Can you tell me what permissions are requested from the “GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}” so I can create a new private token using only the needed permissions.
Hi @szlatkow and welcome to the community!
Well the user that will host the token should have at least the “Execute analysis” permission on the project you want to scan.
HTH,
Mickaël
Hi @mickaelcaro. The question is about GITHUB_TOKEN, not SONAR_TOKEN. According to the SonarCloud documentation when SonarScanner is executed by using GitHub Actions, GITHUB_TOKEN must be added:
```yaml
- name: Build and analyze
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
```
I didn’t find in the documentation which permissions the mentioned token requires. More about available permissions: Permissions for the GITHUB_TOKEN.
Hi @szlatkow. At the beginning I didn’t add the GITHUB_TOKEN environment variable. My pull requests were successfully built, but the analysis of the main branch started failing. I configured the token to set permissions manually and didn’t grant any permissions (I omitted the permissions key in the workflow file). The build finished successfully. Currently my configuration looks like this:
```yaml
jobs:
  Build:
    # ...
    permissions:
      checks: write
    steps:
      # ...
      - name: Execute SonarScanner
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ${{ env.MAVEN_CMD }} sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
```
The checks: write permission is required by a different action (scacap/action-surefire-report@v1) used in the workflow. To be honest I have no idea why the GitHub token is needed, but with this minimal configuration it works for me.
Hi @agabrys
Indeed, sorry about that.
We used to select the “repo” permission while creating an access token, I’ll check whether we need less or not. In the meantime, we’ll update the docs as well.
Thanks!
Is there any update on this? What is the requirement of the token / what is it needed for?
Reason
Because in a GitHub pull_request workflow from a fork I can’t use secrets, and pull_request_target is too insecure for Gradle SonarQube as it would allow attackers to change the Gradle script and read my GH token.
Hi @Niton @agabrys,
You need to use a read permission for pull_requests for the GITHUB_TOKEN. This allows us to determine on which PR you are running the action to be able to decorate them.
```yaml
permissions:
  pull-requests: read  # allows SonarCloud to decorate PRs with analysis results
```
Hope this helps!
Christophe
I’m interested in these explicit permissions as well.
I notice that permissions can only be set per workflow or per job:
https://docs.github.com/en/actions/security-guides/automatic-token-authentication
It would be great if someone provided an example consisting of two jobs, one that needs write perms (e.g., to publish a new package), and one that only needs read perms (e.g., to publish test coverage).
If other parts of the workflow or job need additional read permissions, the following shorthand is convenient:
```yaml
permissions: read-all
```
Useful shortcut, thanks for sharing @joebowbeer!
> It would be great if someone provided an example consisting of two jobs, one that needs write perms (e.g., to publish a new package), and one that only needs read perms (e.g., to publish test coverage).
Btw, did you figure out a way to pass different permissions in two different jobs?
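Since the question of per-job permissions came up twice in this thread (the two-job request above, and the earlier answer that SonarCloud only needs `pull-requests: read` on the GITHUB_TOKEN), here is an added example of a complete workflow that does both. It is not code from this thread or from SonarSource. It assumes a Maven project, `actions/checkout@v4`, and a `pom.xml` already configured to deploy to GitHub Packages; the job and step names are made up. The workflow-level `permissions: {}` turns every scope off by default, and each job then asks for only what its steps use, so the publishing job is the only one whose token can write anything.

```yaml
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Default for every job: no scopes at all. Each job opts in below.
permissions: {}

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Read-only job. SonarCloud only needs to identify the PR it decorates;
    # the analysis results themselves are sent with SONAR_TOKEN, not GITHUB_TOKEN.
    permissions:
      contents: read        # required by actions/checkout
      pull-requests: read   # lets SonarCloud find the PR for decoration
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so new-code detection works
      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

  publish:
    runs-on: ubuntu-latest
    needs: analyze
    if: github.event_name == 'push'   # never publish from a pull request
    # Write job. Only this job's GITHUB_TOKEN can push to GitHub Packages.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Publish package
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # used by Maven's GitHub Packages auth
        run: mvn -B deploy -DskipTests
```

Two points worth checking when adapting this: a job-level `permissions` block replaces the workflow-level one entirely rather than merging with it, so list every scope the job needs (including `contents: read` for checkout); and because `analyze` runs on `pull_request`, a PR from a fork gets a read-only token and no repository secrets anyway, which is the situation described earlier in the thread.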