Bump artifact dependencies if CODEQL_ACTION_ARTIFACT_V2_UPGRADE enabled (#2482)

Co-authored-by: Andrew Eisenberg <aeisenberg@github.com> Co-authored-by: Henry Mercer <henrymercer@github.com>
2024-10-01 09:59:05 -07:00 · 2024-10-01 09:59:05 -07:00 · a196a714b8
commit a196a714b8
parent cf5b0a9041
5388 changed files with 2176737 additions and 71701 deletions
--- a/src/analyze-action-post.ts
+++ b/src/analyze-action-post.ts
@ -5,21 +5,48 @@
 */
 import * as core from "@actions/core";

+import { getTemporaryDirectory } from "./actions-util";
+import { getGitHubVersion } from "./api-client";
+import { getConfig } from "./config-utils";
 import * as debugArtifacts from "./debug-artifacts";
 import { EnvVar } from "./environment";
+import { Features } from "./feature-flags";
 import { getActionsLogger, withGroup } from "./logging";
-import { getErrorMessage } from "./util";
+import { parseRepositoryNwo } from "./repository";
+import {
+  checkGitHubVersionInRange,
+  getErrorMessage,
+  getRequiredEnvParam,
+} from "./util";

 async function runWrapper() {
  try {
    const logger = getActionsLogger();
+    const gitHubVersion = await getGitHubVersion();
+    checkGitHubVersionInRange(gitHubVersion, logger);
+    const repositoryNwo = parseRepositoryNwo(
+      getRequiredEnvParam("GITHUB_REPOSITORY"),
+    );
+    const features = new Features(
+      gitHubVersion,
+      repositoryNwo,
+      getTemporaryDirectory(),
+      logger,
+    );

    // Upload SARIF artifacts if we determine that this is a first-party analysis run.
    // For third-party runs, this artifact will be uploaded in the `upload-sarif-post` step.
    if (process.env[EnvVar.INIT_ACTION_HAS_RUN] === "true") {
-      await withGroup("Uploading combined SARIF debug artifact", () =>
-        debugArtifacts.uploadCombinedSarifArtifacts(logger),
-      );
+      const config = await getConfig(getTemporaryDirectory(), logger);
+      if (config !== undefined) {
+        await withGroup("Uploading combined SARIF debug artifact", () =>
+          debugArtifacts.uploadCombinedSarifArtifacts(
+            logger,
+            config.gitHubVersion.type,
+            features,
+          ),
+        );
+      }
    }
  } catch (error) {
    core.setFailed(
--- a/src/debug-artifacts.test.ts
+++ b/src/debug-artifacts.test.ts
@ -1,6 +1,10 @@
 import test from "ava";

 import * as debugArtifacts from "./debug-artifacts";
+import { Feature } from "./feature-flags";
+import { getActionsLogger } from "./logging";
+import { createFeatures } from "./testing-utils";
+import { GitHubVariant } from "./util";

 test("sanitizeArtifactName", (t) => {
  t.deepEqual(
@ -20,7 +24,16 @@ test("sanitizeArtifactName", (t) => {

 test("uploadDebugArtifacts", async (t) => {
  // Test that no error is thrown if artifacts list is empty.
+  const logger = getActionsLogger();
+  const mockFeature = createFeatures([Feature.ArtifactV4Upgrade]);
  await t.notThrowsAsync(
-    debugArtifacts.uploadDebugArtifacts([], "rootDir", "artifactName"),
+    debugArtifacts.uploadDebugArtifacts(
+      logger,
+      [],
+      "rootDir",
+      "artifactName",
+      GitHubVariant.DOTCOM,
+      mockFeature,
+    ),
  );
 });
--- a/src/debug-artifacts.ts
+++ b/src/debug-artifacts.ts
@ -2,6 +2,7 @@ import * as fs from "fs";
 import * as path from "path";

 import * as artifact from "@actions/artifact";
+import * as artifactLegacy from "@actions/artifact-legacy";
 import * as core from "@actions/core";
 import AdmZip from "adm-zip";
 import del from "del";
@ -11,6 +12,7 @@ import { dbIsFinalized } from "./analyze";
 import { getCodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
+import { Feature, FeatureEnablement } from "./feature-flags";
 import { Language } from "./languages";
 import { Logger, withGroup } from "./logging";
 import {
@ -18,6 +20,7 @@ import {
  doesDirectoryExist,
  getCodeQLDatabasePath,
  getErrorMessage,
+  GitHubVariant,
  listFolder,
 } from "./util";

@ -29,7 +32,11 @@ export function sanitizeArtifactName(name: string): string {
 * Upload Actions SARIF artifacts for debugging when CODEQL_ACTION_DEBUG_COMBINED_SARIF
 * environment variable is set
 */
-export async function uploadCombinedSarifArtifacts(logger: Logger) {
+export async function uploadCombinedSarifArtifacts(
+  logger: Logger,
+  gitHubVariant: GitHubVariant,
+  features: FeatureEnablement,
+) {
  const tempDir = getTemporaryDirectory();

  // Upload Actions SARIF artifacts for debugging when environment variable is set
@ -58,9 +65,12 @@ export async function uploadCombinedSarifArtifacts(logger: Logger) {

    try {
      await uploadDebugArtifacts(
+        logger,
        toUpload,
        baseTempDir,
        "combined-sarif-artifacts",
+        gitHubVariant,
+        features,
      );
    } catch (e) {
      logger.warning(
@ -153,6 +163,7 @@ async function tryBundleDatabase(
 export async function tryUploadAllAvailableDebugArtifacts(
  config: Config,
  logger: Logger,
+  features: FeatureEnablement,
 ) {
  const filesToUpload: string[] = [];
  try {
@ -211,9 +222,12 @@ export async function tryUploadAllAvailableDebugArtifacts(
  try {
    await withGroup("Uploading debug artifacts", async () =>
      uploadDebugArtifacts(
+        logger,
        filesToUpload,
        config.dbLocation,
        config.debugArtifactName,
+        config.gitHubVersion.type,
+        features,
      ),
    );
  } catch (e) {
@ -224,9 +238,12 @@ export async function tryUploadAllAvailableDebugArtifacts(
 }

 export async function uploadDebugArtifacts(
+  logger: Logger,
  toUpload: string[],
  rootDir: string,
  artifactName: string,
+  ghVariant: GitHubVariant,
+  features: FeatureEnablement,
 ) {
  if (toUpload.length === 0) {
    return;
@ -246,16 +263,53 @@ export async function uploadDebugArtifacts(
    }
  }

-  await artifact.create().uploadArtifact(
-    sanitizeArtifactName(`${artifactName}${suffix}`),
-    toUpload.map((file) => path.normalize(file)),
-    path.normalize(rootDir),
-    {
-      continueOnError: true,
-      // ensure we don't keep the debug artifacts around for too long since they can be large.
-      retentionDays: 7,
-    },
+  const artifactUploader = await getArtifactUploaderClient(
+    logger,
+    ghVariant,
+    features,
  );
+
+  try {
+    await artifactUploader.uploadArtifact(
+      sanitizeArtifactName(`${artifactName}${suffix}`),
+      toUpload.map((file) => path.normalize(file)),
+      path.normalize(rootDir),
+      {
+        // ensure we don't keep the debug artifacts around for too long since they can be large.
+        retentionDays: 7,
+      },
+    );
+  } catch (e) {
+    // A failure to upload debug artifacts should not fail the entire action.
+    core.warning(`Failed to upload debug artifacts: ${e}`);
+  }
+}
+
+// `@actions/artifact@v2` is not yet supported on GHES so the legacy version of the client will be used on GHES
+// until it is supported. We also use the legacy version of the client if the feature flag is disabled.
+// The feature flag is named `ArtifactV4Upgrade` to reduce customer confusion; customers are primarily affected by
+// `actions/download-artifact`, whose upgrade to v4 must be accompanied by the `@actions/artifact@v2` upgrade.
+export async function getArtifactUploaderClient(
+  logger: Logger,
+  ghVariant: GitHubVariant,
+  features: FeatureEnablement,
+): Promise<artifact.ArtifactClient | artifactLegacy.ArtifactClient> {
+  if (ghVariant === GitHubVariant.GHES) {
+    logger.info(
+      "Debug artifacts can be consumed with `actions/download-artifact@v3` because the `v4` version is not yet compatible on GHES.",
+    );
+    return artifactLegacy.create();
+  } else if (!(await features.getValue(Feature.ArtifactV4Upgrade))) {
+    logger.info(
+      "Debug artifacts can be consumed with `actions/download-artifact@v3`. To use the `actions/download-artifact@v4`, set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to true.",
+    );
+    return artifactLegacy.create();
+  } else {
+    logger.info(
+      "Debug artifacts can be consumed with `actions/download-artifact@v4`.",
+    );
+    return new artifact.DefaultArtifactClient();
+  }
 }

 /**
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@ -45,6 +45,7 @@ export interface FeatureEnablement {
 * Legacy features should end with `_enabled`.
 */
 export enum Feature {
+  ArtifactV4Upgrade = "artifact_v4_upgrade",
  CleanupTrapCaches = "cleanup_trap_caches",
  CppDependencyInstallation = "cpp_dependency_installation_enabled",
  DisableCsharpBuildless = "disable_csharp_buildless",
@ -86,6 +87,11 @@ export const featureConfig: Record<
    toolsFeature?: ToolsFeature;
  }
 > = {
+  [Feature.ArtifactV4Upgrade]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_ARTIFACT_V4_UPGRADE",
+    minimumVersion: undefined,
+  },
  [Feature.CleanupTrapCaches]: {
    defaultValue: false,
    envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
--- a/src/init-action-post-helper.ts
+++ b/src/init-action-post-helper.ts
@ -161,6 +161,7 @@ export async function run(
  uploadAllAvailableDebugArtifacts: (
    config: Config,
    logger: Logger,
+    features: FeatureEnablement,
  ) => Promise<void>,
  printDebugLogs: (config: Config) => Promise<void>,
  config: Config,
@ -210,7 +211,7 @@ export async function run(
    logger.info(
      "Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...",
    );
-    await uploadAllAvailableDebugArtifacts(config, logger);
+    await uploadAllAvailableDebugArtifacts(config, logger, features);
    await printDebugLogs(config);
  }

--- a/src/start-proxy-action-post.ts
+++ b/src/start-proxy-action-post.ts
@ -3,12 +3,20 @@
 * It will run after the all steps in this job, in reverse order in relation to
 * other `post:` hooks.
 */
-import * as artifact from "@actions/artifact";
 import * as core from "@actions/core";

 import * as actionsUtil from "./actions-util";
+import { getGitHubVersion } from "./api-client";
 import * as configUtils from "./config-utils";
-import { getErrorMessage } from "./util";
+import { getArtifactUploaderClient } from "./debug-artifacts";
+import { Features } from "./feature-flags";
+import { getActionsLogger } from "./logging";
+import { parseRepositoryNwo } from "./repository";
+import {
+  checkGitHubVersionInRange,
+  getErrorMessage,
+  getRequiredEnvParam,
+} from "./util";

 async function runWrapper() {
  try {
@ -31,18 +39,42 @@ async function runWrapper() {
    core.info(
      "Debug mode is on. Uploading proxy log as Actions debugging artifact...",
    );
+    if (config?.gitHubVersion.type === undefined) {
+      core.warning(
+        `Did not upload debug artifacts because cannot determine the GitHub variant running.`,
+      );
+      return;
+    }
+
+    const logger = getActionsLogger();
+    const gitHubVersion = await getGitHubVersion();
+    checkGitHubVersionInRange(gitHubVersion, logger);
+    const repositoryNwo = parseRepositoryNwo(
+      getRequiredEnvParam("GITHUB_REPOSITORY"),
+    );
+    const features = new Features(
+      gitHubVersion,
+      repositoryNwo,
+      actionsUtil.getTemporaryDirectory(),
+      logger,
+    );
+
    try {
-      await artifact
-        .create()
-        .uploadArtifact(
-          "proxy-log-file",
-          [logFilePath],
-          actionsUtil.getTemporaryDirectory(),
-          {
-            continueOnError: true,
-            retentionDays: 7,
-          },
-        );
+      const artifactUploader = await getArtifactUploaderClient(
+        logger,
+        gitHubVersion.type,
+        features,
+      );
+
+      await artifactUploader.uploadArtifact(
+        "proxy-log-file",
+        [logFilePath],
+        actionsUtil.getTemporaryDirectory(),
+        {
+          // ensure we don't keep the debug artifacts around for too long since they can be large.
+          retentionDays: 7,
+        },
+      );
    } catch (e) {
      // A failure to upload debug artifacts should not fail the entire action.
      core.warning(`Failed to upload debug artifacts: ${e}`);
--- a/src/upload-sarif-action-post.ts
+++ b/src/upload-sarif-action-post.ts
@ -5,19 +5,49 @@
 */
 import * as core from "@actions/core";

+import { getTemporaryDirectory } from "./actions-util";
+import { getGitHubVersion } from "./api-client";
 import * as debugArtifacts from "./debug-artifacts";
 import { EnvVar } from "./environment";
+import { Features } from "./feature-flags";
 import { getActionsLogger, withGroup } from "./logging";
-import { getErrorMessage } from "./util";
+import { parseRepositoryNwo } from "./repository";
+import {
+  checkGitHubVersionInRange,
+  getErrorMessage,
+  getRequiredEnvParam,
+} from "./util";

 async function runWrapper() {
  try {
    const logger = getActionsLogger();
+    const gitHubVersion = await getGitHubVersion();
+    checkGitHubVersionInRange(gitHubVersion, logger);
+    const repositoryNwo = parseRepositoryNwo(
+      getRequiredEnvParam("GITHUB_REPOSITORY"),
+    );
+    const features = new Features(
+      gitHubVersion,
+      repositoryNwo,
+      getTemporaryDirectory(),
+      logger,
+    );
+
    // Upload SARIF artifacts if we determine that this is a third-party analysis run.
    // For first-party runs, this artifact will be uploaded in the `analyze-post` step.
    if (process.env[EnvVar.INIT_ACTION_HAS_RUN] !== "true") {
+      if (gitHubVersion.type === undefined) {
+        core.warning(
+          `Did not upload debug artifacts because cannot determine the GitHub variant running.`,
+        );
+        return;
+      }
      await withGroup("Uploading combined SARIF debug artifact", () =>
-        debugArtifacts.uploadCombinedSarifArtifacts(logger),
+        debugArtifacts.uploadCombinedSarifArtifacts(
+          logger,
+          gitHubVersion.type,
+          features,
+        ),
      );
    }
  } catch (error) {