From 4c47b50fd2ade4b9f42fd7218947b500dc824e05 Mon Sep 17 00:00:00 2001
From: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Date: Thu, 21 Sep 2023 17:06:08 +0200
Subject: [PATCH] chore: Add TODO comments

---
 setup/dist/index.js | 18 ++++++++++++++++--
 setup/src/main.ts   | 34 +++++++++++++++++++++++++++-------
 2 files changed, 43 insertions(+), 9 deletions(-)

diff --git a/setup/dist/index.js b/setup/dist/index.js
index 581f439..f508b70 100644
--- a/setup/dist/index.js
+++ b/setup/dist/index.js
@@ -6587,7 +6587,21 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));
 const core = __importStar(__nccwpck_require__(2186));
 const tc = __importStar(__nccwpck_require__(7784));
 const exec = __importStar(__nccwpck_require__(1514));
+// TODO Update to 2.0.0 once available
 const INTERNAL_FCLI_VERSION = 'dev_develop';
+// TODO For both fcli and other tools, if version is 'latest', we probably shouldn't use
+//      tool cache (as then we may never download newer versions), but we do want to check
+//      whether installPath already exists to avoid reinstalling multiple times within a
+//      single workflow (depending on how we organize other actions, this setup action may 
+//      be invoked multiple times).
+// TODO Somewhat related, if version is 'default', we may want to translate that to the 
+//      actual version number for use in tool path and cache. For tools installed through
+//      fcli, we can run `fcli tool * list` with query and output options to get the version
+//      number for the default version.
+// TODO We may need 'internal' versions for the other tools as well, for example a composite
+//      export-vulnerabilities workflow may use this setup action to install a specific FVE
+//      version, but we don't want to add that version to the system path as we don't want
+//      the export-vulnerabilities action to override the FVE version requested by the user.
 /**
  * Install fcli
  * @returns path to the directory where fcli was installed
@@ -6596,7 +6610,7 @@ function installFcli(fcliVersion) {
     return __awaiter(this, void 0, void 0, function* () {
         let cachedPath = tc.find('fcli', fcliVersion);
         if (cachedPath) {
-            core.info(`Using fcli ${fcliVersion} from cache`);
+            core.info(`Using previously installed fcli ${fcliVersion}`);
         }
         else {
             const baseUrl = fcliVersion === 'latest'
@@ -6641,7 +6655,7 @@ function installTool(internalFcli, toolName, toolVersion) {
         if (toolVersion !== 'none') {
             let installPath = tc.find(toolName, toolVersion);
             if (installPath) {
-                core.info(`Using ${toolName} ${toolVersion} from cache`);
+                core.info(`Using previously installed ${toolName} ${toolVersion}`);
             }
             else {
                 core.info(`Installing ${toolName} ${toolVersion}`);
diff --git a/setup/src/main.ts b/setup/src/main.ts
index ee34ce5..d637054 100644
--- a/setup/src/main.ts
+++ b/setup/src/main.ts
@@ -2,8 +2,23 @@ import * as core from '@actions/core';
 import * as tc from '@actions/tool-cache';
 import * as exec from '@actions/exec';
 
+// TODO Update to 2.0.0 once available
 const INTERNAL_FCLI_VERSION='dev_develop';
 
+// TODO For both fcli and other tools, if version is 'latest', we probably shouldn't use
+//      tool cache (as then we may never download newer versions), but we do want to check
+//      whether installPath already exists to avoid reinstalling multiple times within a
+//      single workflow (depending on how we organize other actions, this setup action may 
+//      be invoked multiple times).
+// TODO Somewhat related, if version is 'default', we may want to translate that to the 
+//      actual version number for use in tool path and cache. For tools installed through
+//      fcli, we can run `fcli tool * list` with query and output options to get the version
+//      number for the default version.
+// TODO We may need 'internal' versions for the other tools as well, for example a composite
+//      export-vulnerabilities workflow may use this setup action to install a specific FVE
+//      version, but we don't want to add that version to the system path as we don't want
+//      the export-vulnerabilities action to override the FVE version requested by the user.
+
 /**
  * Install fcli
  * @returns path to the directory where fcli was installed
@@ -11,7 +26,7 @@ const INTERNAL_FCLI_VERSION='dev_develop';
 async function installFcli(fcliVersion: string): Promise<string> {
 	let cachedPath = tc.find('fcli', fcliVersion);
 	if (cachedPath) {
-		core.info(`Using fcli ${fcliVersion} from cache`);
+		core.info(`Using previously installed fcli ${fcliVersion}`);
 	} else {
 		const baseUrl = fcliVersion === 'latest'
 			? 'https://github.com/fortify/fcli/releases/latest/download'
@@ -48,15 +63,15 @@ function getFcliVersion(): string {
 	}
 }
 
-async function installTool(internalFcliPath: string, toolName: string, toolVersion: string): Promise<void> {
+async function installTool(internalFcli: string, toolName: string, toolVersion: string): Promise<void> {
 	if (toolVersion !== 'none') {
 		let installPath = tc.find(toolName, toolVersion);
 		if (installPath) {
-			core.info(`Using ${toolName} ${toolVersion} from cache`);
+			core.info(`Using previously installed ${toolName} ${toolVersion}`);
 		} else {
 			core.info(`Installing ${toolName} ${toolVersion}`);
 			installPath = `/opt/fortify/${toolName}/${toolVersion}`;
-			await exec.exec(`${internalFcliPath}/fcli`, ['tool', toolName, 'install', toolVersion, '-d', installPath]);
+			await exec.exec(internalFcli, ['tool', toolName, 'install', toolVersion, '-d', installPath]);
 			installPath = await tc.cacheDir(installPath, toolName, toolVersion);
 		}
 		core.addPath(`${installPath}/bin`);
@@ -66,11 +81,16 @@ async function installTool(internalFcliPath: string, toolName: string, toolVersi
 async function main(): Promise<void> {
 	const tools = ['sc-client', 'fod-uploader', 'vuln-exporter']
 	try {
-		const internalFcliPath = await installFcli(INTERNAL_FCLI_VERSION);
-		core.exportVariable('INTERNAL_FCLI_PATH', internalFcliPath);
+		// Install fixed fcli version for internal action use. The path to the
+		// internal fcli executable is accessible through the INTERNAL_FCLI
+		// environment variable.
+		const internalFcli = core.toPlatformPath(await installFcli(INTERNAL_FCLI_VERSION)+'/fcli');
+		core.exportVariable('INTERNAL_FCLI', internalFcli);
+		
+		// Install user-specified fcli version and other Fortify tools
 		core.addPath(await installFcli(getFcliVersion()));
 		for (const tool of tools) {
-			await installTool(internalFcliPath, tool, core.getInput(tool))
+			await installTool(internalFcli, tool, core.getInput(tool))
 		}
 	} catch (err) {
 		core.setFailed("Action failed with error: " + err);