
Accessing private maven repo using default GitHub configuration #16674

Open
futureviperowner opened this issue Jun 4, 2024 · 5 comments
Labels: question (Further information is requested)

Comments

@futureviperowner

Description of the issue

We've been using the advanced configuration option for GitHub for a while now with no issues. With all of the improvements made to the default configuration option, I wanted to experiment with it to simplify management of our CodeQL configuration. I switched from advanced to default and created a branch that eliminated our CodeQL workflow and configuration file to test it out.

The default CodeQL check triggered and appears to have scanned the code successfully. However, when I view the results under Security | Code scanning | Tools | CodeQL (Default setup) | View configuration, warnings appear that CodeQL was unable to extract dependency information from gradle.


After further investigation this appears to be caused by the fact that our project uses a private maven repo for retrieving dependencies and the CodeQL workflow does not have access to these credentials. Is there a way to fix this or is my only option to stick with the advanced configuration? If the latter, any chance support for this might be added?

@futureviperowner futureviperowner added the question Further information is requested label Jun 4, 2024
@smowton
Contributor

smowton commented Jun 5, 2024

In your normal CI process, how do you teach Gradle to access your private repo?

@futureviperowner
Author

We set some environment variables from GitHub secrets that Gradle picks up and uses in our repository configuration.

@futureviperowner
Author

It occurred to me that calling it "private" might be too vague. It's not private in that it requires a VPN or private network connection. It just requires authentication.

@smowton
Contributor

smowton commented Jun 5, 2024

For the time being that does require advanced mode, I'm afraid -- you'd need to expose those variables, or write a .m2/settings.xml file defining a mirror (yes, even for a Gradle-driven analysis). At that point you might as well use an ordinary traced build, unless there are additional difficulties that still make build-mode none valuable?

In the medium term we are intending to provide specific customisations, like exposing environment variables to the action, that can be used while still in default mode.
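The first of the two advanced-mode options described above (exposing the credential variables to the action), as an added example that is not part of this thread or of the codeql-action project. The secret names and the `privateRepoUser`/`privateRepoPassword` property names are assumptions; the build script is expected to read them in its repository `credentials` block.

```yaml
name: "CodeQL (advanced setup, authenticated Maven repo)"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write   # required to upload the SARIF results

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Job-level env so the Gradle dependency resolution CodeQL performs
    # (even with build-mode: none) can authenticate to the repository.
    # Gradle maps ORG_GRADLE_PROJECT_<name> to project property <name>.
    # Secret names below are assumed for this example; keep the scope to
    # this job so the credentials are not exposed to unrelated steps.
    env:
      ORG_GRADLE_PROJECT_privateRepoUser: ${{ secrets.PRIVATE_REPO_USER }}
      ORG_GRADLE_PROJECT_privateRepoPassword: ${{ secrets.PRIVATE_REPO_PASSWORD }}
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
          # Keep build-mode: none if it still works for you; switch to a
          # traced build ('autobuild' or 'manual') if dependency extraction
          # keeps failing, as suggested above.
          build-mode: none

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java-kotlin"
```

After a run, the "View configuration" page for the tool should no longer report that dependency information could not be extracted from Gradle; if it still does, check the build log to confirm the properties reach the repository block.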

@futureviperowner
Author

Thanks for the clarification. I'll keep an eye out for future releases. We'll stick to the advanced configuration that works fine. The attempt to move to default configuration was really just about simplifying (eliminating) workflows and making onboarding a new repo a bit easier.
