Update error message and remove feature flag preloading

Discussion here https://github.com/github/codeql-action/pull/882#discussion_r789924177 shows that properly handling preloading feature flag errors is complex and the benefit we get from it does not offset the complexity.
github · Jan 21, 2022 · f18151c · f18151c
1 parent e175dea
commit f18151c
Showing 13 changed files with 16 additions and 71 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,7 @@
 ## [UNRELEASED]
 
 - Display a better error message when encountering a workflow that runs the `codeql-action/init` action multiple times. [#876](https://github.com/github/codeql-action/pull/876)
-- Add better error message is the workflow does not have security-events write permissions. [#882](https://github.com/github/codeql-action/pull/882)
+- Add better error message is the workflow does not have the `security-events: write` permission. [#882](https://github.com/github/codeql-action/pull/882)
 
 ## 1.0.29 - 21 Jan 2022
 

diff --git a/lib/analyze-action.js b/lib/analyze-action.js
diff --git a/lib/analyze-action.js.map b/lib/analyze-action.js.map
diff --git a/lib/feature-flags.js b/lib/feature-flags.js
diff --git a/lib/feature-flags.js.map b/lib/feature-flags.js.map
diff --git a/lib/feature-flags.test.js b/lib/feature-flags.test.js
diff --git a/lib/feature-flags.test.js.map b/lib/feature-flags.test.js.map
diff --git a/lib/init-action.js b/lib/init-action.js
diff --git a/lib/init-action.js.map b/lib/init-action.js.map
diff --git a/src/analyze-action.ts b/src/analyze-action.ts
@@ -111,12 +111,6 @@ async function run() {
       repositoryNwo,
       logger
     );
-    // We currently perform an API request in both the `init` and `analyze` Actions to determine
-    // what feature flags are enabled. At the time of writing, this redundant API call is acceptable
-    // to us, but if we wanted to avoid it, we could do so by serializing the feature flags as part
-    // of the config file.
-    void featureFlags.preloadFeatureFlags();
-
     await runFinalize(outputDir, threads, memory, config, logger);
     if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
       runStats = await runQueries(

diff --git a/src/feature-flags.test.ts b/src/feature-flags.test.ts
@@ -102,26 +102,6 @@ test("Feature flags are disabled if they're not returned in API response", async
   });
 });
 
-test("Feature flags exception is propagated if the API request errors", async (t) => {
-  await withTmpDir(async (tmpDir) => {
-    setupActionsVars(tmpDir, tmpDir);
-
-    const featureFlags = new GitHubFeatureFlags(
-      { type: GitHubVariant.DOTCOM },
-      testApiDetails,
-      testRepositoryNwo,
-      getRunnerLogger(true)
-    );
-
-    mockFeatureFlagApiEndpoint(500, {});
-
-    await t.throwsAsync(async () => featureFlags.preloadFeatureFlags(), {
-      message:
-        "Encountered an error while trying to load feature flags: Error: some error message",
-    });
-  });
-});
-
 const FEATURE_FLAGS = [
   "database_uploads_enabled",
   "ml_powered_queries_enabled",

diff --git a/src/feature-flags.ts b/src/feature-flags.ts
@@ -42,10 +42,6 @@ export class GitHubFeatureFlags implements FeatureFlags {
     return response;
   }
 
-  async preloadFeatureFlags(): Promise<void> {
-    await this.getApiResponse();
-  }
-
   private async getApiResponse(): Promise<FeatureFlagsApiResponse> {
     const loadApiResponse = async () => {
       // Do nothing when not running against github.com
@@ -66,15 +62,12 @@ export class GitHubFeatureFlags implements FeatureFlags {
         );
         return response.data;
       } catch (e) {
-        if (
-          e instanceof Error &&
-          e.message.includes("Resource not accessible by integration")
-        ) {
-          throw new Error(
-            `Resource not accessible by integration. This usually means that your ` +
-              `workflow is missing the required security-events write permissions. ` +
-              `See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions ` +
-              `for more information.`
+        if (util.isHTTPError(e) && e.status === 403) {
+          this.logger.warning(
+            "This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. " +
+              "As a result, it will not be opted into any experimental features. " +
+              "This could be because the Action is running on a pull request from a fork. If not, " +
+              `please ensure the Action has the 'security-events: write' permission. Details: ${e}`
           );
         } else {
           // Some feature flags, such as `ml_powered_queries_enabled` affect the produced alerts.

diff --git a/src/init-action.ts b/src/init-action.ts
@@ -145,8 +145,6 @@ async function run() {
   );
 
   try {
-    await featureFlags.preloadFeatureFlags();
-
     const workflowErrors = await validateWorkflow();
 
     if (