ForAllSecure · vlussenburg · Mar 3, 2023 · Mar 1, 2023 · Mar 1, 2023 · Mar 1, 2023
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -74,12 +74,14 @@ jobs:
         with:
           name: coverage-report
           path: out/coverage/
+          if-no-files-found: error
 
       - name: Archive JUnit results
         uses: actions/upload-artifact@v3
         with:
           name: mcode-junit
           path: out/junit/
+          if-no-files-found: error
 
       - name: Upload SARIF file(s)
         uses: github/codeql-action/upload-sarif@v2
@@ -111,3 +113,31 @@ jobs:
         run: |
           [ -z "${{ steps.mcode-action.outputs.runId }}" ] && echo "runId was blank!" && exit 1;
           echo "The run id was: ${{ steps.mcode-action.outputs.runId }}"
+
+  # note: requires human inspection by checking the output and seeing the overrided inputs are picked up.
+  test-override-inputs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # fetch entire history to compute diffs between jobs
+          fetch-depth: 0
+
+      - uses: ./
+        id: mcode-action
+        with:
+          mayhem-url: https://demo.forallsecure.com
+          mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          args: --image forallsecure/lighttpd:vulnerable --file __tests__/Mayhemfile --duration 60
+          # override the default owner which is forallsecure
+          # the secrets.MAYHEM_TOKEN is this case is owned by vlussenburg, which is why we choose that owner here
+          owner: vlussenburg
+          # override default verbosity which is info (contrary to what the `action.yml` says: https://github.com/ForAllSecure/mcode-action/blob/806778bb4a79d793f678087d0f9f3ff18f9a2d93/src/main.ts#L36)
+          verbosity: debug
+          # already covered and skipped in this test: mayhem-token, mayhem-url, github-token, sarif|junit|coverage-output, args
+
+      - name: Print runId (${{ steps.mcode-action.outputs.runId }}) and test it's non-empty
+        run: |
+          [ -z "${{ steps.mcode-action.outputs.runId }}" ] && echo "runId was blank!" && exit 1;
+          echo "The run id was: ${{ steps.mcode-action.outputs.runId }}"
diff --git a/__tests__/Mayhemfile b/__tests__/Mayhemfile
@@ -4,13 +4,11 @@ project: forallsecure/lighttpd                 # be filled at
 target: lighttpd                               # run creation time
 advanced_triage: true
 tasks:
+  # just do one quick task
   - name: exploitability_factors
-  - name: regression_testing
-  - name: behavior_testing
-  - name: coverage_analysis
 cmds:
   - cmd: /usr/local/sbin/lighttpd -D -f /usr/local/etc/lighttpd.conf
     network:
       url: tcp://localhost:80
       timeout: 2
-      client: false
+      client: false
diff --git a/action.yml b/action.yml
@@ -8,6 +8,10 @@ inputs:
   mayhem-url:
     description: URL pointing to your Mayhem instance
     required: false
+  owner:
+    description: sets the owner of the project (organization or user).
+    required: false
+    default: ${{ github.repository_owner }}
   github-token:
     description: github token for posting feedback
     required: false

diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/main.ts b/src/main.ts
@@ -34,6 +34,7 @@ async function run(): Promise<void> {
     const junitOutput: string = core.getInput("junit-output") || "";
     const coverageOutput: string = core.getInput("coverage-output") || "";
     const verbosity: string = core.getInput("verbosity") || "info";
+    const owner: string = core.getInput("owner").toLowerCase();
     const args: string[] = (core.getInput("args") || "").split(" ");
 
     // defaults next
@@ -44,15 +45,14 @@ async function run(): Promise<void> {
       args.push("--image", "forallsecure/debian-buster:latest");
     }
 
-    // Auto-generate target name
     const repo = process.env["GITHUB_REPOSITORY"];
-    const account = repo?.split("/")[0].toLowerCase();
     if (repo === undefined) {
       throw Error(
         "Missing GITHUB_REPOSITORY environment variable. " +
           "Are you not running this in a Github Action environment?"
       );
     }
+
     const eventPath = process.env["GITHUB_EVENT_PATH"] || "event.json";
     const event = JSON.parse(readFileSync(eventPath, "utf-8")) || {};
     const eventPullRequest = event.pull_request;
@@ -114,7 +114,7 @@ async function run(): Promise<void> {
     # Run mayhem
     run=$(${cli} --verbosity ${verbosity} run . \
                  --project ${repo.toLowerCase()} \
-                 --owner ${account} ${argsString});
+                 --owner ${owner} ${argsString});
 
     # Persist the run id to the GitHub output
     echo "runId=$run" >> $GITHUB_OUTPUT;
@@ -137,20 +137,20 @@ async function run(): Promise<void> {
 
     # wait for run to finish
     ${cli} --verbosity ${verbosity} wait $run \
-            --owner ${account} \
+            --owner ${owner} \
             ${waitArgsString};
 
     # check status, exit with non-zero status if failed or stopped
     status=$(${cli} --verbosity ${verbosity} show \
-                    --owner ${account} \
+                    --owner ${owner} \
                     --format json $run | jq '.[0].status');
     if [[ $status == *"stopped"* || $status == *"failed"* ]]; then
       exit 2;
     fi
 
     # download coverage (owner flag doesn't work for download, prepend instead)
     if [ -n "${coverageOutput}" ]; then
-      ${cli} --verbosity ${verbosity} download ${account}/$run -o ${coverageOutput};
+      ${cli} --verbosity ${verbosity} download ${owner}/$run -o ${coverageOutput};
     fi
     `;