-
Notifications
You must be signed in to change notification settings - Fork 323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document token input #2110
Document token input #2110
Conversation
Thank you (again!) for the contribution ✨ as this is a somewhat larger change, we're going to take a bit of time to review — but rest assured that it's on our radar and to-do lists. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your contribution 💖 and your patience as we reviewed the PR! I wrote in some suggestions and specific code-related comments, but here are some other higher-level comments:
- Could we drop the
node_modules
changes here, as they seem to be unrelated to the changes? We'd also like to make sure weSquash merge
rather thanMerge commit
when the PR is in so that the change isn't in the commit history ofmain
. - We'd also like to separate out the last change (adding
${{ secrets.CODEQL_TOKEN }}
to all workflows owned by us, to keep the PR simpler. We may look into a better way of auto-generating this line for steps using actions that we own. - If you could rename the PR title to be more descriptive of the changes, that would be great!
Let us know if we can clarify further!! Thanks again 😸
src/status-report.ts
Outdated
* This API it calls is private and it is not critical that it succeed: | ||
* https://github.com/github/codeql/issues/15462#issuecomment-1919186317 | ||
* | ||
* Returns true. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's have this function not return anything then as I think there's limited value in always returning true
. It looks like we're not doing much with the return value in any case.
src/status-report.ts
Outdated
'Workflows triggered by Dependabot on the "push" event run with read-only access. ' + | ||
"Uploading Code Scanning results requires write access. " + | ||
'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' + | ||
"See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.", | ||
); | ||
} else { | ||
core.setFailed(e.message || GENERIC_403_MSG); | ||
core.warning(e.message || GENERIC_403_MSG); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because we're no longer failing the entire workflow at this stage, we'd like to provide a better error when we upload SARIF if that API call returns 403/404. So perhaps we can simply do core.warning(e.message)
in this file (and below, in the 404 case, and move the GENERIC_403_MSG
and GENERIC_404_MSG
to catch these response codes after this call:
codeql-action/src/upload-lib.ts
Line 110 in cf7e9f2
const response = await client.request( |
Thank you for splitting these up ✨ |
I can't validate this, at the moment my jobs are stuck waiting for runners for macOS. I'm assuming that's because of the PRs I've been working on for github/codeql. I filed https://support.github.com/ticket/personal/0/2568638.
Goals:
remove some trailing whitespaceresolve Workflows are missing permissions requests codeql#15462 (comment) by convertingsendStatusReport
into a function that always returnstrue
and usescore.warning
instead ofcore.error
add an optionalsecrets.CODEQL_TOKEN
to allow workflows in forks of this repository to try to work around github limits which result in failures due to limits (presumably on the default github-actions application) -- I can't tell if this works (see preamble)input.token.description
toaction.yml
files to explain the purpose of the token in each case (more or less -- I'm not remotely certain about any of these)hopefully I've correctly adjusted the pr-check & workflow things -- this sync stuff is a PITA to deal with -- it'd be nice if there was autogenerated output to update pr-check, but afaict there isn'tMerge / deployment checklist