SonarQubeCloud GitHub App reporting default branch analysis against PRs

Hello, I am using the sonarqube-scan-action GitHub Action to analyse my repo. I have the SonarQubeCloud GitHub App installed.

Once a PR is raised against our default branch (main), the sonarqube job is run and, once complete, the SonarQubeCloud GitHub App updates the “SonarCloud Code Analysis” check in GitHub with the correct status of the feature branch analysis.

Within 45 seconds of this, a second analysis is run against the default branch and, once complete, the “SonarCloud Code Analysis” check (within the PR) is updated to reflect the status of this second analysis.

Ideally the second analysis would not be reported in the PR as it is unrelated to the changes made.

Is this expected behaviour or is my setup incorrect?

Automatic Analysis in the SonarQube Cloud console is switched off.

Please find the GitHub workflow job and sonar-project.properties file below.

Workflow:

...
  sonarqube:
    name: SonarQube
    runs-on: ubuntu-latest
    needs: [setup, lint, unit_tests]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Download ESLint report
        uses: actions/download-artifact@v4
        with:
          name: eslint-report
          path: reports/

      - name: Download test execution report
        uses: actions/download-artifact@v4
        with:
          name: coverage-report
          path: coverage/

      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

sonar-project.properties:

sonar.projectKey=<REDACTED>
sonar.organization=<REDACTED>
sonar.sources=src
sonar.language=js,ts

sonar.test.inclusions=**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx
sonar.test.exclusions=**/*.stories.tsx,**/*.stories.ts,**/*.stories.js,**/*.stories.jsx,src/index.js,src/App.js
sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.typescript.lcov.reportPaths=coverage/lcov.info
sonar.junit.reportPaths=coverage/test-report.xml

sonar.eslint.reportPaths=reports/eslint-report.json

Hey there.

What’s going on above here? I’d like to see how your workflow is triggered! Usually it looks like this.

name: Build
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]

Hi Colin, thank you for your response!

I’ve attached the entire workflow. But yes, it follows the same pattern.
ci.yml.txt (3.9 KB)

Hey @lukebettridge

I’ll admit that I’m stumped! Everything about this sounds weird, and I’m not sure where two analyses would come from. Is it not possible you have a second workflow lying around that’s also triggering analysis? Or maybe at some point you were using the NPM sonar-scanner package and that is also triggering analysis when you run npm ci or npm run build?

I appreciate you looking at this! We only have the one workflow (this is a fairly new project) and we don’t have any Sonar-related dependencies.