
Can we use the github token as a parameter for reporting

Open 10000-ki opened this issue 1 year ago • 4 comments

When I use this action in GitHub Enterprise, reporting fails due to a repository access issue and a 403 error is returned.

So how about improving it by accepting a GitHub token as below?

Jacoco Report Action

      - name: Kover Test Report
        uses: actions/[email protected]
        with:
          title: "Koverage"
          paths: ${{ github.workspace }}/build/kover/result.xml
          token: ${{ secrets.GITHUB_TOKEN }}
          min-coverage-overall: 40
          min-coverage-changed-files: 60

10000-ki avatar Nov 18 '23 07:11 10000-ki

Hi @10000-ki 👋

I think what you are asking for is already possible. The CodeQL Actions all have a token input that is set to github.token by default, but can be set to something else if needed.

That being said, you should not normally need to change it from the default. Make sure there isn't a different underlying problem, such as incorrectly configured permissions for the workflow/job or missing GitHub Advanced Security access.

mbg avatar Nov 18 '23 12:11 mbg
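As an added example to illustrate the reply above (not code from the thread or from the codeql-action project itself): a minimal CodeQL workflow with the job-level permissions the CodeQL Actions need, and with the `token` input written out explicitly even though it already defaults to `github.token`. The language, branch names and action versions are assumptions for illustration; the point is that a 403 on upload is usually a missing `security-events: write` permission or missing Advanced Security, not a token that needs replacing.

```yaml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Least-privilege permissions for the job's GITHUB_TOKEN. The analyze step
    # needs security-events: write to upload results; without it the upload
    # fails with a 403 that is easy to mistake for a token problem.
    permissions:
      actions: read          # only required for private repositories
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: java     # assumed language for this example
          # token already defaults to github.token; it is shown here only to
          # illustrate the input. Override it only if a different token is
          # genuinely required.
          token: ${{ github.token }}

      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
        with:
          token: ${{ github.token }}
```

If the upload still fails after the permissions are set, check that the error body is not the "Advanced Security must be enabled for this repository" message; that one is a repository or licence setting, and no token will get around it.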

Hi 👋🏻 How can I securely integrate a GitHub token as a parameter for reporting in GitHub issues within a CI/CD pipeline, ensuring both the confidentiality of the token and seamless automation of the reporting process? Are there specific authentication mechanisms, encryption practices, or GitHub API features recommended for such advanced use cases? If you can reply to me immediately it will be very useful to me ❤️

mgunawardhana avatar Nov 19 '23 11:11 mgunawardhana

data: {
      message: 'Advanced Security must be enabled for this repository to use code scanning.',
      documentation_url: 'https://docs.github.com/[email protected]/rest'
    }

Oh, I think this issue is related to https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/advanced-security-must-be-enabled#about-this-error

10000-ki avatar Nov 20 '23 02:11 10000-ki

> Hi 👋🏻 How can I securely integrate a GitHub token as a parameter for reporting in GitHub issues within a CI/CD pipeline, ensuring both the confidentiality of the token and seamless automation of the reporting process? Are there specific authentication mechanisms, encryption practices, or GitHub API features recommended for such advanced use cases? If you can reply to me immediately it will be very useful to me ❤️

Hi. I think this question is very broad, and not limited to just the CodeQL analysis tool, which is our focus in this repo. I suggest looking at the following resources for practices around authenticating to the GitHub API, and using secrets within GitHub Actions workflows:

  • https://docs.github.com/en/rest/overview/authenticating-to-the-rest-api?apiVersion=2022-11-28
  • https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions

If you have further questions after that, please ask in https://github.com/orgs/community/discussions (for questions about general GitHub usage), or open a fresh issue in this repo (for questions about CodeQL) with your specific question.

adityasharad avatar Nov 20 '23 20:11 adityasharad
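As an added example for the general question above (this is not code from the thread, from the codeql-action project, or from the linked docs): a workflow job that files an issue from CI using the built-in `GITHUB_TOKEN`, scoped to the permissions it actually uses and passed to the `gh` CLI through the environment rather than on the command line. The trigger, title and body text are assumptions for illustration.

```yaml
name: Report scan result as an issue

on:
  workflow_dispatch:

jobs:
  report:
    runs-on: ubuntu-latest
    # Grant only what this job uses. Every permission not listed is set to
    # none for this job's GITHUB_TOKEN, so a compromised step cannot push code
    # or touch other scopes.
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@v4

      # Hand the token to gh via the environment, not as a CLI argument:
      # arguments can end up in logs and process listings, while GitHub masks
      # secrets held in env vars and gh reads GH_TOKEN natively. GITHUB_TOKEN
      # is also short-lived: it is only valid while this job runs.
      - name: Open issue
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          SHA: ${{ github.sha }}
        run: |
          gh issue create \
            --repo "$REPO" \
            --title "Automated scan report for $SHA" \
            --body "Report generated by workflow run ${GITHUB_RUN_ID} for commit ${SHA}."
```

`GITHUB_TOKEN` can only act on the repository the workflow runs in. If the report has to go to another repository, the usual choice is a GitHub App installation token minted at job time (for example with `actions/create-github-app-token`) rather than a long-lived personal access token stored as a secret.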