GitHub comments stopped working in GitHub action after switch to pull_request_target

We’ve been using the sonarcloud-github-action version 1.6 for a while now to handle our SonarCloud analyses, which are then sent to the SonarCloud platform.

This has always worked fine. Upon completion of the analysis, SonarCloud would also post a comment with the analysis results. We explicitly have enabled this feature for each project under Administration → Pull Requests → Integration with GitHub → Enable summary content.

Due to the way GitHub handles Dependabot pull requests, we were recently forced to use the pull_request_target instead of the pull_request event to trigger the workflow. After doing so, the SonarCloud analysis still works fine. However, we no longer receive the comment. We’re not sure what has caused this, but the most likely cause is switching to the _target event.

The question: What could be the reason that SonarCloud no longer posts a comment on the pull request being analyzed? Is it somehow tied to the workflow, or perhaps the workflow’s GITHUB_TOKEN permissions?

This is what the relevant jobs of the workflow look like:

on:
  pull_request_target:
    paths-ignore:
      - '.github/**'
      - 'terraform/**'

permissions:
  contents: read
  packages: read
  pull-requests: write

jobs:

  # Previous jobs go here...

  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-20.04
    needs: unit-tests
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Download LCOV Report
        uses: actions/download-artifact@v2
        with:
          name: lcov-report
          path: coverage
      - name: SonarCloud Scan
        uses: sonarsource/sonarcloud-github-action@v1.6
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}```

Bump. I haven’t been able to figure this out yet sadly enough.

Hey @MarkvA,

Apologies for the delayed answer. Can you provide a background task id that is connected with the analysis that comment was not delivered to the pull request? You can find it in the Administration -> Background tasks. This would help me to narrow down the problem. If the SC analysis still works, there may be some SC <-> GitHub permission issue here.

Best,
Marcin

Hello @Marcin_Majewski,

No worries and thank you for taking the time to investigate. One background task where the issue occurred is AXkxn4ontU69DbCNTznN.

Thanks again.

Hey @MarkvA,

I took a look, and the reason you are not getting comments is indeed the fact that you switched to pull_request_target. We are only supporting pull_request event. The reason for it, is the fact that when there is event: pull_request_target, the code that is being analyzed is the base of the branch, not the additions done by the PR in question, then there is no point in analysing it.

Best,
Marcin

Hello @Marcin_Majewski,

Thank you for looking into it! That’s what I was afraid of. I guess there’s nothing that can be done in that case. We manually checkout the HEAD of the pull request in the workflow so the correct code is analyzed.

Is there a chance that support for pull_request_target will be added in the future? Or perhaps a way of manually passing which pull request is being analyzed?

Either way, thank you nonetheless!

Hey @MarkvA,

You could probably still pass manually the pull request key (if you would be able to extract it) by adding the property like this:

      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        with:
          args: >
            -Dsonar.pull.request.key=14

This should work for the pull-requests, although this is not recommended way.

Best,
Marcin

Hello @Marcin_Majewski,

Thanks to your suggestion, we’ve managed to resolve the issue! Although the key for pull requests seems to be sonar.pullrequest.key instead of sonar.pull.request.key.

I’ll post the workflow here in case anyone else experiences this issue:

name: Test

on:
  pull_request_target:
    paths-ignore:
      - '.github/**'
      - 'terraform/**'

jobs:
  
  # Previous jobs go here...

  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-20.04
    needs: unit-tests
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Download LCOV Report
        uses: actions/download-artifact@v2
        with:
          name: lcov-report
          path: coverage
      - name: SonarCloud Scan
        uses: sonarsource/sonarcloud-github-action@v1.6
        with:
          args: -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Thanks @MarkvA for sharing the solution and apologies for the typo.

Hello @Marcin_Majewski,

Apologies for re-opening this ticket, but another issue came up which most likely has the same cause. The “SonarCloud Code Analysis” check is not being added to the pull request after a succesful analysis.

I’m guessing this is also caused by the use of pull_request_target, as after a master branch push the checks do show up.

Is there a workaround available for this as well? I’m guessing the check is actually added by the SonarCloud GitHub Integration, rather than the workflow.

An example of a background task with this issue is AXlgvR8bgWS7PWpEFT11.

The check I mean is the following:

image752×630 25.5 KB

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Hey @MarkvA,

The check is added for the specific commit analyzed. You could use the property: sonar.scm.revision to point to which revision you want the check to appear.

Best,
Marcin