fix: sonarqube not running for contributors

2026-01-07 14:20:31 -06:00 · 2025-03-11 13:13:14 +01:00
parent 0b9a884364
commit ec487899da
1 changed files with 8 additions and 2 deletions
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -4,7 +4,7 @@ on:
  push:
    branches:
      - main
-  pull_request:
+  pull_request_target: # Using pull_request_target to access secrets in fork PRs
    types: [opened, synchronize, reopened]
  merge_group:
 permissions:
@@ -14,9 +14,14 @@ jobs:
    name: SonarQube
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+          # For pull_request_target, we need to check out the PR head
+          ref: ${{ github.event_name == 'pull_request_target' && format('refs/pull/{0}/merge', github.event.pull_request.number) || '' }}
+          # Use GitHub's fetching instead of the action's unsafe code checkouts for PRs
+          repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}

      - name: Setup Node.js 20.x
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
@@ -51,3 +56,4 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL || 'https://sonarcloud.io' }}