Merge branch 'main' into simon-engledew/fix-incorrect-branch-warning

src/api-client.ts

@@ -11,11 +11,19 @@ export enum DisallowedAPIVersionReason {
   ACTION_TOO_NEW,
 }
 
+export type GitHubApiCombinedDetails = GitHubApiDetails &
+  GitHubApiExternalRepoDetails;
+
 export interface GitHubApiDetails {
   auth: string;
   url: string;
 }
 
+export interface GitHubApiExternalRepoDetails {
+  externalRepoAuth: string;
+  url: string;
+}
+
 export const getApiClient = function (
   apiDetails: GitHubApiDetails,
   allowLocalRun = false

src/config-utils.test.ts

@@ -17,6 +17,7 @@ setupTests(test);
 
 const sampleApiDetails = {
   auth: "token",
+  externalRepoAuth: "token",
   url: "https://github.example.com",
 };
 

src/config-utils.ts

@@ -274,7 +274,7 @@ async function addRemoteQueries(
   resultMap: Queries,
   queryUses: string,
   tempDir: string,
-  githubUrl: string,
+  apiDetails: api.GitHubApiExternalRepoDetails,
   logger: Logger,
   configFile?: string
 ) {
@@ -302,7 +302,7 @@ async function addRemoteQueries(
   const checkoutPath = await externalQueries.checkoutExternalRepository(
     nwo,
     ref,
-    githubUrl,
+    apiDetails,
     tempDir,
     logger
   );
@@ -330,7 +330,7 @@ async function parseQueryUses(
   queryUses: string,
   tempDir: string,
   checkoutPath: string,
-  githubUrl: string,
+  apiDetails: api.GitHubApiExternalRepoDetails,
   logger: Logger,
   configFile?: string
 ) {
@@ -369,7 +369,7 @@ async function parseQueryUses(
     resultMap,
     queryUses,
     tempDir,
-    githubUrl,
+    apiDetails,
     logger,
     configFile
   );
@@ -685,7 +685,7 @@ async function addQueriesFromWorkflow(
   resultMap: Queries,
   tempDir: string,
   checkoutPath: string,
-  githubUrl: string,
+  apiDetails: api.GitHubApiExternalRepoDetails,
   logger: Logger
 ) {
   queriesInput = queriesInput.trim();
@@ -700,7 +700,7 @@ async function addQueriesFromWorkflow(
       query,
       tempDir,
       checkoutPath,
-      githubUrl,
+      apiDetails,
       logger
     );
   }
@@ -730,7 +730,7 @@ export async function getDefaultConfig(
   codeQL: CodeQL,
   checkoutPath: string,
   gitHubVersion: GitHubVersion,
-  apiDetails: api.GitHubApiDetails,
+  apiDetails: api.GitHubApiCombinedDetails,
   logger: Logger
 ): Promise<Config> {
   const languages = await getLanguages(
@@ -749,7 +749,7 @@ export async function getDefaultConfig(
       queries,
       tempDir,
       checkoutPath,
-      apiDetails.url,
+      apiDetails,
       logger
     );
   }
@@ -780,7 +780,7 @@ async function loadConfig(
   codeQL: CodeQL,
   checkoutPath: string,
   gitHubVersion: GitHubVersion,
-  apiDetails: api.GitHubApiDetails,
+  apiDetails: api.GitHubApiCombinedDetails,
   logger: Logger
 ): Promise<Config> {
   let parsedYAML: UserConfig;
@@ -838,7 +838,7 @@ async function loadConfig(
       queries,
       tempDir,
       checkoutPath,
-      apiDetails.url,
+      apiDetails,
       logger
     );
   }
@@ -863,7 +863,7 @@ async function loadConfig(
         query[QUERIES_USES_PROPERTY],
         tempDir,
         checkoutPath,
-        apiDetails.url,
+        apiDetails,
         logger,
         configFile
       );
@@ -947,7 +947,7 @@ export async function initConfig(
   codeQL: CodeQL,
   checkoutPath: string,
   gitHubVersion: GitHubVersion,
-  apiDetails: api.GitHubApiDetails,
+  apiDetails: api.GitHubApiCombinedDetails,
   logger: Logger
 ): Promise<Config> {
   let config: Config;

src/external-queries.test.ts

@@ -85,7 +85,7 @@ test("checkoutExternalQueries", async (t) => {
     await externalQueries.checkoutExternalRepository(
       repoName,
       commit1Sha,
-      `file://${testRepoBaseDir}`,
+      { url: `file://${testRepoBaseDir}`, externalRepoAuth: "" },
       tmpDir,
       getRunnerLogger(true)
     );
@@ -99,7 +99,7 @@ test("checkoutExternalQueries", async (t) => {
     await externalQueries.checkoutExternalRepository(
       repoName,
       commit2Sha,
-      `file://${testRepoBaseDir}`,
+      { url: `file://${testRepoBaseDir}`, externalRepoAuth: "" },
       tmpDir,
       getRunnerLogger(true)
     );

src/external-queries.ts

@@ -4,6 +4,7 @@ import * as path from "path";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as safeWhich from "@chrisgavin/safe-which";
 
+import { GitHubApiExternalRepoDetails } from "./api-client";
 import { Logger } from "./logging";
 
 /**
@@ -12,7 +13,7 @@ import { Logger } from "./logging";
 export async function checkoutExternalRepository(
   repository: string,
   ref: string,
-  githubUrl: string,
+  apiDetails: GitHubApiExternalRepoDetails,
   tempDir: string,
   logger: Logger
 ): Promise<string> {
@@ -28,10 +29,13 @@ export async function checkoutExternalRepository(
   }
 
   if (!fs.existsSync(checkoutLocation)) {
-    const repoURL = `${githubUrl}/${repository}`;
+    const repoCloneURL = new URL(apiDetails.url);
+    repoCloneURL.username = "x-access-token";
+    repoCloneURL.password = apiDetails.externalRepoAuth;
+    repoCloneURL.pathname += `/${repository}`;
     await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), [
       "clone",
-      repoURL,
+      repoCloneURL.toString(),
       checkoutLocation,
     ]).exec();
     await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), [

src/init-action.ts

@@ -96,6 +96,9 @@ async function run() {
 
   const apiDetails = {
     auth: actionsUtil.getRequiredInput("token"),
+    externalRepoAuth:
+      actionsUtil.getOptionalInput("external-repository-token") ??
+      actionsUtil.getRequiredInput("token"),
     url: actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
   };
 

src/init.ts

@@ -5,7 +5,7 @@ import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as safeWhich from "@chrisgavin/safe-which";
 
 import * as analysisPaths from "./analysis-paths";
-import { GitHubApiDetails } from "./api-client";
+import { GitHubApiCombinedDetails, GitHubApiDetails } from "./api-client";
 import { CodeQL, setupCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
 import { Logger } from "./logging";
@@ -45,7 +45,7 @@ export async function initConfig(
   codeQL: CodeQL,
   checkoutPath: string,
   gitHubVersion: util.GitHubVersion,
-  apiDetails: GitHubApiDetails,
+  apiDetails: GitHubApiCombinedDetails,
   logger: Logger
 ): Promise<configUtils.Config> {
   logger.startGroup("Load language configuration");

src/runner.ts

@@ -96,6 +96,7 @@ interface InitArgs {
   repository: string;
   githubUrl: string;
   githubAuth: string;
+  externalRepositoryToken: string | undefined;
   debug: boolean;
 }
 
@@ -108,6 +109,10 @@ program
     "--github-auth <auth>",
     "GitHub Apps token or personal access token. (Required)"
   )
+  .option(
+    "--external-repository-token <token>",
+    "A token for fetching external config files and queries if they reside in a private repository."
+  )
   .option(
     "--languages <languages>",
     "Comma-separated list of languages to analyze. Otherwise detects and analyzes all supported languages from the repo."
@@ -150,6 +155,7 @@ program
 
       const apiDetails = {
         auth: cmd.githubAuth,
+        externalRepoAuth: cmd.externalRepositoryToken ?? cmd.githubAuth,
         url: parseGithubUrl(cmd.githubUrl),
       };
 

src/upload-lib.test.ts

@@ -73,8 +73,8 @@ test("validate correct payload used per version", async (t) => {
       version,
       "actions"
     );
-    t.truthy(payload.base_ref);
-    t.truthy(payload.base_sha);
+    t.deepEqual(payload.base_ref, "refs/heads/master");
+    t.deepEqual(payload.base_sha, "f95f852bd8fca8fcc58a9a2d6c842781e32a215e");
   }
 
   for (const version of oldVersions) {

src/upload-lib.ts

@@ -258,7 +258,7 @@ export function buildPayload(
         const githubEvent = JSON.parse(
           fs.readFileSync(process.env.GITHUB_EVENT_PATH, "utf8")
         );
-        payloadObj.base_ref = `refs/heads/$githubEvent.pull_request.base.ref`;
+        payloadObj.base_ref = `refs/heads/${githubEvent.pull_request.base.ref}`;
         payloadObj.base_sha = githubEvent.pull_request.base.sha;
       }
     }