Ensure artifacts are only uploaded in safe situations

This commit: Turns on uploading of artifacts again but only if CLI version is >= 2.20.3. I implemented the check using our feature flag functionality. I was on the fence about this since it makes the PR more complex. However, it does give us more flexibility when controlling artifact uploads. Also, I renamed the two workflows that were previously disabled. This way we will not accidentally enable the old workflows for previous versions of the action.
2025-01-25 15:31:35 -08:00 · 2025-01-25 15:31:35 -08:00 · 2bab9f7984
commit 2bab9f7984
parent e7c0c9d71b
17 changed files with 264 additions and 39 deletions
--- a/src/debug-artifacts.ts
+++ b/src/debug-artifacts.ts
@ -7,11 +7,17 @@ import * as core from "@actions/core";
 import AdmZip from "adm-zip";
 import del from "del";

-import { getRequiredInput, getTemporaryDirectory } from "./actions-util";
+import { getOptionalInput, getTemporaryDirectory } from "./actions-util";
 import { dbIsFinalized } from "./analyze";
 import { getCodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
+import {
+  Feature,
+  featureConfig,
+  FeatureEnablement,
+  Features,
+} from "./feature-flags";
 import { Language } from "./languages";
 import { Logger, withGroup } from "./logging";
 import {
@ -34,6 +40,7 @@ export function sanitizeArtifactName(name: string): string {
 export async function uploadCombinedSarifArtifacts(
  logger: Logger,
  gitHubVariant: GitHubVariant,
+  features: Features | boolean,
 ) {
  const tempDir = getTemporaryDirectory();

@ -68,6 +75,7 @@ export async function uploadCombinedSarifArtifacts(
        baseTempDir,
        "combined-sarif-artifacts",
        gitHubVariant,
+        features,
      );
    } catch (e) {
      logger.warning(
@ -160,6 +168,7 @@ async function tryBundleDatabase(
 export async function tryUploadAllAvailableDebugArtifacts(
  config: Config,
  logger: Logger,
+  features: FeatureEnablement,
 ) {
  const filesToUpload: string[] = [];
  try {
@ -223,6 +232,7 @@ export async function tryUploadAllAvailableDebugArtifacts(
        config.dbLocation,
        config.debugArtifactName,
        config.gitHubVersion.type,
+        features,
      ),
    );
  } catch (e) {
@ -238,15 +248,30 @@ export async function uploadDebugArtifacts(
  rootDir: string,
  artifactName: string,
  ghVariant: GitHubVariant,
-) {
+  features: FeatureEnablement | boolean,
+): Promise<
+  | "no-artifacts-to-upload"
+  | "upload-successful"
+  | "upload-failed"
+  | "upload-not-supported"
+> {
  if (toUpload.length === 0) {
-    return;
+    return "no-artifacts-to-upload";
+  }
+  const uploadSupported =
+    typeof features === "boolean"
+      ? features
+      : await features.getValue(Feature.SafeArtifactUpload);
+
+  if (!uploadSupported) {
+    core.info(
+      `Skipping debug artifact upload because the current CLI does not support safe upload. Please upgrade to CLI v${featureConfig.safe_artifact_upload.minimumVersion} or later.`,
+    );
+    return "upload-not-supported";
  }
-  logger.info("Uploading debug artifacts is temporarily disabled");
-  return;

  let suffix = "";
-  const matrix = getRequiredInput("matrix");
+  const matrix = getOptionalInput("matrix");
  if (matrix) {
    try {
      for (const [, matrixVal] of Object.entries(
@ -272,9 +297,11 @@ export async function uploadDebugArtifacts(
        retentionDays: 7,
      },
    );
+    return "upload-successful";
  } catch (e) {
    // A failure to upload debug artifacts should not fail the entire action.
    core.warning(`Failed to upload debug artifacts: ${e}`);
+    return "upload-failed";
  }
 }