Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix assumption that all CodeQL bundle URLs contain the tag name of the bundle #1517

Merged
merged 5 commits into from
Feb 6, 2023

Conversation

henrymercer
Copy link
Contributor

While implementing controlled switchover, we inadvertently introduced an assumption that all CodeQL bundle URLs contain the tag name of the bundle, for example codeql-bundle-2020230120. This is in fact not the case on GHES, where the bundle URL may be https://example.githubenterprise.com/api/v3/repos/github/codeql-action/releases/assets/1 when the CodeQL sync tool has been used to sync the CodeQL bundle to the GHES instance.

This PR adds a regression test and fixes that assumption.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.
  • Confirm the changelog has been updated if necessary.

@henrymercer henrymercer requested a review from a team as a code owner February 3, 2023 19:16
src/setup-codeql.ts Outdated Show resolved Hide resolved
src/setup-codeql.ts Outdated Show resolved Hide resolved
src/setup-codeql.ts Show resolved Hide resolved
@aeisenberg
Copy link
Contributor

aeisenberg commented Feb 6, 2023

I tried to download an untagged dev CLI instance: https://github.com/dsp-testing/aeisenberg-sarif-upload/actions/runs/4106366120/jobs/7084499130 The job failed. Here is the commit sha I am working with (private repository). https://github.com/dsp-testing/aeisenberg-sarif-upload/commit/0576bc5134025ab810bb47a6c6c67ebe1209d707

Note that the failure reason is a 404 during download, which is strange since the URL https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/untagged-9b0f002edc6e08260e8f/codeql-bundle-linux64.tar.gz works for me when I access it from the browser.

@aeisenberg
Copy link
Contributor

OK, So I tried again, but this time with a publicly available CLI version that has a non-standard tag. The download worked, but it looks like the tool wasn't cached in the toolcache. I don't think that's a problem.

Copy link
Contributor

@aeisenberg aeisenberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I've convinced myself that this fix will correctly download codeqls from arbitrary github releases.

@henrymercer
Copy link
Contributor Author

👍, to summarize:

  • Draft releases are not publicly accessible, so the Actions GitHub token did not have access to the bundle from the draft release
  • Passing a PAT as the token input to init causes problems since the status API only accepts an Actions PAT
  • Working around by publishing the release to make it publicly accessible allows us to download tools from another release.
  • If there is no codeql-bundle-* tag in the URL, the bundle does not get cached. We think this is acceptable since (a) we don't yet have reason to recommend this, and (b) we have an internal issue for the more general issue of how we version the CodeQL Bundle that will also fix this.

@henrymercer henrymercer merged commit d396227 into main Feb 6, 2023
@henrymercer henrymercer deleted the henrymercer/fix/not-all-bundle-urls-contain-tag branch February 6, 2023 18:20
@github-actions github-actions bot mentioned this pull request Feb 6, 2023
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants