Use artifact scanner in debug artifacts PR checks

2026-04-27 17:39:15 +00:00 · 2025-12-17 10:25:47 +00:00
parent 5459b98ca0
commit f28848a66a
7 changed files with 2828 additions and 2193 deletions
@@ -8,6 +8,7 @@ import archiver from "archiver";

 import { getOptionalInput, getTemporaryDirectory } from "./actions-util";
 import { dbIsFinalized } from "./analyze";
+import { scanArtifactsForTokens } from "./artifact-scanner";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
 import { EnvVar } from "./environment";
@@ -23,6 +24,7 @@ import {
  getCodeQLDatabasePath,
  getErrorMessage,
  GitHubVariant,
+  isInTestMode,
  listFolder,
 } from "./util";

@@ -269,6 +271,14 @@ export async function uploadDebugArtifacts(
    return "upload-not-supported";
  }

+  // When running in test mode, perform a best effort scan of the debug artifacts. The artifact
+  // scanner is basic and not reliable or fast enough for production use, but it can help catch
+  // some issues early.
+  if (isInTestMode()) {
+    await scanArtifactsForTokens(toUpload, logger);
+    core.exportVariable("CODEQL_ACTION_ARTIFACT_SCAN_FINISHED", "true");
+  }
+
  let suffix = "";
  const matrix = getOptionalInput("matrix");
  if (matrix) {