beatngu13
(Daniel Kraus)
April 20, 2021, 9:09pm
1
This question is related to “Github Actions. Public repo. You’re not authorized to run analysis”. But instead of random contributors, I’m dealing with (known) bots. For example, I use Dependabot in some of my projects. When I receive a PR, the build fails with “You’re not authorized to run analysis”:
beatngu13:develop
← beatngu13:dependabot/github_actions/actions/cache-v2.1.5
opened 05:39AM - 19 Apr 21 UTC
Bumps [actions/cache](https://github.com/actions/cache) from v2.1.4 to v2.1.5.
I wonder what the “Sonar way” is to handle PRs from bots like this. Add it to the Sonar organization? Skip the analysis? (I assume this will also be addressed via MMF-1371?)
Hello @beatngu13, thanks for reaching out to us!
Can you share your GitHub Action for both scenarios: a normal one and the one which is triggered by Dependabot? SonarCloud authorization in such a scenario is based on a token you generate in SC and configure in your GitHub Action. I am guessing this token is not properly configured when the action is triggered by the bot.
MMF-1371 and random contributors are a different scenario: there users are not part of the organization, don’t have a token and can’t have one either, but must be allowed to scan. In your scenario you can provide the token to the bot.
beatngu13
(Daniel Kraus)
April 21, 2021, 9:39pm
3
Hi @Alexandre_Holzhey,
thx for the prompt feedback.
Both scenarios trigger this workflow.
Also note that in the case of Dependabot, the PRs stem from branches within the target repo, no forks involved (e.g. this branch).
Initially, I thought the SONAR_TOKEN might be an issue, so I created a dedicated repo secret for Dependabot with the same name, but it didn’t help.
Thanks for the information @beatngu13.
Could you please echo the value of SONAR_TOKEN in the pipeline and run it for both a normal event and the bot? Just to make sure the token is there (just tell me that, don’t paste this info here). The message you provided is mostly related to a non-existent/invalid token. The activity on our side is minimal for such a scenario (I don’t have much to investigate here). But please take note of the exact timestamp for these runs (you should also echo this), so I can try to find the request on our side.
beatngu13
(Daniel Kraus)
April 25, 2021, 8:13pm
5
I have added a check to the workflow. Here are the (secure) results:
Run triggered by me: https://github.com/beatngu13/pdf-zoom-wizard/runs/2432869026?check_suite_focus=true#step:10:12
Run triggered by Dependabot: https://github.com/beatngu13/pdf-zoom-wizard/runs/2433059707?check_suite_focus=true#step:10:12
This is weird, because I added SONAR_TOKEN to Settings > Secrets > Dependabot, too. (Although I don’t know why the token isn’t visible at all, since Dependabot’s PRs are not forks.)
I think I have found the issue:
“Starting March 1st, 2021 workflow runs that are triggered by Dependabot […] will be treated as if they were opened from a repository fork.”
The community isn’t happy about this since the only workaround seems to be to expose secrets to any fork.
In case of SonarCloud, is there a way to add a bot such as Dependabot to the organization?
beatngu13
(Daniel Kraus)
June 8, 2021, 8:29pm
8
Update: The corresponding Dependabot issue has been closed with an FAQ and a bunch of workarounds.
Personally, I currently only run the analysis step if the actor is not Dependabot:
if: ${{ github.actor != 'dependabot[bot]' }}
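Putting the thread’s pieces together, as an added example that is not the author’s actual workflow: a GitHub Actions job with a diagnostic step that reports whether SONAR_TOKEN is present (without ever printing its value) together with the run timestamp, and a SonarCloud analysis step that is skipped when the actor is dependabot[bot]. The Maven build command, the JDK setup and the action versions are assumptions.

```yaml
# Added example (not the project's own workflow). Assumes a Maven project
# and a SONAR_TOKEN repository secret generated in SonarCloud.
name: build

on:
  push:
    branches: [develop]
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          # Sonar needs full history for blame/new-code detection
          fetch-depth: 0

      - uses: actions/setup-java@v2
        with:
          distribution: temurin
          java-version: '11'

      # Diagnostic step from the thread: tell whether the secret reached the
      # job, and log the timestamp so the run can be matched on the SonarCloud
      # side. The token value itself is never echoed.
      - name: Check SONAR_TOKEN availability
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          date -u +"%Y-%m-%dT%H:%M:%SZ"
          echo "actor: ${{ github.actor }}"
          if [ -z "$SONAR_TOKEN" ]; then
            echo "SONAR_TOKEN is NOT available (fork or Dependabot-triggered run)"
          else
            echo "SONAR_TOKEN is available"
          fi

      # Dependabot-triggered runs are treated like fork PRs and get no
      # secrets, so the analysis would fail with "not authorized"; skip it.
      - name: SonarCloud analysis
        if: ${{ github.actor != 'dependabot[bot]' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
```

The rest of the build (compile and tests) still runs on Dependabot PRs; only the step that needs the secret is gated, so the dependency bump is still verified before merge.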
system
(system)
Closed
June 15, 2021, 8:30pm
9
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.