Log information about the runner which may affect the private registry proxy

[mbg]

This PR modifies the start-proxy action to perform a best-effort inspection of some environment variables and language-specific settings which may affect the operation of the authentication proxy. Relevant values are logged so that they are visible in the workflow log.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

• Managed - Impacts users with dynamic workflows (Default Setup, CCR, ...).

Products:

• Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
• Code Quality - The changes impact analyses when analysis-kinds: code-quality.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
• GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
• End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This PR adds environment inspection capabilities to the start-proxy action to log information about proxy-related settings on the runner. The goal is to provide better observability for debugging potential proxy configuration conflicts that may affect the authentication proxy's operation.

Changes:

• Added new src/start-proxy/environment.ts module with functions to inspect environment variables and JDK configuration files for proxy settings
• Added comprehensive unit tests in src/start-proxy/environment.test.ts
• Extended src/languages.ts with JavaEnvVars enum for consistent reference to Java environment variable names
• Refactored src/init-action.ts to use the new JavaEnvVars enum instead of string literals

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/start-proxy/environment.ts	New module implementing environment inspection with functions to check proxy-related environment variables and Java configuration files
src/start-proxy/environment.test.ts	Comprehensive unit tests for the environment inspection module
src/start-proxy-action.ts	Integration of environment inspection with try-catch wrapper for best-effort execution
src/languages.ts	Addition of JavaEnvVars enum for consistent reference to Java environment variable names
src/init-action.ts	Refactored to use JavaEnvVars enum instead of string literals for JAVA_TOOL_OPTIONS
lib/*.js	Auto-generated JavaScript (not reviewed per coding guidelines)

[Copilot]

This code logs the complete value of proxy-related environment variables (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) at INFO level. These environment variables commonly contain embedded credentials in the format http://username:password@proxy:port. Logging these values would expose sensitive credentials in workflow logs.

Consider implementing sanitization to redact credentials from proxy URLs before logging, or logging only the presence/absence of these variables without their values (similar to how the else branch logs at DEBUG level that variables are not set).

[mbg]

I have added some protection against this in 99fcc7b by trying to parse the value as a URL in checkEnvVar and, if successful, clearing the username and password. Broadly, this should only be a concern for the members of ProxyEnvVars since, for the Java properties, there are separate http(s).proxyUser and http(s).proxyPassword which we don't try to find and therefore don't log.

[esbena]

LGTM with a very minor suggestion for yet another FF.

[esbena]

I'm probably grasping at straws here. But what if it is not our Java version that is problematic? But some other Java version chosen at a different point in time. I suppose this is somewhat addressed by the fact that we log File contents explicitly in addition to this effective settings logging

[mbg]

I think this is a valid question and one I have thought about. Other than what you have already said about us inspecting some of the configuration files, my thinking is that there are essentially two scenarios since this is default setup:

1. The runner is a GH-hosted runner, and the configuration of all available JDKs is the standard one we can observe ourselves.
2. The runner is self-hosted and the active Java version at the time the action runs is probably the one a customer would intend to run their build with.

Based on that, I don't think this is unreasonable.