Install proxy cert on GitHub-hosted Ubuntu runners

Add JSDoc and a little extra logging for startProxy
2026-05-10 07:40:28 +00:00 · 2026-01-27 14:02:36 +00:00 · 2026-01-27 14:02:07 +00:00
3 changed files with 399 additions and 251 deletions
@@ -14,6 +14,7 @@ import {
  Credential,
  getCredentials,
  getDownloadUrl,
+  installProxyCertificate,
  parseLanguage,
  UPDATEJOB_PROXY,
 } from "./start-proxy";
@@ -220,6 +221,15 @@ async function runWrapper() {
  }
 }

+/**
+ * Starts the proxy process with the binary at `binPath` using `config` on a random
+ * port (but always starting with 49152).
+ *
+ * @param binPath The path to the proxy binary.
+ * @param config The configuration for the proxy.
+ * @param logFilePath The path for the proxy log file.
+ * @param logger The logger to use.
+ */
 async function startProxy(
  binPath: string,
  config: ProxyConfig,
@@ -232,6 +242,7 @@ async function startProxy(
  let tries = 5;
  let subprocessError: Error | undefined = undefined;
  while (tries-- > 0 && !subprocess && !subprocessError) {
+    logger.info(`Attempting to start proxy on ${host}:${port}...`);
    subprocess = spawn(
      binPath,
      ["-addr", `${host}:${port}`, "-config", "-", "-logfile", logFilePath],
@@ -275,6 +286,8 @@ async function startProxy(
      url: credential.url,
    }));
  core.setOutput("proxy_urls", JSON.stringify(registry_urls));
+
+  await installProxyCertificate(logger, config.ca.cert);
 }

 async function getProxyBinaryPath(logger: Logger): Promise<string> {
@@ -1,5 +1,9 @@
+import * as fs from "fs";
+import * as path from "path";
+
 import * as core from "@actions/core";

+import { isSelfHostedRunner, runTool } from "./actions-util";
 import { getApiClient } from "./api-client";
 import * as defaults from "./defaults.json";
 import { KnownLanguage } from "./languages";
@@ -256,3 +260,49 @@ export async function getDownloadUrl(
    version: UPDATEJOB_PROXY_VERSION,
  };
 }
+
+// The standard path for certificates on Ubuntu.
+const certPath = "/usr/local/share/ca-certificates/";
+
+/**
+ * If we are running on a GitHub-hosted Ubuntu runner, this function attempts to
+ * install the `cert` into the system-wide certificate store.
+ *
+ * This function does nothing on other platforms.
+ *
+ * @param logger The logger to use.
+ * @param cert The certificate to install.
+ */
+export async function installProxyCertificate(logger: Logger, cert: string) {
+  // On GitHub-hosted linux runners, install the certificate system-wide.
+  if (process.platform === "linux" && !isSelfHostedRunner()) {
+    try {
+      // Don't continue if the certificate path doesn't already exist in the expected location.
+      if (!fs.existsSync(certPath)) {
+        logger.debug(
+          "Certificate path does not exist in the expected location.",
+        );
+        return;
+      }
+
+      // Create a sub-directory for our certificates.
+      const certSubPath = path.join(certPath, "codeql-action");
+      fs.mkdirSync(certSubPath);
+
+      // Write the certificate
+      const certFilePath = path.join(certSubPath, "proxy.crt");
+      fs.writeFileSync(certFilePath, cert);
+
+      // Update the certificates.
+      await runTool("sudo", ["update-ca-certificates"]);
+
+      logger.info(
+        `Successfully installed proxy certificate to ${certFilePath}`,
+      );
+    } catch (e) {
+      logger.info(
+        `Unable to install proxy certificate system-wide: ${getErrorMessage(e)}`,
+      );
+    }
+  }
+}
Author	SHA1	Message	Date
Michael B. Gale	3b4b23a7ad	Install proxy cert on GitHub-hosted Ubuntu runners	2026-01-27 14:02:36 +00:00
Michael B. Gale	766eeaa42e	Add JSDoc and a little extra logging for `startProxy`	2026-01-27 14:02:07 +00:00