feat: Add logging for extractor archive size and improve CodeQL installation error handling

.github/workflows/build.yml

@@ -95,6 +95,13 @@
             # latest / main
             type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Build Container ${{ github.repository }}
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         id: build
@@ -106,6 +113,9 @@
           labels: ${{ steps.meta.outputs.labels }}
           # SBOM Settings
           sbom: true
+          # Pass GitHub token as a build secret
+          secrets: |
+            "github_token=${{ secrets.GITHUB_TOKEN }}"
 
       # Upload Software Bill of Materials (SBOM) to GitHub
       - name: Upload SBOM

Dockerfile

@@ -31,4 +31,20 @@
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
+# Define GitHub token as a build ARG
+ARG github_token
+
+# Install the CodeQL extension for GitHub CLI
+RUN --mount=type=secret,id=github_token \
+    if [ -f "/run/secrets/github_token" ]; then \
+      export GITHUB_TOKEN=$(cat /run/secrets/github_token); \
+      gh auth setup-git; \
+      gh extensions install github/gh-codeql && \
+      gh codeql install-stub; \
+    else \
+      echo "No GitHub token provided, using public access"; \
+      gh extensions install github/gh-codeql && \
+      gh codeql install-stub; \
+    fi
+
 ENTRYPOINT [ "codeql-extractor-action" ]

src/extractors.rs

@@ -86,6 +86,19 @@ pub async fn fetch_extractor(
         }
     };
 
+    // Get and log the size of the extractor archive
+    if let Ok(metadata) = std::fs::metadata(&extractor_archive) {
+        let size_bytes = metadata.len();
+        let size_mb = size_bytes as f64 / 1_048_576.0; // Convert to MB (1 MB = 1,048,576 bytes)
+        log::info!(
+            "Extractor archive size: {:.2} MB ({} bytes)",
+            size_mb,
+            size_bytes
+        );
+    } else {
+        log::warn!("Unable to get size information for the extractor archive");
+    }
+
     if attest {
         log::info!("Attesting asset {extractor_tarball:?}");
 

src/main.rs

@@ -41,10 +41,18 @@ async fn main() -> Result<()> {
     if !codeql.is_installed().await {
         let codeql_version = action.codeql_version();
         log::info!("CodeQL not installed, installing `{codeql_version}`...");
-        codeql
-            .install(&octocrab, codeql_version)
-            .await
-            .context("Failed to install CodeQL")?;
+
+        if let Err(error) = codeql.install(&octocrab, codeql_version).await {
+            log::warn!("Failed to install CodeQL: {error:?}");
+            log::info!("Attempting to install CodeQL using GitHub CLI...");
+
+            tokio::process::Command::new("gh")
+                .args(&["codeql", "set-version", codeql_version.into()])
+                .status()
+                .await
+                .context("Failed to execute `gh codeql set-version` command")?;
+        }
+
         log::info!("CodeQL installed");
     } else {
         log::info!("CodeQL already installed");