Merge branch 'main' into henrymercer/update-release-process

.github/workflows/__with-checkout-path.yml

@@ -0,0 +1,145 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Use a custom `checkout_path`
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - v1
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  with-checkout-path:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20210308
+        - os: macos-latest
+          version: stable-20210308
+        - os: windows-2019
+          version: stable-20210308
+        - os: ubuntu-latest
+          version: stable-20210319
+        - os: macos-latest
+          version: stable-20210319
+        - os: windows-2019
+          version: stable-20210319
+        - os: ubuntu-latest
+          version: stable-20210809
+        - os: macos-latest
+          version: stable-20210809
+        - os: windows-2019
+          version: stable-20210809
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-2019
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-2019
+          version: latest
+        - os: windows-2022
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-2019
+          version: nightly-latest
+        - os: windows-2022
+          version: nightly-latest
+    name: Use a custom `checkout_path`
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v2
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: actions/checkout@v2
+      with:
+        ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        path: x/y/z/some-path
+    - uses: ./../action/init
+      with:
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      # it's enough to test one compiled language and one interpreted language
+        languages: csharp,javascript
+        source-path: x/y/z/some-path/tests/multi-language-repo
+        debug: true
+    - name: Build code (non-windows)
+      shell: bash
+      if: ${{ runner.os != 'Windows' }}
+      run: |
+        $CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
+    - name: Build code (windows)
+      shell: bash
+      if: ${{ runner.os == 'Windows' }}
+      run: |
+        x/y/z/some-path/tests/multi-language-repo/build.sh
+    - uses: ./../action/analyze
+      with:
+        checkout_path: x/y/z/some-path/tests/multi-language-repo
+        ref: v1.1.0
+        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        upload: false
+      env:
+        TEST_MODE: true
+
+    - uses: ./../action/upload-sarif
+      with:
+        ref: v1.1.0
+        sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+        checkout_path: x/y/z/some-path/tests/multi-language-repo
+      env:
+        TEST_MODE: true
+
+    - name: Verify SARIF after upload
+      shell: bash
+      run: |
+        EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
+        EXPECTED_REF="v1.1.0"
+        EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
+
+        ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
+        ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
+        ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+
+        if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
+          echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
+
+        if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
+          echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
+
+        if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
+          echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
+          echo "$RUNNER_TEMP/payload.json"
+          exit 1
+        fi
+    env:
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

CHANGELOG.md

@@ -19,7 +19,8 @@ No user facing changes.
 
 ## 1.1.3 - 23 Feb 2022
 
-- Fix bug where the CLR traces can continue tracing even after tracing should be stopped. [#938](https://github.com/github/codeql-action/pull/938)
+- Fix a bug where the CLR traces can continue tracing even after tracing should be stopped. [#938](https://github.com/github/codeql-action/pull/938)
+- Fix a bug where an invalid `commit_oid` was being sent to code scanning when a custom checkout path was being used. [#956](https://github.com/github/codeql-action/pull/956)
 
 ## 1.1.2 - 17 Feb 2022
 

lib/actions-util.js

@@ -76,7 +76,7 @@ exports.getToolCacheDirectory = getToolCacheDirectory;
 /**
  * Gets the SHA of the commit that is currently checked out.
  */
-const getCommitOid = async function (ref = "HEAD") {
+const getCommitOid = async function (checkoutPath, ref = "HEAD") {
     // Try to use git to get the current commit SHA. If that fails then
     // log but otherwise silently fall back to using the SHA from the environment.
     // The only time these two values will differ is during analysis of a PR when
@@ -96,6 +96,7 @@ const getCommitOid = async function (ref = "HEAD") {
                     process.stderr.write(data);
                 },
             },
+            cwd: checkoutPath,
         }).exec();
         return commitOid.trim();
     }
@@ -115,6 +116,7 @@ const determineMergeBaseCommitOid = async function () {
         return undefined;
     }
     const mergeSha = (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
+    const checkoutPath = (0, exports.getOptionalInput)("checkout_path");
     try {
         let commitOid = "";
         let baseOid = "";
@@ -139,6 +141,7 @@ const determineMergeBaseCommitOid = async function () {
                     process.stderr.write(data);
                 },
             },
+            cwd: checkoutPath,
         }).exec();
         // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
         if (commitOid === mergeSha &&
@@ -427,6 +430,9 @@ async function getRef() {
     // or in the form "refs/pull/N/merge" on a pull_request event
     const refInput = (0, exports.getOptionalInput)("ref");
     const shaInput = (0, exports.getOptionalInput)("sha");
+    const checkoutPath = (0, exports.getOptionalInput)("checkout_path") ||
+        (0, exports.getOptionalInput)("source-root") ||
+        (0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE");
     const hasRefInput = !!refInput;
     const hasShaInput = !!shaInput;
     // If one of 'ref' or 'sha' are provided, both are required
@@ -448,15 +454,14 @@ async function getRef() {
     if (!pull_ref_regex.test(ref)) {
         return ref;
     }
-    const head = await (0, exports.getCommitOid)("HEAD");
+    const head = await (0, exports.getCommitOid)(checkoutPath, "HEAD");
     // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
     // in actions/checkout@v1 this may not be true as it checks out the repository
     // using GITHUB_REF. There is a subtle race condition where
     // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
     // git git-parse GITHUB_REF == git rev-parse HEAD instead.
     const hasChangedRef = sha !== head &&
-        (await (0, exports.getCommitOid)(ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !==
+        (await (0, exports.getCommitOid)(checkoutPath, ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !== head;
-            head;
     if (hasChangedRef) {
         const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
         core.debug(`No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`);

lib/actions-util.test.js

@@ -39,74 +39,93 @@ function errorCodes(actual, expected) {
     await t.throwsAsync(actionsutil.getRef);
 });
 (0, ava_1.default)("getRef() returns merge PR ref if GITHUB_SHA still checked out", async (t) => {
-    const expectedRef = "refs/pull/1/merge";
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
-    const currentSha = "a".repeat(40);
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-    process.env["GITHUB_REF"] = expectedRef;
+        const expectedRef = "refs/pull/1/merge";
-    process.env["GITHUB_SHA"] = currentSha;
+        const currentSha = "a".repeat(40);
-    const callback = sinon.stub(actionsutil, "getCommitOid");
+        process.env["GITHUB_REF"] = expectedRef;
-    callback.withArgs("HEAD").resolves(currentSha);
+        process.env["GITHUB_SHA"] = currentSha;
-    const actualRef = await actionsutil.getRef();
+        const callback = sinon.stub(actionsutil, "getCommitOid");
-    t.deepEqual(actualRef, expectedRef);
+        callback.withArgs("HEAD").resolves(currentSha);
-    callback.restore();
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, expectedRef);
+        callback.restore();
+    });
 });
 (0, ava_1.default)("getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1)", async (t) => {
-    const expectedRef = "refs/pull/1/merge";
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
-    process.env["GITHUB_REF"] = expectedRef;
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-    process.env["GITHUB_SHA"] = "b".repeat(40);
+        const expectedRef = "refs/pull/1/merge";
-    const sha = "a".repeat(40);
+        process.env["GITHUB_REF"] = expectedRef;
-    const callback = sinon.stub(actionsutil, "getCommitOid");
+        process.env["GITHUB_SHA"] = "b".repeat(40);
-    callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
+        const sha = "a".repeat(40);
-    callback.withArgs("HEAD").resolves(sha);
+        const callback = sinon.stub(actionsutil, "getCommitOid");
-    const actualRef = await actionsutil.getRef();
+        callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
-    t.deepEqual(actualRef, expectedRef);
+        callback.withArgs("HEAD").resolves(sha);
-    callback.restore();
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, expectedRef);
+        callback.restore();
+    });
 });
 (0, ava_1.default)("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (t) => {
-    process.env["GITHUB_REF"] = "refs/pull/1/merge";
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
-    process.env["GITHUB_SHA"] = "a".repeat(40);
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-    const callback = sinon.stub(actionsutil, "getCommitOid");
+        process.env["GITHUB_REF"] = "refs/pull/1/merge";
-    callback.withArgs("refs/pull/1/merge").resolves("a".repeat(40));
+        process.env["GITHUB_SHA"] = "a".repeat(40);
-    callback.withArgs("HEAD").resolves("b".repeat(40));
+        const callback = sinon.stub(actionsutil, "getCommitOid");
-    const actualRef = await actionsutil.getRef();
+        callback.withArgs(tmpDir, "refs/pull/1/merge").resolves("a".repeat(40));
-    t.deepEqual(actualRef, "refs/pull/1/head");
+        callback.withArgs(tmpDir, "HEAD").resolves("b".repeat(40));
-    callback.restore();
+        const actualRef = await actionsutil.getRef();
+        t.deepEqual(actualRef, "refs/pull/1/head");
+        callback.restore();
+    });
 });
 (0, ava_1.default)("getRef() returns ref provided as an input and ignores current HEAD", async (t) => {
-    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
-    getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-    getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
+        const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
-    // These values are be ignored
+        getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
-    process.env["GITHUB_REF"] = "refs/pull/1/merge";
+        getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
-    process.env["GITHUB_SHA"] = "a".repeat(40);
+        // These values are be ignored
-    const callback = sinon.stub(actionsutil, "getCommitOid");
+        process.env["GITHUB_REF"] = "refs/pull/1/merge";
-    callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
+        process.env["GITHUB_SHA"] = "a".repeat(40);
-    callback.withArgs("HEAD").resolves("b".repeat(40));
+        const callback = sinon.stub(actionsutil, "getCommitOid");
-    const actualRef = await actionsutil.getRef();
+        callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
-    t.deepEqual(actualRef, "refs/pull/2/merge");
+        callback.withArgs("HEAD").resolves("b".repeat(40));
-    callback.restore();
+        const actualRef = await actionsutil.getRef();
-    getAdditionalInputStub.restore();
+        t.deepEqual(actualRef, "refs/pull/2/merge");
+        callback.restore();
+        getAdditionalInputStub.restore();
+    });
 });
 (0, ava_1.default)("getRef() throws an error if only `ref` is provided as an input", async (t) => {
-    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
-    getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-    await t.throwsAsync(async () => {
+        const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
-        await actionsutil.getRef();
+        getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
-    }, {
+        await t.throwsAsync(async () => {
-        instanceOf: Error,
+            await actionsutil.getRef();
-        message: "Both 'ref' and 'sha' are required if one of them is provided.",
+        }, {
+            instanceOf: Error,
+            message: "Both 'ref' and 'sha' are required if one of them is provided.",
+        });
+        getAdditionalInputStub.restore();
     });
-    getAdditionalInputStub.restore();
 });
 (0, ava_1.default)("getRef() throws an error if only `sha` is provided as an input", async (t) => {
-    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
-    getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-    await t.throwsAsync(async () => {
+        process.env["GITHUB_WORKSPACE"] = "/tmp";
-        await actionsutil.getRef();
+        const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
-    }, {
+        getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
-        instanceOf: Error,
+        await t.throwsAsync(async () => {
-        message: "Both 'ref' and 'sha' are required if one of them is provided.",
+            await actionsutil.getRef();
+        }, {
+            instanceOf: Error,
+            message: "Both 'ref' and 'sha' are required if one of them is provided.",
+        });
+        getAdditionalInputStub.restore();
     });
-    getAdditionalInputStub.restore();
 });
 (0, ava_1.default)("computeAutomationID()", async (t) => {
     let actualAutomationID = actionsutil.computeAutomationID(".github/workflows/codeql-analysis.yml:analyze", '{"language": "javascript", "os": "linux"}');
@@ -461,6 +480,7 @@ on: ["push"]
 });
 (0, ava_1.default)("isAnalyzingDefaultBranch()", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
         const envFile = path.join(tmpDir, "event.json");
         fs.writeFileSync(envFile, JSON.stringify({
             repository: {

lib/testing-utils.js

@@ -90,6 +90,7 @@ exports.setupTests = setupTests;
 function setupActionsVars(tempDir, toolsDir) {
     process.env["RUNNER_TEMP"] = tempDir;
     process.env["RUNNER_TOOL_CACHE"] = toolsDir;
+    process.env["GITHUB_WORKSPACE"] = tempDir;
 }
 exports.setupActionsVars = setupActionsVars;
 function getRecordingLogger(messages) {

lib/testing-utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"testing-utils.js","sourceRoot":"","sources":["../src/testing-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,wDAA0C;AAE1C,6CAA+B;AAE/B,wDAA0C;AAC1C,iDAAmC;AAEnC,iCAAmC;AASnC,SAAS,UAAU,CAAC,OAAoB;IACtC,8CAA8C;IAC9C,gCAAgC;IAChC,2EAA2E;IAC3E,2FAA2F;IAC3F,OAAO,CACL,KAA0B,EAC1B,QAAiB,EACjB,EAA0B,EACjB,EAAE;QACX,2CAA2C;QAC3C,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE;YACtD,EAAE,GAAG,QAAQ,CAAC;YACd,QAAQ,GAAG,SAAS,CAAC;SACtB;QAED,oBAAoB;QACpB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;YAC7B,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC;SAC7B;aAAM;YACL,OAAO,CAAC,UAAU,IAAI,IAAI,WAAW,CAAC,QAAQ,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;SAC1E;QAED,iDAAiD;QACjD,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YAChD,EAAE,EAAE,CAAC;SACN;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED,SAAgB,UAAU,CAAC,IAAiB;IAC1C,MAAM,SAAS,GAAG,IAA2B,CAAC;IAE9C,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE;QACzB,gEAAgE;QAChE,0CAA0C;QAC1C,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAErB,iEAAiE;QACjE,CAAC,CAAC,OAAO,CAAC,UAAU,GAAG,EAAE,CAAC;QAC1B,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QACpD,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QAEpD,mEAAmE;QACnE,wEAAwE;QACxE,kEAAkE;QAClE,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;QACnB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC/B,4BAA4B;QAC5B,0DAA0D;QAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE;YACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;SAC5C;QAED,uCAAuC;QACvC,KAAK,CAAC,OAAO,EAAE,CAAC;QAEhB,oCAAoC;QACpC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAvCD,gCAuCC;AAED,yEAAyE;AACzE,sDAAsD;AACtD,SAAgB,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IAChE,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,QAAQ,CAAC;AAC9C,CAAC;AAHD,4CAGC;AAOD,SAAgB,kBAAkB,CAAC,QAAyB;IAC1D,OAAO;QACL,KAAK,EAAE,CAAC,OAAe,EAAE,EAAE;YACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,EAAE,CAAC,OAAe,EAAE,EAAE;YACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACzC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,EAAE,CAAC,OAAuB,EAAE,EAAE;YACnC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5C,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,KAAK,EAAE,CAAC,OAAuB,EAAE,EAAE;YACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI;QACnB,UAAU,EAAE,GAAG,EAAE,CAAC,SAAS;QAC3B,QAAQ,EAAE,GAAG,EAAE,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAtBD,gDAsBC;AAED,0EAA0E;AAC1E,SAAgB,0BAA0B,CACxC,kBAA0B,EAC1B,QAAyC;IAEzC,kEAAkE;IAClE,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAExC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAEjD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAClC,8DAA8D,CAC/D,CAAC;IACF,IAAI,kBAAkB,GAAG,GAAG,EAAE;QAC5B,QAAQ,CAAC,QAAQ,CAAC;YAChB,MAAM,EAAE,kBAAkB;YAC1B,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,EAAE;YACX,GAAG,EAAE,8DAA8D;SACpE,CAAC,CAAC;KACJ;SAAM;QACL,QAAQ,CAAC,MAAM,CAAC,IAAI,gBAAS,CAAC,oBAAoB,EAAE,kBAAkB,CAAC,CAAC,CAAC;KAC1E;IAED,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;AAC5D,CAAC;AAxBD,gEAwBC"}
+{"version":3,"file":"testing-utils.js","sourceRoot":"","sources":["../src/testing-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,wDAA0C;AAE1C,6CAA+B;AAE/B,wDAA0C;AAC1C,iDAAmC;AAEnC,iCAAmC;AASnC,SAAS,UAAU,CAAC,OAAoB;IACtC,8CAA8C;IAC9C,gCAAgC;IAChC,2EAA2E;IAC3E,2FAA2F;IAC3F,OAAO,CACL,KAA0B,EAC1B,QAAiB,EACjB,EAA0B,EACjB,EAAE;QACX,2CAA2C;QAC3C,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE;YACtD,EAAE,GAAG,QAAQ,CAAC;YACd,QAAQ,GAAG,SAAS,CAAC;SACtB;QAED,oBAAoB;QACpB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;YAC7B,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC;SAC7B;aAAM;YACL,OAAO,CAAC,UAAU,IAAI,IAAI,WAAW,CAAC,QAAQ,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;SAC1E;QAED,iDAAiD;QACjD,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YAChD,EAAE,EAAE,CAAC;SACN;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED,SAAgB,UAAU,CAAC,IAAiB;IAC1C,MAAM,SAAS,GAAG,IAA2B,CAAC;IAE9C,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE;QACzB,gEAAgE;QAChE,0CAA0C;QAC1C,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAErB,iEAAiE;QACjE,CAAC,CAAC,OAAO,CAAC,UAAU,GAAG,EAAE,CAAC;QAC1B,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QACpD,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QAEpD,mEAAmE;QACnE,wEAAwE;QACxE,kEAAkE;QAClE,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;QACnB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC/B,4BAA4B;QAC5B,0DAA0D;QAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE;YACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;SAC5C;QAED,uCAAuC;QACvC,KAAK,CAAC,OAAO,EAAE,CAAC;QAEhB,oCAAoC;QACpC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAvCD,gCAuCC;AAED,yEAAyE;AACzE,sDAAsD;AACtD,SAAgB,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IAChE,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,QAAQ,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,GAAG,OAAO,CAAC;AAC5C,CAAC;AAJD,4CAIC;AAOD,SAAgB,kBAAkB,CAAC,QAAyB;IAC1D,OAAO;QACL,KAAK,EAAE,CAAC,OAAe,EAAE,EAAE;YACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,EAAE,CAAC,OAAe,EAAE,EAAE;YACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACzC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,EAAE,CAAC,OAAuB,EAAE,EAAE;YACnC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5C,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,KAAK,EAAE,CAAC,OAAuB,EAAE,EAAE;YACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI;QACnB,UAAU,EAAE,GAAG,EAAE,CAAC,SAAS;QAC3B,QAAQ,EAAE,GAAG,EAAE,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAtBD,gDAsBC;AAED,0EAA0E;AAC1E,SAAgB,0BAA0B,CACxC,kBAA0B,EAC1B,QAAyC;IAEzC,kEAAkE;IAClE,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAExC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAEjD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAClC,8DAA8D,CAC/D,CAAC;IACF,IAAI,kBAAkB,GAAG,GAAG,EAAE;QAC5B,QAAQ,CAAC,QAAQ,CAAC;YAChB,MAAM,EAAE,kBAAkB;YAC1B,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,EAAE;YACX,GAAG,EAAE,8DAA8D;SACpE,CAAC,CAAC;KACJ;SAAM;QACL,QAAQ,CAAC,MAAM,CAAC,IAAI,gBAAS,CAAC,oBAAoB,EAAE,kBAAkB,CAAC,CAAC,CAAC;KAC1E;IAED,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;AAC5D,CAAC;AAxBD,gEAwBC"}

lib/upload-lib.js

@@ -95,7 +95,10 @@ async function uploadPayload(payload, repositoryNwo, apiDetails, logger) {
     // If in test mode we don't want to upload the results
     const testMode = process.env["TEST_MODE"] === "true" || false;
     if (testMode) {
-        logger.debug("In test mode. Results are not uploaded.");
+        const payloadSaveFile = path.join(actionsUtil.getTemporaryDirectory(), "payload.json");
+        logger.info(`In test mode. Results are not uploaded. Saving to ${payloadSaveFile}`);
+        logger.info(`Payload: ${JSON.stringify(payload, null, 2)}`);
+        fs.writeFileSync(payloadSaveFile, JSON.stringify(payload, null, 2));
         return;
     }
     const client = api.getApiClient(apiDetails);
@@ -134,7 +137,7 @@ exports.findSarifFilesInDir = findSarifFilesInDir;
 // depending on what the path happens to refer to.
 // Returns true iff the upload occurred and succeeded
 async function uploadFromActions(sarifPath, gitHubVersion, apiDetails, logger) {
-    return await uploadFiles(getSarifFilePaths(sarifPath), (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), await actionsUtil.getCommitOid(), await actionsUtil.getRef(), await actionsUtil.getAnalysisKey(), actionsUtil.getOptionalInput("category"), util.getRequiredEnvParam("GITHUB_WORKFLOW"), actionsUtil.getWorkflowRunID(), actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getRequiredInput("matrix"), gitHubVersion, apiDetails, logger);
+    return await uploadFiles(getSarifFilePaths(sarifPath), (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), await actionsUtil.getCommitOid(actionsUtil.getRequiredInput("checkout_path")), await actionsUtil.getRef(), await actionsUtil.getAnalysisKey(), actionsUtil.getOptionalInput("category"), util.getRequiredEnvParam("GITHUB_WORKFLOW"), actionsUtil.getWorkflowRunID(), actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getRequiredInput("matrix"), gitHubVersion, apiDetails, logger);
 }
 exports.uploadFromActions = uploadFromActions;
 // Uploads a single sarif file or a directory of sarif files

pr-checks/checks/with-checkout-path.yml

@@ -0,0 +1,75 @@
+name: "Use a custom `checkout_path`"
+description: "Checks that a custom `checkout_path` will find the proper commit_oid"
+# Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
+# `windows-latest`.
+# Must test on all three platforms since this test does path manipulation
+os: [ubuntu-latest, macos-latest, windows-2019]
+steps:
+  # Check out the actions repo again, but at a different location.
+  # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
+  - uses: actions/checkout@v2
+    with:
+      ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+      path: x/y/z/some-path
+  - uses: ./../action/init
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+      # it's enough to test one compiled language and one interpreted language
+      languages: csharp,javascript
+      source-path: x/y/z/some-path/tests/multi-language-repo
+      debug: true
+  - name: Build code (non-windows)
+    shell: bash
+    if: ${{ runner.os != 'Windows' }}
+    run: |
+      $CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
+  - name: Build code (windows)
+    shell: bash
+    if: ${{ runner.os == 'Windows' }}
+    run: |
+      x/y/z/some-path/tests/multi-language-repo/build.sh
+  - uses: ./../action/analyze
+    with:
+      checkout_path: x/y/z/some-path/tests/multi-language-repo
+      ref: v1.1.0
+      sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+      upload: false
+    env:
+      TEST_MODE: true
+
+  - uses: ./../action/upload-sarif
+    with:
+      ref: v1.1.0
+      sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
+      checkout_path: x/y/z/some-path/tests/multi-language-repo
+    env:
+      TEST_MODE: true
+
+  - name: Verify SARIF after upload
+    shell: bash
+    run: |
+      EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
+      EXPECTED_REF="v1.1.0"
+      EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
+
+      ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
+      ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
+      ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
+
+      if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
+        echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
+        echo "$RUNNER_TEMP/payload.json"
+        exit 1
+      fi
+
+      if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
+        echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
+        echo "$RUNNER_TEMP/payload.json"
+        exit 1
+      fi
+
+      if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
+        echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
+        echo "$RUNNER_TEMP/payload.json"
+        exit 1
+      fi

src/actions-util.test.ts

@@ -6,7 +6,7 @@ import * as yaml from "js-yaml";
 import * as sinon from "sinon";
 
 import * as actionsutil from "./actions-util";
-import { setupTests } from "./testing-utils";
+import { setupActionsVars, setupTests } from "./testing-utils";
 import { getMode, initializeEnvironment, Mode, withTmpDir } from "./util";
 
 function errorCodes(
@@ -24,96 +24,117 @@ test("getRef() throws on the empty string", async (t) => {
 });
 
 test("getRef() returns merge PR ref if GITHUB_SHA still checked out", async (t) => {
-  const expectedRef = "refs/pull/1/merge";
+  await withTmpDir(async (tmpDir: string) => {
-  const currentSha = "a".repeat(40);
+    setupActionsVars(tmpDir, tmpDir);
-  process.env["GITHUB_REF"] = expectedRef;
+    const expectedRef = "refs/pull/1/merge";
-  process.env["GITHUB_SHA"] = currentSha;
+    const currentSha = "a".repeat(40);
+    process.env["GITHUB_REF"] = expectedRef;
+    process.env["GITHUB_SHA"] = currentSha;
 
-  const callback = sinon.stub(actionsutil, "getCommitOid");
+    const callback = sinon.stub(actionsutil, "getCommitOid");
-  callback.withArgs("HEAD").resolves(currentSha);
+    callback.withArgs("HEAD").resolves(currentSha);
 
-  const actualRef = await actionsutil.getRef();
+    const actualRef = await actionsutil.getRef();
-  t.deepEqual(actualRef, expectedRef);
+    t.deepEqual(actualRef, expectedRef);
-  callback.restore();
+    callback.restore();
+  });
 });
 
 test("getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1)", async (t) => {
-  const expectedRef = "refs/pull/1/merge";
+  await withTmpDir(async (tmpDir: string) => {
-  process.env["GITHUB_REF"] = expectedRef;
+    setupActionsVars(tmpDir, tmpDir);
-  process.env["GITHUB_SHA"] = "b".repeat(40);
+    const expectedRef = "refs/pull/1/merge";
-  const sha = "a".repeat(40);
+    process.env["GITHUB_REF"] = expectedRef;
+    process.env["GITHUB_SHA"] = "b".repeat(40);
+    const sha = "a".repeat(40);
 
-  const callback = sinon.stub(actionsutil, "getCommitOid");
+    const callback = sinon.stub(actionsutil, "getCommitOid");
-  callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
+    callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
-  callback.withArgs("HEAD").resolves(sha);
+    callback.withArgs("HEAD").resolves(sha);
 
-  const actualRef = await actionsutil.getRef();
+    const actualRef = await actionsutil.getRef();
-  t.deepEqual(actualRef, expectedRef);
+    t.deepEqual(actualRef, expectedRef);
-  callback.restore();
+    callback.restore();
+  });
 });
 
 test("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (t) => {
-  process.env["GITHUB_REF"] = "refs/pull/1/merge";
+  await withTmpDir(async (tmpDir: string) => {
-  process.env["GITHUB_SHA"] = "a".repeat(40);
+    setupActionsVars(tmpDir, tmpDir);
+    process.env["GITHUB_REF"] = "refs/pull/1/merge";
+    process.env["GITHUB_SHA"] = "a".repeat(40);
 
-  const callback = sinon.stub(actionsutil, "getCommitOid");
+    const callback = sinon.stub(actionsutil, "getCommitOid");
-  callback.withArgs("refs/pull/1/merge").resolves("a".repeat(40));
+    callback.withArgs(tmpDir, "refs/pull/1/merge").resolves("a".repeat(40));
-  callback.withArgs("HEAD").resolves("b".repeat(40));
+    callback.withArgs(tmpDir, "HEAD").resolves("b".repeat(40));
 
-  const actualRef = await actionsutil.getRef();
+    const actualRef = await actionsutil.getRef();
-  t.deepEqual(actualRef, "refs/pull/1/head");
+    t.deepEqual(actualRef, "refs/pull/1/head");
-  callback.restore();
+    callback.restore();
+  });
 });
 
 test("getRef() returns ref provided as an input and ignores current HEAD", async (t) => {
-  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+  await withTmpDir(async (tmpDir: string) => {
-  getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
+    setupActionsVars(tmpDir, tmpDir);
-  getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
+    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
+    getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40));
 
-  // These values are be ignored
+    // These values are be ignored
-  process.env["GITHUB_REF"] = "refs/pull/1/merge";
+    process.env["GITHUB_REF"] = "refs/pull/1/merge";
-  process.env["GITHUB_SHA"] = "a".repeat(40);
+    process.env["GITHUB_SHA"] = "a".repeat(40);
 
-  const callback = sinon.stub(actionsutil, "getCommitOid");
+    const callback = sinon.stub(actionsutil, "getCommitOid");
-  callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
+    callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40));
-  callback.withArgs("HEAD").resolves("b".repeat(40));
+    callback.withArgs("HEAD").resolves("b".repeat(40));
 
-  const actualRef = await actionsutil.getRef();
+    const actualRef = await actionsutil.getRef();
-  t.deepEqual(actualRef, "refs/pull/2/merge");
+    t.deepEqual(actualRef, "refs/pull/2/merge");
-  callback.restore();
+    callback.restore();
-  getAdditionalInputStub.restore();
+    getAdditionalInputStub.restore();
+  });
 });
 
 test("getRef() throws an error if only `ref` is provided as an input", async (t) => {
-  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+  await withTmpDir(async (tmpDir: string) => {
-  getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
+    setupActionsVars(tmpDir, tmpDir);
+    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    getAdditionalInputStub.withArgs("ref").resolves("refs/pull/1/merge");
 
-  await t.throwsAsync(
+    await t.throwsAsync(
-    async () => {
+      async () => {
-      await actionsutil.getRef();
+        await actionsutil.getRef();
-    },
+      },
-    {
+      {
-      instanceOf: Error,
+        instanceOf: Error,
-      message: "Both 'ref' and 'sha' are required if one of them is provided.",
+        message:
-    }
+          "Both 'ref' and 'sha' are required if one of them is provided.",
-  );
+      }
-  getAdditionalInputStub.restore();
+    );
+    getAdditionalInputStub.restore();
+  });
 });
 
 test("getRef() throws an error if only `sha` is provided as an input", async (t) => {
-  const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+  await withTmpDir(async (tmpDir: string) => {
-  getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
+    setupActionsVars(tmpDir, tmpDir);
+    process.env["GITHUB_WORKSPACE"] = "/tmp";
+    const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput");
+    getAdditionalInputStub.withArgs("sha").resolves("a".repeat(40));
 
-  await t.throwsAsync(
+    await t.throwsAsync(
-    async () => {
+      async () => {
-      await actionsutil.getRef();
+        await actionsutil.getRef();
-    },
+      },
-    {
+      {
-      instanceOf: Error,
+        instanceOf: Error,
-      message: "Both 'ref' and 'sha' are required if one of them is provided.",
+        message:
-    }
+          "Both 'ref' and 'sha' are required if one of them is provided.",
-  );
+      }
-  getAdditionalInputStub.restore();
+    );
+    getAdditionalInputStub.restore();
+  });
 });
 
 test("computeAutomationID()", async (t) => {
@@ -709,6 +730,7 @@ test("initializeEnvironment", (t) => {
 
 test("isAnalyzingDefaultBranch()", async (t) => {
   await withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
     const envFile = path.join(tmpDir, "event.json");
     fs.writeFileSync(
       envFile,

src/actions-util.ts

@@ -66,7 +66,10 @@ export function getToolCacheDirectory(): string {
 /**
  * Gets the SHA of the commit that is currently checked out.
  */
-export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
+export const getCommitOid = async function (
+  checkoutPath: string,
+  ref = "HEAD"
+): Promise<string> {
   // Try to use git to get the current commit SHA. If that fails then
   // log but otherwise silently fall back to using the SHA from the environment.
   // The only time these two values will differ is during analysis of a PR when
@@ -89,6 +92,7 @@ export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
             process.stderr.write(data);
           },
         },
+        cwd: checkoutPath,
       }
     ).exec();
     return commitOid.trim();
@@ -113,6 +117,7 @@ export const determineMergeBaseCommitOid = async function (): Promise<
   }
 
   const mergeSha = getRequiredEnvParam("GITHUB_SHA");
+  const checkoutPath = getOptionalInput("checkout_path");
 
   try {
     let commitOid = "";
@@ -140,6 +145,7 @@ export const determineMergeBaseCommitOid = async function (): Promise<
             process.stderr.write(data);
           },
         },
+        cwd: checkoutPath,
       }
     ).exec();
 
@@ -504,6 +510,10 @@ export async function getRef(): Promise<string> {
   // or in the form "refs/pull/N/merge" on a pull_request event
   const refInput = getOptionalInput("ref");
   const shaInput = getOptionalInput("sha");
+  const checkoutPath =
+    getOptionalInput("checkout_path") ||
+    getOptionalInput("source-root") ||
+    getRequiredEnvParam("GITHUB_WORKSPACE");
 
   const hasRefInput = !!refInput;
   const hasShaInput = !!shaInput;
@@ -532,7 +542,7 @@ export async function getRef(): Promise<string> {
     return ref;
   }
 
-  const head = await getCommitOid("HEAD");
+  const head = await getCommitOid(checkoutPath, "HEAD");
 
   // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
   // in actions/checkout@v1 this may not be true as it checks out the repository
@@ -541,8 +551,10 @@ export async function getRef(): Promise<string> {
   // git git-parse GITHUB_REF == git rev-parse HEAD instead.
   const hasChangedRef =
     sha !== head &&
-    (await getCommitOid(ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !==
+    (await getCommitOid(
-      head;
+      checkoutPath,
+      ref.replace(/^refs\/pull\//, "refs/remotes/pull/")
+    )) !== head;
 
   if (hasChangedRef) {
     const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");

src/testing-utils.ts

@@ -92,6 +92,7 @@ export function setupTests(test: TestFn<any>) {
 export function setupActionsVars(tempDir: string, toolsDir: string) {
   process.env["RUNNER_TEMP"] = tempDir;
   process.env["RUNNER_TOOL_CACHE"] = toolsDir;
+  process.env["GITHUB_WORKSPACE"] = tempDir;
 }
 
 export interface LoggedMessage {

src/upload-lib.ts

@@ -100,7 +100,15 @@ async function uploadPayload(
   // If in test mode we don't want to upload the results
   const testMode = process.env["TEST_MODE"] === "true" || false;
   if (testMode) {
-    logger.debug("In test mode. Results are not uploaded.");
+    const payloadSaveFile = path.join(
+      actionsUtil.getTemporaryDirectory(),
+      "payload.json"
+    );
+    logger.info(
+      `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}`
+    );
+    logger.info(`Payload: ${JSON.stringify(payload, null, 2)}`);
+    fs.writeFileSync(payloadSaveFile, JSON.stringify(payload, null, 2));
     return;
   }
 
@@ -165,7 +173,9 @@ export async function uploadFromActions(
   return await uploadFiles(
     getSarifFilePaths(sarifPath),
     parseRepositoryNwo(util.getRequiredEnvParam("GITHUB_REPOSITORY")),
-    await actionsUtil.getCommitOid(),
+    await actionsUtil.getCommitOid(
+      actionsUtil.getRequiredInput("checkout_path")
+    ),
     await actionsUtil.getRef(),
     await actionsUtil.getAnalysisKey(),
     actionsUtil.getOptionalInput("category"),