According to the SonarQube GitHub Integration documentation, the GITHUB_TOKEN
must be injected as an environment variable when SonarScanner is executed.
```yaml
- name: Build and analyze
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
```
I would like to grant the minimal required permissions. Which permissions should I grant to the token?
The mechanism is quite confusing for me. At the beginning, I didn't add the GITHUB_TOKEN
environment variable at all. My pull requests were successfully built, but the analysis of the main branch started failing. I configured the token to set permissions manually and didn't grant any permissions (I omitted the `permissions`
key in the workflow file). The build finished successfully. Currently my configuration looks like this:
```yaml
jobs:
  Build:
    # ...
    permissions:
      checks: write
    steps:
      # ...
      - name: Execute SonarScanner
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ${{ env.MAVEN_CMD }} sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
```
The `checks: write` permission is required by a different action (`scacap/action-surefire-report@v1`) used in the workflow. To be honest, I have no idea why the GitHub token is needed, but with this minimal configuration it works for me.

TL;DR: It looks to me like the token must be set, but it doesn't require any permissions.
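An added example, not part of the question or the answer above: a small Python check that computes the effective GITHUB_TOKEN permission set of every job from a workflow's `permissions` keys, following the rules GitHub documents (a job-level key replaces the workflow-level one rather than merging with it; once any key is present, every unlisted scope becomes `none`; `read-all`/`write-all` shortcuts; repository defaults when no key is set). The scope list and the "restricted"/"permissive" default levels are taken from GitHub's documentation at time of writing and are assumptions here; the workflow is supplied as an already-parsed dict (what a YAML loader such as PyYAML would return) so the script needs no third-party package. Run on the answer's configuration, it shows that `checks: write` alone leaves the token with no other scope, `contents: none` included.

```python
"""Effective GITHUB_TOKEN permissions per job, following GitHub's documented rules.

Rules implemented (as documented for GitHub Actions; treated as assumptions here):
  * `permissions` may appear at the workflow level and/or at the job level; a
    job-level key replaces the workflow-level one outright, it is not merged.
  * Once a `permissions` key applies, every scope it does not list is `none`,
    so `permissions: {checks: write}` also means `contents: none`.
  * `read-all` / `write-all` grant that level on every scope; `{}` grants nothing.
  * With no `permissions` key at either level, the repository default applies:
    "restricted" (contents/packages read, rest none) or "permissive"
    (everything write except id-token none).
  * `metadata` is always `read` and cannot be configured.
"""

# Scopes settable under `permissions:` (GitHub's documented list at time of writing).
SCOPES = (
    "actions", "attestations", "checks", "contents", "deployments", "discussions",
    "id-token", "issues", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses",
)
LEVELS = ("none", "read", "write")


def expand_permissions(spec):
    """Turn one `permissions:` value into a complete scope -> level mapping."""
    if spec == "read-all":
        perms = {s: "read" for s in SCOPES}
    elif spec == "write-all":
        perms = {s: "write" for s in SCOPES}
    elif isinstance(spec, dict):
        unknown = sorted(set(spec) - set(SCOPES))
        if unknown:
            raise ValueError(f"unknown permission scope(s): {unknown}")
        bad = {s: lvl for s, lvl in spec.items() if lvl not in LEVELS}
        if bad:
            raise ValueError(f"invalid permission level(s): {bad}")
        perms = {s: spec.get(s, "none") for s in SCOPES}  # unlisted scopes -> none
    else:
        raise ValueError(f"unsupported permissions value: {spec!r}")
    perms["metadata"] = "read"
    return perms


def default_permissions(repo_default="restricted"):
    """Token permissions when neither the workflow nor the job sets `permissions`."""
    if repo_default == "restricted":
        perms = {s: "none" for s in SCOPES}
        perms["contents"] = "read"
        perms["packages"] = "read"
    elif repo_default == "permissive":
        perms = {s: "write" for s in SCOPES}
        perms["id-token"] = "none"
    else:
        raise ValueError(f"unknown repository default: {repo_default!r}")
    perms["metadata"] = "read"
    return perms


def effective_permissions(workflow, repo_default="restricted"):
    """Map each job name to the full permission set its GITHUB_TOKEN receives."""
    wf_spec = workflow.get("permissions")
    result = {}
    for name, job in workflow.get("jobs", {}).items():
        if "permissions" in job:          # job-level key wins, no merging
            result[name] = expand_permissions(job["permissions"])
        elif wf_spec is not None:         # fall back to the workflow-level key
            result[name] = expand_permissions(wf_spec)
        else:                             # no key anywhere: repository default
            result[name] = default_permissions(repo_default)
    return result


def granted(perms):
    """Only the scopes that are not `none`, for a compact report."""
    return {s: lvl for s, lvl in sorted(perms.items()) if lvl != "none"}


# Constructed input: the job from the answer above, as a YAML loader would parse it.
ANSWER_WORKFLOW = {
    "jobs": {
        "Build": {
            "permissions": {"checks": "write"},
            "steps": [{"name": "Execute SonarScanner", "run": "..."}],
        }
    }
}

# Constructed input: the same job with no `permissions` key at either level.
NO_PERMISSIONS_WORKFLOW = {"jobs": {"Build": {"steps": []}}}

if __name__ == "__main__":
    for label, wf in (("answer", ANSWER_WORKFLOW), ("no key", NO_PERMISSIONS_WORKFLOW)):
        for job, perms in effective_permissions(wf).items():
            print(f"{label:>7} / {job}: {granted(perms)}")
```

The distinction worth keeping in mind is between omitting the key, which falls back to the repository default and therefore still grants `contents: read` on a restricted repository, and writing `permissions: {}`, which is the explicit form for "no scopes at all".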