Scans failing in PR/merge

I’m just trying to setup SonarCloud to scan a new project via GitHub Actions (previously we’ve used auto analysis, or an old pipeline using azure)

I have created the project under our organization on sonar cloud at The project was initially setup with auto analysis (default) but I changed this to CI analysis.

I added new github actions following the recommended pattern (just added gradle wrapper validation & changed name). I also updated gradle to include the sonar plugin & set the project properties

The PR is at Fix name of default branch in sonar scan by planetf1 · Pull Request #34 · odpi/egeria-connector-hivemetastore · GitHub

However this is failing in the sonar action ( Fix name of default branch in sonar scan · odpi/egeria-connector-hivemetastore@0a41db7 · GitHub ) with:

> Project not found. Please check the 'sonar.projectKey' and 'sonar.organization' properties, the 'SONAR_TOKEN' environment variable, or contact the project administrator

However those properties are set ie in egeria-connector-hivemetastore/build.gradle at main · odpi/egeria-connector-hivemetastore · GitHub

sonarqube {
    properties {
        property "sonar.projectKey", "odpi_egeria-connector-hivemetastore"
        property "sonar.organization", "odpi-github"
        property "", ""

I also have the token stored as a GitHub secret (actually at the org level, as if this pattern works I’d like to use it across many repos)

Any ideas why this would fail?

Shouldn’t the project key be odpi_egeria-connector-hadoop-ecosystem if you intend to point to this project, rather than odpi_egeria-connector-hivemetastore?

Ah! you caught me - I updated the post just now – that was just an error when writing the post and copying links :wink:

So to clarify - I do have this problem - I just made an error in the post. Scan does fail

After a short holiday I realised the issue here – we use the standard fork/PR model, which is typical for open source community projects.

The action running on the PR therefore will not have access to SONAR_TOKEN, hence the failure.

Does sonar have an approach that will work for PRs? (We are able to scan with Sonatype Lift and codeQL)

Hey there.

Glad that a fresh look helped you here (and sorry that I didn’t come back to this thread earlier). Welcome back!

This is not possible out-of-the-box, but some users have found a workaround.

You may also want to vote on this roadmap item here:

Thanks - I’d forgotten about that, having responded in that thread months ago (we wanted to re-look at sonar cloud). I’ll try the community suggestion.

It may be worth adding a caveat into the sonar cloud docs for scanning as this fork/PR is extremely common for open source projects.