2 changes: 1 addition & 1 deletion .github/workflows/daily-malicious-code-scan.lock.yml


2 changes: 1 addition & 1 deletion .github/workflows/daily-semgrep-scan.lock.yml


5 changes: 5 additions & 0 deletions actions/setup/js/create_code_scanning_alert.cjs
Expand Up @@ -28,6 +28,10 @@ async function main(config = {}) {
core.info(`Create code scanning alert configuration: max=${maxFindings === 0 ? "unlimited" : maxFindings}`);
core.info(`Driver name: ${driverName}`);
core.info(`Workflow filename for rule ID prefix: ${workflowFilename}`);
core.info(`Working directory: ${process.cwd()}`);
core.info(`GitHub ref: ${process.env.GITHUB_REF || "(not set)"}`);
core.info(`GitHub SHA: ${process.env.GITHUB_SHA || "(not set)"}`);
core.info(`GitHub repository: ${process.env.GITHUB_REPOSITORY || "(not set)"}`);

// Track how many items we've processed for max limit
let processedCount = 0;
Expand All @@ -39,6 +43,7 @@ async function main(config = {}) {
// SARIF file path
const sarifFileName = "code-scanning-alert.sarif";
const sarifFilePath = path.join(process.cwd(), sarifFileName);
core.info(`SARIF file will be written to: ${sarifFilePath}`);

/**
* Generate and write SARIF file with all collected findings
14 changes: 14 additions & 0 deletions pkg/workflow/compiler_safe_outputs_job_test.go
Expand Up @@ -841,6 +841,20 @@ func TestCreateCodeScanningAlertIncludesSARIFUploadStep(t *testing.T) {
"Upload step should reference sarif_file output")
assert.Contains(t, stepsContent, "wait-for-processing: true",
"Upload step should wait for processing")
// github/codeql-action/upload-sarif uses 'token' not 'github-token'
// Extract the upload-sarif step section to check it specifically
uploadStepStart := strings.Index(stepsContent, "- name: Upload SARIF to GitHub Code Scanning")

Copilot AI Apr 1, 2026

uploadStepStart := strings.Index(stepsContent, "- name: Upload SARIF to GitHub Code Scanning") is unlikely to match because the compiled YAML step name line is indented (e.g., it’s emitted as " - name: Upload SARIF to GitHub Code Scanning\n"). This will make the test fail even when the step exists. Update the search string to include the expected indentation (or use a more robust delimiter that doesn’t depend on exact spacing).

Suggested change
uploadStepStart := strings.Index(stepsContent, "- name: Upload SARIF to GitHub Code Scanning")
uploadStepStart := strings.Index(stepsContent, " - name: Upload SARIF to GitHub Code Scanning")

require.Greater(t, uploadStepStart, -1, "Upload SARIF step must exist in steps content")
uploadStepSection := stepsContent[uploadStepStart:]
// Find the end of this step (next step starts with " - name:")
nextStepIdx := strings.Index(uploadStepSection[len(" - name:"):], " - name:")
if nextStepIdx > -1 {
uploadStepSection = uploadStepSection[:nextStepIdx+len(" - name:")]
}
assert.Contains(t, uploadStepSection, "token:",
"Upload step should use 'token' input (not 'github-token')")
assert.NotContains(t, uploadStepSection, "github-token:",
"Upload step must not use 'github-token' - upload-sarif only accepts 'token'")

// Verify the upload step appears after the process_safe_outputs step
processSafeOutputsPos := strings.Index(stepsContent, "id: process_safe_outputs")
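Review bot: The positive assertion `assert.Contains(t, uploadStepSection, "token:", ...)` is satisfied by any occurrence of `github-token:` as well, since `token:` is a substring of it, so on its own it does not prove the step carries the `token` input; it only acquires meaning through the NotContains two lines below. Anchoring the match to a line start makes the check self-sufficient, e.g. `assert.Regexp(t, "(?m)^\\s*token:", uploadStepSection, "Upload step should use 'token' input (not 'github-token')")`. The surrounding step-boundary slicing is driven by hard-coded indentation literals, so a future change to the compiler's emitted indentation would silently widen or narrow the inspected section rather than fail loudly; a comment stating that dependency next to the slicing would help the next maintainer. TestCreateCodeScanningAlertIncludesSARIFUploadStep starts outside the hunk.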
36 changes: 35 additions & 1 deletion pkg/workflow/create_code_scanning_alert.go
Expand Up @@ -78,9 +78,43 @@ func (c *Compiler) buildUploadCodeScanningSARIFStep(data *WorkflowData) []string
steps = append(steps, " if: steps.process_safe_outputs.outputs.sarif_file != ''\n")
steps = append(steps, fmt.Sprintf(" uses: %s\n", GetActionPin("github/codeql-action/upload-sarif")))
steps = append(steps, " with:\n")
c.addSafeOutputGitHubTokenForConfig(&steps, data, data.SafeOutputs.CreateCodeScanningAlerts.GitHubToken)
// NOTE: github/codeql-action/upload-sarif uses 'token' as the input name, not 'github-token'
c.addUploadSARIFToken(&steps, data, data.SafeOutputs.CreateCodeScanningAlerts.GitHubToken)
steps = append(steps, " sarif_file: ${{ steps.process_safe_outputs.outputs.sarif_file }}\n")
steps = append(steps, " wait-for-processing: true\n")

return steps
}

// addUploadSARIFToken adds the 'token' input for github/codeql-action/upload-sarif.
// This action uses 'token' as the input name (not 'github-token' like other GitHub Actions).
// Uses precedence: config token > safe-outputs global github-token > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
func (c *Compiler) addUploadSARIFToken(steps *[]string, data *WorkflowData, configToken string) {
var safeOutputsToken string
if data.SafeOutputs != nil {
safeOutputsToken = data.SafeOutputs.GitHubToken
}

// If app is configured, use app token
if data.SafeOutputs != nil && data.SafeOutputs.GitHubApp != nil {
*steps = append(*steps, " token: ${{ steps.safe-outputs-app-token.outputs.token }}\n")
return
Comment on lines +89 to +101

Copilot AI Apr 1, 2026

The docstring for addUploadSARIFToken says precedence is config token > safe-outputs global github-token > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN, but the implementation returns the GitHub App minted token whenever data.SafeOutputs.GitHubApp != nil, regardless of configToken/safeOutputsToken. Please update the comment to reflect the actual precedence (including where the GitHub App token fits) so future changes don’t rely on an incorrect contract.

}

// Choose the first non-empty custom token for precedence
effectiveCustomToken := configToken
if effectiveCustomToken == "" {
effectiveCustomToken = safeOutputsToken
}

effectiveToken := getEffectiveSafeOutputGitHubToken(effectiveCustomToken)
// Log which token source is being used for debugging
tokenSource := "default (GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)"
if configToken != "" {
tokenSource = "per-config github-token"
} else if safeOutputsToken != "" {
tokenSource = "safe-outputs github-token"
}
createCodeScanningAlertLog.Printf("Using token for SARIF upload from source: %s (upload-sarif uses 'token' not 'github-token')", tokenSource)
*steps = append(*steps, fmt.Sprintf(" token: %s\n", effectiveToken))
}
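Review bot: addUploadSARIFToken re-implements the token-selection chain (app token, then config token, then safe-outputs token, then the default) that the replaced `addSafeOutputGitHubTokenForConfig` call presumably already encodes, with the emitted input key as the only visible difference; if that helper implements the same chain, giving it an input-name parameter and calling it with `"token"` here keeps a single copy of the precedence rules and avoids the two helpers drifting apart on edge cases such as the app-token branch. The `data.SafeOutputs != nil` guards inside the helper are inconsistent with the caller in buildUploadCodeScanningSARIFStep, which dereferences `data.SafeOutputs.CreateCodeScanningAlerts.GitHubToken` unconditionally before the call, so either the guard is dead or the caller is missing it; one comment stating which contract holds would settle it. The log line records only the token source, not the token value, which is the right choice for compiler output. buildUploadCodeScanningSARIFStep starts outside the hunk.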