Quality gate status not appearing in Azure DevOps suddenly

We’ve had SonarCloud analysis running and sending quality gate updates to Azure DevOps for some time now without issue. Today, the “quality gate” status stopped being sent and we can’t work out why. No configuration changes were made.

The logs for the static analysis build show it completing correctly, and the analysis and quality gate show in the SonarCloud site.

The “Publish Quality Gate Result” step completes without error.

I’ve updated the Azure DevOps token in SonarCloud to a fresh one in case it had expired and was causing this, but this has not resolved it. The UI in SonarCloud says the token is valid and I’ve manually tested it and it works. The token has full code access.

Is there anywhere we can look to find out what’s happening here? This issue appears to be affecting all of our projects.

Hi Martin,

I will have a look into your issue.
Can you share with me your organization and one of your project key so I can have a look in our logs ?

Best regards,

Organisation: prospect
Project key: PS-CRM

I’ve had to disable the quality gate status check on the PRs to get around this, but it should still be publishing them.

Hi Martin,

Thanks for sharing.
I’ve had a look into our logs, and I can see that we have many times the error “The Azure Devops Access Token is invalid” between the 11th and the 14th of November.

Can you do some steps to confirm the new token is valid ?

Please create a new access token following the tutorial here : Azure DevOps | SonarCloud Docs
(Make sure to follow all the step, and to read whats written in the yellow / orange box).
Then click “Update” or “Continue” to save the token, so the new one is being used.

You can also test your token using this CLI :

curl --request GET \
  --url 'https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=6.0' \
  --header 'Accept: application/json' \
  --header 'Authorization: BASIC $BASE64_ENCODED_PAT' 

To replace $BASE64_ENCODED_PAT with the correct data you need to base64 encode the following string : ‘accessToken:$PAT’ and replace $PAT with your Personal Access Token value.

Let me know how this goes :slight_smile:

Hi,

I’ve updated the access token with a new one and the UI says “Status of you current token: is valid.” with a little green tick, as it did before but the issue is still present.

The new token has “Full Access” instead of just code read/write, in case that was an issue.

This new PAT token works fine when I try it against the actual devops api, for example:

https://dev.azure.com/{organization}/{project}/_apis/build/builds?api-version=5.0

The above URL is the one used in the microsoft documentation.

However, I get a 401 if I attempt to use the token against the URL in your curl example. If I directly access that URL I can see it (it authenticates via oauth) so I’m not sure exactly what that means. Are you certain that URL should work with the PAT token?

Looking into this further, I’ve found that if I call the API using our PAT token to get the build properties of one of the static analysis builds that didn’t report a quality gate to the PR, I can see this

	"sonarglobalqualitygate": {
		"$type": "System.String",
		"$value": "ok"
	},

So that shows that our current configuration is successfully updating the static analysis build with the quality gate result.

But still the PR itself shows “Waiting” next to “SonarCloud/quality gate”. The issue is presumably in whatever mechanism links these parts of the process, but I don’t know enough to investigate further.

Hi Martin,

Thanks for sharing the info.
I’ve had a deeper look in your organization and settings, I see that there are 2 accounts with your name, it might be helpful to remove the one you are not using to avoid any confusion.

The other thing I see is that the project PS-CRM is not “bound” to Azure Devops, it has been manually imported. What that means is that you have to be carreful to update the token both in your organization but at the project level as well.
I can’t see the token used at the project level but maybe the token is expired ?
Can you confirm you updated both tokens (project and organization) ?

Best regards,

1 Like

Thank you, that was the issue! Once the project level token was replaced this works again. Can I ask, is there any way to make the PS-CRM project “bound” so that it operates on the same token as other things?

1 Like

I’m glad we managed to fix your issue together.

Unfortunately there is no way currently to bind a project that has been manually imported.
What you can do is that you can delete the project from SonarCloud and import it again from your organization (if the organization is bound), this will create a new project that is bound by default.