-
Notifications
You must be signed in to change notification settings - Fork 319
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an option to upload some debugging artifacts #798
Conversation
What do you think about making this a catch-all |
That sounds like a sensible idea, yes. For this PR let's stick to just uploading artifacts, but we can name it Follow-up question - if it's a general debugging flag should it go in the |
@@ -106,6 +108,42 @@ async function run() { | |||
config, | |||
logger | |||
); | |||
|
|||
if (config.debugMode) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there ever a danger of running with debugMode === true
on the runner? Presumably, if so, the runner would fail on the upload stage, but it would be nice if we could detect this and fail faster.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note, this will be caught (if it is indeed a problem) by updating the unguarded-action-lib.ql
query.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should never be possible to be in debug mode when using the runner. In particular, note that the call to initConfig
in runner.ts
has gained a hard-coded value of false
for the parameter specifying whether we are in debug mode.
@@ -1,6 +1,7 @@ | |||
import * as fs from "fs"; | |||
import * as path from "path"; | |||
|
|||
import * as artifact from "@actions/artifact"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the unguarded-action-lib.ql
query should be updated to include calls to @actions/artifact
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless I'm misunderstanding that query, it will already be including these calls as they match
getImportedPath().getValue().matches("@actions/%") and |
and are not specifically included in the whitelist
codeql-action/queries/unguarded-action-lib.ql
Lines 17 to 20 in 4293754
lib = "@actions/http-client" or | |
lib = "@actions/exec" or | |
lib = "@actions/io" or | |
lib.matches("@actions/exec/%") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep...sorry...you're right here.
async function uploadDebugArtifact(toUpload: string[], rootDir: string) { | ||
await artifact.create().uploadArtifact( | ||
DEBUG_ARTIFACT_NAME, | ||
toUpload.map((file) => path.normalize(file)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmmm...artifacting lots of little files (eg- a database) can take a really long time. It looks like you're doing this in several places. Much better to zip things up first and then upload.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Take a look and see if this really is a problem in the action, but I've encountered it before in semmle-code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, you may already be zipping things, so maybe this is a noop.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is indeed a no-op, I think. The only place this a concern is databases since, as you say, they contain lots of little files. These are being zipped up using codeql database bundle
. The SARIF and some of the logs (those that exist outside of a database) are being uploaded unzipped, but that is okay because they are only a couple of files.
Updating the query can happen in a different PR. |
cda039e
to
5425460
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice. All my comments turned into noops. Thanks for explaining. The code looks fine to me. Just need to address merge conflicts and 🚢 .
5425460
to
fb9b66d
Compare
Thanks! Have squashed and rebased to address the merge conflicts. |
fb9b66d
to
bc31f60
Compare
I think this needs a changelog entry. |
This PR adds a new option
debug-artifacts
to theanalyze
step which will result in the following files being uploaded as artifacts in order to aid debugging: