SDPLAT-26671: use GH_APP for GitHub REST API (#160)

* SDPLAT-26671: use GH_APP for GitHub REST API * fixup YAML for codeql * adjust CodeQL upload language * upload CodeQL results as curl file workaround Argument list too long * use jq to prepare SARIF upload
Skyscanner · Feb 25, 2025 · dc76821 · dc76821
1 parent c248c23
commit dc76821
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -26,16 +26,53 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Autobuild
         uses: github/codeql-action/autobuild@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{ matrix.language }}"
+          token: ${{ steps.app-token.outputs.token }}
+          upload: never
+
+      # Workaround for parallel GitHub bugs
+      # * Can't use GHA token with IP allowlisting
+      #   https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list
+      # * Can't use codeql-action/analyze with custom token
+      #   https://support.github.com/ticket/enterprise/3427/3214517
+      - name: Prepare for CodeQL Upload
+        run: |
+          echo '{"commit_sha": "${{ github.sha }}", "ref": "${{ github.ref }}"}' > ./codeql-upload.json
+
+      - name: Gzip CodeQL SARIF Result
+        run: |
+          gzip -c ../results/${{ matrix.language }}.sarif | base64 -w0 > codeql-results.sarif.gz.base64
+    
+      - name: Staple SARIF result to CodeQL upload
+        run: |
+          jq --rawfile sarif codeql-results.sarif.gz.base64 '.sarif = $sarif' codeql-upload.json > codeql-upload-with-sarif.json
+
+      - name: Upload CodeQL Results
+        run: |
+          curl --fail-with-body \
+            -X POST \
+            -H "Authorization: token ${{ steps.app-token.outputs.token }}" \
+            -H "Accept: application/vnd.github.v3+json" \
+            --data "@codeql-upload-with-sarif.json" \
+            https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -27,6 +27,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "master"
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+
       - uses: release-drafter/release-drafter@v6
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}