department-of-veterans-affairs / codeql-tools

MIT License

rename of output artifact has broken downstream verifications #128

Closed lbenhartVA closed 6 months ago

lbenhartVA commented 7 months ago

We have several verification processes which have now broken as a result of the renaming of the output file name: codeql-scan-results-${{ inputs.language }}-${{ github.job }}

This was checked in as part of https://github.com/department-of-veterans-affairs/codeql-tools/pull/125/

lindluni commented 6 months ago

This is unfortunately not something that can be helped. We had to upgrade to the latest version of actions/upload-artifact@v4 because v3 had a dependency which had a 0-day vulnerability in it that we were mandated to patch immediately.

v4 of upload-artifact uses an entirely new storage system that provides 100x performance on uploads, but it also requires that we deduplicate results, so we have to handle mono-repos that might have multiple jobs scanning javascript in parallel where both jobs would have the same codeql-scan-results-javascript key. We need to make sure we deduplicate the key on the job ID. You can read more about this here.

It's worth mentioning that the Actions provided in this repo are essentially deprecated by the VA now; we are only maintaining them on a best effort basis until we can move everyone off of them. Teams can move to using CodeQL's native GitHub Actions available from GitHub: https://github.com/github/codeql-action. If you switch to using that and then generate your own CSV like we do in this Action here: https://github.com/department-of-veterans-affairs/codeql-tools/blob/main/codeql-analysis/action.yml#L127

then you can upload it yourself with whatever key you want to use.

If you point me to one of your repos, I'd be happy to submit a PR showing you what this would look like end-to-end as an example.
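
The deduplication described in the comment above, worked through as an added example workflow (this is not code from the codeql-tools repo or from either commenter). It assumes a mono-repo with two jobs that both scan JavaScript and write a results CSV to results/javascript.csv; the artifact name gets ${{ github.job }} appended so the two uploads do not collide under actions/upload-artifact@v4, and the downstream verification job downloads by name pattern with actions/download-artifact@v4 instead of by a single fixed name, which is the part that broke for the reporter. The verification check itself (an awk scan for error-severity rows) is a placeholder assumption.

```yaml
# Added example, not the repo's own action. Two jobs scan the same language,
# so the artifact name is made unique per job with ${{ github.job }}; the
# verify job downloads everything matching a pattern rather than one fixed name.
name: codeql-monorepo-example

on: [push]

jobs:
  scan-frontend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumed: some earlier step produces results/javascript.csv.
      - run: mkdir -p results && echo "rule,severity,file" > results/javascript.csv
      - uses: actions/upload-artifact@v4
        with:
          # v4 rejects a second upload under an identical name, so the job ID
          # keeps the two javascript scans apart.
          name: codeql-scan-results-javascript-${{ github.job }}
          path: results/javascript.csv
          if-no-files-found: error

  scan-backend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: mkdir -p results && echo "rule,severity,file" > results/javascript.csv
      - uses: actions/upload-artifact@v4
        with:
          name: codeql-scan-results-javascript-${{ github.job }}
          path: results/javascript.csv
          if-no-files-found: error

  verify:
    needs: [scan-frontend, scan-backend]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          # Match every scan artifact regardless of the job suffix.
          pattern: codeql-scan-results-*
          path: scan-results
          # Keep one directory per artifact; both CSVs share a file name and
          # would overwrite each other if merged into a single directory.
          merge-multiple: false
      - run: |
          set -eu
          for f in scan-results/*/*.csv; do
            echo "checking $f"
            # Assumed verification rule: fail the job if any row has severity "error".
            if awk -F, 'NR>1 && $2=="error"{found=1} END{exit !found}' "$f"; then
              echo "error-severity findings in $f" >&2
              exit 1
            fi
          done
```

With `merge-multiple: false` the downloaded tree is scan-results/codeql-scan-results-javascript-scan-frontend/javascript.csv and scan-results/codeql-scan-results-javascript-scan-backend/javascript.csv, so a verifier that globs on the pattern keeps working whatever job IDs are appended upstream.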

lindluni commented 6 months ago

We've reverted that change; instead, we will instruct users with mono-repos to make changes. Note the sentiment still stands about this repository's actions being deprecated, but you may continue to use them.

lbenhartVA commented 6 months ago

Good to know about the deprecated actions, I was not aware ... I guess I have to read up on that as well.