Allow pull requests, and report correct commit oid and ref

github · May 28, 2020 · da1e237 · da1e237
1 parent 8b71cf3
commit da1e237
Showing 9 changed files with 97 additions and 36 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,6 +1,6 @@
 name: "CodeQL action"
 
-on: [push]
+on: [push, pull_request]
 
 jobs:
   build:
@@ -11,6 +11,16 @@ jobs:
 
     steps:
     - uses: actions/checkout@v1
+       with:
+         # Must fetch at least the immediate parents so that if this is
+         # a pull request then we can checkout the head of the pull request.
+         fetch-depth: 2
+
+    # If this run was triggered by a pull request event then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
     - uses: ./init
       with:
         languages: javascript

diff --git a/.github/workflows/integration-testing.yml b/.github/workflows/integration-testing.yml
@@ -1,6 +1,6 @@
 name: "Integration Testing"
 
-on: [push]
+on: [push, pull_request]
 
 jobs:
   multi-language-repo_test-autodetect-languages:
@@ -16,9 +16,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
-        mv * ../action/
-        mv ../action/tests/multi-language-repo/* .
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
     - uses: ./../action/init
     - name: Build code
       shell: bash
@@ -40,9 +39,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
-        mv * ../action/
-        mv ../action/tests/multi-language-repo/* .
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
     - uses: ./../action/init
       with:
         languages: cpp,csharp,java,javascript,python
@@ -72,9 +70,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
-        mv * ../action/
-        mv ../action/tests/multi-language-repo/* .
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
     - uses: ./../action/init
       with:
         languages: go
@@ -96,9 +93,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
-        mv * ../action/
-        mv ../action/tests/multi-language-repo/* .
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
@@ -117,4 +113,4 @@ jobs:
       with:
         sarif_file: rubocop.sarif
       env:
-        TEST_MODE: true
+        TEST_MODE: true
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ name: "Code Scanning - Action"
 
 on:
   push:
+  pull_request:
   schedule:
     - cron: '0 0 * * 0'
 
@@ -33,6 +34,17 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+        with:
+          # Must fetch at least the immediate parents so that if this is
+          # a pull request then we can checkout the head of the pull request.
+          # Only include this option if you are running this workflow on pull requests.
+          fetch-depth: 2
+
+      # If this run was triggered by a pull request event then checkout
+      # the head of the pull request instead of the merge commit.
+      # Only include this step if you are running this workflow on pull requests.
+      - run: git checkout HEAD^2
+        if: ${{ github.event_name == 'pull_request' }}
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

diff --git a/lib/upload-lib.js b/lib/upload-lib.js
diff --git a/lib/upload-lib.js.map b/lib/upload-lib.js.map
diff --git a/lib/util.js b/lib/util.js
diff --git a/lib/util.js.map b/lib/util.js.map
diff --git a/src/upload-lib.ts b/src/upload-lib.ts
@@ -136,7 +136,7 @@ async function uploadFiles(sarifFiles: string[]): Promise<boolean> {
         }
         core.exportVariable(sentinelEnvVar, sentinelEnvVar);
 
-        const commitOid = util.getRequiredEnvParam('GITHUB_SHA');
+        const commitOid = await util.getCommitOid();
         const workflowRunIDStr = util.getRequiredEnvParam('GITHUB_RUN_ID');
         const ref = util.getRef();
         const analysisKey = await util.getAnalysisKey();

diff --git a/src/util.ts b/src/util.ts
@@ -1,4 +1,5 @@
 import * as core from '@actions/core';
+import * as exec from '@actions/exec';
 import * as http from '@actions/http-client';
 import * as auth from '@actions/http-client/auth';
 import * as octokit from '@octokit/rest';
@@ -25,13 +26,6 @@ export function should_abort(actionName: string, requireInitActionHasRun: boolea
         return true;
     }
 
-    // Should abort if called on a merge commit for a pull request.
-    if (ref.startsWith('refs/pull/')) {
-        core.warning('The CodeQL ' + actionName + ' action is intended for workflows triggered on `push` events, '
-            + 'but the current workflow is running on a pull request. Aborting.');
-        return true;
-    }
-
     // If the init action is required, then check the it completed successfully.
     if (requireInitActionHasRun && process.env[sharedEnv.CODEQL_ACTION_INIT_COMPLETED] === undefined) {
         core.setFailed('The CodeQL ' + actionName + ' action cannot be used unless the CodeQL init action is run first. Aborting.');
@@ -152,6 +146,21 @@ export async function getLanguages(): Promise<string[]> {
     return languages;
 }
 
+/**
+ * Gets the SHA of the commit that is currently checked out.
+ */
+export async function getCommitOid(): Promise<string> {
+    let commitOid = '';
+    await exec.exec('git', ['rev-parse', 'HEAD'], {
+        silent: true,
+        listeners: {
+            stdout: (data) => { commitOid += data.toString(); },
+            stderr: (data) => { process.stderr.write(data); }
+        }
+    });
+    return commitOid.trim();
+}
+
 /**
  * Get the path of the currently executing workflow.
  */
@@ -204,8 +213,20 @@ export async function getAnalysisKey(): Promise<string> {
  * Get the ref currently being analyzed.
  */
 export function getRef(): string {
-    // it's in the form "refs/heads/master"
-    return getRequiredEnvParam('GITHUB_REF');
+    // Will be in the form "refs/heads/master" on a push event
+    // or in the form "refs/pull/N/merge" on a pull_request event
+    const ref = getRequiredEnvParam('GITHUB_REF');
+
+    // For pull request refs we want to convert from the 'merge' ref
+    // to the 'head' ref, as that is what we want to analyse.
+    // There should have been some code earlier in the workflow to do
+    // the checkout, but we have no way of verifying that here.
+    const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
+    if (pull_ref_regex.test(ref)) {
+        return ref.replace(pull_ref_regex, 'refs/pull/$1/head');
+    } else {
+        return ref;
+    }
 }
 
 interface StatusReport {