Add an option to upload some debugging artifacts

[edoardopirovano]

This PR adds a new option debug-artifacts to the analyze step which will result in the following files being uploaded as artifacts in order to aid debugging:

1. Logs, including the tracer log for pre-multilanguage tracing. (After multi language tracing this is in the database logs, so does not need to be special cased).
2. The bundle(s) for the CodeQL database(s) produced.
3. The SARIF file(s) produced.

[adityasharad]

What do you think about making this a catch-all debug option, potentially including other changes like increasing the verbosity of CLI commands?

[edoardopirovano]

What do you think about making this a catch-all debug option, potentially including other changes like increasing the verbosity of CLI commands?

That sounds like a sensible idea, yes. For this PR let's stick to just uploading artifacts, but we can name it debug to give us room to have that flag do more things in future.

Follow-up question - if it's a general debugging flag should it go in the init step instead? I think that would make sense in case we want to debug something from before the analyze step.

[aeisenberg]

Is there ever a danger of running with debugMode === true on the runner? Presumably, if so, the runner would fail on the upload stage, but it would be nice if we could detect this and fail faster.

[aeisenberg]

Note, this will be caught (if it is indeed a problem) by updating the unguarded-action-lib.ql query.

[edoardopirovano]

It should never be possible to be in debug mode when using the runner. In particular, note that the call to initConfig in runner.ts has gained a hard-coded value of false for the parameter specifying whether we are in debug mode.

[aeisenberg]

I think the unguarded-action-lib.ql query should be updated to include calls to @actions/artifact.

[edoardopirovano]

Unless I'm misunderstanding that query, it will already be including these calls as they match

codeql-action/queries/unguarded-action-lib.ql

Line 44 in 4293754

getImportedPath().getValue().matches("@actions/%") and

and are not specifically included in the whitelist

codeql-action/queries/unguarded-action-lib.ql

Lines 17 to 20 in 4293754

	lib = "@actions/http-client" or
	lib = "@actions/exec" or
	lib = "@actions/io" or
	lib.matches("@actions/exec/%")

[aeisenberg]

Yep...sorry...you're right here.

[aeisenberg]

Hmmm...artifacting lots of little files (eg- a database) can take a really long time. It looks like you're doing this in several places. Much better to zip things up first and then upload.

[aeisenberg]

Take a look and see if this really is a problem in the action, but I've encountered it before in semmle-code.

[aeisenberg]

Actually, you may already be zipping things, so maybe this is a noop.

[edoardopirovano]

This is indeed a no-op, I think. The only place this a concern is databases since, as you say, they contain lots of little files. These are being zipped up using codeql database bundle. The SARIF and some of the logs (those that exist outside of a database) are being uploaded unzipped, but that is okay because they are only a couple of files.

[aeisenberg]

Updating the query can happen in a different PR.

[aeisenberg]

Nice. All my comments turned into noops. Thanks for explaining. The code looks fine to me. Just need to address merge conflicts and 🚢 .

[edoardopirovano]

Thanks! Have squashed and rebased to address the merge conflicts.

[adityasharad]

I think this needs a changelog entry.