github/codeql-action
0
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2026-04-30 02:40:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/github/codeql-action into copilot/add-tools-input-source-repository

Browse Source
This commit is contained in:
Óscar San José
2026-04-15 17:32:30 +02:00
parent 8c41253947 e2d518d895
commit 8266ae1159
81 changed files with 15225 additions and 12322 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/actions/release-branches/action.yml
+2 -1
View File
@@ -22,7 +22,8 @@ runs:
MAJOR_VERSION: ${{ inputs.major_version }}
LATEST_TAG: ${{ inputs.latest_tag }}
run: |
python ${{ github.action_path }}/release-branches.py \
npm ci
npx tsx ./pr-checks/release-branches.ts \
--major-version "$MAJOR_VERSION" \
--latest-tag "$LATEST_TAG"
shell: bash
.github/actions/release-branches/release-branches.py
-55
View File
@@ -1,55 +0,0 @@
import argparse
import json
import os
import configparser
# Name of the remote
ORIGIN = 'origin'
script_dir = os.path.dirname(os.path.realpath(__file__))
grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
config = configparser.ConfigParser()
with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
config.read_string('[default]\n' + stream.read())
OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
def main():
parser = argparse.ArgumentParser()
parser.add_argument("--major-version", required=True, type=str, help="The major version of the release")
parser.add_argument("--latest-tag", required=True, type=str, help="The most recent tag published to the repository")
args = parser.parse_args()
major_version = args.major_version
latest_tag = args.latest_tag
print("major_version: " + major_version)
print("latest_tag: " + latest_tag)
# If this is a primary release, we backport to all supported branches,
# so we check whether the major_version taken from the package.json
# is greater than or equal to the latest tag pulled from the repo.
# For example...
# 'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
# 'v2' >= 'v2' is True # the normal case where we're updating the current version
# 'v3' >= 'v2' is True # in this case we are making the first release of a new major version
consider_backports = ( major_version >= latest_tag.split(".")[0] )
with open(os.environ["GITHUB_OUTPUT"], "a") as f:
f.write(f"backport_source_branch=releases/{major_version}\n")
backport_target_branches = []
if consider_backports:
for i in range(int(major_version.strip("v"))-1, 0, -1):
branch_name = f"releases/v{i}"
if i >= OLDEST_SUPPORTED_MAJOR_VERSION:
backport_target_branches.append(branch_name)
f.write("backport_target_branches="+json.dumps(backport_target_branches)+"\n")
if __name__ == "__main__":
main()
.github/actions/release-initialise/action.yml
+6
View File
@@ -15,6 +15,12 @@ runs:
run: echo "$GITHUB_CONTEXT"
shell: bash
- name: Set up Node
uses: actions/setup-node@v6
with:
node-version: 20
cache: 'npm'
- name: Set up Python
uses: actions/setup-python@v6
with:
.github/dependabot.yml
+3 -1
View File
@@ -1,7 +1,9 @@
version: 2
updates:
- package-ecosystem: npm
directory: "/"
directories:
- "/"
- "/pr-checks"
schedule:
interval: weekly
cooldown:
.github/releases.ini
-1
View File
@@ -1 +0,0 @@
OLDEST_SUPPORTED_MAJOR_VERSION=3
.github/workflows/__language-aliases.yml
Generated
+2 -2
View File
@@ -60,12 +60,12 @@ jobs:
setup-kotlin: 'true'
- uses: ./../action/init
with:
languages: C#,java-kotlin,swift,typescript
languages: C#,java-kotlin,typescript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: 'Check languages'
run: |
expected_languages="csharp,java,swift,javascript"
expected_languages="csharp,java,javascript"
actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
if [ "$expected_languages" != "$actual_languages" ]; then
.github/workflows/__rubocop-multi-language.yml
Generated
+1 -1
View File
@@ -59,7 +59,7 @@ jobs:
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Set up Ruby
uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # v1.301.0
with:
ruby-version: 2.6
- name: Install Code Scanning integration
.github/workflows/__start-proxy.yml
Generated
+18 -1
View File
@@ -71,7 +71,17 @@ jobs:
id: proxy
uses: ./../action/start-proxy
with:
registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" }]'
registry_secrets: |
[
{
"type": "maven_repository",
"url": "https://repo.maven.apache.org/maven2/"
},
{
"type": "maven_repository",
"url": "https://repo1.maven.org/maven2"
}
]
- name: Print proxy outputs
run: |
@@ -82,5 +92,12 @@ jobs:
- name: Fail if proxy outputs are not set
if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
run: exit 1
- name: Fail if proxy_urls does not contain all registries
if: |
join(fromJSON(steps.proxy.outputs.proxy_urls)[*].type, ',') != 'maven_repository,maven_repository'
|| !contains(steps.proxy.outputs.proxy_urls, 'https://repo.maven.apache.org/maven2/')
|| !contains(steps.proxy.outputs.proxy_urls, 'https://repo1.maven.org/maven2')
run: exit 1
env:
CODEQL_ACTION_TEST_MODE: true
.github/workflows/debug-artifacts-failure-safe.yml
+1
View File
@@ -66,6 +66,7 @@ jobs:
uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
- uses: ./../action/init
with:
languages: cpp,csharp,go,java,javascript,python
tools: ${{ steps.prepare-test.outputs.tools-url }}
debug: true
debug-artifact-name: my-debug-artifacts
.github/workflows/post-release-mergeback.yml
+2 -2
View File
@@ -24,7 +24,7 @@ defaults:
jobs:
merge-back:
runs-on: ubuntu-slim
runs-on: ubuntu-latest
environment: Automation
if: github.repository == 'github/codeql-action'
env:
@@ -131,7 +131,7 @@ jobs:
echo "::endgroup::"
- name: Generate token
uses: actions/create-github-app-token@v3.0.0
uses: actions/create-github-app-token@v3.1.1
id: app-token
with:
app-id: ${{ vars.AUTOMATION_APP_ID }}
.github/workflows/prepare-release.yml
+1 -1
View File
@@ -29,7 +29,7 @@ defaults:
jobs:
prepare:
name: "Prepare release"
runs-on: ubuntu-slim
runs-on: ubuntu-latest
if: github.repository == 'github/codeql-action'
permissions:
.github/workflows/rollback-release.yml
+1 -1
View File
@@ -136,7 +136,7 @@ jobs:
- name: Generate token
if: github.event_name == 'workflow_dispatch'
uses: actions/create-github-app-token@v3.0.0
uses: actions/create-github-app-token@v3.1.1
id: app-token
with:
app-id: ${{ vars.AUTOMATION_APP_ID }}
.github/workflows/script/update-required-checks.sh
-64
View File
@@ -1,64 +0,0 @@
#!/usr/bin/env bash
# Update the required checks based on the current branch.
set -euo pipefail
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
REPO_DIR="$(dirname "$SCRIPT_DIR")"
GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
source "$GRANDPARENT_DIR/releases.ini"
if ! gh auth status 2>/dev/null; then
gh auth status
echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
exit 1
fi
if [ "$#" -eq 1 ]; then
# If we were passed an argument, use that as the SHA
GITHUB_SHA="$1"
elif [ "$#" -gt 1 ]; then
echo "Usage: $0 [SHA]"
echo "Update the required checks based on the SHA, or main."
exit 1
elif [ -z "$GITHUB_SHA" ]; then
# If we don't have a SHA, use main
GITHUB_SHA="$(git rev-parse main)"
fi
echo "Getting checks for $GITHUB_SHA"
# Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") or . == "Agent" or . == "Cleanup artifacts" or . == "Prepare" or . == "Upload results" or . == "Label PR with size" | not)] | unique | sort')"
echo "$CHECKS" | jq
# Fail if there are no checks
if [ -z "$CHECKS" ] || [ "$(echo "$CHECKS" | jq '. | length')" -eq 0 ]; then
echo "No checks found for $GITHUB_SHA"
exit 1
fi
echo "{\"contexts\": ${CHECKS}}" > checks.json
echo "Updating main"
gh api --silent -X "PATCH" "repos/github/codeql-action/branches/main/protection/required_status_checks" --input checks.json
# list all branchs on origin remote matching releases/v*
BRANCHES="$(git ls-remote --heads origin 'releases/v*' | sed 's?.*refs/heads/??' | sort -V)"
for BRANCH in $BRANCHES; do
# strip exact 'releases/v' prefix from $BRANCH using count of characters
VERSION="${BRANCH:10}"
if [ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]; then
echo "Skipping $BRANCH"
continue
fi
echo "Updating $BRANCH"
gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
done
rm checks.json
.github/workflows/update-bundle.yml
+15 -1
View File
@@ -20,7 +20,7 @@ defaults:
jobs:
update-bundle:
if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
runs-on: ubuntu-slim
runs-on: ubuntu-latest
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull requests
@@ -57,6 +57,20 @@ jobs:
- name: Update bundle
uses: ./.github/actions/update-bundle
- name: Set up CodeQL CLI from new bundle
id: setup-codeql
uses: ./setup-codeql
with:
tools: https://github.com/github/codeql-action/releases/download/${{ github.event.release.tag_name }}/codeql-bundle-linux64.tar.gz
- name: Update language aliases
env:
CODEQL_PATH: ${{ steps.setup-codeql.outputs.codeql-path }}
run: |
"$CODEQL_PATH" resolve languages --format=betterjson --extractor-include-aliases \
| jq -S '.aliases // {}' \
> src/known-language-aliases.json
- name: Bump Action minor version if new CodeQL minor version series
id: bump-action-version
run: |
.github/workflows/update-release-branch.yml
+3 -3
View File
@@ -26,7 +26,7 @@ jobs:
update:
timeout-minutes: 45
runs-on: ubuntu-slim
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch'
needs: [prepare]
env:
@@ -77,7 +77,7 @@ jobs:
backport:
timeout-minutes: 45
runs-on: ubuntu-slim
runs-on: ubuntu-latest
environment: Automation
needs: [prepare]
if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
@@ -93,7 +93,7 @@ jobs:
pull-requests: write # needed to create pull request
steps:
- name: Generate token
uses: actions/create-github-app-token@v3.0.0
uses: actions/create-github-app-token@v3.1.1
id: app-token
with:
app-id: ${{ vars.AUTOMATION_APP_ID }}
.gitignore
+2
View File
@@ -11,3 +11,5 @@ build/
eslint.sarif
# for local incremental compilation
tsconfig.tsbuildinfo
# esbuild metadata file
meta.json
.vscode/tests.code-snippets
Vendored
+30
View File
@@ -0,0 +1,30 @@
{
// Place your codeql-action workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and
// description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope
// is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
// used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
// $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
// Placeholders with the same ids are connected.
// Example:
// "Print to console": {
// "scope": "javascript,typescript",
// "prefix": "log",
// "body": [
// "console.log('$1');",
// "$2"
// ],
// "description": "Log output to console"
// }
"Test Macro": {
"scope": "javascript, typescript",
"prefix": "testMacro",
"body": [
"const ${1:nameMacro} = test.macro({",
" exec: async (t: ExecutionContext<unknown>) => {},",
"",
" title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,",
"});",
],
"description": "An Ava test macro",
},
}
CHANGELOG.md
+17
View File
@@ -6,6 +6,23 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
- Organizations can now create a custom repository property with the name `github-codeql-tools` to control the CodeQL CLI tools input at the repository level. When this property is set to a valid tools input value (such as `"toolcache"`, `"latest"`, or a specific version), it will override the default tools configuration for that repository. This allows organization administrators to standardize CodeQL CLI versions across repositories or enable toolcache usage on repositories where it would otherwise be restricted. For more information on creating custom repository properties, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
## 4.35.2 - 15 Apr 2026
- The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#3795](https://github.com/github/codeql-action/pull/3795)
- The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#3789](https://github.com/github/codeql-action/pull/3789)
- Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#3794](https://github.com/github/codeql-action/pull/3794)
- Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#3807](https://github.com/github/codeql-action/pull/3807)
- Update default CodeQL bundle version to [2.25.2](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#3823](https://github.com/github/codeql-action/pull/3823)
## 4.35.1 - 27 Mar 2026
- Fix incorrect minimum required Git version for [improved incremental analysis](https://github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://github.com/github/codeql-action/pull/3781)
## 4.35.0 - 27 Mar 2026
- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
- Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://github.com/github/codeql-action/pull/3773)
## 4.34.1 - 20 Mar 2026
- Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://github.com/github/codeql-action/pull/3762)
CONTRIBUTING.md
+7 -5
View File
@@ -69,12 +69,14 @@ Once the mergeback and backport pull request have been merged, the release is co
## Keeping the PR checks up to date (admin access required)
Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:
- If you run the script without an argument, it will retrieve the set of workflows that ran for the latest commit on `main`. Make sure that your local `main` branch is up to date before running the script.
- You can specify a commit SHA as argument to retrieve the set of workflows for that commit instead. You will likely want to use this if you have a PR that removes or adds PR checks.
- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
- By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
- If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
- You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.
After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v4`, and any other currently supported major versions have been updated.
Note that any updates to checks on `main` need to be backported to all currently supported major version branches, in order to maintain the same set of names for required checks.
@@ -122,7 +124,7 @@ To deprecate an older version of the Action:
- Implement an Actions warning for customers using the deprecated version.
1. Wait for the deprecation period to pass.
1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported.
1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [releases.ini](.github/releases.ini). Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [config.ts](pr-checks/config.ts). Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
## Resources
build.mjs
+10 -3
View File
@@ -1,4 +1,4 @@
import { copyFile, rm } from "node:fs/promises";
import { copyFile, rm, writeFile } from "node:fs/promises";
import { dirname, join } from "node:path";
import { fileURLToPath } from "node:url";
@@ -64,7 +64,11 @@ const onEndPlugin = {
const context = await esbuild.context({
// Include upload-lib.ts as an entry point for use in testing environments.
entryPoints: globSync([`${SRC_DIR}/*-action.ts`, `${SRC_DIR}/*-action-post.ts`, "src/upload-lib.ts"]),
entryPoints: globSync([
`${SRC_DIR}/*-action.ts`,
`${SRC_DIR}/*-action-post.ts`,
"src/upload-lib.ts",
]),
bundle: true,
format: "cjs",
outdir: OUT_DIR,
@@ -74,7 +78,10 @@ const context = await esbuild.context({
define: {
__CODEQL_ACTION_VERSION__: JSON.stringify(pkg.version),
},
metafile: true,
});
await context.rebuild();
const result = await context.rebuild();
await writeFile(join(__dirname, "meta.json"), JSON.stringify(result.metafile));
await context.dispose();
eslint.config.mjs
+21 -6
View File
@@ -7,7 +7,11 @@ import noAsyncForeach from "eslint-plugin-no-async-foreach";
import jsdoc from "eslint-plugin-jsdoc";
import tseslint from "typescript-eslint";
import globals from "globals";
import path from "path";
import { fileURLToPath } from "url";
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
const githubFlatConfigs = github.getFlatConfigs();
export default [
@@ -43,7 +47,7 @@ export default [
plugins: {
"import-x": importX,
"no-async-foreach": fixupPluginRules(noAsyncForeach),
"jsdoc": jsdoc,
jsdoc: jsdoc,
},
languageOptions: {
@@ -67,7 +71,13 @@ export default [
typescript: {},
},
"import/ignore": ["sinon", "uuid", "@octokit/plugin-retry", "del", "get-folder-size"],
"import/ignore": [
"sinon",
"uuid",
"@octokit/plugin-retry",
"del",
"get-folder-size",
],
"import-x/resolver-next": [
createTypeScriptImportResolver(),
createNodeResolver({
@@ -143,7 +153,7 @@ export default [
// We don't currently require full JSDoc coverage, so this rule
// should not error on missing @param annotations.
disableMissingParamChecks: true,
}
},
],
},
},
@@ -162,9 +172,9 @@ export default [
"@typescript-eslint/no-unused-vars": [
"error",
{
"args": "all",
"argsIgnorePattern": "^_",
}
args: "all",
argsIgnorePattern: "^_",
},
],
"func-style": "off",
},
@@ -183,6 +193,11 @@ export default [
// The scripts in `pr-checks` are expected to output to the console.
"no-console": "off",
"import/no-extraneous-dependencies": [
"error",
{ packageDir: [__dirname, path.resolve(__dirname, "pr-checks")] },
],
"@typescript-eslint/no-floating-promises": [
"error",
{
lib/analyze-action-post.js
Generated
+1517 -1415
View File
File diff suppressed because it is too large Load Diff
lib/analyze-action.js
Generated
+430 -470
View File
File diff suppressed because it is too large Load Diff
lib/autobuild-action.js
Generated
+784 -678
View File
File diff suppressed because it is too large Load Diff
lib/defaults.json
+4 -4
View File
@@ -1,6 +1,6 @@
{
"bundleVersion": "codeql-bundle-v2.24.3",
"cliVersion": "2.24.3",
"priorBundleVersion": "codeql-bundle-v2.24.2",
"priorCliVersion": "2.24.2"
"bundleVersion": "codeql-bundle-v2.25.2",
"cliVersion": "2.25.2",
"priorBundleVersion": "codeql-bundle-v2.25.1",
"priorCliVersion": "2.25.1"
}
lib/init-action-post.js
Generated
+522 -411
View File
File diff suppressed because it is too large Load Diff
lib/init-action.js
Generated
+839 -596
View File
File diff suppressed because it is too large Load Diff
lib/resolve-environment-action.js
Generated
+769 -667
View File
File diff suppressed because it is too large Load Diff
lib/setup-codeql-action.js
Generated
+1782 -1674
View File
File diff suppressed because it is too large Load Diff
lib/start-proxy-action-post.js
Generated
+78 -56
View File
@@ -41057,18 +41057,18 @@ var init_dist_src2 = __esm({
}
});
// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
var VERSION5;
var init_version2 = __esm({
"node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
"node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
VERSION5 = "17.0.0";
}
});
// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
var Endpoints, endpoints_default;
var init_endpoints = __esm({
"node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
"node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
Endpoints = {
actions: {
addCustomLabelsToSelfHostedRunnerForOrg: [
@@ -43362,7 +43362,7 @@ var init_endpoints = __esm({
}
});
// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
function endpointsToMethods(octokit) {
const newMethods = {};
for (const scope of endpointMethodsMap.keys()) {
@@ -43413,7 +43413,7 @@ function decorate(octokit, scope, methodName, defaults, decorations) {
}
var endpointMethodsMap, handler;
var init_endpoints_to_methods = __esm({
"node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
"node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
init_endpoints();
endpointMethodsMap = /* @__PURE__ */ new Map();
for (const [scope, endpoints] of Object.entries(endpoints_default)) {
@@ -43491,7 +43491,7 @@ var init_endpoints_to_methods = __esm({
}
});
// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
var dist_src_exports2 = {};
__export(dist_src_exports2, {
legacyRestEndpointMethods: () => legacyRestEndpointMethods,
@@ -43511,7 +43511,7 @@ function legacyRestEndpointMethods(octokit) {
};
}
var init_dist_src3 = __esm({
"node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
"node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
init_version2();
init_endpoints_to_methods();
restEndpointMethods.VERSION = VERSION5;
@@ -43519,7 +43519,7 @@ var init_dist_src3 = __esm({
}
});
// node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
// node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
var dist_bundle_exports = {};
__export(dist_bundle_exports, {
composePaginateRest: () => composePaginateRest,
@@ -43645,7 +43645,7 @@ function paginateRest(octokit) {
}
var VERSION6, composePaginateRest, paginatingEndpoints;
var init_dist_bundle5 = __esm({
"node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
"node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
VERSION6 = "0.0.0-development";
composePaginateRest = Object.assign(paginate, {
iterator
@@ -47304,7 +47304,6 @@ var require_light = __commonJS({
var require_helpers = __commonJS({
"node_modules/jsonschema/lib/helpers.js"(exports2, module2) {
"use strict";
var uri = require("url");
var ValidationError = exports2.ValidationError = function ValidationError2(message, instance, schema2, path4, name, argument) {
if (Array.isArray(path4)) {
this.path = path4;
@@ -47379,7 +47378,7 @@ var require_helpers = __commonJS({
} });
module2.exports.ValidatorResultError = ValidatorResultError;
function ValidatorResultError(result) {
if (Error.captureStackTrace) {
if (typeof Error.captureStackTrace === "function") {
Error.captureStackTrace(this, ValidatorResultError);
}
this.instance = result.instance;
@@ -47394,7 +47393,9 @@ var require_helpers = __commonJS({
this.message = msg;
this.schema = schema2;
Error.call(this, msg);
Error.captureStackTrace(this, SchemaError2);
if (typeof Error.captureStackTrace === "function") {
Error.captureStackTrace(this, SchemaError2);
}
};
SchemaError.prototype = Object.create(
Error.prototype,
@@ -47418,12 +47419,12 @@ var require_helpers = __commonJS({
this.schemas = schemas;
};
SchemaContext.prototype.resolve = function resolve3(target) {
return uri.resolve(this.base, target);
return (() => resolveUrl(this.base, target))();
};
SchemaContext.prototype.makeChild = function makeChild(schema2, propertyName) {
var path4 = propertyName === void 0 ? this.path : this.path.concat([propertyName]);
var id = schema2.$id || schema2.id;
var base = uri.resolve(this.base, id || "");
let base = (() => resolveUrl(this.base, id || ""))();
var ctx = new SchemaContext(schema2, this.options, path4, base, Object.create(this.schemas));
if (id && !ctx.schemas[base]) {
ctx.schemas[base] = schema2;
@@ -47617,6 +47618,14 @@ var require_helpers = __commonJS({
exports2.isSchema = function isSchema(val) {
return typeof val === "object" && val || typeof val === "boolean";
};
var resolveUrl = exports2.resolveUrl = function resolveUrl2(from, to) {
const resolvedUrl = new URL(to, new URL(from, "resolve://"));
if (resolvedUrl.protocol === "resolve:") {
const { pathname, search, hash } = resolvedUrl;
return pathname + search + hash;
}
return resolvedUrl.toString();
};
}
});
@@ -48292,7 +48301,6 @@ var require_attribute = __commonJS({
var require_scan = __commonJS({
"node_modules/jsonschema/lib/scan.js"(exports2, module2) {
"use strict";
var urilib = require("url");
var helpers = require_helpers();
module2.exports.SchemaScanResult = SchemaScanResult;
function SchemaScanResult(found, ref) {
@@ -48303,12 +48311,13 @@ var require_scan = __commonJS({
function scanSchema(baseuri, schema3) {
if (!schema3 || typeof schema3 != "object") return;
if (schema3.$ref) {
var resolvedUri = urilib.resolve(baseuri, schema3.$ref);
let resolvedUri = helpers.resolveUrl(baseuri, schema3.$ref);
ref[resolvedUri] = ref[resolvedUri] ? ref[resolvedUri] + 1 : 0;
return;
}
var id = schema3.$id || schema3.id;
var ourBase = id ? urilib.resolve(baseuri, id) : baseuri;
let resolvedBase = helpers.resolveUrl(baseuri, id);
var ourBase = id ? resolvedBase : baseuri;
if (ourBase) {
if (ourBase.indexOf("#") < 0) ourBase += "#";
if (found[ourBase]) {
@@ -48360,7 +48369,6 @@ var require_scan = __commonJS({
var require_validator = __commonJS({
"node_modules/jsonschema/lib/validator.js"(exports2, module2) {
"use strict";
var urilib = require("url");
var attribute = require_attribute();
var helpers = require_helpers();
var scanSchema = require_scan().scan;
@@ -48425,7 +48433,7 @@ var require_validator = __commonJS({
options = {};
}
var id = schema2.$id || schema2.id;
var base = urilib.resolve(options.base || anonymousBase, id || "");
let base = helpers.resolveUrl(options.base, id || "");
if (!ctx) {
ctx = new SchemaContext(schema2, options, [], base, Object.create(this.schemas));
if (!ctx.schemas[base]) {
@@ -48520,8 +48528,8 @@ var require_validator = __commonJS({
if (ctx.schemas[switchSchema]) {
return { subschema: ctx.schemas[switchSchema], switchSchema };
}
var parsed = urilib.parse(switchSchema);
var fragment = parsed && parsed.hash;
let parsed = new URL(switchSchema, "thismessage::/");
let fragment = parsed.hash;
var document2 = fragment && fragment.length && switchSchema.substr(0, switchSchema.length - fragment.length);
if (!document2 || !ctx.schemas[document2]) {
throw new SchemaError("no such schema <" + switchSchema + ">", schema2);
@@ -49102,7 +49110,7 @@ var require_brace_expansion = __commonJS({
var x = numeric(n[0]);
var y = numeric(n[1]);
var width = Math.max(n[0].length, n[1].length);
var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
var test = lte;
var reverse = y < x;
if (reverse) {
@@ -93210,7 +93218,7 @@ var require_cacheHttpClient = __commonJS({
exports2.getCacheEntry = getCacheEntry;
exports2.downloadCache = downloadCache;
exports2.reserveCache = reserveCache;
exports2.saveCache = saveCache5;
exports2.saveCache = saveCache4;
var core15 = __importStar2(require_core());
var http_client_1 = require_lib();
var auth_1 = require_auth();
@@ -93387,7 +93395,7 @@ Other caches with similar key:`);
}));
});
}
function saveCache5(cacheId, archivePath, signedUploadURL, options) {
function saveCache4(cacheId, archivePath, signedUploadURL, options) {
return __awaiter2(this, void 0, void 0, function* () {
const uploadOptions = (0, options_1.getUploadOptions)(options);
if (uploadOptions.useAzureSdk) {
@@ -98887,8 +98895,8 @@ var require_cache5 = __commonJS({
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
exports2.isFeatureAvailable = isFeatureAvailable;
exports2.restoreCache = restoreCache5;
exports2.saveCache = saveCache5;
exports2.restoreCache = restoreCache4;
exports2.saveCache = saveCache4;
var core15 = __importStar2(require_core());
var path4 = __importStar2(require("path"));
var utils = __importStar2(require_cacheUtils());
@@ -98945,7 +98953,7 @@ var require_cache5 = __commonJS({
return !!process.env["ACTIONS_CACHE_URL"];
}
}
function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -99089,7 +99097,7 @@ var require_cache5 = __commonJS({
return void 0;
});
}
function saveCache5(paths_1, key_1, options_1) {
function saveCache4(paths_1, key_1, options_1) {
return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -115635,7 +115643,7 @@ var require_commonjs19 = __commonJS({
var openPattern = /\\{/g;
var closePattern = /\\}/g;
var commaPattern = /\\,/g;
var periodPattern = /\\./g;
var periodPattern = /\\\./g;
exports2.EXPANSION_MAX = 1e5;
function numeric(str2) {
return !isNaN(str2) ? parseInt(str2, 10) : str2.charCodeAt(0);
@@ -115730,7 +115738,7 @@ var require_commonjs19 = __commonJS({
const x = numeric(n[0]);
const y = numeric(n[1]);
const width = Math.max(n[0].length, n[1].length);
let incr = n.length === 3 && n[2] !== void 0 ? Math.abs(numeric(n[2])) : 1;
let incr = n.length === 3 && n[2] !== void 0 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
let test = lte;
const reverse = y < x;
if (reverse) {
@@ -158263,6 +158271,11 @@ var require_follow_redirects = __commonJS({
} catch (error3) {
useNativeURL = error3.code === "ERR_INVALID_URL";
}
var sensitiveHeaders = [
"Authorization",
"Proxy-Authorization",
"Cookie"
];
var preservedUrlFields = [
"auth",
"host",
@@ -158327,6 +158340,7 @@ var require_follow_redirects = __commonJS({
self2.emit("error", cause instanceof RedirectionError ? cause : new RedirectionError({ cause }));
}
};
this._headerFilter = new RegExp("^(?:" + sensitiveHeaders.concat(options.sensitiveHeaders).map(escapeRegex).join("|") + ")$", "i");
this._performRequest();
}
RedirectableRequest.prototype = Object.create(Writable.prototype);
@@ -158464,6 +158478,9 @@ var require_follow_redirects = __commonJS({
if (!options.headers) {
options.headers = {};
}
if (!isArray(options.sensitiveHeaders)) {
options.sensitiveHeaders = [];
}
if (options.host) {
if (!options.hostname) {
options.hostname = options.host;
@@ -158569,7 +158586,7 @@ var require_follow_redirects = __commonJS({
this._isRedirect = true;
spreadUrlObject(redirectUrl, this._options);
if (redirectUrl.protocol !== currentUrlParts.protocol && redirectUrl.protocol !== "https:" || redirectUrl.host !== currentHost && !isSubdomain(redirectUrl.host, currentHost)) {
removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
removeMatchingHeaders(this._headerFilter, this._options.headers);
}
if (isFunction(beforeRedirect)) {
var responseDetails = {
@@ -158718,6 +158735,9 @@ var require_follow_redirects = __commonJS({
var dot = subdomain.length - domain.length - 1;
return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
}
function isArray(value) {
return value instanceof Array;
}
function isString2(value) {
return typeof value === "string" || value instanceof String;
}
@@ -158730,6 +158750,9 @@ var require_follow_redirects = __commonJS({
function isURL(value) {
return URL2 && value instanceof URL2;
}
function escapeRegex(regex) {
return regex.replace(/[\]\\/()*+?.$]/g, "\\$&");
}
module2.exports = wrap({ http, https: https2 });
module2.exports.wrap = wrap;
}
@@ -161498,7 +161521,7 @@ function getTemporaryDirectory() {
return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
}
function getActionVersion() {
return "4.34.2";
return "4.35.3";
}
var persistedInputsKey = "persisted_inputs";
var restoreInputs = function() {
@@ -161518,8 +161541,11 @@ var githubUtils = __toESM(require_utils5());
var import_light = __toESM(require_light(), 1);
init_dist_src();
var VERSION7 = "0.0.0-development";
function isRequestError(error3) {
return error3.request !== void 0;
}
async function errorRequest(state, octokit, error3, options) {
if (!error3.request || !error3.request.request) {
if (!isRequestError(error3) || !error3?.request.request) {
throw error3;
}
if (error3.status >= 400 && !state.doNotRetry.includes(error3.status)) {
@@ -161532,8 +161558,8 @@ async function errorRequest(state, octokit, error3, options) {
async function wrapRequest(state, octokit, request2, options) {
const limiter = new import_light.default();
limiter.on("failed", function(error3, info7) {
const maxRetries = ~~error3.request.request.retries;
const after = ~~error3.request.request.retryAfter;
const maxRetries = ~~error3.request.request?.retries;
const after = ~~error3.request.request?.retryAfter;
options.request.retryCount = info7.retryCount + 1;
if (maxRetries > info7.retryCount) {
return after * state.retryAfterBaseValue;
@@ -161545,7 +161571,7 @@ async function wrapRequest(state, octokit, request2, options) {
);
}
async function requestWithGraphqlErrorHandling(state, octokit, request2, options) {
const response = await request2(request2, options);
const response = await request2(options);
if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
response.data.errors[0].message
)) {
@@ -161567,11 +161593,7 @@ function retry(octokit, octokitOptions) {
},
octokitOptions.retry
);
if (state.enabled) {
octokit.hook.error("request", errorRequest.bind(null, state, octokit));
octokit.hook.wrap("request", wrapRequest.bind(null, state, octokit));
}
return {
const retryPlugin = {
retry: {
retryRequest: (error3, retries, retryAfter) => {
error3.request.request = Object.assign({}, error3.request.request, {
@@ -161582,6 +161604,11 @@ function retry(octokit, octokitOptions) {
}
}
};
if (state.enabled) {
octokit.hook.error("request", errorRequest.bind(null, state, retryPlugin));
octokit.hook.wrap("request", wrapRequest.bind(null, state, retryPlugin));
}
return retryPlugin;
}
retry.VERSION = VERSION7;
@@ -161700,9 +161727,6 @@ function getActionsLogger() {
// src/feature-flags.ts
var semver5 = __toESM(require_semver2());
// src/overlay/index.ts
var actionsCache = __toESM(require_cache5());
// src/git-utils.ts
var core8 = __toESM(require_core());
var toolrunner2 = __toESM(require_toolrunner());
@@ -161718,8 +161742,6 @@ var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
// src/tools-features.ts
var semver4 = __toESM(require_semver2());
@@ -161899,12 +161921,6 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
minimumVersion: void 0
},
["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
minimumVersion: void 0,
toolsFeature: "pythonDefaultIsToNotExtractStdlib" /* PythonDefaultIsToNotExtractStdlib */
},
["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_QA_TELEMETRY",
@@ -161941,10 +161957,10 @@ var featureConfig = {
};
// src/overlay/status.ts
var actionsCache2 = __toESM(require_cache5());
var actionsCache = __toESM(require_cache5());
// src/trap-caching.ts
var actionsCache3 = __toESM(require_cache5());
var actionsCache2 = __toESM(require_cache5());
// src/config-utils.ts
var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
@@ -162134,6 +162150,12 @@ var cliErrorsConfig = {
)
]
},
["SwiftIncompatibleOs" /* SwiftIncompatibleOs */]: {
cliErrorMessageCandidates: [
new RegExp("\\[incompatible-os\\]"),
new RegExp("Swift analysis is only supported on macOS")
]
},
["UnsupportedBuildMode" /* UnsupportedBuildMode */]: {
cliErrorMessageCandidates: [
new RegExp(
@@ -162168,7 +162190,7 @@ var semver7 = __toESM(require_semver2());
var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
// src/dependency-caching.ts
var actionsCache4 = __toESM(require_cache5());
var actionsCache3 = __toESM(require_cache5());
var glob = __toESM(require_glob());
// src/artifact-scanner.ts
lib/start-proxy-action.js
Generated
+3228 -3145
View File
File diff suppressed because it is too large Load Diff
lib/upload-lib.js
Generated
+263 -158
View File
File diff suppressed because it is too large Load Diff
lib/upload-sarif-action-post.js
Generated
+78 -56
View File
@@ -41057,18 +41057,18 @@ var init_dist_src2 = __esm({
}
});
// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js
var VERSION5;
var init_version2 = __esm({
"node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
"node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/version.js"() {
VERSION5 = "17.0.0";
}
});
// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js
var Endpoints, endpoints_default;
var init_endpoints = __esm({
"node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
"node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/generated/endpoints.js"() {
Endpoints = {
actions: {
addCustomLabelsToSelfHostedRunnerForOrg: [
@@ -43362,7 +43362,7 @@ var init_endpoints = __esm({
}
});
// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js
function endpointsToMethods(octokit) {
const newMethods = {};
for (const scope of endpointMethodsMap.keys()) {
@@ -43413,7 +43413,7 @@ function decorate(octokit, scope, methodName, defaults, decorations) {
}
var endpointMethodsMap, handler;
var init_endpoints_to_methods = __esm({
"node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
"node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/endpoints-to-methods.js"() {
init_endpoints();
endpointMethodsMap = /* @__PURE__ */ new Map();
for (const [scope, endpoints] of Object.entries(endpoints_default)) {
@@ -43491,7 +43491,7 @@ var init_endpoints_to_methods = __esm({
}
});
// node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
// node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js
var dist_src_exports2 = {};
__export(dist_src_exports2, {
legacyRestEndpointMethods: () => legacyRestEndpointMethods,
@@ -43511,7 +43511,7 @@ function legacyRestEndpointMethods(octokit) {
};
}
var init_dist_src3 = __esm({
"node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
"node_modules/@octokit/plugin-rest-endpoint-methods/dist-src/index.js"() {
init_version2();
init_endpoints_to_methods();
restEndpointMethods.VERSION = VERSION5;
@@ -43519,7 +43519,7 @@ var init_dist_src3 = __esm({
}
});
// node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
// node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js
var dist_bundle_exports = {};
__export(dist_bundle_exports, {
composePaginateRest: () => composePaginateRest,
@@ -43645,7 +43645,7 @@ function paginateRest(octokit) {
}
var VERSION6, composePaginateRest, paginatingEndpoints;
var init_dist_bundle5 = __esm({
"node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
"node_modules/@octokit/plugin-paginate-rest/dist-bundle/index.js"() {
VERSION6 = "0.0.0-development";
composePaginateRest = Object.assign(paginate, {
iterator
@@ -107819,7 +107819,7 @@ var require_commonjs19 = __commonJS({
var openPattern = /\\{/g;
var closePattern = /\\}/g;
var commaPattern = /\\,/g;
var periodPattern = /\\./g;
var periodPattern = /\\\./g;
exports2.EXPANSION_MAX = 1e5;
function numeric(str2) {
return !isNaN(str2) ? parseInt(str2, 10) : str2.charCodeAt(0);
@@ -107914,7 +107914,7 @@ var require_commonjs19 = __commonJS({
const x = numeric(n[0]);
const y = numeric(n[1]);
const width = Math.max(n[0].length, n[1].length);
let incr = n.length === 3 && n[2] !== void 0 ? Math.abs(numeric(n[2])) : 1;
let incr = n.length === 3 && n[2] !== void 0 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
let test = lte;
const reverse = y < x;
if (reverse) {
@@ -149550,7 +149550,6 @@ var require_artifact_client2 = __commonJS({
var require_helpers3 = __commonJS({
"node_modules/jsonschema/lib/helpers.js"(exports2, module2) {
"use strict";
var uri = require("url");
var ValidationError = exports2.ValidationError = function ValidationError2(message, instance, schema2, path3, name, argument) {
if (Array.isArray(path3)) {
this.path = path3;
@@ -149625,7 +149624,7 @@ var require_helpers3 = __commonJS({
} });
module2.exports.ValidatorResultError = ValidatorResultError;
function ValidatorResultError(result) {
if (Error.captureStackTrace) {
if (typeof Error.captureStackTrace === "function") {
Error.captureStackTrace(this, ValidatorResultError);
}
this.instance = result.instance;
@@ -149640,7 +149639,9 @@ var require_helpers3 = __commonJS({
this.message = msg;
this.schema = schema2;
Error.call(this, msg);
Error.captureStackTrace(this, SchemaError2);
if (typeof Error.captureStackTrace === "function") {
Error.captureStackTrace(this, SchemaError2);
}
};
SchemaError.prototype = Object.create(
Error.prototype,
@@ -149664,12 +149665,12 @@ var require_helpers3 = __commonJS({
this.schemas = schemas;
};
SchemaContext.prototype.resolve = function resolve2(target) {
return uri.resolve(this.base, target);
return (() => resolveUrl(this.base, target))();
};
SchemaContext.prototype.makeChild = function makeChild(schema2, propertyName) {
var path3 = propertyName === void 0 ? this.path : this.path.concat([propertyName]);
var id = schema2.$id || schema2.id;
var base = uri.resolve(this.base, id || "");
let base = (() => resolveUrl(this.base, id || ""))();
var ctx = new SchemaContext(schema2, this.options, path3, base, Object.create(this.schemas));
if (id && !ctx.schemas[base]) {
ctx.schemas[base] = schema2;
@@ -149863,6 +149864,14 @@ var require_helpers3 = __commonJS({
exports2.isSchema = function isSchema(val) {
return typeof val === "object" && val || typeof val === "boolean";
};
var resolveUrl = exports2.resolveUrl = function resolveUrl2(from, to) {
const resolvedUrl = new URL(to, new URL(from, "resolve://"));
if (resolvedUrl.protocol === "resolve:") {
const { pathname, search, hash } = resolvedUrl;
return pathname + search + hash;
}
return resolvedUrl.toString();
};
}
});
@@ -150538,7 +150547,6 @@ var require_attribute = __commonJS({
var require_scan = __commonJS({
"node_modules/jsonschema/lib/scan.js"(exports2, module2) {
"use strict";
var urilib = require("url");
var helpers = require_helpers3();
module2.exports.SchemaScanResult = SchemaScanResult;
function SchemaScanResult(found, ref) {
@@ -150549,12 +150557,13 @@ var require_scan = __commonJS({
function scanSchema(baseuri, schema3) {
if (!schema3 || typeof schema3 != "object") return;
if (schema3.$ref) {
var resolvedUri = urilib.resolve(baseuri, schema3.$ref);
let resolvedUri = helpers.resolveUrl(baseuri, schema3.$ref);
ref[resolvedUri] = ref[resolvedUri] ? ref[resolvedUri] + 1 : 0;
return;
}
var id = schema3.$id || schema3.id;
var ourBase = id ? urilib.resolve(baseuri, id) : baseuri;
let resolvedBase = helpers.resolveUrl(baseuri, id);
var ourBase = id ? resolvedBase : baseuri;
if (ourBase) {
if (ourBase.indexOf("#") < 0) ourBase += "#";
if (found[ourBase]) {
@@ -150606,7 +150615,6 @@ var require_scan = __commonJS({
var require_validator = __commonJS({
"node_modules/jsonschema/lib/validator.js"(exports2, module2) {
"use strict";
var urilib = require("url");
var attribute = require_attribute();
var helpers = require_helpers3();
var scanSchema = require_scan().scan;
@@ -150671,7 +150679,7 @@ var require_validator = __commonJS({
options = {};
}
var id = schema2.$id || schema2.id;
var base = urilib.resolve(options.base || anonymousBase, id || "");
let base = helpers.resolveUrl(options.base, id || "");
if (!ctx) {
ctx = new SchemaContext(schema2, options, [], base, Object.create(this.schemas));
if (!ctx.schemas[base]) {
@@ -150766,8 +150774,8 @@ var require_validator = __commonJS({
if (ctx.schemas[switchSchema]) {
return { subschema: ctx.schemas[switchSchema], switchSchema };
}
var parsed = urilib.parse(switchSchema);
var fragment = parsed && parsed.hash;
let parsed = new URL(switchSchema, "thismessage::/");
let fragment = parsed.hash;
var document2 = fragment && fragment.length && switchSchema.substr(0, switchSchema.length - fragment.length);
if (!document2 || !ctx.schemas[document2]) {
throw new SchemaError("no such schema <" + switchSchema + ">", schema2);
@@ -151293,7 +151301,7 @@ var require_brace_expansion2 = __commonJS({
var x = numeric(n[0]);
var y = numeric(n[1]);
var width = Math.max(n[0].length, n[1].length);
var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
var test = lte;
var reverse = y < x;
if (reverse) {
@@ -155544,7 +155552,7 @@ var require_cacheHttpClient = __commonJS({
exports2.getCacheEntry = getCacheEntry;
exports2.downloadCache = downloadCache;
exports2.reserveCache = reserveCache;
exports2.saveCache = saveCache5;
exports2.saveCache = saveCache4;
var core15 = __importStar2(require_core());
var http_client_1 = require_lib();
var auth_1 = require_auth();
@@ -155721,7 +155729,7 @@ Other caches with similar key:`);
}));
});
}
function saveCache5(cacheId, archivePath, signedUploadURL, options) {
function saveCache4(cacheId, archivePath, signedUploadURL, options) {
return __awaiter2(this, void 0, void 0, function* () {
const uploadOptions = (0, options_1.getUploadOptions)(options);
if (uploadOptions.useAzureSdk) {
@@ -156995,8 +157003,8 @@ var require_cache6 = __commonJS({
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0;
exports2.isFeatureAvailable = isFeatureAvailable;
exports2.restoreCache = restoreCache5;
exports2.saveCache = saveCache5;
exports2.restoreCache = restoreCache4;
exports2.saveCache = saveCache4;
var core15 = __importStar2(require_core());
var path3 = __importStar2(require("path"));
var utils = __importStar2(require_cacheUtils());
@@ -157053,7 +157061,7 @@ var require_cache6 = __commonJS({
return !!process.env["ACTIONS_CACHE_URL"];
}
}
function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) {
function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) {
return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) {
const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -157197,7 +157205,7 @@ var require_cache6 = __commonJS({
return void 0;
});
}
function saveCache5(paths_1, key_1, options_1) {
function saveCache4(paths_1, key_1, options_1) {
return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) {
const cacheServiceVersion = (0, config_1.getCacheServiceVersion)();
core15.debug(`Cache service version: ${cacheServiceVersion}`);
@@ -158263,6 +158271,11 @@ var require_follow_redirects = __commonJS({
} catch (error3) {
useNativeURL = error3.code === "ERR_INVALID_URL";
}
var sensitiveHeaders = [
"Authorization",
"Proxy-Authorization",
"Cookie"
];
var preservedUrlFields = [
"auth",
"host",
@@ -158327,6 +158340,7 @@ var require_follow_redirects = __commonJS({
self2.emit("error", cause instanceof RedirectionError ? cause : new RedirectionError({ cause }));
}
};
this._headerFilter = new RegExp("^(?:" + sensitiveHeaders.concat(options.sensitiveHeaders).map(escapeRegex).join("|") + ")$", "i");
this._performRequest();
}
RedirectableRequest.prototype = Object.create(Writable.prototype);
@@ -158464,6 +158478,9 @@ var require_follow_redirects = __commonJS({
if (!options.headers) {
options.headers = {};
}
if (!isArray(options.sensitiveHeaders)) {
options.sensitiveHeaders = [];
}
if (options.host) {
if (!options.hostname) {
options.hostname = options.host;
@@ -158569,7 +158586,7 @@ var require_follow_redirects = __commonJS({
this._isRedirect = true;
spreadUrlObject(redirectUrl, this._options);
if (redirectUrl.protocol !== currentUrlParts.protocol && redirectUrl.protocol !== "https:" || redirectUrl.host !== currentHost && !isSubdomain(redirectUrl.host, currentHost)) {
removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
removeMatchingHeaders(this._headerFilter, this._options.headers);
}
if (isFunction(beforeRedirect)) {
var responseDetails = {
@@ -158718,6 +158735,9 @@ var require_follow_redirects = __commonJS({
var dot = subdomain.length - domain.length - 1;
return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
}
function isArray(value) {
return value instanceof Array;
}
function isString2(value) {
return typeof value === "string" || value instanceof String;
}
@@ -158730,6 +158750,9 @@ var require_follow_redirects = __commonJS({
function isURL(value) {
return URL2 && value instanceof URL2;
}
function escapeRegex(regex) {
return regex.replace(/[\]\\/()*+?.$]/g, "\\$&");
}
module2.exports = wrap({ http, https: https2 });
module2.exports.wrap = wrap;
}
@@ -161498,7 +161521,7 @@ function getTemporaryDirectory() {
return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
}
function getActionVersion() {
return "4.34.2";
return "4.35.3";
}
var persistedInputsKey = "persisted_inputs";
var restoreInputs = function() {
@@ -161518,8 +161541,11 @@ var githubUtils = __toESM(require_utils5());
var import_light = __toESM(require_light(), 1);
init_dist_src();
var VERSION7 = "0.0.0-development";
function isRequestError(error3) {
return error3.request !== void 0;
}
async function errorRequest(state, octokit, error3, options) {
if (!error3.request || !error3.request.request) {
if (!isRequestError(error3) || !error3?.request.request) {
throw error3;
}
if (error3.status >= 400 && !state.doNotRetry.includes(error3.status)) {
@@ -161532,8 +161558,8 @@ async function errorRequest(state, octokit, error3, options) {
async function wrapRequest(state, octokit, request2, options) {
const limiter = new import_light.default();
limiter.on("failed", function(error3, info7) {
const maxRetries = ~~error3.request.request.retries;
const after = ~~error3.request.request.retryAfter;
const maxRetries = ~~error3.request.request?.retries;
const after = ~~error3.request.request?.retryAfter;
options.request.retryCount = info7.retryCount + 1;
if (maxRetries > info7.retryCount) {
return after * state.retryAfterBaseValue;
@@ -161545,7 +161571,7 @@ async function wrapRequest(state, octokit, request2, options) {
);
}
async function requestWithGraphqlErrorHandling(state, octokit, request2, options) {
const response = await request2(request2, options);
const response = await request2(options);
if (response.data && response.data.errors && response.data.errors.length > 0 && /Something went wrong while executing your query/.test(
response.data.errors[0].message
)) {
@@ -161567,11 +161593,7 @@ function retry(octokit, octokitOptions) {
},
octokitOptions.retry
);
if (state.enabled) {
octokit.hook.error("request", errorRequest.bind(null, state, octokit));
octokit.hook.wrap("request", wrapRequest.bind(null, state, octokit));
}
return {
const retryPlugin = {
retry: {
retryRequest: (error3, retries, retryAfter) => {
error3.request.request = Object.assign({}, error3.request.request, {
@@ -161582,6 +161604,11 @@ function retry(octokit, octokitOptions) {
}
}
};
if (state.enabled) {
octokit.hook.error("request", errorRequest.bind(null, state, retryPlugin));
octokit.hook.wrap("request", wrapRequest.bind(null, state, retryPlugin));
}
return retryPlugin;
}
retry.VERSION = VERSION7;
@@ -161791,6 +161818,12 @@ var cliErrorsConfig = {
)
]
},
["SwiftIncompatibleOs" /* SwiftIncompatibleOs */]: {
cliErrorMessageCandidates: [
new RegExp("\\[incompatible-os\\]"),
new RegExp("Swift analysis is only supported on macOS")
]
},
["UnsupportedBuildMode" /* UnsupportedBuildMode */]: {
cliErrorMessageCandidates: [
new RegExp(
@@ -161860,9 +161893,6 @@ function withGroup(groupName, f) {
// src/feature-flags.ts
var semver5 = __toESM(require_semver2());
// src/overlay/index.ts
var actionsCache = __toESM(require_cache6());
// src/git-utils.ts
var core8 = __toESM(require_core());
var toolrunner2 = __toESM(require_toolrunner());
@@ -161878,8 +161908,6 @@ var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6;
// src/tools-features.ts
var semver4 = __toESM(require_semver2());
@@ -162063,12 +162091,6 @@ var featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
minimumVersion: void 0
},
["python_default_is_to_not_extract_stdlib" /* PythonDefaultIsToNotExtractStdlib */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
minimumVersion: void 0,
toolsFeature: "pythonDefaultIsToNotExtractStdlib" /* PythonDefaultIsToNotExtractStdlib */
},
["qa_telemetry_enabled" /* QaTelemetryEnabled */]: {
defaultValue: false,
envVar: "CODEQL_ACTION_QA_TELEMETRY",
@@ -162105,10 +162127,10 @@ var featureConfig = {
};
// src/overlay/status.ts
var actionsCache2 = __toESM(require_cache6());
var actionsCache = __toESM(require_cache6());
// src/trap-caching.ts
var actionsCache3 = __toESM(require_cache6());
var actionsCache2 = __toESM(require_cache6());
// src/config-utils.ts
var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4;
@@ -162155,7 +162177,7 @@ var semver7 = __toESM(require_semver2());
var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
// src/dependency-caching.ts
var actionsCache4 = __toESM(require_cache6());
var actionsCache3 = __toESM(require_cache6());
var glob = __toESM(require_glob2());
// src/artifact-scanner.ts
lib/upload-sarif-action.js
Generated
+1593 -1484
View File
File diff suppressed because it is too large Load Diff
package-lock.json
Generated
+831 -324
View File
File diff suppressed because it is too large Load Diff
package.json
+15 -16
View File
@@ -1,11 +1,11 @@
{
"name": "codeql",
"version": "4.34.2",
"version": "4.35.3",
"private": true,
"description": "CodeQL action",
"scripts": {
"_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'",
"build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs",
"build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs && npx tsx ./pr-checks/bundle-metadata.ts",
"lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
"lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
"lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
@@ -29,23 +29,22 @@
"@actions/http-client": "^3.0.0",
"@actions/io": "^2.0.0",
"@actions/tool-cache": "^3.0.1",
"@octokit/plugin-retry": "^8.0.0",
"@schemastore/package": "0.0.10",
"@octokit/plugin-retry": "^8.1.0",
"archiver": "^7.0.1",
"fast-deep-equal": "^3.1.3",
"follow-redirects": "^1.15.11",
"follow-redirects": "^1.16.0",
"get-folder-size": "^5.0.0",
"https-proxy-agent": "^7.0.6",
"js-yaml": "^4.1.1",
"jsonschema": "1.4.1",
"jsonschema": "1.5.0",
"long": "^5.3.2",
"node-forge": "^1.3.3",
"node-forge": "^1.4.0",
"semver": "^7.7.4",
"uuid": "^13.0.0"
},
"devDependencies": {
"@ava/typescript": "6.0.0",
"@eslint/compat": "^2.0.3",
"@eslint/compat": "^2.0.4",
"@microsoft/eslint-formatter-sarif": "^3.1.0",
"@octokit/types": "^16.0.0",
"@types/archiver": "^7.0.0",
@@ -55,21 +54,21 @@
"@types/node-forge": "^1.3.14",
"@types/sarif": "^2.1.7",
"@types/semver": "^7.7.1",
"@types/sinon": "^21.0.0",
"@types/sinon": "^21.0.1",
"ava": "^7.0.0",
"esbuild": "^0.27.3",
"esbuild": "^0.28.0",
"eslint": "^9.39.2",
"eslint-import-resolver-typescript": "^3.8.7",
"eslint-plugin-github": "^6.0.0",
"eslint-plugin-import-x": "^4.16.1",
"eslint-plugin-jsdoc": "^62.7.1",
"eslint-plugin-import-x": "^4.16.2",
"eslint-plugin-jsdoc": "^62.9.0",
"eslint-plugin-no-async-foreach": "^0.1.1",
"glob": "^11.1.0",
"globals": "^17.4.0",
"nock": "^14.0.11",
"sinon": "^21.0.2",
"typescript": "^5.9.3",
"typescript-eslint": "^8.57.0"
"nock": "^14.0.12",
"sinon": "^21.0.3",
"typescript": "^6.0.2",
"typescript-eslint": "^8.58.0"
},
"overrides": {
"@actions/tool-cache": {
pr-checks/api-client.ts
+13
View File
@@ -0,0 +1,13 @@
import * as githubUtils from "@actions/github/lib/utils";
import { type Octokit } from "@octokit/core";
import { type PaginateInterface } from "@octokit/plugin-paginate-rest";
import { type Api } from "@octokit/plugin-rest-endpoint-methods";
/** The type of the Octokit client. */
export type ApiClient = Octokit & Api & { paginate: PaginateInterface };
/** Constructs an `ApiClient` using `token` for authentication. */
export function getApiClient(token: string): ApiClient {
const opts = githubUtils.getOctokitOptions(token);
return new githubUtils.GitHub(opts);
}
pr-checks/bundle-metadata.ts
Executable
+48
View File
@@ -0,0 +1,48 @@
#!/usr/bin/env npx tsx
import * as fs from "node:fs/promises";
import { BUNDLE_METADATA_FILE } from "./config";
interface InputInfo {
bytesInOutput: number;
}
type Inputs = Record<string, InputInfo>;
interface Output {
bytes: number;
inputs: Inputs;
}
interface Metadata {
outputs: Record<string, Output>;
}
function toMB(bytes: number): string {
return `${(bytes / (1024 * 1024)).toFixed(2)}MB`;
}
async function main() {
const fileContents = await fs.readFile(BUNDLE_METADATA_FILE);
const metadata = JSON.parse(String(fileContents)) as Metadata;
for (const [outputFile, outputData] of Object.entries(
metadata.outputs,
).reverse()) {
console.info(`${outputFile}: ${toMB(outputData.bytes)}`);
for (const [inputName, inputData] of Object.entries(outputData.inputs)) {
// Ignore any inputs that make up less than 5% of the output.
const percentage = (inputData.bytesInOutput / outputData.bytes) * 100.0;
if (percentage < 5.0) continue;
console.info(` ${inputName}: ${toMB(inputData.bytesInOutput)}`);
}
}
}
// Only call `main` if this script was run directly.
if (require.main === module) {
void main();
}
pr-checks/checks/language-aliases.yml
+2 -2
View File
@@ -5,12 +5,12 @@ versions:
steps:
- uses: ./../action/init
with:
languages: C#,java-kotlin,swift,typescript
languages: C#,java-kotlin,typescript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: "Check languages"
run: |
expected_languages="csharp,java,swift,javascript"
expected_languages="csharp,java,javascript"
actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
if [ "$expected_languages" != "$actual_languages" ]; then
pr-checks/checks/rubocop-multi-language.yml
+1 -1
View File
@@ -5,7 +5,7 @@ versions:
- default
steps:
- name: Set up Ruby
uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
uses: ruby/setup-ruby@4c56a21280b36d862b5fc31348f463d60bdc55d5 # v1.301.0
with:
ruby-version: 2.6
- name: Install Code Scanning integration
pr-checks/checks/start-proxy.yml
+18 -1
View File
@@ -16,7 +16,17 @@ steps:
id: proxy
uses: ./../action/start-proxy
with:
registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" }]'
registry_secrets: |
[
{
"type": "maven_repository",
"url": "https://repo.maven.apache.org/maven2/"
},
{
"type": "maven_repository",
"url": "https://repo1.maven.org/maven2"
}
]
- name: Print proxy outputs
run: |
@@ -27,3 +37,10 @@ steps:
- name: Fail if proxy outputs are not set
if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
run: exit 1
- name: Fail if proxy_urls does not contain all registries
if: |
join(fromJSON(steps.proxy.outputs.proxy_urls)[*].type, ',') != 'maven_repository,maven_repository'
|| !contains(steps.proxy.outputs.proxy_urls, 'https://repo.maven.apache.org/maven2/')
|| !contains(steps.proxy.outputs.proxy_urls, 'https://repo1.maven.org/maven2')
run: exit 1
pr-checks/config.ts
+13
View File
@@ -0,0 +1,13 @@
import path from "path";
/** The oldest supported major version of the CodeQL Action. */
export const OLDEST_SUPPORTED_MAJOR_VERSION = 3;
/** The `pr-checks` directory. */
export const PR_CHECKS_DIR = __dirname;
/** The path of the file configuring which checks shouldn't be required. */
export const PR_CHECK_EXCLUDED_FILE = path.join(PR_CHECKS_DIR, "excluded.yml");
/** The path to the esbuild metadata file. */
export const BUNDLE_METADATA_FILE = path.join(PR_CHECKS_DIR, "..", "meta.json");
pr-checks/excluded.yml
+16
View File
@@ -0,0 +1,16 @@
# PR checks to exclude from required checks
contains:
- "https://"
- "Update"
- "ESLint"
- "update"
- "test-setup-python-scripts"
is:
- "CodeQL"
- "Dependabot"
- "check-expected-release-files"
- "Agent"
- "Cleanup artifacts"
- "Prepare"
- "Upload results"
- "Label PR with size"
pr-checks/package.json
+7 -3
View File
@@ -2,11 +2,15 @@
"private": true,
"description": "Dependencies for the sync.ts",
"dependencies": {
"yaml": "^2.8.2"
"@actions/core": "^2.0.3",
"@actions/github": "^8.0.1",
"@octokit/core": "^7.0.6",
"@octokit/plugin-paginate-rest": ">=9.2.2",
"@octokit/plugin-rest-endpoint-methods": "^17.0.0",
"yaml": "^2.8.3"
},
"devDependencies": {
"@types/node": "^20.19.9",
"tsx": "^4.21.0",
"typescript": "^5.9.3"
"tsx": "^4.21.0"
}
}
pr-checks/release-branches.test.ts
+61
View File
@@ -0,0 +1,61 @@
#!/usr/bin/env npx tsx
/*
Tests for the release-branches.ts script
*/
import * as assert from "node:assert/strict";
import { describe, it } from "node:test";
import { computeBackportBranches } from "./release-branches";
describe("computeBackportBranches", async () => {
await it("rejects invalid major versions", () => {
// The majorVersion is expected to be in vN format.
assert.throws(() => computeBackportBranches("3", "v4.28.0", 3));
assert.throws(() => computeBackportBranches("v3.1", "v4.28.0", 3));
});
await it("rejects invalid latest tags", () => {
// The latestTag is expected to be in vN.M.P format.
assert.throws(() => computeBackportBranches("v3", "v4", 3));
assert.throws(() => computeBackportBranches("v3", "4", 3));
assert.throws(() => computeBackportBranches("v3", "v4.28", 3));
assert.throws(() => computeBackportBranches("v3", "4.28", 3));
assert.throws(() => computeBackportBranches("v3", "4.28.0", 3));
});
await it("sets backport source branch based on major version", () => {
// Test that the backport source branch is releases/v{majorVersion}
const result = computeBackportBranches("v3", "v4.28.0", 3);
assert.equal(result.backportSourceBranch, "releases/v3");
});
await it("no backport targets when major version is the oldest supported", () => {
// When majorVersion equals the major version of latestTag and we do not support older major versions,
// then there are no older supported branches to backport to.
const result = computeBackportBranches("v3", "v3.28.0", 3);
assert.deepEqual(result.backportTargetBranches, []);
});
await it("backports to older supported major versions", () => {
const result = computeBackportBranches("v4", "v4.1.0", 3);
assert.equal(result.backportSourceBranch, "releases/v4");
assert.deepEqual(result.backportTargetBranches, ["releases/v3"]);
});
await it("backports to multiple older supported branches", () => {
const result = computeBackportBranches("v5", "v5.0.0", 3);
assert.equal(result.backportSourceBranch, "releases/v5");
assert.deepEqual(result.backportTargetBranches, [
"releases/v4",
"releases/v3",
]);
});
await it("does not backport when major version is older than latest tag", () => {
const result = computeBackportBranches("v2", "v3.28.0", 2);
assert.equal(result.backportSourceBranch, "releases/v2");
assert.deepEqual(result.backportTargetBranches, []);
});
});
pr-checks/release-branches.ts
Executable
+121
View File
@@ -0,0 +1,121 @@
#!/usr/bin/env npx tsx
import { parseArgs } from "node:util";
import * as core from "@actions/core";
import { OLDEST_SUPPORTED_MAJOR_VERSION } from "./config";
/** The results of checking which release branches to backport to. */
export interface BackportInfo {
/** The source release branch. */
backportSourceBranch: string;
/**
* The computed release branches we should backport to.
* Will be empty if there are no branches we need to backport to.
*/
backportTargetBranches: string[];
}
/**
* Compute the backport source and target branches for a release.
*
* @param majorVersion - The major version string (e.g. "v4").
* @param latestTag - The most recent tag published to the repository (e.g. "v4.32.6").
* @param oldestSupportedMajorVersion - The oldest supported major version number.
* @returns The names of the source branch and target branches.
*/
export function computeBackportBranches(
majorVersion: string,
latestTag: string,
oldestSupportedMajorVersion: number,
): BackportInfo {
// Perform some sanity checks on the inputs.
// For `majorVersion`, we expect exactly `vN` for some `N`.
const majorVersionMatch = majorVersion.match(/^v(\d+)$/);
if (!majorVersionMatch) {
throw new Error("--major-version value must be in `vN` format.");
}
// For latestTag, we expect something starting with `vN.M.P`
const latestTagMatch = latestTag.match(/^v(\d+)\.\d+\.\d+/);
if (!latestTagMatch) {
throw new Error(
`--latest-tag value must be in 'vN.M.P' format, but '${latestTag}' is not.`,
);
}
const majorVersionNumber = Number.parseInt(majorVersionMatch[1]);
const latestTagMajor = Number.parseInt(latestTagMatch[1]);
// If this is a primary release, we backport to all supported branches,
// so we check whether the majorVersion taken from the package.json
// is greater than or equal to the latest tag pulled from the repo.
// For example...
// 'v1' >= 'v2' is False # we're operating from an older release branch and should not backport
// 'v2' >= 'v2' is True # the normal case where we're updating the current version
// 'v3' >= 'v2' is True # in this case we are making the first release of a new major version
const considerBackports = majorVersionNumber >= latestTagMajor;
const backportSourceBranch = `releases/v${majorVersionNumber}`;
const backportTargetBranches: string[] = [];
if (considerBackports) {
for (let i = majorVersionNumber - 1; i > 0; i--) {
const branchName = `releases/v${i}`;
if (i >= oldestSupportedMajorVersion) {
backportTargetBranches.push(branchName);
}
}
}
return { backportSourceBranch, backportTargetBranches };
}
async function main() {
const { values: options } = parseArgs({
options: {
// The major version of the release in `vN` format (e.g. `v4`).
"major-version": {
type: "string",
},
// The most recent tag published to the repository (e.g. `v4.28.0`).
"latest-tag": {
type: "string",
},
},
strict: true,
});
if (options["major-version"] === undefined) {
throw Error("--major-version is required");
}
if (options["latest-tag"] === undefined) {
throw Error("--latest-tag is required");
}
const majorVersion = options["major-version"];
const latestTag = options["latest-tag"];
console.log(`Major version: ${majorVersion}`);
console.log(`Latest tag: ${latestTag}`);
const result = computeBackportBranches(
majorVersion,
latestTag,
OLDEST_SUPPORTED_MAJOR_VERSION,
);
core.setOutput("backport_source_branch", result.backportSourceBranch);
core.setOutput(
"backport_target_branches",
JSON.stringify(result.backportTargetBranches),
);
process.exit(0);
}
// Only call `main` if this script was run directly.
if (require.main === module) {
void main();
}
pr-checks/sync-checks.test.ts
+60
View File
@@ -0,0 +1,60 @@
#!/usr/bin/env npx tsx
/*
Tests for the sync-checks.ts script
*/
import * as assert from "node:assert/strict";
import { describe, it } from "node:test";
import { CheckInfo, Exclusions, Options, removeExcluded } from "./sync-checks";
const defaultOptions: Options = {
apply: false,
verbose: false,
};
const toCheckInfo = (name: string) =>
({ context: name, app_id: -1 }) satisfies CheckInfo;
const expectedPartialMatches = ["PR Check - Foo", "https://example.com"].map(
toCheckInfo,
);
const expectedExactMatches = ["CodeQL", "Update"].map(toCheckInfo);
const testChecks = expectedExactMatches.concat(expectedPartialMatches);
const emptyExclusions: Exclusions = {
is: [],
contains: [],
};
describe("removeExcluded", async () => {
await it("retains all checks if no exclusions are configured", () => {
const retained = removeExcluded(
defaultOptions,
emptyExclusions,
testChecks,
);
assert.deepEqual(retained, testChecks);
});
await it("removes exact matches", () => {
const retained = removeExcluded(
defaultOptions,
{ ...emptyExclusions, is: ["CodeQL", "Update"] },
testChecks,
);
assert.deepEqual(retained, expectedPartialMatches);
});
await it("removes partial matches", () => {
const retained = removeExcluded(
defaultOptions,
{ ...emptyExclusions, contains: ["https://", "PR Check"] },
testChecks,
);
assert.deepEqual(retained, expectedExactMatches);
});
});
pr-checks/sync-checks.ts
Executable
+287
View File
@@ -0,0 +1,287 @@
#!/usr/bin/env npx tsx
/** Update the required checks based on the current branch. */
import * as fs from "fs";
import { parseArgs } from "node:util";
import * as yaml from "yaml";
import { type ApiClient, getApiClient } from "./api-client";
import {
OLDEST_SUPPORTED_MAJOR_VERSION,
PR_CHECK_EXCLUDED_FILE,
} from "./config";
/** Represents the command-line options. */
export interface Options {
/** The token to use to authenticate to the GitHub API. */
token?: string;
/** The git ref to use the checks for. */
ref?: string;
/** Whether to actually apply the changes or not. */
apply: boolean;
/** Whether to output additional information. */
verbose: boolean;
}
/** Identifies the CodeQL Action repository. */
const codeqlActionRepo = {
owner: "github",
repo: "codeql-action",
};
/** Represents a configuration of which checks should not be set up as required checks. */
export interface Exclusions {
/** A list of strings that, if contained in a check name, are excluded. */
contains: string[];
/** A list of check names that are excluded if their name is an exact match. */
is: string[];
}
/** Loads the configuration for which checks to exclude. */
function loadExclusions(): Exclusions {
return yaml.parse(
fs.readFileSync(PR_CHECK_EXCLUDED_FILE, "utf-8"),
) as Exclusions;
}
/**
* Represents information about a check run. We track the `app_id` that generated the check,
* because the API will require it in addition to the name in the future.
*/
export interface CheckInfo {
/** The display name of the check. */
context: string;
/** The ID of the app that generated the check. */
app_id: number;
}
/** Removes entries from `checkInfos` based on the configuration. */
export function removeExcluded(
options: Options,
exclusions: Exclusions,
checkInfos: CheckInfo[],
): CheckInfo[] {
if (options.verbose) {
console.log(exclusions);
}
return checkInfos.filter((checkInfo) => {
if (exclusions.is.includes(checkInfo.context)) {
console.info(
`Excluding '${checkInfo.context}' because it is an exact exclusion.`,
);
return false;
}
for (const containsStr of exclusions.contains) {
if (checkInfo.context.includes(containsStr)) {
console.info(
`Excluding '${checkInfo.context}' because it contains '${containsStr}'.`,
);
return false;
}
}
// Keep.
return true;
});
}
/** Gets a list of check run names for `ref`. */
async function getChecksFor(
options: Options,
client: ApiClient,
ref: string,
): Promise<CheckInfo[]> {
console.info(`Getting checks for '${ref}'`);
const response = await client.paginate(
"GET /repos/{owner}/{repo}/commits/{ref}/check-runs",
{
...codeqlActionRepo,
ref,
},
);
if (response.length === 0) {
throw new Error(`No checks found for '${ref}'.`);
}
console.info(`Retrieved ${response.length} check runs.`);
const notSkipped = response.filter(
(checkRun) => checkRun.conclusion !== "skipped",
);
console.info(`Of those: ${notSkipped.length} were not skipped.`);
// We use the ID of the app that generated the check run when returned by the API,
// but default to -1 to tell the API that any check with the given name should be
// required.
const checkInfos = notSkipped.map((check) => ({
context: check.name,
app_id: check.app?.id || -1,
}));
// Load the configuration for which checks to exclude and apply it before
// returning the checks.
const exclusions = loadExclusions();
return removeExcluded(options, exclusions, checkInfos);
}
/** Gets the current list of release branches. */
async function getReleaseBranches(client: ApiClient): Promise<string[]> {
const refs = await client.rest.git.listMatchingRefs({
...codeqlActionRepo,
ref: "heads/releases/v",
});
return refs.data.map((ref) => ref.ref).sort();
}
/** Updates the required status checks for `branch` to `checks`. */
async function patchBranchProtectionRule(
client: ApiClient,
branch: string,
checks: Set<string>,
) {
await client.rest.repos.setStatusCheckContexts({
...codeqlActionRepo,
branch,
contexts: Array.from(checks),
});
}
/** Sets `checkNames` as required checks for `branch`. */
async function updateBranch(
options: Options,
client: ApiClient,
branch: string,
checkNames: Set<string>,
) {
console.info(`Updating '${branch}'...`);
// Query the current set of required checks for this branch.
const currentContexts = await client.rest.repos.getAllStatusCheckContexts({
...codeqlActionRepo,
branch,
});
// Identify which required checks we will remove and which ones we will add.
const currentCheckNames = new Set(currentContexts.data);
let additions = 0;
let removals = 0;
let unchanged = 0;
for (const currentCheck of currentCheckNames) {
if (!checkNames.has(currentCheck)) {
console.info(`- Removing '${currentCheck}' for branch '${branch}'`);
removals++;
} else {
unchanged++;
}
}
for (const newCheck of checkNames) {
if (!currentCheckNames.has(newCheck)) {
console.info(`+ Adding '${newCheck}' for branch '${branch}'`);
additions++;
}
}
console.info(
`For '${branch}': ${removals} removals; ${additions} additions; ${unchanged} unchanged`,
);
// Perform the update if there are changes and `--apply` was specified.
if (unchanged === checkNames.size && removals === 0 && additions === 0) {
console.info("Not applying changes because there is nothing to do.");
} else if (options.apply) {
await patchBranchProtectionRule(client, branch, checkNames);
} else {
console.info("Not applying changes because `--apply` was not specified.");
}
}
async function main(): Promise<void> {
const { values: options } = parseArgs({
options: {
// The token to use to authenticate to the API.
token: {
type: "string",
},
// The git ref for which to retrieve the check runs.
ref: {
type: "string",
default: "main",
},
// By default, we perform a dry-run. Setting `apply` to `true` actually applies the changes.
apply: {
type: "boolean",
default: false,
},
// Whether to output additional information.
verbose: {
type: "boolean",
default: false,
},
},
strict: true,
});
if (options.token === undefined) {
throw new Error("Missing --token");
}
console.info(
`Oldest supported major version is: ${OLDEST_SUPPORTED_MAJOR_VERSION}`,
);
// Initialise the API client.
const client = getApiClient(options.token);
// Find the check runs for the specified `ref` that we will later set as the required checks
// for the main and release branches.
const checkInfos = await getChecksFor(options, client, options.ref);
const checkNames = new Set(checkInfos.map((info) => info.context));
// Update the main branch.
await updateBranch(options, client, "main", checkNames);
// Retrieve the refs of the release branches.
const releaseBranches = await getReleaseBranches(client);
console.info(
`Found ${releaseBranches.length} release branches: ${releaseBranches.join(", ")}`,
);
for (const releaseBranchRef of releaseBranches) {
// Sanity check that the ref name is in the expected format and extract the major version.
const releaseBranchMatch = releaseBranchRef.match(
/^refs\/heads\/(releases\/v(\d+))/,
);
if (!releaseBranchMatch) {
console.warn(
`Branch ref '${releaseBranchRef}' not in the expected format.`,
);
continue;
}
const releaseBranch = releaseBranchMatch[1];
const releaseBranchMajor = Number.parseInt(releaseBranchMatch[2]);
// Update the required checks for this major version if it is still supported.
if (releaseBranchMajor < OLDEST_SUPPORTED_MAJOR_VERSION) {
console.info(
`Skipping '${releaseBranch}' since it is older than v${OLDEST_SUPPORTED_MAJOR_VERSION}`,
);
continue;
} else {
await updateBranch(options, client, releaseBranch, checkNames);
}
}
process.exit(0);
}
// Only call `main` if this script was run directly.
if (require.main === module) {
void main();
}
pr-checks/tsconfig.json
+1
View File
@@ -3,6 +3,7 @@
"compilerOptions": {
/* Basic Options */
"lib": ["esnext"],
"module": "preserve",
"rootDir": "..",
"sourceMap": false,
"noEmit": true,
src/actions-util.ts
+6
View File
@@ -85,6 +85,12 @@ export function getTemporaryDirectory(): string {
: getRequiredEnvParam("RUNNER_TEMP");
}
const PR_DIFF_RANGE_JSON_FILENAME = "pr-diff-range.json";
export function getDiffRangesJsonFilePath(): string {
return path.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
}
export function getActionVersion(): string {
return __CODEQL_ACTION_VERSION__;
}
src/analyze-action.ts
+3 -10
View File
@@ -28,12 +28,11 @@ import {
DependencyCacheUploadStatusReport,
uploadDependencyCaches,
} from "./dependency-caching";
import { getDiffInformedAnalysisBranches } from "./diff-informed-analysis-utils";
import { EnvVar } from "./environment";
import { initFeatures } from "./feature-flags";
import { KnownLanguage } from "./languages";
import { getActionsLogger, Logger } from "./logging";
import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay";
import { cleanupAndUploadOverlayBaseDatabaseToCache } from "./overlay/caching";
import { getRepositoryNwo } from "./repository";
import * as statusReport from "./status-report";
import {
@@ -305,14 +304,8 @@ async function run(startedAt: Date) {
logger,
);
const branches = await getDiffInformedAnalysisBranches(
codeql,
features,
logger,
);
const diffRangePackDir = branches
? await setupDiffInformedQueryRun(branches, logger)
: undefined;
// Setup diff informed analysis if needed (based on whether init created the file)
const diffRangePackDir = await setupDiffInformedQueryRun(logger);
await warnIfGoInstalledAfterInit(config, logger);
await runAutobuildIfLegacyGoWorkflow(config, logger);
src/analyze.ts
+11 -17
View File
@@ -5,11 +5,7 @@ import { performance } from "perf_hooks";
import * as io from "@actions/io";
import * as yaml from "js-yaml";
import {
getTemporaryDirectory,
getRequiredInput,
PullRequestBranches,
} from "./actions-util";
import { getTemporaryDirectory, getRequiredInput } from "./actions-util";
import * as analyses from "./analyses";
import { setupCppAutobuild } from "./autobuild";
import { type CodeQL } from "./codeql";
@@ -21,14 +17,13 @@ import {
import { addDiagnostic, makeDiagnostic } from "./diagnostics";
import {
DiffThunkRange,
writeDiffRangesJsonFile,
getPullRequestEditedDiffRanges,
readDiffRangesJsonFile,
} from "./diff-informed-analysis-utils";
import { EnvVar } from "./environment";
import { FeatureEnablement, Feature } from "./feature-flags";
import { KnownLanguage, Language } from "./languages";
import { Logger, withGroupAsync } from "./logging";
import { OverlayDatabaseMode } from "./overlay";
import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
import type * as sarif from "./sarif";
import { DatabaseCreationTimings, EventReport } from "./status-report";
import { endTracingForCluster } from "./tracer-config";
@@ -237,16 +232,19 @@ async function finalizeDatabaseCreation(
* the diff range information, or `undefined` if the feature is disabled.
*/
export async function setupDiffInformedQueryRun(
branches: PullRequestBranches,
logger: Logger,
): Promise<string | undefined> {
return await withGroupAsync(
"Generating diff range extension pack",
async () => {
logger.info(
`Calculating diff ranges for ${branches.base}...${branches.head}`,
);
const diffRanges = await getPullRequestEditedDiffRanges(branches, logger);
const diffRanges = readDiffRangesJsonFile(logger);
if (diffRanges === undefined) {
logger.info(
"No precomputed diff ranges found; skipping diff-informed analysis stage.",
);
return undefined;
}
const checkoutPath = getRequiredInput("checkout_path");
const packDir = writeDiffRangeDataExtensionPack(
logger,
@@ -368,10 +366,6 @@ dataExtensions:
`Wrote pr-diff-range extension pack to ${extensionFilePath}:\n${extensionContents}`,
);
// Write the diff ranges to a JSON file, for action-side alert filtering by the
// upload-lib module.
writeDiffRangesJsonFile(logger, ranges);
return diffRangeDir;
}
src/cli-errors.test.ts
+14
View File
@@ -299,6 +299,20 @@ test("wrapCliConfigurationError - swift build failed", (t) => {
t.true(wrappedError instanceof ConfigurationError);
});
test("wrapCliConfigurationError - swift incompatible os", (t) => {
const commandError = new CommandInvocationError(
"codeql",
["swift/tools/autobuild.sh"],
1,
"2026-04-01 18:35:00 EST ERRO [extractor/main] [incompatible-os] Currently, Swift analysis is only supported on macOS. (IncompatibleOs.cpp:26)",
);
const cliError = new CliError(commandError);
const wrappedError = wrapCliConfigurationError(cliError);
t.true(wrappedError instanceof ConfigurationError);
});
test("wrapCliConfigurationError - pack cannot be found", (t) => {
const commandError = new CommandInvocationError(
"codeql",
src/cli-errors.ts
+7
View File
@@ -144,6 +144,7 @@ export enum CliConfigErrorCategory {
OutOfMemoryOrDisk = "OutOfMemoryOrDisk",
PackCannotBeFound = "PackCannotBeFound",
PackMissingAuth = "PackMissingAuth",
SwiftIncompatibleOs = "SwiftIncompatibleOs",
SwiftBuildFailed = "SwiftBuildFailed",
UnsupportedBuildMode = "UnsupportedBuildMode",
}
@@ -281,6 +282,12 @@ const cliErrorsConfig: Record<CliConfigErrorCategory, CliErrorConfiguration> = {
),
],
},
[CliConfigErrorCategory.SwiftIncompatibleOs]: {
cliErrorMessageCandidates: [
new RegExp("\\[incompatible-os\\]"),
new RegExp("Swift analysis is only supported on macOS"),
],
},
[CliConfigErrorCategory.UnsupportedBuildMode]: {
cliErrorMessageCandidates: [
new RegExp(
src/codeql.ts
+2 -5
View File
@@ -24,11 +24,8 @@ import {
import { isAnalyzingDefaultBranch } from "./git-utils";
import { Language } from "./languages";
import { Logger } from "./logging";
import {
OverlayDatabaseMode,
writeBaseDatabaseOidsFile,
writeOverlayChangesFile,
} from "./overlay";
import { writeBaseDatabaseOidsFile, writeOverlayChangesFile } from "./overlay";
import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
import * as setupCodeql from "./setup-codeql";
import { ZstdAvailability } from "./tar";
import { ToolsDownloadStatusReport } from "./tools-download";
src/config-utils.test.ts
+27 -8
View File
@@ -20,8 +20,9 @@ import * as gitUtils from "./git-utils";
import { GitVersionInfo } from "./git-utils";
import { KnownLanguage, Language } from "./languages";
import { getRunnerLogger } from "./logging";
import { CODEQL_OVERLAY_MINIMUM_VERSION, OverlayDatabaseMode } from "./overlay";
import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
import { OverlayDisabledReason } from "./overlay/diagnostics";
import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
import * as overlayStatus from "./overlay/status";
import { parseRepositoryNwo } from "./repository";
import {
@@ -1004,6 +1005,7 @@ interface OverlayDatabaseModeTestSetup {
codeqlVersion: string;
gitRoot: string | undefined;
gitVersion: GitVersionInfo | undefined;
hasSubmodules: boolean;
codeScanningConfig: UserConfig;
diskUsage: DiskUsage | undefined;
memoryFlagValue: number;
@@ -1020,10 +1022,8 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = {
languages: [KnownLanguage.javascript],
codeqlVersion: CODEQL_OVERLAY_MINIMUM_VERSION,
gitRoot: "/some/git/root",
gitVersion: new GitVersionInfo(
gitUtils.GIT_MINIMUM_VERSION_FOR_OVERLAY,
gitUtils.GIT_MINIMUM_VERSION_FOR_OVERLAY,
),
gitVersion: new GitVersionInfo("2.39.0", "2.39.0"),
hasSubmodules: false,
codeScanningConfig: {},
diskUsage: {
numAvailableBytes: 50_000_000_000,
@@ -1099,6 +1099,9 @@ const checkOverlayEnablementMacro = test.macro({
sinon.stub(gitUtils, "getGitRoot").resolves(setup.gitRoot);
}
// Mock submodule detection
sinon.stub(gitUtils, "hasSubmodules").returns(setup.hasSubmodules);
// Mock default branch detection
sinon
.stub(gitUtils, "isAnalyzingDefaultBranch")
@@ -1933,10 +1936,11 @@ test.serial(
test.serial(
checkOverlayEnablementMacro,
"Fallback due to old git version",
"Fallback due to old git version with submodules",
{
overlayDatabaseEnvVar: "overlay",
gitVersion: new GitVersionInfo("2.30.0", "2.30.0"), // Version below required 2.38.0
gitVersion: new GitVersionInfo("2.34.1", "2.34.1"), // Above 2.11.0 but below 2.36.0
hasSubmodules: true,
},
{
disabledReason: OverlayDisabledReason.IncompatibleGit,
@@ -1945,16 +1949,31 @@ test.serial(
test.serial(
checkOverlayEnablementMacro,
"Fallback when git version cannot be determined",
"Fallback when git version cannot be determined and repo has submodules",
{
overlayDatabaseEnvVar: "overlay",
gitVersion: undefined,
hasSubmodules: true,
},
{
disabledReason: OverlayDisabledReason.IncompatibleGit,
},
);
test.serial(
checkOverlayEnablementMacro,
"Overlay enabled when git version cannot be determined and repo has no submodules",
{
overlayDatabaseEnvVar: "overlay",
gitVersion: undefined,
hasSubmodules: false,
},
{
overlayDatabaseMode: OverlayDatabaseMode.Overlay,
useOverlayDatabaseCaching: false,
},
);
test.serial(
checkOverlayEnablementMacro,
"No overlay when disabled via repository property",
src/config-utils.ts
+26 -18
View File
@@ -43,17 +43,19 @@ import {
getGeneratedFiles,
getGitRoot,
getGitVersionOrThrow,
GIT_MINIMUM_VERSION_FOR_OVERLAY,
GIT_MINIMUM_VERSION_FOR_OVERLAY_WITH_SUBMODULES,
GitVersionInfo,
hasSubmodules,
isAnalyzingDefaultBranch,
} from "./git-utils";
import { KnownLanguage, Language } from "./languages";
import { Logger } from "./logging";
import { CODEQL_OVERLAY_MINIMUM_VERSION, OverlayDatabaseMode } from "./overlay";
import { CODEQL_OVERLAY_MINIMUM_VERSION } from "./overlay";
import {
addOverlayDisablementDiagnostics,
OverlayDisabledReason,
} from "./overlay/diagnostics";
import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
import { shouldSkipOverlayAnalysis } from "./overlay/status";
import { RepositoryNwo } from "./repository";
import { ToolsFeature } from "./tools-features";
@@ -969,7 +971,8 @@ async function validateOverlayDatabaseMode(
);
return new Failure(OverlayDisabledReason.IncompatibleCodeQl);
}
if ((await getGitRoot(sourceRoot)) === undefined) {
const gitRoot = await getGitRoot(sourceRoot);
if (gitRoot === undefined) {
logger.warning(
`Cannot build an ${overlayDatabaseMode} database because ` +
`the source root "${sourceRoot}" is not inside a git repository. ` +
@@ -977,21 +980,26 @@ async function validateOverlayDatabaseMode(
);
return new Failure(OverlayDisabledReason.NoGitRoot);
}
if (gitVersion === undefined) {
logger.warning(
`Cannot build an ${overlayDatabaseMode} database because ` +
"the Git version could not be determined. " +
"Falling back to creating a normal full database instead.",
);
return new Failure(OverlayDisabledReason.IncompatibleGit);
}
if (!gitVersion.isAtLeast(GIT_MINIMUM_VERSION_FOR_OVERLAY)) {
logger.warning(
`Cannot build an ${overlayDatabaseMode} database because ` +
`the installed Git version is older than ${GIT_MINIMUM_VERSION_FOR_OVERLAY}. ` +
"Falling back to creating a normal full database instead.",
);
return new Failure(OverlayDisabledReason.IncompatibleGit);
if (hasSubmodules(gitRoot)) {
if (gitVersion === undefined) {
logger.warning(
`Cannot build an ${overlayDatabaseMode} database because ` +
"the repository has submodules and the Git version could not be determined. " +
"Falling back to creating a normal full database instead.",
);
return new Failure(OverlayDisabledReason.IncompatibleGit);
}
if (
!gitVersion.isAtLeast(GIT_MINIMUM_VERSION_FOR_OVERLAY_WITH_SUBMODULES)
) {
logger.warning(
`Cannot build an ${overlayDatabaseMode} database because ` +
"the repository has submodules and the installed Git version is older " +
`than ${GIT_MINIMUM_VERSION_FOR_OVERLAY_WITH_SUBMODULES}. ` +
"Falling back to creating a normal full database instead.",
);
return new Failure(OverlayDisabledReason.IncompatibleGit);
}
}
return new Success({
src/database-upload.ts
+1 -1
View File
@@ -12,7 +12,7 @@ import { Config } from "./config-utils";
import { Feature, FeatureEnablement } from "./feature-flags";
import * as gitUtils from "./git-utils";
import { Logger, withGroupAsync } from "./logging";
import { OverlayDatabaseMode } from "./overlay";
import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
import { RepositoryNwo } from "./repository";
import * as util from "./util";
import { asHTTPError, bundleDb, CleanupLevel, parseGitHubUrl } from "./util";
src/defaults.json
+4 -4
View File
@@ -1,6 +1,6 @@
{
"bundleVersion": "codeql-bundle-v2.24.3",
"cliVersion": "2.24.3",
"priorBundleVersion": "codeql-bundle-v2.24.2",
"priorCliVersion": "2.24.2"
"bundleVersion": "codeql-bundle-v2.25.2",
"cliVersion": "2.25.2",
"priorBundleVersion": "codeql-bundle-v2.25.1",
"priorCliVersion": "2.25.1"
}
src/diff-informed-analysis-utils.ts
+10 -8
View File
@@ -1,5 +1,4 @@
import * as fs from "fs";
import * as path from "path";
import * as actionsUtil from "./actions-util";
import type { PullRequestBranches } from "./actions-util";
@@ -77,16 +76,12 @@ export interface DiffThunkRange {
endLine: number;
}
function getDiffRangesJsonFilePath(): string {
return path.join(actionsUtil.getTemporaryDirectory(), "pr-diff-range.json");
}
export function writeDiffRangesJsonFile(
logger: Logger,
ranges: DiffThunkRange[],
): void {
const jsonContents = JSON.stringify(ranges, null, 2);
const jsonFilePath = getDiffRangesJsonFilePath();
const jsonFilePath = actionsUtil.getDiffRangesJsonFilePath();
fs.writeFileSync(jsonFilePath, jsonContents);
logger.debug(
`Wrote pr-diff-range JSON file to ${jsonFilePath}:\n${jsonContents}`,
@@ -96,7 +91,7 @@ export function writeDiffRangesJsonFile(
export function readDiffRangesJsonFile(
logger: Logger,
): DiffThunkRange[] | undefined {
const jsonFilePath = getDiffRangesJsonFilePath();
const jsonFilePath = actionsUtil.getDiffRangesJsonFilePath();
if (!fs.existsSync(jsonFilePath)) {
logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`);
return undefined;
@@ -105,7 +100,14 @@ export function readDiffRangesJsonFile(
logger.debug(
`Read pr-diff-range JSON file from ${jsonFilePath}:\n${jsonContents}`,
);
return JSON.parse(jsonContents) as DiffThunkRange[];
try {
return JSON.parse(jsonContents) as DiffThunkRange[];
} catch (e) {
logger.warning(
`Failed to parse diff ranges JSON file at ${jsonFilePath}: ${e}`,
);
return undefined;
}
}
/**
src/feature-flags.ts
-7
View File
@@ -85,7 +85,6 @@ export enum Feature {
OverlayAnalysisStatusCheck = "overlay_analysis_status_check",
/** Controls whether overlay build failures on the default branch are stored in the Actions cache. */
OverlayAnalysisStatusSave = "overlay_analysis_status_save",
PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
QaTelemetryEnabled = "qa_telemetry_enabled",
/** Note that this currently only disables baseline file coverage information. */
SkipFileCoverageOnPrs = "skip_file_coverage_on_prs",
@@ -298,12 +297,6 @@ export const featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS",
minimumVersion: undefined,
},
[Feature.PythonDefaultIsToNotExtractStdlib]: {
defaultValue: false,
envVar: "CODEQL_ACTION_DISABLE_PYTHON_STANDARD_LIBRARY_EXTRACTION",
minimumVersion: undefined,
toolsFeature: ToolsFeature.PythonDefaultIsToNotExtractStdlib,
},
[Feature.QaTelemetryEnabled]: {
defaultValue: false,
envVar: "CODEQL_ACTION_QA_TELEMETRY",
src/git-utils.test.ts
+118 -51
View File
@@ -343,75 +343,142 @@ test.serial("decodeGitFilePath quoted strings", async (t) => {
);
});
test.serial("getFileOidsUnderPath returns correct file mapping", async (t) => {
const runGitCommandStub = sinon
.stub(gitUtils as any, "runGitCommand")
.resolves(
"30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
"d89514599a9a99f22b4085766d40af7b99974827_lib/git-utils.js.map\n" +
"a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts",
);
test.serial(
"getFileOidsUnderPath uses --recurse-submodules when submodules exist",
async (t) => {
await withTmpDir(async (tmpDir) => {
fs.writeFileSync(path.join(tmpDir, ".gitmodules"), "");
const runGitCommandStub = sinon
.stub(gitUtils as any, "runGitCommand")
.callsFake(async (_cwd: any, args: any) => {
if (args[0] === "rev-parse") {
return `${tmpDir}\n`;
}
return (
"100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/git-utils.js\n" +
"100644 d89514599a9a99f22b4085766d40af7b99974827 0\tlib/git-utils.js.map\n" +
"100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\tsrc/git-utils.ts"
);
});
const result = await gitUtils.getFileOidsUnderPath("/fake/path");
const result = await gitUtils.getFileOidsUnderPath("/fake/path");
t.deepEqual(result, {
"lib/git-utils.js": "30d998ded095371488be3a729eb61d86ed721a18",
"lib/git-utils.js.map": "d89514599a9a99f22b4085766d40af7b99974827",
"src/git-utils.ts": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
});
t.deepEqual(result, {
"lib/git-utils.js": "30d998ded095371488be3a729eb61d86ed721a18",
"lib/git-utils.js.map": "d89514599a9a99f22b4085766d40af7b99974827",
"src/git-utils.ts": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
});
t.deepEqual(runGitCommandStub.firstCall.args, [
"/fake/path",
["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
"Cannot list Git OIDs of tracked files.",
]);
});
// Second call (after getGitRoot) should include --recurse-submodules
t.deepEqual(runGitCommandStub.secondCall.args[1], [
"ls-files",
"--recurse-submodules",
"--stage",
]);
});
},
);
test.serial(
"getFileOidsUnderPath omits --recurse-submodules when no submodules exist",
async (t) => {
await withTmpDir(async (tmpDir) => {
const runGitCommandStub = sinon
.stub(gitUtils as any, "runGitCommand")
.callsFake(async (_cwd: any, args: any) => {
if (args[0] === "rev-parse") {
return `${tmpDir}\n`;
}
return (
"100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/git-utils.js\n" +
"100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\tsrc/git-utils.ts"
);
});
const result = await gitUtils.getFileOidsUnderPath("/fake/path");
t.deepEqual(result, {
"lib/git-utils.js": "30d998ded095371488be3a729eb61d86ed721a18",
"src/git-utils.ts": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
});
// Second call (after getGitRoot) should NOT include --recurse-submodules
t.deepEqual(runGitCommandStub.secondCall.args[1], [
"ls-files",
"--stage",
]);
});
},
);
test.serial("getFileOidsUnderPath handles quoted paths", async (t) => {
sinon
.stub(gitUtils as any, "runGitCommand")
.resolves(
"30d998ded095371488be3a729eb61d86ed721a18_lib/normal-file.js\n" +
'd89514599a9a99f22b4085766d40af7b99974827_"lib/file with spaces.js"\n' +
'a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_"lib/file\\twith\\ttabs.js"',
);
await withTmpDir(async (tmpDir) => {
sinon
.stub(gitUtils as any, "runGitCommand")
.callsFake(async (_cwd: any, args: any) => {
if (args[0] === "rev-parse") {
return `${tmpDir}\n`;
}
return (
"100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/normal-file.js\n" +
'100644 d89514599a9a99f22b4085766d40af7b99974827 0\t"lib/file with spaces.js"\n' +
'100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\t"lib/file\\twith\\ttabs.js"'
);
});
const result = await gitUtils.getFileOidsUnderPath("/fake/path");
const result = await gitUtils.getFileOidsUnderPath("/fake/path");
t.deepEqual(result, {
"lib/normal-file.js": "30d998ded095371488be3a729eb61d86ed721a18",
"lib/file with spaces.js": "d89514599a9a99f22b4085766d40af7b99974827",
"lib/file\twith\ttabs.js": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
t.deepEqual(result, {
"lib/normal-file.js": "30d998ded095371488be3a729eb61d86ed721a18",
"lib/file with spaces.js": "d89514599a9a99f22b4085766d40af7b99974827",
"lib/file\twith\ttabs.js": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
});
});
});
test.serial("getFileOidsUnderPath handles empty output", async (t) => {
sinon.stub(gitUtils as any, "runGitCommand").resolves("");
await withTmpDir(async (tmpDir) => {
sinon
.stub(gitUtils as any, "runGitCommand")
.callsFake(async (_cwd: any, args: any) => {
if (args[0] === "rev-parse") {
return `${tmpDir}\n`;
}
return "";
});
const result = await gitUtils.getFileOidsUnderPath("/fake/path");
t.deepEqual(result, {});
const result = await gitUtils.getFileOidsUnderPath("/fake/path");
t.deepEqual(result, {});
});
});
test.serial(
"getFileOidsUnderPath throws on unexpected output format",
async (t) => {
sinon
.stub(gitUtils as any, "runGitCommand")
.resolves(
"30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
"invalid-line-format\n" +
"a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts",
);
await withTmpDir(async (tmpDir) => {
sinon
.stub(gitUtils as any, "runGitCommand")
.callsFake(async (_cwd: any, args: any) => {
if (args[0] === "rev-parse") {
return `${tmpDir}\n`;
}
return (
"100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/git-utils.js\n" +
"invalid-line-format\n" +
"100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\tsrc/git-utils.ts"
);
});
await t.throwsAsync(
async () => {
await gitUtils.getFileOidsUnderPath("/fake/path");
},
{
instanceOf: Error,
message: 'Unexpected "git ls-files" output: invalid-line-format',
},
);
await t.throwsAsync(
async () => {
await gitUtils.getFileOidsUnderPath("/fake/path");
},
{
instanceOf: Error,
message: 'Unexpected "git ls-files" output: invalid-line-format',
},
);
});
},
);
src/git-utils.ts
+38 -11
View File
@@ -1,4 +1,6 @@
import * as fs from "fs";
import * as os from "os";
import * as path from "path";
import * as core from "@actions/core";
import { ExecOptions } from "@actions/exec";
@@ -14,10 +16,11 @@ import {
import { ConfigurationError, getRequiredEnvParam } from "./util";
/**
* Minimum Git version required for overlay analysis. The `git ls-files --format`
* option, which is used by `getFileOidsUnderPath`, was introduced in Git 2.38.0.
* Minimum Git version required for overlay analysis in repositories that
* contain submodules. Support for using the `git ls-files
* --recurse-submodules` option with `--stage` was added in Git 2.36.0.
*/
export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.38.0";
export const GIT_MINIMUM_VERSION_FOR_OVERLAY_WITH_SUBMODULES = "2.36.0";
/**
* Git version information
@@ -244,6 +247,16 @@ export const getGitRoot = async function (
}
};
/**
* Returns true if the Git repository has submodules registered (i.e. a
* `.gitmodules` file exists at the repository root).
*
* @param gitRoot The root of the Git repository.
*/
export function hasSubmodules(gitRoot: string): boolean {
return fs.existsSync(path.join(gitRoot, ".gitmodules"));
}
/**
* Returns the Git OIDs of all tracked files (in the index and in the working
* tree) that are under the given base path, including files in active
@@ -252,31 +265,45 @@ export const getGitRoot = async function (
*
* @param basePath A path into the Git repository.
* @returns a map from file paths (relative to `basePath`) to Git OIDs.
* @throws {Error} if "git ls-tree" produces unexpected output.
* @throws {Error} if "git ls-files" produces unexpected output.
*/
export const getFileOidsUnderPath = async function (
basePath: string,
): Promise<{ [key: string]: string }> {
// Without the --full-name flag, the path is relative to the current working
// directory of the git command, which is basePath.
//
// We use --stage rather than --format here because --format was only
// introduced in Git 2.38.0, which would limit overlay rollout.
//
// We only pass --recurse-submodules when the repository actually has
// submodules, because the combination of --recurse-submodules and --stage is
// only supported since Git 2.36.0.
const gitRoot = await getGitRoot(basePath);
const mayHaveSubmodules =
gitRoot === undefined ? true : hasSubmodules(gitRoot);
const args = mayHaveSubmodules
? ["ls-files", "--recurse-submodules", "--stage"]
: ["ls-files", "--stage"];
const stdout = await runGitCommand(
basePath,
["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
args,
"Cannot list Git OIDs of tracked files.",
);
const fileOidMap: { [key: string]: string } = {};
// With --format=%(objectname)_%(path), the output is a list of lines like:
// 30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js
// d89514599a9a99f22b4085766d40af7b99974827_lib/git-utils.js.map
const regex = /^([0-9a-f]{40})_(.+)$/;
// With --stage, the output is a list of lines like:
// 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
// 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
// The fields are: <mode> <oid> <stage>\t<path>
const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
for (const line of stdout.split("\n")) {
if (line) {
const match = line.match(regex);
if (match) {
const oid = match[1];
const path = decodeGitFilePath(match[2]);
fileOidMap[path] = oid;
const filePath = decodeGitFilePath(match[2]);
fileOidMap[filePath] = oid;
} else {
throw new Error(`Unexpected "git ls-files" output: ${line}`);
}
src/init-action-post-helper.test.ts
+1 -1
View File
@@ -12,7 +12,7 @@ import { EnvVar } from "./environment";
import { Feature } from "./feature-flags";
import * as initActionPostHelper from "./init-action-post-helper";
import { getRunnerLogger } from "./logging";
import { OverlayDatabaseMode } from "./overlay";
import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
import * as overlayStatus from "./overlay/status";
import { parseRepositoryNwo } from "./repository";
import {
src/init-action-post-helper.ts
+1 -1
View File
@@ -21,7 +21,7 @@ import * as dependencyCaching from "./dependency-caching";
import { EnvVar } from "./environment";
import { Feature, FeatureEnablement } from "./feature-flags";
import { Logger } from "./logging";
import { OverlayDatabaseMode } from "./overlay";
import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
import {
createOverlayStatus,
OverlayStatus,
src/init-action.ts
+54 -33
View File
@@ -38,6 +38,11 @@ import {
makeDiagnostic,
makeTelemetryDiagnostic,
} from "./diagnostics";
import {
getDiffInformedAnalysisBranches,
getPullRequestEditedDiffRanges,
writeDiffRangesJsonFile,
} from "./diff-informed-analysis-utils";
import { EnvVar } from "./environment";
import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
import {
@@ -56,12 +61,12 @@ import {
runDatabaseInitCluster,
} from "./init";
import { JavaEnvVars, KnownLanguage } from "./languages";
import { getActionsLogger, Logger } from "./logging";
import { getActionsLogger, Logger, withGroupAsync } from "./logging";
import {
downloadOverlayBaseDatabaseFromCache,
OverlayBaseDatabaseDownloadStats,
OverlayDatabaseMode,
} from "./overlay";
} from "./overlay/caching";
import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
import { getRepositoryNwo, RepositoryNwo } from "./repository";
import { ToolsSource } from "./setup-codeql";
import {
@@ -398,6 +403,15 @@ async function run(startedAt: Date) {
logger,
});
if (
config.languages.includes(KnownLanguage.swift) &&
process.platform !== "darwin"
) {
throw new ConfigurationError(
`Swift analysis is only supported on macOS runner images. Please migrate to a macOS runner.`,
);
}
if (repositoryPropertiesResult.isFailure()) {
addNoLanguageDiagnostic(
config,
@@ -427,6 +441,7 @@ async function run(startedAt: Date) {
}
await checkInstallPython311(config.languages, codeql);
await computeAndPersistDiffRanges(codeql, features, logger);
} catch (unwrappedError) {
const error = wrapError(unwrappedError);
core.setFailed(error.message);
@@ -507,15 +522,6 @@ async function run(startedAt: Date) {
);
}
if (
config.languages.includes(KnownLanguage.swift) &&
process.platform === "linux"
) {
logger.warning(
`Swift analysis on Ubuntu runner images is no longer supported. Please migrate to a macOS runner if this affects you.`,
);
}
if (
config.languages.includes(KnownLanguage.go) &&
process.platform === "linux"
@@ -653,27 +659,6 @@ async function run(startedAt: Date) {
);
}
if (
await codeql.supportsFeature(
ToolsFeature.PythonDefaultIsToNotExtractStdlib,
)
) {
if (process.env["CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB"]) {
logger.debug(
"CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB is already set, so the Action will not override it.",
);
} else if (
!(await features.getValue(
Feature.PythonDefaultIsToNotExtractStdlib,
codeql,
))
) {
// We are in a situation where the feature flag is not rolled out,
// so we need to suppress the new default CLI behavior.
core.exportVariable("CODEQL_EXTRACTOR_PYTHON_EXTRACT_STDLIB", "true");
}
}
// If we are doing a Java `build-mode: none` analysis, then set the environment variable that
// enables the option in the Java extractor to minimize dependency jars. We also only do this if
// dependency caching is enabled, since the option is intended to reduce the size of dependency
@@ -849,6 +834,42 @@ async function loadRepositoryProperties(
}
}
/**
* Compute and persist diff ranges when diff-informed analysis is enabled
* (feature flag + PR context). This writes the standard pr-diff-range.json
* file for later reuse in the analyze step. Failures are logged but non-fatal.
*/
async function computeAndPersistDiffRanges(
codeql: CodeQL,
features: FeatureEnablement,
logger: Logger,
): Promise<void> {
await withGroupAsync("Computing PR diff ranges", async () => {
try {
const branches = await getDiffInformedAnalysisBranches(
codeql,
features,
logger,
);
if (!branches) {
return;
}
const ranges = await getPullRequestEditedDiffRanges(branches, logger);
if (ranges === undefined) {
return;
}
writeDiffRangesJsonFile(logger, ranges);
const distinctFiles = new Set(ranges.map((r) => r.path)).size;
logger.info(
`Persisted ${ranges.length} diff range(s) across ${distinctFiles} file(s).`,
);
} catch (e) {
logger.warning(
`Failed to compute and persist PR diff ranges: ${getErrorMessage(e)}`,
);
}
});
}
async function recordZstdAvailability(
config: configUtils.Config,
zstdAvailability: ZstdAvailability,
src/known-language-aliases.json
+11
View File
@@ -0,0 +1,11 @@
{
"c": "cpp",
"c#": "csharp",
"c++": "cpp",
"c-c++": "cpp",
"c-cpp": "cpp",
"java-kotlin": "java",
"javascript-typescript": "javascript",
"kotlin": "java",
"typescript": "javascript"
}
src/overlay/caching.test.ts
+287
View File
@@ -0,0 +1,287 @@
import * as fs from "fs";
import * as path from "path";
import * as actionsCache from "@actions/cache";
import test from "ava";
import * as sinon from "sinon";
import * as actionsUtil from "../actions-util";
import * as apiClient from "../api-client";
import { ResolveDatabaseOutput } from "../codeql";
import * as gitUtils from "../git-utils";
import { KnownLanguage } from "../languages";
import { getRunnerLogger } from "../logging";
import {
createTestConfig,
mockCodeQLVersion,
setupTests,
} from "../testing-utils";
import * as utils from "../util";
import { withTmpDir } from "../util";
import {
downloadOverlayBaseDatabaseFromCache,
getCacheRestoreKeyPrefix,
getCacheSaveKey,
} from "./caching";
import { OverlayDatabaseMode } from "./overlay-database-mode";
setupTests(test);
interface DownloadOverlayBaseDatabaseTestCase {
overlayDatabaseMode: OverlayDatabaseMode;
useOverlayDatabaseCaching: boolean;
isInTestMode: boolean;
restoreCacheResult: string | undefined | Error;
hasBaseDatabaseOidsFile: boolean;
tryGetFolderBytesSucceeds: boolean;
codeQLVersion: string;
resolveDatabaseOutput: ResolveDatabaseOutput | Error;
}
const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = {
overlayDatabaseMode: OverlayDatabaseMode.Overlay,
useOverlayDatabaseCaching: true,
isInTestMode: false,
restoreCacheResult: "cache-key",
hasBaseDatabaseOidsFile: true,
tryGetFolderBytesSucceeds: true,
codeQLVersion: "2.20.5",
resolveDatabaseOutput: { overlayBaseSpecifier: "20250626:XXX" },
};
const testDownloadOverlayBaseDatabaseFromCache = test.macro({
exec: async (
t,
_title: string,
partialTestCase: Partial<DownloadOverlayBaseDatabaseTestCase>,
expectDownloadSuccess: boolean,
) => {
await withTmpDir(async (tmpDir) => {
const dbLocation = path.join(tmpDir, "db");
await fs.promises.mkdir(dbLocation, { recursive: true });
const logger = getRunnerLogger(true);
const testCase = { ...defaultDownloadTestCase, ...partialTestCase };
const config = createTestConfig({
dbLocation,
languages: [KnownLanguage.java],
});
config.overlayDatabaseMode = testCase.overlayDatabaseMode;
config.useOverlayDatabaseCaching = testCase.useOverlayDatabaseCaching;
if (testCase.hasBaseDatabaseOidsFile) {
const baseDatabaseOidsFile = path.join(
dbLocation,
"base-database-oids.json",
);
await fs.promises.writeFile(baseDatabaseOidsFile, JSON.stringify({}));
}
const stubs: sinon.SinonStub[] = [];
const getAutomationIDStub = sinon
.stub(apiClient, "getAutomationID")
.resolves("test-automation-id/");
stubs.push(getAutomationIDStub);
const isInTestModeStub = sinon
.stub(utils, "isInTestMode")
.returns(testCase.isInTestMode);
stubs.push(isInTestModeStub);
if (testCase.restoreCacheResult instanceof Error) {
const restoreCacheStub = sinon
.stub(actionsCache, "restoreCache")
.rejects(testCase.restoreCacheResult);
stubs.push(restoreCacheStub);
} else {
const restoreCacheStub = sinon
.stub(actionsCache, "restoreCache")
.resolves(testCase.restoreCacheResult);
stubs.push(restoreCacheStub);
}
const tryGetFolderBytesStub = sinon
.stub(utils, "tryGetFolderBytes")
.resolves(testCase.tryGetFolderBytesSucceeds ? 1024 * 1024 : undefined);
stubs.push(tryGetFolderBytesStub);
const codeql = mockCodeQLVersion(testCase.codeQLVersion);
if (testCase.resolveDatabaseOutput instanceof Error) {
const resolveDatabaseStub = sinon
.stub(codeql, "resolveDatabase")
.rejects(testCase.resolveDatabaseOutput);
stubs.push(resolveDatabaseStub);
} else {
const resolveDatabaseStub = sinon
.stub(codeql, "resolveDatabase")
.resolves(testCase.resolveDatabaseOutput);
stubs.push(resolveDatabaseStub);
}
try {
const result = await downloadOverlayBaseDatabaseFromCache(
codeql,
config,
logger,
);
if (expectDownloadSuccess) {
t.truthy(result);
} else {
t.is(result, undefined);
}
} finally {
for (const stub of stubs) {
stub.restore();
}
}
});
},
title: (_, title) => `downloadOverlayBaseDatabaseFromCache: ${title}`,
});
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns stats when successful",
{},
true,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when mode is OverlayDatabaseMode.OverlayBase",
{
overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when mode is OverlayDatabaseMode.None",
{
overlayDatabaseMode: OverlayDatabaseMode.None,
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when caching is disabled",
{
useOverlayDatabaseCaching: false,
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined in test mode",
{
isInTestMode: true,
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when cache miss",
{
restoreCacheResult: undefined,
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when download fails",
{
restoreCacheResult: new Error("Download failed"),
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when downloaded database is invalid",
{
hasBaseDatabaseOidsFile: false,
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when downloaded database doesn't have an overlayBaseSpecifier",
{
resolveDatabaseOutput: {},
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when resolving database metadata fails",
{
resolveDatabaseOutput: new Error("Failed to resolve database metadata"),
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when filesystem error occurs",
{
tryGetFolderBytesSucceeds: false,
},
false,
);
test.serial("overlay-base database cache keys remain stable", async (t) => {
const logger = getRunnerLogger(true);
const config = createTestConfig({ languages: ["python", "javascript"] });
const codeQlVersion = "2.23.0";
const commitOid = "abc123def456";
sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
sinon.stub(gitUtils, "getCommitOid").resolves(commitOid);
sinon.stub(actionsUtil, "getWorkflowRunID").returns(12345);
sinon.stub(actionsUtil, "getWorkflowRunAttempt").returns(1);
const saveKey = await getCacheSaveKey(
config,
codeQlVersion,
"checkout-path",
logger,
);
const expectedSaveKey =
"codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-abc123def456-12345-1";
t.is(
saveKey,
expectedSaveKey,
"Cache save key changed unexpectedly. " +
"This may indicate breaking changes in the cache key generation logic.",
);
const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
config,
codeQlVersion,
);
const expectedRestoreKeyPrefix =
"codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-";
t.is(
restoreKeyPrefix,
expectedRestoreKeyPrefix,
"Cache restore key prefix changed unexpectedly. " +
"This may indicate breaking changes in the cache key generation logic.",
);
t.true(
saveKey.startsWith(restoreKeyPrefix),
`Expected save key "${saveKey}" to start with restore key prefix "${restoreKeyPrefix}"`,
);
});
src/overlay/caching.ts
+428
View File
@@ -0,0 +1,428 @@
import * as fs from "fs";
import * as actionsCache from "@actions/cache";
import {
getRequiredInput,
getWorkflowRunAttempt,
getWorkflowRunID,
} from "../actions-util";
import { getAutomationID } from "../api-client";
import { createCacheKeyHash } from "../caching-utils";
import { type CodeQL } from "../codeql";
import { type Config } from "../config-utils";
import { getCommitOid } from "../git-utils";
import { Logger, withGroupAsync } from "../logging";
import {
CleanupLevel,
getBaseDatabaseOidsFilePath,
getCodeQLDatabasePath,
getErrorMessage,
isInTestMode,
tryGetFolderBytes,
waitForResultWithTimeLimit,
} from "../util";
import { OverlayDatabaseMode } from "./overlay-database-mode";
/**
* The maximum (uncompressed) size of the overlay base database that we will
* upload. By default, the Actions Cache has an overall capacity of 10 GB, and
* the Actions Cache client library uses zstd compression.
*
* Ideally we would apply a size limit to the compressed overlay-base database,
* but we cannot do so because compression is handled transparently by the
* Actions Cache client library. Instead we place a limit on the uncompressed
* size of the overlay-base database.
*
* Assuming 2.5:1 compression ratio, the 7.5 GB limit on uncompressed data would
* translate to a limit of around 3 GB after compression.
*/
const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES =
OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1_000_000;
// Constants for database caching
const CACHE_VERSION = 1;
const CACHE_PREFIX = "codeql-overlay-base-database";
// The purpose of this ten-minute limit is to guard against the possibility
// that the cache service is unresponsive, which would otherwise cause the
// entire action to hang. Normally we expect cache operations to complete
// within two minutes.
const MAX_CACHE_OPERATION_MS = 600_000;
/**
* Checks that the overlay-base database is valid by checking for the
* existence of the base database OIDs file.
*
* @param config The configuration object
* @param logger The logger instance
* @param warningPrefix Prefix for the check failure warning message
* @returns True if the verification succeeded, false otherwise
*/
async function checkOverlayBaseDatabase(
codeql: CodeQL,
config: Config,
logger: Logger,
warningPrefix: string,
): Promise<boolean> {
// An overlay-base database should contain the base database OIDs file.
const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config);
if (!fs.existsSync(baseDatabaseOidsFilePath)) {
logger.warning(
`${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist`,
);
return false;
}
for (const language of config.languages) {
const dbPath = getCodeQLDatabasePath(config, language);
try {
const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath);
if (
resolveDatabaseOutput === undefined ||
!("overlayBaseSpecifier" in resolveDatabaseOutput)
) {
logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`);
return false;
} else {
logger.debug(
`Overlay base specifier for ${language} overlay-base database found: ` +
`${resolveDatabaseOutput.overlayBaseSpecifier}`,
);
}
} catch (e) {
logger.warning(`${warningPrefix}: failed to resolve database: ${e}`);
return false;
}
}
return true;
}
/**
* Uploads the overlay-base database to the GitHub Actions cache. If conditions
* for uploading are not met, the function does nothing and returns false.
*
* This function uses the `checkout_path` input to determine the repository path
* and works only when called from `analyze` or `upload-sarif`.
*
* @param codeql The CodeQL instance
* @param config The configuration object
* @param logger The logger instance
* @returns A promise that resolves to true if the upload was performed and
* successfully completed, or false otherwise
*/
export async function cleanupAndUploadOverlayBaseDatabaseToCache(
codeql: CodeQL,
config: Config,
logger: Logger,
): Promise<boolean> {
const overlayDatabaseMode = config.overlayDatabaseMode;
if (overlayDatabaseMode !== OverlayDatabaseMode.OverlayBase) {
logger.debug(
`Overlay database mode is ${overlayDatabaseMode}. ` +
"Skip uploading overlay-base database to cache.",
);
return false;
}
if (!config.useOverlayDatabaseCaching) {
logger.debug(
"Overlay database caching is disabled. " +
"Skip uploading overlay-base database to cache.",
);
return false;
}
if (isInTestMode()) {
logger.debug(
"In test mode. Skip uploading overlay-base database to cache.",
);
return false;
}
const databaseIsValid = await checkOverlayBaseDatabase(
codeql,
config,
logger,
"Abort uploading overlay-base database to cache",
);
if (!databaseIsValid) {
return false;
}
// Clean up the database using the overlay cleanup level.
await withGroupAsync("Cleaning up databases", async () => {
await codeql.databaseCleanupCluster(config, CleanupLevel.Overlay);
});
const dbLocation = config.dbLocation;
const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger);
if (databaseSizeBytes === undefined) {
logger.warning(
"Failed to determine database size. " +
"Skip uploading overlay-base database to cache.",
);
return false;
}
if (databaseSizeBytes > OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES) {
const databaseSizeMB = Math.round(databaseSizeBytes / 1_000_000);
logger.warning(
`Database size (${databaseSizeMB} MB) ` +
`exceeds maximum upload size (${OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB} MB). ` +
"Skip uploading overlay-base database to cache.",
);
return false;
}
const codeQlVersion = (await codeql.getVersion()).version;
const checkoutPath = getRequiredInput("checkout_path");
const cacheSaveKey = await getCacheSaveKey(
config,
codeQlVersion,
checkoutPath,
logger,
);
logger.info(
`Uploading overlay-base database to Actions cache with key ${cacheSaveKey}`,
);
try {
const cacheId = await waitForResultWithTimeLimit(
MAX_CACHE_OPERATION_MS,
actionsCache.saveCache([dbLocation], cacheSaveKey),
() => {},
);
if (cacheId === undefined) {
logger.warning("Timed out while uploading overlay-base database");
return false;
}
} catch (error) {
logger.warning(
"Failed to upload overlay-base database to cache: " +
`${error instanceof Error ? error.message : String(error)}`,
);
return false;
}
logger.info(`Successfully uploaded overlay-base database from ${dbLocation}`);
return true;
}
export interface OverlayBaseDatabaseDownloadStats {
databaseSizeBytes: number;
databaseDownloadDurationMs: number;
}
/**
* Downloads the overlay-base database from the GitHub Actions cache. If conditions
* for downloading are not met, the function does nothing and returns false.
*
* @param codeql The CodeQL instance
* @param config The configuration object
* @param logger The logger instance
* @returns A promise that resolves to download statistics if an overlay-base
* database was successfully downloaded, or undefined if the download was
* either not performed or failed.
*/
export async function downloadOverlayBaseDatabaseFromCache(
codeql: CodeQL,
config: Config,
logger: Logger,
): Promise<OverlayBaseDatabaseDownloadStats | undefined> {
const overlayDatabaseMode = config.overlayDatabaseMode;
if (overlayDatabaseMode !== OverlayDatabaseMode.Overlay) {
logger.debug(
`Overlay database mode is ${overlayDatabaseMode}. ` +
"Skip downloading overlay-base database from cache.",
);
return undefined;
}
if (!config.useOverlayDatabaseCaching) {
logger.debug(
"Overlay database caching is disabled. " +
"Skip downloading overlay-base database from cache.",
);
return undefined;
}
if (isInTestMode()) {
logger.debug(
"In test mode. Skip downloading overlay-base database from cache.",
);
return undefined;
}
const dbLocation = config.dbLocation;
const codeQlVersion = (await codeql.getVersion()).version;
const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix(
config,
codeQlVersion,
);
logger.info(
"Looking in Actions cache for overlay-base database with " +
`restore key ${cacheRestoreKeyPrefix}`,
);
let databaseDownloadDurationMs = 0;
try {
const databaseDownloadStart = performance.now();
const foundKey = await waitForResultWithTimeLimit(
// This ten-minute limit for the cache restore operation is mainly to
// guard against the possibility that the cache service is unresponsive
// and hangs outside the data download.
//
// Data download (which is normally the most time-consuming part of the
// restore operation) should not run long enough to hit this limit. Even
// for an extremely large 10GB database, at a download speed of 40MB/s
// (see below), the download should complete within five minutes. If we
// do hit this limit, there are likely more serious problems other than
// mere slow download speed.
//
// This is important because we don't want any ongoing file operations
// on the database directory when we do hit this limit. Hitting this
// time limit takes us to a fallback path where we re-initialize the
// database from scratch at dbLocation, and having the cache restore
// operation continue to write into dbLocation in the background would
// really mess things up. We want to hit this limit only in the case
// of a hung cache service, not just slow download speed.
MAX_CACHE_OPERATION_MS,
actionsCache.restoreCache(
[dbLocation],
cacheRestoreKeyPrefix,
undefined,
{
// Azure SDK download (which is the default) uses 128MB segments; see
// https://github.com/actions/toolkit/blob/main/packages/cache/README.md.
// Setting segmentTimeoutInMs to 3000 translates to segment download
// speed of about 40 MB/s, which should be achievable unless the
// download is unreliable (in which case we do want to abort).
segmentTimeoutInMs: 3000,
},
),
() => {
logger.info("Timed out downloading overlay-base database from cache");
},
);
databaseDownloadDurationMs = Math.round(
performance.now() - databaseDownloadStart,
);
if (foundKey === undefined) {
logger.info("No overlay-base database found in Actions cache");
return undefined;
}
logger.info(
`Downloaded overlay-base database in cache with key ${foundKey}`,
);
} catch (error) {
logger.warning(
"Failed to download overlay-base database from cache: " +
`${error instanceof Error ? error.message : String(error)}`,
);
return undefined;
}
const databaseIsValid = await checkOverlayBaseDatabase(
codeql,
config,
logger,
"Downloaded overlay-base database is invalid",
);
if (!databaseIsValid) {
logger.warning("Downloaded overlay-base database failed validation");
return undefined;
}
const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger);
if (databaseSizeBytes === undefined) {
logger.info(
"Filesystem error while accessing downloaded overlay-base database",
);
// The problem that warrants reporting download failure is not that we are
// unable to determine the size of the database. Rather, it is that we
// encountered a filesystem error while accessing the database, which
// indicates that an overlay analysis will likely fail.
return undefined;
}
logger.info(`Successfully downloaded overlay-base database to ${dbLocation}`);
return {
databaseSizeBytes: Math.round(databaseSizeBytes),
databaseDownloadDurationMs,
};
}
/**
* Computes the cache key for saving the overlay-base database to the GitHub
* Actions cache.
*
* The key consists of the restore key prefix (which does not include the
* commit SHA) and the commit SHA of the current checkout.
*/
export async function getCacheSaveKey(
config: Config,
codeQlVersion: string,
checkoutPath: string,
logger: Logger,
): Promise<string> {
let runId = 1;
let attemptId = 1;
try {
runId = getWorkflowRunID();
attemptId = getWorkflowRunAttempt();
} catch (e) {
logger.warning(
`Failed to get workflow run ID or attempt ID. Reason: ${getErrorMessage(e)}`,
);
}
const sha = await getCommitOid(checkoutPath);
const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
config,
codeQlVersion,
);
return `${restoreKeyPrefix}${sha}-${runId}-${attemptId}`;
}
/**
* Computes the cache key prefix for restoring the overlay-base database from
* the GitHub Actions cache.
*
* Actions cache supports using multiple restore keys to indicate preference,
* and this function could in principle take advantage of that feature by
* returning a list of restore key prefixes. However, since overlay-base
* databases are built from the default branch and used in PR analysis, it is
* exceedingly unlikely that the commit SHA will ever be the same.
*
* Therefore, this function returns only a single restore key prefix, which does
* not include the commit SHA. This allows us to restore the most recent
* compatible overlay-base database.
*/
export async function getCacheRestoreKeyPrefix(
config: Config,
codeQlVersion: string,
): Promise<string> {
const languages = [...config.languages].sort().join("_");
const cacheKeyComponents = {
automationID: await getAutomationID(),
// Add more components here as needed in the future
};
const componentsHash = createCacheKeyHash(cacheKeyComponents);
// For a cached overlay-base database to be considered compatible for overlay
// analysis, all components in the cache restore key must match:
//
// CACHE_PREFIX: distinguishes overlay-base databases from other cache objects
// CACHE_VERSION: cache format version
// componentsHash: hash of additional components (see above for details)
// languages: the languages included in the overlay-base database
// codeQlVersion: CodeQL bundle version
//
// Technically we can also include languages and codeQlVersion in the
// componentsHash, but including them explicitly in the cache key makes it
// easier to debug and understand the cache key structure.
return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languages}-${codeQlVersion}-`;
}
src/overlay/index.test.ts
+237 -259
View File
@@ -1,32 +1,16 @@
import * as fs from "fs";
import * as path from "path";
import * as actionsCache from "@actions/cache";
import test from "ava";
import * as sinon from "sinon";
import * as actionsUtil from "../actions-util";
import * as apiClient from "../api-client";
import { ResolveDatabaseOutput } from "../codeql";
import * as gitUtils from "../git-utils";
import { KnownLanguage } from "../languages";
import { getRunnerLogger } from "../logging";
import {
createTestConfig,
mockCodeQLVersion,
setupTests,
} from "../testing-utils";
import * as utils from "../util";
import { createTestConfig, setupTests } from "../testing-utils";
import { withTmpDir } from "../util";
import {
downloadOverlayBaseDatabaseFromCache,
getCacheRestoreKeyPrefix,
getCacheSaveKey,
OverlayDatabaseMode,
writeBaseDatabaseOidsFile,
writeOverlayChangesFile,
} from ".";
import { writeBaseDatabaseOidsFile, writeOverlayChangesFile } from ".";
setupTests(test);
@@ -34,12 +18,14 @@ test.serial(
"writeOverlayChangesFile generates correct changes file",
async (t) => {
await withTmpDir(async (tmpDir) => {
const dbLocation = path.join(tmpDir, "db");
await fs.promises.mkdir(dbLocation, { recursive: true });
const sourceRoot = path.join(tmpDir, "src");
await fs.promises.mkdir(sourceRoot, { recursive: true });
const tempDir = path.join(tmpDir, "temp");
await fs.promises.mkdir(tempDir, { recursive: true });
const [dbLocation, sourceRoot, tempDir] = ["db", "src", "temp"].map((d) =>
path.join(tmpDir, d),
);
await Promise.all(
[dbLocation, sourceRoot, tempDir].map((d) =>
fs.promises.mkdir(d, { recursive: true }),
),
);
const logger = getRunnerLogger(true);
const config = createTestConfig({ dbLocation });
@@ -70,9 +56,16 @@ test.serial(
// Write the overlay changes file, which uses the mocked overlay OIDs
// and the base database OIDs file
const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
const getTempDirStub = sinon
.stub(actionsUtil, "getTemporaryDirectory")
.returns(tempDir);
const getDiffRangesStub = sinon
.stub(actionsUtil, "getDiffRangesJsonFilePath")
.returns(diffRangeFilePath);
const getGitRootStub = sinon
.stub(gitUtils, "getGitRoot")
.resolves(sourceRoot);
const changesFilePath = await writeOverlayChangesFile(
config,
sourceRoot,
@@ -80,6 +73,8 @@ test.serial(
);
getFileOidsStubForOverlay.restore();
getTempDirStub.restore();
getDiffRangesStub.restore();
getGitRootStub.restore();
const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
const parsedContent = JSON.parse(fileContent) as { changes: string[] };
@@ -93,260 +88,243 @@ test.serial(
},
);
interface DownloadOverlayBaseDatabaseTestCase {
overlayDatabaseMode: OverlayDatabaseMode;
useOverlayDatabaseCaching: boolean;
isInTestMode: boolean;
restoreCacheResult: string | undefined | Error;
hasBaseDatabaseOidsFile: boolean;
tryGetFolderBytesSucceeds: boolean;
codeQLVersion: string;
resolveDatabaseOutput: ResolveDatabaseOutput | Error;
}
const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = {
overlayDatabaseMode: OverlayDatabaseMode.Overlay,
useOverlayDatabaseCaching: true,
isInTestMode: false,
restoreCacheResult: "cache-key",
hasBaseDatabaseOidsFile: true,
tryGetFolderBytesSucceeds: true,
codeQLVersion: "2.20.5",
resolveDatabaseOutput: { overlayBaseSpecifier: "20250626:XXX" },
};
const testDownloadOverlayBaseDatabaseFromCache = test.macro({
exec: async (
t,
_title: string,
partialTestCase: Partial<DownloadOverlayBaseDatabaseTestCase>,
expectDownloadSuccess: boolean,
) => {
test.serial(
"writeOverlayChangesFile merges additional diff files into overlay changes",
async (t) => {
await withTmpDir(async (tmpDir) => {
const dbLocation = path.join(tmpDir, "db");
await fs.promises.mkdir(dbLocation, { recursive: true });
const [dbLocation, sourceRoot, tempDir] = ["db", "src", "temp"].map((d) =>
path.join(tmpDir, d),
);
await Promise.all(
[dbLocation, sourceRoot, tempDir].map((d) =>
fs.promises.mkdir(d, { recursive: true }),
),
);
const logger = getRunnerLogger(true);
const testCase = { ...defaultDownloadTestCase, ...partialTestCase };
const config = createTestConfig({
dbLocation,
languages: [KnownLanguage.java],
});
const config = createTestConfig({ dbLocation });
config.overlayDatabaseMode = testCase.overlayDatabaseMode;
config.useOverlayDatabaseCaching = testCase.useOverlayDatabaseCaching;
// Mock the getFileOidsUnderPath function to return base OIDs
// "reverted.js" has the same OID in both base and current, simulating
// a revert PR where the file content matches the overlay-base
const baseOids = {
"unchanged.js": "aaa111",
"modified.js": "bbb222",
"reverted.js": "eee555",
};
const getFileOidsStubForBase = sinon
.stub(gitUtils, "getFileOidsUnderPath")
.resolves(baseOids);
if (testCase.hasBaseDatabaseOidsFile) {
const baseDatabaseOidsFile = path.join(
dbLocation,
"base-database-oids.json",
);
await fs.promises.writeFile(baseDatabaseOidsFile, JSON.stringify({}));
}
// Write the base database OIDs file
await writeBaseDatabaseOidsFile(config, sourceRoot);
getFileOidsStubForBase.restore();
const stubs: sinon.SinonStub[] = [];
// Mock the getFileOidsUnderPath function to return overlay OIDs
// "reverted.js" has the same OID as the base -- OID comparison alone
// would NOT include it, only additionalChangedFiles causes it to appear
const currentOids = {
"unchanged.js": "aaa111",
"modified.js": "ddd444", // Changed OID
"reverted.js": "eee555", // Same OID as base -- not detected by OID comparison
};
const getFileOidsStubForOverlay = sinon
.stub(gitUtils, "getFileOidsUnderPath")
.resolves(currentOids);
const getAutomationIDStub = sinon
.stub(apiClient, "getAutomationID")
.resolves("test-automation-id/");
stubs.push(getAutomationIDStub);
const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
const getTempDirStub = sinon
.stub(actionsUtil, "getTemporaryDirectory")
.returns(tempDir);
const getDiffRangesStub = sinon
.stub(actionsUtil, "getDiffRangesJsonFilePath")
.returns(diffRangeFilePath);
const getGitRootStub = sinon
.stub(gitUtils, "getGitRoot")
.resolves(sourceRoot);
const isInTestModeStub = sinon
.stub(utils, "isInTestMode")
.returns(testCase.isInTestMode);
stubs.push(isInTestModeStub);
// Write a pr-diff-range.json file with diff ranges including
// "reverted.js" (unchanged OIDs) and "modified.js" (already in OID changes)
await fs.promises.writeFile(
diffRangeFilePath,
JSON.stringify([
{ path: "reverted.js", startLine: 1, endLine: 10 },
{ path: "modified.js", startLine: 1, endLine: 5 },
{ path: "diff-only.js", startLine: 1, endLine: 3 },
]),
);
if (testCase.restoreCacheResult instanceof Error) {
const restoreCacheStub = sinon
.stub(actionsCache, "restoreCache")
.rejects(testCase.restoreCacheResult);
stubs.push(restoreCacheStub);
} else {
const restoreCacheStub = sinon
.stub(actionsCache, "restoreCache")
.resolves(testCase.restoreCacheResult);
stubs.push(restoreCacheStub);
}
const changesFilePath = await writeOverlayChangesFile(
config,
sourceRoot,
logger,
);
getFileOidsStubForOverlay.restore();
getTempDirStub.restore();
getDiffRangesStub.restore();
getGitRootStub.restore();
const tryGetFolderBytesStub = sinon
.stub(utils, "tryGetFolderBytes")
.resolves(testCase.tryGetFolderBytesSucceeds ? 1024 * 1024 : undefined);
stubs.push(tryGetFolderBytesStub);
const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
const parsedContent = JSON.parse(fileContent) as { changes: string[] };
const codeql = mockCodeQLVersion(testCase.codeQLVersion);
if (testCase.resolveDatabaseOutput instanceof Error) {
const resolveDatabaseStub = sinon
.stub(codeql, "resolveDatabase")
.rejects(testCase.resolveDatabaseOutput);
stubs.push(resolveDatabaseStub);
} else {
const resolveDatabaseStub = sinon
.stub(codeql, "resolveDatabase")
.resolves(testCase.resolveDatabaseOutput);
stubs.push(resolveDatabaseStub);
}
try {
const result = await downloadOverlayBaseDatabaseFromCache(
codeql,
config,
logger,
);
if (expectDownloadSuccess) {
t.truthy(result);
} else {
t.is(result, undefined);
}
} finally {
for (const stub of stubs) {
stub.restore();
}
}
t.deepEqual(
parsedContent.changes.sort(),
["diff-only.js", "modified.js", "reverted.js"],
"Should include OID-changed files, diff-only files, and deduplicate overlapping files",
);
});
},
title: (_, title) => `downloadOverlayBaseDatabaseFromCache: ${title}`,
});
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns stats when successful",
{},
true,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when mode is OverlayDatabaseMode.OverlayBase",
{
overlayDatabaseMode: OverlayDatabaseMode.OverlayBase,
"writeOverlayChangesFile works without additional diff files",
async (t) => {
await withTmpDir(async (tmpDir) => {
const [dbLocation, sourceRoot, tempDir] = ["db", "src", "temp"].map((d) =>
path.join(tmpDir, d),
);
await Promise.all(
[dbLocation, sourceRoot, tempDir].map((d) =>
fs.promises.mkdir(d, { recursive: true }),
),
);
const logger = getRunnerLogger(true);
const config = createTestConfig({ dbLocation });
// Mock the getFileOidsUnderPath function to return base OIDs
const baseOids = {
"unchanged.js": "aaa111",
"modified.js": "bbb222",
};
const getFileOidsStubForBase = sinon
.stub(gitUtils, "getFileOidsUnderPath")
.resolves(baseOids);
await writeBaseDatabaseOidsFile(config, sourceRoot);
getFileOidsStubForBase.restore();
const currentOids = {
"unchanged.js": "aaa111",
"modified.js": "ddd444",
};
const getFileOidsStubForOverlay = sinon
.stub(gitUtils, "getFileOidsUnderPath")
.resolves(currentOids);
const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
const getTempDirStub = sinon
.stub(actionsUtil, "getTemporaryDirectory")
.returns(tempDir);
const getDiffRangesStub = sinon
.stub(actionsUtil, "getDiffRangesJsonFilePath")
.returns(diffRangeFilePath);
const getGitRootStub = sinon
.stub(gitUtils, "getGitRoot")
.resolves(sourceRoot);
// No pr-diff-range.json file exists - should work the same as before
const changesFilePath = await writeOverlayChangesFile(
config,
sourceRoot,
logger,
);
getFileOidsStubForOverlay.restore();
getTempDirStub.restore();
getDiffRangesStub.restore();
getGitRootStub.restore();
const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
const parsedContent = JSON.parse(fileContent) as { changes: string[] };
t.deepEqual(
parsedContent.changes.sort(),
["modified.js"],
"Should only include OID-changed files when no additional files provided",
);
});
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when mode is OverlayDatabaseMode.None",
{
overlayDatabaseMode: OverlayDatabaseMode.None,
"writeOverlayChangesFile converts diff range paths to sourceRoot-relative when sourceRoot is a subdirectory",
async (t) => {
await withTmpDir(async (tmpDir) => {
// Simulate: repo root = tmpDir, sourceRoot = tmpDir/src
const repoRoot = tmpDir;
const sourceRoot = path.join(tmpDir, "src");
const [dbLocation, tempDir] = ["db", "temp"].map((d) =>
path.join(tmpDir, d),
);
await Promise.all(
[dbLocation, sourceRoot, tempDir].map((d) =>
fs.promises.mkdir(d, { recursive: true }),
),
);
const logger = getRunnerLogger(true);
const config = createTestConfig({ dbLocation });
// Base OIDs (sourceRoot-relative paths)
const baseOids = {
"app.js": "aaa111",
"lib/util.js": "bbb222",
};
const getFileOidsStubForBase = sinon
.stub(gitUtils, "getFileOidsUnderPath")
.resolves(baseOids);
await writeBaseDatabaseOidsFile(config, sourceRoot);
getFileOidsStubForBase.restore();
// Current OIDs — same as base (no OID changes)
const currentOids = {
"app.js": "aaa111",
"lib/util.js": "bbb222",
};
const getFileOidsStubForOverlay = sinon
.stub(gitUtils, "getFileOidsUnderPath")
.resolves(currentOids);
const diffRangeFilePath = path.join(tempDir, "pr-diff-range.json");
const getTempDirStub = sinon
.stub(actionsUtil, "getTemporaryDirectory")
.returns(tempDir);
const getDiffRangesStub = sinon
.stub(actionsUtil, "getDiffRangesJsonFilePath")
.returns(diffRangeFilePath);
// getGitRoot returns the repo root (parent of sourceRoot)
const getGitRootStub = sinon
.stub(gitUtils, "getGitRoot")
.resolves(repoRoot);
// Diff ranges use repo-root-relative paths (as returned by the GitHub compare API)
await fs.promises.writeFile(
diffRangeFilePath,
JSON.stringify([
{ path: "src/app.js", startLine: 1, endLine: 10 },
{ path: "src/lib/util.js", startLine: 5, endLine: 8 },
{ path: "other/outside.js", startLine: 1, endLine: 3 }, // not under sourceRoot
]),
);
const changesFilePath = await writeOverlayChangesFile(
config,
sourceRoot,
logger,
);
getFileOidsStubForOverlay.restore();
getTempDirStub.restore();
getDiffRangesStub.restore();
getGitRootStub.restore();
const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
const parsedContent = JSON.parse(fileContent) as { changes: string[] };
t.deepEqual(
parsedContent.changes.sort(),
["app.js", "lib/util.js"],
"Should convert repo-root-relative paths to sourceRoot-relative and filter out files outside sourceRoot",
);
});
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when caching is disabled",
{
useOverlayDatabaseCaching: false,
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined in test mode",
{
isInTestMode: true,
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when cache miss",
{
restoreCacheResult: undefined,
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when download fails",
{
restoreCacheResult: new Error("Download failed"),
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when downloaded database is invalid",
{
hasBaseDatabaseOidsFile: false,
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when downloaded database doesn't have an overlayBaseSpecifier",
{
resolveDatabaseOutput: {},
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when resolving database metadata fails",
{
resolveDatabaseOutput: new Error("Failed to resolve database metadata"),
},
false,
);
test.serial(
testDownloadOverlayBaseDatabaseFromCache,
"returns undefined when filesystem error occurs",
{
tryGetFolderBytesSucceeds: false,
},
false,
);
test.serial("overlay-base database cache keys remain stable", async (t) => {
const logger = getRunnerLogger(true);
const config = createTestConfig({ languages: ["python", "javascript"] });
const codeQlVersion = "2.23.0";
const commitOid = "abc123def456";
sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
sinon.stub(gitUtils, "getCommitOid").resolves(commitOid);
sinon.stub(actionsUtil, "getWorkflowRunID").returns(12345);
sinon.stub(actionsUtil, "getWorkflowRunAttempt").returns(1);
const saveKey = await getCacheSaveKey(
config,
codeQlVersion,
"checkout-path",
logger,
);
const expectedSaveKey =
"codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-abc123def456-12345-1";
t.is(
saveKey,
expectedSaveKey,
"Cache save key changed unexpectedly. " +
"This may indicate breaking changes in the cache key generation logic.",
);
const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
config,
codeQlVersion,
);
const expectedRestoreKeyPrefix =
"codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-";
t.is(
restoreKeyPrefix,
expectedRestoreKeyPrefix,
"Cache restore key prefix changed unexpectedly. " +
"This may indicate breaking changes in the cache key generation logic.",
);
t.true(
saveKey.startsWith(restoreKeyPrefix),
`Expected save key "${saveKey}" to start with restore key prefix "${restoreKeyPrefix}"`,
);
});
src/overlay/index.ts
+62 -418
View File
@@ -1,35 +1,12 @@
import * as fs from "fs";
import * as path from "path";
import * as actionsCache from "@actions/cache";
import {
getRequiredInput,
getTemporaryDirectory,
getWorkflowRunAttempt,
getWorkflowRunID,
} from "../actions-util";
import { getAutomationID } from "../api-client";
import { createCacheKeyHash } from "../caching-utils";
import { type CodeQL } from "../codeql";
import * as actionsUtil from "../actions-util";
import { getOptionalInput, getTemporaryDirectory } from "../actions-util";
import { type Config } from "../config-utils";
import { getCommitOid, getFileOidsUnderPath } from "../git-utils";
import { Logger, withGroupAsync } from "../logging";
import {
CleanupLevel,
getBaseDatabaseOidsFilePath,
getCodeQLDatabasePath,
getErrorMessage,
isInTestMode,
tryGetFolderBytes,
waitForResultWithTimeLimit,
} from "../util";
export enum OverlayDatabaseMode {
Overlay = "overlay",
OverlayBase = "overlay-base",
None = "none",
}
import { getFileOidsUnderPath, getGitRoot } from "../git-utils";
import { Logger } from "../logging";
import { getBaseDatabaseOidsFilePath } from "../util";
export const CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
@@ -43,23 +20,6 @@ export const CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9";
export const CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9";
export const CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9";
/**
* The maximum (uncompressed) size of the overlay base database that we will
* upload. By default, the Actions Cache has an overall capacity of 10 GB, and
* the Actions Cache client library uses zstd compression.
*
* Ideally we would apply a size limit to the compressed overlay-base database,
* but we cannot do so because compression is handled transparently by the
* Actions Cache client library. Instead we place a limit on the uncompressed
* size of the overlay-base database.
*
* Assuming 2.5:1 compression ratio, the 7.5 GB limit on uncompressed data would
* translate to a limit of around 3 GB after compression.
*/
const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500;
const OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES =
OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1_000_000;
/**
* Writes a JSON file containing Git OIDs for all tracked files (represented
* by path relative to the source root) under the source root. The file is
@@ -130,11 +90,17 @@ export async function writeOverlayChangesFile(
): Promise<string> {
const baseFileOids = await readBaseDatabaseOidsFile(config, logger);
const overlayFileOids = await getFileOidsUnderPath(sourceRoot);
const changedFiles = computeChangedFiles(baseFileOids, overlayFileOids);
const oidChangedFiles = computeChangedFiles(baseFileOids, overlayFileOids);
logger.info(
`Found ${changedFiles.length} changed file(s) under ${sourceRoot}.`,
`Found ${oidChangedFiles.length} changed file(s) under ${sourceRoot} from OID comparison.`,
);
// Merge in any file paths from precomputed PR diff ranges to ensure the
// overlay always includes all files from the PR diff, even in edge cases
// like revert PRs where OID comparison shows no change.
const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger);
const changedFiles = [...new Set([...oidChangedFiles, ...diffRangeFiles])];
const changedFilesJson = JSON.stringify({ changes: changedFiles });
const overlayChangesFile = path.join(
getTemporaryDirectory(),
@@ -165,387 +131,65 @@ function computeChangedFiles(
return changes;
}
// Constants for database caching
const CACHE_VERSION = 1;
const CACHE_PREFIX = "codeql-overlay-base-database";
// The purpose of this ten-minute limit is to guard against the possibility
// that the cache service is unresponsive, which would otherwise cause the
// entire action to hang. Normally we expect cache operations to complete
// within two minutes.
const MAX_CACHE_OPERATION_MS = 600_000;
/**
* Checks that the overlay-base database is valid by checking for the
* existence of the base database OIDs file.
*
* @param config The configuration object
* @param logger The logger instance
* @param warningPrefix Prefix for the check failure warning message
* @returns True if the verification succeeded, false otherwise
*/
async function checkOverlayBaseDatabase(
codeql: CodeQL,
config: Config,
async function getDiffRangeFilePaths(
sourceRoot: string,
logger: Logger,
warningPrefix: string,
): Promise<boolean> {
// An overlay-base database should contain the base database OIDs file.
const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config);
if (!fs.existsSync(baseDatabaseOidsFilePath)) {
logger.warning(
`${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist`,
);
return false;
}
): Promise<string[]> {
const jsonFilePath = actionsUtil.getDiffRangesJsonFilePath();
for (const language of config.languages) {
const dbPath = getCodeQLDatabasePath(config, language);
try {
const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath);
if (
resolveDatabaseOutput === undefined ||
!("overlayBaseSpecifier" in resolveDatabaseOutput)
) {
logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`);
return false;
} else {
logger.debug(
`Overlay base specifier for ${language} overlay-base database found: ` +
`${resolveDatabaseOutput.overlayBaseSpecifier}`,
);
}
} catch (e) {
logger.warning(`${warningPrefix}: failed to resolve database: ${e}`);
return false;
}
}
return true;
}
/**
* Uploads the overlay-base database to the GitHub Actions cache. If conditions
* for uploading are not met, the function does nothing and returns false.
*
* This function uses the `checkout_path` input to determine the repository path
* and works only when called from `analyze` or `upload-sarif`.
*
* @param codeql The CodeQL instance
* @param config The configuration object
* @param logger The logger instance
* @returns A promise that resolves to true if the upload was performed and
* successfully completed, or false otherwise
*/
export async function cleanupAndUploadOverlayBaseDatabaseToCache(
codeql: CodeQL,
config: Config,
logger: Logger,
): Promise<boolean> {
const overlayDatabaseMode = config.overlayDatabaseMode;
if (overlayDatabaseMode !== OverlayDatabaseMode.OverlayBase) {
if (!fs.existsSync(jsonFilePath)) {
logger.debug(
`Overlay database mode is ${overlayDatabaseMode}. ` +
"Skip uploading overlay-base database to cache.",
`No diff ranges JSON file found at ${jsonFilePath}; skipping.`,
);
return false;
}
if (!config.useOverlayDatabaseCaching) {
logger.debug(
"Overlay database caching is disabled. " +
"Skip uploading overlay-base database to cache.",
);
return false;
}
if (isInTestMode()) {
logger.debug(
"In test mode. Skip uploading overlay-base database to cache.",
);
return false;
return [];
}
const databaseIsValid = await checkOverlayBaseDatabase(
codeql,
config,
logger,
"Abort uploading overlay-base database to cache",
);
if (!databaseIsValid) {
return false;
}
// Clean up the database using the overlay cleanup level.
await withGroupAsync("Cleaning up databases", async () => {
await codeql.databaseCleanupCluster(config, CleanupLevel.Overlay);
});
const dbLocation = config.dbLocation;
const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger);
if (databaseSizeBytes === undefined) {
logger.warning(
"Failed to determine database size. " +
"Skip uploading overlay-base database to cache.",
);
return false;
}
if (databaseSizeBytes > OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES) {
const databaseSizeMB = Math.round(databaseSizeBytes / 1_000_000);
logger.warning(
`Database size (${databaseSizeMB} MB) ` +
`exceeds maximum upload size (${OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB} MB). ` +
"Skip uploading overlay-base database to cache.",
);
return false;
}
const codeQlVersion = (await codeql.getVersion()).version;
const checkoutPath = getRequiredInput("checkout_path");
const cacheSaveKey = await getCacheSaveKey(
config,
codeQlVersion,
checkoutPath,
logger,
);
logger.info(
`Uploading overlay-base database to Actions cache with key ${cacheSaveKey}`,
);
let contents: string;
try {
const cacheId = await waitForResultWithTimeLimit(
MAX_CACHE_OPERATION_MS,
actionsCache.saveCache([dbLocation], cacheSaveKey),
() => {},
);
if (cacheId === undefined) {
logger.warning("Timed out while uploading overlay-base database");
return false;
}
} catch (error) {
logger.warning(
"Failed to upload overlay-base database to cache: " +
`${error instanceof Error ? error.message : String(error)}`,
);
return false;
}
logger.info(`Successfully uploaded overlay-base database from ${dbLocation}`);
return true;
}
export interface OverlayBaseDatabaseDownloadStats {
databaseSizeBytes: number;
databaseDownloadDurationMs: number;
}
/**
* Downloads the overlay-base database from the GitHub Actions cache. If conditions
* for downloading are not met, the function does nothing and returns false.
*
* @param codeql The CodeQL instance
* @param config The configuration object
* @param logger The logger instance
* @returns A promise that resolves to download statistics if an overlay-base
* database was successfully downloaded, or undefined if the download was
* either not performed or failed.
*/
export async function downloadOverlayBaseDatabaseFromCache(
codeql: CodeQL,
config: Config,
logger: Logger,
): Promise<OverlayBaseDatabaseDownloadStats | undefined> {
const overlayDatabaseMode = config.overlayDatabaseMode;
if (overlayDatabaseMode !== OverlayDatabaseMode.Overlay) {
logger.debug(
`Overlay database mode is ${overlayDatabaseMode}. ` +
"Skip downloading overlay-base database from cache.",
);
return undefined;
}
if (!config.useOverlayDatabaseCaching) {
logger.debug(
"Overlay database caching is disabled. " +
"Skip downloading overlay-base database from cache.",
);
return undefined;
}
if (isInTestMode()) {
logger.debug(
"In test mode. Skip downloading overlay-base database from cache.",
);
return undefined;
}
const dbLocation = config.dbLocation;
const codeQlVersion = (await codeql.getVersion()).version;
const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix(
config,
codeQlVersion,
);
logger.info(
"Looking in Actions cache for overlay-base database with " +
`restore key ${cacheRestoreKeyPrefix}`,
);
let databaseDownloadDurationMs = 0;
try {
const databaseDownloadStart = performance.now();
const foundKey = await waitForResultWithTimeLimit(
// This ten-minute limit for the cache restore operation is mainly to
// guard against the possibility that the cache service is unresponsive
// and hangs outside the data download.
//
// Data download (which is normally the most time-consuming part of the
// restore operation) should not run long enough to hit this limit. Even
// for an extremely large 10GB database, at a download speed of 40MB/s
// (see below), the download should complete within five minutes. If we
// do hit this limit, there are likely more serious problems other than
// mere slow download speed.
//
// This is important because we don't want any ongoing file operations
// on the database directory when we do hit this limit. Hitting this
// time limit takes us to a fallback path where we re-initialize the
// database from scratch at dbLocation, and having the cache restore
// operation continue to write into dbLocation in the background would
// really mess things up. We want to hit this limit only in the case
// of a hung cache service, not just slow download speed.
MAX_CACHE_OPERATION_MS,
actionsCache.restoreCache(
[dbLocation],
cacheRestoreKeyPrefix,
undefined,
{
// Azure SDK download (which is the default) uses 128MB segments; see
// https://github.com/actions/toolkit/blob/main/packages/cache/README.md.
// Setting segmentTimeoutInMs to 3000 translates to segment download
// speed of about 40 MB/s, which should be achievable unless the
// download is unreliable (in which case we do want to abort).
segmentTimeoutInMs: 3000,
},
),
() => {
logger.info("Timed out downloading overlay-base database from cache");
},
);
databaseDownloadDurationMs = Math.round(
performance.now() - databaseDownloadStart,
);
if (foundKey === undefined) {
logger.info("No overlay-base database found in Actions cache");
return undefined;
}
logger.info(
`Downloaded overlay-base database in cache with key ${foundKey}`,
);
} catch (error) {
logger.warning(
"Failed to download overlay-base database from cache: " +
`${error instanceof Error ? error.message : String(error)}`,
);
return undefined;
}
const databaseIsValid = await checkOverlayBaseDatabase(
codeql,
config,
logger,
"Downloaded overlay-base database is invalid",
);
if (!databaseIsValid) {
logger.warning("Downloaded overlay-base database failed validation");
return undefined;
}
const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger);
if (databaseSizeBytes === undefined) {
logger.info(
"Filesystem error while accessing downloaded overlay-base database",
);
// The problem that warrants reporting download failure is not that we are
// unable to determine the size of the database. Rather, it is that we
// encountered a filesystem error while accessing the database, which
// indicates that an overlay analysis will likely fail.
return undefined;
}
logger.info(`Successfully downloaded overlay-base database to ${dbLocation}`);
return {
databaseSizeBytes: Math.round(databaseSizeBytes),
databaseDownloadDurationMs,
};
}
/**
* Computes the cache key for saving the overlay-base database to the GitHub
* Actions cache.
*
* The key consists of the restore key prefix (which does not include the
* commit SHA) and the commit SHA of the current checkout.
*/
export async function getCacheSaveKey(
config: Config,
codeQlVersion: string,
checkoutPath: string,
logger: Logger,
): Promise<string> {
let runId = 1;
let attemptId = 1;
try {
runId = getWorkflowRunID();
attemptId = getWorkflowRunAttempt();
contents = await fs.promises.readFile(jsonFilePath, "utf8");
} catch (e) {
logger.warning(
`Failed to get workflow run ID or attempt ID. Reason: ${getErrorMessage(e)}`,
`Failed to read diff ranges JSON file at ${jsonFilePath}: ${e}`,
);
return [];
}
const sha = await getCommitOid(checkoutPath);
const restoreKeyPrefix = await getCacheRestoreKeyPrefix(
config,
codeQlVersion,
let diffRanges: Array<{ path: string }>;
try {
diffRanges = JSON.parse(contents) as Array<{ path: string }>;
} catch (e) {
logger.warning(
`Failed to parse diff ranges JSON file at ${jsonFilePath}: ${e}`,
);
return [];
}
logger.debug(
`Read ${diffRanges.length} diff range(s) from ${jsonFilePath} for overlay changes.`,
);
return `${restoreKeyPrefix}${sha}-${runId}-${attemptId}`;
}
/**
* Computes the cache key prefix for restoring the overlay-base database from
* the GitHub Actions cache.
*
* Actions cache supports using multiple restore keys to indicate preference,
* and this function could in principle take advantage of that feature by
* returning a list of restore key prefixes. However, since overlay-base
* databases are built from the default branch and used in PR analysis, it is
* exceedingly unlikely that the commit SHA will ever be the same.
*
* Therefore, this function returns only a single restore key prefix, which does
* not include the commit SHA. This allows us to restore the most recent
* compatible overlay-base database.
*/
export async function getCacheRestoreKeyPrefix(
config: Config,
codeQlVersion: string,
): Promise<string> {
const languages = [...config.languages].sort().join("_");
const cacheKeyComponents = {
automationID: await getAutomationID(),
// Add more components here as needed in the future
};
const componentsHash = createCacheKeyHash(cacheKeyComponents);
// For a cached overlay-base database to be considered compatible for overlay
// analysis, all components in the cache restore key must match:
//
// CACHE_PREFIX: distinguishes overlay-base databases from other cache objects
// CACHE_VERSION: cache format version
// componentsHash: hash of additional components (see above for details)
// languages: the languages included in the overlay-base database
// codeQlVersion: CodeQL bundle version
//
// Technically we can also include languages and codeQlVersion in the
// componentsHash, but including them explicitly in the cache key makes it
// easier to debug and understand the cache key structure.
return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languages}-${codeQlVersion}-`;
// Diff-range paths are relative to the repo root (from the GitHub compare
// API), but overlay changed files must be relative to sourceRoot (to match
// getFileOidsUnderPath output). Convert and filter accordingly.
const repoRoot = await getGitRoot(sourceRoot);
if (repoRoot === undefined) {
if (getOptionalInput("source-root")) {
throw new Error(
"Cannot determine git root to convert diff range paths relative to source-root. " +
"Failing to avoid omitting files from the analysis.",
);
}
logger.warning(
"Cannot determine git root; returning diff range paths as-is.",
);
return [...new Set(diffRanges.map((r) => r.path))];
}
const relativePaths = diffRanges
.map((r) =>
path
.relative(sourceRoot, path.join(repoRoot, r.path))
.replaceAll(path.sep, "/"),
)
.filter((rel) => !rel.startsWith(".."));
return [...new Set(relativePaths)];
}
src/overlay/overlay-database-mode.ts
+5
View File
@@ -0,0 +1,5 @@
export enum OverlayDatabaseMode {
Overlay = "overlay",
OverlayBase = "overlay-base",
None = "none",
}
src/start-proxy.test.ts
+200 -35
View File
@@ -14,9 +14,9 @@ import * as startProxyExports from "./start-proxy";
import { parseLanguage } from "./start-proxy";
import * as statusReport from "./status-report";
import {
assertNotLogged,
checkExpectedLogMessages,
createFeatures,
getRecordingLogger,
makeTestToken,
RecordingLogger,
setupTests,
@@ -252,6 +252,57 @@ test("getCredentials returns all for a language when specified", async (t) => {
t.assert(credentialsTypes.includes("git_source"));
});
test("getCredentials returns all goproxy_servers for Go when specified", async (t) => {
const multipleGoproxyServers = [
{ type: "goproxy_server", host: "goproxy1.example.com", token: "token1" },
{ type: "goproxy_server", host: "goproxy2.example.com", token: "token2" },
{ type: "git_source", host: "github.com/github", token: "mno" },
];
const credentials = startProxyExports.getCredentials(
getRunnerLogger(true),
undefined,
toEncodedJSON(multipleGoproxyServers),
KnownLanguage.go,
);
t.is(credentials.length, 3);
const goproxyServers = credentials.filter((c) => c.type === "goproxy_server");
t.is(goproxyServers.length, 2);
t.assert(goproxyServers.some((c) => c.host === "goproxy1.example.com"));
t.assert(goproxyServers.some((c) => c.host === "goproxy2.example.com"));
});
test("getCredentials returns all maven_repositories for Java when specified", async (t) => {
const multipleMavenRepositories = [
{
type: "maven_repository",
host: "maven1.pkg.github.com",
token: "token1",
},
{
type: "maven_repository",
host: "maven2.pkg.github.com",
token: "token2",
},
{ type: "git_source", host: "github.com/github", token: "mno" },
];
const credentials = startProxyExports.getCredentials(
getRunnerLogger(true),
undefined,
toEncodedJSON(multipleMavenRepositories),
KnownLanguage.java,
);
t.is(credentials.length, 2);
const mavenRepositories = credentials.filter(
(c) => c.type === "maven_repository",
);
t.assert(mavenRepositories.some((c) => c.host === "maven1.pkg.github.com"));
t.assert(mavenRepositories.some((c) => c.host === "maven2.pkg.github.com"));
});
test("getCredentials returns all credentials when no language specified", async (t) => {
const credentialsInput = toEncodedJSON(mixedCredentials);
@@ -300,23 +351,23 @@ test("getCredentials throws an error when non-printable characters are used", as
});
const validAzureCredential: startProxyExports.AzureConfig = {
tenant_id: "12345678-1234-1234-1234-123456789012",
client_id: "abcdef01-2345-6789-abcd-ef0123456789",
"tenant-id": "12345678-1234-1234-1234-123456789012",
"client-id": "abcdef01-2345-6789-abcd-ef0123456789",
};
const validAwsCredential: startProxyExports.AWSConfig = {
aws_region: "us-east-1",
account_id: "123456789012",
role_name: "MY_ROLE",
"aws-region": "us-east-1",
"account-id": "123456789012",
"role-name": "MY_ROLE",
domain: "MY_DOMAIN",
domain_owner: "987654321098",
"domain-owner": "987654321098",
audience: "custom-audience",
};
const validJFrogCredential: startProxyExports.JFrogConfig = {
jfrog_oidc_provider_name: "MY_PROVIDER",
"jfrog-oidc-provider-name": "MY_PROVIDER",
audience: "jfrog-audience",
identity_mapping_name: "my-mapping",
"identity-mapping-name": "my-mapping",
};
test("getCredentials throws an error when non-printable characters are used for Azure OIDC", (t) => {
@@ -439,41 +490,155 @@ test("getCredentials accepts OIDC configurations", (t) => {
t.assert(credentials.some((c) => startProxyExports.isJFrogConfig(c)));
});
test("getCredentials logs a warning when a PAT is used without a username", async (t) => {
const loggedMessages = [];
const logger = getRecordingLogger(loggedMessages);
const likelyWrongCredentials = toEncodedJSON([
const getCredentialsMacro = test.macro({
exec: async (
t: ExecutionContext<unknown>,
credentials: startProxyExports.RawCredential[],
checkAccepted: (
t: ExecutionContext<unknown>,
logger: RecordingLogger,
results: startProxyExports.Credential[],
) => void,
) => {
const logger = new RecordingLogger();
const credentialsString = toEncodedJSON(credentials);
const results = startProxyExports.getCredentials(
logger,
undefined,
credentialsString,
undefined,
);
checkAccepted(t, logger, results);
},
title: (providedTitle = "") => `getCredentials - ${providedTitle}`,
});
test(
"warns for PAT-like password without a username",
getCredentialsMacro,
[
{
type: "git_server",
host: "https://github.com/",
password: `ghp_${makeTestToken()}`,
},
]);
],
(t, logger, results) => {
// The configurations should be accepted, despite the likely problem.
t.assert(results);
t.is(results.length, 1);
t.is(results[0].type, "git_server");
t.is(results[0].host, "https://github.com/");
const results = startProxyExports.getCredentials(
logger,
undefined,
likelyWrongCredentials,
undefined,
);
if (startProxyExports.isUsernamePassword(results[0])) {
t.assert(results[0].password?.startsWith("ghp_"));
} else {
t.fail("Expected a `UsernamePassword`-based credential.");
}
// The configuration should be accepted, despite the likely problem.
t.assert(results);
t.is(results.length, 1);
t.is(results[0].type, "git_server");
t.is(results[0].host, "https://github.com/");
// A warning should have been logged.
checkExpectedLogMessages(t, logger.messages, [
"using a GitHub Personal Access Token (PAT), but no username was provided",
]);
},
);
if (startProxyExports.isUsernamePassword(results[0])) {
t.assert(results[0].password?.startsWith("ghp_"));
} else {
t.fail("Expected a `UsernamePassword`-based credential.");
}
test(
"no warning for PAT-like password with a username",
getCredentialsMacro,
[
{
type: "git_server",
host: "https://github.com/",
username: "someone",
password: `ghp_${makeTestToken()}`,
},
],
(t, logger, results) => {
// The configurations should be accepted, despite the likely problem.
t.assert(results);
t.is(results.length, 1);
t.is(results[0].type, "git_server");
t.is(results[0].host, "https://github.com/");
// A warning should have been logged.
checkExpectedLogMessages(t, loggedMessages, [
"using a GitHub Personal Access Token (PAT), but no username was provided",
]);
});
if (startProxyExports.isUsernamePassword(results[0])) {
t.assert(results[0].password?.startsWith("ghp_"));
} else {
t.fail("Expected a `UsernamePassword`-based credential.");
}
assertNotLogged(
t,
logger,
"using a GitHub Personal Access Token (PAT), but no username was provided",
);
},
);
test(
"warns for PAT-like token without a username",
getCredentialsMacro,
[
{
type: "git_server",
host: "https://github.com/",
token: `ghp_${makeTestToken()}`,
},
],
(t, logger, results) => {
// The configurations should be accepted, despite the likely problem.
t.assert(results);
t.is(results.length, 1);
t.is(results[0].type, "git_server");
t.is(results[0].host, "https://github.com/");
if (startProxyExports.isToken(results[0])) {
t.assert(results[0].token?.startsWith("ghp_"));
} else {
t.fail("Expected a `Token`-based credential.");
}
// A warning should have been logged.
checkExpectedLogMessages(t, logger.messages, [
"using a GitHub Personal Access Token (PAT), but no username was provided",
]);
},
);
test(
"no warning for PAT-like token with a username",
getCredentialsMacro,
[
{
type: "git_server",
host: "https://github.com/",
username: "someone",
token: `ghp_${makeTestToken()}`,
},
],
(t, logger, results) => {
// The configurations should be accepted, despite the likely problem.
t.assert(results);
t.is(results.length, 1);
t.is(results[0].type, "git_server");
t.is(results[0].host, "https://github.com/");
if (startProxyExports.isToken(results[0])) {
t.assert(results[0].token?.startsWith("ghp_"));
} else {
t.fail("Expected a `Token`-based credential.");
}
assertNotLogged(
t,
logger,
"using a GitHub Personal Access Token (PAT), but no username was provided",
);
},
);
test("getCredentials returns all credentials for Actions when using LANGUAGE_TO_REGISTRY_TYPE", async (t) => {
const credentialsInput = toEncodedJSON(mixedCredentials);
src/start-proxy.ts
+32 -41
View File
@@ -18,6 +18,7 @@ import {
FeatureEnablement,
} from "./feature-flags";
import * as json from "./json";
import * as knownLanguageAliases from "./known-language-aliases.json";
import { KnownLanguage } from "./languages";
import { Logger } from "./logging";
import {
@@ -188,43 +189,30 @@ export const UPDATEJOB_PROXY_VERSION = "v2.0.20250624110901";
const UPDATEJOB_PROXY_URL_PREFIX =
"https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.22.0/";
/*
* Language aliases supported by the start-proxy Action.
*
* In general, the CodeQL CLI is the source of truth for language aliases, and to
* allow us to more easily support new languages, we want to avoid hardcoding these
* aliases in the Action itself. However this is difficult to do in the start-proxy
* Action since this Action does not use CodeQL, so we're accepting some hardcoding
* for this Action.
*/
const LANGUAGE_ALIASES: { [lang: string]: KnownLanguage } = {
c: KnownLanguage.cpp,
"c++": KnownLanguage.cpp,
"c#": KnownLanguage.csharp,
kotlin: KnownLanguage.java,
typescript: KnownLanguage.javascript,
"javascript-typescript": KnownLanguage.javascript,
"java-kotlin": KnownLanguage.java,
};
/**
* Parse the start-proxy language input into its canonical CodeQL language name.
*
* Exported for testing. Do not use this outside of the start-proxy Action
* to avoid complicating the process of adding new CodeQL languages.
* This uses the language aliases shipped with the Action and will not be able to resolve aliases
* added by versions of the CodeQL CLI newer than the one mentioned in `defaults.json`. However,
* this is sufficient for the start-proxy Action since we are already specifying proxy
* configurations on a per-language basis.
*/
export function parseLanguage(language: string): KnownLanguage | undefined {
// Normalize to lower case
language = language.trim().toLowerCase();
// See if it's an exact match
if (language in KnownLanguage) {
if (Object.hasOwn(KnownLanguage, language)) {
return language as KnownLanguage;
}
// Check language aliases
if (language in LANGUAGE_ALIASES) {
return LANGUAGE_ALIASES[language];
if (Object.hasOwn(knownLanguageAliases, language)) {
language =
knownLanguageAliases[language as keyof typeof knownLanguageAliases];
if (Object.hasOwn(KnownLanguage, language)) {
return language as KnownLanguage;
}
}
return undefined;
@@ -301,22 +289,22 @@ export function getAuthConfig(
// which we can use to identify them.
if (isAzureConfig(config)) {
return {
tenant_id: config.tenant_id,
client_id: config.client_id,
"tenant-id": config["tenant-id"],
"client-id": config["client-id"],
} satisfies AzureConfig;
} else if (isAWSConfig(config)) {
return {
aws_region: config.aws_region,
account_id: config.account_id,
role_name: config.role_name,
"aws-region": config["aws-region"],
"account-id": config["account-id"],
"role-name": config["role-name"],
domain: config.domain,
domain_owner: config.domain_owner,
"domain-owner": config["domain-owner"],
audience: config.audience,
} satisfies AWSConfig;
} else if (isJFrogConfig(config)) {
return {
jfrog_oidc_provider_name: config.jfrog_oidc_provider_name,
identity_mapping_name: config.identity_mapping_name,
"jfrog-oidc-provider-name": config["jfrog-oidc-provider-name"],
"identity-mapping-name": config["identity-mapping-name"],
audience: config.audience,
} satisfies JFrogConfig;
} else if (isToken(config)) {
@@ -447,15 +435,18 @@ export function getCredentials(
}
// If the password or token looks like a GitHub PAT, warn if no username is configured.
if (
((!hasUsername(authConfig) || !isDefined(authConfig.username)) &&
isUsernamePassword(authConfig) &&
isDefined(authConfig.password) &&
isPAT(authConfig.password)) ||
(isToken(authConfig) &&
isDefined(authConfig.token) &&
isPAT(authConfig.token))
) {
const noUsername =
!hasUsername(authConfig) || !isDefined(authConfig.username);
const passwordIsPAT =
isUsernamePassword(authConfig) &&
isDefined(authConfig.password) &&
isPAT(authConfig.password);
const tokenIsPAT =
isToken(authConfig) &&
isDefined(authConfig.token) &&
isPAT(authConfig.token);
if (noUsername && (passwordIsPAT || tokenIsPAT)) {
logger.warning(
`A ${e.type} private registry is configured for ${e.host || e.url} using a GitHub Personal Access Token (PAT), but no username was provided. ` +
`This may not work correctly. When configuring a private registry using a PAT, select "Username and password" and enter the username of the user ` +
src/start-proxy/types.test.ts
+8 -8
View File
@@ -7,23 +7,23 @@ import * as types from "./types";
setupTests(test);
const validAzureCredential: types.AzureConfig = {
tenant_id: "12345678-1234-1234-1234-123456789012",
client_id: "abcdef01-2345-6789-abcd-ef0123456789",
"tenant-id": "12345678-1234-1234-1234-123456789012",
"client-id": "abcdef01-2345-6789-abcd-ef0123456789",
};
const validAwsCredential: types.AWSConfig = {
aws_region: "us-east-1",
account_id: "123456789012",
role_name: "MY_ROLE",
"aws-region": "us-east-1",
"account-id": "123456789012",
"role-name": "MY_ROLE",
domain: "MY_DOMAIN",
domain_owner: "987654321098",
"domain-owner": "987654321098",
audience: "custom-audience",
};
const validJFrogCredential: types.JFrogConfig = {
jfrog_oidc_provider_name: "MY_PROVIDER",
"jfrog-oidc-provider-name": "MY_PROVIDER",
audience: "jfrog-audience",
identity_mapping_name: "my-mapping",
"identity-mapping-name": "my-mapping",
};
test("credentialToStr - pretty-prints valid username+password configurations", (t) => {
src/start-proxy/types.ts
+34 -31
View File
@@ -59,29 +59,29 @@ export function isToken(
}
/** Configuration for Azure OIDC. */
export type AzureConfig = { tenant_id: string; client_id: string };
export type AzureConfig = { "tenant-id": string; "client-id": string };
/** Decides whether `config` is an Azure OIDC configuration. */
export function isAzureConfig(
config: UnvalidatedObject<AuthConfig>,
): config is AzureConfig {
return (
"tenant_id" in config &&
"client_id" in config &&
isDefined(config.tenant_id) &&
isDefined(config.client_id) &&
json.isString(config.tenant_id) &&
json.isString(config.client_id)
"tenant-id" in config &&
"client-id" in config &&
isDefined(config["tenant-id"]) &&
isDefined(config["client-id"]) &&
json.isString(config["tenant-id"]) &&
json.isString(config["client-id"])
);
}
/** Configuration for AWS OIDC. */
export type AWSConfig = {
aws_region: string;
account_id: string;
role_name: string;
"aws-region": string;
"account-id": string;
"role-name": string;
domain: string;
domain_owner: string;
"domain-owner": string;
audience?: string;
};
@@ -91,11 +91,11 @@ export function isAWSConfig(
): config is AWSConfig {
// All of these properties are required.
const requiredProperties = [
"aws_region",
"account_id",
"role_name",
"aws-region",
"account-id",
"role-name",
"domain",
"domain_owner",
"domain-owner",
];
for (const property of requiredProperties) {
@@ -118,30 +118,30 @@ export function isAWSConfig(
/** Configuration for JFrog OIDC. */
export type JFrogConfig = {
jfrog_oidc_provider_name: string;
"jfrog-oidc-provider-name": string;
audience?: string;
identity_mapping_name?: string;
"identity-mapping-name"?: string;
};
/** Decides whether `config` is a JFrog OIDC configuration. */
export function isJFrogConfig(
config: UnvalidatedObject<AuthConfig>,
): config is JFrogConfig {
// The "audience" and "identity_mapping_name" fields are optional, but should be strings if present.
// The "audience" and "identity-mapping-name" fields are optional, but should be strings if present.
if ("audience" in config && !json.isStringOrUndefined(config.audience)) {
return false;
}
if (
"identity_mapping_name" in config &&
!json.isStringOrUndefined(config.identity_mapping_name)
"identity-mapping-name" in config &&
!json.isStringOrUndefined(config["identity-mapping-name"])
) {
return false;
}
return (
"jfrog_oidc_provider_name" in config &&
isDefined(config.jfrog_oidc_provider_name) &&
json.isString(config.jfrog_oidc_provider_name)
"jfrog-oidc-provider-name" in config &&
isDefined(config["jfrog-oidc-provider-name"]) &&
json.isString(config["jfrog-oidc-provider-name"])
);
}
@@ -189,18 +189,21 @@ export function credentialToStr(credential: Credential): string {
}
if (isAzureConfig(credential)) {
appendIfDefined("Tenant", credential.tenant_id);
appendIfDefined("Client", credential.client_id);
appendIfDefined("Tenant", credential["tenant-id"]);
appendIfDefined("Client", credential["client-id"]);
} else if (isAWSConfig(credential)) {
appendIfDefined("AWS Region", credential.aws_region);
appendIfDefined("AWS Account", credential.account_id);
appendIfDefined("AWS Role", credential.role_name);
appendIfDefined("AWS Region", credential["aws-region"]);
appendIfDefined("AWS Account", credential["account-id"]);
appendIfDefined("AWS Role", credential["role-name"]);
appendIfDefined("AWS Domain", credential.domain);
appendIfDefined("AWS Domain Owner", credential.domain_owner);
appendIfDefined("AWS Domain Owner", credential["domain-owner"]);
appendIfDefined("AWS Audience", credential.audience);
} else if (isJFrogConfig(credential)) {
appendIfDefined("JFrog Provider", credential.jfrog_oidc_provider_name);
appendIfDefined("JFrog Identity Mapping", credential.identity_mapping_name);
appendIfDefined("JFrog Provider", credential["jfrog-oidc-provider-name"]);
appendIfDefined(
"JFrog Identity Mapping",
credential["identity-mapping-name"],
);
appendIfDefined("JFrog Audience", credential.audience);
}
src/status-report.ts
+1 -1
View File
@@ -18,7 +18,7 @@ import { DocUrl } from "./doc-url";
import { EnvVar } from "./environment";
import { getRef } from "./git-utils";
import { Logger } from "./logging";
import { OverlayBaseDatabaseDownloadStats } from "./overlay";
import { OverlayBaseDatabaseDownloadStats } from "./overlay/caching";
import { getRepositoryNwo } from "./repository";
import { ToolsSource } from "./setup-codeql";
import {
src/testing-utils.ts
+60 -43
View File
@@ -21,7 +21,7 @@ import {
FeatureEnablement,
} from "./feature-flags";
import { Logger } from "./logging";
import { OverlayDatabaseMode } from "./overlay";
import { OverlayDatabaseMode } from "./overlay/overlay-database-mode";
import {
DEFAULT_DEBUG_ARTIFACT_NAME,
DEFAULT_DEBUG_DATABASE_NAME,
@@ -185,8 +185,8 @@ export interface LoggedMessage {
export class RecordingLogger implements Logger {
messages: LoggedMessage[] = [];
groups: string[] = [];
unfinishedGroups: Set<string> = new Set();
readonly groups: string[] = [];
readonly unfinishedGroups: Set<string> = new Set();
private currentGroup: string | undefined = undefined;
constructor(private readonly logToConsole: boolean = true) {}
@@ -200,6 +200,19 @@ export class RecordingLogger implements Logger {
}
}
/**
* Checks whether the logged messages contain `messageOrRegExp`.
*
* If `messageOrRegExp` is a string, this function returns true as long as
* `messageOrRegExp` appears as part of one of the `messages`.
*
* If `messageOrRegExp` is a regular expression, this function returns true as long as
* one of the `messages` matches `messageOrRegExp`.
*/
hasMessage(messageOrRegExp: string | RegExp): boolean {
return hasLoggedMessage(this.messages, messageOrRegExp);
}
isDebug() {
return true;
}
@@ -238,41 +251,37 @@ export function getRecordingLogger(
messages: LoggedMessage[],
{ logToConsole }: { logToConsole?: boolean } = { logToConsole: true },
): Logger {
return {
debug: (message: string) => {
messages.push({ type: "debug", message });
if (logToConsole) {
// eslint-disable-next-line no-console
console.debug(message);
}
},
info: (message: string) => {
messages.push({ type: "info", message });
if (logToConsole) {
// eslint-disable-next-line no-console
console.info(message);
}
},
warning: (message: string | Error) => {
messages.push({ type: "warning", message });
if (logToConsole) {
// eslint-disable-next-line no-console
console.warn(message);
}
},
error: (message: string | Error) => {
messages.push({ type: "error", message });
if (logToConsole) {
// eslint-disable-next-line no-console
console.error(message);
}
},
isDebug: () => true,
startGroup: () => undefined,
endGroup: () => undefined,
};
const logger = new RecordingLogger(logToConsole);
logger.messages = messages;
return logger;
}
/**
* Checks whether `messages` contains `messageOrRegExp`.
*
* If `messageOrRegExp` is a string, this function returns true as long as
* `messageOrRegExp` appears as part of one of the `messages`.
*
* If `messageOrRegExp` is a regular expression, this function returns true as long as
* one of the `messages` matches `messageOrRegExp`.
*/
function hasLoggedMessage(
messages: LoggedMessage[],
messageOrRegExp: string | RegExp,
): boolean {
const check = (val: string) =>
typeof messageOrRegExp === "string"
? val.includes(messageOrRegExp)
: messageOrRegExp.test(val);
return messages.some(
(msg) => typeof msg.message === "string" && check(msg.message),
);
}
/**
* Checks that `messages` contains all of `expectedMessages`.
*/
export function checkExpectedLogMessages(
t: ExecutionContext<any>,
messages: LoggedMessage[],
@@ -281,13 +290,7 @@ export function checkExpectedLogMessages(
const missingMessages: string[] = [];
for (const expectedMessage of expectedMessages) {
if (
!messages.some(
(msg) =>
typeof msg.message === "string" &&
msg.message.includes(expectedMessage),
)
) {
if (!hasLoggedMessage(messages, expectedMessage)) {
missingMessages.push(expectedMessage);
}
}
@@ -304,6 +307,20 @@ export function checkExpectedLogMessages(
}
}
/**
* Asserts that `message` should not have been logged to `logger`.
*/
export function assertNotLogged(
t: ExecutionContext<any>,
logger: RecordingLogger,
message: string | RegExp,
) {
t.false(
logger.hasMessage(message),
`'${message}' should not have been logged, but was.`,
);
}
/**
* Initialises a recording logger and calls `body` with it.
*
src/tools-features.ts
-1
View File
@@ -9,7 +9,6 @@ export enum ToolsFeature {
DatabaseInterpretResultsSupportsSarifRunProperty = "databaseInterpretResultsSupportsSarifRunProperty",
ForceOverwrite = "forceOverwrite",
IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
PythonDefaultIsToNotExtractStdlib = "pythonDefaultIsToNotExtractStdlib",
SuppressesMissingFileBaselineWarning = "suppressesMissingFileBaselineWarning",
}
src/trap-caching.ts
+4
View File
@@ -185,6 +185,10 @@ export async function cleanupTrapCaches(
trap_cache_cleanup_skipped_because: "feature disabled",
};
}
logger.warning(
"TRAP cache cleanup is deprecated and will be removed in May 2026. " +
"We recommend instead disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action.",
);
if (!(await gitUtils.isAnalyzingDefaultBranch())) {
return {
trap_cache_cleanup_skipped_because: "not analyzing default branch",
tsconfig.json
+10 -1
View File
@@ -4,9 +4,11 @@
"lib": ["ES2022"],
"target": "ES2022",
"module": "commonjs",
"moduleResolution": "bundler",
"outDir": "./build",
"rootDir": "./src",
"sourceMap": true,
"types": ["node"],
/* Strict Type-Checking Options */
"strict": true, /* Enable all strict type-checking options. */
@@ -16,7 +18,6 @@
"strictBindCallApply": true, /* Enable strict 'bind', 'call', and 'apply' methods on functions. */
"strictPropertyInitialization": true, /* Enable strict checking of property initialization in classes. */
"noImplicitThis": true, /* Raise error on 'this' expressions with an implied 'any' type. */
"alwaysStrict": true, /* Parse in strict mode and emit "use strict" for each source file. */
/* Additional Checks */
"noUnusedLocals": false, /* Report errors on unused locals. */
@@ -27,6 +28,14 @@
/* Module Resolution Options */
"esModuleInterop": true, /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
"resolveJsonModule": true,
"skipLibCheck": true,
// @actions/github imports this path from @octokit/core but it's not in @octokit/core's
// exports map (only "@octokit/core/types" is). Under moduleResolution: "bundler", TypeScript
// checks exports maps and can't find it, causing all GitHub/Octokit types to degrade to `any`.
// This paths override restores the direct filesystem resolution that moduleResolution: "node10" used.
"paths": {
"@octokit/core/dist-types/types": ["./node_modules/@octokit/core/dist-types/types.d.ts"]
},
},
"exclude": ["node_modules", "pr-checks"]
}