begin key’ header/footers and terminating newline)
- Double checked the App ID and Client ID
- Ensured using correct GitHub API URL (is https://<instance URL>/api/v3 )
- Ensured using HTTPS protocol
- The Callback URL is now the base URL and we removed the “/oauth2/callback” suffix, as per the docs
- Updated the permissions required as per the docs
- Removed the Webhook URL as per the docs
- Created a new GitHub App from scratch (also fails with the same error)
We can log in using our GitHub credentials so authentication isn’t an issue for devs to connect to the server.
Quality Gate reporting and authentication with the GitHub App worked fine on 8.9.6 LTS.
Any insights on what else I can try or what terms I can search in the logs for clues?
Many thanks in advance
Is there anything “helpful” on your network between SonarQube and GitHub that might be interfering?
No, there isn’t anything between SonarQube and GitHub that could be interfering.
More things we’ve tried:
- Re-enabled the webhook and added a webhook secret since the logs in web.log stated “2023.03.14 17:33:47 WARN web[AYbcRuoL0yMVBBdKCF/k][o.s.s.a.GithubWebhookAuthentication] Unauthenticated calls from GitHub are forbidden. A webhook secret must be defined in the GitHub App with Id 16.”
Looking at the LTS to LTS Upgrade notes, I’m reminded of this:
Reporting Quality Gate status on GitHub branches requires an additional permission (9.0)
When working in private GitHub repositories, you need to grant read-only access to the Contents permission on the GitHub application that you’re using for SonarQube integration. See the GitHub integration documentation for more information.
So I need to double-check: did you grant all perms listed in the docs you linked to?
Yes, all permissions listed were added to the GitHub App
Thanks for verifying. I’ve flagged this for the team.
PR decorations suddenly started working again and the DevOps Platform Integration for GitHub is now reporting that the authentication succeeds.
I have done nothing to change the SonarQube server or GitHub App settings since my last message. I have confirmed that the settings have remained the same.
I wish I knew what was wrong and how it was fixed, this is frustrating.
I’ve got a similar issue were the logs have a bunch of these:
[o.s.s.a.GithubWebhookAuthentication] Failed to authenticate payload from Github webhook. Either the webhook was called by unexpected clients or the webhook secret set in SonarQube does not match the one from Github.
We have had it for some time and are now running 10.1.
I though it was the same issue as yours at first, but I am not sure if that is the case.
Please create a new thread with all your details.