Revert code-ql-action/upload-sarif #3517

Closed · jsjoeio opened this issue Jun 1, 2021 · 6 comments

jsjoeio (Contributor) commented Jun 1, 2021

Revert #3459

We have a short term workaround thanks to @adityasharad

Short term workaround: please try removing the TAR file /release-images/code-server-amd64-3.10.2.tar (and others like it) from the workspace before running the upload step.

UPDATE: a PR has been merged github/codeql-action#550

So we should be able to re-enable without using the workaround.

jsjoeio added the labels "security" (Security related) and "ci" (Issues related to ci) on Jun 1, 2021
jsjoeio added this to the 3.11.0 milestone on Jun 1, 2021
jsjoeio self-assigned this on Jun 1, 2021
jsjoeio changed the title from "Remove TAR files in /release-images and revert code-ql-action/upload-sarif" to "Revert code-ql-action/upload-sarif" on Jun 7, 2021
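The short-term workaround above (delete the release TAR files from the workspace before the upload step runs) as a `run:` step body, written as an added example here rather than taken from code-server's workflow or from the CodeQL action. The directory name `release-images`, the function names and the constructed temp workspace in the demo are assumptions for illustration; the only thing taken from the thread is the idea of pruning `*.tar` before `github/codeql-action/upload-sarif` executes.

```shell
#!/usr/bin/env sh
# Added example (not code-server's or codeql-action's own code): remove the
# release tarballs from the workspace before the upload-sarif step, which is
# the workaround described in this issue. Directory name is an assumption.

# prune_tarballs DIR
# Deletes regular *.tar files directly under DIR (not recursive) and prints
# each path removed. Returns non-zero if DIR does not exist so a typo in the
# workflow fails the job loudly instead of silently leaving the tarballs in
# place for the upload step to trip over.
prune_tarballs() {
    dir="${1:-release-images}"
    if [ ! -d "$dir" ]; then
        echo "prune_tarballs: no such directory: $dir" >&2
        return 1
    fi
    for f in "$dir"/*.tar; do
        # When nothing matches, the glob stays literal; skip that case.
        [ -f "$f" ] || continue
        rm -f -- "$f"
        echo "removed $f"
    done
}

# count_tarballs DIR
# Prints the number of *.tar files left under DIR, so a later step can check
# the workspace is clean before SARIF upload.
count_tarballs() {
    dir="${1:-release-images}"
    n=0
    for f in "$dir"/*.tar; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demo on a constructed workspace (not real build output).
demo() {
    ws="$(mktemp -d)"
    mkdir -p "$ws/release-images"
    : > "$ws/release-images/code-server-amd64-3.10.2.tar"
    : > "$ws/release-images/code-server-arm64-3.10.2.tar"
    : > "$ws/release-images/Dockerfile"
    prune_tarballs "$ws/release-images"
    echo "tarballs remaining: $(count_tarballs "$ws/release-images")"
    rm -rf "$ws"
}

demo
```

In a workflow this would sit as its own `run:` step between the build step that produces the images and the `uses: github/codeql-action/upload-sarif@v1` step; because the action is pinned to `@v1` rather than `main`, the workaround is what keeps the job green until the fixed action reaches the `v1` tag.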
edoardopirovano commented

Note that my PR has been merged in the main branch of the CodeQL action while your workflow is using @v1. So, it will be a little bit longer before the fix reaches you (we usually release to v1 every week or two).

jsjoeio (Contributor, author) commented Jun 7, 2021

Ah...good to know. Thanks for pointing that out @edoardopirovano 👍🏼

jsjoeio (Contributor, author) commented Jun 22, 2021

Looks like there is a new release out, so I think this is fine to upgrade: https://github.com/github/codeql-action/releases/tag/codeql-bundle-20210622

edoardopirovano commented

> Looks like there is a new release out, so I think this is fine to upgrade: https://github.com/github/codeql-action/releases/tag/codeql-bundle-20210622

Almost! The CodeQL Action that your workflow is running still hasn't been bumped to use the latest version, that should happen once this PR is merged later today:

github/codeql-action#585

Once that's merged you should be all good to go ahead with this 🙂

jsjoeio (Contributor, author) commented Jun 23, 2021

Ahh... Got it. Guess the release notification was a false alarm!

Thanks for the heads-up and linking the PR 😄

jsjoeio (Contributor, author) commented Jul 7, 2021

The GitHub Action side is fixed but now it seems like there's an issue on the trivy side (see aquasecurity/trivy#1080).

I looked into reverting this in #3727 but it seems like it's more work than it's worth at this time. I will revisit later (hoping that the upstream trivy issue is fixed).

If this gets revisited, and the upstream issue isn't fixed, we can look into uploading the Docker image per PR to the GitHub Container Registry. Some resources:
