Merge pull request #2221 from github/nickfyson/upload-logging

improve logging coverage during sarif upload

src/actions-util.test.ts

@@ -286,14 +286,17 @@ test("determineMergeBaseCommitOid no error", async (t) => {
 
   process.env["GITHUB_EVENT_NAME"] = "pull_request";
   process.env["GITHUB_SHA"] = "100912429fab4cb230e66ffb11e738ac5194e73a";
-  await actionsUtil.determineMergeBaseCommitOid(path.join(__dirname, "../.."));
+
+  await withTmpDir(async (tmpDir) => {
+    await actionsUtil.determineMergeBaseCommitOid(tmpDir);
+  });
+
   t.deepEqual(1, infoStub.callCount);
   t.assert(
     infoStub.firstCall.args[0].startsWith(
       "The checkout path provided to the action does not appear to be a git repository.",
     ),
   );
-
   infoStub.restore();
 });
 

src/fingerprints.ts

@@ -259,6 +259,9 @@ export async function addFingerprints(
   sourceRoot: string,
   logger: Logger,
 ): Promise<SarifFile> {
+  logger.info(
+    "Adding fingerprints to SARIF file. For more information, see https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs",
+  );
   // Gather together results for the same file and construct
   // callbacks to accept hashes for that file and update the location
   const callbacksByFile: { [filename: string]: hashCallback[] } = {};

src/upload-lib.test.ts

@@ -42,6 +42,7 @@ test("validate correct payload used for push, PR merge commit, and PR head", asy
     undefined,
     ["CodeQL", "eslint"],
     "mergeBaseCommit",
+    getRunnerLogger(true),
   );
   // Not triggered by a pull request
   t.falsy(pushPayload.base_ref);
@@ -65,6 +66,7 @@ test("validate correct payload used for push, PR merge commit, and PR head", asy
     undefined,
     ["CodeQL", "eslint"],
     "mergeBaseCommit",
+    getRunnerLogger(true),
   );
   // Uploads for a merge commit use the merge base
   t.deepEqual(prMergePayload.base_ref, "refs/heads/master");
@@ -82,6 +84,7 @@ test("validate correct payload used for push, PR merge commit, and PR head", asy
     undefined,
     ["CodeQL", "eslint"],
     "mergeBaseCommit",
+    getRunnerLogger(true),
   );
   // Uploads for the head use the PR base
   t.deepEqual(prHeadPayload.base_ref, "refs/heads/master");
@@ -317,9 +320,9 @@ test("accept results with invalid artifactLocation.uri value", (t) => {
   const sarifFile = `${__dirname}/../src/testdata/with-invalid-uri.sarif`;
   uploadLib.validateSarifFileSchema(sarifFile, mockLogger);
 
-  t.deepEqual(loggedMessages.length, 1);
+  t.deepEqual(loggedMessages.length, 2);
   t.deepEqual(
-    loggedMessages[0],
+    loggedMessages[1],
     "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri'.",
   );
 });

src/upload-lib.ts

@@ -36,13 +36,15 @@ const GENERIC_404_MSG =
 
 // Takes a list of paths to sarif files and combines them together,
 // returning the contents of the combined sarif file.
-function combineSarifFiles(sarifFiles: string[]): SarifFile {
+function combineSarifFiles(sarifFiles: string[], logger: Logger): SarifFile {
+  logger.info(`Loading SARIF file(s)`);
   const combinedSarif: SarifFile = {
     version: null,
     runs: [],
   };
 
   for (const sarifFile of sarifFiles) {
+    logger.debug(`Loading SARIF file: ${sarifFile}`);
     const sarifObject = JSON.parse(
       fs.readFileSync(sarifFile, "utf8"),
     ) as SarifFile;
@@ -87,6 +89,7 @@ async function combineSarifFilesUsingCLI(
   features: Features,
   logger: Logger,
 ): Promise<SarifFile> {
+  logger.info("Combining SARIF files using the CodeQL CLI");
   if (sarifFiles.length === 1) {
     return JSON.parse(fs.readFileSync(sarifFiles[0], "utf8")) as SarifFile;
   }
@@ -97,7 +100,7 @@ async function combineSarifFilesUsingCLI(
     );
 
     // If not, use the naive method of combining the files.
-    return combineSarifFiles(sarifFiles);
+    return combineSarifFiles(sarifFiles, logger);
   }
 
   // Initialize CodeQL, either by using the config file from the 'init' step,
@@ -146,7 +149,7 @@ async function combineSarifFilesUsingCLI(
       "The CodeQL CLI does not support merging SARIF files. Merging files in the action.",
     );
 
-    return combineSarifFiles(sarifFiles);
+    return combineSarifFiles(sarifFiles, logger);
   }
 
   const baseTempDir = path.resolve(tempDir, "combined-sarif");
@@ -356,6 +359,7 @@ function countResultsInSarif(sarif: string): number {
 // Validates that the given file path refers to a valid SARIF file.
 // Throws an error if the file is invalid.
 export function validateSarifFileSchema(sarifFilePath: string, logger: Logger) {
+  logger.info(`Validating ${sarifFilePath}`);
   let sarif;
   try {
     sarif = JSON.parse(fs.readFileSync(sarifFilePath, "utf8")) as SarifFile;
@@ -415,7 +419,9 @@ export function buildPayload(
   environment: string | undefined,
   toolNames: string[],
   mergeBaseCommitOid: string | undefined,
+  logger: Logger,
 ) {
+  logger.info(`Combining SARIF files using CLI`);
   const payloadObj = {
     commit_oid: commitOid,
     ref,
@@ -497,7 +503,7 @@ async function uploadFiles(
         features,
         logger,
       )
-    : combineSarifFiles(sarifFiles);
+    : combineSarifFiles(sarifFiles, logger);
   sarif = await fingerprints.addFingerprints(sarif, sourceRoot, logger);
 
   sarif = populateRunAutomationDetails(
@@ -509,8 +515,11 @@ async function uploadFiles(
 
   const toolNames = util.getToolNames(sarif);
 
+  logger.debug(`Validating that each SARIF run has a unique category`);
   validateUniqueCategory(sarif);
+  logger.debug(`Serializing SARIF for upload`);
   const sarifPayload = JSON.stringify(sarif);
+  logger.debug(`Compressing serialized SARIF`);
   const zippedSarif = zlib.gzipSync(sarifPayload).toString("base64");
   const checkoutURI = fileUrl(sourceRoot);
 
@@ -526,6 +535,7 @@ async function uploadFiles(
     environment,
     toolNames,
     await actionsUtil.determineMergeBaseCommitOid(),
+    logger,
   );
 
   // Log some useful debug info about the info