robojerk/codeql-action

Ensure artifacts are only uploaded in safe situations

Browse source 
This commit:

Turns on uploading of artifacts again but only if CLI version is
>= 2.20.3. I implemented the check using our feature flag functionality.
I was on the fence about this since it makes the PR more complex.
However, it does give us more flexibility when controlling artifact
uploads.

Also, I renamed the two workflows that were previously disabled. This
way we will not accidentally enable the old workflows for previous
versions of the action.
This commit is contained in:
Andrew Eisenberg 2025-01-25 15:31:35 -08:00
parent e7c0c9d71b
commit 2bab9f7984
17 changed files with 264 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

41
lib/debug-artifacts.test.js generated
View file

@ -38,7 +38,9 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
Object.defineProperty(exports, "__esModule", { value: true });
const ava_1 = __importDefault(require("ava"));
const debugArtifacts = __importStar(require("./debug-artifacts"));
const feature_flags_1 = require("./feature-flags");
const logging_1 = require("./logging");
const testing_utils_1 = require("./testing-utils");
const util_1 = require("./util");
(0, ava_1.default)("sanitizeArtifactName", (t) => {
t.deepEqual(debugArtifacts.sanitizeArtifactName("hello-world_"), "hello-world_");
@ -46,9 +48,44 @@ const util_1 = require("./util");
t.deepEqual(debugArtifacts.sanitizeArtifactName("hello===123"), "hello123");
t.deepEqual(debugArtifacts.sanitizeArtifactName("*m)a&n^y%i££n+v!a:l[i]d"), "manyinvalid");
});
(0, ava_1.default)("uploadDebugArtifacts", async (t) => {
(0, ava_1.default)("uploadDebugArtifacts when artifacts empty", async (t) => {
// Test that no error is thrown if artifacts list is empty.
const logger = (0, logging_1.getActionsLogger)();
await t.notThrowsAsync(debugArtifacts.uploadDebugArtifacts(logger, [], "rootDir", "artifactName", util_1.GitHubVariant.DOTCOM));
await t.notThrowsAsync(async () => {
const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, [], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, true);
t.is(uploaded, "no-artifacts-to-upload", "Should not have uploaded any artifacts");
});
});
(0, ava_1.default)("uploadDebugArtifacts when true", async (t) => {
// Test that the artifact is uploaded.
const logger = (0, logging_1.getActionsLogger)();
await t.notThrowsAsync(async () => {
const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, true);
t.is(uploaded, "upload-failed", "Expect failure to upload artifacts since root dir does not exist");
});
});
(0, ava_1.default)("uploadDebugArtifacts when false", async (t) => {
// Test that the artifact is not uploaded.
const logger = (0, logging_1.getActionsLogger)();
await t.notThrowsAsync(async () => {
const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, false);
t.is(uploaded, "upload-not-supported", "Should not have uploaded any artifacts");
});
});
(0, ava_1.default)("uploadDebugArtifacts when feature enabled", async (t) => {
// Test that the artifact is uploaded.
const logger = (0, logging_1.getActionsLogger)();
await t.notThrowsAsync(async () => {
const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.SafeArtifactUpload]));
t.is(uploaded, "upload-failed", "Expect failure to upload artifacts since root dir does not exist");
});
});
(0, ava_1.default)("uploadDebugArtifacts when feature disabled", async (t) => {
// Test that the artifact is not uploaded.
const logger = (0, logging_1.getActionsLogger)();
await t.notThrowsAsync(async () => {
const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, (0, testing_utils_1.createFeatures)([]));
t.is(uploaded, "upload-not-supported", "Expect failure to upload artifacts since root dir does not exist");
});
});
//# sourceMappingURL=debug-artifacts.test.js.map