HttpError: Not Found when attempting to reference private pack #2397

Open
MichaelBlake-gingerio opened this issue Jul 29, 2024 · 6 comments

@MichaelBlake-gingerio

We're trying to reference a private CodeQL pack when running init. When this runs in GitHub Actions, we get HttpError: Not Found.

name: "SAST Scans"

on:
  push:
    branches: ["master", "main"]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["master", "main"]
  schedule:
    - cron: "0 */12 * * *"

jobs:
  codeql-analysis:
    name: code-scanning
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: ["python", "javascript"]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          packs: companyname/python-queries
          token: ${{ secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN }}
          debug: true

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"

  • I've verified that we can download the pack by using codeql package download companyname/python-queries --github-auth-stdin and supply the value of secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN.
  • I've verified that CUSTOM_CODEQL_SCAN_GITHUB_TOKEN exists as an organization secret.
  • I've verified that this repo has access to the published package in the organization settings.
  • I've verified that the codeql scan runs fine when I remove the custom package reference.

Is there anything I'm missing or is there a bug with the init script? I'm having trouble finding any documentation around referencing private packs for CodeQL GitHub Actions.

Thank you.

@aeisenberg
Contributor

Apologies that the docs are unclear. Here is the information you are looking for. You need to set the GITHUB_TOKEN environment variable to the secret.

@MichaelBlake-gingerio
Author

Hi @aeisenberg

Thank you for the quick reply. We already have GITHUB_TOKEN set to a secret. Do we need to replace that secret with a secret that has read:packages permission as well? I thought it'd be possible to supply a different token for pulling down the package.

Thanks!

@aeisenberg
Contributor

Apologies. I was mistaken. Using the token input should work as well. So, I'm not sure what is happening here. Would you be able to share your full debug logs?

Also (unrelated), the autobuild step is not necessary since neither of your scanned languages require a build.

@MichaelBlake-gingerio
Author

@aeisenberg

Thank you. That's helpful to know. Here's the full debug log...

##[debug]Evaluating condition for step: 'Initialize CodeQL'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Initialize CodeQL
##[debug]Register post job cleanup for action: github/codeql-action/init@v3
##[debug]Loading inputs
##[debug]Evaluating: matrix.language
##[debug]Evaluating Index:
##[debug]..Evaluating matrix:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'language'
##[debug]=> 'python'
##[debug]Result: 'python'
##[debug]Evaluating: secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'CUSTOM_CODEQL_SCAN_GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: toJson(matrix)
##[debug]Evaluating toJson:
##[debug]..Evaluating matrix:
##[debug]..=> Object
##[debug]=> '{
##[debug]  "language": "python"
##[debug]}'
##[debug]Result: '{
##[debug]  "language": "python"
##[debug]}'
##[debug]Loading env
Run github/codeql-action/init@v3
  with:
    languages: python
    packs: redacted/python-queries@0.0.1
    token: ***
    debug: true
    matrix: {
    "language": "python"
  }
Warning: Caught an exception while gathering information for telemetry: HttpError: Not Found. Will skip sending status report.
Error: Encountered an error while trying to determine feature enablement: HttpError: Not Found
Warning: Caught an exception while gathering information for telemetry: HttpError: Not Found. Will skip sending status report.
##[debug]Node Action run completed with exit code 1
##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
##[debug]CODEQL_ACTION_VERSION='3.25.15'
##[debug]JOB_RUN_UUID='dc2ed5fb-c226-4a42-901b-d9dc772a234d'
##[debug]CODEQL_ACTION_INIT_HAS_RUN='true'
##[debug]Finishing: Initialize CodeQL

@aeisenberg
Contributor

Thanks for this. The logs are showing that the error is not happening due to package downloads at all. It's due to not being able to access the endpoint that exposes feature flags. This is a different kind of permissions problem. I'm guessing that the token you are using in the CUSTOM_CODEQL_SCAN_GITHUB_TOKEN has a very restricted set of permissions. I'll have to get back to you on exactly which permissions are required, but you can try by changing the set of permissions so that they match the permissions you have in the workflow. E.g.:

    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write
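
Added example, not part of the thread or of the codeql-action code base: a small Python triage of the `init` step log that reports which stage raised the `HttpError`, confirming the failure is at feature enablement and not at the pack download. The sample log is constructed from lines posted in this thread; the stage labels (`feature-flags`, `telemetry`) and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: lines abridged from the debug log posted in this thread.
SAMPLE_LOG = """\
##[debug]Starting: Initialize CodeQL
Run github/codeql-action/init@v3
  with:
    languages: python
    packs: redacted/python-queries@0.0.1
    token: ***
    debug: true
Warning: Caught an exception while gathering information for telemetry: HttpError: Not Found. Will skip sending status report.
Error: Encountered an error while trying to determine feature enablement: HttpError: Not Found
"""

# Message fragments from this thread's log -> stage label (labels are hypothetical).
STAGES = {"determine feature enablement": "feature-flags",
          "gathering information for telemetry": "telemetry"}
INPUT = re.compile(r"^\s{4}([\w-]+): (.*)$")
ANNOTATION = re.compile(r"^(Error|Warning): (.*)$")
HTTP_ERROR = re.compile(r"HttpError: ([^.]+)")

def triage(log_text):
    """Collect the step's `with:` inputs and its Error/Warning annotations."""
    inputs, findings, in_with = {}, [], False
    for raw in log_text.splitlines():
        is_debug = raw.startswith("##[debug]")
        line = raw[len("##[debug]"):] if is_debug else raw
        if not is_debug and line.strip() == "with:":
            in_with = True
            continue
        if in_with:
            m = None if is_debug else INPUT.match(line)
            if m:
                inputs[m.group(1)] = m.group(2)
                continue
            in_with = False  # first non-input line ends the "with:" block
        if (m := ANNOTATION.match(line)):
            stage = next((s for frag, s in STAGES.items() if frag in m.group(2)), "unknown")
            err = HTTP_ERROR.search(m.group(2))
            findings.append((m.group(1), stage, err.group(1) if err else None))
    return inputs, findings

def diagnose(log_text):
    """Summarise which stage produced the fatal (Error-level) annotation."""
    inputs, findings = triage(log_text)
    fatal = next((f for f in findings if f[0] == "Error"), (None, None, None))
    return {"failed_stage": fatal[1], "http_error": fatal[2],
            "packs_requested": inputs.get("packs"),
            "token_masked": inputs.get("token") == "***"}
```

Calling `diagnose(SAMPLE_LOG)` reports `feature-flags` as the failed stage; a message that matches neither fragment is labelled `unknown` and should be read by hand.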

@MichaelBlake-gingerio
Author

That makes perfect sense. I'll try that out. Thanks!
