Write processed SARIF files if post-process-output input is provided

2026-04-27 01:08:46 +00:00 · 2025-10-22 00:16:27 +01:00
parent c2bec36917
commit 12f3cfef09
7 changed files with 109 additions and 49 deletions
@@ -95932,6 +95932,19 @@ async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths,
  );
  return { sarif, analysisKey, environment };
 }
+async function writeProcessedFiles(logger, pathInput, uploadTarget, processingResults) {
+  const outputPath = pathInput || process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  if (outputPath !== void 0) {
+    dumpSarifFile(
+      JSON.stringify(processingResults.sarif),
+      outputPath,
+      logger,
+      uploadTarget
+    );
+  } else {
+    logger.debug(`Not writing processed SARIF files.`);
+  }
+}
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
@@ -95970,10 +95983,6 @@ async function uploadProcessedFiles(logger, checkoutPath, uploadTarget, processi
  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
  logger.debug(`Serializing SARIF for upload`);
  const sarifPayload = JSON.stringify(sarif);
-  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
  logger.debug(`Compressing serialized SARIF`);
  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -96017,14 +96026,14 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
    fs18.mkdirSync(outputDir, { recursive: true });
  } else if (!fs18.lstatSync(outputDir).isDirectory()) {
    throw new ConfigurationError(
-      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
+      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`
    );
  }
  const outputFile = path18.resolve(
    outputDir,
    `upload${uploadTarget.sarifExtension}`
  );
-  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  logger.info(`Writing processed SARIF file to ${outputFile}`);
  fs18.writeFileSync(outputFile, sarifPayload);
 }
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
@@ -96180,7 +96189,7 @@ function filterAlertsByDiffRange(logger, sarif) {
 }

 // src/upload-sarif.ts
-async function uploadSarif(logger, features, uploadKind, checkoutPath, sarifPath, category) {
+async function uploadSarif(logger, features, uploadKind, checkoutPath, sarifPath, category, processedOutputPath) {
  const sarifGroups = await getGroupedSarifFilePaths(
    logger,
    sarifPath
@@ -96198,6 +96207,12 @@ async function uploadSarif(logger, features, uploadKind, checkoutPath, sarifPath
      category,
      analysisConfig
    );
+    await writeProcessedFiles(
+      logger,
+      processedOutputPath,
+      analysisConfig,
+      processingResults
+    );
    if (uploadKind === "always") {
      uploadResults[analysisKind] = await uploadProcessedFiles(
        logger,
@@ -96417,7 +96432,8 @@ async function run() {
          uploadKind,
          checkoutPath,
          outputDir,
-          category
+          category,
+          getOptionalInput("post-process-output")
        );
      } else {
        uploadResults = {};
@@ -133381,10 +133381,6 @@ async function uploadProcessedFiles(logger, checkoutPath, uploadTarget, processi
  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
  logger.debug(`Serializing SARIF for upload`);
  const sarifPayload = JSON.stringify(sarif);
-  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
  logger.debug(`Compressing serialized SARIF`);
  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -133423,21 +133419,6 @@ async function uploadProcessedFiles(logger, checkoutPath, uploadTarget, processi
    sarifID
  };
 }
-function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
-  if (!fs17.existsSync(outputDir)) {
-    fs17.mkdirSync(outputDir, { recursive: true });
-  } else if (!fs17.lstatSync(outputDir).isDirectory()) {
-    throw new ConfigurationError(
-      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
-    );
-  }
-  const outputFile = path17.resolve(
-    outputDir,
-    `upload${uploadTarget.sarifExtension}`
-  );
-  logger.info(`Dumping processed SARIF file to ${outputFile}`);
-  fs17.writeFileSync(outputFile, sarifPayload);
-}
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
 var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3;
 async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
@@ -84858,7 +84858,8 @@ __export(upload_lib_exports, {
  uploadProcessedFiles: () => uploadProcessedFiles,
  validateSarifFileSchema: () => validateSarifFileSchema,
  validateUniqueCategory: () => validateUniqueCategory,
-  waitForProcessing: () => waitForProcessing
+  waitForProcessing: () => waitForProcessing,
+  writeProcessedFiles: () => writeProcessedFiles
 });
 module.exports = __toCommonJS(upload_lib_exports);
 var fs13 = __toESM(require("fs"));
@@ -92747,6 +92748,19 @@ async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths,
  );
  return { sarif, analysisKey, environment };
 }
+async function writeProcessedFiles(logger, pathInput, uploadTarget, processingResults) {
+  const outputPath = pathInput || process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  if (outputPath !== void 0) {
+    dumpSarifFile(
+      JSON.stringify(processingResults.sarif),
+      outputPath,
+      logger,
+      uploadTarget
+    );
+  } else {
+    logger.debug(`Not writing processed SARIF files.`);
+  }
+}
 async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger, uploadTarget) {
  const sarifPaths = getSarifFilePaths(
    inputSarifPath,
@@ -92785,10 +92799,6 @@ async function uploadProcessedFiles(logger, checkoutPath, uploadTarget, processi
  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
  logger.debug(`Serializing SARIF for upload`);
  const sarifPayload = JSON.stringify(sarif);
-  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
  logger.debug(`Compressing serialized SARIF`);
  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -92832,14 +92842,14 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
    fs13.mkdirSync(outputDir, { recursive: true });
  } else if (!fs13.lstatSync(outputDir).isDirectory()) {
    throw new ConfigurationError(
-      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
+      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`
    );
  }
  const outputFile = path14.resolve(
    outputDir,
    `upload${uploadTarget.sarifExtension}`
  );
-  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  logger.info(`Writing processed SARIF file to ${outputFile}`);
  fs13.writeFileSync(outputFile, sarifPayload);
 }
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
@@ -93012,7 +93022,8 @@ function filterAlertsByDiffRange(logger, sarif) {
  uploadProcessedFiles,
  validateSarifFileSchema,
  validateUniqueCategory,
-  waitForProcessing
+  waitForProcessing,
+  writeProcessedFiles
 });
 /*! Bundled license information:

@@ -93402,6 +93402,19 @@ async function postProcessSarifFiles(logger, features, checkoutPath, sarifPaths,
  );
  return { sarif, analysisKey, environment };
 }
+async function writeProcessedFiles(logger, pathInput, uploadTarget, processingResults) {
+  const outputPath = pathInput || process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
+  if (outputPath !== void 0) {
+    dumpSarifFile(
+      JSON.stringify(processingResults.sarif),
+      outputPath,
+      logger,
+      uploadTarget
+    );
+  } else {
+    logger.debug(`Not writing processed SARIF files.`);
+  }
+}
 async function uploadProcessedFiles(logger, checkoutPath, uploadTarget, processingResults) {
  logger.startGroup(`Uploading ${uploadTarget.name} results`);
  const sarif = processingResults.sarif;
@@ -93410,10 +93423,6 @@ async function uploadProcessedFiles(logger, checkoutPath, uploadTarget, processi
  validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
  logger.debug(`Serializing SARIF for upload`);
  const sarifPayload = JSON.stringify(sarif);
-  const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
  logger.debug(`Compressing serialized SARIF`);
  const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -93457,14 +93466,14 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) {
    fs14.mkdirSync(outputDir, { recursive: true });
  } else if (!fs14.lstatSync(outputDir).isDirectory()) {
    throw new ConfigurationError(
-      `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}`
+      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`
    );
  }
  const outputFile = path15.resolve(
    outputDir,
    `upload${uploadTarget.sarifExtension}`
  );
-  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  logger.info(`Writing processed SARIF file to ${outputFile}`);
  fs14.writeFileSync(outputFile, sarifPayload);
 }
 var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3;
@@ -93620,7 +93629,7 @@ function filterAlertsByDiffRange(logger, sarif) {
 }

 // src/upload-sarif.ts
-async function uploadSarif(logger, features, uploadKind, checkoutPath, sarifPath, category) {
+async function uploadSarif(logger, features, uploadKind, checkoutPath, sarifPath, category, processedOutputPath) {
  const sarifGroups = await getGroupedSarifFilePaths(
    logger,
    sarifPath
@@ -93638,6 +93647,12 @@ async function uploadSarif(logger, features, uploadKind, checkoutPath, sarifPath
      category,
      analysisConfig
    );
+    await writeProcessedFiles(
+      logger,
+      processedOutputPath,
+      analysisConfig,
+      processingResults
+    );
    if (uploadKind === "always") {
      uploadResults[analysisKind] = await uploadProcessedFiles(
        logger,
@@ -359,6 +359,7 @@ async function run() {
          checkoutPath,
          outputDir,
          category,
+          actionsUtil.getOptionalInput("post-process-output"),
        );
      } else {
        uploadResults = {};
@@ -759,6 +759,36 @@ export async function postProcessSarifFiles(
  return { sarif, analysisKey, environment };
 }

+/**
+ * Writes the processed SARIF file to disk, if needed based on `pathInput` or the `SARIF_DUMP_DIR`.
+ *
+ * @param logger The logger to use.
+ * @param pathInput The input provided for `post-process-output`.
+ * @param uploadTarget The upload target.
+ * @param processingResults The results of post-processing SARIF files.
+ */
+export async function writeProcessedFiles(
+  logger: Logger,
+  pathInput: string | undefined,
+  uploadTarget: analyses.AnalysisConfig,
+  processingResults: PostProcessingResults,
+) {
+  // If there's an explicit input, use that. Otherwise, use the value from the environment variable.
+  const outputPath = pathInput || process.env[EnvVar.SARIF_DUMP_DIR];
+
+  // If we have an output path, write the SARIF file to it.
+  if (outputPath !== undefined) {
+    dumpSarifFile(
+      JSON.stringify(processingResults.sarif),
+      outputPath,
+      logger,
+      uploadTarget,
+    );
+  } else {
+    logger.debug(`Not writing processed SARIF files.`);
+  }
+}
+
 /**
 * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
 * to.
@@ -841,11 +871,6 @@ export async function uploadProcessedFiles(
  logger.debug(`Serializing SARIF for upload`);
  const sarifPayload = JSON.stringify(sarif);

-  const dumpDir = process.env[EnvVar.SARIF_DUMP_DIR];
-  if (dumpDir) {
-    dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
-  }
-
  logger.debug(`Compressing serialized SARIF`);
  const zippedSarif = zlib.gzipSync(sarifPayload).toString("base64");
  const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -905,14 +930,14 @@ function dumpSarifFile(
    fs.mkdirSync(outputDir, { recursive: true });
  } else if (!fs.lstatSync(outputDir).isDirectory()) {
    throw new ConfigurationError(
-      `The path specified by the ${EnvVar.SARIF_DUMP_DIR} environment variable exists and is not a directory: ${outputDir}`,
+      `The path that processed SARIF files should be written to exists, but is not a directory: ${outputDir}`,
    );
  }
  const outputFile = path.resolve(
    outputDir,
    `upload${uploadTarget.sarifExtension}`,
  );
-  logger.info(`Dumping processed SARIF file to ${outputFile}`);
+  logger.info(`Writing processed SARIF file to ${outputFile}`);
  fs.writeFileSync(outputFile, sarifPayload);
 }

@@ -19,6 +19,7 @@ export type UploadSarifResults = Partial<
 * @param checkoutPath The path where the repository was checked out at.
 * @param sarifPath The path to the file or directory to upload.
 * @param category The analysis category.
+ * @param processedOutputPath The path to a directory to which the post-processed SARIF files should be written to.
 *
 * @returns A partial mapping from analysis kinds to the upload results.
 */
@@ -29,6 +30,7 @@ export async function uploadSarif(
  checkoutPath: string,
  sarifPath: string,
  category?: string,
+  processedOutputPath?: string,
 ): Promise<UploadSarifResults> {
  const sarifGroups = await upload_lib.getGroupedSarifFilePaths(
    logger,
@@ -49,6 +51,15 @@ export async function uploadSarif(
      analysisConfig,
    );

+    // Write the processed SARIF files to disk. This will only write them if needed based on user inputs
+    // or environment variables.
+    await upload_lib.writeProcessedFiles(
+      logger,
+      processedOutputPath,
+      analysisConfig,
+      processingResults,
+    );
+
    // Only perform the actual upload of the processed files, if `uploadKind` is `always`.
    if (uploadKind === "always") {
      uploadResults[analysisKind] = await upload_lib.uploadProcessedFiles(