Open MichaelBlake-gingerio opened 1 month ago
Apologies that the docs are unclear. Here is the information you are looking for. You need to set the `GITHUB_TOKEN` environment variable to the secret.
Hi @aeisenberg

Thank you for the quick reply. We already have `GITHUB_TOKEN` set to a secret. Do we need to replace that secret with a secret that has `read:packages` permission as well? I thought it'd be possible to supply a different token for pulling down the package.

Thanks!
Apologies. I was mistaken. Using the `token` input should work as well. So, I'm not sure what is happening here. Would you be able to share your full debug logs?

Also (unrelated), the `autobuild` step is not necessary since neither of your scanned languages requires a build.
@aeisenberg
Thank you. That's helpful to know. Here's the full debug log...
```text
##[debug]Evaluating condition for step: 'Initialize CodeQL'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Initialize CodeQL
##[debug]Register post job cleanup for action: github/codeql-action/init@v3
##[debug]Loading inputs
##[debug]Evaluating: matrix.language
##[debug]Evaluating Index:
##[debug]..Evaluating matrix:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'language'
##[debug]=> 'python'
##[debug]Result: 'python'
##[debug]Evaluating: secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'CUSTOM_CODEQL_SCAN_GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: toJson(matrix)
##[debug]Evaluating toJson:
##[debug]..Evaluating matrix:
##[debug]..=> Object
##[debug]=> '{
##[debug]  "language": "python"
##[debug]}'
##[debug]Result: '{
##[debug]  "language": "python"
##[debug]}'
##[debug]Loading env
Run github/codeql-action/init@v3
  with:
    languages: python
    packs: redacted/python-queries@0.0.1
    token: ***
    debug: true
    matrix: {
  "language": "python"
}
Warning: Caught an exception while gathering information for telemetry: HttpError: Not Found. Will skip sending status report.
Error: Encountered an error while trying to determine feature enablement: HttpError: Not Found
Warning: Caught an exception while gathering information for telemetry: HttpError: Not Found. Will skip sending status report.
##[debug]Node Action run completed with exit code 1
##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
##[debug]CODEQL_ACTION_VERSION='3.25.15'
##[debug]JOB_RUN_UUID='dc2ed5fb-c226-4a42-901b-d9dc772a234d'
##[debug]CODEQL_ACTION_INIT_HAS_RUN='true'
##[debug]Finishing: Initialize CodeQL
```
Thanks for this. The logs are showing that the error is not happening due to package downloads at all. It's due to not being able to access the endpoint that exposes feature flags. This is a different kind of permissions problem. I'm guessing that the token you are using in the `CUSTOM_CODEQL_SCAN_GITHUB_TOKEN` has a very restricted set of permissions. I'll have to get back to you on exactly which permissions are required, but you can try by changing the set of permissions so that they match the permissions you have in the workflow. E.g.

```yaml
permissions:
  actions: read
  contents: read
  packages: read
  security-events: write
```
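As an added example (not from the issue thread and not the codeql-action project's own code), here is a complete workflow that ties the pieces of this thread together: the job-level `permissions` block from the comment above, the `packs` and `token` inputs on the `init` step, and no `autobuild` step. The workflow name, branch filter, checkout action version and the pack name `companyname/python-queries@0.0.1` are placeholders; the thread leaves open exactly which scopes the feature-flag endpoint needs, so the comment in the YAML states that as an assumption rather than a confirmed requirement.

```yaml
# Added example workflow; placeholders are marked in comments.
name: CodeQL (private query pack)

on:
  push:
    branches: [main]        # placeholder branch filter
  pull_request:

# These grants apply only to the default GITHUB_TOKEN of the job (block taken from
# the comment above). The PAT stored in the organization secret is a separate
# credential whose scopes are fixed when the PAT is created, so "matching" them
# means adjusting the PAT, not this block.
permissions:
  actions: read
  contents: read
  packages: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [python]   # matches the matrix shown in the debug log

    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Private pack reference; "companyname/python-queries@0.0.1" is a placeholder.
          packs: companyname/python-queries@0.0.1
          # Organization secret from the issue. Per the comment above, the failure is on
          # the feature-enablement endpoint, not the pack download, so this token must
          # be allowed to reach that endpoint as well as read the package (assumption:
          # a PAT with read:packages plus repository read access; verify against the
          # maintainer's follow-up before relying on it).
          token: ${{ secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN }}
          debug: true

      # No autobuild step: Python needs no build, as noted in the thread.

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

When checking a failure like the one in the log, compare the two credentials separately: the `permissions` block governs what `GITHUB_TOKEN` may do, while anything passed through `token:` is judged by the scopes of the PAT itself. A run that fails on "determine feature enablement" before any pack is fetched points at the second credential, which is what the comment above concludes.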
That makes perfect sense. I'll try that out. Thanks!
We're trying to reference a private CodeQL pack when running `init`. When this runs in GitHub actions, we get `HttpError: Not Found`.

`codeql package download companyname/python-queries --github-auth-stdin` and supply the value of `secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN`. `CUSTOM_CODEQL_SCAN_GITHUB_TOKEN` exists as an organization secret.

Is there anything I'm missing or is there a bug with the `init` script? I'm having trouble finding any documentation around referencing private packs for CodeQL GitHub actions.

Thank you.