MacOS CodeQL enableAutomaticCodeQLInstall forbidden #11925

stefanrenne opened this issue Apr 1, 2025 · 4 comments
Labels
bug report investigate Collect additional information, like space on disk, other tool incompatibilities etc. OS: macOS


stefanrenne commented Apr 1, 2025

Description

The AdvancedSecurity-Codeql-Init@1 task has the option to automatically install the latest version

- task: AdvancedSecurity-Codeql-Init@1
  inputs:
    enableAutomaticCodeQLInstall: true

50% of the time it fails with a 403 (Forbidden):

2025-04-01T07:50:30.9591570Z ##[section]Starting: Advanced Security Codeql Initialize
2025-04-01T07:50:30.9598030Z ==============================================================================
2025-04-01T07:50:30.9598240Z Task         : Advanced Security Initialize CodeQL
2025-04-01T07:50:30.9598380Z Description  : Initializes the CodeQL database in preparation for building.
2025-04-01T07:50:30.9598560Z Version      : 1.1.311
2025-04-01T07:50:30.9598660Z Author       : Microsoft Corporation
2025-04-01T07:50:30.9598780Z Help         : https://aka.ms/advancedsecurity/code-scanning/detection
2025-04-01T07:50:30.9599080Z ==============================================================================
2025-04-01T07:50:31.6831380Z Session Id=d002106b-dd67-4e8a-874b-0f27e4424fa0
2025-04-01T07:50:31.6845400Z Starting CodeQL automatic detection and installation.
2025-04-01T07:50:31.6845820Z ##[group]CodeQL Detection and Installation
2025-04-01T07:50:31.6846260Z Retrieving the latest release information for https://api.github.com/repos/github/codeql-action/releases/latest
2025-04-01T07:50:31.8900440Z ##[warning] Request failed with status code 403
2025-04-01T07:50:31.9840830Z ##[group]Install and Setup CodeQL tools
2025-04-01T07:50:31.9982680Z ##[endgroup]
2025-04-01T07:50:32.0009980Z ##[warning] The GitHub release API URL for CodeQL failed.
2025-04-01T07:50:32.0072200Z ##[error]The GitHub release API URL for CodeQL failed.
2025-04-01T07:50:32.0089940Z 
2025-04-01T07:50:32.1091810Z Learn more about the scan for the CodeQL build tasks:
2025-04-01T07:50:32.1604200Z https://aka.ms/advanced-security/code-scanning/detection
2025-04-01T07:50:32.1643230Z 
2025-04-01T07:50:32.1981970Z ##[section]Finishing: Advanced Security Codeql Initialize

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 20.04
  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Image version and build link

MacOS14: 20250324.987
MacOS15: 20250327.1013

Is it regression?

no

Expected behavior

Download and use the latest version of Graphql

Actual behavior

Fails with a 403

Repro steps

- task: AdvancedSecurity-Codeql-Init@1
  inputs:
    enableAutomaticCodeQLInstall: true

@prasanjitsahoo (Contributor)

Hi @stefanrenne , We'll investigate the issue and keep you informed of any updates. Thank you.

@prasanjitsahoo prasanjitsahoo added the investigate Collect additional information, like space on disk, other tool incompatibilities etc. label Apr 9, 2025
@diegoddp

Hi @stefanrenne, please verify that your GitHub API rate limits are not being exceeded. The 403 error might be due to hitting the rate limit for API requests.

@prasanjitsahoo (Contributor)

Hi @stefanrenne 👋,
The latest CodeQL version is now available post-deployment. Could you please verify from your end once again?

The 403 Forbidden error during CodeQL auto-install is a known behavior and typically stems from unauthenticated access to the GitHub public API:
https://api.github.com/repos/github/codeql-action/releases/latest

Why It Fails ~50% of the Time:
This is due to GitHub’s rate limiting for unauthenticated requests — limited to 60 requests/hour per IP. In shared environments (e.g., hosted runners or NATed gateways), this limit is commonly exceeded, resulting in:
##[warning] Request failed with status code 403

@stefanrenne (Author)

@prasanjitsahoo would be great if there would be an option for auto-install to use a custom GitHub API token
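
A diagnostic sketch for the rate-limit explanation and the token suggestion in this thread, added here as an example and not code from the issue, the task or its maintainers. It uses GitHub's `x-ratelimit-*` and `retry-after` response headers to tell an exhausted quota from a genuine permission error; the function names `classify` and `probe` are hypothetical and the sample headers are constructed.

```python
import time
import urllib.error
import urllib.request

RELEASES_URL = "https://api.github.com/repos/github/codeql-action/releases/latest"  # from the task log
UNAUTH_LIMIT = 60  # unauthenticated requests per hour per IP, as stated in the thread


def classify(status, headers, now=None):
    """Explain a GitHub API response: rate limiting versus a real permission error."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    limit = int(h.get("x-ratelimit-limit", -1))
    # shared_ip_quota is a heuristic: a limit of 60 means the per-IP unauthenticated bucket.
    result = {"cause": "other", "retry_in": None, "shared_ip_quota": limit == UNAUTH_LIMIT}
    if status not in (403, 429):
        return result
    if "retry-after" in h:  # secondary limit: the server states how long to wait
        result.update(cause="secondary-rate-limit", retry_in=int(h["retry-after"]))
    elif h.get("x-ratelimit-remaining") == "0":  # primary quota exhausted until the reset time
        reset = int(h.get("x-ratelimit-reset", now))
        result.update(cause="primary-rate-limit", retry_in=max(0, int(reset - now)))
    else:  # quota is left, so waiting or retrying will not help
        result["cause"] = "forbidden"
    return result


def probe(token=None):
    """Query the releases endpoint, optionally authenticated, and classify the outcome."""
    req = urllib.request.Request(RELEASES_URL, headers={"Accept": "application/vnd.github+json"})
    if token:  # an authenticated request is counted against the token's quota, not the shared IP
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers))


# Constructed sample headers (not taken from the log in this issue).
NOW = 1743493831
EXHAUSTED = {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1743494400"}
DENIED = {"X-RateLimit-Limit": "5000", "X-RateLimit-Remaining": "4990", "X-RateLimit-Reset": "1743494400"}

if __name__ == "__main__":
    print(classify(403, EXHAUSTED, NOW))
    print(classify(403, DENIED, NOW))
```

Running `probe()` from a script step on the affected agent shows whether the agent's outbound IP has used up the unauthenticated quota; passing a token to `probe` checks the same endpoint with authentication.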
