HttpError: Not Found when attempting to reference private pack
We're trying to reference a private CodeQL pack when running init. When this runs in Github actions, we get HttpError: Not Found.
```yaml
name: "SAST Scans"
on:
  push:
    branches: ["master", "main"]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["master", "main"]
  schedule:
    - cron: "0 */12 * * *"
jobs:
  codeql-analysis:
    name: code-scanning
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: ["python", "javascript"]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          packs: companyname/python-queries
          token: ${{ secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN }}
          debug: true
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"
```
- I've verified that we can download the pack by using `codeql package download companyname/python-queries --github-auth-stdin` and supplying the value of `secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN`.
- I've verified that `CUSTOM_CODEQL_SCAN_GITHUB_TOKEN` exists as an organization secret.
- I've verified that this repo has access to the published package in the organization settings.
- I've verified that the codeql scan runs fine when I remove the custom package reference.
Is there anything I'm missing or is there a bug with the init script? I'm having trouble finding any documentation around referencing private packs for CodeQL Github actions.
Thank you.
Apologies that the docs are unclear. Here is the information you are looking for. You need to set the GITHUB_TOKEN environment variable to the secret.
Hi @aeisenberg
Thank you for the quick reply. We already have GITHUB_TOKEN set to a secret. Do we need to replace that secret with a secret that has read:packages permission as well? I thought it'd be possible to supply a different token for pulling down the package.
Thanks!
Apologies. I was mistaken. Using the token input should work as well. So, I'm not sure what is happening here. Would you be able to share your full debug logs?
Also (unrelated), the autobuild step is not necessary since neither of your scanned languages require a build.
@aeisenberg
Thank you. That's helpful to know. Here's the full debug log...
```
##[debug]Evaluating condition for step: 'Initialize CodeQL'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Initialize CodeQL
##[debug]Register post job cleanup for action: github/codeql-action/init@v3
##[debug]Loading inputs
##[debug]Evaluating: matrix.language
##[debug]Evaluating Index:
##[debug]..Evaluating matrix:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'language'
##[debug]=> 'python'
##[debug]Result: 'python'
##[debug]Evaluating: secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'CUSTOM_CODEQL_SCAN_GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Evaluating: toJson(matrix)
##[debug]Evaluating toJson:
##[debug]..Evaluating matrix:
##[debug]..=> Object
##[debug]=> '{
##[debug]  "language": "python"
##[debug]}'
##[debug]Result: '{
##[debug]  "language": "python"
##[debug]}'
##[debug]Loading env
Run github/codeql-action/init@v3
  with:
    languages: python
    packs: redacted/[email protected]
    token: ***
    debug: true
    matrix: {
  "language": "python"
}
Warning: Caught an exception while gathering information for telemetry: HttpError: Not Found. Will skip sending status report.
Error: Encountered an error while trying to determine feature enablement: HttpError: Not Found
Warning: Caught an exception while gathering information for telemetry: HttpError: Not Found. Will skip sending status report.
##[debug]Node Action run completed with exit code 1
##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
##[debug]CODEQL_ACTION_VERSION='3.25.15'
##[debug]JOB_RUN_UUID='dc2ed5fb-c226-4a42-901b-d9dc772a234d'
##[debug]CODEQL_ACTION_INIT_HAS_RUN='true'
##[debug]Finishing: Initialize CodeQL
```
Thanks for this. The logs are showing that the error is not happening due to package downloads at all. It's due to not being able to access the endpoint that exposes feature flags. This is a different kind of permissions problem. I'm guessing that the token you are using in the CUSTOM_CODEQL_SCAN_GITHUB_TOKEN has a very restricted set of permissions. I'll have to get back to you on exactly which permissions are required, but you can try by changing the set of permissions so that they match the permissions you have in the workflow. Eg-
```yaml
permissions:
  actions: read
  contents: read
  packages: read
  security-events: write
```
That makes perfect sense. I'll try that out. Thanks!
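As an added example (not from the thread or from the codeql-action project), here is the workflow above rewritten with the two changes the maintainer suggested: the Autobuild step dropped, since neither Python nor JavaScript needs a build, and a comment recording that the custom token must carry at least the permissions the job itself declares. It also adds a preflight step of my own that uses the same token to call the repository REST endpoint before `init` runs, so a token that cannot see the repository fails with an explicit message instead of the generic `HttpError: Not Found`. `GITHUB_API_URL` and `GITHUB_REPOSITORY` are standard Actions environment variables; the assumption that the repository endpoint is a reasonable proxy for the access `init` needs is mine, not something the thread confirms.

```yaml
name: "SAST Scans"
on:
  push:
    branches: ["master", "main"]
  pull_request:
    branches: ["master", "main"]
  schedule:
    - cron: "0 */12 * * *"
jobs:
  codeql-analysis:
    name: code-scanning
    runs-on: ubuntu-latest
    # Per the maintainer's reply: the token stored in
    # CUSTOM_CODEQL_SCAN_GITHUB_TOKEN should be granted at least these
    # same permissions, not only read:packages.
    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: ["python", "javascript"]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Added preflight check (my own step, not part of codeql-action):
      # confirm the custom token can read this repository via the REST API.
      # A non-200 status here surfaces a token-permission problem with a
      # clear message instead of the opaque "HttpError: Not Found" from init.
      - name: Verify scan token can access repository
        env:
          TOKEN: ${{ secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN }}
        run: |
          status=$(curl -sS -o /dev/null -w '%{http_code}' \
            -H "Authorization: Bearer ${TOKEN}" \
            -H "Accept: application/vnd.github+json" \
            "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}")
          if [ "${status}" != "200" ]; then
            echo "::error::CUSTOM_CODEQL_SCAN_GITHUB_TOKEN cannot read ${GITHUB_REPOSITORY} (HTTP ${status}); check the token's permissions"
            exit 1
          fi

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          packs: companyname/python-queries
          token: ${{ secrets.CUSTOM_CODEQL_SCAN_GITHUB_TOKEN }}

      # Autobuild step omitted: Python and JavaScript require no build.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Keeping the preflight step separate from `init` also means the failure is attributed to the token rather than to the pack reference, which is where this thread spent its first two rounds of debugging.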