Add support for downloading packs from GHES

This change adds: - new `registries` block allowed in code scanning config file - new `registries-auth-tokens` input in init action - Change the downloadPacks function so that it accepts new parameters: - registries block - api auth - Generate a qlconfig.yml file with the registries block if one is supplied. Use this file when downloading packs. - temporarily set the `GITHUB_TOKEN` and `CODEQL_REGISTRIES_AUTH` based on api auth TODO: 1. integration test 2. handle pack downloads when the config is generated by the CLI
2022-08-29 12:57:46 -07:00 · 2022-08-29 12:57:46 -07:00 · 0e98efa2bb
commit 0e98efa2bb
parent c7bb8946b2
37 changed files with 428 additions and 103 deletions
--- a/init/action.yml
+++ b/init/action.yml
@ -10,9 +10,19 @@ inputs:
    description: The languages to be analysed
    required: false
  token:
+    description: GitHub token to use for authenticating with this instance of GitHub. To download custom packs from multiple registries, use registries-auth-tokens.
    default: ${{ github.token }}
+    required: false
+  registries-auth-tokens:
+    description: |
+      Authenticate to GitHub Enterprise Server Container registries by passing a comma-separated list of <registry_url>=<token> pairs.
+
+      For example, you can pass `https://containers.GHEHOSTNAME1/v2/=TOKEN1,https://containers.GHEHOSTNAME2/v2/=TOKEN2`` to authenticate to two GitHub Enterprise Server instances.
+      This overrides the `token` input for pack downloads.
+    required: false
  matrix:
    default: ${{ toJson(matrix) }}
+    required: false
  config-file:
    description: Path of the config file to use
    required: false
@ -32,7 +42,7 @@ inputs:
      analyses, you must specify packs in the codeql-config.yml file.
    required: false
  external-repository-token:
-    description: A token for fetching external config files and queries if they reside in a private repository.
+    description: A token for fetching external config files and queries if they reside in a private repository in the same GitHub instance that is running this action.
    required: false
  setup-python-dependencies:
    description: Try to auto-install your python dependencies
@ -82,4 +92,4 @@ outputs:
 runs:
  using: 'node16'
  main: '../lib/init-action.js'
-  post: '../lib/init-action-post.js'
+  post: '../lib/init-action-post.js'
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@ -95,6 +95,8 @@ async function run() {
            auth: actionsUtil.getRequiredInput("token"),
            url: util.getRequiredEnvParam("GITHUB_SERVER_URL"),
            apiURL: util.getRequiredEnvParam("GITHUB_API_URL"),
+            // not needed or available in the analize action
+            registriesAuthTokens: undefined,
        };
        const outputDir = actionsUtil.getRequiredInput("output");
        const threads = util.getThreadsFlag(actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"], logger);
--- a/lib/analyze-action.js.map
+++ b/lib/analyze-action.js.map
--- a/lib/api-client.js
+++ b/lib/api-client.js
@ -65,6 +65,8 @@ function getApiDetails() {
        auth: (0, actions_util_1.getRequiredInput)("token"),
        url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
        apiURL: (0, util_1.getRequiredEnvParam)("GITHUB_API_URL"),
+        // only available in the init action
+        registriesAuthTokens: (0, actions_util_1.getOptionalInput)("registries-auth-tokens"),
    };
 }
 // Temporary function to aid in the transition to running on and off of github actions.
--- a/lib/api-client.js.map
+++ b/lib/api-client.js.map
@ -1 +1 @@
-{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,6CAA+B;AAC/B,iCAAqE;AAErE,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAiBM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACjE,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAfW,QAAA,YAAY,gBAevB;AAEF,2IAA2I;AAC3I,SAAS,YAAY,CAAC,SAAiB;IACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,aAAa;IACpB,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;QAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,OAAO,IAAA,oBAAY,EAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAFD,kDAEC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;;GAOG;AACI,KAAK,UAAU,2BAA2B;IAC/C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;KAC1E;IACD,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,kEAQC"}
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAoE;AACpE,6CAA+B;AAC/B,iCAAqE;AAErE,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAkBM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACjE,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAfW,QAAA,YAAY,gBAevB;AAEF,2IAA2I;AAC3I,SAAS,YAAY,CAAC,SAAiB;IACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,aAAa;IACpB,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;QAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;QAE7C,oCAAoC;QACpC,oBAAoB,EAAE,IAAA,+BAAgB,EAAC,wBAAwB,CAAC;KACjE,CAAC;AACJ,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,OAAO,IAAA,oBAAY,EAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAFD,kDAEC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;;GAOG;AACI,KAAK,UAAU,2BAA2B;IAC/C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;KAC1E;IACD,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,kEAQC"}
--- a/lib/codeql.js
+++ b/lib/codeql.js
@ -733,11 +733,18 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         * If no version is specified, then the latest version is
         * downloaded. The check to determine what the latest version is is done
         * each time this package is requested.
+         *
+         * Optionally, a `qlconfigFile` is included. If used, then this file
+         * is used to determine which registry each pack is downloaded from.
         */
-        async packDownload(packs) {
+        async packDownload(packs, qlconfigFile) {
+            const qlconfigArg = qlconfigFile
+                ? [`--qlconfig-file=${qlconfigFile}`]
+                : [];
            const codeqlArgs = [
                "pack",
                "download",
+                ...qlconfigArg,
                "--format=json",
                "--resolve-query-specs",
                ...getExtraOptionsFromEnv(["pack", "download"]),
--- a/lib/codeql.js.map
+++ b/lib/codeql.js.map
--- a/lib/codeql.test.js
+++ b/lib/codeql.test.js
@ -45,11 +45,13 @@ const sampleApiDetails = {
    auth: "token",
    url: "https://github.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
 };
 const sampleGHAEApiDetails = {
    auth: "token",
    url: "https://example.githubenterprise.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
 };
 let stubConfig;
 ava_1.default.beforeEach(() => {
--- a/lib/codeql.test.js.map
+++ b/lib/codeql.test.js.map
--- a/lib/config-utils.js
+++ b/lib/config-utils.js
@ -909,7 +909,7 @@ async function initConfig(languagesInput, queriesInput, packsInput, configFile,
    // happen in the CLI during the `database init` command, so no need
    // to download them here.
    if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL))) {
-        await downloadPacks(codeQL, config.languages, config.packs, logger);
+        await downloadPacks(codeQL, config.languages, config.packs, config.originalUserInput.registries, apiDetails, config.tempDir, logger);
    }
    // Save the config so we can easily access it again in the future
    await saveConfig(config, logger);
@ -995,27 +995,62 @@ async function getConfig(tempDir, logger) {
    return JSON.parse(configString);
 }
 exports.getConfig = getConfig;
-async function downloadPacks(codeQL, languages, packs, logger) {
-    let numPacksDownloaded = 0;
-    logger.startGroup("Downloading packs");
-    for (const language of languages) {
-        const packsWithVersion = packs[language];
-        if (packsWithVersion === null || packsWithVersion === void 0 ? void 0 : packsWithVersion.length) {
-            logger.info(`Downloading custom packs for ${language}`);
-            const results = await codeQL.packDownload(packsWithVersion);
-            numPacksDownloaded += results.packs.length;
-            logger.info(`Downloaded packs: ${results.packs
-                .map((r) => `${r.name}@${r.version || "latest"}`)
-                .join(", ")}`);
+async function downloadPacks(codeQL, languages, packs, registries, apiDetails, tmpDir, logger) {
+    let qlconfigFile;
+    if (registries) {
+        // generate a qlconfig.yml file to hold the registry configs.
+        const qlconfig = {
+            registries,
+        };
+        qlconfigFile = path.join(tmpDir, "qlconfig.yml");
+        fs.writeFileSync(qlconfigFile, yaml.dump(qlconfig), "utf8");
+    }
+    await wrapEnvironment({
+        GITHUB_TOKEN: apiDetails.auth,
+        CODEQL_REGISTRIES_AUTH: apiDetails.registriesAuthTokens,
+    }, async () => {
+        let numPacksDownloaded = 0;
+        logger.startGroup("Downloading packs");
+        for (const language of languages) {
+            const packsWithVersion = packs[language];
+            if (packsWithVersion === null || packsWithVersion === void 0 ? void 0 : packsWithVersion.length) {
+                logger.info(`Downloading custom packs for ${language}`);
+                const results = await codeQL.packDownload(packsWithVersion, qlconfigFile);
+                numPacksDownloaded += results.packs.length;
+                logger.info(`Downloaded: ${results.packs
+                    .map((r) => `${r.name}@${r.version || "latest"}`)
+                    .join(", ")}`);
+            }
        }
-    }
-    if (numPacksDownloaded > 0) {
-        logger.info(`Downloaded ${numPacksDownloaded} ${packs === 1 ? "pack" : "packs"}`);
-    }
-    else {
-        logger.info("No packs to download");
-    }
-    logger.endGroup();
+        if (numPacksDownloaded > 0) {
+            logger.info(`Downloaded ${numPacksDownloaded} ${packs === 1 ? "pack" : "packs"}`);
+        }
+        else {
+            logger.info("No packs to download");
+        }
+        logger.endGroup();
+    });
 }
 exports.downloadPacks = downloadPacks;
+async function wrapEnvironment(env, operation) {
+    // Remember the original env
+    const oldEnv = { ...process.env };
+    // Set the new env
+    for (const [key, value] of Object.entries(env)) {
+        // Ignore undefined keys
+        if (value !== undefined) {
+            process.env[key] = value;
+        }
+    }
+    try {
+        // Run the operation
+        await operation();
+    }
+    finally {
+        // Restore the old env
+        for (const [key, value] of Object.entries(oldEnv)) {
+            process.env[key] = value;
+        }
+    }
+}
 //# sourceMappingURL=config-utils.js.map
--- a/lib/config-utils.js.map
+++ b/lib/config-utils.js.map
--- a/lib/config-utils.test.js
+++ b/lib/config-utils.test.js
@ -26,6 +26,7 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const github = __importStar(require("@actions/github"));
 const ava_1 = __importDefault(require("ava"));
+const yaml = __importStar(require("js-yaml"));
 const sinon = __importStar(require("sinon"));
 const api = __importStar(require("./api-client"));
 const codeql_1 = require("./codeql");
@ -41,6 +42,7 @@ const sampleApiDetails = {
    externalRepoAuth: "token",
    url: "https://github.example.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
 };
 const gitHubVersion = { type: util.GitHubVariant.DOTCOM };
 // Returns the filepath of the newly-created file
@ -1087,24 +1089,87 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
 (0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with multiple languages", "   +  a/b, c/d ", undefined, [languages_1.Language.javascript, languages_1.Language.java], /Cannot specify a 'packs' input in a multi-language analysis/);
 (0, ava_1.default)(calculateAugmentationErrorMacro, "Packs input with no languages", "   +  a/b, c/d ", undefined, [], /No languages specified/);
 (0, ava_1.default)(calculateAugmentationErrorMacro, "Invalid packs", " a-pack-without-a-scope ", undefined, [languages_1.Language.javascript], /"a-pack-without-a-scope" is not a valid pack/);
-(0, ava_1.default)("downloadPacks", async (t) => {
-    const packDownloadStub = sinon.stub();
-    packDownloadStub.callsFake((packs) => ({
-        packs,
-    }));
-    const codeQL = (0, codeql_1.setCodeQL)({
-        packDownload: packDownloadStub,
+(0, ava_1.default)("downloadPacks-no-registries", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const packDownloadStub = sinon.stub();
+        packDownloadStub.callsFake((packs) => ({
+            packs,
+        }));
+        const codeQL = (0, codeql_1.setCodeQL)({
+            packDownload: packDownloadStub,
+        });
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        // packs are supplied for go, java, and python
+        // analyzed languages are java, javascript, and python
+        await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {
+            java: ["a", "b"],
+            go: ["c", "d"],
+            python: ["e", "f"],
+        }, undefined, sampleApiDetails, tmpDir, logger);
+        t.deepEqual(packDownloadStub.callCount, 2);
+        // no config file was created, so pass `undefined` as the config file path
+        t.deepEqual(packDownloadStub.firstCall.args, [["a", "b"], undefined]);
+        t.deepEqual(packDownloadStub.secondCall.args, [["e", "f"], undefined]);
+    });
+});
+(0, ava_1.default)("downloadPacks-with-registries", async (t) => {
+    // same thing, but this time include a registries block and
+    // associated env vars
+    return await util.withTmpDir(async (tmpDir) => {
+        process.env.GITHUB_TOKEN = "not-a-token";
+        process.env.CODEQL_REGISTRIES_AUTH = "not-a-registries-auth";
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        const apiDetails = {
+            ...sampleApiDetails,
+            registriesAuthTokens: "registries-auth",
+        };
+        const registries = [
+            {
+                url: "http://ghcr.io",
+                packages: ["codeql/*", "dsp-testing/*"],
+            },
+            {
+                url: "https://containers.GHEHOSTNAME1/v2/",
+                packages: "semmle/*",
+            },
+        ];
+        const expectedConfigFile = path.join(tmpDir, "qlconfig.yml");
+        const packDownloadStub = sinon.stub();
+        packDownloadStub.callsFake((packs, configFile) => {
+            t.deepEqual(configFile, expectedConfigFile);
+            // verify the env vars were set correctly
+            t.deepEqual(process.env.GITHUB_TOKEN, "token");
+            t.deepEqual(process.env.CODEQL_REGISTRIES_AUTH, "registries-auth");
+            // verify the config file contents were set correctly
+            const config = yaml.load(fs.readFileSync(configFile, "utf8"));
+            t.deepEqual(config.registries, registries);
+            return {
+                packs,
+            };
+        });
+        const codeQL = (0, codeql_1.setCodeQL)({
+            packDownload: packDownloadStub,
+        });
+        // packs are supplied for go, java, and python
+        // analyzed languages are java, javascript, and python
+        await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {
+            java: ["a", "b"],
+            go: ["c", "d"],
+            python: ["e", "f"],
+        }, registries, apiDetails, tmpDir, logger);
+        // Same packs are downloaded as in previous test
+        t.deepEqual(packDownloadStub.callCount, 2);
+        t.deepEqual(packDownloadStub.firstCall.args, [
+            ["a", "b"],
+            expectedConfigFile,
+        ]);
+        t.deepEqual(packDownloadStub.secondCall.args, [
+            ["e", "f"],
+            expectedConfigFile,
+        ]);
+        // Verify that the env vars were unset.
+        t.deepEqual(process.env.GITHUB_TOKEN, "not-a-token");
+        t.deepEqual(process.env.CODEQL_REGISTRIES_AUTH, "not-a-registries-auth");
    });
-    const logger = (0, logging_1.getRunnerLogger)(true);
-    // packs are supplied for go, java, and python
-    // analyzed languages are java, javascript, and python
-    await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {
-        java: ["a", "b"],
-        go: ["c", "d"],
-        python: ["e", "f"],
-    }, logger);
-    t.deepEqual(packDownloadStub.callCount, 2);
-    t.deepEqual(packDownloadStub.firstCall.args, [["a", "b"]]);
-    t.deepEqual(packDownloadStub.secondCall.args, [["e", "f"]]);
 });
 //# sourceMappingURL=config-utils.test.js.map
--- a/lib/config-utils.test.js.map
+++ b/lib/config-utils.test.js.map
--- a/lib/database-upload.test.js
+++ b/lib/database-upload.test.js
@ -43,6 +43,7 @@ const testApiDetails = {
    auth: "1234",
    url: "https://github.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
 };
 function getTestConfig(tmpDir) {
    return {
--- a/lib/database-upload.test.js.map
+++ b/lib/database-upload.test.js.map
--- a/lib/feature-flags.test.js
+++ b/lib/feature-flags.test.js
@ -17,6 +17,7 @@ const testApiDetails = {
    auth: "1234",
    url: "https://github.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
 };
 const testRepositoryNwo = (0, repository_1.parseRepositoryNwo)("github/example");
 const ALL_FEATURE_FLAGS_DISABLED_VARIANTS = [
--- a/lib/feature-flags.test.js.map
+++ b/lib/feature-flags.test.js.map
@ -1 +1 @@
-{"version":3,"file":"feature-flags.test.js","sourceRoot":"","sources":["../src/feature-flags.test.ts"],"names":[],"mappings":";;;;;AAAA,8CAAuB;AAGvB,mDAAkE;AAClE,uCAA4C;AAC5C,6CAAkD;AAClD,mDAMyB;AAEzB,iCAAgF;AAEhF,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;AAC/C,CAAC,CAAC,CAAC;AAEH,MAAM,cAAc,GAAqB;IACvC,IAAI,EAAE,MAAM;IACZ,GAAG,EAAE,oBAAoB;IACzB,MAAM,EAAE,SAAS;CAClB,CAAC;AAEF,MAAM,iBAAiB,GAAG,IAAA,+BAAkB,EAAC,gBAAgB,CAAC,CAAC;AAE/D,MAAM,mCAAmC,GAGpC;IACH;QACE,WAAW,EAAE,MAAM;QACnB,aAAa,EAAE,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE;KAC9D;IACD,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,EAAE;CACrE,CAAC;AAEF,KAAK,MAAM,OAAO,IAAI,mCAAmC,EAAE;IACzD,IAAA,aAAI,EAAC,qDAAqD,OAAO,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC3F,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAEjC,MAAM,cAAc,GAAG,EAAE,CAAC;YAC1B,MAAM,YAAY,GAAG,IAAI,kCAAkB,CACzC,OAAO,CAAC,aAAa,EACrB,cAAc,EACd,iBAAiB,EACjB,IAAA,kCAAkB,EAAC,cAAc,CAAC,CACnC,CAAC;YAEF,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,2BAAW,CAAC,EAAE;gBAC7C,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC;aACzD;YAED,CAAC,CAAC,MAAM,CACN,cAAc,CAAC,IAAI,CACjB,CAAC,CAAgB,EAAE,EAAE,CACnB,CAAC,CAAC,IAAI,KAAK,OAAO;gBAClB,CAAC,CAAC,OAAO;oBACP,8DAA8D,CACnE,KAAK,SAAS,CAChB,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;CACJ;AAED,IAAA,aAAI,EAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEjC,MAAM,cAAc,GAAG,EAAE,CAAC;QAC1B,MAAM,YAAY,GAAG,IAAI,kCAAkB,CACzC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,EAC9B,cAAc,EACd,iBAAiB,EACjB,IAAA,kCAAkB,EAAC,cAAc,CAAC,CACnC,CAAC;QAEF,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,2BAAW,CAAC,EAAE;YAC7C,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC;SACzD;QAED,KAAK,MAAM,WAAW,IAAI,CAAC,4BAA4B,CAAC,EAAE;YACxD,CAAC,CAAC,MAAM,CACN,cAAc,CAAC,IAAI,CACjB,CAAC,CAAgB,EAAE,EAAE,CACnB,CAAC,CAAC,IAAI,KAAK,OAAO;gBAClB,CAAC,CAAC,OAAO;oBACP,qCAAqC,WAAW,4BAA4B,CACjF,KAAK,SAAS,CAChB,CAAC;SACH;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oEAAoE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrF,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEjC,MAAM,cAAc,GAAG,EAAE,CAAC;QAC1B,MAAM,YAAY,GAAG,IAAI,kCAAkB,CACzC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,EAC9B,cAAc,EACd,iBAAiB,EACjB,IAAA,kCAAkB,EAAC,cAAc,CAAC,CACnC,CAAC;QAEF,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,2BAAW,CAAC,EAAE;YAC7C,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC;SACzD;QAED,KAAK,MAAM,WAAW,IAAI,CAAC,4BAA4B,CAAC,EAAE;YACxD,CAAC,CAAC,MAAM,CACN,cAAc,CAAC,IAAI,CACjB,CAAC,CAAgB,EAAE,EAAE,CACnB,CAAC,CAAC,IAAI,KAAK,OAAO;gBAClB,CAAC,CAAC,OAAO;oBACP,iBAAiB,WAAW,uDAAuD,CACxF,KAAK,SAAS,CAChB,CAAC;SACH;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iEAAiE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClF,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEjC,MAAM,YAAY,GAAG,IAAI,kCAAkB,CACzC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,EAC9B,cAAc,EACd,iBAAiB,EACjB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;QAEF,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,MAAM,CAAC,CAAC,WAAW,CACjB,KAAK,IAAI,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,2BAAW,CAAC,uBAAuB,CAAC,EACtE;YACE,OAAO,EACL,oFAAoF;SACvF,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG;IACpB,4BAA4B;IAC5B,2BAA2B;CAC5B,CAAC;AAEF,KAAK,MAAM,WAAW,IAAI,aAAa,EAAE;IACvC,IAAA,aAAI,EAAC,iBAAiB,WAAW,6CAA6C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC1F,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAEjC,MAAM,YAAY,GAAG,IAAI,kCAAkB,CACzC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,EAC9B,cAAc,EACd,iBAAiB,EACjB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;YAEF,MAAM,oBAAoB,GAAgC,EAAE,CAAC;YAC7D,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE;gBAC7B,oBAAoB,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC;aACjC;YACD,oBAAoB,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC;YACzC,IAAA,0CAA0B,EAAC,GAAG,EAAE,oBAAoB,CAAC,CAAC;YAEtD,MAAM,kBAAkB,GAAgC;gBACtD,0BAA0B,EAAE,MAAM,YAAY,CAAC,QAAQ,CACrD,2BAAW,CAAC,uBAAuB,CACpC;gBACD,yBAAyB,EAAE,MAAM,YAAY,CAAC,QAAQ,CACpD,2BAAW,CAAC,sBAAsB,CACnC;aACF,CAAC;YAEF,CAAC,CAAC,SAAS,CAAC,kBAAkB,EAAE,oBAAoB,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;CACJ"}
+{"version":3,"file":"feature-flags.test.js","sourceRoot":"","sources":["../src/feature-flags.test.ts"],"names":[],"mappings":";;;;;AAAA,8CAAuB;AAGvB,mDAAkE;AAClE,uCAA4C;AAC5C,6CAAkD;AAClD,mDAMyB;AAEzB,iCAAgF;AAEhF,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;AAC/C,CAAC,CAAC,CAAC;AAEH,MAAM,cAAc,GAAqB;IACvC,IAAI,EAAE,MAAM;IACZ,GAAG,EAAE,oBAAoB;IACzB,MAAM,EAAE,SAAS;IACjB,oBAAoB,EAAE,SAAS;CAChC,CAAC;AAEF,MAAM,iBAAiB,GAAG,IAAA,+BAAkB,EAAC,gBAAgB,CAAC,CAAC;AAE/D,MAAM,mCAAmC,GAGpC;IACH;QACE,WAAW,EAAE,MAAM;QACnB,aAAa,EAAE,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE;KAC9D;IACD,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,EAAE;CACrE,CAAC;AAEF,KAAK,MAAM,OAAO,IAAI,mCAAmC,EAAE;IACzD,IAAA,aAAI,EAAC,qDAAqD,OAAO,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC3F,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAEjC,MAAM,cAAc,GAAG,EAAE,CAAC;YAC1B,MAAM,YAAY,GAAG,IAAI,kCAAkB,CACzC,OAAO,CAAC,aAAa,EACrB,cAAc,EACd,iBAAiB,EACjB,IAAA,kCAAkB,EAAC,cAAc,CAAC,CACnC,CAAC;YAEF,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,2BAAW,CAAC,EAAE;gBAC7C,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC;aACzD;YAED,CAAC,CAAC,MAAM,CACN,cAAc,CAAC,IAAI,CACjB,CAAC,CAAgB,EAAE,EAAE,CACnB,CAAC,CAAC,IAAI,KAAK,OAAO;gBAClB,CAAC,CAAC,OAAO;oBACP,8DAA8D,CACnE,KAAK,SAAS,CAChB,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;CACJ;AAED,IAAA,aAAI,EAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEjC,MAAM,cAAc,GAAG,EAAE,CAAC;QAC1B,MAAM,YAAY,GAAG,IAAI,kCAAkB,CACzC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,EAC9B,cAAc,EACd,iBAAiB,EACjB,IAAA,kCAAkB,EAAC,cAAc,CAAC,CACnC,CAAC;QAEF,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,2BAAW,CAAC,EAAE;YAC7C,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC;SACzD;QAED,KAAK,MAAM,WAAW,IAAI,CAAC,4BAA4B,CAAC,EAAE;YACxD,CAAC,CAAC,MAAM,CACN,cAAc,CAAC,IAAI,CACjB,CAAC,CAAgB,EAAE,EAAE,CACnB,CAAC,CAAC,IAAI,KAAK,OAAO;gBAClB,CAAC,CAAC,OAAO;oBACP,qCAAqC,WAAW,4BAA4B,CACjF,KAAK,SAAS,CAChB,CAAC;SACH;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oEAAoE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrF,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEjC,MAAM,cAAc,GAAG,EAAE,CAAC;QAC1B,MAAM,YAAY,GAAG,IAAI,kCAAkB,CACzC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,EAC9B,cAAc,EACd,iBAAiB,EACjB,IAAA,kCAAkB,EAAC,cAAc,CAAC,CACnC,CAAC;QAEF,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,2BAAW,CAAC,EAAE;YAC7C,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC;SACzD;QAED,KAAK,MAAM,WAAW,IAAI,CAAC,4BAA4B,CAAC,EAAE;YACxD,CAAC,CAAC,MAAM,CACN,cAAc,CAAC,IAAI,CACjB,CAAC,CAAgB,EAAE,EAAE,CACnB,CAAC,CAAC,IAAI,KAAK,OAAO;gBAClB,CAAC,CAAC,OAAO;oBACP,iBAAiB,WAAW,uDAAuD,CACxF,KAAK,SAAS,CAChB,CAAC;SACH;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iEAAiE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClF,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEjC,MAAM,YAAY,GAAG,IAAI,kCAAkB,CACzC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,EAC9B,cAAc,EACd,iBAAiB,EACjB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;QAEF,IAAA,0CAA0B,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAEpC,MAAM,CAAC,CAAC,WAAW,CACjB,KAAK,IAAI,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,2BAAW,CAAC,uBAAuB,CAAC,EACtE;YACE,OAAO,EACL,oFAAoF;SACvF,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG;IACpB,4BAA4B;IAC5B,2BAA2B;CAC5B,CAAC;AAEF,KAAK,MAAM,WAAW,IAAI,aAAa,EAAE;IACvC,IAAA,aAAI,EAAC,iBAAiB,WAAW,6CAA6C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC1F,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAEjC,MAAM,YAAY,GAAG,IAAI,kCAAkB,CACzC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,EAC9B,cAAc,EACd,iBAAiB,EACjB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;YAEF,MAAM,oBAAoB,GAAgC,EAAE,CAAC;YAC7D,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE;gBAC7B,oBAAoB,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC;aACjC;YACD,oBAAoB,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC;YACzC,IAAA,0CAA0B,EAAC,GAAG,EAAE,oBAAoB,CAAC,CAAC;YAEtD,MAAM,kBAAkB,GAAgC;gBACtD,0BAA0B,EAAE,MAAM,YAAY,CAAC,QAAQ,CACrD,2BAAW,CAAC,uBAAuB,CACpC;gBACD,yBAAyB,EAAE,MAAM,YAAY,CAAC,QAAQ,CACpD,2BAAW,CAAC,sBAAsB,CACnC;aACF,CAAC;YAEF,CAAC,CAAC,SAAS,CAAC,kBAAkB,EAAE,oBAAoB,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;CACJ"}
--- a/lib/init-action.js
+++ b/lib/init-action.js
@ -84,6 +84,7 @@ async function run() {
        externalRepoAuth: (0, actions_util_1.getOptionalInput)("external-repository-token"),
        url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
        apiURL: (0, util_1.getRequiredEnvParam)("GITHUB_API_URL"),
+        registriesAuthTokens: (0, actions_util_1.getOptionalInput)("registries-auth-tokens"),
    };
    const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
    (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger, util_1.Mode.actions);
--- a/lib/init-action.js.map
+++ b/lib/init-action.js.map
--- a/lib/runner.js
+++ b/lib/runner.js
@ -137,6 +137,7 @@ program
            externalRepoAuth: auth,
            url: (0, util_1.parseGitHubUrl)(cmd.githubUrl),
            apiURL: undefined,
+            registriesAuthTokens: undefined,
        };
        const gitHubVersion = await (0, util_1.getGitHubVersion)(apiDetails);
        (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger, util_1.Mode.runner);
@ -279,6 +280,7 @@ program
            auth,
            url: (0, util_1.parseGitHubUrl)(cmd.githubUrl),
            apiURL: undefined,
+            registriesAuthTokens: undefined,
        };
        const outputDir = cmd.outputDir || path.join(config.tempDir, "codeql-sarif");
        let initEnv = {};
@ -325,6 +327,7 @@ program
        auth,
        url: (0, util_1.parseGitHubUrl)(cmd.githubUrl),
        apiURL: undefined,
+        registriesAuthTokens: undefined,
    };
    try {
        const gitHubVersion = await (0, util_1.getGitHubVersion)(apiDetails);
--- a/lib/runner.js.map
+++ b/lib/runner.js.map
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@ -48,6 +48,7 @@ async function run() {
            auth: actionsUtil.getRequiredInput("token"),
            url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
            apiURL: (0, util_1.getRequiredEnvParam)("GITHUB_API_URL"),
+            registriesAuthTokens: undefined,
        };
        const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
        const uploadResult = await upload_lib.uploadFromActions(actionsUtil.getRequiredInput("sarif_file"), gitHubVersion, apiDetails, (0, logging_1.getActionsLogger)());
--- a/lib/upload-sarif-action.js.map
+++ b/lib/upload-sarif-action.js.map
@ -1 +1 @@
-{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAA2D;AAC3D,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAMgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,IAAA,yBAAkB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtC,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;YAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;SAC9C,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAA,wCAA2B,GAAE,CAAC;QAE1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,aAAa,EACb,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QAEjD,qEAAqE;QACrE,IAAI,IAAA,mBAAY,GAAE,EAAE;YAClB,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;SACjE;aAAM,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YACzE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,WAAW,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACnC,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAA2D;AAC3D,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAMgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,IAAA,yBAAkB,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtC,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;YAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;YAC7C,oBAAoB,EAAE,SAAS;SAChC,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAA,wCAA2B,GAAE,CAAC;QAE1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,aAAa,EACb,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QAEjD,qEAAqE;QACrE,IAAI,IAAA,mBAAY,GAAE,EAAE;YAClB,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;SACjE;aAAM,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YACzE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,WAAW,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACnC,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
--- a/lib/util.test.js
+++ b/lib/util.test.js
@ -156,6 +156,7 @@ function mockGetMetaVersionHeader(versionHeader) {
        auth: "",
        url: "https://github.com",
        apiURL: undefined,
+        registriesAuthTokens: undefined,
    });
    t.deepEqual(util.GitHubVariant.DOTCOM, v.type);
    mockGetMetaVersionHeader("2.0");
@ -163,6 +164,7 @@ function mockGetMetaVersionHeader(versionHeader) {
        auth: "",
        url: "https://ghe.example.com",
        apiURL: undefined,
+        registriesAuthTokens: undefined,
    });
    t.deepEqual({ type: util.GitHubVariant.GHES, version: "2.0" }, v2);
    mockGetMetaVersionHeader("GitHub AE");
@ -170,6 +172,7 @@ function mockGetMetaVersionHeader(versionHeader) {
        auth: "",
        url: "https://example.githubenterprise.com",
        apiURL: undefined,
+        registriesAuthTokens: undefined,
    });
    t.deepEqual({ type: util.GitHubVariant.GHAE }, ghae);
    mockGetMetaVersionHeader(undefined);
@ -177,6 +180,7 @@ function mockGetMetaVersionHeader(versionHeader) {
        auth: "",
        url: "https://ghe.example.com",
        apiURL: undefined,
+        registriesAuthTokens: undefined,
    });
    t.deepEqual({ type: util.GitHubVariant.DOTCOM }, v3);
 });
--- a/lib/util.test.js.map
+++ b/lib/util.test.js.map
--- a/src/analyze-action.ts
+++ b/src/analyze-action.ts
@ -143,6 +143,9 @@ async function run() {
      auth: actionsUtil.getRequiredInput("token"),
      url: util.getRequiredEnvParam("GITHUB_SERVER_URL"),
      apiURL: util.getRequiredEnvParam("GITHUB_API_URL"),
+
+      // not needed or available in the analize action
+      registriesAuthTokens: undefined,
    };
    const outputDir = actionsUtil.getRequiredInput("output");
    const threads = util.getThreadsFlag(
--- a/src/api-client.ts
+++ b/src/api-client.ts
@ -4,7 +4,7 @@ import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
 import consoleLogLevel from "console-log-level";

-import { getRequiredInput } from "./actions-util";
+import { getOptionalInput, getRequiredInput } from "./actions-util";
 import * as util from "./util";
 import { getMode, getRequiredEnvParam, GitHubVersion } from "./util";

@ -23,6 +23,7 @@ export interface GitHubApiDetails {
  auth: string;
  url: string;
  apiURL: string | undefined;
+  registriesAuthTokens: string | undefined;
 }

 export interface GitHubApiExternalRepoDetails {
@ -68,6 +69,9 @@ function getApiDetails() {
    auth: getRequiredInput("token"),
    url: getRequiredEnvParam("GITHUB_SERVER_URL"),
    apiURL: getRequiredEnvParam("GITHUB_API_URL"),
+
+    // only available in the init action
+    registriesAuthTokens: getOptionalInput("registries-auth-tokens"),
  };
 }

--- a/src/codeql.test.ts
+++ b/src/codeql.test.ts
@ -26,12 +26,14 @@ const sampleApiDetails = {
  auth: "token",
  url: "https://github.com",
  apiURL: undefined,
+  registriesAuthTokens: undefined,
 };

 const sampleGHAEApiDetails = {
  auth: "token",
  url: "https://example.githubenterprise.com",
  apiURL: undefined,
+  registriesAuthTokens: undefined,
 };

 let stubConfig: Config;
--- a/src/codeql.ts
+++ b/src/codeql.ts
@ -134,7 +134,10 @@ export interface CodeQL {
  /**
   * Run 'codeql pack download'.
   */
-  packDownload(packs: string[]): Promise<PackDownloadOutput>;
+  packDownload(
+    packs: string[],
+    qlconfigFile: string | undefined
+  ): Promise<PackDownloadOutput>;

  /**
   * Run 'codeql database cleanup'.
@ -1086,11 +1089,22 @@ async function getCodeQLForCmd(
     * If no version is specified, then the latest version is
     * downloaded. The check to determine what the latest version is is done
     * each time this package is requested.
+     *
+     * Optionally, a `qlconfigFile` is included. If used, then this file
+     * is used to determine which registry each pack is downloaded from.
     */
-    async packDownload(packs: string[]): Promise<PackDownloadOutput> {
+    async packDownload(
+      packs: string[],
+      qlconfigFile: string | undefined
+    ): Promise<PackDownloadOutput> {
+      const qlconfigArg = qlconfigFile
+        ? [`--qlconfig-file=${qlconfigFile}`]
+        : ([] as string[]);
+
      const codeqlArgs = [
        "pack",
        "download",
+        ...qlconfigArg,
        "--format=json",
        "--resolve-query-specs",
        ...getExtraOptionsFromEnv(["pack", "download"]),
--- a/src/config-utils.test.ts
+++ b/src/config-utils.test.ts
@ -3,6 +3,7 @@ import * as path from "path";

 import * as github from "@actions/github";
 import test, { ExecutionContext } from "ava";
+import * as yaml from "js-yaml";
 import * as sinon from "sinon";

 import * as api from "./api-client";
@ -21,6 +22,7 @@ const sampleApiDetails = {
  externalRepoAuth: "token",
  url: "https://github.example.com",
  apiURL: undefined,
+  registriesAuthTokens: undefined,
 };

 const gitHubVersion = { type: util.GitHubVariant.DOTCOM } as util.GitHubVersion;
@ -2208,30 +2210,114 @@ test(
  /"a-pack-without-a-scope" is not a valid pack/
 );

-test("downloadPacks", async (t) => {
-  const packDownloadStub = sinon.stub();
-  packDownloadStub.callsFake((packs) => ({
-    packs,
-  }));
-  const codeQL = setCodeQL({
-    packDownload: packDownloadStub,
+test("downloadPacks-no-registries", async (t) => {
+  return await util.withTmpDir(async (tmpDir) => {
+    const packDownloadStub = sinon.stub();
+    packDownloadStub.callsFake((packs) => ({
+      packs,
+    }));
+    const codeQL = setCodeQL({
+      packDownload: packDownloadStub,
+    });
+    const logger = getRunnerLogger(true);
+
+    // packs are supplied for go, java, and python
+    // analyzed languages are java, javascript, and python
+    await configUtils.downloadPacks(
+      codeQL,
+      [Language.javascript, Language.java, Language.python],
+      {
+        java: ["a", "b"],
+        go: ["c", "d"],
+        python: ["e", "f"],
+      },
+      undefined,
+      sampleApiDetails,
+      tmpDir,
+      logger
+    );
+
+    t.deepEqual(packDownloadStub.callCount, 2);
+    // no config file was created, so pass `undefined` as the config file path
+    t.deepEqual(packDownloadStub.firstCall.args, [["a", "b"], undefined]);
+    t.deepEqual(packDownloadStub.secondCall.args, [["e", "f"], undefined]);
+  });
+});
+
+test("downloadPacks-with-registries", async (t) => {
+  // same thing, but this time include a registries block and
+  // associated env vars
+  return await util.withTmpDir(async (tmpDir) => {
+    process.env.GITHUB_TOKEN = "not-a-token";
+    process.env.CODEQL_REGISTRIES_AUTH = "not-a-registries-auth";
+    const logger = getRunnerLogger(true);
+
+    const apiDetails = {
+      ...sampleApiDetails,
+      registriesAuthTokens: "registries-auth",
+    };
+    const registries = [
+      {
+        url: "http://ghcr.io",
+        packages: ["codeql/*", "dsp-testing/*"],
+      },
+      {
+        url: "https://containers.GHEHOSTNAME1/v2/",
+        packages: "semmle/*",
+      },
+    ];
+
+    const expectedConfigFile = path.join(tmpDir, "qlconfig.yml");
+    const packDownloadStub = sinon.stub();
+    packDownloadStub.callsFake((packs, configFile) => {
+      t.deepEqual(configFile, expectedConfigFile);
+      // verify the env vars were set correctly
+      t.deepEqual(process.env.GITHUB_TOKEN, "token");
+      t.deepEqual(process.env.CODEQL_REGISTRIES_AUTH, "registries-auth");
+
+      // verify the config file contents were set correctly
+      const config = yaml.load(
+        fs.readFileSync(configFile, "utf8")
+      ) as configUtils.UserConfig;
+      t.deepEqual(config.registries, registries);
+      return {
+        packs,
+      };
+    });
+
+    const codeQL = setCodeQL({
+      packDownload: packDownloadStub,
+    });
+
+    // packs are supplied for go, java, and python
+    // analyzed languages are java, javascript, and python
+    await configUtils.downloadPacks(
+      codeQL,
+      [Language.javascript, Language.java, Language.python],
+      {
+        java: ["a", "b"],
+        go: ["c", "d"],
+        python: ["e", "f"],
+      },
+      registries,
+      apiDetails,
+      tmpDir,
+      logger
+    );
+
+    // Same packs are downloaded as in previous test
+    t.deepEqual(packDownloadStub.callCount, 2);
+    t.deepEqual(packDownloadStub.firstCall.args, [
+      ["a", "b"],
+      expectedConfigFile,
+    ]);
+    t.deepEqual(packDownloadStub.secondCall.args, [
+      ["e", "f"],
+      expectedConfigFile,
+    ]);
+
+    // Verify that the env vars were unset.
+    t.deepEqual(process.env.GITHUB_TOKEN, "not-a-token");
+    t.deepEqual(process.env.CODEQL_REGISTRIES_AUTH, "not-a-registries-auth");
  });
-  const logger = getRunnerLogger(true);
-
-  // packs are supplied for go, java, and python
-  // analyzed languages are java, javascript, and python
-  await configUtils.downloadPacks(
-    codeQL,
-    [Language.javascript, Language.java, Language.python],
-    {
-      java: ["a", "b"],
-      go: ["c", "d"],
-      python: ["e", "f"],
-    },
-    logger
-  );
-
-  t.deepEqual(packDownloadStub.callCount, 2);
-  t.deepEqual(packDownloadStub.firstCall.args, [["a", "b"]]);
-  t.deepEqual(packDownloadStub.secondCall.args, [["e", "f"]]);
 });
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@ -57,10 +57,24 @@ export interface UserConfig {
  // Set of query filters to include and exclude extra queries based on
  // codeql query suite `include` and `exclude` properties
  "query-filters"?: QueryFilter[];
+
+  // Set of external registries and which packs to retrieve from each
+  registries?: RegistryConfig[];
 }

 export type QueryFilter = ExcludeQueryFilter | IncludeQueryFilter;

+/**
+ * The list of registries and the associated pack globs that determine where each pack can be downloaded from.
+ */
+export interface RegistryConfig {
+  // URL of a package registry, eg- https://ghcr.io/v2/
+  url: string;
+
+  // List of globs that determine which packs are associated with this registry.
+  packages: string[] | string;
+}
+
 interface ExcludeQueryFilter {
  exclude: Record<string, string[] | string>;
 }
@ -1686,7 +1700,15 @@ export async function initConfig(
  // happen in the CLI during the `database init` command, so no need
  // to download them here.
  if (!(await useCodeScanningConfigInCli(codeQL))) {
-    await downloadPacks(codeQL, config.languages, config.packs, logger);
+    await downloadPacks(
+      codeQL,
+      config.languages,
+      config.packs,
+      config.originalUserInput.registries,
+      apiDetails,
+      config.tempDir,
+      logger
+    );
  }

  // Save the config so we can easily access it again in the future
@ -1795,30 +1817,79 @@ export async function downloadPacks(
  codeQL: CodeQL,
  languages: Language[],
  packs: Packs,
+  registries: RegistryConfig[] | undefined,
+  apiDetails: api.GitHubApiDetails,
+  tmpDir: string,
  logger: Logger
 ) {
-  let numPacksDownloaded = 0;
-  logger.startGroup("Downloading packs");
-  for (const language of languages) {
-    const packsWithVersion = packs[language];
-    if (packsWithVersion?.length) {
-      logger.info(`Downloading custom packs for ${language}`);
-      const results = await codeQL.packDownload(packsWithVersion);
-      numPacksDownloaded += results.packs.length;
-      logger.info(
-        `Downloaded packs: ${results.packs
-          .map((r) => `${r.name}@${r.version || "latest"}`)
-          .join(", ")}`
-      );
+  let qlconfigFile: string | undefined;
+  if (registries) {
+    // generate a qlconfig.yml file to hold the registry configs.
+    const qlconfig = {
+      registries,
+    };
+    qlconfigFile = path.join(tmpDir, "qlconfig.yml");
+    fs.writeFileSync(qlconfigFile, yaml.dump(qlconfig), "utf8");
+  }
+
+  await wrapEnvironment(
+    {
+      GITHUB_TOKEN: apiDetails.auth,
+      CODEQL_REGISTRIES_AUTH: apiDetails.registriesAuthTokens,
+    },
+    async () => {
+      let numPacksDownloaded = 0;
+      logger.startGroup("Downloading packs");
+      for (const language of languages) {
+        const packsWithVersion = packs[language];
+        if (packsWithVersion?.length) {
+          logger.info(`Downloading custom packs for ${language}`);
+          const results = await codeQL.packDownload(
+            packsWithVersion,
+            qlconfigFile
+          );
+          numPacksDownloaded += results.packs.length;
+          logger.info(
+            `Downloaded: ${results.packs
+              .map((r) => `${r.name}@${r.version || "latest"}`)
+              .join(", ")}`
+          );
+        }
+      }
+      if (numPacksDownloaded > 0) {
+        logger.info(
+          `Downloaded ${numPacksDownloaded} ${packs === 1 ? "pack" : "packs"}`
+        );
+      } else {
+        logger.info("No packs to download");
+      }
+      logger.endGroup();
+    }
+  );
+}
+
+async function wrapEnvironment(
+  env: Record<string, string | undefined>,
+  operation: Function
+) {
+  // Remember the original env
+  const oldEnv = { ...process.env };
+
+  // Set the new env
+  for (const [key, value] of Object.entries(env)) {
+    // Ignore undefined keys
+    if (value !== undefined) {
+      process.env[key] = value;
    }
  }

-  if (numPacksDownloaded > 0) {
-    logger.info(
-      `Downloaded ${numPacksDownloaded} ${packs === 1 ? "pack" : "packs"}`
-    );
-  } else {
-    logger.info("No packs to download");
+  try {
+    // Run the operation
+    await operation();
+  } finally {
+    // Restore the old env
+    for (const [key, value] of Object.entries(oldEnv)) {
+      process.env[key] = value;
+    }
  }
-  logger.endGroup();
 }
--- a/src/database-upload.test.ts
+++ b/src/database-upload.test.ts
@ -39,6 +39,7 @@ const testApiDetails: GitHubApiDetails = {
  auth: "1234",
  url: "https://github.com",
  apiURL: undefined,
+  registriesAuthTokens: undefined,
 };

 function getTestConfig(tmpDir: string): Config {
--- a/src/feature-flags.test.ts
+++ b/src/feature-flags.test.ts
@ -24,6 +24,7 @@ const testApiDetails: GitHubApiDetails = {
  auth: "1234",
  url: "https://github.com",
  apiURL: undefined,
+  registriesAuthTokens: undefined,
 };

 const testRepositoryNwo = parseRepositoryNwo("github/example");
--- a/src/init-action.ts
+++ b/src/init-action.ts
@ -148,6 +148,7 @@ async function run() {
    externalRepoAuth: getOptionalInput("external-repository-token"),
    url: getRequiredEnvParam("GITHUB_SERVER_URL"),
    apiURL: getRequiredEnvParam("GITHUB_API_URL"),
+    registriesAuthTokens: getOptionalInput("registries-auth-tokens"),
  };

  const gitHubVersion = await getGitHubVersionActionsOnly();
--- a/src/runner.ts
+++ b/src/runner.ts
@ -203,6 +203,7 @@ program
        externalRepoAuth: auth,
        url: parseGitHubUrl(cmd.githubUrl),
        apiURL: undefined,
+        registriesAuthTokens: undefined,
      };

      const gitHubVersion = await getGitHubVersion(apiDetails);
@ -479,6 +480,7 @@ program
        auth,
        url: parseGitHubUrl(cmd.githubUrl),
        apiURL: undefined,
+        registriesAuthTokens: undefined,
      };

      const outputDir =
@ -592,6 +594,7 @@ program
      auth,
      url: parseGitHubUrl(cmd.githubUrl),
      apiURL: undefined,
+      registriesAuthTokens: undefined,
    };
    try {
      const gitHubVersion = await getGitHubVersion(apiDetails);
--- a/src/upload-sarif-action.ts
+++ b/src/upload-sarif-action.ts
@ -57,6 +57,7 @@ async function run() {
      auth: actionsUtil.getRequiredInput("token"),
      url: getRequiredEnvParam("GITHUB_SERVER_URL"),
      apiURL: getRequiredEnvParam("GITHUB_API_URL"),
+      registriesAuthTokens: undefined,
    };

    const gitHubVersion = await getGitHubVersionActionsOnly();
--- a/src/util.test.ts
+++ b/src/util.test.ts
@ -209,6 +209,7 @@ test("getGitHubVersion", async (t) => {
    auth: "",
    url: "https://github.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
  });
  t.deepEqual(util.GitHubVariant.DOTCOM, v.type);

@ -217,6 +218,7 @@ test("getGitHubVersion", async (t) => {
    auth: "",
    url: "https://ghe.example.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
  });
  t.deepEqual(
    { type: util.GitHubVariant.GHES, version: "2.0" } as util.GitHubVersion,
@ -228,6 +230,7 @@ test("getGitHubVersion", async (t) => {
    auth: "",
    url: "https://example.githubenterprise.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
  });
  t.deepEqual({ type: util.GitHubVariant.GHAE }, ghae);

@ -236,6 +239,7 @@ test("getGitHubVersion", async (t) => {
    auth: "",
    url: "https://ghe.example.com",
    apiURL: undefined,
+    registriesAuthTokens: undefined,
  });
  t.deepEqual({ type: util.GitHubVariant.DOTCOM }, v3);
 });