Merge pull request #48 from github/allow_pull_requests

Allow pull requests, and report correct commit oid and ref

.github/workflows/codeql.yml

@@ -1,6 +1,6 @@
 name: "CodeQL action"
 
-on: [push]
+on: [push, pull_request]
 
 jobs:
   build:
@@ -11,6 +11,16 @@ jobs:
 
     steps:
     - uses: actions/checkout@v1
+       with:
+         # Must fetch at least the immediate parents so that if this is
+         # a pull request then we can checkout the head of the pull request.
+         fetch-depth: 2
+
+    # If this run was triggered by a pull request event then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
     - uses: ./init
       with:
         languages: javascript

.github/workflows/integration-testing.yml

@@ -1,6 +1,6 @@
 name: "Integration Testing"
 
-on: [push]
+on: [push, pull_request]
 
 jobs:
   multi-language-repo_test-autodetect-languages:
@@ -16,9 +16,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
+        mv * .github ../action/
-        mv * ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
-        mv ../action/tests/multi-language-repo/* .
     - uses: ./../action/init
     - name: Build code
       shell: bash
@@ -40,9 +39,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
+        mv * .github ../action/
-        mv * ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
-        mv ../action/tests/multi-language-repo/* .
     - uses: ./../action/init
       with:
         languages: cpp,csharp,java,javascript,python
@@ -72,9 +70,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
+        mv * .github ../action/
-        mv * ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
-        mv ../action/tests/multi-language-repo/* .
     - uses: ./../action/init
       with:
         languages: go
@@ -96,9 +93,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
+        mv * .github ../action/
-        mv * ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
-        mv ../action/tests/multi-language-repo/* .
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
@@ -117,4 +113,4 @@ jobs:
       with:
         sarif_file: rubocop.sarif
       env:
-        TEST_MODE: true
+        TEST_MODE: true

README.md

@@ -18,6 +18,7 @@ name: "Code Scanning - Action"
 
 on:
   push:
+  pull_request:
   schedule:
     - cron: '0 0 * * 0'
 
@@ -33,6 +34,17 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+        with:
+          # Must fetch at least the immediate parents so that if this is
+          # a pull request then we can checkout the head of the pull request.
+          # Only include this option if you are running this workflow on pull requests.
+          fetch-depth: 2
+
+      # If this run was triggered by a pull request event then checkout
+      # the head of the pull request instead of the merge commit.
+      # Only include this step if you are running this workflow on pull requests.
+      - run: git checkout HEAD^2
+        if: ${{ github.event_name == 'pull_request' }}
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

lib/upload-lib.js

@@ -133,7 +133,7 @@ async function uploadFiles(sarifFiles) {
             return false;
         }
         core.exportVariable(sentinelEnvVar, sentinelEnvVar);
-        const commitOid = util.getRequiredEnvParam('GITHUB_SHA');
+        const commitOid = await util.getCommitOid();
         const workflowRunIDStr = util.getRequiredEnvParam('GITHUB_RUN_ID');
         const ref = util.getRef();
         const analysisKey = await util.getAnalysisKey();

lib/util.js

@@ -11,6 +11,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
+const exec = __importStar(require("@actions/exec"));
 const http = __importStar(require("@actions/http-client"));
 const auth = __importStar(require("@actions/http-client/auth"));
 const octokit = __importStar(require("@octokit/rest"));
@@ -33,12 +34,6 @@ function should_abort(actionName, requireInitActionHasRun) {
         core.setFailed('GITHUB_REF must be set.');
         return true;
     }
-    // Should abort if called on a merge commit for a pull request.
-    if (ref.startsWith('refs/pull/')) {
-        core.warning('The CodeQL ' + actionName + ' action is intended for workflows triggered on `push` events, '
-            + 'but the current workflow is running on a pull request. Aborting.');
-        return true;
-    }
     // If the init action is required, then check the it completed successfully.
     if (requireInitActionHasRun && process.env[sharedEnv.CODEQL_ACTION_INIT_COMPLETED] === undefined) {
         core.setFailed('The CodeQL ' + actionName + ' action cannot be used unless the CodeQL init action is run first. Aborting.');
@@ -151,6 +146,21 @@ async function getLanguages() {
     return languages;
 }
 exports.getLanguages = getLanguages;
+/**
+ * Gets the SHA of the commit that is currently checked out.
+ */
+async function getCommitOid() {
+    let commitOid = '';
+    await exec.exec('git', ['rev-parse', 'HEAD'], {
+        silent: true,
+        listeners: {
+            stdout: (data) => { commitOid += data.toString(); },
+            stderr: (data) => { process.stderr.write(data); }
+        }
+    });
+    return commitOid.trim();
+}
+exports.getCommitOid = getCommitOid;
 /**
  * Get the path of the currently executing workflow.
  */
@@ -196,8 +206,20 @@ exports.getAnalysisKey = getAnalysisKey;
  * Get the ref currently being analyzed.
  */
 function getRef() {
-    // it's in the form "refs/heads/master"
+    // Will be in the form "refs/heads/master" on a push event
-    return getRequiredEnvParam('GITHUB_REF');
+    // or in the form "refs/pull/N/merge" on a pull_request event
+    const ref = getRequiredEnvParam('GITHUB_REF');
+    // For pull request refs we want to convert from the 'merge' ref
+    // to the 'head' ref, as that is what we want to analyse.
+    // There should have been some code earlier in the workflow to do
+    // the checkout, but we have no way of verifying that here.
+    const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
+    if (pull_ref_regex.test(ref)) {
+        return ref.replace(pull_ref_regex, 'refs/pull/$1/head');
+    }
+    else {
+        return ref;
+    }
 }
 exports.getRef = getRef;
 /**

src/upload-lib.ts

@@ -136,7 +136,7 @@ async function uploadFiles(sarifFiles: string[]): Promise<boolean> {
         }
         core.exportVariable(sentinelEnvVar, sentinelEnvVar);
 
-        const commitOid = util.getRequiredEnvParam('GITHUB_SHA');
+        const commitOid = await util.getCommitOid();
         const workflowRunIDStr = util.getRequiredEnvParam('GITHUB_RUN_ID');
         const ref = util.getRef();
         const analysisKey = await util.getAnalysisKey();

src/util.ts

@@ -1,4 +1,5 @@
 import * as core from '@actions/core';
+import * as exec from '@actions/exec';
 import * as http from '@actions/http-client';
 import * as auth from '@actions/http-client/auth';
 import * as octokit from '@octokit/rest';
@@ -25,13 +26,6 @@ export function should_abort(actionName: string, requireInitActionHasRun: boolea
         return true;
     }
 
-    // Should abort if called on a merge commit for a pull request.
-    if (ref.startsWith('refs/pull/')) {
-        core.warning('The CodeQL ' + actionName + ' action is intended for workflows triggered on `push` events, '
-            + 'but the current workflow is running on a pull request. Aborting.');
-        return true;
-    }
-
     // If the init action is required, then check the it completed successfully.
     if (requireInitActionHasRun && process.env[sharedEnv.CODEQL_ACTION_INIT_COMPLETED] === undefined) {
         core.setFailed('The CodeQL ' + actionName + ' action cannot be used unless the CodeQL init action is run first. Aborting.');
@@ -152,6 +146,21 @@ export async function getLanguages(): Promise<string[]> {
     return languages;
 }
 
+/**
+ * Gets the SHA of the commit that is currently checked out.
+ */
+export async function getCommitOid(): Promise<string> {
+    let commitOid = '';
+    await exec.exec('git', ['rev-parse', 'HEAD'], {
+        silent: true,
+        listeners: {
+            stdout: (data) => { commitOid += data.toString(); },
+            stderr: (data) => { process.stderr.write(data); }
+        }
+    });
+    return commitOid.trim();
+}
+
 /**
  * Get the path of the currently executing workflow.
  */
@@ -204,8 +213,20 @@ export async function getAnalysisKey(): Promise<string> {
  * Get the ref currently being analyzed.
  */
 export function getRef(): string {
-    // it's in the form "refs/heads/master"
+    // Will be in the form "refs/heads/master" on a push event
-    return getRequiredEnvParam('GITHUB_REF');
+    // or in the form "refs/pull/N/merge" on a pull_request event
+    const ref = getRequiredEnvParam('GITHUB_REF');
+
+    // For pull request refs we want to convert from the 'merge' ref
+    // to the 'head' ref, as that is what we want to analyse.
+    // There should have been some code earlier in the workflow to do
+    // the checkout, but we have no way of verifying that here.
+    const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
+    if (pull_ref_regex.test(ref)) {
+        return ref.replace(pull_ref_regex, 'refs/pull/$1/head');
+    } else {
+        return ref;
+    }
 }
 
 interface StatusReport {