Merge remote-tracking branch 'origin/releases/v3' into backport-v2.26.7-8214744c5

2026-05-07 14:20:19 +00:00 · 2024-09-13 11:56:49 -04:00
parent 9d8d30f5fe 8214744c54
commit 3452639dc8
420 changed files with 20746 additions and 1435 deletions
@@ -87,7 +87,7 @@ jobs:
          setup-kotlin: 'true'
      - uses: actions/setup-go@v5
        with:
-          go-version: ~1.22.0
+          go-version: ~1.23.0
      # to avoid potentially misleading autobuilder results where we expect it to download
      # dependencies successfully, but they actually come from a warm cache
          cache: false
@@ -87,7 +87,7 @@ jobs:
          setup-kotlin: 'true'
      - uses: actions/setup-go@v5
        with:
-          go-version: ~1.22.0
+          go-version: ~1.23.0
      # to avoid potentially misleading autobuilder results where we expect it to download
      # dependencies successfully, but they actually come from a warm cache
          cache: false
@@ -87,7 +87,7 @@ jobs:
          setup-kotlin: 'true'
      - uses: actions/setup-go@v5
        with:
-          go-version: ~1.22.0
+          go-version: ~1.23.0
      # to avoid potentially misleading autobuilder results where we expect it to download
      # dependencies successfully, but they actually come from a warm cache
          cache: false
@@ -0,0 +1,84 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Job run UUID added to SARIF
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  job-run-uuid-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Job run UUID added to SARIF
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check results
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/results"
+          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
+          if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
+            echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
+            exit 1
+          else
+            echo "Found job run UUID '$actual'."
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true
@@ -66,7 +66,7 @@ jobs:
        with:
      # Swift is not supported on Ubuntu so we manually exclude it from the list here
          languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ./codeql-bundle-linux64.tar.gz
+          tools: ./codeql-bundle-linux64.tar.zst
      - name: Build code
        shell: bash
        run: ./build.sh
@@ -24,7 +24,16 @@ jobs:
        uses: actions/checkout@v4

      - name: Lint
-        run: npm run-script lint
+        id: lint
+        run: npm run-script lint-ci
+
+      - name: Upload sarif
+        uses: github/codeql-action/upload-sarif@v3
+        # Only upload SARIF for the latest version of Node.js
+        if: "always() && matrix.node-types-version == 'current'"
+        with:
+          sarif_file: eslint.sarif
+          category: eslint

      - name: Update version of @types/node
        if: matrix.node-types-version != 'current'
@@ -104,6 +104,7 @@ jobs:
  backport:
    timeout-minutes: 45
    runs-on: ubuntu-latest
+    environment: Automation
    needs: [prepare]
    if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
    strategy:
@@ -114,17 +115,24 @@ jobs:
      SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
      TARGET_BRANCH: ${{ matrix.target_branch }}
    steps:
+    - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4
+      id: app-token
+      with:
+        app-id: ${{ vars.AUTOMATION_APP_ID }}
+        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0  # Need full history for calculation of diffs
    - uses: ./.github/actions/release-initialise

    - name: Update older release branch
+      env:
+        GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
      run: |
        echo SOURCE_BRANCH=${SOURCE_BRANCH}
        echo TARGET_BRANCH=${TARGET_BRANCH}
        python .github/update-release-branch.py \
-          --github-token ${{ secrets.GITHUB_TOKEN }} \
+          --github-token ${GITHUB_TOKEN} \
          --repository-nwo ${{ github.repository }} \
          --source-branch ${SOURCE_BRANCH} \
          --target-branch ${TARGET_BRANCH} \