
Configure SonarCloud #9

Open
nejch opened this issue Feb 6, 2023 · 7 comments

Comments

@nejch
Member

nejch commented Feb 6, 2023

Suggested in sonarcloud settings:

pom.xml:

```xml
<properties>
  <sonar.organization>siemens</sonar.organization>
  <sonar.host.url>https://sonarcloud.io</sonar.host.url>
</properties>
```

.github/workflows/build.yml or similar:

```yaml
name: SonarCloud
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  build:
    name: Build and analyze
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Set up JDK 11
        uses: actions/setup-java@v1
        with:
          java-version: 11
      - name: Cache SonarCloud packages
        uses: actions/cache@v1
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar
      - name: Cache Maven packages
        uses: actions/cache@v1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=siemens_cmp-ra-component
```
@ralienpp
Collaborator

ralienpp commented Feb 6, 2023

It seems that the SONAR_TOKEN environment variable hasn't been defined, based on this log output:

https://github.com/siemens/cmp-ra-component/actions/runs/4105274548/jobs/7081902882#step:6:2011

@nejch
Member Author

nejch commented Feb 6, 2023

> It seems that the SONAR_TOKEN environment variable hasn't been defined, based on this log output:
>
> https://github.com/siemens/cmp-ra-component/actions/runs/4105274548/jobs/7081902882#step:6:2011

@ralienpp the token is there, but only available for actions in this project, not forks. This is by design in GitHub Secrets. Sorry, I thought you had Collaborator access here - you can still request that in oss-community-management.

GitHub secrets:

> Anyone with collaborator access to this repository can use these secrets and variables for actions. They are not passed to workflows that are triggered by a pull request from a fork.

So this will not work for external contributions. I'm not sure if this is still useful to you in that case. See also https://community.sonarsource.com/t/sonar-cannot-be-run-on-pr-from-a-fork/69229 if you'd like to track it upstream in SonarCloud.


@ralienpp
Collaborator

ralienpp commented Feb 8, 2023

Resolved in #10

@nejch
Member Author

nejch commented Feb 11, 2023

@ralienpp @Akretsch just a note: this is not actually solved now; it will only work for PRs from this repo but always fail for external PRs (as you can see with the failing dependabot PRs).

I'd say you could either restrict the sonar job to just run on main, configure it to run only on PRs from this project, or use the workaround linked in the comment above if you want to really use this.
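One way to implement the second option above (run the Sonar job only on pushes to main and on pull requests whose head branch lives in this repository), as an added example and not a workflow from the thread or from the project. The extra `dependabot[bot]` exclusion is an assumption based on Dependabot-created PRs running without access to repository secrets even when they come from a branch in the same repository:

```yaml
name: SonarCloud
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  build:
    name: Build and analyze
    runs-on: ubuntu-latest
    # Skip the job when SONAR_TOKEN cannot be present:
    #  - PRs from forks never receive repository secrets (by design), and
    #  - Dependabot PRs run with Dependabot secrets only (assumption, see lead-in).
    # Pushes to main and PRs from regular branches in this repository still get analyzed,
    # so a fork PR shows "skipped" instead of a failing Sonar step.
    if: >-
      github.event_name == 'push' ||
      (github.event.pull_request.head.repo.full_name == github.repository &&
       github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0  # full history for blame/new-code detection
      - name: Set up JDK 11
        uses: actions/setup-java@v1
        with:
          java-version: 11
      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # PR decoration
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}    # only populated when the condition above holds
        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=siemens_cmp-ra-component
```

If the Sonar step is a required status check, a skipped job still counts as not run, so the branch protection rule would need to be adjusted accordingly for fork PRs.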

@ralienpp
Collaborator

You're right, I need to think about it more.

@Akretsch
Collaborator

closed as requested by @ralienpp

@Akretsch
Collaborator

reopened as requested by @ralienpp

@Akretsch Akretsch reopened this Feb 14, 2023