Fix/ghes sum png call

action.yml

@@ -30,6 +30,12 @@ inputs:
     custom-server-id:
         description: "Custom JFrog CLI configuration server ID to use instead of the default one generated by the action."
         required: false
+    ghe-base-url:
+        description: 'Base URL GitHub Enterprise Server REST API.'
+        required: false
+    ghe_base_url:
+        description: 'Alias for ghe-base-url'
+        required: false
 outputs:
     oidc-token:
         description: "JFrog OIDC token generated by the Setup JFrog CLI when setting oidc-provider-name."

lib/job-summary.js

@@ -38,7 +38,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.JobSummary = void 0;
 const core = __importStar(require("@actions/core"));
 const semver_1 = require("semver");
-const core_1 = require("@octokit/core");
 const github = __importStar(require("@actions/github"));
 const util_1 = require("util");
 const zlib_1 = require("zlib");
@@ -107,24 +106,30 @@ class JobSummary {
         });
     }
     /**
-     * Uploads the code scanning SARIF content to the code-scanning GitHub API.
-     * @param encodedSarif - The final compressed and encoded sarif content.
-     * @param token - GitHub token to use for the request. Has to have 'security-events: write' permission.
-     * @private
+     * Uploads a SARIF (Static Analysis Results Interchange Format) file to GitHub's code scanning API.
+     * This method handles the communication with GitHub's REST API to populate the code scanning tab with security analysis results.
+     * Supports both GitHub.com and GitHub Enterprise Server installations.
+     * @param encodedSarif - The SARIF content that has been compressed using gzip and encoded to base64 format.
+     *                       This encoding is required by GitHub's code-scanning/sarifs API endpoint.
+     * @param token - GitHub authentication token with appropriate permissions to upload SARIF files.
+     *                Must have 'security_events: write' and 'contents: read' permissions.
+     * @throws Will throw an error if the HTTP response status is not in the 2xx range or if authentication fails.
      */
     static uploadCodeScanningSarif(encodedSarif, token) {
         return __awaiter(this, void 0, void 0, function* () {
-            const octokit = new core_1.Octokit({ auth: token });
-            let response;
-            response = yield octokit.request('POST /repos/{owner}/{repo}/code-scanning/sarifs', {
+            var _a, _b, _c;
+            const inputBaseUrl = utils_1.Utils.getGheBaseUrl();
+            const octokit = inputBaseUrl ? github.getOctokit(token, { baseUrl: inputBaseUrl }) : github.getOctokit(token);
+            const response = yield octokit.request('POST /repos/{owner}/{repo}/code-scanning/sarifs', {
                 owner: github.context.repo.owner,
                 repo: github.context.repo.repo,
                 commit_sha: github.context.sha,
                 ref: github.context.ref,
                 sarif: encodedSarif,
             });
             if (response.status < 200 || response.status >= 300) {
-                throw new Error(`Failed to upload SARIF file: ` + JSON.stringify(response));
+                const usedBaseUrl = ((_c = (_b = (_a = octokit.request) === null || _a === void 0 ? void 0 : _a.endpoint) === null || _b === void 0 ? void 0 : _b.DEFAULTS) === null || _c === void 0 ? void 0 : _c.baseUrl) || 'unknown';
+                throw new Error(`Failed to upload SARIF file (status ${response.status}). baseUrl=${usedBaseUrl}; response=` + JSON.stringify(response));
             }
             core.info('SARIF file uploaded successfully');
         });
@@ -271,13 +276,12 @@ class JobSummary {
                 return this.isSummaryHeaderAccessible;
             }
             const url = this.MARKDOWN_HEADER_PNG_URL;
-            const httpClient = new http_client_1.HttpClient();
+            const httpClient = new http_client_1.HttpClient('jfrog-setup-action', [], {
+                socketTimeout: 5000,
+            });
             try {
                 // Set timeout to 5 seconds
-                const requestOptions = {
-                    socketTimeout: 5000,
-                };
-                const response = yield httpClient.head(url, requestOptions);
+                const response = yield httpClient.head(url);
                 this.isSummaryHeaderAccessible = response.message.statusCode === 200;
             }
             catch (error) {

lib/utils.js

@@ -73,6 +73,10 @@ class Utils {
         }
         return jfrogCredentials;
     }
+    static getGheBaseUrl() {
+        const v = core.getInput(Utils.GHE_BASE_URL_INPUT, { required: false }) || core.getInput(Utils.GHE_BASE_URL_ALIAS_INPUT, { required: false }) || '';
+        return v.trim();
+    }
     static getAndAddCliToPath(jfrogCredentials) {
         return __awaiter(this, void 0, void 0, function* () {
             let version = core.getInput(Utils.CLI_VERSION_ARG);
@@ -489,3 +493,6 @@ Utils.AUTO_BUILD_PUBLISH_DISABLE = 'disable-auto-build-publish';
 Utils.AUTO_EVIDENCE_COLLECTION_DISABLE = 'disable-auto-evidence-collection';
 // Custom server ID input
 Utils.CUSTOM_SERVER_ID = 'custom-server-id';
+// GHES baseUrl support
+Utils.GHE_BASE_URL_INPUT = 'ghe-base-url';
+Utils.GHE_BASE_URL_ALIAS_INPUT = 'ghe_base_url';

src/job-summary.ts

@@ -105,15 +105,21 @@ export class JobSummary {
     }
 
     /**
-     * Uploads the code scanning SARIF content to the code-scanning GitHub API.
-     * @param encodedSarif - The final compressed and encoded sarif content.
-     * @param token - GitHub token to use for the request. Has to have 'security-events: write' permission.
-     * @private
+     * Uploads a SARIF (Static Analysis Results Interchange Format) file to GitHub's code scanning API.
+     * This method handles the communication with GitHub's REST API to populate the code scanning tab with security analysis results.
+     * Supports both GitHub.com and GitHub Enterprise Server installations.
+     * @param encodedSarif - The SARIF content that has been compressed using gzip and encoded to base64 format.
+     *                       This encoding is required by GitHub's code-scanning/sarifs API endpoint.
+     * @param token - GitHub authentication token with appropriate permissions to upload SARIF files.
+     *                Must have 'security_events: write' and 'contents: read' permissions.
+     * @throws Will throw an error if the HTTP response status is not in the 2xx range or if authentication fails.
      */
     private static async uploadCodeScanningSarif(encodedSarif: string, token: string) {
-        const octokit: Octokit = new Octokit({ auth: token });
-        let response: OctokitResponse<any> | undefined;
-        response = await octokit.request('POST /repos/{owner}/{repo}/code-scanning/sarifs', {
+        const inputBaseUrl = Utils.getGheBaseUrl();
+
+        const octokit = inputBaseUrl ? github.getOctokit(token, { baseUrl: inputBaseUrl }) : github.getOctokit(token);
+
+        const response = await octokit.request('POST /repos/{owner}/{repo}/code-scanning/sarifs', {
             owner: github.context.repo.owner,
             repo: github.context.repo.repo,
             commit_sha: github.context.sha,
@@ -122,7 +128,8 @@ export class JobSummary {
         });
 
         if (response.status < 200 || response.status >= 300) {
-            throw new Error(`Failed to upload SARIF file: ` + JSON.stringify(response));
+            const usedBaseUrl = (octokit as any).request?.endpoint?.DEFAULTS?.baseUrl || 'unknown';
+            throw new Error(`Failed to upload SARIF file (status ${response.status}). baseUrl=${usedBaseUrl}; response=` + JSON.stringify(response));
         }
 
         core.info('SARIF file uploaded successfully');
@@ -276,13 +283,12 @@ export class JobSummary {
             return this.isSummaryHeaderAccessible;
         }
         const url: string = this.MARKDOWN_HEADER_PNG_URL;
-        const httpClient: HttpClient = new HttpClient();
+        const httpClient: HttpClient = new HttpClient('jfrog-setup-action', [], {
+            socketTimeout: 5000,
+        });
         try {
             // Set timeout to 5 seconds
-            const requestOptions: OutgoingHttpHeaders = {
-                socketTimeout: 5000,
-            };
-            const response: HttpClientResponse = await httpClient.head(url, requestOptions);
+            const response: HttpClientResponse = await httpClient.head(url);
             this.isSummaryHeaderAccessible = response.message.statusCode === 200;
         } catch (error) {
             core.warning('No internet access to the header image, using the text header instead.');

src/utils.ts

@@ -54,6 +54,9 @@ export class Utils {
     public static readonly AUTO_EVIDENCE_COLLECTION_DISABLE: string = 'disable-auto-evidence-collection';
     // Custom server ID input
     private static readonly CUSTOM_SERVER_ID: string = 'custom-server-id';
+    // GHES baseUrl support
+    public static readonly GHE_BASE_URL_INPUT: string = 'ghe-base-url';
+    public static readonly GHE_BASE_URL_ALIAS_INPUT: string = 'ghe_base_url';
 
     /**
      * Gathers JFrog's credentials from environment variables and delivers them in a JfrogCredentials structure
@@ -88,6 +91,12 @@ export class Utils {
         return jfrogCredentials;
     }
 
+    public static getGheBaseUrl(): string {
+        const v =
+            core.getInput(Utils.GHE_BASE_URL_INPUT, { required: false }) || core.getInput(Utils.GHE_BASE_URL_ALIAS_INPUT, { required: false }) || '';
+        return v.trim();
+    }
+
     public static async getAndAddCliToPath(jfrogCredentials: JfrogCredentials) {
         let version: string = core.getInput(Utils.CLI_VERSION_ARG);
         let cliRemote: string = core.getInput(Utils.CLI_REMOTE_ARG);

test/job-summary.sarif.baseurl.spec.ts

@@ -0,0 +1,64 @@
+/**
+ * test/job-summary.sarif.baseurl.spec.ts
+ * Checking baseUrl selection when loading SARIF on GHES.
+ */
+
+import * as core from '@actions/core';
+
+jest.mock('@actions/github', () => {
+    const actual = jest.requireActual('@actions/github');
+    return {
+        ...actual,
+        getOctokit: jest.fn((token: string, opts?: { baseUrl?: string }) => {
+            const usedBaseUrl = (opts && opts.baseUrl) || process.env.__AUTO_BASE_URL__ || 'https://api.github.com';
+
+            const req = jest.fn(async (_route: string, _params: any) => {
+                (global as any).__USED_BASE_URL__ = usedBaseUrl;
+                return { status: 201, data: {} };
+            }) as unknown as any;
+
+            req.endpoint = { DEFAULTS: { baseUrl: usedBaseUrl } };
+
+            return { request: req } as any;
+        }),
+        context: {
+            repo: { owner: 'o', repo: 'r' },
+            sha: 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef',
+            ref: 'refs/heads/main',
+        },
+    };
+});
+
+import { JobSummary } from '../src/job-summary';
+
+describe('uploadCodeScanningSarif baseUrl selection (GHES)', () => {
+    beforeEach(() => {
+        jest.resetModules();
+        jest.clearAllMocks();
+
+        jest.spyOn(core, 'getInput').mockImplementation((_name: string) => '');
+
+        delete process.env.__AUTO_BASE_URL__;
+        delete (global as any).__USED_BASE_URL__;
+    });
+
+    it('Should use explicit input ghe-base-url if given', async () => {
+        (core.getInput as jest.Mock).mockImplementation((name: string) => {
+            if (name === 'ghe-base-url') return 'https://github.enterprise.local/api/v3';
+            if (name === 'ghe_base_url') return '';
+            return '';
+        });
+
+        await (JobSummary as any).uploadCodeScanningSarif('eJx4YWJj', 'ghs_token');
+
+        expect((global as any).__USED_BASE_URL__).toBe('https://github.enterprise.local/api/v3');
+    });
+
+    it('Should falls back to auto GHES baseUrl via @actions/github if input is not specified', async () => {
+        process.env.__AUTO_BASE_URL__ = 'https://ghe.corp.local/api/v3';
+
+        await (JobSummary as any).uploadCodeScanningSarif('eJx4YWJj', 'ghs_token');
+
+        expect((global as any).__USED_BASE_URL__).toBe('https://ghe.corp.local/api/v3');
+    });
+});