
Cleanup of CodeQL workflow #10308

Merged
merged 2 commits into from
Dec 24, 2021

Conversation

paulcacheux
Contributor

@paulcacheux paulcacheux commented Dec 21, 2021

What does this PR do?

The CodeQL jobs are generating a lot of noise especially when you list all commits from the main branch (https://github.com/DataDog/datadog-agent/commits/main).
Here, for example, we only see failing commits because of the CodeQL results, which fail to understand that main is the default branch and try to compare with master, which is not evaluated.

Looking at the logs, I saw:

fatal: not a git repository (or any of the parent directories): .git
Failed to call git to get current commit. Continuing with data from environment: Error: The process '/bin/git' failed with exit code 128
Error: The process '/bin/git' failed with exit code 128
    at ExecState._setResult (/home/runner/work/_actions/github/codeql-action/v1/node_modules/@actions/exec/lib/toolrunner.js:592:25)
    at ExecState.CheckComplete (/home/runner/work/_actions/github/codeql-action/v1/node_modules/@actions/exec/lib/toolrunner.js:575:18)
    at ChildProcess.<anonymous> (/home/runner/work/_actions/github/codeql-action/v1/node_modules/@actions/exec/lib/toolrunner.js:469:27)
    at ChildProcess.emit (events.js:210:5)
    at maybeClose (internal/child_process.js:1021:16)
    at Socket.<anonymous> (internal/child_process.js:430:11)
    at Socket.emit (events.js:210:5)
    at Pipe.<anonymous> (net.js:659:12)

I believe codeql is confused by the complexity of the path used in the workflow and fails to fetch the current/base commit refs.

This PR tries to reduce this complexity by removing references to the useless GOPATH or go/src/github.com/... layout. This is possible since the agent is Go 1.11 module-aware and thus doesn't require this setup.

It is of course impossible to guarantee that this will do what it should, in the pure tradition of github actions.

Motivation

Additional Notes

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

Reviewer's Checklist

  • If known, an appropriate milestone has been selected; otherwise the Triage milestone is set.
  • The appropriate team/.. label has been applied, if known.
  • A release note has been added or the changelog/no-changelog label has been applied.
  • Changed code has automated tests for its functionality.
  • Adequate QA/testing plan information is provided if the qa/skip-qa label is not applied.
  • If applicable, docs team has been notified or an issue has been opened on the documentation repo.
  • If applicable, the need-change/operator and need-change/helm labels have been applied.
  • If applicable, the config template has been updated.

@paulcacheux paulcacheux marked this pull request as ready for review December 21, 2021 15:14
@paulcacheux paulcacheux requested a review from a team as a code owner December 21, 2021 15:14
@mx-psi mx-psi requested a review from ganeshkumarsv December 21, 2021 15:16
Contributor

@ganeshkumarsv ganeshkumarsv left a comment


LGTM! I'd like to have one more review from @stephengroat-dd

Contributor

@stephengroat-dd stephengroat-dd left a comment


lgtm, slight ask to add the go modules cache if we're making a change (sorry for the multiple user names, was performing some testing)

@@ -20,47 +20,41 @@ jobs:
uses: actions/checkout@v2
with:
fetch-depth: 0
path: go/src/github.com/DataDog/datadog-agent
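Review bot: the `path: go/src/github.com/DataDog/datadog-agent` on this checkout step is the setting the PR description blames for `fatal: not a git repository`: with the repository nested under the workspace, any step that runs `git` from `$GITHUB_WORKSPACE` (the CodeQL action included) finds no `.git` there and silently falls back to environment data, which is how the wrong base branch ends up being compared. Dropping `path:` is the right fix for a module-aware Go build, but every other step in this job that used a `working-directory:` of that path or set `GOPATH` to match must be changed in the same hunk, otherwise they fail for the opposite reason. Separately, `uses: actions/checkout@v2` resolves a mutable tag; pinning to a full commit SHA (with the tag kept in a trailing comment) keeps a moved or compromised tag from changing what runs in a job that uploads code-scanning results.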

Contributor Author


Hello! I think this is a good idea and should absolutely be done (even for Python deps). But currently the go dependencies are downloaded between the codeql init and the codeql analyse steps, which means that there is a possibility that they are analysed by CodeQL. I believe this warrants a separate PR to ensure that we are still getting the same amount of security findings.
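The two points raised in this thread, the nested `path:` checkout that breaks the action's `git` calls and the question of where dependency downloads sit relative to `codeql-action/init`, are easier to see side by side in a minimal workflow. The following is an added illustration, not the datadog-agent workflow touched by this PR: the job and step names, the `setup-go` version, the `permissions` block and the `go mod download` step are assumptions, and only the checkout and CodeQL steps correspond to what the thread discusses.

```yaml
# Hypothetical minimal CodeQL workflow (added example, not the workflow from
# this PR). Step names, Go version and permissions are assumptions.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the tree and upload SARIF.
    permissions:
      contents: read
      security-events: write

    steps:
      # Before this PR the checkout used
      #   path: go/src/github.com/DataDog/datadog-agent
      # which nests the repository under the workspace. The CodeQL action
      # then runs `git` from $GITHUB_WORKSPACE, sees no .git there, logs
      # "fatal: not a git repository" and falls back to environment data,
      # which is how the wrong base branch gets compared.
      # A module-aware Go build does not need the GOPATH-shaped directory,
      # so checking out at the workspace root is enough.
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - uses: actions/setup-go@v2
        with:
          go-version: '1.17'   # assumption; pick the version the project builds with

      - uses: github/codeql-action/init@v1
        with:
          languages: go

      # Anything fetched here, after init and before analyze, is in scope for
      # the extractor. A module cache restored above `init` would move the
      # download out of this window, so compare the number of findings before
      # and after such a change rather than assuming they are identical.
      - run: go mod download

      - uses: github/codeql-action/autobuild@v1

      - uses: github/codeql-action/analyze@v1
```

The `permissions` block is not something the thread asks for, but a job that holds a token able to write code-scanning results should not also have default write access to the repository, so it is worth adding whenever this workflow is next edited.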

@paulcacheux paulcacheux merged commit a2bcd23 into main Dec 24, 2021
@paulcacheux paulcacheux deleted the paulcacheux/fix-codeql branch December 24, 2021 10:46
@paulcacheux
Contributor Author

Sadly this doesn't seem to fix the issue with the default branch. Happy to revert if you prefer the old way.
