-
Notifications
You must be signed in to change notification settings - Fork 337
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Respect proxy settings when streaming the download and extraction of the CodeQL bundle #2624
Respect proxy settings when streaming the download and extraction of the CodeQL bundle #2624
Conversation
c888d44
to
f742d6b
Compare
326b0f1
to
28dd147
Compare
The streaming of the bundle using the Proxy worked fine in the last CI run: https://github.com/github/codeql-action/actions/runs/12146133664/job/33869336618?pr=2624#step:7:33 I'm now in the process of tidying this up (lots of experimental commits), and incorporating conflicting changes from |
99f0c0d
to
2ff0598
Compare
2ff0598
to
78be2f1
Compare
Something that I forgot to mention: this PR is not removing the feature flag: there are 2 references in the code (after this PR gets merged) which are very easy to remove and do not impact functionality. There are also two more references in a couple of test actions, which would require a bit more thought as to how to handle (we could just remove the environment variable reference in them, or just delete them given that this is more or less tested in the new I wanted to do any changes to the feature flag/env var as a different PR, and keep the changes here scoped down to the proxy settings and their handling by the streaming download handler. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this fix! I've added a couple of questions / suggestions:
@@ -1,10 +1,20 @@ | |||
name: "Proxy test" | |||
description: "Tests using a proxy specified by the https_proxy environment variable" | |||
versions: ["linked"] | |||
versions: ["linked", "nightly-latest"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This test was passing before when we were streaming zstd bundles with a CodeQL Action version that wasn't respecting proxy settings, presumably because the CodeQL Action could still access the bundle without the proxy.
Can we update the test to ensure that we're downloading the bundle via the proxy?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the latest test added as part of this PR, I'm fairly confident we're downloading the bundle through the proxy.
The reason it worked before is that it didn't test the streaming of the bundle, because when linked
is passed as the version
, the prepare-step
action was choosing the .tar.gz
bundle by default - as example the latest run from a PR merged recently.
I am not sure though how it makes that selection between the .tar.gz
and the .tar.zst
one, because in this PR, the same job downloaded the .tar.zst
one. But previously, we didn't go through this code because the same job was opting for the .tar.gz
when downloading.
Will look more into that and report back any interesting findings.
src/tools-download.ts
Outdated
core.warning( | ||
`Failed to download and extract CodeQL bundle using streaming. Falling back to downloading the bundle before extracting.`, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you tested this fallback? For instance, what happens if we partially extract the CodeQL bundle while streaming, but something goes wrong? Is it worth cleaning up the destination directory in this case or is that handled elsewhere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I'm quoting from a previous message of mine that probably got lost because of the volume of messages here:
I'm confident we are good without a flag to manage the risk.
To explain why: because the conflicts introduced by a couple of other PRs were extensive, and I couldn't sort out a clean commit history, I opted to instead just manually recreate the PR on top of main (my code changes are small, so easy to manually replay).
In doing so, I made a mistake: I initialised the HTTP client (the one that respects the proxy settings) and passed it to the headers by accident (instead of the http.get options). What happened is here, but short story, because of the streaming download now being inside of a fallback try/catch, the failure to download the CodeQL pack with streaming resulted in falling back to downloading it and then extracting it.
I've since fixed this, but this little mistake validated the fallback mechanism working as intended, so I believe that this won't cause an incident like last time - if it fails, worst case scenario is that the mechanism won't work as expected and fall back to the previous mechanism (download and then extract), with the impact being that we lose a few seconds per run (compared to a failed run).
Does this answer your question satisfactorily?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, that answers the first part of my question. I still wonder if it is worth cleaning up the destination directory as part of the catch
in case we managed to extract some of the CodeQL bundle but not a complete CodeQL bundle.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree this is a good idea, and something prudent for us to do before we retry.
Added in 4c20d4f.
Co-authored-by: Henry Mercer <[email protected]>
…ep for the container
Thank you for your reviews @aeisenberg @henrymercer. I have now implemented all outstanding items on this PR. Would it be possible to have another look at this? |
CHANGELOG.md
Outdated
@@ -7,7 +7,8 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the | |||
## [UNRELEASED] | |||
|
|||
- We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. [#2631](https://github.com/github/codeql-action/pull/2631) | |||
- We have added support for respecting the proxy settings present in environment variables in a runner when streaming the download and extraction of the CodeQL bundle. [#2624](https://github.com/github/codeql-action/pull/2624) | |||
- Fixed an issue where streaming the download and extraction of the CodeQL bundle did not respect proxy settings. [#2624](https://github.com/github/codeql-action/pull/2624) | |||
- Update default CodeQL bundle version to 2.20.0. [#2636](https://github.com/github/codeql-action/pull/2636) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was this line added due to a bad merge?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, I will have a look.
This was reported as a conflict in the GitHub UI, but when I did a git merge
locally, it had no problem automatically resolving the conflict. Perhaps it did a weird thing because of my .gitconfig
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I cannot find precisely what went wrong here, as the merge log is past my terminal character limit. I remember it saying that it resolved it automatically using the ort
method, but it apparently went wrong there.
This is now fixed in 9e8cd42.
Going forward I will be more careful validating these merges went right.
src/tools-download.ts
Outdated
@@ -127,7 +127,11 @@ export async function downloadAndExtract( | |||
core.warning( | |||
`Failed to download and extract CodeQL bundle using streaming. Falling back to downloading the bundle before extracting.`, | |||
); | |||
core.warning(getErrorMessage(e)); | |||
core.warning(`Error: ${getErrorMessage(e)}`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't prefix a warning with Error
.
core.warning(`Error: ${getErrorMessage(e)}`); | |
core.warning(`Warning: ${getErrorMessage(e)}`); |
But, do we even need the prefix at all?
Maybe reverting this is better:
core.warning(`Error: ${getErrorMessage(e)}`); | |
core.warning(getErrorMessage(e)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for catching this.
Seeing it reported now, I agree it looks a bit silly.
My rationale for changing this was that this was rendering an error that was generated in the process of unpacking as a simple warning, with no other context whatsoever, which could be confusing to a user when interpreting the runner log (example).
I'm still motivated to decorate it somehow, as reverting may not satisfy this concern, but I will think about a cleaner decoration that doesn't look weird/silly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, this is what I came up with: 88bcf64
I've reworded the warnings to flow a bit more naturally for me, and to allow me to embed the error message in an indicative but non-invasive way.
Is this workable for you @aeisenberg ? Or do you have a strong preference for the previous state of affairs?
pr-checks/readme.md
Outdated
|
||
This folder contains the code supporting the workflows run when a PR is created. | ||
|
||
## Update |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can simplify this. I can give some suggestions, but not quite right now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for this! I agree it looks cleaner.
Will cherry-pick
this in.
I've merged in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice.
Description
This PR is adding support for respecting proxy settings while downloading the CodeQL bundle in streaming mode.
Fixes #2600
Guidance
justfile
, which is a script interpreted by https://github.com/casey/just, a command action runner. It allows us to create an python virtual environment and run thesync.py
to update dependencies in one step, which is very useful for someone trying to interact with it the first time.just
is not present, the file is irrelevant (it's just a text file) but can act as documentation for the steps to invoke manually.tinyproxy
and writing a function that invokeddownloadAndExtractZstdWithStreaming
and observing that we go through the proxy.test_proxy.yml
workflow, so that we download the latest nightly bundle, which by default has the extension.tar.zst
which goes through the code path introduced.sync.py
file in 9c48c8b in order to support a step that is being used to initialise the container image (because the Ubuntu container is leaned out and doesn't come with the list of pre-installed software the runners usually come prepared with).Merge / deployment checklist