Only delete SARIF in PR check if not running on a fork (#2084)

2024-01-16 16:07:58 -08:00 · 2024-01-16 16:07:58 -08:00 · f65ecd09c7
commit f65ecd09c7
parent 4d75a10efa
6 changed files with 26 additions and 12 deletions
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@ -50,7 +50,6 @@ const status_report_1 = require("./status-report");
 const trap_caching_1 = require("./trap-caching");
 const uploadLib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
-const util_1 = require("./util");
 async function sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger) {
    const status = (0, status_report_1.getActionsStatus)(error, stats?.analyze_failure_language);
    const statusReportBase = await (0, status_report_1.createStatusReportBase)("finish", status, startedAt, await util.checkDiskUsage(), error?.message, error?.stack);
@ -228,7 +227,7 @@ async function run() {
        core.exportVariable(environment_1.EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
    }
    catch (unwrappedError) {
-        const error = (0, util_1.wrapError)(unwrappedError);
+        const error = util.wrapError(unwrappedError);
        if (actionsUtil.getOptionalInput("expect-error") !== "true" ||
            hasBadExpectErrorInput()) {
            core.setFailed(error.message);
@ -261,9 +260,9 @@ async function runWrapper() {
        await exports.runPromise;
    }
    catch (error) {
-        core.setFailed(`analyze action failed: ${(0, util_1.wrapError)(error).message}`);
+        core.setFailed(`analyze action failed: ${util.wrapError(error).message}`);
    }
-    await (0, util_1.checkForTimeout)();
+    await util.checkForTimeout();
 }
 void runWrapper();
 //# sourceMappingURL=analyze-action.js.map
--- a/lib/analyze-action.js.map
+++ b/lib/analyze-action.js.map
--- a/lib/init-action-post-helper.js
+++ b/lib/init-action-post-helper.js
@ -24,6 +24,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.run = exports.tryUploadSarifIfRunFailed = void 0;
+const github = __importStar(require("@actions/github"));
 const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
 const codeql_1 = require("./codeql");
@ -115,7 +116,13 @@ async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, p
            `but the result was instead ${error}.`);
    }
    if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true") {
-        await removeUploadedSarif(uploadFailedSarifResult, logger);
+        if (!github.context.payload.pull_request?.head.repo.fork) {
+            await removeUploadedSarif(uploadFailedSarifResult, logger);
+        }
+        else {
+            logger.info("Skipping deletion of failed SARIF because the workflow was triggered from a fork of " +
+                "codeql-action and doesn't have the appropriate permissions for deletion.");
+        }
    }
    // Upload appropriate Actions artifacts for debugging
    if (config.debugMode) {
--- a/lib/init-action-post-helper.js.map
+++ b/lib/init-action-post-helper.js.map
--- a/src/analyze-action.ts
+++ b/src/analyze-action.ts
@ -36,7 +36,6 @@ import { getTotalCacheSize, uploadTrapCaches } from "./trap-caching";
 import * as uploadLib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
 import * as util from "./util";
-import { checkForTimeout, wrapError } from "./util";

 interface AnalysisStatusReport
  extends uploadLib.UploadStatusReport,
@ -355,7 +354,7 @@ async function run() {
    }
    core.exportVariable(EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
  } catch (unwrappedError) {
-    const error = wrapError(unwrappedError);
+    const error = util.wrapError(unwrappedError);
    if (
      actionsUtil.getOptionalInput("expect-error") !== "true" ||
      hasBadExpectErrorInput()
@ -436,9 +435,9 @@ async function runWrapper() {
  try {
    await runPromise;
  } catch (error) {
-    core.setFailed(`analyze action failed: ${wrapError(error).message}`);
+    core.setFailed(`analyze action failed: ${util.wrapError(error).message}`);
  }
-  await checkForTimeout();
+  await util.checkForTimeout();
 }

 void runWrapper();
--- a/src/init-action-post-helper.ts
+++ b/src/init-action-post-helper.ts
@ -1,3 +1,5 @@
+import * as github from "@actions/github";
+
 import * as actionsUtil from "./actions-util";
 import { getApiClient } from "./api-client";
 import { getCodeQL } from "./codeql";
@ -183,7 +185,14 @@ export async function run(
  }

  if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true") {
-    await removeUploadedSarif(uploadFailedSarifResult, logger);
+    if (!github.context.payload.pull_request?.head.repo.fork) {
+      await removeUploadedSarif(uploadFailedSarifResult, logger);
+    } else {
+      logger.info(
+        "Skipping deletion of failed SARIF because the workflow was triggered from a fork of " +
+          "codeql-action and doesn't have the appropriate permissions for deletion.",
+      );
+    }
  }

  // Upload appropriate Actions artifacts for debugging