SonarCloud with GitHub actions

Hello,
I use GitHub Actions to automate the build process for a simple Kotlin repo, and when the build and tests are finished, I trigger SonarCloud analysis. I use Maven for my project. The problem is, SCM is disabled in my project settings on SonarCloud, but when I push a new change to the repo, SCM runs and gives me a warning. Here it is:

[INFO] SCM Publisher SCM provider for this project is: git
[INFO] SCM Publisher 3 source files to be analyzed
[WARNING] Shallow clone detected, no blame information will be provided. You can convert to non-shallow with 'git fetch --unshallow'.
[INFO] SCM Publisher 0/3 source files have been analyzed (done) | time=1ms
[WARNING] Missing blame information for the following files:
[WARNING]   * src/test/kotlin/main/MainTest.kt
[WARNING]   * pom.xml
[WARNING]   * src/main/kotlin/main/Main.kt
[WARNING] This may lead to missing/broken features in SonarCloud

It gives me a warning and it’s annoying for me. I used Travis CI before and it didn’t have this problem.
My workaround was to disable SCM explicitly when triggering SonarCloud from the workflow. Here it is:

name: build

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - name: Set up JDK 1.8
      uses: actions/setup-java@v1
      with:
        java-version: 1.8
    - name: Build with Maven
      run: >
          ./mvnw clean verify
          sonar:sonar
          -Pcoverage
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.organization=amrsamii
          -Dsonar.projectKey=amrsamii_Kotlin-GitHub-actions
          -Dsonar.scm.disabled=True
      env:
        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
        SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}

Is it a bug or am I missing something?

Hello @amrsamii,

This is not a bug. The actions/checkout step uses a fetch-depth of 1 by default. This means that not all blame information is present, which means that some features like automatically assigning bugs won’t work. You can get rid of this warning by using

- uses: actions/checkout@v2
  with:
    fetch-depth: 0

This will fetch the whole history of the project (and might thus be quite a bit slower). You can find the documentation here.

Hope that helps,
Tom


Thanks for your reply, but what about my solution? Is it correct?

It is correct: you won’t get the warning you mentioned again, but you will be missing all blame information for new issues on SonarCloud, so they won’t automatically be assigned anymore.
If you are fine with that, then your solution will work fine.


For reference, https://github.com/sonarsource/sonarcloud-github-action-samples defines a few project samples that correctly disable shallow clones.
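
The shallow-clone behaviour discussed in this thread, as an added example (not from the posts above or from SonarSource): a guard that detects a shallow checkout, runs the `git fetch --unshallow` named in the scanner warning, and shows how many distinct commits `git blame` can attribute before and after. The function names and the constructed three-commit demo repository are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-analysis guard for CI checkouts (hypothetical helper names).

# Succeeds if the repository at $1 is a shallow clone.
is_shallow() {
  [ "$(git -C "$1" rev-parse --is-shallow-repository 2>/dev/null)" = "true" ]
}

# Fetches the missing history if needed; succeeds only if the clone is now complete.
ensure_full_history() {
  if is_shallow "$1"; then
    git -C "$1" fetch --quiet --unshallow || return 1
  fi
  ! is_shallow "$1"
}

# Prints the number of distinct commits that blame attributes lines of file $2 to.
blame_commits() {
  git -C "$1" blame -s "$2" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Constructed sample data: an origin with three commits and a depth-1 clone of it,
# which mirrors what a fetch-depth of 1 leaves on the runner. Prints the temp root.
make_demo() {
  root="$(mktemp -d)"
  git init --quiet "$root/origin"
  for n in 1 2 3; do
    echo "line $n" >> "$root/origin/Main.kt"
    git -C "$root/origin" add Main.kt
    git -C "$root/origin" -c user.name=demo -c user.email=demo@example.invalid \
      -c commit.gpgsign=false commit --quiet -m "commit $n"
  done
  git clone --quiet --depth 1 "file://$root/origin" "$root/clone"
  echo "$root"
}

# Run with --demo to see the effect on the constructed repository.
if [ "${1:-}" = "--demo" ]; then
  demo="$(make_demo)"
  echo "shallow clone: blame sees $(blame_commits "$demo/clone" Main.kt) commit(s)"
  ensure_full_history "$demo/clone" || { echo "history still incomplete" >&2; exit 1; }
  echo "after unshallow: blame sees $(blame_commits "$demo/clone" Main.kt) commit(s)"
  rm -rf "$demo"
fi
```

In a workflow, `ensure_full_history .` would run as a step before the Maven command, failing the job if the history is still incomplete.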