We’ve been using the sonarcloud-github-action version 1.6 for a while now to handle our SonarCloud analyses, which are then sent to the SonarCloud platform.
This has always worked fine. Upon completion of the analysis, SonarCloud would also post a comment with the analysis results. We have explicitly enabled this feature for each project under Administration → Pull Requests → Integration with GitHub → Enable summary content.
Due to the way GitHub handles Dependabot pull requests, we were recently forced to use the pull_request_target instead of the pull_request event to trigger the workflow. After doing so, the SonarCloud analysis still works fine. However, we no longer receive the comment. We’re not sure what has caused this, but the most likely cause is switching to the _target event.
The question: What could be the reason that SonarCloud no longer posts a comment on the pull request being analyzed? Is it somehow tied to the workflow, or perhaps the workflow’s GITHUB_TOKEN permissions?
This is what the relevant jobs of the workflow look like:
Apologies for the delayed answer. Can you provide a background task id connected with the analysis for which the comment was not delivered to the pull request? You can find it under Administration → Background tasks. This would help me to narrow down the problem. If the SC analysis still works, there may be some SC <-> GitHub permission issue here.
I took a look, and the reason you are not getting comments is indeed the fact that you switched to pull_request_target. We only support the pull_request event. The reason for it is that when the event is pull_request_target, the code being analyzed is the base of the branch, not the additions made by the PR in question, so there is no point in analysing it.
Thank you for looking into it! That’s what I was afraid of. I guess there’s nothing that can be done in that case. We manually check out the HEAD of the pull request in the workflow so the correct code is analyzed.
Is there a chance that support for pull_request_target will be added in the future? Or perhaps a way of manually passing which pull request is being analyzed?
Thanks to your suggestion, we’ve managed to resolve the issue! Although the key for pull requests seems to be sonar.pullrequest.key instead of sonar.pull.request.key.
I’ll post the workflow here in case anyone else experiences this issue:
Apologies for re-opening this ticket, but another issue came up which most likely has the same cause. The “SonarCloud Code Analysis” check is not being added to the pull request after a successful analysis.
I’m guessing this is also caused by the use of pull_request_target, as after a master branch push the checks do show up.
Is there a workaround available for this as well? I’m guessing the check is actually added by the SonarCloud GitHub Integration, rather than the workflow.
An example of a background task with this issue is AXlgvR8bgWS7PWpEFT11.
The check is added for the specific commit analyzed. You could use the property sonar.scm.revision to point to the revision on which you want the check to appear.
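The two fixes discussed in this thread (passing the pull request key with sonar.pullrequest.key, and pinning the analyzed commit with sonar.scm.revision so the check lands on the PR head) can be combined in one workflow. The following is an added example, not the original poster's workflow and not code from SonarSource. It assumes the SonarSource/sonarcloud-github-action at tag v1.6 (the version named in the thread), actions/checkout v3, and a SONAR_TOKEN repository secret; the sonar.pullrequest.branch and sonar.pullrequest.base properties are standard SonarCloud PR parameters that are not mentioned in the thread.

```yaml
# Added example workflow (not the original poster's): SonarCloud analysis on
# pull_request_target with the PR head checked out and the PR identity passed
# explicitly. Assumes SONAR_TOKEN is a repository secret.
name: SonarCloud

on:
  push:
    branches: [master]
  pull_request_target:
    types: [opened, synchronize, reopened]

jobs:
  sonarcloud:
    name: SonarCloud analysis
    runs-on: ubuntu-latest
    steps:
      # On pull_request_target, github.sha / GITHUB_REF point at the base
      # branch, so the PR head must be checked out explicitly. fetch-depth: 0
      # gives the scanner the full history it needs for blame and new-code detection.
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0

      # Pull request: the _target event does not let the scanner detect the PR
      # by itself, so pass the key (PR number), branches and the exact revision.
      # sonar.scm.revision makes the "SonarCloud Code Analysis" check attach to
      # the PR head commit instead of the base commit the event reports.
      - name: SonarCloud scan (pull request)
        if: github.event_name == 'pull_request_target'
        uses: SonarSource/sonarcloud-github-action@v1.6
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
            -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
            -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }}
            -Dsonar.scm.revision=${{ github.event.pull_request.head.sha }}

      # Branch push: no PR parameters needed, the scanner analyzes the branch.
      - name: SonarCloud scan (branch)
        if: github.event_name == 'push'
        uses: SonarSource/sonarcloud-github-action@v1.6
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

Note the property name is sonar.pullrequest.key, as the original poster confirms, not sonar.pull.request.key. Because pull_request_target runs the workflow definition from the base branch with the base repository's secrets and a write-capable GITHUB_TOKEN, the job above deliberately contains nothing but the checkout and the scanner step: any build or test script taken from the checked-out PR head would execute with those credentials, so such steps belong in a separate pull_request workflow without secrets.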