From 35454d39b2aec0272d179a012ad48997417c0638 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 18 Sep 2025 13:50:53 +0100 Subject: [PATCH 01/10] Refactor CQ SARIF upload in `upload-sarif` into a function --- lib/upload-sarif-action.js | 35 ++++++++++++++-------- src/upload-sarif-action.ts | 59 +++++++++++++++++++++++++++++--------- 2 files changed, 69 insertions(+), 25 deletions(-) diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index f603d0aa17..f98e2e221c 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -93358,6 +93358,23 @@ function filterAlertsByDiffRange(logger, sarif) { } // src/upload-sarif-action.ts +async function findAndUpload(logger, features, sarifPath, checkoutPath, analysis, category) { + const sarifFiles = findSarifFilesInDir( + sarifPath, + analysis.sarifPredicate + ); + if (sarifFiles.length !== 0) { + return await uploadSpecifiedFiles( + sarifFiles, + checkoutPath, + category, + features, + logger, + analysis + ); + } + return void 0; +} async function sendSuccessStatusReport(startedAt, uploadStats, logger) { const statusReportBase = await createStatusReportBase( "upload-sarif" /* UploadSarif */, @@ -93414,20 +93431,14 @@ async function run() { ); core13.setOutput("sarif-id", uploadResult.sarifID); if (fs15.lstatSync(sarifPath).isDirectory()) { - const qualitySarifFiles = findSarifFilesInDir( + await findAndUpload( + logger, + features, sarifPath, - CodeQuality.sarifPredicate + checkoutPath, + CodeQuality, + fixCodeQualityCategory(logger, category) ); - if (qualitySarifFiles.length !== 0) { - await uploadSpecifiedFiles( - qualitySarifFiles, - checkoutPath, - fixCodeQualityCategory(logger, category), - features, - logger, - CodeQuality - ); - } } if (isInTestMode()) { core13.debug("In test mode. Waiting for processing is disabled."); diff --git a/src/upload-sarif-action.ts b/src/upload-sarif-action.ts index a193e242a6..7881232d3b 100644 --- a/src/upload-sarif-action.ts 
+++ b/src/upload-sarif-action.ts @@ -32,6 +32,45 @@ interface UploadSarifStatusReport extends StatusReportBase, upload_lib.UploadStatusReport {} +/** + * Searches for SARIF files for the given `analysis` in the given `sarifPath`. + * If any are found, then they are uploaded to the appropriate endpoint for the given `analysis`. + * + * @param logger The logger to use. + * @param features Information about FFs. + * @param sarifPath The path to a directory containing SARIF files. + * @param checkoutPath The checkout path. + * @param analysis The configuration of the analysis we should upload SARIF files for. + * @param category The SARIF category to use for the upload. + * @returns The result of uploading the SARIF file(s) or `undefined` if there are none. + */ +async function findAndUpload( + logger: Logger, + features: Features, + sarifPath: string, + checkoutPath: string, + analysis: analyses.AnalysisConfig, + category?: string, +): Promise { + const sarifFiles = upload_lib.findSarifFilesInDir( + sarifPath, + analysis.sarifPredicate, + ); + + if (sarifFiles.length !== 0) { + return await upload_lib.uploadSpecifiedFiles( + sarifFiles, + checkoutPath, + category, + features, + logger, + analysis, + ); + } + + return undefined; +} + async function sendSuccessStatusReport( startedAt: Date, uploadStats: upload_lib.UploadStatusReport, @@ -86,6 +125,7 @@ async function run() { } try { + // `sarifPath` can either be a path to a single file, or a path to a directory. const sarifPath = actionsUtil.getRequiredInput("sarif_file"); const checkoutPath = actionsUtil.getRequiredInput("checkout_path"); const category = actionsUtil.getOptionalInput("category"); 
@@ -104,21 +144,14 @@ async function run() { // Code quality can currently only be enabled on top of security, so we'd currently always expect to // have a directory for the results here. if (fs.lstatSync(sarifPath).isDirectory()) { - const qualitySarifFiles = upload_lib.findSarifFilesInDir( + await findAndUpload( + logger, + features, sarifPath, - analyses.CodeQuality.sarifPredicate, + checkoutPath, + analyses.CodeQuality, + actionsUtil.fixCodeQualityCategory(logger, category), ); - - if (qualitySarifFiles.length !== 0) { - await upload_lib.uploadSpecifiedFiles( - qualitySarifFiles, - checkoutPath, - actionsUtil.fixCodeQualityCategory(logger, category), - features, - logger, - analyses.CodeQuality, - ); - } } // We don't upload results in test mode, so don't wait for processing From a6161a80921e4b05a98e41c0f90bed980292263a Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 18 Sep 2025 14:09:24 +0100 Subject: [PATCH 02/10] Call `lstatSync` on `sarifPath` earlier and check that the path exists then --- lib/upload-sarif-action.js | 6 +++++- src/upload-sarif-action.ts | 7 ++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index f98e2e221c..bc908440b0 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -93421,6 +93421,10 @@ async function run() { const sarifPath = getRequiredInput("sarif_file"); const checkoutPath = getRequiredInput("checkout_path"); const category = getOptionalInput("category"); + const pathStats = fs15.lstatSync(sarifPath, { throwIfNoEntry: false }); + if (pathStats === void 0) { + throw new ConfigurationError(`Path does not exist: ${sarifPath}.`); + } const uploadResult = await uploadFiles( sarifPath, checkoutPath, 
@@ -93430,7 +93434,7 @@ async function run() { CodeScanning ); core13.setOutput("sarif-id", uploadResult.sarifID); - if (fs15.lstatSync(sarifPath).isDirectory()) { + if (pathStats.isDirectory()) { await findAndUpload( logger, features, diff --git a/src/upload-sarif-action.ts b/src/upload-sarif-action.ts index 7881232d3b..ee7cd6ad35 100644 --- a/src/upload-sarif-action.ts +++ b/src/upload-sarif-action.ts @@ -129,6 +129,11 @@ async function run() { const sarifPath = actionsUtil.getRequiredInput("sarif_file"); const checkoutPath = actionsUtil.getRequiredInput("checkout_path"); const category = actionsUtil.getOptionalInput("category"); + const pathStats = fs.lstatSync(sarifPath, { throwIfNoEntry: false }); + + if (pathStats === undefined) { + throw new ConfigurationError(`Path does not exist: ${sarifPath}.`); + } const uploadResult = await upload_lib.uploadFiles( sarifPath, @@ -143,7 +148,7 @@ async function run() { // If there are `.quality.sarif` files in `sarifPath`, then upload those to the code quality service. // Code quality can currently only be enabled on top of security, so we'd currently always expect to // have a directory for the results here. - if (fs.lstatSync(sarifPath).isDirectory()) { + if (pathStats.isDirectory()) { await findAndUpload( logger, features, From c8e017d3e778faac9a5b2898085a763c1198b3d1 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 18 Sep 2025 14:10:54 +0100 Subject: [PATCH 03/10] Move `isDirectory` check into `findAndUpload` --- lib/upload-sarif-action.js | 47 ++++++++++++++++++------------------ src/upload-sarif-action.ts | 49 ++++++++++++++++++++------------------ 2 files changed, 50 insertions(+), 46 deletions(-) diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index bc908440b0..3a5044a3c9 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js 
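Review bot: `fs.lstatSync` in the new existence check (`@@ -129,6 +129,11 @@` in `src/upload-sarif-action.ts`) describes the path entry itself, not what it points to, so a dangling symlink passed as `sarif_file` gets past `pathStats === undefined`. At this commit the `fs.existsSync` test in `getSarifFilePaths` still rejects it later, but PATCH 05 removes that function. The same `pathStats` then feeds the `isFile()` branch added in PATCH 04, where a symlink is neither a directory nor a regular file, so `findAndUpload` returns `undefined` without any message. If links are meant to be followed, `const pathStats = fs.statSync(sarifPath, { throwIfNoEntry: false });` leaves the rest of the hunk unchanged; if they are meant to be refused, the `ConfigurationError` should say so explicitly. The body of `run` continues outside this hunk.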
@@ -93358,20 +93358,22 @@ function filterAlertsByDiffRange(logger, sarif) { } // src/upload-sarif-action.ts -async function findAndUpload(logger, features, sarifPath, checkoutPath, analysis, category) { - const sarifFiles = findSarifFilesInDir( - sarifPath, - analysis.sarifPredicate - ); - if (sarifFiles.length !== 0) { - return await uploadSpecifiedFiles( - sarifFiles, - checkoutPath, - category, - features, - logger, - analysis +async function findAndUpload(logger, features, sarifPath, pathStats, checkoutPath, analysis, category) { + if (pathStats.isDirectory()) { + const sarifFiles = findSarifFilesInDir( + sarifPath, + analysis.sarifPredicate ); + if (sarifFiles.length !== 0) { + return await uploadSpecifiedFiles( + sarifFiles, + checkoutPath, + category, + features, + logger, + analysis + ); + } } return void 0; } @@ -93434,16 +93436,15 @@ async function run() { CodeScanning ); core13.setOutput("sarif-id", uploadResult.sarifID); - if (pathStats.isDirectory()) { - await findAndUpload( - logger, - features, - sarifPath, - checkoutPath, - CodeQuality, - fixCodeQualityCategory(logger, category) - ); - } + await findAndUpload( + logger, + features, + sarifPath, + pathStats, + checkoutPath, + CodeQuality, + fixCodeQualityCategory(logger, category) + ); if (isInTestMode()) { core13.debug("In test mode. Waiting for processing is disabled."); } else if (getRequiredInput("wait-for-processing") === "true") { diff --git a/src/upload-sarif-action.ts b/src/upload-sarif-action.ts index ee7cd6ad35..3d0fd55c59 100644 --- a/src/upload-sarif-action.ts +++ b/src/upload-sarif-action.ts 
@@ -39,6 +39,7 @@ interface UploadSarifStatusReport * @param logger The logger to use. * @param features Information about FFs. * @param sarifPath The path to a directory containing SARIF files. + * @param pathStats Information about `sarifPath`. * @param checkoutPath The checkout path. * @param analysis The configuration of the analysis we should upload SARIF files for. * @param category The SARIF category to use for the upload. @@ -48,24 +49,27 @@ async function findAndUpload( logger: Logger, features: Features, sarifPath: string, + pathStats: fs.Stats, checkoutPath: string, analysis: analyses.AnalysisConfig, category?: string, ): Promise { - const sarifFiles = upload_lib.findSarifFilesInDir( - sarifPath, - analysis.sarifPredicate, - ); - - if (sarifFiles.length !== 0) { - return await upload_lib.uploadSpecifiedFiles( - sarifFiles, - checkoutPath, - category, - features, - logger, - analysis, + if (pathStats.isDirectory()) { + const sarifFiles = upload_lib.findSarifFilesInDir( + sarifPath, + analysis.sarifPredicate, ); + + if (sarifFiles.length !== 0) { + return await upload_lib.uploadSpecifiedFiles( + sarifFiles, + checkoutPath, + category, + features, + logger, + analysis, + ); + } } return undefined; @@ -148,16 +152,15 @@ async function run() { // If there are `.quality.sarif` files in `sarifPath`, then upload those to the code quality service. // Code quality can currently only be enabled on top of security, so we'd currently always expect to // have a directory for the results here. - if (pathStats.isDirectory()) { - await findAndUpload( - logger, - features, - sarifPath, - checkoutPath, - analyses.CodeQuality, - actionsUtil.fixCodeQualityCategory(logger, category), - ); - } + await findAndUpload( + logger, + features, + sarifPath, + pathStats, + checkoutPath, + analyses.CodeQuality, + actionsUtil.fixCodeQualityCategory(logger, category), + ); // We don't upload results in test mode, so don't wait for processing if (isInTestMode()) { 
From 696b4676543386871f518582b965dcb2baef5c3b Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 18 Sep 2025 14:19:41 +0100 Subject: [PATCH 04/10] Handle single file case in `findAndUpload` --- lib/upload-sarif-action.js | 27 ++++++++++++++++----------- src/upload-sarif-action.ts | 30 ++++++++++++++++++------------ 2 files changed, 34 insertions(+), 23 deletions(-) diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 3a5044a3c9..eb67a1367a 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -93359,21 +93359,26 @@ function filterAlertsByDiffRange(logger, sarif) { // src/upload-sarif-action.ts async function findAndUpload(logger, features, sarifPath, pathStats, checkoutPath, analysis, category) { + let sarifFiles; if (pathStats.isDirectory()) { - const sarifFiles = findSarifFilesInDir( + sarifFiles = findSarifFilesInDir( sarifPath, analysis.sarifPredicate ); - if (sarifFiles.length !== 0) { - return await uploadSpecifiedFiles( - sarifFiles, - checkoutPath, - category, - features, - logger, - analysis - ); - } + } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) { + sarifFiles = [sarifPath]; + } else { + return void 0; + } + if (sarifFiles.length !== 0) { + return await uploadSpecifiedFiles( + sarifFiles, + checkoutPath, + category, + features, + logger, + analysis + ); } return void 0; } diff --git a/src/upload-sarif-action.ts b/src/upload-sarif-action.ts index 3d0fd55c59..8fb8c35c3b 100644 --- a/src/upload-sarif-action.ts +++ b/src/upload-sarif-action.ts 
@@ -38,7 +38,7 @@ interface UploadSarifStatusReport * * @param logger The logger to use. * @param features Information about FFs. - * @param sarifPath The path to a directory containing SARIF files. + * @param sarifPath The path to a SARIF file or directory containing SARIF files. * @param pathStats Information about `sarifPath`. * @param checkoutPath The checkout path. * @param analysis The configuration of the analysis we should upload SARIF files for. @@ -54,22 +54,28 @@ async function findAndUpload( analysis: analyses.AnalysisConfig, category?: string, ): Promise { + let sarifFiles: string[] | undefined; + if (pathStats.isDirectory()) { - const sarifFiles = upload_lib.findSarifFilesInDir( + sarifFiles = upload_lib.findSarifFilesInDir( sarifPath, analysis.sarifPredicate, ); + } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) { + sarifFiles = [sarifPath]; + } else { + return undefined; + } - if (sarifFiles.length !== 0) { - return await upload_lib.uploadSpecifiedFiles( - sarifFiles, - checkoutPath, - category, - features, - logger, - analysis, - ); - } + if (sarifFiles.length !== 0) { + return await upload_lib.uploadSpecifiedFiles( + sarifFiles, + checkoutPath, + category, + features, + logger, + analysis, + ); } return undefined; From a2ce09906026433a0016470fbff9fcf2dec97807 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 18 Sep 2025 14:23:11 +0100 Subject: [PATCH 05/10] Use `findAndUpload` for Code Scanning --- lib/upload-sarif-action.js | 64 +++++++++++++------------------------- src/upload-sarif-action.ts | 31 +++++++++++------- 2 files changed, 41 insertions(+), 54 deletions(-) diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index eb67a1367a..5f86c63962 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js 
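Review bot: A single `sarif_file` that fails `analysis.sarifPredicate(sarifPath)` now falls into the `else` branch of `findAndUpload` (`@@ -54,22 +54,28 @@`) and the function returns `undefined` with no log line. The single-file branch of `getSarifFilePaths`, still used for Code Scanning at this commit and removed in PATCH 05, took `[sarifPath]` without consulting the predicate. Once Code Scanning is routed through this function, a results file whose name the predicate rejects would presumably stop being uploaded while the step still succeeds; this needs confirming against the predicate, which is not shown here. I would record the skip before `return undefined;`, e.g. ``logger.info(`Skipping ${sarifPath}: not matched as a ${analysis.name} SARIF file.`);``, and state in the TSDoc `@returns` that `undefined` also covers a path that is neither a directory nor a matching regular file.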
@@ -92985,23 +92985,6 @@ function findSarifFilesInDir(sarifPath, isSarif) { walkSarifFiles(sarifPath); return sarifFiles; } -function getSarifFilePaths(sarifPath, isSarif) { - if (!fs14.existsSync(sarifPath)) { - throw new ConfigurationError(`Path does not exist: ${sarifPath}`); - } - let sarifFiles; - if (fs14.lstatSync(sarifPath).isDirectory()) { - sarifFiles = findSarifFilesInDir(sarifPath, isSarif); - if (sarifFiles.length === 0) { - throw new ConfigurationError( - `No SARIF files found to upload in "${sarifPath}".` - ); - } - } else { - sarifFiles = [sarifPath]; - } - return sarifFiles; -} function countResultsInSarif(sarif) { let numResults = 0; const parsedSarif = JSON.parse(sarif); @@ -93097,20 +93080,6 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo } return payloadObj; } -async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) { - const sarifPaths = getSarifFilePaths( - inputSarifPath, - uploadTarget.sarifPredicate - ); - return uploadSpecifiedFiles( - sarifPaths, - checkoutPath, - category, - features, - logger, - uploadTarget - ); -} async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features, logger, uploadTarget) { logger.startGroup(`Uploading ${uploadTarget.name} results`); logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`); @@ -93432,15 +93401,18 @@ async function run() { if (pathStats === void 0) { throw new ConfigurationError(`Path does not exist: ${sarifPath}.`); } - const uploadResult = await uploadFiles( + const uploadResult = await findAndUpload( + logger, + features, sarifPath, + pathStats, checkoutPath, - category, - features, - logger, - CodeScanning + CodeScanning, + category ); - core13.setOutput("sarif-id", uploadResult.sarifID); + if (uploadResult !== void 0) { + core13.setOutput("sarif-id", uploadResult.sarifID); + } await findAndUpload( logger, features, 
@@ -93453,13 +93425,19 @@ async function run() { if (isInTestMode()) { core13.debug("In test mode. Waiting for processing is disabled."); } else if (getRequiredInput("wait-for-processing") === "true") { - await waitForProcessing( - getRepositoryNwo(), - uploadResult.sarifID, - logger - ); + if (uploadResult !== void 0) { + await waitForProcessing( + getRepositoryNwo(), + uploadResult.sarifID, + logger + ); + } } - await sendSuccessStatusReport(startedAt, uploadResult.statusReport, logger); + await sendSuccessStatusReport( + startedAt, + uploadResult?.statusReport || {}, + logger + ); } catch (unwrappedError) { const error2 = isThirdPartyAnalysis("upload-sarif" /* UploadSarif */) && unwrappedError instanceof InvalidSarifUploadError ? new ConfigurationError(unwrappedError.message) : wrapError(unwrappedError); const message = error2.message; diff --git a/src/upload-sarif-action.ts b/src/upload-sarif-action.ts index 8fb8c35c3b..29f998e813 100644 --- a/src/upload-sarif-action.ts +++ b/src/upload-sarif-action.ts @@ -145,15 +145,18 @@ async function run() { throw new ConfigurationError(`Path does not exist: ${sarifPath}.`); } - const uploadResult = await upload_lib.uploadFiles( + const uploadResult = await findAndUpload( + logger, + features, sarifPath, + pathStats, checkoutPath, - category, - features, - logger, analyses.CodeScanning, + category, ); - core.setOutput("sarif-id", uploadResult.sarifID); + if (uploadResult !== undefined) { + core.setOutput("sarif-id", uploadResult.sarifID); + } // If there are `.quality.sarif` files in `sarifPath`, then upload those to the code quality service. // Code quality can currently only be enabled on top of security, so we'd currently always expect to 
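Review bot: A `sarif_file` directory with no matching files now ends in a successful run, and the step fails open. In `@@ -145,15 +145,18 @@` of `src/upload-sarif-action.ts`, `findAndUpload` returns `undefined` and `sarif-id` is left unset, and the following hunk (`@@ -172,15 +175,21 @@`) calls `sendSuccessStatusReport` with `uploadResult?.statusReport || {}`. The removed `getSarifFilePaths` threw a `ConfigurationError` reading `No SARIF files found to upload in "..."`, so a workflow could not go green having delivered no findings. I would restore that error in `run` when neither `findAndUpload` call produced a result, e.g. ``if (uploadResult === undefined && qualityUploadResult === undefined) throw new ConfigurationError(`No SARIF files found to upload in "${sarifPath}".`);``, which needs the second call's result bound to a name (PATCH 06 does this as `qualityUploadResult`). As a smaller style point, `?? {}` states the intent more precisely than `|| {}`.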
@@ -172,15 +175,21 @@ async function run() { if (isInTestMode()) { core.debug("In test mode. Waiting for processing is disabled."); } else if (actionsUtil.getRequiredInput("wait-for-processing") === "true") { - await upload_lib.waitForProcessing( - getRepositoryNwo(), - uploadResult.sarifID, - logger, - ); + if (uploadResult !== undefined) { + await upload_lib.waitForProcessing( + getRepositoryNwo(), + uploadResult.sarifID, + logger, + ); + } // The code quality service does not currently have an endpoint to wait for SARIF processing, // so we can't wait for that here. } - await sendSuccessStatusReport(startedAt, uploadResult.statusReport, logger); + await sendSuccessStatusReport( + startedAt, + uploadResult?.statusReport || {}, + logger, + ); } catch (unwrappedError) { const error = isThirdPartyAnalysis(ActionName.UploadSarif) && From d378195403bf7cd9c9b55e4713ede0962aa58b83 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 18 Sep 2025 14:46:05 +0100 Subject: [PATCH 06/10] Add new `sarif-ids` output to `upload-sarif` action Unlike `sarif-id` which is for the single Code Scanning SARIF id, `sarif-ids` contains stringified JSON object with details of all SARIF ids. --- lib/upload-sarif-action.js | 14 +++++++++++++- src/upload-sarif-action.ts | 14 +++++++++++++- upload-sarif/action.yml | 7 ++++++- 3 files changed, 32 insertions(+), 3 deletions(-) diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 5f86c63962..b482d9d3d5 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -93401,6 +93401,7 @@ async function run() { if (pathStats === void 0) { throw new ConfigurationError(`Path does not exist: ${sarifPath}.`); } + const sarifIds = []; const uploadResult = await findAndUpload( logger, features, 
@@ -93412,8 +93413,12 @@ async function run() { ); if (uploadResult !== void 0) { core13.setOutput("sarif-id", uploadResult.sarifID); + sarifIds.push({ + analysis: "code-scanning" /* CodeScanning */, + id: uploadResult.sarifID + }); } - await findAndUpload( + const qualityUploadResult = await findAndUpload( logger, features, sarifPath, @@ -93422,6 +93427,13 @@ async function run() { CodeQuality, fixCodeQualityCategory(logger, category) ); + if (qualityUploadResult !== void 0) { + sarifIds.push({ + analysis: "code-quality" /* CodeQuality */, + id: qualityUploadResult.sarifID + }); + } + core13.setOutput("sarif-ids", JSON.stringify(sarifIds)); if (isInTestMode()) { core13.debug("In test mode. Waiting for processing is disabled."); } else if (getRequiredInput("wait-for-processing") === "true") { diff --git a/src/upload-sarif-action.ts b/src/upload-sarif-action.ts index 29f998e813..4f527b0b6c 100644 --- a/src/upload-sarif-action.ts +++ b/src/upload-sarif-action.ts @@ -145,6 +145,7 @@ async function run() { throw new ConfigurationError(`Path does not exist: ${sarifPath}.`); } + const sarifIds: Array<{ analysis: string; id: string }> = []; const uploadResult = await findAndUpload( logger, features, @@ -156,12 +157,16 @@ async function run() { ); if (uploadResult !== undefined) { core.setOutput("sarif-id", uploadResult.sarifID); + sarifIds.push({ + analysis: analyses.AnalysisKind.CodeScanning, + id: uploadResult.sarifID, + }); } // If there are `.quality.sarif` files in `sarifPath`, then upload those to the code quality service. // Code quality can currently only be enabled on top of security, so we'd currently always expect to // have a directory for the results here. - await findAndUpload( + const qualityUploadResult = await findAndUpload( logger, features, sarifPath, 
@@ -170,6 +175,13 @@ async function run() { analyses.CodeQuality, actionsUtil.fixCodeQualityCategory(logger, category), ); + if (qualityUploadResult !== undefined) { + sarifIds.push({ + analysis: analyses.AnalysisKind.CodeQuality, + id: qualityUploadResult.sarifID, + }); + } + core.setOutput("sarif-ids", JSON.stringify(sarifIds)); // We don't upload results in test mode, so don't wait for processing if (isInTestMode()) { diff --git a/upload-sarif/action.yml b/upload-sarif/action.yml index 15ff9eeff3..cd61886c69 100644 --- a/upload-sarif/action.yml +++ b/upload-sarif/action.yml @@ -34,7 +34,12 @@ inputs: default: "true" outputs: sarif-id: - description: The ID of the uploaded SARIF file. + description: The ID of the uploaded Code Scanning SARIF file, if any. + sarif-ids: + description: | + A stringified JSON object containing the SARIF ID for each kind of analysis. For example: + + { "code-scanning": "some-id", "code-quality": "some-other-id" } runs: using: node20 main: '../lib/upload-sarif-action.js' From 7bea0e2e1249aa7a0da99bb5f14fd151a64a3edb Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 18 Sep 2025 14:46:46 +0100 Subject: [PATCH 07/10] Fix outdated comment --- src/upload-sarif-action.ts | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/upload-sarif-action.ts b/src/upload-sarif-action.ts index 4f527b0b6c..aa1a5a4443 100644 --- a/src/upload-sarif-action.ts +++ b/src/upload-sarif-action.ts @@ -164,8 +164,6 @@ async function run() { } // If there are `.quality.sarif` files in `sarifPath`, then upload those to the code quality service. - // Code quality can currently only be enabled on top of security, so we'd currently always expect to - // have a directory for the results here. const qualityUploadResult = await findAndUpload( logger, features, From e33b0ab3ac30b90dff43239fd6ba035a77c2fed2 Mon Sep 17 00:00:00 2001 
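Review bot: The `sarif-ids` description added to `upload-sarif/action.yml` documents an object keyed by analysis kind (`{ "code-scanning": "some-id", "code-quality": "some-other-id" }`), but the code emits a different shape. In `src/upload-sarif-action.ts`, `run` calls `core.setOutput("sarif-ids", JSON.stringify(sarifIds))` with `sarifIds` declared as `Array<{ analysis: string; id: string }>`, and the check added in PATCH 08 reads it as `[0].analysis`. A consumer who follows the description will look up keys that do not exist. Either describe it as a JSON array with the example `[{ "analysis": "code-scanning", "id": "some-id" }, { "analysis": "code-quality", "id": "some-other-id" }]`, or build the keyed object in `run` so the output matches the description.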
From: "Michael B. Gale" Date: Thu, 18 Sep 2025 14:52:50 +0100 Subject: [PATCH 08/10] Update `upload-quality-sarif` check to only use `code-quality` --- .github/workflows/__upload-quality-sarif.yml | 8 +++++--- pr-checks/checks/upload-quality-sarif.yml | 7 +++++-- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/__upload-quality-sarif.yml b/.github/workflows/__upload-quality-sarif.yml index ca3ffb9881..41611260a5 100644 --- a/.github/workflows/__upload-quality-sarif.yml +++ b/.github/workflows/__upload-quality-sarif.yml @@ -74,9 +74,7 @@ jobs: with: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: cpp,csharp,java,javascript,python - config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ - github.sha }} - analysis-kinds: code-scanning,code-quality + analysis-kinds: code-quality - name: Build code run: ./build.sh # Generate some SARIF we can upload with the upload-sarif step @@ -86,8 +84,12 @@ jobs: sha: 5e235361806c361d4d3f8859e3c897658025a9a2 upload: never - uses: ./../action/upload-sarif + id: upload-sarif with: ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + - name: Check output from `upload-sarif` step + if: fromJSON(steps.upload-sarif.sarif-ids)[0].analysis != 'code-quality' + run: exit 1 env: CODEQL_ACTION_TEST_MODE: true diff --git a/pr-checks/checks/upload-quality-sarif.yml b/pr-checks/checks/upload-quality-sarif.yml index 9538505af2..4c6ae27f3c 100644 --- a/pr-checks/checks/upload-quality-sarif.yml +++ b/pr-checks/checks/upload-quality-sarif.yml 
@@ -7,8 +7,7 @@ steps: with: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: cpp,csharp,java,javascript,python - config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }} - analysis-kinds: code-scanning,code-quality + analysis-kinds: code-quality - name: Build code run: ./build.sh # Generate some SARIF we can upload with the upload-sarif step @@ -18,6 +17,10 @@ steps: sha: '5e235361806c361d4d3f8859e3c897658025a9a2' upload: never - uses: ./../action/upload-sarif + id: upload-sarif with: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' + - name: "Check output from `upload-sarif` step" + if: fromJSON(steps.upload-sarif.sarif-ids)[0].analysis != 'code-quality' + run: exit 1 From 624979323326c4b47e21cae17d381156312aea5d Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 18 Sep 2025 15:18:11 +0100 Subject: [PATCH 09/10] Disable `cpp` in `upload-quality-sarif` check --- .github/workflows/__upload-quality-sarif.yml | 2 +- pr-checks/checks/upload-quality-sarif.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/__upload-quality-sarif.yml b/.github/workflows/__upload-quality-sarif.yml index 41611260a5..a33ca03344 100644 --- a/.github/workflows/__upload-quality-sarif.yml +++ b/.github/workflows/__upload-quality-sarif.yml @@ -73,7 +73,7 @@ jobs: - uses: ./../action/init with: tools: ${{ steps.prepare-test.outputs.tools-url }} - languages: cpp,csharp,java,javascript,python + languages: csharp,java,javascript,python analysis-kinds: code-quality - name: Build code run: ./build.sh diff --git a/pr-checks/checks/upload-quality-sarif.yml b/pr-checks/checks/upload-quality-sarif.yml index 4c6ae27f3c..6e912fa3c3 100644 --- a/pr-checks/checks/upload-quality-sarif.yml +++ b/pr-checks/checks/upload-quality-sarif.yml 
@@ -6,7 +6,7 @@ steps: - uses: ./../action/init with: tools: ${{ steps.prepare-test.outputs.tools-url }} - languages: cpp,csharp,java,javascript,python + languages: csharp,java,javascript,python analysis-kinds: code-quality - name: Build code run: ./build.sh From db37d924ee12001550ef7bcdac9a640c49a8e281 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 18 Sep 2025 15:34:31 +0100 Subject: [PATCH 10/10] Fix condition --- .github/workflows/__upload-quality-sarif.yml | 2 +- pr-checks/checks/upload-quality-sarif.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/__upload-quality-sarif.yml b/.github/workflows/__upload-quality-sarif.yml index a33ca03344..e2a2701489 100644 --- a/.github/workflows/__upload-quality-sarif.yml +++ b/.github/workflows/__upload-quality-sarif.yml @@ -89,7 +89,7 @@ jobs: ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 - name: Check output from `upload-sarif` step - if: fromJSON(steps.upload-sarif.sarif-ids)[0].analysis != 'code-quality' + if: fromJSON(steps.upload-sarif.outputs.sarif-ids)[0].analysis != 'code-quality' run: exit 1 env: CODEQL_ACTION_TEST_MODE: true diff --git a/pr-checks/checks/upload-quality-sarif.yml b/pr-checks/checks/upload-quality-sarif.yml index 6e912fa3c3..cc4786735b 100644 --- a/pr-checks/checks/upload-quality-sarif.yml +++ b/pr-checks/checks/upload-quality-sarif.yml @@ -22,5 +22,5 @@ steps: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' - name: "Check output from `upload-sarif` step" - if: fromJSON(steps.upload-sarif.sarif-ids)[0].analysis != 'code-quality' + if: fromJSON(steps.upload-sarif.outputs.sarif-ids)[0].analysis != 'code-quality' run: exit 1