-
Notifications
You must be signed in to change notification settings - Fork 333
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
upload-sarif
action seems to always use GITHUB_WORKSPACE
Git information to compute commit_oid
#952
Comments
Have you tried setting the codeql-action/upload-sarif/action.yml Lines 16 to 21 in 21c48e7
|
I have. Made no difference. Log excerpt
Also, since these are not working for PRs from forks that wouldn't be a solution, as that's the only reason I'm using this action. |
I only did fairly superficial checks before trying to work around the problem, but IIUC, PRs also fail to upload results, since the PR merge ref cannot be checked out. |
If I understand correctly, the workflow is trying to upload some SARIF to a different repository than the one currently runing the workflow? The codeql-action was not designed to operate in this manner. If this is what you are trying to do, you will need to avoid using the codeql-action at all and use the codeql CLI directly to perform the upload. essentially, you will need to treat the upload as coming from a third party CI system. There is a command, It will be a bit more finicky since you will need to specify the correct SHA, head, and base refs, and repository. But I think it should work. Also, you will need to make sure that the PAT used to upload will have enough privileges to upload security results to the appropriate repository. In order to do this, you will need to create a new repository secret for a PAT you have generated that will have upload access to this repo. Let me know if you have any difficulties with this and I can go into more detail. |
No, it's the correct destination repository, but it specifies a wrong SHA for the Basically, while a Since my use case includes scan results in PRs from forks in a workflow, this action is the only (documented and safe) solution. I don't know whether I'd violate the ToS of GitHub by just calling this API directly, so I've since completely restructured my workflow to make it work by checking out the component being scanned without a IMO this behavior is a bug: It is both unexpected (existence of |
OK. Thanks for explaining. That does sound like a bug. The That being said, my previous comment would still be a viable workaround until there is a fix. You can still call the |
I'm not that familiar with the GitHub actions security model, but AFAIUI even PR authors can edit workflows and therefore access any secrets made available to them, which is why If I wanted that I could have had it with my |
Uploading SARIF files using the
upload-sarif@v1
action can fail with:The problem here seems to be that the
commit_oid
parameter in the uploaded JSON is from an entirely different repository: the repository that's the "main" checkout (the one with emptypath
parameter toactions/checkout@v2
), even withcheckout_path
specified.Full log output
If no repository is checked out at this location (i.e. every
actions/checkout@v2
has apath
), then the error is the same as in #944 (but at least the upload still happens, at least for a non-PR upload).The text was updated successfully, but these errors were encountered: