From fcdf5dd4cf22ae17254feae1708a1037f4cb0160 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Thu, 14 May 2026 17:21:52 +0100 Subject: [PATCH 01/15] Add PR checks shortcut to `package.json` --- package.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/package.json b/package.json index d46e50792..15fbe1c26 100644 --- a/package.json +++ b/package.json @@ -12,7 +12,8 @@ "ava": "npm run transpile && ava --verbose", "test": "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", - "transpile": "tsc --build --verbose tsconfig.json" + "transpile": "tsc --build --verbose tsconfig.json", + "update-pr-checks": "pr-checks/sync.sh" }, "license": "MIT", "workspaces": [ From aa005faaad68ba76e579afbcdc6b87297c3b291a Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Thu, 14 May 2026 17:29:44 +0100 Subject: [PATCH 02/15] PR checks: Run slowest macOS checks on larger runners --- .github/workflows/__all-platform-bundle.yml | 2 +- .../workflows/__multi-language-autodetect.yml | 18 +++++------ .github/workflows/__swift-autobuild.yml | 2 +- .github/workflows/__swift-custom-build.yml | 6 ++-- .github/workflows/codeql.yml | 2 +- pr-checks/checks/all-platform-bundle.yml | 3 +- .../checks/multi-language-autodetect.yml | 3 +- pr-checks/checks/swift-autobuild.yml | 3 +- pr-checks/checks/swift-custom-build.yml | 3 +- pr-checks/sync.ts | 32 +++++++++++++++---- 10 files changed, 49 insertions(+), 25 deletions(-) diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index 1be1d6375..0690c3197 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml @@ -61,7 +61,7 @@ jobs: include: - os: ubuntu-latest version: nightly-latest - - os: macos-latest + - os: macos-latest-xlarge version: nightly-latest - os: windows-latest version: nightly-latest 
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index 33dbd2f69..ff54c07eb 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -61,39 +61,39 @@ jobs: include: - os: ubuntu-latest version: stable-v2.17.6 - - os: macos-latest + - os: macos-latest-xlarge version: stable-v2.17.6 - os: ubuntu-latest version: stable-v2.18.4 - - os: macos-latest + - os: macos-latest-xlarge version: stable-v2.18.4 - os: ubuntu-latest version: stable-v2.19.4 - - os: macos-latest + - os: macos-latest-xlarge version: stable-v2.19.4 - os: ubuntu-latest version: stable-v2.20.7 - - os: macos-latest + - os: macos-latest-xlarge version: stable-v2.20.7 - os: ubuntu-latest version: stable-v2.21.4 - - os: macos-latest + - os: macos-latest-xlarge version: stable-v2.21.4 - os: ubuntu-latest version: stable-v2.22.4 - - os: macos-latest + - os: macos-latest-xlarge version: stable-v2.22.4 - os: ubuntu-latest version: default - - os: macos-latest + - os: macos-latest-xlarge version: default - os: ubuntu-latest version: linked - - os: macos-latest + - os: macos-latest-xlarge version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest + - os: macos-latest-xlarge version: nightly-latest name: Multi-language repository if: github.triggering_actor != 'dependabot[bot]' diff --git a/.github/workflows/__swift-autobuild.yml b/.github/workflows/__swift-autobuild.yml index 473c13644..cd26309f4 100644 --- a/.github/workflows/__swift-autobuild.yml +++ b/.github/workflows/__swift-autobuild.yml @@ -39,7 +39,7 @@ jobs: fail-fast: false matrix: include: - - os: macos-latest + - os: macos-latest-xlarge version: nightly-latest name: Swift analysis using autobuild if: github.triggering_actor != 'dependabot[bot]' diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index efdbde721..18b0364ca 100644 
--- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -59,11 +59,11 @@ jobs: fail-fast: false matrix: include: - - os: macos-latest + - os: macos-latest-xlarge version: linked - - os: macos-latest + - os: macos-latest-xlarge version: default - - os: macos-latest + - os: macos-latest-xlarge version: nightly-latest name: Swift analysis using a custom build command if: github.triggering_actor != 'dependabot[bot]' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0b32bc20e..6ac51cc42 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -77,7 +77,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14,macos-15] + os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-latest-xlarge] tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }} runs-on: ${{ matrix.os }} diff --git a/pr-checks/checks/all-platform-bundle.yml b/pr-checks/checks/all-platform-bundle.yml index d35620706..a13ba7cde 100644 --- a/pr-checks/checks/all-platform-bundle.yml +++ b/pr-checks/checks/all-platform-bundle.yml @@ -2,7 +2,8 @@ name: "All-platform bundle" description: "Tests using an all-platform CodeQL Bundle" operatingSystems: - ubuntu - - macos + - os: macos + runner-image: macos-latest-xlarge - windows versions: - nightly-latest diff --git a/pr-checks/checks/multi-language-autodetect.yml b/pr-checks/checks/multi-language-autodetect.yml index e005a9239..c52dcf940 100644 --- a/pr-checks/checks/multi-language-autodetect.yml +++ b/pr-checks/checks/multi-language-autodetect.yml @@ -2,7 +2,8 @@ name: "Multi-language repository" description: "An end-to-end integration test of a multi-language repository using automatic language detection" operatingSystems: - ubuntu - - macos + - os: macos + runner-image: macos-latest-xlarge env: CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true installGo: true 
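Review bot: The new `runner-image` key in `pr-checks/checks/multi-language-autodetect.yml` is kebab-case, while the other specification keys visible in these files are camelCase (`operatingSystems`, `installGo`, `installDotNet`). That is why `pr-checks/sync.ts` has to read it as `operatingSystemConfig["runner-image"]`. Naming it `runnerImage` (`- os: macos` followed by `runnerImage: macos-latest-xlarge`) would keep the spec format consistent and allow plain property access. The same key appears in the `all-platform-bundle.yml`, `swift-autobuild.yml` and `swift-custom-build.yml` check hunks and in the `OperatingSystem` type added to `pr-checks/sync.ts`.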
diff --git a/pr-checks/checks/swift-autobuild.yml b/pr-checks/checks/swift-autobuild.yml index e9949c12e..393857cd2 100644 --- a/pr-checks/checks/swift-autobuild.yml +++ b/pr-checks/checks/swift-autobuild.yml @@ -3,7 +3,8 @@ description: "Tests creation of a Swift database using autobuild" versions: - nightly-latest operatingSystems: - - macos + - os: macos + runner-image: macos-latest-xlarge steps: - uses: ./../action/init id: init diff --git a/pr-checks/checks/swift-custom-build.yml b/pr-checks/checks/swift-custom-build.yml index 7a07d5b7e..6fe8f1c46 100644 --- a/pr-checks/checks/swift-custom-build.yml +++ b/pr-checks/checks/swift-custom-build.yml @@ -5,7 +5,8 @@ versions: - default - nightly-latest operatingSystems: - - macos + - os: macos + runner-image: macos-latest-xlarge installGo: true installDotNet: true env: diff --git a/pr-checks/sync.ts b/pr-checks/sync.ts index e46fca248..cf04203c4 100755 --- a/pr-checks/sync.ts +++ b/pr-checks/sync.ts @@ -28,6 +28,13 @@ interface WorkflowInput { /** A partial mapping from known input names to input definitions. */ type WorkflowInputs = Partial>; +type OperatingSystem = + | string + | { + os: string; + "runner-image"?: string; + }; + /** * Represents PR check specifications. */ @@ -37,7 +44,7 @@ interface Specification extends JobSpecification { /** CodeQL bundle versions to test against. Defaults to `DEFAULT_TEST_VERSIONS`. */ versions?: string[]; /** Operating system prefixes used to select runner images (e.g. `["ubuntu", "macos"]`). */ - operatingSystems?: string[]; + operatingSystems?: OperatingSystem[]; /** Per-OS version overrides. If specified for an OS, only those versions are tested on that OS. */ osCodeQlVersions?: Record; /** Whether to use the all-platform CodeQL bundle. */ 
@@ -311,10 +318,19 @@ function generateJobMatrix( ); } - const runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"]; + const defaultRunnerImages = [ + "ubuntu-latest", + "macos-latest", + "windows-latest", + ]; const operatingSystems = checkSpecification.operatingSystems ?? ["ubuntu"]; - for (const operatingSystem of operatingSystems) { + for (const operatingSystemConfig of operatingSystems) { + const operatingSystem = + typeof operatingSystemConfig === "string" + ? operatingSystemConfig + : operatingSystemConfig.os; + // If osCodeQlVersions is set for this OS, only include the specified CodeQL versions. const allowedVersions = checkSpecification.osCodeQlVersions?.[operatingSystem]; @@ -322,9 +338,13 @@ function generateJobMatrix( continue; } - const runnerImagesForOs = runnerImages.filter((image) => - image.startsWith(operatingSystem), - ); + const runnerImagesForOs = + typeof operatingSystemConfig === "string" || + operatingSystemConfig["runner-image"] === undefined + ? defaultRunnerImages.filter((image) => + image.startsWith(operatingSystem), + ) + : [operatingSystemConfig["runner-image"]]; for (const runnerImage of runnerImagesForOs) { matrix.push({ From a32db48565227b7119e20d944f6346421af55341 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Thu, 14 May 2026 17:57:11 +0100 Subject: [PATCH 03/15] Move checks back to default runners These jobs are not rate-limiting so we don't need to run them on larger runners. --- .github/workflows/__all-platform-bundle.yml | 2 +- .github/workflows/__swift-custom-build.yml | 6 +++--- pr-checks/checks/all-platform-bundle.yml | 3 +-- pr-checks/checks/swift-custom-build.yml | 3 +-- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index 0690c3197..1be1d6375 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml 
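Review bot: An explicit `runner-image` goes into the matrix with no check that it belongs to the declared `os`, in the `: [operatingSystemConfig["runner-image"]]` branch of `runnerImagesForOs`. The default path filters with `image.startsWith(operatingSystem)`, but the override accepts any string, including an empty one or a label for another platform, and the value becomes the matrix `os` entry in the generated workflows, which presumably feeds `runs-on`. `osCodeQlVersions` is still looked up by `os`, so a mismatch would pass unnoticed at generation time. A guard on the override before the push, for example `if (!image.startsWith(operatingSystem)) throw new Error("runner-image " + image + " does not match os " + operatingSystem);`, would make the generator fail instead of emitting a job that targets the wrong runner. `generateJobMatrix` begins and ends outside this hunk.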
@@ -61,7 +61,7 @@ jobs: include: - os: ubuntu-latest version: nightly-latest - - os: macos-latest-xlarge + - os: macos-latest version: nightly-latest - os: windows-latest version: nightly-latest diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index 18b0364ca..efdbde721 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -59,11 +59,11 @@ jobs: fail-fast: false matrix: include: - - os: macos-latest-xlarge + - os: macos-latest version: linked - - os: macos-latest-xlarge + - os: macos-latest version: default - - os: macos-latest-xlarge + - os: macos-latest version: nightly-latest name: Swift analysis using a custom build command if: github.triggering_actor != 'dependabot[bot]' diff --git a/pr-checks/checks/all-platform-bundle.yml b/pr-checks/checks/all-platform-bundle.yml index a13ba7cde..d35620706 100644 --- a/pr-checks/checks/all-platform-bundle.yml +++ b/pr-checks/checks/all-platform-bundle.yml @@ -2,8 +2,7 @@ name: "All-platform bundle" description: "Tests using an all-platform CodeQL Bundle" operatingSystems: - ubuntu - - os: macos - runner-image: macos-latest-xlarge + - macos - windows versions: - nightly-latest diff --git a/pr-checks/checks/swift-custom-build.yml b/pr-checks/checks/swift-custom-build.yml index 6fe8f1c46..7a07d5b7e 100644 --- a/pr-checks/checks/swift-custom-build.yml +++ b/pr-checks/checks/swift-custom-build.yml @@ -5,8 +5,7 @@ versions: - default - nightly-latest operatingSystems: - - os: macos - runner-image: macos-latest-xlarge + - macos installGo: true installDotNet: true env: From 1b65777c19630cc5e61b44388ff6ac61869b79ac Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Thu, 14 May 2026 18:13:20 +0100 Subject: [PATCH 04/15] Address review comments --- .github/workflows/codeql.yml | 2 +- package.json | 2 +- pr-checks/sync.ts | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6ac51cc42..9f14b05bf 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -77,7 +77,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-latest-xlarge] + os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-14-xlarge,macos-15-xlarge] tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }} runs-on: ${{ matrix.os }} diff --git a/package.json b/package.json index 15fbe1c26..5125ea0d8 100644 --- a/package.json +++ b/package.json @@ -13,7 +13,7 @@ "test": "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", "transpile": "tsc --build --verbose tsconfig.json", - "update-pr-checks": "pr-checks/sync.sh" + "update-pr-checks": "./pr-checks/sync.sh" }, "license": "MIT", "workspaces": [ diff --git a/pr-checks/sync.ts b/pr-checks/sync.ts index cf04203c4..3faffc1d0 100755 --- a/pr-checks/sync.ts +++ b/pr-checks/sync.ts @@ -43,7 +43,7 @@ interface Specification extends JobSpecification { inputs?: Record; /** CodeQL bundle versions to test against. Defaults to `DEFAULT_TEST_VERSIONS`. */ versions?: string[]; - /** Operating system prefixes used to select runner images (e.g. `["ubuntu", "macos"]`). */ + /** Operating system prefixes, either as strings or with explicit runner image labels. */ operatingSystems?: OperatingSystem[]; /** Per-OS version overrides. If specified for an OS, only those versions are tested on that OS. */ osCodeQlVersions?: Record; From 931147e852fc8f5eea6a5ee734f426c164a34ddb Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 15 May 2026 11:10:02 +0100 Subject: [PATCH 05/15] Improve OS types and docs --- pr-checks/sync.ts | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/pr-checks/sync.ts b/pr-checks/sync.ts index 3faffc1d0..c810e7cbf 100755 --- a/pr-checks/sync.ts +++ b/pr-checks/sync.ts 
@@ -28,10 +28,21 @@ interface WorkflowInput { /** A partial mapping from known input names to input definitions. */ type WorkflowInputs = Partial>; +/** An operating system identifier. */ +type OperatingSystemIdentifier = "ubuntu" | "macos" | "windows"; + +/** + * Represents an operating system matrix entry for a generated PR check workflow. + * + * Either a string containing the OS identifier or an object containing the OS identifier and an + * optional runner image label. + */ type OperatingSystem = - | string + | OperatingSystemIdentifier | { - os: string; + /** OS identifier. */ + os: OperatingSystemIdentifier; + /** Optional runner image label. */ "runner-image"?: string; }; From db84cb5ccbfdbf6a74bbdc943c5fceb3bd399ebd Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 15 May 2026 11:22:17 +0100 Subject: [PATCH 06/15] Remove outdated comments for `analyze-action` tests --- src/analyze-action-env.test.ts | 7 ------- src/analyze-action-input.test.ts | 7 ------- 2 files changed, 14 deletions(-) diff --git a/src/analyze-action-env.test.ts b/src/analyze-action-env.test.ts index 93992c4a8..bcdcf9723 100644 --- a/src/analyze-action-env.test.ts +++ b/src/analyze-action-env.test.ts @@ -17,13 +17,6 @@ import * as util from "./util"; setupTests(test); -// This test needs to be in its own file so that ava would run it in its own -// nodejs process. The code being tested is in analyze-action.ts, which runs -// immediately on load. So the file needs to be loaded during part of the test, -// and that can happen only once per nodejs process. If multiple such tests are -// in the same test file, ava would run them in the same nodejs process, and all -// but the first test would fail. - test("analyze action with RAM & threads from environment variables", async (t) => { // This test frequently times out on Windows with the default timeout, so we bump // it a bit to 20s. 
diff --git a/src/analyze-action-input.test.ts b/src/analyze-action-input.test.ts index b0c2f90c0..9aee1a844 100644 --- a/src/analyze-action-input.test.ts +++ b/src/analyze-action-input.test.ts @@ -17,13 +17,6 @@ import * as util from "./util"; setupTests(test); -// This test needs to be in its own file so that ava would run it in its own -// nodejs process. The code being tested is in analyze-action.ts, which runs -// immediately on load. So the file needs to be loaded during part of the test, -// and that can happen only once per nodejs process. If multiple such tests are -// in the same test file, ava would run them in the same nodejs process, and all -// but the first test would fail. - test("analyze action with RAM & threads from action inputs", async (t) => { t.timeout(1000 * 20); await util.withTmpDir(async (tmpDir) => { From 9e1f9145605145b546d301106b3e5d8122ce5f56 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 15 May 2026 11:24:28 +0100 Subject: [PATCH 07/15] Merge `analyze-action-input` test into `analyze-action-env` file The tests still can't run in parallel so I had to change `test` to `test.serial`, which caused a bunch of formatting changes. --- src/analyze-action-env.test.ts | 172 +++++++++++++++++++++---------- src/analyze-action-input.test.ts | 76 -------------- 2 files changed, 118 insertions(+), 130 deletions(-) delete mode 100644 src/analyze-action-input.test.ts diff --git a/src/analyze-action-env.test.ts b/src/analyze-action-env.test.ts index bcdcf9723..923908a64 100644 --- a/src/analyze-action-env.test.ts +++ b/src/analyze-action-env.test.ts 
@@ -17,62 +17,126 @@ import * as util from "./util"; setupTests(test); -test("analyze action with RAM & threads from environment variables", async (t) => { - // This test frequently times out on Windows with the default timeout, so we bump - // it a bit to 20s. - t.timeout(1000 * 20); - await util.withTmpDir(async (tmpDir) => { - setupActionsVars(tmpDir, tmpDir); - sinon - .stub(statusReport, "createStatusReportBase") - .resolves({} as statusReport.StatusReportBase); - sinon.stub(statusReport, "sendStatusReport").resolves(); - sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true); +test.serial( + "analyze action with RAM & threads from environment variables", + async (t) => { + // This test frequently times out on Windows with the default timeout, so we bump + // it a bit to 20s. + t.timeout(1000 * 20); + await util.withTmpDir(async (tmpDir) => { + setupActionsVars(tmpDir, tmpDir); + sinon + .stub(statusReport, "createStatusReportBase") + .resolves({} as statusReport.StatusReportBase); + sinon.stub(statusReport, "sendStatusReport").resolves(); + sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true); - const gitHubVersion: util.GitHubVersion = { - type: util.GitHubVariant.DOTCOM, - }; - sinon.stub(configUtils, "getConfig").resolves({ - gitHubVersion, - augmentationProperties: {}, - languages: [], - packs: [], - trapCaches: {}, - } as unknown as configUtils.Config); - const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); - requiredInputStub.withArgs("token").returns("fake-token"); - requiredInputStub.withArgs("upload-database").returns("false"); - requiredInputStub.withArgs("output").returns("out"); - const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput"); - optionalInputStub.withArgs("expect-error").returns("false"); - sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion); - mockFeatureFlagApiEndpoint(200, {}); + const gitHubVersion: util.GitHubVersion = { + type: util.GitHubVariant.DOTCOM, + }; + 
sinon.stub(configUtils, "getConfig").resolves({ + gitHubVersion, + augmentationProperties: {}, + languages: [], + packs: [], + trapCaches: {}, + } as unknown as configUtils.Config); + const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); + requiredInputStub.withArgs("token").returns("fake-token"); + requiredInputStub.withArgs("upload-database").returns("false"); + requiredInputStub.withArgs("output").returns("out"); + const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput"); + optionalInputStub.withArgs("expect-error").returns("false"); + sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion); + mockFeatureFlagApiEndpoint(200, {}); - // When there are no action inputs for RAM and threads, the action uses - // environment variables (passed down from the init action) to set RAM and - // threads usage. - process.env["CODEQL_THREADS"] = "-1"; - process.env["CODEQL_RAM"] = "4992"; + // When there are no action inputs for RAM and threads, the action uses + // environment variables (passed down from the init action) to set RAM and + // threads usage. 
+ process.env["CODEQL_THREADS"] = "-1"; + process.env["CODEQL_RAM"] = "4992"; - const runFinalizeStub = sinon.stub(analyze, "runFinalize"); - const runQueriesStub = sinon.stub(analyze, "runQueries"); + const runFinalizeStub = sinon.stub(analyze, "runFinalize"); + const runQueriesStub = sinon.stub(analyze, "runQueries"); - await runWrapper(); + await runWrapper(); - t.assert( - runFinalizeStub.calledOnceWith( - sinon.match.any, - sinon.match.any, - "--threads=-1", - "--ram=4992", - ), - ); - t.assert( - runQueriesStub.calledOnceWith( - sinon.match.any, - "--ram=4992", - "--threads=-1", - ), - ); - }); -}); + t.assert( + runFinalizeStub.calledOnceWith( + sinon.match.any, + sinon.match.any, + "--threads=-1", + "--ram=4992", + ), + ); + t.assert( + runQueriesStub.calledOnceWith( + sinon.match.any, + "--ram=4992", + "--threads=-1", + ), + ); + }); + }, +); + +test.serial( + "analyze action with RAM & threads from action inputs", + async (t) => { + t.timeout(1000 * 20); + await util.withTmpDir(async (tmpDir) => { + setupActionsVars(tmpDir, tmpDir); + sinon + .stub(statusReport, "createStatusReportBase") + .resolves({} as statusReport.StatusReportBase); + sinon.stub(statusReport, "sendStatusReport").resolves(); + const gitHubVersion: util.GitHubVersion = { + type: util.GitHubVariant.DOTCOM, + }; + sinon.stub(configUtils, "getConfig").resolves({ + gitHubVersion, + augmentationProperties: {}, + languages: [], + packs: [], + trapCaches: {}, + } as unknown as configUtils.Config); + const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); + requiredInputStub.withArgs("token").returns("fake-token"); + requiredInputStub.withArgs("upload-database").returns("false"); + requiredInputStub.withArgs("output").returns("out"); + const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput"); + optionalInputStub.withArgs("expect-error").returns("false"); + sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion); + sinon.stub(gitUtils, 
"isAnalyzingDefaultBranch").resolves(true); + mockFeatureFlagApiEndpoint(200, {}); + + process.env["CODEQL_THREADS"] = "1"; + process.env["CODEQL_RAM"] = "4992"; + + // Action inputs have precedence over environment variables. + optionalInputStub.withArgs("threads").returns("-1"); + optionalInputStub.withArgs("ram").returns("3012"); + + const runFinalizeStub = sinon.stub(analyze, "runFinalize"); + const runQueriesStub = sinon.stub(analyze, "runQueries"); + + await runWrapper(); + + t.assert( + runFinalizeStub.calledOnceWith( + sinon.match.any, + sinon.match.any, + "--threads=-1", + "--ram=3012", + ), + ); + t.assert( + runQueriesStub.calledOnceWith( + sinon.match.any, + "--ram=3012", + "--threads=-1", + ), + ); + }); + }, +); diff --git a/src/analyze-action-input.test.ts b/src/analyze-action-input.test.ts deleted file mode 100644 index 9aee1a844..000000000 --- a/src/analyze-action-input.test.ts +++ /dev/null 
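Review bot: The reason these two tests are `test.serial` is recorded only in the commit message, not in `src/analyze-action-env.test.ts`. Both bodies stub the same module exports with sinon (`actionsUtil.getRequiredInput`, `analyze.runFinalize`, `analyze.runQueries`) and write `CODEQL_THREADS`/`CODEQL_RAM` into `process.env`. A comment above the first test, such as `// Serial: these tests stub shared module exports and mutate process.env, so they cannot run concurrently.`, would stop a later cleanup from switching back to `test`. Whether `setupTests` restores the stubs and the environment between tests is not visible in this hunk and is worth confirming, because the second test now runs in the same process after the first has set `CODEQL_THREADS` to `-1`. The stub setup that the two tests duplicate could also move into one helper.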
@@ -1,76 +0,0 @@ -import test from "ava"; -import * as sinon from "sinon"; - -import * as actionsUtil from "./actions-util"; -import * as analyze from "./analyze"; -import { runWrapper } from "./analyze-action"; -import * as api from "./api-client"; -import * as configUtils from "./config-utils"; -import * as gitUtils from "./git-utils"; -import * as statusReport from "./status-report"; -import { - setupTests, - setupActionsVars, - mockFeatureFlagApiEndpoint, -} from "./testing-utils"; -import * as util from "./util"; - -setupTests(test); - -test("analyze action with RAM & threads from action inputs", async (t) => { - t.timeout(1000 * 20); - await util.withTmpDir(async (tmpDir) => { - setupActionsVars(tmpDir, tmpDir); - sinon - .stub(statusReport, "createStatusReportBase") - .resolves({} as statusReport.StatusReportBase); - sinon.stub(statusReport, "sendStatusReport").resolves(); - const gitHubVersion: util.GitHubVersion = { - type: util.GitHubVariant.DOTCOM, - }; - sinon.stub(configUtils, "getConfig").resolves({ - gitHubVersion, - augmentationProperties: {}, - languages: [], - packs: [], - trapCaches: {}, - } as unknown as configUtils.Config); - const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); - requiredInputStub.withArgs("token").returns("fake-token"); - requiredInputStub.withArgs("upload-database").returns("false"); - requiredInputStub.withArgs("output").returns("out"); - const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput"); - optionalInputStub.withArgs("expect-error").returns("false"); - sinon.stub(api, "getGitHubVersion").resolves(gitHubVersion); - sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true); - mockFeatureFlagApiEndpoint(200, {}); - - process.env["CODEQL_THREADS"] = "1"; - process.env["CODEQL_RAM"] = "4992"; - - // Action inputs have precedence over environment variables. 
- optionalInputStub.withArgs("threads").returns("-1"); - optionalInputStub.withArgs("ram").returns("3012"); - - const runFinalizeStub = sinon.stub(analyze, "runFinalize"); - const runQueriesStub = sinon.stub(analyze, "runQueries"); - - await runWrapper(); - - t.assert( - runFinalizeStub.calledOnceWith( - sinon.match.any, - sinon.match.any, - "--threads=-1", - "--ram=3012", - ), - ); - t.assert( - runQueriesStub.calledOnceWith( - sinon.match.any, - "--ram=3012", - "--threads=-1", - ), - ); - }); -}); From 46959216a24c116c409ed9569b4805bb0ac122c1 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 15 May 2026 11:25:12 +0100 Subject: [PATCH 08/15] Rename `analyze-action-env.test.ts` to `analyze-action.test.ts` --- src/{analyze-action-env.test.ts => analyze-action.test.ts} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename src/{analyze-action-env.test.ts => analyze-action.test.ts} (100%) diff --git a/src/analyze-action-env.test.ts b/src/analyze-action.test.ts similarity index 100% rename from src/analyze-action-env.test.ts rename to src/analyze-action.test.ts From 2320f9d058dc9e523d1bed5c91422017c043c282 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 15 May 2026 11:26:51 +0100 Subject: [PATCH 09/15] "action" to "Action" in `build.mjs` --- build.mjs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/build.mjs b/build.mjs index 01a1c4d51..a79f6921f 100644 --- a/build.mjs +++ b/build.mjs @@ -66,7 +66,7 @@ const onEndPlugin = { const SHARED_ENTRYPOINT = "entry-points"; /** - * This plugin finds all source files that contain action entry points. + * This plugin finds all source files that contain Action entry points. * It then generates the virtual `entry-points` module which imports all identifies files, * and re-exports their `runWrapper` functions with suitable aliases. * A tiny stub file is emitted for each Action entrypoint. Each stub imports the shared bundle 
@@ -83,7 +83,7 @@ const entryPointsPlugin = { const toPascal = (s) => s.replace(/(^|-)([a-z0-9])/gi, (_, __, c) => c.toUpperCase()); - // Find the source files containing action entry points. + // Find the source files containing Action entry points. build.onStart(() => { const actionFiles = globSync("src/*-action{,-post}.ts"); for (const actionFile of actionFiles) { @@ -112,7 +112,7 @@ const entryPointsPlugin = { return { path: SHARED_ENTRYPOINT, namespace }; }); - // Generate the virtual `entry-points` file based on the actions we discovered. + // Generate the virtual `entry-points` file based on the Actions we discovered. // Restrict using the namespace. The path filter does not need to discriminate any further. build.onLoad({ filter: /.*/, namespace }, async () => { const wrapperTemplatePath = "entry-wrapper.js.tpl"; @@ -143,7 +143,7 @@ const entryPointsPlugin = { }; }); - // Emit entry point stubs for each action using the entry template. + // Emit entry point stubs for each Action using the entry template. build.onEnd(async (result) => { // Read the entry point template. const templatePath = "action-entry.js.tpl"; @@ -152,7 +152,7 @@ const entryPointsPlugin = { const makeHeader = (sourceFile) => `// Automatically generated from '${templatePath}' for 'src/${basename(sourceFile)}'.\n\n`; - // Write entry point stubs for each action. + // Write entry point stubs for each Action. for (const action of actions) { await writeFile( join( From ab5047bf8fad10629454ead49bd1baa263446eef Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 15 May 2026 11:27:58 +0100 Subject: [PATCH 10/15] Add missing semicolons --- build.mjs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.mjs b/build.mjs index a79f6921f..868d1b285 100644 --- a/build.mjs +++ b/build.mjs 
@@ -127,7 +127,7 @@ const entryPointsPlugin = { const imports = actionsSorted .map( (action) => - `import * as ${action.pascalCaseName} from "./src/${basename(action.path)}"`, + `import * as ${action.pascalCaseName} from "./src/${basename(action.path)}";`, ) .join("\n"); const wrappers = actionsSorted From 064674dfa309caa7e172743113994aa4a86166bb Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 15 May 2026 11:35:47 +0100 Subject: [PATCH 11/15] Fix typo Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- build.mjs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.mjs b/build.mjs index 868d1b285..d4df66b2b 100644 --- a/build.mjs +++ b/build.mjs @@ -67,7 +67,7 @@ const SHARED_ENTRYPOINT = "entry-points"; /** * This plugin finds all source files that contain Action entry points. - * It then generates the virtual `entry-points` module which imports all identifies files, + * It then generates the virtual `entry-points` module which imports all identified files, * and re-exports their `runWrapper` functions with suitable aliases. * A tiny stub file is emitted for each Action entrypoint. Each stub imports the shared bundle * and calls the respective entry point. From 51f7e38c69d3cd7966375fe0ffff19669f22bd14 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 15 May 2026 10:48:24 +0000 Subject: [PATCH 12/15] Update changelog for v4.35.5 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 53ad4d765..9af2d9efd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,7 +2,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## [UNRELEASED] +## 4.35.5 - 15 May 2026 - For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791) - If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892) From 6d7d59927c0c7336c1d1247c7e159e79edbf7684 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 15 May 2026 11:58:39 +0100 Subject: [PATCH 13/15] Add changelog entry for #3899 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9af2d9efd..52eeef991 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## 4.35.5 - 15 May 2026 +- We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://github.com/github/codeql-action/pull/3899) - For performance and accuracy reasons, [improved incremental analysis](https://github.com/github/roadmap/issues/1158) will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. [#3791](https://github.com/github/codeql-action/pull/3791) - If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892) - Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880) From 06c7e6fdd57b503e9f9c43d47d022267763a6e4b Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 15 May 2026 11:24:05 +0000 Subject: [PATCH 14/15] Update changelog and version after v4.35.5 --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 52eeef991..d19019fff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## [UNRELEASED] + +No user facing changes. + ## 4.35.5 - 15 May 2026 - We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. [#3899](https://github.com/github/codeql-action/pull/3899) diff --git a/package-lock.json b/package-lock.json index 48052b773..130ed3da1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "4.35.5", + "version": "4.35.6", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "4.35.5", + "version": "4.35.6", "license": "MIT", "workspaces": [ "pr-checks" diff --git a/package.json b/package.json index d46e50792..3f6cc6a27 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.35.5", + "version": "4.35.6", "private": true, "description": "CodeQL action", "scripts": { From f1ce9f4421f8ca59657c648dce11b9f6dd204c67 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 15 May 2026 11:30:22 +0000 Subject: [PATCH 15/15] Rebuild --- lib/entry-points.js | 2 +- lib/upload-lib.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lib/entry-points.js b/lib/entry-points.js index 43e961f71..eb048fc9c 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -148304,7 +148304,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.5"; + return "4.35.6"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 1b398dc76..476db6ff2 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -88509,7 +88509,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.5"; + return "4.35.6"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME");