Use private registry proxy for API requests when available#4007
Conversation
fcdd601 to
b6d92e3
Compare
This will make it easier to gate the `getRegistryProxy` with a FF, without the significant refactoring that is needed to thread the FFs into `createApiClientWithDetails`
|
As an example of this in action, see https://github.com/github/codeql-action/actions/runs/29347975179/job/87138397597?pr=4007#step:8:312 for the expected log message and the proxy log artifact at https://github.com/github/codeql-action/actions/runs/29347975179/artifacts/8317105753 |
There was a problem hiding this comment.
Warning
- Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.
Pull request overview
Adds feature-flagged registry-proxy support for retrieving remote CodeQL configuration files from private repositories.
Changes:
- Adds proxy environment handling and Undici-based API routing.
- Routes remote configuration requests through the proxy when enabled.
- Adds unit and PR-check coverage.
Show a summary per file
| File | Description |
|---|---|
src/api-client.ts |
Implements proxy-aware API clients. |
src/api-client.test.ts |
Tests proxy configuration. |
src/config/file.ts |
Proxies remote configuration requests. |
src/config/file.test.ts |
Tests feature-flagged proxy selection. |
src/environment.ts |
Defines proxy variables and environment cloning. |
src/feature-flags.ts |
Adds the proxy feature flag. |
src/testing-utils.ts |
Isolates environments between test-builder clones. |
pr-checks/checks/start-proxy.yml |
Exercises proxy-backed initialization. |
package.json |
Adds Undici. |
package-lock.json |
Locks the dependency update. |
lib/entry-points.js |
Generated artifact; excluded from review. |
.github/workflows/__start-proxy.yml |
Generated workflow; excluded from review. |
Review details
Files excluded by content exclusion policy (2)
- .github/workflows/__start-proxy.yml
- lib/entry-points.js
- Files reviewed: 9/12 changed files
- Comments generated: 1
- Review effort level: Medium
There was a problem hiding this comment.
Missing some tests for RegistryProxyVars.PROXY_CA_CERTIFICATE:
requestTlsis defined whenRegistryProxyVars.PROXY_CA_CERTIFICATEis definedrequestTlsisundefinedwhenRegistryProxyVars.PROXY_CA_CERTIFICATEis not defined
There was a problem hiding this comment.
I am not aware of any nice way of inspecting this once the ProxyAgent has been constructed. The e2e test exercises this though. Since it is given a remote address, the API request is made via the proxy and wouldn't work if requestTls wasn't set up correctly.
| with: | ||
| languages: java | ||
| tools: ${{ steps.prepare-test.outputs.tools-url }} | ||
| config-file: codeql-action@main:tests/multi-language-repo/.github/codeql/custom-queries.yml |
There was a problem hiding this comment.
I believe #4014 added support for a local prefix?
| config-file: codeql-action@main:tests/multi-language-repo/.github/codeql/custom-queries.yml | |
| config-file: ./tests/multi-language-repo/.github/codeql/custom-queries.yml |
There was a problem hiding this comment.
This is intentionally a remote address so that the CodeQL Action fetches the file via the proxy in this test.
| // Should use it when the FF is enabled and the environment variables are set. | ||
| await target | ||
| .withFeatures([Feature.ProxyApiRequests, Feature.NewRemoteFileAddresses]) | ||
| .withEnv((env) => { | ||
| env.set(RegistryProxyVars.PROXY_HOST, "localhost"); | ||
| env.set(RegistryProxyVars.PROXY_PORT, "1234"); | ||
| }) | ||
| .logs(t, "Using private registry proxy at 'http://localhost:1234'") | ||
| .passes(t.truthy); | ||
|
|
||
| // But not when the FF is not enabled. | ||
| await target | ||
| .withFeatures([Feature.NewRemoteFileAddresses]) | ||
| .withEnv((env) => { | ||
| env.set(RegistryProxyVars.PROXY_HOST, "localhost"); | ||
| env.set(RegistryProxyVars.PROXY_PORT, "1234"); | ||
| }) | ||
| .notLogs(t, "Using private registry proxy at 'http://localhost:1234'") | ||
| .throws(t, { message: errorMessage }); | ||
|
|
||
| // And not when the environment variables aren't set. | ||
| await target | ||
| .withFeatures([Feature.ProxyApiRequests, Feature.NewRemoteFileAddresses]) | ||
| .notLogs(t, "Using private registry proxy at 'http://localhost:1234'") | ||
| .throws(t, { message: errorMessage }); | ||
| }); |
There was a problem hiding this comment.
I think that these should be three individual unit tests—per best-practice. But, that's quite a lot of boilerplate setup code to duplicate. You could put it into a helper setup method, but not crazy about that either. I'll leave that up to you whether to keep as-is, or split/refactor.
There was a problem hiding this comment.
I have no strong feelings here. I can break this up into three separate tests, but these can also be viewed as three separate assertions. Not duplicating the boilerplate isn't hard.
| export function makeProxyRequestOptions( | ||
| dispatcher: ProxyAgent, | ||
| ): RequestRequestOptions { | ||
| return { | ||
| fetch: (req: RequestInfo, init?: RequestInit) => { | ||
| return undiciFetch(req, { ...init, dispatcher }); | ||
| }, | ||
| }; | ||
| } |
There was a problem hiding this comment.
This seems very similar to getApiFetch. Perhaps there's a way to combine the two? Or have getApiFetch call makeProxyRequestOptions.
There was a problem hiding this comment.
getApiFetch is unused and left over from when I had hoped to perform the FF check in createApiClientWithDetails. Since it is unused, I will remove it.
This PR allows the CodeQL Action to use the private registry authentication proxy when fetching remote configuration files. The authentication proxy is available in Default Setup workflows. Doing so allows configuration files to be retrieved from private repositories, provided that a suitable
git_sourceregistry is set up for the organisation.#4000 has laid the groundwork for this, by always enabling
git_sourceregistries when they are available.The change is behind a new FF.
Risk assessment
For internal use only. Please select the risk level of this change:
Which use cases does this change impact?
Workflow types:
dynamicworkflows (Default Setup, Code Quality, ...).Products:
analysis-kinds: code-scanning.analysis-kinds: code-quality.Environments:
github.comand/or GitHub Enterprise Cloud with Data Residency.How did/will you validate this change?
.test.tsfiles).pr-checks).If something goes wrong after this change is released, what are the mitigation and rollback strategies?
How will you know if something goes wrong after this change is released?
Are there any special considerations for merging or releasing this change?
Merge / deployment checklist