Changes from CR

Óscar San José
2026-04-15 11:45:57 +02:00
parent 3b0b845f42
commit 8c41253947
15 changed files with 376 additions and 203 deletions
+1 -1
@@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
## [UNRELEASED]
No user facing changes.
- Organizations can now create a custom repository property with the name `github-codeql-tools` to control the CodeQL CLI tools input at the repository level. When this property is set to a valid tools input value (such as `"toolcache"`, `"latest"`, or a specific version), it will override the default tools configuration for that repository. This allows organization administrators to standardize CodeQL CLI versions across repositories or enable toolcache usage on repositories where it would otherwise be restricted. For more information on creating custom repository properties, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
## 4.34.1 - 20 Mar 2026
+29 -17
@@ -109538,7 +109538,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
);
} else {
logger.info(
`Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
`Using the latest CodeQL CLI nightly, as requested.`
);
}
toolsInput = await getNightlyToolsUrl(logger);
@@ -109560,15 +109560,16 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
const allowToolcacheValueFF = await features.getValue(
"allow_toolcache_input" /* AllowToolcacheInput */
);
const allowToolcacheValue = toolsInputFromRepositoryProperty || allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
const allowToolcacheValue = toolsInputFromRepositoryProperty || // Repository properties bypass all restrictions
allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the 'github-codeql-tools' repository property.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the '${"github-codeql-tools" /* TOOLS */}' repository property.`
);
} else {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested.`
);
}
latestToolcacheVersion = getLatestToolcacheVersion(logger);
@@ -109580,7 +109581,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Found no CodeQL CLI in the toolcache, ignoring the 'github-codeql-tools' repository property...`
`Found no CodeQL CLI in the toolcache, ignoring the '${"github-codeql-tools" /* TOOLS */}' repository property...`
);
} else {
logger.info(
@@ -109593,7 +109594,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
`Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
);
} else {
logger.info(
logger.warning(
`Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
);
}
@@ -109980,7 +109981,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion, toolsInputFromRepositoryProperty = false) {
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
try {
const {
codeqlFolder,
@@ -109995,8 +109996,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
variant,
defaultCliVersion,
features,
logger,
toolsInputFromRepositoryProperty
logger
);
logger.debug(
`Bundle download status report: ${JSON.stringify(
@@ -112694,7 +112694,7 @@ var core14 = __toESM(require_core());
var toolrunner4 = __toESM(require_toolrunner());
var github2 = __toESM(require_github());
var io6 = __toESM(require_io());
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, toolsInputFromRepositoryProperty = false) {
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
logger.startGroup("Setup CodeQL tools");
const {
codeql,
@@ -112710,8 +112710,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
defaultCliVersion,
features,
logger,
true,
toolsInputFromRepositoryProperty
true
);
await codeql.printVersion();
logger.endGroup();
@@ -113248,20 +113247,33 @@ async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
);
break;
}
if (!response) {
logger.warning(
"Unable to check analysis status due to missing response. It should still be processed in the background."
);
break;
}
const status = response.data.processing_status;
logger.info(`Analysis upload status is ${status}.`);
if (status === "pending") {
logger.debug("Analysis processing is still pending...");
} else if (options.isUnsuccessfulExecution) {
handleProcessingResultForUnsuccessfulExecution(
response,
status,
logger
);
if (response) {
handleProcessingResultForUnsuccessfulExecution(
response,
status,
logger
);
}
break;
} else if (status === "complete") {
break;
} else if (status === "failed") {
if (!response) {
throw new Error(
"Code Scanning could not process the submitted SARIF file: Unable to retrieve error details."
);
}
const message = `Code Scanning could not process the submitted SARIF file:
${response.data.errors}`;
const processingErrors = response.data.errors;
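Review bot: In the `waitForProcessing` hunk, `const status = response.data.processing_status;` dereferences `response` unconditionally, yet the branches below it still test `if (response)` before calling `handleProcessingResultForUnsuccessfulExecution` and `if (!response)` before throwing in the `failed` case. If the early `if (!response) { logger.warning(...); break; }` block is on the new side, as the hunk's line counts suggest, those later tests are dead after that guard and should be dropped so the control flow reads as one check; if it is not, the dereference throws a TypeError before either test can run. Either way the change belongs in the TypeScript source this bundle is built from rather than in `lib/`, and the identical hunk appears again in the next file section. The enclosing `waitForProcessing` function starts and ends outside the hunk.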
+29 -17
@@ -167091,7 +167091,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
);
} else {
logger.info(
`Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
`Using the latest CodeQL CLI nightly, as requested.`
);
}
toolsInput = await getNightlyToolsUrl(logger);
@@ -167113,15 +167113,16 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
const allowToolcacheValueFF = await features.getValue(
"allow_toolcache_input" /* AllowToolcacheInput */
);
const allowToolcacheValue = toolsInputFromRepositoryProperty || allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
const allowToolcacheValue = toolsInputFromRepositoryProperty || // Repository properties bypass all restrictions
allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the 'github-codeql-tools' repository property.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the '${"github-codeql-tools" /* TOOLS */}' repository property.`
);
} else {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested.`
);
}
latestToolcacheVersion = getLatestToolcacheVersion(logger);
@@ -167133,7 +167134,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Found no CodeQL CLI in the toolcache, ignoring the 'github-codeql-tools' repository property...`
`Found no CodeQL CLI in the toolcache, ignoring the '${"github-codeql-tools" /* TOOLS */}' repository property...`
);
} else {
logger.info(
@@ -167146,7 +167147,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
`Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
);
} else {
logger.info(
logger.warning(
`Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
);
}
@@ -167500,7 +167501,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion, toolsInputFromRepositoryProperty = false) {
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
try {
const {
codeqlFolder,
@@ -167515,8 +167516,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
variant,
defaultCliVersion,
features,
logger,
toolsInputFromRepositoryProperty
logger
);
logger.debug(
`Bundle download status report: ${JSON.stringify(
@@ -169771,7 +169771,7 @@ var core14 = __toESM(require_core());
var toolrunner4 = __toESM(require_toolrunner());
var github2 = __toESM(require_github());
var io6 = __toESM(require_io());
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, toolsInputFromRepositoryProperty = false) {
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
logger.startGroup("Setup CodeQL tools");
const {
codeql,
@@ -169787,8 +169787,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
defaultCliVersion,
features,
logger,
true,
toolsInputFromRepositoryProperty
true
);
await codeql.printVersion();
logger.endGroup();
@@ -170296,20 +170295,33 @@ async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
);
break;
}
if (!response) {
logger.warning(
"Unable to check analysis status due to missing response. It should still be processed in the background."
);
break;
}
const status = response.data.processing_status;
logger.info(`Analysis upload status is ${status}.`);
if (status === "pending") {
logger.debug("Analysis processing is still pending...");
} else if (options.isUnsuccessfulExecution) {
handleProcessingResultForUnsuccessfulExecution(
response,
status,
logger
);
if (response) {
handleProcessingResultForUnsuccessfulExecution(
response,
status,
logger
);
}
break;
} else if (status === "complete") {
break;
} else if (status === "failed") {
if (!response) {
throw new Error(
"Code Scanning could not process the submitted SARIF file: Unable to retrieve error details."
);
}
const message = `Code Scanning could not process the submitted SARIF file:
${response.data.errors}`;
const processingErrors = response.data.errors;
+35 -20
@@ -104077,6 +104077,19 @@ var getOptionalInput = function(name) {
const value = core4.getInput(name);
return value.length > 0 ? value : void 0;
};
function resolveToolsInput(repositoryProperties, toolsPropertyName, logger) {
const toolsWorkflowInput = getOptionalInput("tools");
const toolsPropertyValue = repositoryProperties[toolsPropertyName];
const effectiveToolsInput = toolsWorkflowInput ?? toolsPropertyValue;
if (effectiveToolsInput) {
if (toolsWorkflowInput) {
logger.info(`Setting tools: ${effectiveToolsInput} based on workflow input.`);
} else {
logger.info(`Setting tools: ${effectiveToolsInput} based on the '${toolsPropertyName}' repository property.`);
}
}
return effectiveToolsInput;
}
function getTemporaryDirectory() {
const value = process.env["CODEQL_ACTION_TEMP"];
return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
@@ -108225,7 +108238,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
);
} else {
logger.info(
`Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
`Using the latest CodeQL CLI nightly, as requested.`
);
}
toolsInput = await getNightlyToolsUrl(logger);
@@ -108247,15 +108260,16 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
const allowToolcacheValueFF = await features.getValue(
"allow_toolcache_input" /* AllowToolcacheInput */
);
const allowToolcacheValue = toolsInputFromRepositoryProperty || allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
const allowToolcacheValue = toolsInputFromRepositoryProperty || // Repository properties bypass all restrictions
allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the 'github-codeql-tools' repository property.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the '${"github-codeql-tools" /* TOOLS */}' repository property.`
);
} else {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested.`
);
}
latestToolcacheVersion = getLatestToolcacheVersion(logger);
@@ -108267,7 +108281,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Found no CodeQL CLI in the toolcache, ignoring the 'github-codeql-tools' repository property...`
`Found no CodeQL CLI in the toolcache, ignoring the '${"github-codeql-tools" /* TOOLS */}' repository property...`
);
} else {
logger.info(
@@ -108280,7 +108294,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
`Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
);
} else {
logger.info(
logger.warning(
`Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
);
}
@@ -108656,7 +108670,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion, toolsInputFromRepositoryProperty = false) {
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
try {
const {
codeqlFolder,
@@ -108671,8 +108685,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
variant,
defaultCliVersion,
features,
logger,
toolsInputFromRepositoryProperty
logger
);
logger.debug(
`Bundle download status report: ${JSON.stringify(
@@ -109260,7 +109273,7 @@ async function getJobRunUuidSarifOptions(codeql) {
}
// src/init.ts
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, toolsInputFromRepositoryProperty = false) {
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
logger.startGroup("Setup CodeQL tools");
const {
codeql,
@@ -109276,8 +109289,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
defaultCliVersion,
features,
logger,
true,
toolsInputFromRepositoryProperty
true
);
await codeql.printVersion();
logger.endGroup();
@@ -109948,7 +109960,7 @@ async function sendStartingStatusReport(startedAt, config, logger) {
await sendStatusReport(statusReportBase);
}
}
async function sendCompletedStatusReport(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, overlayBaseDatabaseStats, dependencyCachingResults, logger, error3) {
async function sendCompletedStatusReport(startedAt, config, configFile, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, effectiveToolsInput, overlayBaseDatabaseStats, dependencyCachingResults, logger, error3) {
const statusReportBase = await createStatusReportBase(
"init" /* Init */,
getActionsStatus(error3),
@@ -109965,7 +109977,7 @@ async function sendCompletedStatusReport(startedAt, config, configFile, toolsDow
const workflowLanguages = getOptionalInput("languages");
const initStatusReport = {
...statusReportBase,
tools_input: getOptionalInput("tools") || "",
tools_input: effectiveToolsInput || "",
tools_resolved_version: toolsVersion,
tools_source: toolsSource || "UNKNOWN" /* Unknown */,
workflow_languages: workflowLanguages || ""
@@ -110009,6 +110021,7 @@ async function run(startedAt) {
let toolsSource;
let toolsVersion;
let zstdAvailability;
let effectiveToolsInput;
try {
initializeEnvironment(getActionVersion());
persistInputs();
@@ -110059,10 +110072,11 @@ async function run(startedAt) {
gitHubVersion.type
);
toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
const toolsWorkflowInput = getOptionalInput("tools");
const toolsPropertyValue = repositoryPropertiesResult.orElse({})["github-codeql-tools" /* TOOLS */];
const effectiveToolsInput = toolsWorkflowInput ?? toolsPropertyValue;
const toolsInputFromRepositoryProperty = toolsWorkflowInput === void 0 && toolsPropertyValue !== void 0;
effectiveToolsInput = resolveToolsInput(
repositoryPropertiesResult.orElse({}),
"github-codeql-tools" /* TOOLS */,
logger
);
const initCodeQLResult = await initCodeQL(
effectiveToolsInput,
apiDetails,
@@ -110070,8 +110084,7 @@ async function run(startedAt) {
gitHubVersion.type,
codeQLDefaultVersionInfo,
features,
logger,
toolsInputFromRepositoryProperty
logger
);
codeql = initCodeQLResult.codeql;
toolsDownloadStatusReport = initCodeQLResult.toolsDownloadStatusReport;
@@ -110406,6 +110419,7 @@ exec ${goBinaryPath} "$@"`
toolsFeatureFlagsValid,
toolsSource,
toolsVersion,
effectiveToolsInput,
overlayBaseDatabaseStats,
dependencyCachingStatus,
logger,
@@ -110423,6 +110437,7 @@ exec ${goBinaryPath} "$@"`
toolsFeatureFlagsValid,
toolsSource,
toolsVersion,
effectiveToolsInput,
overlayBaseDatabaseStats,
dependencyCachingStatus,
logger
+156 -35
@@ -100236,7 +100236,7 @@ var require_follow_redirects = __commonJS({
if (this._ending) {
throw new WriteAfterEndError();
}
if (!isString2(data) && !isBuffer(data)) {
if (!isString3(data) && !isBuffer(data)) {
throw new TypeError("data should be a string, Buffer or Uint8Array");
}
if (isFunction(encoding)) {
@@ -100491,7 +100491,7 @@ var require_follow_redirects = __commonJS({
function request2(input, options, callback) {
if (isURL(input)) {
input = spreadUrlObject(input);
} else if (isString2(input)) {
} else if (isString3(input)) {
input = spreadUrlObject(parseUrl2(input));
} else {
callback = options;
@@ -100507,7 +100507,7 @@ var require_follow_redirects = __commonJS({
maxBodyLength: exports3.maxBodyLength
}, input, options);
options.nativeProtocols = nativeProtocols;
if (!isString2(options.host) && !isString2(options.hostname)) {
if (!isString3(options.host) && !isString3(options.hostname)) {
options.hostname = "::1";
}
assert.equal(options.protocol, protocol, "protocol mismatch");
@@ -100534,7 +100534,7 @@ var require_follow_redirects = __commonJS({
parsed = new URL2(input);
} else {
parsed = validateUrl(url.parse(input));
if (!isString2(parsed.protocol)) {
if (!isString3(parsed.protocol)) {
throw new InvalidUrlError({ input });
}
}
@@ -100606,11 +100606,11 @@ var require_follow_redirects = __commonJS({
request2.destroy(error3);
}
function isSubdomain(subdomain, domain) {
assert(isString2(subdomain) && isString2(domain));
assert(isString3(subdomain) && isString3(domain));
var dot = subdomain.length - domain.length - 1;
return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
}
function isString2(value) {
function isString3(value) {
return typeof value === "string" || value instanceof String;
}
function isFunction(value) {
@@ -103620,6 +103620,19 @@ var getOptionalInput = function(name) {
const value = core4.getInput(name);
return value.length > 0 ? value : void 0;
};
function resolveToolsInput(repositoryProperties, toolsPropertyName, logger) {
const toolsWorkflowInput = getOptionalInput("tools");
const toolsPropertyValue = repositoryProperties[toolsPropertyName];
const effectiveToolsInput = toolsWorkflowInput ?? toolsPropertyValue;
if (effectiveToolsInput) {
if (toolsWorkflowInput) {
logger.info(`Setting tools: ${effectiveToolsInput} based on workflow input.`);
} else {
logger.info(`Setting tools: ${effectiveToolsInput} based on the '${toolsPropertyName}' repository property.`);
}
}
return effectiveToolsInput;
}
function getTemporaryDirectory() {
const value = process.env["CODEQL_ACTION_TEMP"];
return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
@@ -103936,6 +103949,12 @@ async function getAnalysisKey() {
core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey);
return analysisKey;
}
async function getRepositoryProperties(repositoryNwo) {
return getApiClient().request("GET /repos/:owner/:repo/properties/values", {
owner: repositoryNwo.owner,
repo: repositoryNwo.repo
});
}
function isEnablementError(msg) {
return [
/Code Security must be enabled/i,
@@ -104794,6 +104813,112 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) {
}
}
// src/feature-flags/properties.ts
var GITHUB_CODEQL_PROPERTY_PREFIX = "github-codeql-";
var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
RepositoryPropertyName2["TOOLS"] = "github-codeql-tools";
return RepositoryPropertyName2;
})(RepositoryPropertyName || {});
function isString2(value) {
return typeof value === "string";
}
var stringProperty = {
validate: isString2,
parse: parseStringRepositoryProperty
};
var booleanProperty = {
// The value from the API should come as a string, which we then parse into a boolean.
validate: isString2,
parse: parseBooleanRepositoryProperty
};
var repositoryPropertyParsers = {
["github-codeql-disable-overlay" /* DISABLE_OVERLAY */]: booleanProperty,
["github-codeql-extra-queries" /* EXTRA_QUERIES */]: stringProperty,
["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty,
["github-codeql-tools" /* TOOLS */]: stringProperty
};
async function loadPropertiesFromApi(logger, repositoryNwo) {
try {
const response = await getRepositoryProperties(repositoryNwo);
const remoteProperties = response.data;
if (!Array.isArray(remoteProperties)) {
throw new Error(
`Expected repository properties API to return an array, but got: ${JSON.stringify(response.data)}`
);
}
logger.debug(
`Retrieved ${remoteProperties.length} repository properties: ${remoteProperties.map((p) => p.property_name).join(", ")}`
);
const properties = {};
const unrecognisedProperties = [];
for (const property of remoteProperties) {
if (property.property_name === void 0) {
throw new Error(
`Expected repository property object to have a 'property_name', but got: ${JSON.stringify(property)}`
);
}
if (isKnownPropertyName(property.property_name)) {
setProperty2(properties, property.property_name, property.value, logger);
} else if (property.property_name.startsWith(GITHUB_CODEQL_PROPERTY_PREFIX) && !isDynamicWorkflow()) {
unrecognisedProperties.push(property.property_name);
}
}
if (Object.keys(properties).length === 0) {
logger.debug("No known repository properties were found.");
} else {
logger.debug(
"Loaded the following values for the repository properties:"
);
for (const [property, value] of Object.entries(properties).sort(
([nameA], [nameB]) => nameA.localeCompare(nameB)
)) {
logger.debug(` ${property}: ${value}`);
}
}
if (unrecognisedProperties.length > 0) {
const unrecognisedPropertyList = unrecognisedProperties.map((name) => `'${name}'`).join(", ");
logger.warning(
`Found repository properties (${unrecognisedPropertyList}), which look like CodeQL Action repository properties, but which are not understood by this version of the CodeQL Action. Do you need to update to a newer version?`
);
}
return properties;
} catch (e) {
throw new Error(
`Encountered an error while trying to determine repository properties: ${e}`
);
}
}
function setProperty2(properties, name, value, logger) {
const propertyOptions = repositoryPropertyParsers[name];
if (propertyOptions.validate(value)) {
properties[name] = propertyOptions.parse(name, value, logger);
} else {
throw new Error(
`Unexpected value for repository property '${name}' (${typeof value}), got: ${JSON.stringify(value)}`
);
}
}
function parseBooleanRepositoryProperty(name, value, logger) {
if (value !== "true" && value !== "false") {
logger.warning(
`Repository property '${name}' has unexpected value '${value}'. Expected 'true' or 'false'. Defaulting to false.`
);
}
return value === "true";
}
function parseStringRepositoryProperty(_name, value) {
return value;
}
var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
Object.values(RepositoryPropertyName)
);
function isKnownPropertyName(name) {
return KNOWN_REPOSITORY_PROPERTY_NAMES.has(name);
}
// src/init.ts
var core12 = __toESM(require_core());
var toolrunner4 = __toESM(require_toolrunner());
@@ -105063,20 +105188,6 @@ var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
// src/config/db-config.ts
var jsonschema = __toESM(require_lib2());
var semver5 = __toESM(require_semver2());
// src/feature-flags/properties.ts
var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => {
RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay";
RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries";
RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs";
RepositoryPropertyName2["TOOLS"] = "github-codeql-tools";
return RepositoryPropertyName2;
})(RepositoryPropertyName || {});
var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set(
Object.values(RepositoryPropertyName)
);
// src/config/db-config.ts
var PACK_IDENTIFIER_PATTERN = (function() {
const alphaNumeric = "[a-z0-9]";
const alphaNumericDash = "[a-z0-9-]";
@@ -105705,7 +105816,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
);
} else {
logger.info(
`Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
`Using the latest CodeQL CLI nightly, as requested.`
);
}
toolsInput = await getNightlyToolsUrl(logger);
@@ -105727,15 +105838,16 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
const allowToolcacheValueFF = await features.getValue(
"allow_toolcache_input" /* AllowToolcacheInput */
);
const allowToolcacheValue = toolsInputFromRepositoryProperty || allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
const allowToolcacheValue = toolsInputFromRepositoryProperty || // Repository properties bypass all restrictions
allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the 'github-codeql-tools' repository property.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the '${"github-codeql-tools" /* TOOLS */}' repository property.`
);
} else {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested.`
);
}
latestToolcacheVersion = getLatestToolcacheVersion(logger);
@@ -105747,7 +105859,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Found no CodeQL CLI in the toolcache, ignoring the 'github-codeql-tools' repository property...`
`Found no CodeQL CLI in the toolcache, ignoring the '${"github-codeql-tools" /* TOOLS */}' repository property...`
);
} else {
logger.info(
@@ -105760,7 +105872,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
`Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
);
} else {
logger.info(
logger.warning(
`Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
);
}
@@ -106114,7 +106226,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion, toolsInputFromRepositoryProperty = false) {
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
try {
const {
codeqlFolder,
@@ -106129,8 +106241,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
variant,
defaultCliVersion,
features,
logger,
toolsInputFromRepositoryProperty
logger
);
logger.debug(
`Bundle download status report: ${JSON.stringify(
@@ -106718,7 +106829,7 @@ async function getJobRunUuidSarifOptions(codeql) {
}
// src/init.ts
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, toolsInputFromRepositoryProperty = false) {
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
logger.startGroup("Setup CodeQL tools");
const {
codeql,
@@ -106734,8 +106845,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
defaultCliVersion,
features,
logger,
true,
toolsInputFromRepositoryProperty
true
);
await codeql.printVersion();
logger.endGroup();
@@ -106956,7 +107066,7 @@ async function sendUnhandledErrorStatusReport(actionName, actionStartedAt, error
}
// src/setup-codeql-action.ts
async function sendCompletedStatusReport(startedAt, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger, error3) {
async function sendCompletedStatusReport(startedAt, toolsDownloadStatusReport, toolsFeatureFlagsValid, toolsSource, toolsVersion, effectiveToolsInput, logger, error3) {
const statusReportBase = await createStatusReportBase(
"setup-codeql" /* SetupCodeQL */,
getActionsStatus(error3),
@@ -106972,7 +107082,7 @@ async function sendCompletedStatusReport(startedAt, toolsDownloadStatusReport, t
}
const initStatusReport = {
...statusReportBase,
tools_input: getOptionalInput("tools") || "",
tools_input: effectiveToolsInput || "",
tools_resolved_version: toolsVersion,
tools_source: toolsSource || "UNKNOWN" /* Unknown */,
workflow_languages: ""
@@ -106993,6 +107103,7 @@ async function run(startedAt) {
let toolsFeatureFlagsValid;
let toolsSource;
let toolsVersion;
let effectiveToolsInput;
try {
initializeEnvironment(getActionVersion());
const apiDetails = {
@@ -107011,6 +107122,10 @@ async function run(startedAt) {
getTemporaryDirectory(),
logger
);
const repositoryPropertiesResult = await loadPropertiesFromApi(
logger,
repositoryNwo
);
const jobRunUuid = v4_default();
logger.info(`Job run UUID is ${jobRunUuid}.`);
core14.exportVariable("JOB_RUN_UUID" /* JOB_RUN_UUID */, jobRunUuid);
@@ -107029,8 +107144,13 @@ async function run(startedAt) {
gitHubVersion.type
);
toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
effectiveToolsInput = resolveToolsInput(
repositoryPropertiesResult,
"github-codeql-tools" /* TOOLS */,
logger
);
const initCodeQLResult = await initCodeQL(
getOptionalInput("tools"),
effectiveToolsInput,
apiDetails,
getTemporaryDirectory(),
gitHubVersion.type,
@@ -107069,6 +107189,7 @@ async function run(startedAt) {
toolsFeatureFlagsValid,
toolsSource,
toolsVersion,
effectiveToolsInput,
logger
);
}
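Review bot: In the `run` hunk under `// src/setup-codeql-action.ts`, `loadPropertiesFromApi(logger, repositoryNwo)` is awaited unconditionally and its raw result is passed to `resolveToolsInput`, whereas the init bundle in the previous section appears to wrap the same lookup in a result and calls `repositoryPropertiesResult.orElse({})`. As bundled here, `loadPropertiesFromApi` rethrows on any failure (`Encountered an error while trying to determine repository properties: ...`), so a token that cannot read custom repository properties, or an instance where that endpoint is unavailable, now fails the setup-codeql action outright instead of falling back to the `tools` workflow input. Consider the same tolerant handling as in init, or catching the error, logging it at warning level and continuing with `{}`; the fix belongs in the TypeScript source, not in `lib/`. The `run` function starts and ends outside the hunk.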
+29 -17
@@ -108394,7 +108394,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
);
} else {
logger.info(
`Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
`Using the latest CodeQL CLI nightly, as requested.`
);
}
toolsInput = await getNightlyToolsUrl(logger);
@@ -108416,15 +108416,16 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
const allowToolcacheValueFF = await features.getValue(
"allow_toolcache_input" /* AllowToolcacheInput */
);
const allowToolcacheValue = toolsInputFromRepositoryProperty || allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
const allowToolcacheValue = toolsInputFromRepositoryProperty || // Repository properties bypass all restrictions
allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the 'github-codeql-tools' repository property.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the '${"github-codeql-tools" /* TOOLS */}' repository property.`
);
} else {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested.`
);
}
latestToolcacheVersion = getLatestToolcacheVersion(logger);
@@ -108436,7 +108437,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Found no CodeQL CLI in the toolcache, ignoring the 'github-codeql-tools' repository property...`
`Found no CodeQL CLI in the toolcache, ignoring the '${"github-codeql-tools" /* TOOLS */}' repository property...`
);
} else {
logger.info(
@@ -108449,7 +108450,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
`Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
);
} else {
logger.info(
logger.warning(
`Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
);
}
@@ -108803,7 +108804,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion, toolsInputFromRepositoryProperty = false) {
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
try {
const {
codeqlFolder,
@@ -108818,8 +108819,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
variant,
defaultCliVersion,
features,
logger,
toolsInputFromRepositoryProperty
logger
);
logger.debug(
`Bundle download status report: ${JSON.stringify(
@@ -110539,7 +110539,7 @@ var core12 = __toESM(require_core());
var toolrunner4 = __toESM(require_toolrunner());
var github2 = __toESM(require_github());
var io5 = __toESM(require_io());
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, toolsInputFromRepositoryProperty = false) {
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
logger.startGroup("Setup CodeQL tools");
const {
codeql,
@@ -110555,8 +110555,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
defaultCliVersion,
features,
logger,
true,
toolsInputFromRepositoryProperty
true
);
await codeql.printVersion();
logger.endGroup();
@@ -111140,20 +111139,33 @@ async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
);
break;
}
if (!response) {
logger.warning(
"Unable to check analysis status due to missing response. It should still be processed in the background."
);
break;
}
const status = response.data.processing_status;
logger.info(`Analysis upload status is ${status}.`);
if (status === "pending") {
logger.debug("Analysis processing is still pending...");
} else if (options.isUnsuccessfulExecution) {
handleProcessingResultForUnsuccessfulExecution(
response,
status,
logger
);
if (response) {
handleProcessingResultForUnsuccessfulExecution(
response,
status,
logger
);
}
break;
} else if (status === "complete") {
break;
} else if (status === "failed") {
if (!response) {
throw new Error(
"Code Scanning could not process the submitted SARIF file: Unable to retrieve error details."
);
}
const message = `Code Scanning could not process the submitted SARIF file:
${response.data.errors}`;
const processingErrors = response.data.errors;
+29 -17
@@ -109056,7 +109056,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
);
} else {
logger.info(
`Using the latest CodeQL CLI nightly, as requested by 'tools: ${toolsInput}'.`
`Using the latest CodeQL CLI nightly, as requested.`
);
}
toolsInput = await getNightlyToolsUrl(logger);
@@ -109078,15 +109078,16 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
const allowToolcacheValueFF = await features.getValue(
"allow_toolcache_input" /* AllowToolcacheInput */
);
const allowToolcacheValue = toolsInputFromRepositoryProperty || allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
const allowToolcacheValue = toolsInputFromRepositoryProperty || // Repository properties bypass all restrictions
allowToolcacheValueFF && (isDynamicWorkflow() || isInTestMode());
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the 'github-codeql-tools' repository property.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the '${"github-codeql-tools" /* TOOLS */}' repository property.`
);
} else {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested.`
);
}
latestToolcacheVersion = getLatestToolcacheVersion(logger);
@@ -109098,7 +109099,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
if (allowToolcacheValue) {
if (toolsInputFromRepositoryProperty) {
logger.info(
`Found no CodeQL CLI in the toolcache, ignoring the 'github-codeql-tools' repository property...`
`Found no CodeQL CLI in the toolcache, ignoring the '${"github-codeql-tools" /* TOOLS */}' repository property...`
);
} else {
logger.info(
@@ -109111,7 +109112,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
`Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`
);
} else {
logger.info(
logger.warning(
`Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`
);
}
@@ -109465,7 +109466,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.17.6";
var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.13";
var GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion, toolsInputFromRepositoryProperty = false) {
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
try {
const {
codeqlFolder,
@@ -109480,8 +109481,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
variant,
defaultCliVersion,
features,
logger,
toolsInputFromRepositoryProperty
logger
);
logger.debug(
`Bundle download status report: ${JSON.stringify(
@@ -111201,7 +111201,7 @@ var core13 = __toESM(require_core());
var toolrunner4 = __toESM(require_toolrunner());
var github2 = __toESM(require_github());
var io5 = __toESM(require_io());
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, toolsInputFromRepositoryProperty = false) {
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) {
logger.startGroup("Setup CodeQL tools");
const {
codeql,
@@ -111217,8 +111217,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
defaultCliVersion,
features,
logger,
true,
toolsInputFromRepositoryProperty
true
);
await codeql.printVersion();
logger.endGroup();
@@ -111684,20 +111683,33 @@ async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
);
break;
}
if (!response) {
logger.warning(
"Unable to check analysis status due to missing response. It should still be processed in the background."
);
break;
}
const status = response.data.processing_status;
logger.info(`Analysis upload status is ${status}.`);
if (status === "pending") {
logger.debug("Analysis processing is still pending...");
} else if (options.isUnsuccessfulExecution) {
handleProcessingResultForUnsuccessfulExecution(
response,
status,
logger
);
if (response) {
handleProcessingResultForUnsuccessfulExecution(
response,
status,
logger
);
}
break;
} else if (status === "complete") {
break;
} else if (status === "failed") {
if (!response) {
throw new Error(
"Code Scanning could not process the submitted SARIF file: Unable to retrieve error details."
);
}
const message = `Code Scanning could not process the submitted SARIF file:
${response.data.errors}`;
const processingErrors = response.data.errors;
+15 -12
@@ -53,26 +53,29 @@ export const getOptionalInput = function (name: string): string | undefined {
*
* @param repositoryProperties - The loaded repository properties object
* @param toolsPropertyName - The name of the tools property to look up
* @returns An object containing the effective tools input and whether it came from repository property
* @param logger - Logger for outputting resolution messages
* @returns The effective tools input value
*/
export function resolveToolsInput(
repositoryProperties: Record<string, any>,
toolsPropertyName: string,
): {
effectiveToolsInput: string | undefined;
toolsInputFromRepositoryProperty: boolean;
} {
logger: Logger,
): string | undefined {
const toolsWorkflowInput = getOptionalInput("tools");
const toolsPropertyValue: string | undefined =
repositoryProperties[toolsPropertyName];
const effectiveToolsInput = toolsWorkflowInput ?? toolsPropertyValue;
const toolsInputFromRepositoryProperty =
toolsWorkflowInput === undefined && toolsPropertyValue !== undefined;
return {
effectiveToolsInput,
toolsInputFromRepositoryProperty,
};
// Log the source of the tools input for transparency
if (effectiveToolsInput) {
if (toolsWorkflowInput) {
logger.info(`Setting tools: ${effectiveToolsInput} based on workflow input.`);
} else {
logger.info(`Setting tools: ${effectiveToolsInput} based on the '${toolsPropertyName}' repository property.`);
}
}
return effectiveToolsInput;
}
export function getTemporaryDirectory(): string {
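Review bot: `repositoryProperties` is typed `Record<string, any>`, so the annotation on `const toolsPropertyValue: string | undefined =` is an unchecked assertion: a custom property whose value is not a string would be returned as the effective tools input and, judging by the comment in getCodeQLSource further down, then treated as a version, URL or local path. Narrow at runtime before using it, e.g. `const raw: unknown = repositoryProperties[toolsPropertyName];` followed by `const toolsPropertyValue = typeof raw === "string" && raw.length > 0 ? raw : undefined;`, and consider typing the parameter `Record<string, unknown>`. Because the property value is consumed exactly like the `tools` workflow input, the TSDoc should also say so, since it changes who can redirect the CLI source: `@remarks The property value is not validated here and is interpreted exactly like the \`tools\` workflow input (version, URL or local path).`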
-2
@@ -323,7 +323,6 @@ export async function setupCodeQL(
features: FeatureEnablement,
logger: Logger,
checkVersion: boolean,
toolsInputFromRepositoryProperty: boolean,
): Promise<{
codeql: CodeQL;
toolsDownloadStatusReport?: ToolsDownloadStatusReport;
@@ -346,7 +345,6 @@ export async function setupCodeQL(
defaultCliVersion,
features,
logger,
toolsInputFromRepositoryProperty,
);
logger.debug(
+2 -5
@@ -305,13 +305,11 @@ async function run(startedAt: Date) {
// Determine the effective tools input.
// The explicit `tools` workflow input takes precedence. If none is provided,
// fall back to the 'github-codeql-tools' repository property (if set).
const resolvedToolsInput = resolveToolsInput(
effectiveToolsInput = resolveToolsInput(
repositoryPropertiesResult.orElse({}),
RepositoryPropertyName.TOOLS,
logger,
);
effectiveToolsInput = resolvedToolsInput.effectiveToolsInput;
const toolsInputFromRepositoryProperty =
resolvedToolsInput.toolsInputFromRepositoryProperty;
const initCodeQLResult = await initCodeQL(
effectiveToolsInput,
@@ -321,7 +319,6 @@ async function run(startedAt: Date) {
codeQLDefaultVersionInfo,
features,
logger,
toolsInputFromRepositoryProperty,
);
codeql = initCodeQLResult.codeql;
toolsDownloadStatusReport = initCodeQLResult.toolsDownloadStatusReport;
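Review bot: With `toolsInputFromRepositoryProperty` no longer passed to `initCodeQL` here, and likewise in the other `run` section below that starts with `effectiveToolsInput = resolveToolsInput(`, the flag seems to reach `getCodeQLSource` only through the new `= false` defaults in setup-codeql.ts, so the repository-property branches there (the feature-flag bypass and the property-specific log lines) look unreachable from the action unless some caller not in this diff sets it. If that is intended, a property-set `toolcache` value is now gated by the feature flag and the dynamic-event check exactly like a workflow input, which the three-line comment above this call does not say; if not, the origin of the value needs to be threaded through again or derived inside `getCodeQLSource`. Either way, extend the comment with the actual behaviour, e.g. `// Downstream, the resolved value is treated the same as a workflow-provided \`tools\` input.`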
-2
@@ -41,7 +41,6 @@ export async function initCodeQL(
defaultCliVersion: CodeQLDefaultVersionInfo,
features: FeatureEnablement,
logger: Logger,
toolsInputFromRepositoryProperty: boolean,
): Promise<{
codeql: CodeQL;
toolsDownloadStatusReport?: ToolsDownloadStatusReport;
@@ -65,7 +64,6 @@ export async function initCodeQL(
features,
logger,
true,
toolsInputFromRepositoryProperty,
);
await codeql.printVersion();
logger.endGroup();
+2 -5
@@ -156,13 +156,11 @@ async function run(startedAt: Date): Promise<void> {
// Determine the effective tools input.
// The explicit `tools` workflow input takes precedence. If none is provided,
// fall back to the 'github-codeql-tools' repository property (if set).
const resolvedToolsInput = resolveToolsInput(
effectiveToolsInput = resolveToolsInput(
repositoryPropertiesResult,
RepositoryPropertyName.TOOLS,
logger,
);
effectiveToolsInput = resolvedToolsInput.effectiveToolsInput;
const toolsInputFromRepositoryProperty =
resolvedToolsInput.toolsInputFromRepositoryProperty;
const initCodeQLResult = await initCodeQL(
effectiveToolsInput,
@@ -172,7 +170,6 @@ async function run(startedAt: Date): Promise<void> {
codeQLDefaultVersionInfo,
features,
logger,
toolsInputFromRepositoryProperty,
);
codeql = initCodeQLResult.codeql;
toolsDownloadStatusReport = initCodeQLResult.toolsDownloadStatusReport;
+3 -12
@@ -113,7 +113,6 @@ test.serial(
false,
features,
getRunnerLogger(true),
false,
);
t.is(source.sourceType, "download");
@@ -137,7 +136,6 @@ test.serial(
false,
features,
getRunnerLogger(true),
false,
);
t.is(source.toolsVersion, LINKED_CLI_VERSION.cliVersion);
@@ -163,7 +161,6 @@ test.serial(
false,
features,
logger,
false,
);
// First, ensure that the CLI version is the linked version, so that backwards
@@ -217,7 +214,6 @@ test.serial(
SAMPLE_DEFAULT_CLI_VERSION,
features,
logger,
false,
);
// Basic sanity check that the version we got back is indeed
@@ -273,7 +269,6 @@ test.serial(
SAMPLE_DEFAULT_CLI_VERSION,
features,
logger,
false,
);
// Basic sanity check that the version we got back is indeed the version that the
@@ -328,7 +323,6 @@ test.serial(
false,
features,
logger,
false,
);
// Check that the `CodeQLToolsSource` object matches our expectations.
@@ -345,7 +339,7 @@ test.serial(
// Afterwards, ensure that we see the expected messages in the log.
checkExpectedLogMessages(t, loggedMessages, [
"Using the latest CodeQL CLI nightly, as requested by 'tools: nightly'.",
"Using the latest CodeQL CLI nightly, as requested.",
`Bundle version ${expectedDate} is not in SemVer format. Will treat it as pre-release ${expectedVersion}.`,
`Attempting to obtain CodeQL tools. CLI version: unknown, bundle tag name: ${expectedTag}`,
`Using CodeQL CLI sourced from ${expectedURL}`,
@@ -390,7 +384,6 @@ test.serial(
false,
features,
logger,
false,
);
// Check that the `CodeQLToolsSource` object matches our expectations.
@@ -445,7 +438,6 @@ test.serial(
false,
features,
logger,
false,
);
// Check that the toolcache functions were called with the expected arguments
@@ -464,7 +456,7 @@ test.serial(
// Check that key messages we would expect to find in the log are present.
const expectedMessages: string[] = [
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: toolcache'.`,
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested.`,
`CLI version ${latestToolcacheVersion} is the latest version in the toolcache.`,
`Using CodeQL CLI version ${latestToolcacheVersion} from toolcache at ${latestVersionPath}`,
];
@@ -513,7 +505,6 @@ const toolcacheInputFallbackMacro = test.macro({
false,
features,
logger,
false,
);
// Check that the toolcache functions were called with the expected arguments
@@ -550,7 +541,7 @@ test.serial(
{ GITHUB_EVENT_NAME: "dynamic" },
[],
[
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: toolcache'.`,
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested.`,
`Found no CodeQL CLI in the toolcache, ignoring 'tools: toolcache'...`,
],
);
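Review bot: None of the updated tests call `getCodeQLSource` with `toolsInputFromRepositoryProperty` set to `true`, which is the path whose gating this commit changes; every call site here just drops the argument and so takes the new `false` default. `toolcacheInputFallbackMacro` already parameterises the environment and expected log lines, so one additional case passing `true` with the feature flag disabled and a non-dynamic event, expecting `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the 'github-codeql-tools' repository property.`, would pin the bypass and catch a regression if the flag is ever dropped from the call chain. The updated expected message `Attempting to use the latest CodeQL CLI version in the toolcache, as requested.` no longer says which input was honoured, so an assertion on the preceding `Setting tools: ... based on ...` line from resolveToolsInput may be worth adding where that function is under test.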
+28 -36
@@ -265,24 +265,6 @@ async function findOverridingToolsInCache(
return undefined;
}
/**
* Creates a user-friendly description of the tools input origin for log messages.
*
* @param toolsInput The tools input value
* @param toolsInputFromRepositoryProperty Whether the tools input came from repository property
* @returns A description like "'tools: toolcache'" or "the 'github-codeql-tools' repository property"
*/
function getToolsInputOriginDescription(
toolsInput: string | undefined,
toolsInputFromRepositoryProperty: boolean,
): string {
if (toolsInputFromRepositoryProperty) {
return `the '${RepositoryPropertyName.TOOLS}' repository property`;
} else {
return `'tools: ${toolsInput}'`;
}
}
/**
* Determines where the CodeQL CLI we want to use comes from. This can be from a local file,
* the Actions toolcache, or a download.
@@ -305,7 +287,7 @@ export async function getCodeQLSource(
tarSupportsZstd: boolean,
features: FeatureEnablement,
logger: Logger,
toolsInputFromRepositoryProperty: boolean,
toolsInputFromRepositoryProperty: boolean = false,
): Promise<CodeQLToolsSource> {
// If there is an explicit `tools` input, it's not one of the reserved values, and it doesn't appear
// to point to a URL, then we assume it is a local path and use the CLI from there.
@@ -380,7 +362,7 @@ export async function getCodeQLSource(
);
} else {
logger.info(
`Using the latest CodeQL CLI nightly, as requested by ${getToolsInputOriginDescription(toolsInput, toolsInputFromRepositoryProperty)}.`,
`Using the latest CodeQL CLI nightly, as requested.`,
);
}
toolsInput = await getNightlyToolsUrl(logger);
@@ -405,7 +387,7 @@ export async function getCodeQLSource(
tagName = defaults.bundleVersion;
logger.info(
`${getToolsInputOriginDescription(toolsInput, toolsInputFromRepositoryProperty)} was requested, so using CodeQL version ${cliVersion}, the version shipped with the Action.`,
`'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion}, the version shipped with the Action.`,
);
if (toolsInput === "latest") {
@@ -421,23 +403,27 @@ export async function getCodeQLSource(
// We only allow `toolsInput === "toolcache"` for `dynamic` events. In general, using `toolsInput === "toolcache"`
// can lead to alert wobble and so it shouldn't be used for an analysis where results are intended to be uploaded.
// We also allow this in test mode, and when the value was set via a repository property (in which case the
// organization admin has explicitly opted in to this behavior).
// We also allow this in test mode or when the input comes from a repository property.
const allowToolcacheValueFF = await features.getValue(
Feature.AllowToolcacheInput,
);
const allowToolcacheValue =
allowToolcacheValueFF &&
(toolsInputFromRepositoryProperty ||
isDynamicWorkflow() ||
util.isInTestMode());
toolsInputFromRepositoryProperty || // Repository properties bypass all restrictions
(allowToolcacheValueFF &&
(isDynamicWorkflow() || util.isInTestMode()));
if (allowToolcacheValue) {
// If `toolsInput === "toolcache"`, try to find the latest version of the CLI that's available in the toolcache
// and use that. We perform this check here since we can set `cliVersion` directly and don't want to default to
// the linked version.
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by ${getToolsInputOriginDescription(toolsInput, toolsInputFromRepositoryProperty)}.`,
);
if (toolsInputFromRepositoryProperty) {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the '${RepositoryPropertyName.TOOLS}' repository property.`,
);
} else {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested.`,
);
}
latestToolcacheVersion = getLatestToolcacheVersion(logger);
if (latestToolcacheVersion) {
@@ -447,17 +433,23 @@ export async function getCodeQLSource(
if (latestToolcacheVersion === undefined) {
if (allowToolcacheValue) {
logger.info(
`Found no CodeQL CLI in the toolcache, ignoring ${getToolsInputOriginDescription(toolsInput, toolsInputFromRepositoryProperty)}...`,
);
if (toolsInputFromRepositoryProperty) {
logger.info(
`Found no CodeQL CLI in the toolcache, ignoring the '${RepositoryPropertyName.TOOLS}' repository property...`,
);
} else {
logger.info(
`Found no CodeQL CLI in the toolcache, ignoring 'tools: ${toolsInput}'...`,
);
}
} else {
if (allowToolcacheValueFF) {
logger.warning(
`Ignoring ${getToolsInputOriginDescription(toolsInput, toolsInputFromRepositoryProperty)} because the workflow was not triggered dynamically.`,
`Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`,
);
} else {
logger.warning(
`Ignoring ${getToolsInputOriginDescription(toolsInput, toolsInputFromRepositoryProperty)} because the feature is not enabled.`,
`Ignoring 'tools: ${toolsInput}' because the feature is not enabled.`,
);
}
}
@@ -817,7 +809,7 @@ export async function setupCodeQLBundle(
defaultCliVersion: CodeQLDefaultVersionInfo,
features: FeatureEnablement,
logger: Logger,
toolsInputFromRepositoryProperty: boolean,
toolsInputFromRepositoryProperty: boolean = false,
): Promise<SetupCodeQLResult> {
if (!(await util.isBinaryAccessible("tar", logger))) {
throw new util.ConfigurationError(
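Review bot: The reordered `allowToolcacheValue` expression lets a repository-property value bypass `Feature.AllowToolcacheInput` entirely, so the feature flag can no longer switch off toolcache sourcing for property-driven runs; the inline comment `// Repository properties bypass all restrictions` states the what but not the why, and should record that the flag is intentionally not a kill switch for this path, e.g. `// A value set via the repository property is an explicit admin opt-in, so it is honoured regardless of the AllowToolcacheInput flag and the event type.` If the flag was meant to remain a global off-switch, keep it as the outer conjunct instead. Separately, the message `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion}, ...` now attributes a `latest` or `linked` value to the `tools` input even when it came from the property; if that origin is still available to this function, the branch-per-origin wording used for the toolcache messages could be applied there too.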
+18 -5
@@ -883,6 +883,12 @@ export async function waitForProcessing(
);
break;
}
if (!response) {
logger.warning(
"Unable to check analysis status due to missing response. It should still be processed in the background.",
);
break;
}
const status = response.data.processing_status as ProcessingStatus;
logger.info(`Analysis upload status is ${status}.`);
@@ -891,15 +897,22 @@ export async function waitForProcessing(
} else if (options.isUnsuccessfulExecution) {
// We expect a specific processing error for unsuccessful executions, so
// handle these separately.
handleProcessingResultForUnsuccessfulExecution(
response,
status,
logger,
);
if (response) {
handleProcessingResultForUnsuccessfulExecution(
response,
status,
logger,
);
}
break;
} else if (status === "complete") {
break;
} else if (status === "failed") {
if (!response) {
throw new Error(
"Code Scanning could not process the submitted SARIF file: Unable to retrieve error details.",
);
}
const message = `Code Scanning could not process the submitted SARIF file:\n${response.data.errors}`;
const processingErrors = response.data.errors as string[];
throw shouldConsiderConfigurationError(processingErrors)