Also look for the CodeQL bundle at the custom GitHub AE endpoint.

2025-12-28 02:00:12 +08:00 · 2021-02-11 15:13:22 +00:00
parent 781e3bc540
commit f8c5dacab5
27 changed files with 2159 additions and 3 deletions
--- a/src/codeql.ts
+++ b/src/codeql.ts
@@ -8,6 +8,7 @@ import * as http from "@actions/http-client";
 import { IHeaders } from "@actions/http-client/interfaces";
 import * as toolcache from "@actions/tool-cache";
 import { default as deepEqual } from "fast-deep-equal";
+import { default as queryString } from "query-string";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";

@@ -212,6 +213,31 @@ async function getCodeQLBundleDownloadURL(
      );
    }
  }
+  try {
+    const release = await api
+      .getApiClient(apiDetails)
+      .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
+        tag: CODEQL_BUNDLE_VERSION,
+      });
+    const assetID = release.data.assets[codeQLBundleName];
+    if (assetID !== undefined) {
+      const download = await api
+        .getApiClient(apiDetails)
+        .request(
+          "GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}",
+          { asset_id: assetID }
+        );
+      const downloadURL = download.data.url;
+      logger.info(
+        `Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`
+      );
+      return downloadURL;
+    }
+  } catch (e) {
+    logger.info(
+      `Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`
+    );
+  }
  return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
 }

@@ -291,11 +317,17 @@ export async function setupCodeQL(
        codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, mode, logger);
      }

+      const parsedCodeQLURL = new URL(codeqlURL);
+      const parsedQueryString = queryString.parse(parsedCodeQLURL.search);
      const headers: IHeaders = { accept: "application/octet-stream" };
      // We only want to provide an authorization header if we are downloading
      // from the same GitHub instance the Action is running on.
      // This avoids leaking Enterprise tokens to dotcom.
-      if (codeqlURL.startsWith(`${apiDetails.url}/`)) {
+      // We also don't want to send an authorization header if there's already a token provided in the URL.
+      if (
+        codeqlURL.startsWith(`${apiDetails.url}/`) &&
+        parsedQueryString["token"] === undefined
+      ) {
        logger.debug("Downloading CodeQL bundle with token.");
        headers.authorization = `token ${apiDetails.auth}`;
      } else {