GitHub PR Status Checks - 1 GitHub Org -> Several SonarCloud Orgs

Here’s my setup:

  • Azure DevOps Pipelines for builds
  • GitHub Enterprise for source control
  • SonarCloud CI tasks defined in build YAMLs

Here’s my problem:

  • One GitHub Enterprise organization is shared by several business units and managed by Shared Services
  • However, each business unit has its own SonarCloud organization (all paid)

I want the SonarCloud CI tasks running in ADO to be able to post to the status checks of our GitHub pull requests. From looking at the documentation, this seems to require binding the one SonarCloud app for GitHub to a single SonarCloud organization.

If I were using ADO git, I would use a PAT token at the project level as a workaround. However, it seems that there’s no comparable configuration for GitHub.

How do I configure SonarCloud and/or my CI tasks to post statuses to GitHub PRs in this configuration?

Hi @jcgould,
I am not sure that I fully understand your use case. Can you confirm that you want to “connect” one single GitHub Organisation to multiple SonarCloud organisations?
Also, in this GitHub organisation, do you need to decorate a single repo or multiple repos?

Thanks.
Kind regards,
Christophe

We want multiple SonarCloud orgs to be able to decorate PRs in multiple repositories in a single GitHub organization. We use teams as a boundary in our single GitHub organization similar to how you’d use team projects as a boundary in a single Azure DevOps organization.

Our single GitHub organization is managed by a shared service organization. It contains repositories belonging to multiple business units. When a developer creates a repository, they invite their team (business unit) to that repository. However, each business unit has its own SonarCloud organization. This is partly because of politics but partly also because we don’t want to add the friction of a shared services organization managing Sonar for all business units.

Right now, I think this is supported in ADO - each team project could have its own SonarCloud org, because you can provide an ADO PAT at the Sonar org or project level. I think it’s even supported for GitHub in SonarQube, which takes the GitHub PAT as a parameter for the prepare task at CI time.

If I can’t make SonarCloud work this way, I’ll be forced to fall back to something ugly like using a build breaker to synchronously fail builds on quality gate failures.

I’ll add here that I’d be perfectly happy to run the Sonar scan with a GitHub Action instead of ADO CI, but I set that up and it doesn’t post back the status either.