Also look for the CodeQL bundle at the custom GitHub AE endpoint.

2021-02-11 15:13:22 +00:00 · 2021-02-11 15:13:22 +00:00 · f8c5dacab5
commit f8c5dacab5
parent 781e3bc540
27 changed files with 2159 additions and 3 deletions
--- a/lib/codeql.js
+++ b/lib/codeql.js
@ -18,6 +18,7 @@ const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const http = __importStar(require("@actions/http-client"));
 const toolcache = __importStar(require("@actions/tool-cache"));
 const fast_deep_equal_1 = __importDefault(require("fast-deep-equal"));
+const query_string_1 = __importDefault(require("query-string"));
 const semver = __importStar(require("semver"));
 const uuid_1 = require("uuid");
 const actions_util_1 = require("./actions-util");
@ -109,6 +110,25 @@ async function getCodeQLBundleDownloadURL(apiDetails, mode, logger) {
            logger.info(`Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`);
        }
    }
+    try {
+        const release = await api
+            .getApiClient(apiDetails)
+            .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
+            tag: CODEQL_BUNDLE_VERSION,
+        });
+        const assetID = release.data.assets[codeQLBundleName];
+        if (assetID !== undefined) {
+            const download = await api
+                .getApiClient(apiDetails)
+                .request("GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}", { asset_id: assetID });
+            const downloadURL = download.data.url;
+            logger.info(`Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`);
+            return downloadURL;
+        }
+    }
+    catch (e) {
+        logger.info(`Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`);
+    }
    return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
 }
 // We have to download CodeQL manually because the toolcache doesn't support Accept headers.
@ -163,11 +183,15 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, toolsDir, mode, logge
            if (!codeqlURL) {
                codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, mode, logger);
            }
+            const parsedCodeQLURL = new URL(codeqlURL);
+            const parsedQueryString = query_string_1.default.parse(parsedCodeQLURL.search);
            const headers = { accept: "application/octet-stream" };
            // We only want to provide an authorization header if we are downloading
            // from the same GitHub instance the Action is running on.
            // This avoids leaking Enterprise tokens to dotcom.
-            if (codeqlURL.startsWith(`${apiDetails.url}/`)) {
+            // We also don't want to send an authorization header if there's already a token provided in the URL.
+            if (codeqlURL.startsWith(`${apiDetails.url}/`) &&
+                parsedQueryString["token"] === undefined) {
                logger.debug("Downloading CodeQL bundle with token.");
                headers.authorization = `token ${apiDetails.auth}`;
            }