From 9b3ade946d34bbaaada8d43f8f902886b7e9c020 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 6 Oct 2025 13:50:21 +0100 Subject: [PATCH 1/7] Rename `upload-quality-sarif.yml` workflow --- .../{__upload-quality-sarif.yml => __upload-sarif.yml} | 6 +++--- .../checks/{upload-quality-sarif.yml => upload-sarif.yml} | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) rename .github/workflows/{__upload-quality-sarif.yml => __upload-sarif.yml} (95%) rename pr-checks/checks/{upload-quality-sarif.yml => upload-sarif.yml} (94%) diff --git a/.github/workflows/__upload-quality-sarif.yml b/.github/workflows/__upload-sarif.yml similarity index 95% rename from .github/workflows/__upload-quality-sarif.yml rename to .github/workflows/__upload-sarif.yml index 9e1dceafc5..ed92f095ef 100644 --- a/.github/workflows/__upload-quality-sarif.yml +++ b/.github/workflows/__upload-sarif.yml @@ -3,7 +3,7 @@ # pr-checks/sync.sh # to regenerate this file. -name: 'PR Check - Upload-sarif: code quality endpoint' +name: PR Check - Test different uses of `upload-sarif` env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GO111MODULE: auto @@ -41,14 +41,14 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - upload-quality-sarif: + upload-sarif: strategy: fail-fast: false matrix: include: - os: ubuntu-latest version: default - name: 'Upload-sarif: code quality endpoint' + name: Test different uses of `upload-sarif` if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read diff --git a/pr-checks/checks/upload-quality-sarif.yml b/pr-checks/checks/upload-sarif.yml similarity index 94% rename from pr-checks/checks/upload-quality-sarif.yml rename to pr-checks/checks/upload-sarif.yml index 1d4dd9d28d..7f68e5507a 100644 --- a/pr-checks/checks/upload-quality-sarif.yml +++ b/pr-checks/checks/upload-sarif.yml 
@@ -1,4 +1,4 @@ -name: "Upload-sarif: code quality endpoint" +name: "Test different uses of `upload-sarif`" description: "Checks that uploading SARIFs to the code quality endpoint works" versions: ["default"] installGo: true From 6bdf5d3d00fd477b954432761e4dcd9d3cf02b72 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 6 Oct 2025 13:56:19 +0100 Subject: [PATCH 2/7] Run `upload-sarif` check for all `analysis-kinds` values --- .github/workflows/__upload-sarif.yml | 21 +++++++++++++++++---- pr-checks/checks/upload-sarif.yml | 15 +++++++++++---- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/.github/workflows/__upload-sarif.yml b/.github/workflows/__upload-sarif.yml index ed92f095ef..fd98b8d64b 100644 --- a/.github/workflows/__upload-sarif.yml +++ b/.github/workflows/__upload-sarif.yml @@ -48,6 +48,13 @@ jobs: include: - os: ubuntu-latest version: default + analysis-kinds: code-scanning + - os: ubuntu-latest + version: default + analysis-kinds: code-quality + - os: ubuntu-latest + version: default + analysis-kinds: code-scanning,code-quality name: Test different uses of `upload-sarif` if: github.triggering_actor != 'dependabot[bot]' permissions: @@ -74,7 +81,7 @@ jobs: with: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: csharp,java,javascript,python - analysis-kinds: code-quality + analysis-kinds: ${{ matrix.analysis-kinds }} - name: Build code run: ./build.sh # Generate some SARIF we can upload with the upload-sarif step 
@@ -83,13 +90,19 @@ jobs: ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 upload: never - - uses: ./../action/upload-sarif + + - name: | + Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}` + uses: ./../action/upload-sarif id: upload-sarif with: ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 - - name: Check output from `upload-sarif` step - if: '!(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)' + - name: Check output from `upload-sarif` step for `code-scanning` + if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning) + run: exit 1 + - name: Check output from `upload-sarif` step for `code-quality` + if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality) run: exit 1 env: CODEQL_ACTION_TEST_MODE: true diff --git a/pr-checks/checks/upload-sarif.yml b/pr-checks/checks/upload-sarif.yml index 7f68e5507a..f40cb67946 100644 --- a/pr-checks/checks/upload-sarif.yml +++ b/pr-checks/checks/upload-sarif.yml @@ -1,13 +1,14 @@ name: "Test different uses of `upload-sarif`" description: "Checks that uploading SARIFs to the code quality endpoint works" versions: ["default"] +analysisKinds: ["code-scanning", "code-quality", "code-scanning,code-quality"] installGo: true steps: - uses: ./../action/init with: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: csharp,java,javascript,python - analysis-kinds: code-quality + analysis-kinds: ${{ matrix.analysis-kinds }} - name: Build code run: ./build.sh # Generate some SARIF we can upload with the upload-sarif step 
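Review bot: The `description` kept as context at the top of pr-checks/checks/upload-sarif.yml still reads "Checks that uploading SARIFs to the code quality endpoint works", but with the new `analysisKinds` list this check also runs for `code-scanning` and for both kinds together. Update it alongside the rename, for example `description: "Checks that upload-sarif works for each analysis-kinds value"`. A stale description makes it harder to tell from the check list which endpoint coverage exists.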
@@ -16,11 +17,17 @@ steps: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' upload: never - - uses: ./../action/upload-sarif + + - name: | + Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}` + uses: ./../action/upload-sarif id: upload-sarif with: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' - - name: "Check output from `upload-sarif` step" - if: '!(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)' + - name: "Check output from `upload-sarif` step for `code-scanning`" + if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)" + run: exit 1 + - name: "Check output from `upload-sarif` step for `code-quality`" + if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)" run: exit 1 From 6f964b7776696bb9ff2cebad990817c49ecf449f Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 6 Oct 2025 14:10:49 +0100 Subject: [PATCH 3/7] Cover more cases in `upload-sarif` check --- .github/workflows/__upload-sarif.yml | 42 ++++++++++++++++++++++++++++ pr-checks/checks/upload-sarif.yml | 40 ++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) diff --git a/.github/workflows/__upload-sarif.yml b/.github/workflows/__upload-sarif.yml index fd98b8d64b..7bf239e519 100644 --- a/.github/workflows/__upload-sarif.yml +++ b/.github/workflows/__upload-sarif.yml @@ -90,6 +90,7 @@ jobs: ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 upload: never + output: ${{ runner.temp }}/results - name: | Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}` 
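Review bot: Both check steps in the pr-checks/checks/upload-sarif.yml hunk only fail when the ID for a requested kind is missing; nothing fails when `sarif-ids` carries an ID for a kind that was not requested. A `code-quality`-only run that also submitted results to the code-scanning endpoint would therefore pass, as far as the visible steps show. Consider a negative counterpart for each kind, e.g. a step with `if: "!contains(matrix.analysis-kinds, 'code-scanning') && fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning"` and `run: exit 1`.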
@@ -98,11 +99,52 @@ jobs: with: ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + sarif_file: ${{ runner.temp }}/results - name: Check output from `upload-sarif` step for `code-scanning` if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning) run: exit 1 - name: Check output from `upload-sarif` step for `code-quality` if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality) run: exit 1 + + - name: Upload single SARIF file for Code Scanning + uses: ./../action/upload-sarif + id: upload-single-sarif-code-scanning + if: contains(matrix.analysis-kinds, 'code-scanning') + with: + ref: refs/heads/main + sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + sarif_file: ${{ runner.temp }}/results/javascript.sarif + - name: Check output from `upload-single-sarif-code-scanning` step + if: contains(matrix.analysis-kinds, 'code-scanning') && + !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning) + run: exit 1 + - name: Upload single SARIF file for Code Scanning + uses: ./../action/upload-sarif + id: upload-single-sarif-code-quality + if: contains(matrix.analysis-kinds, 'code-quality') + with: + ref: refs/heads/main + sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif + - name: Check output from `upload-single-sarif-code-quality` step + if: contains(matrix.analysis-kinds, 'code-quality') && + !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality) + run: exit 1 + + - name: Change SARIF file extension + if: contains(matrix.analysis-kinds, 'code-scanning') + run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json + - name: Upload single non-`.sarif` file + uses: ./../action/upload-sarif + id: upload-single-non-sarif + if: contains(matrix.analysis-kinds, 'code-scanning') + with: + 
ref: refs/heads/main + sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + sarif_file: ${{ runner.temp }}/results/javascript.sarif.json + - name: Check output from `upload-single-non-sarif` step + if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning) + run: exit 1 env: CODEQL_ACTION_TEST_MODE: true diff --git a/pr-checks/checks/upload-sarif.yml b/pr-checks/checks/upload-sarif.yml index f40cb67946..9401c49e8e 100644 --- a/pr-checks/checks/upload-sarif.yml +++ b/pr-checks/checks/upload-sarif.yml @@ -17,6 +17,7 @@ steps: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' upload: never + output: ${{ runner.temp }}/results - name: | Upload all SARIF files for `analysis-kinds: ${{ matrix.analysis-kinds }}` 
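Review bot: The `Change SARIF file extension` step expands `${{ runner.temp }}` straight into the script text and leaves both paths unquoted, so a temp directory containing spaces would split into extra `mv` arguments. Prefer the runner-provided variable with quotes, `run: mv "$RUNNER_TEMP/results/javascript.sarif" "$RUNNER_TEMP/results/javascript.sarif.json"`, which also keeps expression expansion out of the shell body, as the `with-checkout-path` check does later in this series. The same line is added to pr-checks/checks/upload-sarif.yml in the hunk that follows; the header comment says this workflow file is regenerated by pr-checks/sync.sh, so the fix belongs in that source file.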
@@ -25,9 +26,48 @@ steps: with: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' + sarif_file: ${{ runner.temp }}/results - name: "Check output from `upload-sarif` step for `code-scanning`" if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)" run: exit 1 - name: "Check output from `upload-sarif` step for `code-quality`" if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)" run: exit 1 + + - name: Upload single SARIF file for Code Scanning + uses: ./../action/upload-sarif + id: upload-single-sarif-code-scanning + if: "contains(matrix.analysis-kinds, 'code-scanning')" + with: + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' + sarif_file: ${{ runner.temp }}/results/javascript.sarif + - name: "Check output from `upload-single-sarif-code-scanning` step" + if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)" + run: exit 1 + - name: Upload single SARIF file for Code Scanning + uses: ./../action/upload-sarif + id: upload-single-sarif-code-quality + if: "contains(matrix.analysis-kinds, 'code-quality')" + with: + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' + sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif + - name: "Check output from `upload-single-sarif-code-quality` step" + if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)" + run: exit 1 + + - name: Change SARIF file extension + if: "contains(matrix.analysis-kinds, 'code-scanning')" + run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json + - name: Upload single non-`.sarif` file + uses: ./../action/upload-sarif + id: upload-single-non-sarif + if: 
"contains(matrix.analysis-kinds, 'code-scanning')" + with: + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' + sarif_file: ${{ runner.temp }}/results/javascript.sarif.json + - name: "Check output from `upload-single-non-sarif` step" + if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)" + run: exit 1 From 22aba57acf39c63a1b4963298698fb3f7a991e17 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 6 Oct 2025 14:30:30 +0100 Subject: [PATCH 4/7] Include analysis kind in `payloadSaveFile` path in `uploadPayload` --- lib/analyze-action.js | 8 ++++---- lib/init-action-post.js | 8 ++++---- lib/upload-lib.js | 8 ++++---- lib/upload-sarif-action.js | 8 ++++---- src/upload-lib.ts | 8 ++++---- 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index c2788900b3..77f1e6f14a 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -95530,12 +95530,12 @@ function getAutomationID2(category, analysis_key, environment) { } return computeAutomationID(analysis_key, environment); } -async function uploadPayload(payload, repositoryNwo, logger, target) { +async function uploadPayload(payload, repositoryNwo, logger, analysis) { logger.info("Uploading results"); if (isInTestMode()) { const payloadSaveFile = path18.join( getTemporaryDirectory(), - "payload.json" + `payload-${analysis.kind}.json` ); logger.info( `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}` @@ -95546,7 +95546,7 @@ async function uploadPayload(payload, repositoryNwo, logger, target) { } const client = getApiClient(); try { - const response = await client.request(target, { + const response = await client.request(analysis.target, { owner: repositoryNwo.owner, repo: repositoryNwo.repo, data: payload 
@@ -95780,7 +95780,7 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features payload, getRepositoryNwo(), logger, - uploadTarget.target + uploadTarget ); logger.endGroup(); return { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index e138420a3e..6c4eb38d91 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -133006,12 +133006,12 @@ function getAutomationID2(category, analysis_key, environment) { } return computeAutomationID(analysis_key, environment); } -async function uploadPayload(payload, repositoryNwo, logger, target) { +async function uploadPayload(payload, repositoryNwo, logger, analysis) { logger.info("Uploading results"); if (isInTestMode()) { const payloadSaveFile = path17.join( getTemporaryDirectory(), - "payload.json" + `payload-${analysis.kind}.json` ); logger.info( `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}` @@ -133022,7 +133022,7 @@ async function uploadPayload(payload, repositoryNwo, logger, target) { } const client = getApiClient(); try { - const response = await client.request(target, { + const response = await client.request(analysis.target, { owner: repositoryNwo.owner, repo: repositoryNwo.repo, data: payload @@ -133256,7 +133256,7 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features payload, getRepositoryNwo(), logger, - uploadTarget.target + uploadTarget ); logger.endGroup(); return { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index a6342ff212..44a52209d1 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js 
@@ -92365,12 +92365,12 @@ function getAutomationID2(category, analysis_key, environment) { } return computeAutomationID(analysis_key, environment); } -async function uploadPayload(payload, repositoryNwo, logger, target) { +async function uploadPayload(payload, repositoryNwo, logger, analysis) { logger.info("Uploading results"); if (isInTestMode()) { const payloadSaveFile = path14.join( getTemporaryDirectory(), - "payload.json" + `payload-${analysis.kind}.json` ); logger.info( `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}` @@ -92381,7 +92381,7 @@ async function uploadPayload(payload, repositoryNwo, logger, target) { } const client = getApiClient(); try { - const response = await client.request(target, { + const response = await client.request(analysis.target, { owner: repositoryNwo.owner, repo: repositoryNwo.repo, data: payload @@ -92663,7 +92663,7 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features payload, getRepositoryNwo(), logger, - uploadTarget.target + uploadTarget ); logger.endGroup(); return { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 7ad72583b5..bc7a2c0ac6 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -93037,12 +93037,12 @@ function getAutomationID2(category, analysis_key, environment) { } return computeAutomationID(analysis_key, environment); } -async function uploadPayload(payload, repositoryNwo, logger, target) { +async function uploadPayload(payload, repositoryNwo, logger, analysis) { logger.info("Uploading results"); if (isInTestMode()) { const payloadSaveFile = path15.join( getTemporaryDirectory(), - "payload.json" + `payload-${analysis.kind}.json` ); logger.info( `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}` 
@@ -93053,7 +93053,7 @@ async function uploadPayload(payload, repositoryNwo, logger, target) { } const client = getApiClient(); try { - const response = await client.request(target, { + const response = await client.request(analysis.target, { owner: repositoryNwo.owner, repo: repositoryNwo.repo, data: payload @@ -93304,7 +93304,7 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features payload, getRepositoryNwo(), logger, - uploadTarget.target + uploadTarget ); logger.endGroup(); return { diff --git a/src/upload-lib.ts b/src/upload-lib.ts index cfa362b678..2559cd7ad1 100644 --- a/src/upload-lib.ts +++ b/src/upload-lib.ts @@ -352,7 +352,7 @@ async function uploadPayload( payload: any, repositoryNwo: RepositoryNwo, logger: Logger, - target: analyses.SARIF_UPLOAD_ENDPOINT, + analysis: analyses.AnalysisConfig, ): Promise { logger.info("Uploading results"); @@ -360,7 +360,7 @@ async function uploadPayload( if (util.isInTestMode()) { const payloadSaveFile = path.join( actionsUtil.getTemporaryDirectory(), - "payload.json", + `payload-${analysis.kind}.json`, ); logger.info( `In test mode. Results are not uploaded. Saving to ${payloadSaveFile}`, @@ -373,7 +373,7 @@ async function uploadPayload( const client = api.getApiClient(); try { - const response = await client.request(target, { + const response = await client.request(analysis.target, { owner: repositoryNwo.owner, repo: repositoryNwo.repo, data: payload, @@ -807,7 +807,7 @@ export async function uploadSpecifiedFiles( payload, getRepositoryNwo(), logger, - uploadTarget.target, + uploadTarget, ); logger.endGroup(); From 380e002752dd3ae10c718f81ac27a53db40a2769 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 6 Oct 2025 15:15:43 +0100 Subject: [PATCH 5/7] Add explicit `category` values --- .github/workflows/__upload-sarif.yml | 8 ++++++++ pr-checks/checks/upload-sarif.yml | 8 ++++++++ 2 files changed, 16 insertions(+) 
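Review bot: The test-mode file name in `uploadPayload` (src/upload-lib.ts) is now an implicit contract with the PR-check workflows, which read `$RUNNER_TEMP/payload-code-scanning.json` later in this series, yet nothing at the `path.join` call says so. A comment above it such as `// Test workflows read this file by name (payload-<analysis kind>.json); update pr-checks/checks when changing it.` would make the coupling visible. Two uploads of the same kind in one job still write to the same path, so only the last payload survives; that is fine for the current checks but worth stating in the same comment. The function body continues outside these hunks.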
diff --git a/.github/workflows/__upload-sarif.yml b/.github/workflows/__upload-sarif.yml index 7bf239e519..20b059f398 100644 --- a/.github/workflows/__upload-sarif.yml +++ b/.github/workflows/__upload-sarif.yml @@ -100,6 +100,8 @@ jobs: ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 sarif_file: ${{ runner.temp }}/results + category: | + ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/ - name: Check output from `upload-sarif` step for `code-scanning` if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning) run: exit 1 @@ -115,6 +117,8 @@ jobs: ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 sarif_file: ${{ runner.temp }}/results/javascript.sarif + category: | + ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/ - name: Check output from `upload-single-sarif-code-scanning` step if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning) @@ -127,6 +131,8 @@ jobs: ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif + category: | + ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/ - name: Check output from `upload-single-sarif-code-quality` step if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality) 
@@ -143,6 +149,8 @@ jobs: ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 sarif_file: ${{ runner.temp }}/results/javascript.sarif.json + category: | + ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/ - name: Check output from `upload-single-non-sarif` step if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning) run: exit 1 diff --git a/pr-checks/checks/upload-sarif.yml b/pr-checks/checks/upload-sarif.yml index 9401c49e8e..840e765011 100644 --- a/pr-checks/checks/upload-sarif.yml +++ b/pr-checks/checks/upload-sarif.yml @@ -27,6 +27,8 @@ steps: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' sarif_file: ${{ runner.temp }}/results + category: | + ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/ - name: "Check output from `upload-sarif` step for `code-scanning`" if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)" run: exit 1 @@ -42,6 +44,8 @@ steps: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' sarif_file: ${{ runner.temp }}/results/javascript.sarif + category: | + ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/ - name: "Check output from `upload-single-sarif-code-scanning` step" if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)" run: exit 1 
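Review bot: `category: |` in pr-checks/checks/upload-sarif.yml is a literal block scalar with default clipping, so each new value ends in a newline after the trailing `/`. Whether that newline reaches the uploaded category depends on the action trimming its input, which these hunks do not show. Use a stripped form (`category: |-`) or a single quoted line so the value is exactly the intended string. The same applies to the `category` additions at @@ -42,6, @@ -53,6 and @@ -68,6 of this file.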
@@ -53,6 +57,8 @@ steps: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif + category: | + ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/ - name: "Check output from `upload-single-sarif-code-quality` step" if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)" run: exit 1 @@ -68,6 +74,8 @@ steps: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' sarif_file: ${{ runner.temp }}/results/javascript.sarif.json + category: | + ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/ - name: "Check output from `upload-single-non-sarif` step" if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)" run: exit 1 From 14c5d77032ee3effd4fd42710395800466c8d7cb Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 6 Oct 2025 15:28:40 +0100 Subject: [PATCH 6/7] Fix: Update `payload.json` path in `with-checkout-path` test --- .github/workflows/__with-checkout-path.yml | 13 +++++++------ pr-checks/checks/with-checkout-path.yml | 13 +++++++------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index e12c9846a3..e706b5d391 100644 --- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml 
@@ -103,29 +103,30 @@ jobs: - name: Verify SARIF after upload run: | + PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json" EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6" EXPECTED_REF="v1.1.0" EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo" - ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)" - ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)" - ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)" + ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)" + ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)" + ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)" if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID" - echo "$RUNNER_TEMP/payload.json" + echo "$PAYLOAD_FILE" exit 1 fi if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'" - echo "$RUNNER_TEMP/payload.json" + echo "$PAYLOAD_FILE" exit 1 fi if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI" - echo "$RUNNER_TEMP/payload.json" + echo "$PAYLOAD_FILE" exit 1 fi env: diff --git a/pr-checks/checks/with-checkout-path.yml b/pr-checks/checks/with-checkout-path.yml index 641dcf2205..d0662be010 100644 --- a/pr-checks/checks/with-checkout-path.yml +++ b/pr-checks/checks/with-checkout-path.yml 
@@ -37,28 +37,29 @@ steps: - name: Verify SARIF after upload run: | + PAYLOAD_FILE="$RUNNER_TEMP/payload-code-scanning.json" EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6" EXPECTED_REF="v1.1.0" EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo" - ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)" - ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)" - ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)" + ACTUAL_COMMIT_OID="$(cat "$PAYLOAD_FILE" | jq -r .commit_oid)" + ACTUAL_REF="$(cat "$PAYLOAD_FILE" | jq -r .ref)" + ACTUAL_CHECKOUT_URI="$(cat "$PAYLOAD_FILE" | jq -r .checkout_uri)" if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID" - echo "$RUNNER_TEMP/payload.json" + echo "$PAYLOAD_FILE" exit 1 fi if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'" - echo "$RUNNER_TEMP/payload.json" + echo "$PAYLOAD_FILE" exit 1 fi if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI" - echo "$RUNNER_TEMP/payload.json" + echo "$PAYLOAD_FILE" exit 1 fi From dabf6fc57806f7dec50430fd9193732fbdd276c5 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 6 Oct 2025 15:40:35 +0100 Subject: [PATCH 7/7] Adjust step names to be clearer --- .github/workflows/__upload-sarif.yml | 12 ++++++------ pr-checks/checks/upload-sarif.yml | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/__upload-sarif.yml b/.github/workflows/__upload-sarif.yml index 20b059f398..91a1af5e05 100644 --- a/.github/workflows/__upload-sarif.yml +++ b/.github/workflows/__upload-sarif.yml 
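Review bot: `PAYLOAD_FILE` hard-codes the `code-scanning` file name and the script never checks that the file exists. If the test-mode file name changes again, the three `jq` reads would likely produce empty strings and the job would report "Invalid commit oid" instead of a missing file, the kind of mismatch this commit had to fix. Add a guard right after the assignment, e.g. `[[ -f "$PAYLOAD_FILE" ]] || { echo "::error::Missing $PAYLOAD_FILE"; exit 1; }`. The reads can also drop the extra process: `jq -r .commit_oid "$PAYLOAD_FILE"`.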
@@ -102,10 +102,10 @@ jobs: sarif_file: ${{ runner.temp }}/results category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/ - - name: Check output from `upload-sarif` step for `code-scanning` + - name: Fail for missing output from `upload-sarif` step for `code-scanning` if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning) run: exit 1 - - name: Check output from `upload-sarif` step for `code-quality` + - name: Fail for missing output from `upload-sarif` step for `code-quality` if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality) run: exit 1 @@ -119,11 +119,11 @@ jobs: sarif_file: ${{ runner.temp }}/results/javascript.sarif category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/ - - name: Check output from `upload-single-sarif-code-scanning` step + - name: Fail for missing output from `upload-single-sarif-code-scanning` step if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning) run: exit 1 - - name: Upload single SARIF file for Code Scanning + - name: Upload single SARIF file for Code Quality uses: ./../action/upload-sarif id: upload-single-sarif-code-quality if: contains(matrix.analysis-kinds, 'code-quality') 
@@ -133,7 +133,7 @@ jobs: sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/ - - name: Check output from `upload-single-sarif-code-quality` step + - name: Fail for missing output from `upload-single-sarif-code-quality` step if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality) run: exit 1 @@ -151,7 +151,7 @@ jobs: sarif_file: ${{ runner.temp }}/results/javascript.sarif.json category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/ - - name: Check output from `upload-single-non-sarif` step + - name: Fail for missing output from `upload-single-non-sarif` step if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning) run: exit 1 env: diff --git a/pr-checks/checks/upload-sarif.yml b/pr-checks/checks/upload-sarif.yml index 840e765011..1801a27407 100644 --- a/pr-checks/checks/upload-sarif.yml +++ b/pr-checks/checks/upload-sarif.yml 
@@ -29,10 +29,10 @@ steps: sarif_file: ${{ runner.temp }}/results category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/ - - name: "Check output from `upload-sarif` step for `code-scanning`" + - name: "Fail for missing output from `upload-sarif` step for `code-scanning`" if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)" run: exit 1 - - name: "Check output from `upload-sarif` step for `code-quality`" + - name: "Fail for missing output from `upload-sarif` step for `code-quality`" if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)" run: exit 1 @@ -46,10 +46,10 @@ steps: sarif_file: ${{ runner.temp }}/results/javascript.sarif category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/ - - name: "Check output from `upload-single-sarif-code-scanning` step" + - name: "Fail for missing output from `upload-single-sarif-code-scanning` step" if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)" run: exit 1 - - name: Upload single SARIF file for Code Scanning + - name: Upload single SARIF file for Code Quality uses: ./../action/upload-sarif id: upload-single-sarif-code-quality if: "contains(matrix.analysis-kinds, 'code-quality')" 
@@ -59,7 +59,7 @@ steps: sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/ - - name: "Check output from `upload-single-sarif-code-quality` step" + - name: "Fail for missing output from `upload-single-sarif-code-quality` step" if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)" run: exit 1 @@ -76,6 +76,6 @@ steps: sarif_file: ${{ runner.temp }}/results/javascript.sarif.json category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/ - - name: "Check output from `upload-single-non-sarif` step" + - name: "Fail for missing output from `upload-single-non-sarif` step" if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)" run: exit 1