Closed
Description
Uploading SARIF files using the upload-sarif@v1 action can fail with:
Processing sarif files: ["scan.sarif"]
Uploading results
Error: commit not found
RequestError [HttpError]: commit not found
The problem here seems to be that the commit_oid parameter in the uploaded JSON is from an entirely different repository: the repository that's the "main" checkout (the one with empty path parameter to actions/checkout@v2), even with checkout_path specified.
Full log output
Processing sarif files: ["jenkins-security-scan.sarif"]
Uploading results
Error: commit not found
RequestError [HttpError]: commit not found
at /home/runner/work/_actions/github/codeql-action/v1/node_modules/@octokit/request/dist-node/index.js:66:23
at processTicksAndRejections (internal/process/task_queues.js:93:5)
at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v1/node_modules/bottleneck/light.js:405:18) {
name: 'HttpError',
status: 404,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
connection: 'close',
'content-encoding': 'gzip',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Fri, 25 Feb 2022 10:29:15 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'GitHub.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
'transfer-encoding': 'chunked',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': '0403:3D83:83138D:1507C61:6218AF7B',
'x-ratelimit-limit': '1000',
'x-ratelimit-remaining': '995',
'x-ratelimit-reset': '1645785350',
'x-ratelimit-resource': 'code_scanning_upload',
'x-ratelimit-used': '5',
'x-xss-protection': '0'
},
request: {
method: 'PUT',
url: 'https://api.github.com/repos/daniel-beck-org/sample-plugin/code-scanning/analysis',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'CodeQL-Action/1.1.3 octokit-core.js/3.1.2 Node.js/12.13.1 (linux; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"commit_oid":"92e0b0945a6334eeeb4c65a78c2be5a7767e3cc9","ref":"refs/heads/main","analysis_key":".github/workflows/jss.yaml:scan","analysis_name":"Jenkins Security Scan","sarif":"...","workflow_run_id":1898119060,"checkout_uri":"file:///home/runner/work/sample-plugin/sample-plugin","environment":"null","started_at":"2022-02-25T10:29:14.509Z","tool_names":["Jenkins Security Scan"]}',
request: { agent: [Agent], hook: [Function: bound bound register] }
},
documentation_url: 'https://docs.github.com/rest'
}
If no repository is checked out at this location (i.e. every actions/checkout@v2 has a path), then the error is the same as in #944 (but at least the upload still happens, at least for a non-PR upload).
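The mismatch described in this report can be detected in the job itself, before the upload step runs. The shell guard below is an added example, not part of codeql-action or of the original report; the function names and return codes are hypothetical, and it assumes, as the report suggests, that the uploaded commit is taken from the checkout at the workspace root.

```shell
#!/bin/sh
# Added example: pre-upload guard for jobs that check out several repositories.
# Function names and return codes are illustrative, not codeql-action's.

# True if commit $1 exists as a commit object in the repository at $2.
commit_exists_in() {
  git -C "$2" cat-file -e "$1^{commit}" 2>/dev/null
}

# True if directory $1 is the top level of a git work tree (not merely a
# subdirectory of some enclosing repository).
is_repo_root() {
  prefix=$(git -C "$1" rev-parse --show-prefix 2>/dev/null) || return 1
  [ -z "$prefix" ]
}

# check_sarif_commit WORKSPACE CHECKOUT_PATH
# Prints HEAD of WORKSPACE/CHECKOUT_PATH, the commit the SARIF file describes.
# Returns:
#   0  the workspace-root HEAD also exists in the scanned repository
#   1  the workspace-root HEAD is unknown to the scanned repository
#      (the situation that ends in "commit not found")
#   2  CHECKOUT_PATH is not the root of a git checkout
#   3  nothing usable is checked out at the workspace root
check_sarif_commit() {
  scanned="$1/$2"
  is_repo_root "$scanned" || return 2
  scanned_head=$(git -C "$scanned" rev-parse HEAD 2>/dev/null) || return 2
  printf '%s\n' "$scanned_head"
  is_repo_root "$1" || return 3
  root_head=$(git -C "$1" rev-parse HEAD 2>/dev/null) || return 3
  commit_exists_in "$root_head" "$scanned" || return 1
  return 0
}
```

In a workflow, call `check_sarif_commit "$GITHUB_WORKSPACE" <checkout_path>` in a step before the upload and fail the job on a non-zero status.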