Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document token input #2110

Merged
merged 1 commit into from
Feb 8, 2024
Merged

Document token input #2110

merged 1 commit into from
Feb 8, 2024

Conversation

jsoref
Copy link
Contributor

@jsoref jsoref commented Feb 1, 2024

I can't validate this, at the moment my jobs are stuck waiting for runners for macOS. I'm assuming that's because of the PRs I've been working on for github/codeql. I filed https://support.github.com/ticket/personal/0/2568638.

Goals:

  • remove some trailing whitespace
  • resolve Workflows are missing permissions requests codeql#15462 (comment) by converting sendStatusReport into a function that always returns true and uses core.warning instead of core.error
  • add an optional secrets.CODEQL_TOKEN to allow workflows in forks of this repository to try to work around github limits which result in failures due to limits (presumably on the default github-actions application) -- I can't tell if this works (see preamble)
  • add input.token.description to action.yml files to explain the purpose of the token in each case (more or less -- I'm not remotely certain about any of these)
  • hopefully I've correctly adjusted the pr-check & workflow things -- this sync stuff is a PITA to deal with -- it'd be nice if there was autogenerated output to update pr-check, but afaict there isn't

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.
  • Confirm the changelog has been updated if necessary.

@angelapwen
Copy link
Contributor

Thank you (again!) for the contribution ✨ as this is a somewhat larger change, we're going to take a bit of time to review — but rest assured that it's on our radar and to-do lists.

Copy link
Contributor

@angelapwen angelapwen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution 💖 and your patience as we reviewed the PR! I wrote in some suggestions and specific code-related comments, but here are some other higher-level comments:

  • Could we drop the node_modules changes here, as they seem to be unrelated to the changes? We'd also like to make sure we Squash merge rather than Merge commit when the PR is in so that the change isn't in the commit history of main.
  • We'd also like to separate out the last change (adding ${{ secrets.CODEQL_TOKEN }} to all workflows owned by us, to keep the PR simpler. We may look into a better way of auto-generating this line for steps using actions that we own.
  • If you could rename the PR title to be more descriptive of the changes, that would be great!

Let us know if we can clarify further!! Thanks again 😸

* This API it calls is private and it is not critical that it succeed:
* https://github.com/github/codeql/issues/15462#issuecomment-1919186317
*
* Returns true.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's have this function not return anything then as I think there's limited value in always returning true. It looks like we're not doing much with the return value in any case.

autobuild/action.yml Outdated Show resolved Hide resolved
analyze/action.yml Outdated Show resolved Hide resolved
'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
"Uploading Code Scanning results requires write access. " +
'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
"See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.",
);
} else {
core.setFailed(e.message || GENERIC_403_MSG);
core.warning(e.message || GENERIC_403_MSG);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because we're no longer failing the entire workflow at this stage, we'd like to provide a better error when we upload SARIF if that API call returns 403/404. So perhaps we can simply do core.warning(e.message) in this file (and below, in the 404 case, and move the GENERIC_403_MSG and GENERIC_404_MSG to catch these response codes after this call:

const response = await client.request(
?

resolve-environment/action.yml Outdated Show resolved Hide resolved
upload-sarif/action.yml Outdated Show resolved Hide resolved
@jsoref jsoref changed the title Adjust Tokens Document token input Feb 8, 2024
@angelapwen
Copy link
Contributor

Thank you for splitting these up ✨

@angelapwen angelapwen enabled auto-merge (squash) February 8, 2024 09:36
@angelapwen angelapwen merged commit 9e39a05 into github:main Feb 8, 2024
301 checks passed
@jsoref jsoref deleted the tokens branch February 8, 2024 13:20
@github-actions github-actions bot mentioned this pull request Feb 13, 2024
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Workflows are missing permissions requests
2 participants