Document token input #2110
Document token input #2110
Conversation
|
Thank you (again!) for the contribution ✨ as this is a somewhat larger change, we're going to take a bit of time to review — but rest assured that it's on our radar and to-do lists. |
There was a problem hiding this comment.
Thank you for your contribution 💖 and your patience as we reviewed the PR! I wrote in some suggestions and specific code-related comments, but here are some other higher-level comments:
- Could we drop the
node_moduleschanges here, as they seem to be unrelated to the changes? We'd also like to make sure weSquash mergerather thanMerge commitwhen the PR is in so that the change isn't in the commit history ofmain. - We'd also like to separate out the last change (adding
${{ secrets.CODEQL_TOKEN }}to all workflows owned by us, to keep the PR simpler. We may look into a better way of auto-generating this line for steps using actions that we own. - If you could rename the PR title to be more descriptive of the changes, that would be great!
Let us know if we can clarify further!! Thanks again 😸
src/status-report.ts
Outdated
| * This API it calls is private and it is not critical that it succeed: | ||
| * https://github.com/github/codeql/issues/15462#issuecomment-1919186317 | ||
| * | ||
| * Returns true. |
There was a problem hiding this comment.
Let's have this function not return anything then as I think there's limited value in always returning true. It looks like we're not doing much with the return value in any case.
src/status-report.ts
Outdated
| 'Workflows triggered by Dependabot on the "push" event run with read-only access. ' + | ||
| "Uploading Code Scanning results requires write access. " + | ||
| 'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' + | ||
| "See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.", | ||
| ); | ||
| } else { | ||
| core.setFailed(e.message || GENERIC_403_MSG); | ||
| core.warning(e.message || GENERIC_403_MSG); |
There was a problem hiding this comment.
Because we're no longer failing the entire workflow at this stage, we'd like to provide a better error when we upload SARIF if that API call returns 403/404. So perhaps we can simply do core.warning(e.message) in this file (and below, in the 404 case, and move the GENERIC_403_MSG and GENERIC_404_MSG to catch these response codes after this call:
codeql-action/src/upload-lib.ts
Line 110 in cf7e9f2
|
Thank you for splitting these up ✨ |
I can't validate this, at the moment my jobs are stuck waiting for runners for macOS. I'm assuming that's because of the PRs I've been working on for github/codeql. I filed https://support.github.com/ticket/personal/0/2568638.
Goals:
remove some trailing whitespaceresolve Workflows are missing permissions requests codeql#15462 (comment) by convertingsendStatusReportinto a function that always returnstrueand usescore.warninginstead ofcore.erroradd an optionalsecrets.CODEQL_TOKENto allow workflows in forks of this repository to try to work around github limits which result in failures due to limits (presumably on the default github-actions application) -- I can't tell if this works (see preamble)input.token.descriptiontoaction.ymlfiles to explain the purpose of the token in each case (more or less -- I'm not remotely certain about any of these)hopefully I've correctly adjusted the pr-check & workflow things -- this sync stuff is a PITA to deal with -- it'd be nice if there was autogenerated output to update pr-check, but afaict there isn'tMerge / deployment checklist