Skip to content

Commit 8534f56

Browse files
eltyagieltyagi
committed
Fix attestation creation and CodeQL data extraction
- Add delays between attestation creation to prevent conflicts - Increase CodeQL API wait time from 10s to 30s - Improve error handling for CodeQL data extraction - Add better fallback data when API calls fail
1 parent 4f09dd3 commit 8534f56

1 file changed

Lines changed: 36 additions & 17 deletions

File tree

.github/workflows/unified-build-attest.yml

Lines changed: 36 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -73,8 +73,9 @@ jobs:
7373
run: |
7474
echo "🔍 Extracting CodeQL security results..."
7575
76-
# Wait a moment for results to be processed
77-
sleep 10
76+
# Wait longer for results to be processed
77+
echo "⏳ Waiting for CodeQL results to be available in API..."
78+
sleep 30
7879
7980
# Get CodeQL alerts for this commit/ref
8081
if [ "${{ github.event_name }}" = "pull_request" ]; then
@@ -88,13 +89,14 @@ jobs:
8889
echo "📊 Checking alerts for ref: $REF_NAME, commit: $COMMIT_SHA"
8990
9091
# Get alerts from the API
92+
echo "🔍 Fetching CodeQL alerts from API..."
9193
ALERTS_DATA=$(gh api repos/${{ github.repository }}/code-scanning/alerts \
92-
--jq --arg ref "$REF_NAME" '
94+
--jq --arg ref "$REF_NAME" --arg commit "$COMMIT_SHA" '
9395
map(select(.state == "open")) |
9496
{
9597
scan_timestamp: now | strftime("%Y-%m-%dT%H:%M:%SZ"),
96-
commit_sha: "'"$COMMIT_SHA"'",
97-
ref: "'"$REF_NAME"'",
98+
commit_sha: $commit,
99+
ref: $ref,
98100
total_alerts: length,
99101
severity_counts: {
100102
critical: map(select(.rule.security_severity_level == "critical")) | length,
@@ -111,18 +113,29 @@ jobs:
111113
severity: .[0].rule.security_severity_level
112114
}) | sort_by(.count) | reverse | .[0:10]),
113115
tools_used: ["codeql"],
114-
languages_scanned: ["python"]
115-
}' 2>/dev/null) || echo '{
116-
"scan_timestamp": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'",
117-
"commit_sha": "'"$COMMIT_SHA"'",
118-
"ref": "'"$REF_NAME"'",
119-
"total_alerts": 0,
120-
"severity_counts": {"critical": 0, "high": 0, "medium": 0, "low": 0, "note": 0, "warning": 0},
121-
"rule_summary": [],
122-
"tools_used": ["codeql"],
123-
"languages_scanned": ["python"],
124-
"note": "No alerts found or API access limited"
125-
}'
116+
languages_scanned: ["python"],
117+
scan_context: {
118+
analysis_key: ".github/workflows/unified-build-attest.yml:build-scan-attest",
119+
category: "/language:python"
120+
}
121+
}' 2>/dev/null) || {
122+
echo "⚠️ Failed to fetch alerts from API, creating fallback summary..."
123+
ALERTS_DATA='{
124+
"scan_timestamp": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'",
125+
"commit_sha": "'"$COMMIT_SHA"'",
126+
"ref": "'"$REF_NAME"'",
127+
"total_alerts": 0,
128+
"severity_counts": {"critical": 0, "high": 0, "medium": 0, "low": 0, "note": 0, "warning": 0},
129+
"rule_summary": [],
130+
"tools_used": ["codeql"],
131+
"languages_scanned": ["python"],
132+
"note": "CodeQL scan completed but alerts not available via API at attestation time",
133+
"scan_context": {
134+
"analysis_key": ".github/workflows/unified-build-attest.yml:build-scan-attest",
135+
"category": "/language:python"
136+
}
137+
}'
138+
}
126139
127140
echo "security_summary<<EOF" >> $GITHUB_OUTPUT
128141
echo "$ALERTS_DATA" >> $GITHUB_OUTPUT
@@ -145,6 +158,9 @@ jobs:
145158
with:
146159
subject-path: ${{ steps.build.outputs.artifact_name }}
147160

161+
- name: Wait between attestations
162+
run: sleep 2
163+
148164
- name: Create security assessment attestation
149165
uses: actions/attest@v1
150166
with:
@@ -221,6 +237,9 @@ jobs:
221237
}
222238
}
223239
240+
- name: Wait between attestations
241+
run: sleep 2
242+
224243
- name: Verify attestations
225244
run: |
226245
echo "🔐 Verifying created attestations..."

0 commit comments

Comments
 (0)