Tags: github-actions, codeql

Running CodeQL Action always looks for the latest CLI version


I have a CodeQL CLI bundle (v2.13.5) stored on an on-prem Artifactory repository. I want to fetch this, store it using the tool-cache action and then run the CodeQL action on GitHub Actions.

I have the following code to fetch the bundle which works fine:

const core = require("@actions/core");
const tc = require("@actions/tool-cache");

const artifactoryUrl = `https://example.com/repository_name/CodeQL_2.13.5/codeql-bundle-linux64.tar.gz`;

async function run() {
  // Reuse the bundle if an earlier run already placed 2.13.5 in the tool cache.
  const codeQLDirectory = tc.find("CodeQL", "2.13.5");

  if (!codeQLDirectory) {
    // Artifactory credentials are supplied through the step's environment.
    let userId = process.env["USER_ID"];
    let pass = process.env["PWD"];
    let authentication = `${userId}:${pass}`;
    let encodedAuthentication = btoa(authentication);

    // downloadTool(url, dest, auth): dest is left undefined so a temp path is used.
    const downloadPath = await tc.downloadTool(
      artifactoryUrl,
      undefined,
      `Basic ${encodedAuthentication}`,
    );
    const extractedFolder = await tc.extractTar(
      downloadPath,
      "codeql-bundle-linux64",
    );
    // Store the extracted bundle under <toolcache>/CodeQL/2.13.5/x64.
    const cachedPath = await tc.cacheDir(
      extractedFolder,
      "CodeQL",
      "2.13.5",
      "x64",
    );
    core.addPath(cachedPath);
  }
}

run().catch((err) => core.setFailed(err.message));

I then call the CodeQL action with the following:

- name: 'CodeQL init'
  uses: GitHub/codeql-action/init@v2
  with:
    ram: 5120
    queries: security-extended

When running this on GitHub I see the following in the debug logs:

Setup CodeQL tools
  ##[debug]Attempting to obtain CodeQL tools. CLI version: 2.16.3, bundle tag name: unknown, URL: unspecified.
  ##[debug]isExplicit: 2.16.3
  ##[debug]explicit? true
  ##[debug]checking cache: /home/runner/_work/_tool/CodeQL/2.16.3/x64
  ##[debug]not found
  ##[debug]Didn't find a version of the CodeQL tools in the toolcache with a version number exactly matching 2.16.3.
  ##[debug]isExplicit: 2.13.5
  ##[debug]explicit? true
  ##[debug]Found the following versions of the CodeQL tools in the toolcache: ["2.13.5"].
  ##[debug]Didn't find any versions of the CodeQL tools starting with 2.16.3 in the toolcache. Trying next fallback method.
  ##[debug]Fetching CodeQL CLI version and CodeQL bundle tag name information for releases of the CodeQL tools.
  Error: HttpError: Not Found
  Error: Unable to download and extract CodeQL CLI
  Error: Unable to download and extract CodeQL CLI

CodeQL seems to check for the latest version (2.16.3 at the time of writing), check the tool cache, recognize that 2.13.5 is there, but ignore it. Is there a way to specify a version to use?


Solution

  • Looking at the log references in the source code, it seems like the cliVersion variable is evaluated to 2.16.3, and it is also trying to look for exactly that version here in the toolcache.

    How about you specify the exact CodeQL CLI version in the action itself using the tools parameter? Looking at the code, the following might make the action look for your desired toolcache version:

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3.22.12
      with:
        languages: swift
        queries: security-and-quality
        tools: https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.13.5/codeql-bundle-linux64.tar.gz
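The answer's public-release URL will not work for a bundle that only exists on an internal Artifactory, so here is an added workflow example (not from the question or the answer) that fetches the pinned 2.13.5 bundle with Basic auth and hands the local tarball to the `tools` input, which the codeql-action source also accepts as a local path. The secret names, the `analyze` job name and the example.com URL are assumptions.

```yaml
# Added example: pin CodeQL to an internal 2.13.5 bundle instead of letting
# init resolve its default (latest) CLI version against the tool cache.
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required for analyze to upload results

    steps:
      - uses: actions/checkout@v4

      - name: Fetch pinned CodeQL bundle from Artifactory
        env:
          ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}   # assumed secret name
          ARTIFACTORY_PASS: ${{ secrets.ARTIFACTORY_PASS }}   # assumed secret name
        run: |
          set -euo pipefail
          # Pass credentials via a netrc file rather than -u so they never
          # appear in the process list or the step's command echo.
          printf 'machine example.com login %s password %s\n' \
            "$ARTIFACTORY_USER" "$ARTIFACTORY_PASS" > "$RUNNER_TEMP/.netrc"
          chmod 600 "$RUNNER_TEMP/.netrc"
          curl --fail --silent --show-error --netrc-file "$RUNNER_TEMP/.netrc" \
            -o "$RUNNER_TEMP/codeql-bundle-linux64.tar.gz" \
            "https://example.com/repository_name/CodeQL_2.13.5/codeql-bundle-linux64.tar.gz"
          rm -f "$RUNNER_TEMP/.netrc"

      - name: CodeQL init
        uses: github/codeql-action/init@v3
        with:
          # Local tarball path: init extracts exactly this CLI and skips the
          # "latest version vs. tool cache" lookup seen in the debug log.
          tools: ${{ runner.temp }}/codeql-bundle-linux64.tar.gz
          ram: 5120
          queries: security-extended

      - name: CodeQL analyze
        uses: github/codeql-action/analyze@v3
```

Because the bundle is given as a local file, init unpacks it on every run rather than reading it from the tool cache; if that cost matters, keep the tool-cache step from the question and point `tools` at the tarball it downloads.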