Hello all–
After much struggle, we now have a GitHub repo that can run SonarCloud analysis on pull requests from forks.
The trick is the “workflow_run” feature from GitHub Actions:
In short, you need 2 separate GitHub Actions:
- Build step - Build your project, run tests, upload code coverage. This step does not have access to any GitHub secrets such as SONAR_TOKEN.
- Sonar step - Download code coverage from previous step, and run the SonarCloud analysis. This step does have access to SONAR_TOKEN.
This works because the 2nd step uses GitHub Actions from main/master, not from the pull request. That way you can be confident that the PR didn’t modify the build scripts and leak all of your secrets.
Our repo here:
Build action here:
Sonar action here:
Here is some excellent background reading from the GitHub security team about why all of this is so complicated:
If folks are interested, I can write up a more detailed explanation. Hope this helps someone. Today is the first day we ran Sonar analysis on a PR from a fork, and it felt great.
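As an added illustration of the two-workflow setup described in the post (these are not the poster's repo files), here are the two workflow definitions side by side; the build script path, the artifact name and a `coverage.xml` in Sonar's generic coverage format are assumptions. The Sonar workflow is always taken from the default branch, only reads the checked-out PR source, and treats everything in the artifact as untrusted input, which is what keeps SONAR_TOKEN out of the PR author's reach.

```yaml
# .github/workflows/build.yml -- runs on the PR's own code; fork PRs get no repository secrets here
name: Build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/build-and-test.sh   # hypothetical script writing coverage.xml (generic format)
      - run: echo "${{ github.event.pull_request.number }}" > pr-number.txt && echo "${{ github.base_ref }}" > pr-base.txt  # handed over as data
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: |
            coverage.xml
            pr-number.txt
            pr-base.txt
--- # .github/workflows/sonar.yml -- always taken from the default branch, so SONAR_TOKEN is available
name: Sonar
on:
  workflow_run:
    workflows: [Build]
    types: [completed]
jobs:
  sonar:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # Check out the built commit only so Sonar can read it; nothing from it is executed in this job
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.workflow_run.head_repository.full_name }}
          ref: ${{ github.event.workflow_run.head_sha }}
      - uses: actions/download-artifact@v4
        with:
          name: build-output
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - id: pr   # artifact contents are attacker-controlled: validate before they reach a command line
        run: |
          n=$(cat pr-number.txt); b=$(cat pr-base.txt)
          [[ "$n" =~ ^[0-9]+$ && "$b" =~ ^[A-Za-z0-9._/-]+$ ]] || exit 1
          { echo "number=$n"; echo "base=$b"; } >> "$GITHUB_OUTPUT"
      - uses: SonarSource/sonarcloud-github-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.coverageReportPaths=coverage.xml -Dsonar.pullrequest.key=${{ steps.pr.outputs.number }}
            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.head_branch }} -Dsonar.pullrequest.base=${{ steps.pr.outputs.base }}
```

The PR number and base branch travel through the artifact because `workflow_run.pull_requests` is empty for fork PRs; the scanner's PR parameters are passed explicitly since under `workflow_run` the action would otherwise detect the default branch.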