Warning on GitHub PR decoration, but it actually works

SonarQube version: 10.1.0 (Developer Edition)
Deployed with Helm chart 10.1.0+628

On every analysis, either on main branch or PR branches, we get a couple of warnings that read the following:

Failed to report status to Devops platform because the GitHub App doesn't have the checks:write permission. Please read "Activating pull request decoration" section in the "Get Started > GitHub" documentation page to fix your setup.

However:

  • The GitHub app we use already has the checks:write permission
  • And PR decoration + check status reporting actually works
  • The “DevOps integration > GitHub > Check Configuration” doesn’t yield any error

We use the GitHub action for decoration (sonarsource/sonarqube-scan-action@master) without the Quality Gate Action as we’re only using SonarQube to assist on code quality at the moment in a non-blocking manner.

Relevant logs from the server:

2023.06.30 16:26:13 WARN  ce[XXXXXXXXX][c.s.F.D.G.N] Pull request decoration failed
java.lang.IllegalStateException: GitHub App doesn't have the checks:write permission
	at com.sonarsource.F.D.G.N.A(Unknown Source)
	at java.base/java.util.Optional.ifPresent(Unknown Source)
	at com.sonarsource.F.D.G.N.A(Unknown Source)
	at com.sonarsource.F.D.G.N.F(Unknown Source)
	at com.sonarsource.F.D.G.N.D(Unknown Source)
	at com.sonarsource.F.D.G.N.B(Unknown Source)
	at com.sonarsource.F.D.G.B.A.A.A(Unknown Source)
	at com.sonarsource.F.D.G.J.A(Unknown Source)
	at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Unknown Source)
	at java.base/java.util.stream.ReferencePipeline$Head.forEach(Unknown Source)
	at com.sonarsource.F.D.G.J.A(Unknown Source)
	at com.sonarsource.F.D.c.A(Unknown Source)
	at java.base/java.util.Optional.ifPresent(Unknown Source)
	at com.sonarsource.F.D.c.A(Unknown Source)
	at com.sonarsource.F.D.c.B(Unknown Source)
	at org.sonar.ce.async.SynchronousAsyncExecution.addToQueue(SynchronousAsyncExecution.java:27)
	at com.sonarsource.F.D.c.A(Unknown Source)
	at java.base/java.util.Optional.ifPresent(Unknown Source)
	at com.sonarsource.F.D.c.finished(Unknown Source)
	at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.executeTask(PostProjectAnalysisTasksExecutor.java:102)
	at org.sonar.ce.task.projectanalysis.api.posttask.PostProjectAnalysisTasksExecutor.finished(PostProjectAnalysisTasksExecutor.java:93)
	at org.sonar.ce.task.step.ComputationStepExecutor.executeListener(ComputationStepExecutor.java:89)
	at org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:61)
	at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:75)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:212)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:194)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:160)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:135)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:87)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:74)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
2023.06.30 16:26:13 INFO  ce[XXXXXXXXX][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Pull Request decoration | status=SUCCESS | time=3233ms
2023.06.30 16:26:13 INFO  ce[XXXXXXXXX][o.s.c.t.p.a.p.PostProjectAnalysisTasksExecutor] Report branch Quality Gate status to devops platforms | status=SUCCESS | time=0ms
2023.06.30 16:26:14 INFO  ce[XXXXXXXXX][o.s.c.t.CeWorkerImpl] Executed task | project=XXXXXXXXX | type=REPORT | pullRequest=XXXXXXXXX | id=XXXXXXXXX | submitter=XXXXXXXXX | status=SUCCESS | time=5797ms

Did I miss anything obvious? I’m new to SonarQube, so that’s entirely possible.

Many thanks!

Hi @lelithium

Welcome to the community!

I could not reproduce this, but if your GitHub app has the checks:write permission, this warning should definitely not appear.

Does it appear every time, or is it a bit random? One thing that could happen is that, for some reason, SQ cannot correctly retrieve the App permissions through GitHub APIs.
Do you maybe have another warning before the one you shared, like “Failed to request /app/installations” or something similar?

One last question: is your GitHub project private or public? If public, could you try with a private project and see if you also have some warning?

Best,
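
The reply above raises the possibility that SonarQube cannot correctly retrieve the App permissions through GitHub's APIs. As an added example (not part of the original posts and not SonarQube's code), the Python below audits a constructed `GET /app/installations`-style response for the two permissions discussed in this thread; the function names, the `none` sentinel and the sample data are assumptions made for illustration.

```python
import json

# Permission levels, weakest to strongest. "none" is a local sentinel used
# here for a permission that is absent from the installation object.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# The two permissions discussed in this thread.
REQUIRED = {"checks": "write", "contents": "read"}

# Constructed sample shaped like a GET /app/installations response (not real data).
SAMPLE_RESPONSE = """
[
  {"id": 1001, "account": {"login": "example-org"},
   "permissions": {"checks": "write", "contents": "read", "metadata": "read"}},
  {"id": 1002, "account": {"login": "example-user"},
   "permissions": {"checks": "read", "metadata": "read"}}
]
"""

def missing_permissions(granted, required=REQUIRED):
    """Return {name: (needed, granted_level)} for every requirement not met."""
    gaps = {}
    for name, needed in required.items():
        have = granted.get(name, "none")
        # An unknown level string is treated as no access at all.
        if LEVELS.get(have, 0) < LEVELS[needed]:
            gaps[name] = (needed, have)
    return gaps

def audit_installations(response_text, required=REQUIRED):
    """Map each installation's account login to its permission gaps."""
    report = {}
    for inst in json.loads(response_text):
        login = inst.get("account", {}).get("login", str(inst.get("id")))
        report[login] = missing_permissions(inst.get("permissions", {}), required)
    return report

if __name__ == "__main__":
    for login, gaps in audit_installations(SAMPLE_RESPONSE).items():
        if not gaps:
            print(f"{login}: OK")
        for name, (needed, have) in gaps.items():
            print(f"{login}: {name} needs {needed}, installation has {have}")
```

The permissions that matter are the ones on each installation object, which is what this endpoint returns when queried as the App.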

Hi Antoine Vinot, thanks for your help. Sorry about the late answer, I was taking some PTO.

  • The GitHub app definitely has the checks:write trait, it is configured as RW.
  • It appears every time
  • There’s no other warning, but this same warning does appear twice.
  • The project is private

Is there anything else I can do to help troubleshoot this relatively minor annoyance? Thanks!

Hi @lelithium

I also just came back from some PTO today.

My bad: when investigating this, I thought that some recent changes from this ticket were already included in 10.1, which is not the case, as they will only be included in 10.2.

By the way, since your project is private, do you have the contents:read permission on your app?

I will try to reproduce it on 10.1 later this week. However, there is a chance that recent changes will fix this in 10.2, or at least allow us to understand better what is happening.

do you have the contents:read permission on your app

Just confirmed that this is indeed the case

10.2 [SONAR-15075] - Jira

Sounds like this may be a step in the right direction!

Thanks for taking the time to go through this