Set Authorization header for downloading update-job-proxy

Michael B. Gale
2025-09-24 12:40:57 +01:00
parent efcf614b5d
commit d43f46c39c
2 changed files with 38 additions and 12 deletions


@@ -6,6 +6,7 @@ import * as toolcache from "@actions/tool-cache";
import { pki } from "node-forge";
import * as actionsUtil from "./actions-util";
import { getApiDetails, getAuthorizationHeaderFor } from "./api-client";
import { getActionsLogger, Logger } from "./logging";
import {
Credential,
@@ -192,10 +193,20 @@ async function getProxyBinaryPath(logger: Logger): Promise<string> {
let proxyBin = toolcache.find(proxyFileName, proxyInfo.version);
if (!proxyBin) {
// We only want to provide an authorization header if we are downloading
// from the same GitHub instance the Action is running on.
// This avoids leaking Enterprise tokens to dotcom.
const apiDetails = getApiDetails();
const authorization = getAuthorizationHeaderFor(
logger,
apiDetails,
proxyInfo.url,
"`update-job-proxy`",
);
const temp = await toolcache.downloadTool(
proxyInfo.url,
undefined,
undefined,
authorization,
{
accept: "application/octet-stream",
},