Merge pull request #904 from cw-acroteau/add-ref-input

Add ref input

.github/workflows/__analyze-ref-input.yml

@@ -0,0 +1,65 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - v1
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  analyze-ref-input:
+    strategy:
+      matrix:
+        version:
+        - stable-20201028
+        - stable-20210319
+        - stable-20210809
+        - cached
+        - latest
+        - nightly-latest
+        os:
+        - ubuntu-latest
+        - macos-latest
+        - windows-latest
+    name: "Analyze: 'ref' and 'sha' from inputs"
+    permissions:
+      security-events: write
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v2
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+      env:
+        TEST_MODE: true
+    env:
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__debug-artifacts.yml

@@ -32,6 +32,8 @@ jobs:
         - nightly-latest
         os: [ubuntu-latest, macos-latest]
     name: Debug artifact upload
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__extractor-ram-threads.yml

@@ -26,6 +26,8 @@ jobs:
         version: [latest]
         os: [ubuntu-latest]
     name: Extractor ram and threads options test
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__go-custom-queries.yml

@@ -35,6 +35,8 @@ jobs:
         - macos-latest
         - windows-latest
     name: 'Go: Custom queries'
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__go-custom-tracing-autobuild.yml

@@ -32,6 +32,8 @@ jobs:
         - nightly-latest
         os: [ubuntu-latest, macos-latest]
     name: 'Go: Autobuild custom tracing'
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__go-custom-tracing.yml

@@ -35,6 +35,8 @@ jobs:
         - macos-latest
         - windows-latest
     name: 'Go: Custom tracing'
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__javascript-source-root.yml

@@ -26,6 +26,8 @@ jobs:
         version: [latest, cached, nightly-latest] # This feature is not compatible with old CLIs
         os: [ubuntu-latest]
     name: Custom source root
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__multi-language-autodetect.yml

@@ -32,6 +32,8 @@ jobs:
         - nightly-latest
         os: [ubuntu-latest, macos-latest]
     name: Multi-language repository
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__packaging-config-inputs-js.yml

@@ -26,6 +26,8 @@ jobs:
         version: [nightly-20210831] # This CLI version is known to work with package used in this test
         os: [ubuntu-latest, macos-latest]
     name: 'Packaging: Config and input'
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__packaging-config-js.yml

@@ -26,6 +26,8 @@ jobs:
         version: [nightly-20210831] # This CLI version is known to work with package used in this test
         os: [ubuntu-latest, macos-latest]
     name: 'Packaging: Config file'
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__packaging-inputs-js.yml

@@ -26,6 +26,8 @@ jobs:
         version: [nightly-20210831] # This CLI version is known to work with package used in this test
         os: [ubuntu-latest, macos-latest]
     name: 'Packaging: Action input'
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__remote-config.yml

@@ -35,6 +35,8 @@ jobs:
         - macos-latest
         - windows-latest
     name: Remote config file
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
@@ -48,7 +50,7 @@ jobs:
       with:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
         languages: cpp,csharp,java,javascript,python
-        config-file: github/codeql-action/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
           github.sha }}
     - name: Build code
       shell: bash

.github/workflows/__rubocop-multi-language.yml

@@ -32,6 +32,8 @@ jobs:
         - nightly-latest
         os: [ubuntu-latest]
     name: RuboCop multi-language
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__split-workflow.yml

@@ -26,6 +26,8 @@ jobs:
         version: [nightly-20210831] # This CLI version is known to work with package used in this test
         os: [ubuntu-latest, macos-latest]
     name: Split workflow
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__test-local-codeql.yml

@@ -26,6 +26,8 @@ jobs:
         version: [nightly-latest]
         os: [ubuntu-latest]
     name: Local CodeQL bundle
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__test-proxy.yml

@@ -26,6 +26,8 @@ jobs:
         version: [latest]
         os: [ubuntu-latest]
     name: Proxy test
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__test-ruby.yml

@@ -26,6 +26,8 @@ jobs:
         version: [latest, cached, nightly-latest]
         os: [ubuntu-latest, macos-latest]
     name: Ruby analysis
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__unset-environment.yml

@@ -32,6 +32,8 @@ jobs:
         - nightly-latest
         os: [ubuntu-latest]
     name: Test unsetting environment variables
+    permissions:
+      security-events: write
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository

.github/workflows/__upload-ref-sha-input.yml

@@ -0,0 +1,72 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - v1
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  upload-ref-sha-input:
+    strategy:
+      matrix:
+        version:
+        - stable-20201028
+        - stable-20210319
+        - stable-20210809
+        - cached
+        - latest
+        - nightly-latest
+        os:
+        - ubuntu-latest
+        - macos-latest
+        - windows-latest
+    name: "Upload-sarif: 'ref' and 'sha' from inputs"
+    permissions:
+      security-events: write
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v2
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        languages: cpp,csharp,java,javascript,python
+        config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
+          github.sha }}
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+        upload: false
+      env:
+        TEST_MODE: true
+    - uses: ./../action/upload-sarif
+      with:
+        ref: refs/heads/main
+        sha: 5e235361806c361d4d3f8859e3c897658025a9a2
+      env:
+        TEST_MODE: true
+    env:
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

CHANGELOG.md

@@ -2,10 +2,13 @@
 
 ## [UNRELEASED]
 
-No user facing changes.
+- Add sarif-id as an output for upload-sarif action and analyze action (if uploading)
+- Accept ref and hash as inputs to override the ones provided by the runner
 
 ## 1.0.31 - 31 Jan 2022
 
+- Add `sarif-id` as an output for the `upload-sarif` and `analyze` actions. [#889](https://github.com/github/codeql-action/pull/889)
+- Add `ref` and `sha` inputs to the `analyze` action, which override the defaults provided by the GitHub Action context. [#889](https://github.com/github/codeql-action/pull/889)
 - Remove `experimental` message when using custom CodeQL packages. [#888](https://github.com/github/codeql-action/pull/888)
 - Add a better warning message stating that experimental features will be disabled if the workflow has been triggered by a pull request from a fork or the `security-events: write` permission is not present. [#882](https://github.com/github/codeql-action/pull/882)
 

analyze/action.yml

@@ -45,6 +45,12 @@ inputs:
     description: "The path at which the analyzed repository was checked out. Used to relativize any absolute paths in the uploaded SARIF file."
     required: false
     default: ${{ github.workspace }}
+  ref:
+    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is not available in pull requests from forks."
+    required: false
+  sha:
+    description: "The sha of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable. If provided, the ref input must be provided as well. This input is not available in pull requests from forks."
+    required: false
   category:
     description: String used by Code Scanning for matching the analyses
     required: false
@@ -63,6 +69,8 @@ inputs:
 outputs:
   db-locations:
     description: A map from language to absolute path for each database created by CodeQL.
+  sarif-id:
+    description: The ID of the uploaded SARIF file.
 runs:
   using: "node12"
   main: "../lib/analyze-action.js"

lib/actions-util.js

@@ -51,10 +51,10 @@ exports.getRequiredInput = getRequiredInput;
  * This allows us to get stronger type checking of required/optional inputs
  * and make behaviour more consistent between actions and the runner.
  */
-function getOptionalInput(name) {
+const getOptionalInput = function (name) {
     const value = core.getInput(name);
     return value.length > 0 ? value : undefined;
-}
+};
 exports.getOptionalInput = getOptionalInput;
 function getTemporaryDirectory() {
     const value = process.env["CODEQL_ACTION_TEMP"];
@@ -97,9 +97,9 @@ const getCommitOid = async function (ref = "HEAD") {
         return commitOid.trim();
     }
     catch (e) {
-        core.info(`Failed to call git to get current commit. Continuing with data from environment: ${e}`);
+        core.info(`Failed to call git to get current commit. Continuing with data from environment or input: ${e}`);
         core.info(e.stack || "NO STACK");
-        return (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
+        return (0, exports.getOptionalInput)("sha") || (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
     }
 };
 exports.getCommitOid = getCommitOid;
@@ -373,8 +373,21 @@ exports.computeAutomationID = computeAutomationID;
 async function getRef() {
     // Will be in the form "refs/heads/master" on a push event
     // or in the form "refs/pull/N/merge" on a pull_request event
-    const ref = (0, util_1.getRequiredEnvParam)("GITHUB_REF");
+    const refInput = (0, exports.getOptionalInput)("ref");
-    const sha = (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
+    const shaInput = (0, exports.getOptionalInput)("sha");
+    const hasRefInput = !!refInput;
+    const hasShaInput = !!shaInput;
+    // If one of 'ref' or 'sha' are provided, both are required
+    if ((hasRefInput || hasShaInput) && !(hasRefInput && hasShaInput)) {
+        throw new Error("Both 'ref' and 'sha' are required if one of them is provided.");
+    }
+    const ref = refInput || (0, util_1.getRequiredEnvParam)("GITHUB_REF");
+    const sha = shaInput || (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
+    // If the ref is a user-provided input, we have to skip logic
+    // and assume that it is really where they want to upload the results.
+    if (refInput) {
+        return refInput;
+    }
     // For pull request refs we want to detect whether the workflow
     // has run `git checkout HEAD^2` to analyze the 'head' ref rather
     // than the 'merge' ref. If so, we want to convert the ref that
@@ -412,7 +425,7 @@ exports.getRef = getRef;
  * @param exception Exception (only supply if status is 'failure')
  */
 async function createStatusReportBase(actionName, status, actionStartedAt, cause, exception) {
-    const commitOid = process.env["GITHUB_SHA"] || "";
+    const commitOid = (0, exports.getOptionalInput)("sha") || process.env["GITHUB_SHA"] || "";
     const ref = await getRef();
     const workflowRunIDStr = process.env["GITHUB_RUN_ID"];
     let workflowRunID = -1;

lib/actions-util.test.js

@@ -71,6 +71,43 @@ function errorCodes(actual, expected) {
     t.deepEqual(actualRef, "refs/pull/1/head");
     callback.restore();
 });
+(0, ava_1.default)("getRef() returns ref provided as an input and ignores current HEAD", async (t) => {
+    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
+    getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
+    // These values are be ignored
+    process.env["GITHUB_REF"] = "refs/pull/1/merge";
+    process.env["GITHUB_SHA"] = "a".repeat(40);
+    const callback = sinon.stub(actionsutil, "getCommitOid");
+    callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
+    callback.withArgs("HEAD").resolves("b".repeat(40));
+    const actualRef = await actionsutil.getRef();
+    t.deepEqual(actualRef, "refs/pull/2/merge");
+    callback.restore();
+    getAdditionalInputStub.restore();
+});
+(0, ava_1.default)("getRef() throws an error if only `ref` is provided as an input", async (t) => {
+    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
+    await t.throwsAsync(async () => {
+        await actionsutil.getRef();
+    }, {
+        instanceOf: Error,
+        message: "Both 'ref' and 'sha' are required if one of them is provided.",
+    });
+    getAdditionalInputStub.restore();
+});
+(0, ava_1.default)("getRef() throws an error if only `sha` is provided as an input", async (t) => {
+    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
+    await t.throwsAsync(async () => {
+        await actionsutil.getRef();
+    }, {
+        instanceOf: Error,
+        message: "Both 'ref' and 'sha' are required if one of them is provided.",
+    });
+    getAdditionalInputStub.restore();
+});
 (0, ava_1.default)("computeAutomationID()", async (t) => {
     let actualAutomationID = actionsutil.computeAutomationID(".github/workflows/codeql-analysis.yml:analyze", '{"language": "javascript", "os": "linux"}');
     t.deepEqual(actualAutomationID, ".github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux/");

lib/analyze-action.js

@@ -109,6 +109,7 @@ async function run() {
         core.setOutput("db-locations", dbLocations);
         if (runStats && actionsUtil.getRequiredInput("upload") === "true") {
             uploadResult = await upload_lib.uploadFromActions(outputDir, config.gitHubVersion, apiDetails, logger);
+            core.setOutput("sarif-id", uploadResult.sarifID);
         }
         else {
             logger.info("Not uploading results");

lib/upload-sarif-action.js

@@ -48,6 +48,7 @@ async function run() {
         };
         const gitHubVersion = await (0, util_1.getGitHubVersion)(apiDetails);
         const uploadResult = await upload_lib.uploadFromActions(actionsUtil.getRequiredInput("sarif_file"), gitHubVersion, apiDetails, (0, logging_1.getActionsLogger)());
+        core.setOutput("sarif-id", uploadResult.sarifID);
         if (actionsUtil.getRequiredInput("wait-for-processing") === "true") {
             await upload_lib.waitForProcessing((0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY")), uploadResult.sarifID, apiDetails, (0, logging_1.getActionsLogger)());
         }

lib/upload-sarif-action.js.map

@@ -1 +1 @@
-{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAKgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;SAC9C,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAA,uBAAgB,EAAC,UAAU,CAAC,CAAC;QAEzD,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,aAAa,EACb,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YAClE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,SAAS,EACT,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAKgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;SAC9C,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAA,uBAAgB,EAAC,UAAU,CAAC,CAAC;QAEzD,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,aAAa,EACb,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YAClE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,SAAS,EACT,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

pr-checks/checks/analyze-ref-input.yml

@@ -0,0 +1,17 @@
+name: "Analyze: 'ref' and 'sha' from inputs"
+description: "Checks that specifying 'ref' and 'sha' as inputs works"
+steps:
+  - uses: ./../action/init
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+      languages: cpp,csharp,java,javascript,python
+      config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+  - name: Build code
+    shell: bash
+    run: ./build.sh
+  - uses: ./../action/analyze
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+    env:
+      TEST_MODE: true

pr-checks/checks/remote-config.yml

@@ -5,7 +5,7 @@ steps:
     with:
       tools: ${{ steps.prepare-test.outputs.tools-url }}
       languages: cpp,csharp,java,javascript,python
-      config-file: github/codeql-action/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+      config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
   - name: Build code
     shell: bash
     run: ./build.sh

pr-checks/checks/upload-ref-sha-input.yml

@@ -0,0 +1,24 @@
+name: "Upload-sarif: 'ref' and 'sha' from inputs"
+description: "Checks that specifying 'ref' and 'sha' as inputs works"
+steps:
+  - uses: ./../action/init
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+      languages: cpp,csharp,java,javascript,python
+      config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }}
+  - name: Build code
+    shell: bash
+    run: ./build.sh
+  - uses: ./../action/analyze
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+      upload: false
+    env:
+      TEST_MODE: true
+  - uses: ./../action/upload-sarif
+    with:
+      ref: 'refs/heads/main'
+      sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
+    env:
+      TEST_MODE: true

pr-checks/sync.py

@@ -23,7 +23,6 @@ header = """# Warning: This file is generated automatically, and should not be m
 
 """
 
-
 class NonAliasingRTRepresenter(ruamel.yaml.representer.RoundTripRepresenter):
     def ignore_aliases(self, data):
         return True
@@ -71,6 +70,9 @@ for file in os.listdir('checks'):
             }
         },
         'name': checkSpecification['name'],
+        'permissions': {
+            'security-events': 'write'
+        },
         'runs-on': '${{ matrix.os }}',
         'steps': steps
     }

src/actions-util.test.ts

@@ -65,6 +65,57 @@ test("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (
   callback.restore();
 });
 
+test("getRef() returns ref provided as an input and ignores current HEAD", async (t) => {
+  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+  getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
+  getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
+
+  // These values are be ignored
+  process.env["GITHUB_REF"] = "refs/pull/1/merge";
+  process.env["GITHUB_SHA"] = "a".repeat(40);
+
+  const callback = sinon.stub(actionsutil, "getCommitOid");
+  callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
+  callback.withArgs("HEAD").resolves("b".repeat(40));
+
+  const actualRef = await actionsutil.getRef();
+  t.deepEqual(actualRef, "refs/pull/2/merge");
+  callback.restore();
+  getAdditionalInputStub.restore();
+});
+
+test("getRef() throws an error if only `ref` is provided as an input", async (t) => {
+  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+  getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
+
+  await t.throwsAsync(
+    async () => {
+      await actionsutil.getRef();
+    },
+    {
+      instanceOf: Error,
+      message: "Both 'ref' and 'sha' are required if one of them is provided.",
+    }
+  );
+  getAdditionalInputStub.restore();
+});
+
+test("getRef() throws an error if only `sha` is provided as an input", async (t) => {
+  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+  getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
+
+  await t.throwsAsync(
+    async () => {
+      await actionsutil.getRef();
+    },
+    {
+      instanceOf: Error,
+      message: "Both 'ref' and 'sha' are required if one of them is provided.",
+    }
+  );
+  getAdditionalInputStub.restore();
+});
+
 test("computeAutomationID()", async (t) => {
   let actualAutomationID = actionsutil.computeAutomationID(
     ".github/workflows/codeql-analysis.yml:analyze",

src/actions-util.ts

@@ -33,10 +33,10 @@ export function getRequiredInput(name: string): string {
  * This allows us to get stronger type checking of required/optional inputs
  * and make behaviour more consistent between actions and the runner.
  */
-export function getOptionalInput(name: string): string | undefined {
+export const getOptionalInput = function (name: string): string | undefined {
   const value = core.getInput(name);
   return value.length > 0 ? value : undefined;
-}
+};
 
 export function getTemporaryDirectory(): string {
   const value = process.env["CODEQL_ACTION_TEMP"];
@@ -83,10 +83,10 @@ export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
     return commitOid.trim();
   } catch (e) {
     core.info(
-      `Failed to call git to get current commit. Continuing with data from environment: ${e}`
+      `Failed to call git to get current commit. Continuing with data from environment or input: ${e}`
     );
     core.info((e as Error).stack || "NO STACK");
-    return getRequiredEnvParam("GITHUB_SHA");
+    return getOptionalInput("sha") || getRequiredEnvParam("GITHUB_SHA");
   }
 };
 
@@ -431,8 +431,26 @@ export function computeAutomationID(
 export async function getRef(): Promise<string> {
   // Will be in the form "refs/heads/master" on a push event
   // or in the form "refs/pull/N/merge" on a pull_request event
-  const ref = getRequiredEnvParam("GITHUB_REF");
+  const refInput = getOptionalInput("ref");
-  const sha = getRequiredEnvParam("GITHUB_SHA");
+  const shaInput = getOptionalInput("sha");
+
+  const hasRefInput = !!refInput;
+  const hasShaInput = !!shaInput;
+  // If one of 'ref' or 'sha' are provided, both are required
+  if ((hasRefInput || hasShaInput) && !(hasRefInput && hasShaInput)) {
+    throw new Error(
+      "Both 'ref' and 'sha' are required if one of them is provided."
+    );
+  }
+
+  const ref = refInput || getRequiredEnvParam("GITHUB_REF");
+  const sha = shaInput || getRequiredEnvParam("GITHUB_SHA");
+
+  // If the ref is a user-provided input, we have to skip logic
+  // and assume that it is really where they want to upload the results.
+  if (refInput) {
+    return refInput;
+  }
 
   // For pull request refs we want to detect whether the workflow
   // has run `git checkout HEAD^2` to analyze the 'head' ref rather
@@ -520,7 +538,7 @@ export async function createStatusReportBase(
   cause?: string,
   exception?: string
 ): Promise<StatusReportBase> {
-  const commitOid = process.env["GITHUB_SHA"] || "";
+  const commitOid = getOptionalInput("sha") || process.env["GITHUB_SHA"] || "";
   const ref = await getRef();
   const workflowRunIDStr = process.env["GITHUB_RUN_ID"];
   let workflowRunID = -1;

src/analyze-action.ts

@@ -187,6 +187,7 @@ async function run() {
         apiDetails,
         logger
       );
+      core.setOutput("sarif-id", uploadResult.sarifID);
     } else {
       logger.info("Not uploading results");
     }

src/upload-sarif-action.ts

@@ -63,6 +63,7 @@ async function run() {
       apiDetails,
       getActionsLogger()
     );
+    core.setOutput("sarif-id", uploadResult.sarifID);
     if (actionsUtil.getRequiredInput("wait-for-processing") === "true") {
       await upload_lib.waitForProcessing(
         parseRepositoryNwo(getRequiredEnvParam("GITHUB_REPOSITORY")),

upload-sarif/action.yml

@@ -13,6 +13,12 @@ inputs:
     description: "The path at which the analyzed repository was checked out. Used to relativize any absolute paths in the uploaded SARIF file."
     required: false
     default: ${{ github.workspace }}
+  ref:
+    description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable. If provided, the sha input must be provided as well. This input is not available in pull requests from forks."
+    required: false
+  sha:
+    description: "The sha of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable. If provided, the ref input must be provided as well. This input is not available in pull requests from forks."
+    required: false
   token:
     default: ${{ github.token }}
   matrix:
@@ -24,6 +30,9 @@ inputs:
     description: If true, the Action will wait for the uploaded SARIF to be processed before completing.
     required: true
     default: "false"
+outputs:
+  sarif-id:
+    description: The ID of the uploaded SARIF file.
 runs:
   using: 'node12'
   main: '../lib/upload-sarif-action.js'