From d1b51f05c9feafc343d1b8975c78492225be8aa0 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 23 Oct 2025 13:02:31 +0100 Subject: [PATCH 1/3] Update API permissions warning --- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/upload-sarif-action.js | 2 +- src/feature-flags.ts | 4 ++-- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 7069a73755..f542306c4c 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -91562,7 +91562,7 @@ var GitHubFeatureFlags = class { const httpError = asHTTPError(e); if (httpError?.status === 403) { this.logger.warning( - `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` ); this.hasAccessedRemoteFeatureFlags = false; return {}; diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index a6aaf21db4..55e45109f2 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js 
@@ -80323,7 +80323,7 @@ var GitHubFeatureFlags = class { const httpError = asHTTPError(e); if (httpError?.status === 403) { this.logger.warning( - `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` ); this.hasAccessedRemoteFeatureFlags = false; return {}; diff --git a/lib/init-action-post.js b/lib/init-action-post.js index bb0b377d3b..6e25d41c52 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -129686,7 +129686,7 @@ var GitHubFeatureFlags = class { const httpError = asHTTPError(e); if (httpError?.status === 403) { this.logger.warning( - `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` ); this.hasAccessedRemoteFeatureFlags = false; return {}; 
diff --git a/lib/init-action.js b/lib/init-action.js index cffd583604..8bc286e9b2 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -88988,7 +88988,7 @@ var GitHubFeatureFlags = class { const httpError = asHTTPError(e); if (httpError?.status === 403) { this.logger.warning( - `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` ); this.hasAccessedRemoteFeatureFlags = false; return {}; diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index e6a3b6b5ba..e67adb4ac6 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js 
@@ -86793,7 +86793,7 @@ var GitHubFeatureFlags = class { const httpError = asHTTPError(e); if (httpError?.status === 403) { this.logger.warning( - `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` ); this.hasAccessedRemoteFeatureFlags = false; return {}; diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 73391b6bee..574440a749 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -89736,7 +89736,7 @@ var GitHubFeatureFlags = class { const httpError = asHTTPError(e); if (httpError?.status === 403) { this.logger.warning( - `This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` ); this.hasAccessedRemoteFeatureFlags = false; return {}; 
diff --git a/src/feature-flags.ts b/src/feature-flags.ts
index bf7f7d3d4f..21ba268579 100644
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@@ -666,10 +666,10 @@ class GitHubFeatureFlags {
 const httpError = util.asHTTPError(e);
 if (httpError?.status === 403) {
 this.logger.warning(
- "This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. " +
+ "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
 "As a result, it will not be opted into any experimental features. " +
 "This could be because the Action is running on a pull request from a fork. If not, " +
- `please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}`,
+ `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
 );
 this.hasAccessedRemoteFeatureFlags = false;
 return {};
From e849c567ec05201c767007005b2a0eb820411a90 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale"
Date: Thu, 23 Oct 2025 13:04:06 +0100
Subject: [PATCH 2/3] Update debug message
---
 lib/analyze-action.js | 2 +-
 lib/autobuild-action.js | 2 +-
 lib/init-action-post.js | 2 +-
 lib/init-action.js | 2 +-
 lib/setup-codeql-action.js | 2 +-
 lib/upload-sarif-action.js | 2 +-
 src/feature-flags.ts | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index f542306c4c..0e03bbf263 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -91549,7 +91549,7 @@ var GitHubFeatureFlags = class {
 remoteFlags = { ...remoteFlags, ...chunkFlags };
 }
 this.logger.debug(
- "Loaded the following default values for the feature flags from the Code Scanning API:"
+ "Loaded the following default values for the feature flags from the CodeQL Action API:"
 );
 for (const [feature, value] of Object.entries(remoteFlags).sort(
 ([nameA], [nameB]) => nameA.localeCompare(nameB)
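Review bot: The rewritten warning on the two `+` lines of the src/feature-flags.ts hunk tells users that `security-events: read` is enough for this request, while the retained sentence just before it still attributes the 403 to a pull request from a fork, whose GITHUB_TOKEN already carries read scopes — if read truly suffices the fork explanation no longer fits this endpoint, and if it does not, the new advice will point users at the wrong fix. The scope the feature-flags endpoint actually requires is not visible in this hunk, so please confirm it against the endpoint's documented permission before the wording ships, and record the outcome above the call, e.g. `// TODO(review): confirm the minimum token scope for the feature-flags endpoint; the warning below claims security-events: read`. The third patch in this series emits the same permission sentence from the status-report 403 path as well; hoisting that sentence into one shared exported constant would keep the two claims from drifting, since the generated `lib/*.js` bundles already carry eight verbatim copies. The enclosing method of `GitHubFeatureFlags` starts and ends outside the hunk.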
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 55e45109f2..d8d2101dde 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -80310,7 +80310,7 @@ var GitHubFeatureFlags = class { remoteFlags = { ...remoteFlags, ...chunkFlags }; } this.logger.debug( - "Loaded the following default values for the feature flags from the Code Scanning API:" + "Loaded the following default values for the feature flags from the CodeQL Action API:" ); for (const [feature, value] of Object.entries(remoteFlags).sort( ([nameA], [nameB]) => nameA.localeCompare(nameB) diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 6e25d41c52..9af8999b33 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -129673,7 +129673,7 @@ var GitHubFeatureFlags = class { remoteFlags = { ...remoteFlags, ...chunkFlags }; } this.logger.debug( - "Loaded the following default values for the feature flags from the Code Scanning API:" + "Loaded the following default values for the feature flags from the CodeQL Action API:" ); for (const [feature, value] of Object.entries(remoteFlags).sort( ([nameA], [nameB]) => nameA.localeCompare(nameB) diff --git a/lib/init-action.js b/lib/init-action.js index 8bc286e9b2..691e48b887 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -88975,7 +88975,7 @@ var GitHubFeatureFlags = class { remoteFlags = { ...remoteFlags, ...chunkFlags }; } this.logger.debug( - "Loaded the following default values for the feature flags from the Code Scanning API:" + "Loaded the following default values for the feature flags from the CodeQL Action API:" ); for (const [feature, value] of Object.entries(remoteFlags).sort( ([nameA], [nameB]) => nameA.localeCompare(nameB) diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index e67adb4ac6..05021981c4 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js 
@@ -86780,7 +86780,7 @@ var GitHubFeatureFlags = class { remoteFlags = { ...remoteFlags, ...chunkFlags }; } this.logger.debug( - "Loaded the following default values for the feature flags from the Code Scanning API:" + "Loaded the following default values for the feature flags from the CodeQL Action API:" ); for (const [feature, value] of Object.entries(remoteFlags).sort( ([nameA], [nameB]) => nameA.localeCompare(nameB) diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 574440a749..636afe9d39 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -89723,7 +89723,7 @@ var GitHubFeatureFlags = class { remoteFlags = { ...remoteFlags, ...chunkFlags }; } this.logger.debug( - "Loaded the following default values for the feature flags from the Code Scanning API:" + "Loaded the following default values for the feature flags from the CodeQL Action API:" ); for (const [feature, value] of Object.entries(remoteFlags).sort( ([nameA], [nameB]) => nameA.localeCompare(nameB) diff --git a/src/feature-flags.ts b/src/feature-flags.ts index 21ba268579..068d847273 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts @@ -653,7 +653,7 @@ class GitHubFeatureFlags { } this.logger.debug( - "Loaded the following default values for the feature flags from the Code Scanning API:", + "Loaded the following default values for the feature flags from the CodeQL Action API:", ); for (const [feature, value] of Object.entries(remoteFlags).sort( ([nameA], [nameB]) => nameA.localeCompare(nameB), From 40b4cdd21fa7e43516cf56e07aa86237a1c6eab9 Mon Sep 17 00:00:00 2001 
From: "Michael B. Gale" Date: Thu, 23 Oct 2025 13:10:03 +0100 Subject: [PATCH 3/3] Update status report messages --- lib/analyze-action.js | 12 +++++++----- lib/autobuild-action.js | 12 +++++++----- lib/init-action-post.js | 12 +++++++----- lib/init-action.js | 12 +++++++----- lib/resolve-environment-action.js | 12 +++++++----- lib/setup-codeql-action.js | 12 +++++++----- lib/start-proxy-action.js | 12 +++++++----- lib/upload-sarif-action.js | 12 +++++++----- src/status-report.ts | 16 ++++++++++------ 9 files changed, 66 insertions(+), 46 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 0e03bbf263..f98a421a6f 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -94277,8 +94277,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi return void 0; } } -var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; -var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; +var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`."; +var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`."; async function sendStatusReport(statusReport) { setJobStatusIfUnsuccessful(statusReport.status); const statusReportJSON = JSON.stringify(statusReport); 
@@ -94305,10 +94305,12 @@ async function sendStatusReport(statusReport) { case 403: if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { core12.warning( - `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` + `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` ); } else { - core12.warning(httpError.message); + core12.warning( + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` + ); } return; case 404: @@ -94324,7 +94326,7 @@ async function sendStatusReport(statusReport) { } } core12.warning( - `An unexpected error occurred when sending code scanning status report: ${getErrorMessage( + `An unexpected error occurred when sending a status report: ${getErrorMessage( e )}` ); 
diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index d8d2101dde..73d896cd91 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -81233,8 +81233,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi return void 0; } } -var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; -var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; +var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`."; +var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`."; async function sendStatusReport(statusReport) { setJobStatusIfUnsuccessful(statusReport.status); const statusReportJSON = JSON.stringify(statusReport); 
@@ -81261,10 +81261,12 @@ async function sendStatusReport(statusReport) { case 403: if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { core12.warning( - `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` + `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` ); } else { - core12.warning(httpError.message); + core12.warning( + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` + ); } return; case 404: @@ -81280,7 +81282,7 @@ async function sendStatusReport(statusReport) { } } core12.warning( - `An unexpected error occurred when sending code scanning status report: ${getErrorMessage( + `An unexpected error occurred when sending a status report: ${getErrorMessage( e )}` ); 
diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 9af8999b33..6fdfc28db8 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -131736,8 +131736,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi return void 0; } } -var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; -var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; +var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`."; +var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`."; async function sendStatusReport(statusReport) { setJobStatusIfUnsuccessful(statusReport.status); const statusReportJSON = JSON.stringify(statusReport); 
@@ -131764,10 +131764,12 @@ async function sendStatusReport(statusReport) { case 403: if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { core13.warning( - `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` + `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` ); } else { - core13.warning(httpError.message); + core13.warning( + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` + ); } return; case 404: @@ -131783,7 +131785,7 @@ async function sendStatusReport(statusReport) { } } core13.warning( - `An unexpected error occurred when sending code scanning status report: ${getErrorMessage( + `An unexpected error occurred when sending a status report: ${getErrorMessage( e )}` ); 
diff --git a/lib/init-action.js b/lib/init-action.js index 691e48b887..6e0d9ac2cc 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -91941,8 +91941,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi return void 0; } } -var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; -var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; +var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`."; +var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`."; async function sendStatusReport(statusReport) { setJobStatusIfUnsuccessful(statusReport.status); const statusReportJSON = JSON.stringify(statusReport); 
@@ -91969,10 +91969,12 @@ async function sendStatusReport(statusReport) { case 403: if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { core11.warning( - `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` + `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` ); } else { - core11.warning(httpError.message); + core11.warning( + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` + ); } return; case 404: @@ -91988,7 +91990,7 @@ async function sendStatusReport(statusReport) { } } core11.warning( - `An unexpected error occurred when sending code scanning status report: ${getErrorMessage( + `An unexpected error occurred when sending a status report: ${getErrorMessage( e )}` ); 
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 4538b0e356..18b48974f9 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -80859,8 +80859,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi return void 0; } } -var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; -var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; +var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`."; +var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`."; async function sendStatusReport(statusReport) { setJobStatusIfUnsuccessful(statusReport.status); const statusReportJSON = JSON.stringify(statusReport); 
@@ -80887,10 +80887,12 @@ async function sendStatusReport(statusReport) { case 403: if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { core11.warning( - `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` + `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` ); } else { - core11.warning(httpError.message); + core11.warning( + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` + ); } return; case 404: @@ -80906,7 +80908,7 @@ async function sendStatusReport(statusReport) { } } core11.warning( - `An unexpected error occurred when sending code scanning status report: ${getErrorMessage( + `An unexpected error occurred when sending a status report: ${getErrorMessage( e )}` ); 
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 05021981c4..9777e5333b 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -88750,8 +88750,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi return void 0; } } -var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; -var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; +var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`."; +var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`."; async function sendStatusReport(statusReport) { setJobStatusIfUnsuccessful(statusReport.status); const statusReportJSON = JSON.stringify(statusReport); 
@@ -88778,10 +88778,12 @@ async function sendStatusReport(statusReport) { case 403: if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { core11.warning( - `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` + `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` ); } else { - core11.warning(httpError.message); + core11.warning( + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` + ); } return; case 404: @@ -88797,7 +88799,7 @@ async function sendStatusReport(statusReport) { } } core11.warning( - `An unexpected error occurred when sending code scanning status report: ${getErrorMessage( + `An unexpected error occurred when sending a status report: ${getErrorMessage( e )}` ); 
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 99e294ab1c..9c9c434c3e 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -97005,8 +97005,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi return void 0; } } -var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; -var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; +var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`."; +var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`."; async function sendStatusReport(statusReport) { setJobStatusIfUnsuccessful(statusReport.status); const statusReportJSON = JSON.stringify(statusReport); 
@@ -97033,10 +97033,12 @@ async function sendStatusReport(statusReport) { case 403: if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { core10.warning( - `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` + `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` ); } else { - core10.warning(httpError.message); + core10.warning( + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` + ); } return; case 404: @@ -97052,7 +97054,7 @@ async function sendStatusReport(statusReport) { } } core10.warning( - `An unexpected error occurred when sending code scanning status report: ${getErrorMessage( + `An unexpected error occurred when sending a status report: ${getErrorMessage( e )}` ); 
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 636afe9d39..79d0f16926 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -89987,8 +89987,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi return void 0; } } -var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; -var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; +var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`."; +var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`."; async function sendStatusReport(statusReport) { setJobStatusIfUnsuccessful(statusReport.status); const statusReportJSON = JSON.stringify(statusReport); 
@@ -90015,10 +90015,12 @@ async function sendStatusReport(statusReport) { case 403: if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { core9.warning( - `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` + `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` ); } else { - core9.warning(httpError.message); + core9.warning( + `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}` + ); } return; case 404: @@ -90034,7 +90036,7 @@ async function sendStatusReport(statusReport) { } } core9.warning( - `An unexpected error occurred when sending code scanning status report: ${getErrorMessage( + `An unexpected error occurred when sending a status report: ${getErrorMessage( e )}` ); 
diff --git a/src/status-report.ts b/src/status-report.ts
index b1f1acc715..d43d276bfe 100644
--- a/src/status-report.ts
+++ b/src/status-report.ts
@@ -387,9 +387,9 @@ export async function createStatusReportBase(
 }
 
 const OUT_OF_DATE_MSG =
-  "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+  "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
 const INCOMPATIBLE_MSG =
-  "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
+  "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
 
 /**
  * Send a status report to the code_scanning/analysis/status endpoint.
@@ -439,12 +439,16 @@ export async function sendStatusReport(
       ) {
         core.warning(
           'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
-            "Uploading Code Scanning results requires write access. " +
-            'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+            "Uploading CodeQL results requires write access. " +
+            'To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
             `See ${DocUrl.SCANNING_ON_PUSH} for more information on how to configure these events.`,
         );
       } else {
-        core.warning(httpError.message);
+        core.warning(
+          "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
+            "This could be because the Action is running on a pull request from a fork. If not, " +
+            `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
+        );
       }
       return;
     case 404:
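Review bot: The new generic 403 message in the `else` branch tells the user that `security-events: read` is enough, while the Dependabot branch a few lines above in the same `case 403:` says uploading results requires write access, so the two messages in this hunk give contradictory permission guidance for the same status code. This `sendStatusReport` call posts to the status endpoint named in the doc comment of the first hunk, and I cannot confirm from the diff that a read-scoped token is accepted there; if it is not, users who follow the new advice will still hit a 403. Either confirm the endpoint accepts read and keep the text, or make the wording cover both needs, e.g. `please ensure the workflow has at least the 'security-events: read' permission (uploading results additionally requires 'security-events: write')`. The body of `sendStatusReport` starts before and continues after this hunk.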
@@ -466,7 +470,7 @@ export async function sendStatusReport(
       // something else has gone wrong and the request/response will be logged by octokit
       // it's possible this is a transient error and we should continue scanning
       core.warning(
-        `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
+        `An unexpected error occurred when sending a status report: ${getErrorMessage(
           e,
         )}`,
       );