Update codebase to handle both GitHub Actions and Azure Devops Pipelines submitting snapshots to GitHub Repo #128
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The Fix: Added package.json with "type": "commonjs" in the task directory This tells Node.js to treat the index.js file as CommonJS instead of ES modules Azure DevOps can now properly execute the bundled code
… "type": "module" in the package.json or use the .mjs extension. ✅ Execute properly in Azure DevOps (CommonJS format) ✅ Display proper marketplace overview (README content) ✅ Have a clean package (no unnecessary build artifacts)
- Replace CommonJS conversion with native ES module approach using .mjs extension - Simplify build process by directly copying ncc output as index.mjs - Remove complex regex-based ES-to-CommonJS conversion script - Update Azure DevOps task execution target from index.js to index.mjs - Leverage Node20_1 native ES module support instead of compatibility workarounds This eliminates the need for post-processing ES modules to CommonJS, resulting in cleaner code and a more maintainable build pipeline.
…work/_tasks/component-detection-github-submission-task_5065f07b-c417-4050-bf2b-f8520ce76aba/0.1.7/sourcemap-register.cjs' imported from /home/vsts/work/_tasks/component-detection-github-submission-task_5065f07b-c417-4050-bf2b-f8520ce76aba/0.1.7/index.mjs Updated build script to copy both index.js → index.mjs and sourcemap-register.cjs Both files are now included in the Azure DevOps task directory The ES module can now properly resolve its dependencies
Fixed GitHub token authentication issue: Modified the Octokit configuration to only use authentication when a token is provided, preventing "Bad credentials" errors when accessing the public microsoft/component-detection repository. Enhanced error handling: Added comprehensive error handling and validation throughout the component detection process: Better error messages when download fails Verification that the executable file was created successfully Validation that the executable has proper permissions on Unix systems Verification that the output.json file was created after running component-detection Improved logging: Added debug logging to help troubleshoot issues: Shows the download URL being used Lists available assets from the GitHub release Shows which asset was matched for the current platform Logs the exact command being executed Enhanced input validation: Added validation in the ADO entry point to ensure required inputs (GitHub repository and token) are provided before proceeding. Set GitHub token environment variable: Ensured the GitHub token is available to the dependency-submission-toolkit.
Enhanced error handling for GitHub submission: Added try-catch around the submitSnapshot call with detailed error logging including HTTP status codes and response data. Added early validation: Check if manifests exist before attempting submission to avoid unnecessary API calls. Enhanced environment variable setup: Set additional environment variables that the dependency-submission-toolkit might expect: GITHUB_REPOSITORY GITHUB_API_URL GITHUB_SERVER_URL GITHUB_GRAPHQL_URL Improved debug logging: Added more detailed logging around the submission process including snapshot details and correlator information. Better manifest validation: Added check to ensure manifests aren't empty before proceeding with submission.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
- split scripts for ado:build and add ado:debugbuild so that sourcemap-register.cjs is no longer needed (has a CodeQL alert)
…t-detection-dependency-submission-action into gh-ado-bundle
- enhance tests for platform detection and CLI execution
…e logging - The issue was that @actions/github doesn't export a default export. Instead, it exports named exports like context directly.
- "Submitting snapshot with undefined manifests to GitHub repository: testing-felickz/eShopOnWeb"
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bringing an idea to fruition: a common code base (this one) that can run security tasks on both GitHub Actions and Azure DevOps Pipelines! In this scenario - both using the same Component Detection dotnet tool to detect and generate GitHub Dependency Graph Snapshots to submit back to a GitHub repo. This will aide in migrating ADO customers over to GitHub repos and continue using pipelines as needed.
Before:
After:
Ex Pipeline: https://github.com/testing-felickz/eShopOnWeb/blob/main/.ado/gh-cd-submission.yml
RAW Pipeline log
TODO
Advanced Securityteam to use their publisher: https://marketplace.visualstudio.com/publishers/advancedsecurity