From 4e820a4ca43a039f7a611deeaee1e484f9abd9f2 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale"
Date: Wed, 24 Sep 2025 15:50:19 +0100
Subject: [PATCH] Apply review feedback

---
 lib/analyze-action.js | 6 +++---
 lib/init-action-post.js | 6 +++---
 lib/init-action.js | 6 +++---
 lib/start-proxy-action.js | 9 ++++-----
 lib/upload-lib.js | 6 +++---
 lib/upload-sarif-action.js | 6 +++---
 src/api-client.ts | 12 +++++++-----
 src/setup-codeql.ts | 6 ++----
 src/start-proxy-action.ts | 4 ----
 9 files changed, 28 insertions(+), 33 deletions(-)

diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 49f3b4539..cb366248c 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -90198,12 +90198,12 @@ function getApiDetails() { function getApiClient() { return createApiClientWithDetails(getApiDetails()); } -function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") { +function getAuthorizationHeaderFor(logger, apiDetails, url2) { if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug(`Providing an authorization token to download ${purpose}.`); + logger.debug(`Providing an authorization token for '${url2}'.`); return `token ${apiDetails.auth}`; } - logger.debug(`Downloading ${purpose} without an authorization token.`); + logger.debug(`Requesting '${url2}' without an authorization token.`); return void 0; } var cachedGitHubVersion = void 0;
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index 3fb9af143..6bd6b0666 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -128417,12 +128417,12 @@ function getApiDetails() { function getApiClient() { return createApiClientWithDetails(getApiDetails()); } -function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") { +function getAuthorizationHeaderFor(logger, apiDetails, url2) { if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug(`Providing an authorization token to download ${purpose}.`); + logger.debug(`Providing an authorization token for '${url2}'.`); return `token ${apiDetails.auth}`; } - logger.debug(`Downloading ${purpose} without an authorization token.`); + logger.debug(`Requesting '${url2}' without an authorization token.`); return void 0; } var cachedGitHubVersion = void 0;
diff --git a/lib/init-action.js b/lib/init-action.js
index 08a67d16e..275814297 100644
--- a/lib/init-action.js
+++ b/lib/init-action.js
@@ -86053,12 +86053,12 @@ function getApiClient() { function getApiClientWithExternalAuth(apiDetails) { return createApiClientWithDetails(apiDetails, { allowExternal: true }); } -function getAuthorizationHeaderFor(logger, apiDetails, url, purpose = "CodeQL tools") { +function getAuthorizationHeaderFor(logger, apiDetails, url) { if (url.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug(`Providing an authorization token to download ${purpose}.`); + logger.debug(`Providing an authorization token for '${url}'.`); return `token ${apiDetails.auth}`; } - logger.debug(`Downloading ${purpose} without an authorization token.`); + logger.debug(`Requesting '${url}' without an authorization token.`); return void 0; } var cachedGitHubVersion = void 0;
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index e0568fa95..cdd24f132 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -49382,12 +49382,12 @@ function getApiDetails() { function getApiClient() { return createApiClientWithDetails(getApiDetails()); } -function getAuthorizationHeaderFor(logger, apiDetails, url, purpose = "CodeQL tools") { +function getAuthorizationHeaderFor(logger, apiDetails, url) { if (url.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug(`Providing an authorization token to download ${purpose}.`); + logger.debug(`Providing an authorization token for '${url}'.`); return `token ${apiDetails.auth}`; } - logger.debug(`Downloading ${purpose} without an authorization token.`); + logger.debug(`Requesting '${url}' without an authorization token.`); return void 0; }
@@ -49694,8 +49694,7 @@ async function getProxyBinaryPath(logger) { const authorization = getAuthorizationHeaderFor( logger, apiDetails, - proxyInfo.url, - "`update-job-proxy`" + proxyInfo.url ); const temp = await toolcache.downloadTool( proxyInfo.url,
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index aee61387c..098e658da 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -88544,12 +88544,12 @@ function getApiDetails() { function getApiClient() { return createApiClientWithDetails(getApiDetails()); } -function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") { +function getAuthorizationHeaderFor(logger, apiDetails, url2) { if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug(`Providing an authorization token to download ${purpose}.`); + logger.debug(`Providing an authorization token for '${url2}'.`); return `token ${apiDetails.auth}`; } - logger.debug(`Downloading ${purpose} without an authorization token.`); + logger.debug(`Requesting '${url2}' without an authorization token.`); return void 0; } var cachedGitHubVersion = void 0;
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index f9de677a5..fe51a2785 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -88796,12 +88796,12 @@ function getApiDetails() { function getApiClient() { return createApiClientWithDetails(getApiDetails()); } -function getAuthorizationHeaderFor(logger, apiDetails, url2, purpose = "CodeQL tools") { +function getAuthorizationHeaderFor(logger, apiDetails, url2) { if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug(`Providing an authorization token to download ${purpose}.`); + logger.debug(`Providing an authorization token for '${url2}'.`); return `token ${apiDetails.auth}`; } - logger.debug(`Downloading ${purpose} without an authorization token.`); + logger.debug(`Requesting '${url2}' without an authorization token.`); return void 0; } var cachedGitHubVersion = void 0;
diff --git a/src/api-client.ts b/src/api-client.ts
index baef744c9..3ab3db47f 100644
--- a/src/api-client.ts
+++ b/src/api-client.ts
@@ -74,30 +74,32 @@ export function getApiClientWithExternalAuth(
 }
 /**
- * Gets a value for the `Authorization` header to download `url` or `undefined` if the
+ * Gets a value for the `Authorization` header for a request to `url`; or `undefined` if the
  * `Authorization` header should not be set for `url`.
  *
  * @param logger The logger to use for debugging messages.
  * @param apiDetails Details of the GitHub API we are using.
  * @param url The URL for which we want to add an `Authorization` header.
- * @param purpose A description of what we want to download, for debug messages.
+ *
  * @returns The value for the `Authorization` header or `undefined` if it shouldn't be populated.
  */
 export function getAuthorizationHeaderFor(
   logger: Logger,
   apiDetails: GitHubApiDetails,
   url: string,
-  purpose: string = "CodeQL tools",
 ): string | undefined {
+  // We only want to provide an authorization header if we are downloading
+  // from the same GitHub instance the Action is running on.
+  // This avoids leaking Enterprise tokens to dotcom.
   if (
     url.startsWith(`${apiDetails.url}/`) ||
     (apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`))
   ) {
-    logger.debug(`Providing an authorization token to download ${purpose}.`);
+    logger.debug(`Providing an authorization token for '${url}'.`);
     return `token ${apiDetails.auth}`;
   }
-  logger.debug(`Downloading ${purpose} without an authorization token.`);
+  logger.debug(`Requesting '${url}' without an authorization token.`);
   return undefined;
 }
diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts
index 1bdaf8685..e147a3112 100644
--- a/src/setup-codeql.ts
+++ b/src/setup-codeql.ts
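Review bot: The two rewritten `logger.debug` calls in getAuthorizationHeaderFor interpolate the raw `url`, query string included, so any credential carried as a query parameter is written to the debug log at exactly the point where the function decides whether to attach the instance token. The one guard visible in this patch lives in the caller: downloadCodeQL in setup-codeql.ts only reaches this function when the tools URL has no `token` query parameter, but nothing in the function itself enforces that, and getProxyBinaryPath passes `proxyInfo.url` through unchecked. Logging the URL without its query string keeps the message useful for every caller: add `const loggedUrl = url.split("?")[0];` at the top of the body and interpolate `loggedUrl` instead of `url` in both messages. The new three-line comment above the `if` still talks about "downloading" while the docstring was reworded to "a request to `url`"; consider `// Only attach an Authorization header when the request targets the same GitHub instance the Action is running on.` so the two descriptions agree.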
@@ -567,11 +567,9 @@ export const downloadCodeQL = async function (
   const headers: OutgoingHttpHeaders = {
     accept: "application/octet-stream",
   };
-  // We only want to provide an authorization header if we are downloading
-  // from the same GitHub instance the Action is running on.
-  // This avoids leaking Enterprise tokens to dotcom.
-  // We also don't want to send an authorization header if there's already a token provided in the URL.
   let authorization: string | undefined = undefined;
+
+  // We don't want to send an authorization header if there's already a token provided in the URL.
   if (searchParams.has("token")) {
     logger.debug("CodeQL tools URL contains an authorization token.");
   } else {
diff --git a/src/start-proxy-action.ts b/src/start-proxy-action.ts
index 6413b0b17..9592b904b 100644
--- a/src/start-proxy-action.ts
+++ b/src/start-proxy-action.ts
@@ -193,15 +193,11 @@ async function getProxyBinaryPath(logger: Logger): Promise {
   let proxyBin = toolcache.find(proxyFileName, proxyInfo.version);
   if (!proxyBin) {
-    // We only want to provide an authorization header if we are downloading
-    // from the same GitHub instance the Action is running on.
-    // This avoids leaking Enterprise tokens to dotcom.
     const apiDetails = getApiDetails();
     const authorization = getAuthorizationHeaderFor(
       logger,
       apiDetails,
       proxyInfo.url,
-      "`update-job-proxy`",
     );
     const temp = await toolcache.downloadTool(
       proxyInfo.url,