Hi @vhsantos26,
Both of these warnings are very much relevant. (We really try to make our warnings relevant. When you don’t fully understand what they mean, and their implications, it’s important to get a full understanding before proceeding, because otherwise you may see many inexplicable things that don’t make sense.)
The first warning means that the scanner couldn’t find the development
branch in the Git working tree where it was executed. Without the development
branch, it’s not possible to identify the files and the lines that changed between the development
branch and the current working tree. We have a fallback behavior based on timestamps, but that typically won’t match perfectly the actual changes that happened in the Git repo. The consequence is precisely what you are experiencing: there are issues reported on files that haven’t changed, as per Git. The scanner couldn’t know that, because it couldn’t get the development
ref.
The second warning is closely related. The scanner detected a shallow clone. In a shallow clone, git blame
annotation information is typically incomplete, and also if the shallow clone doesn’t have enough depth to include the common ancestor commit of the current working tree and the development
branch, then again it won’t be possible to identify the changed files and lines, resulting in the same effect as I explained for the other warning.
The typical solution for both of these warnings when using GitHub Actions is to activate fetch-depth: 0
, as in your last post. With this parameter in place, the scenario you described, and the warnings, should not be possible. The fetch-depth: 0
parameter ensures the clone is not shallow, and it fetches all branches, therefore development
should be found at origin/development
.
Are you sure that fetch-depth: 0
is in the action description of the analyses where you get these warnings? If yes, then it seems it’s not effective somehow. If it was, you wouldn’t have the issue. Keep in mind that the action description is in a file that’s part of the repository, so you may have different content in different branches. I suggest to check the log output of the action, I think it should be visible if it’s really a shallow clone or not. To verify that the development
branch was fetched, you could temporarily add a git branch -r
command. If you can fix your build scripts so that origin/development
shows up in the output, then the scanner should be able to find what it needs, the warnings should go away, and you should see expected results on SonarCloud.