Running Variant Analysis Across Multiple Organizations with a Single Controller Repository

[BullHacks3]

👋 Folks,

Scenario:
We have several internal organizations (e.g., org1, org2, org3), and we want to run variant analysis across all different repositories within these organizations. However, we only want to maintain a single controller repository in org1. Currently, when attempting to do this, we are facing issues.

Request:
Is there a way to run variant analysis across different organizations (where the repositories are private) while having only one controller repository in org1?

[charisk]

Hi @BullHacks3.

Currently, when attempting to do this, we are facing issues.

Can you please elaborate on this? What issues are you seeing? Are there any error logs that you can share?

[BullHacks3]

Let's take an example:

There are two different orgs:

org 1 --> staging
org 2 --> production

controller repository is present in org1 --> staging/controller

I'm trying to run the variant analysis on a repo available in production org (i.e production/sample-mp).

I'm getting error repostiory not found

RequestError [HttpError]: Repository not found for variant analysis
Error: Repository not found for variant analysis
    at /home/runner/work/_actions/github/codeql-variant-analysis-action/main/dist/query.js:41352:26
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async updateVariantAnalysisStatus (/home/runner/work/_actions/github/codeql-variant-analysis-action/main/dist/query.js:79458:5)
    at async setVariantAnalysisRepoInProgress (/home/runner/work/_actions/github/codeql-variant-analysis-action/main/dist/query.js:79418:3)
    at async run (/home/runner/work/_actions/github/codeql-variant-analysis-action/main/dist/query.js:80527:7) {
  status: 404,
  response: {
    url: 'https://api.github.com/repositories/829375434/code-scanning/codeql/variant-analyses/11470/repositories/660872967/status',
    status: 404,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Thu, 22 Aug 2024 09:48:22 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '0400:3C1FAC:3DB1490:3E2C7BD:66C70966',
      'x-ratelimit-limit': '15000',
      'x-ratelimit-remaining': '14999',
      'x-ratelimit-reset': '1724323702',
      'x-ratelimit-resource': 'code_scanning_variant_analysis_update',
      'x-ratelimit-used': '1',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Repository not found for variant analysis',
      documentation_url: 'https://docs.github.com/rest/code-scanning/code-scanning#update-the-analysis-status-of-a-repository-in-a-codeql-variant-analysis',
      status: '404'
    }
  },
  request: {
    method: 'PATCH',
    url: 'https://api.github.com/repositories/829375434/code-scanning/codeql/variant-analyses/[114](https://github.com/testing/codeql-mrva-controller/actions/runs/10505755931/job/29103977747#step:8:114)70/repositories/660872967/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'GitHub multi-repository variant analysis action octokit-core.js/5.0.1 Node.js/20.13.1 (linux; x64)',
      authorization: 'RemoteAuth [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"status":"in_progress"}',
    request: {
      fetch: [AsyncFunction: customFetch],
      hook: [Function: bound bound register]
    }
  }
}
Request to PATCH /repositories/829375434/code-scanning/codeql/variant-analyses/11470/repositories/660872967/status failed with status code 404
/home/runner/work/_actions/github/codeql-variant-analysis-action/main/dist/query.js:41352
          const error2 = new import_request_error.RequestError(toErrorMessage(data), status, {
                         ^
RequestError [HttpError]: Repository not found for variant analysis
    at /home/runner/work/_actions/github/codeql-variant-analysis-action/main/dist/query.js:41352:26
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async updateVariantAnalysisStatus (/home/runner/work/_actions/github/codeql-variant-analysis-action/main/dist/query.js:79458:5)
    at async setVariantAnalysisFailed (/home/runner/work/_actions/github/codeql-variant-analysis-action/main/dist/query.js:79441:3)
    at async run (/home/runner/work/_actions/github/codeql-variant-analysis-action/main/dist/query.js:80567:7) {
  status: 404,
  response: {
    url: 'https://api.github.com/repositories/829375434/code-scanning/codeql/variant-analyses/11470/repositories/660872967/status',
    status: 404,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Thu, 22 Aug 2024 09:48:23 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'github.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '0400:3C1FAC:3DB153B:3E2C85D:66C70966',
      'x-ratelimit-limit': '15000',
      'x-ratelimit-remaining': '14998',
      'x-ratelimit-reset': '1724323702',
      'x-ratelimit-resource': 'code_scanning_variant_analysis_update',
      'x-ratelimit-used': '2',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Repository not found for variant analysis',
      documentation_url: 'https://docs.github.com/rest/code-scanning/code-scanning#update-the-analysis-status-of-a-repository-in-a-codeql-variant-analysis',
      status: '404'
    }
  },
  request: {
    method: 'PATCH',
    url: 'https://api.github.com/repositories/829375434/code-scanning/codeql/variant-analyses/11470/repositories/660872967/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'GitHub multi-repository variant analysis action octokit-core.js/5.0.1 Node.js/20.13.1 (linux; x64)',
      authorization: 'RemoteAuth [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"status":"failed","failure_message":"Repository not found for variant analysis"}',
    request: {
      fetch: [AsyncFunction: customFetch],
      hook: [Function: bound bound register]
    }
  }
}

ERROR: Repository not found for variant analysis

Issue:

• We are unable to perform variant analysis across cross organizations (private) repositories, using single controller repository.

[charisk]

Thanks @BullHacks3 for the additional information.

I've tried this locally and I can confirm I'm able to run a variant analysis that covers repos against different orgs. Both my repos were private.

Can you confirm whether you're able to run variant analysis against those repos individually? I wonder if there is something special around your access to those repos.

Also can you tell us about how you're logged in to the VS Code extension?