PR decoration missing in github private repo

Template for a good new topic, formatted with Markdown:

  • ALM used (GitHub)
  • CI system used (github action SonarSource/sonarcloud-github-action@master)
  • Scanner command used when applicable (see details below)
  • Languages of the repository: python
  • Error observed (wrap logs/code around with triple quotes ``` for proper formatting)
  • Steps to reproduce
  • Potential workaround: use pull model (let the Sonarcloud to initiate the scan)

the scanning of our private repo works fine and I can see the PR decoration if it is initiated from the sonarcloud itself.
But we prefer to use pull model where we initiate the scan from the github action.
Due to secrets limitations in github (you don’t get them in users’ fork) we split the scanning into two steps: build and actual scan (as described here: Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests | GitHub Security Lab)

Build looks like this:

name: Sonarcloud build
    types: [opened, synchronize, reopened]
    name: SonarCloud build
    runs-on: ubuntu-latest
      - name: Store PR info for workflow_run
        shell: bash
          PR_NUM: ${{ github.event.number }}
        run: |
          echo $PR_NUM
          echo $PR_NUM > pr_num.txt
      - name: Upload the PR info
        uses: actions/upload-artifact@v3
          name: pr_info
          path: ./pr_*.txt

And the scan is triggered by the successful build:

name: Sonarcloud scan
    workflows: [Sonarcloud build]
    types: [completed]
    name: SonarCloud scan
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
      - name: Show event context
        uses: crazy-max/ghaction-dump-context@v1
      - name: Checkout the new PR
        uses: actions/checkout@v3
          repository: ${{ github.event.workflow_run.head_repository.full_name }}
          ref: ${{ github.event.workflow_run.head_branch }}
          token: ${{ secrets.TOKEN_GITHUB_YENKINS }}
          fetch-depth: 0
      - name: Get PR artefacts
        uses: dawidd6/action-download-artifact@v2.19.0
          github_token: ${{ secrets.GITHUB_TOKEN }}
          workflow: sonarcloud_build.yml
          run_id: ${{ }}
      - name: Read the PR number
        run: |
          PR=$(cat pr_info/pr_num.txt)
          echo "SONAR_PR_NUMBER=$PR" >> $GITHUB_ENV
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
          GITHUB_TOKEN: ${{ secrets.TOKEN_ON_ORG_LEVEL }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          args: >
            -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
            -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUMBER }}
            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.head_branch }}

The scan works fine and the results are visible in but the PR is not commented/decorated. I was missing sonar.pullrequest.provider property in the project settings, but
it is set to sonar.pullrequest.provider=github now and still no PR decoration.

Any suggestion how to debug the issue, what can I try?
Thank you for any help.

Tomas Kouba

Hi @Tomas_Kouba

If I understand correctly, you are using forks and external pull requests, do you?

Do you see the SonarCloud Code Analysis check appearing on the PR? Or do you miss both the comment and the check?



Hi @Claire_Villard
yes I miss both. There is no trace of the scan except when I go to //actions/workflows/sonarcloud_scan.yaml (the second step of our scan action).
I realize this may be an over complicated setup but we need it due to the security reasons (see the link in my original post).
I am not saying there is no better solution but I’d like to keep the setup secure (so the forked repo can initate the scan but cannot steal the SONAR_TOKEN secret).


Thanks for your answer @Tomas_Kouba !

Sadly, we don’t support scanning pull requests from forks when the scan is not triggered by the automatic analysis.
I understand that it is an important feature for you, I invite you to vote on the item to help us prioritize the next features we will work on: