Fix upload-sarif Action failing if there are no Code Scanning SARIF files
#3123
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR fixes an issue where the upload-sarif Action fails when there are no Code Scanning SARIF files, specifically for code quality-only analysis. It refactors the upload process to handle both Code Scanning and Code Quality SARIF files more gracefully and adds new outputs for tracking uploaded SARIF IDs.
- Refactors upload logic to use a common
findAndUploadfunction for both analysis types - Adds new
sarif-idsoutput containing a JSON object with SARIF IDs for each analysis type - Combines upload status reports when both analysis kinds are enabled
- Updates test configuration to test code quality-only scenarios
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| upload-sarif/action.yml | Updates output descriptions and adds new sarif-ids output |
| src/upload-sarif-action.ts | Refactors upload logic with new findAndUpload function and combined status reporting |
| src/upload-lib.ts | Adds combineSarifUploadResults function to merge upload status reports |
| pr-checks/checks/upload-quality-sarif.yml | Updates test to use code-quality only and validates new output |
| lib/upload-sarif-action.js | Generated JavaScript code reflecting TypeScript changes |
| lib/upload-lib.js | Generated JavaScript code with new export for combine function |
| .github/workflows/__upload-quality-sarif.yml | Auto-generated workflow file updated for code-quality only testing |
mbg
force-pushed
the
mbg/fix/upload-sarif-cq-only
branch
from
00415e9 to
79b45c8
Compare
mbg
force-pushed
the
mbg/fix/upload-sarif-cq-only
branch
from
6d2c7db to
bca5bc4
Compare
| await sendSuccessStatusReport(startedAt, uploadResult.statusReport, logger); | ||
| await sendSuccessStatusReport( | ||
| startedAt, | ||
| uploadResult?.statusReport || {}, |
There was a problem hiding this comment.
Is it convention to add the empty object to these statuses by default?
There was a problem hiding this comment.
Note that this was an intermediate commit and the {} just made the type checker happy until I replaced it with the statusReport from the Code Quality upload or the combination of both uploads.
The three properties of UploadStatusReport are all of type number | undefined, but the UploadStatusReport object itself is required here by sendSuccessStatusReport.
Previously, with only Code Scanning, we only would have reached sendSuccessStatusReport if the SARIF upload to Code Scanning is successful. In that case, the UploadStatusReport object always would have been populated.
Now we also have Code Quality and Code Scanning + Code Quality. So the status report should include the results of the respective upload(s).
src/upload-lib.ts
Outdated
| for (const report of reports) { | ||
| if (report !== undefined) { | ||
| result.num_results_in_sarif = addOptional( | ||
| result.num_results_in_sarif, | ||
| report.num_results_in_sarif, | ||
| ); | ||
| result.raw_upload_size_bytes = addOptional( | ||
| result.raw_upload_size_bytes, | ||
| report.raw_upload_size_bytes, | ||
| ); | ||
| result.zipped_upload_size_bytes = addOptional( | ||
| result.zipped_upload_size_bytes, | ||
| report.zipped_upload_size_bytes, | ||
| ); | ||
| } | ||
| } |
There was a problem hiding this comment.
This is too ad hoc for my taste. Once we add a new numeric field to the type, it will get dropped when going through this function
There was a problem hiding this comment.
I.e. something like
for (const report of reports) {
if (!report) continue;
for (const key of Object.keys(report) as (keyof UploadStatusReport)[]) {
const value = report[key];
if (typeof value !== "number") continue; // Skip non-numeric / undefined
result[key] = ((result[key] ?? 0) as number) + value;
}
}
Conversely, we now risk adding things that can't be added...
Ultimately, we could do some typescript magic where we'd force ourselves to list every numerically typed property as being added or ignored, but that is complex.
There was a problem hiding this comment.
We could do something like that. Perhaps it is best if we leave sorting out the telemetry for a separate change so that we can think about this independently from the bug fix -- see my thoughts in the PR description and in #3123 (comment)
@esbena C++ has no queries in the |
Unlike `sarif-id` which is for the single Code Scanning SARIF id, `sarif-ids` contains stringified JSON object with details of all SARIF ids.
mbg
force-pushed
the
mbg/fix/upload-sarif-cq-only
branch
from
bca5bc4 to
db37d92
Compare
|
I've removed the telemetry changes, other than that in the CQ-only case we send an empty |
In #3064, we overlooked that
upload_lib.uploadFilesis called in theupload-sarifAction, which will fail if it cannot find any SARIF files matching the predicate it is given.For a Code Quality only analysis, there are no Code Scanning SARIF files and the call to
upload_lib.uploadFilestherefore fails before the Code Quality SARIF file(s) can be uploaded.This PR refactors the
upload-sarifAction so that there's common code for Code Scanning and Code Quality to upload either one file or several matching files.There are some optional, other changes in this PR as well, which I can remove if needed:
TheUploadStatusReportvalues for each SARIF upload are now combined for telemetry if both analysis kinds are enabled. Otherwise, we use the respectiveUploadStatusReport.sarif-idsoutput to theupload-sarifAction, which contains a stringified JSON object with details of the SARIF ids that we uploaded to different endpoints. Initially I went for just a comma-separated list of IDs, but I thought it would be useful to know which ID is for which service.Risk assessment
For internal use only. Please select the risk level of this change:
Merge / deployment checklist