Upload sarif report file to gh registry (#111)

* Add .idea dir to gitignore * Add a script for sending Android lint results to GH registry * Rename script to correct one, add x chmod * Rename to "upload sarif to gh" as the file doesn't have to be Android lint one * Remove removing the report file at the end - it's not needed * Use variables in path name instead of hardcoding * Remove not-so-useful comment * Rename command to more readable * Add error handling - if sarif file exists and is readable - if GITHUB_TOKEN exists * Use a temp files instead of creating files in a repo directly * Add an empty line at the end of the file * Check if sarif file exists and is a regular file * Fail the script at expected places, instead fast fail when checking for parameter existence #111 (comment) * Add changelog entry
Automattic · Sep 9, 2024 · b15c20a · b15c20a
1 parent 437cd6e
commit b15c20a
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 
 .DS_Store
+.idea/
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,7 +18,7 @@ _None._
 
 ### New Features
 
-_None._
+- Introduce a command for uploading .sarif files to GitHub's registry [#111]
 
 ### Bug Fixes
 

diff --git a/bin/upload_sarif_to_github b/bin/upload_sarif_to_github
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -euo pipefail
+
+sarif_file="${1:-}"
+owner="${2:-}"
+repo="${3:-}"
+
+if [ -z "$sarif_file" ] || [ -z "$owner" ] || [ -z "$repo" ]; then
+  echo "Not enough arguments provided. Usage: ./upload_sarif_to_gh.sh <path to .sarif report> <gh owner> <gh repo>"
+  exit 1
+fi
+
+if [ ! -f "$sarif_file" ]; then
+  echo "Error: The specified sarif file '$sarif_file' does not exist or is not a regular file."
+  exit 1
+fi
+
+if [ ! -r "$sarif_file" ]; then
+  echo "Error: The specified sarif file '$sarif_file' is not readable."
+  exit 1
+fi
+
+# Check that GITHUB_TOKEN is set
+if [ -z "${GITHUB_TOKEN:-}" ]; then
+  echo "Error: GITHUB_TOKEN is not defined."
+  exit 1
+fi
+
+sarif_base64_temp_file=$(mktemp)
+
+gzip -c "$sarif_file" | base64 > "$sarif_base64_temp_file"
+
+if [[ -n $BUILDKITE_PULL_REQUEST ]]; then
+  json=$(jq -n \
+    --arg commit_sha "$BUILDKITE_COMMIT" \
+    --arg pr_number "$BUILDKITE_PULL_REQUEST" \
+    --rawfile sarif "$sarif_base64_temp_file" \
+    '{
+     "commit_sha": $commit_sha,
+     "ref": ("refs/pull/"+$pr_number+"/head"),
+     "sarif": $sarif
+   }')
+elif [[ "$BUILDKITE_BRANCH" == "$BUILDKITE_PIPELINE_DEFAULT_BRANCH" ]]; then
+  json=$(jq -n \
+    --arg commit_sha "$BUILDKITE_COMMIT" \
+    --arg branch "$BUILDKITE_BRANCH" \
+    --rawfile sarif "$sarif_base64_temp_file" \
+    '{
+     "commit_sha": $commit_sha,
+     "ref": ("refs/heads/$branch"),
+     "sarif": $sarif
+   }')
+fi
+
+sarif_json_temp_file=$(mktemp)
+echo "$json" > "$sarif_json_temp_file"
+
+curl -L \
+  -X POST \
+  -H "Accept: application/vnd.github+json" \
+  -H "Authorization: Bearer $GITHUB_TOKEN" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  --data-binary "@$sarif_json_temp_file" \
+  https://api.github.com/repos/"$owner"/"$repo"/code-scanning/sarifs
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,7 +18,7 @@ _None._ @@
     ### New Features
-    _None._
+    - Introduce a command for uploading .sarif files to GitHub's registry [#111]
     ### Bug Fixes
@@ Expand Down @@