Merge branch 'main' into dependabot/npm_and_yarn/ava/typescript-3.0.1

src/actions-util.test.ts

@@ -65,6 +65,57 @@ test("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (
   callback.restore();
 });
 
+test("getRef() returns ref provided as an input and ignores current HEAD", async (t) => {
+  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+  getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
+  getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
+
+  // These values are be ignored
+  process.env["GITHUB_REF"] = "refs/pull/1/merge";
+  process.env["GITHUB_SHA"] = "a".repeat(40);
+
+  const callback = sinon.stub(actionsutil, "getCommitOid");
+  callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
+  callback.withArgs("HEAD").resolves("b".repeat(40));
+
+  const actualRef = await actionsutil.getRef();
+  t.deepEqual(actualRef, "refs/pull/2/merge");
+  callback.restore();
+  getAdditionalInputStub.restore();
+});
+
+test("getRef() throws an error if only `ref` is provided as an input", async (t) => {
+  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+  getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
+
+  await t.throwsAsync(
+    async () => {
+      await actionsutil.getRef();
+    },
+    {
+      instanceOf: Error,
+      message: "Both 'ref' and 'sha' are required if one of them is provided.",
+    }
+  );
+  getAdditionalInputStub.restore();
+});
+
+test("getRef() throws an error if only `sha` is provided as an input", async (t) => {
+  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+  getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
+
+  await t.throwsAsync(
+    async () => {
+      await actionsutil.getRef();
+    },
+    {
+      instanceOf: Error,
+      message: "Both 'ref' and 'sha' are required if one of them is provided.",
+    }
+  );
+  getAdditionalInputStub.restore();
+});
+
 test("computeAutomationID()", async (t) => {
   let actualAutomationID = actionsutil.computeAutomationID(
     ".github/workflows/codeql-analysis.yml:analyze",

src/actions-util.ts

@@ -33,10 +33,10 @@ export function getRequiredInput(name: string): string {
  * This allows us to get stronger type checking of required/optional inputs
  * and make behaviour more consistent between actions and the runner.
  */
-export function getOptionalInput(name: string): string | undefined {
+export const getOptionalInput = function (name: string): string | undefined {
   const value = core.getInput(name);
   return value.length > 0 ? value : undefined;
-}
+};
 
 export function getTemporaryDirectory(): string {
   const value = process.env["CODEQL_ACTION_TEMP"];
@@ -83,10 +83,10 @@ export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
     return commitOid.trim();
   } catch (e) {
     core.info(
-      `Failed to call git to get current commit. Continuing with data from environment: ${e}`
+      `Failed to call git to get current commit. Continuing with data from environment or input: ${e}`
     );
     core.info((e as Error).stack || "NO STACK");
-    return getRequiredEnvParam("GITHUB_SHA");
+    return getOptionalInput("sha") || getRequiredEnvParam("GITHUB_SHA");
   }
 };
 
@@ -431,8 +431,26 @@ export function computeAutomationID(
 export async function getRef(): Promise<string> {
   // Will be in the form "refs/heads/master" on a push event
   // or in the form "refs/pull/N/merge" on a pull_request event
-  const ref = getRequiredEnvParam("GITHUB_REF");
-  const sha = getRequiredEnvParam("GITHUB_SHA");
+  const refInput = getOptionalInput("ref");
+  const shaInput = getOptionalInput("sha");
+
+  const hasRefInput = !!refInput;
+  const hasShaInput = !!shaInput;
+  // If one of 'ref' or 'sha' are provided, both are required
+  if ((hasRefInput || hasShaInput) && !(hasRefInput && hasShaInput)) {
+    throw new Error(
+      "Both 'ref' and 'sha' are required if one of them is provided."
+    );
+  }
+
+  const ref = refInput || getRequiredEnvParam("GITHUB_REF");
+  const sha = shaInput || getRequiredEnvParam("GITHUB_SHA");
+
+  // If the ref is a user-provided input, we have to skip logic
+  // and assume that it is really where they want to upload the results.
+  if (refInput) {
+    return refInput;
+  }
 
   // For pull request refs we want to detect whether the workflow
   // has run `git checkout HEAD^2` to analyze the 'head' ref rather
@@ -520,7 +538,7 @@ export async function createStatusReportBase(
   cause?: string,
   exception?: string
 ): Promise<StatusReportBase> {
-  const commitOid = process.env["GITHUB_SHA"] || "";
+  const commitOid = getOptionalInput("sha") || process.env["GITHUB_SHA"] || "";
   const ref = await getRef();
   const workflowRunIDStr = process.env["GITHUB_RUN_ID"];
   let workflowRunID = -1;
@@ -580,7 +598,7 @@ export async function createStatusReportBase(
 const GENERIC_403_MSG =
   "The repo on which this action is running is not opted-in to CodeQL code scanning.";
 const GENERIC_404_MSG =
-  "Not authorized to used the CodeQL code scanning feature on this repo.";
+  "Not authorized to use the CodeQL code scanning feature on this repo.";
 const OUT_OF_DATE_MSG =
   "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
 const INCOMPATIBLE_MSG =

src/analyze-action.ts

@@ -187,6 +187,7 @@ async function run() {
         apiDetails,
         logger
       );
+      core.setOutput("sarif-id", uploadResult.sarifID);
     } else {
       logger.info("Not uploading results");
     }

src/upload-sarif-action.ts

@@ -63,6 +63,7 @@ async function run() {
       apiDetails,
       getActionsLogger()
     );
+    core.setOutput("sarif-id", uploadResult.sarifID);
     if (actionsUtil.getRequiredInput("wait-for-processing") === "true") {
       await upload_lib.waitForProcessing(
         parseRepositoryNwo(getRequiredEnvParam("GITHUB_REPOSITORY")),