Merge pull request #3123 from github/mbg/fix/upload-sarif-cq-only

2026-04-29 18:30:14 +00:00 · 2025-09-19 18:48:48 +01:00
parent c22ae04dd3 db37d924ee
commit 0337c4c06e
5 changed files with 186 additions and 99 deletions
@@ -32,6 +32,55 @@ interface UploadSarifStatusReport
  extends StatusReportBase,
    upload_lib.UploadStatusReport {}

+/**
+ * Searches for SARIF files for the given `analysis` in the given `sarifPath`.
+ * If any are found, then they are uploaded to the appropriate endpoint for the given `analysis`.
+ *
+ * @param logger The logger to use.
+ * @param features Information about FFs.
+ * @param sarifPath The path to a SARIF file or directory containing SARIF files.
+ * @param pathStats Information about `sarifPath`.
+ * @param checkoutPath The checkout path.
+ * @param analysis The configuration of the analysis we should upload SARIF files for.
+ * @param category The SARIF category to use for the upload.
+ * @returns The result of uploading the SARIF file(s) or `undefined` if there are none.
+ */
+async function findAndUpload(
+  logger: Logger,
+  features: Features,
+  sarifPath: string,
+  pathStats: fs.Stats,
+  checkoutPath: string,
+  analysis: analyses.AnalysisConfig,
+  category?: string,
+): Promise<upload_lib.UploadResult | undefined> {
+  let sarifFiles: string[] | undefined;
+
+  if (pathStats.isDirectory()) {
+    sarifFiles = upload_lib.findSarifFilesInDir(
+      sarifPath,
+      analysis.sarifPredicate,
+    );
+  } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) {
+    sarifFiles = [sarifPath];
+  } else {
+    return undefined;
+  }
+
+  if (sarifFiles.length !== 0) {
+    return await upload_lib.uploadSpecifiedFiles(
+      sarifFiles,
+      checkoutPath,
+      category,
+      features,
+      logger,
+      analysis,
+    );
+  }
+
+  return undefined;
+}
+
 async function sendSuccessStatusReport(
  startedAt: Date,
  uploadStats: upload_lib.UploadStatusReport,
@@ -86,54 +135,71 @@ async function run() {
  }

  try {
+    // `sarifPath` can either be a path to a single file, or a path to a directory.
    const sarifPath = actionsUtil.getRequiredInput("sarif_file");
    const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
    const category = actionsUtil.getOptionalInput("category");
+    const pathStats = fs.lstatSync(sarifPath, { throwIfNoEntry: false });

-    const uploadResult = await upload_lib.uploadFiles(
-      sarifPath,
-      checkoutPath,
-      category,
-      features,
+    if (pathStats === undefined) {
+      throw new ConfigurationError(`Path does not exist: ${sarifPath}.`);
+    }
+
+    const sarifIds: Array<{ analysis: string; id: string }> = [];
+    const uploadResult = await findAndUpload(
      logger,
+      features,
+      sarifPath,
+      pathStats,
+      checkoutPath,
      analyses.CodeScanning,
+      category,
    );
-    core.setOutput("sarif-id", uploadResult.sarifID);
+    if (uploadResult !== undefined) {
+      core.setOutput("sarif-id", uploadResult.sarifID);
+      sarifIds.push({
+        analysis: analyses.AnalysisKind.CodeScanning,
+        id: uploadResult.sarifID,
+      });
+    }

    // If there are `.quality.sarif` files in `sarifPath`, then upload those to the code quality service.
-    // Code quality can currently only be enabled on top of security, so we'd currently always expect to
-    // have a directory for the results here.
-    if (fs.lstatSync(sarifPath).isDirectory()) {
-      const qualitySarifFiles = upload_lib.findSarifFilesInDir(
-        sarifPath,
-        analyses.CodeQuality.sarifPredicate,
-      );
-
-      if (qualitySarifFiles.length !== 0) {
-        await upload_lib.uploadSpecifiedFiles(
-          qualitySarifFiles,
-          checkoutPath,
-          actionsUtil.fixCodeQualityCategory(logger, category),
-          features,
-          logger,
-          analyses.CodeQuality,
-        );
-      }
+    const qualityUploadResult = await findAndUpload(
+      logger,
+      features,
+      sarifPath,
+      pathStats,
+      checkoutPath,
+      analyses.CodeQuality,
+      actionsUtil.fixCodeQualityCategory(logger, category),
+    );
+    if (qualityUploadResult !== undefined) {
+      sarifIds.push({
+        analysis: analyses.AnalysisKind.CodeQuality,
+        id: qualityUploadResult.sarifID,
+      });
    }
+    core.setOutput("sarif-ids", JSON.stringify(sarifIds));

    // We don't upload results in test mode, so don't wait for processing
    if (isInTestMode()) {
      core.debug("In test mode. Waiting for processing is disabled.");
    } else if (actionsUtil.getRequiredInput("wait-for-processing") === "true") {
-      await upload_lib.waitForProcessing(
-        getRepositoryNwo(),
-        uploadResult.sarifID,
-        logger,
-      );
+      if (uploadResult !== undefined) {
+        await upload_lib.waitForProcessing(
+          getRepositoryNwo(),
+          uploadResult.sarifID,
+          logger,
+        );
+      }
      // The code quality service does not currently have an endpoint to wait for SARIF processing,
      // so we can't wait for that here.
    }
-    await sendSuccessStatusReport(startedAt, uploadResult.statusReport, logger);
+    await sendSuccessStatusReport(
+      startedAt,
+      uploadResult?.statusReport || {},
+      logger,
+    );
  } catch (unwrappedError) {
    const error =
      isThirdPartyAnalysis(ActionName.UploadSarif) &&