monta-app · tobias0106 · May 29, 2026 · May 29, 2026
@@ -46,6 +46,9 @@ on:
         default: false
         description: 'Skip PR title check'
     secrets:
+      TAILSCALE_AUTHKEY:
+        required: false
+        description: "Tailscale auth key. When set, the runner joins the tailnet so it can reach the self-hosted SonarQube. Leave unset to keep scanning SonarCloud."
       GHL_USERNAME:
         required: true
         description: "Github Username (Gradle plugin)"
@@ -54,7 +57,7 @@ on:
         description: "Github Password (Gradle plugin)"
       SONAR_TOKEN:
         required: true
-        description: "SonarCloud token"
+        description: "SonarQube token"
 jobs:
   setup:
     name: Setup
@@ -77,6 +80,8 @@ jobs:
     needs: setup
     runs-on: ${{ needs.setup.outputs.runner-name }}
     timeout-minutes: ${{ inputs.test-timeout-minutes }}
+    env:
+      TAILSCALE_AUTHKEY: ${{ secrets.TAILSCALE_AUTHKEY }}
     steps:
       # Checkout
       - name: Checkout
@@ -129,7 +134,17 @@ jobs:
             /home/runner/.gradle/daemon/**/daemon-*.out.log
           retention-days: 2
           overwrite: true
-      - name: Upload results to SonarCloud
+      # The self-hosted SonarQube lives behind the Monta VPN, so the runner
+      # needs to join the tailnet before the scan step can reach it. Skipped
+      # automatically for repos still on SonarCloud (no TAILSCALE_AUTHKEY passed).
+      - name: Tailscale
+        if: ${{ !inputs.skip-sonar && env.TAILSCALE_AUTHKEY != '' }}
+        uses: tailscale/github-action@6cae46e2d796f265265cfcf628b72a32b4d7cade # v3.3.0
+        with:
+          authkey: ${{ env.TAILSCALE_AUTHKEY }}
+          hostname: "github-${{ github.run_id }}"
+          args: "--login-server https://headscale.monta.com --accept-routes"
+      - name: Upload results to SonarQube
         if: ${{ !inputs.skip-sonar }}
         env:
           GHL_USERNAME: ${{ secrets.GHL_USERNAME }}

@@ -1,4 +1,4 @@
-name: Sonar Cloud Analysis
+name: SonarQube Analysis
 on:
   workflow_call:
     inputs:
@@ -26,6 +26,9 @@ on:
         default: "--no-daemon --parallel"
         description: 'Additional Gradle arguments'
     secrets:
+      TAILSCALE_AUTHKEY:
+        required: false
+        description: "Tailscale auth key. When set, the runner joins the tailnet so it can reach the self-hosted SonarQube. Leave unset to keep scanning SonarCloud."
       GHL_USERNAME:
         required: true
         description: "Github Username (Gradle plugin)"
@@ -49,10 +52,12 @@ jobs:
           runner-size: ${{ inputs.runner-size }}
           architecture: ${{ inputs.architecture }}
   sonar-cloud:
-    name: Sonar Cloud Analysis
+    name: SonarQube Analysis
     needs: setup
     runs-on: ${{ needs.setup.outputs.runner-name }}
     timeout-minutes: 30
+    env:
+      TAILSCALE_AUTHKEY: ${{ secrets.TAILSCALE_AUTHKEY }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
@@ -64,12 +69,22 @@ jobs:
           distribution: corretto
           java-version: ${{ inputs.java-version }}
           cache: 'gradle'
-      - name: Cache SonarCloud packages
+      - name: Cache SonarQube packages
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
+      # The self-hosted SonarQube lives behind the Monta VPN, so the runner
+      # needs to join the tailnet before the scan step can reach it. Skipped
+      # automatically for repos still on SonarCloud (no TAILSCALE_AUTHKEY passed).
+      - name: Tailscale
+        if: ${{ env.TAILSCALE_AUTHKEY != '' }}
+        uses: tailscale/github-action@6cae46e2d796f265265cfcf628b72a32b4d7cade # v3.3.0
+        with:
+          authkey: ${{ env.TAILSCALE_AUTHKEY }}
+          hostname: "github-${{ github.run_id }}"
+          args: "--login-server https://headscale.monta.com --accept-routes"
       - name: Build and analyze
         env:
           GHL_USERNAME: ${{ secrets.GHL_USERNAME }}