Enabling zstd bundles for GHES seems to have broken proxy support on Enterprise Cloud with self-hosted runners #2593

Closed
@vyadh

It looks like a recent change to enable zstd bundles on GHES has broken CodeQL scanning for anyone on Enterprise Cloud with self-hosted runners that are behind a proxy that is configured by the normal https_proxy type system variables.

I did some investigation to understand why, and it appears that in the commit 33f2dc5 the code path used now always uses the streaming version as the feature flag that previously prevented it has been removed.

The main problem seems to be that the change from v3.27.0 to v3.27.1 has switched http libraries and broken the previous proxy support.

Specifically, in the working v3.27.0 version, the feature flag checked here:
https://github.com/github/codeql-action/blob/v3.27.0/lib/tools-download.js#L59
wasn't triggered and therefore it used this code path:
https://github.com/github/codeql-action/blob/v3.27.0/lib/tools-download.js#L73
which downloads via the tool-cache:
https://github.com/actions/toolkit/blob/main/packages/tool-cache/src/tool-cache.ts
and this respects the system proxy variables as you can see in:
https://github.com/actions/toolkit/blob/main/packages/http-client/src/proxy.ts

Unfortunately, now the feature flag is removed in v3.27.1:
https://github.com/github/codeql-action/blob/v3.27.1/lib/tools-download.js#L62
it always uses the streaming method, but this does not use the toolkit http-client that includes system proxy support, and instead appears to use the follow-redirects library here:
https://github.com/github/codeql-action/blob/v3.27.1/lib/tools-download.js#L62
which appears to be a small wrapper over the basic node fetch functionality and does not support proxies as far as I can make out.

This ultimately has meant that we've had to revert to v3.27.0 functionality to get CodeQL scanning in our Enterprise Cloud self-hosted runners working again.

As a short-term fix, is it possible this feature flag can be brought back until proxy support has been added to the new streaming method?
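
Added example, not part of the original issue and not code from codeql-action or actions/toolkit: a Node.js check of which proxy the `https_proxy`-style variables select for a given download URL, so a runner owner can confirm that a download depends on a proxy-aware client. The function names and the sample environment are assumptions constructed for illustration, and IPv6 literals in `no_proxy` are not handled.

```javascript
// Added example: which proxy would a proxy-aware HTTP client pick for a URL,
// based on the conventional environment variables? Names are hypothetical.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns true when `target` (a URL object) matches a no_proxy-style list.
function bypassesProxy(target, noProxy) {
  if (!noProxy) return false;
  const host = target.hostname.toLowerCase();
  const port = target.port || DEFAULT_PORTS[target.protocol];
  for (const raw of noProxy.split(",")) {
    const entry = raw.trim().toLowerCase();
    if (!entry) continue;
    if (entry === "*") return true;
    // An optional ":port" suffix restricts the entry to that port.
    const m = entry.match(/^(.*?)(?::(\d+))?$/);
    const name = m[1].replace(/^\./, "");
    if (m[2] && m[2] !== port) continue;
    // Match the host itself or any subdomain of it.
    if (host === name || host.endsWith("." + name)) return true;
  }
  return false;
}

// Returns the proxy URL to use for `url`, or null for a direct connection.
function resolveProxy(url, env) {
  const target = new URL(url);
  // Lowercase variable wins, uppercase is the fallback.
  const get = (k) => env[k] || env[k.toUpperCase()] || "";
  if (bypassesProxy(target, get("no_proxy"))) return null;
  const proxy =
    target.protocol === "https:" ? get("https_proxy") : get("http_proxy");
  if (!proxy) return null;
  // Accept "host:port" without a scheme by assuming an HTTP proxy.
  return new URL(/^[a-z]+:\/\//i.test(proxy) ? proxy : "http://" + proxy).href;
}

// Constructed sample environment for a runner behind an egress proxy.
const sampleEnv = {
  https_proxy: "http://proxy.example.internal:3128",
  no_proxy: "localhost,.corp.example",
};
```

If `resolveProxy(downloadUrl, process.env)` returns a non-null value on a runner, a client that never reads these variables will attempt a direct connection for that download, which a proxy-only network will block.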

Labels: bug