Warn when workflow analyzes the same language twice

This commit is contained in:
Henry Mercer 2023-09-22 14:54:03 +01:00
parent 01b8760f90
commit d0c18ba23e
9 changed files with 576 additions and 281 deletions

lib/init-action.js generated

@ -121,8 +121,7 @@ async function run() {
const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger); const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
core.exportVariable(environment_1.EnvVar.JOB_RUN_UUID, (0, uuid_1.v4)()); core.exportVariable(environment_1.EnvVar.JOB_RUN_UUID, (0, uuid_1.v4)());
try { try {
const workflowErrors = await (0, workflow_1.validateWorkflow)(logger); if (!(await (0, status_report_1.sendStatusReport)(await (0, status_report_1.createStatusReportBase)("init", "starting", startedAt, await (0, util_1.checkDiskUsage)(logger))))) {
if (!(await (0, status_report_1.sendStatusReport)(await (0, status_report_1.createStatusReportBase)("init", "starting", startedAt, await (0, util_1.checkDiskUsage)(logger), workflowErrors)))) {
return; return;
} }
const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(gitHubVersion.type); const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(gitHubVersion.type);
@ -132,6 +131,7 @@ async function run() {
toolsDownloadDurationMs = initCodeQLResult.toolsDownloadDurationMs; toolsDownloadDurationMs = initCodeQLResult.toolsDownloadDurationMs;
toolsVersion = initCodeQLResult.toolsVersion; toolsVersion = initCodeQLResult.toolsVersion;
toolsSource = initCodeQLResult.toolsSource; toolsSource = initCodeQLResult.toolsSource;
await (0, workflow_1.validateWorkflow)(codeql, logger);
config = await (0, init_1.initConfig)((0, actions_util_1.getOptionalInput)("languages"), (0, actions_util_1.getOptionalInput)("queries"), (0, actions_util_1.getOptionalInput)("packs"), registriesInput, (0, actions_util_1.getOptionalInput)("config-file"), (0, actions_util_1.getOptionalInput)("db-location"), (0, actions_util_1.getOptionalInput)("config"), getTrapCachingEnabled(), config = await (0, init_1.initConfig)((0, actions_util_1.getOptionalInput)("languages"), (0, actions_util_1.getOptionalInput)("queries"), (0, actions_util_1.getOptionalInput)("packs"), registriesInput, (0, actions_util_1.getOptionalInput)("config-file"), (0, actions_util_1.getOptionalInput)("db-location"), (0, actions_util_1.getOptionalInput)("config"), getTrapCachingEnabled(),
// Debug mode is enabled if: // Debug mode is enabled if:
// - The `init` Action is passed `debug: true`. // - The `init` Action is passed `debug: true`.


lib/workflow.js generated

@ -78,11 +78,43 @@ exports.WorkflowErrors = toCodedErrors({
MissingPushHook: `Please specify an on.push hook to analyze and see code scanning alerts from the default branch on the Security tab.`, MissingPushHook: `Please specify an on.push hook to analyze and see code scanning alerts from the default branch on the Security tab.`,
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`, CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
}); });
function getWorkflowErrors(doc) { async function getWorkflowErrors(doc, codeql) {
const errors = []; const errors = [];
const jobName = process.env.GITHUB_JOB; const jobName = process.env.GITHUB_JOB;
if (jobName) { if (jobName) {
const job = doc?.jobs?.[jobName]; const job = doc?.jobs?.[jobName];
if (job?.strategy?.matrix?.language) {
const matrixLanguages = job.strategy.matrix.language;
if (Array.isArray(matrixLanguages)) {
const resolveResult = await codeql.betterResolveLanguages();
if (resolveResult.aliases) {
const aliases = resolveResult.aliases;
// Map extractors to entries in the `language` matrix parameter. This will allow us to
// detect languages which are analyzed in more than one job.
const matrixLanguagesByExtractor = {};
for (const language of matrixLanguages) {
const extractorName = aliases[language] || language;
if (!matrixLanguagesByExtractor[extractorName]) {
matrixLanguagesByExtractor[extractorName] = [];
}
matrixLanguagesByExtractor[extractorName].push(language);
}
// Check for duplicate languages in the matrix
for (const [extractor, languages] of Object.entries(matrixLanguagesByExtractor)) {
if (languages.length > 1) {
errors.push({
message: `CodeQL language '${extractor}' is referenced by more than one entry in the ` +
`'language' matrix parameter for job '${jobName}'. This may result in duplicate alerts. ` +
`Please edit the 'language' matrix parameter to keep only one of the following: ${languages
.map((language) => `'${language}'`)
.join(", ")}.`,
code: "DuplicateLanguageInMatrix",
});
}
}
}
}
}
const steps = job?.steps; const steps = job?.steps;
if (Array.isArray(steps)) { if (Array.isArray(steps)) {
for (const step of steps) { for (const step of steps) {
@ -127,7 +159,7 @@ function getWorkflowErrors(doc) {
return errors; return errors;
} }
exports.getWorkflowErrors = getWorkflowErrors; exports.getWorkflowErrors = getWorkflowErrors;
async function validateWorkflow(logger) { async function validateWorkflow(codeql, logger) {
let workflow; let workflow;
try { try {
workflow = await getWorkflow(logger); workflow = await getWorkflow(logger);
@ -137,7 +169,7 @@ async function validateWorkflow(logger) {
} }
let workflowErrors; let workflowErrors;
try { try {
workflowErrors = getWorkflowErrors(workflow); workflowErrors = await getWorkflowErrors(workflow, codeql);
} }
catch (e) { catch (e) {
return `error: getWorkflowErrors() failed: ${String(e)}`; return `error: getWorkflowErrors() failed: ${String(e)}`;


lib/workflow.test.js generated

@ -28,119 +28,114 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(exports, "__esModule", { value: true });
const ava_1 = __importDefault(require("ava")); const ava_1 = __importDefault(require("ava"));
const yaml = __importStar(require("js-yaml")); const yaml = __importStar(require("js-yaml"));
const sinon = __importStar(require("sinon"));
const codeql_1 = require("./codeql");
const testing_utils_1 = require("./testing-utils"); const testing_utils_1 = require("./testing-utils");
const workflow_1 = require("./workflow"); const workflow_1 = require("./workflow");
function errorCodes(actual, expected) { function errorCodes(actual, expected) {
return [actual.map(({ code }) => code), expected.map(({ code }) => code)]; return [actual.map(({ code }) => code), expected.map(({ code }) => code)];
} }
(0, testing_utils_1.setupTests)(ava_1.default); (0, testing_utils_1.setupTests)(ava_1.default);
(0, ava_1.default)("getWorkflowErrors() when on is empty", (t) => { (0, ava_1.default)("getWorkflowErrors() when on is empty", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ on: {} }); const errors = await (0, workflow_1.getWorkflowErrors)({ on: {} }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing pull_request", (t) => { (0, ava_1.default)("getWorkflowErrors() when on.push is an array missing pull_request", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ on: ["push"] }); const errors = await (0, workflow_1.getWorkflowErrors)({ on: ["push"] }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing push", (t) => { (0, ava_1.default)("getWorkflowErrors() when on.push is an array missing push", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ on: ["pull_request"] }); const errors = await (0, workflow_1.getWorkflowErrors)({ on: ["pull_request"] }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.MissingPushHook])); t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.MissingPushHook]));
}); });
(0, ava_1.default)("getWorkflowErrors() when on.push is valid", (t) => { (0, ava_1.default)("getWorkflowErrors() when on.push is valid", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request"], on: ["push", "pull_request"],
}); }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() when on.push is a valid superset", (t) => { (0, ava_1.default)("getWorkflowErrors() when on.push is a valid superset", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request", "schedule"], on: ["push", "pull_request", "schedule"],
}); }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", (t) => { (0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ const errors = await (0, workflow_1.getWorkflowErrors)({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } }, on: {
}); push: { branches: ["main"] },
pull_request: { branches: ["main"] },
},
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string and correct", (t) => { (0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string and correct", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ const errors = await (0, workflow_1.getWorkflowErrors)({
on: { push: { branches: "*" }, pull_request: { branches: "*" } }, on: { push: { branches: "*" }, pull_request: { branches: "*" } },
}); }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() when on.push is correct with empty objects", (t) => { (0, ava_1.default)("getWorkflowErrors() when on.push is correct with empty objects", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(` const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
on: on:
push: push:
pull_request: pull_request:
`)); `), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() when on.push is not mismatched", (t) => { (0, ava_1.default)("getWorkflowErrors() when on.push is not mismatched", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ const errors = await (0, workflow_1.getWorkflowErrors)({
on: { on: {
push: { branches: ["main", "feature"] }, push: { branches: ["main", "feature"] },
pull_request: { branches: ["main"] }, pull_request: { branches: ["main"] },
}, },
}); }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() for a range of malformed workflows", (t) => { (0, ava_1.default)("getWorkflowErrors() for a range of malformed workflows", async (t) => {
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({ t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: { on: {
push: 1, push: 1,
pull_request: 1, pull_request: 1,
}, },
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({ t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1, on: 1,
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes( t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
on: 1, on: 1,
jobs: 1, jobs: 1,
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes( t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
on: 1, on: 1,
jobs: [1], jobs: [1],
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({ t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1, on: 1,
jobs: { 1: 1 }, jobs: { 1: 1 },
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({ t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1, on: 1,
jobs: { test: 1 }, jobs: { test: 1 },
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({ t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1, on: 1,
jobs: { test: [1] }, jobs: { test: [1] },
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes( t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
on: 1, on: 1,
jobs: { test: { steps: 1 } }, jobs: { test: { steps: 1 } },
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes( t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
on: 1, on: 1,
jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } }, jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({ t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1, on: 1,
jobs: { test: [undefined] }, jobs: { test: [undefined] },
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(1), [])); t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(1, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes( t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
on: { on: {
push: { push: {
branches: 1, branches: 1,
@ -149,25 +144,77 @@ function errorCodes(actual, expected) {
branches: 1, branches: 1,
}, },
}, },
}), [])); }, await (0, codeql_1.getCodeQLForTesting)()), []));
}); });
(0, ava_1.default)("getWorkflowErrors() when on.pull_request for wildcard branches", (t) => { (0, ava_1.default)("getWorkflowErrors() when on.pull_request for wildcard branches", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ const errors = await (0, workflow_1.getWorkflowErrors)({
on: { on: {
push: { branches: ["feature/*"] }, push: { branches: ["feature/*"] },
pull_request: { branches: "feature/moose" }, pull_request: { branches: "feature/moose" },
}, },
}); }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() when HEAD^2 is checked out", (t) => { (0, ava_1.default)("getWorkflowErrors() when HEAD^2 is checked out", async (t) => {
process.env.GITHUB_JOB = "test"; process.env.GITHUB_JOB = "test";
const errors = (0, workflow_1.getWorkflowErrors)({ const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request"], on: ["push", "pull_request"],
jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } }, jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
}); }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.CheckoutWrongHead])); t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.CheckoutWrongHead]));
}); });
(0, ava_1.default)("getWorkflowErrors() for workflow with language name and its alias", async (t) => {
await testLanguageAliases(t, ["java", "kotlin"], "java", ["java-kotlin", "kotlin"], [
"CodeQL language 'java' is referenced by more than one entry in the 'language' matrix " +
"parameter for job 'test'. This may result in duplicate alerts. Please edit the 'language' " +
"matrix parameter to keep only one of the following: 'java', 'kotlin'.",
]);
});
(0, ava_1.default)("getWorkflowErrors() for workflow with two aliases same language", async (t) => {
await testLanguageAliases(t, ["java-kotlin", "kotlin"], "java", ["java-kotlin", "kotlin"], [
"CodeQL language 'java' is referenced by more than one entry in the 'language' matrix " +
"parameter for job 'test'. This may result in duplicate alerts. Please edit the 'language' " +
"matrix parameter to keep only one of the following: 'java-kotlin', 'kotlin'.",
]);
});
(0, ava_1.default)("getWorkflowErrors() does not produce error if codeql doesn't support language aliases", async (t) => {
await testLanguageAliases(t, ["java-kotlin", "kotlin"], "java", undefined, []);
});
async function testLanguageAliases(t, matrixLanguages, languageName, aliases, expectedErrorMessages) {
process.env.GITHUB_JOB = "test";
const codeql = await (0, codeql_1.getCodeQLForTesting)();
sinon.stub(codeql, "betterResolveLanguages").resolves({
aliases: aliases !== undefined
? Object.assign({}, ...aliases.map((alias) => ({ [alias]: languageName })))
: undefined,
extractors: {
java: [
{
extractor_root: "",
},
],
},
});
const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request"],
jobs: {
test: {
strategy: {
matrix: {
language: matrixLanguages,
},
},
steps: [
{ uses: "actions/checkout@v2" },
{ uses: "github/codeql-action/init@v2" },
{ uses: "github/codeql-action/analyze@v2" },
],
},
},
}, codeql);
t.is(errors.length, expectedErrorMessages.length);
t.deepEqual(errors.map((e) => e.message), expectedErrorMessages);
}
(0, ava_1.default)("formatWorkflowErrors() when there is one error", (t) => { (0, ava_1.default)("formatWorkflowErrors() when there is one error", (t) => {
const message = (0, workflow_1.formatWorkflowErrors)([workflow_1.WorkflowErrors.CheckoutWrongHead]); const message = (0, workflow_1.formatWorkflowErrors)([workflow_1.WorkflowErrors.CheckoutWrongHead]);
t.true(message.startsWith("1 issue was detected with this workflow:")); t.true(message.startsWith("1 issue was detected with this workflow:"));
@ -213,19 +260,19 @@ function errorCodes(actual, expected) {
t.true((0, workflow_1.patternIsSuperset)("/robin/*/release/*", "/robin/moose/release/goose")); t.true((0, workflow_1.patternIsSuperset)("/robin/*/release/*", "/robin/moose/release/goose"));
t.false((0, workflow_1.patternIsSuperset)("/robin/moose/release/goose", "/robin/*/release/*")); t.false((0, workflow_1.patternIsSuperset)("/robin/moose/release/goose", "/robin/*/release/*"));
}); });
(0, ava_1.default)("getWorkflowErrors() when branches contain dots", (t) => { (0, ava_1.default)("getWorkflowErrors() when branches contain dots", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(` const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
on: on:
push: push:
branches: [4.1, master] branches: [4.1, master]
pull_request: pull_request:
# The branches below must be a subset of the branches above # The branches below must be a subset of the branches above
branches: [4.1, master] branches: [4.1, master]
`)); `), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() when on.push has a trailing comma", (t) => { (0, ava_1.default)("getWorkflowErrors() when on.push has a trailing comma", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(` const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL" name: "CodeQL"
on: on:
push: push:
@ -233,12 +280,12 @@ function errorCodes(actual, expected) {
pull_request: pull_request:
# The branches below must be a subset of the branches above # The branches below must be a subset of the branches above
branches: [master] branches: [master]
`)); `), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() should only report the current job's CheckoutWrongHead", (t) => { (0, ava_1.default)("getWorkflowErrors() should only report the current job's CheckoutWrongHead", async (t) => {
process.env.GITHUB_JOB = "test"; process.env.GITHUB_JOB = "test";
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(` const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL" name: "CodeQL"
on: on:
push: push:
@ -257,12 +304,12 @@ function errorCodes(actual, expected) {
test3: test3:
steps: [] steps: []
`)); `), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.CheckoutWrongHead])); t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.CheckoutWrongHead]));
}); });
(0, ava_1.default)("getWorkflowErrors() should not report a different job's CheckoutWrongHead", (t) => { (0, ava_1.default)("getWorkflowErrors() should not report a different job's CheckoutWrongHead", async (t) => {
process.env.GITHUB_JOB = "test3"; process.env.GITHUB_JOB = "test3";
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(` const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL" name: "CodeQL"
on: on:
push: push:
@ -281,41 +328,41 @@ function errorCodes(actual, expected) {
test3: test3:
steps: [] steps: []
`)); `), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() when on is missing", (t) => { (0, ava_1.default)("getWorkflowErrors() when on is missing", async (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(` const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL" name: "CodeQL"
`)); `), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
(0, ava_1.default)("getWorkflowErrors() with a different on setup", (t) => { (0, ava_1.default)("getWorkflowErrors() with a different on setup", async (t) => {
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(` t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL" name: "CodeQL"
on: "workflow_dispatch" on: "workflow_dispatch"
`)), [])); `), await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(` t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL" name: "CodeQL"
on: [workflow_dispatch] on: [workflow_dispatch]
`)), [])); `), await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(` t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL" name: "CodeQL"
on: on:
workflow_dispatch: {} workflow_dispatch: {}
`)), [])); `), await (0, codeql_1.getCodeQLForTesting)()), []));
}); });
(0, ava_1.default)("getWorkflowErrors() should not report an error if PRs are totally unconfigured", (t) => { (0, ava_1.default)("getWorkflowErrors() should not report an error if PRs are totally unconfigured", async (t) => {
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(` t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL" name: "CodeQL"
on: on:
push: push:
branches: [master] branches: [master]
`)), [])); `), await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(` t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL" name: "CodeQL"
on: ["push"] on: ["push"]
`)), [])); `), await (0, codeql_1.getCodeQLForTesting)()), []));
}); });
(0, ava_1.default)("getCategoryInputOrThrow returns category for simple workflow with category", (t) => { (0, ava_1.default)("getCategoryInputOrThrow returns category for simple workflow with category", (t) => {
process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository"; process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";



@ -217,8 +217,6 @@ async function run() {
core.exportVariable(EnvVar.JOB_RUN_UUID, uuidV4()); core.exportVariable(EnvVar.JOB_RUN_UUID, uuidV4());
try { try {
const workflowErrors = await validateWorkflow(logger);
if ( if (
!(await sendStatusReport( !(await sendStatusReport(
await createStatusReportBase( await createStatusReportBase(
@ -226,7 +224,6 @@ async function run() {
"starting", "starting",
startedAt, startedAt,
await checkDiskUsage(logger), await checkDiskUsage(logger),
workflowErrors,
), ),
)) ))
) { ) {
@ -250,6 +247,8 @@ async function run() {
toolsVersion = initCodeQLResult.toolsVersion; toolsVersion = initCodeQLResult.toolsVersion;
toolsSource = initCodeQLResult.toolsSource; toolsSource = initCodeQLResult.toolsSource;
await validateWorkflow(codeql, logger);
config = await initConfig( config = await initConfig(
getOptionalInput("languages"), getOptionalInput("languages"),
getOptionalInput("queries"), getOptionalInput("queries"),
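Review bot: The result of the new `await validateWorkflow(codeql, logger);` placed after `toolsSource = initCodeQLResult.toolsSource;` is discarded, whereas the removed code captured it as `workflowErrors` and fed it into the "starting" status report through `createStatusReportBase(..., workflowErrors)`. Unless validateWorkflow now logs or reports its findings itself (its body is outside this hunk; the visible part of lib/workflow.js only shows it returning an error string when getWorkflowErrors() throws), the new DuplicateLanguageInMatrix warning and the pre-existing MissingPushHook/CheckoutWrongHead checks no longer reach any status report, so the telemetry that motivated the original parameter is silently lost. Consider keeping `const workflowErrors = await validateWorkflow(codeql, logger);` and attaching it to the next status report sent after initConfig, or add a comment at the call site stating where the errors are surfaced now. The body of run() begins and ends outside this hunk.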


@ -1,6 +1,8 @@
import test from "ava"; import test, { ExecutionContext } from "ava";
import * as yaml from "js-yaml"; import * as yaml from "js-yaml";
import * as sinon from "sinon";
import { getCodeQLForTesting } from "./codeql";
import { setupTests } from "./testing-utils"; import { setupTests } from "./testing-utils";
import { import {
CodedError, CodedError,
@ -22,227 +24,387 @@ function errorCodes(
setupTests(test); setupTests(test);
test("getWorkflowErrors() when on is empty", (t) => { test("getWorkflowErrors() when on is empty", async (t) => {
const errors = getWorkflowErrors({ on: {} }); const errors = await getWorkflowErrors(
{ on: {} },
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() when on.push is an array missing pull_request", (t) => { test("getWorkflowErrors() when on.push is an array missing pull_request", async (t) => {
const errors = getWorkflowErrors({ on: ["push"] }); const errors = await getWorkflowErrors(
{ on: ["push"] },
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() when on.push is an array missing push", (t) => { test("getWorkflowErrors() when on.push is an array missing push", async (t) => {
const errors = getWorkflowErrors({ on: ["pull_request"] }); const errors = await getWorkflowErrors(
{ on: ["pull_request"] },
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [WorkflowErrors.MissingPushHook])); t.deepEqual(...errorCodes(errors, [WorkflowErrors.MissingPushHook]));
}); });
test("getWorkflowErrors() when on.push is valid", (t) => { test("getWorkflowErrors() when on.push is valid", async (t) => {
const errors = getWorkflowErrors({ const errors = await getWorkflowErrors(
on: ["push", "pull_request"], {
}); on: ["push", "pull_request"],
},
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() when on.push is a valid superset", (t) => { test("getWorkflowErrors() when on.push is a valid superset", async (t) => {
const errors = getWorkflowErrors({ const errors = await getWorkflowErrors(
on: ["push", "pull_request", "schedule"], {
}); on: ["push", "pull_request", "schedule"],
},
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() when on.push is a correct object", (t) => { test("getWorkflowErrors() when on.push is a correct object", async (t) => {
const errors = getWorkflowErrors({ const errors = await getWorkflowErrors(
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } }, {
}); on: {
push: { branches: ["main"] },
pull_request: { branches: ["main"] },
},
},
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() when on.pull_requests is a string and correct", (t) => { test("getWorkflowErrors() when on.pull_requests is a string and correct", async (t) => {
const errors = getWorkflowErrors({ const errors = await getWorkflowErrors(
on: { push: { branches: "*" }, pull_request: { branches: "*" } }, {
}); on: { push: { branches: "*" }, pull_request: { branches: "*" } },
},
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() when on.push is correct with empty objects", (t) => { test("getWorkflowErrors() when on.push is correct with empty objects", async (t) => {
const errors = getWorkflowErrors( const errors = await getWorkflowErrors(
yaml.load(` yaml.load(`
on: on:
push: push:
pull_request: pull_request:
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
); );
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() when on.push is not mismatched", (t) => { test("getWorkflowErrors() when on.push is not mismatched", async (t) => {
const errors = getWorkflowErrors({ const errors = await getWorkflowErrors(
on: { {
push: { branches: ["main", "feature"] }, on: {
pull_request: { branches: ["main"] }, push: { branches: ["main", "feature"] },
pull_request: { branches: ["main"] },
},
}, },
}); await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() for a range of malformed workflows", (t) => { test("getWorkflowErrors() for a range of malformed workflows", async (t) => {
t.deepEqual( t.deepEqual(
...errorCodes( ...errorCodes(
getWorkflowErrors({ await getWorkflowErrors(
on: { {
push: 1, on: {
pull_request: 1, push: 1,
}, pull_request: 1,
} as Workflow),
[],
),
);
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: 1,
} as Workflow),
[],
),
);
t.deepEqual(
...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
getWorkflowErrors({
on: 1,
jobs: 1,
} as any),
[],
),
);
t.deepEqual(
...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
getWorkflowErrors({
on: 1,
jobs: [1],
} as any),
[],
),
);
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: 1,
jobs: { 1: 1 },
} as Workflow),
[],
),
);
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: 1,
jobs: { test: 1 },
} as Workflow),
[],
),
);
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: 1,
jobs: { test: [1] },
} as Workflow),
[],
),
);
t.deepEqual(
...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
getWorkflowErrors({
on: 1,
jobs: { test: { steps: 1 } },
} as any),
[],
),
);
t.deepEqual(
...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
getWorkflowErrors({
on: 1,
jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
} as any),
[],
),
);
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: 1,
jobs: { test: [undefined] },
} as Workflow),
[],
),
);
t.deepEqual(...errorCodes(getWorkflowErrors(1 as Workflow), []));
t.deepEqual(
...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
getWorkflowErrors({
on: {
push: {
branches: 1,
}, },
pull_request: { } as Workflow,
branches: 1, await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: 1,
} as unknown as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: [1],
} as unknown as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { 1: 1 },
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { test: 1 },
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { test: [1] },
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { test: { steps: 1 } },
} as unknown as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
} as unknown as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { test: [undefined] },
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(1 as Workflow, await getCodeQLForTesting()),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: {
push: {
branches: 1,
},
pull_request: {
branches: 1,
},
}, },
}, } as unknown as Workflow,
} as any), await getCodeQLForTesting(),
),
[], [],
), ),
); );
}); });
test("getWorkflowErrors() when on.pull_request for wildcard branches", (t) => { test("getWorkflowErrors() when on.pull_request for wildcard branches", async (t) => {
const errors = getWorkflowErrors({ const errors = await getWorkflowErrors(
on: { {
push: { branches: ["feature/*"] }, on: {
pull_request: { branches: "feature/moose" }, push: { branches: ["feature/*"] },
pull_request: { branches: "feature/moose" },
},
}, },
}); await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() when HEAD^2 is checked out", (t) => { test("getWorkflowErrors() when HEAD^2 is checked out", async (t) => {
process.env.GITHUB_JOB = "test"; process.env.GITHUB_JOB = "test";
const errors = getWorkflowErrors({ const errors = await getWorkflowErrors(
on: ["push", "pull_request"], {
jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } }, on: ["push", "pull_request"],
}); jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
},
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [WorkflowErrors.CheckoutWrongHead])); t.deepEqual(...errorCodes(errors, [WorkflowErrors.CheckoutWrongHead]));
}); });
test("getWorkflowErrors() for workflow with language name and its alias", async (t) => {
await testLanguageAliases(
t,
["java", "kotlin"],
"java",
["java-kotlin", "kotlin"],
[
"CodeQL language 'java' is referenced by more than one entry in the 'language' matrix " +
"parameter for job 'test'. This may result in duplicate alerts. Please edit the 'language' " +
"matrix parameter to keep only one of the following: 'java', 'kotlin'.",
],
);
});
test("getWorkflowErrors() for workflow with two aliases same language", async (t) => {
await testLanguageAliases(
t,
["java-kotlin", "kotlin"],
"java",
["java-kotlin", "kotlin"],
[
"CodeQL language 'java' is referenced by more than one entry in the 'language' matrix " +
"parameter for job 'test'. This may result in duplicate alerts. Please edit the 'language' " +
"matrix parameter to keep only one of the following: 'java-kotlin', 'kotlin'.",
],
);
});
test("getWorkflowErrors() does not produce error if codeql doesn't support language aliases", async (t) => {
await testLanguageAliases(
t,
["java-kotlin", "kotlin"],
"java",
undefined,
[],
);
});
async function testLanguageAliases(
t: ExecutionContext<unknown>,
matrixLanguages: string[],
languageName: string,
aliases: string[] | undefined,
expectedErrorMessages: string[],
) {
process.env.GITHUB_JOB = "test";
const codeql = await getCodeQLForTesting();
sinon.stub(codeql, "betterResolveLanguages").resolves({
aliases:
aliases !== undefined
? Object.assign(
{},
...aliases.map((alias) => ({ [alias]: languageName })),
)
: undefined,
extractors: {
java: [
{
extractor_root: "",
},
],
},
});
const errors = await getWorkflowErrors(
{
on: ["push", "pull_request"],
jobs: {
test: {
strategy: {
matrix: {
language: matrixLanguages,
},
},
steps: [
{ uses: "actions/checkout@v2" },
{ uses: "github/codeql-action/init@v2" },
{ uses: "github/codeql-action/analyze@v2" },
],
},
},
} as Workflow,
codeql,
);
t.is(errors.length, expectedErrorMessages.length);
t.deepEqual(
errors.map((e) => e.message),
expectedErrorMessages,
);
}
test("formatWorkflowErrors() when there is one error", (t) => { test("formatWorkflowErrors() when there is one error", (t) => {
const message = formatWorkflowErrors([WorkflowErrors.CheckoutWrongHead]); const message = formatWorkflowErrors([WorkflowErrors.CheckoutWrongHead]);
t.true(message.startsWith("1 issue was detected with this workflow:")); t.true(message.startsWith("1 issue was detected with this workflow:"));
@ -297,8 +459,8 @@ test("patternIsSuperset()", (t) => {
); );
}); });
test("getWorkflowErrors() when branches contain dots", (t) => { test("getWorkflowErrors() when branches contain dots", async (t) => {
const errors = getWorkflowErrors( const errors = await getWorkflowErrors(
yaml.load(` yaml.load(`
on: on:
push: push:
@ -307,13 +469,14 @@ test("getWorkflowErrors() when branches contain dots", (t) => {
# The branches below must be a subset of the branches above # The branches below must be a subset of the branches above
branches: [4.1, master] branches: [4.1, master]
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
); );
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() when on.push has a trailing comma", (t) => { test("getWorkflowErrors() when on.push has a trailing comma", async (t) => {
const errors = getWorkflowErrors( const errors = await getWorkflowErrors(
yaml.load(` yaml.load(`
name: "CodeQL" name: "CodeQL"
on: on:
@ -323,15 +486,16 @@ test("getWorkflowErrors() when on.push has a trailing comma", (t) => {
# The branches below must be a subset of the branches above # The branches below must be a subset of the branches above
branches: [master] branches: [master]
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
); );
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() should only report the current job's CheckoutWrongHead", (t) => { test("getWorkflowErrors() should only report the current job's CheckoutWrongHead", async (t) => {
process.env.GITHUB_JOB = "test"; process.env.GITHUB_JOB = "test";
const errors = getWorkflowErrors( const errors = await getWorkflowErrors(
yaml.load(` yaml.load(`
name: "CodeQL" name: "CodeQL"
on: on:
@ -352,15 +516,16 @@ test("getWorkflowErrors() should only report the current job's CheckoutWrongHead
test3: test3:
steps: [] steps: []
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
); );
t.deepEqual(...errorCodes(errors, [WorkflowErrors.CheckoutWrongHead])); t.deepEqual(...errorCodes(errors, [WorkflowErrors.CheckoutWrongHead]));
}); });
test("getWorkflowErrors() should not report a different job's CheckoutWrongHead", (t) => { test("getWorkflowErrors() should not report a different job's CheckoutWrongHead", async (t) => {
process.env.GITHUB_JOB = "test3"; process.env.GITHUB_JOB = "test3";
const errors = getWorkflowErrors( const errors = await getWorkflowErrors(
yaml.load(` yaml.load(`
name: "CodeQL" name: "CodeQL"
on: on:
@ -381,29 +546,32 @@ test("getWorkflowErrors() should not report a different job's CheckoutWrongHead"
test3: test3:
steps: [] steps: []
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
); );
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() when on is missing", (t) => { test("getWorkflowErrors() when on is missing", async (t) => {
const errors = getWorkflowErrors( const errors = await getWorkflowErrors(
yaml.load(` yaml.load(`
name: "CodeQL" name: "CodeQL"
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
); );
t.deepEqual(...errorCodes(errors, [])); t.deepEqual(...errorCodes(errors, []));
}); });
test("getWorkflowErrors() with a different on setup", (t) => { test("getWorkflowErrors() with a different on setup", async (t) => {
t.deepEqual( t.deepEqual(
...errorCodes( ...errorCodes(
getWorkflowErrors( await getWorkflowErrors(
yaml.load(` yaml.load(`
name: "CodeQL" name: "CodeQL"
on: "workflow_dispatch" on: "workflow_dispatch"
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
), ),
[], [],
), ),
@ -411,11 +579,12 @@ test("getWorkflowErrors() with a different on setup", (t) => {
t.deepEqual( t.deepEqual(
...errorCodes( ...errorCodes(
getWorkflowErrors( await getWorkflowErrors(
yaml.load(` yaml.load(`
name: "CodeQL" name: "CodeQL"
on: [workflow_dispatch] on: [workflow_dispatch]
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
), ),
[], [],
), ),
@ -423,28 +592,30 @@ test("getWorkflowErrors() with a different on setup", (t) => {
t.deepEqual( t.deepEqual(
...errorCodes( ...errorCodes(
getWorkflowErrors( await getWorkflowErrors(
yaml.load(` yaml.load(`
name: "CodeQL" name: "CodeQL"
on: on:
workflow_dispatch: {} workflow_dispatch: {}
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
), ),
[], [],
), ),
); );
}); });
test("getWorkflowErrors() should not report an error if PRs are totally unconfigured", (t) => { test("getWorkflowErrors() should not report an error if PRs are totally unconfigured", async (t) => {
t.deepEqual( t.deepEqual(
...errorCodes( ...errorCodes(
getWorkflowErrors( await getWorkflowErrors(
yaml.load(` yaml.load(`
name: "CodeQL" name: "CodeQL"
on: on:
push: push:
branches: [master] branches: [master]
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
), ),
[], [],
), ),
@ -452,11 +623,12 @@ test("getWorkflowErrors() should not report an error if PRs are totally unconfig
t.deepEqual( t.deepEqual(
...errorCodes( ...errorCodes(
getWorkflowErrors( await getWorkflowErrors(
yaml.load(` yaml.load(`
name: "CodeQL" name: "CodeQL"
on: ["push"] on: ["push"]
`) as Workflow, `) as Workflow,
await getCodeQLForTesting(),
), ),
[], [],
), ),


@ -6,6 +6,7 @@ import * as core from "@actions/core";
import * as yaml from "js-yaml"; import * as yaml from "js-yaml";
import * as api from "./api-client"; import * as api from "./api-client";
import { CodeQL } from "./codeql";
import { EnvVar } from "./environment"; import { EnvVar } from "./environment";
import { Logger } from "./logging"; import { Logger } from "./logging";
import { getRequiredEnvParam, isInTestMode } from "./util"; import { getRequiredEnvParam, isInTestMode } from "./util";
@ -21,6 +22,7 @@ interface WorkflowJob {
name?: string; name?: string;
"runs-on"?: string; "runs-on"?: string;
steps?: WorkflowJobStep[]; steps?: WorkflowJobStep[];
strategy?: { matrix: { [key: string]: string[] } };
uses?: string; uses?: string;
} }
@ -104,7 +106,10 @@ export const WorkflowErrors = toCodedErrors({
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`, CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
}); });
export function getWorkflowErrors(doc: Workflow): CodedError[] { export async function getWorkflowErrors(
doc: Workflow,
codeql: CodeQL,
): Promise<CodedError[]> {
const errors: CodedError[] = []; const errors: CodedError[] = [];
const jobName = process.env.GITHUB_JOB; const jobName = process.env.GITHUB_JOB;
@ -112,6 +117,45 @@ export function getWorkflowErrors(doc: Workflow): CodedError[] {
if (jobName) { if (jobName) {
const job = doc?.jobs?.[jobName]; const job = doc?.jobs?.[jobName];
if (job?.strategy?.matrix?.language) {
const matrixLanguages = job.strategy.matrix.language;
if (Array.isArray(matrixLanguages)) {
const resolveResult = await codeql.betterResolveLanguages();
if (resolveResult.aliases) {
const aliases = resolveResult.aliases;
// Map extractors to entries in the `language` matrix parameter. This will allow us to
// detect languages which are analyzed in more than one job.
const matrixLanguagesByExtractor: {
[extractorName: string]: string[];
} = {};
for (const language of matrixLanguages) {
const extractorName = aliases[language] || language;
if (!matrixLanguagesByExtractor[extractorName]) {
matrixLanguagesByExtractor[extractorName] = [];
}
matrixLanguagesByExtractor[extractorName].push(language);
}
// Check for duplicate languages in the matrix
for (const [extractor, languages] of Object.entries(
matrixLanguagesByExtractor,
)) {
if (languages.length > 1) {
errors.push({
message:
`CodeQL language '${extractor}' is referenced by more than one entry in the ` +
`'language' matrix parameter for job '${jobName}'. This may result in duplicate alerts. ` +
`Please edit the 'language' matrix parameter to keep only one of the following: ${languages
.map((language) => `'${language}'`)
.join(", ")}.`,
code: "DuplicateLanguageInMatrix",
});
}
}
}
}
}
const steps = job?.steps; const steps = job?.steps;
if (Array.isArray(steps)) { if (Array.isArray(steps)) {
@ -163,6 +207,7 @@ export function getWorkflowErrors(doc: Workflow): CodedError[] {
} }
export async function validateWorkflow( export async function validateWorkflow(
codeql: CodeQL,
logger: Logger, logger: Logger,
): Promise<undefined | string> { ): Promise<undefined | string> {
let workflow: Workflow; let workflow: Workflow;
@ -173,7 +218,7 @@ export async function validateWorkflow(
} }
let workflowErrors: CodedError[]; let workflowErrors: CodedError[];
try { try {
workflowErrors = getWorkflowErrors(workflow); workflowErrors = await getWorkflowErrors(workflow, codeql);
} catch (e) { } catch (e) {
return `error: getWorkflowErrors() failed: ${String(e)}`; return `error: getWorkflowErrors() failed: ${String(e)}`;
} }
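Review bot: `matrixLanguagesByExtractor` is a plain object keyed by values taken from the workflow's `matrix.language` list, so an entry named `__proto__` or `constructor` resolves to an inherited property: the `!matrixLanguagesByExtractor[extractorName]` guard is skipped and the following `.push` throws a TypeError, which the catch in validateWorkflow turns into a generic `getWorkflowErrors() failed` string instead of a useful diagnostic; the `aliases[language]` lookup, whose object comes from the CLI's JSON output, has the same inherited-key problem. A `Map<string, string[]>` has no prototype keys, and a `typeof language === "string"` guard covers matrix values that the new `strategy` type declares as `string[]` but that YAML does not guarantee (numbers and objects are valid matrix entries). The enclosing getWorkflowErrors body starts before and ends after this hunk. The new `DuplicateLanguageInMatrix` code is the only one not declared through `WorkflowErrors`, so a short comment at the `errors.push` call would help the next reader, e.g. `// Not a WorkflowErrors entry: the message depends on the matrix contents.`
```typescript
          // Map extractors to entries in the `language` matrix parameter. This will allow us to
          // detect languages which are analyzed in more than one job.
          const matrixLanguagesByExtractor = new Map<string, string[]>();
          for (const language of matrixLanguages) {
            // Only string entries can name a language; skip anything else instead of
            // coercing it to a property key.
            if (typeof language !== "string") continue;
            const extractorName = Object.prototype.hasOwnProperty.call(aliases, language)
              ? aliases[language]
              : language;
            const entries = matrixLanguagesByExtractor.get(extractorName) ?? [];
            entries.push(language);
            matrixLanguagesByExtractor.set(extractorName, entries);
          }
          // Check for duplicate languages in the matrix
          for (const [extractor, languages] of matrixLanguagesByExtractor) {
            // … unchanged: push DuplicateLanguageInMatrix error when languages.length > 1 …
          }
```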