Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update codeql.yml to automatically create new CodeQL issues #6503

Merged
merged 109 commits into from
Apr 17, 2024

Conversation

gaylem
Copy link
Member

@gaylem gaylem commented Mar 22, 2024

Fixes #5059

What changes did you make?

  • Added the following steps to .github/workflows/codeql.yml:
    • Setup Node.js (needed to use @actions/core)
    • Install @actions/core (needed to use @actions/core)
    • Fetch Alerts
    • Check Existing Issues
    • Create New Issues
  • Created a folder github-actions/trigger-issue/create-codeql-issues
  • Created the following files inside the above folder:
    • issue-body.md
    • fetch-alerts.js
    • check-existing-issues.js
    • create-new-issues.js

Why did you make the changes (we will use this info to test)?

  • We need to automatically to create GitHub issues when new CodeQL alerts are detected so that we may respond in a prompt manner and ensure the security and quality of our codebase.
  • The new updates will (1) query the GitHub API to find any open CodeQL alerts, (2) check if there are existing tracking issues for the alerts, and (3) if any issues are missing, it creates them automatically.

Screenshots of Proposed Changes Of The Website (if any, please do not screen shot code changes)

CodeQL workflow completed
Screenshot 2024-03-30 at 3 42 20 PM Screenshot 2024-03-30 at 3 36 46 PM
Issue Trigger workflow completed
Screenshot 2024-03-30 at 3 37 20 PM
38 issues created automatically by codeql.yml
Screenshot 2024-03-30 at 3 36 59 PM Screenshot 2024-03-30 at 3 50 42 PM
38 issues added to project board
Screenshot 2024-03-30 at 3 38 08 PM

Testing Notes

  • Test your solution by running the codeql.yml workflow. You will need to do the following:
    • Enable Issues your private repo so that you see an Issues tab at the top (instructions)
    • Enable CodeQL alerts Security tab (GitHub CodeQL Documentation)
    • Copy the Hack for LA Project Board in your private repo and make sure the title says Project Board (instructions)
    • Create the following tokens in your GitHub account and add them to your private repo:
      • HACKFORLA_ADMIN_TOKEN for the codeql.yml file. Choose these scopes:
        - public_repo (under 'repo')
        - admin:org_hook
        - write:org (under 'admin:org')
      • TEAMS for the issue-trigger.yml file. Choose these scopes:
        - 'read:org' (under 'admin:org')
        - 'read:user' (under 'user')
      • HACKFORLA_BOT_PA_TOKEN for the issue-trigger.yml file. Choose these scopes:
        - public_repo (under 'repo')
        - admin:org_hook
    • Push to your branch on your own repo to test.
    • You should see code scanning alerts in your Security tab for your branch after you push to your repo (it'll take a minute). You will need to switch branches inside your Security tab to see them (there is a search bar above the alerts): is:open branch:YOUR-BRANCH
    • Once the security alerts are created, you should see the CodeQL workflow running under your last commit message in the Actions tab.
    • This will also trigger the Issues Trigger workflow in your Actions tab, and you will see workflows with the titles of each new issue.
    • When it's all done, you should also see the issues appear in your Issues tab and on the Project Board in the New Issue Approval column.

Copy link

Want to review this pull request? Take a look at this documentation for a step by step guide!

From your project repository, check out a new branch and test the changes.

git checkout -b gaylem-create-new-codeql-issues-5059 gh-pages
git pull https://github.com/gaylem/hackforla-website.git create-new-codeql-issues-5059

Note that CONTRIBUTING.md cannot previewed locally; rather it should be previewed at this URL:

https://github.com/gaylem/website/blob/create-new-codeql-issues-5059/CONTRIBUTING.md  

@github-actions github-actions bot added role: back end/devOps Tasks for back-end developers Complexity: Large size: 5pt Can be done in 19-30 hours Feature: Code Alerts labels Mar 22, 2024
@marioantonini

This comment was marked as resolved.

@gaylem

This comment was marked as resolved.

@marioantonini

This comment was marked as resolved.

@gaylem

This comment was marked as resolved.

@marioantonini marioantonini self-requested a review March 25, 2024 00:31
@marioantonini

This comment was marked as resolved.

@marioantonini

This comment was marked as resolved.

@marioantonini marioantonini removed their request for review March 25, 2024 01:35
@t-will-gillis t-will-gillis self-requested a review March 26, 2024 22:30
@t-will-gillis

This comment was marked as resolved.

@aidanwsimmons
Copy link
Member

aidanwsimmons commented Mar 27, 2024

ETA: EOD Thursday
Availability: Weekday afternoons

Copy link
Member

@t-will-gillis t-will-gillis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @gaylem -

Sincere kudos for working on this GHA and getting the code to this point, especially for your first time! GHAs can be tricky, and I know you have reworked this once already.

I see the convo with Mario above regarding the setup/ architecture of the of GHA. It is not my decision to make, but I feel that this likely needs to be rewritten using the same architecture that we use on our other GHAs- ie., what is described in Hack for LA’s GitHub Actions. I think there is a benefit to having consistency and interchangeability in the codebase. For example, since most of our GHAs use the actions/github-script workflow context, it is fairly simple to modularize repetitive functions (in the /utils/) to use in multiple workflows. I also believe it would be helpful to break the step “Check for CodeQL Alerts” down into 2 or more discrete steps.

I am able to get this GHA running and generating new issues, but I am seeing the same problem with the issue-trigger.yml workflow failing due to missing or bad credentials. I have not spent much time trying to figure out why the credentials are not being passed - but I can say that handling credentials using the actions/github-script context is straightforward and I think reformatting the code would clear up these errors because the context includes the credentials.

I believe that your workflow’s structure is sound. I think that refactoring this using the HfLA wiki guide (hopefully) shouldn’t be too painful- of course keep asking questions.

PS- the Wiki guide, Tip 7.5 is wrong regarding the token scopes and needs to be fixed (I am writing an issue for it). HfLA’s HACKFORLA_BOT_PA_TOKEN only has “public_repo” and “admin:org_hook” scopes, so I would recommend creating another token with these scopes. Keep using your other token and when everything is working, substitute the new token at the end to make sure that the GHA doesn’t need a token with additional scopes. If so there is also a HACKFORLA_ADMIN_TOKEN that has the admin “write:org” scope.

@gaylem

This comment was marked as resolved.

@gaylem

This comment was marked as resolved.

@gaylem gaylem mentioned this pull request Apr 14, 2024
2 tasks
@github-actions github-actions bot removed the Status: Help Wanted Internal assistance is required to make progress label Apr 15, 2024
@gaylem
Copy link
Member Author

gaylem commented Apr 15, 2024

Hey @t-will-gillis and @aidanwsimmons,

This should be my final update. If you could both take one last look and give your approval, that would be awesome. Here's a summary of how we resolved the issues:

  1. Updated Problem: I updated my tokens to match the scopes listed in this issue. I used HACKFORLA_ADMIN_TOKEN for the Create New Issues step and it worked perfectly in my personal repo (GITHUB_TOKEN did not). So that token should work in production as well. But the Create New Issues step was still failing when this PR ran it as part of the standard checks.
  2. Explanation: After much digging and theorizing, @t-will-gillis and I came up with the answer: workflows triggered by Dependabot PRs will run with read-only permissions. So that's why the Create New Issues step was failing. Which means if I deployed the original changes I made, then the codeql.yml workflow would have always failed on every PR.
  3. Solution: I added the following code to all three of the new steps I built on the codeql.yml fileso they don't run on PRs: if: github.event_name != 'pull_request'. I tested it locally and it creates the issues as expected. And as you can see in the workflow logs on this PR, those steps are being skipped as expected.
  4. Request @t-will-gillis and @aidanwsimmons Could you review this (and test with the updated instructions in the PR description) one last time and give your approval (or request more changes if you notice something is wrong)? The only change I made other than adding the if condition to the codeql.yml file was refactoring the post requests on create-new-issues.yml.

Thanks everyone for your help and patience with this!

t-will-gillis
t-will-gillis previously approved these changes Apr 15, 2024
Copy link
Member

@t-will-gillis t-will-gillis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @gaylem Fantastic job! I ran this one more time and everything appears to be working as expected. Thanks for all of your work on this!

@gaylem
Copy link
Member Author

gaylem commented Apr 15, 2024

FYI, I did some regression testing because I wanted to confirm that the workflow still picks up errors and throws alerts on PR requests. It does! I added an unused variable to the fetch-alerts.js file and it threw an alert. (I also reverted the changes I made to test this.)
Screenshot 2024-04-15 at 5 57 53 PM

  1. Also, I double checked and the fetch-alerts step should not pick up on alerts created by PR checks because the state is set to open:
Screenshot 2024-04-15 at 6 08 52 PM
  1. Lastly, I updated my TEAMS test token with the correct scope and it still added labels correctly.

Copy link
Member

@aidanwsimmons aidanwsimmons left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job Gayle! pulled your most recent changes and configured tokens per your instructions. Successfully generated issues and they appeared on my project board. Approved!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Complexity: Large Feature: Code Alerts role: back end/devOps Tasks for back-end developers size: 5pt Can be done in 19-30 hours
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Create GHA to create issues when new CodeQL alerts are detected
5 participants