Respect proxy settings when streaming the download and extraction of the CodeQL bundle #2624
Conversation
NlightNFotis
force-pushed
the
NlightNFotis/detect_use_proxy_when_streaming
branch
2 times, most recently
from
c888d44 to
f742d6b
Compare
NlightNFotis
force-pushed
the
NlightNFotis/detect_use_proxy_when_streaming
branch
from
326b0f1 to
28dd147
Compare
|
The streaming of the bundle using the Proxy worked fine in the last CI run: https://github.com/github/codeql-action/actions/runs/12146133664/job/33869336618?pr=2624#step:7:33 I'm now in the process of tidying this up (lots of experimental commits), and incorporating conflicting changes from |
NlightNFotis
force-pushed
the
NlightNFotis/detect_use_proxy_when_streaming
branch
3 times, most recently
from
99f0c0d to
2ff0598
Compare
NlightNFotis
force-pushed
the
NlightNFotis/detect_use_proxy_when_streaming
branch
from
2ff0598 to
78be2f1
Compare
NlightNFotis
requested review from
aeisenberg,
henrymercer and
zutshisunakshi
NlightNFotis
changed the title
|
Something that I forgot to mention: this PR is not removing the feature flag: there are 2 references in the code (after this PR gets merged) which are very easy to remove and do not impact functionality. There are also two more references in a couple of test actions, which would require a bit more thought as to how to handle (we could just remove the environment variable reference in them, or just delete them given that this is more or less tested in the new I wanted to do any changes to the feature flag/env var as a different PR, and keep the changes here scoped down to the proxy settings and their handling by the streaming download handler. |
| @@ -1,10 +1,20 @@ | |||
| name: "Proxy test" | |||
| description: "Tests using a proxy specified by the https_proxy environment variable" | |||
| versions: ["linked"] | |||
| versions: ["linked", "nightly-latest"] | |||
There was a problem hiding this comment.
This test was passing before when we were streaming zstd bundles with a CodeQL Action version that wasn't respecting proxy settings, presumably because the CodeQL Action could still access the bundle without the proxy.
Can we update the test to ensure that we're downloading the bundle via the proxy?
There was a problem hiding this comment.
In the latest test added as part of this PR, I'm fairly confident we're downloading the bundle through the proxy.
The reason it worked before is that it didn't test the streaming of the bundle, because when linked is passed as the version, the prepare-step action was choosing the .tar.gz bundle by default - as example the latest run from a PR merged recently.
I am not sure though how it makes that selection between the .tar.gz and the .tar.zst one, because in this PR, the same job downloaded the .tar.zst one. But previously, we didn't go through this code because the same job was opting for the .tar.gz when downloading.
Will look more into that and report back any interesting findings.
src/tools-download.ts
Outdated
| core.warning( | ||
| `Failed to download and extract CodeQL bundle using streaming. Falling back to downloading the bundle before extracting.`, |
There was a problem hiding this comment.
Have you tested this fallback? For instance, what happens if we partially extract the CodeQL bundle while streaming, but something goes wrong? Is it worth cleaning up the destination directory in this case or is that handled elsewhere?
There was a problem hiding this comment.
Yes, I'm quoting from a previous message of mine that probably got lost because of the volume of messages here:
I'm confident we are good without a flag to manage the risk.
To explain why: because the conflicts introduced by a couple of other PRs were extensive, and I couldn't sort out a clean commit history, I opted to instead just manually recreate the PR on top of main (my code changes are small, so easy to manually replay).
In doing so, I made a mistake: I initialised the HTTP client (the one that respects the proxy settings) and passed it to the headers by accident (instead of the http.get options). What happened is here, but short story, because of the streaming download now being inside of a fallback try/catch, the failure to download the CodeQL pack with streaming resulted in falling back to downloading it and then extracting it.
I've since fixed this, but this little mistake validated the fallback mechanism working as intended, so I believe that this won't cause an incident like last time - if it fails, worst case scenario is that the mechanism won't work as expected and fall back to the previous mechanism (download and then extract), with the impact being that we lose a few seconds per run (compared to a failed run).
Does this answer your question satisfactorily?
There was a problem hiding this comment.
Thank you, that answers the first part of my question. I still wonder if it is worth cleaning up the destination directory as part of the catch in case we managed to extract some of the CodeQL bundle but not a complete CodeQL bundle.
There was a problem hiding this comment.
I agree this is a good idea, and something prudent for us to do before we retry.
Added in 4c20d4f.
Co-authored-by: Henry Mercer <henrymercer@github.com>
…ep for the container
|
Thank you for your reviews @aeisenberg @henrymercer. I have now implemented all outstanding items on this PR. Would it be possible to have another look at this? |
CHANGELOG.md
Outdated
| @@ -7,7 +7,8 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the | |||
| ## [UNRELEASED] | |||
|
|
|||
| - We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. [#2631](https://github.com/github/codeql-action/pull/2631) | |||
| - We have added support for respecting the proxy settings present in environment variables in a runner when streaming the download and extraction of the CodeQL bundle. [#2624](https://github.com/github/codeql-action/pull/2624) | |||
| - Fixed an issue where streaming the download and extraction of the CodeQL bundle did not respect proxy settings. [#2624](https://github.com/github/codeql-action/pull/2624) | |||
| - Update default CodeQL bundle version to 2.20.0. [#2636](https://github.com/github/codeql-action/pull/2636) | |||
There was a problem hiding this comment.
Was this line added due to a bad merge?
There was a problem hiding this comment.
Hm, I will have a look.
This was reported as a conflict in the GitHub UI, but when I did a git merge locally, it had no problem automatically resolving the conflict. Perhaps it did a weird thing because of my .gitconfig.
There was a problem hiding this comment.
I cannot find precisely what went wrong here, as the merge log is past my terminal character limit. I remember it saying that it resolved it automatically using the ort method, but it apparently went wrong there.
This is now fixed in 9e8cd42.
Going forward I will be more careful validating these merges went right.
src/tools-download.ts
Outdated
| @@ -127,7 +127,11 @@ export async function downloadAndExtract( | |||
| core.warning( | |||
| `Failed to download and extract CodeQL bundle using streaming. Falling back to downloading the bundle before extracting.`, | |||
| ); | |||
| core.warning(getErrorMessage(e)); | |||
| core.warning(`Error: ${getErrorMessage(e)}`); | |||
There was a problem hiding this comment.
Don't prefix a warning with Error.
| core.warning(`Error: ${getErrorMessage(e)}`); | |
| core.warning(`Warning: ${getErrorMessage(e)}`); |
But, do we even need the prefix at all?
Maybe reverting this is better:
| core.warning(`Error: ${getErrorMessage(e)}`); | |
| core.warning(getErrorMessage(e)); |
There was a problem hiding this comment.
Thank you for catching this.
Seeing it reported now, I agree it looks a bit silly.
My rationale for changing this was that this was rendering an error that was generated in the process of unpacking as a simple warning, with no other context whatsoever, which could be confusing to a user when interpreting the runner log (example).
I'm still motivated to decorate it somehow, as reverting may not satisfy this concern, but I will think about a cleaner decoration that doesn't look weird/silly.
There was a problem hiding this comment.
Okay, this is what I came up with: 88bcf64
I've reworded the warnings to flow a bit more naturally for me, and to allow me to embed the error message in an indicative but non-invasive way.
Is this workable for you @aeisenberg ? Or do you have a strong preference for the previous state of affairs?
pr-checks/readme.md
Outdated
|
|
||
| This folder contains the code supporting the workflows run when a PR is created. | ||
|
|
||
| ## Update |
There was a problem hiding this comment.
I think we can simplify this. I can give some suggestions, but not quite right now.
There was a problem hiding this comment.
There was a problem hiding this comment.
Thank you for this! I agree it looks cleaner.
Will cherry-pick this in.
|
I've merged in |
NlightNFotis
deleted the
NlightNFotis/detect_use_proxy_when_streaming
branch
Description
This PR is adding support for respecting proxy settings while downloading the CodeQL bundle in streaming mode.
Fixes #2600
Guidance
justfile, which is a script interpreted by https://github.com/casey/just, a command action runner. It allows us to create an python virtual environment and run thesync.pyto update dependencies in one step, which is very useful for someone trying to interact with it the first time.justis not present, the file is irrelevant (it's just a text file) but can act as documentation for the steps to invoke manually.tinyproxyand writing a function that invokeddownloadAndExtractZstdWithStreamingand observing that we go through the proxy.test_proxy.ymlworkflow, so that we download the latest nightly bundle, which by default has the extension.tar.zstwhich goes through the code path introduced.sync.pyfile in 9c48c8b in order to support a step that is being used to initialise the container image (because the Ubuntu container is leaned out and doesn't come with the list of pre-installed software the runners usually come prepared with).Merge / deployment checklist