Skip to content

Fix assumption that all CodeQL bundle URLs contain the tag name of the bundle#1517

Merged
henrymercer merged 5 commits intomainfrom
henrymercer/fix/not-all-bundle-urls-contain-tag
Feb 6, 2023
Merged

Fix assumption that all CodeQL bundle URLs contain the tag name of the bundle#1517
henrymercer merged 5 commits intomainfrom
henrymercer/fix/not-all-bundle-urls-contain-tag

Conversation

@henrymercer
Copy link
Contributor

@henrymercer henrymercer commented Feb 3, 2023

While implementing controlled switchover, we inadvertently introduced an assumption that all CodeQL bundle URLs contain the tag name of the bundle, for example codeql-bundle-2020230120. This is in fact not the case on GHES, where the bundle URL may be https://example.githubenterprise.com/api/v3/repos/github/codeql-action/releases/assets/1 when the CodeQL sync tool has been used to sync the CodeQL bundle to the GHES instance.

This PR adds a regression test and fixes that assumption.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.
  • Confirm the changelog has been updated if necessary.

@henrymercer henrymercer requested a review from a team as a code owner February 3, 2023 19:16
aeisenberg
aeisenberg reviewed Feb 3, 2023
View reviewed changes
@aibaars aibaars mentioned this pull request Feb 6, 2023
Closed
@aeisenberg
Copy link
Contributor

aeisenberg commented Feb 6, 2023
edited
Loading

I tried to download an untagged dev CLI instance: https://github.com/dsp-testing/aeisenberg-sarif-upload/actions/runs/4106366120/jobs/7084499130 The job failed. Here is the commit sha I am working with (private repository). dsp-testing/aeisenberg-sarif-upload@0576bc5

Note that the failure reason is a 404 during download, which is strange since the URL https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/untagged-9b0f002edc6e08260e8f/codeql-bundle-linux64.tar.gz works for me when I access it from the browser.

@aeisenberg
Copy link
Contributor

aeisenberg commented Feb 6, 2023

OK, So I tried again, but this time with a publicly available CLI version that has a non-standard tag. The download worked, but it looks like the tool wasn't cached in the toolcache. I don't think that's a problem.

aeisenberg
aeisenberg approved these changes Feb 6, 2023
View reviewed changes
Copy link
Contributor

@aeisenberg aeisenberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I've convinced myself that this fix will correctly download codeqls from arbitrary github releases.

@henrymercer
Copy link
Contributor Author

henrymercer commented Feb 6, 2023

👍, to summarize:

  • Draft releases are not publicly accessible, so the Actions GitHub token did not have access to the bundle from the draft release
  • Passing a PAT as the token input to init causes problems since the status API only accepts an Actions PAT
  • Working around by publishing the release to make it publicly accessible allows us to download tools from another release.
  • If there is no codeql-bundle-* tag in the URL, the bundle does not get cached. We think this is acceptable since (a) we don't yet have reason to recommend this, and (b) we have an internal issue for the more general issue of how we version the CodeQL Bundle that will also fix this.

@henrymercer henrymercer merged commit d396227 into main Feb 6, 2023
@henrymercer henrymercer deleted the henrymercer/fix/not-all-bundle-urls-contain-tag branch February 6, 2023 18:20
@github-actions github-actions bot mentioned this pull request Feb 6, 2023
Merged
6 tasks
@coderabbitai coderabbitai bot mentioned this pull request Mar 6, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aeisenberg aeisenberg aeisenberg approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@henrymercer @aeisenberg