GitHub-hosted runner access to a Sonar enterprise server

Dear sonar people,

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension) : Enterprise Edition v2025.1 (102418)
  • how is SonarQube deployed: no info, DevOps handles it
  • what are you trying to achieve:
    Create a GitHub Action which runs on a GitHub-hosted runner
    (GitHub-hosted runners - GitHub Docs), specifically Ubuntu based.
    This action shall use our Sonar server, which is installed inside our company network.
    I want to use the following actions:
> - name: Install Build Wrapper
>   uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
>   env:
>     SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
> - name: Run Build Wrapper
>   run: |
>     # Here goes your compilation wrapped with Build Wrapper
>     # For more information, see https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper
>     # build-preparation steps
>     # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
> - name: SonarQube Scan
>   uses: SonarSource/sonarqube-scan-action@<action version>
>   env:
>     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
>     SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
>     SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
>   with:
>     # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
>     args: >
>       --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"

I also used the following action workflow:

```yaml
name: Build

on:
  pull_request:
    branches:
      - main
      - master
      - develop
      - "release/**"
  workflow_dispatch:
    inputs:
      branch:
        description: 'Branches to run the workflow on'
        required: true
        default: 'main'
      sonar-branch:
        description: 'Sonar project branch name.'
        required: false
        default: 'default'

jobs:
  build:
    name: Build and analyze
    runs-on: ubuntu-latest
    env:
      BUILD_WRAPPER_OUT_DIR: sonar-bw # Directory where build-wrapper output will be placed
    steps:
      - name: Process branch names
        if: always()
        env:
          # Branch names are chosen by whoever opens the pull request, so hand them
          # to the script as environment variables instead of expanding the
          # expressions inside the script text.
          BRANCH_REF: ${{ github.event.inputs.branch || github.event.pull_request.head.ref || github.head_ref || github.ref_name }}
          SONAR_BRANCH_INPUT: ${{ github.event.inputs.sonar-branch }}
        run: |
          echo "Determining GIT_BRANCH..."
          # Explanation: Fallback branch name determination (evaluated in BRANCH_REF above)
          # 1. priority to the input branch if provided
          # 2. if not provided, use the pull request head ref
          # 3. if not a pull request, use the head ref of the current branch
          # 4. finally, use the ref name of the current branch
          GIT_BRANCH="$BRANCH_REF"
          if [ "$SONAR_BRANCH_INPUT" != "default" ]; then
            SONAR_BRANCH="$SONAR_BRANCH_INPUT"
          else
            SONAR_BRANCH="$GIT_BRANCH"
          fi
          echo "GIT_BRANCH=$GIT_BRANCH" >> "$GITHUB_ENV"
          echo "SONAR_BRANCH=$SONAR_BRANCH" >> "$GITHUB_ENV"

      - uses: actions/checkout@v4
        with:
          submodules: true
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

      - name: Install Build Wrapper
        uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v4
        env:
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

      - name: Install Build environment
        run: |
          # here we install our tooling

      - name: Run Build Wrapper
        run: |
          build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make clean all

      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v4
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        with:
          args: >
            -Dsonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
```

I got the following output:

```text
Run SonarSource/sonarqube-scan-action/install-build-wrapper@v4
  env:
    BUILD_WRAPPER_OUT_DIR: sonar-bw
    GIT_BRANCH: SQ-experiment
    SONAR_BRANCH: 
    SONAR_HOST_URL: ***
Run ${GITHUB_ACTION_PATH}/../scripts/configure_paths.sh >> $GITHUB_OUTPUT
Run ${GITHUB_ACTION_PATH}/../scripts/download.sh
  ${GITHUB_ACTION_PATH}/../scripts/download.sh
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    BUILD_WRAPPER_OUT_DIR: sonar-bw
    GIT_BRANCH: SQ-experiment
    SONAR_BRANCH: 
    SONAR_HOST_URL: ***
    DOWNLOAD_URL: ***/static/cpp/build-wrapper-linux-x86.zip
    TMP_ZIP_PATH: /home/runner/work/_temp/build-wrapper--Linux-X64.zip
    INSTALL_PATH: /home/runner/work/_temp
Download ***/static/cpp/build-wrapper-linux-x86.zip
  Downloading '***/static/cpp/build-wrapper-linux-x86.zip'
  curl: (28) Failed to connect to sonarqube.ourcompanyname.net port 443 after 135861 ms: Couldn't connect to server
  Error: Failed to download '***/static/cpp/build-wrapper-linux-x86.zip'
  Error: Process completed with exit code 28.
```

My questions:
Is it possible to connect an on-prem Sonar enterprise server with a GitHub-hosted runner machine?
If yes, please guide me on what the usual process is.

Thanks a lot!

Best Regards,
András
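
An added example, not part of the original post and not code from the Sonar action: a preflight step that probes the same build-wrapper URL with short timeouts and reports why it failed, instead of waiting out the 135-second curl timeout shown in the log. It discards curl's stderr because, in the log above, curl's own error message printed the server host name even though `SONAR_HOST_URL` was masked. It assumes `curl` is available on the runner; `RUN_PREFLIGHT` is a hypothetical switch.

```shell
#!/usr/bin/env bash
# Added example: preflight reachability check to run before install-build-wrapper.
# RUN_PREFLIGHT is a hypothetical switch; nothing here is part of the Sonar action.

# Map curl's documented exit codes to a diagnosis that names no host.
classify_curl_exit() {
  case "$1" in
    0)  echo "reachable: TCP and TLS to the server succeeded" ;;
    6)  echo "dns: host name does not resolve from this runner" ;;
    7)  echo "refused: host resolves but the connection is rejected" ;;
    28) echo "timeout: no answer, server is not routable from this runner" ;;
    35) echo "tls: handshake failed" ;;
    60) echo "tls: server certificate not trusted, check SONAR_ROOT_CERT" ;;
    *)  echo "other: curl exit code $1" ;;
  esac
}

# Probe the same build-wrapper URL the action downloads, with short timeouts.
# stderr is discarded so curl cannot print the host behind a masked secret.
probe_sonar() (
  url="${1%/}"
  rc=0
  curl --silent --head --output /dev/null \
       --connect-timeout 10 --max-time 20 \
       "$url/static/cpp/build-wrapper-linux-x86.zip" 2>/dev/null || rc=$?
  echo "SonarQube preflight: $(classify_curl_exit "$rc")"
  exit "$rc"
)

# In a workflow step, set RUN_PREFLIGHT=1 and SONAR_HOST_URL in the step's env.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
  probe_sonar "$SONAR_HOST_URL"
fi
```

A `timeout` or `dns` result from a GitHub-hosted runner points at network reachability rather than at the action or the token.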

Probably you need a proxy app for that,

btw about downloading the build wrapper from a GitHub public runner, I reported this ticket: