Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HttpError: Not Found when attempting to reference private pack #2397

Open
MichaelBlake-gingerio opened this issue Jul 29, 2024 · 6 comments
Open

Comments

@MichaelBlake-gingerio
Copy link

We're trying to reference a private CodeQL pack when running init. When this runs in Github actions, we get HttpError: Not Found.

name: "SAST Scans"

on:
  push:
    branches: ["master", "main"]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["master", "main"]
  schedule:
    - cron: "0 */12 * * *"

jobs:
  codeql-analysis:
    name: code-scanning
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: ["python", "javascript"]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          packs: companyname/python-queries
          token: ${{ secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN }}
          debug: true

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"
  • I've verified that we can download the pack by using codeql package download companyname/python-queries --github-auth-stdin and supply the value of secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN.
  • I've verified that CUSTOM_CODEQL_SCAN_GITHUB_TOKEN exists as an organization secret.
  • I've verified that this repo has access to the published package in the organization settings.
  • I've verified that the codeql scan runs fine when I remove the custom package reference.

Is there anything I'm missing or is there a bug with the init script? I'm having trouble finding any documentation around referencing private packs for CodeQL Github actions.

Thank you.

@aeisenberg
Copy link
Contributor

Apologies that the docs are unclear. Here is the information you are looking for. You need to set the GITHUB_TOKEN environment variable to the secret.

@MichaelBlake-gingerio
Copy link
Author

Hi @aeisenberg

Thank you for the quick reply. We already have GITHUB_TOKEN set to a secret. Do we need to replace that secret with a secret that has read:packages permission as well? I thought it'd be possible to supply a different token for pulling down the package.

Thanks!

@aeisenberg
Copy link
Contributor

Apologies. I was mistaken. Using the token input should work as well. So, I'm not sure what is happening here. Would you be able to share your full debug logs?

Also (unrelated), the autobuild step is not necessary since neither of your scanned languages require a build.

@MichaelBlake-gingerio
Copy link
Author

@aeisenberg

Thank you. That's helpful to know. Here's the full debug log...

##[debug]Evaluating condition for step: 'Initialize CodeQL'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Initialize CodeQL
##[debug]Register post job cleanup for action: github/codeql-action/init@v3
##[debug]Loading inputs
##[debug]Evaluating: matrix.language
##[debug]Evaluating Index:
##[debug]..Evaluating matrix:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'language'
##[debug]=> 'python'
##[debug]Result: 'python'
##[debug]Evaluating: secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'CUSTOM_CODEQL_SCAN_GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: toJson(matrix)
##[debug]Evaluating toJson:
##[debug]..Evaluating matrix:
##[debug]..=> Object
##[debug]=> '{
##[debug]  "language": "python"
##[debug]}'
##[debug]Result: '{
##[debug]  "language": "python"
##[debug]}'
##[debug]Loading env
Run github/codeql-action/init@v3
  with:
    languages: python
    packs: redacted/python-queries@0.0.1
    token: ***
    debug: true
    matrix: {
    "language": "python"
  }
Warning: Caught an exception while gathering information for telemetry: HttpError: Not Found. Will skip sending status report.
Error: Encountered an error while trying to determine feature enablement: HttpError: Not Found
Warning: Caught an exception while gathering information for telemetry: HttpError: Not Found. Will skip sending status report.
##[debug]Node Action run completed with exit code 1
##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
##[debug]CODEQL_ACTION_VERSION='3.[2](https://github.com/Redacted/Redacted/actions/runs/10116045020/job/28126259083#step:3:2)5.15'
##[debug]JOB_RUN_UUID='dc2ed5fb-c226-4a42-901b-d9dc772a2[3](https://github.com/Redacted/Redacted/actions/runs/10116045020/job/28126259083#step:3:3)4d'
##[debug]CODEQL_ACTION_INIT_HAS_RUN='true'
##[debug]Finishing: Initialize CodeQL

@aeisenberg
Copy link
Contributor

Thanks for this. The logs are showing that the error is not happening due to package downloads at all. It's due to not being able to access the endpoint that exposes feature flags. This is a different kind of permissions problem. I'm guessing that the token you are using in the CUSTOM_CODEQL_SCAN_GITHUB_TOKEN has a very restricted set of permissions. I'll have to get back to you on exactly which permissions are required, but you can try by changing the set of permissions so that they match the permissions you have in the workflow. Eg-

    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write

@MichaelBlake-gingerio
Copy link
Author

That makes perfect sense. I'll try that out. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants