Working with Dependabot Pull Requests

[Ne0nd0g]

When Dependabot makes a pull request & commit, GitHub Actions does not seem to have access the QODANA_TOKEN (see output below). When I personally make a push, the Qodana workflow functions as normal and has access to QODANA_TOKEN. Is there a way to perform a Qodana scan without a token?

Pulling the image jetbrains/qodana-go:2023.2...
✓  Finished pulling the latest version of linter
/opt/hostedtoolcache/qodana/2023.2.8/x64/qodana scan --cache-dir /home/runner/work/_temp/qodana/caches --results-dir /home/runner/work/_temp/qodana/results --skip-pull  --commit CIe80c47a7e441e39615d54368b871d004b3b698d3
2023/11/28 12:31:55 
Starting from version 2023.2 release versions of Qodana Linters require connection to Qodana Cloud. 
To continue using Qodana, please ensure you have an access token and provide the token as the QODANA_TOKEN environment variable.
Obtain your token by registering at https://qodana.cloud/
For more details, please visit: https://www.jetbrains.com/help/qodana/project-token.html
We also offer Community versions as an alternative. You can find them here: https://www.jetbrains.com/help/qodana/linters.html
✗  Qodana exited with code 1

!  Check ./logs/ in the results directory for more information
Error: qodana scan failed with exit code 1

[Orange23333]

I just got the same error message. I checked each configure files.
Finally, I found this line: linter: jetbrains/qodana-<linter>:latest. As you can see, in the last line of the default qodana.yaml Jet Brain gave you, you have to fill a linter.
To me, I just commented that line and the QA works.
Hope my report is useful to you.

[zeusfly-spb]

Good!

[Ne0nd0g]

@Orange23333 Thanks for following up. I don't have a qodana.yaml file at all in my project. I just have a GitHub action code_quality.yml like this one https://www.jetbrains.com/help/qodana/2023.2/github.html#Usage .

It seems like Qodana is automatically determining the linter:

No cache found for input keys: qodana-2023.2-refs/heads/dev-4b8f253c54f737059aa36fe33940f385c2dcce27, qodana-2023.2-refs/heads/dev.
          With cache the pipeline would be faster.
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/185c36e9-0d75-4241-b456-23c6b8622b7e -f /home/runner/work/_temp/0dabb9f6-9726-477d-b73b-8fda1dd5796b
/opt/hostedtoolcache/qodana/2023.2.9/x64/qodana pull

!  No valid qodana.yaml found. Have you run qodana init? Running that for you...
Scanning project...

!  Detected technologies: Go, Makefile

✓  Added jetbrains/qodana-go:2023.2

Pulling the image jetbrains/qodana-go:2023.2...
✓  Finished pulling the latest version of linter

[qodana-bot]

There's no way to perform a scan with a paid linter without a token, but it's possible to share the token with @dependabot https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#adding-a-repository-secret-for-dependabot

[zeusfly-spb]

Нихрена нет