Analyze your repository with GitHub Actions
To configure an analysis of your project using GitHub Actions, you should follow the in-product tutorial when creating a new project. When it's time to Choose your Analysis Method during setup, select With GitHub Actions. You can also access the tutorials for an existing project by going to Your Project > Administration > Analysis Method.
The tutorial will walk you through the precise steps to set up the analysis, but the basic steps are these:
- Define the `SONAR_TOKEN` environment variable in your repository by setting up a GitHub Secret. The `SONAR_TOKEN` identifies and authenticates you to SonarCloud. The tutorial will provide the precise value for your specific account.
- Set the essential analysis parameters, `sonar.projectKey`, `sonar.organization`, and `sonar.host.url`. The tutorial will be populated with the correct values for your specific account. These parameters are set differently depending on your project type:
  - In the `pom.xml` for Java Maven projects.
  - In the `build.gradle` file for Java Gradle projects.
  - In the SonarScanner command line for .NET projects.
  - In the `sonar-project.properties` file for other types of projects.

  You can also add additional analysis parameters to further specify your analysis details (see Analysis Parameters).
- Create the `.github/workflows/build.yml` file that defines the steps of your build. In addition to the usual steps that build your project, you need to invoke the SonarScanner to perform the analysis of your code. This is done differently depending on your project type:
  - A Maven plugin for Java Maven projects.
  - A Gradle plugin for Java Gradle projects.
  - A dedicated .NET scanner for .NET projects.
  - The SonarCloud GitHub Action for C and C++.
  - The SonarCloud GitHub Action for other projects.

  The tutorial will provide the specific details for your project type.
The example below shows how you could set up a YAML workflow file for a single project.
GitHub Actions for SonarCloud
The workflow, usually declared in `.github/workflows/build.yml`, looks something like this:
```yaml
name: My Test Single Project
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # full history so SonarCloud can attribute changes correctly
      - name: SonarCloud Scan
        # @master tracks a moving branch; pinning to a release tag or commit SHA gives reproducible builds
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
Users have reported that when working with GitHub Actions reusable workflows, your `SONAR_TOKEN` is not intrinsically passed to the reusable workflow. Even though your `SONAR_TOKEN` is defined in the source repository, GitHub Actions will output the `SONAR_TOKEN` value with asterisks (which makes it look like it is working as expected), when in fact it is not reusing the value.
When setting up your GitHub reusable workflow, we recommend using the GitHub feature `secrets: inherit` so that the calling workflow explicitly passes your `SONAR_TOKEN` through to the reusable workflow instead of relying on it being sent implicitly.
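The caller/callee pair described above, as an added example that is not part of the original page: the reusable workflow declares the secret it needs, and the caller forwards it with `secrets: inherit`. The file name `sonar-reusable.yml`, the input name `project-base-dir` and the job names are constructed for this illustration.

```yaml
# .github/workflows/sonar-reusable.yml (constructed file name)
name: Reusable SonarCloud scan
on:
  workflow_call:
    inputs:
      project-base-dir:          # constructed input name
        type: string
        required: false
        default: .
    secrets:
      SONAR_TOKEN:               # must be supplied by the caller; not inherited automatically
        required: true
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # always available to a called workflow
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # the forwarded secret
        with:
          projectBaseDir: ${{ inputs.project-base-dir }}

---
# .github/workflows/build.yml in the calling repository
name: Build
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonar:
    uses: ./.github/workflows/sonar-reusable.yml
    with:
      project-base-dir: .
    # forwards every repository secret, including SONAR_TOKEN, to the called workflow;
    # the explicit alternative is:  secrets:  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    secrets: inherit
```

If the called workflow's step logs show `SONAR_TOKEN` only as asterisks but analysis still fails to authenticate, the caller is missing either `secrets: inherit` or the explicit `secrets:` mapping.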
GitHub Actions for C and C++
This GitHub action installs the latest versions of `sonar-scanner` and `build-wrapper` required for C/C++ SonarCloud analysis, making the workflow simpler.
```yaml
name: SonarCloud
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  build:
    name: Build and analyze
    runs-on: ubuntu-latest
    env:
      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Install sonar-scanner and build-wrapper
        uses: SonarSource/sonarcloud-github-c-cpp@v1
      - name: Run build-wrapper
        run: |
          build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} <insert_your_clean_build_command>
      - name: Run sonar-scanner
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          sonar-scanner --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
```
Analyzing Monorepo Projects: Build Configuration
The example below shows how you could set up a YAML workflow file for multiple projects in a monorepo. If you want to analyze a monorepo that contains more than one project, ensure that you specify the paths to each sub-project for analysis in your build file.
To ensure that your monorepo works as expected, you need to build each project in the monorepo separately, with a unique project key for each one.
GitHub Actions .yml file
```yaml
name: My Test Monorepo Project
on:
  push:
    branches:
      - main
    paths:
      - 'lambdas/test/**'
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonarcloudScan1:
    name: SonarCloudScan1
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectBaseDir: repo1/
  sonarcloudScan2:
    name: SonarCloudScan2
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectBaseDir: repo2/
```
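The same monorepo setup expressed with a job matrix, as an added example that is not part of the original page: each sub-project gets its own base directory and its own unique `sonar.projectKey`, passed through the action's `args` input, so the two analyses cannot collide on one key. The organization `my-org`, the directories `repo1/` and `repo2/` and the project keys are constructed placeholders.

```yaml
name: Monorepo analysis (added example)
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  analyze:
    name: Analyze ${{ matrix.project.name }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false              # one failing sub-project must not hide results for the others
      matrix:
        project:
          # constructed entries: one per sub-project, each with a unique SonarCloud project key
          - { name: repo1, dir: repo1/, key: my-org_repo1 }
          - { name: repo2, dir: repo2/, key: my-org_repo2 }
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectBaseDir: ${{ matrix.project.dir }}
          # the key and organization override whatever a sonar-project.properties in the
          # base dir would otherwise supply; both values must match the SonarCloud project
          args: >
            -Dsonar.projectKey=${{ matrix.project.key }}
            -Dsonar.organization=my-org
```

Adding a sub-project is then one more matrix entry rather than a copied job, and a `paths` filter on `push` can still be used to skip runs that touch neither directory.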