Template for a good new topic, formatted with Markdown:
- ALM used (GitHub)
- CI system used (github action SonarSource/sonarcloud-github-action@master)
- Scanner command used when applicable (see details below)
- Languages of the repository: python
- Error observed (wrap logs/code around with triple quotes ``` for proper formatting)
- Steps to reproduce
- Potential workaround: use pull model (let SonarCloud initiate the scan)
Hello,
The scanning of our private repo works fine, and I can see the PR decoration if it is initiated from SonarCloud itself.
But we prefer to use the pull model, where we initiate the scan from the GitHub Action.
Due to secrets limitations in GitHub (you don't get them in users' forks) we split the scanning into two steps: build and actual scan (as described here: Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests | GitHub Security Lab).
Build looks like this:

```yaml
name: Sonarcloud build
on:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  build_for_sonarcloud:
    name: SonarCloud build
    runs-on: ubuntu-latest
    steps:
      - name: Store PR info for workflow_run
        shell: bash
        env:
          PR_NUM: ${{ github.event.number }}
        run: |
          echo "$PR_NUM"
          echo "$PR_NUM" > pr_num.txt
      - name: Upload the PR info
        uses: actions/upload-artifact@v3
        with:
          name: pr_info
          path: ./pr_*.txt
```
And the scan is triggered by the successful build:

```yaml
name: Sonarcloud scan
on:
  workflow_run:
    workflows: [Sonarcloud build]
    types: [completed]
jobs:
  sonarcloud_scan:
    name: SonarCloud scan
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - name: Show event context
        uses: crazy-max/ghaction-dump-context@v1
      - name: Checkout the new PR
        uses: actions/checkout@v3
        with:
          repository: ${{ github.event.workflow_run.head_repository.full_name }}
          ref: ${{ github.event.workflow_run.head_branch }}
          token: ${{ secrets.TOKEN_GITHUB_YENKINS }}
          fetch-depth: 0
      - name: Get PR artefacts
        uses: dawidd6/action-download-artifact@v2.19.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          workflow: sonarcloud_build.yml
          run_id: ${{ github.event.workflow_run.id }}
      - name: Read the PR number
        run: |
          PR=$(cat pr_info/pr_num.txt)
          echo "SONAR_PR_NUMBER=$PR" >> "$GITHUB_ENV"
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.TOKEN_ON_ORG_LEVEL }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }}
            -Dsonar.pullrequest.key=${{ env.SONAR_PR_NUMBER }}
            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.head_branch }}
```
The scan works fine and the results are visible in sonarcloud.io, but the PR is not commented/decorated. I was missing the sonar.pullrequest.provider property in the project settings, but it is set to sonar.pullrequest.provider=github now and there is still no PR decoration.
Any suggestions on how to debug the issue? What can I try?
Thank you for any help.
Cheers,
Tomas Kouba
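The pwn-request pattern the post links splits the work into a `pull_request` workflow and a privileged `workflow_run` workflow, and the only thing that crosses between them is the artifact. In that design the artifact's contents are untrusted input for the privileged job, so the "Read the PR number" step should check what it got before appending it to `$GITHUB_ENV`: a file containing more than a number (for example `42` followed by a second line `X=1`) would otherwise define extra environment variables for every later step, including the scanner's. The following is an added example, not code from the post or from SonarCloud; it assumes the artifact layout the post's workflow uses (`pr_info/pr_num.txt`) and an env file path passed in as the second argument (in a real job that is `$GITHUB_ENV`).

```shell
#!/bin/sh
# Added example (not from the original post): a hardened "Read the PR number" step.
# The workflow_run job treats the downloaded artifact as untrusted, so the PR number
# must be a plain string of digits before it is appended to the GitHub env file.

# Return 0 if $1 is a non-empty string of ASCII digits, 1 otherwise.
is_pr_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the validated PR number stored in file $1; fail on anything else.
read_pr_number() {
  [ -f "$1" ] || return 1
  # Command substitution strips only trailing newlines; an embedded newline or any
  # non-digit character survives and is rejected by is_pr_number.
  pr=$(cat "$1")
  is_pr_number "$pr" || return 1
  printf '%s\n' "$pr"
}

# Append SONAR_PR_NUMBER=<n> to the env file $2 (normally "$GITHUB_ENV"),
# reading <n> from artifact file $1. Nothing is written if validation fails.
export_pr_number() {
  pr=$(read_pr_number "$1") || return 1
  printf 'SONAR_PR_NUMBER=%s\n' "$pr" >> "$2"
}

# Stand-alone demo with constructed artifact files (assumed layout: pr_info/pr_num.txt).
demo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/pr_info"
  printf '42\n' > "$dir/pr_info/pr_num.txt"              # what the build workflow writes
  printf '42\nINJECTED=1\n' > "$dir/pr_info/tampered.txt" # constructed malformed artifact
  : > "$dir/env"
  export_pr_number "$dir/pr_info/pr_num.txt" "$dir/env" && echo "accepted: $(cat "$dir/env")"
  export_pr_number "$dir/pr_info/tampered.txt" "$dir/env" || echo "rejected: tampered.txt"
  rm -rf "$dir"
}

demo
```

In the workflow, the step body becomes `export_pr_number pr_info/pr_num.txt "$GITHUB_ENV" || exit 1` after sourcing these functions; a failed check stops the job before the scanner runs with a bogus `sonar.pullrequest.key`.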