SonarCloud+GitHub=No PR check

I am migrating from Jenkins to GitHub Actions.

  • ALM used: GitHub
  • CI system used : GitHub Actions
  • Scanner command used when applicable (private details masked)
  • Languages of the repository: Typescript
    My PR build script:
name: Pull Request Builder

    types: [ opened, edited, reopened, synchronize ]
      - develop
    types: [ opened, edited, reopened, synchronize ]
      - develop

    runs-on: ubuntu-latest


      - name: 'Checkout repository on branch: ${{github.event.pull_request.head.ref}} ${{github.event.pull_request.head.repo.full_name}}'
        uses: actions/checkout@v3
          ref: ${{github.event.pull_request.head.ref}}
          repository: ${{github.event.pull_request.head.repo.full_name}}
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0

      - name: 'Checkout repository on branch: ${{github.event.pull_request.base.ref}} ${{github.event.pull_request.base.repo.full_name}}'
        run: |
          git remote add upstream${{github.event.pull_request.base.repo.full_name}}
          git fetch upstream ${{github.event.pull_request.base.ref}}

      - uses: actions/setup-node@v3
          node-version: 16
          cache: 'yarn'

      - name: yarn
        run: yarn

      - name: sonar-lint
        run: yarn eslint "src/**/*.{js,ts,tsx}" --format json --output-file "coverage/eslint-report.json"

      - name: coverage
        run: yarn cross-env CI=true react-scripts test --silent --env=jsdom --coverage  --coverageDirectory=coverage --testResultsProcessor jest-sonar-reporter

      - name: Run sonarqube
        run: yarn run sonar-scanner

          -Dsonar.login=${{ secrets.SONAR_TOKEN }}
          -Dsonar.projectVersion=0.2.0.${{ github.event.pull_request.number }}
          -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}

This code worked as expected on Jenkins, but fails to mark PR check as passed.
PR gots comment about scan status, but PR check is not marked:

What am I doing wrong?

Background Tasks from do not show any problems.
Task status:

  "task": {
    "id": "AYISGdxrAz8mfJ5rkvgZ",
    "type": "REPORT",
    "componentId": "AYICpiomSm0Ow34ROkfg",
    "componentKey": "************",
    "componentName": "************",
    "componentQualifier": "TRK",
    "analysisId": "AYISGeBV3KLZ22nHpdNY",
    "status": "SUCCESS",
    "submittedAt": "2022-07-18T18:17:41+0200",
    "submitterLogin": "PavelA85@github",
    "startedAt": "2022-07-18T18:17:41+0200",
    "executedAt": "2022-07-18T18:17:43+0200",
    "executionTimeMs": 1931,
    "logs": false,
    "hasScannerContext": true,
    "organization": "************",
    "pullRequest": "1335",
    "warningCount": 0,
    "warnings": []

Hello @PavelA85 ,

Thank you for reaching out.
Have you tried to rerun the analysis on the pull request?
Do you still have this issue after the retry?
I cannot find a related error on our side for the given analysis. so I estimate that a network issue may be related.


not sure why not all my answers are visible here, but I tried Sonar with GH actions again and I see same issue.
Please check my answer at

Thank you @PavelA85 for your reply.
I checked the logs and I find that the last analysis done with a pull request is below:

pull_request_key: 1383
revision: d92e0755b7ca5e72bcb388973db11a5a43bb5514
date: 2022-08-01T13:47:53.521Z
status: 201

The decoration happened for the pull request 1383 on the commit SHA d92e0755b7ca5e72bcb388973db11a5a43bb5514.
Do you confirm the pull request id with the same commit SHA value as the last commit on the related branch?

Yeah, it looks like the wrong SHA.
How can I see SHA that Sonar is using to decorate PR?
And it would be nice to get failure feedback somewhere in SonarCloud.

You can find the commit SHA related to your PR in SonarCloud “Pull requests” interface for your project as below:

You can also find the commit SHA on the PR summary page.

Kindly note that the SonarCloud scanner gets the commit SHA from the git side when the analysis starts.
So if the commit SHA for the given branch is changed after the analysis started due to rebasing on the branch or any other reason, it will not be considered a failure from the SonarCloud side.

I hope that my answer is helpful!


1 Like

Thanks. Your answer makes sense, but I can not fix my issue.
I rewrote git checkout code to include my required ref.
Now it looks like this:

          git fetch --depth=1 \
            --force \
            --progress \
            -- https://user:${{ secrets.GITHUB_TOKEN }}***/****-ui \
            +refs/heads/release:refs/remotes/origin/release \
            +refs/heads/develop:refs/remotes/origin/develop \
            +refs/pull/${{ github.event.pull_request.number }}/*:refs/remotes/origin/pr/${{ github.event.pull_request.number }}/*
          git checkout origin/pr/${{ github.event.pull_request.number }}/head 

It works as expected:

It checkout PR head and runs as expected, but when I execute the sonar scanner, provide a link to commit in the develop branch.
I tried to use different SonarQube lib GitHub - SonarSource/sonarqube-scan-action to execute the analysis, but the same result.
I thought I was working on the wrong branch, but I pushed the failing test to my PR branch, and the Github action failed on the test step. So I can conclude that GitHub Action checkout is the right commit.
I have added a git log message just before and after sonar scanning, and I see the expected commit sha.
I have outputted the github variable with

      - name: Dump GitHub context
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: |
          echo "$GITHUB_CONTEXT"

And I see that is using commit sha from
github.sha: "e4f2ba913c28b64d8a103f2f49fd7482d0b4597b"

What do I miss here?


The last check analysis in SonarCloud related to PR 1394 has data below:

analysis_id: AYJn1tMSVPGaWzl8dAKL
branch_name: setup_github_actions_on_dev
branch_type: PULL_REQUEST
date: 2022-08-04T07:51:51.706Z
pull_request_key:1 394
revision: 4fd49393c944b609450a1421c8fb02f2097acbc6
status: 201

Kindly note that for the PR 1394, analyzed branch is “setup_github_actions_on_dev” and commit SHA is 4fd49393c944b609450a1421c8fb02f2097acbc6 and not e4f2ba913c28b64d8a103f2f49fd7482d0b4597b

The commit SHA e4f2ba913c28b64d8a103f2f49fd7482d0b4597b matches pull_request_key
1411on the branch setup_github_actions_on_dev on 2022-08-04T07:51:51.706Z.

Ok, thanks.
Can you please explain how sonar scanner gets commit sha?

Scanner gets the commit SHA value from the environment variable GITHUB_SHA in GH run time environment.


1 Like

ok, I think this is my problem.
Can I specify the scanner with my real commit SHA?
According to GH documentation REF:

Note that GITHUB_SHA for this event is the last merge commit of the pull request merge branch. If you want to get the commit ID for the last commit to the head branch of the pull request, use github.event.pull_request.head.sha instead.

I will try to use sonar.scm.revision

I don’t think that you can specify the commit SHA for the scanner. because the scanner always takes into account the HEAD commit. Maybe the only way is to check out your PR with the specific commit and start analysis then.

Thanks for your reply.
I have just tried to run scanner with -Dsonar.scm.revision=${{github.event.pull_request.head.sha}} and it worked as expected.
Not sure if it is connected by we are building PRs from forks.

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.