We are using GitLab, GitLab CI and sonarcloud.io. Generally it is working great, but there is one thing which is bugging us heavily. The GitLab user who is handling the comments etc. needs to be "Owner"; nothing else is supported.
I am curious why this is the case. So far the only thing I have seen is that the user is commenting on Merge Requests (and this works with the Reporter role too).
The token with API access still works; the analysis is done via GitLab CI, so there is no need for further information.
Hence we are curious, because we found out it also works with fewer permissions. So we:
- elevate the permissions of our sonarcloud bot user to Owner
- update the token in sonarcloud.io
- demote the user to Reporter
We might be missing an edge case or some functionality here; it would be good to verify what functionality we might lose with fewer permissions and therefore higher security. (We try to avoid as many Owners as possible.)
PS: the warning when adding the token states that the user has to be admin, but it actually should be Owner, as there is no such role as admin on GitLab SaaS.
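An added example (not from the original post) of the kind of audit the least-privilege goal above calls for: it lists which group members hold Owner and flags whether the bot account sits above Reporter, the level the post reports as sufficient. The base URL, group id and token passed to fetch_members are assumptions; the member list is a constructed sample shaped like the GitLab Members API response.

```python
import json
import urllib.request

# GitLab access levels as documented for the Members API
ACCESS_LEVELS = {10: "Guest", 20: "Reporter", 30: "Developer", 40: "Maintainer", 50: "Owner"}
OWNER = 50
REPORTER = 20


def fetch_members(base_url, group_id, token):
    """First page of GET /groups/:id/members/all (needs network; the demo below does not call it)."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/groups/{group_id}/members/all?per_page=100",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def role_name(level):
    return ACCESS_LEVELS.get(level, f"unknown({level})")


def owners(members):
    """Usernames holding Owner: the list the post wants to keep as short as possible."""
    return sorted(m["username"] for m in members if m["access_level"] >= OWNER)


def audit(members, bot_username, max_bot_level=REPORTER):
    """Report Owners and whether the bot is above the level it has been shown to need."""
    bot = next((m for m in members if m["username"] == bot_username), None)
    if bot is None:
        raise ValueError(f"{bot_username} is not a member of this group")
    return {
        "owners": owners(members),
        "bot_role": role_name(bot["access_level"]),
        "bot_over_privileged": bot["access_level"] > max_bot_level,
    }


# Constructed sample: the bot is still Owner, i.e. the state between steps 1 and 3 of the post
SAMPLE_MEMBERS = [
    {"id": 1, "username": "alice", "access_level": 50},
    {"id": 2, "username": "sonarcloud-bot", "access_level": 50},
    {"id": 3, "username": "bob", "access_level": 30},
    {"id": 4, "username": "ci-reader", "access_level": 20},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MEMBERS, "sonarcloud-bot"), indent=2))
```

Running the audit after the demotion step should show the bot back at Reporter and absent from the Owner list; if it still appears there, step 3 was skipped.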