How to use SonarCloud with a forked repository on GitHub?

Okay, I’ve finally managed it. @codyebberson’s version didn’t work for me, cause workflow_run event data doesn’t have pull request info and pull_requests array contains pull requests to fork and not to upstream.

So, this is my version with comments.

First of all you need to save PR number from pull_request event. You can achieve this by echoing data from event to file and upload it as artifact:

And then…

In a separate workflow with workflow_run trigger you need to:

  • download artifact from workflow that triggered the current workflow
  • read it to workflow data
  • get PR data via github rest api
  • checkout repo (from fork)
  • fetch base branch from upstream - this is important step! If you won’t do it, your “new lines of code” metric will be broken if fork has not synchronized base branch (and who do it nowdays?)
  • and at last - run analysis on push or on pull request grabbing all collected data

“Java CI” workflow logs: recreate: Исправил FP · 1c-syntax/bsl-language-server@3a6192c · GitHub
“QA” workflow logs: QA · 1c-syntax/bsl-language-server@2211575 · GitHub

There is some room for improvement (fetch only selected branch from upstream, protect from pr from branch with the same name as base branch), but I hope this will help someone.

1 Like

Thanks so much for sharing this @nixel2007 as I was stuck implementing the suggestions above!

I am almost there, but I am a bit stuck with one part which maybe you can help me with.

I’ve created the sonar.yml in the default branch:

I made some tweaks as we needed to specify some args and use a properties file for that, but otherwise it’s the same as yours without the platform-specific stuff, I think (as best I can tell, I’m no expert with GitHub Actions and not a developer!)

Then I have a PR I’m using to test which introduces the properties file and adds the parts to the tests.yml file we already have:

This is working great, it’s saving the PR number to the text file, and sonar.yml is picking this up.

The bit where I am struggling is that when it runs the scan on PR for example, it’s throwing up this error:

Warning: Unexpected input(s) ‘number’, ‘full_name’, valid inputs are [‘route’, ‘mediaType’]

It seems like it’s actually getting the information but maybe not in the right order? I’m not sure:

Run octokit/request-action@v2.x
route: GET /repos/{full_name}/pulls/{number}
number: 13

full_name: RCheesley/mautic
mediaType: {}

GET /repos/{full_name}/pulls/{number}
> number: 13
> full_name: RCheesley/mautic
> mediaType: [object Object]
(node:1740) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
< 200 346ms

On the PR the GitHub Actions I have reporting are showing like this:

I think it’s running against the whole repo rather than the PR, I’m not entirely sure to be honest.

Any nudges you might be able to offer would be much appreciated!

(I haven’t yet added in the code coverage part as I didn’t want to complicate matters!)

May not be entirely the ‘right’ way but I managed to get it mostly working as follows:

I had to make the coverage report from Codecov readable by Sonar and then upload it as an archive so that we can access it in the next step.

Did the same with the PR number as suggested by @nixel2007 above:

Then grab the PR number per the example above:

Download the code coverage artifact and extract it:

Make sure that the file can be accessed within the container (hat tip to @sylfabre in this post)

Scan on PR:

We use a project properties file so I included that in the args, the file is here:

Obvs as this is running on my own fork I had to make quite some tweaks to some of the files as we restrict our actions to running only on our main repo and our private security repo, and had to hard-code a couple of path changes to work on my own fork while I figured it out.

Thanks to everyone for the help so far!