Merge pull request #21 from advanced-security/codeql-download-fallback

feat: Add logging for extractor archive size and improve CodeQL installation error handling

Author: GeekMasher

.github/workflows/build.yml

@@ -95,6 +95,13 @@ jobs:
             # latest / main
             type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1    # v3.5.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Build Container ${{ github.repository }}
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         id: build
@@ -106,6 +113,9 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           # SBOM Settings
           sbom: true
+          # Pass GitHub token as a build secret
+          secrets: |
+            "github_token=${{ secrets.GITHUB_TOKEN }}"
 
       # Upload Software Bill of Materials (SBOM) to GitHub
       - name: Upload SBOM

action.Dockerfile

@@ -1,3 +1,3 @@
-FROM ghcr.io/advanced-security/codeql-extractor-action:v0.1.1
+FROM ghcr.io/advanced-security/codeql-extractor-action:v0.1.0
 
 ENTRYPOINT [ "codeql-extractor-action" ]

src/codeql.rs

@@ -0,0 +1,36 @@
+use anyhow::{Context, Result};
+use ghastoolkit::CodeQL;
+
+/// Download the CodeQL CLI using the GitHub CLI
+pub async fn gh_codeql_download(codeql_version: &str) -> Result<String> {
+    log::info!("Downloading CodeQL Extension for GitHub CLI...");
+    tokio::process::Command::new("gh")
+        .args(&["extensions", "install", "github/gh-codeql"])
+        .status()
+        .await
+        .context("Failed to execute `gh extensions install github/gh-codeql` command")?;
+
+    log::info!("Setting CodeQL version to {codeql_version}...");
+    tokio::process::Command::new("gh")
+        .args(&["codeql", "set-version", codeql_version])
+        .status()
+        .await
+        .context("Failed to execute `gh codeql set-version` command")?;
+
+    log::info!("Install CodeQL stub...");
+    tokio::process::Command::new("gh")
+        .args(&["codeql", "install-stub"])
+        .status()
+        .await
+        .context("Failed to execute `gh codeql install-stub` command")?;
+
+    let codeql = CodeQL::new().await;
+    if codeql.is_installed().await {
+        log::info!("CodeQL CLI installed successfully via GitHub CLI");
+    } else {
+        log::error!("CodeQL CLI installation via GitHub CLI failed");
+        return Err(anyhow::anyhow!("CodeQL CLI installation failed"));
+    }
+
+    Ok("/usr/local/bin/codeql".to_string())
+}

src/extractors.rs

@@ -86,6 +86,19 @@ pub async fn fetch_extractor(
         }
     };
 
+    // Get and log the size of the extractor archive
+    if let Ok(metadata) = std::fs::metadata(&extractor_archive) {
+        let size_bytes = metadata.len();
+        let size_mb = size_bytes as f64 / 1_048_576.0; // Convert to MB (1 MB = 1,048,576 bytes)
+        log::info!(
+            "Extractor archive size: {:.2} MB ({} bytes)",
+            size_mb,
+            size_bytes
+        );
+    } else {
+        log::warn!("Unable to get size information for the extractor archive");
+    }
+
     if attest {
         log::info!("Attesting asset {extractor_tarball:?}");
 

src/main.rs

@@ -6,10 +6,13 @@ use ghastoolkit::prelude::*;
 use log::{debug, info};
 
 mod action;
+mod codeql;
 mod extractors;
 
 use action::{AUTHORS, Action, BANNER, VERSION};
 
+use crate::codeql::gh_codeql_download;
+
 #[tokio::main]
 async fn main() -> Result<()> {
     let mut action = Action::init()?;
@@ -41,10 +44,22 @@ async fn main() -> Result<()> {
     if !codeql.is_installed().await {
         let codeql_version = action.codeql_version();
         log::info!("CodeQL not installed, installing `{codeql_version}`...");
-        codeql
-            .install(&octocrab, codeql_version)
-            .await
-            .context("Failed to install CodeQL")?;
+
+        if let Err(error) = codeql.install(&octocrab, codeql_version).await {
+            log::warn!("Failed to install CodeQL: {error:?}");
+            log::info!("Attempting to install CodeQL using GitHub CLI...");
+
+            let location = gh_codeql_download(codeql_version)
+                .await
+                .context("Failed to download CodeQL using GitHub CLI")?;
+
+            codeql = CodeQL::init()
+                .path(location)
+                .build()
+                .await
+                .context("Failed to create CodeQL instance after GitHub CLI installation")?;
+        }
+
         log::info!("CodeQL installed");
     } else {
         log::info!("CodeQL already installed");