Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for downloading packs from GHES #1221

Merged
merged 14 commits into from
Sep 8, 2022
Merged
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
101 changes: 101 additions & 0 deletions .github/workflows/__init-with-registries.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ No user facing changes.
## 2.1.22 - 01 Sep 2022

- Downloading CodeQL packs has been moved to the `init` step. Previously, CodeQL packs were downloaded during the `analyze` step. [#1218](https://github.com/github/codeql-action/pull/1218)
- Allow CodeQL packs to be downloaded from GitHub Enterprise Server instances. [#1221](https://github.com/github/codeql-action/pull/1221)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we mention the registries field here briefly?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see this entry is in the wrong version. I'll change that, too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd also like to link to the documentation when it is available, but that won't be out for a while.

- Update default CodeQL bundle version to 2.10.4. [#1224](https://github.com/github/codeql-action/pull/1224)
- The newly released [Poetry 1.2](https://python-poetry.org/blog/announcing-poetry-1.2.0) is not yet supported. In the most common case where the CodeQL Action is automatically installing Python dependencies, it will continue to install and use Poetry 1.1 on its own. However, in certain cases such as with self-hosted runners, you may need to ensure Poetry 1.1 is installed yourself.

Expand Down
30 changes: 28 additions & 2 deletions init/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,35 @@ inputs:
description: The languages to be analysed
required: false
token:
description: GitHub token to use for authenticating with this instance of GitHub. To download custom packs from multiple registries, use the registries input.
default: ${{ github.token }}
required: false
registries:
description: |
A YAML string that defines the list of GitHub container registries to use for downloading packs. The string is in the following forma (the | is required on the first line):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
A YAML string that defines the list of GitHub container registries to use for downloading packs. The string is in the following forma (the | is required on the first line):
A YAML string that defines the list of GitHub container registries to use for downloading packs. The string is in the following form (the | is required on the first line):


registries: |
- url: https://containers.GHEHOSTNAME1/v2/
packages:
- my-company/*
- my-company2/*
token: ${{ secrets.GHEHOSTNAME1_TOKEN }}

- url: https://ghcr.io/v2/
packages: */*
token: ${{ secrets.GHCR_TOKEN }}

The url property contains the url to the container registry you want to connect to.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The url property contains the url to the container registry you want to connect to.
The url property contains the URL to the container registry you want to connect to.


The packages property contains a single entry or a list of globs specifying packages that can be found in the container registry. Order is important. Earlier entries will match before later entries.

The token property contains a connection token for this registry.

If this input is missing, the `token` input is used for all pack downloads.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised to read this — shouldn't we ensure that the token input is only ever passed to the current GitHub instance?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure what you mean here. If the registries input is missing, then we only connect to the current GitHub instance and we always use the token input to connect.

Would it be sufficient to say something like:

If you only need to download packages from this GitHub instance, use the token input instead.

?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification. I originally interpreted "the token input is used for all pack downloads" to mean that we would pass the token input to the registry for each pack. Your suggestion sounds a lot clearer 👍

required: false
matrix:
default: ${{ toJson(matrix) }}
required: false
config-file:
description: Path of the config file to use
required: false
Expand All @@ -32,7 +58,7 @@ inputs:
analyses, you must specify packs in the codeql-config.yml file.
required: false
external-repository-token:
description: A token for fetching external config files and queries if they reside in a private repository.
description: A token for fetching external config files and queries if they reside in a private repository in the same GitHub instance that is running this action.
required: false
setup-python-dependencies:
description: Try to auto-install your python dependencies
Expand Down Expand Up @@ -82,4 +108,4 @@ outputs:
runs:
using: 'node16'
main: '../lib/init-action.js'
post: '../lib/init-action-post.js'
post: '../lib/init-action-post.js'
9 changes: 8 additions & 1 deletion lib/codeql.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/codeql.js.map

Large diffs are not rendered by default.

2 changes: 2 additions & 0 deletions lib/codeql.test.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/codeql.test.js.map

Large diffs are not rendered by default.

97 changes: 77 additions & 20 deletions lib/config-utils.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/config-utils.js.map

Large diffs are not rendered by default.

Loading