secrets.SONAR_TOKEN not read when accessed from PR


i’ve setup a sonar cloud check using sonar maven plugin, and passing to sonar cloud sonar.login
problem is if it work nicely when direct commit is done, it does when not triggered from PR
any idea on what i’m doing wrong?


Secrets are not passed to the runner when a workflow is triggered from a forked repository (see GitHub doc).

That’s why your job works on your commit on master, but not on your PR, which comes from a forked repository.

You can watch this ticket to track progress on that feature.

Thanks Benoit for the quick reply!

will definitely watch it. So this would be the same problem if was using github action (i can’t right now as pom is detected at the root)?
Workaround then i guess would be to use another CI tool :-/


AFAIK, all CI tools have the same safety mechanism as GitHub Action has. So I’m afraid using another CI tool won’t work.
The only way to analyze PR from forked repository is to use Automatic Analysis. But unfortunately it doesn’t support Java, so it’s not suitable for your project.

Thanks, but Apache own Jenkins instance is able to do that it seems, see:
that is i guess because sonar secret is hidden together with the pipeline description outside of the repository that is PRed.
hence my interrogation with github actions here

also i’m wondering: an acceptable solution for us would be that the user has a SONAR secret him self on that project, looks like adding SONAR_TOKEN to fork repo is not enough though, i guess it’s stored elsewhere

This is a blocker issue for OSS projects. It makes sonarcloud useless as many OSS repos mainly relay on the PR raised through forks, in which case the secrets does not get passed and sonar scan is not executed.

There are many alternative product which has resolved this issue (codecov) for example.

One thing I don’t understand is why does it requires token for public repos which I already authorised access to sonarcloud app.

Please take this on priority otherwise people will find and move to alternative services which does not have this problem

Hello @vivekweb2013 ,

Unfortunately there is no update on our side yet. You can follow the following card on our roadmap for updates: SonarCloud analyzes external Pull Request - SonarCloud | Product Roadmap . Please feel free to share your feedback around this feature on the card as well.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.