Prefer GITHUB_REF to CODE_SCANNING_REF

Given that the GITHUB_REF is a protected variable, we want to prefer it to CODE_SCANNING_REF. This should prevent accidentally overwriting these values. The logic is a bit more involved, as I think it makes sense to raise the error about GITHUB_REF not being set, rather than mentioning CODE_SCANNING_REF if both are not set.
2022-11-16 10:28:27 +01:00 · 2022-11-16 10:28:27 +01:00 · 0a76b97b28
commit 0a76b97b28
parent f8b607edaa
3 changed files with 43 additions and 10 deletions
--- a/src/actions-util.ts
+++ b/src/actions-util.ts
@ -513,11 +513,7 @@ export async function getRef(): Promise<string> {
    );
  }

-  // Workaround for a limitation of Actions dynamic workflows not setting
-  // the GITHUB_REF in some cases
-  const maybeCSRef = process.env["CODE_SCANNING_REF"];
-
-  const ref = refInput || maybeCSRef || getRequiredEnvParam("GITHUB_REF");
+  const ref = refInput || getRefFromEnv();
  const sha = shaInput || getRequiredEnvParam("GITHUB_SHA");

  // If the ref is a user-provided input, we have to skip logic
@ -560,6 +556,26 @@ export async function getRef(): Promise<string> {
  }
 }

+function getRefFromEnv(): string {
+  // To workaround a limitation of Actions dynamic workflows not setting
+  // the GITHUB_REF in some cases, we accept also the ref within the
+  // CODE_SCANNING_REF variable. When possible, however, we prefer to use
+  // the GITHUB_REF as that is a protected variable and cannot be overwritten.
+  let refEnv: string;
+  try {
+    refEnv = getRequiredEnvParam("GITHUB_REF");
+  } catch (e) {
+    // If the GITHUB_REF is not set, we try to rescue by getting the
+    // CODE_SCANNING_REF.
+    const maybeRef = process.env["CODE_SCANNING_REF"];
+    if (maybeRef === undefined || maybeRef.length === 0) {
+      throw e;
+    }
+    refEnv = maybeRef;
+  }
+  return refEnv;
+}
+
 type ActionName = "init" | "autobuild" | "finish" | "upload-sarif";
 type ActionStatus =
  | "starting"