Delete analysis after uploading

The analysis is purposefully failing. We don't want a failed analysis sitting in the security center since this can cause some internal checks to erroneously fail.
github · Nov 7, 2023 · c265620 · c265620
1 parent 137a1e0
commit c265620
Show file tree

Hide file tree

Showing 4 changed files with 97 additions and 3 deletions.
diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml
@@ -38,4 +38,5 @@ jobs:
     - name: Analyze
       uses: ./../action/analyze
       with:
+        upload: false
         upload-database: false
diff --git a/lib/init-action-post-helper.js b/lib/init-action-post-helper.js
diff --git a/lib/init-action-post-helper.js.map b/lib/init-action-post-helper.js.map
diff --git a/src/init-action-post-helper.ts b/src/init-action-post-helper.ts
@@ -1,6 +1,7 @@
 import * as core from "@actions/core";
 
 import * as actionsUtil from "./actions-util";
+import { getApiClient } from "./api-client";
 import { CODEQL_VERSION_EXPORT_FAILED_SARIF, getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
 import { EnvVar } from "./environment";
@@ -29,6 +30,9 @@ export interface UploadFailedSarifResult extends uploadLib.UploadStatusReport {
   upload_failed_run_stack_trace?: string;
   /** Reason why we did not upload a SARIF payload with `executionSuccessful: false`. */
   upload_failed_run_skipped_because?: string;
+
+  /** The internal ID of SARIF analysis. */
+  sarifID?: string;
 }
 
 function createFailedUploadFailedSarifResult(
@@ -107,7 +111,9 @@ async function maybeUploadFailedSarif(
     logger,
     { isUnsuccessfulExecution: true },
   );
-  return uploadResult?.statusReport ?? {};
+  return uploadResult
+    ? { ...uploadResult.statusReport, sarifID: uploadResult.sarifID }
+    : {};
 }
 
 export async function tryUploadSarifIfRunFailed(
@@ -180,6 +186,10 @@ export async function run(
     );
   }
 
+  if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true") {
+    await removeUploadedSarif(uploadFailedSarifResult);
+  }
+
   // Upload appropriate Actions artifacts for debugging
   if (config.debugMode) {
     core.info(
@@ -193,3 +203,48 @@ export async function run(
 
   return uploadFailedSarifResult;
 }
+
+async function removeUploadedSarif(
+  uploadFailedSarifResult: UploadFailedSarifResult,
+) {
+  const sarifID = uploadFailedSarifResult.sarifID;
+  if (sarifID) {
+    core.info(
+      `Uploaded failed SARIF file with ID ${sarifID}. Because this is a test, the analysis associated with it will now be deleted.`,
+    );
+    const client = getApiClient();
+
+    try {
+      // Get the analysis associated with the uploaded sarif
+      const analysisInfo = await client.request(
+        "GET /repos/:owner/:repo/code-scanning/analyses?sarif_id:sarif_id",
+        {
+          owner: "github",
+          repo: "codeql-action",
+          sarif_id: sarifID,
+        },
+      );
+
+      // Delete the analysis.
+      for (const analysis of analysisInfo.data) {
+        core.info(`Deleting analysis ${analysis.id}`);
+        await client.request(
+          "DELETE /repos/:owner/:repo/code-scanning/analyses/:analysis_id",
+          {
+            owner: "github",
+            repo: "codeql-action",
+            analysis_id: analysis.id,
+          },
+        );
+      }
+    } catch (e) {
+      // Fail the test if we can't delete the analysis.
+      core.error("Failed to delete uploaded SARIF analysis.");
+      throw e;
+    }
+  } else {
+    core.warning(
+      "Could not delete uploaded SARIF analysis because no sarifID was returned.",
+    );
+  }
+}