Bundle Custom Location #1

Closed
GeekMasher opened this issue Mar 31, 2022 · 2 comments

@GeekMasher
Collaborator

Right now the Action pulls from the github/codeql-action repository. It would be great to be able to point to an external CodeQL bundle created by the community so that if a user wants to build on another bundle, you could specify it.

Solution

The values in the bundle.ts should come from the action.yml (default value is github/codeql-action).

- name: CodeQL bundle
  id: codeql-bundle
  uses: advanced-security/codeql-bundle-action@main
  with:
    packs: "geekmasher/python"
    bundle: advanced-security/codeql-queries
    # or a link?
    # bundle: https://s3.amazonaws.com/<bucket>/<object>

This also helps if users already store a version of the CodeQL Bundle in GitHub Packages, an S3 bucket, Artifactory, etc.

Suggestions for other solutions are welcome too.

@rvermeulen
Contributor

After giving this some thought, I think we should have the bundle either be a public URL or a local path.

Then all the various authentication schemes can be excluded from this action which provides the most flexibility. That is, before this action add a step to download the bundle through any means (e.g., S3, Azure Blob, ...) and make it available to this action.

@rvermeulen
Contributor

Since version 2.0 you can obtain a bundle from any location before customizing it.
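
The thread names three shapes for the bundle value: an owner/repo name, an https link, and a local path. The sketch below tells them apart and rejects URLs that carry credentials, in line with keeping authentication out of the action. It is an added example, not code from the project's bundle.ts; `resolveBundleSource`, the `BundleSource` type and the rule that local paths start with `/`, `./` or `../` are assumptions.

```typescript
// Added example, not the action's code. Names below are hypothetical.
type BundleSource =
  | { kind: "repository"; owner: string; repo: string }
  | { kind: "url"; url: string }
  | { kind: "path"; path: string };

// Default named in the issue text.
const DEFAULT_BUNDLE = "github/codeql-action";

function resolveBundleSource(input?: string): BundleSource {
  const value = (input ?? "").trim() || DEFAULT_BUNDLE;

  // Anything with a scheme is a URL; only plain HTTPS is accepted.
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) {
    const url = new URL(value); // throws on malformed input
    if (url.protocol !== "https:") {
      throw new Error(`bundle URL must use https, got ${url.protocol}`);
    }
    // Do not echo the value here: it would put the secret in the job log.
    if (url.username || url.password) {
      throw new Error("bundle URL must not embed credentials");
    }
    return { kind: "url", url: url.toString() };
  }

  // Assumption: local paths are absolute or start with ./ or ../, so a
  // relative path such as "dist/bundle" is never mistaken for owner/repo.
  if (/^(\/|\.\.?\/)/.test(value)) {
    if (value.includes("\0")) throw new Error("bundle path contains NUL");
    return { kind: "path", path: value };
  }

  // owner/repo shorthand, as in `bundle: advanced-security/codeql-queries`.
  const m = /^([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)\/([A-Za-z0-9._-]+)$/.exec(value);
  if (m && m[2] !== "." && m[2] !== "..") {
    return { kind: "repository", owner: m[1], repo: m[2] };
  }
  throw new Error("bundle must be owner/repo, an https URL, or a local path");
}
```

A bare file name such as `codeql-bundle.tar.gz` is rejected rather than guessed at; the caller has to write `./codeql-bundle.tar.gz` to mean a local file.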
