objectionary / eo

EOLANG, an Experimental Pure Object-Oriented Programming Language Based on 𝜑-calculus
https://www.eolang.org
MIT License

Can we use some static analysis like Sonar in CI on PR? #3242

Open c71n93 opened 4 days ago

c71n93 commented 4 days ago

I faced several problems while fixing issues reported by Sonar Cloud. The main problem is that Sonar Cloud doesn't fit into our organization's workflow. We can't use it to check new code from PRs because of a problem with repository secrets and forks. According to https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions: "With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository."

So now we have a situation where Sonar analysis runs on new code only after it is merged into master. It means that we will find out about bugs only when they are already in master. So this problem is obvious.

Another problem appears when someone tries to fix such bugs. This person needs to make sure that the problem is actually fixed, but the only straightforward way to do so is to merge the code and see whether it fixes the problem (or not). In my case I created a new account on Sonar Cloud and ran the analysis on my forked repo with the changes I needed to test (example: https://github.com/c71n93/eo/pull/5). It's an ugly way, but I haven't found another one.

Thus, currently all new Sonar violations are simply ignored. Getting rid of Sonar is definitely not the way. I think the only way to overcome these problems is to add some other static analysis checks on PRs that will cover most of the Sonar checks (because the Sonar violations are really useful).
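The workflow shape the report is asking for, as an added illustration that is not the eo project's own workflow and not part of the original issue: secret-free static analysis runs on every `pull_request` event (fork PRs included, since it needs no secrets), while the Sonar job, which needs a token, runs only on pushes to master and on PRs whose head branch lives in the base repository. The Maven `qulice` profile, the `sonar:sonar` goal and the `SONAR_TOKEN` secret name are assumptions about the project's build; adjust them to whatever the repository actually uses.

```yaml
# Added example, not the eo repository's workflow. Assumes a Maven build with a
# "qulice" profile for secret-free checks and a configured sonar-maven-plugin;
# those names and the SONAR_TOKEN secret are assumptions.
name: static-analysis

on:
  pull_request:            # fires for fork PRs too, but without repository secrets
  push:
    branches: [master]

jobs:
  lint:
    # Runs on every PR, including ones from forks, because it needs no secrets.
    # This is where the checks that replace the Sonar rules on PRs belong.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - run: mvn -B verify -Pqulice   # assumed profile name

  sonar:
    # SONAR_TOKEN is absent for fork-originated PRs, so run this only where the
    # secret exists: pushes to master, and PRs whose head repo is this repo.
    # Do NOT work around the missing secret by switching to pull_request_target
    # and checking out the PR head: that executes untrusted PR code (the Maven
    # build itself) with the base repository's secrets available.
    runs-on: ubuntu-latest
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so Sonar can attribute new code
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - run: mvn -B verify sonar:sonar   # assumed goal; plugin config lives in the POM
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # assumed secret name
```

The `if:` expression short-circuits on `push` events, where `github.event.pull_request` is null; on `pull_request` events it compares the PR head repository with the repository the workflow belongs to, which is exactly the distinction the GitHub secrets documentation quoted above draws.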

github-actions[bot] commented 4 days ago

@c71n93 thanks for the report, here is some feedback:

Problems

I would recommend using headers to structure the report, making it easier to follow and understand.

Please fix the bug report in order for it to get resolved faster. Analyzed with gpt-4