[K9VULN-10939] Refactor from container action to composite action#55
[K9VULN-10939] Refactor from container action to composite action#55jasonforal merged 2 commits intomainfrom
Conversation
37b8cb0 to
54d9d85
Compare
| exit 1 | ||
| fi | ||
|
|
||
| sed -i.bak "s/$test_hook/echo 'Simulating cURL error...'; exit 1/" action.yml |
There was a problem hiding this comment.
should we route to stderr for proper logging? echo 'Simulating cURL error...' >&2; exit 1
There was a problem hiding this comment.
We only care about showing a message in GitHub actions UI for what's happening (it's conceptually a console.log rather than an error message). But regardless, not sure that's necessary as the UI doesn't distinguish stdout vs stderr
| dd_api_key: ${{ secrets.DD_API_KEY }} | ||
| dd_app_key: ${{ secrets.DD_APP_KEY }} | ||
| dd_site: ${{ vars.DD_SITE }} | ||
| diff_aware: true |
There was a problem hiding this comment.
do we need to test the diff_aware:false case?
There was a problem hiding this comment.
Not in my opinion. The diff_aware:true strictly adds new behavior to the workflow:
datadog-static-analyzer-github-action/action.yml
Lines 166 to 174 in 54d9d85
So setting it to false will hit all the same code paths as when it's true
| git config --global user.name "User" | ||
| git config --global user.email "user@example.com" | ||
| # (A dummy commit is added so a new commit hash is always uploaded to Datadog) | ||
| git commit -m "Commit" --allow-empty |
There was a problem hiding this comment.
should we make the commit message a little clearer in case anyone comes up on this without context?
There was a problem hiding this comment.
The commit is ephemeral and the message is never uploaded (so no one sees it), so I think the code comment above suffices.
|
|
||
| if [ -n "$resolved_version" ] && ( | ||
| echo "Fetching datadog-ci $resolved_version release" | ||
| TEST_HOOK_FORCE_NPM_INSTALL="" # (Test hook to simulate an error) |
There was a problem hiding this comment.
If this is meant to force npm install during testing (as the comment suggests), it should be checking the variable's value, not setting it right? I'm a little confused about how setting it to an empty string forces the npm install
There was a problem hiding this comment.
The intent for here is to have a no-op statement that can be found/replaced with arbitrary logic (not sure if there's a better way to test more complex control flow in GHA like this...)
This could've also been
echo "Fetching datadog-ci $resolved_version release"
### <TEST_HOOK_FORCE_NPM_INSTALL_DO_NOT_DELETE_THIS> ###
filename="datadog-ci_$DDCI_OS-$DDCI_ARCH"Or anything else that no-ops when left alone.
Happy to rename if you think it would be more clear
| -f sarif \ | ||
| --cpus "$CPU_COUNT" \ | ||
| "$ENABLE_PERFORMANCE_STATISTICS" \ | ||
| --debug $DEBUG_ARGUMENT_VALUE \ |
There was a problem hiding this comment.
do you need to quote this like the other args?
There was a problem hiding this comment.
Technically yes, but that's a bug that exists in the current implementation, so we need to preserve it 🥲 :
What this PR does
Refactors the action from a Docker container action to a composite action.
In practice, this reduces the lower bound of the cold start of the action from ~66 seconds to ~7 seconds.
All users of Github Actions will be able to upgrade without issue. However, this will be released as a new major version (
v3) because self-hosted runners might require migrations if either of the following apply:curl,node, orbash, etc.)Before (~66s)
After (~7s)
Rationale
#51 introduced a shim Dockerfile to ensure
datadog-ciwas always up-to-date. While this works, it's inefficient, as it requires a new Docker container to be built for each execution. For a standard GitHub runner, this introduces a minimum of 1 minute overhead.Implementation Details
The bulk of the new code in this PR relates to fetching
datadog-static-analyzeranddatadog-ciin the most efficient manner possible. The actual configuration and param passing to the analyzer is a copy/paste of the old implementation found in datadog-static-analyzer/misc/github-action.sh, so there is no behavior change.Installing datadog-static-analyzer
datadog-static-analyzer-aarch64-unknown-linux-gnu.zip) from the official GitHub releases. The version used will always be "latest".Installing datadog-ci
This is where it gets more complex. The strategy here is:
Attempt a direct GitHub release download:
datadog-civersions usingnpm list. npm returns matching versions as a list, e.g.:datadog-ci_linux-arm64) from the official GitHub releases.If any of the above steps fail:
npm install.Testing
You'll want to confirm that this PR implements the exact logic from datadog-static-analyzer/misc/github-action.sh (paying attention to small details like shell quoting or lack thereof)
Notes
architectureinput has been deprecated. Turns out it never did anything anyway, so no need to have a formal deprecation window.npxwould've simplified the implementation by avoiding thenpm viewsong and dance. However, when specifying a semver range (e.g.^4), two separate calls could resolve to two separate versions. Ensuring a stable version introduces a comparable amount of complexity, and so it feels cleaner this way.