Merge remote-tracking branch 'origin/main' into mbg/private-registry/oidc

Michael B. Gale
2026-03-11 16:15:07 +00:00
62 changed files with 4855 additions and 4126 deletions


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: all-platform-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
all-platform-bundle:
strategy:
@@ -75,6 +75,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -82,15 +91,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'true'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- id: init
uses: ./../action/init
with:
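Review bot: The `Install .NET` and `Install Go` steps that now run ahead of `Prepare test` reference `actions/setup-dotnet@v5` and `actions/setup-go@v6` by movable major tag, so the code that bootstraps the toolchain can change without any change in this repository. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/setup-go@<full-commit-sha> # v6` (placeholder), keeps the job reproducible and makes action upgrades reviewable. The same pattern repeats in the other workflow sections of this commit (`actions/checkout@v6`, `actions/setup-java@v5`, `actions/setup-python@v6`, `actions/setup-node@v6`). If these workflows are generated from templates, as the `generated` label on some of the files suggests, the pin belongs in the template rather than in each file.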


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: analyze-ref-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
analyze-ref-input:
strategy:
@@ -71,6 +71,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -78,15 +87,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}


@@ -65,6 +65,10 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -72,10 +76,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
languages: csharp


@@ -67,6 +67,11 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install Java
uses: actions/setup-java@v5
with:
java-version: ${{ inputs.java-version || '17' }}
distribution: temurin
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -74,11 +79,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Java
uses: actions/setup-java@v5
with:
java-version: ${{ inputs.java-version || '17' }}
distribution: temurin
- name: Test setup
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...


@@ -67,13 +67,6 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Java
uses: actions/setup-java@v5
with:
@@ -87,6 +80,13 @@ jobs:
run: |-
gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"
echo "$YQ_PATH" >> "$GITHUB_PATH"
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Set up Java test repo configuration
run: |
mv * .github ../action/tests/multi-language-repo/
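Review bot: With `Prepare test` moved below the yq step, the local `prepare-test` action and every later step now run with `$YQ_PATH` on `PATH`, and the visible lines fetch `yq.exe` with `gh release download` and append its directory to `$GITHUB_PATH` without any integrity check. The step begins outside this hunk, so a check may already exist there; if it does not, record the expected SHA-256 for the pinned `$YQ_VERSION` and compare it against the downloaded file before the `echo "$YQ_PATH" >> "$GITHUB_PATH"` line, failing the job on a mismatch. A one-line comment on the step stating why it has to precede `Prepare test` would also document the new ordering.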


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: build-mode-manual-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
build-mode-manual:
strategy:
@@ -71,6 +71,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -78,15 +87,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
id: init
with:


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: export-file-baseline-information-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
export-file-baseline-information:
strategy:
@@ -75,6 +75,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -82,15 +91,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
id: init
with:


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: go-custom-queries-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
go-custom-queries:
strategy:
@@ -73,6 +73,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -80,15 +89,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
languages: go


@@ -61,6 +61,11 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -68,11 +73,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:
languages: go


@@ -61,6 +61,11 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -68,11 +73,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Remove `file` program
run: |
echo $(which file)


@@ -61,6 +61,11 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -68,11 +73,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:
languages: go


@@ -95,6 +95,11 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -102,11 +107,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:
languages: go


@@ -95,6 +95,11 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -102,11 +107,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:
languages: go


@@ -95,6 +95,11 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -102,11 +107,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:
languages: go

12
.github/workflows/__go.yml generated vendored

@@ -10,16 +10,16 @@ env:
on:
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
go-custom-queries:
name: 'Go: Custom queries'
@@ -28,8 +28,8 @@ jobs:
security-events: read
uses: ./.github/workflows/__go-custom-queries.yml
with:
go-version: ${{ inputs.go-version }}
dotnet-version: ${{ inputs.dotnet-version }}
go-version: ${{ inputs.go-version }}
go-indirect-tracing-workaround-diagnostic:
name: 'Go: diagnostic when Go is changed after init step'
permissions:

40
.github/workflows/__local-bundle.yml generated vendored

@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: local-bundle-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
local-bundle:
strategy:
@@ -71,6 +71,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -78,15 +87,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Fetch latest CodeQL bundle
run: |
wget https://github.com/github/codeql-action/releases/latest/download/codeql-bundle-linux64.tar.zst


@@ -25,44 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
python-version:
type: string
description: The version of Python to install
required: false
default: '3.13'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
python-version:
type: string
description: The version of Python to install
required: false
default: '3.13'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}}
group: multi-language-autodetect-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
multi-language-autodetect:
strategy:
@@ -115,6 +105,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -122,20 +121,14 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install Python
if: matrix.version != 'nightly-latest'
- name: Install Python 3.13 for older CLI versions
# We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
# See https://github.com/github/codeql-action/pull/3212
if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
uses: actions/setup-python@v6
with:
python-version: ${{ inputs.python-version || '3.13' }}
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
python-version: '3.13'
- name: Use Xcode 16
if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
run: sudo xcode-select -s "/Applications/Xcode_16.app"
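Review bot: Dropping `python-version` from the `workflow_call` inputs in the first hunk changes this reusable workflow's interface, so any caller that still passes `python-version` under `with:` would be rejected for supplying an undeclared input. No caller of this workflow is visible on the page, so that is worth confirming before merge. The hard-coded `python-version: '3.13'` in the last hunk is explained by the added comment, but the `if:` excludes `nightly-latest` and `linked` by name; a short note such as `# extend this condition when adding a matrix version that supports Python 3.14+` would tell the next maintainer what to update.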


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
packaging-codescanning-config-inputs-js:
strategy:
@@ -75,6 +75,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install Node.js
uses: actions/setup-node@v6
with:
@@ -89,15 +98,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
config-file: '.github/codeql/codeql-config-packaging3.yml'


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: packaging-config-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
packaging-config-inputs-js:
strategy:
@@ -75,6 +75,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install Node.js
uses: actions/setup-node@v6
with:
@@ -89,15 +98,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
config-file: '.github/codeql/codeql-config-packaging3.yml'


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: packaging-config-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
packaging-config-js:
strategy:
@@ -75,6 +75,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install Node.js
uses: actions/setup-node@v6
with:
@@ -89,15 +98,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
config-file: '.github/codeql/codeql-config-packaging.yml'


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: packaging-inputs-js-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
packaging-inputs-js:
strategy:
@@ -75,6 +75,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install Node.js
uses: actions/setup-node@v6
with:
@@ -89,15 +98,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
config-file: '.github/codeql/codeql-config-packaging2.yml'


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: remote-config-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
remote-config:
strategy:
@@ -73,6 +73,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -80,15 +89,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: split-workflow-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: split-workflow-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
split-workflow:
strategy:
@@ -81,6 +81,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -88,15 +97,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
config-file: '.github/codeql/codeql-config-packaging3.yml'


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: swift-custom-build-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
swift-custom-build:
strategy:
@@ -75,6 +75,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -82,15 +91,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Use Xcode 16
if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
run: sudo xcode-select -s "/Applications/Xcode_16.app"


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: unset-environment-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
unset-environment:
strategy:
@@ -73,6 +73,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -80,15 +89,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
id: init
with:


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: upload-ref-sha-input-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
upload-ref-sha-input:
strategy:
@@ -71,6 +71,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -78,15 +87,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}

40
.github/workflows/__upload-sarif.yml generated vendored

@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: upload-sarif-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
upload-sarif:
strategy:
@@ -78,6 +78,15 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -85,15 +94,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}


@@ -25,34 +25,34 @@ on:
- cron: '0 5 * * *'
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
dotnet-version:
type: string
description: The version of .NET to install
required: false
default: 9.x
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
defaults:
run:
shell: bash
concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
group: with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}}
group: with-checkout-path-${{github.ref}}-${{inputs.dotnet-version}}-${{inputs.go-version}}
jobs:
with-checkout-path:
strategy:
@@ -72,6 +72,15 @@ jobs:
# This ensures we don't accidentally use the original checkout for any part of the test.
- name: Check out repository
uses: actions/checkout@v6
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
@@ -79,15 +88,6 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: ${{ inputs.dotnet-version || '9.x' }}
- name: Delete original checkout
run: |
# delete the original checkout so we don't accidentally use it.


@@ -52,19 +52,10 @@ jobs:
- name: Verify compiled JS up to date
run: .github/workflows/script/check-js.sh
- name: Verify PR checks up to date
if: always()
run: .github/workflows/script/verify-pr-checks.sh
- name: Run unit tests
if: always()
run: npm test
- name: Run pr-checks tests
if: always()
working-directory: pr-checks
run: npm ci && npx tsx --test
- name: Lint
if: always() && matrix.os != 'windows-latest'
run: npm run lint-ci
@@ -76,6 +67,40 @@ jobs:
sarif_file: eslint.sarif
category: eslint
# Verifying the PR checks are up-to-date requires Node 24. The PR checks are not dependent
# on the main codebase and therefore do not need to be run as part of the same matrix that
# we use for the `unit-tests` job.
verify-pr-checks:
name: Verify PR checks
if: github.triggering_actor != 'dependabot[bot]'
permissions:
contents: read
runs-on: ubuntu-slim
timeout-minutes: 10
steps:
- name: Prepare git (Windows)
if: runner.os == 'Windows'
run: git config --global core.autocrlf false
- name: Checkout repository
uses: actions/checkout@v6
- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: 24
cache: 'npm'
- name: Verify PR checks up to date
if: always()
run: .github/workflows/script/verify-pr-checks.sh
- name: Run pr-checks tests
if: always()
working-directory: pr-checks
run: npm ci && npx tsx --test
check-node-version:
if: github.triggering_actor != 'dependabot[bot]'
name: Check Action Node versions
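Review bot: The new `verify-pr-checks` job checks out the repository with the default credential handling and then runs `npm ci && npx tsx --test`, so dependency install scripts and test code execute in a job where the checkout token is, by default, still configured for git. `permissions: contents: read` already limits what that token can do, but adding `with:` and `persist-credentials: false` to the `actions/checkout@v6` step would remove it from reach, assuming neither `verify-pr-checks.sh` nor the tests need authenticated git access. Separately, the `Prepare git (Windows)` step is guarded by `if: runner.os == 'Windows'` in a job that `runs-on: ubuntu-slim`, so it can never run and reads like a leftover from the matrix job; it can be dropped. The `if: always()` on `Verify PR checks up to date` also lets that step run after a failed checkout or Node setup, which produces a misleading second failure; removing it from that first step would avoid this.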


@@ -4,9 +4,16 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
## [UNRELEASED]
- Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
To opt out of this change:
- **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
- **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
- **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow.
- Fixed [a bug](https://github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://github.com/github/codeql-action/pull/3557)
- The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://github.com/github/codeql-action/pull/3559)
- Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://github.com/github/codeql-action/pull/3563)
- Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
## 4.32.6 - 05 Mar 2026


@@ -161409,6 +161409,7 @@ retry.VERSION = VERSION7;
// src/api-client.ts
var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -161423,10 +161424,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
error: core5.error
},
retry: {
// The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
// with authentication, so we remove 401, 403, and 404 from the default list to ensure that
// these errors are retried.
doNotRetry: [400, 410, 422, 451]
doNotRetry: DO_NOT_RETRY_STATUSES
}
})
);
@@ -161738,6 +161736,7 @@ var semver2 = __toESM(require_semver2());
var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
return RepositoryPropertyName2;
})(RepositoryPropertyName || {});
var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -161949,6 +161948,12 @@ async function isAnalyzingDefaultBranch() {
// src/overlay/index.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
@@ -162091,70 +162096,48 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
},
["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
minimumVersion: void 0
},
// Per-language overlay feature flags. Each has minimumVersion set to the
// minimum CLI version that supports overlay analysis for that language.
// Only languages that are GA or in staff-ship should have feature flags here.
["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
minimumVersion: void 0
},
["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
defaultValue: false,
@@ -162166,25 +162149,20 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
minimumVersion: void 0
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: void 0
},
["overlay_analysis_java" /* OverlayAnalysisJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_python" /* OverlayAnalysisPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
defaultValue: false,
@@ -162194,23 +162172,13 @@ var featureConfig = {
["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
minimumVersion: void 0
},
["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
minimumVersion: void 0
},
["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
minimumVersion: void 0
},
["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -162226,11 +162194,8 @@ var featureConfig = {
["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
// For testing, this is not behind a CLI version check yet. However
// before rolling this out externally, we should set a minimum version here
// since current versions of the CodeQL CLI will log if baseline information
// cannot be found when interpreting results.
minimumVersion: void 0
minimumVersion: void 0,
toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
},
["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
defaultValue: false,
@@ -162268,28 +162233,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
var OVERLAY_ANALYSIS_FEATURES = {
actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
go: "overlay_analysis_go" /* OverlayAnalysisGo */,
java: "overlay_analysis_java" /* OverlayAnalysisJava */,
javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
python: "overlay_analysis_python" /* OverlayAnalysisPython */,
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
};
var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
};
function getPathToParsedConfigFile(tempDir) {
return path3.join(tempDir, "config");

694
lib/analyze-action.js generated

File diff suppressed because it is too large Load Diff

107
lib/autobuild-action.js generated

@@ -103431,6 +103431,7 @@ function parseRepositoryNwo(input) {
// src/api-client.ts
var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -103445,10 +103446,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
error: core5.error
},
retry: {
// The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
// with authentication, so we remove 401, 403, and 404 from the default list to ensure that
// these errors are retried.
doNotRetry: [400, 410, 422, 451]
doNotRetry: DO_NOT_RETRY_STATUSES
}
})
);
@@ -103794,6 +103792,7 @@ var semver2 = __toESM(require_semver2());
var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
return RepositoryPropertyName2;
})(RepositoryPropertyName || {});
var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -104003,6 +104002,12 @@ async function isAnalyzingDefaultBranch() {
// src/overlay/index.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
@@ -104143,70 +104148,48 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
},
["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
minimumVersion: void 0
},
// Per-language overlay feature flags. Each has minimumVersion set to the
// minimum CLI version that supports overlay analysis for that language.
// Only languages that are GA or in staff-ship should have feature flags here.
["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
minimumVersion: void 0
},
["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
defaultValue: false,
@@ -104218,25 +104201,20 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
minimumVersion: void 0
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: void 0
},
["overlay_analysis_java" /* OverlayAnalysisJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_python" /* OverlayAnalysisPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
defaultValue: false,
@@ -104246,23 +104224,13 @@ var featureConfig = {
["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
minimumVersion: void 0
},
["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
minimumVersion: void 0
},
["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
minimumVersion: void 0
},
["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -104278,11 +104246,8 @@ var featureConfig = {
["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
// For testing, this is not behind a CLI version check yet. However
// before rolling this out externally, we should set a minimum version here
// since current versions of the CodeQL CLI will log if baseline information
// cannot be found when interpreting results.
minimumVersion: void 0
minimumVersion: void 0,
toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
},
["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
defaultValue: false,
@@ -104643,28 +104608,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
var OVERLAY_ANALYSIS_FEATURES = {
actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
go: "overlay_analysis_go" /* OverlayAnalysisGo */,
java: "overlay_analysis_java" /* OverlayAnalysisJava */,
javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
python: "overlay_analysis_python" /* OverlayAnalysisPython */,
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
};
var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
};
function getPathToParsedConfigFile(tempDir) {
return path4.join(tempDir, "config");

2111
lib/init-action-post.js generated

File diff suppressed because it is too large Load Diff

756
lib/init-action.js generated

File diff suppressed because it is too large Load Diff


@@ -103439,6 +103439,7 @@ function parseRepositoryNwo(input) {
// src/api-client.ts
var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -103453,10 +103454,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
error: core5.error
},
retry: {
// The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
// with authentication, so we remove 401, 403, and 404 from the default list to ensure that
// these errors are retried.
doNotRetry: [400, 410, 422, 451]
doNotRetry: DO_NOT_RETRY_STATUSES
}
})
);
@@ -103793,6 +103791,7 @@ var semver2 = __toESM(require_semver2());
var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
return RepositoryPropertyName2;
})(RepositoryPropertyName || {});
var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -103996,6 +103995,12 @@ async function isAnalyzingDefaultBranch() {
// src/overlay/index.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
async function writeBaseDatabaseOidsFile(config, sourceRoot) {
@@ -104134,70 +104139,48 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
},
["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
minimumVersion: void 0
},
// Per-language overlay feature flags. Each has minimumVersion set to the
// minimum CLI version that supports overlay analysis for that language.
// Only languages that are GA or in staff-ship should have feature flags here.
["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
minimumVersion: void 0
},
["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
defaultValue: false,
@@ -104209,25 +104192,20 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
minimumVersion: void 0
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: void 0
},
["overlay_analysis_java" /* OverlayAnalysisJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_python" /* OverlayAnalysisPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
defaultValue: false,
@@ -104237,23 +104215,13 @@ var featureConfig = {
["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
minimumVersion: void 0
},
["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
minimumVersion: void 0
},
["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
minimumVersion: void 0
},
["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -104269,11 +104237,8 @@ var featureConfig = {
["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
// For testing, this is not behind a CLI version check yet. However
// before rolling this out externally, we should set a minimum version here
// since current versions of the CodeQL CLI will log if baseline information
// cannot be found when interpreting results.
minimumVersion: void 0
minimumVersion: void 0,
toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
},
["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
defaultValue: false,
@@ -104311,28 +104276,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
var OVERLAY_ANALYSIS_FEATURES = {
actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
go: "overlay_analysis_go" /* OverlayAnalysisGo */,
java: "overlay_analysis_java" /* OverlayAnalysisJava */,
javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
python: "overlay_analysis_python" /* OverlayAnalysisPython */,
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
};
var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
};
function getPathToParsedConfigFile(tempDir) {
return path3.join(tempDir, "config");

File diff suppressed because it is too large Load Diff


@@ -161292,6 +161292,7 @@ retry.VERSION = VERSION7;
// src/api-client.ts
var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -161306,10 +161307,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
error: core5.error
},
retry: {
// The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
// with authentication, so we remove 401, 403, and 404 from the default list to ensure that
// these errors are retried.
doNotRetry: [400, 410, 422, 451]
doNotRetry: DO_NOT_RETRY_STATUSES
}
})
);
@@ -161373,6 +161371,7 @@ var semver2 = __toESM(require_semver2());
var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
return RepositoryPropertyName2;
})(RepositoryPropertyName || {});
var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -161415,6 +161414,12 @@ var semver3 = __toESM(require_semver2());
// src/overlay/index.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
@@ -161497,70 +161502,48 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
},
["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
minimumVersion: void 0
},
// Per-language overlay feature flags. Each has minimumVersion set to the
// minimum CLI version that supports overlay analysis for that language.
// Only languages that are GA or in staff-ship should have feature flags here.
["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
minimumVersion: void 0
},
["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
defaultValue: false,
@@ -161572,25 +161555,20 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
minimumVersion: void 0
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: void 0
},
["overlay_analysis_java" /* OverlayAnalysisJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_python" /* OverlayAnalysisPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
defaultValue: false,
@@ -161600,23 +161578,13 @@ var featureConfig = {
["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
minimumVersion: void 0
},
["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
minimumVersion: void 0
},
["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
minimumVersion: void 0
},
["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -161632,11 +161600,8 @@ var featureConfig = {
["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
// For testing, this is not behind a CLI version check yet. However
// before rolling this out externally, we should set a minimum version here
// since current versions of the CodeQL CLI will log if baseline information
// cannot be found when interpreting results.
minimumVersion: void 0
minimumVersion: void 0,
toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
},
["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
defaultValue: false,
@@ -161674,28 +161639,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
var OVERLAY_ANALYSIS_FEATURES = {
actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
go: "overlay_analysis_go" /* OverlayAnalysisGo */,
java: "overlay_analysis_java" /* OverlayAnalysisJava */,
javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
python: "overlay_analysis_python" /* OverlayAnalysisPython */,
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
};
var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
};
function getPathToParsedConfigFile(tempDir) {
return path.join(tempDir, "config");


@@ -120529,6 +120529,7 @@ function parseRepositoryNwo(input) {
// src/api-client.ts
var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -120543,10 +120544,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
error: core5.error
},
retry: {
// The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
// with authentication, so we remove 401, 403, and 404 from the default list to ensure that
// these errors are retried.
doNotRetry: [400, 410, 422, 451]
doNotRetry: DO_NOT_RETRY_STATUSES
}
})
);
@@ -120750,6 +120748,12 @@ function getActionsLogger() {
// src/overlay/index.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
@@ -120834,70 +120838,48 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
},
["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
minimumVersion: void 0
},
// Per-language overlay feature flags. Each has minimumVersion set to the
// minimum CLI version that supports overlay analysis for that language.
// Only languages that are GA or in staff-ship should have feature flags here.
["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
minimumVersion: void 0
},
["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
defaultValue: false,
@@ -120909,25 +120891,20 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
minimumVersion: void 0
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: void 0
},
["overlay_analysis_java" /* OverlayAnalysisJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_python" /* OverlayAnalysisPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
defaultValue: false,
@@ -120937,23 +120914,13 @@ var featureConfig = {
["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
minimumVersion: void 0
},
["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
minimumVersion: void 0
},
["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
minimumVersion: void 0
},
["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -120969,11 +120936,8 @@ var featureConfig = {
["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
// For testing, this is not behind a CLI version check yet. However
// before rolling this out externally, we should set a minimum version here
// since current versions of the CodeQL CLI will log if baseline information
// cannot be found when interpreting results.
minimumVersion: void 0
minimumVersion: void 0,
toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
},
["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
defaultValue: false,
@@ -121494,6 +121458,7 @@ var semver5 = __toESM(require_semver2());
var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
return RepositoryPropertyName2;
})(RepositoryPropertyName || {});
var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -121521,28 +121486,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
var OVERLAY_ANALYSIS_FEATURES = {
actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
go: "overlay_analysis_go" /* OverlayAnalysisGo */,
java: "overlay_analysis_java" /* OverlayAnalysisJava */,
javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
python: "overlay_analysis_python" /* OverlayAnalysisPython */,
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
};
var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
};
// src/status-report.ts

567
lib/upload-lib.js generated

File diff suppressed because it is too large Load Diff


@@ -161292,6 +161292,7 @@ retry.VERSION = VERSION7;
// src/api-client.ts
var GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
var DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
function createApiClientWithDetails(apiDetails, { allowExternal = false } = {}) {
const auth2 = allowExternal && apiDetails.externalRepoAuth || apiDetails.auth;
const retryingOctokit = githubUtils.GitHub.plugin(retry);
@@ -161306,10 +161307,7 @@ function createApiClientWithDetails(apiDetails, { allowExternal = false } = {})
error: core5.error
},
retry: {
// The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
// with authentication, so we remove 401, 403, and 404 from the default list to ensure that
// these errors are retried.
doNotRetry: [400, 410, 422, 451]
doNotRetry: DO_NOT_RETRY_STATUSES
}
})
);
@@ -161523,6 +161521,7 @@ var semver2 = __toESM(require_semver2());
var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
return RepositoryPropertyName2;
})(RepositoryPropertyName || {});
var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
@@ -161573,6 +161572,12 @@ var semver3 = __toESM(require_semver2());
// src/overlay/index.ts
var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
@@ -161659,70 +161664,48 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION
},
["overlay_analysis_actions" /* OverlayAnalysisActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
minimumVersion: void 0
},
// Per-language overlay feature flags. Each has minimumVersion set to the
// minimum CLI version that supports overlay analysis for that language.
// Only languages that are GA or in staff-ship should have feature flags here.
["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
minimumVersion: void 0
},
["overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
minimumVersion: void 0
},
["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO
},
["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: {
defaultValue: false,
@@ -161734,25 +161717,20 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
minimumVersion: void 0
},
["overlay_analysis_go" /* OverlayAnalysisGo */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: void 0
},
["overlay_analysis_java" /* OverlayAnalysisJava */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA
},
["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT
},
["overlay_analysis_python" /* OverlayAnalysisPython */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON
},
["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: {
defaultValue: false,
@@ -161762,23 +161740,13 @@ var featureConfig = {
["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
minimumVersion: void 0
},
["overlay_analysis_rust" /* OverlayAnalysisRust */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
minimumVersion: void 0
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY
},
["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
minimumVersion: void 0
},
["overlay_analysis_swift" /* OverlayAnalysisSwift */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
minimumVersion: void 0
},
["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -161794,11 +161762,8 @@ var featureConfig = {
["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
// For testing, this is not behind a CLI version check yet. However
// before rolling this out externally, we should set a minimum version here
// since current versions of the CodeQL CLI will log if baseline information
// cannot be found when interpreting results.
minimumVersion: void 0
minimumVersion: void 0,
toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */
},
["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: {
defaultValue: false,
@@ -161836,28 +161801,20 @@ var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3;
var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6;
var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024;
var OVERLAY_ANALYSIS_FEATURES = {
actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
go: "overlay_analysis_go" /* OverlayAnalysisGo */,
java: "overlay_analysis_java" /* OverlayAnalysisJava */,
javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
python: "overlay_analysis_python" /* OverlayAnalysisPython */,
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */
};
var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */
};
// src/setup-codeql.ts

File diff suppressed because it is too large Load Diff


@@ -4,9 +4,16 @@ operatingSystems: ["macos", "ubuntu"]
env:
CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
installGo: true
installPython: true
installDotNet: true
steps:
- name: Install Python 3.13 for older CLI versions
# We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer.
# See https://github.com/github/codeql-action/pull/3212
if: matrix.version != 'nightly-latest' && matrix.version != 'linked'
uses: actions/setup-python@v6
with:
python-version: "3.13"
- name: Use Xcode 16
if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
run: sudo xcode-select -s "/Applications/Xcode_16.app"


@@ -5,6 +5,8 @@ import * as path from "path";
import * as yaml from "yaml";
import { KnownLanguage } from "../src/languages";
/** Known workflow input names. */
enum KnownInputName {
GoVersion = "go-version",
@@ -29,11 +31,7 @@ type WorkflowInputs = Partial<Record<KnownInputName, WorkflowInput>>;
/**
* Represents PR check specifications.
*/
interface Specification {
/** The display name for the check. */
name: string;
/** The workflow steps specific to this check. */
steps: any[];
interface Specification extends JobSpecification {
/** Workflow-level input definitions forwarded to `workflow_dispatch`/`workflow_call`. */
inputs?: Record<string, WorkflowInput>;
/** CodeQL bundle versions to test against. Defaults to `DEFAULT_TEST_VERSIONS`. */
@@ -45,27 +43,49 @@ interface Specification {
/** Values for the `analysis-kinds` matrix dimension. */
analysisKinds?: string[];
/** Container image configuration for the job. */
container?: any;
/** Service containers for the job. */
services?: any;
/** Additional jobs to run after the main PR check job. */
validationJobs?: Record<string, JobSpecification>;
/** If set, this check is part of a named collection that gets its own caller workflow. */
collection?: string;
}
/** Represents job specifications. */
interface JobSpecification {
/** The display name for the check. */
name: string;
/** Custom permissions override for the job. */
permissions?: Record<string, string>;
/** Extra environment variables for the job. */
env?: Record<string, any>;
/** The workflow steps specific to this check. */
steps: any[];
installNode?: boolean;
installGo?: boolean;
installJava?: boolean;
installPython?: boolean;
installDotNet?: boolean;
installYq?: boolean;
/** Container image configuration for the job. */
container?: any;
/** Service containers for the job. */
services?: any;
/** Custom permissions override for the job. */
permissions?: Record<string, string>;
/** Extra environment variables for the job. */
env?: Record<string, any>;
/** If set, this check is part of a named collection that gets its own caller workflow. */
collection?: string;
}
/** Describes language/framework-specific steps and inputs. */
interface LanguageSetup {
specProperty: keyof JobSpecification;
/** The names of the known inputs which are required for this setup step. */
inputs?: KnownInputName[];
steps: any[];
}
/** Describes partial mappings from known languages to their specific setup information. */
type LanguageSetups = Partial<Record<KnownLanguage, LanguageSetup>>;
// The default set of CodeQL Bundle versions to use for the PR checks.
const defaultTestVersions = [
// The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
@@ -90,6 +110,147 @@ const defaultTestVersions = [
"nightly-latest",
];
/** The default versions we use for languages / frameworks, if not specified as a workflow input. */
const defaultLanguageVersions = {
javascript: "20.x",
go: ">=1.21.0",
java: "17",
python: "3.13",
csharp: "9.x",
} as const satisfies Partial<Record<KnownLanguage, string>>;
/** A mapping from known input names to their specifications. */
const inputSpecs: WorkflowInputs = {
[KnownInputName.GoVersion]: {
type: "string",
description: "The version of Go to install",
required: false,
default: defaultLanguageVersions.go,
},
[KnownInputName.JavaVersion]: {
type: "string",
description: "The version of Java to install",
required: false,
default: defaultLanguageVersions.java,
},
[KnownInputName.PythonVersion]: {
type: "string",
description: "The version of Python to install",
required: false,
default: defaultLanguageVersions.python,
},
[KnownInputName.DotnetVersion]: {
type: "string",
description: "The version of .NET to install",
required: false,
default: defaultLanguageVersions.csharp,
},
};
/** Obtains a `WorkflowInputs` object for all the inputs given by `requiredInputs`. */
function getSetupInputs(requiredInputs: Set<KnownInputName>): WorkflowInputs {
const inputs: WorkflowInputs = {};
// Copy the input specifications for the requested inputs into the output.
for (const requiredInput of requiredInputs) {
inputs[requiredInput] = inputSpecs[requiredInput];
}
return inputs;
}
/** A partial mapping from known languages to their specific setup information. */
const languageSetups: LanguageSetups = {
javascript: {
specProperty: "installNode",
steps: [
{
name: "Install Node.js",
uses: "actions/setup-node@v6",
with: {
"node-version": defaultLanguageVersions.javascript,
cache: "npm",
},
},
{
name: "Install dependencies",
run: "npm ci",
},
],
},
go: {
specProperty: "installGo",
inputs: [KnownInputName.GoVersion],
steps: [
{
name: "Install Go",
uses: "actions/setup-go@v6",
with: {
"go-version":
"${{ inputs.go-version || '" + defaultLanguageVersions.go + "' }}",
// to avoid potentially misleading autobuilder results where we expect it to download
// dependencies successfully, but they actually come from a warm cache
cache: false,
},
},
],
},
java: {
specProperty: "installJava",
inputs: [KnownInputName.JavaVersion],
steps: [
{
name: "Install Java",
uses: "actions/setup-java@v5",
with: {
"java-version":
"${{ inputs.java-version || '" +
defaultLanguageVersions.java +
"' }}",
distribution: "temurin",
},
},
],
},
python: {
specProperty: "installPython",
inputs: [KnownInputName.PythonVersion],
steps: [
{
name: "Install Python",
uses: "actions/setup-python@v6",
with: {
"python-version":
"${{ inputs.python-version || '" +
defaultLanguageVersions.python +
"' }}",
},
},
],
},
csharp: {
specProperty: "installDotNet",
inputs: [KnownInputName.DotnetVersion],
steps: [
{
name: "Install .NET",
uses: "actions/setup-dotnet@v5",
with: {
"dotnet-version":
"${{ inputs.dotnet-version || '" +
defaultLanguageVersions.csharp +
"' }}",
},
},
],
},
};
// This is essentially an arbitrary version of `yq`, which happened to be the one that
// `choco` fetched when we moved away from using that here.
// See https://github.com/github/codeql-action/pull/3423
const YQ_VERSION = "v4.50.1";
const THIS_DIR = __dirname;
const CHECKS_DIR = path.join(THIS_DIR, "checks");
const OUTPUT_DIR = path.join(THIS_DIR, "..", ".github", "workflows");
@@ -102,6 +263,11 @@ function loadYaml(filePath: string): yaml.Document {
return yaml.parseDocument(content);
}
/** Computes the union of all given `sets`. */
function unionAll<T>(sets: Array<Set<T>>): Set<T> {
return sets.reduce((prev, cur) => prev.union(cur), new Set<T>());
}
/**
* Serialize a value to YAML and write it to a file, prepended with the
* standard header comment.
@@ -134,6 +300,287 @@ function stripTrailingWhitespace(content: string): string {
.join("\n");
}
/** Generates the matrix for a job. */
function generateJobMatrix(
checkSpecification: Specification,
): Array<Record<string, any>> {
let matrix: Array<Record<string, any>> = [];
for (const version of checkSpecification.versions ?? defaultTestVersions) {
if (version === "latest") {
throw new Error(
`Did not recognise "version: ${version}". Did you mean "version: linked"?`,
);
}
const runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"];
const operatingSystems = checkSpecification.operatingSystems ?? ["ubuntu"];
for (const operatingSystem of operatingSystems) {
const runnerImagesForOs = runnerImages.filter((image) =>
image.startsWith(operatingSystem),
);
for (const runnerImage of runnerImagesForOs) {
matrix.push({
os: runnerImage,
version,
});
}
}
}
if (checkSpecification.analysisKinds) {
const newMatrix: Array<Record<string, any>> = [];
for (const matrixInclude of matrix) {
for (const analysisKind of checkSpecification.analysisKinds) {
newMatrix.push({
...matrixInclude,
"analysis-kinds": analysisKind,
});
}
}
matrix = newMatrix;
}
return matrix;
}
/**
* Retrieves setup steps and additional input definitions based on specific languages or frameworks
* that are requested by the `checkSpecification`.
*
* @returns An object containing setup steps and required input names.
*/
function getSetupSteps(checkSpecification: JobSpecification): {
inputs: Set<KnownInputName>;
steps: any[];
} {
const inputs: Array<Set<KnownInputName>> = [];
const steps: any[] = [];
for (const language of Object.values(KnownLanguage).sort()) {
const setupSpec = languageSetups[language];
if (
setupSpec === undefined ||
checkSpecification[setupSpec.specProperty] !== true
) {
continue;
}
steps.push(...setupSpec.steps);
inputs.push(new Set(setupSpec.inputs));
}
const installYq = checkSpecification.installYq;
if (installYq) {
steps.push({
name: "Install yq",
if: "runner.os == 'Windows'",
env: {
YQ_PATH: "${{ runner.temp }}/yq",
YQ_VERSION,
},
run:
'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n' +
'echo "$YQ_PATH" >> "$GITHUB_PATH"',
});
}
return { inputs: unionAll(inputs), steps };
}
/**
* Generates an Actions job from the `checkSpecification`.
*
* @param specDocument
* The raw YAML document of the PR check specification.
* Used to extract `jobs` without losing the original formatting.
* @param checkSpecification The PR check specification.
* @returns The job and additional workflow inputs.
*/
function generateJob(
specDocument: yaml.Document,
checkSpecification: Specification,
) {
const matrix: Array<Record<string, any>> =
generateJobMatrix(checkSpecification);
const useAllPlatformBundle = checkSpecification.useAllPlatformBundle
? checkSpecification.useAllPlatformBundle
: "false";
// Determine which languages or frameworks have to be installed.
const setupInfo = getSetupSteps(checkSpecification);
const workflowInputs = setupInfo.inputs;
// Construct the workflow steps needed for this check.
const steps: any[] = [
{
name: "Check out repository",
uses: "actions/checkout@v6",
},
...setupInfo.steps,
{
name: "Prepare test",
id: "prepare-test",
uses: "./.github/actions/prepare-test",
with: {
version: "${{ matrix.version }}",
"use-all-platform-bundle": useAllPlatformBundle,
// If the action is being run from a container, then do not setup kotlin.
// This is because the kotlin binaries cannot be downloaded from the container.
"setup-kotlin": "container" in checkSpecification ? "false" : "true",
},
},
];
// Extract the sequence of steps from the YAML document to persist as much formatting as possible.
const specSteps = specDocument.get("steps") as yaml.YAMLSeq;
// A handful of workflow specifications use double quotes for values, while we generally use single quotes.
// This replaces double quotes with single quotes for consistency.
yaml.visit(specSteps, {
Scalar(_key, node) {
if (node.type === "QUOTE_DOUBLE") {
node.type = "QUOTE_SINGLE";
}
},
});
// Add the generated steps in front of the ones from the specification.
specSteps.items.unshift(...steps);
const checkJob: Record<string, any> = {
strategy: {
"fail-fast": false,
matrix: {
include: matrix,
},
},
name: checkSpecification.name,
if: "github.triggering_actor != 'dependabot[bot]'",
permissions: {
contents: "read",
"security-events": "read",
},
"timeout-minutes": 45,
"runs-on": "${{ matrix.os }}",
steps: specSteps,
};
if (checkSpecification.permissions) {
checkJob.permissions = checkSpecification.permissions;
}
for (const key of ["env", "container", "services"] as const) {
if (checkSpecification[key] !== undefined) {
checkJob[key] = checkSpecification[key];
}
}
checkJob.env = checkJob.env ?? {};
if (!("CODEQL_ACTION_TEST_MODE" in checkJob.env)) {
checkJob.env.CODEQL_ACTION_TEST_MODE = true;
}
return { checkJob, workflowInputs };
}
/** Generates a validation job. */
function generateValidationJob(
specDocument: yaml.Document,
jobSpecification: JobSpecification,
checkName: string,
name: string,
) {
// Determine which languages or frameworks have to be installed.
const { inputs, steps } = getSetupSteps(jobSpecification);
// Extract the sequence of steps from the YAML document to persist as much formatting as possible.
const specSteps = specDocument.getIn([
"validationJobs",
name,
"steps",
]) as yaml.YAMLSeq;
// Add the generated steps in front of the ones from the specification.
specSteps.items.unshift(...steps);
const validationJob: Record<string, any> = {
name: jobSpecification.name,
if: "github.triggering_actor != 'dependabot[bot]'",
needs: [checkName],
permissions: {
contents: "read",
"security-events": "read",
},
"timeout-minutes": 5,
"runs-on": "ubuntu-slim",
steps: specSteps,
};
if (jobSpecification.permissions) {
validationJob.permissions = jobSpecification.permissions;
}
for (const key of ["env"] as const) {
if (jobSpecification[key] !== undefined) {
validationJob[key] = jobSpecification[key];
}
}
validationJob.env = validationJob.env ?? {};
if (!("CODEQL_ACTION_TEST_MODE" in validationJob.env)) {
validationJob.env.CODEQL_ACTION_TEST_MODE = true;
}
return { validationJob, inputs };
}
/** Generates additional jobs that run after the main check job, based on the `validationJobs` property. */
function generateValidationJobs(
specDocument: yaml.Document,
checkSpecification: Specification,
checkName: string,
): {
validationJobs: Record<string, any>;
workflowInputs: Set<KnownInputName>;
} {
if (checkSpecification.validationJobs === undefined) {
return { validationJobs: {}, workflowInputs: new Set() };
}
const validationJobs: Record<string, any> = {};
const workflowInputs: Array<Set<KnownInputName>> = [];
for (const [jobName, jobSpec] of Object.entries(
checkSpecification.validationJobs,
)) {
if (checkName === jobName) {
throw new Error(
`Validation job '${jobName}' cannot have the same name as the main job.`,
);
}
const { validationJob, inputs } = generateValidationJob(
specDocument,
jobSpec,
checkName,
jobName,
);
validationJobs[jobName] = validationJob;
workflowInputs.push(inputs);
}
return {
validationJobs,
workflowInputs: unionAll(workflowInputs),
};
}
/**
* Main entry point for the sync script.
*/
@@ -166,248 +613,15 @@ function main(): void {
console.log(`Processing: ${checkName} — "${checkSpecification.name}"`);
const workflowInputs: WorkflowInputs = {};
let matrix: Array<Record<string, any>> = [];
for (const version of checkSpecification.versions ?? defaultTestVersions) {
if (version === "latest") {
throw new Error(
'Did not recognise "version: latest". Did you mean "version: linked"?',
);
}
const runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"];
const operatingSystems = checkSpecification.operatingSystems ?? [
"ubuntu",
];
for (const operatingSystem of operatingSystems) {
const runnerImagesForOs = runnerImages.filter((image) =>
image.startsWith(operatingSystem),
);
for (const runnerImage of runnerImagesForOs) {
matrix.push({
os: runnerImage,
version,
});
}
}
}
const useAllPlatformBundle = checkSpecification.useAllPlatformBundle
? checkSpecification.useAllPlatformBundle
: "false";
if (checkSpecification.analysisKinds) {
const newMatrix: Array<Record<string, any>> = [];
for (const matrixInclude of matrix) {
for (const analysisKind of checkSpecification.analysisKinds) {
newMatrix.push({
...matrixInclude,
"analysis-kinds": analysisKind,
});
}
}
matrix = newMatrix;
}
// Construct the workflow steps needed for this check.
const steps: any[] = [
{
name: "Check out repository",
uses: "actions/checkout@v6",
},
];
const installNode = checkSpecification.installNode;
if (installNode) {
steps.push(
{
name: "Install Node.js",
uses: "actions/setup-node@v6",
with: {
"node-version": "20.x",
cache: "npm",
},
},
{
name: "Install dependencies",
run: "npm ci",
},
);
}
steps.push({
name: "Prepare test",
id: "prepare-test",
uses: "./.github/actions/prepare-test",
with: {
version: "${{ matrix.version }}",
"use-all-platform-bundle": useAllPlatformBundle,
// If the action is being run from a container, then do not setup kotlin.
// This is because the kotlin binaries cannot be downloaded from the container.
"setup-kotlin": "container" in checkSpecification ? "false" : "true",
},
});
const installGo = checkSpecification.installGo;
if (installGo) {
const baseGoVersionExpr = ">=1.21.0";
workflowInputs[KnownInputName.GoVersion] = {
type: "string",
description: "The version of Go to install",
required: false,
default: baseGoVersionExpr,
};
steps.push({
name: "Install Go",
uses: "actions/setup-go@v6",
with: {
"go-version":
"${{ inputs.go-version || '" + baseGoVersionExpr + "' }}",
// to avoid potentially misleading autobuilder results where we expect it to download
// dependencies successfully, but they actually come from a warm cache
cache: false,
},
});
}
const installJava = checkSpecification.installJava;
if (installJava) {
const baseJavaVersionExpr = "17";
workflowInputs[KnownInputName.JavaVersion] = {
type: "string",
description: "The version of Java to install",
required: false,
default: baseJavaVersionExpr,
};
steps.push({
name: "Install Java",
uses: "actions/setup-java@v5",
with: {
"java-version":
"${{ inputs.java-version || '" + baseJavaVersionExpr + "' }}",
distribution: "temurin",
},
});
}
const installPython = checkSpecification.installPython;
if (installPython) {
const basePythonVersionExpr = "3.13";
workflowInputs[KnownInputName.PythonVersion] = {
type: "string",
description: "The version of Python to install",
required: false,
default: basePythonVersionExpr,
};
steps.push({
name: "Install Python",
if: "matrix.version != 'nightly-latest'",
uses: "actions/setup-python@v6",
with: {
"python-version":
"${{ inputs.python-version || '" + basePythonVersionExpr + "' }}",
},
});
}
const installDotNet = checkSpecification.installDotNet;
if (installDotNet) {
const baseDotNetVersionExpr = "9.x";
workflowInputs[KnownInputName.DotnetVersion] = {
type: "string",
description: "The version of .NET to install",
required: false,
default: baseDotNetVersionExpr,
};
steps.push({
name: "Install .NET",
uses: "actions/setup-dotnet@v5",
with: {
"dotnet-version":
"${{ inputs.dotnet-version || '" + baseDotNetVersionExpr + "' }}",
},
});
}
const installYq = checkSpecification.installYq;
if (installYq) {
steps.push({
name: "Install yq",
if: "runner.os == 'Windows'",
env: {
YQ_PATH: "${{ runner.temp }}/yq",
// This is essentially an arbitrary version of `yq`, which happened to be the one that
// `choco` fetched when we moved away from using that here.
// See https://github.com/github/codeql-action/pull/3423
YQ_VERSION: "v4.50.1",
},
run:
'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n' +
'echo "$YQ_PATH" >> "$GITHUB_PATH"',
});
}
// Extract the sequence of steps from the YAML document to persist as much formatting as possible.
const specSteps = specDocument.get("steps") as yaml.YAMLSeq;
// A handful of workflow specifications use double quotes for values, while we generally use single quotes.
// This replaces double quotes with single quotes for consistency.
yaml.visit(specSteps, {
Scalar(_key, node) {
if (node.type === "QUOTE_DOUBLE") {
node.type = "QUOTE_SINGLE";
}
},
});
// Add the generated steps in front of the ones from the specification.
specSteps.items.unshift(...steps);
const checkJob: Record<string, any> = {
strategy: {
"fail-fast": false,
matrix: {
include: matrix,
},
},
name: checkSpecification.name,
if: "github.triggering_actor != 'dependabot[bot]'",
permissions: {
contents: "read",
"security-events": "read",
},
"timeout-minutes": 45,
"runs-on": "${{ matrix.os }}",
steps: specSteps,
};
if (checkSpecification.permissions) {
checkJob.permissions = checkSpecification.permissions;
}
for (const key of ["env", "container", "services"] as const) {
if (checkSpecification[key] !== undefined) {
checkJob[key] = checkSpecification[key];
}
}
checkJob.env = checkJob.env ?? {};
if (!("CODEQL_ACTION_TEST_MODE" in checkJob.env)) {
checkJob.env.CODEQL_ACTION_TEST_MODE = true;
}
const { checkJob, workflowInputs } = generateJob(
specDocument,
checkSpecification,
);
const { validationJobs, workflowInputs: validationJobInputs } =
generateValidationJobs(specDocument, checkSpecification, checkName);
const combinedInputs = getSetupInputs(
workflowInputs.union(validationJobInputs),
);
// If this check belongs to a named collection, record it.
if (checkSpecification.collection) {
@@ -418,12 +632,12 @@ function main(): void {
collections[collectionName].push({
specification: checkSpecification,
checkName,
inputs: workflowInputs,
inputs: combinedInputs,
});
}
let extraGroupName = "";
for (const inputName of Object.keys(workflowInputs)) {
for (const inputName of Object.keys(combinedInputs)) {
extraGroupName += "-${{inputs." + inputName + "}}";
}
@@ -448,10 +662,10 @@ function main(): void {
},
schedule: [{ cron }],
workflow_dispatch: {
inputs: workflowInputs,
inputs: combinedInputs,
},
workflow_call: {
inputs: workflowInputs,
inputs: combinedInputs,
},
},
defaults: {
@@ -466,6 +680,7 @@ function main(): void {
},
jobs: {
[checkName]: checkJob,
...validationJobs,
},
};
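Review bot: The "Install yq" step built in `getSetupSteps` downloads `yq_windows_amd64.exe` with `gh release download` and appends its directory to `$GITHUB_PATH` without verifying the binary. `YQ_VERSION` pins only a release tag, and the asset behind a tag can be replaced, so later steps in the job would execute whatever the release serves at that moment. I would record the expected digest in a constant next to `YQ_VERSION`, pass it through the step's `env`, and check it before the `echo "$YQ_PATH" >> "$GITHUB_PATH"` line, e.g. `echo "$YQ_SHA256  $YQ_PATH/yq.exe" | sha256sum -c -`, where `YQ_SHA256` is a placeholder name for that digest. This assumes `sha256sum` is available in the Windows runner's bash, which should be confirmed.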

12
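--- a/pr-checks/tsconfig.json
+++ b/pr-checks/tsconfig.json
@@ -0,0 +1,12 @@
+{
+"extends": "../tsconfig.json",
+"compilerOptions": {
+/* Basic Options */
+"lib": ["esnext"],
+"rootDir": "..",
+"sourceMap": false,
+"noEmit": true,
+},
+"include": ["./*.ts", "../src/**/*.ts"],
+"exclude": ["node_modules"]
+}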


@@ -5,6 +5,7 @@ import * as sinon from "sinon";
import * as actionsUtil from "./actions-util";
import * as api from "./api-client";
import { DO_NOT_RETRY_STATUSES } from "./api-client";
import { setupTests } from "./testing-utils";
import * as util from "./util";
@@ -37,7 +38,7 @@ test.serial("getApiClient", async (t) => {
log: sinon.match.any,
userAgent: `CodeQL-Action/${actionsUtil.getActionVersion()}`,
retry: {
doNotRetry: [400, 410, 422, 451],
doNotRetry: DO_NOT_RETRY_STATUSES,
},
}),
);
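Review bot: The `getApiClient` assertion now matches `retry.doNotRetry` against `DO_NOT_RETRY_STATUSES`, the same constant the implementation passes, so the test no longer pins which status codes are excluded from retries. An accidental edit to the constant, such as dropping a code or re-adding an authentication-related one, would still pass. I would keep the import and add `t.deepEqual(DO_NOT_RETRY_STATUSES, [400, 410, 422, 451]);`, or leave the literal inside the `sinon.match`, so the list itself stays under test. The test body starts and ends outside the hunk.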


@@ -19,6 +19,15 @@ import {
const GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
/**
* HTTP status codes that should not be retried.
*
* The default Octokit list is 400, 401, 403, 404, 410, 422, and 451. We have
* observed transient errors with authentication, so we remove 401, 403, and 404
* from the default list to ensure that these errors are retried.
*/
export const DO_NOT_RETRY_STATUSES = [400, 410, 422, 451];
export type GitHubApiCombinedDetails = GitHubApiDetails &
GitHubApiExternalRepoDetails;
@@ -52,10 +61,7 @@ function createApiClientWithDetails(
error: core.error,
},
retry: {
// The default is 400, 401, 403, 404, 410, 422, and 451. We have observed transient errors
// with authentication, so we remove 401, 403, and 404 from the default list to ensure that
// these errors are retried.
doNotRetry: [400, 410, 422, 451],
doNotRetry: DO_NOT_RETRY_STATUSES,
},
}),
);
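Review bot: `DO_NOT_RETRY_STATUSES` is exported as a plain mutable array, so any importer that pushes to it or sorts it changes the retry policy of every API client created afterwards. Declaring it read-only turns that into a compile error: `export const DO_NOT_RETRY_STATUSES: readonly number[] = [400, 410, 422, 451];`. If the Octokit option type insists on a mutable array (not visible here), pass a copy at the call site with `doNotRetry: [...DO_NOT_RETRY_STATUSES]`. `createApiClientWithDetails` starts and ends outside the hunk.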


@@ -2011,6 +2011,23 @@ for (const language in KnownLanguage) {
);
}
// Verify that a language without a per-language overlay feature flag cannot have
// overlay analysis enabled, even when the base overlay feature flag is on.
// Using cpp here as it doesn't currently have overlay support — update this if
// cpp gains overlay support.
test.serial(
checkOverlayEnablementMacro,
"No overlay analysis for language without per-language overlay feature flag",
{
languages: [KnownLanguage.cpp],
features: [Feature.OverlayAnalysis],
isPullRequest: true,
},
{
disabledReason: OverlayDisabledReason.LanguageNotEnabled,
},
);
test.serial(
"hasActionsWorkflows doesn't throw if workflows folder doesn't exist",
async (t) => {


@@ -630,30 +630,29 @@ async function loadUserConfig(
}
}
const OVERLAY_ANALYSIS_FEATURES: Record<Language, Feature> = {
actions: Feature.OverlayAnalysisActions,
cpp: Feature.OverlayAnalysisCpp,
/**
* Maps languages to their overlay analysis feature flags. Only languages that
* are GA or in staff-ship for overlay analysis are included here. Languages
* without an entry will have overlay analysis disabled.
*/
const OVERLAY_ANALYSIS_FEATURES: Partial<Record<Language, Feature>> = {
csharp: Feature.OverlayAnalysisCsharp,
go: Feature.OverlayAnalysisGo,
java: Feature.OverlayAnalysisJava,
javascript: Feature.OverlayAnalysisJavascript,
python: Feature.OverlayAnalysisPython,
ruby: Feature.OverlayAnalysisRuby,
rust: Feature.OverlayAnalysisRust,
swift: Feature.OverlayAnalysisSwift,
};
const OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES: Record<Language, Feature> = {
actions: Feature.OverlayAnalysisCodeScanningActions,
cpp: Feature.OverlayAnalysisCodeScanningCpp,
const OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES: Partial<
Record<Language, Feature>
> = {
csharp: Feature.OverlayAnalysisCodeScanningCsharp,
go: Feature.OverlayAnalysisCodeScanningGo,
java: Feature.OverlayAnalysisCodeScanningJava,
javascript: Feature.OverlayAnalysisCodeScanningJavascript,
python: Feature.OverlayAnalysisCodeScanningPython,
ruby: Feature.OverlayAnalysisCodeScanningRuby,
rust: Feature.OverlayAnalysisCodeScanningRust,
swift: Feature.OverlayAnalysisCodeScanningSwift,
};
/**
@@ -1555,6 +1554,13 @@ export function isCodeQualityEnabled(config: Config): boolean {
return config.analysisKinds.includes(AnalysisKind.CodeQuality);
}
/**
* Returns `true` if Code Scanning Risk Assessment analysis is enabled, or `false` if not.
*/
export function isRiskAssessmentEnabled(config: Config): boolean {
return config.analysisKinds.includes(AnalysisKind.RiskAssessment);
}
/**
* Returns the primary analysis kind that the Action is initialised with. If there is only
* one analysis kind, then that is returned.
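Review bot: `OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES` becomes `Partial<Record<Language, Feature>>` without the doc comment that `OVERLAY_ANALYSIS_FEATURES` receives. With both maps partial, the compiler no longer checks that a language present in one is present in the other. If the two key sets are meant to stay aligned (an inference from the parallel entries), say so on the second map: `/** Code-scanning-specific counterparts of OVERLAY_ANALYSIS_FEATURES; keep the set of languages identical. */`. The code that reads these maps is outside the hunk; it has to treat a missing entry as "overlay disabled" rather than passing `undefined` on to the feature lookup.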


@@ -15,6 +15,7 @@ import * as gitUtils from "./git-utils";
import { KnownLanguage } from "./languages";
import { RepositoryNwo } from "./repository";
import {
checkExpectedLogMessages,
createFeatures,
createTestConfig,
getRecordingLogger,
@@ -93,7 +94,7 @@ test.serial(
.returns("false");
sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
const loggedMessages = [];
const loggedMessages: LoggedMessage[] = [];
await cleanupAndUploadDatabases(
testRepoName,
getCodeQL(),
@@ -102,14 +103,9 @@ test.serial(
createFeatures([]),
getRecordingLogger(loggedMessages),
);
t.assert(
loggedMessages.find(
(v: LoggedMessage) =>
v.type === "debug" &&
v.message ===
"Database upload disabled in workflow. Skipping upload.",
) !== undefined,
);
checkExpectedLogMessages(t, loggedMessages, [
"Database upload disabled in workflow. Skipping upload.",
]);
});
},
);
@@ -127,7 +123,7 @@ test.serial(
await mockHttpRequests(201);
const loggedMessages = [];
const loggedMessages: LoggedMessage[] = [];
await cleanupAndUploadDatabases(
testRepoName,
getCodeQL(),
@@ -139,14 +135,9 @@ test.serial(
createFeatures([]),
getRecordingLogger(loggedMessages),
);
t.assert(
loggedMessages.find(
(v: LoggedMessage) =>
v.type === "debug" &&
v.message ===
"Not uploading database because 'analysis-kinds: code-scanning' is not enabled.",
) !== undefined,
);
checkExpectedLogMessages(t, loggedMessages, [
"Not uploading database because 'analysis-kinds: code-scanning' is not enabled.",
]);
});
},
);
@@ -163,7 +154,7 @@ test.serial("Abort database upload if running against GHES", async (t) => {
const config = getTestConfig(tmpDir);
config.gitHubVersion = { type: GitHubVariant.GHES, version: "3.0" };
const loggedMessages = [];
const loggedMessages: LoggedMessage[] = [];
await cleanupAndUploadDatabases(
testRepoName,
getCodeQL(),
@@ -172,14 +163,9 @@ test.serial("Abort database upload if running against GHES", async (t) => {
createFeatures([]),
getRecordingLogger(loggedMessages),
);
t.assert(
loggedMessages.find(
(v: LoggedMessage) =>
v.type === "debug" &&
v.message ===
"Not running against github.com or GHEC-DR. Skipping upload.",
) !== undefined,
);
checkExpectedLogMessages(t, loggedMessages, [
"Not running against github.com or GHEC-DR. Skipping upload.",
]);
});
});
@@ -194,7 +180,7 @@ test.serial(
.returns("true");
sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(false);
const loggedMessages = [];
const loggedMessages: LoggedMessage[] = [];
await cleanupAndUploadDatabases(
testRepoName,
getCodeQL(),
@@ -203,48 +189,90 @@ test.serial(
createFeatures([]),
getRecordingLogger(loggedMessages),
);
t.assert(
loggedMessages.find(
(v: LoggedMessage) =>
v.type === "debug" &&
v.message === "Not analyzing default branch. Skipping upload.",
) !== undefined,
);
checkExpectedLogMessages(t, loggedMessages, [
"Not analyzing default branch. Skipping upload.",
]);
});
},
);
test.serial("Don't crash if uploading a database fails", async (t) => {
await withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
sinon
.stub(actionsUtil, "getRequiredInput")
.withArgs("upload-database")
.returns("true");
sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
test.serial(
"Don't crash if uploading a database fails with a non-retryable error",
async (t) => {
await withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
sinon
.stub(actionsUtil, "getRequiredInput")
.withArgs("upload-database")
.returns("true");
sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
await mockHttpRequests(500);
const databaseUploadSpy = await mockHttpRequests(422);
const loggedMessages = [] as LoggedMessage[];
await cleanupAndUploadDatabases(
testRepoName,
getCodeQL(),
getTestConfig(tmpDir),
testApiDetails,
createFeatures([]),
getRecordingLogger(loggedMessages),
);
const loggedMessages: LoggedMessage[] = [];
await cleanupAndUploadDatabases(
testRepoName,
getCodeQL(),
getTestConfig(tmpDir),
testApiDetails,
createFeatures([]),
getRecordingLogger(loggedMessages),
);
t.assert(
loggedMessages.find(
(v) =>
v.type === "warning" &&
v.message ===
"Failed to upload database for javascript: some error message",
) !== undefined,
);
});
});
checkExpectedLogMessages(t, loggedMessages, [
"Failed to upload database for javascript: some error message",
]);
// Non-retryable errors should not be retried.
t.is(databaseUploadSpy.callCount, 1);
});
},
);
test.serial(
"Don't crash if uploading a database fails with a retryable error",
async (t) => {
await withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
sinon
.stub(actionsUtil, "getRequiredInput")
.withArgs("upload-database")
.returns("true");
sinon.stub(gitUtils, "isAnalyzingDefaultBranch").resolves(true);
const databaseUploadSpy = await mockHttpRequests(500);
// Stub setTimeout to fire immediately to avoid real delays from retry backoff.
const originalSetTimeout = global.setTimeout;
const setTimeoutStub = sinon
.stub(global, "setTimeout")
.callsFake((fn: () => void) => originalSetTimeout(fn, 0));
const loggedMessages: LoggedMessage[] = [];
await cleanupAndUploadDatabases(
testRepoName,
getCodeQL(),
getTestConfig(tmpDir),
testApiDetails,
createFeatures([]),
getRecordingLogger(loggedMessages),
);
checkExpectedLogMessages(t, loggedMessages, [
"Failed to upload database for javascript: some error message",
]);
// Retryable errors should be retried the expected number of times.
t.is(databaseUploadSpy.callCount, 4);
// setTimeout should have been called with the expected backoff delays.
const setTimeoutDelays = setTimeoutStub.args.map(
(args) => args[1] as number,
);
t.deepEqual(setTimeoutDelays, [15_000, 30_000, 60_000]);
});
},
);
test.serial("Successfully uploading a database to github.com", async (t) => {
await withTmpDir(async (tmpDir) => {
@@ -257,7 +285,7 @@ test.serial("Successfully uploading a database to github.com", async (t) => {
await mockHttpRequests(201);
const loggedMessages = [] as LoggedMessage[];
const loggedMessages: LoggedMessage[] = [];
await cleanupAndUploadDatabases(
testRepoName,
getCodeQL(),
@@ -266,13 +294,9 @@ test.serial("Successfully uploading a database to github.com", async (t) => {
createFeatures([]),
getRecordingLogger(loggedMessages),
);
t.assert(
loggedMessages.find(
(v) =>
v.type === "debug" &&
v.message === "Successfully uploaded database for javascript",
) !== undefined,
);
checkExpectedLogMessages(t, loggedMessages, [
"Successfully uploaded database for javascript",
]);
});
});
@@ -287,7 +311,7 @@ test.serial("Successfully uploading a database to GHEC-DR", async (t) => {
const databaseUploadSpy = await mockHttpRequests(201);
const loggedMessages = [] as LoggedMessage[];
const loggedMessages: LoggedMessage[] = [];
await cleanupAndUploadDatabases(
testRepoName,
getCodeQL(),
@@ -300,13 +324,9 @@ test.serial("Successfully uploading a database to GHEC-DR", async (t) => {
createFeatures([]),
getRecordingLogger(loggedMessages),
);
t.assert(
loggedMessages.find(
(v) =>
v.type === "debug" &&
v.message === "Successfully uploaded database for javascript",
) !== undefined,
);
checkExpectedLogMessages(t, loggedMessages, [
"Successfully uploaded database for javascript",
]);
t.assert(
databaseUploadSpy.calledOnceWith(
sinon.match.string,
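Review bot: In the "retryable error" test the `setTimeout` stub replaces the global timer for everything that runs inside `cleanupAndUploadDatabases`, not only the retry backoff. Any other timer scheduled during the call (by the HTTP mock or the client, for example) would therefore appear in `setTimeoutStub.args` and break the exact `t.deepEqual(setTimeoutDelays, [15_000, 30_000, 60_000])` for reasons unrelated to backoff. Restricting the assertion to the backoff calls is more robust, e.g. `const setTimeoutDelays = setTimeoutStub.args.map((args) => args[1] as number).filter((ms) => ms >= 15_000);`. The stub is not restored inside the test; presumably `setupTests` restores the sinon sandbox, but that is not visible here and is worth a comment next to the stub.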


@@ -2,7 +2,11 @@ import * as fs from "fs";
import * as actionsUtil from "./actions-util";
import { AnalysisKind } from "./analyses";
import { getApiClient, GitHubApiDetails } from "./api-client";
import {
DO_NOT_RETRY_STATUSES,
getApiClient,
GitHubApiDetails,
} from "./api-client";
import { type CodeQL } from "./codeql";
import { Config } from "./config-utils";
import { Feature, FeatureEnablement } from "./feature-flags";
@@ -11,7 +15,7 @@ import { Logger, withGroupAsync } from "./logging";
import { OverlayDatabaseMode } from "./overlay";
import { RepositoryNwo } from "./repository";
import * as util from "./util";
import { bundleDb, CleanupLevel, parseGitHubUrl } from "./util";
import { asHTTPError, bundleDb, CleanupLevel, parseGitHubUrl } from "./util";
/** Information about a database upload. */
export interface DatabaseUploadResult {
@@ -81,18 +85,6 @@ export async function cleanupAndUploadDatabases(
await codeql.databaseCleanupCluster(config, cleanupLevel);
});
const client = getApiClient();
const uploadsUrl = new URL(parseGitHubUrl(apiDetails.url));
uploadsUrl.hostname = `uploads.${uploadsUrl.hostname}`;
// Octokit expects the baseUrl to not have a trailing slash,
// but it is included by default in a URL.
let uploadsBaseUrl = uploadsUrl.toString();
if (uploadsBaseUrl.endsWith("/")) {
uploadsBaseUrl = uploadsBaseUrl.slice(0, -1);
}
const reports: DatabaseUploadResult[] = [];
for (const language of config.languages) {
let bundledDbSize: number | undefined = undefined;
@@ -105,40 +97,51 @@ export async function cleanupAndUploadDatabases(
includeDiagnostics: false,
});
bundledDbSize = fs.statSync(bundledDb).size;
const bundledDbReadStream = fs.createReadStream(bundledDb);
const commitOid = await gitUtils.getCommitOid(
actionsUtil.getRequiredInput("checkout_path"),
);
try {
const startTime = performance.now();
await client.request(
`POST /repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name&commit_oid=:commit_oid`,
{
baseUrl: uploadsBaseUrl,
owner: repositoryNwo.owner,
repo: repositoryNwo.repo,
// Upload with manual retry logic. We disable Octokit's built-in retries
// because the request body is a ReadStream, which can only be consumed
// once.
const maxAttempts = 4; // 1 initial attempt + 3 retries, identical to the default retry behavior of Octokit
let uploadDurationMs: number | undefined;
for (let attempt = 1; attempt <= maxAttempts; attempt++) {
try {
uploadDurationMs = await uploadBundledDatabase(
repositoryNwo,
language,
name: `${language}-database`,
commit_oid: commitOid,
data: bundledDbReadStream,
headers: {
authorization: `token ${apiDetails.auth}`,
"Content-Type": "application/zip",
"Content-Length": bundledDbSize,
},
},
);
const endTime = performance.now();
reports.push({
language,
zipped_upload_size_bytes: bundledDbSize,
is_overlay_base: shouldUploadOverlayBase,
upload_duration_ms: endTime - startTime,
});
logger.debug(`Successfully uploaded database for ${language}`);
} finally {
bundledDbReadStream.close();
commitOid,
bundledDb,
bundledDbSize,
apiDetails,
);
break;
} catch (e) {
const httpError = asHTTPError(e);
const isRetryable =
!httpError || !DO_NOT_RETRY_STATUSES.includes(httpError.status);
if (!isRetryable) {
throw e;
} else if (attempt === maxAttempts) {
logger.error(
`Maximum retry attempts exhausted (${attempt}), aborting database upload`,
);
throw e;
}
const backoffMs = 15_000 * Math.pow(2, attempt - 1); // 15s, 30s, 60s
logger.debug(
`Database upload attempt ${attempt} of ${maxAttempts} failed for ${language}: ${util.getErrorMessage(e)}. Retrying in ${backoffMs / 1000}s...`,
);
await new Promise((resolve) => setTimeout(resolve, backoffMs));
}
}
reports.push({
language,
zipped_upload_size_bytes: bundledDbSize,
is_overlay_base: shouldUploadOverlayBase,
upload_duration_ms: uploadDurationMs,
});
logger.debug(`Successfully uploaded database for ${language}`);
} catch (e) {
// Log a warning but don't fail the workflow
logger.warning(
@@ -155,3 +158,58 @@ export async function cleanupAndUploadDatabases(
}
return reports;
}
/**
* Uploads a bundled database to the GitHub API.
*
* @returns the duration of the upload in milliseconds
*/
async function uploadBundledDatabase(
repositoryNwo: RepositoryNwo,
language: string,
commitOid: string,
bundledDb: string,
bundledDbSize: number,
apiDetails: GitHubApiDetails,
): Promise<number> {
const client = getApiClient();
const uploadsUrl = new URL(parseGitHubUrl(apiDetails.url));
uploadsUrl.hostname = `uploads.${uploadsUrl.hostname}`;
// Octokit expects the baseUrl to not have a trailing slash,
// but it is included by default in a URL.
let uploadsBaseUrl = uploadsUrl.toString();
if (uploadsBaseUrl.endsWith("/")) {
uploadsBaseUrl = uploadsBaseUrl.slice(0, -1);
}
const bundledDbReadStream = fs.createReadStream(bundledDb);
try {
const startTime = performance.now();
await client.request(
`POST /repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name&commit_oid=:commit_oid`,
{
baseUrl: uploadsBaseUrl,
owner: repositoryNwo.owner,
repo: repositoryNwo.repo,
language,
name: `${language}-database`,
commit_oid: commitOid,
data: bundledDbReadStream,
headers: {
authorization: `token ${apiDetails.auth}`,
"Content-Type": "application/zip",
"Content-Length": bundledDbSize,
},
// Disable `octokit/plugin-retry.js`, since the request body is a ReadStream which can only be consumed once.
request: {
retries: 0,
},
},
);
return performance.now() - startTime;
} finally {
bundledDbReadStream.close();
}
}
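Review bot: In the retry loop added to `cleanupAndUploadDatabases`, `isRetryable` is true for every error that `asHTTPError` does not recognise. A failure with no HTTP status (for instance the bundle file being unreadable when the stream is opened) is therefore retried through the full 15s/30s/60s backoff for each language before the warning is logged. If the intent is to cover connection-level failures, say so at the check, e.g. `// No HTTP status usually means a network-level failure; treat it as transient.`. It is also worth stating there that 401/403/404 are retried on purpose, since a revoked or under-scoped token then costs four attempts per language. The function body starts outside the hunk and `asHTTPError` is not visible here, so its behaviour for non-HTTP errors is inferred from the `!httpError` test.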


@@ -47,6 +47,15 @@ export enum EnvVar {
/** Whether the init action has been run. */
INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",
/** Whether the deprecation warning for file coverage on PRs has been logged. */
DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION = "CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION",
/**
* Set to `true` to opt out of the upcoming change that skips file coverage
* information on pull requests.
*/
FILE_COVERAGE_ON_PRS = "CODEQL_ACTION_FILE_COVERAGE_ON_PRS",
/** Whether the error for a deprecated version of the CodeQL Action was logged. */
LOG_VERSION_DEPRECATION = "CODEQL_ACTION_DID_LOG_VERSION_DEPRECATION",


@@ -7,7 +7,15 @@ import { getApiClient } from "./api-client";
import type { CodeQL } from "./codeql";
import * as defaults from "./defaults.json";
import { Logger } from "./logging";
import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
import {
CODEQL_OVERLAY_MINIMUM_VERSION,
CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP,
CODEQL_OVERLAY_MINIMUM_VERSION_GO,
CODEQL_OVERLAY_MINIMUM_VERSION_JAVA,
CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT,
CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON,
CODEQL_OVERLAY_MINIMUM_VERSION_RUBY,
} from "./overlay";
import { RepositoryNwo } from "./repository";
import { ToolsFeature } from "./tools-features";
import * as util from "./util";
@@ -49,24 +57,18 @@ export enum Feature {
IgnoreGeneratedFiles = "ignore_generated_files",
JavaNetworkDebugging = "java_network_debugging",
OverlayAnalysis = "overlay_analysis",
OverlayAnalysisActions = "overlay_analysis_actions",
OverlayAnalysisCodeScanningActions = "overlay_analysis_code_scanning_actions",
OverlayAnalysisCodeScanningCpp = "overlay_analysis_code_scanning_cpp",
OverlayAnalysisCodeScanningCsharp = "overlay_analysis_code_scanning_csharp",
OverlayAnalysisCodeScanningGo = "overlay_analysis_code_scanning_go",
OverlayAnalysisCodeScanningJava = "overlay_analysis_code_scanning_java",
OverlayAnalysisCodeScanningJavascript = "overlay_analysis_code_scanning_javascript",
OverlayAnalysisCodeScanningPython = "overlay_analysis_code_scanning_python",
OverlayAnalysisCodeScanningRuby = "overlay_analysis_code_scanning_ruby",
OverlayAnalysisCodeScanningRust = "overlay_analysis_code_scanning_rust",
OverlayAnalysisCodeScanningSwift = "overlay_analysis_code_scanning_swift",
OverlayAnalysisCpp = "overlay_analysis_cpp",
OverlayAnalysisCsharp = "overlay_analysis_csharp",
OverlayAnalysisGo = "overlay_analysis_go",
/** Controls whether the Actions cache is checked for overlay build outcomes. */
OverlayAnalysisStatusCheck = "overlay_analysis_status_check",
/** Controls whether overlay build failures on are stored in the Actions cache. */
OverlayAnalysisStatusSave = "overlay_analysis_status_save",
OverlayAnalysisGo = "overlay_analysis_go",
OverlayAnalysisJava = "overlay_analysis_java",
OverlayAnalysisJavascript = "overlay_analysis_javascript",
OverlayAnalysisPython = "overlay_analysis_python",
@@ -76,10 +78,8 @@ export enum Feature {
*/
OverlayAnalysisResourceChecksV2 = "overlay_analysis_resource_checks_v2",
OverlayAnalysisRuby = "overlay_analysis_ruby",
OverlayAnalysisRust = "overlay_analysis_rust",
/** Controls whether hardware checks are skipped for overlay analysis. */
OverlayAnalysisSkipResourceChecks = "overlay_analysis_skip_resource_checks",
OverlayAnalysisSwift = "overlay_analysis_swift",
PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
QaTelemetryEnabled = "qa_telemetry_enabled",
/** Note that this currently only disables baseline file coverage information. */
@@ -194,70 +194,48 @@ export const featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION,
},
[Feature.OverlayAnalysisActions]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_ACTIONS",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisCodeScanningActions]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_ACTIONS",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisCodeScanningCpp]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
minimumVersion: undefined,
},
// Per-language overlay feature flags. Each has minimumVersion set to the
// minimum CLI version that supports overlay analysis for that language.
// Only languages that are GA or in staff-ship should have feature flags here.
[Feature.OverlayAnalysisCodeScanningCsharp]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP,
},
[Feature.OverlayAnalysisCodeScanningGo]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO,
},
[Feature.OverlayAnalysisCodeScanningJava]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA,
},
[Feature.OverlayAnalysisCodeScanningJavascript]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT,
},
[Feature.OverlayAnalysisCodeScanningPython]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON,
},
[Feature.OverlayAnalysisCodeScanningRuby]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisCodeScanningRust]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUST",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisCodeScanningSwift]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_SWIFT",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisCpp]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY,
},
[Feature.OverlayAnalysisCsharp]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP,
},
[Feature.OverlayAnalysisGo]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO,
},
[Feature.OverlayAnalysisStatusCheck]: {
defaultValue: false,
@@ -269,25 +247,20 @@ export const featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisGo]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisJava]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA,
},
[Feature.OverlayAnalysisJavascript]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT,
},
[Feature.OverlayAnalysisPython]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON,
},
[Feature.OverlayAnalysisResourceChecksV2]: {
defaultValue: false,
@@ -297,23 +270,13 @@ export const featureConfig = {
[Feature.OverlayAnalysisRuby]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisRust]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUST",
minimumVersion: undefined,
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY,
},
[Feature.OverlayAnalysisSkipResourceChecks]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisSwift]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SWIFT",
minimumVersion: undefined,
},
[Feature.PythonDefaultIsToNotExtractStdlib]: {
defaultValue: false,
envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
@@ -329,11 +292,8 @@ export const featureConfig = {
[Feature.SkipFileCoverageOnPrs]: {
defaultValue: false,
envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS",
// For testing, this is not behind a CLI version check yet. However
// before rolling this out externally, we should set a minimum version here
// since current versions of the CodeQL CLI will log if baseline information
// cannot be found when interpreting results.
minimumVersion: undefined,
toolsFeature: ToolsFeature.SuppressesMissingFileBaselineWarning,
},
[Feature.StartProxyRemoveUnusedRegistries]: {
defaultValue: false,
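Review bot: The new comment "Per-language overlay feature flags. Each has minimumVersion set to…" sits above `Feature.OverlayAnalysisCodeScanningCsharp`, but the entries below it are alphabetical. `OverlayAnalysisStatusCheck`, `OverlayAnalysisStatusSave`, `OverlayAnalysisResourceChecksV2` and `OverlayAnalysisSkipResourceChecks` therefore fall under it while keeping `minimumVersion: undefined`. A reader could take those for per-language flags that lost their version gate, or fail to notice that the later `OverlayAnalysisJava`/`Javascript`/`Python`/`Ruby` entries are covered by the same rule. Naming the scope in the comment avoids that: `// Per-language overlay flags (OverlayAnalysis<Lang> and OverlayAnalysisCodeScanning<Lang>) set minimumVersion to the first CLI version supporting overlay analysis for that language.`. `featureConfig` starts and ends outside the visible hunks.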


@@ -8,12 +8,14 @@ import { RepositoryNwo } from "../repository";
export enum RepositoryPropertyName {
DISABLE_OVERLAY = "github-codeql-disable-overlay",
EXTRA_QUERIES = "github-codeql-extra-queries",
FILE_COVERAGE_ON_PRS = "github-codeql-file-coverage-on-prs",
}
/** Parsed types of the known repository properties. */
export type AllRepositoryProperties = {
[RepositoryPropertyName.DISABLE_OVERLAY]: boolean;
[RepositoryPropertyName.EXTRA_QUERIES]: string;
[RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: boolean;
};
/** Parsed repository properties. */
@@ -23,6 +25,7 @@ export type RepositoryProperties = Partial<AllRepositoryProperties>;
export type RepositoryPropertyApiType = {
[RepositoryPropertyName.DISABLE_OVERLAY]: string;
[RepositoryPropertyName.EXTRA_QUERIES]: string;
[RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: string;
};
/** The type of functions which take the `value` from the API and try to convert it to the type we want. */
@@ -69,6 +72,7 @@ const repositoryPropertyParsers: {
} = {
[RepositoryPropertyName.DISABLE_OVERLAY]: booleanProperty,
[RepositoryPropertyName.EXTRA_QUERIES]: stringProperty,
[RepositoryPropertyName.FILE_COVERAGE_ON_PRS]: booleanProperty,
};
/**


@@ -1,10 +1,13 @@
import * as core from "@actions/core";
import test, { ExecutionContext } from "ava";
import * as sinon from "sinon";
import * as actionsUtil from "./actions-util";
import { AnalysisKind } from "./analyses";
import * as apiClient from "./api-client";
import * as codeql from "./codeql";
import * as configUtils from "./config-utils";
import * as debugArtifacts from "./debug-artifacts";
import { EnvVar } from "./environment";
import { Feature } from "./feature-flags";
import * as initActionPostHelper from "./init-action-post-helper";
@@ -17,6 +20,7 @@ import {
createTestConfig,
DEFAULT_ACTIONS_VARS,
makeVersionInfo,
RecordingLogger,
setupActionsVars,
setupTests,
} from "./testing-utils";
@@ -46,7 +50,7 @@ test.serial("init-post action with debug mode off", async (t) => {
const uploadAllAvailableDebugArtifactsSpy = sinon.spy();
const printDebugLogsSpy = sinon.spy();
await initActionPostHelper.run(
await initActionPostHelper.uploadFailureInfo(
uploadAllAvailableDebugArtifactsSpy,
printDebugLogsSpy,
codeql.createStubCodeQL({}),
@@ -68,7 +72,7 @@ test.serial("init-post action with debug mode on", async (t) => {
const uploadAllAvailableDebugArtifactsSpy = sinon.spy();
const printDebugLogsSpy = sinon.spy();
await initActionPostHelper.run(
await initActionPostHelper.uploadFailureInfo(
uploadAllAvailableDebugArtifactsSpy,
printDebugLogsSpy,
codeql.createStubCodeQL({}),
@@ -334,7 +338,7 @@ test.serial(
});
t.is(
result.upload_failed_run_skipped_because,
"Code Scanning is not enabled.",
"No analysis kind that supports failed SARIF uploads is enabled.",
);
},
);
@@ -359,7 +363,7 @@ test.serial(
const stubCodeQL = codeql.createStubCodeQL({});
await initActionPostHelper.run(
await initActionPostHelper.uploadFailureInfo(
sinon.spy(),
sinon.spy(),
stubCodeQL,
@@ -427,7 +431,7 @@ test.serial(
.stub(overlayStatus, "saveOverlayStatus")
.resolves(true);
await initActionPostHelper.run(
await initActionPostHelper.uploadFailureInfo(
sinon.spy(),
sinon.spy(),
codeql.createStubCodeQL({}),
@@ -464,7 +468,7 @@ test.serial("does not save overlay status when build successful", async (t) => {
.stub(overlayStatus, "saveOverlayStatus")
.resolves(true);
await initActionPostHelper.run(
await initActionPostHelper.uploadFailureInfo(
sinon.spy(),
sinon.spy(),
codeql.createStubCodeQL({}),
@@ -501,7 +505,7 @@ test.serial(
.stub(overlayStatus, "saveOverlayStatus")
.resolves(true);
await initActionPostHelper.run(
await initActionPostHelper.uploadFailureInfo(
sinon.spy(),
sinon.spy(),
codeql.createStubCodeQL({}),
@@ -658,3 +662,197 @@ async function testFailedSarifUpload(
}
return result;
}
const singleLanguageMatrix = JSON.stringify({
language: "javascript",
category: "/language:javascript",
"build-mode": "none",
runner: "ubuntu-latest",
});
async function mockRiskAssessmentEnv(matrix: string) {
process.env[EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY] = "false";
process.env["GITHUB_JOB"] = "analyze";
process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
process.env["GITHUB_WORKSPACE"] =
"/home/runner/work/codeql-action-fake-repository/codeql-action-fake-repository";
sinon
.stub(apiClient, "getGitHubVersion")
.resolves({ type: util.GitHubVariant.GHES, version: "3.0.0" });
const codeqlObject = await codeql.getCodeQLForTesting();
const databaseExportDiagnostics = sinon
.stub(codeqlObject, "databaseExportDiagnostics")
.resolves();
const diagnosticsExport = sinon
.stub(codeqlObject, "diagnosticsExport")
.resolves();
sinon.stub(codeql, "getCodeQL").resolves(codeqlObject);
sinon.stub(core, "getInput").withArgs("matrix").returns(matrix);
const uploadArtifact = sinon.stub().resolves();
const artifactClient = { uploadArtifact };
sinon
.stub(debugArtifacts, "getArtifactUploaderClient")
.value(() => artifactClient);
return { uploadArtifact, databaseExportDiagnostics, diagnosticsExport };
}
test.serial(
"tryUploadSarifIfRunFailed - uploads as artifact for risk assessments (diagnosticsExport)",
async (t) => {
const logger = new RecordingLogger();
const { uploadArtifact, databaseExportDiagnostics, diagnosticsExport } =
await mockRiskAssessmentEnv(singleLanguageMatrix);
const config = createTestConfig({
analysisKinds: [AnalysisKind.RiskAssessment],
codeQLCmd: "codeql-for-testing",
languages: ["javascript"],
});
const features = createFeatures([]);
const result = await initActionPostHelper.tryUploadSarifIfRunFailed(
config,
parseRepositoryNwo("github/codeql-action-fake-repository"),
features,
logger,
);
const expectedName = debugArtifacts.sanitizeArtifactName(
`sarif-artifact-${debugArtifacts.getArtifactSuffix(singleLanguageMatrix)}`,
);
const expectedFilePattern = /codeql-failed-sarif-javascript\.csra\.sarif$/;
t.is(result.upload_failed_run_skipped_because, undefined);
t.is(result.upload_failed_run_error, undefined);
t.is(result.sarifID, expectedName);
t.assert(
uploadArtifact.calledOnceWith(
expectedName,
[sinon.match(expectedFilePattern)],
sinon.match.string,
),
);
t.assert(databaseExportDiagnostics.notCalled);
t.assert(
diagnosticsExport.calledOnceWith(
sinon.match(expectedFilePattern),
"/language:javascript",
config,
),
);
},
);
test.serial(
"tryUploadSarifIfRunFailed - uploads as artifact for risk assessments (databaseExportDiagnostics)",
async (t) => {
const logger = new RecordingLogger();
const { uploadArtifact, databaseExportDiagnostics, diagnosticsExport } =
await mockRiskAssessmentEnv(singleLanguageMatrix);
const dbLocation = "/some/path";
const config = createTestConfig({
analysisKinds: [AnalysisKind.RiskAssessment],
codeQLCmd: "codeql-for-testing",
languages: ["javascript"],
dbLocation: "/some/path",
});
const features = createFeatures([Feature.ExportDiagnosticsEnabled]);
const result = await initActionPostHelper.tryUploadSarifIfRunFailed(
config,
parseRepositoryNwo("github/codeql-action-fake-repository"),
features,
logger,
);
const expectedName = debugArtifacts.sanitizeArtifactName(
`sarif-artifact-${debugArtifacts.getArtifactSuffix(singleLanguageMatrix)}`,
);
const expectedFilePattern = /codeql-failed-sarif-javascript\.csra\.sarif$/;
t.is(result.upload_failed_run_skipped_because, undefined);
t.is(result.upload_failed_run_error, undefined);
t.is(result.sarifID, expectedName);
t.assert(
uploadArtifact.calledOnceWith(
expectedName,
[sinon.match(expectedFilePattern)],
sinon.match.string,
),
);
t.assert(diagnosticsExport.notCalled);
t.assert(
databaseExportDiagnostics.calledOnceWith(
dbLocation,
sinon.match(expectedFilePattern),
"/language:javascript",
),
);
},
);
const skippedUploadTest = test.macro({
exec: async (
t: ExecutionContext<unknown>,
config: Partial<configUtils.Config>,
expectedSkippedReason: string,
) => {
const logger = new RecordingLogger();
const { uploadArtifact, diagnosticsExport } =
await mockRiskAssessmentEnv(singleLanguageMatrix);
const features = createFeatures([]);
const result = await initActionPostHelper.tryUploadSarifIfRunFailed(
createTestConfig(config),
parseRepositoryNwo("github/codeql-action-fake-repository"),
features,
logger,
);
t.is(result.upload_failed_run_skipped_because, expectedSkippedReason);
t.assert(uploadArtifact.notCalled);
t.assert(diagnosticsExport.notCalled);
},
title: (providedTitle: string = "") =>
`tryUploadSarifIfRunFailed - skips upload ${providedTitle}`,
});
test.serial(
"without CodeQL command",
skippedUploadTest,
// No codeQLCmd
{
analysisKinds: [AnalysisKind.RiskAssessment],
languages: ["javascript"],
} satisfies Partial<configUtils.Config>,
"CodeQL command not found",
);
test.serial(
"if no language is configured",
skippedUploadTest,
// No explicit language configuration
{
analysisKinds: [AnalysisKind.RiskAssessment],
codeQLCmd: "codeql-for-testing",
} satisfies Partial<configUtils.Config>,
"Unexpectedly, the configuration is not for a single language.",
);
test.serial(
"if multiple languages is configured",
skippedUploadTest,
// Multiple explicit languages configured
{
analysisKinds: [AnalysisKind.RiskAssessment],
codeQLCmd: "codeql-for-testing",
languages: ["javascript", "python"],
} satisfies Partial<configUtils.Config>,
"Unexpectedly, the configuration is not for a single language.",
);


@@ -1,12 +1,22 @@
import * as fs from "fs";
import path from "path";
import * as github from "@actions/github";
import * as actionsUtil from "./actions-util";
import { CodeScanning } from "./analyses";
import { getApiClient } from "./api-client";
import { CodeScanning, RiskAssessment } from "./analyses";
import { getApiClient, getGitHubVersion } from "./api-client";
import { CodeQL, getCodeQL } from "./codeql";
import { Config, isCodeScanningEnabled } from "./config-utils";
import {
Config,
isCodeScanningEnabled,
isRiskAssessmentEnabled,
} from "./config-utils";
import {
getArtifactSuffix,
getArtifactUploaderClient,
sanitizeArtifactName,
} from "./debug-artifacts";
import * as dependencyCaching from "./dependency-caching";
import { EnvVar } from "./environment";
import { Feature, FeatureEnablement } from "./feature-flags";
@@ -23,10 +33,13 @@ import * as uploadLib from "./upload-lib";
import {
checkDiskUsage,
delay,
Failure,
getErrorMessage,
getRequiredEnvParam,
parseMatrixInput,
Result,
shouldSkipSarifUpload,
Success,
wrapError,
} from "./util";
import {
@@ -66,37 +79,96 @@ function createFailedUploadFailedSarifResult(
};
}
/** Records details about a SARIF file that contains information about a failed analysis. */
interface FailedSarifInfo {
sarifFile: string;
category: string | undefined;
checkoutPath: string;
}
/**
* Upload a failed SARIF file if we can verify that SARIF upload is enabled and determine the SARIF
* category for the workflow.
* Tries to prepare a SARIF file that contains information about a failed analysis.
*
* @returns Either information about the SARIF file that was produced, or a reason why it couldn't be produced.
*/
async function maybeUploadFailedSarif(
config: Config,
repositoryNwo: RepositoryNwo,
features: FeatureEnablement,
async function prepareFailedSarif(
logger: Logger,
): Promise<UploadFailedSarifResult> {
features: FeatureEnablement,
config: Config,
): Promise<Result<FailedSarifInfo, UploadFailedSarifResult>> {
if (!config.codeQLCmd) {
return { upload_failed_run_skipped_because: "CodeQL command not found" };
return new Failure({
upload_failed_run_skipped_because: "CodeQL command not found",
});
}
const workflow = await getWorkflow(logger);
const jobName = getRequiredEnvParam("GITHUB_JOB");
const matrix = parseMatrixInput(actionsUtil.getRequiredInput("matrix"));
const shouldUpload = getUploadInputOrThrow(workflow, jobName, matrix);
if (
!["always", "failure-only"].includes(
actionsUtil.getUploadValue(shouldUpload),
) ||
shouldSkipSarifUpload()
) {
return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
}
const category = getCategoryInputOrThrow(workflow, jobName, matrix);
const checkoutPath = getCheckoutPathInputOrThrow(workflow, jobName, matrix);
const databasePath = config.dbLocation;
if (shouldSkipSarifUpload()) {
return new Failure({
upload_failed_run_skipped_because: "SARIF upload is disabled",
});
}
if (isRiskAssessmentEnabled(config)) {
if (config.languages.length !== 1) {
return new Failure({
upload_failed_run_skipped_because:
"Unexpectedly, the configuration is not for a single language.",
});
}
// We can make these assumptions for risk assessments.
const language = config.languages[0];
const category = `/language:${language}`;
const checkoutPath = ".";
const result = await generateFailedSarif(
features,
config,
category,
checkoutPath,
`../codeql-failed-sarif-${language}${RiskAssessment.sarifExtension}`,
);
return new Success(result);
} else {
const workflow = await getWorkflow(logger);
const shouldUpload = getUploadInputOrThrow(workflow, jobName, matrix);
if (
!["always", "failure-only"].includes(
actionsUtil.getUploadValue(shouldUpload),
)
) {
return new Failure({
upload_failed_run_skipped_because: "SARIF upload is disabled",
});
}
const category = getCategoryInputOrThrow(workflow, jobName, matrix);
const checkoutPath = getCheckoutPathInputOrThrow(workflow, jobName, matrix);
const result = await generateFailedSarif(
features,
config,
category,
checkoutPath,
);
return new Success(result);
}
}
async function generateFailedSarif(
features: FeatureEnablement,
config: Config,
category: string | undefined,
checkoutPath: string,
sarifFile?: string,
) {
const databasePath = config.dbLocation;
const codeql = await getCodeQL(config.codeQLCmd);
const sarifFile = "../codeql-failed-run.sarif";
// Set the filename for the SARIF file if not already set.
if (sarifFile === undefined) {
sarifFile = "../codeql-failed-run.sarif";
}
// If there is no database or the feature flag is off, we run 'export diagnostics'
if (
@@ -109,11 +181,32 @@ async function maybeUploadFailedSarif(
await codeql.databaseExportDiagnostics(databasePath, sarifFile, category);
}
logger.info(`Uploading failed SARIF file ${sarifFile}`);
return { sarifFile, category, checkoutPath };
}
/**
* Upload a failed SARIF file if we can verify that SARIF upload is enabled and determine the SARIF
* category for the workflow.
*/
async function maybeUploadFailedSarif(
config: Config,
repositoryNwo: RepositoryNwo,
features: FeatureEnablement,
logger: Logger,
): Promise<UploadFailedSarifResult> {
const failedSarifResult = await prepareFailedSarif(logger, features, config);
if (failedSarifResult.isFailure()) {
return failedSarifResult.value;
}
const failedSarif = failedSarifResult.value;
logger.info(`Uploading failed SARIF file ${failedSarif.sarifFile}`);
const uploadResult = await uploadLib.uploadFiles(
sarifFile,
checkoutPath,
category,
failedSarif.sarifFile,
failedSarif.checkoutPath,
failedSarif.category,
features,
logger,
CodeScanning,
@@ -129,31 +222,78 @@ async function maybeUploadFailedSarif(
: {};
}
/** Uploads a failed SARIF file as workflow artifact, if it can be generated. */
async function maybeUploadFailedSarifArtifact(
config: Config,
features: FeatureEnablement,
logger: Logger,
): Promise<UploadFailedSarifResult> {
const failedSarifResult = await prepareFailedSarif(logger, features, config);
if (failedSarifResult.isFailure()) {
return failedSarifResult.value;
}
const failedSarif = failedSarifResult.value;
logger.info(
`Uploading failed SARIF file ${failedSarif.sarifFile} as artifact`,
);
const gitHubVersion = await getGitHubVersion();
const client = await getArtifactUploaderClient(logger, gitHubVersion.type);
const suffix = getArtifactSuffix(actionsUtil.getOptionalInput("matrix"));
const name = sanitizeArtifactName(`sarif-artifact-${suffix}`);
await client.uploadArtifact(
name,
[path.normalize(failedSarif.sarifFile)],
path.normalize(".."),
);
return { sarifID: name };
}
/**
* Tries to upload a SARIF file with information about the run, if it failed.
*
* @param config The CodeQL Action configuration.
* @param repositoryNwo The name and owner of the repository.
* @param features Information about enabled features.
* @param logger The logger to use.
* @returns The results of uploading the SARIF file for the failure.
*/
export async function tryUploadSarifIfRunFailed(
config: Config,
repositoryNwo: RepositoryNwo,
features: FeatureEnablement,
logger: Logger,
): Promise<UploadFailedSarifResult> {
// Only upload the failed SARIF to Code scanning if Code scanning is enabled.
if (!isCodeScanningEnabled(config)) {
return {
upload_failed_run_skipped_because: "Code Scanning is not enabled.",
};
}
// There's nothing to do here if the analysis succeeded.
if (process.env[EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY] === "true") {
return {
upload_failed_run_skipped_because:
"Analyze Action completed successfully",
};
}
try {
return await maybeUploadFailedSarif(
config,
repositoryNwo,
features,
logger,
);
// Only upload the failed SARIF to Code scanning if Code scanning is enabled.
if (isCodeScanningEnabled(config)) {
return await maybeUploadFailedSarif(
config,
repositoryNwo,
features,
logger,
);
} else if (isRiskAssessmentEnabled(config)) {
return await maybeUploadFailedSarifArtifact(config, features, logger);
} else {
return {
upload_failed_run_skipped_because:
"No analysis kind that supports failed SARIF uploads is enabled.",
};
}
} catch (e) {
logger.debug(
`Failed to upload a SARIF file for this failed CodeQL code scanning run. ${e}`,
@@ -162,7 +302,21 @@ export async function tryUploadSarifIfRunFailed(
}
}
export async function run(
/**
* Handles the majority of the `post-init` step logic which, depending on the configuration,
* mainly involves uploading a SARIF file with information about the failed run, debug
* artifacts, and performing clean-up operations.
*
* @param uploadAllAvailableDebugArtifacts A function with which to upload debug artifacts.
* @param printDebugLogs A function with which to print debug logs.
* @param codeql The CodeQL CLI instance.
* @param config The CodeQL Action configuration.
* @param repositoryNwo The name and owner of the repository.
* @param features Information about enabled features.
* @param logger The logger to use.
* @returns The results of uploading the SARIF file for the failure.
*/
export async function uploadFailureInfo(
uploadAllAvailableDebugArtifacts: (
codeql: CodeQL,
config: Config,
@@ -175,7 +329,7 @@ export async function run(
repositoryNwo: RepositoryNwo,
features: FeatureEnablement,
logger: Logger,
) {
): Promise<UploadFailedSarifResult> {
await recordOverlayStatus(codeql, config, features, logger);
const uploadFailedSarifResult = await tryUploadSarifIfRunFailed(
@@ -187,7 +341,7 @@ export async function run(
if (uploadFailedSarifResult.upload_failed_run_skipped_because) {
logger.debug(
"Won't upload a failed SARIF file for this CodeQL code scanning run because: " +
"Won't upload a failed SARIF file for this CodeQL analysis because: " +
`${uploadFailedSarifResult.upload_failed_run_skipped_because}.`,
);
}
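Review bot: In `prepareFailedSarif`, the risk-assessment branch never reads the workflow's `upload` input. Only `shouldSkipSarifUpload()` gates it, while the other branch still returns "SARIF upload is disabled" unless the value is `always` or `failure-only`. `maybeUploadFailedSarifArtifact` then publishes the generated file as a workflow artifact, so a risk-assessment job that sets `upload` to some other value would apparently still get a failed-run SARIF artifact. If that is intended, the comment in that branch could say so, for example `// Risk assessments always produce the failed SARIF artifact; the workflow's upload input is not consulted.` Separately, `generateFailedSarif` has no declared return type or doc comment; `): Promise<FailedSarifInfo> {` would tie it to the interface added above.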


@@ -77,7 +77,7 @@ async function run(startedAt: Date) {
} else {
const codeql = await getCodeQL(config.codeQLCmd);
uploadFailedSarifResult = await initActionPostHelper.run(
uploadFailedSarifResult = await initActionPostHelper.uploadFailureInfo(
debugArtifacts.tryUploadAllAvailableDebugArtifacts,
printDebugLogs,
codeql,


@@ -48,6 +48,7 @@ import {
checkPacksForOverlayCompatibility,
cleanupDatabaseClusterDirectory,
getFileCoverageInformationEnabled,
logFileCoverageOnPrsDeprecationWarning,
initCodeQL,
initConfig,
runDatabaseInitCluster,
@@ -343,6 +344,14 @@ async function run(startedAt: Date) {
analysisKinds = await getAnalysisKinds(logger);
const debugMode = getOptionalInput("debug") === "true" || core.isDebug();
const repositoryProperties = repositoryPropertiesResult.orElse({});
const fileCoverageResult = await getFileCoverageInformationEnabled(
debugMode,
codeql,
features,
repositoryProperties,
);
config = await initConfig(features, {
analysisKinds,
languagesInput: getOptionalInput("languages"),
@@ -372,12 +381,8 @@ async function run(startedAt: Date) {
githubVersion: gitHubVersion,
apiDetails,
features,
repositoryProperties: repositoryPropertiesResult.orElse({}),
enableFileCoverageInformation: await getFileCoverageInformationEnabled(
debugMode,
repositoryNwo,
features,
),
repositoryProperties,
enableFileCoverageInformation: fileCoverageResult.enabled,
logger,
});
@@ -394,6 +399,21 @@ async function run(startedAt: Date) {
);
}
if (fileCoverageResult.enabledByRepositoryProperty) {
addNoLanguageDiagnostic(
config,
makeTelemetryDiagnostic(
"codeql-action/file-coverage-on-prs-enabled-by-repository-property",
"File coverage on PRs enabled by repository property",
{},
),
);
}
if (fileCoverageResult.showDeprecationWarning) {
logFileCoverageOnPrsDeprecationWarning(logger);
}
await checkInstallPython311(config.languages, codeql);
} catch (unwrappedError) {
const error = wrapError(unwrappedError);


@@ -1,6 +1,8 @@
import * as fs from "fs";
import path from "path";
import * as core from "@actions/core";
import * as github from "@actions/github";
import test, { ExecutionContext } from "ava";
import * as sinon from "sinon";
@@ -11,9 +13,9 @@ import {
checkPacksForOverlayCompatibility,
cleanupDatabaseClusterDirectory,
getFileCoverageInformationEnabled,
logFileCoverageOnPrsDeprecationWarning,
} from "./init";
import { KnownLanguage } from "./languages";
import { parseRepositoryNwo } from "./repository";
import {
createFeatures,
LoggedMessage,
@@ -453,13 +455,15 @@ test(
);
test("file coverage information enabled when debugMode is true", async (t) => {
t.true(
await getFileCoverageInformationEnabled(
true, // debugMode
parseRepositoryNwo("github/codeql-action"),
createFeatures([Feature.SkipFileCoverageOnPrs]),
),
const result = await getFileCoverageInformationEnabled(
true, // debugMode
createStubCodeQL({}),
createFeatures([Feature.SkipFileCoverageOnPrs]),
{},
);
t.true(result.enabled);
t.false(result.enabledByRepositoryProperty);
t.false(result.showDeprecationWarning);
});
test.serial(
@@ -467,43 +471,69 @@ test.serial(
async (t) => {
sinon.stub(actionsUtil, "isAnalyzingPullRequest").returns(false);
t.true(
await getFileCoverageInformationEnabled(
false, // debugMode
parseRepositoryNwo("github/codeql-action"),
createFeatures([Feature.SkipFileCoverageOnPrs]),
),
const result = await getFileCoverageInformationEnabled(
false, // debugMode
createStubCodeQL({}),
createFeatures([Feature.SkipFileCoverageOnPrs]),
{},
);
t.true(result.enabled);
t.false(result.enabledByRepositoryProperty);
t.false(result.showDeprecationWarning);
},
);
test.serial(
"file coverage information enabled when owner is not 'github'",
"file coverage information enabled when feature flag is not enabled, with deprecation warning",
async (t) => {
sinon.stub(actionsUtil, "isAnalyzingPullRequest").returns(true);
t.true(
await getFileCoverageInformationEnabled(
false, // debugMode
parseRepositoryNwo("other-org/some-repo"),
createFeatures([Feature.SkipFileCoverageOnPrs]),
),
const result = await getFileCoverageInformationEnabled(
false, // debugMode
createStubCodeQL({}),
createFeatures([]),
{},
);
t.true(result.enabled);
t.false(result.enabledByRepositoryProperty);
t.true(result.showDeprecationWarning);
},
);
test.serial(
"file coverage information enabled when feature flag is not enabled",
"file coverage information enabled when repository property is set",
async (t) => {
sinon.stub(actionsUtil, "isAnalyzingPullRequest").returns(true);
t.true(
await getFileCoverageInformationEnabled(
false, // debugMode
parseRepositoryNwo("github/codeql-action"),
createFeatures([]),
),
const result = await getFileCoverageInformationEnabled(
false, // debugMode
createStubCodeQL({}),
createFeatures([Feature.SkipFileCoverageOnPrs]),
{
"github-codeql-file-coverage-on-prs": true,
},
);
t.true(result.enabled);
t.true(result.enabledByRepositoryProperty);
t.false(result.showDeprecationWarning);
},
);
test.serial(
"file coverage information enabled when env var opt-out is set",
async (t) => {
sinon.stub(actionsUtil, "isAnalyzingPullRequest").returns(true);
process.env["CODEQL_ACTION_FILE_COVERAGE_ON_PRS"] = "true";
const result = await getFileCoverageInformationEnabled(
false, // debugMode
createStubCodeQL({}),
createFeatures([Feature.SkipFileCoverageOnPrs]),
{},
);
t.true(result.enabled);
t.false(result.enabledByRepositoryProperty);
t.false(result.showDeprecationWarning);
},
);
@@ -512,12 +542,174 @@ test.serial(
async (t) => {
sinon.stub(actionsUtil, "isAnalyzingPullRequest").returns(true);
t.false(
await getFileCoverageInformationEnabled(
false, // debugMode
parseRepositoryNwo("github/codeql-action"),
createFeatures([Feature.SkipFileCoverageOnPrs]),
),
const result = await getFileCoverageInformationEnabled(
false, // debugMode
createStubCodeQL({}),
createFeatures([Feature.SkipFileCoverageOnPrs]),
{},
);
t.false(result.enabled);
t.false(result.enabledByRepositoryProperty);
t.false(result.showDeprecationWarning);
},
);
test.serial(
"file coverage deprecation warning for org-owned repo with default setup recommends repo property",
(t) => {
const exportVariableStub = sinon.stub(core, "exportVariable");
sinon.stub(actionsUtil, "isDefaultSetup").returns(true);
github.context.payload = {
repository: {
name: "test-repo",
owner: { login: "test-org", type: "Organization" },
},
};
const messages: LoggedMessage[] = [];
logFileCoverageOnPrsDeprecationWarning(getRecordingLogger(messages));
t.is(messages.length, 1);
t.is(messages[0].type, "warning");
t.is(
messages[0].message,
"Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests " +
"to improve analysis performance. File coverage information will still be computed on non-PR analyses.\n\n" +
"To opt out of this change, create a custom repository property " +
'with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to ' +
"`true` in the repository's settings.",
);
t.true(exportVariableStub.calledOnce);
},
);
test.serial(
"file coverage deprecation warning for org-owned repo with advanced setup recommends env var and repo property",
(t) => {
const exportVariableStub = sinon.stub(core, "exportVariable");
sinon.stub(actionsUtil, "isDefaultSetup").returns(false);
github.context.payload = {
repository: {
name: "test-repo",
owner: { login: "test-org", type: "Organization" },
},
};
const messages: LoggedMessage[] = [];
logFileCoverageOnPrsDeprecationWarning(getRecordingLogger(messages));
t.is(messages.length, 1);
t.is(messages[0].type, "warning");
t.is(
messages[0].message,
"Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests " +
"to improve analysis performance. File coverage information will still be computed on non-PR analyses.\n\n" +
"To opt out of this change, set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`. " +
"Alternatively, create a custom repository property " +
'with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to ' +
"`true` in the repository's settings.",
);
t.true(exportVariableStub.calledOnce);
},
);
test.serial(
"file coverage deprecation warning for user-owned repo with default setup recommends advanced setup",
(t) => {
const exportVariableStub = sinon.stub(core, "exportVariable");
sinon.stub(actionsUtil, "isDefaultSetup").returns(true);
github.context.payload = {
repository: {
name: "test-repo",
owner: { login: "test-user", type: "User" },
},
};
const messages: LoggedMessage[] = [];
logFileCoverageOnPrsDeprecationWarning(getRecordingLogger(messages));
t.is(messages.length, 1);
t.is(messages[0].type, "warning");
t.is(
messages[0].message,
"Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests " +
"to improve analysis performance. File coverage information will still be computed on non-PR analyses.\n\n" +
"To opt out of this change, switch to an advanced setup workflow and " +
"set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.",
);
t.true(exportVariableStub.calledOnce);
},
);
test.serial(
"file coverage deprecation warning for user-owned repo with advanced setup recommends env var",
(t) => {
const exportVariableStub = sinon.stub(core, "exportVariable");
sinon.stub(actionsUtil, "isDefaultSetup").returns(false);
github.context.payload = {
repository: {
name: "test-repo",
owner: { login: "test-user", type: "User" },
},
};
const messages: LoggedMessage[] = [];
logFileCoverageOnPrsDeprecationWarning(getRecordingLogger(messages));
t.is(messages.length, 1);
t.is(messages[0].type, "warning");
t.is(
messages[0].message,
"Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests " +
"to improve analysis performance. File coverage information will still be computed on non-PR analyses.\n\n" +
"To opt out of this change, set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.",
);
t.true(exportVariableStub.calledOnce);
},
);
test.serial(
"file coverage deprecation warning for unknown owner type with default setup recommends advanced setup",
(t) => {
const exportVariableStub = sinon.stub(core, "exportVariable");
sinon.stub(actionsUtil, "isDefaultSetup").returns(true);
github.context.payload = { repository: undefined };
const messages: LoggedMessage[] = [];
logFileCoverageOnPrsDeprecationWarning(getRecordingLogger(messages));
t.is(messages.length, 1);
t.is(messages[0].type, "warning");
t.is(
messages[0].message,
"Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests " +
"to improve analysis performance. File coverage information will still be computed on non-PR analyses.\n\n" +
"To opt out of this change, switch to an advanced setup workflow and " +
"set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.",
);
t.true(exportVariableStub.calledOnce);
},
);
test.serial(
"file coverage deprecation warning for unknown owner type with advanced setup recommends env var",
(t) => {
const exportVariableStub = sinon.stub(core, "exportVariable");
sinon.stub(actionsUtil, "isDefaultSetup").returns(false);
github.context.payload = { repository: undefined };
const messages: LoggedMessage[] = [];
logFileCoverageOnPrsDeprecationWarning(getRecordingLogger(messages));
t.is(messages.length, 1);
t.is(messages[0].type, "warning");
t.is(
messages[0].message,
"Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests " +
"to improve analysis performance. File coverage information will still be computed on non-PR analyses.\n\n" +
"To opt out of this change, set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.",
);
t.true(exportVariableStub.calledOnce);
},
);
test.serial(
"logFileCoverageOnPrsDeprecationWarning does not log if already logged",
(t) => {
process.env["CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION"] =
"true";
const exportVariableStub = sinon.stub(core, "exportVariable");
const messages: LoggedMessage[] = [];
logFileCoverageOnPrsDeprecationWarning(getRecordingLogger(messages));
t.is(messages.length, 0);
t.true(exportVariableStub.notCalled);
},
);
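Review bot: The six deprecation-warning tests assign `github.context.payload` directly, and the visible lines never put the previous payload back, so the value set by one test is still in place for whatever runs next in the file. `sinon.stub(github.context, "payload").value({ repository: undefined })` would be undone together with the other stubs, assuming the file's setup restores sinon after each test (not visible here). The same question applies to the `process.env[...] = "true"` assignments in the env-var opt-out test and the already-logged test. If the shared setup does not snapshot and restore `process.env`, the later test that asserts `result.enabled` is false would depend on test order.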


@@ -1,26 +1,33 @@
import * as fs from "fs";
import * as path from "path";
import * as core from "@actions/core";
import * as toolrunner from "@actions/exec/lib/toolrunner";
import * as github from "@actions/github";
import * as io from "@actions/io";
import * as yaml from "js-yaml";
import {
getOptionalInput,
isAnalyzingPullRequest,
isDefaultSetup,
isSelfHostedRunner,
} from "./actions-util";
import { GitHubApiDetails } from "./api-client";
import { CodeQL, setupCodeQL } from "./codeql";
import * as configUtils from "./config-utils";
import { EnvVar } from "./environment";
import {
CodeQLDefaultVersionInfo,
Feature,
FeatureEnablement,
} from "./feature-flags";
import {
RepositoryProperties,
RepositoryPropertyName,
} from "./feature-flags/properties";
import { KnownLanguage, Language } from "./languages";
import { Logger, withGroupAsync } from "./logging";
import { RepositoryNwo } from "./repository";
import { ToolsSource } from "./setup-codeql";
import { ZstdAvailability } from "./tar";
import { ToolsDownloadStatusReport } from "./tools-download";
@@ -300,18 +307,112 @@ export function cleanupDatabaseClusterDirectory(
export async function getFileCoverageInformationEnabled(
debugMode: boolean,
repositoryNwo: RepositoryNwo,
codeql: CodeQL,
features: FeatureEnablement,
): Promise<boolean> {
return (
// Always enable file coverage information in debug mode
debugMode ||
// We're most interested in speeding up PRs, and we want to keep
// submitting file coverage information for the default branch since
// it is used to populate the status page.
!isAnalyzingPullRequest() ||
// For now, restrict this feature to the GitHub org
repositoryNwo.owner !== "github" ||
!(await features.getValue(Feature.SkipFileCoverageOnPrs))
);
repositoryProperties: RepositoryProperties,
): Promise<{
enabled: boolean;
enabledByRepositoryProperty: boolean;
showDeprecationWarning: boolean;
}> {
// Always enable file coverage information in debug mode
if (debugMode) {
return {
enabled: true,
enabledByRepositoryProperty: false,
showDeprecationWarning: false,
};
}
// We're most interested in speeding up PRs, and we want to keep
// submitting file coverage information for the default branch since
// it is used to populate the status page.
if (!isAnalyzingPullRequest()) {
return {
enabled: true,
enabledByRepositoryProperty: false,
showDeprecationWarning: false,
};
}
// If the user has explicitly opted out via an environment variable, don't
// show the deprecation warning.
if (
(process.env[EnvVar.FILE_COVERAGE_ON_PRS] || "").toLocaleLowerCase() ===
"true"
) {
return {
enabled: true,
enabledByRepositoryProperty: false,
showDeprecationWarning: false,
};
}
// Allow repositories to opt in to file coverage information on PRs
// using a repository property. In this case, don't show the deprecation
// warning since the repository has explicitly opted in.
if (
repositoryProperties[RepositoryPropertyName.FILE_COVERAGE_ON_PRS] === true
) {
return {
enabled: true,
enabledByRepositoryProperty: true,
showDeprecationWarning: false,
};
}
// If the feature is disabled, then maintain the previous behavior of
// unconditionally computing file coverage information, but warn that
// file coverage on PRs will be disabled in a future release.
if (!(await features.getValue(Feature.SkipFileCoverageOnPrs, codeql))) {
return {
enabled: true,
enabledByRepositoryProperty: false,
showDeprecationWarning: true,
};
}
// Otherwise, disable file coverage information on PRs to speed up analysis.
return {
enabled: false,
enabledByRepositoryProperty: false,
showDeprecationWarning: false,
};
}
/**
* Log a warning about the deprecation of file coverage information on PRs, including how to opt
* back in via an environment variable or repository property.
*/
export function logFileCoverageOnPrsDeprecationWarning(logger: Logger): void {
if (process.env[EnvVar.DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION]) {
return;
}
const repositoryOwnerType: string | undefined =
github.context.payload.repository?.owner.type;
let message =
"Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests " +
"to improve analysis performance. File coverage information will still be computed on non-PR analyses.";
const envVarOptOut =
"set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`.";
const repoPropertyOptOut =
"create a custom repository property with the name " +
'`github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to ' +
"`true` in the repository's settings.";
if (repositoryOwnerType === "Organization") {
// Org-owned repo: can use the repository property
if (isDefaultSetup()) {
message += `\n\nTo opt out of this change, ${repoPropertyOptOut}`;
} else {
message += `\n\nTo opt out of this change, ${envVarOptOut} Alternatively, ${repoPropertyOptOut}`;
}
} else if (isDefaultSetup()) {
// User-owned repo on default setup: no repo property available and
// no way to set env vars, so need to switch to advanced setup.
message += `\n\nTo opt out of this change, switch to an advanced setup workflow and ${envVarOptOut}`;
} else {
// User-owned repo on advanced setup: can set the env var
message += `\n\nTo opt out of this change, ${envVarOptOut}`;
}
logger.warning(message);
core.exportVariable(EnvVar.DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION, "true");
}
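Review bot: `logFileCoverageOnPrsDeprecationWarning` reads the owner type with `github.context.payload.repository?.owner.type`, which guards `repository` but not `owner`. A payload whose repository object has no `owner` would make this logging helper throw, and the call in the init action appears to sit inside the main `try`. `github.context.payload.repository?.owner?.type` keeps the fallback to the user-owned wording in that case. The doc comment also says "opt back in" while the logged text says "opt out"; one term in both places would read more clearly. `getFileCoverageInformationEnabled` would benefit from a doc comment naming the three returned flags and the order in which the checks are applied.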


@@ -33,6 +33,15 @@ export enum OverlayDatabaseMode {
export const CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
// Per-language minimum CLI versions for overlay analysis, based on release
// validation data.
export const CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
export const CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
export const CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
export const CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
export const CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
export const CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
/**
* The maximum (uncompressed) size of the overlay base database that we will
* upload. By default, the Actions Cache has an overall capacity of 10 GB, and


@@ -10,6 +10,7 @@ export enum ToolsFeature {
ForceOverwrite = "forceOverwrite",
IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
PythonDefaultIsToNotExtractStdlib = "pythonDefaultIsToNotExtractStdlib",
SuppressesMissingFileBaselineWarning = "suppressesMissingFileBaselineWarning",
}
/**