
Update codeql.yml to automatically create new CodeQL issues #6503

Merged Apr 17, 2024 (109 commits)

Conversation

@gaylem (Member) commented Mar 22, 2024

Fixes #5059

What changes did you make?

  • Added the following steps to .github/workflows/codeql.yml:
    • Setup Node.js (needed to use @actions/core)
    • Install @actions/core (needed to use @actions/core)
    • Fetch Alerts
    • Check Existing Issues
    • Create New Issues
  • Created a folder github-actions/trigger-issue/create-codeql-issues
  • Created the following files inside the above folder:
    • issue-body.md
    • fetch-alerts.js
    • check-existing-issues.js
    • create-new-issues.js

Why did you make the changes (we will use this info to test)?

  • We need to automatically create GitHub issues when new CodeQL alerts are detected so that we may respond in a prompt manner and ensure the security and quality of our codebase.
  • The new updates will (1) query the GitHub API to find any open CodeQL alerts, (2) check if there are existing tracking issues for the alerts, and (3) if any issues are missing, create them automatically.

Screenshots of Proposed Changes Of The Website (if any, please do not screen shot code changes)

CodeQL workflow completed
(two screenshots, 2024-03-30)
Issue Trigger workflow completed
(screenshot, 2024-03-30)
38 issues created automatically by codeql.yml
(two screenshots, 2024-03-30)
38 issues added to project board
(screenshot, 2024-03-30)

Testing Notes

  • Test your solution by running the codeql.yml workflow. You will need to do the following:
    • Enable Issues in your private repo so that you see an Issues tab at the top (instructions)
    • Enable CodeQL alerts in the Security tab (GitHub CodeQL Documentation)
    • Copy the Hack for LA Project Board in your private repo and make sure the title says Project Board (instructions)
    • Create the following tokens in your GitHub account and add them to your private repo:
      • HACKFORLA_ADMIN_TOKEN for the codeql.yml file. Choose these scopes:
        - public_repo (under 'repo')
        - admin:org_hook
        - write:org (under 'admin:org')
      • TEAMS for the issue-trigger.yml file. Choose these scopes:
        - 'read:org' (under 'admin:org')
        - 'read:user' (under 'user')
      • HACKFORLA_BOT_PA_TOKEN for the issue-trigger.yml file. Choose these scopes:
        - public_repo (under 'repo')
        - admin:org_hook
    • Push to your branch on your own repo to test.
    • You should see code scanning alerts in your Security tab for your branch after you push to your repo (it'll take a minute). You will need to switch branches inside your Security tab to see them (there is a search bar above the alerts): is:open branch:YOUR-BRANCH
    • Once the security alerts are created, you should see the CodeQL workflow running under your last commit message in the Actions tab.
    • This will also trigger the Issues Trigger workflow in your Actions tab, and you will see workflows with the titles of each new issue.
    • When it's all done, you should also see the issues appear in your Issues tab and on the Project Board in the New Issue Approval column.


Want to review this pull request? Take a look at this documentation for a step by step guide!

From your project repository, check out a new branch and test the changes.

git checkout -b gaylem-create-new-codeql-issues-5059 gh-pages
git pull https://github.com/gaylem/hackforla-website.git create-new-codeql-issues-5059

Note that CONTRIBUTING.md cannot be previewed locally; rather it should be previewed at this URL:

https://github.com/gaylem/website/blob/create-new-codeql-issues-5059/CONTRIBUTING.md  

@github-actions github-actions bot added role: back end/devOps Tasks for back-end developers Complexity: Large size: 5pt Can be done in 19-30 hours Feature: Code Alerts labels Mar 22, 2024
@marioantonini: comment marked as resolved
@gaylem: comment marked as resolved
@marioantonini: comment marked as resolved
@gaylem: comment marked as resolved

@marioantonini marioantonini self-requested a review March 25, 2024 00:31
@marioantonini: comment marked as resolved
@marioantonini: comment marked as resolved
@marioantonini marioantonini removed their request for review March 25, 2024 01:35
@t-will-gillis t-will-gillis self-requested a review March 26, 2024 22:30
@t-will-gillis: comment marked as resolved

@aidanwsimmons (Member) commented Mar 27, 2024

ETA: EOD Thursday
Availability: Weekday afternoons

@t-will-gillis (Member) left a comment

Hey @gaylem -

Sincere kudos for working on this GHA and getting the code to this point, especially for your first time! GHAs can be tricky, and I know you have reworked this once already.

I see the convo with Mario above regarding the setup/architecture of the GHA. It is not my decision to make, but I feel that this likely needs to be rewritten using the same architecture that we use on our other GHAs, i.e., what is described in Hack for LA’s GitHub Actions. I think there is a benefit to having consistency and interchangeability in the codebase. For example, since most of our GHAs use the actions/github-script workflow context, it is fairly simple to modularize repetitive functions (in the /utils/) to use in multiple workflows. I also believe it would be helpful to break the step “Check for CodeQL Alerts” down into 2 or more discrete steps.

I am able to get this GHA running and generating new issues, but I am seeing the same problem with the issue-trigger.yml workflow failing due to missing or bad credentials. I have not spent much time trying to figure out why the credentials are not being passed - but I can say that handling credentials using the actions/github-script context is straightforward and I think reformatting the code would clear up these errors because the context includes the credentials.

I believe that your workflow’s structure is sound. I think that refactoring this using the HfLA wiki guide (hopefully) shouldn’t be too painful- of course keep asking questions.

PS- the Wiki guide, Tip 7.5 is wrong regarding the token scopes and needs to be fixed (I am writing an issue for it). HfLA’s HACKFORLA_BOT_PA_TOKEN only has “public_repo” and “admin:org_hook” scopes, so I would recommend creating another token with these scopes. Keep using your other token and when everything is working, substitute the new token at the end to make sure that the GHA doesn’t need a token with additional scopes. If so there is also a HACKFORLA_ADMIN_TOKEN that has the admin “write:org” scope.

@gaylem: comment marked as resolved
@gaylem: comment marked as resolved
@gaylem gaylem mentioned this pull request Apr 14, 2024
@github-actions github-actions bot removed the Status: Help Wanted Internal assistance is required to make progress label Apr 15, 2024
@gaylem (Member, Author) commented Apr 15, 2024

Hey @t-will-gillis and @aidanwsimmons,

This should be my final update. If you could both take one last look and give your approval, that would be awesome. Here's a summary of how we resolved the issues:

  1. Updated Problem: I updated my tokens to match the scopes listed in this issue. I used HACKFORLA_ADMIN_TOKEN for the Create New Issues step and it worked perfectly in my personal repo (GITHUB_TOKEN did not). So that token should work in production as well. But the Create New Issues step was still failing when this PR ran it as part of the standard checks.
  2. Explanation: After much digging and theorizing, @t-will-gillis and I came up with the answer: workflows triggered by Dependabot PRs will run with read-only permissions. So that's why the Create New Issues step was failing. Which means if I deployed the original changes I made, then the codeql.yml workflow would have always failed on every PR.
  3. Solution: I added the following code to all three of the new steps I built on the codeql.yml file so they don't run on PRs: if: github.event_name != 'pull_request'. I tested it locally and it creates the issues as expected. And as you can see in the workflow logs on this PR, those steps are being skipped as expected.
  4. Request @t-will-gillis and @aidanwsimmons Could you review this (and test with the updated instructions in the PR description) one last time and give your approval (or request more changes if you notice something is wrong)? The only change I made other than adding the if condition to the codeql.yml file was refactoring the post requests on create-new-issues.yml.

Thanks everyone for your help and patience with this!
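
One shape the three issue steps can take once the guard described above is in place, as an added example and not the merged codeql.yml: it uses actions/github-script (the pattern the reviewer recommended), passes data between steps through outputs rather than a shared Node process, and uses the admin token only on the step that writes. The trigger list, action versions, script paths, output names and the scripts' call signatures are assumptions; the branch and secret names come from this PR's description.

```yaml
# Added example, not the merged codeql.yml. Trigger list, action versions,
# script paths, output names and the scripts' signatures are assumptions.
name: CodeQL

on:
  push:
    branches: [gh-pages]
  pull_request:
    branches: [gh-pages]

permissions:
  contents: read
  security-events: write   # upload SARIF and read code-scanning alerts
  issues: write            # has no effect on Dependabot PRs: their GITHUB_TOKEN is read-only

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3

      # The three steps below are skipped on pull_request events, so the
      # read-only token a Dependabot PR runs with can never fail the job.
      - name: Fetch Alerts
        id: fetch
        if: github.event_name != 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            // assumed: the script exports an async function taking the github-script context
            const fetchAlerts = require('./github-actions/trigger-issue/create-codeql-issues/fetch-alerts.js');
            const alerts = await fetchAlerts({ github, context, core });
            core.setOutput('alerts', JSON.stringify(alerts));

      - name: Check Existing Issues
        id: check
        if: github.event_name != 'pull_request'
        uses: actions/github-script@v7
        env:
          ALERTS: ${{ steps.fetch.outputs.alerts }}   # via env, not interpolated into the script
        with:
          script: |
            const checkExisting = require('./github-actions/trigger-issue/create-codeql-issues/check-existing-issues.js');
            const missing = await checkExisting({ github, context, core }, JSON.parse(process.env.ALERTS));
            core.setOutput('missing', JSON.stringify(missing));

      - name: Create New Issues
        if: github.event_name != 'pull_request'
        uses: actions/github-script@v7
        env:
          MISSING: ${{ steps.check.outputs.missing }}
        with:
          github-token: ${{ secrets.HACKFORLA_ADMIN_TOKEN }}   # the token the author reports working for this step
          script: |
            const createIssues = require('./github-actions/trigger-issue/create-codeql-issues/create-new-issues.js');
            await createIssues({ github, context, core }, JSON.parse(process.env.MISSING));
```

Two practitioner notes on this layout: alert data crosses step boundaries through `env`, because interpolating `${{ steps.*.outputs.* }}` directly into the `script:` text would let alert fields (rule descriptions, file paths) be parsed as JavaScript; and the personal access token is scoped to the one step that creates issues, so the read-only steps keep the default GITHUB_TOKEN.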

@t-will-gillis (Member) previously approved these changes Apr 15, 2024 and left a comment

Hey @gaylem Fantastic job! I ran this one more time and everything appears to be working as expected. Thanks for all of your work on this!

@gaylem (Member, Author) commented Apr 15, 2024

FYI, I did some regression testing because I wanted to confirm that the workflow still picks up errors and throws alerts on PR requests. It does! I added an unused variable to the fetch-alerts.js file and it threw an alert. (I also reverted the changes I made to test this.)
(screenshot, 2024-04-15)

  1. Also, I double checked and the fetch-alerts step should not pick up on alerts created by PR checks because the state is set to open:
(screenshot, 2024-04-15)
  2. Lastly, I updated my TEAMS test token with the correct scope and it still added labels correctly.

@aidanwsimmons (Member) left a comment

Great job Gayle! pulled your most recent changes and configured tokens per your instructions. Successfully generated issues and they appeared on my project board. Approved!

Labels: Complexity: Large; Feature: Code Alerts; role: back end/devOps (Tasks for back-end developers); size: 5pt (Can be done in 19-30 hours)
Projects: None yet
Development: Successfully merging this pull request may close these issues: Create GHA to create issues when new CodeQL alerts are detected
5 participants