CodeQL setup using Github Actions

I am trying to set up CodeQL using GitHub Actions, and we have GitHub Advanced Security enabled for the repository that I am currently working on.

Our enterprise account also has the flag below turned on:
[screenshot not reproduced]

We tried forking the repos below, which contain the GH Actions, into our org to make it work.
https://github.com/actions/checkout
https://github.com/github/codeql-action

After forking these repos, we changed the CodeQL workflow (YAML files) to point to these locally forked repos. However, with these new changes, we are still seeing 403 Forbidden errors.

Failed to download action https://api.github.com/repos/<org>/checkout/tarball/<probablySomeToken>. Error: Response status code does not indicate success: 403(Forbidden)

How do we get this to work? Thanks!

Hey, your image isn’t displaying, so I’m not sure what you are trying to show there.

If you have GHAS enabled on the repository, then CodeQL should be as easy as clicking the setup button, and it creates the GitHub Actions workflow for you to use. I’m not sure why you are forking those repos and changing your code to use those.

Can you provide some more details?

Hello, the image I have shows that we have “Allow local actions only” turned on in the settings page. Since we have this enabled, we couldn’t use the GH actions directly as-is, because we were getting the error below:

actions/checkout@v2, github/codeql-action/init@v1, github/codeql-action/autobuild@v1, and github/codeql-action/analyze@v1 are not allowed to be used in <orgName>.
Actions in this workflow must be: within a repository that belongs to your Enterprise account

At this point, we went ahead and forked the actions and codeql-action repos as mentioned in the post above, but that led to the 403 Forbidden errors.

Please let me know if there is anything else I can add here. Thanks!

Questions:

  1. How about, instead of selecting Allow Local Actions Only, you select Allow Select Actions, and then list these actions as ones that can be used?

  2. I’m assuming you forked that code into a private repo in your org? Or have it in a private repo? And that your CodeQL is also in a private repo?

I have some more questions, based off these answers.

Replied below:

  1. This setting is at the org level and that is not something that I can change. I am currently testing CodeQL and checking to see how it works for us.

  2. I have forked these repos directly into our org, which is private. The forked repos as such are currently public there as of this moment (we are trying to make these repos private as well, but it looks like the option to change visibility is disabled).

Thanks!

Question:

When you say you changed the CodeQL YAML to point to your forked repos, did you just change the uses statement? Or did you add a statement to check out the repo first?

And I meant check out the forked repos with the actions in them.

Yes, I changed the uses statements to point to the locally forked repo location. I did not add any statement to check out the repo.

Something like this:
uses: github/codeql-action/init@v1 to uses: <orgName>/codeql-action/init@v1
uses: actions/checkout@v2 to uses: <orgName>/checkout@v2

And the error message has now changed to this (truncated log):

Download action repository '<orgName>/checkout@v2'
Warning: Failed to download action 'https://api.github.com/repos/<orgName>/checkout/tarball/<someToken>'. Error: Response status code does not indicate success: 403 (Forbidden).
Warning: Back off 11.134 seconds before retry.
Warning: Failed to download action 'https://api.github.com/repos/<orgName>/checkout/tarball/<someToken>'. Error: Response status code does not indicate success: 403 (Forbidden).
Warning: Back off 25.744 seconds before retry.
Error: Response status code does not indicate success: 403 (Forbidden).

OK, I’m going to have to try this to really figure it out. So here is the scenario:

You have a private/internal repo in your org
Your org allows local actions only
You forked those two repos into your org, into public repos

I’ll see if I can recreate and troubleshoot

So, the org I am working in is GHEC, and this org allows local actions only. I forked the two repos into this org (they are currently public, as we cannot mark the forked repos as private; I am working on the side to figure out whether we can mark them private). Thanks!

So what I’m wondering is, because you have forked the repo over and you have that option set, do you now need to kind of treat this like a GitHub Action that has been declared in a private repo?

So I’m thinking you will need to modify the CodeQL YAML to add an extra step that first checks out the action that you forked, then runs it.

Similar to something like this:
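The snippet referred to above did not survive on this page. The workflow below is an added example of the pattern being described (fetch the forked action into the workspace, then run it by local path); it was written for this thread and is not taken from the original post, from GitHub, or from the codeql-action project. It assumes the fork lives at `<orgName>/codeql-action` (resolved from the `GITHUB_REPOSITORY_OWNER` variable) with the upstream `v1` tag intact, that a read-only PAT for that fork is stored in a secret named `ACTIONS_READ_TOKEN` (a hypothetical name, and only needed if the fork is private), and that the checkout directory `.github/forked-actions/` is an arbitrary choice. It also sidesteps actions/checkout entirely, since the fork of that action is the one whose tarball download failed with 403 in the log above: both the scanned repository and the action are fetched with plain git, and the credential is passed as an HTTP header so that it is not written into the clone’s `.git/config`.

```yaml
name: "CodeQL (forked action run from a local path)"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# The job token needs to read the repo and to upload SARIF results.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ 'csharp' ]

    steps:
      # Fetch the repository being scanned without actions/checkout.
      # git is present on hosted runners; the job token can read this repo.
      # The credential goes in an extra header (the same trick actions/checkout
      # uses), so it is never stored in .git/config.
      - name: Check out repository
        env:
          TOKEN: ${{ github.token }}
        run: |
          AUTH="$(printf 'x-access-token:%s' "${TOKEN}" | base64 -w0)"
          git init .
          git remote add origin "https://github.com/${GITHUB_REPOSITORY}.git"
          git -c "http.extraheader=AUTHORIZATION: basic ${AUTH}" \
            fetch --depth=1 origin "${GITHUB_SHA}"
          git checkout --force FETCH_HEAD

      # Fetch the org's fork of github/codeql-action into the workspace.
      # ACTIONS_READ_TOKEN is an assumed org/repo secret holding a PAT that can
      # read the fork; for a public fork the header can be dropped.
      - name: Check out forked codeql-action
        env:
          TOKEN: ${{ secrets.ACTIONS_READ_TOKEN }}
        run: |
          AUTH="$(printf 'x-access-token:%s' "${TOKEN}" | base64 -w0)"
          git -c "http.extraheader=AUTHORIZATION: basic ${AUTH}" \
            clone --depth=1 --branch v1 \
            "https://github.com/${GITHUB_REPOSITORY_OWNER}/codeql-action.git" \
            .github/forked-actions/codeql-action

      # From here on the action is referenced by path inside the workspace,
      # so the runner reads it from disk instead of downloading a tarball.
      - name: Initialize CodeQL
        uses: ./.github/forked-actions/codeql-action/init
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: ./.github/forked-actions/codeql-action/autobuild

      - name: Perform CodeQL Analysis
        uses: ./.github/forked-actions/codeql-action/analyze
```

A quick check that the pattern is doing what it should: in the job log there should be no "Download action repository '<orgName>/codeql-action…'" line at all, because a `./` path is resolved from the workspace rather than fetched through the API. If the forked action does need to stay private, keep the PAT scoped to read-only access on that one repo and store it as an org or repo secret rather than pasting it into the YAML.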

I see. I am wondering, however, whether it’s safe to pass the token in through the YAML file directly. Any thoughts on this, please?

Put the token in a repo or an org secret, and reference it that way. That would be OK. Again, I don’t know if this approach will work, but it is worth a shot.

Also, I’m going to take this scenario to the internal team and see if they have a particular way they would handle it.

@ydorbala one last question (famous last words), what happens if you try and run the original codeql workflow, without changing the actions? Does it tell you that you can’t because of that organizational setting?

Internal suggestion was the same as mine: change the setting to Allow Selected Actions at the org level and grant access to those specific actions 🙂

Yeah, if I use the same repos as from before, I am getting the same error.
“Actions in this workflow must be: within a repository that belongs to your Enterprise account.”

So, if I understand this correctly, the prescribed method would be to get this done using Allow Selected Actions at the org level, and there is no other way if I want to test this out?

Edit: The reason for this ask is that, as I have mentioned before in this thread, the organizational settings are enforced and we cannot change the setting to anything other than “Allow local actions only”.

The only other option, and I would have to test this to see if it would work, would be to take those actions, clone and push their code into private repos in your org, use that link I sent you previously to check them out, and then run them that way.

But if I was consulting with you, I would try and convince your admins to change that setting for you at the org level, and ask them to allow those specific actions. That is the better way.

@ydorbala:

I was able to get this working, using a forked repo of the actions/checkout action. Here is what I did:

So you SHOULD be able to make it work. I even added in a forked copy of the CodeQL action and it seemed to work as well.

Any chance you can share your workflow file? This scenario with the forked actions into your org should work.

Thanks for the update @mickeygousset! Unfortunately, the .yaml file is pretty much the same in my scenario as well, but it’s still throwing the same error as mentioned above (Failed to download action, 403 Forbidden):

```yaml
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    - cron: '24 15 * * 6'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: [ 'csharp' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
        # Learn more:
        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed

    steps:
    # Forked copy of actions/checkout, referenced by org name
    - name: Checkout repository
      uses: <orgName>/checkout@v2

    # Initializes the CodeQL tools for scanning (forked copy of github/codeql-action).
    - name: Initialize CodeQL
      uses: <orgName>/codeql-action/init@v1
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.
        # queries: ./path/to/local/query, your-org/your-repo/queries@main

    # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: <orgName>/codeql-action/autobuild@v1

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl

    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
    #    and modify them (or add more) to build your code if your project
    #    uses a compiled language

    #- run: |
    #   make bootstrap
    #   make release

    - name: Perform CodeQL Analysis
      uses: <orgName>/codeql-action/analyze@v1
```

It can’t be a firewall blocking it, because this is GHEC and you are using hosted runners.

Hmmmmm… OK, let me go ask some more questions of people smarter than me. Is there anything else in the error message? If you want to send me anything that you don’t necessarily want public, email it to me at my username at github dot com.