Use private registry proxy for API requests when available#4007
Open
mbg wants to merge 14 commits into
Open
Conversation
fcdd601 to
b6d92e3
Compare
This will make it easier to gate the `getRegistryProxy` with a FF, without the significant refactoring that is needed to thread the FFs into `createApiClientWithDetails`
Member
Author
|
As an example of this in action, see https://github.com/github/codeql-action/actions/runs/29347975179/job/87138397597?pr=4007#step:8:312 for the expected log message and the proxy log artifact at https://github.com/github/codeql-action/actions/runs/29347975179/artifacts/8317105753 |
Contributor
There was a problem hiding this comment.
Warning
- Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.
Pull request overview
Adds feature-flagged registry-proxy support for retrieving remote CodeQL configuration files from private repositories.
Changes:
- Adds proxy environment handling and Undici-based API routing.
- Routes remote configuration requests through the proxy when enabled.
- Adds unit and PR-check coverage.
Show a summary per file
| File | Description |
|---|---|
src/api-client.ts |
Implements proxy-aware API clients. |
src/api-client.test.ts |
Tests proxy configuration. |
src/config/file.ts |
Proxies remote configuration requests. |
src/config/file.test.ts |
Tests feature-flagged proxy selection. |
src/environment.ts |
Defines proxy variables and environment cloning. |
src/feature-flags.ts |
Adds the proxy feature flag. |
src/testing-utils.ts |
Isolates environments between test-builder clones. |
pr-checks/checks/start-proxy.yml |
Exercises proxy-backed initialization. |
package.json |
Adds Undici. |
package-lock.json |
Locks the dependency update. |
lib/entry-points.js |
Generated artifact; excluded from review. |
.github/workflows/__start-proxy.yml |
Generated workflow; excluded from review. |
Review details
Files excluded by content exclusion policy (2)
- .github/workflows/__start-proxy.yml
- lib/entry-points.js
- Files reviewed: 9/12 changed files
- Comments generated: 1
- Review effort level: Medium
| .stub(client.rest.repos, "getContent") | ||
| // eslint-disable-next-line @typescript-eslint/no-unsafe-argument | ||
| .resolves(response as any); | ||
| sinon.stub(api, "getApiClientWithExternalAuth").value(() => client); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR allows the CodeQL Action to use the private registry authentication proxy when fetching remote configuration files. The authentication proxy is available in Default Setup workflows. Doing so allows configuration files to be retrieved from private repositories, provided that a suitable
git_sourceregistry is set up for the organisation.#4000 has laid the groundwork for this, by always enabling
git_sourceregistries when they are available.The change is behind a new FF.
Risk assessment
For internal use only. Please select the risk level of this change:
Which use cases does this change impact?
Workflow types:
dynamicworkflows (Default Setup, Code Quality, ...).Products:
analysis-kinds: code-scanning.analysis-kinds: code-quality.Environments:
github.comand/or GitHub Enterprise Cloud with Data Residency.How did/will you validate this change?
.test.tsfiles).pr-checks).If something goes wrong after this change is released, what are the mitigation and rollback strategies?
How will you know if something goes wrong after this change is released?
Are there any special considerations for merging or releasing this change?
Merge / deployment checklist