From 51971d1c4bb6bc4cf071baac4a67ad056e1bedb4 Mon Sep 17 00:00:00 2001 From: Alex Croteau Date: Mon, 24 Jan 2022 14:14:01 -0500 Subject: [PATCH] Adds ref and SHA as inputs, and sarif-id as output --- CHANGELOG.md | 3 ++- analyze/action.yml | 8 ++++++++ src/actions-util.test.ts | 18 ++++++++++++++++++ src/actions-util.ts | 17 ++++++++++++----- src/analyze-action.ts | 1 + src/upload-sarif-action.ts | 1 + upload-sarif/action.yml | 9 +++++++++ 7 files changed, 51 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e41de411a..760fc9e9e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,8 @@ ## [UNRELEASED] -No user facing changes. +- Add sarif-id as an output for upload-sarif action and analyze action (if uploading) +- Accept ref and hash as inputs to override the ones provided by the runner ## 1.0.30 - 24 Jan 2022 diff --git a/analyze/action.yml b/analyze/action.yml index 50c8b3d311..688b4b718c 100644 --- a/analyze/action.yml +++ b/analyze/action.yml @@ -45,6 +45,12 @@ inputs: description: "The path at which the analyzed repository was checked out. Used to relativize any absolute paths in the uploaded SARIF file." required: false default: ${{ github.workspace }} + ref: + description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable." + required: false + sha: + description: "The hash of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable." + required: false category: description: String used by Code Scanning for matching the analyses required: false @@ -63,6 +69,8 @@ inputs: outputs: db-locations: description: A map from language to absolute path for each database created by CodeQL. + sarif-id: + description: The ID of the uploaded sarif file. runs: using: "node12" main: "../lib/analyze-action.js" diff --git a/src/actions-util.test.ts b/src/actions-util.test.ts index 2eb2425dda..5b835abec1 100644 
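Review bot: The descriptions of the new `ref` and `sha` inputs in analyze/action.yml do not say what form the values take or that the two belong together, although these inputs decide which ref and commit the uploaded results are attributed to. I would extend them along the lines of `description: "The ref where results will be uploaded, in the form refs/heads/<branch> or refs/pull/<number>/merge. Should be set together with sha. If not provided, the Action will use the GITHUB_REF environment variable."`, with a matching sentence on `sha` stating that it is the full commit SHA. It is also worth stating that a workflow should not build these values from event fields it does not control. The same text is added to upload-sarif/action.yml and needs the same wording.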
--- a/src/actions-util.test.ts +++ b/src/actions-util.test.ts @@ -65,6 +65,24 @@ test("getRef() returns head PR ref if GITHUB_REF no longer checked out", async ( callback.restore(); }); +test("getRef() returns ref provided as an input and ignores current HEAD", async (t) => { + const getAdditionalInputStub = sinon.stub(actionsutil, "getOptionalInput"); + getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge"); + getAdditionalInputStub.withArgs("sha").resolves("b".repeat(40)); + + // These values are be ignored + process.env["GITHUB_REF"] = "refs/pull/1/merge"; + process.env["GITHUB_SHA"] = "a".repeat(40); + + const callback = sinon.stub(actionsutil, "getCommitOid"); + callback.withArgs("refs/pull/1/merge").resolves("b".repeat(40)); + callback.withArgs("HEAD").resolves("b".repeat(40)); + + const actualRef = await actionsutil.getRef(); + t.deepEqual(actualRef, "refs/pull/2/head"); + callback.restore(); +}); + test("computeAutomationID()", async (t) => { let actualAutomationID = actionsutil.computeAutomationID( ".github/workflows/codeql-analysis.yml:analyze", diff --git a/src/actions-util.ts b/src/actions-util.ts index cb09bb5a10..52c1f8d122 100644 --- a/src/actions-util.ts +++ b/src/actions-util.ts @@ -83,10 +83,10 @@ export const getCommitOid = async function (ref = "HEAD"): Promise { return commitOid.trim(); } catch (e) { core.info( - `Failed to call git to get current commit. Continuing with data from environment: ${e}` + `Failed to call git to get current commit. Continuing with data from environment or input: ${e}` ); core.info((e as Error).stack || "NO STACK"); - return getRequiredEnvParam("GITHUB_SHA"); + return getOptionalInput("sha") || getRequiredEnvParam("GITHUB_SHA"); } }; 
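Review bot: The new test asserts `refs/pull/2/head`, but the `getRef()` change in this same patch returns the `ref` input unchanged, so with the stubbed input `refs/pull/2/merge` the expectation does not match; I would assert `t.deepEqual(actualRef, "refs/pull/2/merge");`. The patched code uses `getOptionalInput` synchronously (`getOptionalInput("sha") || ...`), so both stubs should use `.returns(...)` rather than `.resolves(...)`, which hands back a Promise. The `getOptionalInput` stub is never restored; add `getAdditionalInputStub.restore();` next to `callback.restore();` so it does not leak into later tests. Whether stubbing the export intercepts the module-internal call at all depends on how `getOptionalInput` is declared, which is not visible here. The comment `// These values are be ignored` should read `// These values are ignored`.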
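Review bot: The `sha` input is returned from the `getCommitOid` fallback as a commit OID without any check of its shape, and the same `getOptionalInput("sha") || …` expression is repeated in `getRef()` and `createStatusReportBase()` in the later hunks of this file. Since the value appears to name the commit that results and status reports are recorded against, I would read it through one helper that rejects anything other than a full hex object ID, e.g. `if (!/^[0-9a-f]{40}$/i.test(sha)) throw new Error("sha input must be a 40-character commit SHA");`. The body of `getCommitOid` starts outside the hunk, so the `try` side of this fallback is not reviewed here.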
@@ -431,8 +431,15 @@ export function computeAutomationID( export async function getRef(): Promise { // Will be in the form "refs/heads/master" on a push event // or in the form "refs/pull/N/merge" on a pull_request event - const ref = getRequiredEnvParam("GITHUB_REF"); - const sha = getRequiredEnvParam("GITHUB_SHA"); + const refInput = getOptionalInput("ref"); + const ref = refInput || getRequiredEnvParam("GITHUB_REF"); + const sha = getOptionalInput("sha") || getRequiredEnvParam("GITHUB_SHA"); + + // If the ref is a user-provided input, we have to skip logic + // and assume that it is really where they want to upload the results. + if (refInput) { + return refInput; + } // For pull request refs we want to detect whether the workflow // has run `git checkout HEAD^2` to analyze the 'head' ref rather @@ -520,7 +527,7 @@ export async function createStatusReportBase( cause?: string, exception?: string ): Promise { - const commitOid = process.env["GITHUB_SHA"] || ""; + const commitOid = getOptionalInput("sha") || process.env["GITHUB_SHA"] || ""; const ref = await getRef(); const workflowRunIDStr = process.env["GITHUB_RUN_ID"]; let workflowRunID = -1; diff --git a/src/analyze-action.ts b/src/analyze-action.ts index 5122f9ca3e..1132b06783 100644 --- a/src/analyze-action.ts +++ b/src/analyze-action.ts @@ -193,6 +193,7 @@ async function run() { apiDetails, logger ); + core.setOutput('sarif-id'); } else { logger.info("Not uploading results"); } diff --git a/src/upload-sarif-action.ts b/src/upload-sarif-action.ts index 4e112849e4..712db4b5e8 100644 --- a/src/upload-sarif-action.ts +++ b/src/upload-sarif-action.ts @@ -63,6 +63,7 @@ async function run() { apiDetails, getActionsLogger() ); + core.setOutput('sarif-id'); if (actionsUtil.getRequiredInput("wait-for-processing") === "true") { await upload_lib.waitForProcessing( parseRepositoryNwo(getRequiredEnvParam("GITHUB_REPOSITORY")), 
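Review bot: In `getRef()`, `ref` and `sha` are read independently, so a workflow that sets only one of them gets a mixed pair: with only `ref`, the early return reports the override ref while the SHA lookups still fall back to `GITHUB_SHA`, and with only `sha`, the override is presumably what the pull-request detection below compares against the checked-out HEAD. I would read the SHA input into a local `shaInput` and fail fast with `if (Boolean(refInput) !== Boolean(shaInput)) throw new Error("Both 'ref' and 'sha' are required if one of them is provided.");`. The `sha` constant is computed before the early return and is unused on that path, so the `if (refInput)` return can move above it. The comment `we have to skip logic` would be clearer as `// A ref supplied as an input is used as-is; the pull-request head/merge detection below is skipped.` The rest of `getRef` lies outside the hunk.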
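Review bot: `core.setOutput('sarif-id');` in src/analyze-action.ts passes no value, so the `sarif-id` output declared in action.yml never carries an ID; `setOutput` in @actions/core takes a name and a value, so this call should not type-check either. The ID presumably has to come from the result of the upload call whose arguments end just above: assign that result to a local and call `core.setOutput("sarif-id", <id from the upload result>);`. The same one-argument call is added in src/upload-sarif-action.ts and needs the same fix. The visible strings in these files use double quotes, so the new calls should as well.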
diff --git a/upload-sarif/action.yml b/upload-sarif/action.yml index 3f26f099b7..1034771564 100644 --- a/upload-sarif/action.yml +++ b/upload-sarif/action.yml @@ -13,6 +13,12 @@ inputs: description: "The path at which the analyzed repository was checked out. Used to relativize any absolute paths in the uploaded SARIF file." required: false default: ${{ github.workspace }} + ref: + description: "The ref where results will be uploaded. If not provided, the Action will use the GITHUB_REF environment variable." + required: false + sha: + description: "The hash of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable." + required: false token: default: ${{ github.token }} matrix: @@ -24,6 +30,9 @@ inputs: description: If true, the Action will wait for the uploaded SARIF to be processed before completing. required: true default: "false" +outputs: + sarif-id: + description: The ID of the uploaded sarif file. runs: using: 'node12' main: '../lib/upload-sarif-action.js'