planetf1
(Nigel Jones)
July 29, 2022, 1:17pm
1
I’m just trying to set up SonarCloud to scan a new project via GitHub Actions (previously we’ve used auto analysis, or an old pipeline using Azure).
I have created the project under our organization on sonar cloud at https://sonarcloud.io/project/overview?id=odpi_egeria-connector-hivemetastore . The project was initially setup with auto analysis (default) but I changed this to CI analysis.
I added new GitHub Actions following the recommended pattern (just added Gradle wrapper validation & changed the name). I also updated Gradle to include the Sonar plugin & set the project properties.
The PR is at Fix name of default branch in sonar scan by planetf1 · Pull Request #34 · odpi/egeria-connector-hivemetastore · GitHub
However, this is failing in the Sonar action (Fix name of default branch in sonar scan · odpi/egeria-connector-hivemetastore@0a41db7 · GitHub) with:
> Project not found. Please check the 'sonar.projectKey' and 'sonar.organization' properties, the 'SONAR_TOKEN' environment variable, or contact the project administrator
However, those properties are set, i.e. in egeria-connector-hivemetastore/build.gradle at main · odpi/egeria-connector-hivemetastore · GitHub:

    sonarqube {
        properties {
            property "sonar.projectKey", "odpi_egeria-connector-hivemetastore"
            property "sonar.organization", "odpi-github"
            property "sonar.host.url", "https://sonarcloud.io"
        }
    }
I also have the token stored as a GitHub secret (actually at the org level, as if this pattern works I’d like to use it across many repos).
Any ideas why this would fail?
Colin
(Colin)
July 29, 2022, 1:30pm
2
Shouldn’t the project key be odpi_egeria-connector-hadoop-ecosystem if you intend to point to this project, rather than odpi_egeria-connector-hivemetastore?
planetf1
(Nigel Jones)
July 29, 2022, 1:32pm
3
Ah! You caught me - I updated the post just now – that was just an error when writing the post and copying links.
So to clarify - I do have this problem - I just made an error in the post. The scan does fail.
planetf1
(Nigel Jones)
August 8, 2022, 8:29am
4
After a short holiday I realised the issue here – we use the standard fork/PR model, which is typical for open source community projects.
The action running on the PR therefore will not have access to SONAR_TOKEN, hence the failure.
Does Sonar have an approach that will work for PRs? (We are able to scan with Sonatype Lift and CodeQL.)
Colin
(Colin)
August 8, 2022, 8:31am
5
Hey there.
Glad that a fresh look helped you here (and sorry that I didn’t come back to this thread earlier). Welcome back!
This is not possible out-of-the-box, but some users have found a workaround.
Hello all –
After much struggle, we now have a GitHub repo that can run SonarCloud analysis on pull requests from forks.
The trick is the “workflow_run” feature from GitHub Actions:
In short, you need 2 separate GitHub Actions:
Build step - Build your project, run tests, upload code coverage. This step does not have access to any Github secrets such as SONAR_TOKEN.
Sonar step - Download code coverage from previous step, and run the SonarCloud analysis. This step does have access to SONAR_…
You may also want to vote on this roadmap item here: https://portal.productboard.com/sonarsource/1-sonarcloud/c/50-sonarcloud-analyzes-external-pull-request
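A concrete shape for that two-workflow pattern, added here as an example and not taken from the thread or the linked post, with one hardening choice: the privileged job runs the SonarCloud scanner action over artifacts the build produced rather than running the fork’s Gradle build (and its build.gradle) while SONAR_TOKEN is in reach. It assumes a Java project with classes under build/classes/java/main, a JaCoCo XML report at the default path, the runner’s default JDK, and the project key and organization from the post above.

```yaml
# --- .github/workflows/build.yml: runs in the fork's PR context, no secrets ---
name: Build
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build jacocoTestReport
      # Hand over only data (compiled classes, coverage XML, PR number), never scripts.
      - run: |
          mkdir -p out
          cp -r build/classes/java/main out/classes
          cp build/reports/jacoco/test/jacocoTestReport.xml out/
          echo "${{ github.event.number }}" > out/pr_number
      - uses: actions/upload-artifact@v4
        with: { name: build-output, path: out/ }
# --- .github/workflows/sonar.yml: runs in the base repo, so SONAR_TOKEN is present ---
name: Sonar
on:
  workflow_run:
    workflows: [Build]
    types: [completed]
jobs:
  sonar:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # Check out the fork's commit for its sources only; do not run ./gradlew here.
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.workflow_run.head_repository.full_name }}
          ref: ${{ github.event.workflow_run.head_sha }}
      - uses: actions/download-artifact@v4
        with:
          name: build-output
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # The PR number came from an untrusted artifact: keep digits only before use.
      - run: echo "PR_NUMBER=$(tr -dc 0-9 < pr_number)" >> "$GITHUB_ENV"
      - uses: SonarSource/sonarcloud-github-action@master
        env: { SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}', GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}' }
        with:
          args: >
            -Dsonar.projectKey=odpi_egeria-connector-hivemetastore -Dsonar.organization=odpi-github
            -Dsonar.java.binaries=classes -Dsonar.coverage.jacoco.xmlReportPaths=jacocoTestReport.xml
            -Dsonar.pullrequest.key=${{ env.PR_NUMBER }}
            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.head_branch }}
```

workflow_run only fires for a workflow file that already exists on the default branch, so sonar.yml must be merged to main before fork PRs get analysed.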
planetf1
(Nigel Jones)
August 8, 2022, 8:37am
6
Thanks - I’d forgotten about that, having responded in that thread months ago (we wanted to re-look at SonarCloud). I’ll try the community suggestion.
It may be worth adding a caveat to the SonarCloud docs for scanning, as this fork/PR model is extremely common for open source projects.