I’m facing an issue where running a CI build from a GitHub Action for a public repo, if I run it myself, it decorates the PR fine, however, external users (not belonging to the organisation or not set as repo contributors) can’t run the analysis in Pull Requests. The Sonar_token is stored as a secret in the org.
It seems the secret is not passed into the workflow when the PR is run by users who are not members or collaborators, despite the repo being public.
Any idea how to resolve this?
Template for a good new topic, formatted with Markdown:
ALM used (GitHub, Bitbucket Cloud, Azure DevOps): GitHub
CI system used (Bitbucket Cloud, Azure DevOps, Travis CI, Circle CI): GitHub Actions
Scanner command used when applicable (private details masked) (see url)
Error observed (wrap logs/code around with triple quotes ``` for proper formatting):
*** Build Succeeded :) ****
SonarScanner for MSBuild 5.13
Using the .NET Core version of the Scanner for MSBuild
The format of the analysis property sonar.login= is invalid
What do you mean by external PRs? This is a PR against our own repo, which is public, the only difference being the user who created the PR not being a member of the GitHub organisation or contributor. But the software is also public and open source, so it wouldn’t be ideal to start adding everyone as a contributor…
Is there a way to setup a dedicated , separate token with the minimum set of permissions to execute the analysis in this case (i.e. token with access to projects of public repos only).
Is there a way of having a separate permissions template to give Execute Analysis permissions to Anyone and we assign these permissions to public repos only, in a way that doesn’t require a token, or is not too bad to put is as an environment variable if it’s only scoped to public repos?
According to the Analysis Parameters in the documentation, if we give Execute Analysis permissions to the group Anyone, then there is no need to use a token for login purposes.
So I’ve tried giving Anyone permissions to execute analysis and then removed the sonar.login parameter, however it’s giving a 403 error now when trying to retrieve the quality profiles it seems.
I can’t advise granting Execute Analysis permissions to Anyone – it means somebody could run an analysis on your main branch without permission (it’s not just limited at pull requests). It’s a security risk.
Which 403 error are you talkinga bout? I see this in the logs shared:
SonarScanner for MSBuild 5.13
[185](https://github.com/DynamicsValue/fake-xrm-easy-abstractions/actions/runs/4941025532/jobs/8833230234?pr=32#step:10:186)Using the .NET Core version of the Scanner for MSBuild
[186](https://github.com/DynamicsValue/fake-xrm-easy-abstractions/actions/runs/4941025532/jobs/8833230234?pr=32#step:10:187)Post-processing started.
[187](https://github.com/DynamicsValue/fake-xrm-easy-abstractions/actions/runs/4941025532/jobs/8833230234?pr=32#step:10:188)20:28:48.641 SonarQube analysis could not be completed because the analysis configuration file could not be found: D:\a\fake-xrm-easy-abstractions\fake-xrm-easy-abstractions\.sonarqube\conf\SonarQubeAnalysisConfig.xml.
20:27:51.677 Downloading from https://sonarcloud.io/api/qualityprofiles/search?project=DynamicsValue_fake-xrm-easy-abstractions&organization=dynamicsvalue...
20:27:51.827 Response received from https://sonarcloud.io/api/qualityprofiles/search?project=DynamicsValue_fake-xrm-easy-abstractions&organization=dynamicsvalue...
Unhandled exception. System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 ().
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at SonarScanner.MSBuild.PreProcessor.WebClientDownloader.TryDownloadIfExists(String url, Boolean logPermissionDenied)
at SonarScanner.MSBuild.PreProcessor.WebServer.SonarWebServer.DownloadQualityProfile(String projectKey, String projectBranch, String language)
at SonarScanner.MSBuild.PreProcessor.PreProcessor.FetchArgumentsAndRuleSets(ISonarWebServer server, ProcessedArgs args, BuildSettings settings)
at SonarScanner.MSBuild.PreProcessor.PreProcessor.DoExecute(ProcessedArgs localSettings)
at SonarScanner.MSBuild.PreProcessor.PreProcessor.Execute(IEnumerable`1 args)
at SonarScanner.MSBuild.BootstrapperClass.PreProcess()
at SonarScanner.MSBuild.BootstrapperClass.Execute()
at SonarScanner.MSBuild.Program.Execute(String[] args, ILogger logger)
at SonarScanner.MSBuild.Program.Execute(String[] args)
at SonarScanner.MSBuild.Program.Main(String[] args)
at SonarScanner.MSBuild.Program.<Main>(String[] args)
I’m having a headache figuring out why I can only view Projects and Rules on your organization but not Quality Profiiles… I suspect it has something to do with not being a member of an organization… which begs the question why it’s possible to configure the Execute Analysis permission at all for Anyone (which is a distinct group from Members).
At the same time, I suspect it’s because we think it’s a bad idea for Anyone to be able to execute analysis (even if it would fix your current pain).
I’ll flag this for attention to see if there’s something we want to do about this, whether in behavior or making the behavior clearer.