github/codeql-action
0
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2026-04-09 05:32:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into henrymercer/fix-cleanup-info

Browse Source
This commit is contained in:
Michael B. Gale
2025-08-15 18:28:16 +01:00
committed by GitHub
parent 537405376b 4ff91f1080
commit 75151c2782
69 changed files with 773 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
.github/workflows/__all-platform-bundle.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
all-platform-bundle:
strategy:
@@ -48,7 +61,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- id: init
uses: ./../action/init

17
.github/workflows/__analyze-ref-input.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
analyze-ref-input:
strategy:
@@ -52,7 +65,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

5
.github/workflows/__autobuild-action.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
autobuild-action:
strategy:

20
.github/workflows/__autobuild-direct-tracing-with-working-dir.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
java-version:
type: string
description: The version of Java to install
required: false
default: '17'
workflow_call:
inputs:
java-version:
type: string
description: The version of Java to install
required: false
default: '17'
jobs:
autobuild-direct-tracing-with-working-dir:
strategy:
@@ -51,6 +64,11 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Java
uses: actions/setup-java@v4
with:
java-version: ${{ inputs.java-version || '17' }}
distribution: temurin
- name: Test setup
shell: bash
run: |

20
.github/workflows/__autobuild-direct-tracing.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
java-version:
type: string
description: The version of Java to install
required: false
default: '17'
workflow_call:
inputs:
java-version:
type: string
description: The version of Java to install
required: false
default: '17'
jobs:
autobuild-direct-tracing:
strategy:
@@ -51,6 +64,11 @@ jobs:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Java
uses: actions/setup-java@v4
with:
java-version: ${{ inputs.java-version || '17' }}
distribution: temurin
- name: Set up Java test repo configuration
shell: bash
run: |

5
.github/workflows/__build-mode-autobuild.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
build-mode-autobuild:
strategy:

17
.github/workflows/__build-mode-manual.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
build-mode-manual:
strategy:
@@ -48,7 +61,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
id: init

5
.github/workflows/__build-mode-none.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
build-mode-none:
strategy:

5
.github/workflows/__build-mode-rollback.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
build-mode-rollback:
strategy:

5
.github/workflows/__bundle-toolcache.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
bundle-toolcache:
strategy:

5
.github/workflows/__bundle-zstd.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
bundle-zstd:
strategy:

5
.github/workflows/__cleanup-db-cluster-dir.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
cleanup-db-cluster-dir:
strategy:

5
.github/workflows/__config-export.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
config-export:
strategy:

5
.github/workflows/__config-input.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
config-input:
strategy:

5
.github/workflows/__cpp-deptrace-disabled.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
cpp-deptrace-disabled:
strategy:

5
.github/workflows/__cpp-deptrace-enabled-on-macos.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
cpp-deptrace-enabled-on-macos:
strategy:

5
.github/workflows/__cpp-deptrace-enabled.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
cpp-deptrace-enabled:
strategy:

5
.github/workflows/__diagnostics-export.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
diagnostics-export:
strategy:

17
.github/workflows/__export-file-baseline-information.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
export-file-baseline-information:
strategy:
@@ -52,7 +65,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
id: init

5
.github/workflows/__extractor-ram-threads.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
extractor-ram-threads:
strategy:

17
.github/workflows/__go-custom-queries.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
go-custom-queries:
strategy:
@@ -50,7 +63,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

17
.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
go-indirect-tracing-workaround-diagnostic:
strategy:
@@ -48,7 +61,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

17
.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
go-indirect-tracing-workaround-no-file-program:
strategy:
@@ -48,7 +61,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Remove `file` program
run: |

17
.github/workflows/__go-indirect-tracing-workaround.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
go-indirect-tracing-workaround:
strategy:
@@ -48,7 +61,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

17
.github/workflows/__go-tracing-autobuilder.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
go-tracing-autobuilder:
strategy:
@@ -78,7 +91,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

17
.github/workflows/__go-tracing-custom-build-steps.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
go-tracing-custom-build-steps:
strategy:
@@ -78,7 +91,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

17
.github/workflows/__go-tracing-legacy-workflow.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
go-tracing-legacy-workflow:
strategy:
@@ -78,7 +91,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

77
.github/workflows/__go.yml generated vendored Normal file
View File

@@ -0,0 +1,77 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# pr-checks/sync.sh
# to regenerate this file.
name: Manual Check - go
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
paths:
- .github/workflows/__go.yml
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
go-custom-queries:
name: 'Go: Custom queries'
permissions:
contents: read
security-events: read
uses: ./.github/workflows/__go-custom-queries.yml
with:
go-version: ${{ inputs.go-version }}
go-indirect-tracing-workaround-diagnostic:
name: 'Go: diagnostic when Go is changed after init step'
permissions:
contents: read
security-events: read
uses: ./.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
with:
go-version: ${{ inputs.go-version }}
go-indirect-tracing-workaround-no-file-program:
name: 'Go: diagnostic when `file` is not installed'
permissions:
contents: read
security-events: read
uses: ./.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
with:
go-version: ${{ inputs.go-version }}
go-indirect-tracing-workaround:
name: 'Go: workaround for indirect tracing'
permissions:
contents: read
security-events: read
uses: ./.github/workflows/__go-indirect-tracing-workaround.yml
with:
go-version: ${{ inputs.go-version }}
go-tracing-autobuilder:
name: 'Go: tracing with autobuilder step'
permissions:
contents: read
security-events: read
uses: ./.github/workflows/__go-tracing-autobuilder.yml
with:
go-version: ${{ inputs.go-version }}
go-tracing-custom-build-steps:
name: 'Go: tracing with custom build steps'
permissions:
contents: read
security-events: read
uses: ./.github/workflows/__go-tracing-custom-build-steps.yml
with:
go-version: ${{ inputs.go-version }}
go-tracing-legacy-workflow:
name: 'Go: tracing with legacy workflow'
permissions:
contents: read
security-events: read
uses: ./.github/workflows/__go-tracing-legacy-workflow.yml
with:
go-version: ${{ inputs.go-version }}

5
.github/workflows/__init-with-registries.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
init-with-registries:
strategy:

5
.github/workflows/__javascript-source-root.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
javascript-source-root:
strategy:

5
.github/workflows/__job-run-uuid-sarif.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
job-run-uuid-sarif:
strategy:

5
.github/workflows/__language-aliases.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
language-aliases:
strategy:

17
.github/workflows/__multi-language-autodetect.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
multi-language-autodetect:
strategy:
@@ -78,7 +91,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
id: init

5
.github/workflows/__overlay-init-fallback.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
overlay-init-fallback:
strategy:

17
.github/workflows/__packaging-codescanning-config-inputs-js.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
packaging-codescanning-config-inputs-js:
strategy:
@@ -64,7 +77,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

17
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
packaging-config-inputs-js:
strategy:
@@ -64,7 +77,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

17
.github/workflows/__packaging-config-js.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
packaging-config-js:
strategy:
@@ -64,7 +77,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

17
.github/workflows/__packaging-inputs-js.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
packaging-inputs-js:
strategy:
@@ -64,7 +77,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

5
.github/workflows/__quality-queries.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
quality-queries:
strategy:

17
.github/workflows/__remote-config.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
remote-config:
strategy:
@@ -50,7 +63,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

5
.github/workflows/__resolve-environment-action.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
resolve-environment-action:
strategy:

5
.github/workflows/__rubocop-multi-language.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
rubocop-multi-language:
strategy:

5
.github/workflows/__ruby.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
ruby:
strategy:

5
.github/workflows/__rust.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
rust:
strategy:

17
.github/workflows/__split-workflow.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
split-workflow:
strategy:
@@ -58,7 +71,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

5
.github/workflows/__start-proxy.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
start-proxy:
strategy:

5
.github/workflows/__submit-sarif-failure.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
submit-sarif-failure:
strategy:

5
.github/workflows/__swift-autobuild.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
swift-autobuild:
strategy:

17
.github/workflows/__swift-custom-build.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
swift-custom-build:
strategy:
@@ -52,7 +65,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
id: init

5
.github/workflows/__test-autobuild-working-dir.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
test-autobuild-working-dir:
strategy:

17
.github/workflows/__test-local-codeql.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
test-local-codeql:
strategy:
@@ -48,7 +61,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Fetch a CodeQL bundle
shell: bash

5
.github/workflows/__test-proxy.yml generated vendored
View File

@@ -20,7 +20,10 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs: {}
workflow_call:
inputs: {}
jobs:
test-proxy:
strategy:

17
.github/workflows/__unset-environment.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
unset-environment:
strategy:
@@ -50,7 +63,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
id: init

17
.github/workflows/__upload-quality-sarif.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
upload-quality-sarif:
strategy:
@@ -52,7 +65,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

17
.github/workflows/__upload-ref-sha-input.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
upload-ref-sha-input:
strategy:
@@ -52,7 +65,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- uses: ./../action/init
with:

17
.github/workflows/__with-checkout-path.yml generated vendored
View File

@@ -20,7 +20,20 @@ on:
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
workflow_dispatch:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
workflow_call:
inputs:
go-version:
type: string
description: The version of Go to install
required: false
default: '>=1.21.0'
jobs:
with-checkout-path:
strategy:
@@ -52,7 +65,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Delete original checkout
shell: bash

28
lib/overlay-database-utils.js generated
View File

@@ -53,6 +53,21 @@ var OverlayDatabaseMode;
OverlayDatabaseMode["None"] = "none";
})(OverlayDatabaseMode || (exports.OverlayDatabaseMode = OverlayDatabaseMode = {}));
exports.CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
/**
* The maximum (uncompressed) size of the overlay base database that we will
* upload. Actions Cache has an overall capacity of 10 GB, and the Actions Cache
* client library uses zstd compression.
*
* Ideally we would apply a size limit to the compressed overlay-base database,
* but we cannot do so because compression is handled transparently by the
* Actions Cache client library. Instead we place a limit on the uncompressed
* size of the overlay-base database.
*
* Assuming 2.5:1 compression ratio, the 6 GB limit on uncompressed data would
* translate to a limit of around 2.4 GB after compression.
*/
const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6000;
const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1_000_000;
/**
* Writes a JSON file containing Git OIDs for all tracked files (represented
* by path relative to the source root) under the source root. The file is
@@ -192,6 +207,19 @@ async function uploadOverlayBaseDatabaseToCache(codeql, config, logger) {
await codeql.databaseCleanupCluster(config, "overlay");
});
const dbLocation = config.dbLocation;
const databaseSizeBytes = await (0, util_1.tryGetFolderBytes)(dbLocation, logger);
if (databaseSizeBytes === undefined) {
logger.warning("Failed to determine database size. " +
"Skip uploading overlay-base database to cache.");
return false;
}
if (databaseSizeBytes > OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES) {
const databaseSizeMB = Math.round(databaseSizeBytes / 1_000_000);
logger.warning(`Database size (${databaseSizeMB} MB) ` +
`exceeds maximum upload size (${OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB} MB). ` +
"Skip uploading overlay-base database to cache.");
return false;
}
const codeQlVersion = (await codeql.getVersion()).version;
const checkoutPath = (0, actions_util_1.getRequiredInput)("checkout_path");
const cacheKey = await generateCacheKey(config, codeQlVersion, checkoutPath);

2
lib/overlay-database-utils.js.map
View File

File diff suppressed because one or more lines are too long

1
pr-checks/checks/autobuild-direct-tracing-with-working-dir.yml
View File

@@ -5,6 +5,7 @@ description: >
autobuild Action.
operatingSystems: ["ubuntu", "windows"]
versions: ["linked", "nightly-latest"]
installJava: "true"
env:
CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
steps:

3
pr-checks/checks/autobuild-direct-tracing.yml
View File

@@ -2,6 +2,7 @@ name: "Autobuild direct tracing"
description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild', with direct tracing enabled"
operatingSystems: ["ubuntu", "windows"]
versions: ["linked", "nightly-latest"]
installJava: "true"
env:
CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
steps:
@@ -19,7 +20,7 @@ steps:
db-location: "${{ runner.temp }}/customDbLocation"
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check that indirect tracing is disabled
shell: bash
run: |

1
pr-checks/checks/go-custom-queries.yml
View File

@@ -1,5 +1,6 @@
name: "Go: Custom queries"
description: "Checks that Go works in conjunction with a config file specifying custom queries"
collection: go
operatingSystems:
- ubuntu
versions:

1
pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml
View File

@@ -5,6 +5,7 @@ operatingSystems: ["ubuntu"]
# pinned to a version which does not support statically linked binaries for indirect tracing
versions: ["default"]
installGo: "true"
collection: go
steps:
- uses: ./../action/init
with:

1
pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml
View File

@@ -5,6 +5,7 @@ operatingSystems: ["ubuntu"]
# pinned to a version which does not support statically linked binaries for indirect tracing
versions: ["default"]
installGo: "true"
collection: go
steps:
- name: Remove `file` program
run: |

1
pr-checks/checks/go-indirect-tracing-workaround.yml
View File

@@ -5,6 +5,7 @@ operatingSystems: ["ubuntu"]
# pinned to a version which does not support statically linked binaries for indirect tracing
versions: ["default"]
installGo: "true"
collection: go
steps:
- uses: ./../action/init
with:

1
pr-checks/checks/go-tracing-autobuilder.yml
View File

@@ -1,5 +1,6 @@
name: "Go: tracing with autobuilder step"
description: "Checks that Go tracing works when using an autobuilder step"
collection: go
operatingSystems: ["ubuntu", "macos"]
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"

1
pr-checks/checks/go-tracing-custom-build-steps.yml
View File

@@ -1,5 +1,6 @@
name: "Go: tracing with custom build steps"
description: "Checks that Go tracing traces the build when using custom build steps"
collection: go
operatingSystems: ["ubuntu", "macos"]
installGo: "true"
steps:

1
pr-checks/checks/go-tracing-legacy-workflow.yml
View File

@@ -1,5 +1,6 @@
name: "Go: tracing with legacy workflow"
description: "Checks that we run the autobuilder in legacy workflows with neither an autobuild step nor manual build steps"
collection: go
operatingSystems: ["ubuntu", "macos"]
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"

112
pr-checks/sync.py
View File

@@ -60,10 +60,16 @@ yaml.indent(mapping=2, sequence=4, offset=2)
this_dir = pathlib.Path(__file__).resolve().parent
allJobs = {}
for file in (this_dir / 'checks').glob('*.yml'):
collections = {}
for file in sorted((this_dir / 'checks').glob('*.yml')):
with open(file, 'r') as checkStream:
checkSpecification = yaml.load(checkStream)
matrix = []
workflowInputs = {}
if 'inputs' in checkSpecification:
workflowInputs = checkSpecification['inputs']
excludedOsesAndVersions = checkSpecification.get('excludeOsAndVersionCombination', [])
for version in checkSpecification.get('versions', defaultTestVersions):
if version == "latest":
@@ -108,22 +114,48 @@ for file in (this_dir / 'checks').glob('*.yml'):
},
]
installGo = False
if checkSpecification.get('installGo'):
installGo = True if checkSpecification['installGo'].lower() == "true" else False
installGo = checkSpecification.get('installGo', '').lower() == 'true'
if installGo:
baseGoVersionExpr = '>=1.21.0'
workflowInputs['go-version'] = {
'type': 'string',
'description': 'The version of Go to install',
'required': False,
'default': baseGoVersionExpr,
}
steps.append({
'name': 'Install Go',
'uses': 'actions/setup-go@v5',
'with': {
'go-version': '>=1.21.0',
'go-version': '${{ inputs.go-version || \'' + baseGoVersionExpr + '\' }}',
# to avoid potentially misleading autobuilder results where we expect it to download
# dependencies successfully, but they actually come from a warm cache
'cache': False
}
})
installJava = checkSpecification.get('installJava', '').lower() == 'true'
if installJava:
baseJavaVersionExpr = '17'
workflowInputs['java-version'] = {
'type': 'string',
'description': 'The version of Java to install',
'required': False,
'default': baseJavaVersionExpr,
}
steps.append({
'name': 'Install Java',
'uses': 'actions/setup-java@v4',
'with': {
'java-version': '${{ inputs.java-version || \'' + baseJavaVersionExpr + '\' }}',
'distribution': 'temurin'
}
})
# If container initialisation steps are present in the check specification,
# make sure to execute them first.
if 'container' in checkSpecification and 'container-init-steps' in checkSpecification:
@@ -160,6 +192,15 @@ for file in (this_dir / 'checks').glob('*.yml'):
checkJob['env']['CODEQL_ACTION_TEST_MODE'] = True
checkName = file.stem
# If this check belongs to a named collection, record it.
if 'collection' in checkSpecification:
collection_name = checkSpecification['collection']
collections.setdefault(collection_name, []).append({
'specification': checkSpecification,
'checkName': checkName,
'inputs': workflowInputs
})
raw_file = this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml.raw"
with open(raw_file, 'w') as output_stream:
writeHeader(output_stream)
@@ -177,7 +218,12 @@ for file in (this_dir / 'checks').glob('*.yml'):
'types': ["opened", "synchronize", "reopened", "ready_for_review"]
},
'schedule': [{'cron': SingleQuotedScalarString('0 5 * * *')}],
'workflow_dispatch': {}
'workflow_dispatch': {
'inputs': workflowInputs
},
'workflow_call': {
'inputs': workflowInputs
}
},
'jobs': {
checkName: checkJob
@@ -189,3 +235,57 @@ for file in (this_dir / 'checks').glob('*.yml'):
content = input_stream.read()
output_stream.write("\n".join(list(map(lambda x:x.rstrip(), content.splitlines()))+['']))
os.remove(raw_file)
# write workflow files for collections
for collection_name in collections:
jobs = {}
combinedInputs = {}
for check in collections[collection_name]:
checkName = check['checkName']
checkSpecification = check['specification']
checkInputs = check['inputs']
checkWith = {}
combinedInputs |= checkInputs
for inputName in checkInputs.keys():
checkWith[inputName] = "${{ inputs." + inputName + " }}"
jobs[checkName] = {
'name': checkSpecification['name'],
'permissions': {
'contents': 'read',
'security-events': 'read'
},
'uses': "./.github/workflows/" + f"__{checkName}.yml",
'with': checkWith
}
raw_file = this_dir.parent / ".github" / "workflows" / f"__{collection_name}.yml.raw"
with open(raw_file, 'w') as output_stream:
writeHeader(output_stream)
yaml.dump({
'name': f"Manual Check - {collection_name}",
'env': {
'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}',
'GO111MODULE': 'auto'
},
'on': {
'push': {
'paths': [
f'.github/workflows/__{collection_name}.yml'
]
},
'workflow_dispatch': {
'inputs': combinedInputs
},
},
'jobs': jobs
}, output_stream)
with open(raw_file, 'r') as input_stream:
with open(this_dir.parent / ".github" / "workflows" / f"__{collection_name}.yml", 'w') as output_stream:
content = input_stream.read()
output_stream.write("\n".join(list(map(lambda x:x.rstrip(), content.splitlines()))+['']))
os.remove(raw_file)

37
src/overlay-database-utils.ts
View File

@@ -18,6 +18,23 @@ export enum OverlayDatabaseMode {
export const CODEQL_OVERLAY_MINIMUM_VERSION = "2.22.3";
/**
* The maximum (uncompressed) size of the overlay base database that we will
* upload. Actions Cache has an overall capacity of 10 GB, and the Actions Cache
* client library uses zstd compression.
*
* Ideally we would apply a size limit to the compressed overlay-base database,
* but we cannot do so because compression is handled transparently by the
* Actions Cache client library. Instead we place a limit on the uncompressed
* size of the overlay-base database.
*
* Assuming 2.5:1 compression ratio, the 6 GB limit on uncompressed data would
* translate to a limit of around 2.4 GB after compression.
*/
const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 6000;
const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES =
OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1_000_000;
/**
* Writes a JSON file containing Git OIDs for all tracked files (represented
* by path relative to the source root) under the source root. The file is
@@ -212,6 +229,26 @@ export async function uploadOverlayBaseDatabaseToCache(
});
const dbLocation = config.dbLocation;
const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger);
if (databaseSizeBytes === undefined) {
logger.warning(
"Failed to determine database size. " +
"Skip uploading overlay-base database to cache.",
);
return false;
}
if (databaseSizeBytes > OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES) {
const databaseSizeMB = Math.round(databaseSizeBytes / 1_000_000);
logger.warning(
`Database size (${databaseSizeMB} MB) ` +
`exceeds maximum upload size (${OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB} MB). ` +
"Skip uploading overlay-base database to cache.",
);
return false;
}
const codeQlVersion = (await codeql.getVersion()).version;
const checkoutPath = getRequiredInput("checkout_path");
const cacheKey = await generateCacheKey(config, codeQlVersion, checkoutPath);