If CRDA fails with exit code 1, the action doesn't fail at that point it fails at the later stage.
Exit codes should be handled better.
Example: https://github.com/redhat-actions/crda/runs/3597871246?check_suite_focus=true#step:10:699

In the python test workflow, pip install is failing.
Workflow 👉 https://github.com/redhat-actions/crda/runs/5086723834?check_suite_focus=true#step:5:67

If PR author has write access, workflow runs stating label is present but no label is found in the PR.

Ref: divyansh42/express-ts#1

An extension of #3

User may need SARIF as an artifact to download and view.
So uploading that as a part of this action can be a good addition.
Possible inputs can be:

• upload_artifact (Boolean value, defaults to true)
• upload_artifact_filename (File name to upload)

Rather than delegating the upload step to the user

It points to the base repo tetchel/express-ts but the scan was acutally run on divyanshu/express-ts

Is your feature request related to a problem? Please describe.

Node.js 12 actions are deprecated

Describe the solution you'd like

Update Node version

Describe alternatives you've considered

Additional context

https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Just fail the workflow don't add failed label.
Add failed label only if exit code is 1

Just fail the workflow don't add failed label.
Add failed label only if exit code is 1

Our CI jobs for Golang was failing as it was not able to add some of the dependency to the go.sum file. To avoid any such problem in future it will be good to use go mod tidy instead of go mod vendor

the redhat actions are MIT licensed. This repo is currently licensed under Apache 2.0.

ie, prevent this

If package-lock.json is present, npm ci is the correct deps installation command
Otherwise, if yarn.lock is present, yarn install --frozen-lockfile is the correct deps installation command

if neither is present, I suppose npm i is fine
if both are present, it should be an error

Is your feature request related to a problem? Please describe.

I started using crda in a project and I love what I can get from it, but I'm getting random errors that I'm unable to debug because they are quite hard to reproduce (they appear randomly without a clear cause); furthermore, the error messages are not really clear about what's happening.

Describe the solution you'd like

I would like to have better error messages to know when the action is failing and why.

Describe alternatives you've considered

Are there any throttling limits for the scans that we should know?

Additional context

I provide here some examples, this is my workflow:

name: Scan Java project
on:
  push:
  
jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        os: [ "macos-latest", "ubuntu-20.04" ] # removed (, "windows-latest") because got a lot of timeout failures
        # Test once with explicit manifest_file, and once without
        manifest_file: [ "pom.xml", "" ]
    runs-on: ${{ matrix.os }}
    permissions: write-all
      # todo: find permissions
    defaults:
      run:
        shell: bash
    name: Analyse Java project
    steps:
      - name: Checkout action
        uses: actions/checkout@v3

      - name: Setup Java
        uses: actions/setup-java@v2
        with:
          distribution: temurin
          java-version: 11
          cache: maven

      - name: Install CRDA
        uses: redhat-actions/[email protected]
        with:
          source: github
          github_pat: ${{ github.token }}
          crda: "latest"

      - name: CRDA Scan
        id: crda_scan
        uses: redhat-actions/[email protected]
        with:
          manifest_file: ${{ matrix.manifest_file }}
          snyk_token: ${{ secrets.SNYK_KEY }}
          fail_on: never

      - name: Print JSON analysis report
        if: ${{ always() && steps.crda_scan.outputs.crda_report_json }}
        run: cat ${{ steps.crda_scan.outputs.crda_report_json }}

      - name: Print SARIF analysis report
        if: ${{ always() && steps.crda_scan.outputs.crda_report_sarif }}
        run: cat ${{ steps.crda_scan.outputs.crda_report_sarif }}

      - name: Print Report Link
        run: echo ${{ steps.crda_scan.outputs.report_link }}

      - name: Print Artifact Name
        run: echo ${{ steps.crda_scan.outputs.artifact_name }}

And sometimes all the runs fail, other times a few complete and others fail, this one failed only in the macos case without the pom.xml specified, complaining about an invalid '<' character, but the same action ran correctly only repeating the run (Re-run failed jobs):

Run redhat-actions/[email protected]
Working directory is /Users/runner/work/DevSecOpsWorkshop-jm/DevSecOpsWorkshop-jm
crda version
/usr/local/bin/git rev-parse HEAD
e0[19](https://[redacted]/DevSecOpsWorkshop-jm/actions/runs/3330075886/jobs/5508676708#step:5:21)9b383358e6ca316cd737d56931074f0f686e
Ref to analyze is "refs/heads/master"
Commit to analyze is "e0199b383358e6ca316cd737d56931074f0f686e"
"manifest_directory" not provided. Using working directory "/Users/runner/work/DevSecOpsWorkshop-jm/DevSecOpsWorkshop-jm"
"manifest_file" input not provided. Auto-detecting manifest file
🔍 Looking for manifest in "/Users/runner/work/DevSecOpsWorkshop-jm/DevSecOpsWorkshop-jm"
Manifest file is pom.xml
Dependencies will be installed using Maven strategy
⬇️ Installing dependencies...
mvn -ntp -B package
✅ Finished installing dependencies
🖊️ Setting consent_telemetry to false.
/Users/runner/work/_temp/openshift-bin/crda config set consent_telemetry false
successfully set configuration value
🔐 Authenticating with the provided Snyk Token.
/Users/runner/work/_temp/openshift-bin/crda auth --snyk-token=***
*** Suppressing command output
Successfully Registered. 

crda_key:***

This key is confidential, Please keep it safe!

✅ Successfully authenticated with the provided Snyk Token.
/Users/runner/work/_temp/openshift-bin/crda analyse pom.xml --verbose --client=gh-actions
Analysing your Dependency Stack! Please wait...
invalid character '<' looking for beginning of value
Error: crda exited with code 1
invalid character '<' looking for beginning of value

In another run I got this one (just the error msg), I got a timeout but I don't know for which server or where is it connecting:

[...]
Adding labels "CRDA Scan Failed" to pull request
Error: crda exited with code 1
2:09PM ERR Stack Analyses Get Request Failed with status code 408.  Please retry after sometime. If issue persists, Please raise at https://github.com/fabric8-analytics/cli-tools/issues."
message from server: Stack analysis request e08dce85b9784c6db2ced5e8ebd8d622 has timed out. Please retry with a new analysis.
[...]

This one looks that it couldn't authenticate for some reason, but got an exit code 1 only:

[...]
🔐 Authenticating with the provided Snyk Token.
/home/runner/work/_temp/openshift-bin/crda auth --snyk-token=***
*** Suppressing command output
Adding labels "CRDA Scan Failed" to pull request
Error: crda exited with code 1
Usage:
  crda auth [flags]

Flags:
  -h, --help                help for auth
  -t, --snyk-token string   Authenticate with Snyk Token to unlock Verbose stack analyses.

Global Flags:
  -m, --client string   Client [tekton/jenkins/gh-actions] (default "terminal")
  -d, --debug           Sets Log level to Debug.
  -c, --no-color        Toggle colors in output.



/usr/bin/git checkout master
Switched to branch 'master'
Your branch is up to date with 'origin/master'.
/usr/bin/git remote remove remote-8
/usr/bin/git branch -D pr-8
Deleted branch pr-8 (was a9989a3).

Thanks for the great work!

Similar to what we have in other actions,

• for CI checks
• latest tag
• test workflows

1. There is an extra path.resolve or join here. the /home/runner/work/express-ts should not be part of this path.
   

2. Skip deps install chdir if not necessary
   

3. Improve output when sarif upload is slow
   

Workflows that we presently have as a test case is not at all suitable to test the different scenarios and different ecosystems.
The problem in adding test workflows is we can't have all the manifest files present in the redhat-actions/crda repository and if we checkout it in the workflow then commit-sha required during the SARIF upload will be invalid (as that doesn't belong to this repo).

We would have to discuss more on this to get a working workflow.

If running any git command, it fails on the windows runner.
The reason of the failure is not confirmed yet as there is no proper logs by the exec command
Path of the installed git is https://github.com/divyansh42/crda/runs/3485174117?check_suite_focus=true#step:6:2852

Needs further analysis

Default are:

I think fail_on input doesn't work very well for a CI workflow. Ideally, before failing we should upload the SARIF to GitHub.
So that users are aware of which deps made the workflow fail.
and the other thing, if for a PR admin sets fail_on to never as he wants to see vuln. uploaded on GH security tab, but he will get CRDA scan passed in the label.
Both the things are kind of contradictory, on one side he is getting vuln in the security tab, and also he is getting crda scan passed.
Probably we should update the labels:

• crda-found-warning ---> in case of warning
• crda-found-error ---> in case of error
• crda scan passed --> no vulnerability
• crda-scan-failed --> for workflow failure/anything wrong
• crda-scan-pending ---> pending approval
• crda-scan-approved ---> scan approved

We have to run analyse in JSON mode to collect the data. But we can also run it in regular mode for some nice output.

So a user can read/copy it if they want.

Debug mode does not show the cause, either

Few inputs are too long, which may be bad as per UX.
Need to think of a better replacement of those inputs.

• dependency_installation_cmd ---> deps_install_cmd
• manifest_file_path --> manifest_path
• analysis_report_file_name ---> analysis_report_name
• fail_on_vulnerability ---> fail_on with accepted values error, warning and never (same behaviour as false)

It seems like the value set as a secret can't be set in output.
Verify this behavior once

Question

Marketplace documentation page for Github Actions about redhat-actions/crda contains typos making runs to fail.
Following typos considered:

• Required unless synk_token is set
• For authentication, you must provide either a CRDA Key or a Synk Token.
• Sign up for Synk.
• Go to Account settings to find your Synk Token (aka "key").
• Provide the token in the synk_token input.
• Run crda auth. Provide the Snyk token so the CRDA Key can also access the Synk database.

https://github.com/marketplace/actions/codeready-dependency-analytics#action-inputs

In this case, we can bypass the PR security process since the committer already has write access/