Warn if a private registry configuration uses a PAT, but has no username

Michael B. Gale
2026-01-24 13:02:41 +00:00
parent c12cf8d49a
commit 9fccf271ff
3 changed files with 130 additions and 19 deletions
+72 -18
@@ -19578,11 +19578,11 @@ var require_exec = __commonJS({
});
};
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.exec = exec;
exports2.exec = exec3;
exports2.getExecOutput = getExecOutput;
var string_decoder_1 = require("string_decoder");
var tr = __importStar2(require_toolrunner());
function exec(commandLine, args, options) {
function exec3(commandLine, args, options) {
return __awaiter2(this, void 0, void 0, function* () {
const commandArgs = tr.argStringToArray(commandLine);
if (commandArgs.length === 0) {
@@ -19616,7 +19616,7 @@ var require_exec = __commonJS({
}
};
const listeners = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.listeners), { stdout: stdOutListener, stderr: stdErrListener });
const exitCode = yield exec(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
const exitCode = yield exec3(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
stdout += stdoutDecoder.end();
stderr += stderrDecoder.end();
return {
@@ -19704,12 +19704,12 @@ var require_platform = __commonJS({
exports2.isLinux = exports2.isMacOS = exports2.isWindows = exports2.arch = exports2.platform = void 0;
exports2.getDetails = getDetails;
var os_1 = __importDefault2(require("os"));
var exec = __importStar2(require_exec());
var exec3 = __importStar2(require_exec());
var getWindowsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
const { stdout: version } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
const { stdout: version } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
silent: true
});
const { stdout: name } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
const { stdout: name } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
silent: true
});
return {
@@ -19719,7 +19719,7 @@ var require_platform = __commonJS({
});
var getMacOsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
var _a, _b, _c, _d;
const { stdout } = yield exec.getExecOutput("sw_vers", void 0, {
const { stdout } = yield exec3.getExecOutput("sw_vers", void 0, {
silent: true
});
const version = (_b = (_a = stdout.match(/ProductVersion:\s*(.+)/)) === null || _a === void 0 ? void 0 : _a[1]) !== null && _b !== void 0 ? _b : "";
@@ -19730,7 +19730,7 @@ var require_platform = __commonJS({
};
});
var getLinuxInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
const { stdout } = yield exec.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
const { stdout } = yield exec3.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
silent: true
});
const [name, version] = stdout.trim().split("\n");
@@ -50597,7 +50597,7 @@ var require_exec2 = __commonJS({
exports2.getExecOutput = exports2.exec = void 0;
var string_decoder_1 = require("string_decoder");
var tr = __importStar2(require_toolrunner2());
function exec(commandLine, args, options) {
function exec3(commandLine, args, options) {
return __awaiter2(this, void 0, void 0, function* () {
const commandArgs = tr.argStringToArray(commandLine);
if (commandArgs.length === 0) {
@@ -50609,7 +50609,7 @@ var require_exec2 = __commonJS({
return runner.exec();
});
}
exports2.exec = exec;
exports2.exec = exec3;
function getExecOutput(commandLine, args, options) {
var _a, _b;
return __awaiter2(this, void 0, void 0, function* () {
@@ -50632,7 +50632,7 @@ var require_exec2 = __commonJS({
}
};
const listeners = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.listeners), { stdout: stdOutListener, stderr: stdErrListener });
const exitCode = yield exec(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
const exitCode = yield exec3(commandLine, args, Object.assign(Object.assign({}, options), { listeners }));
stdout += stdoutDecoder.end();
stderr += stderrDecoder.end();
return {
@@ -50710,12 +50710,12 @@ var require_platform2 = __commonJS({
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.getDetails = exports2.isLinux = exports2.isMacOS = exports2.isWindows = exports2.arch = exports2.platform = void 0;
var os_1 = __importDefault2(require("os"));
var exec = __importStar2(require_exec2());
var exec3 = __importStar2(require_exec2());
var getWindowsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
const { stdout: version } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
const { stdout: version } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Version"', void 0, {
silent: true
});
const { stdout: name } = yield exec.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
const { stdout: name } = yield exec3.getExecOutput('powershell -command "(Get-CimInstance -ClassName Win32_OperatingSystem).Caption"', void 0, {
silent: true
});
return {
@@ -50725,7 +50725,7 @@ var require_platform2 = __commonJS({
});
var getMacOsInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
var _a, _b, _c, _d;
const { stdout } = yield exec.getExecOutput("sw_vers", void 0, {
const { stdout } = yield exec3.getExecOutput("sw_vers", void 0, {
silent: true
});
const version = (_b = (_a = stdout.match(/ProductVersion:\s*(.+)/)) === null || _a === void 0 ? void 0 : _a[1]) !== null && _b !== void 0 ? _b : "";
@@ -50736,7 +50736,7 @@ var require_platform2 = __commonJS({
};
});
var getLinuxInfo = () => __awaiter2(void 0, void 0, void 0, function* () {
const { stdout } = yield exec.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
const { stdout } = yield exec3.getExecOutput("lsb_release", ["-i", "-r", "-s"], {
silent: true
});
const [name, version] = stdout.trim().split("\n");
@@ -54169,7 +54169,7 @@ var require_cacheUtils = __commonJS({
exports2.getCacheVersion = getCacheVersion;
exports2.getRuntimeToken = getRuntimeToken;
var core12 = __importStar2(require_core());
var exec = __importStar2(require_exec());
var exec3 = __importStar2(require_exec());
var glob = __importStar2(require_glob());
var io4 = __importStar2(require_io());
var crypto2 = __importStar2(require("crypto"));
@@ -54249,7 +54249,7 @@ var require_cacheUtils = __commonJS({
additionalArgs.push("--version");
core12.debug(`Checking ${app} ${additionalArgs.join(" ")}`);
try {
yield exec.exec(`${app}`, additionalArgs, {
yield exec3.exec(`${app}`, additionalArgs, {
ignoreReturnCode: true,
silent: true,
listeners: {
@@ -103962,6 +103962,49 @@ function getActionsLogger() {
// src/start-proxy.ts
var core7 = __toESM(require_core());
// src/artifact-scanner.ts
var exec = __toESM(require_exec());
var GITHUB_PAT_CLASSIC_PATTERN = {
type: "Personal Access Token (Classic)" /* PersonalAccessClassic */,
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g
};
var GITHUB_PAT_FINE_GRAINED_PATTERN = {
type: "Personal Access Token (Fine-grained)" /* PersonalAccessFineGrained */,
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g
};
var GITHUB_TOKEN_PATTERNS = [
GITHUB_PAT_CLASSIC_PATTERN,
GITHUB_PAT_FINE_GRAINED_PATTERN,
{
type: "OAuth Access Token" /* OAuth */,
pattern: /\bgho_[a-zA-Z0-9]{36}\b/g
},
{
type: "User-to-Server Token" /* UserToServer */,
pattern: /\bghu_[a-zA-Z0-9]{36}\b/g
},
{
type: "Server-to-Server Token" /* ServerToServer */,
pattern: /\bghs_[a-zA-Z0-9]{36}\b/g
},
{
type: "Refresh Token" /* Refresh */,
pattern: /\bghr_[a-zA-Z0-9]{36}\b/g
},
{
type: "App Installation Access Token" /* AppInstallationAccess */,
pattern: /\bghs_[a-zA-Z0-9]{255}\b/g
}
];
function isAuthToken(value, patterns = GITHUB_TOKEN_PATTERNS) {
for (const { type: type2, pattern } of patterns) {
if (pattern.test(value)) {
return type2;
}
}
return void 0;
}
// src/defaults.json
var bundleVersion = "codeql-bundle-v2.23.9";
var cliVersion = "2.23.9";
@@ -104004,6 +104047,12 @@ function parseLanguage(language) {
}
return void 0;
}
function isPAT(value) {
return isAuthToken(value, [
GITHUB_PAT_CLASSIC_PATTERN,
GITHUB_PAT_FINE_GRAINED_PATTERN
]);
}
var LANGUAGE_TO_REGISTRY_TYPE = {
java: ["maven_repository"],
csharp: ["nuget_feed"],
@@ -104065,6 +104114,11 @@ function getCredentials(logger, registrySecrets, registriesCredentials, language
"Invalid credentials - fields must contain only printable characters"
);
}
if (!isDefined(e.username) && (isDefined(e.password) && isPAT(e.password) || isDefined(e.token) && isPAT(e.token))) {
logger.warning(
`A ${e.type} private registry is configured for ${e.host || e.url} using a GitHub Personal Access Token (PAT), but no username was provided. This may not work correctly. When configuring a private registry using a PAT, select "Username and password" and enter the username of the user who generated the PAT.`
);
}
out.push({
type: e.type,
host: e.host,
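Review bot: `isAuthToken` (hunk at 103962) calls `pattern.test(value)` on regexes declared with the `g` flag, and those regex objects are shared module-level constants, so `lastIndex` carries over between calls: after one successful match, the next call with the same pattern starts searching at the previous match's end and can return `undefined` for a value that is a PAT. In `getCredentials` (hunk at 104065) this means the new warning can be skipped for the second of two registry entries that both use a PAT without a username. Resetting the state with `pattern.lastIndex = 0;` immediately before `if (pattern.test(value))`, or testing against a non-global copy of the pattern, makes the check independent of call history. This file looks like a generated bundle, so the fix belongs in the source indicated by the `// src/artifact-scanner.ts` marker, and `getCredentials` itself continues outside the hunk.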