Skip to content

Comments

Fix upload-sarif potentially initialising CodeQL twice (second attempt)#3505

Open
mbg wants to merge 7 commits intomainfrom
mbg/upload-sarif/fix-codeql-multi-init
Open

Fix upload-sarif potentially initialising CodeQL twice (second attempt)#3505
mbg wants to merge 7 commits intomainfrom
mbg/upload-sarif/fix-codeql-multi-init

Conversation

@mbg
Copy link
Member

@mbg mbg commented Feb 24, 2026

This is a fresh attempt at #3006 based on the suggestion in #3006 (review).

This wasn't a priority to fix, but I am working on something else that requires a CodeQL instance in upload-sarif and thought it would make sense to address this first.

Risk assessment

For internal use only. Please select the risk level of this change:

  • High risk: Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.

Which use cases does this change impact?

Workflow types:

  • Advanced setup - Impacts users who have custom CodeQL workflows.
  • Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.
  • Other first-party - The changes impact other first-party analyses.
  • Third-party analyses - The changes affect the upload-sarif action.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
  • GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

  • Test repository - This change will be tested on a test repository before merging.
  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@mbg mbg requested a review from henrymercer February 24, 2026 14:39
@mbg mbg self-assigned this Feb 24, 2026
@mbg mbg requested a review from a team as a code owner February 24, 2026 14:39
Copilot AI review requested due to automatic review settings February 24, 2026 14:39
@github-actions github-actions bot added the size/M Should be of average difficulty to review label Feb 24, 2026
@mbg mbg mentioned this pull request Feb 24, 2026
Closed
3 tasks
Copilot AI reviewed Feb 24, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the upload-sarif flow to avoid potentially initializing the CodeQL CLI more than once by moving CodeQL acquisition/initialization earlier and threading a shared CodeQL getter + temp directory through SARIF post-processing.

Changes:

  • Extend postProcessAndUploadSarif / postProcessSarifFiles to accept a CodeQLGetter and temp directory, so combining SARIF via CLI can reuse a single CodeQL instance.
  • Add getOrInitCodeQL caching in upload-sarif-action and introduce minimalInitCodeQL in upload-lib for upload-only initialization.
  • Update call sites and tests (analyze, init post helper, and upload-sarif tests) for the new parameter flow.

Reviewed changes

Copilot reviewed 7 out of 11 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/upload-sarif.ts Threads tempPath + getCodeQL into SARIF post-processing.
src/upload-sarif.test.ts Updates stubs/calls to match the new postProcessAndUploadSarif signature.
src/upload-sarif-action.ts Adds cached CodeQL initialization and ensures temp dir/config are determined up front.
src/upload-lib.ts Introduces minimalInitCodeQL, adds CodeQLGetter, and propagates getter/temp dir into CLI SARIF combining + upload flow.
src/init-action-post-helper.ts Updates failed-SARIF upload to pass tempDir + codeql into uploadFiles.
src/init-action-post-helper.test.ts Adjusts expectations for updated uploadFiles signature.
src/analyze-action.ts Passes config.tempDir and a CodeQLGetter into postProcessAndUploadSarif.

henrymercer
henrymercer reviewed Feb 24, 2026
View reviewed changes
Copy link
Contributor

@henrymercer henrymercer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, but do we actually have a PR check that tests this behaviour? It would need to:

  • not call init
  • upload multiple SARIF files

src/upload-lib.ts
sarifFiles: string[],
gitHubVersion: GitHubVersion,
features: FeatureEnablement,
_features: FeatureEnablement,
Copy link
Contributor

@henrymercer henrymercer Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Drive-by cleanup: Remove this arg?

@mbg
Copy link
Member Author

mbg commented Feb 25, 2026

Looks good, but do we actually have a PR check that tests this behaviour? It would need to:

  • not call init
  • upload multiple SARIF files

I added some unit tests for getOrInitCodeQL which exercise the caching behaviour. Let me know if you think that's sufficient or you think we need something more comprehensive. We could add another language to the existing PR check for analysis kinds, which in some matrix jobs would then call combineSarifFilesUsingCLI twice.

@mbg mbg requested a review from henrymercer February 25, 2026 08:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@henrymercer henrymercer Awaiting requested review from henrymercer

At least 1 approving review is required to merge this pull request.

Assignees

@mbg mbg

Labels

size/M Should be of average difficulty to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mbg @henrymercer