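# Composite action: collect the CodeQL SARIF results GitHub already stores for a
# commit or pull request, hand them to the Mobb CLI (mobbdev) to generate fixes,
# and (PR runs only) report progress and the fix-report link as commit statuses.
#
# Trigger model and security notes (review):
#   * Every step reads `github.event.workflow_run.*`, so this action is meant to
#     run from a `workflow_run`-triggered workflow (after the CodeQL workflow
#     finishes). Such workflows execute in the base repository's context with
#     its secrets, even for runs that originated from a fork PR, so both
#     `mobb-api-token` and `github-token` are present while the PR head is
#     checked out and `npx` runs inside that checkout. Keep the calling
#     workflow's `permissions:` minimal.
#   * `workflow_run.pull_requests` is empty for PRs from forks; the
#     `pull_request` branch of the env step fails closed in that case because no
#     PR number can be resolved.
#   * Permissions `github-token` needs for the calls made in this file:
#     `statuses: write` (commit statuses), `security-events: read` (code-scanning
#     analyses), `pull-requests: read` (PR lookup). The mobbdev `review` command
#     may need more (e.g. to comment on the PR) — confirm against its docs.
name: "codeql-mobb-fixer-action"
description: "Mobb automatic vulnerability fixer action for GitHub CodeQL analysis on pull requests and commits"
branding:
  icon: aperture
  color: blue

inputs:
  mobb-api-token:
    description: "Mobb API token"
    required: true
  mobb-project-name:
    description: "Mobb Project Name"
    required: false
  organization-id:
    description: "Mobb Organization ID"
    required: false
  github-token:
    description: "GitHub token"
    required: true

outputs:
  fix-report-url:
    description: "Mobb fix report URL"
    value: ${{ steps.run-npx-mobb-dev.outputs.fix-report-url }}

runs:
  using: "composite"
  steps:
    # Third-party actions are pinned to a full commit SHA; the trailing version
    # comment is informational only.
    - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: "18"

    # Work out what is being analysed (PR vs. commit), the head SHA and the
    # branch to check out, from the workflow_run payload. Event-derived values
    # are passed in via `env:` rather than interpolated into the script, so a
    # crafted branch name cannot break out of the shell.
    - id: env
      name: Set Up Environment
      run: |
        # Getting the head-sha
        echo "head_sha=$HEAD_SHA"
        echo "head-sha=$HEAD_SHA" >> "$GITHUB_OUTPUT"
        # Getting the action-run-path
        RUN_PATH="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
        echo "RUN_PATH: $RUN_PATH"
        echo "action-run-path=$RUN_PATH" >> "$GITHUB_OUTPUT"
        echo "triggering_event=$TRIGGERING_EVENT"
        echo "head_branch=$HEAD_BRANCH"

        # The PR number is interpolated into an API URL here and into a jq
        # regex in the CodeQL step; accept only a plain decimal number.
        # `jq -r` yields the literal string "null" when the field is missing
        # (e.g. workflow_run.pull_requests is empty for fork PRs).
        require_pr_number() {
          if [[ ! "$1" =~ ^[0-9]+$ ]]; then
            echo "Error: could not resolve a pull request number (got '$1'). workflow_run.pull_requests is empty for PRs from forks." >&2
            exit 1
          fi
        }
        # Resolve the PR head branch by number. `shell: bash` runs with
        # -e/pipefail, so with --fail an API error stops the step here instead
        # of handing the string "null" to actions/checkout as a ref.
        lookup_head_ref() {
          local ref
          ref=$(curl -sS --fail --header "authorization: Bearer $GH_TOKEN" "$REPO_API_URL/pulls/$1" | jq -r '.head.ref')
          if [[ -z "$ref" || "$ref" == "null" ]]; then
            echo "Error: pull request #$1 has no head.ref in the API response" >&2
            return 1
          fi
          printf '%s\n' "$ref"
        }

        # Initialize variables
        PR_NUMBER=""
        GITHUB_HEAD_REF=""
        IS_COMMIT_RUN=false
        if [[ "$TRIGGERING_EVENT" == "pull_request" ]]; then
          echo "Triggering event is a pull request, extracting PR Number from github.event.workflow_run.pull_requests[0].number"
          PR_NUMBER=$(jq -r '.workflow_run.pull_requests[0].number' "$GITHUB_EVENT_PATH")
          echo "PR_NUMBER: $PR_NUMBER"
          require_pr_number "$PR_NUMBER"
          # Getting the head-ref for PR
          GITHUB_HEAD_REF=$(lookup_head_ref "$PR_NUMBER")
          echo "GITHUB_HEAD_REF: $GITHUB_HEAD_REF"
        elif [[ "$TRIGGERING_EVENT" == "dynamic" && "$HEAD_BRANCH" == refs/pull/* ]]; then
          # Extract the PR number from the head_branch (refs/pull/<n>/...).
          # POSIX `cut -d/-f` rather than the GNU-only long options so the
          # step also works on non-GNU runners.
          echo "Triggering event is a dynamic event, extracting PR Number from head_branch"
          PR_NUMBER=$(printf '%s\n' "$HEAD_BRANCH" | cut -d '/' -f 3)
          echo "PR_NUMBER: $PR_NUMBER"
          require_pr_number "$PR_NUMBER"
          # Getting the head-ref for PR
          GITHUB_HEAD_REF=$(lookup_head_ref "$PR_NUMBER")
          echo "GITHUB_HEAD_REF: $GITHUB_HEAD_REF"
        elif [[ "$TRIGGERING_EVENT" == "push" ]]; then
          echo "Triggering event is a push/commit, using commit SHA and branch"
          IS_COMMIT_RUN=true
          PR_NUMBER=""
          # For push events, use the head_branch directly; strip a leading
          # refs/heads/ if present (no-op otherwise).
          GITHUB_HEAD_REF="${HEAD_BRANCH#refs/heads/}"
          echo "GITHUB_HEAD_REF: $GITHUB_HEAD_REF"
        else
          echo "Warning: Triggering event '$TRIGGERING_EVENT' is not explicitly handled. Attempting to proceed as commit run."
          IS_COMMIT_RUN=true
          PR_NUMBER=""
          # For other events, try to extract branch from head_branch
          GITHUB_HEAD_REF="${HEAD_BRANCH#refs/heads/}"
          echo "GITHUB_HEAD_REF: $GITHUB_HEAD_REF"
        fi

        # Setting outputs. Git ref names cannot contain newlines, so a branch
        # name cannot smuggle extra `key=value` lines into GITHUB_OUTPUT.
        echo "pr-number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
        echo "github-head-ref=$GITHUB_HEAD_REF" >> "$GITHUB_OUTPUT"
        echo "is-commit-run=$IS_COMMIT_RUN" >> "$GITHUB_OUTPUT"
        # Log the run type for clarity
        if [[ "$IS_COMMIT_RUN" == "true" ]]; then
          echo "Running Mobb analysis for COMMIT on branch: $GITHUB_HEAD_REF"
          echo "Commit SHA: $HEAD_SHA"
        else
          echo "Running Mobb analysis for PULL REQUEST #$PR_NUMBER"
          echo "Branch: $GITHUB_HEAD_REF, SHA: $HEAD_SHA"
        fi
      shell: bash
      env:
        HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        TRIGGERING_EVENT: ${{ github.event.workflow_run.event }}
        HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        GH_TOKEN: ${{ inputs.github-token }}
        # API URL of the repository the workflow_run belongs to (the base repo).
        REPO_API_URL: ${{ github.event.workflow_run.repository.url }}

    # Checks out the resolved branch by name from the base repository
    # (actions/checkout's default `repository`).
    # NOTE(review): for a fork PR the head branch lives in the fork, so this
    # checkout is expected to fail — or, if the base repo happens to have a
    # branch of the same name, to check out the wrong code. Supporting fork
    # PRs would need `workflow_run.head_repository` plus the head SHA; confirm
    # whether that is in scope before relying on this for forks.
    - name: Checkout repository
      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      with:
        ref: ${{ steps.env.outputs.github-head-ref }}

    # Displays status in the PR that this action is in 'pending' status (PR only)
    - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
      if: steps.env.outputs.is-commit-run != 'true'
      with:
        authToken: ${{ inputs.github-token }}
        context: "Mobb Fix Analysis"
        state: "pending"
        target_url: ${{ steps.env.outputs.action-run-path }}
        sha: ${{ steps.env.outputs.head-sha }}
        description: "Mobb fix analysis in progress..."

    # Fetch every CodeQL analysis GitHub holds for this commit / PR and merge
    # their SARIF `runs` into a single sarif_output.json for Mobb.
    - id: run-codeql-generate-report
      name: CodeQL Generate Report
      run: |
        # Check all available CodeQL analyses
        URL="$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/code-scanning/analyses"
        echo "analyses list URL=$URL"
        # --fail turns an API error (code scanning disabled, token lacking
        # security-events: read, ...) into an immediate, readable failure
        # instead of feeding an error object to the jq filters below.
        # NOTE(review): this endpoint is paginated and only the first page is
        # examined; a busy repo may have the matching analyses beyond it —
        # confirm whether `per_page`/`ref` query parameters should be used.
        response=$(curl -sS --fail -H "Authorization: Bearer $GH_TOKEN" "$URL")
        echo "length of code-scanning analyses list=${#response}"
        echo "analyses list: $response"
        # Different filtering logic based on whether this is a PR or commit run
        if [[ "$IS_COMMIT_RUN" == "true" ]]; then
          echo "Filtering CodeQL analyses for commit run - matching SHA: $HEAD_SHA"
          # For commit runs, filter by commit SHA
          ids=$(printf '%s' "$response" | jq -r --arg sha "$HEAD_SHA" '.[] | select((.commit_sha == $sha) and (.tool.name == "CodeQL")) | .id')
        else
          echo "Filtering CodeQL analyses for PR run - matching refs/pull/$PR_NUMBER/"
          # For PR runs, filter by PR ref pattern. $pr is interpolated into a
          # regex; the env step guarantees it is a plain decimal number.
          ids=$(printf '%s' "$response" | jq -r --arg pr "$PR_NUMBER" '.[] | select((.ref | test("^refs/pull/" + $pr + "/")) and (.tool.name == "CodeQL")) | .id')
        fi
        echo "Matching analyses ids=$ids"
        if [ -z "$ids" ]; then
          if [[ "$IS_COMMIT_RUN" == "true" ]]; then
            echo "Error: No matching CodeQL analyses found for commit SHA $HEAD_SHA." >&2
          else
            echo "Error: No matching CodeQL analyses found for PR $PR_NUMBER." >&2
          fi
          exit 1
        fi
        echo "Initialize sarif_output.json with the base structure"
        echo '{
          "runs": [],
          "version": "2.1.0"
        }' > sarif_output.json
        cat sarif_output.json
        # Loop through each ID (analysis ids are integers from the API, so
        # unquoted word-splitting here is intended)
        for id in $ids; do
          echo "Found Analysis ID: $id"
          # Fetch the SARIF response; --fail aborts the step on an API error
          # rather than merging an error body into the report.
          sarif_response=$(curl -sS --fail -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/sarif+json" "$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/code-scanning/analyses/$id")
          echo "length of sarif_response=${#sarif_response}"
          # Save the response to a temporary file
          printf '%s\n' "$sarif_response" > current_sarif.json
          # Combine the current sarif_output.json with the new SARIF response
          jq -s '{"version": "2.1.0", "runs": (.[0].runs + .[1].runs)}' sarif_output.json current_sarif.json > temp_sarif_output.json
          # Move the temporary file to sarif_output.json
          mv temp_sarif_output.json sarif_output.json
          echo "sarif_output.json size=$(stat -c%s sarif_output.json)"
        done
        # Print directory
        ls -l
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.github-token }}
        PR_NUMBER: ${{ steps.env.outputs.pr-number }}
        HEAD_SHA: ${{ steps.env.outputs.head-sha }}
        IS_COMMIT_RUN: ${{ steps.env.outputs.is-commit-run }}

    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      with:
        name: CodeQL Sarif Report
        path: sarif_output.json

    # Run the Mobb CLI on the merged SARIF and capture the report URL.
    # NOTE(security): mobbdev is resolved as `@latest` at run time while every
    # `uses:` in this file is SHA-pinned; it is the one floating dependency and
    # it receives both tokens. Pin it to an exact version.
    # NOTE(review): npx runs inside the checked-out (PR-controlled) tree; npm
    # honours a project-level .npmrc in the working directory, so confirm that
    # a checked-out .npmrc cannot redirect the registry or add install hooks.
    - id: run-npx-mobb-dev
      name: Mobb - Generate Autofix
      run: |
        REPO=$(git remote get-url origin)
        REPO=${REPO%".git"}
        echo "REPO: $REPO"
        echo "GITHUB_HEAD_REF: $MOBB_HEAD_REF"
        echo "GITHUB_SHA: $MOBB_HEAD_SHA"
        echo "PR_NUMBER: $MOBB_PR_NUMBER"
        echo "IS_COMMIT_RUN: $MOBB_IS_COMMIT_RUN"
        # Build the Mobb command based on run type. The tokens are passed as
        # argv, so they are visible to anything on the runner that can list
        # processes; if the CLI also accepts them via environment variables,
        # prefer that — confirm in its docs.
        if [[ "$MOBB_IS_COMMIT_RUN" != "true" && -n "$MOBB_PR_NUMBER" ]]; then
          echo "Building PR review command for PR #$MOBB_PR_NUMBER"
          MOBB_ARGS=(
            npx --yes mobbdev@latest review
            -r "$REPO"
            --ref "$MOBB_HEAD_REF"
            --ch "$MOBB_HEAD_SHA"
            --api-key "$MOBB_API_TOKEN"
            -f sarif_output.json
            --github-token "$GH_TOKEN"
            --scanner codeql
            --pr "$MOBB_PR_NUMBER"
          )
        else
          echo "Building commit analyze command - no PR parameters"
          MOBB_ARGS=(
            npx --yes mobbdev@latest analyze
            -r "$REPO"
            --ref "$MOBB_HEAD_REF"
            --api-key "$MOBB_API_TOKEN"
            -f sarif_output.json
            --ci
          )
        fi
        # Check if mobb-project-name exists and append it
        if [ -n "$MOBB_PROJECT_NAME" ]; then
          echo "mobb-project-name specified: $MOBB_PROJECT_NAME"
          MOBB_ARGS+=(--mobb-project-name "$MOBB_PROJECT_NAME")
        fi
        # Check if organization-id exists and append it
        if [ -n "$MOBB_ORG_ID" ]; then
          echo "organization-id specified: $MOBB_ORG_ID"
          MOBB_ARGS+=(--organization-id "$MOBB_ORG_ID")
        fi
        # `shell: bash` runs with -e, so a failing command substitution in a
        # plain assignment would exit before the status could be inspected.
        # Suspend -e around the call so the CLI's exit code is propagated on
        # purpose, with a message.
        set +e
        OUT=$("${MOBB_ARGS[@]}")
        RETVAL=$?
        set -e
        if [ "$RETVAL" -ne 0 ]; then
          echo "Error: mobbdev exited with status $RETVAL" >&2
          exit "$RETVAL"
        fi
        # Process the output - extract just the URL from any surrounding status
        # messages. Assumes the first https URL the CLI prints is the report
        # link; `|| true` keeps a no-match from silently killing the step under
        # pipefail so the explicit check below can explain the failure.
        OUT=$(printf '%s' "$OUT" | tr '\n' ' ')
        MOBB_URL=$(printf '%s' "$OUT" | grep -oE 'https://[^ ]+' | head -1 || true)
        if [ -z "$MOBB_URL" ]; then
          echo "Error: no report URL found in mobbdev output" >&2
          exit 1
        fi
        echo "fix-report-url=$MOBB_URL" >> "$GITHUB_OUTPUT"
        echo "Mobb URL: $MOBB_URL"
      shell: bash
      env:
        MOBB_HEAD_SHA: ${{ steps.env.outputs.head-sha }}
        MOBB_PR_NUMBER: ${{ steps.env.outputs.pr-number }}
        MOBB_HEAD_REF: ${{ steps.env.outputs.github-head-ref }}
        MOBB_IS_COMMIT_RUN: ${{ steps.env.outputs.is-commit-run }}
        MOBB_API_TOKEN: ${{ inputs.mobb-api-token }}
        GH_TOKEN: ${{ inputs.github-token }}
        MOBB_PROJECT_NAME: ${{ inputs.mobb-project-name }}
        MOBB_ORG_ID: ${{ inputs.organization-id }}

    # Publish the Mobb fix report link in the PR (PR only). Runs only when the
    # preceding steps succeeded (default step condition).
    - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
      if: steps.env.outputs.is-commit-run != 'true'
      with:
        authToken: ${{ inputs.github-token }}
        context: "Mobb Fix Report Link"
        state: "success"
        target_url: ${{ steps.run-npx-mobb-dev.outputs.fix-report-url }}
        sha: ${{ steps.env.outputs.head-sha }}
        description: "Click \"Details\" to access the full fix analysis report"

    # Displays status in the PR that this action is in 'complete' status (PR only)
    - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
      if: success() && steps.env.outputs.is-commit-run != 'true'
      with:
        authToken: ${{ inputs.github-token }}
        context: "Mobb Fix Analysis"
        state: "success"
        target_url: ${{ steps.env.outputs.action-run-path }}
        sha: ${{ steps.env.outputs.head-sha }}
        description: "Mobb fix analysis completed. See comment in the PR for results"

    # Displays status in the PR that this action is in 'failure' status (PR only)
    - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
      if: failure() && steps.env.outputs.is-commit-run != 'true'
      with:
        authToken: ${{ inputs.github-token }}
        context: "Mobb Fix Analysis"
        state: "failure"
        target_url: ${{ steps.env.outputs.action-run-path }}
        sha: ${{ steps.env.outputs.head-sha }}
        description: "Mobb fix analysis failed. Click \"Details\" to see console logs"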