feat(ghes): add ghe-base-url input and honor baseUrl for Octokit when uploading SARIF

p4r53c · p4r53c · commit e62277a12a98 · 2025-08-26T14:00:53.000+03:00
diff --git a/lib/job-summary.js b/lib/job-summary.js
@@ -38,7 +38,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.JobSummary = void 0;
 const core = __importStar(require("@actions/core"));
 const semver_1 = require("semver");
-const core_1 = require("@octokit/core");
 const github = __importStar(require("@actions/github"));
 const util_1 = require("util");
 const zlib_1 = require("zlib");
@@ -107,24 +106,38 @@ class JobSummary {
         });
     }
     /**
-     * Uploads the code scanning SARIF content to the code-scanning GitHub API.
-     * @param encodedSarif - The final compressed and encoded sarif content.
-     * @param token - GitHub token to use for the request. Has to have 'security-events: write' permission.
-     * @private
+     * Uploads a gzip-compressed, base64-encoded SARIF payload to GitHub Code Scanning.
+     *
+     * Uses the current GitHub Actions context (owner, repo, commit SHA, and ref) for the target.
+     * If a GitHub Enterprise Server base URL is provided via the 'ghe-base-url' or 'ghe_base_url'
+     * action input, the request is sent to that endpoint; otherwise, it targets github.com.
+     *
+     * @param encodedSarif - The SARIF report content after gzip compression and base64 encoding,
+     *                       as required by the POST /repos/{owner}/{repo}/code-scanning/sarifs API.
+     *                       Typically produced by compressing raw SARIF with gzip and encoding to base64.
+     * @param token - GitHub token used to authenticate the upload request. Must have
+     *                security_events: write permission on the target repository (e.g., a PAT or GITHUB_TOKEN
+     *                with the appropriate permission).
+     *
+     * @returns A promise that resolves when the upload completes successfully.
+     * @throws Error if the API response status is not 2xx; the thrown error includes the resolved baseUrl
+     *         and a serialized response summary to aid debugging.
      */
     static uploadCodeScanningSarif(encodedSarif, token) {
         return __awaiter(this, void 0, void 0, function* () {
-            const octokit = new core_1.Octokit({ auth: token });
-            let response;
-            response = yield octokit.request('POST /repos/{owner}/{repo}/code-scanning/sarifs', {
+            var _a, _b, _c;
+            const inputBaseUrl = core.getInput('ghe-base-url', { required: false }) || core.getInput('ghe_base_url', { required: false }) || '';
+            const octokit = inputBaseUrl ? github.getOctokit(token, { baseUrl: inputBaseUrl }) : github.getOctokit(token);
+            const response = yield octokit.request('POST /repos/{owner}/{repo}/code-scanning/sarifs', {
                 owner: github.context.repo.owner,
                 repo: github.context.repo.repo,
                 commit_sha: github.context.sha,
                 ref: github.context.ref,
                 sarif: encodedSarif,
             });
             if (response.status < 200 || response.status >= 300) {
-                throw new Error(`Failed to upload SARIF file: ` + JSON.stringify(response));
+                const usedBaseUrl = ((_c = (_b = (_a = octokit.request) === null || _a === void 0 ? void 0 : _a.endpoint) === null || _b === void 0 ? void 0 : _b.DEFAULTS) === null || _c === void 0 ? void 0 : _c.baseUrl) || 'unknown';
+                throw new Error(`Failed to upload SARIF file (status ${response.status}). baseUrl=${usedBaseUrl}; response=` + JSON.stringify(response));
             }
             core.info('SARIF file uploaded successfully');
         });
diff --git a/src/job-summary.ts b/src/job-summary.ts
@@ -105,15 +105,29 @@ export class JobSummary {
     }
 
     /**
-     * Uploads the code scanning SARIF content to the code-scanning GitHub API.
-     * @param encodedSarif - The final compressed and encoded sarif content.
-     * @param token - GitHub token to use for the request. Has to have 'security-events: write' permission.
-     * @private
+     * Uploads a gzip-compressed, base64-encoded SARIF payload to GitHub Code Scanning.
+     *
+     * Uses the current GitHub Actions context (owner, repo, commit SHA, and ref) for the target.
+     * If a GitHub Enterprise Server base URL is provided via the 'ghe-base-url' or 'ghe_base_url'
+     * action input, the request is sent to that endpoint; otherwise, it targets github.com.
+     *
+     * @param encodedSarif - The SARIF report content after gzip compression and base64 encoding,
+     *                       as required by the POST /repos/{owner}/{repo}/code-scanning/sarifs API.
+     *                       Typically produced by compressing raw SARIF with gzip and encoding to base64.
+     * @param token - GitHub token used to authenticate the upload request. Must have
+     *                security_events: write permission on the target repository (e.g., a PAT or GITHUB_TOKEN
+     *                with the appropriate permission).
+     *
+     * @returns A promise that resolves when the upload completes successfully.
+     * @throws Error if the API response status is not 2xx; the thrown error includes the resolved baseUrl
+     *         and a serialized response summary to aid debugging.
      */
     private static async uploadCodeScanningSarif(encodedSarif: string, token: string) {
-        const octokit: Octokit = new Octokit({ auth: token });
-        let response: OctokitResponse<any> | undefined;
-        response = await octokit.request('POST /repos/{owner}/{repo}/code-scanning/sarifs', {
+        const inputBaseUrl = core.getInput('ghe-base-url', { required: false }) || core.getInput('ghe_base_url', { required: false }) || '';
+
+        const octokit = inputBaseUrl ? github.getOctokit(token, { baseUrl: inputBaseUrl }) : github.getOctokit(token);
+
+        const response = await octokit.request('POST /repos/{owner}/{repo}/code-scanning/sarifs', {
             owner: github.context.repo.owner,
             repo: github.context.repo.repo,
             commit_sha: github.context.sha,
@@ -122,7 +136,8 @@ export class JobSummary {
         });
 
         if (response.status < 200 || response.status >= 300) {
-            throw new Error(`Failed to upload SARIF file: ` + JSON.stringify(response));
+            const usedBaseUrl = (octokit as any).request?.endpoint?.DEFAULTS?.baseUrl || 'unknown';
+            throw new Error(`Failed to upload SARIF file (status ${response.status}). baseUrl=${usedBaseUrl}; response=` + JSON.stringify(response));
         }
 
         core.info('SARIF file uploaded successfully');
diff --git a/test/job-summary.sarif.baseurl.spec.ts b/test/job-summary.sarif.baseurl.spec.ts
@@ -0,0 +1,64 @@
+/**
+ * test/job-summary.sarif.baseurl.spec.ts
+ * Checking baseUrl selection when loading SARIF on GHES.
+ */
+
+import * as core from '@actions/core';
+
+jest.mock('@actions/github', () => {
+    const actual = jest.requireActual('@actions/github');
+    return {
+        ...actual,
+        getOctokit: jest.fn((token: string, opts?: { baseUrl?: string }) => {
+            const usedBaseUrl = (opts && opts.baseUrl) || process.env.__AUTO_BASE_URL__ || 'https://api.github.com';
+
+            const req = jest.fn(async (_route: string, _params: any) => {
+                (global as any).__USED_BASE_URL__ = usedBaseUrl;
+                return { status: 201, data: {} };
+            }) as unknown as any;
+
+            req.endpoint = { DEFAULTS: { baseUrl: usedBaseUrl } };
+
+            return { request: req } as any;
+        }),
+        context: {
+            repo: { owner: 'o', repo: 'r' },
+            sha: 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef',
+            ref: 'refs/heads/main',
+        },
+    };
+});
+
+import { JobSummary } from '../src/job-summary';
+
+describe('uploadCodeScanningSarif baseUrl selection (GHES)', () => {
+    beforeEach(() => {
+        jest.resetModules();
+        jest.clearAllMocks();
+
+        jest.spyOn(core, 'getInput').mockImplementation((_name: string) => '');
+
+        delete process.env.__AUTO_BASE_URL__;
+        delete (global as any).__USED_BASE_URL__;
+    });
+
+    it('Should use explicit input ghe-base-url if given', async () => {
+        (core.getInput as jest.Mock).mockImplementation((name: string) => {
+            if (name === 'ghe-base-url') return 'https://github.enterprise.local/api/v3';
+            if (name === 'ghe_base_url') return '';
+            return '';
+        });
+
+        await (JobSummary as any).uploadCodeScanningSarif('eJx4YWJj', 'ghs_token');
+
+        expect((global as any).__USED_BASE_URL__).toBe('https://github.enterprise.local/api/v3');
+    });
+
+    it('Should falls back to auto GHES baseUrl via @actions/github if input is not specified', async () => {
+        process.env.__AUTO_BASE_URL__ = 'https://ghe.corp.local/api/v3';
+
+        await (JobSummary as any).uploadCodeScanningSarif('eJx4YWJj', 'ghs_token');
+
+        expect((global as any).__USED_BASE_URL__).toBe('https://ghe.corp.local/api/v3');
+    });
+});
