upload-sarif: token input doesn't work #2386
Comments
Your SARIF file is suspiciously small 542 bytes. My guess is that there is something invalid about the file being generated. Could you share the file here? If you ran the job in debug mode, it should have been uploaded as an artifact.
I'm experiencing the same issue. The logging immediately before and at the failure appears to come from this block https://github.com/github/codeql-action/blob/v3.25.0/src/upload-lib.ts#L233-L240. I did not see a corresponding Action Debug Output
It's likely that your token does not have the proper scopes associated with it. It needs the
I believe currently only the built-in GitHub Actions token can be used to upload SARIF files with the Note that you should still be able to use a custom token for other steps like checking out the repository or downloading build dependencies.
Thanks, @chrisgavin. The docs are updated here #2477.
We leverage a shared workflow in a number of repositories and the custom token (with the required permissions) would allow us to avoid adding the following boilerplate to each call of the shared workflow.

permissions:
  actions: read
  contents: read
  security-events: write
I have this step in a workflow and it works:
but it doesn't work if I add the token argument:
This is the error:
Uploading results
Processing sarif files: ["trivy-test-yellow.sarif"]
Validating trivy-test-yellow.sarif
Combining SARIF files using the CodeQL CLI
Adding fingerprints to SARIF file. For more information, see https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs
Uploading results
Warning: Not Found
Error: Not Found
Debug
The secret is properly configured. If I change the secret value, I get "Bad credentials". I created this step to check the token and it works: