-
-
Notifications
You must be signed in to change notification settings - Fork 777
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update codeql.yml to automatically create new CodeQL issues #6503
Update codeql.yml to automatically create new CodeQL issues #6503
Conversation
Want to review this pull request? Take a look at this documentation for a step by step guide! From your project repository, check out a new branch and test the changes.
Note that CONTRIBUTING.md cannot previewed locally; rather it should be previewed at this URL:
|
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
ETA: EOD Thursday |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @gaylem -
Sincere kudos for working on this GHA and getting the code to this point, especially for your first time! GHAs can be tricky, and I know you have reworked this once already.
I see the convo with Mario above regarding the setup/ architecture of the of GHA. It is not my decision to make, but I feel that this likely needs to be rewritten using the same architecture that we use on our other GHAs- ie., what is described in Hack for LA’s GitHub Actions. I think there is a benefit to having consistency and interchangeability in the codebase. For example, since most of our GHAs use the actions/github-script
workflow context, it is fairly simple to modularize repetitive functions (in the /utils/) to use in multiple workflows. I also believe it would be helpful to break the step “Check for CodeQL Alerts” down into 2 or more discrete steps.
I am able to get this GHA running and generating new issues, but I am seeing the same problem with the issue-trigger.yml
workflow failing due to missing or bad credentials. I have not spent much time trying to figure out why the credentials are not being passed - but I can say that handling credentials using the actions/github-script
context is straightforward and I think reformatting the code would clear up these errors because the context includes the credentials.
I believe that your workflow’s structure is sound. I think that refactoring this using the HfLA wiki guide (hopefully) shouldn’t be too painful- of course keep asking questions.
PS- the Wiki guide, Tip 7.5 is wrong regarding the token scopes and needs to be fixed (I am writing an issue for it). HfLA’s HACKFORLA_BOT_PA_TOKEN
only has “public_repo” and “admin:org_hook” scopes, so I would recommend creating another token with these scopes. Keep using your other token and when everything is working, substitute the new token at the end to make sure that the GHA doesn’t need a token with additional scopes. If so there is also a HACKFORLA_ADMIN_TOKEN
that has the admin “write:org” scope.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
Hey @t-will-gillis and @aidanwsimmons, This should be my final update. If you could both take one last look and give your approval, that would be awesome. Here's a summary of how we resolved the issues:
Thanks everyone for your help and patience with this! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @gaylem Fantastic job! I ran this one more time and everything appears to be working as expected. Thanks for all of your work on this!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great job Gayle! pulled your most recent changes and configured tokens per your instructions. Successfully generated issues and they appeared on my project board. Approved!
Fixes #5059
What changes did you make?
.github/workflows/codeql.yml
:github-actions/trigger-issue/create-codeql-issues
Why did you make the changes (we will use this info to test)?
Screenshots of Proposed Changes Of The Website (if any, please do not screen shot code changes)
CodeQL workflow completed
Issue Trigger workflow completed
38 issues created automatically by codeql.yml
38 issues added to project board
Testing Notes
codeql.yml
workflow. You will need to do the following:Project Board
(instructions)HACKFORLA_ADMIN_TOKEN
for thecodeql.yml
file. Choose these scopes:- public_repo (under 'repo')
- admin:org_hook
- write:org (under 'admin:org')
TEAMS
for theissue-trigger.yml
file. Choose these scopes:- 'read:org' (under 'admin:org')
- 'read:user' (under 'user')
HACKFORLA_BOT_PA_TOKEN
for theissue-trigger.yml
file. Choose these scopes:- public_repo (under 'repo')
- admin:org_hook
is:open branch:YOUR-BRANCH