Ensure artifacts are only uploaded in safe situations

This commit: Turns on uploading of artifacts again but only if CLI version is >= 2.20.3. I implemented the check using our feature flag functionality. I was on the fence about this since it makes the PR more complex. However, it does give us more flexibility when controlling artifact uploads. Also, I renamed the two workflows that were previously disabled. This way we will not accidentally enable the old workflows for previous versions of the action.
2025-01-25 15:31:35 -08:00 · 2025-01-25 15:31:35 -08:00 · 2bab9f7984
commit 2bab9f7984
parent e7c0c9d71b
17 changed files with 264 additions and 39 deletions
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@ -19,6 +19,14 @@ on:
  workflow_dispatch: {}
 jobs:
  upload-artifacts:
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+        - stable-v2.20.3
+        - default
+        - linked
+        - nightly-latest
    name: Upload debug artifacts after failure in analyze
    continue-on-error: true
    env:
@ -36,7 +44,7 @@ jobs:
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
-          version: linked
+          version: ${{ matrix.version }}
      - uses: actions/setup-go@v5
        with:
          go-version: ^1.13.1
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@ -22,11 +22,7 @@ jobs:
      fail-fast: false
      matrix:
        version:
-        - stable-v2.15.5
-        - stable-v2.16.6
-        - stable-v2.17.6
-        - stable-v2.18.4
-        - stable-v2.19.4
+        - stable-v2.20.3
        - default
        - linked
        - nightly-latest
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@ -44,7 +44,9 @@ const api_client_1 = require("./api-client");
 const config_utils_1 = require("./config-utils");
 const debugArtifacts = __importStar(require("./debug-artifacts"));
 const environment_1 = require("./environment");
+const feature_flags_1 = require("./feature-flags");
 const logging_1 = require("./logging");
+const repository_1 = require("./repository");
 const util_1 = require("./util");
 async function runWrapper() {
    try {
@ -52,12 +54,13 @@ async function runWrapper() {
        const logger = (0, logging_1.getActionsLogger)();
        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
        (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
+        const features = createFeatures(gitHubVersion, logger);
        // Upload SARIF artifacts if we determine that this is a first-party analysis run.
        // For third-party runs, this artifact will be uploaded in the `upload-sarif-post` step.
        if (process.env[environment_1.EnvVar.INIT_ACTION_HAS_RUN] === "true") {
            const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
            if (config !== undefined) {
-                await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type));
+                await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type, features));
            }
        }
    }
@ -65,5 +68,10 @@ async function runWrapper() {
        core.setFailed(`analyze post-action step failed: ${(0, util_1.getErrorMessage)(error)}`);
    }
 }
+function createFeatures(gitHubVersion, logger) {
+    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, actionsUtil.getTemporaryDirectory(), logger);
+    return features;
+}
 void runWrapper();
 //# sourceMappingURL=analyze-action-post.js.map
--- a/lib/analyze-action-post.js.map
+++ b/lib/analyze-action-post.js.map
@ -1 +1 @@
-{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,CAC1B,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,mDAA2C;AAC3C,uCAAgE;AAChE,6CAAkD;AAClD,iCAKgB;AAEhB,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,QAAQ,GAAG,cAAc,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEvD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,EACzB,QAAQ,CACT,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,aAA4B,EAAE,MAAc;IAClE,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;IAEF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;IACF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
--- a/lib/debug-artifacts.js
+++ b/lib/debug-artifacts.js
@ -52,6 +52,7 @@ const actions_util_1 = require("./actions-util");
 const analyze_1 = require("./analyze");
 const codeql_1 = require("./codeql");
 const environment_1 = require("./environment");
+const feature_flags_1 = require("./feature-flags");
 const logging_1 = require("./logging");
 const util_1 = require("./util");
 function sanitizeArtifactName(name) {
@ -61,7 +62,7 @@ function sanitizeArtifactName(name) {
 * Upload Actions SARIF artifacts for debugging when CODEQL_ACTION_DEBUG_COMBINED_SARIF
 * environment variable is set
 */
-async function uploadCombinedSarifArtifacts(logger, gitHubVariant) {
+async function uploadCombinedSarifArtifacts(logger, gitHubVariant, features) {
    const tempDir = (0, actions_util_1.getTemporaryDirectory)();
    // Upload Actions SARIF artifacts for debugging when environment variable is set
    if (process.env["CODEQL_ACTION_DEBUG_COMBINED_SARIF"] === "true") {
@ -80,7 +81,7 @@ async function uploadCombinedSarifArtifacts(logger, gitHubVariant) {
            }
        }
        try {
-            await uploadDebugArtifacts(logger, toUpload, baseTempDir, "combined-sarif-artifacts", gitHubVariant);
+            await uploadDebugArtifacts(logger, toUpload, baseTempDir, "combined-sarif-artifacts", gitHubVariant, features);
        }
        catch (e) {
            logger.warning(`Failed to upload combined SARIF files as Actions debugging artifact. Reason: ${(0, util_1.getErrorMessage)(e)}`);
@ -140,7 +141,7 @@ async function tryBundleDatabase(config, language, logger) {
 *
 * Logs and suppresses any errors that occur.
 */
-async function tryUploadAllAvailableDebugArtifacts(config, logger) {
+async function tryUploadAllAvailableDebugArtifacts(config, logger, features) {
    const filesToUpload = [];
    try {
        for (const language of config.languages) {
@ -180,20 +181,25 @@ async function tryUploadAllAvailableDebugArtifacts(config, logger) {
        return;
    }
    try {
-        await (0, logging_1.withGroup)("Uploading debug artifacts", async () => uploadDebugArtifacts(logger, filesToUpload, config.dbLocation, config.debugArtifactName, config.gitHubVersion.type));
+        await (0, logging_1.withGroup)("Uploading debug artifacts", async () => uploadDebugArtifacts(logger, filesToUpload, config.dbLocation, config.debugArtifactName, config.gitHubVersion.type, features));
    }
    catch (e) {
        logger.warning(`Failed to upload debug artifacts. Reason: ${(0, util_1.getErrorMessage)(e)}`);
    }
 }
-async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghVariant) {
+async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghVariant, features) {
    if (toUpload.length === 0) {
-        return;
+        return "no-artifacts-to-upload";
+    }
+    const uploadSupported = typeof features === "boolean"
+        ? features
+        : await features.getValue(feature_flags_1.Feature.SafeArtifactUpload);
+    if (!uploadSupported) {
+        core.info(`Skipping debug artifact upload because the current CLI does not support safe upload. Please upgrade to CLI v${feature_flags_1.featureConfig.safe_artifact_upload.minimumVersion} or later.`);
+        return "upload-not-supported";
    }
-    logger.info("Uploading debug artifacts is temporarily disabled");
-    return;
    let suffix = "";
-    const matrix = (0, actions_util_1.getRequiredInput)("matrix");
+    const matrix = (0, actions_util_1.getOptionalInput)("matrix");
    if (matrix) {
        try {
            for (const [, matrixVal] of Object.entries(JSON.parse(matrix)).sort())
@ -209,10 +215,12 @@ async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghV
            // ensure we don't keep the debug artifacts around for too long since they can be large.
            retentionDays: 7,
        });
+        return "upload-successful";
    }
    catch (e) {
        // A failure to upload debug artifacts should not fail the entire action.
        core.warning(`Failed to upload debug artifacts: ${e}`);
+        return "upload-failed";
    }
 }
 // `@actions/artifact@v2` is not yet supported on GHES so the legacy version of the client will be used on GHES
--- a/lib/debug-artifacts.js.map
+++ b/lib/debug-artifacts.js.map
--- a/lib/debug-artifacts.test.js
+++ b/lib/debug-artifacts.test.js
@ -38,7 +38,9 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const ava_1 = __importDefault(require("ava"));
 const debugArtifacts = __importStar(require("./debug-artifacts"));
+const feature_flags_1 = require("./feature-flags");
 const logging_1 = require("./logging");
+const testing_utils_1 = require("./testing-utils");
 const util_1 = require("./util");
 (0, ava_1.default)("sanitizeArtifactName", (t) => {
    t.deepEqual(debugArtifacts.sanitizeArtifactName("hello-world_"), "hello-world_");
@ -46,9 +48,44 @@ const util_1 = require("./util");
    t.deepEqual(debugArtifacts.sanitizeArtifactName("hello===123"), "hello123");
    t.deepEqual(debugArtifacts.sanitizeArtifactName("*m)a&n^y%i££n+v!a:l[i]d"), "manyinvalid");
 });
-(0, ava_1.default)("uploadDebugArtifacts", async (t) => {
+(0, ava_1.default)("uploadDebugArtifacts when artifacts empty", async (t) => {
    // Test that no error is thrown if artifacts list is empty.
    const logger = (0, logging_1.getActionsLogger)();
-    await t.notThrowsAsync(debugArtifacts.uploadDebugArtifacts(logger, [], "rootDir", "artifactName", util_1.GitHubVariant.DOTCOM));
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, [], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, true);
+        t.is(uploaded, "no-artifacts-to-upload", "Should not have uploaded any artifacts");
+    });
+});
+(0, ava_1.default)("uploadDebugArtifacts when true", async (t) => {
+    // Test that the artifact is uploaded.
+    const logger = (0, logging_1.getActionsLogger)();
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, true);
+        t.is(uploaded, "upload-failed", "Expect failure to upload artifacts since root dir does not exist");
+    });
+});
+(0, ava_1.default)("uploadDebugArtifacts when false", async (t) => {
+    // Test that the artifact is not uploaded.
+    const logger = (0, logging_1.getActionsLogger)();
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, false);
+        t.is(uploaded, "upload-not-supported", "Should not have uploaded any artifacts");
+    });
+});
+(0, ava_1.default)("uploadDebugArtifacts when feature enabled", async (t) => {
+    // Test that the artifact is uploaded.
+    const logger = (0, logging_1.getActionsLogger)();
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.SafeArtifactUpload]));
+        t.is(uploaded, "upload-failed", "Expect failure to upload artifacts since root dir does not exist");
+    });
+});
+(0, ava_1.default)("uploadDebugArtifacts when feature disabled", async (t) => {
+    // Test that the artifact is not uploaded.
+    const logger = (0, logging_1.getActionsLogger)();
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, (0, testing_utils_1.createFeatures)([]));
+        t.is(uploaded, "upload-not-supported", "Expect failure to upload artifacts since root dir does not exist");
+    });
 });
 //# sourceMappingURL=debug-artifacts.test.js.map
--- a/lib/debug-artifacts.test.js.map
+++ b/lib/debug-artifacts.test.js.map
@ -1 +1 @@
-{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AACpD,uCAA6C;AAC7C,iCAAuC;AAEvC,IAAA,aAAI,EAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;IACjC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,YAAY,CACb,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,EAC9D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,2DAA2D;IAC3D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CACpB,cAAc,CAAC,oBAAoB,CACjC,MAAM,EACN,EAAE,EACF,SAAS,EACT,cAAc,EACd,oBAAa,CAAC,MAAM,CACrB,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}
+{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AACpD,mDAA0C;AAC1C,uCAA6C;AAC7C,mDAAiD;AACjD,iCAAuC;AAEvC,IAAA,aAAI,EAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;IACjC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,YAAY,CACb,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,EAC9D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,2CAA2C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC5D,2DAA2D;IAC3D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,EAAE,EACF,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,IAAI,CACL,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,wBAAwB,EACxB,wCAAwC,CACzC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,gCAAgC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACjD,sCAAsC;IACtC,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,IAAI,CACL,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,eAAe,EACf,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iCAAiC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClD,0CAA0C;IAC1C,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,KAAK,CACN,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,sBAAsB,EACtB,wCAAwC,CACzC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,2CAA2C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC5D,sCAAsC;IACtC,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,IAAA,8BAAc,EAAC,CAAC,uBAAO,CAAC,kBAAkB,CAAC,CAAC,CAC7C,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,eAAe,EACf,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,4CAA4C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC7D,0CAA0C;IAC1C,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,IAAA,8BAAc,EAAC,EAAE,CAAC,CACnB,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,sBAAsB,EACtB,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
--- a/lib/feature-flags.js
+++ b/lib/feature-flags.js
@ -69,6 +69,7 @@ var Feature;
    Feature["PythonDefaultIsToNotExtractStdlib"] = "python_default_is_to_not_extract_stdlib";
    Feature["QaTelemetryEnabled"] = "qa_telemetry_enabled";
    Feature["ZstdBundleStreamingExtraction"] = "zstd_bundle_streaming_extraction";
+    Feature["SafeArtifactUpload"] = "safe_artifact_upload";
 })(Feature || (exports.Feature = Feature = {}));
 exports.featureConfig = {
    [Feature.CleanupTrapCaches]: {
@ -138,6 +139,17 @@ exports.featureConfig = {
        legacyApi: true,
        minimumVersion: undefined,
    },
+    /**
+     * The first version of the CodeQL CLI where artifact upload is safe to use
+     * for failed runs. This is not really a feature flag, but it is easiest to
+     * model the behavior as a feature flag.
+     */
+    [Feature.SafeArtifactUpload]: {
+        defaultValue: true,
+        envVar: "CODEQL_ACTION_SAFE_ARTIFACT_UPLOAD",
+        legacyApi: true,
+        minimumVersion: "2.20.3",
+    },
 };
 exports.FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 /**
--- a/lib/feature-flags.js.map
+++ b/lib/feature-flags.js.map
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@ -59,7 +59,7 @@ async function runWrapper() {
                core.warning(`Did not upload debug artifacts because cannot determine the GitHub variant running.`);
                return;
            }
-            await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, gitHubVersion.type));
+            await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, gitHubVersion.type, true));
        }
    }
    catch (error) {
--- a/lib/upload-sarif-action-post.js.map
+++ b/lib/upload-sarif-action-post.js.map
@ -1 +1 @@
-{"version":3,"file":"upload-sarif-action-post.js","sourceRoot":"","sources":["../src/upload-sarif-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,6CAA6C;QAC7C,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,mFAAmF;QACnF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,IAAI,aAAa,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACrC,IAAI,CAAC,OAAO,CACV,qFAAqF,CACtF,CAAC;gBACF,OAAO;YACT,CAAC;YACD,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,yCAAyC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAClE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"upload-sarif-action-post.js","sourceRoot":"","sources":["../src/upload-sarif-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,6CAA6C;QAC7C,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,mFAAmF;QACnF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,IAAI,aAAa,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACrC,IAAI,CAAC,OAAO,CACV,qFAAqF,CACtF,CAAC;gBACF,OAAO;YACT,CAAC;YACD,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,aAAa,CAAC,IAAI,EAClB,IAAI,CACL,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,yCAAyC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAClE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
--- a/src/analyze-action-post.ts
+++ b/src/analyze-action-post.ts
@ -10,8 +10,15 @@ import { getGitHubVersion } from "./api-client";
 import { getConfig } from "./config-utils";
 import * as debugArtifacts from "./debug-artifacts";
 import { EnvVar } from "./environment";
-import { getActionsLogger, withGroup } from "./logging";
-import { checkGitHubVersionInRange, getErrorMessage } from "./util";
+import { Features } from "./feature-flags";
+import { getActionsLogger, Logger, withGroup } from "./logging";
+import { parseRepositoryNwo } from "./repository";
+import {
+  checkGitHubVersionInRange,
+  getErrorMessage,
+  getRequiredEnvParam,
+  GitHubVersion,
+} from "./util";

 async function runWrapper() {
  try {
@ -20,6 +27,8 @@ async function runWrapper() {
    const gitHubVersion = await getGitHubVersion();
    checkGitHubVersionInRange(gitHubVersion, logger);

+    const features = createFeatures(gitHubVersion, logger);
+
    // Upload SARIF artifacts if we determine that this is a first-party analysis run.
    // For third-party runs, this artifact will be uploaded in the `upload-sarif-post` step.
    if (process.env[EnvVar.INIT_ACTION_HAS_RUN] === "true") {
@ -32,6 +41,7 @@ async function runWrapper() {
          debugArtifacts.uploadCombinedSarifArtifacts(
            logger,
            config.gitHubVersion.type,
+            features,
          ),
        );
      }
@ -43,4 +53,18 @@ async function runWrapper() {
  }
 }

+function createFeatures(gitHubVersion: GitHubVersion, logger: Logger) {
+  const repositoryNwo = parseRepositoryNwo(
+    getRequiredEnvParam("GITHUB_REPOSITORY"),
+  );
+
+  const features = new Features(
+    gitHubVersion,
+    repositoryNwo,
+    actionsUtil.getTemporaryDirectory(),
+    logger,
+  );
+  return features;
+}
+
 void runWrapper();
--- a/src/debug-artifacts.test.ts
+++ b/src/debug-artifacts.test.ts
@ -1,7 +1,9 @@
 import test from "ava";

 import * as debugArtifacts from "./debug-artifacts";
+import { Feature } from "./feature-flags";
 import { getActionsLogger } from "./logging";
+import { createFeatures } from "./testing-utils";
 import { GitHubVariant } from "./util";

 test("sanitizeArtifactName", (t) => {
@ -20,16 +22,102 @@ test("sanitizeArtifactName", (t) => {
  );
 });

-test("uploadDebugArtifacts", async (t) => {
+test("uploadDebugArtifacts when artifacts empty", async (t) => {
  // Test that no error is thrown if artifacts list is empty.
  const logger = getActionsLogger();
-  await t.notThrowsAsync(
-    debugArtifacts.uploadDebugArtifacts(
+  await t.notThrowsAsync(async () => {
+    const uploaded = await debugArtifacts.uploadDebugArtifacts(
      logger,
      [],
-      "rootDir",
+      "i-dont-exist",
      "artifactName",
      GitHubVariant.DOTCOM,
-    ),
-  );
+      true,
+    );
+    t.is(
+      uploaded,
+      "no-artifacts-to-upload",
+      "Should not have uploaded any artifacts",
+    );
+  });
+});
+
+test("uploadDebugArtifacts when true", async (t) => {
+  // Test that the artifact is uploaded.
+  const logger = getActionsLogger();
+  await t.notThrowsAsync(async () => {
+    const uploaded = await debugArtifacts.uploadDebugArtifacts(
+      logger,
+      ["hucairz"],
+      "i-dont-exist",
+      "artifactName",
+      GitHubVariant.DOTCOM,
+      true,
+    );
+    t.is(
+      uploaded,
+      "upload-failed",
+      "Expect failure to upload artifacts since root dir does not exist",
+    );
+  });
+});
+
+test("uploadDebugArtifacts when false", async (t) => {
+  // Test that the artifact is not uploaded.
+  const logger = getActionsLogger();
+  await t.notThrowsAsync(async () => {
+    const uploaded = await debugArtifacts.uploadDebugArtifacts(
+      logger,
+      ["hucairz"],
+      "i-dont-exist",
+      "artifactName",
+      GitHubVariant.DOTCOM,
+      false,
+    );
+    t.is(
+      uploaded,
+      "upload-not-supported",
+      "Should not have uploaded any artifacts",
+    );
+  });
+});
+
+test("uploadDebugArtifacts when feature enabled", async (t) => {
+  // Test that the artifact is uploaded.
+  const logger = getActionsLogger();
+  await t.notThrowsAsync(async () => {
+    const uploaded = await debugArtifacts.uploadDebugArtifacts(
+      logger,
+      ["hucairz"],
+      "i-dont-exist",
+      "artifactName",
+      GitHubVariant.DOTCOM,
+      createFeatures([Feature.SafeArtifactUpload]),
+    );
+    t.is(
+      uploaded,
+      "upload-failed",
+      "Expect failure to upload artifacts since root dir does not exist",
+    );
+  });
+});
+
+test("uploadDebugArtifacts when feature disabled", async (t) => {
+  // Test that the artifact is not uploaded.
+  const logger = getActionsLogger();
+  await t.notThrowsAsync(async () => {
+    const uploaded = await debugArtifacts.uploadDebugArtifacts(
+      logger,
+      ["hucairz"],
+      "i-dont-exist",
+      "artifactName",
+      GitHubVariant.DOTCOM,
+      createFeatures([]),
+    );
+    t.is(
+      uploaded,
+      "upload-not-supported",
+      "Expect failure to upload artifacts since root dir does not exist",
+    );
+  });
 });
--- a/src/debug-artifacts.ts
+++ b/src/debug-artifacts.ts
@ -7,11 +7,17 @@ import * as core from "@actions/core";
 import AdmZip from "adm-zip";
 import del from "del";

-import { getRequiredInput, getTemporaryDirectory } from "./actions-util";
+import { getOptionalInput, getTemporaryDirectory } from "./actions-util";
 import { dbIsFinalized } from "./analyze";
 import { getCodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
+import {
+  Feature,
+  featureConfig,
+  FeatureEnablement,
+  Features,
+} from "./feature-flags";
 import { Language } from "./languages";
 import { Logger, withGroup } from "./logging";
 import {
@ -34,6 +40,7 @@ export function sanitizeArtifactName(name: string): string {
 export async function uploadCombinedSarifArtifacts(
  logger: Logger,
  gitHubVariant: GitHubVariant,
+  features: Features | boolean,
 ) {
  const tempDir = getTemporaryDirectory();

@ -68,6 +75,7 @@ export async function uploadCombinedSarifArtifacts(
        baseTempDir,
        "combined-sarif-artifacts",
        gitHubVariant,
+        features,
      );
    } catch (e) {
      logger.warning(
@ -160,6 +168,7 @@ async function tryBundleDatabase(
 export async function tryUploadAllAvailableDebugArtifacts(
  config: Config,
  logger: Logger,
+  features: FeatureEnablement,
 ) {
  const filesToUpload: string[] = [];
  try {
@ -223,6 +232,7 @@ export async function tryUploadAllAvailableDebugArtifacts(
        config.dbLocation,
        config.debugArtifactName,
        config.gitHubVersion.type,
+        features,
      ),
    );
  } catch (e) {
@ -238,15 +248,30 @@ export async function uploadDebugArtifacts(
  rootDir: string,
  artifactName: string,
  ghVariant: GitHubVariant,
-) {
+  features: FeatureEnablement | boolean,
+): Promise<
+  | "no-artifacts-to-upload"
+  | "upload-successful"
+  | "upload-failed"
+  | "upload-not-supported"
+> {
  if (toUpload.length === 0) {
-    return;
+    return "no-artifacts-to-upload";
+  }
+  const uploadSupported =
+    typeof features === "boolean"
+      ? features
+      : await features.getValue(Feature.SafeArtifactUpload);
+
+  if (!uploadSupported) {
+    core.info(
+      `Skipping debug artifact upload because the current CLI does not support safe upload. Please upgrade to CLI v${featureConfig.safe_artifact_upload.minimumVersion} or later.`,
+    );
+    return "upload-not-supported";
  }
-  logger.info("Uploading debug artifacts is temporarily disabled");
-  return;

  let suffix = "";
-  const matrix = getRequiredInput("matrix");
+  const matrix = getOptionalInput("matrix");
  if (matrix) {
    try {
      for (const [, matrixVal] of Object.entries(
@ -272,9 +297,11 @@ export async function uploadDebugArtifacts(
        retentionDays: 7,
      },
    );
+    return "upload-successful";
  } catch (e) {
    // A failure to upload debug artifacts should not fail the entire action.
    core.warning(`Failed to upload debug artifacts: ${e}`);
+    return "upload-failed";
  }
 }

--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@ -54,6 +54,7 @@ export enum Feature {
  PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
  QaTelemetryEnabled = "qa_telemetry_enabled",
  ZstdBundleStreamingExtraction = "zstd_bundle_streaming_extraction",
+  SafeArtifactUpload = "safe_artifact_upload",
 }

 export const featureConfig: Record<
@ -154,6 +155,18 @@ export const featureConfig: Record<
    legacyApi: true,
    minimumVersion: undefined,
  },
+
+  /**
+   * The first version of the CodeQL CLI where artifact upload is safe to use
+   * for failed runs. This is not really a feature flag, but it is easiest to
+   * model the behavior as a feature flag.
+   */
+  [Feature.SafeArtifactUpload]: {
+    defaultValue: true,
+    envVar: "CODEQL_ACTION_SAFE_ARTIFACT_UPLOAD",
+    legacyApi: true,
+    minimumVersion: "2.20.3",
+  },
 };

 /**
--- a/src/upload-sarif-action-post.ts
+++ b/src/upload-sarif-action-post.ts
@ -30,7 +30,11 @@ async function runWrapper() {
        return;
      }
      await withGroup("Uploading combined SARIF debug artifact", () =>
-        debugArtifacts.uploadCombinedSarifArtifacts(logger, gitHubVersion.type),
+        debugArtifacts.uploadCombinedSarifArtifacts(
+          logger,
+          gitHubVersion.type,
+          true,
+        ),
      );
    }
  } catch (error) {