Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enabling zstd bundles for GHES seems to have broken proxy support on Enterprise Cloud with self-hosted runners #2593

Closed
vyadh opened this issue Nov 12, 2024 · 4 comments · Fixed by #2599
Closed

Enabling zstd bundles for GHES seems to have broken proxy support on Enterprise Cloud with self-hosted runners #2593

vyadh opened this issue Nov 12, 2024 · 4 comments · Fixed by #2599
Assignees
@NlightNFotis
Labels
bug Something isn't working

Comments

@vyadh
Copy link

vyadh commented Nov 12, 2024

It looks like a recent change to enable zstd bundles on GHES has broken CodeQL scanning for anyone on Enterprise Cloud with self-hosted runners that are behind a proxy that is configured by the normal https_proxy type system variables.

I did some investigation to understand why, and it appears that in the commit 33f2dc5 the code path used now always uses the streaming version as the feature flag that previously prevented it has been removed.

The main problem seems to be that the change from v3.27.0 to v3.27.1 has switched http libraries and broken the previous proxy support.

Specifically, in the working v3.27.0 version, the feature flag checked here:
https://github.com/github/codeql-action/blob/v3.27.0/lib/tools-download.js#L59
wasn't triggered and therefore it used this code path:
https://github.com/github/codeql-action/blob/v3.27.0/lib/tools-download.js#L73
which downloads via the tool-cache:
https://github.com/actions/toolkit/blob/main/packages/tool-cache/src/tool-cache.ts
and this respects the system proxy variables as you can see in:
https://github.com/actions/toolkit/blob/main/packages/http-client/src/proxy.ts

Unfortunately, now the feature flag is removed in v3.27.1:
https://github.com/github/codeql-action/blob/v3.27.1/lib/tools-download.js#L62
it always uses the streaming method, but this does not use the toolkit http-client that includes system proxy support but instead appears to use the follow_directs library here:
https://github.com/github/codeql-action/blob/v3.27.1/lib/tools-download.js#L62
which appears to be a small wrapper over the basic node fetch functionality and does not support proxies as far as I can make out.

This ultimately has meant that we've had to revert to v3.27.0 functionality to get CodeQL scanning in our Enterprise Cloud self-hosted runners working again.

As a short term fix, is it possible this feature flag can be brought back until proxy support has been added to the new streaming method?
@aeisenberg aeisenberg added the bug Something isn't working label Nov 12, 2024
@aeisenberg
Copy link
Contributor

Thanks for reporting this issue and for doing a deep dive into the cause of this. We'll take a look and I hope to have a fix shortly.

This was referenced Nov 12, 2024
Merged
Open
@aeisenberg
Copy link
Contributor

@NlightNFotis has pushed a fix for this and made a new release. Would you be able to verify the fix by updating to the latest version of the codeql action?

@i-cannot-figure-out-a-good-nick
Copy link

Thanks for the prompt fix!

@vyadh
Copy link
Author

vyadh commented Nov 13, 2024
edited
Loading

@aeisenberg @NlightNFotis I can confirm it is now fixed for us. Hugely appreciate the super quick turn around on this. Thanks so much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@NlightNFotis NlightNFotis

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

workaround: disable streaming when downloading codeql bundle github/codeql-action
4 participants
@aeisenberg @NlightNFotis @vyadh @i-cannot-figure-out-a-good-nick