Send the external repository token to the CLI

This commit does a few related things: 1. Bumps the minimum version for cli config parsing to 2.10.6 2. Ensures that if cli config parsing is enabled, then remove repos are _not_ downloaded by the action. It happens in the CLI. 3. Passes the `--external-repository-token-stdin` option to the CLI and passes the appropriate token via stdin if cli config parsing is enabled.
2023-01-05 17:34:59 -08:00 · 2023-01-05 17:34:59 -08:00 · 4023575d64
commit 4023575d64
parent cf1437a514
14 changed files with 102 additions and 72 deletions
--- a/src/codeql.ts
+++ b/src/codeql.ts
@ -9,7 +9,7 @@ import * as yaml from "js-yaml";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";

-import { isRunningLocalAction } from "./actions-util";
+import { getOptionalInput, isRunningLocalAction } from "./actions-util";
 import * as api from "./api-client";
 import { Config } from "./config-utils";
 import * as defaults from "./defaults.json"; // Referenced from codeql-action-sync-tool!
@ -252,7 +252,6 @@ const CODEQL_MINIMUM_VERSION = "2.6.3";
 */
 const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
 const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
-export const CODEQL_VERSION_CONFIG_FILES = "2.10.1";
 const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
 export const CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
 const CODEQL_VERSION_FILE_BASELINE_INFORMATION = "2.11.3";
@ -885,6 +884,9 @@ async function getCodeQLForCmd(
        }
      }

+      // A config file is only generated if the CliConfigFileEnabled feature flag is enabled.
+      // Only pass external repository token if a config file is
+      let externalRepositoryToken: string | undefined;
      const configLocation = await generateCodeScanningConfig(
        codeql,
        config,
@ -892,17 +894,25 @@ async function getCodeQLForCmd(
      );
      if (configLocation) {
        extraArgs.push(`--codescanning-config=${configLocation}`);
+        externalRepositoryToken = getOptionalInput("external-repository-token");
+        if (externalRepositoryToken) {
+          extraArgs.push("--external-repository-token-stdin");
+        }
      }

-      await runTool(cmd, [
-        "database",
-        "init",
-        "--db-cluster",
-        config.dbLocation,
-        `--source-root=${sourceRoot}`,
-        ...extraArgs,
-        ...getExtraOptionsFromEnv(["database", "init"]),
-      ]);
+      await runTool(
+        cmd,
+        [
+          "database",
+          "init",
+          "--db-cluster",
+          config.dbLocation,
+          `--source-root=${sourceRoot}`,
+          ...extraArgs,
+          ...getExtraOptionsFromEnv(["database", "init"]),
+        ],
+        externalRepositoryToken
+      );
    },
    async runAutobuild(language: Language) {
      const cmdName =
@ -1335,7 +1345,7 @@ export function getExtraOptions(
 */
 const maxErrorSize = 20_000;

-async function runTool(cmd: string, args: string[] = []) {
+async function runTool(cmd: string, args: string[] = [], stdin?: string) {
  let output = "";
  let error = "";
  const exitCode = await new toolrunner.ToolRunner(cmd, args, {
@ -1354,6 +1364,7 @@ async function runTool(cmd: string, args: string[] = []) {
      },
    },
    ignoreReturnCode: true,
+    input: Buffer.from(stdin || ""),
  }).exec();
  if (exitCode !== 0)
    throw new CommandInvocationError(cmd, args, exitCode, error, output);