From a796e3e4ed79ee0f1517ab0535d1fb7196eb5ac9 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 6 May 2026 15:14:04 +0100 Subject: [PATCH 01/40] Add OverlayAnalysisMatchCodeqlVersion feature flag --- lib/analyze-action-post.js | 5 +++++ lib/analyze-action.js | 5 +++++ lib/autobuild-action.js | 5 +++++ lib/init-action-post.js | 5 +++++ lib/init-action.js | 5 +++++ lib/resolve-environment-action.js | 5 +++++ lib/setup-codeql-action.js | 5 +++++ lib/start-proxy-action-post.js | 5 +++++ lib/start-proxy-action.js | 5 +++++ lib/upload-lib.js | 5 +++++ lib/upload-sarif-action-post.js | 5 +++++ lib/upload-sarif-action.js | 5 +++++ src/feature-flags.ts | 12 ++++++++++++ 13 files changed, 72 insertions(+) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 7c1046ab3..0ecdbe3fe 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -162803,6 +162803,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 163a41c7e..558ad5147 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js 
@@ -108403,6 +108403,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 8fdbf5fa6..3ba526579 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -104855,6 +104855,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/init-action-post.js b/lib/init-action-post.js index e4fa85efb..f589829b3 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -166326,6 +166326,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/init-action.js b/lib/init-action.js index 60fb14071..2dbf6b3d0 100644 --- a/lib/init-action.js +++ b/lib/init-action.js 
@@ -105960,6 +105960,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index efa88bd40..c819d2eda 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -104846,6 +104846,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 1d25f46c2..86a1340f4 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -104697,6 +104697,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 9cc3c099a..d65876fc2 100644 
--- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -162123,6 +162123,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index ad8b42d02..d3dbfcc98 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -121494,6 +121494,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/upload-lib.js b/lib/upload-lib.js index a0e9fc0c5..9ab80fc08 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -108009,6 +108009,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 7415e2ba9..1913fac84 100644 
--- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -162293,6 +162293,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 088eef393..00df3fef8 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -107682,6 +107682,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/src/feature-flags.ts b/src/feature-flags.ts index 80adce550..b9afbb849 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts 
@@ -72,6 +72,13 @@ export enum Feature {
 OverlayAnalysisGo = "overlay_analysis_go",
 OverlayAnalysisJava = "overlay_analysis_java",
 OverlayAnalysisJavascript = "overlay_analysis_javascript",
+ /**
+ * When set, chooses the default CodeQL CLI version as the highest version that is both enabled by
+ * feature flags and present as an overlay-base database in the Actions cache for the configured
+ * languages. Falls back to the highest feature flagged version if no intersecting overlay-base
+ * database exists in the cache.
+ */
+ OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version",
 OverlayAnalysisPython = "overlay_analysis_python",
 /**
 * Controls whether lower disk space requirements are used for overlay hardware checks.
@@ -277,6 +284,11 @@ export const featureConfig = {
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
 minimumVersion: undefined,
 },
+ [Feature.OverlayAnalysisMatchCodeqlVersion]: {
+ defaultValue: false,
+ envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION",
+ minimumVersion: undefined,
+ },
 [Feature.OverlayAnalysisResourceChecksV2]: {
 defaultValue: false,
 envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
From b0942116d7fb70909c0153ccfe7e4a54dd932def Mon Sep 17 00:00:00 2001
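Review bot: The doc comment added above `OverlayAnalysisMatchCodeqlVersion` in the first src/feature-flags.ts hunk does not state the trust boundary. As described, Actions cache contents only select among CLI versions the feature flags already enable. That bound is what stops a stale or unexpected cache entry from moving the Action to a version outside the vetted set, although it can still select a lower enabled version than the default would be. I would add a line such as `* Cache contents only narrow the choice within the flag-enabled versions; they never introduce a version.` The lookup itself is not in this hunk, so confirm the implementation enforces this before documenting it. The enum body continues outside the hunk.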
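Review bot: The new `[Feature.OverlayAnalysisMatchCodeqlVersion]` entry in the second src/feature-flags.ts hunk sets `minimumVersion: undefined` without saying why. Presumably the flag is consulted while the CLI version is still being chosen, so it cannot be gated on a CLI version; if so, a comment inside the entry would record that, e.g. `// Evaluated while selecting the CLI version, so it cannot be gated on one.` The `featureConfig` object starts and ends outside the hunk.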
From: Henry Mercer Date: Wed, 6 May 2026 15:53:38 +0100 Subject: [PATCH 02/40] Expose all enabled default CLI versions --- lib/analyze-action-post.js | 22 ++++---- lib/analyze-action.js | 83 +++++++++++++++++-------------- lib/autobuild-action.js | 71 +++++++++++++++----------- lib/init-action-post.js | 83 +++++++++++++++++-------------- lib/init-action.js | 83 +++++++++++++++++-------------- lib/resolve-environment-action.js | 22 ++++---- lib/setup-codeql-action.js | 83 +++++++++++++++++-------------- lib/start-proxy-action-post.js | 22 ++++---- lib/start-proxy-action.js | 75 ++++++++++++++++------------ lib/upload-lib.js | 34 ++++++------- lib/upload-sarif-action-post.js | 22 ++++---- lib/upload-sarif-action.js | 83 +++++++++++++++++-------------- src/codeql.test.ts | 29 +++++++---- src/feature-flags.test.ts | 39 ++++++++++----- src/feature-flags.ts | 79 ++++++++++++++++++++--------- src/init-action.ts | 5 +- src/setup-codeql-action.ts | 5 +- src/setup-codeql.test.ts | 5 +- src/setup-codeql.ts | 8 +-- src/start-proxy.test.ts | 6 ++- src/start-proxy.ts | 4 +- src/testing-utils.ts | 16 +++--- src/upload-lib.ts | 5 +- 23 files changed, 507 insertions(+), 377 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 0ecdbe3fe..fe1995a45 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); 
@@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -162803,11 +162803,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -162824,6 +162819,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 558ad5147..580125393 100644 --- a/lib/analyze-action.js 
+++ b/lib/analyze-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare2 = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -108403,11 +108403,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", 
@@ -108424,6 +108419,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -108484,10 +108484,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -108592,11 +108596,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -108655,34 +108659,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
@@ -109673,8 +109684,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -109686,8 +109697,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -113070,9 +113081,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 3ba526579..bff71e9b7 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); 
@@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -104855,11 +104855,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -104876,6 +104871,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", 
@@ -104936,10 +104936,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -105044,11 +105048,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -105107,34 +105111,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index f589829b3..ca4210952 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -166326,11 +166326,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", 
@@ -166347,6 +166342,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -166407,10 +166407,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -166515,11 +166519,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -166578,34 +166582,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
@@ -167518,8 +167529,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -167531,8 +167542,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -170298,9 +170309,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action diff --git a/lib/init-action.js b/lib/init-action.js index 2dbf6b3d0..03ad45b9a 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); 
@@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -51280,8 +51280,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -105960,11 +105960,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -105981,6 +105976,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", 
@@ -106041,10 +106041,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -106149,11 +106153,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -106212,34 +106216,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
@@ -108614,8 +108625,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -108627,8 +108638,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown"; @@ -110538,9 +110549,7 @@ async function run(startedAt) { `The 'init' action should not be run in the same workflow as 'setup-codeql'.` ); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index c819d2eda..6d9b50f18 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); 
@@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -104846,11 +104846,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -104867,6 +104862,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 86a1340f4..e647efada 100644 
--- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -104697,11 +104697,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", 
@@ -104718,6 +104713,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -104778,10 +104778,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -104886,11 +104890,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -104949,34 +104953,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver4.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
@@ -106129,8 +106140,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -106142,8 +106153,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown"; @@ -107386,9 +107397,7 @@ async function run(startedAt) { if (statusReportBase !== void 0) { await sendStatusReport(statusReportBase); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index d65876fc2..86f78ffda 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); 
@@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -162123,11 +162123,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -162144,6 +162139,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index d3dbfcc98..bd1e56c2b 100644 
--- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare = require_compare(); - var rcompare = (a, b, loose) => compare(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51951,8 +51951,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare(b, a, loose); } exports2.sort = sort; @@ -121494,11 +121494,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", 
@@ -121515,6 +121510,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -121575,10 +121575,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -121683,11 +121687,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -121746,34 +121750,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver4.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
@@ -122653,7 +122664,7 @@ async function getReleaseByVersion(version) { } async function getCliVersionFromFeatures(features) { const gitHubVersion = await getGitHubVersion(); - return await features.getDefaultCliVersion(gitHubVersion.type); + return await features.getEnabledDefaultCliVersions(gitHubVersion.type); } async function getDownloadUrl(logger, features) { const proxyPackage = getProxyPackage(); @@ -122661,7 +122672,7 @@ async function getDownloadUrl(logger, features) { const useFeaturesToDetermineCLI = await features.getValue( "start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */ ); - const versionInfo = useFeaturesToDetermineCLI ? await getCliVersionFromFeatures(features) : { + const versionInfo = useFeaturesToDetermineCLI ? (await getCliVersionFromFeatures(features)).enabledVersions[0] : { cliVersion, tagName: bundleVersion }; diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 9ab80fc08..17dbf166e 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -45983,8 +45983,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare2; } }); @@ -47209,7 +47209,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -47247,7 +47247,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, 
@@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -108009,11 +108009,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -108030,6 +108025,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -108815,8 +108815,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); 
@@ -108828,8 +108828,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -111060,9 +111060,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 1913fac84..d0733a471 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); 
@@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -153559,8 +153559,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -162293,11 +162293,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -162314,6 +162309,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 00df3fef8..1ba53990b 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js 
@@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -107682,11 +107682,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", 
@@ -107703,6 +107698,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -107763,10 +107763,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -107871,11 +107875,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -107934,34 +107938,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver4.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
@@ -109481,8 +109492,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -109494,8 +109505,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -111655,9 +111666,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action diff --git a/src/codeql.test.ts b/src/codeql.test.ts index eccad6895..de7c40096 100644 --- a/src/codeql.test.ts +++ b/src/codeql.test.ts @@ -70,7 +70,7 @@ async function installIntoToolcache({ tmpDir, util.GitHubVariant.GHES, cliVersion !== undefined - ? { cliVersion, tagName } + ? { enabledVersions: [{ cliVersion, tagName }] } : SAMPLE_DEFAULT_CLI_VERSION, createFeatures([]), getRunnerLogger(true), 
@@ -284,11 +284,11 @@ for (const { for (const toolcacheVersion of [ // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache. - SAMPLE_DEFAULT_CLI_VERSION.cliVersion, - `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`, + SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion, + `${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion}-20230101`, ]) { test.serial( - `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` + + `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion} is requested and ` + `${toolcacheVersion} is installed`, async (t) => { const features = createFeatures([]); @@ -312,7 +312,10 @@ for (const toolcacheVersion of [ getRunnerLogger(true), false, ); - t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion); + t.is( + result.toolsVersion, + SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion, + ); t.is(result.toolsSource, ToolsSource.Toolcache); t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined); t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined); @@ -342,8 +345,12 @@ test.serial( tmpDir, util.GitHubVariant.GHES, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }, features, getRunnerLogger(true), @@ -384,8 +391,12 @@ test.serial( tmpDir, util.GitHubVariant.GHES, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }, features, getRunnerLogger(true), diff --git a/src/feature-flags.test.ts b/src/feature-flags.test.ts index 85007df13..d8b5eea04 100644 --- a/src/feature-flags.test.ts +++ b/src/feature-flags.test.ts 
@@ -451,12 +451,16 @@ test.serial(`selects CLI from defaults.json on GHES`, async (t) => { await withTmpDir(async (tmpDir) => { const features = setUpFeatureFlagTests(tmpDir); - const defaultCliVersion = await features.getDefaultCliVersion( + const defaultCliVersion = await features.getEnabledDefaultCliVersions( GitHubVariant.GHES, ); t.deepEqual(defaultCliVersion, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }); }); }); @@ -482,10 +486,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) { false; mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement); - const defaultCliVersion = await features.getDefaultCliVersion(variant); + const defaultCliVersion = + await features.getEnabledDefaultCliVersions(variant); t.deepEqual(defaultCliVersion, { - cliVersion: "2.20.1", - tagName: "codeql-bundle-v2.20.1", + enabledVersions: [ + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ], toolsFeatureFlagsValid: true, }); }); @@ -500,10 +507,15 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) { const expectedFeatureEnablement = initializeFeatures(true); mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement); - const defaultCliVersion = await features.getDefaultCliVersion(variant); + const defaultCliVersion = + await features.getEnabledDefaultCliVersions(variant); t.deepEqual(defaultCliVersion, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], toolsFeatureFlagsValid: false, }); }); 
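Review bot: The expectation in the second hunk (`@@ -482,10 +486,13 @@`) uses `2.20.1` and `2.20.0`, which order the same way under plain string comparison and under `semver.rcompare`, so this test would still pass if the sort regressed to lexical order. A case whose enabled versions differ in digit count would pin the semver ordering that `enabledVersions` now promises, for example (constructed) `2.9.0` and `2.10.0` with `2.10.0` expected first. The flag setup for this test begins outside the hunk, so the entries to add to `expectedFeatureEnablement` are not shown here.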
@@ -529,10 +541,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) { ] = true; mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement); - const defaultCliVersion = await features.getDefaultCliVersion(variant); + const defaultCliVersion = + await features.getEnabledDefaultCliVersions(variant); t.deepEqual(defaultCliVersion, { - cliVersion: "2.20.1", - tagName: "codeql-bundle-v2.20.1", + enabledVersions: [ + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ], toolsFeatureFlagsValid: true, }); diff --git a/src/feature-flags.ts b/src/feature-flags.ts index b9afbb849..d6a6ba7bb 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts @@ -29,9 +29,27 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; */ export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; -export interface CodeQLDefaultVersionInfo { +export interface CodeQLVersionInfo { + /** The version number of the CodeQL CLI, e.g. `2.19.0`. */ cliVersion: string; + /** + * The tag name of the CodeQL Bundle associated with this version, e.g. `codeql-bundle-v2.19.0`. + */ tagName: string; +} + +export interface CodeQLDefaultVersionInfo { + /** + * CodeQL CLI versions that are enabled as defaults, sorted from highest to lowest. + * + * Guaranteed to be non-empty. When feature flags are unavailable, this falls back to a single + * entry containing the version pinned in `defaults.json`. + */ + enabledVersions: CodeQLVersionInfo[]; + /** + * If accessed, whether the tools feature flags are valid, i.e. contain at least one enabled + * version. + */ toolsFeatureFlagsValid?: boolean; } 
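Review bot: In the src/feature-flags.ts hunk, `enabledVersions` is documented as "Guaranteed to be non-empty" but typed as `CodeQLVersionInfo[]`, so the `enabledVersions[0].cliVersion` and `enabledVersions[0].tagName` reads added in `getCodeQLSource` (src/setup-codeql.ts) and the `.enabledVersions[0]` read in `getDownloadUrl` (src/start-proxy.ts) rest on the comment alone. An implementation or test stub that returns an empty list would presumably still type-check and then fail with a `TypeError`, or hand `undefined` onward as the version info. The invariant can be put in the type, `enabledVersions: [CodeQLVersionInfo, ...CodeQLVersionInfo[]];`, in which case the `.map()` result in `getEnabledDefaultCliVersionsFromFlags` needs narrowing. Alternatively, the callers can go through one accessor that throws a descriptive error on an empty list.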
@@ -358,8 +376,12 @@ export type FeatureWithoutCLI = { }[keyof typeof featureConfig]; export interface FeatureEnablement { - /** Gets the default version of the CodeQL tools. */ - getDefaultCliVersion( + /** + * Returns the set of default CodeQL CLI versions to consider, sorted from + * highest to lowest. The first entry is the version that the CodeQL Action + * will use by default. The list is always non-empty. + */ + getEnabledDefaultCliVersions( variant: util.GitHubVariant, ): Promise; getValue(feature: FeatureWithoutCLI): Promise; @@ -383,12 +405,16 @@ export const FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json"; class OfflineFeatures implements FeatureEnablement { constructor(protected readonly logger: Logger) {} - async getDefaultCliVersion( + async getEnabledDefaultCliVersions( _variant: util.GitHubVariant, ): Promise { return { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }; } @@ -530,13 +556,13 @@ class Features extends OfflineFeatures { ); } - async getDefaultCliVersion( + async getEnabledDefaultCliVersions( variant: util.GitHubVariant, ): Promise { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** 
@@ -612,16 +638,22 @@ class GitHubFeatureFlags { return version; } - async getDefaultCliVersionFromFlags(): Promise { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags(): Promise { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response) + const sortedCliVersions = Object.entries(response) .map(([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined, ) - .filter((f): f is string => f !== undefined); + .filter((f): f is string => f !== undefined) + .sort(semver.rcompare); - if (enabledFeatureFlagCliVersions.length === 0) { + if (sortedCliVersions.length === 0) { // We expect at least one default CLI version to be enabled on Dotcom at any time. However if // the feature flags are misconfigured, rather than crashing, we fall back to the CLI version // shipped with the Action in defaults.json. This has the effect of immediately rolling out @@ -637,8 +669,12 @@ class GitHubFeatureFlags { `shipped with the Action. This is ${defaults.cliVersion}.`, ); const result: CodeQLDefaultVersionInfo = { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; 
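Review bot: `.sort(semver.rcompare)` in the first hunk throws as soon as it compares an element that is not a valid semver string, whereas the string comparison it replaces never threw. `getCliVersionFromFeatureFlag` is defined outside this hunk, so it is not visible here whether it already rejects malformed versions. If it does not, a single malformed `default_codeql_version_*_enabled` flag name would make the whole lookup reject instead of reaching the `defaults.json` fallback. In that case the filter can carry the check: `.filter((f): f is string => f !== undefined && semver.valid(f) !== null)`. The function continues past this hunk.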
@@ -646,17 +682,14 @@ class GitHubFeatureFlags { return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => - currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0], - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.`, + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`, ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion) => ({ + cliVersion, + tagName: `codeql-bundle-v${cliVersion}`, + })), toolsFeatureFlagsValid: true, }; } diff --git a/src/init-action.ts b/src/init-action.ts index 859dcefa2..3d599d545 100644 --- a/src/init-action.ts +++ b/src/init-action.ts @@ -298,9 +298,8 @@ async function run(startedAt: Date) { ); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type, - ); + const codeQLDefaultVersionInfo = + await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), diff --git a/src/setup-codeql-action.ts b/src/setup-codeql-action.ts index bd504f3fd..34d5d76aa 100644 --- a/src/setup-codeql-action.ts +++ b/src/setup-codeql-action.ts @@ -136,9 +136,8 @@ async function run(startedAt: Date): Promise { if (statusReportBase !== undefined) { await sendStatusReport(statusReportBase); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type, - ); + const codeQLDefaultVersionInfo = + await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index 555352bd2..c35bd1d9d 100644 
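Review bot: The debug message in the first hunk still reports only `sortedCliVersions[0]`, although the function now returns every enabled version in `enabledVersions`. Logging the full list lets someone reading a run's debug output see which versions were available when a non-default one is later selected, e.g. ``this.logger.debug(`Enabled default CLI versions from feature flags: ${sortedCliVersions.join(", ")}.`);``. The function begins in an earlier hunk.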
--- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -514,7 +514,10 @@ const toolcacheInputFallbackMacro = test.macro({ // Check that `sourceType` and `toolsVersion` match expectations. t.is(source.sourceType, "download"); - t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion); + t.is( + source.toolsVersion, + SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion, + ); // Check that key messages we would expect to find in the log are present. for (const expectedMessage of expectedMessages) { diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 4ca3302f9..41eb7f1e4 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -438,8 +438,8 @@ export async function getCodeQLSource( } } - cliVersion = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== undefined) { // If a tools URL was provided, then use that. @@ -455,8 +455,8 @@ export async function getCodeQLSource( } } else { // Otherwise, use the default CLI version passed in. - cliVersion = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion = diff --git a/src/start-proxy.test.ts b/src/start-proxy.test.ts index 621b8d499..a9d8be894 100644 --- a/src/start-proxy.test.ts +++ b/src/start-proxy.test.ts @@ -1019,8 +1019,10 @@ test.serial( return true; }); const getDefaultCliVersion = sinon - .stub(features, "getDefaultCliVersion") - .resolves({ cliVersion: "2.20.1", tagName: expectedTag }); + .stub(features, "getEnabledDefaultCliVersions") + .resolves({ + enabledVersions: [{ cliVersion: "2.20.1", tagName: expectedTag }], + }); const path = await startProxyExports.getProxyBinaryPath(logger, features); t.assert(getDefaultCliVersion.calledOnce); 
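Review bot: In the src/start-proxy.test.ts hunk the stub is still bound to a variable named `getDefaultCliVersion`, although it now stubs `getEnabledDefaultCliVersions`. Renaming it keeps the assertion that follows readable: `const getEnabledDefaultCliVersions = sinon.stub(features, "getEnabledDefaultCliVersions")` and `t.assert(getEnabledDefaultCliVersions.calledOnce);`. The test body starts and ends outside the hunk.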
diff --git a/src/start-proxy.ts b/src/start-proxy.ts index 1013ae386..d6111510f 100644 --- a/src/start-proxy.ts +++ b/src/start-proxy.ts @@ -415,7 +415,7 @@ async function getCliVersionFromFeatures( features: FeatureEnablement, ): Promise { const gitHubVersion = await getGitHubVersion(); - return await features.getDefaultCliVersion(gitHubVersion.type); + return await features.getEnabledDefaultCliVersions(gitHubVersion.type); } /** @@ -440,7 +440,7 @@ export async function getDownloadUrl( // Retrieve information about the CLI version we should use. This will be either the linked // version, or the one enabled by FFs. const versionInfo = useFeaturesToDetermineCLI - ? await getCliVersionFromFeatures(features) + ? (await getCliVersionFromFeatures(features)).enabledVersions[0] : { cliVersion: defaults.cliVersion, tagName: defaults.bundleVersion, diff --git a/src/testing-utils.ts b/src/testing-utils.ts index fcb7149b5..29966c1ad 100644 --- a/src/testing-utils.ts +++ b/src/testing-utils.ts @@ -36,16 +36,20 @@ export const SAMPLE_DOTCOM_API_DETAILS = { apiURL: "https://api.github.com", }; -export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = { - cliVersion: "2.20.0", - tagName: "codeql-bundle-v2.20.0", -}; - export const LINKED_CLI_VERSION = { cliVersion: defaults.cliVersion, tagName: defaults.bundleVersion, }; +export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = { + enabledVersions: [ + { + cliVersion: "2.20.0", + tagName: "codeql-bundle-v2.20.0", + }, + ], +}; + type TestContext = { stdoutWrite: any; stderrWrite: any; @@ -442,7 +446,7 @@ export function mockCodeQLVersion( */ export function createFeatures(enabledFeatures: Feature[]): FeatureEnablement { return { - getDefaultCliVersion: async () => { + getEnabledDefaultCliVersions: async () => { throw new Error("not implemented"); }, getValue: async (feature) => { diff --git a/src/upload-lib.ts b/src/upload-lib.ts index 2464fe5ea..e4230b6f9 100644 --- a/src/upload-lib.ts 
+++ b/src/upload-lib.ts @@ -156,9 +156,8 @@ async function combineSarifFilesUsingCLI( apiURL: getRequiredEnvParam("GITHUB_API_URL"), }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type, - ); + const codeQLDefaultVersionInfo = + await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( undefined, // There is no tools input on the upload action From 55d6319f962eaad44a2f20b6bacf0ed4cac7d20a Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 6 May 2026 17:42:31 +0100 Subject: [PATCH 03/40] Match CLI version to cached overlay-base database --- lib/analyze-action-post.js | 108 +++--- lib/analyze-action.js | 532 +++++++++++++++++++----------- lib/autobuild-action.js | 100 +++--- lib/init-action-post.js | 444 +++++++++++++++++-------- lib/init-action.js | 530 ++++++++++++++++++----------- lib/resolve-environment-action.js | 100 +++--- lib/setup-codeql-action.js | 418 +++++++++++++++++------ lib/start-proxy-action-post.js | 108 +++--- lib/upload-lib.js | 402 ++++++++++++++++------ lib/upload-sarif-action-post.js | 108 +++--- lib/upload-sarif-action.js | 402 ++++++++++++++++------ src/codeql.test.ts | 10 + src/codeql.ts | 3 + src/init-action.ts | 4 + src/init.ts | 2 + src/setup-codeql-action.ts | 1 + src/setup-codeql.test.ts | 161 +++++++++ src/setup-codeql.ts | 104 +++++- src/upload-lib.ts | 1 + 19 files changed, 2437 insertions(+), 1101 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index fe1995a45..95609b3a2 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js 
@@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, 
@@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, 
@@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -51958,7 +51958,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs9 = __importStar2(require("fs")); var path9 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); 
@@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var path9 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); 
@@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -99856,7 +99856,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path9 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); 
@@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs9.existsSync(cachePath) && fs9.existsSync(`${cachePath}.complete`)) { @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); 
@@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs9.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -108004,7 +108004,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -108014,9 +108014,9 @@ var require_stream_writable = __commonJS({ if (er) { stream.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; 
@@ -162985,20 +162985,26 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/tracer-config.ts @@ -163595,7 +163601,7 @@ var core12 = __toESM(require_core()); // src/dependency-caching.ts var import_path = require("path"); -var actionsCache3 = __toESM(require_cache5()); +var actionsCache4 = __toESM(require_cache5()); var glob = __toESM(require_glob()); function getJavaTempDependencyDir() { return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository"); diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 580125393..f94d5a0dc 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js 
@@ -107131,6 +107131,32 @@ var persistInputs = function() { ); core4.saveState(persistedInputsKey, JSON.stringify(inputEnvironmentVariables)); }; +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -107227,7 +107253,7 @@ var SarifScanOrder = [ ]; // src/analyze.ts -var fs13 = __toESM(require("fs")); +var fs14 = __toESM(require("fs")); var path12 = __toESM(require("path")); var import_perf_hooks2 = require("perf_hooks"); var io5 = __toESM(require_io()); @@ -107511,7 +107537,7 @@ function wrapApiConfigurationError(e) { } // src/codeql.ts -var fs12 = __toESM(require("fs")); +var fs13 = __toESM(require("fs")); var path11 = __toESM(require("path")); var core11 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); 
@@ -108868,6 +108894,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache5()); @@ -109080,11 +109117,11 @@ function getPrimaryAnalysisConfig(config) { } // src/setup-codeql.ts -var fs10 = __toESM(require("fs")); +var fs11 = __toESM(require("fs")); var path9 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; 
@@ -109130,14 +109167,203 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var fs8 = __toESM(require("fs")); +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION2 = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +var MAX_CACHE_OPERATION_MS2 = 6e5; +async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { + const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); + if (!fs8.existsSync(baseDatabaseOidsFilePath)) { + logger.warning( + `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` + ); + return false; + } + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.debug( + `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } + return true; +} +async function cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger) { + const overlayDatabaseMode = config.overlayDatabaseMode; + if (overlayDatabaseMode !== "overlay-base" /* OverlayBase */) { + logger.debug( + `Overlay database mode is ${overlayDatabaseMode}. Skip uploading overlay-base database to cache.` + ); + return false; + } + if (!config.useOverlayDatabaseCaching) { + logger.debug( + "Overlay database caching is disabled. Skip uploading overlay-base database to cache." 
+ ); + return false; + } + if (isInTestMode()) { + logger.debug( + "In test mode. Skip uploading overlay-base database to cache." + ); + return false; + } + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, + config, + logger, + "Abort uploading overlay-base database to cache" + ); + if (!databaseIsValid) { + return false; + } + await withGroupAsync("Cleaning up databases", async () => { + await codeql.databaseCleanupCluster(config, "overlay" /* Overlay */); + }); + const dbLocation = config.dbLocation; + const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); + if (databaseSizeBytes === void 0) { + logger.warning( + "Failed to determine database size. Skip uploading overlay-base database to cache." + ); + return false; + } + if (databaseSizeBytes > OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES) { + const databaseSizeMB = Math.round(databaseSizeBytes / 1e6); + logger.warning( + `Database size (${databaseSizeMB} MB) exceeds maximum upload size (${OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB} MB). Skip uploading overlay-base database to cache.` + ); + return false; + } + const codeQlVersion = (await codeql.getVersion()).version; + const checkoutPath = getRequiredInput("checkout_path"); + const cacheSaveKey = await getCacheSaveKey( + config, + codeQlVersion, + checkoutPath, + logger + ); + logger.info( + `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}` + ); + try { + const cacheId = await waitForResultWithTimeLimit( + MAX_CACHE_OPERATION_MS2, + actionsCache3.saveCache([dbLocation], cacheSaveKey), + () => { + } + ); + if (cacheId === void 0) { + logger.warning("Timed out while uploading overlay-base database"); + return false; + } + } catch (error3) { + logger.warning( + `Failed to upload overlay-base database to cache: ${error3 instanceof Error ? 
error3.message : String(error3)}` + ); + return false; + } + logger.info(`Successfully uploaded overlay-base database from ${dbLocation}`); + return true; +} +async function getCacheSaveKey(config, codeQlVersion, checkoutPath, logger) { + let runId = 1; + let attemptId = 1; + try { + runId = getWorkflowRunID(); + attemptId = getWorkflowRunAttempt(); + } catch (e) { + logger.warning( + `Failed to get workflow run ID or attempt ID. Reason: ${getErrorMessage(e)}` + ); + } + const sha = await getCommitOid(checkoutPath); + const restoreKeyPrefix = await getCacheRestoreKeyPrefix( + config, + codeQlVersion + ); + return `${restoreKeyPrefix}${sha}-${runId}-${attemptId}`; +} +async function getCacheRestoreKeyPrefix(config, codeQlVersion) { + return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; +} +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." 
+ ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); -var fs8 = __toESM(require("fs")); +var fs9 = __toESM(require("fs")); var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { 
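Review bot: In `getCodeQlVersionsForOverlayBaseDatabases`, `cache.key.substring(cacheKeyPrefix.length)` assumes every key returned by `listActionsCaches(cacheKeyPrefix)` begins with that prefix, and the hunk does not show that the helper guarantees this. Cache keys are written by workflow runs, and the versions parsed here feed the choice of CodeQL CLI version, so the loop should skip non-matching keys explicitly: `if (!cache.key?.startsWith(cacheKeyPrefix)) continue;`. The `versionRegex` and `semver6.valid` checks already reject malformed version strings, which deserves a one-line comment such as `// Cache keys are external input; accept only a valid semver directly after the prefix`. This part of the bundle is labelled `// src/overlay/caching.ts`, so the change presumably belongs in that source file.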
@@ -109179,9 +109405,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -109190,7 +109416,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -109205,7 +109431,7 @@ async function isZstdAvailable(logger) { } } async function extract(tarPath, dest, compressionMethod, tarVersion, logger) { - fs8.mkdirSync(dest, { recursive: true }); + fs9.mkdirSync(dest, { recursive: true }); switch (compressionMethod) { case "gzip": return await toolcache.extractTar(tarPath, dest); @@ -109289,7 +109515,7 @@ function inferCompressionMethod(tarPath) { } // src/tools-download.ts -var fs9 = __toESM(require("fs")); +var fs10 = __toESM(require("fs")); var os2 = __toESM(require("os")); var path8 = __toESM(require("path")); var import_perf_hooks = require("perf_hooks"); @@ -109297,7 +109523,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { 
@@ -109396,7 +109622,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat }; } async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) { - fs9.mkdirSync(dest, { recursive: true }); + fs10.mkdirSync(dest, { recursive: true }); const agent = new import_http_client.HttpClient().getAgent(codeqlURL); headers = Object.assign( { "User-Agent": "CodeQL Action" }, @@ -109427,13 +109653,13 @@ function getToolcacheDirectory(version) { return path8.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os2.arch() || "" ); } function writeToolcacheMarkerFile(extractedPath, logger) { const markerFilePath = `${extractedPath}.complete`; - fs9.writeFileSync(markerFilePath, ""); + fs10.writeFileSync(markerFilePath, ""); logger.info(`Created toolcache marker file ${markerFilePath}`); } function sanitizeUrlForStatusReport(url2) { @@ -109552,13 +109778,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -109568,7 +109794,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({ folder: toolcache3.find("CodeQL", version), version - })).filter(({ folder }) => fs10.existsSync(path9.join(folder, "pinned-version"))); + })).filter(({ folder }) => fs11.existsSync(path9.join(folder, "pinned-version"))); if (candidates.length === 1) { const candidate = candidates[0]; logger.debug( 
@@ -109590,7 +109816,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if 
(toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -109684,21 +109958,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; 
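Review bot: In `resolveDefaultCliVersion`, the log line calls `overlayVersions[0]` "the highest enabled version that has a cached overlay-base database", but `getEnabledVersionsWithOverlayBaseDatabases` only filters `defaultCliVersion.enabledVersions` and keeps that array's order, so the claim holds only if `enabledVersions` is already sorted newest-first, which is not visible here. Either state that precondition in a comment or sort the filtered result before taking the first element. The intersection with `enabledVersions` is also what stops a cache key from selecting a CLI version outside the enabled set; a comment such as `// Only versions already in enabledVersions may be returned; cache contents narrow the choice, never widen it` would keep a later refactor from using the cache-derived string directly. Both functions are complete in this hunk; `getCodeQLSource`, whose signature gains `rawLanguages`, continues past it.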
@@ -109895,7 +110181,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -109905,6 +110191,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -109963,7 +110250,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -109995,7 +110282,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -110015,7 +110302,7 @@ function isReservedToolsValue(tools) { } // src/tracer-config.ts -var fs11 = __toESM(require("fs")); +var fs12 = __toESM(require("fs")); var path10 = __toESM(require("path")); async function shouldEnableIndirectTracing(codeql, config) { if (config.buildMode === "none" /* None */) { 
@@ -110035,14 +110322,14 @@ async function endTracingForCluster(codeql, config, logger) { config.dbLocation, "temp/tracingEnvironment/end-tracing.json" ); - if (!fs11.existsSync(envVariablesFile)) { + if (!fs12.existsSync(envVariablesFile)) { throw new Error( `Environment file for ending tracing not found: ${envVariablesFile}` ); } try { const endTracingEnvVariables = JSON.parse( - fs11.readFileSync(envVariablesFile, "utf8") + fs12.readFileSync(envVariablesFile, "utf8") ); for (const [key, value] of Object.entries(endTracingEnvVariables)) { if (value !== null) { @@ -110065,7 +110352,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -110079,6 +110366,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -110154,7 +110442,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { "tools", "tracing-config.lua" ); - return fs12.existsSync(tracingConfigPath); + return fs13.existsSync(tracingConfigPath); }, async isScannedLanguage(language) { return !await this.isTracedLanguage(language); @@ -110630,7 +110918,7 @@ async function writeCodeScanningConfigFile(config, logger) { logger.startGroup("Augmented user configuration file contents"); logger.info(dump(augmentedConfig)); logger.endGroup(); - fs12.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); + fs13.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; 
@@ -110722,7 +111010,7 @@ async function runAutobuild(config, language, logger) { // src/dependency-caching.ts var os3 = __toESM(require("os")); var import_path2 = require("path"); -var actionsCache3 = __toESM(require_cache5()); +var actionsCache4 = __toESM(require_cache5()); var glob = __toESM(require_glob()); var CODEQL_DEPENDENCY_CACHE_PREFIX = "codeql-dependencies"; var CODEQL_DEPENDENCY_CACHE_VERSION = 1; @@ -110860,7 +111148,7 @@ async function uploadDependencyCaches(codeql, features, config, logger) { ); try { const start = performance.now(); - await actionsCache3.saveCache( + await actionsCache4.saveCache( await cacheConfig.getDependencyPaths(codeql, features), key ); @@ -110872,7 +111160,7 @@ async function uploadDependencyCaches(codeql, features, config, logger) { upload_duration_ms }); } catch (error3) { - if (error3 instanceof actionsCache3.ReserveCacheError) { + if (error3 instanceof actionsCache4.ReserveCacheError) { logger.info( `Not uploading cache for ${language}, because ${key} is already in use.` ); @@ -110980,7 +111268,7 @@ function dbIsFinalized(config, language, logger) { const dbPath = getCodeQLDatabasePath(config, language); try { const dbInfo = load( - fs13.readFileSync(path12.resolve(dbPath, "codeql-database.yml"), "utf8") + fs14.readFileSync(path12.resolve(dbPath, "codeql-database.yml"), "utf8") ); return !("inProgress" in dbInfo); } catch { @@ -111065,8 +111353,8 @@ function writeDiffRangeDataExtensionPack(logger, ranges, checkoutPath) { ranges = [{ path: "", startLine: 0, endLine: 0 }]; } const diffRangeDir = path12.join(getTemporaryDirectory(), "pr-diff-range"); - fs13.mkdirSync(diffRangeDir, { recursive: true }); - fs13.writeFileSync( + fs14.mkdirSync(diffRangeDir, { recursive: true }); + fs14.writeFileSync( path12.join(diffRangeDir, "qlpack.yml"), ` name: codeql-action/pr-diff-range 
@@ -111083,7 +111371,7 @@ dataExtensions: checkoutPath ); const extensionFilePath = path12.join(diffRangeDir, "pr-diff-range.yml"); - fs13.writeFileSync(extensionFilePath, extensionContents); + fs14.writeFileSync(extensionFilePath, extensionContents); logger.debug( `Wrote pr-diff-range extension pack to ${extensionFilePath}: ${extensionContents}` @@ -111235,7 +111523,7 @@ async function runQueries(sarifFolder, memoryFlag, threadsFlag, diffRangePackDir } function getPerQueryAlertCounts(sarifPath) { const sarifObject = JSON.parse( - fs13.readFileSync(sarifPath, "utf8") + fs14.readFileSync(sarifPath, "utf8") ); const perQueryAlertCounts = {}; for (const sarifRun of sarifObject.runs) { @@ -111253,13 +111541,13 @@ async function runQueries(sarifFolder, memoryFlag, threadsFlag, diffRangePackDir } async function runFinalize(features, outputDir, threadsFlag, memoryFlag, codeql, config, logger) { try { - await fs13.promises.rm(outputDir, { force: true, recursive: true }); + await fs14.promises.rm(outputDir, { force: true, recursive: true }); } catch (error3) { if (error3?.code !== "ENOENT") { throw error3; } } - await fs13.promises.mkdir(outputDir, { recursive: true }); + await fs14.promises.mkdir(outputDir, { recursive: true }); const timings = await finalizeDatabaseCreation( codeql, features, @@ -111303,7 +111591,7 @@ async function warnIfGoInstalledAfterInit(config, logger) { } // src/database-upload.ts -var fs14 = __toESM(require("fs")); +var fs15 = __toESM(require("fs")); async function cleanupAndUploadDatabases(repositoryNwo, codeql, config, apiDetails, features, logger) { if (getRequiredInput("upload-database") !== "true") { logger.debug("Database upload disabled in workflow. Skipping upload."); 
@@ -111339,7 +111627,7 @@ async function cleanupAndUploadDatabases(repositoryNwo, codeql, config, apiDetai const bundledDb = await bundleDb(config, language, codeql, language, { includeDiagnostics: false }); - bundledDbSize = fs14.statSync(bundledDb).size; + bundledDbSize = fs15.statSync(bundledDb).size; const commitOid = await getCommitOid( getRequiredInput("checkout_path") ); @@ -111402,7 +111690,7 @@ async function uploadBundledDatabase(repositoryNwo, language, commitOid, bundled if (uploadsBaseUrl.endsWith("/")) { uploadsBaseUrl = uploadsBaseUrl.slice(0, -1); } - const bundledDbReadStream = fs14.createReadStream(bundledDb); + const bundledDbReadStream = fs15.createReadStream(bundledDb); try { const startTime = performance.now(); await client.request( 
@@ -111432,151 +111720,6 @@ async function uploadBundledDatabase(repositoryNwo, language, commitOid, bundled } } -// src/overlay/caching.ts -var fs15 = __toESM(require("fs")); -var actionsCache4 = __toESM(require_cache5()); -var semver9 = __toESM(require_semver2()); -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; -var CACHE_VERSION2 = 1; -var CACHE_PREFIX = "codeql-overlay-base-database"; -var MAX_CACHE_OPERATION_MS2 = 6e5; -async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { - const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); - if (!fs15.existsSync(baseDatabaseOidsFilePath)) { - logger.warning( - `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` - ); - return false; - } - for (const language of config.languages) { - const dbPath = getCodeQLDatabasePath(config, language); - try { - const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); - if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { - logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); - return false; - } else { - logger.debug( - `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` - ); - } - } catch (e) { - logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); - return false; - } - } - return true; -} -async function cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger) { - const overlayDatabaseMode = config.overlayDatabaseMode; - if (overlayDatabaseMode !== "overlay-base" /* OverlayBase */) { - logger.debug( - `Overlay database mode is ${overlayDatabaseMode}. Skip uploading overlay-base database to cache.` - ); - return false; - } - if (!config.useOverlayDatabaseCaching) { - logger.debug( - "Overlay database caching is disabled. Skip uploading overlay-base database to cache." 
- ); - return false; - } - if (isInTestMode()) { - logger.debug( - "In test mode. Skip uploading overlay-base database to cache." - ); - return false; - } - const databaseIsValid = await checkOverlayBaseDatabase( - codeql, - config, - logger, - "Abort uploading overlay-base database to cache" - ); - if (!databaseIsValid) { - return false; - } - await withGroupAsync("Cleaning up databases", async () => { - await codeql.databaseCleanupCluster(config, "overlay" /* Overlay */); - }); - const dbLocation = config.dbLocation; - const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); - if (databaseSizeBytes === void 0) { - logger.warning( - "Failed to determine database size. Skip uploading overlay-base database to cache." - ); - return false; - } - if (databaseSizeBytes > OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES) { - const databaseSizeMB = Math.round(databaseSizeBytes / 1e6); - logger.warning( - `Database size (${databaseSizeMB} MB) exceeds maximum upload size (${OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB} MB). Skip uploading overlay-base database to cache.` - ); - return false; - } - const codeQlVersion = (await codeql.getVersion()).version; - const checkoutPath = getRequiredInput("checkout_path"); - const cacheSaveKey = await getCacheSaveKey( - config, - codeQlVersion, - checkoutPath, - logger - ); - logger.info( - `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}` - ); - try { - const cacheId = await waitForResultWithTimeLimit( - MAX_CACHE_OPERATION_MS2, - actionsCache4.saveCache([dbLocation], cacheSaveKey), - () => { - } - ); - if (cacheId === void 0) { - logger.warning("Timed out while uploading overlay-base database"); - return false; - } - } catch (error3) { - logger.warning( - `Failed to upload overlay-base database to cache: ${error3 instanceof Error ? 
error3.message : String(error3)}` - ); - return false; - } - logger.info(`Successfully uploaded overlay-base database from ${dbLocation}`); - return true; -} -async function getCacheSaveKey(config, codeQlVersion, checkoutPath, logger) { - let runId = 1; - let attemptId = 1; - try { - runId = getWorkflowRunID(); - attemptId = getWorkflowRunAttempt(); - } catch (e) { - logger.warning( - `Failed to get workflow run ID or attempt ID. Reason: ${getErrorMessage(e)}` - ); - } - const sha = await getCommitOid(checkoutPath); - const restoreKeyPrefix = await getCacheRestoreKeyPrefix( - config, - codeQlVersion - ); - return `${restoreKeyPrefix}${sha}-${runId}-${attemptId}`; -} -async function getCacheRestoreKeyPrefix(config, codeQlVersion) { - return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; -} -async function getCacheKeyPrefixBase(parsedLanguages) { - const languagesComponent = [...parsedLanguages].sort().join("_"); - const cacheKeyComponents = { - automationID: await getAutomationID() - // Add more components here as needed in the future - }; - const componentsHash = createCacheKeyHash(cacheKeyComponents); - return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; -} - // src/status-report.ts var os4 = __toESM(require("os")); var core13 = __toESM(require_core()); @@ -112919,7 +113062,7 @@ var core14 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io6 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -112933,6 +113076,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true 
@@ -113089,6 +113233,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index bff71e9b7..4e1a75aac 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, 
@@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, 
@@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -51958,7 +51958,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs8 = __importStar2(require("fs")); var path9 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; 
@@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var path9 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); 
@@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; 
@@ -99856,7 +99856,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path9 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs8.existsSync(cachePath) && fs8.existsSync(`${cachePath}.complete`)) { 
@@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io5.rmRF(folderPath); @@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs8.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -105375,20 +105375,26 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/tracer-config.ts diff --git a/lib/init-action-post.js b/lib/init-action-post.js index ca4210952..4ed2d691b 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var os4 = __importStar2(require("os")); var utils_1 = require_utils(); 
@@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4262,11 +4262,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -4539,7 +4539,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4554,7 +4554,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); 
@@ -5618,8 +5618,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17023,13 +17023,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17042,7 +17042,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17114,9 +17114,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { 
@@ -17136,7 +17136,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17166,7 +17166,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -25260,11 +25260,11 @@ var require_util10 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl2(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -25537,7 +25537,7 @@ var require_util10 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); 
@@ -25552,7 +25552,7 @@ var require_util10 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -26616,8 +26616,8 @@ var require_body2 = __commonJS({ var { multipartFormDataParser } = require_formdata_parser2(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -38021,13 +38021,13 @@ var require_frame2 = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants10(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -38040,7 +38040,7 @@ var require_frame2 = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } 
@@ -38112,9 +38112,9 @@ var require_connection2 = __commonJS({ var { Headers, getHeadersList } = require_headers2(); var { getDecodeSplit } = require_util10(); var { WebsocketFrameSend } = require_frame2(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { @@ -38134,7 +38134,7 @@ var require_connection2 = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -38164,7 +38164,7 @@ var require_connection2 = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); 
@@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare2 = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, 
@@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, 
@@ -50550,7 +50550,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles2; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core19 = __importStar2(require_core()); var fs21 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -50563,7 +50563,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core19.info : core19.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { @@ -50579,7 +50579,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash2 = crypto2.createHash("sha256"); + const hash2 = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs21.createReadStream(file), hash2); result.write(hash2.digest()); @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; 
@@ -51955,10 +51955,10 @@ var require_cacheUtils = __commonJS({ var exec3 = __importStar2(require_exec()); var glob2 = __importStar2(require_glob()); var io7 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var path19 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -51979,7 +51979,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path19.join(baseLocation, "actions", "temp"); } - const dest = path19.join(tempDirectory, crypto2.randomUUID()); + const dest = path19.join(tempDirectory, crypto3.randomUUID()); yield io7.mkdirP(dest); return dest; }); @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core19.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -52087,7 +52087,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; 
@@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core19 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core19 = __importStar2(require_core()); var path19 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core19.debug(`Cache service version: ${cacheServiceVersion}`); 
@@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core19.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os4 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; 
@@ -99850,13 +99850,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core19 = __importStar2(require_core()); var io7 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os4 = __importStar2(require("os")); var path19 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -99875,7 +99875,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url2, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path19.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path19.join(_getTempDirectory(), crypto3.randomUUID()); yield io7.mkdirP(path19.dirname(dest)); core19.debug(`Downloading ${url2}`); core19.debug(`Destination ${dest}`); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os4.arch(); core19.debug(`Caching tool ${tool} ${version} ${arch2}`); core19.debug(`source dir: ${sourceDir}`); 
@@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os4.arch(); core19.debug(`Caching tool ${tool} ${version} ${arch2}`); core19.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path19.join(_getCacheDirectory(), toolName, versionSpec, arch2); core19.debug(`checking cache: ${cachePath}`); if (fs21.existsSync(cachePath) && fs21.existsSync(`${cachePath}.complete`)) { @@ -100249,7 +100249,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path19.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path19.join(_getTempDirectory(), crypto3.randomUUID()); } yield io7.mkdirP(dest); return dest; @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path19.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path19.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core19.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io7.rmRF(folderPath); 
@@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path19.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path19.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs21.writeFileSync(markerPath, ""); core19.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core19.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core19.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core19.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core19.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -103730,7 +103730,7 @@ var require_blob_upload = __commonJS({ var storage_blob_1 = require_commonjs15(); var config_1 = require_config2(); var core19 = __importStar2(require_core()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var stream2 = __importStar2(require("stream")); var errors_1 = require_errors4(); function uploadZipToBlobStorage(authenticatedUploadURL, zipUploadStream) { 
@@ -103768,7 +103768,7 @@ var require_blob_upload = __commonJS({ }; let sha256Hash = void 0; const uploadStream = new stream2.PassThrough(); - const hashStream = crypto2.createHash("sha256"); + const hashStream = crypto3.createHash("sha256"); zipUploadStream.pipe(uploadStream); zipUploadStream.pipe(hashStream).setEncoding("hex"); core19.info("Beginning upload of artifact content to blob storage"); @@ -108004,7 +108004,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream2, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -108014,9 +108014,9 @@ var require_stream_writable = __commonJS({ if (er) { stream2.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; @@ -132571,11 +132571,11 @@ var require_util25 = __commonJS({ var assert = require("assert"); var { isUint8Array } = require("util/types"); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("crypto"); + crypto3 = require("crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -132852,7 +132852,7 @@ var require_util25 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); 
@@ -132867,7 +132867,7 @@ var require_util25 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -134213,8 +134213,8 @@ var require_body3 = __commonJS({ var { parseMIMEType, serializeAMimeType } = require_dataURL(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -145264,9 +145264,9 @@ var require_connection3 = __commonJS({ channels.open = diagnosticsChannel.channel("undici:websocket:open"); channels.close = diagnosticsChannel.channel("undici:websocket:close"); channels.socketError = diagnosticsChannel.channel("undici:websocket:socket_error"); - var crypto2; + var crypto3; try { - crypto2 = require("crypto"); + crypto3 = require("crypto"); } catch { } function establishWebSocketConnection(url2, protocols, ws, onEstablish, options) { @@ -145285,7 +145285,7 @@ var require_connection3 = __commonJS({ const headersList = new Headers(options.headers)[kHeadersList]; request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { 
@@ -145314,7 +145314,7 @@ var require_connection3 = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -145394,9 +145394,9 @@ var require_frame3 = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; var { maxUnsigned16Bit } = require_constants24(); - var crypto2; + var crypto3; try { - crypto2 = require("crypto"); + crypto3 = require("crypto"); } catch { } var WebsocketFrameSend = class { @@ -145405,7 +145405,7 @@ var require_frame3 = __commonJS({ */ constructor(data) { this.frameData = data; - this.maskKey = crypto2.randomBytes(4); + this.maskKey = crypto3.randomBytes(4); } createFrame(opcode) { const bodyLength = this.frameData?.byteLength ?? 0; @@ -152794,7 +152794,7 @@ var require_download_artifact = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.downloadArtifactInternal = exports2.downloadArtifactPublic = exports2.streamExtractExternal = void 0; var promises_1 = __importDefault2(require("fs/promises")); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var stream2 = __importStar2(require("stream")); var github4 = __importStar2(require_github2()); var core19 = __importStar2(require_core()); @@ -152855,7 +152855,7 @@ var require_download_artifact = __commonJS({ reject(timeoutError); }; const timer = setTimeout(timerFn, opts.timeout); - const hashStream = crypto2.createHash("sha256").setEncoding("hex"); + const hashStream = crypto3.createHash("sha256").setEncoding("hex"); const passThrough = new stream2.PassThrough(); response.message.pipe(passThrough); passThrough.pipe(hashStream); 
@@ -153884,7 +153884,7 @@ var require_file_command2 = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.prepareKeyValueMessage = exports2.issueFileCommand = void 0; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var os4 = __importStar2(require("os")); var utils_1 = require_utils12(); @@ -153902,7 +153902,7 @@ var require_file_command2 = __commonJS({ } exports2.issueFileCommand = issueFileCommand; function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -156659,7 +156659,7 @@ var require_tmp = __commonJS({ var fs21 = require("fs"); var os4 = require("os"); var path19 = require("path"); - var crypto2 = require("crypto"); + var crypto3 = require("crypto"); var _c = { fs: fs21.constants, os: os4.constants }; var RANDOM_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; var TEMPLATE_PATTERN = /XXXXXX/; @@ -156839,9 +156839,9 @@ var require_tmp = __commonJS({ function _randomChars(howMany) { let value = [], rnd = null; try { - rnd = crypto2.randomBytes(howMany); + rnd = crypto3.randomBytes(howMany); } catch (e) { - rnd = crypto2.pseudoRandomBytes(howMany); + rnd = crypto3.pseudoRandomBytes(howMany); } for (let i = 0; i < howMany; i++) { value.push(RANDOM_CHARS[rnd[i] % RANDOM_CHARS.length]); 
@@ -165103,6 +165103,32 @@ var restoreInputs = function() { } } }; +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -165326,6 +165352,11 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} function computeAutomationID(analysis_key, environment) { let automationID = `${analysis_key}/`; const matrix = parseMatrixInput(environment); 
@@ -165391,7 +165422,13 @@ function wrapApiConfigurationError(e) { } // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core6 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/codeql.ts var fs12 = __toESM(require("fs")); @@ -166791,6 +166828,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var fs7 = __toESM(require("fs")); @@ -166929,7 +166977,7 @@ var fs11 = __toESM(require("fs")); var path10 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; 
@@ -166975,6 +167023,67 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? 
"database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); var fs9 = __toESM(require("fs")); @@ -166982,7 +167091,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -167024,9 +167133,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -167035,7 +167144,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; 
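Review bot: `listActionsCaches(cacheKeyPrefix)` in `getCodeQlVersionsForOverlayBaseDatabases` is called without a `ref`, so cache entries from every ref in the repository feed `versionSet`, which may include entries this run cannot restore and entries saved under pull-request refs. Because the returned versions steer which enabled CodeQL CLI a pull-request analysis installs, the listing should presumably be narrowed to the refs that overlay-base databases are restored from, for example `const caches = await listActionsCaches(cacheKeyPrefix, baseRef);`, where `baseRef` is a placeholder for the full `refs/heads/...` name of the base or default branch. If the unfiltered listing is intended, a comment at the call saying why would help the next reader. This file is bundled output, so the change belongs in the module the hunk marks as `// src/overlay/caching.ts`.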
@@ -167142,7 +167251,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -167272,7 +167381,7 @@ function getToolcacheDirectory(version) { return path9.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os.arch() || "" ); } @@ -167397,13 +167506,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -167435,7 +167544,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if 
(toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -167529,21 +167686,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; 
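Review bot: `resolveDefaultCliVersion` logs that `overlayVersions[0]` is "the highest enabled version that has a cached overlay-base database", but nothing in this hunk establishes that ordering. It holds only if `defaultCliVersion.enabledVersions` is already sorted highest first, an order the `filter` in `getEnabledVersionsWithOverlayBaseDatabases` then preserves. I would state the assumption next to the filter, e.g. `// enabledVersions is ordered highest first; filter() keeps that order`, or sort explicitly if the order is not guaranteed. A one-line doc comment on each new function would also help, noting that a failed or empty cache listing falls back to `enabledVersions[0]`. The body of `getCodeQLSource`, whose signature changes here, continues outside the hunk.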
@@ -167740,7 +167909,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -167750,6 +167919,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -167808,7 +167978,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -167840,7 +168010,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions 
@@ -167877,7 +168047,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -167891,6 +168061,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -168502,7 +168673,7 @@ var io5 = __toESM(require_io()); var core12 = __toESM(require_core()); // src/dependency-caching.ts -var actionsCache3 = __toESM(require_cache5()); +var actionsCache4 = __toESM(require_cache5()); var glob = __toESM(require_glob()); var CODEQL_DEPENDENCY_CACHE_PREFIX = "codeql-dependencies"; async function getDependencyCacheUsage(logger) { @@ -170147,7 +170318,7 @@ var core14 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io6 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -170161,6 +170332,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -170317,6 +170489,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); 
@@ -170332,7 +170506,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo return readSarifFile(outputFile); } function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) { - const automationID = getAutomationID(category, analysis_key, environment); + const automationID = getAutomationID2(category, analysis_key, environment); if (automationID !== void 0) { for (const run2 of sarifFile.runs || []) { if (run2.automationDetails === void 0) { @@ -170345,7 +170519,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ } return sarifFile; } -function getAutomationID(category, analysis_key, environment) { +function getAutomationID2(category, analysis_key, environment) { if (category !== void 0) { let automationID = category; if (!automationID.endsWith("/")) { diff --git a/lib/init-action.js b/lib/init-action.js index 03ad45b9a..c4310c848 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -104817,6 +104817,18 @@ function computeAutomationID(analysis_key, environment) { } return automationID; } +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} async function getRepositoryProperties(repositoryNwo) { return getApiClient().request("GET /repos/:owner/:repo/properties/values", { owner: repositoryNwo.owner, 
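Review bot: The new `listActionsCaches` in `lib/init-action.js` has no comment telling callers how `keyPrefix` and `ref` are interpreted, and the optional `ref` matters because leaving it out returns matching caches from every ref in the repository. I would add a short doc comment above the function covering three things. It should say that the list-caches endpoint matches `key` as a prefix, that `paginate` fetches every page of matches, and that `ref`, when given, must be a full Git ref (constructed example: `refs/heads/main`).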
@@ -106556,6 +106568,17 @@ var BuiltInLanguage = /* @__PURE__ */ ((BuiltInLanguage2) => { return BuiltInLanguage2; })(BuiltInLanguage || {}); var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/diagnostics.ts async function addOverlayDisablementDiagnostics(config, codeql, overlayDisabledReason) { @@ -107803,7 +107826,7 @@ var internal = { }; // src/init.ts -var fs15 = __toESM(require("fs")); +var fs16 = __toESM(require("fs")); var path15 = __toESM(require("path")); var core12 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); @@ -107811,7 +107834,7 @@ var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); // src/codeql.ts -var fs14 = __toESM(require("fs")); +var fs15 = __toESM(require("fs")); var path14 = __toESM(require("path")); var core11 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); 
@@ -108065,20 +108088,221 @@ function wrapCliConfigurationError(cliError) { } // src/setup-codeql.ts -var fs12 = __toESM(require("fs")); +var fs13 = __toESM(require("fs")); var path12 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var fs10 = __toESM(require("fs")); +var actionsCache4 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION2 = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +var MAX_CACHE_OPERATION_MS3 = 6e5; +async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { + const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); + if (!fs10.existsSync(baseDatabaseOidsFilePath)) { + logger.warning( + `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` + ); + return false; + } + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.debug( + `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } + return true; +} +async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) { + const overlayDatabaseMode = config.overlayDatabaseMode; + if (overlayDatabaseMode !== "overlay" /* Overlay */) { + 
logger.debug( + `Overlay database mode is ${overlayDatabaseMode}. Skip downloading overlay-base database from cache.` + ); + return void 0; + } + if (!config.useOverlayDatabaseCaching) { + logger.debug( + "Overlay database caching is disabled. Skip downloading overlay-base database from cache." + ); + return void 0; + } + if (isInTestMode()) { + logger.debug( + "In test mode. Skip downloading overlay-base database from cache." + ); + return void 0; + } + const dbLocation = config.dbLocation; + const codeQlVersion = (await codeql.getVersion()).version; + const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix( + config, + codeQlVersion + ); + logger.info( + `Looking in Actions cache for overlay-base database with restore key ${cacheRestoreKeyPrefix}` + ); + let databaseDownloadDurationMs = 0; + try { + const databaseDownloadStart = performance.now(); + const foundKey = await waitForResultWithTimeLimit( + // This ten-minute limit for the cache restore operation is mainly to + // guard against the possibility that the cache service is unresponsive + // and hangs outside the data download. + // + // Data download (which is normally the most time-consuming part of the + // restore operation) should not run long enough to hit this limit. Even + // for an extremely large 10GB database, at a download speed of 40MB/s + // (see below), the download should complete within five minutes. If we + // do hit this limit, there are likely more serious problems other than + // mere slow download speed. + // + // This is important because we don't want any ongoing file operations + // on the database directory when we do hit this limit. Hitting this + // time limit takes us to a fallback path where we re-initialize the + // database from scratch at dbLocation, and having the cache restore + // operation continue to write into dbLocation in the background would + // really mess things up. 
We want to hit this limit only in the case + // of a hung cache service, not just slow download speed. + MAX_CACHE_OPERATION_MS3, + actionsCache4.restoreCache( + [dbLocation], + cacheRestoreKeyPrefix, + void 0, + { + // Azure SDK download (which is the default) uses 128MB segments; see + // https://github.com/actions/toolkit/blob/main/packages/cache/README.md. + // Setting segmentTimeoutInMs to 3000 translates to segment download + // speed of about 40 MB/s, which should be achievable unless the + // download is unreliable (in which case we do want to abort). + segmentTimeoutInMs: 3e3 + } + ), + () => { + logger.info("Timed out downloading overlay-base database from cache"); + } + ); + databaseDownloadDurationMs = Math.round( + performance.now() - databaseDownloadStart + ); + if (foundKey === void 0) { + logger.info("No overlay-base database found in Actions cache"); + return void 0; + } + logger.info( + `Downloaded overlay-base database in cache with key ${foundKey}` + ); + } catch (error3) { + logger.warning( + `Failed to download overlay-base database from cache: ${error3 instanceof Error ? 
error3.message : String(error3)}` + ); + return void 0; + } + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, + config, + logger, + "Downloaded overlay-base database is invalid" + ); + if (!databaseIsValid) { + logger.warning("Downloaded overlay-base database failed validation"); + return void 0; + } + const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); + if (databaseSizeBytes === void 0) { + logger.info( + "Filesystem error while accessing downloaded overlay-base database" + ); + return void 0; + } + logger.info(`Successfully downloaded overlay-base database to ${dbLocation}`); + return { + databaseSizeBytes: Math.round(databaseSizeBytes), + databaseDownloadDurationMs + }; +} +async function getCacheRestoreKeyPrefix(config, codeQlVersion) { + return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; +} +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." 
+ ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} // src/tar.ts var import_child_process = require("child_process"); -var fs10 = __toESM(require("fs")); +var fs11 = __toESM(require("fs")); var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { 
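Review bot: In `getCodeQlVersionsForOverlayBaseDatabases`, `listActionsCaches(cacheKeyPrefix)` is called without the `ref` argument the helper accepts, so the listing appears to cover caches from every ref in the repository, whereas the later `actionsCache4.restoreCache` call in `downloadOverlayBaseDatabaseFromCache` is limited by Actions cache scoping to what the current run may read. A cache entry written under an unrelated branch could therefore steer which enabled CodeQL version a pull-request run installs even though its database cannot be restored, leaving the run on a non-default CLI version with no overlay benefit. Consider scoping the lookup, e.g. `const caches = await listActionsCaches(cacheKeyPrefix, baseRef);`, where `baseRef` is a placeholder for the pull request's base-branch ref and is not defined in this hunk. A comment should also state that a matching key is only a hint, because the database itself is validated after download by `checkOverlayBaseDatabase`. This file looks like bundled output of `src/overlay/caching.ts`, so the change would belong in that source.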
@@ -108120,9 +108344,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -108131,7 +108355,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -108146,7 +108370,7 @@ async function isZstdAvailable(logger) { } } async function extract(tarPath, dest, compressionMethod, tarVersion, logger) { - fs10.mkdirSync(dest, { recursive: true }); + fs11.mkdirSync(dest, { recursive: true }); switch (compressionMethod) { case "gzip": return await toolcache.extractTar(tarPath, dest); @@ -108230,7 +108454,7 @@ function inferCompressionMethod(tarPath) { } // src/tools-download.ts -var fs11 = __toESM(require("fs")); +var fs12 = __toESM(require("fs")); var os4 = __toESM(require("os")); var path11 = __toESM(require("path")); var import_perf_hooks2 = require("perf_hooks"); @@ -108238,7 +108462,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { 
@@ -108337,7 +108561,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat }; } async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) { - fs11.mkdirSync(dest, { recursive: true }); + fs12.mkdirSync(dest, { recursive: true }); const agent = new import_http_client.HttpClient().getAgent(codeqlURL); headers = Object.assign( { "User-Agent": "CodeQL Action" }, @@ -108368,13 +108592,13 @@ function getToolcacheDirectory(version) { return path11.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os4.arch() || "" ); } function writeToolcacheMarkerFile(extractedPath, logger) { const markerFilePath = `${extractedPath}.complete`; - fs11.writeFileSync(markerFilePath, ""); + fs12.writeFileSync(markerFilePath, ""); logger.info(`Created toolcache marker file ${markerFilePath}`); } function sanitizeUrlForStatusReport(url) { @@ -108493,13 +108717,13 @@ function tryGetTagNameFromUrl(url, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -108509,7 +108733,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({ folder: toolcache3.find("CodeQL", version), version - })).filter(({ folder }) => fs12.existsSync(path12.join(folder, "pinned-version"))); + })).filter(({ folder }) => fs13.existsSync(path12.join(folder, "pinned-version"))); if (candidates.length === 1) { const candidate = candidates[0]; logger.debug( 
@@ -108531,7 +108755,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if 
(toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -108625,21 +108897,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown"; 
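Review bot: `resolveDefaultCliVersion` logs that `overlayVersions[0]` is "the highest enabled version that has a cached overlay-base database", but nothing in this hunk sorts the result. `getEnabledVersionsWithOverlayBaseDatabases` returns `defaultCliVersion.enabledVersions.filter(...)`, so the claim holds only if `enabledVersions` is already ordered newest-first. Document that assumption where the filter is applied, e.g. `// enabledVersions is assumed newest-first; filter() keeps that order, so [0] is the newest cached match`, or sort explicitly before indexing. It is also worth a comment that the cache listing can only choose among `enabledVersions` and never introduces a version of its own, since that is what bounds the influence of cache keys on toolchain selection. `getCodeQLSource`, whose signature changes at the end of this hunk, continues outside it.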
@@ -108836,7 +109120,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -108846,6 +109130,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -108904,7 +109189,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -108936,7 +109221,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -108956,7 +109241,7 @@ function isReservedToolsValue(tools) { } // src/tracer-config.ts -var fs13 = __toESM(require("fs")); +var fs14 = __toESM(require("fs")); var path13 = __toESM(require("path")); async function shouldEnableIndirectTracing(codeql, config) { if (config.buildMode === "none" /* None */) { 
@@ -108969,7 +109254,7 @@ async function shouldEnableIndirectTracing(codeql, config) { } async function getTracerConfigForCluster(config) { const tracingEnvVariables = JSON.parse( - fs13.readFileSync( + fs14.readFileSync( path13.resolve( config.dbLocation, "temp/tracingEnvironment/start-tracing.json" @@ -108995,7 +109280,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -109009,6 +109294,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -109078,7 +109364,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { "tools", "tracing-config.lua" ); - return fs14.existsSync(tracingConfigPath); + return fs15.existsSync(tracingConfigPath); }, async isScannedLanguage(language) { return !await this.isTracedLanguage(language); @@ -109554,7 +109840,7 @@ async function writeCodeScanningConfigFile(config, logger) { logger.startGroup("Augmented user configuration file contents"); logger.info(dump(augmentedConfig)); logger.endGroup(); - fs14.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); + fs15.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; 
@@ -109598,7 +109884,7 @@ async function getJobRunUuidSarifOptions(codeql) { } // src/init.ts -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -109612,6 +109898,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -109632,7 +109919,7 @@ async function initConfig2(features, inputs) { }); } async function runDatabaseInitCluster(databaseInitEnvironment, codeql, config, sourceRoot, processName, qlconfigFile, logger) { - fs15.mkdirSync(config.dbLocation, { recursive: true }); + fs16.mkdirSync(config.dbLocation, { recursive: true }); await wrapEnvironment( databaseInitEnvironment, async () => await codeql.databaseInitCluster( 
@@ -109668,24 +109955,24 @@ async function checkPacksForOverlayCompatibility(codeql, config, logger) { function checkPackForOverlayCompatibility(packDir, codeQlOverlayVersion, logger) { try { let qlpackPath = path15.join(packDir, "qlpack.yml"); - if (!fs15.existsSync(qlpackPath)) { + if (!fs16.existsSync(qlpackPath)) { qlpackPath = path15.join(packDir, "codeql-pack.yml"); } const qlpackContents = load( - fs15.readFileSync(qlpackPath, "utf8") + fs16.readFileSync(qlpackPath, "utf8") ); if (!qlpackContents.buildMetadata) { return true; } const packInfoPath = path15.join(packDir, ".packinfo"); - if (!fs15.existsSync(packInfoPath)) { + if (!fs16.existsSync(packInfoPath)) { logger.warning( `The query pack at ${packDir} does not have a .packinfo file, so it cannot support overlay analysis. Recompiling the query pack with the latest CodeQL CLI should solve this problem.` ); return false; } const packInfoFileContents = JSON.parse( - fs15.readFileSync(packInfoPath, "utf8") + fs16.readFileSync(packInfoPath, "utf8") ); const packOverlayVersion = packInfoFileContents.overlayVersion; if (typeof packOverlayVersion !== "number") { @@ -109720,8 +110007,8 @@ async function checkInstallPython311(languages, codeql) { ]).exec(); } } -function cleanupDatabaseClusterDirectory(config, logger, options = {}, rmSync2 = fs15.rmSync) { - if (fs15.existsSync(config.dbLocation) && (fs15.statSync(config.dbLocation).isFile() || fs15.readdirSync(config.dbLocation).length > 0)) { +function cleanupDatabaseClusterDirectory(config, logger, options = {}, rmSync2 = fs16.rmSync) { + if (fs16.existsSync(config.dbLocation) && (fs16.statSync(config.dbLocation).isFile() || fs16.readdirSync(config.dbLocation).length > 0)) { if (!options.disableExistingDirectoryWarning) { logger.warning( `The database cluster directory ${config.dbLocation} must be empty. Attempting to clean it up.` 
@@ -109825,163 +110112,6 @@ To opt out of this change, ${envVarOptOut}`; core12.exportVariable("CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION" /* DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION */, "true"); } -// src/overlay/caching.ts -var fs16 = __toESM(require("fs")); -var actionsCache4 = __toESM(require_cache5()); -var semver9 = __toESM(require_semver2()); -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; -var CACHE_VERSION2 = 1; -var CACHE_PREFIX = "codeql-overlay-base-database"; -var MAX_CACHE_OPERATION_MS3 = 6e5; -async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { - const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); - if (!fs16.existsSync(baseDatabaseOidsFilePath)) { - logger.warning( - `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` - ); - return false; - } - for (const language of config.languages) { - const dbPath = getCodeQLDatabasePath(config, language); - try { - const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); - if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { - logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); - return false; - } else { - logger.debug( - `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` - ); - } - } catch (e) { - logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); - return false; - } - } - return true; -} -async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) { - const overlayDatabaseMode = config.overlayDatabaseMode; - if (overlayDatabaseMode !== "overlay" /* Overlay */) { - logger.debug( - `Overlay database mode is ${overlayDatabaseMode}. 
Skip downloading overlay-base database from cache.` - ); - return void 0; - } - if (!config.useOverlayDatabaseCaching) { - logger.debug( - "Overlay database caching is disabled. Skip downloading overlay-base database from cache." - ); - return void 0; - } - if (isInTestMode()) { - logger.debug( - "In test mode. Skip downloading overlay-base database from cache." - ); - return void 0; - } - const dbLocation = config.dbLocation; - const codeQlVersion = (await codeql.getVersion()).version; - const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix( - config, - codeQlVersion - ); - logger.info( - `Looking in Actions cache for overlay-base database with restore key ${cacheRestoreKeyPrefix}` - ); - let databaseDownloadDurationMs = 0; - try { - const databaseDownloadStart = performance.now(); - const foundKey = await waitForResultWithTimeLimit( - // This ten-minute limit for the cache restore operation is mainly to - // guard against the possibility that the cache service is unresponsive - // and hangs outside the data download. - // - // Data download (which is normally the most time-consuming part of the - // restore operation) should not run long enough to hit this limit. Even - // for an extremely large 10GB database, at a download speed of 40MB/s - // (see below), the download should complete within five minutes. If we - // do hit this limit, there are likely more serious problems other than - // mere slow download speed. - // - // This is important because we don't want any ongoing file operations - // on the database directory when we do hit this limit. Hitting this - // time limit takes us to a fallback path where we re-initialize the - // database from scratch at dbLocation, and having the cache restore - // operation continue to write into dbLocation in the background would - // really mess things up. We want to hit this limit only in the case - // of a hung cache service, not just slow download speed. 
- MAX_CACHE_OPERATION_MS3, - actionsCache4.restoreCache( - [dbLocation], - cacheRestoreKeyPrefix, - void 0, - { - // Azure SDK download (which is the default) uses 128MB segments; see - // https://github.com/actions/toolkit/blob/main/packages/cache/README.md. - // Setting segmentTimeoutInMs to 3000 translates to segment download - // speed of about 40 MB/s, which should be achievable unless the - // download is unreliable (in which case we do want to abort). - segmentTimeoutInMs: 3e3 - } - ), - () => { - logger.info("Timed out downloading overlay-base database from cache"); - } - ); - databaseDownloadDurationMs = Math.round( - performance.now() - databaseDownloadStart - ); - if (foundKey === void 0) { - logger.info("No overlay-base database found in Actions cache"); - return void 0; - } - logger.info( - `Downloaded overlay-base database in cache with key ${foundKey}` - ); - } catch (error3) { - logger.warning( - `Failed to download overlay-base database from cache: ${error3 instanceof Error ? 
error3.message : String(error3)}` - ); - return void 0; - } - const databaseIsValid = await checkOverlayBaseDatabase( - codeql, - config, - logger, - "Downloaded overlay-base database is invalid" - ); - if (!databaseIsValid) { - logger.warning("Downloaded overlay-base database failed validation"); - return void 0; - } - const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); - if (databaseSizeBytes === void 0) { - logger.info( - "Filesystem error while accessing downloaded overlay-base database" - ); - return void 0; - } - logger.info(`Successfully downloaded overlay-base database to ${dbLocation}`); - return { - databaseSizeBytes: Math.round(databaseSizeBytes), - databaseDownloadDurationMs - }; -} -async function getCacheRestoreKeyPrefix(config, codeQlVersion) { - return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; -} -async function getCacheKeyPrefixBase(parsedLanguages) { - const languagesComponent = [...parsedLanguages].sort().join("_"); - const cacheKeyComponents = { - automationID: await getAutomationID() - // Add more components here as needed in the future - }; - const componentsHash = createCacheKeyHash(cacheKeyComponents); - return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; -} - // src/status-report.ts var os5 = __toESM(require("os")); var core13 = __toESM(require_core()); @@ -110551,12 +110681,16 @@ async function run(startedAt) { } const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; + const rawLanguages = getRawLanguagesNoAutodetect( + getOptionalInput("languages") + ); const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + rawLanguages, features, logger ); 
diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 6d9b50f18..2d03ee808 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, 
@@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, 
@@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -51958,7 +51958,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs6 = __importStar2(require("fs")); var path7 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core14.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); 
@@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var path7 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); 
@@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -99856,7 +99856,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path7 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); 
@@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch}`); core14.debug(`source dir: ${sourceDir}`); @@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch}`); core14.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path7.join(_getCacheDirectory(), toolName, versionSpec, arch); core14.debug(`checking cache: ${cachePath}`); if (fs6.existsSync(cachePath) && fs6.existsSync(`${cachePath}.complete`)) { @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core14.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io5.rmRF(folderPath); 
@@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs6.writeFileSync(markerPath, ""); core14.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core14.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core14.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core14.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core14.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -105034,20 +105034,26 @@ var toolrunner3 = __toESM(require_toolrunner()); // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/tracer-config.ts diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index e647efada..fd4f84a37 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs10 = __importStar2(require("fs")); var os3 = __importStar2(require("os")); var utils_1 = require_utils(); 
@@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4262,11 +4262,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); + supportedHashes = crypto3.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4539,7 +4539,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4554,7 +4554,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); 
@@ -5618,8 +5618,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17023,13 +17023,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17042,7 +17042,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17114,9 +17114,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url, protocols, client, ws, onEstablish, options) { 
@@ -17136,7 +17136,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17166,7 +17166,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -25260,11 +25260,11 @@ var require_util10 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl2(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); + supportedHashes = crypto3.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -25537,7 +25537,7 @@ var require_util10 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); 
@@ -25552,7 +25552,7 @@ var require_util10 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -26616,8 +26616,8 @@ var require_body2 = __commonJS({ var { multipartFormDataParser } = require_formdata_parser2(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -38021,13 +38021,13 @@ var require_frame2 = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants10(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -38040,7 +38040,7 @@ var require_frame2 = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } 
@@ -38112,9 +38112,9 @@ var require_connection2 = __commonJS({ var { Headers, getHeadersList } = require_headers2(); var { getDecodeSplit } = require_util10(); var { WebsocketFrameSend } = require_frame2(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url, protocols, client, ws, onEstablish, options) { @@ -38134,7 +38134,7 @@ var require_connection2 = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -38164,7 +38164,7 @@ var require_connection2 = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); 
@@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, 
@@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, 
@@ -50550,7 +50550,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core15 = __importStar2(require_core()); var fs10 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -50563,7 +50563,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core15.info : core15.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { @@ -50579,7 +50579,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash = crypto2.createHash("sha256"); + const hash = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs10.createReadStream(file), hash); result.write(hash.digest()); @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; 
@@ -51955,10 +51955,10 @@ var require_cacheUtils = __commonJS({ var exec = __importStar2(require_exec()); var glob = __importStar2(require_glob()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs10 = __importStar2(require("fs")); var path10 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -51979,7 +51979,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path10.join(baseLocation, "actions", "temp"); } - const dest = path10.join(tempDirectory, crypto2.randomUUID()); + const dest = path10.join(tempDirectory, crypto3.randomUUID()); yield io6.mkdirP(dest); return dest; }); @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -52087,7 +52087,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; 
@@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var path10 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); 
@@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os3 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; 
@@ -99850,13 +99850,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core15 = __importStar2(require_core()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs10 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os3 = __importStar2(require("os")); var path10 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -99875,7 +99875,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path10.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path10.join(_getTempDirectory(), crypto3.randomUUID()); yield io6.mkdirP(path10.dirname(dest)); core15.debug(`Downloading ${url}`); core15.debug(`Destination ${dest}`); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch2}`); core15.debug(`source dir: ${sourceDir}`); 
@@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch2}`); core15.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path10.join(_getCacheDirectory(), toolName, versionSpec, arch2); core15.debug(`checking cache: ${cachePath}`); if (fs10.existsSync(cachePath) && fs10.existsSync(`${cachePath}.complete`)) { @@ -100249,7 +100249,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path10.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path10.join(_getTempDirectory(), crypto3.randomUUID()); } yield io6.mkdirP(dest); return dest; @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path10.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path10.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); 
@@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path10.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path10.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs10.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -103784,6 +103784,12 @@ async function checkForTimeout() { process.exit(); } } +function parseMatrixInput(matrixInput) { + if (matrixInput === void 0 || matrixInput === "null") { + return void 0; + } + return JSON.parse(matrixInput); +} function wrapError(error3) { return error3 instanceof Error ? error3 : new Error(String(error3)); } 
@@ -104003,6 +104009,32 @@ async function runTool(cmd, args = [], opts = {}) { } return stdout; } +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} // src/api-client.ts var core5 = __toESM(require_core()); 
@@ -104202,6 +104234,37 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} +function computeAutomationID(analysis_key, environment) { + let automationID = `${analysis_key}/`; + const matrix = parseMatrixInput(environment); + if (matrix !== void 0) { + for (const entry of Object.entries(matrix).sort()) { + if (typeof entry[1] === "string") { + automationID += `${entry[0]}:${entry[1]}/`; + } else { + automationID += `${entry[0]}:/`; + } + } + } + return automationID; +} +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} function isEnablementError(msg) { return [ /Code Security must be enabled/i, @@ -105384,7 +105447,13 @@ var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core7 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/config/db-config.ts var jsonschema = __toESM(require_lib2()); 
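Review bot: In `computeAutomationID`, every matrix value that is not a string is emitted as `key:/`, so two matrix jobs that differ only in a number, boolean or nested value get the same automation ID. Later in this file `getCacheKeyPrefixBase` hashes that ID into the overlay-base cache key prefix, so such jobs would also look up the same cache entries. Changing the serialisation would alter existing IDs, so I would only document it, with a comment above the loop such as `// Non-string matrix values are omitted on purpose; jobs differing only in those share an ID.` if that is indeed the intent.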
@@ -105529,6 +105598,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache5()); 
@@ -105584,7 +105664,68 @@ var fs8 = __toESM(require("fs")); var path8 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? 
"database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} // src/tar.ts var import_child_process = require("child_process"); @@ -105593,7 +105734,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -105635,9 +105776,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -105646,7 +105787,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; 
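Review bot: `getCodeQlVersionsForOverlayBaseDatabases` calls `listActionsCaches(cacheKeyPrefix)` without the `ref` argument, so the listing is not restricted to any ref and may include entries the current pull request run cannot restore. A run on an unrelated branch or pull request that writes an entry under this prefix could then influence which CodeQL version is chosen elsewhere; the choice is still limited to enabled versions by the filter in `getEnabledVersionsWithOverlayBaseDatabases`. Consider passing the ref the overlay-base databases are expected to come from, `await listActionsCaches(cacheKeyPrefix, expectedRef)` (`expectedRef` is a placeholder), or skipping entries whose `cache.ref` differs from it. Which ref is correct is not visible in this hunk.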
@@ -105753,7 +105894,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -105883,7 +106024,7 @@ function getToolcacheDirectory(version) { return path7.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os.arch() || "" ); } @@ -106008,13 +106149,13 @@ function tryGetTagNameFromUrl(url, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -106046,7 +106187,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if 
(toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -106140,21 +106329,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown"; 
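Review bot: `resolveDefaultCliVersion` logs `overlayVersions[0]` as "the highest enabled version that has a cached overlay-base database", but nothing in this hunk sorts the list. The statement holds only if `defaultCliVersion.enabledVersions` is already ordered newest first, an order `filter()` in `getEnabledVersionsWithOverlayBaseDatabases` then preserves. Because this path can select an older CLI than `enabledVersions[0]` for pull requests, the assumption is worth stating next to the filter, for example `// enabledVersions is assumed to be sorted newest first; filter() keeps that order.` Neither function has a doc comment; a short one on `resolveDefaultCliVersion` saying that the result is always one of the enabled versions would make the bound on the downgrade explicit.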
@@ -106351,7 +106552,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -106361,6 +106562,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -106419,7 +106621,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -106451,7 +106653,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions 
@@ -106488,7 +106690,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -106502,6 +106704,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -107091,7 +107294,7 @@ async function getJobRunUuidSarifOptions(codeql) { } // src/init.ts -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -107105,6 +107308,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -107405,6 +107609,8 @@ async function run(startedAt) { getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: currently, setup-codeql is not language aware features, logger ); diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 86f78ffda..60fa054a6 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js 
@@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, 
@@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, 
@@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -51958,7 +51958,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs3 = __importStar2(require("fs")); var path4 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); 
@@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var path4 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); 
@@ -106616,7 +106616,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -106626,9 +106626,9 @@ var require_stream_writable = __commonJS({ if (er) { stream.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; @@ -157681,7 +157681,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -157695,7 +157695,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -157704,7 +157704,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; 
@@ -157964,7 +157964,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path4 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -158237,7 +158237,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -158255,7 +158255,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -158285,7 +158285,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path4.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) { 
@@ -158365,7 +158365,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); @@ -158375,30 +158375,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs3.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -162446,24 +162446,30 @@ var cliErrorsConfig = { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/dependency-caching.ts -var actionsCache3 = __toESM(require_cache5()); +var actionsCache4 = __toESM(require_cache5()); var glob = __toESM(require_glob()); // src/artifact-scanner.ts diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 17dbf166e..0dfb131c1 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs14 = __importStar2(require("fs")); var os2 = __importStar2(require("os")); var utils_1 = require_utils(); 
@@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4262,11 +4262,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -4539,7 +4539,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4554,7 +4554,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); 
@@ -5618,8 +5618,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17023,13 +17023,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17042,7 +17042,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17114,9 +17114,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { 
@@ -17136,7 +17136,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17166,7 +17166,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -21922,16 +21922,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; 
@@ -22220,8 +22220,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -22234,8 +22234,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -26565,11 +26565,11 @@ var require_util10 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl2(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -26842,7 +26842,7 @@ var require_util10 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); 
@@ -26857,7 +26857,7 @@ var require_util10 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -27921,8 +27921,8 @@ var require_body2 = __commonJS({ var { multipartFormDataParser } = require_formdata_parser2(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -39326,13 +39326,13 @@ var require_frame2 = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants10(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -39345,7 +39345,7 @@ var require_frame2 = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } 
@@ -39417,9 +39417,9 @@ var require_connection2 = __commonJS({ var { Headers, getHeadersList } = require_headers2(); var { getDecodeSplit } = require_util10(); var { WebsocketFrameSend } = require_frame2(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { @@ -39439,7 +39439,7 @@ var require_connection2 = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -39469,7 +39469,7 @@ var require_connection2 = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -45836,11 +45836,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); 
@@ -45983,8 +45983,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare2 = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -47200,7 +47200,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -47209,7 +47209,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -47238,7 +47238,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -47247,7 +47247,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -50550,7 +50550,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core14 = __importStar2(require_core()); var fs14 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); 
@@ -50563,7 +50563,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core14.info : core14.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { @@ -50579,7 +50579,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash2 = crypto2.createHash("sha256"); + const hash2 = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs14.createReadStream(file), hash2); result.write(hash2.digest()); @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; 
@@ -51955,10 +51955,10 @@ var require_cacheUtils = __commonJS({ var exec = __importStar2(require_exec()); var glob = __importStar2(require_glob()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs14 = __importStar2(require("fs")); var path12 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -51979,7 +51979,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path12.join(baseLocation, "actions", "temp"); } - const dest = path12.join(tempDirectory, crypto2.randomUUID()); + const dest = path12.join(tempDirectory, crypto3.randomUUID()); yield io6.mkdirP(dest); return dest; }); @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core14.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -52087,7 +52087,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; 
@@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var path12 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); 
@@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; 
@@ -99850,13 +99850,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core14 = __importStar2(require_core()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs14 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os2 = __importStar2(require("os")); var path12 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -99875,7 +99875,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url2, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path12.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path12.join(_getTempDirectory(), crypto3.randomUUID()); yield io6.mkdirP(path12.dirname(dest)); core14.debug(`Downloading ${url2}`); core14.debug(`Destination ${dest}`); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch2}`); core14.debug(`source dir: ${sourceDir}`); 
@@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch2}`); core14.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path12.join(_getCacheDirectory(), toolName, versionSpec, arch2); core14.debug(`checking cache: ${cachePath}`); if (fs14.existsSync(cachePath) && fs14.existsSync(`${cachePath}.complete`)) { @@ -100249,7 +100249,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path12.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path12.join(_getTempDirectory(), crypto3.randomUUID()); } yield io6.mkdirP(dest); return dest; @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path12.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core14.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); 
@@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path12.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs14.writeFileSync(markerPath, ""); core14.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core14.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core14.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core14.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core14.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -106809,6 +106809,32 @@ async function runTool(cmd, args = [], opts = {}) { } return stdout; } +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -107091,6 +107117,11 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} function computeAutomationID(analysis_key, environment) { let automationID = `${analysis_key}/`; const matrix = parseMatrixInput(environment); 
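Review bot: getPullRequestBranches returns `pullRequest.head.label` and `CODE_SCANNING_REF` unmodified, and nothing on the function says that these strings come from the event payload and the environment rather than from the repository's own configuration. The head label in particular is built from the fork owner and branch name chosen by whoever opened the pull request. The only consumer visible in this hunk is isAnalyzingPullRequest, which just tests for `undefined`, so there is no problem today. A doc comment would still stop later callers from treating the values as trusted, for example `// base/head are externally supplied branch names: validate before using them in paths, cache keys or command arguments`. It would also help to state that the presence of both `CODE_SCANNING_REF` and `CODE_SCANNING_BASE_BRANCH` is what marks a Default Setup run as a pull-request analysis.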
@@ -107105,6 +107136,18 @@ function computeAutomationID(analysis_key, environment) { } return automationID; } +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} function isEnablementError(msg) { return [ /Code Security must be enabled/i, @@ -107403,7 +107446,13 @@ var path6 = __toESM(require("path")); var core9 = __toESM(require_core()); // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core6 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/config/db-config.ts var jsonschema = __toESM(require_lib2()); @@ -108136,6 +108185,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache5()); @@ -108215,7 +108275,7 @@ var fs9 = __toESM(require("fs")); var path8 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; 
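Review bot: `ref` is optional in listActionsCaches, and the one caller visible in this diff, getCodeQlVersionsForOverlayBaseDatabases in the src/overlay/caching.ts hunk further down, passes only the key prefix. The listing is therefore not limited to refs whose caches this run can restore. Entries on other refs, including ones written by pull-request runs, then influence which CLI version is selected. The later intersection with `defaultCliVersion.enabledVersions` bounds that to already-enabled versions, but a stale or foreign entry can still keep the run on an older one. Consider passing the base branch from the caller, e.g. `listActionsCaches(cacheKeyPrefix, baseRef)` with `baseRef` in the `refs/heads/<base>` form (the format of `CODE_SCANNING_BASE_BRANCH` is not shown here, so that path needs checking). A comment on this function should also say that the request needs `actions: read` on the token and returns every matching cache in the repository when `ref` is omitted.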
@@ -108261,6 +108321,67 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? 
"database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); var fs7 = __toESM(require("fs")); @@ -108268,7 +108389,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -108310,9 +108431,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -108321,7 +108442,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; 
@@ -108428,7 +108549,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -108558,7 +108679,7 @@ function getToolcacheDirectory(version) { return path7.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os.arch() || "" ); } @@ -108683,13 +108804,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -108721,7 +108842,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if 
(toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -108815,21 +108984,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; 
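Review bot: resolveDefaultCliVersion logs that `overlayVersions[0]` is "the highest enabled version that has a cached overlay-base database", but the order of `overlayVersions` comes from `defaultCliVersion.enabledVersions` via `filter`, not from the `rcompare`-sorted list built from cache keys. The message is only accurate if `enabledVersions` is already ordered newest-first, which this hunk does not show. I would state that assumption, and the trust boundary, on getEnabledVersionsWithOverlayBaseDatabases: `// Cache keys only filter enabledVersions (assumed newest-first); a version parsed from a key is never used as a download target.` That records that a version string must always be matched against the enabled list before use, so a later refactor does not start returning `cachedVersions` directly.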
@@ -109026,7 +109207,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -109036,6 +109217,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -109094,7 +109276,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -109126,7 +109308,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions 
@@ -109163,7 +109345,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -109177,6 +109359,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -110898,7 +111081,7 @@ var core12 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -110912,6 +111095,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -111068,6 +111252,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); 
@@ -111083,7 +111269,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo return readSarifFile(outputFile); } function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) { - const automationID = getAutomationID(category, analysis_key, environment); + const automationID = getAutomationID2(category, analysis_key, environment); if (automationID !== void 0) { for (const run of sarifFile.runs || []) { if (run.automationDetails === void 0) { @@ -111096,7 +111282,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ } return sarifFile; } -function getAutomationID(category, analysis_key, environment) { +function getAutomationID2(category, analysis_key, environment) { if (category !== void 0) { let automationID = category; if (!automationID.endsWith("/")) { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index d0733a471..4824e4595 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); 
@@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -98792,7 +98792,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -98802,9 +98802,9 @@ var require_stream_writable = __commonJS({ if (er) { stream.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; 
@@ -150217,16 +150217,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -150515,8 +150515,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -150529,8 +150529,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, 
@@ -153258,8 +153258,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -153559,8 +153559,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -154388,7 +154388,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs3 = __importStar2(require("fs")); var path3 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants24(); var versionSalt = "1.0"; @@ -154481,7 +154481,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -155791,7 +155791,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); 
@@ -155968,7 +155968,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -157242,8 +157242,8 @@ var require_cache6 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var path3 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -157300,7 +157300,7 @@ var require_cache6 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -157444,7 +157444,7 @@ var require_cache6 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); 
@@ -157681,7 +157681,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -157695,7 +157695,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -157704,7 +157704,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -157964,7 +157964,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path3 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); 
@@ -158237,7 +158237,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -158255,7 +158255,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -158285,7 +158285,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path3.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) { @@ -158365,7 +158365,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); 
@@ -158375,30 +158375,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs3.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -162433,24 +162433,30 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache6()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/dependency-caching.ts -var actionsCache3 = __toESM(require_cache6()); +var actionsCache4 = __toESM(require_cache6()); var glob = __toESM(require_glob2()); // src/artifact-scanner.ts diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 1ba53990b..520b5270c 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs15 = __importStar2(require("fs")); var os3 = __importStar2(require("os")); var utils_1 = require_utils(); 
@@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4262,11 +4262,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -4539,7 +4539,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4554,7 +4554,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); 
@@ -5618,8 +5618,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17023,13 +17023,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17042,7 +17042,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17114,9 +17114,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { 
@@ -17136,7 +17136,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17166,7 +17166,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -25260,11 +25260,11 @@ var require_util10 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl2(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -25537,7 +25537,7 @@ var require_util10 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); 
@@ -25552,7 +25552,7 @@ var require_util10 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -26616,8 +26616,8 @@ var require_body2 = __commonJS({ var { multipartFormDataParser } = require_formdata_parser2(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -38021,13 +38021,13 @@ var require_frame2 = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants10(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -38040,7 +38040,7 @@ var require_frame2 = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } 
@@ -38112,9 +38112,9 @@ var require_connection2 = __commonJS({ var { Headers, getHeadersList } = require_headers2(); var { getDecodeSplit } = require_util10(); var { WebsocketFrameSend } = require_frame2(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { @@ -38134,7 +38134,7 @@ var require_connection2 = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -38164,7 +38164,7 @@ var require_connection2 = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); 
@@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare2 = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, 
@@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, 
@@ -50550,7 +50550,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core16 = __importStar2(require_core()); var fs15 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -50563,7 +50563,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core16.info : core16.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { @@ -50579,7 +50579,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash2 = crypto2.createHash("sha256"); + const hash2 = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs15.createReadStream(file), hash2); result.write(hash2.digest()); @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; 
@@ -51955,10 +51955,10 @@ var require_cacheUtils = __commonJS({ var exec = __importStar2(require_exec()); var glob = __importStar2(require_glob()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs15 = __importStar2(require("fs")); var path13 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -51979,7 +51979,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path13.join(baseLocation, "actions", "temp"); } - const dest = path13.join(tempDirectory, crypto2.randomUUID()); + const dest = path13.join(tempDirectory, crypto3.randomUUID()); yield io6.mkdirP(dest); return dest; }); @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core16.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -52087,7 +52087,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; 
@@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core16 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core16 = __importStar2(require_core()); var path13 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core16.debug(`Cache service version: ${cacheServiceVersion}`); 
@@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core16.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os3 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; 
@@ -99850,13 +99850,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core16 = __importStar2(require_core()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs15 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os3 = __importStar2(require("os")); var path13 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -99875,7 +99875,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url2, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path13.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path13.join(_getTempDirectory(), crypto3.randomUUID()); yield io6.mkdirP(path13.dirname(dest)); core16.debug(`Downloading ${url2}`); core16.debug(`Destination ${dest}`); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core16.debug(`Caching tool ${tool} ${version} ${arch2}`); core16.debug(`source dir: ${sourceDir}`); 
@@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core16.debug(`Caching tool ${tool} ${version} ${arch2}`); core16.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path13.join(_getCacheDirectory(), toolName, versionSpec, arch2); core16.debug(`checking cache: ${cachePath}`); if (fs15.existsSync(cachePath) && fs15.existsSync(`${cachePath}.complete`)) { @@ -100249,7 +100249,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path13.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path13.join(_getTempDirectory(), crypto3.randomUUID()); } yield io6.mkdirP(dest); return dest; @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path13.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path13.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core16.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); 
@@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path13.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path13.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs15.writeFileSync(markerPath, ""); core16.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core16.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core16.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core16.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core16.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -106847,6 +106847,32 @@ var persistInputs = function() { ); core4.saveState(persistedInputsKey, JSON.stringify(inputEnvironmentVariables)); }; +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -107139,6 +107165,11 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} function computeAutomationID(analysis_key, environment) { let automationID = `${analysis_key}/`; const matrix = parseMatrixInput(environment); 
@@ -107153,6 +107184,18 @@ function computeAutomationID(analysis_key, environment) { } return automationID; } +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} function isEnablementError(msg) { return [ /Code Security must be enabled/i, @@ -108202,7 +108245,13 @@ var path7 = __toESM(require("path")); var core9 = __toESM(require_core()); // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core8 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/config/db-config.ts var jsonschema = __toESM(require_lib2()); @@ -108343,6 +108392,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache5()); @@ -108892,7 +108952,7 @@ var fs11 = __toESM(require("fs")); var path9 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; 
@@ -108938,6 +108998,67 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? 
"database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); var fs9 = __toESM(require("fs")); @@ -108945,7 +109066,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -108987,9 +109108,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -108998,7 +109119,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; 
@@ -109105,7 +109226,7 @@ var core11 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -109235,7 +109356,7 @@ function getToolcacheDirectory(version) { return path8.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os2.arch() || "" ); } @@ -109360,13 +109481,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -109398,7 +109519,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if 
(toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -109492,21 +109661,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; 
@@ -109703,7 +109884,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -109713,6 +109894,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -109771,7 +109953,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -109803,7 +109985,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions 
@@ -109840,7 +110022,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -109854,6 +110036,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -111575,7 +111758,7 @@ var core13 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -111589,6 +111772,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -111674,6 +111858,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); 
@@ -111689,7 +111875,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo return readSarifFile(outputFile); } function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) { - const automationID = getAutomationID(category, analysis_key, environment); + const automationID = getAutomationID2(category, analysis_key, environment); if (automationID !== void 0) { for (const run2 of sarifFile.runs || []) { if (run2.automationDetails === void 0) { @@ -111702,7 +111888,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ } return sarifFile; } -function getAutomationID(category, analysis_key, environment) { +function getAutomationID2(category, analysis_key, environment) { if (category !== void 0) { let automationID = category; if (!automationID.endsWith("/")) { diff --git a/src/codeql.test.ts b/src/codeql.test.ts index de7c40096..60756101f 100644 --- a/src/codeql.test.ts +++ b/src/codeql.test.ts @@ -72,6 +72,7 @@ async function installIntoToolcache({ cliVersion !== undefined ? { enabledVersions: [{ cliVersion, tagName }] } : SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages createFeatures([]), getRunnerLogger(true), false, @@ -143,6 +144,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -175,6 +177,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -214,6 +217,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -264,6 +268,7 @@ for (const { tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, 
@@ -308,6 +313,7 @@ for (const toolcacheVersion of [ tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -352,6 +358,7 @@ test.serial( }, ], }, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -398,6 +405,7 @@ test.serial( }, ], }, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -437,6 +445,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -478,6 +487,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, diff --git a/src/codeql.ts b/src/codeql.ts index ecad2ea19..046d3e719 100644 --- a/src/codeql.ts +++ b/src/codeql.ts @@ -305,6 +305,7 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; * @param tempDir * @param variant * @param defaultCliVersion + * @param rawLanguages Raw set of languages. * @param features Information about the features that are enabled. * @param logger * @param checkVersion Whether to check that CodeQL CLI meets the minimum @@ -317,6 +318,7 @@ export async function setupCodeQL( tempDir: string, variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, features: FeatureEnablement, logger: Logger, checkVersion: boolean, @@ -340,6 +342,7 @@ export async function setupCodeQL( tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, ); diff --git a/src/init-action.ts b/src/init-action.ts index 3d599d545..96745e203 100644 --- a/src/init-action.ts +++ b/src/init-action.ts 
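Review bot: The added `@param rawLanguages Raw set of languages.` line in setupCodeQL's doc comment (src/codeql.ts) does not say what the value is used for or what `undefined` means, even though several call sites on this page pass `undefined`. Going by the bundled code shown on this page, the value only feeds the lookup of cached overlay-base databases that picks the default CLI version on pull requests, and an undefined or empty value skips that lookup. I would write `@param rawLanguages Languages requested for this run, if known; used only to look for cached overlay-base databases when choosing the default CLI version. Pass undefined to skip that lookup.` The body of setupCodeQL continues outside these hunks.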
@@ -301,12 +301,16 @@ async function run(startedAt: Date) { const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; + const rawLanguages = configUtils.getRawLanguagesNoAutodetect( + getOptionalInput("languages"), + ); const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + rawLanguages, features, logger, ); diff --git a/src/init.ts b/src/init.ts index 8ed6f6400..ef1f426d0 100644 --- a/src/init.ts +++ b/src/init.ts @@ -39,6 +39,7 @@ export async function initCodeQL( tempDir: string, variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, features: FeatureEnablement, logger: Logger, ): Promise<{ @@ -61,6 +62,7 @@ export async function initCodeQL( tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true, diff --git a/src/setup-codeql-action.ts b/src/setup-codeql-action.ts index 34d5d76aa..5e6c82442 100644 --- a/src/setup-codeql-action.ts +++ b/src/setup-codeql-action.ts @@ -145,6 +145,7 @@ async function run(startedAt: Date): Promise { getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + undefined, // rawLanguages: currently, setup-codeql is not language aware features, logger, ); diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index c35bd1d9d..820e6acd4 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -107,6 +107,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, 
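Review bot: Passing `rawLanguages` into `initCodeQL` in src/init-action.ts is what lets pull-request runs choose the CodeQL CLI version from Actions cache key names, and that lookup is not restricted to a trusted ref. In the bundled output on this page, `getCodeQlVersionsForOverlayBaseDatabases` calls `listActionsCaches(cacheKeyPrefix)` without the `ref` argument the helper accepts, so an entry written from any branch or pull-request ref appears to count as evidence that a version has an overlay-base database. The effect is bounded, because the result is intersected with `defaultCliVersion.enabledVersions`, but a stray or deliberately named entry could still hold pull-request analysis on an older enabled version. I would pass the ref that overlay-base databases are actually saved from (presumably the default branch; confirm against the code that saves them), or add a comment stating why entries from any ref are acceptable. `run` starts and ends outside this hunk.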
@@ -130,6 +131,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "linked", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -155,6 +157,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "latest", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -211,6 +214,7 @@ test.serial( "tmp/codeql_action_test/", GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, logger, ); @@ -266,6 +270,7 @@ test.serial( "tmp/codeql_action_test/", GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, logger, ); @@ -317,6 +322,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "nightly", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -378,6 +384,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( undefined, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -432,6 +439,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "toolcache", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -499,6 +507,7 @@ const toolcacheInputFallbackMacro = test.macro({ const source = await setupCodeql.getCodeQLSource( "toolcache", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, 
@@ -601,3 +610,155 @@ test.serial( t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1"); }, ); + +function makeOverlayMatchFeatures( + matchFlagEnabled: boolean, +): FeatureEnablement { + return { + getEnabledDefaultCliVersions: async () => { + throw new Error("not implemented"); + }, + getValue: async (feature) => { + if (feature === Feature.OverlayAnalysisMatchCodeqlVersion) { + return matchFlagEnabled; + } + return false; + }, + }; +} + +const overlayMatchEnabledVersions = { + enabledVersions: [ + { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" }, + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ], + toolsFeatureFlagsValid: true, +}; + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases returns flag-enabled versions present in cache, sorted desc", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + // Newer than any flag-enabled version: should be filtered out. + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.21.0-abc-1-1", + }, + // Flag-enabled versions present in the cache. 
+ { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-def-2-1", + }, + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.0-ghi-3-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures(true), + getRunnerLogger(true), + ); + t.deepEqual(result, [ + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ]); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases returns empty when no cached version is flag-enabled", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.19.0-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures(true), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases does not list caches when gate is off", + async (t) => { + const listStub = sinon.stub(api, "listActionsCaches").resolves([]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures(false), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + t.assert( + listStub.notCalled, + "Should not list Actions caches when the gating feature flag is off.", + ); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is empty", + async (t) => { + const listStub = sinon.stub(api, "listActionsCaches").resolves([]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + undefined, + 
makeOverlayMatchFeatures(true), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + t.assert( + listStub.notCalled, + "Should not list Actions caches without rawLanguages.", + ); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed")); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures(true), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases includes the highest version when it is cached", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.2-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures(true), + getRunnerLogger(true), + ); + t.deepEqual(result, [ + { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" }, + ]); + }, +); diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 41eb7f1e4..6a0071eb1 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts 
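Review bot: The case titled "does not list caches when rawLanguages is empty" passes `undefined`, so the `rawLanguages.length === 0` guard in `getEnabledVersionsWithOverlayBaseDatabases` is never exercised. A sibling case passing `[], // rawLanguages` with the same `listStub.notCalled` assertion would cover it. The stubbed cache keys also vary only in their version segment, so no case shows that a key for another language or a malformed key is ignored. Adding one such entry to the first test's `listActionsCaches` stub would pin that down, assuming key parsing is reached through these stubs.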
@@ -7,17 +7,23 @@ import { default as deepEqual } from "fast-deep-equal"; import * as semver from "semver"; import { v4 as uuidV4 } from "uuid"; -import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util"; +import { + isAnalyzingPullRequest, + isDynamicWorkflow, + isRunningLocalAction, +} from "./actions-util"; import * as api from "./api-client"; import * as defaults from "./defaults.json"; import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics"; import { CODEQL_VERSION_ZSTD_BUNDLE, CodeQLDefaultVersionInfo, + CodeQLVersionInfo, Feature, FeatureEnablement, } from "./feature-flags"; import { Logger } from "./logging"; +import { getCodeQlVersionsForOverlayBaseDatabases } from "./overlay/caching"; import * as tar from "./tar"; import { downloadAndExtract, 
@@ -264,12 +270,84 @@ async function findOverridingToolsInCache( return undefined; } +/** Returns the sorted set of enabled versions that have cached overlay-base databases. */ +export async function getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, + features: FeatureEnablement, + logger: Logger, +): Promise { + if (rawLanguages === undefined || rawLanguages.length === 0) { + return []; + } + if (!(await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersion))) { + return []; + } + + let cachedVersions: string[] | undefined; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger, + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}`, + ); + return []; + } + if (cachedVersions === undefined || cachedVersions.length === 0) { + return []; + } + + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter((v) => + cachedVersionsSet.has(v.cliVersion), + ); +} + +/** + * Resolves the newest enabled default CLI version that has a cached overlay-base database for the + * relevant languages, if analyzing a pull request and one exists. Otherwise, falls back to the + * newest enabled default CLI version. 
+ */ +async function resolveDefaultCliVersion( + defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, + features: FeatureEnablement, + logger: Logger, +): Promise { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger, + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the ` + + `highest enabled version that has a cached overlay-base database.`, + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled ` + + `versions with cached overlay-base databases were found.`, + ); + return defaultCliVersion.enabledVersions[0]; +} + /** * Determines where the CodeQL CLI we want to use comes from. This can be from a local file, * the Actions toolcache, or a download. * * @param toolsInput The argument provided for the `tools` input, if any. * @param defaultCliVersion The default CLI version that's linked to the CodeQL Action. + * @param rawLanguages Raw set of languages. * @param apiDetails Information about the GitHub API. * @param variant The GitHub variant we are running on. * @param tarSupportsZstd Whether zstd is supported by `tar`. @@ -281,6 +359,7 @@ async function findOverridingToolsInCache( export async function getCodeQLSource( toolsInput: string | undefined, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, apiDetails: api.GitHubApiDetails, variant: util.GitHubVariant, tarSupportsZstd: boolean, 
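Review bot: `getEnabledVersionsWithOverlayBaseDatabases` is documented as returning a sorted set, but it only filters `defaultCliVersion.enabledVersions`, and `resolveDefaultCliVersion` then treats `overlayVersions[0]` as the highest version. That holds only while callers supply `enabledVersions` in descending order. Either state that precondition in the doc comment or sort explicitly after the filter with the `semver` module this file already imports, e.g. `.sort((a, b) => semver.rcompare(a.cliVersion, b.cliVersion))`. Because the Actions cache is mutable state that now influences which analyzer version scans a pull request, the doc comment should also say that the result is always a subset of the enabled versions, so cache contents can at most select an older release that is still enabled. Whether the lookup restricts which refs' caches count is decided in `getCodeQlVersionsForOverlayBaseDatabases`, which is not visible here.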
@@ -438,8 +517,14 @@ export async function getCodeQLSource( } } - cliVersion = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger, + ); + cliVersion = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== undefined) { // If a tools URL was provided, then use that. @@ -454,9 +539,14 @@ export async function getCodeQLSource( } } } else { - // Otherwise, use the default CLI version passed in. - cliVersion = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger, + ); + cliVersion = version.cliVersion; + tagName = version.tagName; } const bundleVersion = @@ -791,6 +881,7 @@ export async function setupCodeQLBundle( tempDir: string, variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, features: FeatureEnablement, logger: Logger, ): Promise { @@ -804,6 +895,7 @@ export async function setupCodeQLBundle( const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, diff --git a/src/upload-lib.ts b/src/upload-lib.ts index e4230b6f9..5db40f26d 100644 --- a/src/upload-lib.ts +++ b/src/upload-lib.ts @@ -165,6 +165,7 @@ async function combineSarifFilesUsingCLI( tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + undefined, // rawLanguages: upload-lib does not run analysis features, logger, ); From b967fdfbdcb34cdf41bdd304aec7e2c548eff473 Mon Sep 17 00:00:00 2001 
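Review bot: The two rewritten assignments in `getCodeQLSource` (the `@@ -438,8` and `@@ -454,9` hunks) repeat the same eight-line call, and the second removes `// Otherwise, use the default CLI version passed in.` without a replacement. I would keep a comment on the final `else`, for example `// Otherwise, use the default CLI version, preferring one with a cached overlay-base database on pull requests.` Each site could also shrink to a single destructuring assignment, `({ cliVersion, tagName } = await resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger));`. `getCodeQLSource` starts and ends outside these hunks, so the surrounding branches cannot be checked from here.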
From: Henry Mercer Date: Wed, 6 May 2026 18:30:24 +0100 Subject: [PATCH 04/40] Add dry run mode so we can dark ship --- lib/analyze-action-post.js | 5 ++ lib/analyze-action.js | 54 ++++++++++++-- lib/autobuild-action.js | 5 ++ lib/init-action-post.js | 54 ++++++++++++-- lib/init-action.js | 44 ++++++++++-- lib/resolve-environment-action.js | 5 ++ lib/setup-codeql-action.js | 54 ++++++++++++-- lib/start-proxy-action-post.js | 5 ++ lib/start-proxy-action.js | 5 ++ lib/upload-lib.js | 54 ++++++++++++-- lib/upload-sarif-action-post.js | 5 ++ lib/upload-sarif-action.js | 54 ++++++++++++-- src/feature-flags.ts | 11 +++ src/setup-codeql.test.ts | 113 ++++++++++++++++++++++-------- src/setup-codeql.ts | 64 ++++++++++++++--- 15 files changed, 466 insertions(+), 66 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 95609b3a2..45ab0ffb4 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -162824,6 +162824,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/analyze-action.js b/lib/analyze-action.js index f94d5a0dc..06d7e6c90 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js 
@@ -107934,6 +107934,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs6 = __toESM(require("fs")); @@ -108450,6 +108460,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -109820,7 +109835,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; 
@@ -109839,9 +109858,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { @@ -109859,9 +109906,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 4e1a75aac..a080b6928 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js 
@@ -104876,6 +104876,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 4ed2d691b..a406b54d1 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -165864,6 +165864,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs6 = __toESM(require("fs")); @@ -166384,6 +166394,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", 
@@ -167548,7 +167563,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; @@ -167567,9 +167586,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { 
@@ -167587,9 +167634,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/lib/init-action.js b/lib/init-action.js index c4310c848..60b2aa4bc 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -105993,6 +105993,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -108759,7 +108764,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; 
@@ -108778,9 +108787,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { @@ -108798,9 +108835,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 2d03ee808..0fe58bb3d 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js 
@@ -104867,6 +104867,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index fd4f84a37..59458a705 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -104781,6 +104781,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -105568,6 +105573,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/languages/builtin.json var builtin_default = { 
@@ -106191,7 +106206,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; @@ -106210,9 +106229,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { 
@@ -106230,9 +106277,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 60fa054a6..8767a0138 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -162144,6 +162144,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index bd1e56c2b..0d4c0e733 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -121515,6 +121515,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 0dfb131c1..cab779a62 100644 
--- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -107567,6 +107567,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs5 = __toESM(require("fs")); @@ -108079,6 +108089,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -108846,7 +108861,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; 
@@ -108865,9 +108884,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { @@ -108885,9 +108932,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 4824e4595..cb645d008 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js 
@@ -162314,6 +162314,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 520b5270c..fec1bf224 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -107746,6 +107746,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -108339,6 +108344,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs7 = __toESM(require("fs")); 
@@ -109523,7 +109538,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; @@ -109542,9 +109561,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { 
@@ -109562,9 +109609,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/src/feature-flags.ts b/src/feature-flags.ts index d6a6ba7bb..ae3d24267 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts @@ -97,6 +97,12 @@ export enum Feature { * database exists in the cache. */ OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version", + /** + * Like `OverlayAnalysisMatchCodeqlVersion`, but only logs a diagnostic with the version that + * would have been chosen instead of actually changing the default CodeQL CLI version. + * `OverlayAnalysisMatchCodeqlVersion` overrides this flag. + */ + OverlayAnalysisMatchCodeqlVersionDryRun = "overlay_analysis_match_codeql_version_dry_run", OverlayAnalysisPython = "overlay_analysis_python", /** * Controls whether lower disk space requirements are used for overlay hardware checks. @@ -307,6 +313,11 @@ export const featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: undefined, }, + [Feature.OverlayAnalysisMatchCodeqlVersionDryRun]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: undefined, + }, [Feature.OverlayAnalysisResourceChecksV2]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index 820e6acd4..39f2422bd 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts 
@@ -611,16 +611,20 @@ test.serial( }, ); -function makeOverlayMatchFeatures( - matchFlagEnabled: boolean, -): FeatureEnablement { +function makeOverlayMatchFeatures(opts: { + matchFlagEnabled?: boolean; + dryRunFlagEnabled?: boolean; +}): FeatureEnablement { return { getEnabledDefaultCliVersions: async () => { throw new Error("not implemented"); }, getValue: async (feature) => { if (feature === Feature.OverlayAnalysisMatchCodeqlVersion) { - return matchFlagEnabled; + return opts.matchFlagEnabled ?? false; + } + if (feature === Feature.OverlayAnalysisMatchCodeqlVersionDryRun) { + return opts.dryRunFlagEnabled ?? false; } return false; }, @@ -657,7 +661,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures(true), + makeOverlayMatchFeatures({ matchFlagEnabled: true }), getRunnerLogger(true), ); t.deepEqual(result, [ @@ -680,32 +684,13 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures(true), + makeOverlayMatchFeatures({ matchFlagEnabled: true }), getRunnerLogger(true), ); t.deepEqual(result, []); }, ); -test.serial( - "getEnabledVersionsWithOverlayBaseDatabases does not list caches when gate is off", - async (t) => { - const listStub = sinon.stub(api, "listActionsCaches").resolves([]); - - const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( - overlayMatchEnabledVersions, - ["javascript"], - makeOverlayMatchFeatures(false), - getRunnerLogger(true), - ); - t.deepEqual(result, []); - t.assert( - listStub.notCalled, - "Should not list Actions caches when the gating feature flag is off.", - ); - }, -); - test.serial( "getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is empty", async (t) => { 
@@ -714,7 +699,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, undefined, - makeOverlayMatchFeatures(true), + makeOverlayMatchFeatures({ matchFlagEnabled: true }), getRunnerLogger(true), ); t.deepEqual(result, []); @@ -734,7 +719,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures(true), + makeOverlayMatchFeatures({ matchFlagEnabled: true }), getRunnerLogger(true), ); t.deepEqual(result, []); @@ -754,7 +739,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures(true), + makeOverlayMatchFeatures({ matchFlagEnabled: true }), getRunnerLogger(true), ); t.deepEqual(result, [ 
@@ -762,3 +747,75 @@ test.serial( ]); }, ); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases does not list caches when both gates are off", + async (t) => { + const listStub = sinon.stub(api, "listActionsCaches").resolves([]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({}), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + t.assert( + listStub.notCalled, + "Should not list Actions caches when both gating feature flags are off.", + ); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases dry-run returns empty but lists caches", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + const listStub = sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({ dryRunFlagEnabled: true }), + getRunnerLogger(true), + ); + t.deepEqual( + result, + [], + "Dry-run should return an empty list so the caller falls back.", + ); + t.assert( + listStub.calledOnce, + "Dry-run should still list Actions caches to populate the diagnostic.", + ); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases match flag wins over dry-run", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({ + matchFlagEnabled: true, + dryRunFlagEnabled: true, + }), + getRunnerLogger(true), + ); + t.deepEqual(result, [ + { cliVersion: "2.20.1", tagName: 
"codeql-bundle-v2.20.1" }, + ]); + }, +); diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 6a0071eb1..108214735 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -14,7 +14,11 @@ import { } from "./actions-util"; import * as api from "./api-client"; import * as defaults from "./defaults.json"; -import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics"; +import { + addNoLanguageDiagnostic, + makeDiagnostic, + makeTelemetryDiagnostic, +} from "./diagnostics"; import { CODEQL_VERSION_ZSTD_BUNDLE, CodeQLDefaultVersionInfo, @@ -270,7 +274,13 @@ async function findOverridingToolsInCache( return undefined; } -/** Returns the sorted set of enabled versions that have cached overlay-base databases. */ +/** + * Returns the sorted set of enabled versions that have cached overlay-base databases for the + * given languages, or an empty list if neither the `OverlayAnalysisMatchCodeqlVersion` nor the + * `OverlayAnalysisMatchCodeqlVersionDryRun` feature flag is enabled. When only the dry-run flag + * is enabled, this performs the lookup and emits a telemetry diagnostic with the version that + * would have been chosen, but still returns an empty list so the caller falls back. + */ export async function getEnabledVersionsWithOverlayBaseDatabases( defaultCliVersion: CodeQLDefaultVersionInfo, rawLanguages: string[] | undefined, @@ -280,7 +290,13 @@ export async function getEnabledVersionsWithOverlayBaseDatabases( if (rawLanguages === undefined || rawLanguages.length === 0) { return []; } - if (!(await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersion))) { + const isEnabled = await features.getValue( + Feature.OverlayAnalysisMatchCodeqlVersion, + ); + const isDryRun = + !isEnabled && + (await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersionDryRun)); + if (!isEnabled && !isDryRun) { return []; } 
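Review bot: The dry-run test added in src/setup-codeql.test.ts asserts only that the result is empty and that `listActionsCaches` was called once, so it would still pass if the telemetry diagnostic were never emitted or carried `isDryRun: false`. The diagnostic is the only observable output of dry-run mode, so the test should also capture the diagnostic call (if the test setup allows spying on the diagnostics module) and assert that its attributes contain `isDryRun: true` and `overlayAwareVersion: "2.20.1"`. Whether the diagnostic branch is reached at all depends on the first entry of `overlayMatchEnabledVersions`, which is defined outside this hunk. The "match flag wins over dry-run" test could assert `isDryRun: false` in the same way.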
@@ -296,14 +312,50 @@ export async function getEnabledVersionsWithOverlayBaseDatabases( ); return []; } + if (cachedVersions === undefined || cachedVersions.length === 0) { return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter((v) => + const overlayVersions = defaultCliVersion.enabledVersions.filter((v) => cachedVersionsSet.has(v.cliVersion), ); + + if (overlayVersions.length === 0) { + return []; + } + + const isCachedVersionDifferent = + overlayVersions[0].cliVersion !== + defaultCliVersion.enabledVersions[0].cliVersion; + + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + undefined, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion, + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion, + }, + ), + ); + } + + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`, + ); + return []; + } + + return overlayVersions; } /** @@ -334,10 +386,6 @@ async function resolveDefaultCliVersion( ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled ` + - `versions with cached overlay-base databases were found.`, - ); return defaultCliVersion.enabledVersions[0]; } From 2c9cd778370535d5d5cb8eb04a4ba7d34890717a Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 6 May 2026 18:45:24 +0100 Subject: [PATCH 05/40] Tests: Run slow `scanArtifactsForTokens` test in CI only by default --- src/artifact-scanner.test.ts | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/artifact-scanner.test.ts b/src/artifact-scanner.test.ts index d2ecd18e2..6f68e647d 100644 --- a/src/artifact-scanner.test.ts 
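Review bot: The `cachedVersions` attribute of the telemetry diagnostic in src/setup-codeql.ts is the unfiltered list derived from the repository's Actions cache listing, so it may contain duplicates and values that are not in `enabledVersions`, and its size grows with the number of caches. The selection itself is constrained, because only entries of `defaultCliVersion.enabledVersions` can be returned, but the reported list should get similar treatment, for example `cachedVersions: [...cachedVersionsSet].slice(0, MAX_REPORTED_VERSIONS)`, where `MAX_REPORTED_VERSIONS` is a placeholder constant. How `cachedVersions` is parsed from the cache keys is outside this hunk, so confirm whether it is already deduplicated and validated as a version string there. Separately, a dry run whose cached version equals the default emits no diagnostic, so telemetry cannot tell "dry run agreed with the default" from "dry run did not run".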
+++ b/src/artifact-scanner.test.ts @@ -141,7 +141,12 @@ test("scanArtifactsForTokens handles files without tokens", async (t) => { } }); -if (os.platform() !== "win32") { +// This test is slow (extracts and scans a zip artifact), so by default we only run it in CI. Set +// RUN_SLOW_TESTS=1 to run it locally. +if ( + os.platform() !== "win32" && + (process.env.CI === "true" || process.env.RUN_SLOW_TESTS === "1") +) { test("scanArtifactsForTokens finds token in debug artifacts", async (t) => { t.timeout(15000); // 15 seconds const messages: LoggedMessage[] = []; From d1e9792bc8c60efe49036cad07d04ac6597e88fa Mon Sep 17 00:00:00 2001 
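Review bot: With this guard the token-detection test is dropped silently whenever neither `CI` nor `RUN_SLOW_TESTS` is set, so a local run reports success without having exercised the scan of zipped debug artifacts for tokens. Registering it as skipped keeps it visible in the test report: `const slowTest = runSlowTests ? test : test.skip;` followed by `slowTest("scanArtifactsForTokens finds token in debug artifacts", ...)`, with `runSlowTests` holding the condition now in the `if`. It is also worth confirming that every CI job running this suite has `CI=true` in its environment, since otherwise this check runs nowhere. The test body continues outside the hunk.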
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 May 2026 17:59:44 +0000 Subject: [PATCH 06/40] Bump the npm-minor group across 1 directory with 4 updates Bumps the npm-minor group with 4 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint](https://github.com/eslint/eslint), [typescript](https://github.com/microsoft/TypeScript) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `@types/node` from 20.19.9 to 20.19.39 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint` from 9.39.2 to 9.39.4 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v9.39.2...v9.39.4) Updates `typescript` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](https://github.com/microsoft/TypeScript/compare/v6.0.2...v6.0.3) Updates `typescript-eslint` from 8.58.2 to 8.59.1 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 20.19.39 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: eslint dependency-version: 9.39.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript dependency-version: 6.0.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: 
npm-minor - dependency-name: typescript-eslint dependency-version: 8.59.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] --- package-lock.json | 188 +++++++++++++++++++++-------------------- package.json | 8 +- pr-checks/package.json | 2 +- 3 files changed, 100 insertions(+), 98 deletions(-) diff --git a/package-lock.json b/package-lock.json index 06055b9be..15d8ea112 100644 --- a/package-lock.json +++ b/package-lock.json @@ -43,14 +43,14 @@ "@types/archiver": "^7.0.0", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^20.19.9", + "@types/node": "^20.19.39", "@types/node-forge": "^1.3.14", "@types/sarif": "^2.1.7", "@types/semver": "^7.7.1", "@types/sinon": "^21.0.1", "ava": "^7.0.0", "esbuild": "^0.28.0", - "eslint": "^9.39.2", + "eslint": "^9.39.4", "eslint-import-resolver-typescript": "^4.4.4", "eslint-plugin-github": "^6.0.0", "eslint-plugin-import-x": "^4.16.2", @@ -60,8 +60,8 @@ "globals": "^17.5.0", "nock": "^14.0.12", "sinon": "^21.1.2", - "typescript": "^6.0.2", - "typescript-eslint": "^8.58.2" + "typescript": "^6.0.3", + "typescript-eslint": "^8.59.1" } }, "node_modules/@aashutoshrathi/word-wrap": { @@ -1337,15 +1337,15 @@ } }, "node_modules/@eslint/config-array": { - "version": "0.21.1", - "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.1.tgz", - "integrity": "sha512-aw1gNayWpdI/jSYVgzN5pL0cfzU02GT3NBpeT/DXbx1/1x7ZKxFPd9bwrzygx/qiwIQiJ1sw/zD8qY/kRvlGHA==", + "version": "0.21.2", + "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.2.tgz", + "integrity": "sha512-nJl2KGTlrf9GjLimgIru+V/mzgSK0ABCDQRvxw5BjURL7WfH5uoWmizbH7QB6MmnMBd8cIC9uceWnezL1VZWWw==", "dev": true, "license": "Apache-2.0", "dependencies": { "@eslint/object-schema": "^2.1.7", "debug": "^4.3.1", - "minimatch": "^3.1.2" + "minimatch": "^3.1.5" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" 
@@ -1391,20 +1391,20 @@ } }, "node_modules/@eslint/eslintrc": { - "version": "3.3.3", - "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.3.tgz", - "integrity": "sha512-Kr+LPIUVKz2qkx1HAMH8q1q6azbqBAsXJUxBl/ODDuVPX45Z9DfwB8tPjTi6nNZ8BuM3nbJxC5zCAg5elnBUTQ==", + "version": "3.3.5", + "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.5.tgz", + "integrity": "sha512-4IlJx0X0qftVsN5E+/vGujTRIFtwuLbNsVUe7TO6zYPDR1O6nFwvwhIKEKSrl6dZchmYBITazxKoUYOjdtjlRg==", "dev": true, "license": "MIT", "dependencies": { - "ajv": "^6.12.4", + "ajv": "^6.14.0", "debug": "^4.3.2", "espree": "^10.0.1", "globals": "^14.0.0", "ignore": "^5.2.0", "import-fresh": "^3.2.1", "js-yaml": "^4.1.1", - "minimatch": "^3.1.2", + "minimatch": "^3.1.5", "strip-json-comments": "^3.1.1" }, "engines": { @@ -1427,9 +1427,9 @@ } }, "node_modules/@eslint/js": { - "version": "9.39.2", - "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.2.tgz", - "integrity": "sha512-q1mjIoW1VX4IvSocvM/vbTiveKC4k9eLrajNEuSsmjymSDEbpGddtpfOoN7YGAqBK3NG+uqo8ia4PDTt8buCYA==", + "version": "9.39.4", + "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.39.4.tgz", + "integrity": "sha512-nE7DEIchvtiFTwBw4Lfbu59PG+kCofhjsKaCWzxTpt4lfRjRMqG6uMBzKXuEcyXhOHoUp9riAm7/aWYGhXZ9cw==", "dev": true, "license": "MIT", "engines": { @@ -2469,9 +2469,9 @@ "license": "MIT" }, "node_modules/@types/node": { - "version": "20.19.9", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.9.tgz", - "integrity": "sha512-cuVNgarYWZqxRJDQHEB58GEONhOK79QVR/qYx4S7kcUObQvUwvFnYxJuuHUKm2aieN9X3yZB4LZsuYNU1Qphsw==", + "version": "20.19.39", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.39.tgz", + "integrity": "sha512-orrrD74MBUyK8jOAD/r0+lfa1I2MO6I+vAkmAWzMYbCcgrN4lCrmK52gRFQq/JRxfYPfonkr4b0jcY7Olqdqbw==", "dev": true, "license": "MIT", "dependencies": { 
@@ -2528,17 +2528,17 @@ "license": "MIT" }, "node_modules/@typescript-eslint/eslint-plugin": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.58.2.tgz", - "integrity": "sha512-aC2qc5thQahutKjP+cl8cgN9DWe3ZUqVko30CMSZHnFEHyhOYoZSzkGtAI2mcwZ38xeImDucI4dnqsHiOYuuCw==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.1.tgz", + "integrity": "sha512-BOziFIfE+6osHO9FoJG4zjoHUcvI7fTNBSpdAwrNH0/TLvzjsk2oo8XSSOT2HhqUyhZPfHv4UOffoJ9oEEQ7Ag==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/regexpp": "^4.12.2", - "@typescript-eslint/scope-manager": "8.58.2", - "@typescript-eslint/type-utils": "8.58.2", - "@typescript-eslint/utils": "8.58.2", - "@typescript-eslint/visitor-keys": "8.58.2", + "@typescript-eslint/scope-manager": "8.59.1", + "@typescript-eslint/type-utils": "8.59.1", + "@typescript-eslint/utils": "8.59.1", + "@typescript-eslint/visitor-keys": "8.59.1", "ignore": "^7.0.5", "natural-compare": "^1.4.0", "ts-api-utils": "^2.5.0" @@ -2551,7 +2551,7 @@ "url": "https://opencollective.com/typescript-eslint" }, "peerDependencies": { - "@typescript-eslint/parser": "^8.58.2", + "@typescript-eslint/parser": "^8.59.1", "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0", "typescript": ">=4.8.4 <6.1.0" } 
@@ -2567,16 +2567,16 @@ } }, "node_modules/@typescript-eslint/parser": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.58.2.tgz", - "integrity": "sha512-/Zb/xaIDfxeJnvishjGdcR4jmr7S+bda8PKNhRGdljDM+elXhlvN0FyPSsMnLmJUrVG9aPO6dof80wjMawsASg==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.1.tgz", + "integrity": "sha512-HDQH9O/47Dxi1ceDhBXdaldtf/WV9yRYMjbjCuNk3qnaTD564qwv61Y7+gTxwxRKzSrgO5uhtw584igXVuuZkA==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/scope-manager": "8.58.2", - "@typescript-eslint/types": "8.58.2", - "@typescript-eslint/typescript-estree": "8.58.2", - "@typescript-eslint/visitor-keys": "8.58.2", + "@typescript-eslint/scope-manager": "8.59.1", + "@typescript-eslint/types": "8.59.1", + "@typescript-eslint/typescript-estree": "8.59.1", + "@typescript-eslint/visitor-keys": "8.59.1", "debug": "^4.4.3" }, "engines": { @@ -2610,14 +2610,14 @@ } }, "node_modules/@typescript-eslint/project-service": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.58.2.tgz", - "integrity": "sha512-Cq6UfpZZk15+r87BkIh5rDpi38W4b+Sjnb8wQCPPDDweS/LRCFjCyViEbzHk5Ck3f2QDfgmlxqSa7S7clDtlfg==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.1.tgz", + "integrity": "sha512-+MuHQlHiEr00Of/IQbE/MmEoi44znZHbR/Pz7Opq4HryUOlRi+/44dro9Ycy8Fyo+/024IWtw8m4JUMCGTYxDg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/tsconfig-utils": "^8.58.2", - "@typescript-eslint/types": "^8.58.2", + "@typescript-eslint/tsconfig-utils": "^8.59.1", + "@typescript-eslint/types": "^8.59.1", "debug": "^4.4.3" }, "engines": { 
@@ -2650,14 +2650,14 @@ } }, "node_modules/@typescript-eslint/scope-manager": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.58.2.tgz", - "integrity": "sha512-SgmyvDPexWETQek+qzZnrG6844IaO02UVyOLhI4wpo82dpZJY9+6YZCKAMFzXb7qhx37mFK1QcPQ18tud+vo6Q==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.1.tgz", + "integrity": "sha512-LwuHQI4pDOYVKvmH2dkaJo6YZCSgouVgnS/z7yBPKBMvgtBvyLqiLy9Z6b7+m/TRcX1NFYUqZetI5Y+aT4GEfg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.58.2", - "@typescript-eslint/visitor-keys": "8.58.2" + "@typescript-eslint/types": "8.59.1", + "@typescript-eslint/visitor-keys": "8.59.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -2668,9 +2668,9 @@ } }, "node_modules/@typescript-eslint/tsconfig-utils": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.58.2.tgz", - "integrity": "sha512-3SR+RukipDvkkKp/d0jP0dyzuls3DbGmwDpVEc5wqk5f38KFThakqAAO0XMirWAE+kT00oTauTbzMFGPoAzB0A==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.1.tgz", + "integrity": "sha512-/0nEyPbX7gRsk0Uwfe4ALwwgxuA66d/l2mhRDNlAvaj4U3juhUtJNq0DsY8M2AYwwb9rEq2hrC3IcIcEt++iJA==", "dev": true, "license": "MIT", "engines": { 
@@ -2685,15 +2685,15 @@ } }, "node_modules/@typescript-eslint/type-utils": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.58.2.tgz", - "integrity": "sha512-Z7EloNR/B389FvabdGeTo2XMs4W9TjtPiO9DAsmT0yom0bwlPyRjkJ1uCdW1DvrrrYP50AJZ9Xc3sByZA9+dcg==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.1.tgz", + "integrity": "sha512-klWPBR2ciQHS3f++ug/mVnWKPjBUo7icEL3FAO1lhAR1Z1i5NQYZ1EannMSRYcq5qCv5wNALlXr6fksRHyYl7w==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.58.2", - "@typescript-eslint/typescript-estree": "8.58.2", - "@typescript-eslint/utils": "8.58.2", + "@typescript-eslint/types": "8.59.1", + "@typescript-eslint/typescript-estree": "8.59.1", + "@typescript-eslint/utils": "8.59.1", "debug": "^4.4.3", "ts-api-utils": "^2.5.0" }, @@ -2728,9 +2728,9 @@ } }, "node_modules/@typescript-eslint/types": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.58.2.tgz", - "integrity": "sha512-9TukXyATBQf/Jq9AMQXfvurk+G5R2MwfqQGDR2GzGz28HvY/lXNKGhkY+6IOubwcquikWk5cjlgPvD2uAA7htQ==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.1.tgz", + "integrity": "sha512-ZDCjgccSdYPw5Bxh+my4Z0lJU96ZDN7jbBzvmEn0FZx3RtU1C7VWl6NbDx94bwY3V5YsgwRzJPOgeY2Q/nLG8A==", "dev": true, "license": "MIT", "engines": { 
@@ -2742,16 +2742,16 @@ } }, "node_modules/@typescript-eslint/typescript-estree": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.58.2.tgz", - "integrity": "sha512-ELGuoofuhhoCvNbQjFFiobFcGgcDCEm0ThWdmO4Z0UzLqPXS3KFvnEZ+SHewwOYHjM09tkzOWXNTv9u6Gqtyuw==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.1.tgz", + "integrity": "sha512-OUd+vJS05sSkOip+BkZ/2NS8RMxrAAJemsC6vU3kmfLyeaJT0TftHkV9mcx2107MmsBVXXexhVu4F0TZXyMl4g==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/project-service": "8.58.2", - "@typescript-eslint/tsconfig-utils": "8.58.2", - "@typescript-eslint/types": "8.58.2", - "@typescript-eslint/visitor-keys": "8.58.2", + "@typescript-eslint/project-service": "8.59.1", + "@typescript-eslint/tsconfig-utils": "8.59.1", + "@typescript-eslint/types": "8.59.1", + "@typescript-eslint/visitor-keys": "8.59.1", "debug": "^4.4.3", "minimatch": "^10.2.2", "semver": "^7.7.3", 
@@ -2827,16 +2827,16 @@ } }, "node_modules/@typescript-eslint/utils": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.58.2.tgz", - "integrity": "sha512-QZfjHNEzPY8+l0+fIXMvuQ2sJlplB4zgDZvA+NmvZsZv3EQwOcc1DuIU1VJUTWZ/RKouBMhDyNaBMx4sWvrzRA==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.1.tgz", + "integrity": "sha512-3pIeoXhCeYH9FSCBI8P3iNwJlGuzPlYKkTlen2O9T1DSeeg8UG8jstq6BLk+Mda0qup7mgk4z4XL4OzRaxZ8LA==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.9.1", - "@typescript-eslint/scope-manager": "8.58.2", - "@typescript-eslint/types": "8.58.2", - "@typescript-eslint/typescript-estree": "8.58.2" + "@typescript-eslint/scope-manager": "8.59.1", + "@typescript-eslint/types": "8.59.1", + "@typescript-eslint/typescript-estree": "8.59.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -2851,13 +2851,13 @@ } }, "node_modules/@typescript-eslint/visitor-keys": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.58.2.tgz", - "integrity": "sha512-f1WO2Lx8a9t8DARmcWAUPJbu0G20bJlj8L4z72K00TMeJAoyLr/tHhI/pzYBLrR4dXWkcxO1cWYZEOX8DKHTqA==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.1.tgz", + "integrity": "sha512-LdDNl6C5iJExcM0Yh0PwAIBb9PrSiCsWamF/JyEZawm3kFDnRoaq3LGE4bpyRao/fWeGKKyw7icx0YxrLFC5Cg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.58.2", + "@typescript-eslint/types": "8.59.1", "eslint-visitor-keys": "^5.0.0" }, "engines": { 
@@ -3271,7 +3271,9 @@ } }, "node_modules/ajv": { - "version": "6.12.6", + "version": "6.15.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz", + "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==", "dev": true, "license": "MIT", "dependencies": { @@ -4725,25 +4727,25 @@ } }, "node_modules/eslint": { - "version": "9.39.2", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.2.tgz", - "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==", + "version": "9.39.4", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.39.4.tgz", + "integrity": "sha512-XoMjdBOwe/esVgEvLmNsD3IRHkm7fbKIUGvrleloJXUZgDHig2IPWNniv+GwjyJXzuNqVjlr5+4yVUZjycJwfQ==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/regexpp": "^4.12.1", - "@eslint/config-array": "^0.21.1", + "@eslint/config-array": "^0.21.2", "@eslint/config-helpers": "^0.4.2", "@eslint/core": "^0.17.0", - "@eslint/eslintrc": "^3.3.1", - "@eslint/js": "9.39.2", + "@eslint/eslintrc": "^3.3.5", + "@eslint/js": "9.39.4", "@eslint/plugin-kit": "^0.4.1", "@humanfs/node": "^0.16.6", "@humanwhocodes/module-importer": "^1.0.1", "@humanwhocodes/retry": "^0.4.2", "@types/estree": "^1.0.6", - "ajv": "^6.12.4", + "ajv": "^6.14.0", "chalk": "^4.0.0", "cross-spawn": "^7.0.6", "debug": "^4.3.2", @@ -4762,7 +4764,7 @@ "is-glob": "^4.0.0", "json-stable-stringify-without-jsonify": "^1.0.1", "lodash.merge": "^4.6.2", - "minimatch": "^3.1.2", + "minimatch": "^3.1.5", "natural-compare": "^1.4.0", "optionator": "^0.9.3" }, 
@@ -9771,9 +9773,9 @@ } }, "node_modules/typescript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz", - "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==", + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz", + "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==", "dev": true, "license": "Apache-2.0", "bin": { @@ -9785,16 +9787,16 @@ } }, "node_modules/typescript-eslint": { - "version": "8.58.2", - "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.58.2.tgz", - "integrity": "sha512-V8iSng9mRbdZjl54VJ9NKr6ZB+dW0J3TzRXRGcSbLIej9jV86ZRtlYeTKDR/QLxXykocJ5icNzbsl2+5TzIvcQ==", + "version": "8.59.1", + "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.1.tgz", + "integrity": "sha512-xqDcFVBmlrltH64lklOVp1wYxgJr6LVdg3NamBgH2OOQDLFdTKfIZXF5PfghrnXQKXZGTQs8tr1vL7fJvq8CTQ==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/eslint-plugin": "8.58.2", - "@typescript-eslint/parser": "8.58.2", - "@typescript-eslint/typescript-estree": "8.58.2", - "@typescript-eslint/utils": "8.58.2" + "@typescript-eslint/eslint-plugin": "8.59.1", + "@typescript-eslint/parser": "8.59.1", + "@typescript-eslint/typescript-estree": "8.59.1", + "@typescript-eslint/utils": "8.59.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -10388,7 +10390,7 @@ "yaml": "^2.8.3" }, "devDependencies": { - "@types/node": "^20.19.9", + "@types/node": "^20.19.39", "tsx": "^4.21.0" } } diff --git a/package.json b/package.json index d32144614..171833b55 100644 --- a/package.json +++ b/package.json 
@@ -50,14 +50,14 @@ "@types/archiver": "^7.0.0", "@types/follow-redirects": "^1.14.4", "@types/js-yaml": "^4.0.9", - "@types/node": "^20.19.9", + "@types/node": "^20.19.39", "@types/node-forge": "^1.3.14", "@types/sarif": "^2.1.7", "@types/semver": "^7.7.1", "@types/sinon": "^21.0.1", "ava": "^7.0.0", "esbuild": "^0.28.0", - "eslint": "^9.39.2", + "eslint": "^9.39.4", "eslint-import-resolver-typescript": "^4.4.4", "eslint-plugin-github": "^6.0.0", "eslint-plugin-import-x": "^4.16.2", @@ -67,8 +67,8 @@ "globals": "^17.5.0", "nock": "^14.0.12", "sinon": "^21.1.2", - "typescript": "^6.0.2", - "typescript-eslint": "^8.58.2" + "typescript": "^6.0.3", + "typescript-eslint": "^8.59.1" }, "overrides": { "@actions/tool-cache": { diff --git a/pr-checks/package.json b/pr-checks/package.json index f5d574689..0189318ed 100644 --- a/pr-checks/package.json +++ b/pr-checks/package.json @@ -10,7 +10,7 @@ "yaml": "^2.8.3" }, "devDependencies": { - "@types/node": "^20.19.9", + "@types/node": "^20.19.39", "tsx": "^4.21.0" } } From 1848b73afaca43060a19cef9ded4a6c751c536ad Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 6 May 2026 18:01:54 +0000 Subject: [PATCH 07/40] Rebuild --- src/config-utils.test.ts | 20 ++++++++++---------- src/debug-artifacts.ts | 2 +- src/feature-flags.ts | 2 +- src/init-action-post-helper.test.ts | 2 +- src/upload-sarif.test.ts | 2 +- src/workflow.test.ts | 2 +- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/config-utils.test.ts b/src/config-utils.test.ts index 25aa41433..bc386f172 100644 --- a/src/config-utils.test.ts +++ b/src/config-utils.test.ts @@ -1214,7 +1214,7 @@ test.serial( features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript], codeScanningConfig: { packs: ["some-custom-pack@1.0.0"], - } as UserConfig, + }, isDefaultBranch: true, }, { 
@@ -1464,7 +1464,7 @@ test.serial( ], codeScanningConfig: { "disable-default-queries": true, - } as UserConfig, + }, isDefaultBranch: true, }, { @@ -1483,7 +1483,7 @@ test.serial( ], codeScanningConfig: { packs: ["some-custom-pack@1.0.0"], - } as UserConfig, + }, isDefaultBranch: true, }, { @@ -1502,7 +1502,7 @@ test.serial( ], codeScanningConfig: { queries: [{ uses: "some-query.ql" }], - } as UserConfig, + }, isDefaultBranch: true, }, { @@ -1521,7 +1521,7 @@ test.serial( ], codeScanningConfig: { "query-filters": [{ include: { "security-severity": "high" } }], - } as UserConfig, + }, isDefaultBranch: true, }, { @@ -1590,7 +1590,7 @@ test.serial( features: [Feature.OverlayAnalysis, Feature.OverlayAnalysisJavascript], codeScanningConfig: { packs: ["some-custom-pack@1.0.0"], - } as UserConfig, + }, isPullRequest: true, }, { @@ -1741,7 +1741,7 @@ test.serial( ], codeScanningConfig: { "disable-default-queries": true, - } as UserConfig, + }, isPullRequest: true, }, { @@ -1760,7 +1760,7 @@ test.serial( ], codeScanningConfig: { packs: ["some-custom-pack@1.0.0"], - } as UserConfig, + }, isPullRequest: true, }, { @@ -1779,7 +1779,7 @@ test.serial( ], codeScanningConfig: { queries: [{ uses: "some-query.ql" }], - } as UserConfig, + }, isPullRequest: true, }, { @@ -1798,7 +1798,7 @@ test.serial( ], codeScanningConfig: { "query-filters": [{ include: { "security-severity": "high" } }], - } as UserConfig, + }, isPullRequest: true, }, { diff --git a/src/debug-artifacts.ts b/src/debug-artifacts.ts index ec6940500..016fcdf7c 100644 --- a/src/debug-artifacts.ts +++ b/src/debug-artifacts.ts 
@@ -263,7 +263,7 @@ export function getArtifactSuffix(matrix: string | undefined): string { try { const matrixObject = JSON.parse(matrix); if (json.isObject(matrixObject)) { - for (const matrixKey of Object.keys(matrixObject as object).sort()) + for (const matrixKey of Object.keys(matrixObject).sort()) suffix += `-${matrixObject[matrixKey]}`; } else { core.warning("User-specified `matrix` input is not an object."); diff --git a/src/feature-flags.ts b/src/feature-flags.ts index 80adce550..d28800e9b 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts @@ -386,7 +386,7 @@ class OfflineFeatures implements FeatureEnablement { getFeatureConfig(feature: Feature): FeatureConfig { // Narrow the type to FeatureConfig to avoid type errors. To avoid unsafe use of `as`, we // check that the required properties exist using `satisfies`. - return featureConfig[feature] satisfies FeatureConfig as FeatureConfig; + return featureConfig[feature] satisfies FeatureConfig; } /** diff --git a/src/init-action-post-helper.test.ts b/src/init-action-post-helper.test.ts index 8c687b4e9..22efad98c 100644 --- a/src/init-action-post-helper.test.ts +++ b/src/init-action-post-helper.test.ts @@ -601,7 +601,7 @@ async function testFailedSarifUpload( uploadFiles.resolves({ sarifID: "42", statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 }, - } as uploadLib.UploadResult); + }); const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing"); const features = [] as Feature[]; diff --git a/src/upload-sarif.test.ts b/src/upload-sarif.test.ts index fcd5c3108..bf5d28530 100644 --- a/src/upload-sarif.test.ts +++ b/src/upload-sarif.test.ts 
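Review bot: In `getArtifactSuffix`, each value of the user-supplied `matrix` JSON is interpolated through default string conversion (`matrixObject[matrixKey]` inside the template literal). An object-valued entry would therefore contribute `[object Object]`, and two matrix jobs that differ only in that entry would get the same suffix. With the `as object` cast gone, the loop also relies entirely on `json.isObject` narrowing the parsed value, which is declared outside this hunk. I would put braces around the `for` body and add a comment above it such as `// Values are stringified as-is; nested objects and arrays are not expanded.` Whether the suffix is sanitised before it becomes an artifact name cannot be seen here, since the function starts and ends outside the hunk.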
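Review bot: The comment above the return in `OfflineFeatures.getFeatureConfig` still explains an `as` narrowing ("Narrow the type to FeatureConfig ... To avoid unsafe use of `as`"), but after this change the statement contains only `satisfies`. The remaining expression is a compile-time check and no longer casts anything, so the comment now describes code that is not there. I would replace it with `// Check via satisfies that the entry has every property FeatureConfig requires.` so the next reader does not go looking for the cast.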
@@ -67,7 +67,7 @@ const postProcessAndUploadSarifMacro = test.macro({ const analysisConfig = getAnalysisConfig(analysisKind); uploadPostProcessedFiles .withArgs(logger, sinon.match.any, analysisConfig, sinon.match.any) - .resolves(expectedResult[analysisKind as AnalysisKind]?.uploadResult); + .resolves(expectedResult[analysisKind]?.uploadResult); } const fullSarifPaths = sarifFiles.map(toFullPath); diff --git a/src/workflow.test.ts b/src/workflow.test.ts index 67f969040..bc5075dd0 100644 --- a/src/workflow.test.ts +++ b/src/workflow.test.ts @@ -422,7 +422,7 @@ async function testLanguageAliases( ], }, }, - } as Workflow, + }, codeql, ); From 1b5632783cc2c3a7cbe006c984f5584851ab9484 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 6 May 2026 18:32:28 +0100 Subject: [PATCH 08/40] Add changelog note --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b0d604e3..9c32d5ee7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- Added an experimental change which, when analyzing a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis when the latest version does not yet have a cached overlay-base database. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880) ## 4.35.3 - 01 May 2026 From 01bc9be56a239c5044ac4528461d0d2387904c14 Mon Sep 17 00:00:00 2001 
From: Henry Mercer Date: Thu, 7 May 2026 11:00:54 +0100 Subject: [PATCH 09/40] Filter to code scanning only --- CHANGELOG.md | 2 +- lib/analyze-action.js | 19 ++++++--- lib/init-action-post.js | 19 ++++++--- lib/init-action.js | 31 +++++++++----- lib/setup-codeql-action.js | 19 ++++++--- lib/upload-lib.js | 19 ++++++--- lib/upload-sarif-action.js | 19 ++++++--- src/codeql.test.ts | 10 +++++ src/codeql.ts | 3 ++ src/init-action.ts | 4 ++ src/init.ts | 2 + src/setup-codeql-action.ts | 1 + src/setup-codeql.test.ts | 85 ++++++++++++++++++++++++++++++++++++++ src/setup-codeql.ts | 13 ++++-- src/upload-lib.ts | 1 + 15 files changed, 202 insertions(+), 45 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c32d5ee7..39bfb13a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -- Added an experimental change which, when analyzing a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis when the latest version does not yet have a cached overlay-base database. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880) +- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis when the latest version does not yet have a cached overlay-base database. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880) ## 4.35.3 - 01 May 2026 diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 6d2b9f7a5..68ca02cf6 100644 --- a/lib/analyze-action.js 
+++ b/lib/analyze-action.js @@ -91711,8 +91711,8 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw } return overlayVersions; } -async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { - if (!isAnalyzingPullRequest()) { +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { + if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) { return defaultCliVersion.enabledVersions[0]; } const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( @@ -91729,7 +91729,7 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature } return defaultCliVersion.enabledVersions[0]; } -async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -91826,6 +91826,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -91845,6 +91846,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); 
@@ -92046,7 +92048,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -92057,6 +92059,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau toolsInput, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, apiDetails, variant, zstdAvailability.available, @@ -92217,7 +92220,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger, checkVersion) { try { const { codeqlFolder, @@ -92232,6 +92235,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); 
@@ -94927,7 +94931,7 @@ var core14 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io6 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -94942,6 +94946,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, true @@ -95100,6 +95105,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo codeQLDefaultVersionInfo, void 0, // rawLanguages: upload-lib does not run analysis + false, + // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis features, logger ); diff --git a/lib/init-action-post.js b/lib/init-action-post.js index ed46f610b..16d0bc507 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -132682,8 +132682,8 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw } return overlayVersions; } -async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { - if (!isAnalyzingPullRequest()) { +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { + if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) { return defaultCliVersion.enabledVersions[0]; } const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( 
@@ -132700,7 +132700,7 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature } return defaultCliVersion.enabledVersions[0]; } -async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -132797,6 +132797,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -132816,6 +132817,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -133017,7 +133019,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -133028,6 +133030,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau toolsInput, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, apiDetails, variant, zstdAvailability.available, 
@@ -133155,7 +133158,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger, checkVersion) { try { const { codeqlFolder, @@ -133170,6 +133173,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -135426,7 +135430,7 @@ var core14 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io6 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -135441,6 +135445,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, true @@ -135599,6 +135604,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo codeQLDefaultVersionInfo, void 0, // rawLanguages: upload-lib does not run analysis + false, + // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis features, logger ); diff --git a/lib/init-action.js b/lib/init-action.js index 8424fffe0..7753d29fd 100644 --- a/lib/init-action.js +++ b/lib/init-action.js 
@@ -86358,11 +86358,11 @@ function isAnalyzingPullRequest() { } // src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind3) => { - AnalysisKind3["CodeScanning"] = "code-scanning"; - AnalysisKind3["CodeQuality"] = "code-quality"; - AnalysisKind3["RiskAssessment"] = "risk-assessment"; - return AnalysisKind3; +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; })(AnalysisKind || {}); var compatibilityMatrix = { ["code-scanning" /* CodeScanning */]: /* @__PURE__ */ new Set(["code-quality" /* CodeQuality */]), @@ -90640,8 +90640,8 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw } return overlayVersions; } -async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { - if (!isAnalyzingPullRequest()) { +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { + if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) { return defaultCliVersion.enabledVersions[0]; } const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( @@ -90658,7 +90658,7 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature } return defaultCliVersion.enabledVersions[0]; } -async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); 
@@ -90755,6 +90755,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -90774,6 +90775,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -90975,7 +90977,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -90986,6 +90988,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau toolsInput, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, apiDetails, variant, zstdAvailability.available, @@ -91135,7 +91138,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger, checkVersion) { try { const { codeqlFolder, 
@@ -91150,6 +91153,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -91739,7 +91743,7 @@ async function getJobRunUuidSarifOptions(codeql) { } // src/init.ts -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -91754,6 +91758,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, true @@ -92539,6 +92544,9 @@ async function run(startedAt) { const rawLanguages = getRawLanguagesNoAutodetect( getOptionalInput("languages") ); + const useOverlayAwareDefaultCliVersion = !!analysisKinds?.includes( + "code-scanning" /* CodeScanning */ + ); const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, @@ -92546,6 +92554,7 @@ async function run(startedAt) { gitHubVersion.type, codeQLDefaultVersionInfo, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index f63f90a7e..64ad2f567 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js 
@@ -88082,8 +88082,8 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw } return overlayVersions; } -async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { - if (!isAnalyzingPullRequest()) { +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { + if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) { return defaultCliVersion.enabledVersions[0]; } const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( @@ -88100,7 +88100,7 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature } return defaultCliVersion.enabledVersions[0]; } -async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -88197,6 +88197,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -88216,6 +88217,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); 
@@ -88417,7 +88419,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -88428,6 +88430,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau toolsInput, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, apiDetails, variant, zstdAvailability.available, @@ -88555,7 +88558,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger, checkVersion) { try { const { codeqlFolder, @@ -88570,6 +88573,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -89159,7 +89163,7 @@ async function getJobRunUuidSarifOptions(codeql) { } // src/init.ts -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, 
@@ -89174,6 +89178,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, true @@ -89476,6 +89481,8 @@ async function run(startedAt) { codeQLDefaultVersionInfo, void 0, // rawLanguages: currently, setup-codeql is not language aware + false, + // useOverlayAwareDefaultCliVersion: setup-codeql is not language aware features, logger ); diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 5b9dd54b7..73465a343 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -90737,8 +90737,8 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw } return overlayVersions; } -async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { - if (!isAnalyzingPullRequest()) { +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { + if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) { return defaultCliVersion.enabledVersions[0]; } const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( @@ -90755,7 +90755,7 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature } return defaultCliVersion.enabledVersions[0]; } -async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); 
@@ -90852,6 +90852,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -90871,6 +90872,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -91072,7 +91074,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -91083,6 +91085,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau toolsInput, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, apiDetails, variant, zstdAvailability.available, @@ -91210,7 +91213,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger, checkVersion) { try { const { codeqlFolder, 
@@ -91225,6 +91228,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -92946,7 +92950,7 @@ var core12 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -92961,6 +92965,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, true @@ -93119,6 +93124,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo codeQLDefaultVersionInfo, void 0, // rawLanguages: upload-lib does not run analysis + false, + // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis features, logger ); diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index eca5b7f00..d376638ca 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -91414,8 +91414,8 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw } return overlayVersions; } -async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { - if (!isAnalyzingPullRequest()) { +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { + if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) { return defaultCliVersion.enabledVersions[0]; } const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( 
@@ -91432,7 +91432,7 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature } return defaultCliVersion.enabledVersions[0]; } -async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -91529,6 +91529,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -91548,6 +91549,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiD const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -91749,7 +91751,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -91760,6 +91762,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau toolsInput, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, apiDetails, variant, zstdAvailability.available, 
@@ -91887,7 +91890,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger, checkVersion) { try { const { codeqlFolder, @@ -91902,6 +91905,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger ); @@ -93623,7 +93627,7 @@ var core13 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, useOverlayAwareDefaultCliVersion, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -93638,6 +93642,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, true @@ -93725,6 +93730,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo codeQLDefaultVersionInfo, void 0, // rawLanguages: upload-lib does not run analysis + false, + // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis features, logger ); diff --git a/src/codeql.test.ts b/src/codeql.test.ts index 60756101f..5169961ad 100644 --- a/src/codeql.test.ts +++ b/src/codeql.test.ts 
@@ -73,6 +73,7 @@ async function installIntoToolcache({ ? { enabledVersions: [{ cliVersion, tagName }] } : SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion createFeatures([]), getRunnerLogger(true), false, @@ -145,6 +146,7 @@ test.serial( util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, getRunnerLogger(true), false, @@ -178,6 +180,7 @@ test.serial( util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, getRunnerLogger(true), false, @@ -218,6 +221,7 @@ test.serial( util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, getRunnerLogger(true), false, @@ -269,6 +273,7 @@ for (const { util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, getRunnerLogger(true), false, @@ -314,6 +319,7 @@ for (const toolcacheVersion of [ util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, getRunnerLogger(true), false, @@ -359,6 +365,7 @@ test.serial( ], }, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, getRunnerLogger(true), false, @@ -406,6 +413,7 @@ test.serial( ], }, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, getRunnerLogger(true), false, @@ -446,6 +454,7 @@ test.serial( util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, getRunnerLogger(true), false, @@ -488,6 +497,7 @@ test.serial( util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, getRunnerLogger(true), false, 
diff --git a/src/codeql.ts b/src/codeql.ts index 046d3e719..66ed8cebe 100644 --- a/src/codeql.ts +++ b/src/codeql.ts @@ -306,6 +306,7 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; * @param variant * @param defaultCliVersion * @param rawLanguages Raw set of languages. + * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version. * @param features Information about the features that are enabled. * @param logger * @param checkVersion Whether to check that CodeQL CLI meets the minimum @@ -319,6 +320,7 @@ export async function setupCodeQL( variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, rawLanguages: string[] | undefined, + useOverlayAwareDefaultCliVersion: boolean, features: FeatureEnablement, logger: Logger, checkVersion: boolean, @@ -343,6 +345,7 @@ export async function setupCodeQL( variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, ); diff --git a/src/init-action.ts b/src/init-action.ts index 96745e203..b529b6804 100644 --- a/src/init-action.ts +++ b/src/init-action.ts @@ -304,6 +304,9 @@ async function run(startedAt: Date) { const rawLanguages = configUtils.getRawLanguagesNoAutodetect( getOptionalInput("languages"), ); + const useOverlayAwareDefaultCliVersion = !!analysisKinds?.includes( + AnalysisKind.CodeScanning, + ); const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, @@ -311,6 +314,7 @@ async function run(startedAt: Date) { gitHubVersion.type, codeQLDefaultVersionInfo, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, ); diff --git a/src/init.ts b/src/init.ts index ef1f426d0..2533d9a89 100644 --- a/src/init.ts +++ b/src/init.ts @@ -40,6 +40,7 @@ export async function initCodeQL( variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, rawLanguages: string[] | undefined, + useOverlayAwareDefaultCliVersion: boolean, features: FeatureEnablement, logger: Logger, ): Promise<{ 
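Review bot: The new `useOverlayAwareDefaultCliVersion` assignment in `run()` (src/init-action.ts) has no comment explaining why overlay-aware selection is tied to `AnalysisKind.CodeScanning`, and `!!analysisKinds?.includes(...)` quietly turns an undefined `analysisKinds` into `false`. This boolean decides whether the CodeQL CLI version for a pull request is picked by consulting the Actions cache listing or fixed to the newest enabled version, so the intent and the conservative default are worth stating. A line such as `// Overlay-aware CLI version selection applies to Code Scanning analyses only; an undefined analysisKinds falls back to the plain default.` would do it. `run()` begins and ends outside this hunk.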
@@ -63,6 +64,7 @@ export async function initCodeQL( variant, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, true, diff --git a/src/setup-codeql-action.ts b/src/setup-codeql-action.ts index 5e6c82442..b9091a18b 100644 --- a/src/setup-codeql-action.ts +++ b/src/setup-codeql-action.ts @@ -146,6 +146,7 @@ async function run(startedAt: Date): Promise { gitHubVersion.type, codeQLDefaultVersionInfo, undefined, // rawLanguages: currently, setup-codeql is not language aware + false, // useOverlayAwareDefaultCliVersion: setup-codeql is not language aware features, logger, ); diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index 39f2422bd..463dc61ae 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -108,6 +108,7 @@ test.serial( `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -132,6 +133,7 @@ test.serial( "linked", SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -158,6 +160,7 @@ test.serial( "latest", SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -215,6 +218,7 @@ test.serial( GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, logger, ); @@ -271,6 +275,7 @@ test.serial( GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion features, logger, ); 
@@ -323,6 +328,7 @@ test.serial( "nightly", SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -385,6 +391,7 @@ test.serial( undefined, SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -440,6 +447,7 @@ test.serial( "toolcache", SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -508,6 +516,7 @@ const toolcacheInputFallbackMacro = test.macro({ "toolcache", SAMPLE_DEFAULT_CLI_VERSION, undefined, // rawLanguages + false, // useOverlayAwareDefaultCliVersion SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, 
@@ -640,6 +649,82 @@ const overlayMatchEnabledVersions = { toolsFeatureFlagsValid: true, }; +test.serial( + "getCodeQLSource uses overlay-aware default version when requested for a PR", + async (t) => { + await withTmpDir(async (tmpDir) => { + setupActionsVars(tmpDir, tmpDir); + process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch"; + process.env["CODE_SCANNING_BASE_BRANCH"] = "main"; + + sinon.stub(api, "getAutomationID").resolves("test/"); + const listStub = sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + }, + ]); + sinon + .stub(toolcache, "find") + .withArgs("CodeQL", "2.20.1") + .returns("/path/to/codeql-2.20.1"); + + const source = await setupCodeql.getCodeQLSource( + undefined, + overlayMatchEnabledVersions, + ["javascript"], + true, + SAMPLE_DOTCOM_API_DETAILS, + GitHubVariant.DOTCOM, + false, + makeOverlayMatchFeatures({ matchFlagEnabled: true }), + getRunnerLogger(true), + ); + + t.assert(listStub.calledOnce); + t.is(source.sourceType, "toolcache"); + t.is(source.toolsVersion, "2.20.1"); + }); + }, +); + +test.serial( + "getCodeQLSource skips overlay-aware default version when not requested", + async (t) => { + await withTmpDir(async (tmpDir) => { + setupActionsVars(tmpDir, tmpDir); + process.env["CODE_SCANNING_REF"] = "refs/heads/feature-branch"; + process.env["CODE_SCANNING_BASE_BRANCH"] = "main"; + + sinon.stub(api, "getAutomationID").resolves("test/"); + const listStub = sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + }, + ]); + sinon + .stub(toolcache, "find") + .withArgs("CodeQL", "2.20.2") + .returns("/path/to/codeql-2.20.2"); + + const source = await setupCodeql.getCodeQLSource( + undefined, + overlayMatchEnabledVersions, + ["javascript"], + false, + SAMPLE_DOTCOM_API_DETAILS, + GitHubVariant.DOTCOM, + false, + makeOverlayMatchFeatures({ matchFlagEnabled: true 
}), + getRunnerLogger(true), + ); + + t.assert(listStub.notCalled); + t.is(source.sourceType, "toolcache"); + t.is(source.toolsVersion, "2.20.2"); + }); + }, +); + test.serial( "getEnabledVersionsWithOverlayBaseDatabases returns flag-enabled versions present in cache, sorted desc", async (t) => { diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 108214735..53deca53b 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -360,16 +360,17 @@ export async function getEnabledVersionsWithOverlayBaseDatabases( /** * Resolves the newest enabled default CLI version that has a cached overlay-base database for the - * relevant languages, if analyzing a pull request and one exists. Otherwise, falls back to the - * newest enabled default CLI version. + * relevant languages, if running a Code Scanning analysis for a pull request and one exists. + * Otherwise, falls back to the newest enabled default CLI version. */ async function resolveDefaultCliVersion( defaultCliVersion: CodeQLDefaultVersionInfo, rawLanguages: string[] | undefined, + useOverlayAwareDefaultCliVersion: boolean, features: FeatureEnablement, logger: Logger, ): Promise { - if (!isAnalyzingPullRequest()) { + if (!useOverlayAwareDefaultCliVersion || !isAnalyzingPullRequest()) { return defaultCliVersion.enabledVersions[0]; } @@ -396,6 +397,7 @@ async function resolveDefaultCliVersion( * @param toolsInput The argument provided for the `tools` input, if any. * @param defaultCliVersion The default CLI version that's linked to the CodeQL Action. * @param rawLanguages Raw set of languages. + * @param useOverlayAwareDefaultCliVersion Whether to select an overlay-aware default CLI version. * @param apiDetails Information about the GitHub API. * @param variant The GitHub variant we are running on. * @param tarSupportsZstd Whether zstd is supported by `tar`. 
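Review bot: The doc comment on `resolveDefaultCliVersion` (src/setup-codeql.ts) now refers to "a Code Scanning analysis", but the function never checks the analysis kind; it only tests the new `useOverlayAwareDefaultCliVersion` boolean. Unlike `getCodeQLSource` and `setupCodeQL`, it also gets no `@param` line for that parameter. I would word the comment in terms of the parameter, e.g. `@param useOverlayAwareDefaultCliVersion When false, skip the overlay-base cache lookup and return enabledVersions[0].`, and leave the Code Scanning policy to the caller in `init-action.ts`. Because the result decides which CLI build analyses a pull request and depends on cache key names, the comment should also state that the lookup can only pick among `defaultCliVersion.enabledVersions`. That appears to hold from `getEnabledVersionsWithOverlayBaseDatabases`, whose body is not in this hunk, so confirm it before writing it down. The function body continues outside the hunk.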
@@ -408,6 +410,7 @@ export async function getCodeQLSource( toolsInput: string | undefined, defaultCliVersion: CodeQLDefaultVersionInfo, rawLanguages: string[] | undefined, + useOverlayAwareDefaultCliVersion: boolean, apiDetails: api.GitHubApiDetails, variant: util.GitHubVariant, tarSupportsZstd: boolean, @@ -568,6 +571,7 @@ export async function getCodeQLSource( const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, ); @@ -590,6 +594,7 @@ export async function getCodeQLSource( const version = await resolveDefaultCliVersion( defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, features, logger, ); @@ -930,6 +935,7 @@ export async function setupCodeQLBundle( variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, rawLanguages: string[] | undefined, + useOverlayAwareDefaultCliVersion: boolean, features: FeatureEnablement, logger: Logger, ): Promise { @@ -944,6 +950,7 @@ export async function setupCodeQLBundle( toolsInput, defaultCliVersion, rawLanguages, + useOverlayAwareDefaultCliVersion, apiDetails, variant, zstdAvailability.available, diff --git a/src/upload-lib.ts b/src/upload-lib.ts index 5db40f26d..83331aeed 100644 --- a/src/upload-lib.ts +++ b/src/upload-lib.ts @@ -166,6 +166,7 @@ async function combineSarifFilesUsingCLI( gitHubVersion.type, codeQLDefaultVersionInfo, undefined, // rawLanguages: upload-lib does not run analysis + false, // useOverlayAwareDefaultCliVersion: upload-lib does not run analysis features, logger, ); From 7525c68ea1b9c447eeb392cade7ee92837c299b1 Mon Sep 17 00:00:00 2001 
From: Henry Mercer Date: Thu, 7 May 2026 11:01:15 +0100 Subject: [PATCH 10/40] Nit: Dedupe languages --- lib/analyze-action.js | 7 ++++--- lib/init-action-post.js | 7 ++++--- lib/init-action.js | 7 ++++--- lib/setup-codeql-action.js | 7 ++++--- lib/upload-lib.js | 7 ++++--- lib/upload-sarif-action.js | 7 ++++--- src/overlay/caching.test.ts | 26 ++++++++++++++++++++++++++ src/overlay/caching.ts | 7 ++++--- 8 files changed, 54 insertions(+), 21 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 68ca02cf6..0cec7d688 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -91155,9 +91155,10 @@ async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { ); return void 0; } - const cacheKeyPrefix = await getCacheKeyPrefixBase( - languages.filter((l) => l !== void 0) - ); + const dedupedLanguages = [ + ...new Set(languages.filter((l) => l !== void 0)) + ]; + const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages); logger.debug( `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` ); diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 16d0bc507..d2eb3e969 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -132126,9 +132126,10 @@ async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { ); return void 0; } - const cacheKeyPrefix = await getCacheKeyPrefixBase( - languages.filter((l) => l !== void 0) - ); + const dedupedLanguages = [ + ...new Set(languages.filter((l) => l !== void 0)) + ]; + const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages); logger.debug( `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` ); diff --git a/lib/init-action.js b/lib/init-action.js index 7753d29fd..0283461a0 100644 --- a/lib/init-action.js +++ b/lib/init-action.js 
@@ -90084,9 +90084,10 @@ async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { ); return void 0; } - const cacheKeyPrefix = await getCacheKeyPrefixBase( - languages.filter((l) => l !== void 0) - ); + const dedupedLanguages = [ + ...new Set(languages.filter((l) => l !== void 0)) + ]; + const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages); logger.debug( `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` ); diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 64ad2f567..23329efa9 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -87526,9 +87526,10 @@ async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { ); return void 0; } - const cacheKeyPrefix = await getCacheKeyPrefixBase( - languages.filter((l) => l !== void 0) - ); + const dedupedLanguages = [ + ...new Set(languages.filter((l) => l !== void 0)) + ]; + const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages); logger.debug( `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` ); diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 73465a343..b2a5c4269 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -90181,9 +90181,10 @@ async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { ); return void 0; } - const cacheKeyPrefix = await getCacheKeyPrefixBase( - languages.filter((l) => l !== void 0) - ); + const dedupedLanguages = [ + ...new Set(languages.filter((l) => l !== void 0)) + ]; + const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages); logger.debug( `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` ); diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index d376638ca..b865d858f 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js 
@@ -90858,9 +90858,10 @@ async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { ); return void 0; } - const cacheKeyPrefix = await getCacheKeyPrefixBase( - languages.filter((l) => l !== void 0) - ); + const dedupedLanguages = [ + ...new Set(languages.filter((l) => l !== void 0)) + ]; + const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages); logger.debug( `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` ); diff --git a/src/overlay/caching.test.ts b/src/overlay/caching.test.ts index 3a2266a4a..0c4c5e863 100644 --- a/src/overlay/caching.test.ts +++ b/src/overlay/caching.test.ts @@ -391,6 +391,32 @@ test.serial( }, ); +test.serial( + "getCodeQlVersionsForOverlayBaseDatabases de-duplicates resolved language aliases", + async (t) => { + const logger = getRunnerLogger(true); + + sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/"); + const listActionsCachesStub = sinon + .stub(apiClient, "listActionsCaches") + .resolves([ + { + key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.25.0-abc123-1-1", + }, + ]); + + const result = await getCodeQlVersionsForOverlayBaseDatabases( + ["javascript", "typescript", "Python", "python"], + logger, + ); + t.deepEqual(result, ["2.25.0"]); + sinon.assert.calledOnceWithExactly( + listActionsCachesStub, + "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-", + ); + }, +); + test.serial( "getCodeQlVersionsForOverlayBaseDatabases ignores nightly versions with build metadata", async (t) => { diff --git a/src/overlay/caching.ts b/src/overlay/caching.ts index 268c20c12..c4557cd4e 100644 --- a/src/overlay/caching.ts +++ b/src/overlay/caching.ts 
@@ -461,9 +461,10 @@ export async function getCodeQlVersionsForOverlayBaseDatabases( ); return undefined; } - const cacheKeyPrefix = await getCacheKeyPrefixBase( - languages.filter((l) => l !== undefined), - ); + const dedupedLanguages = [ + ...new Set(languages.filter((l) => l !== undefined)), + ]; + const cacheKeyPrefix = await getCacheKeyPrefixBase(dedupedLanguages); logger.debug( `Searching for overlay-base databases in Actions cache with ` + From 9f82f88f07f7e4effe8006b9354a8ae7ce7263a8 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 7 May 2026 12:49:13 +0000 Subject: [PATCH 11/40] Update default bundle to codeql-bundle-v2.25.4 --- lib/analyze-action.js | 4 ++-- lib/autobuild-action.js | 4 ++-- lib/defaults.json | 8 ++++---- lib/init-action-post.js | 4 ++-- lib/init-action.js | 4 ++-- lib/setup-codeql-action.js | 4 ++-- lib/start-proxy-action.js | 4 ++-- lib/upload-lib.js | 4 ++-- lib/upload-sarif-action.js | 4 ++-- src/defaults.json | 8 ++++---- 10 files changed, 24 insertions(+), 24 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 5d1779110..a0d645e56 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -89739,8 +89739,8 @@ var path6 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.25.3"; -var cliVersion = "2.25.3"; +var bundleVersion = "codeql-bundle-v2.25.4"; +var cliVersion = "2.25.4"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 17c427eda..5ac767b0a 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js 
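Review bot: `new Set` keeps first-seen order, so `dedupedLanguages` removes repeats but the prefix passed to `getCacheKeyPrefixBase` still follows the order in which the languages were supplied, unless that helper sorts its input, which this hunk does not show. The test added in `caching.test.ts` passes `["javascript", "typescript", "Python", "python"]`, which is already in the order of the expected `javascript_python-` prefix, so it would pass either way. A second case with the order reversed, e.g. `["python", "Python", "typescript", "javascript"]`, asserting the same prefix would pin the behaviour. If it fails, appending `.sort()` to the de-duplicated array is the fix. `getCodeQlVersionsForOverlayBaseDatabases` starts and ends outside the hunk.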
@@ -86226,8 +86226,8 @@ var path5 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.25.3"; -var cliVersion = "2.25.3"; +var bundleVersion = "codeql-bundle-v2.25.4"; +var cliVersion = "2.25.4"; // src/overlay/index.ts var fs3 = __toESM(require("fs")); diff --git a/lib/defaults.json b/lib/defaults.json index 91936465e..edd817575 100644 --- a/lib/defaults.json +++ b/lib/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.25.3", - "cliVersion": "2.25.3", - "priorBundleVersion": "codeql-bundle-v2.25.2", - "priorCliVersion": "2.25.2" + "bundleVersion": "codeql-bundle-v2.25.4", + "cliVersion": "2.25.4", + "priorBundleVersion": "codeql-bundle-v2.25.3", + "priorCliVersion": "2.25.3" } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 2794b130e..93d18db70 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -130901,8 +130901,8 @@ var path6 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.25.3"; -var cliVersion = "2.25.3"; +var bundleVersion = "codeql-bundle-v2.25.4"; +var cliVersion = "2.25.4"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); diff --git a/lib/init-action.js b/lib/init-action.js index 3769eab06..9a7cd36d7 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -87279,8 +87279,8 @@ var path7 = __toESM(require("path")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.25.3"; -var cliVersion = "2.25.3"; +var bundleVersion = "codeql-bundle-v2.25.4"; +var cliVersion = "2.25.4"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 72a24cede..1217a8e53 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js 
@@ -86067,8 +86067,8 @@ var path5 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.25.3"; -var cliVersion = "2.25.3"; +var bundleVersion = "codeql-bundle-v2.25.4"; +var cliVersion = "2.25.4"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 256c358c0..90d38d06c 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -103064,8 +103064,8 @@ var path = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.25.3"; -var cliVersion = "2.25.3"; +var bundleVersion = "codeql-bundle-v2.25.4"; +var cliVersion = "2.25.4"; // src/git-utils.ts var core6 = __toESM(require_core()); diff --git a/lib/upload-lib.js b/lib/upload-lib.js index c0a9964c1..ff8b73486 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -89347,8 +89347,8 @@ var fs5 = __toESM(require("fs")); var semver5 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.25.3"; -var cliVersion = "2.25.3"; +var bundleVersion = "codeql-bundle-v2.25.4"; +var cliVersion = "2.25.4"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 83c55ee86..03f908ea5 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -89018,8 +89018,8 @@ var path5 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.25.3"; -var cliVersion = "2.25.3"; +var bundleVersion = "codeql-bundle-v2.25.4"; +var cliVersion = "2.25.4"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); diff --git a/src/defaults.json b/src/defaults.json index 91936465e..edd817575 100644 --- a/src/defaults.json +++ b/src/defaults.json 
@@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.25.3", - "cliVersion": "2.25.3", - "priorBundleVersion": "codeql-bundle-v2.25.2", - "priorCliVersion": "2.25.2" + "bundleVersion": "codeql-bundle-v2.25.4", + "cliVersion": "2.25.4", + "priorBundleVersion": "codeql-bundle-v2.25.3", + "priorCliVersion": "2.25.3" } From ae1b9155d331333bd3a526ae3fa105fbcf73ab36 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 7 May 2026 12:49:22 +0000 Subject: [PATCH 12/40] Add changelog note --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b0d604e3..fc2b3c83a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881) ## 4.35.3 - 01 May 2026 From aaef09c48db2dd7f0100363de1785963a34cd706 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 May 2026 13:21:45 +0000 Subject: [PATCH 13/40] Bump ruby/setup-ruby Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.305.0 to 1.306.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](https://github.com/ruby/setup-ruby/compare/0cb964fd540e0a24c900370abf38a33466142735...c4e5b1316158f92e3d49443a9d58b31d25ac0f8f) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.306.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... 
Signed-off-by: dependabot[bot] --- .github/workflows/__rubocop-multi-language.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml index 33e78dd70..4e0fabe53 100644 --- a/.github/workflows/__rubocop-multi-language.yml +++ b/.github/workflows/__rubocop-multi-language.yml @@ -59,7 +59,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Set up Ruby - uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0 + uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0 with: ruby-version: 2.6 - name: Install Code Scanning integration From 17eabb2500031486a71e00ecbcb72c73804a6c9f Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 7 May 2026 13:23:54 +0000 Subject: [PATCH 14/40] Rebuild --- pr-checks/checks/rubocop-multi-language.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pr-checks/checks/rubocop-multi-language.yml b/pr-checks/checks/rubocop-multi-language.yml index 504dce1cd..fdf6c913b 100644 --- a/pr-checks/checks/rubocop-multi-language.yml +++ b/pr-checks/checks/rubocop-multi-language.yml @@ -5,7 +5,7 @@ versions: - default steps: - name: Set up Ruby - uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1.305.0 + uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0 with: ruby-version: 2.6 - name: Install Code Scanning integration From 6e3f985e4fc409a188c7701b68c4dec158c9ced3 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 7 May 2026 14:26:43 +0100 Subject: [PATCH 15/40] Add wrapper for `test.macro` --- src/testing-utils.ts | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/src/testing-utils.ts b/src/testing-utils.ts index fcb7149b5..cdfb37c73 100644 --- a/src/testing-utils.ts +++ b/src/testing-utils.ts 
@@ -2,7 +2,11 @@ import { TextDecoder } from "node:util"; import path from "path"; import * as github from "@actions/github"; -import { ExecutionContext, TestFn } from "ava"; +import test, { + type ExecutionContext, + type MacroDeclarationOptions, + type TestFn, +} from "ava"; import nock from "nock"; import * as sinon from "sinon"; @@ -85,8 +89,8 @@ function wrapOutput(context: TestContext) { }; } -export function setupTests(test: TestFn) { - const typedTest = test as TestFn; +export function setupTests(testFn: TestFn) { + const typedTest = testFn as TestFn; typedTest.beforeEach((t) => { // Set an empty CodeQL object so that all method calls will fail @@ -139,6 +143,26 @@ export function setupTests(test: TestFn) { }); } +/** + * Declare a reusable test implementation, with better type safety than `test.macro`. + */ +export function makeMacro( + decl: MacroDeclarationOptions, +) { + const m = test.macro(decl); + + const wrapper = (name: string, ...args: Args) => test(name, m, ...args); + wrapper.test = (...args: Args) => test(m, ...args); + wrapper.serial = (name: string, ...args: Args) => + test.serial(name, m, ...args); + // Make the implementation available as `fn`. We don't call it `exec` so + // that results from this function are not valid arguments to `test` + // or `test.serial`. + wrapper.fn = decl.exec; + + return wrapper; +} + /** * Default values for environment variables typically set in an Actions * environment. Tests can override individual variables by passing them in the From df77e87896689b5c736433984c5df14d86c63d56 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 7 May 2026 14:27:28 +0100 Subject: [PATCH 16/40] Update test macro snippet --- .vscode/tests.code-snippets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.vscode/tests.code-snippets b/.vscode/tests.code-snippets index 3ee5ceb75..7c2457202 100644 --- a/.vscode/tests.code-snippets +++ b/.vscode/tests.code-snippets 
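Review bot: The one-line doc comment on `makeMacro` does not describe the value it returns, which has four entry points: the wrapper itself and `.serial` take a title first, `.test` registers the macro with no title, and `.fn` exposes `decl.exec`. I would extend the comment with a short list of those forms and note that there is no untitled serial form, so readers do not have to infer the API from the assignments. The inline explanation of why the implementation is exposed as `fn` rather than `exec` is useful and could move into that doc comment as well. Separately, `.test` shares its name with the module's `test` import; a name such as `.untitled` would read less ambiguously at call sites.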
@@ -19,7 +19,7 @@ "scope": "javascript, typescript", "prefix": "testMacro", "body": [ - "const ${1:nameMacro} = test.macro({", + "const ${1:nameMacro} = makeMacro({", " exec: async (t: ExecutionContext) => {},", "", " title: (providedTitle = \"\") => `${2:common title} - \\${providedTitle}`,", From 922d6fb888d665134eb982b150b8912dbd48e21a Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 7 May 2026 14:59:27 +0100 Subject: [PATCH 17/40] Use `makeMacro` instead of `test.macro` --- src/codeql.test.ts | 39 ++--- src/config-utils.test.ts | 177 ++++++++--------------- src/config/db-config.test.ts | 113 ++++++--------- src/diff-informed-analysis-utils.test.ts | 33 ++--- src/init-action-post-helper.test.ts | 12 +- src/init.test.ts | 42 ++---- src/overlay/caching.test.ts | 39 ++--- src/setup-codeql.test.ts | 12 +- src/start-proxy.test.ts | 37 ++--- src/status-report.test.ts | 15 +- src/upload-sarif.test.ts | 19 +-- 11 files changed, 200 insertions(+), 338 deletions(-) diff --git a/src/codeql.test.ts b/src/codeql.test.ts index eccad6895..08310df2a 100644 --- a/src/codeql.test.ts +++ b/src/codeql.test.ts @@ -33,6 +33,7 @@ import { mockBundleDownloadApi, makeVersionInfo, createTestConfig, + makeMacro, } from "./testing-utils"; import { ToolsDownloadStatusReport } from "./tools-download"; import * as util from "./util"; @@ -540,7 +541,7 @@ test.serial("getExtraOptions throws for bad content", (t) => { }); // Test macro for ensuring different variants of injected augmented configurations -const injectedConfigMacro = test.macro({ +const injectedConfigMacro = makeMacro({ exec: async ( t: ExecutionContext, augmentationProperties: AugmentationProperties, @@ -590,9 +591,8 @@ const injectedConfigMacro = test.macro({ `databaseInitCluster() injected config: ${providedTitle}`, }); -test.serial( +injectedConfigMacro.serial( "basic", - injectedConfigMacro, { ...defaultAugmentationProperties, }, 
@@ -600,9 +600,8 @@ test.serial( {}, ); -test.serial( +injectedConfigMacro.serial( "injected packs from input", - injectedConfigMacro, { ...defaultAugmentationProperties, packsInput: ["xxx", "yyy"], @@ -613,9 +612,8 @@ test.serial( }, ); -test.serial( +injectedConfigMacro.serial( "injected packs from input with existing packs combines", - injectedConfigMacro, { ...defaultAugmentationProperties, packsInputCombines: true, @@ -635,9 +633,8 @@ test.serial( }, ); -test.serial( +injectedConfigMacro.serial( "injected packs from input with existing packs overrides", - injectedConfigMacro, { ...defaultAugmentationProperties, packsInput: ["xxx", "yyy"], @@ -655,9 +652,8 @@ test.serial( ); // similar, but with queries -test.serial( +injectedConfigMacro.serial( "injected queries from input", - injectedConfigMacro, { ...defaultAugmentationProperties, queriesInput: [{ uses: "xxx" }, { uses: "yyy" }], @@ -675,9 +671,8 @@ test.serial( }, ); -test.serial( +injectedConfigMacro.serial( "injected queries from input overrides", - injectedConfigMacro, { ...defaultAugmentationProperties, queriesInput: [{ uses: "xxx" }, { uses: "yyy" }], @@ -699,9 +694,8 @@ test.serial( }, ); -test.serial( +injectedConfigMacro.serial( "injected queries from input combines", - injectedConfigMacro, { ...defaultAugmentationProperties, queriesInputCombines: true, @@ -727,9 +721,8 @@ test.serial( }, ); -test.serial( +injectedConfigMacro.serial( "injected queries from input combines 2", - injectedConfigMacro, { ...defaultAugmentationProperties, queriesInputCombines: true, @@ -749,9 +742,8 @@ test.serial( }, ); -test.serial( +injectedConfigMacro.serial( "injected queries and packs, but empty", - injectedConfigMacro, { ...defaultAugmentationProperties, queriesInputCombines: true, @@ -768,9 +760,8 @@ test.serial( {}, ); -test.serial( +injectedConfigMacro.serial( "repo property queries have the highest precedence", - injectedConfigMacro, { ...defaultAugmentationProperties, queriesInputCombines: true, 
@@ -790,9 +781,8 @@ test.serial( }, ); -test.serial( +injectedConfigMacro.serial( "repo property queries combines with queries input", - injectedConfigMacro, { ...defaultAugmentationProperties, queriesInputCombines: false, @@ -817,9 +807,8 @@ test.serial( }, ); -test.serial( +injectedConfigMacro.serial( "repo property queries combines everything else", - injectedConfigMacro, { ...defaultAugmentationProperties, queriesInputCombines: true, diff --git a/src/config-utils.test.ts b/src/config-utils.test.ts index 25aa41433..e8ca45d2f 100644 --- a/src/config-utils.test.ts +++ b/src/config-utils.test.ts @@ -34,6 +34,7 @@ import { LoggedMessage, mockCodeQLVersion, createTestConfig, + makeMacro, } from "./testing-utils"; import { GitHubVariant, @@ -1034,10 +1035,9 @@ const defaultOverlayDatabaseModeTestSetup: OverlayDatabaseModeTestSetup = { repositoryProperties: {}, }; -const checkOverlayEnablementMacro = test.macro({ +const checkOverlayEnablementMacro = makeMacro({ exec: async ( t: ExecutionContext, - _title: string, setupOverrides: Partial, expected: | { @@ -1131,11 +1131,10 @@ const checkOverlayEnablementMacro = test.macro({ } }); }, - title: (_, title) => `checkOverlayEnablement: ${title}`, + title: (title) => `checkOverlayEnablement: ${title}`, }); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Environment variable override - Overlay", { overlayDatabaseEnvVar: "overlay", @@ -1146,8 +1145,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Environment variable override - OverlayBase", { overlayDatabaseEnvVar: "overlay-base", @@ -1158,8 +1156,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Environment variable override - None", { overlayDatabaseEnvVar: "none", 
@@ -1169,8 +1166,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Ignore invalid environment variable", { overlayDatabaseEnvVar: "invalid-mode", @@ -1180,8 +1176,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Ignore feature flag when analyzing non-default branch", { languages: [BuiltInLanguage.javascript], @@ -1192,8 +1187,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay-base database on default branch when feature enabled", { languages: [BuiltInLanguage.javascript], @@ -1206,8 +1200,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay-base database on default branch when feature enabled with custom analysis", { languages: [BuiltInLanguage.javascript], @@ -1223,8 +1216,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay-base database on default branch when code-scanning feature enabled", { languages: [BuiltInLanguage.javascript], @@ -1240,8 +1232,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch if runner disk space is too low", { languages: [BuiltInLanguage.javascript], @@ -1260,8 +1251,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch if we can't determine runner disk space", { languages: [BuiltInLanguage.javascript], @@ -1277,8 +1267,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay-base database on default branch if runner disk space is too low and skip resource checks flag is enabled", { languages: [BuiltInLanguage.javascript], 
@@ -1299,8 +1288,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch if runner disk space is below v2 limit and v2 resource checks enabled", { languages: [BuiltInLanguage.javascript], @@ -1320,8 +1308,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks enabled", { languages: [BuiltInLanguage.javascript], @@ -1342,8 +1329,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch if runner disk space is between v2 and v1 limits and v2 resource checks not enabled", { languages: [BuiltInLanguage.javascript], @@ -1362,8 +1348,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch if memory flag is too low", { languages: [BuiltInLanguage.javascript], @@ -1379,8 +1364,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay-base database on default branch if memory flag is too low but CodeQL >= 2.24.3", { languages: [BuiltInLanguage.javascript], @@ -1398,8 +1382,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay-base database on default branch if memory flag is too low and skip resource checks flag is enabled", { languages: [BuiltInLanguage.javascript], @@ -1417,8 +1400,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch when cached status indicates previous failure", { languages: [BuiltInLanguage.javascript], 
@@ -1435,8 +1417,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR when cached status indicates previous failure", { languages: [BuiltInLanguage.javascript], @@ -1453,8 +1434,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch when code-scanning feature enabled with disable-default-queries", { languages: [BuiltInLanguage.javascript], @@ -1472,8 +1452,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch when code-scanning feature enabled with packs", { languages: [BuiltInLanguage.javascript], @@ -1491,8 +1470,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch when code-scanning feature enabled with queries", { languages: [BuiltInLanguage.javascript], @@ -1510,8 +1488,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch when code-scanning feature enabled with query-filters", { languages: [BuiltInLanguage.javascript], @@ -1529,8 +1506,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch when only language-specific feature enabled", { languages: [BuiltInLanguage.javascript], @@ -1542,8 +1518,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch when only code-scanning feature enabled", { languages: [BuiltInLanguage.javascript], 
@@ -1555,8 +1530,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay-base database on default branch when language-specific feature disabled", { languages: [BuiltInLanguage.javascript], @@ -1568,8 +1542,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay analysis on PR when feature enabled", { languages: [BuiltInLanguage.javascript], @@ -1582,8 +1555,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay analysis on PR when feature enabled with custom analysis", { languages: [BuiltInLanguage.javascript], @@ -1599,8 +1571,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay analysis on PR when code-scanning feature enabled", { languages: [BuiltInLanguage.javascript], @@ -1616,8 +1587,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR if runner disk space is too low", { languages: [BuiltInLanguage.javascript], @@ -1636,8 +1606,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay analysis on PR if runner disk space is too low and skip resource checks flag is enabled", { languages: [BuiltInLanguage.javascript], @@ -1658,8 +1627,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR if we can't determine runner disk space", { languages: [BuiltInLanguage.javascript], @@ -1675,8 +1643,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR if memory flag is too low", { languages: [BuiltInLanguage.javascript], 
@@ -1692,8 +1659,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay analysis on PR if memory flag is too low but CodeQL >= 2.24.3", { languages: [BuiltInLanguage.javascript], @@ -1711,8 +1677,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay analysis on PR if memory flag is too low and skip resource checks flag is enabled", { languages: [BuiltInLanguage.javascript], @@ -1730,8 +1695,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR when code-scanning feature enabled with disable-default-queries", { languages: [BuiltInLanguage.javascript], @@ -1749,8 +1713,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR when code-scanning feature enabled with packs", { languages: [BuiltInLanguage.javascript], @@ -1768,8 +1731,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR when code-scanning feature enabled with queries", { languages: [BuiltInLanguage.javascript], @@ -1787,8 +1749,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR when code-scanning feature enabled with query-filters", { languages: [BuiltInLanguage.javascript], @@ -1806,8 +1767,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR when only language-specific feature enabled", { languages: [BuiltInLanguage.javascript], @@ -1819,8 +1779,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR when only code-scanning feature enabled", { languages: [BuiltInLanguage.javascript], 
@@ -1832,8 +1791,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis on PR when language-specific feature disabled", { languages: [BuiltInLanguage.javascript], @@ -1845,8 +1803,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay PR analysis by env", { overlayDatabaseEnvVar: "overlay", @@ -1857,8 +1814,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay PR analysis by env on a runner with low disk space", { overlayDatabaseEnvVar: "overlay", @@ -1870,8 +1826,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay PR analysis by feature flag", { languages: [BuiltInLanguage.javascript], @@ -1884,8 +1839,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Fallback due to autobuild with traced language", { overlayDatabaseEnvVar: "overlay", @@ -1897,8 +1851,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Fallback due to no build mode with traced language", { overlayDatabaseEnvVar: "overlay", @@ -1910,8 +1863,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Fallback due to old CodeQL version", { overlayDatabaseEnvVar: "overlay", @@ -1922,8 +1874,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Fallback due to missing git root", { overlayDatabaseEnvVar: "overlay", @@ -1934,8 +1885,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Fallback due to old git version with submodules", { overlayDatabaseEnvVar: "overlay", 
@@ -1947,8 +1897,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Fallback when git version cannot be determined and repo has submodules", { overlayDatabaseEnvVar: "overlay", @@ -1960,8 +1909,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay enabled when git version cannot be determined and repo has no submodules", { overlayDatabaseEnvVar: "overlay", @@ -1974,8 +1922,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay when disabled via repository property", { languages: [BuiltInLanguage.javascript], @@ -1990,8 +1937,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Overlay not disabled when repository property is false", { languages: [BuiltInLanguage.javascript], @@ -2007,8 +1953,7 @@ test.serial( }, ); -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "Environment variable override takes precedence over repository property", { overlayDatabaseEnvVar: "overlay", @@ -2024,8 +1969,7 @@ test.serial( // Exercise language-specific overlay analysis features code paths for (const language in BuiltInLanguage) { - test.serial( - checkOverlayEnablementMacro, + checkOverlayEnablementMacro.serial( `Check default overlay analysis feature for ${language}`, { languages: [language], @@ -2042,8 +1986,7 @@ for (const language in BuiltInLanguage) { // overlay analysis enabled, even when the base overlay feature flag is on. // Using swift here as it doesn't currently have overlay support — update this if // swift gains overlay support. -test.serial( - checkOverlayEnablementMacro, +checkOverlayEnablementMacro.serial( "No overlay analysis for language without per-language overlay feature flag", { languages: [BuiltInLanguage.swift], 
diff --git a/src/config/db-config.test.ts b/src/config/db-config.test.ts index d0c11d268..ca0061e13 100644 --- a/src/config/db-config.test.ts +++ b/src/config/db-config.test.ts @@ -7,6 +7,7 @@ import { checkExpectedLogMessages, getRecordingLogger, LoggedMessage, + makeMacro, } from "../testing-utils"; import { ConfigurationError, prettyPrintPack } from "../util"; @@ -15,7 +16,7 @@ import * as dbConfig from "./db-config"; /** * Test macro for ensuring the packs block is valid */ -const parsePacksMacro = test.macro({ +const parsePacksMacro = makeMacro({ exec: ( t: ExecutionContext, packsInput: string, @@ -33,7 +34,7 @@ const parsePacksMacro = test.macro({ /** * Test macro for testing when the packs block is invalid */ -const parsePacksErrorMacro = test.macro({ +const parsePacksErrorMacro = makeMacro({ exec: ( t: ExecutionContext, packsInput: string, 
@@ -49,34 +50,32 @@ const parsePacksErrorMacro = test.macro({ /** * Test macro for testing when the packs block is invalid */ -const invalidPackNameMacro = test.macro({ - exec: (t: ExecutionContext, name: string) => - parsePacksErrorMacro.exec( +const invalidPackNameMacro = makeMacro({ + exec: (t: ExecutionContext, arg: string) => + parsePacksErrorMacro.fn( t, - name, + arg, [BuiltInLanguage.cpp], - new RegExp(`^"${name}" is not a valid pack$`), + new RegExp(`^"${arg}" is not a valid pack$`), ), title: (_providedTitle: string | undefined, arg: string | undefined) => `Invalid pack string: ${arg}`, }); -test("no packs", parsePacksMacro, "", [], undefined); -test("two packs", parsePacksMacro, "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], { +parsePacksMacro("no packs", "", [], undefined); +parsePacksMacro("two packs", "a/b,c/d@1.2.3", [BuiltInLanguage.cpp], { [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"], }); -test( +parsePacksMacro( "two packs with spaces", - parsePacksMacro, " a/b , c/d@1.2.3 ", [BuiltInLanguage.cpp], { [BuiltInLanguage.cpp]: ["a/b", "c/d@1.2.3"], }, ); -test( +parsePacksErrorMacro( "two packs with language", - parsePacksErrorMacro, "a/b,c/d@1.2.3", [BuiltInLanguage.cpp, BuiltInLanguage.java], new RegExp( @@ -85,9 +84,8 @@ test( ), ); -test( +parsePacksMacro( "packs with other valid names", - parsePacksMacro, [ // ranges are ok "c/d@1.0", 
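Review bot: In `invalidPackNameMacro`, the rewritten line `new RegExp(...)` still interpolates `arg` into the pattern unescaped, so regex metacharacters in the pack string are treated as pattern syntax rather than literal text. Several inputs registered further down contain `.` (for example `c/d@1.0.0:` and `c/d@../a`), which makes the expected-message check looser than it reads, and an input containing `(` or `[` would throw when the pattern is built. Escaping first keeps the assertion exact: `const escaped = arg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");`, then interpolate `escaped` instead of `arg`. Separately, the doc comment above this macro repeats the one on `parsePacksErrorMacro`; something like `Test macro asserting that a single pack string is rejected as invalid` would tell the two apart.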
@@ -123,23 +121,23 @@ test( }, ); -test(invalidPackNameMacro, "c"); // all packs require at least a scope and a name -test(invalidPackNameMacro, "c-/d"); -test(invalidPackNameMacro, "-c/d"); -test(invalidPackNameMacro, "c/d_d"); -test(invalidPackNameMacro, "c/d@@"); -test(invalidPackNameMacro, "c/d@1.0.0:"); -test(invalidPackNameMacro, "c/d:"); -test(invalidPackNameMacro, "c/d:/a"); -test(invalidPackNameMacro, "@1.0.0:a"); -test(invalidPackNameMacro, "c/d@../a"); -test(invalidPackNameMacro, "c/d@b/../a"); -test(invalidPackNameMacro, "c/d:z@1"); +invalidPackNameMacro.test("c"); // all packs require at least a scope and a name +invalidPackNameMacro.test("c-/d"); +invalidPackNameMacro.test("-c/d"); +invalidPackNameMacro.test("c/d_d"); +invalidPackNameMacro.test("c/d@@"); +invalidPackNameMacro.test("c/d@1.0.0:"); +invalidPackNameMacro.test("c/d:"); +invalidPackNameMacro.test("c/d:/a"); +invalidPackNameMacro.test("@1.0.0:a"); +invalidPackNameMacro.test("c/d@../a"); +invalidPackNameMacro.test("c/d@b/../a"); +invalidPackNameMacro.test("c/d:z@1"); /** * Test macro for pretty printing pack specs */ -const packSpecPrettyPrintingMacro = test.macro({ +const packSpecPrettyPrintingMacro = makeMacro({ exec: (t: ExecutionContext, packStr: string, packObj: dbConfig.Pack) => { const parsed = dbConfig.parsePacksSpecification(packStr); t.deepEqual(parsed, packObj, "parsed pack spec is correct"); 
@@ -163,36 +161,35 @@ const packSpecPrettyPrintingMacro = test.macro({ ) => `Prettyprint pack spec: '${packStr}'`, }); -test(packSpecPrettyPrintingMacro, "a/b", { +packSpecPrettyPrintingMacro.test("a/b", { name: "a/b", version: undefined, path: undefined, }); -test(packSpecPrettyPrintingMacro, "a/b@~1.2.3", { +packSpecPrettyPrintingMacro.test("a/b@~1.2.3", { name: "a/b", version: "~1.2.3", path: undefined, }); -test(packSpecPrettyPrintingMacro, "a/b@~1.2.3:abc/def", { +packSpecPrettyPrintingMacro.test("a/b@~1.2.3:abc/def", { name: "a/b", version: "~1.2.3", path: "abc/def", }); -test(packSpecPrettyPrintingMacro, "a/b:abc/def", { +packSpecPrettyPrintingMacro.test("a/b:abc/def", { name: "a/b", version: undefined, path: "abc/def", }); -test(packSpecPrettyPrintingMacro, " a/b:abc/def ", { +packSpecPrettyPrintingMacro.test(" a/b:abc/def ", { name: "a/b", version: undefined, path: "abc/def", }); -const calculateAugmentationMacro = test.macro({ +const calculateAugmentationMacro = makeMacro({ exec: async ( t: ExecutionContext, - _title: string, rawPacksInput: string | undefined, rawQueriesInput: string | undefined, languages: Language[], @@ -207,11 +204,10 @@ const calculateAugmentationMacro = test.macro({ ); t.deepEqual(actualAugmentationProperties, expectedAugmentationProperties); }, - title: (_, title) => `Calculate Augmentation: ${title}`, + title: (title) => `Calculate Augmentation: ${title}`, }); -test( - calculateAugmentationMacro, +calculateAugmentationMacro( "All empty", undefined, undefined, @@ -222,8 +218,7 @@ test( }, ); -test( - calculateAugmentationMacro, +calculateAugmentationMacro( "With queries", undefined, " a, b , c, d", @@ -235,8 +230,7 @@ test( }, ); -test( - calculateAugmentationMacro, +calculateAugmentationMacro( "With queries combining", undefined, " + a, b , c, d ", @@ -249,8 +243,7 @@ test( }, ); -test( - calculateAugmentationMacro, +calculateAugmentationMacro( "With packs", " codeql/a , codeql/b , codeql/c , codeql/d ", undefined, 
@@ -262,8 +255,7 @@ test( }, ); -test( - calculateAugmentationMacro, +calculateAugmentationMacro( "With packs combining", " + codeql/a, codeql/b, codeql/c, codeql/d", undefined, @@ -276,8 +268,7 @@ test( }, ); -test( - calculateAugmentationMacro, +calculateAugmentationMacro( "With repo property queries", undefined, undefined, @@ -294,8 +285,7 @@ test( }, ); -test( - calculateAugmentationMacro, +calculateAugmentationMacro( "With repo property queries combining", undefined, undefined, @@ -312,10 +302,9 @@ test( }, ); -const calculateAugmentationErrorMacro = test.macro({ +const calculateAugmentationErrorMacro = makeMacro({ exec: async ( t: ExecutionContext, - _title: string, rawPacksInput: string | undefined, rawQueriesInput: string | undefined, languages: Language[], @@ -333,11 +322,10 @@ const calculateAugmentationErrorMacro = test.macro({ { message: expectedError }, ); }, - title: (_, title) => `Calculate Augmentation Error: ${title}`, + title: (title) => `Calculate Augmentation Error: ${title}`, }); -test( - calculateAugmentationErrorMacro, +calculateAugmentationErrorMacro( "Plus (+) with nothing else (queries)", undefined, " + ", @@ -346,8 +334,7 @@ test( /The workflow property "queries" is invalid/, ); -test( - calculateAugmentationErrorMacro, +calculateAugmentationErrorMacro( "Plus (+) with nothing else (packs)", " + ", undefined, @@ -356,8 +343,7 @@ test( /The workflow property "packs" is invalid/, ); -test( - calculateAugmentationErrorMacro, +calculateAugmentationErrorMacro( "Plus (+) with nothing else (repo property queries)", undefined, undefined, @@ -368,8 +354,7 @@ test( /The repository property "github-codeql-extra-queries" is invalid/, ); -test( - calculateAugmentationErrorMacro, +calculateAugmentationErrorMacro( "Packs input with multiple languages", " + a/b, c/d ", undefined, 
@@ -378,8 +363,7 @@ test( /Cannot specify a 'packs' input in a multi-language analysis/, ); -test( - calculateAugmentationErrorMacro, +calculateAugmentationErrorMacro( "Packs input with no languages", " + a/b, c/d ", undefined, @@ -388,8 +372,7 @@ test( /No languages specified/, ); -test( - calculateAugmentationErrorMacro, +calculateAugmentationErrorMacro( "Invalid packs", " a-pack-without-a-scope ", undefined, diff --git a/src/diff-informed-analysis-utils.test.ts b/src/diff-informed-analysis-utils.test.ts index bec0c2c0a..0ea71db95 100644 --- a/src/diff-informed-analysis-utils.test.ts +++ b/src/diff-informed-analysis-utils.test.ts @@ -16,6 +16,7 @@ import { mockCodeQLVersion, mockFeatureFlagApiEndpoint, setupActionsVars, + makeMacro, } from "./testing-utils"; import { GitHubVariant, withTmpDir } from "./util"; import type { GitHubVersion } from "./util"; @@ -42,10 +43,9 @@ const defaultTestCase: DiffInformedAnalysisTestCase = { codeQLVersion: "2.21.0", }; -const testShouldPerformDiffInformedAnalysis = test.macro({ +const testShouldPerformDiffInformedAnalysis = makeMacro({ exec: async ( t: ExecutionContext, - _title: string, partialTestCase: Partial, expectedResult: boolean, ) => { @@ -94,18 +94,16 @@ const testShouldPerformDiffInformedAnalysis = test.macro({ getPullRequestBranchesStub.restore(); }); }, - title: (_, title) => `shouldPerformDiffInformedAnalysis: ${title}`, + title: (title) => `shouldPerformDiffInformedAnalysis: ${title}`, }); -test.serial( - testShouldPerformDiffInformedAnalysis, +testShouldPerformDiffInformedAnalysis.serial( "returns true in the default test case", {}, true, ); -test.serial( - testShouldPerformDiffInformedAnalysis, +testShouldPerformDiffInformedAnalysis.serial( "returns false when feature flag is disabled from the API", { featureEnabled: false, 
@@ -113,8 +111,7 @@ test.serial( false, ); -test.serial( - testShouldPerformDiffInformedAnalysis, +testShouldPerformDiffInformedAnalysis.serial( "returns false when CODEQL_ACTION_DIFF_INFORMED_QUERIES is set to false", { featureEnabled: true, @@ -123,8 +120,7 @@ test.serial( false, ); -test.serial( - testShouldPerformDiffInformedAnalysis, +testShouldPerformDiffInformedAnalysis.serial( "returns true when CODEQL_ACTION_DIFF_INFORMED_QUERIES is set to true", { featureEnabled: false, @@ -133,8 +129,7 @@ test.serial( true, ); -test.serial( - testShouldPerformDiffInformedAnalysis, +testShouldPerformDiffInformedAnalysis.serial( "returns false for CodeQL version 2.20.0", { codeQLVersion: "2.20.0", @@ -142,8 +137,7 @@ test.serial( false, ); -test.serial( - testShouldPerformDiffInformedAnalysis, +testShouldPerformDiffInformedAnalysis.serial( "returns false for invalid GHES version", { gitHubVersion: { @@ -154,8 +148,7 @@ test.serial( false, ); -test.serial( - testShouldPerformDiffInformedAnalysis, +testShouldPerformDiffInformedAnalysis.serial( "returns false for GHES version 3.18.5", { gitHubVersion: { @@ -166,8 +159,7 @@ test.serial( false, ); -test.serial( - testShouldPerformDiffInformedAnalysis, +testShouldPerformDiffInformedAnalysis.serial( "returns true for GHES version 3.19.0", { gitHubVersion: { @@ -178,8 +170,7 @@ test.serial( true, ); -test.serial( - testShouldPerformDiffInformedAnalysis, +testShouldPerformDiffInformedAnalysis.serial( "returns false when not a pull request", { pullRequestBranches: undefined, diff --git a/src/init-action-post-helper.test.ts b/src/init-action-post-helper.test.ts index 8c687b4e9..e36835294 100644 --- a/src/init-action-post-helper.test.ts +++ b/src/init-action-post-helper.test.ts @@ -19,6 +19,7 @@ import { createFeatures, createTestConfig, DEFAULT_ACTIONS_VARS, + makeMacro, makeVersionInfo, RecordingLogger, setupActionsVars, 
@@ -796,7 +797,7 @@ test.serial( }, ); -const skippedUploadTest = test.macro({ +const skippedUploadTest = makeMacro({ exec: async ( t: ExecutionContext, config: Partial, @@ -823,9 +824,8 @@ const skippedUploadTest = test.macro({ `tryUploadSarifIfRunFailed - skips upload ${providedTitle}`, }); -test.serial( +skippedUploadTest.serial( "without CodeQL command", - skippedUploadTest, // No codeQLCmd { analysisKinds: [AnalysisKind.RiskAssessment], @@ -834,9 +834,8 @@ test.serial( "CodeQL command not found", ); -test.serial( +skippedUploadTest.serial( "if no language is configured", - skippedUploadTest, // No explicit language configuration { analysisKinds: [AnalysisKind.RiskAssessment], @@ -845,9 +844,8 @@ test.serial( "Unexpectedly, the configuration is not for a single language.", ); -test.serial( +skippedUploadTest.serial( "if multiple languages is configured", - skippedUploadTest, // Multiple explicit languages configured { analysisKinds: [AnalysisKind.RiskAssessment], diff --git a/src/init.test.ts b/src/init.test.ts index f7add6a9a..88ad0c9b1 100644 --- a/src/init.test.ts +++ b/src/init.test.ts @@ -22,6 +22,7 @@ import { createTestConfig, getRecordingLogger, setupTests, + makeMacro, } from "./testing-utils"; import { ConfigurationError, withTmpDir } from "./util"; @@ -158,10 +159,9 @@ type PackInfo = { qlpackFileName?: string; }; -const testCheckPacksForOverlayCompatibility = test.macro({ +const testCheckPacksForOverlayCompatibility = makeMacro({ exec: async ( t: ExecutionContext, - _title: string, { cliOverlayVersion, languages, @@ -234,11 +234,10 @@ const testCheckPacksForOverlayCompatibility = test.macro({ ); }); }, - title: (_, title) => `checkPacksForOverlayCompatibility: ${title}`, + title: (title) => `checkPacksForOverlayCompatibility: ${title}`, }); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns false when CLI does not support overlay", { cliOverlayVersion: undefined, 
@@ -253,8 +252,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns true when there are no query packs", { cliOverlayVersion: 2, @@ -264,8 +262,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns true when query pack has not been compiled", { cliOverlayVersion: 2, @@ -281,8 +278,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns true when query pack has expected overlay version", { cliOverlayVersion: 2, @@ -297,8 +293,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns true when query packs for all languages to analyze are compatible", { cliOverlayVersion: 2, @@ -317,8 +312,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns true when query pack for a language not analyzed is incompatible", { cliOverlayVersion: 2, @@ -337,8 +331,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns false when query pack for a language to analyze is incompatible", { cliOverlayVersion: 2, @@ -357,8 +350,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns false when query pack is missing .packinfo", { cliOverlayVersion: 2, @@ -377,8 +369,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns false when query pack has different overlay version", { cliOverlayVersion: 2, @@ -397,8 +388,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns false when query pack is missing overlayVersion in .packinfo", { cliOverlayVersion: 2, 
@@ -417,8 +407,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns false when .packinfo is not valid JSON", { cliOverlayVersion: 2, @@ -437,8 +426,7 @@ test( }, ); -test( - testCheckPacksForOverlayCompatibility, +testCheckPacksForOverlayCompatibility( "returns true when query pack uses codeql-pack.yml filename", { cliOverlayVersion: 2, diff --git a/src/overlay/caching.test.ts b/src/overlay/caching.test.ts index 3a2266a4a..bc7b69901 100644 --- a/src/overlay/caching.test.ts +++ b/src/overlay/caching.test.ts @@ -13,6 +13,7 @@ import { BuiltInLanguage } from "../languages"; import { getRunnerLogger } from "../logging"; import { createTestConfig, + makeMacro, mockCodeQLVersion, setupTests, } from "../testing-utils"; @@ -51,10 +52,9 @@ const defaultDownloadTestCase: DownloadOverlayBaseDatabaseTestCase = { resolveDatabaseOutput: { overlayBaseSpecifier: "20250626:XXX" }, }; -const testDownloadOverlayBaseDatabaseFromCache = test.macro({ +const testDownloadOverlayBaseDatabaseFromCache = makeMacro({ exec: async ( t, - _title: string, partialTestCase: Partial, expectDownloadSuccess: boolean, ) => { @@ -142,18 +142,16 @@ const testDownloadOverlayBaseDatabaseFromCache = test.macro({ } }); }, - title: (_, title) => `downloadOverlayBaseDatabaseFromCache: ${title}`, + title: (title) => `downloadOverlayBaseDatabaseFromCache: ${title}`, }); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns stats when successful", {}, true, ); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns undefined when mode is OverlayDatabaseMode.OverlayBase", { overlayDatabaseMode: OverlayDatabaseMode.OverlayBase, 
@@ -161,8 +159,7 @@ test.serial( false, ); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns undefined when mode is OverlayDatabaseMode.None", { overlayDatabaseMode: OverlayDatabaseMode.None, @@ -170,8 +167,7 @@ test.serial( false, ); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns undefined when caching is disabled", { useOverlayDatabaseCaching: false, @@ -179,8 +175,7 @@ test.serial( false, ); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns undefined in test mode", { isInTestMode: true, @@ -188,8 +183,7 @@ test.serial( false, ); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns undefined when cache miss", { restoreCacheResult: undefined, @@ -197,8 +191,7 @@ test.serial( false, ); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns undefined when download fails", { restoreCacheResult: new Error("Download failed"), @@ -206,8 +199,7 @@ test.serial( false, ); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns undefined when downloaded database is invalid", { hasBaseDatabaseOidsFile: false, @@ -215,8 +207,7 @@ test.serial( false, ); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns undefined when downloaded database doesn't have an overlayBaseSpecifier", { resolveDatabaseOutput: {}, @@ -224,8 +215,7 @@ test.serial( false, ); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns undefined when resolving database metadata fails", { resolveDatabaseOutput: new Error("Failed to resolve database metadata"), 
@@ -233,8 +223,7 @@ test.serial( false, ); -test.serial( - testDownloadOverlayBaseDatabaseFromCache, +testDownloadOverlayBaseDatabaseFromCache.serial( "returns undefined when filesystem error occurs", { tryGetFolderBytesSucceeds: false, diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index 555352bd2..fc0ac7b0f 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -20,6 +20,7 @@ import { createFeatures, getRecordingLogger, initializeFeatures, + makeMacro, mockBundleDownloadApi, setupActionsVars, setupTests, @@ -473,7 +474,7 @@ test.serial( }, ); -const toolcacheInputFallbackMacro = test.macro({ +const toolcacheInputFallbackMacro = makeMacro({ exec: async ( t: ExecutionContext, featureList: Feature[], @@ -533,9 +534,8 @@ const toolcacheInputFallbackMacro = test.macro({ `getCodeQLSource falls back to downloading the CLI if ${providedTitle}`, }); -test.serial( +toolcacheInputFallbackMacro.serial( "the toolcache doesn't have a CodeQL CLI when tools == toolcache", - toolcacheInputFallbackMacro, [Feature.AllowToolcacheInput], { GITHUB_EVENT_NAME: "dynamic" }, [], @@ -545,9 +545,8 @@ test.serial( ], ); -test.serial( +toolcacheInputFallbackMacro.serial( "the workflow trigger is not `dynamic`", - toolcacheInputFallbackMacro, [Feature.AllowToolcacheInput], { GITHUB_EVENT_NAME: "pull_request" }, [], @@ -556,9 +555,8 @@ test.serial( ], ); -test.serial( +toolcacheInputFallbackMacro.serial( "the feature flag is not enabled", - toolcacheInputFallbackMacro, [], { GITHUB_EVENT_NAME: "dynamic" }, [], diff --git a/src/start-proxy.test.ts b/src/start-proxy.test.ts index 621b8d499..b2dbc81a4 100644 --- a/src/start-proxy.test.ts +++ b/src/start-proxy.test.ts @@ -18,6 +18,7 @@ import { assertNotLogged, checkExpectedLogMessages, createFeatures, + makeMacro, makeTestToken, RecordingLogger, setupTests, 
@@ -32,7 +33,7 @@ import { setupTests(test); -const sendFailedStatusReportTest = test.macro({ +const sendFailedStatusReportTest = makeMacro({ exec: async ( t: ExecutionContext, err: Error, @@ -88,16 +89,14 @@ const sendFailedStatusReportTest = test.macro({ title: (providedTitle = "") => `sendFailedStatusReport - ${providedTitle}`, }); -test.serial( +sendFailedStatusReportTest.serial( "reports generic error message for non-StartProxyError error", - sendFailedStatusReportTest, new Error("Something went wrong today"), "Error from start-proxy Action omitted (Error).", ); -test.serial( +sendFailedStatusReportTest.serial( "reports generic error message for non-StartProxyError error with safe error message", - sendFailedStatusReportTest, new Error( startProxyExports.getStartProxyErrorMessage( startProxyExports.StartProxyErrorType.DownloadFailed, @@ -106,9 +105,8 @@ test.serial( "Error from start-proxy Action omitted (Error).", ); -test.serial( +sendFailedStatusReportTest.serial( "reports generic error message for ConfigurationError error", - sendFailedStatusReportTest, new ConfigurationError("Something went wrong today"), "Error from start-proxy Action omitted (ConfigurationError).", "user-error", @@ -414,7 +412,7 @@ test("getCredentials accepts OIDC configurations", (t) => { } }); -const getCredentialsMacro = test.macro({ +const getCredentialsMacro = makeMacro({ exec: async ( t: ExecutionContext, credentials: startProxyExports.RawCredential[], @@ -440,9 +438,8 @@ const getCredentialsMacro = test.macro({ title: (providedTitle = "") => `getCredentials - ${providedTitle}`, }); -test( +getCredentialsMacro( "warns for PAT-like password without a username", - getCredentialsMacro, [ { type: "git_server", @@ -470,9 +467,8 @@ test( }, ); -test( +getCredentialsMacro( "no warning for PAT-like password with a username", - getCredentialsMacro, [ { type: "git_server", 
@@ -502,9 +498,8 @@ test( }, ); -test( +getCredentialsMacro( "warns for PAT-like token without a username", - getCredentialsMacro, [ { type: "git_server", @@ -532,9 +527,8 @@ test( }, ); -test( +getCredentialsMacro( "no warning for PAT-like token with a username", - getCredentialsMacro, [ { type: "git_server", @@ -796,7 +790,7 @@ test.serial( }, ); -const wrapFailureTest = test.macro({ +const wrapFailureTest = makeMacro({ exec: async ( t: ExecutionContext, setup: () => void, @@ -827,9 +821,8 @@ test.serial("downloadProxy - returns file path on success", async (t) => { }); }); -test.serial( +wrapFailureTest.serial( "downloadProxy", - wrapFailureTest, () => { sinon.stub(toolcache, "downloadTool").throws(); }, @@ -848,9 +841,8 @@ test.serial("extractProxy - returns file path on success", async (t) => { }); }); -test.serial( +wrapFailureTest.serial( "extractProxy", - wrapFailureTest, () => { sinon.stub(toolcache, "extractTar").throws(); }, @@ -874,9 +866,8 @@ test.serial("cacheProxy - returns file path on success", async (t) => { }); }); -test.serial( +wrapFailureTest.serial( "cacheProxy", - wrapFailureTest, () => { sinon.stub(toolcache, "cacheDir").throws(); }, diff --git a/src/status-report.test.ts b/src/status-report.test.ts index 8302e411f..52132b764 100644 --- a/src/status-report.test.ts +++ b/src/status-report.test.ts @@ -19,6 +19,7 @@ import { setupTests, setupActionsVars, createTestConfig, + makeMacro, } from "./testing-utils"; import { BuildMode, ConfigurationError, withTmpDir, wrapError } from "./util"; @@ -291,10 +292,9 @@ test.serial( }, ); -const testCreateInitWithConfigStatusReport = test.macro({ +const testCreateInitWithConfigStatusReport = makeMacro({ exec: async ( t, - _title: string, config: Config, expectedReportProperties: Partial, ) => { 
@@ -337,11 +337,10 @@ const testCreateInitWithConfigStatusReport = test.macro({ } }); }, - title: (_, title) => `createInitWithConfigStatusReport: ${title}`, + title: (title) => `createInitWithConfigStatusReport: ${title}`, }); -test.serial( - testCreateInitWithConfigStatusReport, +testCreateInitWithConfigStatusReport.serial( "returns a value", createTestConfig({ buildMode: BuildMode.None, @@ -355,8 +354,7 @@ test.serial( }, ); -test.serial( - testCreateInitWithConfigStatusReport, +testCreateInitWithConfigStatusReport.serial( "includes packs for a single language", createTestConfig({ buildMode: BuildMode.None, @@ -372,8 +370,7 @@ test.serial( }, ); -test.serial( - testCreateInitWithConfigStatusReport, +testCreateInitWithConfigStatusReport.serial( "includes packs for multiple languages", createTestConfig({ buildMode: BuildMode.None, diff --git a/src/upload-sarif.test.ts b/src/upload-sarif.test.ts index fcd5c3108..4bfc7268e 100644 --- a/src/upload-sarif.test.ts +++ b/src/upload-sarif.test.ts @@ -6,7 +6,7 @@ import * as sinon from "sinon"; import { AnalysisKind, getAnalysisConfig } from "./analyses"; import { getRunnerLogger } from "./logging"; -import { createFeatures, setupTests } from "./testing-utils"; +import { createFeatures, makeMacro, setupTests } from "./testing-utils"; import { UploadResult } from "./upload-lib"; import * as uploadLib from "./upload-lib"; import { postProcessAndUploadSarif } from "./upload-sarif"; @@ -43,7 +43,7 @@ function mockPostProcessSarifFiles() { return postProcessSarifFiles; } -const postProcessAndUploadSarifMacro = test.macro({ +const postProcessAndUploadSarifMacro = makeMacro({ exec: async ( t: ExecutionContext, sarifFiles: string[], 
@@ -123,9 +123,8 @@ const postProcessAndUploadSarifMacro = test.macro({ title: (providedTitle = "") => `processAndUploadSarif - ${providedTitle}`, }); -test.serial( +postProcessAndUploadSarifMacro.serial( "SARIF file", - postProcessAndUploadSarifMacro, ["test.sarif"], (tempDir) => path.join(tempDir, "test.sarif"), { @@ -138,9 +137,8 @@ test.serial( }, ); -test.serial( +postProcessAndUploadSarifMacro.serial( "JSON file", - postProcessAndUploadSarifMacro, ["test.json"], (tempDir) => path.join(tempDir, "test.json"), { @@ -153,9 +151,8 @@ test.serial( }, ); -test.serial( +postProcessAndUploadSarifMacro.serial( "Code Scanning files", - postProcessAndUploadSarifMacro, ["test.json", "test.sarif"], undefined, { @@ -169,9 +166,8 @@ test.serial( }, ); -test.serial( +postProcessAndUploadSarifMacro.serial( "Code Quality file", - postProcessAndUploadSarifMacro, ["test.quality.sarif"], (tempDir) => path.join(tempDir, "test.quality.sarif"), { @@ -184,9 +180,8 @@ test.serial( }, ); -test.serial( +postProcessAndUploadSarifMacro.serial( "Mixed files", - postProcessAndUploadSarifMacro, ["test.sarif", "test.quality.sarif"], undefined, { From d032ee8c476a34c29f935e35e654c48d0fa90b68 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 10 Apr 2026 12:18:17 +0100 Subject: [PATCH 18/40] Do not run `bundle-metadata.ts` as part of `npm run build` --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d32144614..32ce693fd 100644 --- a/package.json +++ b/package.json 
@@ -5,7 +5,7 @@ "description": "CodeQL action", "scripts": { "_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs && npx tsx ./pr-checks/bundle-metadata.ts", + "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", "lint": "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", From 0c80cee8061e24785c6ad1b079c5f4314b827b75 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Thu, 7 May 2026 15:39:42 +0100 Subject: [PATCH 19/40] Add explicit error on Windows --- lib/analyze-action-post.js | 3 +++ lib/init-action-post.js | 3 +++ lib/start-proxy-action-post.js | 3 +++ lib/upload-sarif-action-post.js | 3 +++ src/artifact-scanner.ts | 4 ++++ 5 files changed, 16 insertions(+) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index fe47faa57..b7ee97d89 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -128728,6 +128728,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}` ); } + if (process.platform === "win32") { + throw new Error("Scanning archives is not supported on Windows."); + } const result = { scannedFiles: 0, findings: [] diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 2794b130e..57b06ab2f 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -133650,6 +133650,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}` ); } + if (process.platform === "win32") { + throw new Error("Scanning archives is not supported on Windows."); + } const result = { scannedFiles: 0, findings: [] diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 9c40cb5e6..414118377 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -127590,6 +127590,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}` ); } + if (process.platform === "win32") { + throw new Error("Scanning archives is not supported on Windows."); + } const result = { scannedFiles: 0, findings: [] diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 12d1b216c..cce51af70 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -127577,6 +127577,9 @@ async function scanArchiveFile(archivePath, relativeArchivePath, extractDir, log `Maximum archive extraction depth (${MAX_DEPTH}) reached for ${archivePath}` ); } + if (process.platform === "win32") { + throw new Error("Scanning archives is not supported on Windows."); + } const result = { scannedFiles: 0, findings: [] diff --git a/src/artifact-scanner.ts b/src/artifact-scanner.ts index 90c424197..5f238811a 100644 --- a/src/artifact-scanner.ts +++ b/src/artifact-scanner.ts @@ -156,6 +156,10 @@ async function scanArchiveFile( ); } + if (process.platform === "win32") { + throw new Error("Scanning archives is not supported on Windows."); + } + const result: ScanResult = { scannedFiles: 0, findings: [], From 9739ad2d182c072da0d01a6887f7f39620f71b1e Mon Sep 17 00:00:00 2001 
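Review bot: The Windows guard added to `scanArchiveFile` in src/artifact-scanner.ts throws a message that does not name the archive left unscanned, whereas the depth-limit error just above it includes `${archivePath}`. Because this error means an archive's contents were never inspected, I would identify the file: `throw new Error(\`Scanning archives is not supported on Windows; ${relativeArchivePath} was not scanned.\`);`. The hunk gives no reason for the restriction, so a one-line comment above the check should record it. The caller is outside the hunk, so it is not visible whether this error aborts the scan or is caught and skipped; if it is skipped, the unscanned archive should appear in the scan result rather than only in a log line. The same block is repeated in the generated lib/*-post.js bundles.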
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 7 May 2026 15:21:52 +0000 Subject: [PATCH 20/40] Update changelog for v4.35.4 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc2b3c83a..21ce549c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## [UNRELEASED] +## 4.35.4 - 07 May 2026 - Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881) From 162709656926887731e0f28af95d7c95f7d76f3b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 7 May 2026 15:54:04 +0000 Subject: [PATCH 21/40] Update changelog and version after v4.35.4 --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 21ce549c8..746386293 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## [UNRELEASED] + +No user facing changes. + ## 4.35.4 - 07 May 2026 - Update default CodeQL bundle version to [2.25.4](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#3881](https://github.com/github/codeql-action/pull/3881) diff --git a/package-lock.json b/package-lock.json index 06055b9be..7e584388b 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -1,12 +1,12 @@ { "name": "codeql", - "version": "4.35.4", + "version": "4.35.5", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "4.35.4", + "version": "4.35.5", "license": "MIT", "workspaces": [ "pr-checks" diff --git a/package.json b/package.json index d32144614..6cdc0f800 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.35.4", + "version": "4.35.5", "private": true, "description": "CodeQL action", "scripts": { From 272ada693fa1ea75875a3eab499446c881ac9125 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 7 May 2026 15:58:38 +0000 Subject: [PATCH 22/40] Rebuild --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index b7ee97d89..0f1b66059 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -126877,7 +126877,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/analyze-action.js b/lib/analyze-action.js index a0d645e56..7b3ec243c 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js 
@@ -88803,7 +88803,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 5ac767b0a..be61bdeab 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -85608,7 +85608,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 57d7534f8..b972b1ece 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -129987,7 +129987,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/init-action.js b/lib/init-action.js index 9a7cd36d7..b7cdc23b7 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -86162,7 +86162,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index c103fb1be..e1fa46a53 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js 
@@ -85616,7 +85616,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 1217a8e53..e86bbb192 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -85703,7 +85703,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 414118377..6f70d7093 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -126824,7 +126824,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } var persistedInputsKey = "persisted_inputs"; var restoreInputs = function() { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 90d38d06c..39fd56a80 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -102813,7 +102813,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/upload-lib.js b/lib/upload-lib.js index ff8b73486..f1f90b4c2 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js 
@@ -88509,7 +88509,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index cce51af70..11873a244 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -126824,7 +126824,7 @@ function getTemporaryDirectory() { return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP"); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } var persistedInputsKey = "persisted_inputs"; var restoreInputs = function() { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 03f908ea5..75e8744be 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -88537,7 +88537,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.35.4"; + return "4.35.5"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); From efc9b0a9e31d53e02f313d87cefb11699d45a3bd Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Thu, 7 May 2026 18:44:08 +0100 Subject: [PATCH 23/40] Improve changelog note Co-authored-by: Michael B. Gale --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 39bfb13a1..4db281a48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis when the latest version does not yet have a cached overlay-base database. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880) +- Added an experimental change which, when running a Code Scanning analysis for a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880) ## 4.35.3 - 01 May 2026 From 4f815a68d336d164041499068d5944c9edb80fff Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Thu, 7 May 2026 18:48:25 +0100 Subject: [PATCH 24/40] Minor: Introduce constant to avoid duplication --- lib/analyze-action.js | 18 ++++++------------ lib/autobuild-action.js | 18 ++++++------------ lib/init-action-post.js | 18 ++++++------------ lib/init-action.js | 18 ++++++------------ lib/setup-codeql-action.js | 18 ++++++------------ lib/start-proxy-action.js | 18 ++++++------------ lib/upload-sarif-action.js | 18 ++++++------------ src/feature-flags.ts | 19 +++++++------------ 8 files changed, 49 insertions(+), 96 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 7746a12f2..3fcae5133 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js 
@@ -90122,6 +90122,10 @@ function isSupportedToolsFeature(versionInfo, feature) { var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; +var LINKED_CODEQL_VERSION = { + cliVersion, + tagName: bundleVersion +}; var featureConfig = { ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, @@ -90348,12 +90352,7 @@ var OfflineFeatures = class { logger; async getEnabledDefaultCliVersions(_variant) { return { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; } /** @@ -90536,12 +90535,7 @@ var GitHubFeatureFlags = class { `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 7515699f2..e03e79d14 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -86538,6 +86538,10 @@ function isSupportedToolsFeature(versionInfo, feature) { // src/feature-flags.ts var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; +var LINKED_CODEQL_VERSION = { + cliVersion, + tagName: bundleVersion +}; var featureConfig = { ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, @@ -86764,12 +86768,7 @@ var OfflineFeatures = class { logger; async getEnabledDefaultCliVersions(_variant) { return { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; } /** 
@@ -86952,12 +86951,7 @@ var GitHubFeatureFlags = class { `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; diff --git a/lib/init-action-post.js b/lib/init-action-post.js index ad2b0a737..85e878ac9 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -131299,6 +131299,10 @@ function isSafeArtifactUpload(codeQlVersion) { var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; +var LINKED_CODEQL_VERSION = { + cliVersion, + tagName: bundleVersion +}; var featureConfig = { ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, @@ -131525,12 +131529,7 @@ var OfflineFeatures = class { logger; async getEnabledDefaultCliVersions(_variant) { return { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; } /** @@ -131713,12 +131712,7 @@ var GitHubFeatureFlags = class { `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; diff --git a/lib/init-action.js b/lib/init-action.js index 4bc423b6b..0eaa4ed11 100644 --- a/lib/init-action.js +++ b/lib/init-action.js 
@@ -87655,6 +87655,10 @@ function isSupportedToolsFeature(versionInfo, feature) { var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; +var LINKED_CODEQL_VERSION = { + cliVersion, + tagName: bundleVersion +}; var featureConfig = { ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, @@ -87881,12 +87885,7 @@ var OfflineFeatures = class { logger; async getEnabledDefaultCliVersions(_variant) { return { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; } /** @@ -88069,12 +88068,7 @@ var GitHubFeatureFlags = class { `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 57b2835b2..29896e043 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -86443,6 +86443,10 @@ function isSupportedToolsFeature(versionInfo, feature) { var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; +var LINKED_CODEQL_VERSION = { + cliVersion, + tagName: bundleVersion +}; var featureConfig = { ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, @@ -86669,12 +86673,7 @@ var OfflineFeatures = class { logger; async getEnabledDefaultCliVersions(_variant) { return { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; } /** 
@@ -86857,12 +86856,7 @@ var GitHubFeatureFlags = class { `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index eef3a477a..ee67ed723 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -103177,6 +103177,10 @@ var semver3 = __toESM(require_semver2()); // src/feature-flags.ts var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; +var LINKED_CODEQL_VERSION = { + cliVersion, + tagName: bundleVersion +}; var featureConfig = { ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, @@ -103403,12 +103407,7 @@ var OfflineFeatures = class { logger; async getEnabledDefaultCliVersions(_variant) { return { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; } /** @@ -103591,12 +103590,7 @@ var GitHubFeatureFlags = class { `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 7c87d8062..f644db648 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js 
@@ -89408,6 +89408,10 @@ function isSupportedToolsFeature(versionInfo, feature) { var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; +var LINKED_CODEQL_VERSION = { + cliVersion, + tagName: bundleVersion +}; var featureConfig = { ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, @@ -89634,12 +89638,7 @@ var OfflineFeatures = class { logger; async getEnabledDefaultCliVersions(_variant) { return { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; } /** @@ -89822,12 +89821,7 @@ var GitHubFeatureFlags = class { `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - enabledVersions: [ - { - cliVersion, - tagName: bundleVersion - } - ] + enabledVersions: [LINKED_CODEQL_VERSION] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; diff --git a/src/feature-flags.ts b/src/feature-flags.ts index 84253cfa6..e31f8bea7 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts @@ -29,6 +29,11 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; */ export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; +const LINKED_CODEQL_VERSION: CodeQLVersionInfo = { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, +}; + export interface CodeQLVersionInfo { /** The version number of the CodeQL CLI, e.g. `2.19.0`. */ cliVersion: string; @@ -420,12 +425,7 @@ class OfflineFeatures implements FeatureEnablement { _variant: util.GitHubVariant, ): Promise { return { - enabledVersions: [ - { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, - }, - ], + enabledVersions: [LINKED_CODEQL_VERSION], }; } 
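Review bot: `LINKED_CODEQL_VERSION` in src/feature-flags.ts is one mutable module-level object that `OfflineFeatures.getEnabledDefaultCliVersions` and the fallback path in `GitHubFeatureFlags` (the `@@ -680` hunk) now both return by reference, where each call used to build a fresh literal. Its `cliVersion` and `tagName` name the CodeQL bundle used as the fallback, so a caller that edited an entry of `enabledVersions` would change that fallback for every later call in the process. No such mutation is visible in these hunks, so this is a defensive suggestion: declare it as `const LINKED_CODEQL_VERSION: Readonly<CodeQLVersionInfo> = Object.freeze({ cliVersion: defaults.cliVersion, tagName: defaults.bundleVersion });`. A short doc comment would also help, for example `/** The CodeQL CLI version and bundle tag shipped with this version of the Action. */`.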
@@ -680,12 +680,7 @@ class GitHubFeatureFlags { `shipped with the Action. This is ${defaults.cliVersion}.`, ); const result: CodeQLDefaultVersionInfo = { - enabledVersions: [ - { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, - }, - ], + enabledVersions: [LINKED_CODEQL_VERSION], }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; From 2a950b930c5bd4cb160f0c4f451a3910fb6da99f Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 8 May 2026 17:54:17 +0100 Subject: [PATCH 25/40] Enable overlay-aware version selection in `setup-codeql` --- lib/setup-codeql-action.js | 571 ++++++++++++++++++++----------------- setup-codeql/action.yml | 19 ++ src/setup-codeql-action.ts | 10 +- 3 files changed, 343 insertions(+), 257 deletions(-) diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 29896e043..118f19e37 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js 
@@ -85857,6 +85857,66 @@ function isAnalyzingPullRequest() { return getPullRequestBranches() !== void 0; } +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; +})(AnalysisKind || {}); +var compatibilityMatrix = { + ["code-scanning" /* CodeScanning */]: /* @__PURE__ */ new Set(["code-quality" /* CodeQuality */]), + ["code-quality" /* CodeQuality */]: /* @__PURE__ */ new Set(["code-scanning" /* CodeScanning */]), + ["risk-assessment" /* RiskAssessment */]: /* @__PURE__ */ new Set() +}; +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); +async function parseAnalysisKinds(input) { + const components = input.split(","); + if (components.length < 1) { + throw new ConfigurationError( + "At least one analysis kind must be configured." + ); + } + for (const component of components) { + if (!supportedAnalysisKinds.has(component)) { + throw new ConfigurationError(`Unknown analysis kind: ${component}`); + } + } + return Array.from( + new Set(components.map((component) => component)) + ); +} +var cachedAnalysisKinds; +async function getAnalysisKinds(logger, skipCache = false) { + if (!skipCache && cachedAnalysisKinds !== void 0) { + return cachedAnalysisKinds; + } + const analysisKinds = await parseAnalysisKinds( + getRequiredInput("analysis-kinds") + ); + const qualityQueriesInput = getOptionalInput("quality-queries"); + if (qualityQueriesInput !== void 0) { + logger.warning( + "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. Use the `analysis-kinds` input to configure different analysis kinds instead." 
+ ); + } + if (!analysisKinds.includes("code-quality" /* CodeQuality */) && qualityQueriesInput !== void 0) { + analysisKinds.push("code-quality" /* CodeQuality */); + } + for (const analysisKind of analysisKinds) { + for (const otherAnalysisKind of analysisKinds) { + if (analysisKind === otherAnalysisKind) continue; + if (!compatibilityMatrix[analysisKind].has(otherAnalysisKind)) { + throw new ConfigurationError( + `${analysisKind} and ${otherAnalysisKind} cannot be enabled at the same time` + ); + } + } + } + cachedAnalysisKinds = analysisKinds; + return cachedAnalysisKinds; +} + // src/api-client.ts var core5 = __toESM(require_core()); var githubUtils = __toESM(require_utils4()); 
@@ -86124,10 +86184,146 @@ function wrapApiConfigurationError(e) { return e; } +// src/config-utils.ts +var core9 = __toESM(require_core()); + +// src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); +var core6 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} + +// src/config/db-config.ts +var jsonschema = __toESM(require_lib2()); +var semver2 = __toESM(require_semver2()); + +// src/feature-flags/properties.ts +var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { + RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; + RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; + RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; + return RepositoryPropertyName2; +})(RepositoryPropertyName || {}); +var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( + Object.values(RepositoryPropertyName) +); + +// src/config/db-config.ts +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); + +// src/diagnostics.ts +var import_fs = require("fs"); +var import_path = __toESM(require("path")); + +// src/logging.ts +var core7 = __toESM(require_core()); +function getActionsLogger() { + return { + debug: core7.debug, + info: core7.info, + warning: core7.warning, + error: core7.error, + isDebug: core7.isDebug, + startGroup: core7.startGroup, + endGroup: core7.endGroup + }; +} +function formatDuration(durationMs) { + if (durationMs < 1e3) { + return `${durationMs}ms`; + } + if (durationMs < 60 * 1e3) { + return `${(durationMs / 1e3).toFixed(1)}s`; + } + const minutes = 
Math.floor(durationMs / (60 * 1e3)); + const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3); + return `${minutes}m${seconds}s`; +} + +// src/diagnostics.ts +var unwrittenDiagnostics = []; +var unwrittenDefaultLanguageDiagnostics = []; +var diagnosticCounter = 0; +function makeDiagnostic(id, name, data = void 0) { + return { + ...data, + timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(), + source: { ...data?.source, id, name } + }; +} +function addDiagnostic(config, language, diagnostic) { + const logger = getActionsLogger(); + const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation; + if ((0, import_fs.existsSync)(databasePath)) { + writeDiagnostic(config, language, diagnostic); + } else { + logger.debug( + `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.` + ); + unwrittenDiagnostics.push({ diagnostic, language }); + } +} +function addNoLanguageDiagnostic(config, diagnostic) { + if (config !== void 0) { + addDiagnostic( + config, + // Arbitrarily choose the first language. We could also choose all languages, but that + // increases the risk of misinterpreting the data. + config.languages[0], + diagnostic + ); + } else { + unwrittenDefaultLanguageDiagnostics.push(diagnostic); + } +} +function writeDiagnostic(config, language, diagnostic) { + const logger = getActionsLogger(); + const databasePath = language ? 
getCodeQLDatabasePath(config, language) : config.dbLocation; + const diagnosticsPath = import_path.default.resolve( + databasePath, + "diagnostic", + "codeql-action" + ); + try { + (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); + const uniqueSuffix = (diagnosticCounter++).toString(); + const sanitizedTimestamp = diagnostic.timestamp.replace( + /[^a-zA-Z0-9.-]/g, + "" + ); + const jsonPath = import_path.default.resolve( + diagnosticsPath, + `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json` + ); + (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic)); + } catch (err) { + logger.warning(`Unable to write diagnostic message to database: ${err}`); + logger.debug(JSON.stringify(diagnostic)); + } +} +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} + // src/feature-flags.ts var fs5 = __toESM(require("fs")); -var path5 = __toESM(require("path")); -var semver4 = __toESM(require_semver2()); +var path6 = __toESM(require("path")); +var semver5 = __toESM(require_semver2()); // src/defaults.json var bundleVersion = "codeql-bundle-v2.25.4"; 
@@ -86135,19 +86331,19 @@ var cliVersion = "2.25.4"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); -var path4 = __toESM(require("path")); +var path5 = __toESM(require("path")); // src/git-utils.ts var fs3 = __toESM(require("fs")); -var path3 = __toESM(require("path")); -var core6 = __toESM(require_core()); +var path4 = __toESM(require("path")); +var core8 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); -var semver2 = __toESM(require_semver2()); +var semver3 = __toESM(require_semver2()); var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) { let stdout = ""; let stderr = ""; - core6.debug(`Running git command: git ${args.join(" ")}`); + core8.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -86168,7 +86364,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error3; } }; @@ -86230,7 +86426,7 @@ var getGitRoot = async function(sourceRoot) { } }; function hasSubmodules(gitRoot) { - return fs3.existsSync(path3.join(gitRoot, ".gitmodules")); + return fs3.existsSync(path4.join(gitRoot, ".gitmodules")); } var getFileOidsUnderPath = async function(basePath) { const gitRoot = await getGitRoot(basePath); @@ -86297,7 +86493,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core6.debug( + core8.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; 
@@ -86362,7 +86558,7 @@ async function writeOverlayChangesFile(config, sourceRoot, logger) { const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger); const changedFiles = [.../* @__PURE__ */ new Set([...oidChangedFiles, ...diffRangeFiles])]; const changedFilesJson = JSON.stringify({ changes: changedFiles }); - const overlayChangesFile = path4.join( + const overlayChangesFile = path5.join( getTemporaryDirectory(), "overlay-changes.json" ); @@ -86428,13 +86624,13 @@ async function getDiffRangeFilePaths(sourceRoot, logger) { return [...new Set(diffRanges.map((r) => r.path))]; } const relativePaths = diffRanges.map( - (r) => path4.relative(sourceRoot, path4.join(repoRoot, r.path)).replaceAll(path4.sep, "/") + (r) => path5.relative(sourceRoot, path5.join(repoRoot, r.path)).replaceAll(path5.sep, "/") ).filter((rel) => !rel.startsWith("..")); return [...new Set(relativePaths)]; } // src/tools-features.ts -var semver3 = __toESM(require_semver2()); +var semver4 = __toESM(require_semver2()); function isSupportedToolsFeature(versionInfo, feature) { return !!versionInfo.features && versionInfo.features[feature]; } @@ -86774,7 +86970,7 @@ var Features = class extends OfflineFeatures { super(logger); this.gitHubFeatureFlags = new GitHubFeatureFlags( repositoryNwo, - path5.join(tempDir, FEATURE_FLAGS_FILE_NAME), + path6.join(tempDir, FEATURE_FLAGS_FILE_NAME), logger ); } @@ -86833,7 +87029,7 @@ var GitHubFeatureFlags = class { DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length, f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length ).replace(/_/g, "."); - if (!semver4.valid(version)) { + if (!semver5.valid(version)) { this.logger.warning( `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.` ); 
@@ -86850,7 +87046,7 @@ var GitHubFeatureFlags = class { const response = await this.getAllFeatures(); const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0).sort(semver4.rcompare); + ).filter((f) => f !== void 0).sort(semver5.rcompare); if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` 
@@ -86994,6 +87190,99 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) { } } +// src/languages/builtin.json +var builtin_default = { + languages: [ + "actions", + "cpp", + "csharp", + "go", + "java", + "javascript", + "python", + "ruby", + "rust", + "swift" + ], + aliases: { + c: "cpp", + "c-c++": "cpp", + "c-cpp": "cpp", + "c#": "csharp", + "c++": "cpp", + "java-kotlin": "java", + "javascript-typescript": "javascript", + kotlin: "java", + typescript: "javascript" + } +}; + +// src/languages/index.ts +var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} + +// src/overlay/status.ts +var actionsCache = __toESM(require_cache4()); + +// src/trap-caching.ts +var actionsCache2 = __toESM(require_cache4()); + +// src/config-utils.ts +var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4; +var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6; +var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3; +var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6; +var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024; +function getRawLanguagesNoAutodetect(languagesInput) { + return (languagesInput || "").split(",").map((x) => x.trim().toLowerCase()).filter((x) => x.length > 0); +} +var OVERLAY_ANALYSIS_FEATURES = { + cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, + csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, + go: "overlay_analysis_go" /* OverlayAnalysisGo */, + java: "overlay_analysis_java" /* OverlayAnalysisJava */, + javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, + python: "overlay_analysis_python" /* 
OverlayAnalysisPython */, + ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */ +}; +var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { + cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, + csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, + go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, + java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, + javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, + python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, + ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */ +}; +function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { + const augmentedConfig = cloneObject(cliConfig); + if (extraQueryExclusions.length === 0) { + return augmentedConfig; + } + augmentedConfig["query-filters"] = [ + // Ordering matters. If the first filter is an inclusion, it implicitly + // excludes all queries that are not included. If it is an exclusion, + // it implicitly includes all queries that are not excluded. So user + // filters (if any) should always be first to preserve intent. + ...augmentedConfig["query-filters"] || [], + ...extraQueryExclusions + ]; + if (augmentedConfig["query-filters"]?.length === 0) { + delete augmentedConfig["query-filters"]; + } + return augmentedConfig; +} + // src/init.ts var core12 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); 
@@ -87254,241 +87543,6 @@ function wrapCliConfigurationError(cliError) { return new ConfigurationError(errorMessageBuilder); } -// src/config-utils.ts -var core9 = __toESM(require_core()); - -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - AnalysisKind2["RiskAssessment"] = "risk-assessment"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); - -// src/caching-utils.ts -var crypto2 = __toESM(require("crypto")); -var core7 = __toESM(require_core()); -var cacheKeyHashLength = 16; -function createCacheKeyHash(components) { - const componentsJson = JSON.stringify(components); - return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); -} - -// src/config/db-config.ts -var jsonschema = __toESM(require_lib2()); -var semver5 = __toESM(require_semver2()); - -// src/feature-flags/properties.ts -var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { - RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; - RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; - RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; - return RepositoryPropertyName2; -})(RepositoryPropertyName || {}); -var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( - Object.values(RepositoryPropertyName) -); - -// src/config/db-config.ts -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); - -// src/diagnostics.ts -var import_fs = require("fs"); -var import_path = __toESM(require("path")); - -// src/logging.ts -var core8 = __toESM(require_core()); -function 
getActionsLogger() { - return { - debug: core8.debug, - info: core8.info, - warning: core8.warning, - error: core8.error, - isDebug: core8.isDebug, - startGroup: core8.startGroup, - endGroup: core8.endGroup - }; -} -function formatDuration(durationMs) { - if (durationMs < 1e3) { - return `${durationMs}ms`; - } - if (durationMs < 60 * 1e3) { - return `${(durationMs / 1e3).toFixed(1)}s`; - } - const minutes = Math.floor(durationMs / (60 * 1e3)); - const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3); - return `${minutes}m${seconds}s`; -} - -// src/diagnostics.ts -var unwrittenDiagnostics = []; -var unwrittenDefaultLanguageDiagnostics = []; -var diagnosticCounter = 0; -function makeDiagnostic(id, name, data = void 0) { - return { - ...data, - timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(), - source: { ...data?.source, id, name } - }; -} -function addDiagnostic(config, language, diagnostic) { - const logger = getActionsLogger(); - const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation; - if ((0, import_fs.existsSync)(databasePath)) { - writeDiagnostic(config, language, diagnostic); - } else { - logger.debug( - `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.` - ); - unwrittenDiagnostics.push({ diagnostic, language }); - } -} -function addNoLanguageDiagnostic(config, diagnostic) { - if (config !== void 0) { - addDiagnostic( - config, - // Arbitrarily choose the first language. We could also choose all languages, but that - // increases the risk of misinterpreting the data. - config.languages[0], - diagnostic - ); - } else { - unwrittenDefaultLanguageDiagnostics.push(diagnostic); - } -} -function writeDiagnostic(config, language, diagnostic) { - const logger = getActionsLogger(); - const databasePath = language ? 
getCodeQLDatabasePath(config, language) : config.dbLocation; - const diagnosticsPath = import_path.default.resolve( - databasePath, - "diagnostic", - "codeql-action" - ); - try { - (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); - const uniqueSuffix = (diagnosticCounter++).toString(); - const sanitizedTimestamp = diagnostic.timestamp.replace( - /[^a-zA-Z0-9.-]/g, - "" - ); - const jsonPath = import_path.default.resolve( - diagnosticsPath, - `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json` - ); - (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic)); - } catch (err) { - logger.warning(`Unable to write diagnostic message to database: ${err}`); - logger.debug(JSON.stringify(diagnostic)); - } -} -function makeTelemetryDiagnostic(id, name, attributes) { - return makeDiagnostic(id, name, { - attributes, - visibility: { - cliSummaryTable: false, - statusPage: false, - telemetry: true - } - }); -} - -// src/languages/builtin.json -var builtin_default = { - languages: [ - "actions", - "cpp", - "csharp", - "go", - "java", - "javascript", - "python", - "ruby", - "rust", - "swift" - ], - aliases: { - c: "cpp", - "c-c++": "cpp", - "c-cpp": "cpp", - "c#": "csharp", - "c++": "cpp", - "java-kotlin": "java", - "javascript-typescript": "javascript", - kotlin: "java", - typescript: "javascript" - } -}; - -// src/languages/index.ts -var builtInLanguageSet = new Set(builtin_default.languages); -function isBuiltInLanguage(language) { - return builtInLanguageSet.has(language); -} -function parseBuiltInLanguage(language) { - language = language.trim().toLowerCase(); - language = builtin_default.aliases[language] ?? 
language; - if (isBuiltInLanguage(language)) { - return language; - } - return void 0; -} - -// src/overlay/status.ts -var actionsCache = __toESM(require_cache4()); - -// src/trap-caching.ts -var actionsCache2 = __toESM(require_cache4()); - -// src/config-utils.ts -var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB = 2e4; -var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_MB * 1e6; -var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB = 14e3; -var OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_BYTES = OVERLAY_MINIMUM_AVAILABLE_DISK_SPACE_V2_MB * 1e6; -var OVERLAY_MINIMUM_MEMORY_MB = 5 * 1024; -var OVERLAY_ANALYSIS_FEATURES = { - cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, - csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, - go: "overlay_analysis_go" /* OverlayAnalysisGo */, - java: "overlay_analysis_java" /* OverlayAnalysisJava */, - javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, - python: "overlay_analysis_python" /* OverlayAnalysisPython */, - ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */ -}; -var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { - cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, - csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, - go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, - java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, - javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, - python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, - ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */ -}; -function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { - const augmentedConfig = cloneObject(cliConfig); - if (extraQueryExclusions.length === 0) { - return augmentedConfig; - } - augmentedConfig["query-filters"] = [ - // 
Ordering matters. If the first filter is an inclusion, it implicitly - // excludes all queries that are not included. If it is an exclusion, - // it implicitly includes all queries that are not excluded. So user - // filters (if any) should always be first to preserve intent. - ...augmentedConfig["query-filters"] || [], - ...extraQueryExclusions - ]; - if (augmentedConfig["query-filters"]?.length === 0) { - delete augmentedConfig["query-filters"]; - } - return augmentedConfig; -} - // src/setup-codeql.ts var fs8 = __toESM(require("fs")); var path8 = __toESM(require("path")); @@ -89468,16 +89522,23 @@ async function run(startedAt) { } const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; + const rawLanguages = getRawLanguagesNoAutodetect( + getOptionalInput("languages") + ); + const analysisKinds = await getAnalysisKinds(logger); const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, - void 0, - // rawLanguages: currently, setup-codeql is not language aware - false, - // useOverlayAwareDefaultCliVersion: setup-codeql is not language aware + rawLanguages, + // Only consider the languages for overlay-aware version selection if the + // user has told us what they intend to analyze and Code Scanning is among + // the configured analysis kinds. Without `languages`, the subsequent + // `init` invocation may analyze a different set; without Code Scanning, + // overlay analysis is not in use anyway. + rawLanguages.length > 0 && analysisKinds.includes("code-scanning" /* CodeScanning */), features, logger ); diff --git a/setup-codeql/action.yml b/setup-codeql/action.yml index b7b52b9a3..d9f7ccb40 100644 --- a/setup-codeql/action.yml +++ b/setup-codeql/action.yml 
@@ -19,6 +19,25 @@ inputs: If not specified, the Action will check in several places until it finds the CodeQL tools. required: false + languages: + description: >- + A comma-separated list of CodeQL languages that will be analyzed in subsequent + `github/codeql-action/init` and `github/codeql-action/analyze` invocations. If specified, the + Action may use this list to select a CodeQL CLI version that is best suited to analyzing those + languages, for example by preferring a version that has a cached overlay-base database for the + specified languages. This input is not remembered and must also be passed to + `github/codeql-action/init`. + required: false + analysis-kinds: + description: >- + [Internal] A comma-separated list of analysis kinds that subsequent + `github/codeql-action/init` invocations will enable. If specified, the Action may use this + list to select a CodeQL CLI version that is best suited to those analysis kinds. This input is + not remembered and must also be passed to `github/codeql-action/init`. + + Available options are the same as for the `analysis-kinds` input on the `init` Action. + default: 'code-scanning' + required: true token: description: GitHub token to use for authenticating with this instance of GitHub. default: ${{ github.token }} diff --git a/src/setup-codeql-action.ts b/src/setup-codeql-action.ts index b9091a18b..c23553c98 100644 --- a/src/setup-codeql-action.ts +++ b/src/setup-codeql-action.ts @@ -7,8 +7,10 @@ import { getRequiredInput, getTemporaryDirectory, } from "./actions-util"; +import { AnalysisKind, getAnalysisKinds } from "./analyses"; import { getGitHubVersion } from "./api-client"; import { CodeQL } from "./codeql"; +import { getRawLanguagesNoAutodetect } from "./config-utils"; import { EnvVar } from "./environment"; import { initFeatures } from "./feature-flags"; import { initCodeQL } from "./init"; 
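Review bot: The `languages` description does not say that the value is used unvalidated at this step. `getRawLanguagesNoAutodetect` only splits on commas, trims and lower-cases, and the JSDoc added later in this series states that it does not check whether the languages are supported. A misspelt name would therefore presumably affect version selection silently rather than fail the step; how `initCodeQL` treats unknown names is not visible here. I would add a sentence such as `Language names are not validated by this Action; unrecognized names are only reported by github/codeql-action/init.`, adjusted to whatever `init` actually does.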
@@ -139,14 +141,18 @@ async function run(startedAt: Date): Promise { const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; + const rawLanguages = getRawLanguagesNoAutodetect( + getOptionalInput("languages"), + ); + const analysisKinds = await getAnalysisKinds(logger); const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, - undefined, // rawLanguages: currently, setup-codeql is not language aware - false, // useOverlayAwareDefaultCliVersion: setup-codeql is not language aware + rawLanguages, + analysisKinds.includes(AnalysisKind.CodeScanning), features, logger, ); From 9a8523487521a38598130492b67894c80d257d22 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 8 May 2026 17:55:10 +0100 Subject: [PATCH 26/40] Add JSDoc for `getRawLanguagesNoAutodetect` --- src/config-utils.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/src/config-utils.ts b/src/config-utils.ts index 0b0701007..860f4651f 100644 --- a/src/config-utils.ts +++ b/src/config-utils.ts @@ -407,6 +407,7 @@ export async function getLanguages( return languages; } +/** Parses the `languages` input into a list of languages without checking if they are supported by CodeQL. */ export function getRawLanguagesNoAutodetect( languagesInput: string | undefined, ): string[] { From 540699dccac493fc29e2fa3914b7d408d147991a Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 8 May 2026 17:59:21 +0100 Subject: [PATCH 27/40] Remove `makeOverlayMatchFeatures` indirection --- lib/setup-codeql-action.js | 7 +----- src/setup-codeql.test.ts | 46 +++++++++++--------------------------- 2 files changed, 14 insertions(+), 39 deletions(-) diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 118f19e37..bda595c5c 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js 
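Review bot: In `run` in src/setup-codeql-action.ts, the overlay-aware flag is passed as `analysisKinds.includes(AnalysisKind.CodeScanning)`, while lib/setup-codeql-action.js built in the same commit passes `rawLanguages.length > 0 && analysisKinds.includes("code-scanning")`. The checked-in bundle therefore does not match its source at this commit, and it is the bundle that runs and selects the CLI version. The bundle is rebuilt to match in PATCH 27/40, but each commit should carry a bundle regenerated from its own source so that the artefact can be checked against it. The hunk also drops the two comments that named the positional arguments; I would keep them as `rawLanguages, // rawLanguages: from the optional languages input` and `analysisKinds.includes(AnalysisKind.CodeScanning), // useOverlayAwareDefaultCliVersion`. Because `analysis-kinds` defaults to `code-scanning`, the flag is true even when `languages` is unset and `rawLanguages` is `[]`. Whether `initCodeQL` treats an empty list the same as `undefined` is not visible here, as `run` continues outside the hunk, so that is worth confirming.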
@@ -89533,12 +89533,7 @@ async function run(startedAt) { gitHubVersion.type, codeQLDefaultVersionInfo, rawLanguages, - // Only consider the languages for overlay-aware version selection if the - // user has told us what they intend to analyze and Code Scanning is among - // the configured analysis kinds. Without `languages`, the subsequent - // `init` invocation may analyze a different set; without Code Scanning, - // overlay analysis is not in use anyway. - rawLanguages.length > 0 && analysisKinds.includes("code-scanning" /* CodeScanning */), + analysisKinds.includes("code-scanning" /* CodeScanning */), features, logger ); diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index c3acb25ab..0a5fb686e 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -618,26 +618,6 @@ test.serial( }, ); -function makeOverlayMatchFeatures(opts: { - matchFlagEnabled?: boolean; - dryRunFlagEnabled?: boolean; -}): FeatureEnablement { - return { - getEnabledDefaultCliVersions: async () => { - throw new Error("not implemented"); - }, - getValue: async (feature) => { - if (feature === Feature.OverlayAnalysisMatchCodeqlVersion) { - return opts.matchFlagEnabled ?? false; - } - if (feature === Feature.OverlayAnalysisMatchCodeqlVersionDryRun) { - return opts.dryRunFlagEnabled ?? false; - } - return false; - }, - }; -} - const overlayMatchEnabledVersions = { enabledVersions: [ { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" }, @@ -674,7 +654,7 @@ test.serial( SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, - makeOverlayMatchFeatures({ matchFlagEnabled: true }), + createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]), getRunnerLogger(true), ); @@ -712,7 +692,7 @@ test.serial( SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, - makeOverlayMatchFeatures({ matchFlagEnabled: true }), + createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]), getRunnerLogger(true), ); 
@@ -744,7 +724,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures({ matchFlagEnabled: true }), + createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]), getRunnerLogger(true), ); t.deepEqual(result, [ @@ -767,7 +747,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures({ matchFlagEnabled: true }), + createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]), getRunnerLogger(true), ); t.deepEqual(result, []); @@ -782,7 +762,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, undefined, - makeOverlayMatchFeatures({ matchFlagEnabled: true }), + createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]), getRunnerLogger(true), ); t.deepEqual(result, []); @@ -802,7 +782,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures({ matchFlagEnabled: true }), + createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]), getRunnerLogger(true), ); t.deepEqual(result, []); @@ -822,7 +802,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures({ matchFlagEnabled: true }), + createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]), getRunnerLogger(true), ); t.deepEqual(result, [ @@ -839,7 +819,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures({}), + createFeatures([]), getRunnerLogger(true), ); t.deepEqual(result, []); 
@@ -863,7 +843,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures({ dryRunFlagEnabled: true }), + createFeatures([Feature.OverlayAnalysisMatchCodeqlVersionDryRun]), getRunnerLogger(true), ); t.deepEqual( @@ -891,10 +871,10 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures({ - matchFlagEnabled: true, - dryRunFlagEnabled: true, - }), + createFeatures([ + Feature.OverlayAnalysisMatchCodeqlVersion, + Feature.OverlayAnalysisMatchCodeqlVersionDryRun, + ]), getRunnerLogger(true), ); t.deepEqual(result, [ From 42d7f625793307414a4622f105d5a0c3a736fa01 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 8 May 2026 18:00:59 +0100 Subject: [PATCH 28/40] Remove dead code --- src/setup-codeql.test.ts | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index 0a5fb686e..0453b0347 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -7,7 +7,7 @@ import * as sinon from "sinon"; import * as actionsUtil from "./actions-util"; import * as api from "./api-client"; -import { Feature, FeatureEnablement } from "./feature-flags"; +import { Feature } from "./feature-flags"; import { getRunnerLogger } from "./logging"; import * as setupCodeql from "./setup-codeql"; import * as tar from "./tar"; @@ -19,7 +19,6 @@ import { checkExpectedLogMessages, createFeatures, getRecordingLogger, - initializeFeatures, makeMacro, mockBundleDownloadApi, setupActionsVars, 
@@ -34,14 +33,6 @@ import { setupTests(test); -// TODO: Remove when when we no longer need to pass in features (https://github.com/github/codeql-action/issues/2600) -const expectedFeatureEnablement: FeatureEnablement = initializeFeatures( - true, -) as FeatureEnablement; -expectedFeatureEnablement.getValue = function (feature: Feature) { - // eslint-disable-next-line @typescript-eslint/no-unsafe-return - return expectedFeatureEnablement[feature]; -}; test.beforeEach(() => { initializeEnvironment("1.2.3"); }); From 87ac48dae6f9d9e77e639a7ec90fd51f8efb985c Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 8 May 2026 18:05:35 +0100 Subject: [PATCH 29/40] Improve error message --- lib/analyze-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/setup-codeql-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action.js | 2 +- src/setup-codeql.ts | 3 ++- 7 files changed, 8 insertions(+), 7 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 3fcae5133..446472b87 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -91666,7 +91666,7 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw ); } catch (e) { logger.warning( - `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + `Could not list overlay-base databases in the Actions cache while choosing a default CodeQL CLI version, falling back to the highest enabled version. Details: ${getErrorMessage(e)}` ); return []; } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 85e878ac9..8e12e0ec6 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -132637,7 +132637,7 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw ); } catch (e) { logger.warning( - `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + `Could not list overlay-base databases in the Actions cache while choosing a default CodeQL CLI version, falling back to the highest enabled version. Details: ${getErrorMessage(e)}` ); return []; } diff --git a/lib/init-action.js b/lib/init-action.js index 0eaa4ed11..1ed7e5490 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -90595,7 +90595,7 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw ); } catch (e) { logger.warning( - `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + `Could not list overlay-base databases in the Actions cache while choosing a default CodeQL CLI version, falling back to the highest enabled version. Details: ${getErrorMessage(e)}` ); return []; } diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index bda595c5c..243a749cb 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -88091,7 +88091,7 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw ); } catch (e) { logger.warning( - `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + `Could not list overlay-base databases in the Actions cache while choosing a default CodeQL CLI version, falling back to the highest enabled version. Details: ${getErrorMessage(e)}` ); return []; } diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 83b6166f5..b649b5672 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js 
@@ -90698,7 +90698,7 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw ); } catch (e) { logger.warning( - `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + `Could not list overlay-base databases in the Actions cache while choosing a default CodeQL CLI version, falling back to the highest enabled version. Details: ${getErrorMessage(e)}` ); return []; } diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index f644db648..522ab1aba 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -91369,7 +91369,7 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw ); } catch (e) { logger.warning( - `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + `Could not list overlay-base databases in the Actions cache while choosing a default CodeQL CLI version, falling back to the highest enabled version. Details: ${getErrorMessage(e)}` ); return []; } diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 53deca53b..3db0b6ca4 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -308,7 +308,8 @@ export async function getEnabledVersionsWithOverlayBaseDatabases( ); } catch (e) { logger.warning( - `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}`, + "Could not list overlay-base databases in the Actions cache while choosing a default " + + `CodeQL CLI version, falling back to the highest enabled version. Details: ${util.getErrorMessage(e)}`, ); return []; } From b4ea7aa65a1433818f16580fd800a1877403b196 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 8 May 2026 18:55:48 +0100 Subject: [PATCH 30/40] Improve tests --- src/setup-codeql.test.ts | 64 +++++++++++++++++++++++++++------------- 1 file changed, 43 insertions(+), 21 deletions(-) 
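Review bot: The new warning in the `catch` of `getEnabledVersionsWithOverlayBaseDatabases` in `src/setup-codeql.ts` says "falling back to the highest enabled version", but the function itself only returns `[]`; the fallback is decided by its caller. If that is the contract, it belongs in the function's JSDoc, for example `Returns an empty list when the Actions cache cannot be listed; callers then use the highest enabled version`, so the log text and the callers cannot drift apart. The same `catch` treats every failure alike, so a persistent cause such as a token that is not permitted to list caches would emit this warning on every run. If that cause is likely, it is worth naming in the message. The function body starts and ends outside this hunk, and the `lib/*.js` hunks before it are generated copies of the same change.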
diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index 0453b0347..49d4d66aa 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -9,6 +9,7 @@ import * as actionsUtil from "./actions-util"; import * as api from "./api-client"; import { Feature } from "./feature-flags"; import { getRunnerLogger } from "./logging"; +import { getCacheRestoreKeyPrefix } from "./overlay/caching"; import * as setupCodeql from "./setup-codeql"; import * as tar from "./tar"; import { @@ -18,6 +19,7 @@ import { SAMPLE_DOTCOM_API_DETAILS, checkExpectedLogMessages, createFeatures, + createTestConfig, getRecordingLogger, makeMacro, mockBundleDownloadApi, @@ -618,6 +620,18 @@ const overlayMatchEnabledVersions = { toolsFeatureFlagsValid: true, }; +async function fakeOverlayBaseCacheKey( + language: string, + cliVersion: string, + suffix: string, +): Promise { + const prefix = await getCacheRestoreKeyPrefix( + createTestConfig({ languages: [language] }), + cliVersion, + ); + return `${prefix}${suffix}`; +} + test.serial( "getCodeQLSource uses overlay-aware default version when requested for a PR", async (t) => { @@ -629,7 +643,7 @@ test.serial( sinon.stub(api, "getAutomationID").resolves("test/"); const listStub = sinon.stub(api, "listActionsCaches").resolves([ { - key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"), }, ]); sinon @@ -667,7 +681,7 @@ test.serial( sinon.stub(api, "getAutomationID").resolves("test/"); const listStub = sinon.stub(api, "listActionsCaches").resolves([ { - key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"), }, ]); sinon 
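Review bot: `fakeOverlayBaseCacheKey` builds the stubbed cache keys with the production `getCacheRestoreKeyPrefix`, so after this commit no test in this file contains a literal overlay-base key. If the key layout changed so that it no longer matched caches already stored for a repository, these tests would still pass, because both sides of the comparison move together. Unless the tests for `./overlay/caching` already pin the format, I would keep one case with a hard-coded key and a comment such as `// Literal key: guards against accidental changes to the cache key format`. The remaining hunks of this commit mostly swap literal keys for calls to this helper.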
@@ -699,16 +713,17 @@ test.serial( async (t) => { sinon.stub(api, "getAutomationID").resolves("test/"); sinon.stub(api, "listActionsCaches").resolves([ + // Flag-enabled versions present in the cache, listed in non-descending + // order so the test exercises the sort. + { + key: await fakeOverlayBaseCacheKey("javascript", "2.20.0", "ghi-3-1"), + }, + { + key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "def-2-1"), + }, // Newer than any flag-enabled version: should be filtered out. { - key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.21.0-abc-1-1", - }, - // Flag-enabled versions present in the cache. - { - key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-def-2-1", - }, - { - key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.0-ghi-3-1", + key: await fakeOverlayBaseCacheKey("javascript", "2.21.0", "abc-1-1"), }, ]); @@ -731,7 +746,7 @@ test.serial( sinon.stub(api, "getAutomationID").resolves("test/"); sinon.stub(api, "listActionsCaches").resolves([ { - key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.19.0-abc-1-1", + key: await fakeOverlayBaseCacheKey("javascript", "2.19.0", "abc-1-1"), }, ]); 
@@ -745,24 +760,31 @@ test.serial( }, ); -test.serial( - "getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is empty", - async (t) => { +const noLanguagesMacro = makeMacro({ + exec: async ( + t: ExecutionContext, + rawLanguages: string[] | undefined, + ) => { const listStub = sinon.stub(api, "listActionsCaches").resolves([]); const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, - undefined, + rawLanguages, createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion]), getRunnerLogger(true), ); t.deepEqual(result, []); t.assert( listStub.notCalled, - "Should not list Actions caches without rawLanguages.", + "Should not list Actions caches without any rawLanguages.", ); }, -); + title: (providedTitle = "") => + `getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is ${providedTitle}`, +}); + +noLanguagesMacro.serial("undefined", undefined); +noLanguagesMacro.serial("an empty array", []); test.serial( "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws", @@ -781,12 +803,12 @@ test.serial( ); test.serial( - "getEnabledVersionsWithOverlayBaseDatabases includes the highest version when it is cached", + "getEnabledVersionsWithOverlayBaseDatabases returns versions present in the cache", async (t) => { sinon.stub(api, "getAutomationID").resolves("test/"); sinon.stub(api, "listActionsCaches").resolves([ { - key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.2-abc-1-1", + key: await fakeOverlayBaseCacheKey("javascript", "2.20.2", "abc-1-1"), }, ]); @@ -827,7 +849,7 @@ test.serial( sinon.stub(api, "getAutomationID").resolves("test/"); const listStub = sinon.stub(api, "listActionsCaches").resolves([ { - key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"), }, ]); 
@@ -855,7 +877,7 @@ test.serial( sinon.stub(api, "getAutomationID").resolves("test/"); sinon.stub(api, "listActionsCaches").resolves([ { - key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + key: await fakeOverlayBaseCacheKey("javascript", "2.20.1", "abc-1-1"), }, ]); From 2f2dbd2e78fdfcbfe2a8484e3a9c6125af375a0c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 19:05:11 +0000 Subject: [PATCH 31/40] Bump fast-xml-builder from 1.1.5 to 1.2.0 Bumps [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) from 1.1.5 to 1.2.0. - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](https://github.com/NaturalIntelligence/fast-xml-builder/compare/v1.1.5...v1.2.0) --- updated-dependencies: - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- package-lock.json | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index b6250ea4c..638458e32 100644 --- a/package-lock.json +++ b/package-lock.json @@ -5670,9 +5670,9 @@ "license": "MIT" }, "node_modules/fast-xml-builder": { - "version": "1.1.5", - "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz", - "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz", + "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==", "funding": [ { "type": "github", @@ -5681,7 +5681,8 @@ ], "license": "MIT", "dependencies": { - "path-expression-matcher": "^1.1.3" + "path-expression-matcher": "^1.5.0", + "xml-naming": "^0.1.0" } }, "node_modules/fast-xml-parser": { 
@@ -10223,6 +10224,21 @@ "node": "^20.17.0 || >=22.9.0" } }, + "node_modules/xml-naming": { + "version": "0.1.0", + "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz", + "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/NaturalIntelligence" + } + ], + "license": "MIT", + "engines": { + "node": ">=16.0.0" + } + }, "node_modules/y18n": { "version": "5.0.8", "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", From 70419e32737de18f4a5e3e1fc15a56c19e953814 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Tue, 12 May 2026 14:49:49 +0100 Subject: [PATCH 32/40] Throw error if multiple analysis kinds are specified --- lib/analyze-action-post.js | 135 +-- lib/analyze-action.js | 999 ++++++++++----------- lib/autobuild-action.js | 119 +-- lib/init-action-post.js | 393 ++++----- lib/init-action.js | 1352 +++++++++++++++-------------- lib/resolve-environment-action.js | 117 +-- lib/setup-codeql-action.js | 5 + lib/start-proxy-action-post.js | 111 +-- lib/start-proxy-action.js | 5 + lib/upload-lib.js | 1259 +++++++++++++-------------- lib/upload-sarif-action-post.js | 433 ++++----- lib/upload-sarif-action.js | 151 ++-- src/analyses.test.ts | 61 +- src/analyses.ts | 17 +- src/feature-flags.ts | 7 + src/init-action.ts | 4 +- 16 files changed, 2645 insertions(+), 2523 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 0f1b66059..3a63a9687 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js 
@@ -127358,65 +127358,8 @@ var fs4 = __toESM(require("fs")); var path5 = __toESM(require("path")); var core9 = __toESM(require_core()); -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - AnalysisKind2["RiskAssessment"] = "risk-assessment"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); - -// src/caching-utils.ts -var core6 = __toESM(require_core()); - -// src/config/db-config.ts -var jsonschema = __toESM(require_lib2()); -var semver2 = __toESM(require_semver2()); - -// src/feature-flags/properties.ts -var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { - RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; - RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; - RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; - return RepositoryPropertyName2; -})(RepositoryPropertyName || {}); -var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( - Object.values(RepositoryPropertyName) -); - -// src/config/db-config.ts -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); - -// src/logging.ts -var core7 = __toESM(require_core()); -function getActionsLogger() { - return { - debug: core7.debug, - info: core7.info, - warning: core7.warning, - error: core7.error, - isDebug: core7.isDebug, - startGroup: core7.startGroup, - endGroup: core7.endGroup - }; -} -function withGroup(groupName, f) { - core7.startGroup(groupName); - try { - return f(); - } finally { - core7.endGroup(); - } -} - // src/feature-flags.ts -var semver5 = __toESM(require_semver2()); +var semver4 = 
__toESM(require_semver2()); // src/overlay/index.ts var fs3 = __toESM(require("fs")); @@ -127425,14 +127368,14 @@ var path4 = __toESM(require("path")); // src/git-utils.ts var fs2 = __toESM(require("fs")); var path3 = __toESM(require("path")); -var core8 = __toESM(require_core()); +var core6 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); -var semver3 = __toESM(require_semver2()); +var semver2 = __toESM(require_semver2()); var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) { let stdout = ""; let stderr = ""; - core8.debug(`Running git command: git ${args.join(" ")}`); + core6.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -127453,7 +127396,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error3; } }; @@ -127582,7 +127525,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core8.debug( + core6.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; 
@@ -127719,17 +127662,22 @@ async function getDiffRangeFilePaths(sourceRoot, logger) { } // src/tools-features.ts -var semver4 = __toESM(require_semver2()); +var semver3 = __toESM(require_semver2()); function isSupportedToolsFeature(versionInfo, feature) { return !!versionInfo.features && versionInfo.features[feature]; } var SafeArtifactUploadVersion = "2.20.3"; function isSafeArtifactUpload(codeQlVersion) { - return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion); + return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion); } // src/feature-flags.ts var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", 
@@ -127938,6 +127886,63 @@ var featureConfig = { } }; +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); + +// src/caching-utils.ts +var core7 = __toESM(require_core()); + +// src/config/db-config.ts +var jsonschema = __toESM(require_lib2()); +var semver5 = __toESM(require_semver2()); + +// src/feature-flags/properties.ts +var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { + RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; + RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; + RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; + return RepositoryPropertyName2; +})(RepositoryPropertyName || {}); +var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( + Object.values(RepositoryPropertyName) +); + +// src/config/db-config.ts +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); + +// src/logging.ts +var core8 = __toESM(require_core()); +function getActionsLogger() { + return { + debug: core8.debug, + info: core8.info, + warning: core8.warning, + error: core8.error, + isDebug: core8.isDebug, + startGroup: core8.startGroup, + endGroup: core8.endGroup + }; +} +function withGroup(groupName, f) { + core8.startGroup(groupName); + try { + return f(); + } finally { + core8.endGroup(); + } +} + // src/languages/builtin.json var builtin_default = { languages: [ diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 7b3ec243c..6ca15fa59 100644 --- a/lib/analyze-action.js 
+++ b/lib/analyze-action.js 
@@ -88977,84 +88977,10 @@ function fixCodeQualityCategory(logger, category) { return category; } -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - AnalysisKind2["RiskAssessment"] = "risk-assessment"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); -var codeQualityQueries = ["code-quality"]; -var CodeScanning = { - kind: "code-scanning" /* CodeScanning */, - name: "code scanning", - target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */, - sarifExtension: ".sarif", - sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name), - fixCategory: (_, category) => category, - sentinelPrefix: "CODEQL_UPLOAD_SARIF_", - transformPayload: (payload) => payload -}; -var CodeQuality = { - kind: "code-quality" /* CodeQuality */, - name: "code quality", - target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */, - sarifExtension: ".quality.sarif", - sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension), - fixCategory: fixCodeQualityCategory, - sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_", - transformPayload: (payload) => payload -}; -function addAssessmentId(payload) { - const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */); - const assessmentId = parseInt(rawAssessmentId, 10); - if (Number.isNaN(assessmentId)) { - throw new Error( - `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}` - ); - } - if (assessmentId < 0) { - throw new Error( - `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}` - ); - } - return { sarif: payload.sarif, assessment_id: assessmentId }; -} -var RiskAssessment = { - 
kind: "risk-assessment" /* RiskAssessment */, - name: "code scanning risk assessment", - target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */, - sarifExtension: ".csra.sarif", - sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension), - fixCategory: (_, category) => category, - sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_", - transformPayload: addAssessmentId -}; -function getAnalysisConfig(kind) { - switch (kind) { - case "code-scanning" /* CodeScanning */: - return CodeScanning; - case "code-quality" /* CodeQuality */: - return CodeQuality; - case "risk-assessment" /* RiskAssessment */: - return RiskAssessment; - } -} -var SarifScanOrder = [ - RiskAssessment, - CodeQuality, - CodeScanning -]; - -// src/analyze.ts -var fs13 = __toESM(require("fs")); -var path12 = __toESM(require("path")); -var import_perf_hooks2 = require("perf_hooks"); -var io5 = __toESM(require_io()); - -// src/autobuild.ts -var core12 = __toESM(require_core()); +// src/feature-flags.ts +var fs5 = __toESM(require("fs")); +var path5 = __toESM(require("path")); +var semver4 = __toESM(require_semver2()); // src/api-client.ts var core5 = __toESM(require_core()); 
@@ -89331,432 +89257,25 @@ function wrapApiConfigurationError(e) { return e; } -// src/codeql.ts -var fs12 = __toESM(require("fs")); -var path11 = __toESM(require("path")); -var core11 = __toESM(require_core()); -var toolrunner3 = __toESM(require_toolrunner()); - -// src/cli-errors.ts -var SUPPORTED_PLATFORMS = [ - ["linux", "x64"], - ["win32", "x64"], - ["darwin", "x64"], - ["darwin", "arm64"] -]; -var CliError = class extends Error { - exitCode; - stderr; - constructor({ cmd, args, exitCode, stderr }) { - const prettyCommand = prettyPrintInvocation(cmd, args); - const fatalErrors = extractFatalErrors(stderr); - const autobuildErrors = extractAutobuildErrors(stderr); - let message; - if (fatalErrors) { - message = `Encountered a fatal error while running "${prettyCommand}". Exit code was ${exitCode} and error was: ${ensureEndsInPeriod( - fatalErrors.trim() - )} See the logs for more details.`; - } else if (autobuildErrors) { - message = `We were unable to automatically build your code. Please provide manual build steps. See ${"https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed" /* AUTOMATIC_BUILD_FAILED */} for more information. Encountered the following error: ${autobuildErrors}`; - } else { - const lastLine = ensureEndsInPeriod( - stderr.trim().split("\n").pop()?.trim() || "n/a" - ); - message = `Encountered a fatal error while running "${prettyCommand}". Exit code was ${exitCode} and last log line was: ${lastLine} See the logs for more details.`; - } - super(message); - this.exitCode = exitCode; - this.stderr = stderr; - } -}; -function extractFatalErrors(error3) { - const fatalErrorRegex = /.*fatal (internal )?error occurr?ed(. 
Details)?:/gi; - let fatalErrors = []; - let lastFatalErrorIndex; - let match; - while ((match = fatalErrorRegex.exec(error3)) !== null) { - if (lastFatalErrorIndex !== void 0) { - fatalErrors.push(error3.slice(lastFatalErrorIndex, match.index).trim()); - } - lastFatalErrorIndex = match.index; - } - if (lastFatalErrorIndex !== void 0) { - const lastError = error3.slice(lastFatalErrorIndex).trim(); - if (fatalErrors.length === 0) { - return lastError; - } - const isOneLiner = !fatalErrors.some((e) => e.includes("\n")); - if (isOneLiner) { - fatalErrors = fatalErrors.map(ensureEndsInPeriod); - } - return [ - ensureEndsInPeriod(lastError), - "Context:", - ...fatalErrors.reverse() - ].join(isOneLiner ? " " : "\n"); - } - return void 0; -} -function extractAutobuildErrors(error3) { - const pattern = /.*\[autobuild\] \[ERROR\] (.*)/gi; - let errorLines = [...error3.matchAll(pattern)].map((match) => match[1]); - if (errorLines.length > 10) { - errorLines = errorLines.slice(0, 10); - errorLines.push("(truncated)"); - } - return errorLines.join("\n") || void 0; -} -var cliErrorsConfig = { - ["AutobuildError" /* AutobuildError */]: { - cliErrorMessageCandidates: [ - new RegExp("We were unable to automatically build your code") - ] - }, - ["CouldNotCreateTempDir" /* CouldNotCreateTempDir */]: { - cliErrorMessageCandidates: [new RegExp("Could not create temp directory")] - }, - ["ExternalRepositoryCloneFailed" /* ExternalRepositoryCloneFailed */]: { - cliErrorMessageCandidates: [ - new RegExp("Failed to clone external Git repository") - ] - }, - ["GradleBuildFailed" /* GradleBuildFailed */]: { - cliErrorMessageCandidates: [ - new RegExp("\\[autobuild\\] FAILURE: Build failed with an exception.") - ] - }, - // Version of CodeQL CLI is incompatible with this version of the CodeQL Action - ["IncompatibleWithActionVersion" /* IncompatibleWithActionVersion */]: { - cliErrorMessageCandidates: [ - new RegExp("is not compatible with this CodeQL CLI") - ] - }, - ["InitCalledTwice" /* 
InitCalledTwice */]: { - cliErrorMessageCandidates: [ - new RegExp( - "Refusing to create databases .* but could not process any of it" - ) - ], - additionalErrorMessageToAppend: `Is the "init" action called twice in the same job?` - }, - ["InvalidConfigFile" /* InvalidConfigFile */]: { - cliErrorMessageCandidates: [ - new RegExp("Config file .* is not valid"), - new RegExp("The supplied config file is empty") - ] - }, - ["InvalidExternalRepoSpecifier" /* InvalidExternalRepoSpecifier */]: { - cliErrorMessageCandidates: [ - new RegExp("Specifier for external repository is invalid") - ] - }, - // Expected source location for database creation does not exist - ["InvalidSourceRoot" /* InvalidSourceRoot */]: { - cliErrorMessageCandidates: [new RegExp("Invalid source root")] - }, - ["MavenBuildFailed" /* MavenBuildFailed */]: { - cliErrorMessageCandidates: [ - new RegExp("\\[autobuild\\] \\[ERROR\\] Failed to execute goal") - ] - }, - ["NoBuildCommandAutodetected" /* NoBuildCommandAutodetected */]: { - cliErrorMessageCandidates: [ - new RegExp("Could not auto-detect a suitable build method") - ] - }, - ["NoBuildMethodAutodetected" /* NoBuildMethodAutodetected */]: { - cliErrorMessageCandidates: [ - new RegExp( - "Could not detect a suitable build command for the source checkout" - ) - ] - }, - // Usually when a manual build script has failed, or if an autodetected language - // was unintended to have CodeQL analysis run on it. 
- ["NoSourceCodeSeen" /* NoSourceCodeSeen */]: { - exitCode: 32, - cliErrorMessageCandidates: [ - new RegExp( - "CodeQL detected code written in .* but could not process any of it" - ), - new RegExp( - "CodeQL did not detect any code written in languages supported by CodeQL" - ) - ] - }, - ["NoSupportedBuildCommandSucceeded" /* NoSupportedBuildCommandSucceeded */]: { - cliErrorMessageCandidates: [ - new RegExp("No supported build command succeeded") - ] - }, - ["NoSupportedBuildSystemDetected" /* NoSupportedBuildSystemDetected */]: { - cliErrorMessageCandidates: [ - new RegExp("No supported build system detected") - ] - }, - ["OutOfMemoryOrDisk" /* OutOfMemoryOrDisk */]: { - cliErrorMessageCandidates: [ - new RegExp("CodeQL is out of memory."), - new RegExp("out of disk"), - new RegExp("No space left on device") - ], - additionalErrorMessageToAppend: "For more information, see https://gh.io/troubleshooting-code-scanning/out-of-disk-or-memory" - }, - ["PackCannotBeFound" /* PackCannotBeFound */]: { - cliErrorMessageCandidates: [ - new RegExp( - "Query pack .* cannot be found\\. Check the spelling of the pack\\." - ), - new RegExp( - "is not a .ql file, .qls file, a directory, or a query pack specification." - ) - ] - }, - ["PackMissingAuth" /* PackMissingAuth */]: { - cliErrorMessageCandidates: [ - new RegExp("GitHub Container registry .* 403 Forbidden"), - new RegExp( - "Do you need to specify a token to authenticate to the registry?" 
- ) - ] - }, - ["SwiftBuildFailed" /* SwiftBuildFailed */]: { - cliErrorMessageCandidates: [ - new RegExp( - "\\[autobuilder/build\\] \\[build-command-failed\\] `autobuild` failed to run the build command" - ) - ] - }, - ["SwiftIncompatibleOs" /* SwiftIncompatibleOs */]: { - cliErrorMessageCandidates: [ - new RegExp("\\[incompatible-os\\]"), - new RegExp("Swift analysis is only supported on macOS") - ] - }, - ["UnsupportedBuildMode" /* UnsupportedBuildMode */]: { - cliErrorMessageCandidates: [ - new RegExp( - "does not support the .* build mode. Please try using one of the following build modes instead" - ) - ] - }, - ["NotFoundInRegistry" /* NotFoundInRegistry */]: { - cliErrorMessageCandidates: [ - new RegExp("'.*' not found in the registry '.*'") - ] - } -}; -function getCliConfigCategoryIfExists(cliError) { - for (const [category, configuration] of Object.entries(cliErrorsConfig)) { - if (cliError.exitCode !== void 0 && configuration.exitCode !== void 0 && cliError.exitCode === configuration.exitCode) { - return category; - } - for (const e of configuration.cliErrorMessageCandidates) { - if (cliError.message.match(e) || cliError.stderr.match(e)) { - return category; - } - } - } - return void 0; -} -function isUnsupportedPlatform() { - return !SUPPORTED_PLATFORMS.some( - ([platform2, arch2]) => platform2 === process.platform && arch2 === process.arch - ); -} -function getUnsupportedPlatformError(cliError) { - return new ConfigurationError( - `The CodeQL CLI does not support the platform/architecture combination of ${process.platform}/${process.arch} (see ${"https://codeql.github.com/docs/codeql-overview/system-requirements/" /* SYSTEM_REQUIREMENTS */}). 
The underlying error was: ${cliError.message}` - ); -} -function wrapCliConfigurationError(cliError) { - if (isUnsupportedPlatform()) { - return getUnsupportedPlatformError(cliError); - } - const cliConfigErrorCategory = getCliConfigCategoryIfExists(cliError); - if (cliConfigErrorCategory === void 0) { - return cliError; - } - let errorMessageBuilder = cliError.message; - const additionalErrorMessageToAppend = cliErrorsConfig[cliConfigErrorCategory].additionalErrorMessageToAppend; - if (additionalErrorMessageToAppend !== void 0) { - errorMessageBuilder = `${errorMessageBuilder} ${additionalErrorMessageToAppend}`; - } - return new ConfigurationError(errorMessageBuilder); -} - -// src/config-utils.ts -var fs7 = __toESM(require("fs")); -var path7 = __toESM(require("path")); -var core9 = __toESM(require_core()); - -// src/caching-utils.ts -var crypto2 = __toESM(require("crypto")); -var core6 = __toESM(require_core()); -async function getTotalCacheSize(paths, logger, quiet = false) { - const sizes = await Promise.all( - paths.map((cacheDir) => tryGetFolderBytes(cacheDir, logger, quiet)) - ); - return sizes.map((a) => a || 0).reduce((a, b) => a + b, 0); -} -function shouldStoreCache(kind) { - return kind === "full" /* Full */ || kind === "store" /* Store */; -} -var cacheKeyHashLength = 16; -function createCacheKeyHash(components) { - const componentsJson = JSON.stringify(components); - return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); -} - -// src/config/db-config.ts -var jsonschema = __toESM(require_lib2()); -var semver2 = __toESM(require_semver2()); - -// src/feature-flags/properties.ts -var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { - RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; - RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; - RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; - 
return RepositoryPropertyName2; -})(RepositoryPropertyName || {}); -var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( - Object.values(RepositoryPropertyName) -); - -// src/config/db-config.ts -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); - -// src/diagnostics.ts -var import_fs = require("fs"); -var import_path = __toESM(require("path")); - -// src/logging.ts -var core7 = __toESM(require_core()); -function getActionsLogger() { - return { - debug: core7.debug, - info: core7.info, - warning: core7.warning, - error: core7.error, - isDebug: core7.isDebug, - startGroup: core7.startGroup, - endGroup: core7.endGroup - }; -} -async function withGroupAsync(groupName, f) { - core7.startGroup(groupName); - try { - return await f(); - } finally { - core7.endGroup(); - } -} -function formatDuration(durationMs) { - if (durationMs < 1e3) { - return `${durationMs}ms`; - } - if (durationMs < 60 * 1e3) { - return `${(durationMs / 1e3).toFixed(1)}s`; - } - const minutes = Math.floor(durationMs / (60 * 1e3)); - const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3); - return `${minutes}m${seconds}s`; -} - -// src/diagnostics.ts -var unwrittenDiagnostics = []; -var unwrittenDefaultLanguageDiagnostics = []; -var diagnosticCounter = 0; -function makeDiagnostic(id, name, data = void 0) { - return { - ...data, - timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(), - source: { ...data?.source, id, name } - }; -} -function addDiagnostic(config, language, diagnostic) { - const logger = getActionsLogger(); - const databasePath = language ? 
getCodeQLDatabasePath(config, language) : config.dbLocation; - if ((0, import_fs.existsSync)(databasePath)) { - writeDiagnostic(config, language, diagnostic); - } else { - logger.debug( - `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.` - ); - unwrittenDiagnostics.push({ diagnostic, language }); - } -} -function addNoLanguageDiagnostic(config, diagnostic) { - if (config !== void 0) { - addDiagnostic( - config, - // Arbitrarily choose the first language. We could also choose all languages, but that - // increases the risk of misinterpreting the data. - config.languages[0], - diagnostic - ); - } else { - unwrittenDefaultLanguageDiagnostics.push(diagnostic); - } -} -function writeDiagnostic(config, language, diagnostic) { - const logger = getActionsLogger(); - const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation; - const diagnosticsPath = import_path.default.resolve( - databasePath, - "diagnostic", - "codeql-action" - ); - try { - (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); - const uniqueSuffix = (diagnosticCounter++).toString(); - const sanitizedTimestamp = diagnostic.timestamp.replace( - /[^a-zA-Z0-9.-]/g, - "" - ); - const jsonPath = import_path.default.resolve( - diagnosticsPath, - `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json` - ); - (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic)); - } catch (err) { - logger.warning(`Unable to write diagnostic message to database: ${err}`); - logger.debug(JSON.stringify(diagnostic)); - } -} - -// src/diff-informed-analysis-utils.ts -var fs6 = __toESM(require("fs")); - -// src/feature-flags.ts -var fs5 = __toESM(require("fs")); -var path6 = __toESM(require("path")); -var semver5 = __toESM(require_semver2()); - // src/defaults.json var bundleVersion = "codeql-bundle-v2.25.4"; var cliVersion = "2.25.4"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); -var path5 = __toESM(require("path")); 
+var path4 = __toESM(require("path")); // src/git-utils.ts var fs3 = __toESM(require("fs")); -var path4 = __toESM(require("path")); -var core8 = __toESM(require_core()); +var path3 = __toESM(require("path")); +var core6 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); -var semver3 = __toESM(require_semver2()); +var semver2 = __toESM(require_semver2()); var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) { let stdout = ""; let stderr = ""; - core8.debug(`Running git command: git ${args.join(" ")}`); + core6.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -89777,7 +89296,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error3; } }; @@ -89873,7 +89392,7 @@ var getGitRoot = async function(sourceRoot) { } }; function hasSubmodules(gitRoot) { - return fs3.existsSync(path4.join(gitRoot, ".gitmodules")); + return fs3.existsSync(path3.join(gitRoot, ".gitmodules")); } var getFileOidsUnderPath = async function(basePath) { const gitRoot = await getGitRoot(basePath); @@ -89940,7 +89459,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core8.debug( + core6.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; 
@@ -90005,7 +89524,7 @@ async function writeOverlayChangesFile(config, sourceRoot, logger) { const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger); const changedFiles = [.../* @__PURE__ */ new Set([...oidChangedFiles, ...diffRangeFiles])]; const changedFilesJson = JSON.stringify({ changes: changedFiles }); - const overlayChangesFile = path5.join( + const overlayChangesFile = path4.join( getTemporaryDirectory(), "overlay-changes.json" ); @@ -90071,13 +89590,13 @@ async function getDiffRangeFilePaths(sourceRoot, logger) { return [...new Set(diffRanges.map((r) => r.path))]; } const relativePaths = diffRanges.map( - (r) => path5.relative(sourceRoot, path5.join(repoRoot, r.path)).replaceAll(path5.sep, "/") + (r) => path4.relative(sourceRoot, path4.join(repoRoot, r.path)).replaceAll(path4.sep, "/") ).filter((rel) => !rel.startsWith("..")); return [...new Set(relativePaths)]; } // src/tools-features.ts -var semver4 = __toESM(require_semver2()); +var semver3 = __toESM(require_semver2()); function isSupportedToolsFeature(versionInfo, feature) { return !!versionInfo.features && versionInfo.features[feature]; } @@ -90087,6 +89606,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", @@ -90404,7 +89928,7 @@ var Features = class extends OfflineFeatures { super(logger); this.gitHubFeatureFlags = new GitHubFeatureFlags( repositoryNwo, - path6.join(tempDir, FEATURE_FLAGS_FILE_NAME), + path5.join(tempDir, FEATURE_FLAGS_FILE_NAME), logger ); } 
@@ -90463,7 +89987,7 @@ var GitHubFeatureFlags = class { DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length, f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length ).replace(/_/g, "."); - if (!semver5.valid(version)) { + if (!semver4.valid(version)) { this.logger.warning( `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.` ); 
@@ -90622,7 +90146,486 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) { } } +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); +var codeQualityQueries = ["code-quality"]; +var CodeScanning = { + kind: "code-scanning" /* CodeScanning */, + name: "code scanning", + target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */, + sarifExtension: ".sarif", + sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name), + fixCategory: (_, category) => category, + sentinelPrefix: "CODEQL_UPLOAD_SARIF_", + transformPayload: (payload) => payload +}; +var CodeQuality = { + kind: "code-quality" /* CodeQuality */, + name: "code quality", + target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */, + sarifExtension: ".quality.sarif", + sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension), + fixCategory: fixCodeQualityCategory, + sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_", + transformPayload: (payload) => payload +}; +function addAssessmentId(payload) { + const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */); + const assessmentId = parseInt(rawAssessmentId, 10); + if (Number.isNaN(assessmentId)) { + throw new Error( + `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}` + ); + } + if (assessmentId < 0) { + throw new Error( + `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}` + ); + } + return { sarif: payload.sarif, assessment_id: assessmentId }; +} +var RiskAssessment = { + 
kind: "risk-assessment" /* RiskAssessment */, + name: "code scanning risk assessment", + target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */, + sarifExtension: ".csra.sarif", + sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension), + fixCategory: (_, category) => category, + sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_", + transformPayload: addAssessmentId +}; +function getAnalysisConfig(kind) { + switch (kind) { + case "code-scanning" /* CodeScanning */: + return CodeScanning; + case "code-quality" /* CodeQuality */: + return CodeQuality; + case "risk-assessment" /* RiskAssessment */: + return RiskAssessment; + } +} +var SarifScanOrder = [ + RiskAssessment, + CodeQuality, + CodeScanning +]; + +// src/analyze.ts +var fs13 = __toESM(require("fs")); +var path12 = __toESM(require("path")); +var import_perf_hooks2 = require("perf_hooks"); +var io5 = __toESM(require_io()); + +// src/autobuild.ts +var core12 = __toESM(require_core()); + +// src/codeql.ts +var fs12 = __toESM(require("fs")); +var path11 = __toESM(require("path")); +var core11 = __toESM(require_core()); +var toolrunner3 = __toESM(require_toolrunner()); + +// src/cli-errors.ts +var SUPPORTED_PLATFORMS = [ + ["linux", "x64"], + ["win32", "x64"], + ["darwin", "x64"], + ["darwin", "arm64"] +]; +var CliError = class extends Error { + exitCode; + stderr; + constructor({ cmd, args, exitCode, stderr }) { + const prettyCommand = prettyPrintInvocation(cmd, args); + const fatalErrors = extractFatalErrors(stderr); + const autobuildErrors = extractAutobuildErrors(stderr); + let message; + if (fatalErrors) { + message = `Encountered a fatal error while running "${prettyCommand}". Exit code was ${exitCode} and error was: ${ensureEndsInPeriod( + fatalErrors.trim() + )} See the logs for more details.`; + } else if (autobuildErrors) { + message = `We were unable to automatically build your code. Please provide manual build steps. 
See ${"https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/automatic-build-failed" /* AUTOMATIC_BUILD_FAILED */} for more information. Encountered the following error: ${autobuildErrors}`; + } else { + const lastLine = ensureEndsInPeriod( + stderr.trim().split("\n").pop()?.trim() || "n/a" + ); + message = `Encountered a fatal error while running "${prettyCommand}". Exit code was ${exitCode} and last log line was: ${lastLine} See the logs for more details.`; + } + super(message); + this.exitCode = exitCode; + this.stderr = stderr; + } +}; +function extractFatalErrors(error3) { + const fatalErrorRegex = /.*fatal (internal )?error occurr?ed(. Details)?:/gi; + let fatalErrors = []; + let lastFatalErrorIndex; + let match; + while ((match = fatalErrorRegex.exec(error3)) !== null) { + if (lastFatalErrorIndex !== void 0) { + fatalErrors.push(error3.slice(lastFatalErrorIndex, match.index).trim()); + } + lastFatalErrorIndex = match.index; + } + if (lastFatalErrorIndex !== void 0) { + const lastError = error3.slice(lastFatalErrorIndex).trim(); + if (fatalErrors.length === 0) { + return lastError; + } + const isOneLiner = !fatalErrors.some((e) => e.includes("\n")); + if (isOneLiner) { + fatalErrors = fatalErrors.map(ensureEndsInPeriod); + } + return [ + ensureEndsInPeriod(lastError), + "Context:", + ...fatalErrors.reverse() + ].join(isOneLiner ? 
" " : "\n"); + } + return void 0; +} +function extractAutobuildErrors(error3) { + const pattern = /.*\[autobuild\] \[ERROR\] (.*)/gi; + let errorLines = [...error3.matchAll(pattern)].map((match) => match[1]); + if (errorLines.length > 10) { + errorLines = errorLines.slice(0, 10); + errorLines.push("(truncated)"); + } + return errorLines.join("\n") || void 0; +} +var cliErrorsConfig = { + ["AutobuildError" /* AutobuildError */]: { + cliErrorMessageCandidates: [ + new RegExp("We were unable to automatically build your code") + ] + }, + ["CouldNotCreateTempDir" /* CouldNotCreateTempDir */]: { + cliErrorMessageCandidates: [new RegExp("Could not create temp directory")] + }, + ["ExternalRepositoryCloneFailed" /* ExternalRepositoryCloneFailed */]: { + cliErrorMessageCandidates: [ + new RegExp("Failed to clone external Git repository") + ] + }, + ["GradleBuildFailed" /* GradleBuildFailed */]: { + cliErrorMessageCandidates: [ + new RegExp("\\[autobuild\\] FAILURE: Build failed with an exception.") + ] + }, + // Version of CodeQL CLI is incompatible with this version of the CodeQL Action + ["IncompatibleWithActionVersion" /* IncompatibleWithActionVersion */]: { + cliErrorMessageCandidates: [ + new RegExp("is not compatible with this CodeQL CLI") + ] + }, + ["InitCalledTwice" /* InitCalledTwice */]: { + cliErrorMessageCandidates: [ + new RegExp( + "Refusing to create databases .* but could not process any of it" + ) + ], + additionalErrorMessageToAppend: `Is the "init" action called twice in the same job?` + }, + ["InvalidConfigFile" /* InvalidConfigFile */]: { + cliErrorMessageCandidates: [ + new RegExp("Config file .* is not valid"), + new RegExp("The supplied config file is empty") + ] + }, + ["InvalidExternalRepoSpecifier" /* InvalidExternalRepoSpecifier */]: { + cliErrorMessageCandidates: [ + new RegExp("Specifier for external repository is invalid") + ] + }, + // Expected source location for database creation does not exist + ["InvalidSourceRoot" /* InvalidSourceRoot 
*/]: { + cliErrorMessageCandidates: [new RegExp("Invalid source root")] + }, + ["MavenBuildFailed" /* MavenBuildFailed */]: { + cliErrorMessageCandidates: [ + new RegExp("\\[autobuild\\] \\[ERROR\\] Failed to execute goal") + ] + }, + ["NoBuildCommandAutodetected" /* NoBuildCommandAutodetected */]: { + cliErrorMessageCandidates: [ + new RegExp("Could not auto-detect a suitable build method") + ] + }, + ["NoBuildMethodAutodetected" /* NoBuildMethodAutodetected */]: { + cliErrorMessageCandidates: [ + new RegExp( + "Could not detect a suitable build command for the source checkout" + ) + ] + }, + // Usually when a manual build script has failed, or if an autodetected language + // was unintended to have CodeQL analysis run on it. + ["NoSourceCodeSeen" /* NoSourceCodeSeen */]: { + exitCode: 32, + cliErrorMessageCandidates: [ + new RegExp( + "CodeQL detected code written in .* but could not process any of it" + ), + new RegExp( + "CodeQL did not detect any code written in languages supported by CodeQL" + ) + ] + }, + ["NoSupportedBuildCommandSucceeded" /* NoSupportedBuildCommandSucceeded */]: { + cliErrorMessageCandidates: [ + new RegExp("No supported build command succeeded") + ] + }, + ["NoSupportedBuildSystemDetected" /* NoSupportedBuildSystemDetected */]: { + cliErrorMessageCandidates: [ + new RegExp("No supported build system detected") + ] + }, + ["OutOfMemoryOrDisk" /* OutOfMemoryOrDisk */]: { + cliErrorMessageCandidates: [ + new RegExp("CodeQL is out of memory."), + new RegExp("out of disk"), + new RegExp("No space left on device") + ], + additionalErrorMessageToAppend: "For more information, see https://gh.io/troubleshooting-code-scanning/out-of-disk-or-memory" + }, + ["PackCannotBeFound" /* PackCannotBeFound */]: { + cliErrorMessageCandidates: [ + new RegExp( + "Query pack .* cannot be found\\. Check the spelling of the pack\\." + ), + new RegExp( + "is not a .ql file, .qls file, a directory, or a query pack specification." 
+ ) + ] + }, + ["PackMissingAuth" /* PackMissingAuth */]: { + cliErrorMessageCandidates: [ + new RegExp("GitHub Container registry .* 403 Forbidden"), + new RegExp( + "Do you need to specify a token to authenticate to the registry?" + ) + ] + }, + ["SwiftBuildFailed" /* SwiftBuildFailed */]: { + cliErrorMessageCandidates: [ + new RegExp( + "\\[autobuilder/build\\] \\[build-command-failed\\] `autobuild` failed to run the build command" + ) + ] + }, + ["SwiftIncompatibleOs" /* SwiftIncompatibleOs */]: { + cliErrorMessageCandidates: [ + new RegExp("\\[incompatible-os\\]"), + new RegExp("Swift analysis is only supported on macOS") + ] + }, + ["UnsupportedBuildMode" /* UnsupportedBuildMode */]: { + cliErrorMessageCandidates: [ + new RegExp( + "does not support the .* build mode. Please try using one of the following build modes instead" + ) + ] + }, + ["NotFoundInRegistry" /* NotFoundInRegistry */]: { + cliErrorMessageCandidates: [ + new RegExp("'.*' not found in the registry '.*'") + ] + } +}; +function getCliConfigCategoryIfExists(cliError) { + for (const [category, configuration] of Object.entries(cliErrorsConfig)) { + if (cliError.exitCode !== void 0 && configuration.exitCode !== void 0 && cliError.exitCode === configuration.exitCode) { + return category; + } + for (const e of configuration.cliErrorMessageCandidates) { + if (cliError.message.match(e) || cliError.stderr.match(e)) { + return category; + } + } + } + return void 0; +} +function isUnsupportedPlatform() { + return !SUPPORTED_PLATFORMS.some( + ([platform2, arch2]) => platform2 === process.platform && arch2 === process.arch + ); +} +function getUnsupportedPlatformError(cliError) { + return new ConfigurationError( + `The CodeQL CLI does not support the platform/architecture combination of ${process.platform}/${process.arch} (see ${"https://codeql.github.com/docs/codeql-overview/system-requirements/" /* SYSTEM_REQUIREMENTS */}). 
The underlying error was: ${cliError.message}` + ); +} +function wrapCliConfigurationError(cliError) { + if (isUnsupportedPlatform()) { + return getUnsupportedPlatformError(cliError); + } + const cliConfigErrorCategory = getCliConfigCategoryIfExists(cliError); + if (cliConfigErrorCategory === void 0) { + return cliError; + } + let errorMessageBuilder = cliError.message; + const additionalErrorMessageToAppend = cliErrorsConfig[cliConfigErrorCategory].additionalErrorMessageToAppend; + if (additionalErrorMessageToAppend !== void 0) { + errorMessageBuilder = `${errorMessageBuilder} ${additionalErrorMessageToAppend}`; + } + return new ConfigurationError(errorMessageBuilder); +} + +// src/config-utils.ts +var fs7 = __toESM(require("fs")); +var path7 = __toESM(require("path")); +var core9 = __toESM(require_core()); + +// src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); +var core7 = __toESM(require_core()); +async function getTotalCacheSize(paths, logger, quiet = false) { + const sizes = await Promise.all( + paths.map((cacheDir) => tryGetFolderBytes(cacheDir, logger, quiet)) + ); + return sizes.map((a) => a || 0).reduce((a, b) => a + b, 0); +} +function shouldStoreCache(kind) { + return kind === "full" /* Full */ || kind === "store" /* Store */; +} +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} + +// src/config/db-config.ts +var jsonschema = __toESM(require_lib2()); +var semver5 = __toESM(require_semver2()); + +// src/feature-flags/properties.ts +var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { + RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; + RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; + RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; + 
return RepositoryPropertyName2; +})(RepositoryPropertyName || {}); +var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( + Object.values(RepositoryPropertyName) +); + +// src/config/db-config.ts +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); + +// src/diagnostics.ts +var import_fs = require("fs"); +var import_path = __toESM(require("path")); + +// src/logging.ts +var core8 = __toESM(require_core()); +function getActionsLogger() { + return { + debug: core8.debug, + info: core8.info, + warning: core8.warning, + error: core8.error, + isDebug: core8.isDebug, + startGroup: core8.startGroup, + endGroup: core8.endGroup + }; +} +async function withGroupAsync(groupName, f) { + core8.startGroup(groupName); + try { + return await f(); + } finally { + core8.endGroup(); + } +} +function formatDuration(durationMs) { + if (durationMs < 1e3) { + return `${durationMs}ms`; + } + if (durationMs < 60 * 1e3) { + return `${(durationMs / 1e3).toFixed(1)}s`; + } + const minutes = Math.floor(durationMs / (60 * 1e3)); + const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3); + return `${minutes}m${seconds}s`; +} + +// src/diagnostics.ts +var unwrittenDiagnostics = []; +var unwrittenDefaultLanguageDiagnostics = []; +var diagnosticCounter = 0; +function makeDiagnostic(id, name, data = void 0) { + return { + ...data, + timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(), + source: { ...data?.source, id, name } + }; +} +function addDiagnostic(config, language, diagnostic) { + const logger = getActionsLogger(); + const databasePath = language ? 
getCodeQLDatabasePath(config, language) : config.dbLocation; + if ((0, import_fs.existsSync)(databasePath)) { + writeDiagnostic(config, language, diagnostic); + } else { + logger.debug( + `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.` + ); + unwrittenDiagnostics.push({ diagnostic, language }); + } +} +function addNoLanguageDiagnostic(config, diagnostic) { + if (config !== void 0) { + addDiagnostic( + config, + // Arbitrarily choose the first language. We could also choose all languages, but that + // increases the risk of misinterpreting the data. + config.languages[0], + diagnostic + ); + } else { + unwrittenDefaultLanguageDiagnostics.push(diagnostic); + } +} +function writeDiagnostic(config, language, diagnostic) { + const logger = getActionsLogger(); + const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation; + const diagnosticsPath = import_path.default.resolve( + databasePath, + "diagnostic", + "codeql-action" + ); + try { + (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); + const uniqueSuffix = (diagnosticCounter++).toString(); + const sanitizedTimestamp = diagnostic.timestamp.replace( + /[^a-zA-Z0-9.-]/g, + "" + ); + const jsonPath = import_path.default.resolve( + diagnosticsPath, + `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json` + ); + (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic)); + } catch (err) { + logger.warning(`Unable to write diagnostic message to database: ${err}`); + logger.debug(JSON.stringify(diagnostic)); + } +} + // src/diff-informed-analysis-utils.ts +var fs6 = __toESM(require("fs")); function readDiffRangesJsonFile(logger) { const jsonFilePath = getDiffRangesJsonFilePath(); if (!fs6.existsSync(jsonFilePath)) { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index be61bdeab..642dd5ffe 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js 
@@ -86171,59 +86171,10 @@ var fs5 = __toESM(require("fs")); var path6 = __toESM(require("path")); var core9 = __toESM(require_core()); -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - AnalysisKind2["RiskAssessment"] = "risk-assessment"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); - -// src/caching-utils.ts -var core6 = __toESM(require_core()); - -// src/config/db-config.ts -var jsonschema = __toESM(require_lib2()); -var semver2 = __toESM(require_semver2()); - -// src/feature-flags/properties.ts -var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { - RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; - RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; - RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; - return RepositoryPropertyName2; -})(RepositoryPropertyName || {}); -var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( - Object.values(RepositoryPropertyName) -); - -// src/config/db-config.ts -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); - -// src/logging.ts -var core7 = __toESM(require_core()); -function getActionsLogger() { - return { - debug: core7.debug, - info: core7.info, - warning: core7.warning, - error: core7.error, - isDebug: core7.isDebug, - startGroup: core7.startGroup, - endGroup: core7.endGroup - }; -} - // src/feature-flags.ts var fs4 = __toESM(require("fs")); var path5 = __toESM(require("path")); -var semver5 = __toESM(require_semver2()); +var semver4 = __toESM(require_semver2()); // src/defaults.json var bundleVersion = 
"codeql-bundle-v2.25.4"; @@ -86236,14 +86187,14 @@ var path4 = __toESM(require("path")); // src/git-utils.ts var fs2 = __toESM(require("fs")); var path3 = __toESM(require("path")); -var core8 = __toESM(require_core()); +var core6 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); -var semver3 = __toESM(require_semver2()); +var semver2 = __toESM(require_semver2()); var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) { let stdout = ""; let stderr = ""; - core8.debug(`Running git command: git ${args.join(" ")}`); + core6.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -86264,7 +86215,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error3; } }; @@ -86393,7 +86344,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core8.debug( + core6.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; @@ -86530,7 +86481,7 @@ async function getDiffRangeFilePaths(sourceRoot, logger) { } // src/tools-features.ts -var semver4 = __toESM(require_semver2()); +var semver3 = __toESM(require_semver2()); function isSupportedToolsFeature(versionInfo, feature) { return !!versionInfo.features && versionInfo.features[feature]; } 
@@ -86539,6 +86490,11 @@ function isSupportedToolsFeature(versionInfo, feature) { var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", @@ -86915,7 +86871,7 @@ var GitHubFeatureFlags = class { DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length, f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length ).replace(/_/g, "."); - if (!semver5.valid(version)) { + if (!semver4.valid(version)) { this.logger.warning( `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.` ); 
@@ -87074,6 +87030,55 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) { } } +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); + +// src/caching-utils.ts +var core7 = __toESM(require_core()); + +// src/config/db-config.ts +var jsonschema = __toESM(require_lib2()); +var semver5 = __toESM(require_semver2()); + +// src/feature-flags/properties.ts +var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { + RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; + RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; + RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; + return RepositoryPropertyName2; +})(RepositoryPropertyName || {}); +var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( + Object.values(RepositoryPropertyName) +); + +// src/config/db-config.ts +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); + +// src/logging.ts +var core8 = __toESM(require_core()); +function getActionsLogger() { + return { + debug: core8.debug, + info: core8.info, + warning: core8.warning, + error: core8.error, + isDebug: core8.isDebug, + startGroup: core8.startGroup, + endGroup: core8.endGroup + }; +} + // src/languages/builtin.json var builtin_default = { languages: [ diff --git a/lib/init-action-post.js b/lib/init-action-post.js index b972b1ece..dc71c1c38 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -130716,189 +130716,10 @@ var fs8 = __toESM(require("fs")); var path8 = __toESM(require("path")); var core9 = __toESM(require_core()); -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - AnalysisKind2["RiskAssessment"] = "risk-assessment"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); -var CodeScanning = { - kind: "code-scanning" /* CodeScanning */, - name: "code scanning", - target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */, - sarifExtension: ".sarif", - sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name), - fixCategory: (_2, category) => category, - sentinelPrefix: "CODEQL_UPLOAD_SARIF_", - transformPayload: (payload) => payload -}; -var CodeQuality = { - kind: "code-quality" /* CodeQuality */, - name: "code quality", - target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */, - sarifExtension: ".quality.sarif", - sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension), - fixCategory: fixCodeQualityCategory, - sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_", - transformPayload: (payload) => payload -}; -function addAssessmentId(payload) { - const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */); - const assessmentId = parseInt(rawAssessmentId, 10); - if (Number.isNaN(assessmentId)) { - throw new Error( - `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}` - ); - } - if (assessmentId < 0) { - throw new Error( - `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}` - ); - } - return { sarif: payload.sarif, assessment_id: assessmentId }; -} -var RiskAssessment = { - kind: 
"risk-assessment" /* RiskAssessment */, - name: "code scanning risk assessment", - target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */, - sarifExtension: ".csra.sarif", - sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension), - fixCategory: (_2, category) => category, - sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_", - transformPayload: addAssessmentId -}; - -// src/config/db-config.ts -var jsonschema = __toESM(require_lib2()); -var semver2 = __toESM(require_semver2()); - -// src/feature-flags/properties.ts -var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { - RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; - RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; - RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; - return RepositoryPropertyName2; -})(RepositoryPropertyName || {}); -var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( - Object.values(RepositoryPropertyName) -); - -// src/config/db-config.ts -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); - -// src/diagnostics.ts -var import_fs = require("fs"); -var import_path = __toESM(require("path")); - -// src/logging.ts -var core7 = __toESM(require_core()); -function getActionsLogger() { - return { - debug: core7.debug, - info: core7.info, - warning: core7.warning, - error: core7.error, - isDebug: core7.isDebug, - startGroup: core7.startGroup, - endGroup: core7.endGroup - }; -} -function withGroup(groupName, f) { - core7.startGroup(groupName); - try { - return f(); - } finally { - core7.endGroup(); - } -} -function formatDuration(durationMs) { - if (durationMs < 1e3) { - return `${durationMs}ms`; - } - if (durationMs < 60 * 1e3) { - return `${(durationMs 
/ 1e3).toFixed(1)}s`; - } - const minutes = Math.floor(durationMs / (60 * 1e3)); - const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3); - return `${minutes}m${seconds}s`; -} - -// src/diagnostics.ts -var unwrittenDiagnostics = []; -var unwrittenDefaultLanguageDiagnostics = []; -var diagnosticCounter = 0; -function makeDiagnostic(id, name, data = void 0) { - return { - ...data, - timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(), - source: { ...data?.source, id, name } - }; -} -function addDiagnostic(config, language, diagnostic) { - const logger = getActionsLogger(); - const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation; - if ((0, import_fs.existsSync)(databasePath)) { - writeDiagnostic(config, language, diagnostic); - } else { - logger.debug( - `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.` - ); - unwrittenDiagnostics.push({ diagnostic, language }); - } -} -function addNoLanguageDiagnostic(config, diagnostic) { - if (config !== void 0) { - addDiagnostic( - config, - // Arbitrarily choose the first language. We could also choose all languages, but that - // increases the risk of misinterpreting the data. - config.languages[0], - diagnostic - ); - } else { - unwrittenDefaultLanguageDiagnostics.push(diagnostic); - } -} -function writeDiagnostic(config, language, diagnostic) { - const logger = getActionsLogger(); - const databasePath = language ? 
getCodeQLDatabasePath(config, language) : config.dbLocation; - const diagnosticsPath = import_path.default.resolve( - databasePath, - "diagnostic", - "codeql-action" - ); - try { - (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); - const uniqueSuffix = (diagnosticCounter++).toString(); - const sanitizedTimestamp = diagnostic.timestamp.replace( - /[^a-zA-Z0-9.-]/g, - "" - ); - const jsonPath = import_path.default.resolve( - diagnosticsPath, - `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json` - ); - (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic)); - } catch (err) { - logger.warning(`Unable to write diagnostic message to database: ${err}`); - logger.debug(JSON.stringify(diagnostic)); - } -} - -// src/diff-informed-analysis-utils.ts -var fs6 = __toESM(require("fs")); - // src/feature-flags.ts var fs5 = __toESM(require("fs")); -var path6 = __toESM(require("path")); -var semver5 = __toESM(require_semver2()); +var path5 = __toESM(require("path")); +var semver4 = __toESM(require_semver2()); // src/defaults.json var bundleVersion = "codeql-bundle-v2.25.4"; 
@@ -130906,19 +130727,19 @@ var cliVersion = "2.25.4"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); -var path5 = __toESM(require("path")); +var path4 = __toESM(require("path")); // src/git-utils.ts var fs3 = __toESM(require("fs")); -var path4 = __toESM(require("path")); -var core8 = __toESM(require_core()); +var path3 = __toESM(require("path")); +var core7 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); -var semver3 = __toESM(require_semver2()); +var semver2 = __toESM(require_semver2()); var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) { let stdout = ""; let stderr = ""; - core8.debug(`Running git command: git ${args.join(" ")}`); + core7.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -130939,7 +130760,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error3; } }; @@ -131035,7 +130856,7 @@ var getGitRoot = async function(sourceRoot) { } }; function hasSubmodules(gitRoot) { - return fs3.existsSync(path4.join(gitRoot, ".gitmodules")); + return fs3.existsSync(path3.join(gitRoot, ".gitmodules")); } var getFileOidsUnderPath = async function(basePath) { const gitRoot = await getGitRoot(basePath); @@ -131102,7 +130923,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core8.debug( + core7.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; 
@@ -131167,7 +130988,7 @@ async function writeOverlayChangesFile(config, sourceRoot, logger) { const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger); const changedFiles = [.../* @__PURE__ */ new Set([...oidChangedFiles, ...diffRangeFiles])]; const changedFilesJson = JSON.stringify({ changes: changedFiles }); - const overlayChangesFile = path5.join( + const overlayChangesFile = path4.join( getTemporaryDirectory(), "overlay-changes.json" ); @@ -131233,19 +131054,19 @@ async function getDiffRangeFilePaths(sourceRoot, logger) { return [...new Set(diffRanges.map((r) => r.path))]; } const relativePaths = diffRanges.map( - (r) => path5.relative(sourceRoot, path5.join(repoRoot, r.path)).replaceAll(path5.sep, "/") + (r) => path4.relative(sourceRoot, path4.join(repoRoot, r.path)).replaceAll(path4.sep, "/") ).filter((rel) => !rel.startsWith("..")); return [...new Set(relativePaths)]; } // src/tools-features.ts -var semver4 = __toESM(require_semver2()); +var semver3 = __toESM(require_semver2()); function isSupportedToolsFeature(versionInfo, feature) { return !!versionInfo.features && versionInfo.features[feature]; } var SafeArtifactUploadVersion = "2.20.3"; function isSafeArtifactUpload(codeQlVersion) { - return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion); + return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion); } // src/feature-flags.ts @@ -131253,6 +131074,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", 
@@ -131570,7 +131396,7 @@ var Features = class extends OfflineFeatures { super(logger); this.gitHubFeatureFlags = new GitHubFeatureFlags( repositoryNwo, - path6.join(tempDir, FEATURE_FLAGS_FILE_NAME), + path5.join(tempDir, FEATURE_FLAGS_FILE_NAME), logger ); } @@ -131629,7 +131455,7 @@ var GitHubFeatureFlags = class { DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length, f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length ).replace(/_/g, "."); - if (!semver5.valid(version)) { + if (!semver4.valid(version)) { this.logger.warning( `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.` ); 
@@ -131788,7 +131614,184 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) { } } +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); +var CodeScanning = { + kind: "code-scanning" /* CodeScanning */, + name: "code scanning", + target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */, + sarifExtension: ".sarif", + sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name), + fixCategory: (_2, category) => category, + sentinelPrefix: "CODEQL_UPLOAD_SARIF_", + transformPayload: (payload) => payload +}; +var CodeQuality = { + kind: "code-quality" /* CodeQuality */, + name: "code quality", + target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */, + sarifExtension: ".quality.sarif", + sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension), + fixCategory: fixCodeQualityCategory, + sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_", + transformPayload: (payload) => payload +}; +function addAssessmentId(payload) { + const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */); + const assessmentId = parseInt(rawAssessmentId, 10); + if (Number.isNaN(assessmentId)) { + throw new Error( + `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}` + ); + } + if (assessmentId < 0) { + throw new Error( + `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}` + ); + } + return { sarif: payload.sarif, assessment_id: assessmentId }; +} +var RiskAssessment = { + kind: "risk-assessment" /* RiskAssessment 
*/, + name: "code scanning risk assessment", + target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */, + sarifExtension: ".csra.sarif", + sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension), + fixCategory: (_2, category) => category, + sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_", + transformPayload: addAssessmentId +}; + +// src/config/db-config.ts +var jsonschema = __toESM(require_lib2()); +var semver5 = __toESM(require_semver2()); + +// src/feature-flags/properties.ts +var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { + RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; + RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; + RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; + return RepositoryPropertyName2; +})(RepositoryPropertyName || {}); +var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( + Object.values(RepositoryPropertyName) +); + +// src/config/db-config.ts +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); + +// src/diagnostics.ts +var import_fs = require("fs"); +var import_path = __toESM(require("path")); + +// src/logging.ts +var core8 = __toESM(require_core()); +function getActionsLogger() { + return { + debug: core8.debug, + info: core8.info, + warning: core8.warning, + error: core8.error, + isDebug: core8.isDebug, + startGroup: core8.startGroup, + endGroup: core8.endGroup + }; +} +function withGroup(groupName, f) { + core8.startGroup(groupName); + try { + return f(); + } finally { + core8.endGroup(); + } +} +function formatDuration(durationMs) { + if (durationMs < 1e3) { + return `${durationMs}ms`; + } + if (durationMs < 60 * 1e3) { + return `${(durationMs / 1e3).toFixed(1)}s`; + } + const 
minutes = Math.floor(durationMs / (60 * 1e3)); + const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3); + return `${minutes}m${seconds}s`; +} + +// src/diagnostics.ts +var unwrittenDiagnostics = []; +var unwrittenDefaultLanguageDiagnostics = []; +var diagnosticCounter = 0; +function makeDiagnostic(id, name, data = void 0) { + return { + ...data, + timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(), + source: { ...data?.source, id, name } + }; +} +function addDiagnostic(config, language, diagnostic) { + const logger = getActionsLogger(); + const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation; + if ((0, import_fs.existsSync)(databasePath)) { + writeDiagnostic(config, language, diagnostic); + } else { + logger.debug( + `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.` + ); + unwrittenDiagnostics.push({ diagnostic, language }); + } +} +function addNoLanguageDiagnostic(config, diagnostic) { + if (config !== void 0) { + addDiagnostic( + config, + // Arbitrarily choose the first language. We could also choose all languages, but that + // increases the risk of misinterpreting the data. + config.languages[0], + diagnostic + ); + } else { + unwrittenDefaultLanguageDiagnostics.push(diagnostic); + } +} +function writeDiagnostic(config, language, diagnostic) { + const logger = getActionsLogger(); + const databasePath = language ? 
getCodeQLDatabasePath(config, language) : config.dbLocation; + const diagnosticsPath = import_path.default.resolve( + databasePath, + "diagnostic", + "codeql-action" + ); + try { + (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); + const uniqueSuffix = (diagnosticCounter++).toString(); + const sanitizedTimestamp = diagnostic.timestamp.replace( + /[^a-zA-Z0-9.-]/g, + "" + ); + const jsonPath = import_path.default.resolve( + diagnosticsPath, + `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json` + ); + (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic)); + } catch (err) { + logger.warning(`Unable to write diagnostic message to database: ${err}`); + logger.debug(JSON.stringify(diagnostic)); + } +} + // src/diff-informed-analysis-utils.ts +var fs6 = __toESM(require("fs")); function readDiffRangesJsonFile(logger) { const jsonFilePath = getDiffRangesJsonFilePath(); if (!fs6.existsSync(jsonFilePath)) { diff --git a/lib/init-action.js b/lib/init-action.js index b7cdc23b7..c6f67eec4 100644 --- a/lib/init-action.js +++ b/lib/init-action.js 
@@ -86357,66 +86357,10 @@ function isAnalyzingPullRequest() { return getPullRequestBranches() !== void 0; } -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind3) => { - AnalysisKind3["CodeScanning"] = "code-scanning"; - AnalysisKind3["CodeQuality"] = "code-quality"; - AnalysisKind3["RiskAssessment"] = "risk-assessment"; - return AnalysisKind3; -})(AnalysisKind || {}); -var compatibilityMatrix = { - ["code-scanning" /* CodeScanning */]: /* @__PURE__ */ new Set(["code-quality" /* CodeQuality */]), - ["code-quality" /* CodeQuality */]: /* @__PURE__ */ new Set(["code-scanning" /* CodeScanning */]), - ["risk-assessment" /* RiskAssessment */]: /* @__PURE__ */ new Set() -}; -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); -async function parseAnalysisKinds(input) { - const components = input.split(","); - if (components.length < 1) { - throw new ConfigurationError( - "At least one analysis kind must be configured." - ); - } - for (const component of components) { - if (!supportedAnalysisKinds.has(component)) { - throw new ConfigurationError(`Unknown analysis kind: ${component}`); - } - } - return Array.from( - new Set(components.map((component) => component)) - ); -} -var cachedAnalysisKinds; -async function getAnalysisKinds(logger, skipCache = false) { - if (!skipCache && cachedAnalysisKinds !== void 0) { - return cachedAnalysisKinds; - } - const analysisKinds = await parseAnalysisKinds( - getRequiredInput("analysis-kinds") - ); - const qualityQueriesInput = getOptionalInput("quality-queries"); - if (qualityQueriesInput !== void 0) { - logger.warning( - "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. Use the `analysis-kinds` input to configure different analysis kinds instead." 
- ); - } - if (!analysisKinds.includes("code-quality" /* CodeQuality */) && qualityQueriesInput !== void 0) { - analysisKinds.push("code-quality" /* CodeQuality */); - } - for (const analysisKind of analysisKinds) { - for (const otherAnalysisKind of analysisKinds) { - if (analysisKind === otherAnalysisKind) continue; - if (!compatibilityMatrix[analysisKind].has(otherAnalysisKind)) { - throw new ConfigurationError( - `${analysisKind} and ${otherAnalysisKind} cannot be enabled at the same time` - ); - } - } - } - cachedAnalysisKinds = analysisKinds; - return cachedAnalysisKinds; -} -var codeQualityQueries = ["code-quality"]; +// src/feature-flags.ts +var fs5 = __toESM(require("fs")); +var path5 = __toESM(require("path")); +var semver4 = __toESM(require_semver2()); // src/api-client.ts var core5 = __toESM(require_core()); 
@@ -86682,618 +86626,22 @@ function wrapApiConfigurationError(e) { return e; } -// src/caching-utils.ts -var crypto2 = __toESM(require("crypto")); -var core6 = __toESM(require_core()); -async function getTotalCacheSize(paths, logger, quiet = false) { - const sizes = await Promise.all( - paths.map((cacheDir) => tryGetFolderBytes(cacheDir, logger, quiet)) - ); - return sizes.map((a) => a || 0).reduce((a, b) => a + b, 0); -} -function shouldRestoreCache(kind) { - return kind === "full" /* Full */ || kind === "restore" /* Restore */; -} -function getCachingKind(input) { - switch (input) { - case void 0: - case "none": - case "off": - case "false": - return "none" /* None */; - case "full": - case "on": - case "true": - return "full" /* Full */; - case "store": - return "store" /* Store */; - case "restore": - return "restore" /* Restore */; - default: - core6.warning( - `Unrecognized 'dependency-caching' input: ${input}. Defaulting to 'none'.` - ); - return "none" /* None */; - } -} -var cacheKeyHashLength = 16; -function createCacheKeyHash(components) { - const componentsJson = JSON.stringify(components); - return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); -} -function getDependencyCachingEnabled() { - const dependencyCaching = getOptionalInput("dependency-caching") || process.env["CODEQL_ACTION_DEPENDENCY_CACHING" /* DEPENDENCY_CACHING */]; - if (dependencyCaching !== void 0) return getCachingKind(dependencyCaching); - if (!isHostedRunner()) return "none" /* None */; - if (!isDefaultSetup()) return "none" /* None */; - return "none" /* None */; -} - -// src/config-utils.ts -var fs9 = __toESM(require("fs")); -var path10 = __toESM(require("path")); -var import_perf_hooks = require("perf_hooks"); -var core9 = __toESM(require_core()); - -// src/config/db-config.ts -var path3 = __toESM(require("path")); -var jsonschema = __toESM(require_lib2()); -var semver2 = __toESM(require_semver2()); - -// src/error-messages.ts 
-var PACKS_PROPERTY = "packs"; -function getConfigFileOutsideWorkspaceErrorMessage(configFile) { - return `The configuration file "${configFile}" is outside of the workspace`; -} -function getConfigFileDoesNotExistErrorMessage(configFile) { - return `The configuration file "${configFile}" does not exist`; -} -function getConfigFileParseErrorMessage(configFile, message) { - return `Cannot parse "${configFile}": ${message}`; -} -function getInvalidConfigFileMessage(configFile, messages) { - const andMore = messages.length > 10 ? `, and ${messages.length - 10} more.` : "."; - return `The configuration file "${configFile}" is invalid: ${messages.slice(0, 10).join(", ")}${andMore}`; -} -function getConfigFileRepoFormatInvalidMessage(configFile) { - let error3 = `The configuration file "${configFile}" is not a supported remote file reference.`; - error3 += " Expected format //@"; - return error3; -} -function getConfigFileFormatInvalidMessage(configFile) { - return `The configuration file "${configFile}" could not be read`; -} -function getConfigFileDirectoryGivenMessage(configFile) { - return `The configuration file "${configFile}" looks like a directory, not a file`; -} -function getEmptyCombinesError() { - return `A '+' was used to specify that you want to add extra arguments to the configuration, but no extra arguments were specified. Please either remove the '+' or specify some extra arguments.`; -} -function getConfigFilePropertyError(configFile, property, error3) { - if (configFile === void 0) { - return `The workflow property "${property}" is invalid: ${error3}`; - } else { - return `The configuration file "${configFile}" is invalid: property "${property}" ${error3}`; - } -} -function getRepoPropertyError(propertyName, error3) { - return `The repository property "${propertyName}" is invalid: ${error3}`; -} -function getPacksStrInvalid(packStr, configFile) { - return configFile ? 
getConfigFilePropertyError( - configFile, - PACKS_PROPERTY, - `"${packStr}" is not a valid pack` - ) : `"${packStr}" is not a valid pack`; -} -function getNoLanguagesError() { - return "Did not detect any languages to analyze. Please update input in workflow or check that GitHub detects the correct languages in your repository."; -} -function getUnknownLanguagesError(languages) { - return `Did not recognize the following languages: ${languages.join(", ")}`; -} - -// src/feature-flags/properties.ts -var GITHUB_CODEQL_PROPERTY_PREFIX = "github-codeql-"; -var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { - RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; - RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; - RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; - return RepositoryPropertyName2; -})(RepositoryPropertyName || {}); -function isString2(value) { - return typeof value === "string"; -} -var stringProperty = { - validate: isString2, - parse: parseStringRepositoryProperty -}; -var booleanProperty = { - // The value from the API should come as a string, which we then parse into a boolean. 
- validate: isString2, - parse: parseBooleanRepositoryProperty -}; -var repositoryPropertyParsers = { - ["github-codeql-disable-overlay" /* DISABLE_OVERLAY */]: booleanProperty, - ["github-codeql-extra-queries" /* EXTRA_QUERIES */]: stringProperty, - ["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty -}; -async function loadPropertiesFromApi(logger, repositoryNwo) { - try { - const response = await getRepositoryProperties(repositoryNwo); - const remoteProperties = response.data; - if (!Array.isArray(remoteProperties)) { - throw new Error( - `Expected repository properties API to return an array, but got: ${JSON.stringify(response.data)}` - ); - } - logger.debug( - `Retrieved ${remoteProperties.length} repository properties: ${remoteProperties.map((p) => p.property_name).join(", ")}` - ); - const properties = {}; - const unrecognisedProperties = []; - for (const property of remoteProperties) { - if (property.property_name === void 0) { - throw new Error( - `Expected repository property object to have a 'property_name', but got: ${JSON.stringify(property)}` - ); - } - if (isKnownPropertyName(property.property_name)) { - setProperty2(properties, property.property_name, property.value, logger); - } else if (property.property_name.startsWith(GITHUB_CODEQL_PROPERTY_PREFIX) && !isDynamicWorkflow()) { - unrecognisedProperties.push(property.property_name); - } - } - if (Object.keys(properties).length === 0) { - logger.debug("No known repository properties were found."); - } else { - logger.debug( - "Loaded the following values for the repository properties:" - ); - for (const [property, value] of Object.entries(properties).sort( - ([nameA], [nameB]) => nameA.localeCompare(nameB) - )) { - logger.debug(` ${property}: ${value}`); - } - } - if (unrecognisedProperties.length > 0) { - const unrecognisedPropertyList = unrecognisedProperties.map((name) => `'${name}'`).join(", "); - logger.warning( - `Found repository properties 
(${unrecognisedPropertyList}), which look like CodeQL Action repository properties, but which are not understood by this version of the CodeQL Action. Do you need to update to a newer version?` - ); - } - return properties; - } catch (e) { - throw new Error( - `Encountered an error while trying to determine repository properties: ${e}` - ); - } -} -function setProperty2(properties, name, value, logger) { - const propertyOptions = repositoryPropertyParsers[name]; - if (propertyOptions.validate(value)) { - properties[name] = propertyOptions.parse(name, value, logger); - } else { - throw new Error( - `Unexpected value for repository property '${name}' (${typeof value}), got: ${JSON.stringify(value)}` - ); - } -} -function parseBooleanRepositoryProperty(name, value, logger) { - if (value !== "true" && value !== "false") { - logger.warning( - `Repository property '${name}' has unexpected value '${value}'. Expected 'true' or 'false'. Defaulting to false.` - ); - } - return value === "true"; -} -function parseStringRepositoryProperty(_name, value) { - return value; -} -var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( - Object.values(RepositoryPropertyName) -); -function isKnownPropertyName(name) { - return KNOWN_REPOSITORY_PROPERTY_NAMES.has(name); -} - -// src/config/db-config.ts -function shouldCombine(inputValue) { - return !!inputValue?.trim().startsWith("+"); -} -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); -function parsePacksSpecification(packStr) { - if (typeof packStr !== "string") { - throw new ConfigurationError(getPacksStrInvalid(packStr)); - } - packStr = packStr.trim(); - const atIndex = packStr.indexOf("@"); - const colonIndex = packStr.indexOf(":", atIndex); - const packStart = 0; - const versionStart = atIndex + 1 || void 0; - const pathStart = 
colonIndex + 1 || void 0; - const packEnd = Math.min( - atIndex > 0 ? atIndex : Infinity, - colonIndex > 0 ? colonIndex : Infinity, - packStr.length - ); - const versionEnd = versionStart ? Math.min(colonIndex > 0 ? colonIndex : Infinity, packStr.length) : void 0; - const pathEnd = pathStart ? packStr.length : void 0; - const packName = packStr.slice(packStart, packEnd).trim(); - const version = versionStart ? packStr.slice(versionStart, versionEnd).trim() : void 0; - const packPath = pathStart ? packStr.slice(pathStart, pathEnd).trim() : void 0; - if (!PACK_IDENTIFIER_PATTERN.test(packName)) { - throw new ConfigurationError(getPacksStrInvalid(packStr)); - } - if (version) { - try { - new semver2.Range(version); - } catch { - throw new ConfigurationError(getPacksStrInvalid(packStr)); - } - } - if (packPath && (path3.isAbsolute(packPath) || // Permit using "/" instead of "\" on Windows - // Use `x.split(y).join(z)` as a polyfill for `x.replaceAll(y, z)` since - // if we used a regex we'd need to escape the path separator on Windows - // which seems more awkward. - path3.normalize(packPath).split(path3.sep).join("/") !== packPath.split(path3.sep).join("/"))) { - throw new ConfigurationError(getPacksStrInvalid(packStr)); - } - if (!packPath && pathStart) { - throw new ConfigurationError(getPacksStrInvalid(packStr)); - } - return { - name: packName, - version, - path: packPath - }; -} -function validatePackSpecification(pack) { - return prettyPrintPack(parsePacksSpecification(pack)); -} -function parsePacksFromInput(rawPacksInput, languages, packsInputCombines) { - if (!rawPacksInput?.trim()) { - return void 0; - } - if (languages.length > 1) { - throw new ConfigurationError( - "Cannot specify a 'packs' input in a multi-language analysis. Use a codeql-config.yml file instead and specify packs by language." - ); - } else if (languages.length === 0) { - throw new ConfigurationError( - "No languages specified. Cannot process the packs input." 
- ); - } - rawPacksInput = rawPacksInput.trim(); - if (packsInputCombines) { - rawPacksInput = rawPacksInput.trim().substring(1).trim(); - if (!rawPacksInput) { - throw new ConfigurationError( - getConfigFilePropertyError( - void 0, - "packs", - "A '+' was used in the 'packs' input to specify that you wished to add some packs to your CodeQL analysis. However, no packs were specified. Please either remove the '+' or specify some packs." - ) - ); - } - } - return { - [languages[0]]: rawPacksInput.split(",").reduce((packs, pack) => { - packs.push(validatePackSpecification(pack)); - return packs; - }, []) - }; -} -async function calculateAugmentation(rawPacksInput, rawQueriesInput, repositoryProperties, languages) { - const packsInputCombines = shouldCombine(rawPacksInput); - const packsInput = parsePacksFromInput( - rawPacksInput, - languages, - packsInputCombines - ); - const queriesInputCombines = shouldCombine(rawQueriesInput); - const queriesInput = parseQueriesFromInput( - rawQueriesInput, - queriesInputCombines - ); - const repoExtraQueries = repositoryProperties["github-codeql-extra-queries" /* EXTRA_QUERIES */]; - const repoExtraQueriesCombines = shouldCombine(repoExtraQueries); - const repoPropertyQueries = { - combines: repoExtraQueriesCombines, - input: parseQueriesFromInput( - repoExtraQueries, - repoExtraQueriesCombines, - new ConfigurationError( - getRepoPropertyError( - "github-codeql-extra-queries" /* EXTRA_QUERIES */, - getEmptyCombinesError() - ) - ) - ) - }; - return { - packsInputCombines, - packsInput: packsInput?.[languages[0]], - queriesInput, - queriesInputCombines, - repoPropertyQueries - }; -} -function parseQueriesFromInput(rawQueriesInput, queriesInputCombines, errorToThrow) { - if (!rawQueriesInput) { - return void 0; - } - const trimmedInput = queriesInputCombines ? rawQueriesInput.trim().slice(1).trim() : rawQueriesInput?.trim() ?? 
""; - if (queriesInputCombines && trimmedInput.length === 0) { - if (errorToThrow) { - throw errorToThrow; - } - throw new ConfigurationError( - getConfigFilePropertyError( - void 0, - "queries", - "A '+' was used in the 'queries' input to specify that you wished to add some packs to your CodeQL analysis. However, no packs were specified. Please either remove the '+' or specify some packs." - ) - ); - } - return trimmedInput.split(",").map((query) => ({ uses: query.trim() })); -} -function combineQueries(logger, config, augmentationProperties) { - const result = []; - if (augmentationProperties.repoPropertyQueries?.input) { - logger.info( - `Found query configuration in the repository properties (${"github-codeql-extra-queries" /* EXTRA_QUERIES */}): ${augmentationProperties.repoPropertyQueries.input.map((q) => q.uses).join(", ")}` - ); - if (!augmentationProperties.repoPropertyQueries.combines) { - logger.info( - `The queries configured in the repository properties don't allow combining with other query settings. 
Any queries configured elsewhere will be ignored.` - ); - return augmentationProperties.repoPropertyQueries.input; - } else { - result.push(...augmentationProperties.repoPropertyQueries.input); - } - } - if (augmentationProperties.queriesInput) { - if (!augmentationProperties.queriesInputCombines) { - return result.concat(augmentationProperties.queriesInput); - } else { - result.push(...augmentationProperties.queriesInput); - } - } - if (config.queries) { - result.push(...config.queries); - } - return result; -} -function generateCodeScanningConfig(logger, originalUserInput, augmentationProperties) { - const augmentedConfig = cloneObject(originalUserInput); - augmentedConfig.queries = combineQueries( - logger, - augmentedConfig, - augmentationProperties - ); - logger.debug( - `Combined queries: ${augmentedConfig.queries?.map((q) => q.uses).join(",")}` - ); - if (augmentedConfig.queries?.length === 0) { - delete augmentedConfig.queries; - } - if (augmentationProperties.packsInput) { - if (augmentationProperties.packsInputCombines) { - if (Array.isArray(augmentedConfig.packs)) { - augmentedConfig.packs = (augmentedConfig.packs || []).concat( - augmentationProperties.packsInput - ); - } else if (!augmentedConfig.packs) { - augmentedConfig.packs = augmentationProperties.packsInput; - } else { - const language = Object.keys(augmentedConfig.packs)[0]; - augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput); - } - } else { - augmentedConfig.packs = augmentationProperties.packsInput; - } - } - if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) { - delete augmentedConfig.packs; - } - return augmentedConfig; -} -function parseUserConfig(logger, pathInput, contents, validateConfig) { - try { - const schema2 = ( - // eslint-disable-next-line @typescript-eslint/no-require-imports - require_db_config_schema() - ); - const doc = load(contents); - if (validateConfig) { - const result = new 
jsonschema.Validator().validate(doc, schema2); - if (result.errors.length > 0) { - for (const error3 of result.errors) { - logger.error(error3.stack); - } - throw new ConfigurationError( - getInvalidConfigFileMessage( - pathInput, - result.errors.map((e) => e.stack) - ) - ); - } - } - return doc; - } catch (error3) { - if (error3 instanceof YAMLException) { - throw new ConfigurationError( - getConfigFileParseErrorMessage(pathInput, error3.message) - ); - } - throw error3; - } -} - -// src/diagnostics.ts -var import_fs = require("fs"); -var import_path = __toESM(require("path")); - -// src/logging.ts -var core7 = __toESM(require_core()); -function getActionsLogger() { - return { - debug: core7.debug, - info: core7.info, - warning: core7.warning, - error: core7.error, - isDebug: core7.isDebug, - startGroup: core7.startGroup, - endGroup: core7.endGroup - }; -} -async function withGroupAsync(groupName, f) { - core7.startGroup(groupName); - try { - return await f(); - } finally { - core7.endGroup(); - } -} -function formatDuration(durationMs) { - if (durationMs < 1e3) { - return `${durationMs}ms`; - } - if (durationMs < 60 * 1e3) { - return `${(durationMs / 1e3).toFixed(1)}s`; - } - const minutes = Math.floor(durationMs / (60 * 1e3)); - const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3); - return `${minutes}m${seconds}s`; -} - -// src/diagnostics.ts -var unwrittenDiagnostics = []; -var unwrittenDefaultLanguageDiagnostics = []; -var diagnosticCounter = 0; -function makeDiagnostic(id, name, data = void 0) { - return { - ...data, - timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(), - source: { ...data?.source, id, name } - }; -} -function addDiagnostic(config, language, diagnostic) { - const logger = getActionsLogger(); - const databasePath = language ? 
getCodeQLDatabasePath(config, language) : config.dbLocation; - if ((0, import_fs.existsSync)(databasePath)) { - writeDiagnostic(config, language, diagnostic); - } else { - logger.debug( - `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.` - ); - unwrittenDiagnostics.push({ diagnostic, language }); - } -} -function addNoLanguageDiagnostic(config, diagnostic) { - if (config !== void 0) { - addDiagnostic( - config, - // Arbitrarily choose the first language. We could also choose all languages, but that - // increases the risk of misinterpreting the data. - config.languages[0], - diagnostic - ); - } else { - unwrittenDefaultLanguageDiagnostics.push(diagnostic); - } -} -function writeDiagnostic(config, language, diagnostic) { - const logger = getActionsLogger(); - const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation; - const diagnosticsPath = import_path.default.resolve( - databasePath, - "diagnostic", - "codeql-action" - ); - try { - (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); - const uniqueSuffix = (diagnosticCounter++).toString(); - const sanitizedTimestamp = diagnostic.timestamp.replace( - /[^a-zA-Z0-9.-]/g, - "" - ); - const jsonPath = import_path.default.resolve( - diagnosticsPath, - `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json` - ); - (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic)); - } catch (err) { - logger.warning(`Unable to write diagnostic message to database: ${err}`); - logger.debug(JSON.stringify(diagnostic)); - } -} -function logUnwrittenDiagnostics() { - const logger = getActionsLogger(); - const num = unwrittenDiagnostics.length; - if (num > 0) { - logger.warning( - `${num} diagnostic(s) could not be written to the database and will not appear on the Tool Status Page.` - ); - for (const unwritten of unwrittenDiagnostics) { - logger.debug(JSON.stringify(unwritten.diagnostic)); - } - } -} -function 
flushDiagnostics(config) { - const logger = getActionsLogger(); - const diagnosticsCount = unwrittenDiagnostics.length + unwrittenDefaultLanguageDiagnostics.length; - logger.debug(`Writing ${diagnosticsCount} diagnostic(s) to database.`); - for (const unwritten of unwrittenDiagnostics) { - writeDiagnostic(config, unwritten.language, unwritten.diagnostic); - } - for (const unwritten of unwrittenDefaultLanguageDiagnostics) { - addNoLanguageDiagnostic(config, unwritten); - } - unwrittenDiagnostics = []; - unwrittenDefaultLanguageDiagnostics = []; -} -function makeTelemetryDiagnostic(id, name, attributes) { - return makeDiagnostic(id, name, { - attributes, - visibility: { - cliSummaryTable: false, - statusPage: false, - telemetry: true - } - }); -} - -// src/diff-informed-analysis-utils.ts -var fs6 = __toESM(require("fs")); - -// src/feature-flags.ts -var fs5 = __toESM(require("fs")); -var path7 = __toESM(require("path")); -var semver5 = __toESM(require_semver2()); - // src/defaults.json var bundleVersion = "codeql-bundle-v2.25.4"; var cliVersion = "2.25.4"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); -var path6 = __toESM(require("path")); +var path4 = __toESM(require("path")); // src/git-utils.ts var fs3 = __toESM(require("fs")); var os2 = __toESM(require("os")); -var path5 = __toESM(require("path")); -var core8 = __toESM(require_core()); +var path3 = __toESM(require("path")); +var core6 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); -var semver3 = __toESM(require_semver2()); +var semver2 = __toESM(require_semver2()); var GIT_MINIMUM_VERSION_FOR_OVERLAY_WITH_SUBMODULES = "2.36.0"; var GitVersionInfo = class { constructor(truncatedVersion, fullVersion) { 
@@ -87303,7 +86651,7 @@ var GitVersionInfo = class { truncatedVersion; fullVersion; isAtLeast(minVersion) { - return semver3.gte(this.truncatedVersion, minVersion); + return semver2.gte(this.truncatedVersion, minVersion); } }; async function getGitVersionOrThrow() { @@ -87321,7 +86669,7 @@ async function getGitVersionOrThrow() { var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) { let stdout = ""; let stderr = ""; - core8.debug(`Running git command: git ${args.join(" ")}`); + core6.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -87342,7 +86690,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error3; } }; @@ -87404,7 +86752,7 @@ var getGitRoot = async function(sourceRoot) { } }; function hasSubmodules(gitRoot) { - return fs3.existsSync(path5.join(gitRoot, ".gitmodules")); + return fs3.existsSync(path3.join(gitRoot, ".gitmodules")); } var getFileOidsUnderPath = async function(basePath) { const gitRoot = await getGitRoot(basePath); @@ -87471,7 +86819,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core8.debug( + core6.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; 
@@ -87562,7 +86910,7 @@ async function writeOverlayChangesFile(config, sourceRoot, logger) { const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger); const changedFiles = [.../* @__PURE__ */ new Set([...oidChangedFiles, ...diffRangeFiles])]; const changedFilesJson = JSON.stringify({ changes: changedFiles }); - const overlayChangesFile = path6.join( + const overlayChangesFile = path4.join( getTemporaryDirectory(), "overlay-changes.json" ); @@ -87628,13 +86976,13 @@ async function getDiffRangeFilePaths(sourceRoot, logger) { return [...new Set(diffRanges.map((r) => r.path))]; } const relativePaths = diffRanges.map( - (r) => path6.relative(sourceRoot, path6.join(repoRoot, r.path)).replaceAll(path6.sep, "/") + (r) => path4.relative(sourceRoot, path4.join(repoRoot, r.path)).replaceAll(path4.sep, "/") ).filter((rel) => !rel.startsWith("..")); return [...new Set(relativePaths)]; } // src/tools-features.ts -var semver4 = __toESM(require_semver2()); +var semver3 = __toESM(require_semver2()); function isSupportedToolsFeature(versionInfo, feature) { return !!versionInfo.features && versionInfo.features[feature]; } @@ -87644,6 +86992,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", @@ -87961,7 +87314,7 @@ var Features = class extends OfflineFeatures { super(logger); this.gitHubFeatureFlags = new GitHubFeatureFlags( repositoryNwo, - path7.join(tempDir, FEATURE_FLAGS_FILE_NAME), + path5.join(tempDir, FEATURE_FLAGS_FILE_NAME), logger ); } 
@@ -88020,7 +87373,7 @@ var GitHubFeatureFlags = class { DEFAULT_VERSION_FEATURE_FLAG_PREFIX.length, f.length - DEFAULT_VERSION_FEATURE_FLAG_SUFFIX.length ).replace(/_/g, "."); - if (!semver5.valid(version)) { + if (!semver4.valid(version)) { this.logger.warning( `Ignoring feature flag ${f} as it does not specify a valid CodeQL version.` ); 
@@ -88179,7 +87532,662 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) { } } +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind3) => { + AnalysisKind3["CodeScanning"] = "code-scanning"; + AnalysisKind3["CodeQuality"] = "code-quality"; + AnalysisKind3["RiskAssessment"] = "risk-assessment"; + return AnalysisKind3; +})(AnalysisKind || {}); +var compatibilityMatrix = { + ["code-scanning" /* CodeScanning */]: /* @__PURE__ */ new Set(["code-quality" /* CodeQuality */]), + ["code-quality" /* CodeQuality */]: /* @__PURE__ */ new Set(["code-scanning" /* CodeScanning */]), + ["risk-assessment" /* RiskAssessment */]: /* @__PURE__ */ new Set() +}; +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); +async function parseAnalysisKinds(input) { + const components = input.split(","); + if (components.length < 1) { + throw new ConfigurationError( + "At least one analysis kind must be configured." + ); + } + for (const component of components) { + if (!supportedAnalysisKinds.has(component)) { + throw new ConfigurationError(`Unknown analysis kind: ${component}`); + } + } + return Array.from( + new Set(components.map((component) => component)) + ); +} +var cachedAnalysisKinds; +async function getAnalysisKinds(logger, features, skipCache = false) { + if (!skipCache && cachedAnalysisKinds !== void 0) { + return cachedAnalysisKinds; + } + const analysisKinds = await parseAnalysisKinds( + getRequiredInput("analysis-kinds") + ); + const qualityQueriesInput = getOptionalInput("quality-queries"); + if (qualityQueriesInput !== void 0) { + logger.warning( + "The `quality-queries` input is deprecated and will be removed in a future version of the CodeQL Action. Use the `analysis-kinds` input to configure different analysis kinds instead." 
+ ); + } + if (!analysisKinds.includes("code-quality" /* CodeQuality */) && qualityQueriesInput !== void 0) { + analysisKinds.push("code-quality" /* CodeQuality */); + } + for (const analysisKind of analysisKinds) { + for (const otherAnalysisKind of analysisKinds) { + if (analysisKind === otherAnalysisKind) continue; + if (!compatibilityMatrix[analysisKind].has(otherAnalysisKind)) { + throw new ConfigurationError( + `${analysisKind} and ${otherAnalysisKind} cannot be enabled at the same time` + ); + } + } + } + if (!isInTestMode() && analysisKinds.length > 1 && !await features.getValue("allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */)) { + throw new ConfigurationError( + "The `analysis-kinds` input is experimental and for GitHub-internal use only. Its behaviour may change at any time or be removed entirely. Specifying multiple values as input is no longer supported." + ); + } + cachedAnalysisKinds = analysisKinds; + return cachedAnalysisKinds; +} +var codeQualityQueries = ["code-quality"]; + +// src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); +var core7 = __toESM(require_core()); +async function getTotalCacheSize(paths, logger, quiet = false) { + const sizes = await Promise.all( + paths.map((cacheDir) => tryGetFolderBytes(cacheDir, logger, quiet)) + ); + return sizes.map((a) => a || 0).reduce((a, b) => a + b, 0); +} +function shouldRestoreCache(kind) { + return kind === "full" /* Full */ || kind === "restore" /* Restore */; +} +function getCachingKind(input) { + switch (input) { + case void 0: + case "none": + case "off": + case "false": + return "none" /* None */; + case "full": + case "on": + case "true": + return "full" /* Full */; + case "store": + return "store" /* Store */; + case "restore": + return "restore" /* Restore */; + default: + core7.warning( + `Unrecognized 'dependency-caching' input: ${input}. 
Defaulting to 'none'.` + ); + return "none" /* None */; + } +} +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} +function getDependencyCachingEnabled() { + const dependencyCaching = getOptionalInput("dependency-caching") || process.env["CODEQL_ACTION_DEPENDENCY_CACHING" /* DEPENDENCY_CACHING */]; + if (dependencyCaching !== void 0) return getCachingKind(dependencyCaching); + if (!isHostedRunner()) return "none" /* None */; + if (!isDefaultSetup()) return "none" /* None */; + return "none" /* None */; +} + +// src/config-utils.ts +var fs9 = __toESM(require("fs")); +var path10 = __toESM(require("path")); +var import_perf_hooks = require("perf_hooks"); +var core9 = __toESM(require_core()); + +// src/config/db-config.ts +var path6 = __toESM(require("path")); +var jsonschema = __toESM(require_lib2()); +var semver5 = __toESM(require_semver2()); + +// src/error-messages.ts +var PACKS_PROPERTY = "packs"; +function getConfigFileOutsideWorkspaceErrorMessage(configFile) { + return `The configuration file "${configFile}" is outside of the workspace`; +} +function getConfigFileDoesNotExistErrorMessage(configFile) { + return `The configuration file "${configFile}" does not exist`; +} +function getConfigFileParseErrorMessage(configFile, message) { + return `Cannot parse "${configFile}": ${message}`; +} +function getInvalidConfigFileMessage(configFile, messages) { + const andMore = messages.length > 10 ? 
`, and ${messages.length - 10} more.` : "."; + return `The configuration file "${configFile}" is invalid: ${messages.slice(0, 10).join(", ")}${andMore}`; +} +function getConfigFileRepoFormatInvalidMessage(configFile) { + let error3 = `The configuration file "${configFile}" is not a supported remote file reference.`; + error3 += " Expected format //@"; + return error3; +} +function getConfigFileFormatInvalidMessage(configFile) { + return `The configuration file "${configFile}" could not be read`; +} +function getConfigFileDirectoryGivenMessage(configFile) { + return `The configuration file "${configFile}" looks like a directory, not a file`; +} +function getEmptyCombinesError() { + return `A '+' was used to specify that you want to add extra arguments to the configuration, but no extra arguments were specified. Please either remove the '+' or specify some extra arguments.`; +} +function getConfigFilePropertyError(configFile, property, error3) { + if (configFile === void 0) { + return `The workflow property "${property}" is invalid: ${error3}`; + } else { + return `The configuration file "${configFile}" is invalid: property "${property}" ${error3}`; + } +} +function getRepoPropertyError(propertyName, error3) { + return `The repository property "${propertyName}" is invalid: ${error3}`; +} +function getPacksStrInvalid(packStr, configFile) { + return configFile ? getConfigFilePropertyError( + configFile, + PACKS_PROPERTY, + `"${packStr}" is not a valid pack` + ) : `"${packStr}" is not a valid pack`; +} +function getNoLanguagesError() { + return "Did not detect any languages to analyze. 
Please update input in workflow or check that GitHub detects the correct languages in your repository."; +} +function getUnknownLanguagesError(languages) { + return `Did not recognize the following languages: ${languages.join(", ")}`; +} + +// src/feature-flags/properties.ts +var GITHUB_CODEQL_PROPERTY_PREFIX = "github-codeql-"; +var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { + RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; + RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; + RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; + return RepositoryPropertyName2; +})(RepositoryPropertyName || {}); +function isString2(value) { + return typeof value === "string"; +} +var stringProperty = { + validate: isString2, + parse: parseStringRepositoryProperty +}; +var booleanProperty = { + // The value from the API should come as a string, which we then parse into a boolean. + validate: isString2, + parse: parseBooleanRepositoryProperty +}; +var repositoryPropertyParsers = { + ["github-codeql-disable-overlay" /* DISABLE_OVERLAY */]: booleanProperty, + ["github-codeql-extra-queries" /* EXTRA_QUERIES */]: stringProperty, + ["github-codeql-file-coverage-on-prs" /* FILE_COVERAGE_ON_PRS */]: booleanProperty +}; +async function loadPropertiesFromApi(logger, repositoryNwo) { + try { + const response = await getRepositoryProperties(repositoryNwo); + const remoteProperties = response.data; + if (!Array.isArray(remoteProperties)) { + throw new Error( + `Expected repository properties API to return an array, but got: ${JSON.stringify(response.data)}` + ); + } + logger.debug( + `Retrieved ${remoteProperties.length} repository properties: ${remoteProperties.map((p) => p.property_name).join(", ")}` + ); + const properties = {}; + const unrecognisedProperties = []; + for (const property of remoteProperties) { + if (property.property_name === void 0) { + throw new Error( + 
`Expected repository property object to have a 'property_name', but got: ${JSON.stringify(property)}` + ); + } + if (isKnownPropertyName(property.property_name)) { + setProperty2(properties, property.property_name, property.value, logger); + } else if (property.property_name.startsWith(GITHUB_CODEQL_PROPERTY_PREFIX) && !isDynamicWorkflow()) { + unrecognisedProperties.push(property.property_name); + } + } + if (Object.keys(properties).length === 0) { + logger.debug("No known repository properties were found."); + } else { + logger.debug( + "Loaded the following values for the repository properties:" + ); + for (const [property, value] of Object.entries(properties).sort( + ([nameA], [nameB]) => nameA.localeCompare(nameB) + )) { + logger.debug(` ${property}: ${value}`); + } + } + if (unrecognisedProperties.length > 0) { + const unrecognisedPropertyList = unrecognisedProperties.map((name) => `'${name}'`).join(", "); + logger.warning( + `Found repository properties (${unrecognisedPropertyList}), which look like CodeQL Action repository properties, but which are not understood by this version of the CodeQL Action. Do you need to update to a newer version?` + ); + } + return properties; + } catch (e) { + throw new Error( + `Encountered an error while trying to determine repository properties: ${e}` + ); + } +} +function setProperty2(properties, name, value, logger) { + const propertyOptions = repositoryPropertyParsers[name]; + if (propertyOptions.validate(value)) { + properties[name] = propertyOptions.parse(name, value, logger); + } else { + throw new Error( + `Unexpected value for repository property '${name}' (${typeof value}), got: ${JSON.stringify(value)}` + ); + } +} +function parseBooleanRepositoryProperty(name, value, logger) { + if (value !== "true" && value !== "false") { + logger.warning( + `Repository property '${name}' has unexpected value '${value}'. Expected 'true' or 'false'. 
Defaulting to false.` + ); + } + return value === "true"; +} +function parseStringRepositoryProperty(_name, value) { + return value; +} +var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( + Object.values(RepositoryPropertyName) +); +function isKnownPropertyName(name) { + return KNOWN_REPOSITORY_PROPERTY_NAMES.has(name); +} + +// src/config/db-config.ts +function shouldCombine(inputValue) { + return !!inputValue?.trim().startsWith("+"); +} +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); +function parsePacksSpecification(packStr) { + if (typeof packStr !== "string") { + throw new ConfigurationError(getPacksStrInvalid(packStr)); + } + packStr = packStr.trim(); + const atIndex = packStr.indexOf("@"); + const colonIndex = packStr.indexOf(":", atIndex); + const packStart = 0; + const versionStart = atIndex + 1 || void 0; + const pathStart = colonIndex + 1 || void 0; + const packEnd = Math.min( + atIndex > 0 ? atIndex : Infinity, + colonIndex > 0 ? colonIndex : Infinity, + packStr.length + ); + const versionEnd = versionStart ? Math.min(colonIndex > 0 ? colonIndex : Infinity, packStr.length) : void 0; + const pathEnd = pathStart ? packStr.length : void 0; + const packName = packStr.slice(packStart, packEnd).trim(); + const version = versionStart ? packStr.slice(versionStart, versionEnd).trim() : void 0; + const packPath = pathStart ? 
packStr.slice(pathStart, pathEnd).trim() : void 0; + if (!PACK_IDENTIFIER_PATTERN.test(packName)) { + throw new ConfigurationError(getPacksStrInvalid(packStr)); + } + if (version) { + try { + new semver5.Range(version); + } catch { + throw new ConfigurationError(getPacksStrInvalid(packStr)); + } + } + if (packPath && (path6.isAbsolute(packPath) || // Permit using "/" instead of "\" on Windows + // Use `x.split(y).join(z)` as a polyfill for `x.replaceAll(y, z)` since + // if we used a regex we'd need to escape the path separator on Windows + // which seems more awkward. + path6.normalize(packPath).split(path6.sep).join("/") !== packPath.split(path6.sep).join("/"))) { + throw new ConfigurationError(getPacksStrInvalid(packStr)); + } + if (!packPath && pathStart) { + throw new ConfigurationError(getPacksStrInvalid(packStr)); + } + return { + name: packName, + version, + path: packPath + }; +} +function validatePackSpecification(pack) { + return prettyPrintPack(parsePacksSpecification(pack)); +} +function parsePacksFromInput(rawPacksInput, languages, packsInputCombines) { + if (!rawPacksInput?.trim()) { + return void 0; + } + if (languages.length > 1) { + throw new ConfigurationError( + "Cannot specify a 'packs' input in a multi-language analysis. Use a codeql-config.yml file instead and specify packs by language." + ); + } else if (languages.length === 0) { + throw new ConfigurationError( + "No languages specified. Cannot process the packs input." + ); + } + rawPacksInput = rawPacksInput.trim(); + if (packsInputCombines) { + rawPacksInput = rawPacksInput.trim().substring(1).trim(); + if (!rawPacksInput) { + throw new ConfigurationError( + getConfigFilePropertyError( + void 0, + "packs", + "A '+' was used in the 'packs' input to specify that you wished to add some packs to your CodeQL analysis. However, no packs were specified. Please either remove the '+' or specify some packs." 
+ ) + ); + } + } + return { + [languages[0]]: rawPacksInput.split(",").reduce((packs, pack) => { + packs.push(validatePackSpecification(pack)); + return packs; + }, []) + }; +} +async function calculateAugmentation(rawPacksInput, rawQueriesInput, repositoryProperties, languages) { + const packsInputCombines = shouldCombine(rawPacksInput); + const packsInput = parsePacksFromInput( + rawPacksInput, + languages, + packsInputCombines + ); + const queriesInputCombines = shouldCombine(rawQueriesInput); + const queriesInput = parseQueriesFromInput( + rawQueriesInput, + queriesInputCombines + ); + const repoExtraQueries = repositoryProperties["github-codeql-extra-queries" /* EXTRA_QUERIES */]; + const repoExtraQueriesCombines = shouldCombine(repoExtraQueries); + const repoPropertyQueries = { + combines: repoExtraQueriesCombines, + input: parseQueriesFromInput( + repoExtraQueries, + repoExtraQueriesCombines, + new ConfigurationError( + getRepoPropertyError( + "github-codeql-extra-queries" /* EXTRA_QUERIES */, + getEmptyCombinesError() + ) + ) + ) + }; + return { + packsInputCombines, + packsInput: packsInput?.[languages[0]], + queriesInput, + queriesInputCombines, + repoPropertyQueries + }; +} +function parseQueriesFromInput(rawQueriesInput, queriesInputCombines, errorToThrow) { + if (!rawQueriesInput) { + return void 0; + } + const trimmedInput = queriesInputCombines ? rawQueriesInput.trim().slice(1).trim() : rawQueriesInput?.trim() ?? ""; + if (queriesInputCombines && trimmedInput.length === 0) { + if (errorToThrow) { + throw errorToThrow; + } + throw new ConfigurationError( + getConfigFilePropertyError( + void 0, + "queries", + "A '+' was used in the 'queries' input to specify that you wished to add some packs to your CodeQL analysis. However, no packs were specified. Please either remove the '+' or specify some packs." 
+ ) + ); + } + return trimmedInput.split(",").map((query) => ({ uses: query.trim() })); +} +function combineQueries(logger, config, augmentationProperties) { + const result = []; + if (augmentationProperties.repoPropertyQueries?.input) { + logger.info( + `Found query configuration in the repository properties (${"github-codeql-extra-queries" /* EXTRA_QUERIES */}): ${augmentationProperties.repoPropertyQueries.input.map((q) => q.uses).join(", ")}` + ); + if (!augmentationProperties.repoPropertyQueries.combines) { + logger.info( + `The queries configured in the repository properties don't allow combining with other query settings. Any queries configured elsewhere will be ignored.` + ); + return augmentationProperties.repoPropertyQueries.input; + } else { + result.push(...augmentationProperties.repoPropertyQueries.input); + } + } + if (augmentationProperties.queriesInput) { + if (!augmentationProperties.queriesInputCombines) { + return result.concat(augmentationProperties.queriesInput); + } else { + result.push(...augmentationProperties.queriesInput); + } + } + if (config.queries) { + result.push(...config.queries); + } + return result; +} +function generateCodeScanningConfig(logger, originalUserInput, augmentationProperties) { + const augmentedConfig = cloneObject(originalUserInput); + augmentedConfig.queries = combineQueries( + logger, + augmentedConfig, + augmentationProperties + ); + logger.debug( + `Combined queries: ${augmentedConfig.queries?.map((q) => q.uses).join(",")}` + ); + if (augmentedConfig.queries?.length === 0) { + delete augmentedConfig.queries; + } + if (augmentationProperties.packsInput) { + if (augmentationProperties.packsInputCombines) { + if (Array.isArray(augmentedConfig.packs)) { + augmentedConfig.packs = (augmentedConfig.packs || []).concat( + augmentationProperties.packsInput + ); + } else if (!augmentedConfig.packs) { + augmentedConfig.packs = augmentationProperties.packsInput; + } else { + const language = 
Object.keys(augmentedConfig.packs)[0]; + augmentedConfig.packs[language] = augmentedConfig.packs[language].concat(augmentationProperties.packsInput); + } + } else { + augmentedConfig.packs = augmentationProperties.packsInput; + } + } + if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) { + delete augmentedConfig.packs; + } + return augmentedConfig; +} +function parseUserConfig(logger, pathInput, contents, validateConfig) { + try { + const schema2 = ( + // eslint-disable-next-line @typescript-eslint/no-require-imports + require_db_config_schema() + ); + const doc = load(contents); + if (validateConfig) { + const result = new jsonschema.Validator().validate(doc, schema2); + if (result.errors.length > 0) { + for (const error3 of result.errors) { + logger.error(error3.stack); + } + throw new ConfigurationError( + getInvalidConfigFileMessage( + pathInput, + result.errors.map((e) => e.stack) + ) + ); + } + } + return doc; + } catch (error3) { + if (error3 instanceof YAMLException) { + throw new ConfigurationError( + getConfigFileParseErrorMessage(pathInput, error3.message) + ); + } + throw error3; + } +} + +// src/diagnostics.ts +var import_fs = require("fs"); +var import_path = __toESM(require("path")); + +// src/logging.ts +var core8 = __toESM(require_core()); +function getActionsLogger() { + return { + debug: core8.debug, + info: core8.info, + warning: core8.warning, + error: core8.error, + isDebug: core8.isDebug, + startGroup: core8.startGroup, + endGroup: core8.endGroup + }; +} +async function withGroupAsync(groupName, f) { + core8.startGroup(groupName); + try { + return await f(); + } finally { + core8.endGroup(); + } +} +function formatDuration(durationMs) { + if (durationMs < 1e3) { + return `${durationMs}ms`; + } + if (durationMs < 60 * 1e3) { + return `${(durationMs / 1e3).toFixed(1)}s`; + } + const minutes = Math.floor(durationMs / (60 * 1e3)); + const seconds = Math.floor(durationMs % (60 * 1e3) / 1e3); + return 
`${minutes}m${seconds}s`; +} + +// src/diagnostics.ts +var unwrittenDiagnostics = []; +var unwrittenDefaultLanguageDiagnostics = []; +var diagnosticCounter = 0; +function makeDiagnostic(id, name, data = void 0) { + return { + ...data, + timestamp: data?.timestamp ?? (/* @__PURE__ */ new Date()).toISOString(), + source: { ...data?.source, id, name } + }; +} +function addDiagnostic(config, language, diagnostic) { + const logger = getActionsLogger(); + const databasePath = language ? getCodeQLDatabasePath(config, language) : config.dbLocation; + if ((0, import_fs.existsSync)(databasePath)) { + writeDiagnostic(config, language, diagnostic); + } else { + logger.debug( + `Writing a diagnostic for ${language}, but the database at ${databasePath} does not exist yet.` + ); + unwrittenDiagnostics.push({ diagnostic, language }); + } +} +function addNoLanguageDiagnostic(config, diagnostic) { + if (config !== void 0) { + addDiagnostic( + config, + // Arbitrarily choose the first language. We could also choose all languages, but that + // increases the risk of misinterpreting the data. + config.languages[0], + diagnostic + ); + } else { + unwrittenDefaultLanguageDiagnostics.push(diagnostic); + } +} +function writeDiagnostic(config, language, diagnostic) { + const logger = getActionsLogger(); + const databasePath = language ? 
getCodeQLDatabasePath(config, language) : config.dbLocation; + const diagnosticsPath = import_path.default.resolve( + databasePath, + "diagnostic", + "codeql-action" + ); + try { + (0, import_fs.mkdirSync)(diagnosticsPath, { recursive: true }); + const uniqueSuffix = (diagnosticCounter++).toString(); + const sanitizedTimestamp = diagnostic.timestamp.replace( + /[^a-zA-Z0-9.-]/g, + "" + ); + const jsonPath = import_path.default.resolve( + diagnosticsPath, + `codeql-action-${sanitizedTimestamp}-${uniqueSuffix}.json` + ); + (0, import_fs.writeFileSync)(jsonPath, JSON.stringify(diagnostic)); + } catch (err) { + logger.warning(`Unable to write diagnostic message to database: ${err}`); + logger.debug(JSON.stringify(diagnostic)); + } +} +function logUnwrittenDiagnostics() { + const logger = getActionsLogger(); + const num = unwrittenDiagnostics.length; + if (num > 0) { + logger.warning( + `${num} diagnostic(s) could not be written to the database and will not appear on the Tool Status Page.` + ); + for (const unwritten of unwrittenDiagnostics) { + logger.debug(JSON.stringify(unwritten.diagnostic)); + } + } +} +function flushDiagnostics(config) { + const logger = getActionsLogger(); + const diagnosticsCount = unwrittenDiagnostics.length + unwrittenDefaultLanguageDiagnostics.length; + logger.debug(`Writing ${diagnosticsCount} diagnostic(s) to database.`); + for (const unwritten of unwrittenDiagnostics) { + writeDiagnostic(config, unwritten.language, unwritten.diagnostic); + } + for (const unwritten of unwrittenDefaultLanguageDiagnostics) { + addNoLanguageDiagnostic(config, unwritten); + } + unwrittenDiagnostics = []; + unwrittenDefaultLanguageDiagnostics = []; +} +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} + // src/diff-informed-analysis-utils.ts +var fs6 = __toESM(require("fs")); async function 
shouldPerformDiffInformedAnalysis(codeql, features, logger) { return await getDiffInformedAnalysisBranches(codeql, features, logger) !== void 0; } @@ -92342,7 +92350,7 @@ async function run(startedAt) { ); let analysisKinds; try { - analysisKinds = await getAnalysisKinds(logger); + analysisKinds = await getAnalysisKinds(logger, features); } catch (err) { logger.debug( `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}` @@ -92391,7 +92399,7 @@ async function run(startedAt) { logger.info("Experimental Rust analysis enabled"); } } - analysisKinds = await getAnalysisKinds(logger); + analysisKinds = await getAnalysisKinds(logger, features); const debugMode = getOptionalInput("debug") === "true" || core15.isDebug(); const repositoryProperties = repositoryPropertiesResult.orElse({}); const fileCoverageResult = await getFileCoverageInformationEnabled( diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index e1fa46a53..c0322b31a 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js 
@@ -86170,57 +86170,8 @@ var fs4 = __toESM(require("fs")); var path5 = __toESM(require("path")); var core9 = __toESM(require_core()); -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - AnalysisKind2["RiskAssessment"] = "risk-assessment"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); - -// src/caching-utils.ts -var core6 = __toESM(require_core()); - -// src/config/db-config.ts -var jsonschema = __toESM(require_lib2()); -var semver2 = __toESM(require_semver2()); - -// src/feature-flags/properties.ts -var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { - RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; - RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; - RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; - return RepositoryPropertyName2; -})(RepositoryPropertyName || {}); -var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( - Object.values(RepositoryPropertyName) -); - -// src/config/db-config.ts -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); - -// src/logging.ts -var core7 = __toESM(require_core()); -function getActionsLogger() { - return { - debug: core7.debug, - info: core7.info, - warning: core7.warning, - error: core7.error, - isDebug: core7.isDebug, - startGroup: core7.startGroup, - endGroup: core7.endGroup - }; -} - // src/feature-flags.ts -var semver5 = __toESM(require_semver2()); +var semver4 = __toESM(require_semver2()); // src/overlay/index.ts var fs3 = __toESM(require("fs")); 
@@ -86229,14 +86180,14 @@ var path4 = __toESM(require("path")); // src/git-utils.ts var fs2 = __toESM(require("fs")); var path3 = __toESM(require("path")); -var core8 = __toESM(require_core()); +var core6 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); -var semver3 = __toESM(require_semver2()); +var semver2 = __toESM(require_semver2()); var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) { let stdout = ""; let stderr = ""; - core8.debug(`Running git command: git ${args.join(" ")}`); + core6.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -86257,7 +86208,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage, o if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error3; } }; @@ -86386,7 +86337,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core8.debug( + core6.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; 
@@ -86523,13 +86474,18 @@ async function getDiffRangeFilePaths(sourceRoot, logger) { } // src/tools-features.ts -var semver4 = __toESM(require_semver2()); +var semver3 = __toESM(require_semver2()); function isSupportedToolsFeature(versionInfo, feature) { return !!versionInfo.features && versionInfo.features[feature]; } // src/feature-flags.ts var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", 
@@ -86738,6 +86694,55 @@ var featureConfig = { } }; +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); + +// src/caching-utils.ts +var core7 = __toESM(require_core()); + +// src/config/db-config.ts +var jsonschema = __toESM(require_lib2()); +var semver5 = __toESM(require_semver2()); + +// src/feature-flags/properties.ts +var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { + RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; + RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; + RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; + return RepositoryPropertyName2; +})(RepositoryPropertyName || {}); +var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( + Object.values(RepositoryPropertyName) +); + +// src/config/db-config.ts +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); + +// src/logging.ts +var core8 = __toESM(require_core()); +function getActionsLogger() { + return { + debug: core8.debug, + info: core8.info, + warning: core8.warning, + error: core8.error, + isDebug: core8.isDebug, + startGroup: core8.startGroup, + endGroup: core8.endGroup + }; +} + // src/languages/builtin.json var builtin_default = { languages: [ diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index e86bbb192..1e9a8dc4e 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js 
@@ -86381,6 +86381,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 6f70d7093..8bda754c6 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js 
@@ -126977,63 +126977,14 @@ var fs = __toESM(require("fs")); var path = __toESM(require("path")); var core9 = __toESM(require_core()); -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - AnalysisKind2["RiskAssessment"] = "risk-assessment"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); - -// src/caching-utils.ts -var core6 = __toESM(require_core()); - -// src/config/db-config.ts -var jsonschema = __toESM(require_lib2()); -var semver2 = __toESM(require_semver2()); - -// src/feature-flags/properties.ts -var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { - RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; - RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; - RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; - return RepositoryPropertyName2; -})(RepositoryPropertyName || {}); -var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( - Object.values(RepositoryPropertyName) -); - -// src/config/db-config.ts -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); - -// src/logging.ts -var core7 = __toESM(require_core()); -function getActionsLogger() { - return { - debug: core7.debug, - info: core7.info, - warning: core7.warning, - error: core7.error, - isDebug: core7.isDebug, - startGroup: core7.startGroup, - endGroup: core7.endGroup - }; -} - // src/feature-flags.ts -var semver5 = __toESM(require_semver2()); +var semver4 = __toESM(require_semver2()); // src/git-utils.ts -var core8 = __toESM(require_core()); +var core6 = __toESM(require_core()); var toolrunner2 = 
__toESM(require_toolrunner()); var io3 = __toESM(require_io()); -var semver3 = __toESM(require_semver2()); +var semver2 = __toESM(require_semver2()); // src/overlay/index.ts var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8"; @@ -127046,10 +126997,15 @@ var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9"; var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9"; // src/tools-features.ts -var semver4 = __toESM(require_semver2()); +var semver3 = __toESM(require_semver2()); // src/feature-flags.ts var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", 
@@ -127258,6 +127214,55 @@ var featureConfig = { } }; +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); + +// src/caching-utils.ts +var core7 = __toESM(require_core()); + +// src/config/db-config.ts +var jsonschema = __toESM(require_lib2()); +var semver5 = __toESM(require_semver2()); + +// src/feature-flags/properties.ts +var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { + RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; + RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; + RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; + return RepositoryPropertyName2; +})(RepositoryPropertyName || {}); +var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( + Object.values(RepositoryPropertyName) +); + +// src/config/db-config.ts +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); + +// src/logging.ts +var core8 = __toESM(require_core()); +function getActionsLogger() { + return { + debug: core8.debug, + info: core8.info, + warning: core8.warning, + error: core8.error, + isDebug: core8.isDebug, + startGroup: core8.startGroup, + endGroup: core8.endGroup + }; +} + // src/languages/builtin.json var builtin_default = { languages: [ diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 39fd56a80..4d45f0a5f 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js 
@@ -103178,6 +103178,11 @@ var semver3 = __toESM(require_semver2()); var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", diff --git a/lib/upload-lib.js b/lib/upload-lib.js index f1f90b4c2..764989a01 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js 
@@ -88655,64 +88655,8 @@ function fixCodeQualityCategory(logger, category) { return category; } -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - AnalysisKind2["RiskAssessment"] = "risk-assessment"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); -var CodeScanning = { - kind: "code-scanning" /* CodeScanning */, - name: "code scanning", - target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */, - sarifExtension: ".sarif", - sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name), - fixCategory: (_, category) => category, - sentinelPrefix: "CODEQL_UPLOAD_SARIF_", - transformPayload: (payload) => payload -}; -var CodeQuality = { - kind: "code-quality" /* CodeQuality */, - name: "code quality", - target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */, - sarifExtension: ".quality.sarif", - sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension), - fixCategory: fixCodeQualityCategory, - sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_", - transformPayload: (payload) => payload -}; -function addAssessmentId(payload) { - const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */); - const assessmentId = parseInt(rawAssessmentId, 10); - if (Number.isNaN(assessmentId)) { - throw new Error( - `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}` - ); - } - if (assessmentId < 0) { - throw new Error( - `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}` - ); - } - return { sarif: payload.sarif, assessment_id: assessmentId }; -} -var RiskAssessment = { - kind: "risk-assessment" /* RiskAssessment */, - 
name: "code scanning risk assessment", - target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */, - sarifExtension: ".csra.sarif", - sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension), - fixCategory: (_, category) => category, - sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_", - transformPayload: addAssessmentId -}; -var SarifScanOrder = [ - RiskAssessment, - CodeQuality, - CodeScanning -]; +// src/feature-flags.ts +var semver4 = __toESM(require_semver2()); // src/api-client.ts var core5 = __toESM(require_core()); 
@@ -88964,6 +88908,625 @@ function wrapApiConfigurationError(e) { return e; } +// src/defaults.json +var bundleVersion = "codeql-bundle-v2.25.4"; +var cliVersion = "2.25.4"; + +// src/overlay/index.ts +var fs4 = __toESM(require("fs")); +var path4 = __toESM(require("path")); + +// src/git-utils.ts +var fs3 = __toESM(require("fs")); +var path3 = __toESM(require("path")); +var core6 = __toESM(require_core()); +var toolrunner2 = __toESM(require_toolrunner()); +var io3 = __toESM(require_io()); +var semver2 = __toESM(require_semver2()); +var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) { + let stdout = ""; + let stderr = ""; + core6.debug(`Running git command: git ${args.join(" ")}`); + try { + await new toolrunner2.ToolRunner(await io3.which("git", true), args, { + silent: true, + listeners: { + stdout: (data) => { + stdout += data.toString(); + }, + stderr: (data) => { + stderr += data.toString(); + } + }, + cwd: workingDirectory, + ...options + }).exec(); + return stdout; + } catch (error3) { + let reason = stderr; + if (stderr.includes("not a git repository")) { + reason = "The checkout path provided to the action does not appear to be a git repository."; + } + core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + throw error3; + } +}; +var getCommitOid = async function(checkoutPath, ref = "HEAD") { + try { + const stdout = await runGitCommand( + checkoutPath, + ["rev-parse", ref], + "Continuing with commit SHA from user input or environment." + ); + return stdout.trim(); + } catch { + return getOptionalInput("sha") || getRequiredEnvParam("GITHUB_SHA"); + } +}; +var determineBaseBranchHeadCommitOid = async function(checkoutPathOverride) { + if (getWorkflowEventName() !== "pull_request") { + return void 0; + } + const mergeSha = getRequiredEnvParam("GITHUB_SHA"); + const checkoutPath = checkoutPathOverride ?? 
getOptionalInput("checkout_path"); + try { + let commitOid = ""; + let baseOid = ""; + let headOid = ""; + const stdout = await runGitCommand( + checkoutPath, + ["show", "-s", "--format=raw", mergeSha], + "Will calculate the base branch SHA on the server." + ); + for (const data of stdout.split("\n")) { + if (data.startsWith("commit ") && commitOid === "") { + commitOid = data.substring(7); + } else if (data.startsWith("parent ")) { + if (baseOid === "") { + baseOid = data.substring(7); + } else if (headOid === "") { + headOid = data.substring(7); + } + } + } + if (commitOid === mergeSha && headOid.length === 40 && baseOid.length === 40) { + return baseOid; + } + return void 0; + } catch { + return void 0; + } +}; +var decodeGitFilePath = function(filePath) { + if (filePath.startsWith('"') && filePath.endsWith('"')) { + filePath = filePath.substring(1, filePath.length - 1); + return filePath.replace( + /\\([abfnrtv\\"]|[0-7]{1,3})/g, + (_match, seq2) => { + switch (seq2[0]) { + case "a": + return "\x07"; + case "b": + return "\b"; + case "f": + return "\f"; + case "n": + return "\n"; + case "r": + return "\r"; + case "t": + return " "; + case "v": + return "\v"; + case "\\": + return "\\"; + case '"': + return '"'; + default: + return String.fromCharCode(parseInt(seq2, 8)); + } + } + ); + } + return filePath; +}; +var getGitRoot = async function(sourceRoot) { + try { + const stdout = await runGitCommand( + sourceRoot, + ["rev-parse", "--show-toplevel"], + `Cannot find Git repository root from the source root ${sourceRoot}.` + ); + return stdout.trim(); + } catch { + return void 0; + } +}; +function hasSubmodules(gitRoot) { + return fs3.existsSync(path3.join(gitRoot, ".gitmodules")); +} +var getFileOidsUnderPath = async function(basePath) { + const gitRoot = await getGitRoot(basePath); + const mayHaveSubmodules = gitRoot === void 0 ? true : hasSubmodules(gitRoot); + const args = mayHaveSubmodules ? 
["ls-files", "--recurse-submodules", "--stage"] : ["ls-files", "--stage"]; + const stdout = await runGitCommand( + basePath, + args, + "Cannot list Git OIDs of tracked files." + ); + const fileOidMap = {}; + const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/; + for (const line of stdout.split("\n")) { + if (line) { + const match = line.match(regex); + if (match) { + const oid = match[1]; + const filePath = decodeGitFilePath(match[2]); + fileOidMap[filePath] = oid; + } else { + throw new Error(`Unexpected "git ls-files" output: ${line}`); + } + } + } + return fileOidMap; +}; +function getRefFromEnv() { + let refEnv; + try { + refEnv = getRequiredEnvParam("GITHUB_REF"); + } catch (e) { + const maybeRef = process.env["CODE_SCANNING_REF"]; + if (maybeRef === void 0 || maybeRef.length === 0) { + throw e; + } + refEnv = maybeRef; + } + return refEnv; +} +async function getRef() { + const refInput = getOptionalInput("ref"); + const shaInput = getOptionalInput("sha"); + const checkoutPath = getOptionalInput("checkout_path") || getOptionalInput("source-root") || getRequiredEnvParam("GITHUB_WORKSPACE"); + const hasRefInput = !!refInput; + const hasShaInput = !!shaInput; + if ((hasRefInput || hasShaInput) && !(hasRefInput && hasShaInput)) { + throw new ConfigurationError( + "Both 'ref' and 'sha' are required if one of them is provided." 
+ ); + } + const ref = refInput || getRefFromEnv(); + const sha = shaInput || getRequiredEnvParam("GITHUB_SHA"); + if (refInput) { + return refInput; + } + const pull_ref_regex = /refs\/pull\/(\d+)\/merge/; + if (!pull_ref_regex.test(ref)) { + return ref; + } + const head = await getCommitOid(checkoutPath, "HEAD"); + const hasChangedRef = sha !== head && await getCommitOid( + checkoutPath, + ref.replace(/^refs\/pull\//, "refs/remotes/pull/") + ) !== head; + if (hasChangedRef) { + const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); + core6.debug( + `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` + ); + return newRef; + } else { + return ref; + } +} +function removeRefsHeadsPrefix(ref) { + return ref.startsWith("refs/heads/") ? ref.slice("refs/heads/".length) : ref; +} +async function isAnalyzingDefaultBranch() { + if (process.env.CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH === "true") { + return true; + } + let currentRef = await getRef(); + currentRef = removeRefsHeadsPrefix(currentRef); + const event = getWorkflowEvent(); + let defaultBranch = event?.repository?.default_branch; + if (getWorkflowEventName() === "schedule") { + defaultBranch = removeRefsHeadsPrefix(getRefFromEnv()); + } + return currentRef === defaultBranch; +} + +// src/overlay/index.ts +var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8"; +var CODEQL_OVERLAY_MINIMUM_VERSION_CPP = "2.25.0"; +var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1"; +var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2"; +var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8"; +var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9"; +var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9"; +var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9"; +async function writeBaseDatabaseOidsFile(config, sourceRoot) { + const gitFileOids = await getFileOidsUnderPath(sourceRoot); + const gitFileOidsJson = JSON.stringify(gitFileOids); + const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); + await 
fs4.promises.writeFile(baseDatabaseOidsFilePath, gitFileOidsJson); +} +async function readBaseDatabaseOidsFile(config, logger) { + const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); + try { + const contents = await fs4.promises.readFile( + baseDatabaseOidsFilePath, + "utf-8" + ); + return JSON.parse(contents); + } catch (e) { + logger.error( + `Failed to read overlay-base file OIDs from ${baseDatabaseOidsFilePath}: ${e.message || e}` + ); + throw e; + } +} +async function writeOverlayChangesFile(config, sourceRoot, logger) { + const baseFileOids = await readBaseDatabaseOidsFile(config, logger); + const overlayFileOids = await getFileOidsUnderPath(sourceRoot); + const oidChangedFiles = computeChangedFiles(baseFileOids, overlayFileOids); + logger.info( + `Found ${oidChangedFiles.length} changed file(s) under ${sourceRoot} from OID comparison.` + ); + const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger); + const changedFiles = [.../* @__PURE__ */ new Set([...oidChangedFiles, ...diffRangeFiles])]; + const changedFilesJson = JSON.stringify({ changes: changedFiles }); + const overlayChangesFile = path4.join( + getTemporaryDirectory(), + "overlay-changes.json" + ); + logger.debug( + `Writing overlay changed files to ${overlayChangesFile}: ${changedFilesJson}` + ); + await fs4.promises.writeFile(overlayChangesFile, changedFilesJson); + return overlayChangesFile; +} +function computeChangedFiles(baseFileOids, overlayFileOids) { + const changes = []; + for (const [file, oid] of Object.entries(overlayFileOids)) { + if (!(file in baseFileOids) || baseFileOids[file] !== oid) { + changes.push(file); + } + } + for (const file of Object.keys(baseFileOids)) { + if (!(file in overlayFileOids)) { + changes.push(file); + } + } + return changes; +} +async function getDiffRangeFilePaths(sourceRoot, logger) { + const jsonFilePath = getDiffRangesJsonFilePath(); + if (!fs4.existsSync(jsonFilePath)) { + logger.debug( + `No diff ranges JSON file found at 
${jsonFilePath}; skipping.` + ); + return []; + } + let contents; + try { + contents = await fs4.promises.readFile(jsonFilePath, "utf8"); + } catch (e) { + logger.warning( + `Failed to read diff ranges JSON file at ${jsonFilePath}: ${e}` + ); + return []; + } + let diffRanges; + try { + diffRanges = JSON.parse(contents); + } catch (e) { + logger.warning( + `Failed to parse diff ranges JSON file at ${jsonFilePath}: ${e}` + ); + return []; + } + logger.debug( + `Read ${diffRanges.length} diff range(s) from ${jsonFilePath} for overlay changes.` + ); + const repoRoot = await getGitRoot(sourceRoot); + if (repoRoot === void 0) { + if (getOptionalInput("source-root")) { + throw new Error( + "Cannot determine git root to convert diff range paths relative to source-root. Failing to avoid omitting files from the analysis." + ); + } + logger.warning( + "Cannot determine git root; returning diff range paths as-is." + ); + return [...new Set(diffRanges.map((r) => r.path))]; + } + const relativePaths = diffRanges.map( + (r) => path4.relative(sourceRoot, path4.join(repoRoot, r.path)).replaceAll(path4.sep, "/") + ).filter((rel) => !rel.startsWith("..")); + return [...new Set(relativePaths)]; +} + +// src/tools-features.ts +var semver3 = __toESM(require_semver2()); +function isSupportedToolsFeature(versionInfo, feature) { + return !!versionInfo.features && versionInfo.features[feature]; +} + +// src/feature-flags.ts +var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; +var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, + ["allow_toolcache_input" /* AllowToolcacheInput */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", + minimumVersion: void 0 + }, + ["cleanup_trap_caches" /* CleanupTrapCaches */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES", + minimumVersion: void 0 + }, + 
["cpp_dependency_installation_enabled" /* CppDependencyInstallation */]: { + defaultValue: false, + envVar: "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES", + legacyApi: true, + minimumVersion: "2.15.0" + }, + ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN", + minimumVersion: void 0 + }, + ["csharp_new_cache_key" /* CsharpNewCacheKey */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY", + minimumVersion: void 0 + }, + ["diff_informed_queries" /* DiffInformedQueries */]: { + defaultValue: true, + envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES", + minimumVersion: "2.21.0" + }, + ["disable_csharp_buildless" /* DisableCsharpBuildless */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_DISABLE_CSHARP_BUILDLESS", + minimumVersion: void 0 + }, + ["disable_java_buildless_enabled" /* DisableJavaBuildlessEnabled */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_DISABLE_JAVA_BUILDLESS", + legacyApi: true, + minimumVersion: void 0 + }, + ["disable_kotlin_analysis_enabled" /* DisableKotlinAnalysisEnabled */]: { + defaultValue: false, + envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS", + legacyApi: true, + minimumVersion: void 0 + }, + ["export_diagnostics_enabled" /* ExportDiagnosticsEnabled */]: { + defaultValue: true, + envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS", + legacyApi: true, + minimumVersion: void 0 + }, + ["force_nightly" /* ForceNightly */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_FORCE_NIGHTLY", + minimumVersion: void 0 + }, + ["ignore_generated_files" /* IgnoreGeneratedFiles */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", + minimumVersion: void 0 + }, + ["java_network_debugging" /* JavaNetworkDebugging */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", + minimumVersion: void 0 + }, + ["overlay_analysis" /* OverlayAnalysis */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS", + 
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION + }, + // Per-language overlay feature flags. Each has minimumVersion set to the + // minimum CLI version that supports overlay analysis for that language. + // Only languages that are GA or in staff-ship should have feature flags here. + ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP + }, + ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP + }, + ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO + }, + ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA + }, + ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT + }, + ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON + }, + ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY + }, + ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: { + defaultValue: false, + envVar: 
"CODEQL_ACTION_OVERLAY_ANALYSIS_CPP", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP + }, + ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP + }, + ["overlay_analysis_go" /* OverlayAnalysisGo */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO + }, + ["overlay_analysis_java" /* OverlayAnalysisJava */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA + }, + ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT + }, + ["overlay_analysis_python" /* OverlayAnalysisPython */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON + }, + ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY", + minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY + }, + // Other overlay-related feature flags + ["overlay_analysis_disable_trap_caching" /* OverlayAnalysisDisableTrapCaching */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", + minimumVersion: void 0 + }, + ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", + minimumVersion: void 0 + }, + ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK", + minimumVersion: void 0 + }, + ["overlay_analysis_status_save" /* OverlayAnalysisStatusSave */]: { + defaultValue: false, + envVar: 
"CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE", + minimumVersion: void 0 + }, + ["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS", + minimumVersion: void 0 + }, + ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_QA_TELEMETRY", + legacyApi: true, + minimumVersion: void 0 + }, + ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS", + minimumVersion: void 0, + toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */ + }, + ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_START_PROXY_REMOVE_UNUSED_REGISTRIES", + minimumVersion: void 0 + }, + ["start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_START_PROXY_USE_FEATURES_RELEASE", + minimumVersion: void 0 + }, + ["upload_overlay_db_to_api" /* UploadOverlayDbToApi */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_UPLOAD_OVERLAY_DB_TO_API", + minimumVersion: void 0, + toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */ + }, + ["validate_db_config" /* ValidateDbConfig */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG", + minimumVersion: void 0 + } +}; + +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); +var CodeScanning = { + kind: "code-scanning" /* CodeScanning */, + name: "code scanning", + target: "PUT /repos/:owner/:repo/code-scanning/analysis" 
/* CODE_SCANNING */, + sarifExtension: ".sarif", + sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name), + fixCategory: (_, category) => category, + sentinelPrefix: "CODEQL_UPLOAD_SARIF_", + transformPayload: (payload) => payload +}; +var CodeQuality = { + kind: "code-quality" /* CodeQuality */, + name: "code quality", + target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */, + sarifExtension: ".quality.sarif", + sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension), + fixCategory: fixCodeQualityCategory, + sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_", + transformPayload: (payload) => payload +}; +function addAssessmentId(payload) { + const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */); + const assessmentId = parseInt(rawAssessmentId, 10); + if (Number.isNaN(assessmentId)) { + throw new Error( + `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}` + ); + } + if (assessmentId < 0) { + throw new Error( + `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}` + ); + } + return { sarif: payload.sarif, assessment_id: assessmentId }; +} +var RiskAssessment = { + kind: "risk-assessment" /* RiskAssessment */, + name: "code scanning risk assessment", + target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */, + sarifExtension: ".csra.sarif", + sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension), + fixCategory: (_, category) => category, + sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_", + transformPayload: addAssessmentId +}; +var SarifScanOrder = [ + RiskAssessment, + CodeQuality, + CodeScanning +]; + // src/codeql.ts var fs10 = __toESM(require("fs")); var path9 = __toESM(require("path")); 
@@ -89224,11 +89787,11 @@ var path6 = __toESM(require("path")); var core9 = __toESM(require_core()); // src/caching-utils.ts -var core6 = __toESM(require_core()); +var core7 = __toESM(require_core()); // src/config/db-config.ts var jsonschema = __toESM(require_lib2()); -var semver2 = __toESM(require_semver2()); +var semver5 = __toESM(require_semver2()); // src/feature-flags/properties.ts var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { @@ -89254,16 +89817,16 @@ var import_fs = require("fs"); var import_path = __toESM(require("path")); // src/logging.ts -var core7 = __toESM(require_core()); +var core8 = __toESM(require_core()); function getActionsLogger() { return { - debug: core7.debug, - info: core7.info, - warning: core7.warning, - error: core7.error, - isDebug: core7.isDebug, - startGroup: core7.startGroup, - endGroup: core7.endGroup + debug: core8.debug, + info: core8.info, + warning: core8.warning, + error: core8.error, + isDebug: core8.isDebug, + startGroup: core8.startGroup, + endGroup: core8.endGroup }; } function formatDuration(durationMs) { 
@@ -89342,566 +89905,6 @@ function writeDiagnostic(config, language, diagnostic) { // src/diff-informed-analysis-utils.ts var fs5 = __toESM(require("fs")); - -// src/feature-flags.ts -var semver5 = __toESM(require_semver2()); - -// src/defaults.json -var bundleVersion = "codeql-bundle-v2.25.4"; -var cliVersion = "2.25.4"; - -// src/overlay/index.ts -var fs4 = __toESM(require("fs")); -var path5 = __toESM(require("path")); - -// src/git-utils.ts -var fs3 = __toESM(require("fs")); -var path4 = __toESM(require("path")); -var core8 = __toESM(require_core()); -var toolrunner2 = __toESM(require_toolrunner()); -var io3 = __toESM(require_io()); -var semver3 = __toESM(require_semver2()); -var runGitCommand = async function(workingDirectory, args, customErrorMessage, options) { - let stdout = ""; - let stderr = ""; - core8.debug(`Running git command: git ${args.join(" ")}`); - try { - await new toolrunner2.ToolRunner(await io3.which("git", true), args, { - silent: true, - listeners: { - stdout: (data) => { - stdout += data.toString(); - }, - stderr: (data) => { - stderr += data.toString(); - } - }, - cwd: workingDirectory, - ...options - }).exec(); - return stdout; - } catch (error3) { - let reason = stderr; - if (stderr.includes("not a git repository")) { - reason = "The checkout path provided to the action does not appear to be a git repository."; - } - core8.info(`git call failed. ${customErrorMessage} Error: ${reason}`); - throw error3; - } -}; -var getCommitOid = async function(checkoutPath, ref = "HEAD") { - try { - const stdout = await runGitCommand( - checkoutPath, - ["rev-parse", ref], - "Continuing with commit SHA from user input or environment." 
- ); - return stdout.trim(); - } catch { - return getOptionalInput("sha") || getRequiredEnvParam("GITHUB_SHA"); - } -}; -var determineBaseBranchHeadCommitOid = async function(checkoutPathOverride) { - if (getWorkflowEventName() !== "pull_request") { - return void 0; - } - const mergeSha = getRequiredEnvParam("GITHUB_SHA"); - const checkoutPath = checkoutPathOverride ?? getOptionalInput("checkout_path"); - try { - let commitOid = ""; - let baseOid = ""; - let headOid = ""; - const stdout = await runGitCommand( - checkoutPath, - ["show", "-s", "--format=raw", mergeSha], - "Will calculate the base branch SHA on the server." - ); - for (const data of stdout.split("\n")) { - if (data.startsWith("commit ") && commitOid === "") { - commitOid = data.substring(7); - } else if (data.startsWith("parent ")) { - if (baseOid === "") { - baseOid = data.substring(7); - } else if (headOid === "") { - headOid = data.substring(7); - } - } - } - if (commitOid === mergeSha && headOid.length === 40 && baseOid.length === 40) { - return baseOid; - } - return void 0; - } catch { - return void 0; - } -}; -var decodeGitFilePath = function(filePath) { - if (filePath.startsWith('"') && filePath.endsWith('"')) { - filePath = filePath.substring(1, filePath.length - 1); - return filePath.replace( - /\\([abfnrtv\\"]|[0-7]{1,3})/g, - (_match, seq2) => { - switch (seq2[0]) { - case "a": - return "\x07"; - case "b": - return "\b"; - case "f": - return "\f"; - case "n": - return "\n"; - case "r": - return "\r"; - case "t": - return " "; - case "v": - return "\v"; - case "\\": - return "\\"; - case '"': - return '"'; - default: - return String.fromCharCode(parseInt(seq2, 8)); - } - } - ); - } - return filePath; -}; -var getGitRoot = async function(sourceRoot) { - try { - const stdout = await runGitCommand( - sourceRoot, - ["rev-parse", "--show-toplevel"], - `Cannot find Git repository root from the source root ${sourceRoot}.` - ); - return stdout.trim(); - } catch { - return void 0; - } -}; -function 
hasSubmodules(gitRoot) { - return fs3.existsSync(path4.join(gitRoot, ".gitmodules")); -} -var getFileOidsUnderPath = async function(basePath) { - const gitRoot = await getGitRoot(basePath); - const mayHaveSubmodules = gitRoot === void 0 ? true : hasSubmodules(gitRoot); - const args = mayHaveSubmodules ? ["ls-files", "--recurse-submodules", "--stage"] : ["ls-files", "--stage"]; - const stdout = await runGitCommand( - basePath, - args, - "Cannot list Git OIDs of tracked files." - ); - const fileOidMap = {}; - const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/; - for (const line of stdout.split("\n")) { - if (line) { - const match = line.match(regex); - if (match) { - const oid = match[1]; - const filePath = decodeGitFilePath(match[2]); - fileOidMap[filePath] = oid; - } else { - throw new Error(`Unexpected "git ls-files" output: ${line}`); - } - } - } - return fileOidMap; -}; -function getRefFromEnv() { - let refEnv; - try { - refEnv = getRequiredEnvParam("GITHUB_REF"); - } catch (e) { - const maybeRef = process.env["CODE_SCANNING_REF"]; - if (maybeRef === void 0 || maybeRef.length === 0) { - throw e; - } - refEnv = maybeRef; - } - return refEnv; -} -async function getRef() { - const refInput = getOptionalInput("ref"); - const shaInput = getOptionalInput("sha"); - const checkoutPath = getOptionalInput("checkout_path") || getOptionalInput("source-root") || getRequiredEnvParam("GITHUB_WORKSPACE"); - const hasRefInput = !!refInput; - const hasShaInput = !!shaInput; - if ((hasRefInput || hasShaInput) && !(hasRefInput && hasShaInput)) { - throw new ConfigurationError( - "Both 'ref' and 'sha' are required if one of them is provided." 
- ); - } - const ref = refInput || getRefFromEnv(); - const sha = shaInput || getRequiredEnvParam("GITHUB_SHA"); - if (refInput) { - return refInput; - } - const pull_ref_regex = /refs\/pull\/(\d+)\/merge/; - if (!pull_ref_regex.test(ref)) { - return ref; - } - const head = await getCommitOid(checkoutPath, "HEAD"); - const hasChangedRef = sha !== head && await getCommitOid( - checkoutPath, - ref.replace(/^refs\/pull\//, "refs/remotes/pull/") - ) !== head; - if (hasChangedRef) { - const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core8.debug( - `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` - ); - return newRef; - } else { - return ref; - } -} -function removeRefsHeadsPrefix(ref) { - return ref.startsWith("refs/heads/") ? ref.slice("refs/heads/".length) : ref; -} -async function isAnalyzingDefaultBranch() { - if (process.env.CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH === "true") { - return true; - } - let currentRef = await getRef(); - currentRef = removeRefsHeadsPrefix(currentRef); - const event = getWorkflowEvent(); - let defaultBranch = event?.repository?.default_branch; - if (getWorkflowEventName() === "schedule") { - defaultBranch = removeRefsHeadsPrefix(getRefFromEnv()); - } - return currentRef === defaultBranch; -} - -// src/overlay/index.ts -var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8"; -var CODEQL_OVERLAY_MINIMUM_VERSION_CPP = "2.25.0"; -var CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1"; -var CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2"; -var CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8"; -var CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT = "2.23.9"; -var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9"; -var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9"; -async function writeBaseDatabaseOidsFile(config, sourceRoot) { - const gitFileOids = await getFileOidsUnderPath(sourceRoot); - const gitFileOidsJson = JSON.stringify(gitFileOids); - const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); - await 
fs4.promises.writeFile(baseDatabaseOidsFilePath, gitFileOidsJson); -} -async function readBaseDatabaseOidsFile(config, logger) { - const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); - try { - const contents = await fs4.promises.readFile( - baseDatabaseOidsFilePath, - "utf-8" - ); - return JSON.parse(contents); - } catch (e) { - logger.error( - `Failed to read overlay-base file OIDs from ${baseDatabaseOidsFilePath}: ${e.message || e}` - ); - throw e; - } -} -async function writeOverlayChangesFile(config, sourceRoot, logger) { - const baseFileOids = await readBaseDatabaseOidsFile(config, logger); - const overlayFileOids = await getFileOidsUnderPath(sourceRoot); - const oidChangedFiles = computeChangedFiles(baseFileOids, overlayFileOids); - logger.info( - `Found ${oidChangedFiles.length} changed file(s) under ${sourceRoot} from OID comparison.` - ); - const diffRangeFiles = await getDiffRangeFilePaths(sourceRoot, logger); - const changedFiles = [.../* @__PURE__ */ new Set([...oidChangedFiles, ...diffRangeFiles])]; - const changedFilesJson = JSON.stringify({ changes: changedFiles }); - const overlayChangesFile = path5.join( - getTemporaryDirectory(), - "overlay-changes.json" - ); - logger.debug( - `Writing overlay changed files to ${overlayChangesFile}: ${changedFilesJson}` - ); - await fs4.promises.writeFile(overlayChangesFile, changedFilesJson); - return overlayChangesFile; -} -function computeChangedFiles(baseFileOids, overlayFileOids) { - const changes = []; - for (const [file, oid] of Object.entries(overlayFileOids)) { - if (!(file in baseFileOids) || baseFileOids[file] !== oid) { - changes.push(file); - } - } - for (const file of Object.keys(baseFileOids)) { - if (!(file in overlayFileOids)) { - changes.push(file); - } - } - return changes; -} -async function getDiffRangeFilePaths(sourceRoot, logger) { - const jsonFilePath = getDiffRangesJsonFilePath(); - if (!fs4.existsSync(jsonFilePath)) { - logger.debug( - `No diff ranges JSON file found at 
${jsonFilePath}; skipping.` - ); - return []; - } - let contents; - try { - contents = await fs4.promises.readFile(jsonFilePath, "utf8"); - } catch (e) { - logger.warning( - `Failed to read diff ranges JSON file at ${jsonFilePath}: ${e}` - ); - return []; - } - let diffRanges; - try { - diffRanges = JSON.parse(contents); - } catch (e) { - logger.warning( - `Failed to parse diff ranges JSON file at ${jsonFilePath}: ${e}` - ); - return []; - } - logger.debug( - `Read ${diffRanges.length} diff range(s) from ${jsonFilePath} for overlay changes.` - ); - const repoRoot = await getGitRoot(sourceRoot); - if (repoRoot === void 0) { - if (getOptionalInput("source-root")) { - throw new Error( - "Cannot determine git root to convert diff range paths relative to source-root. Failing to avoid omitting files from the analysis." - ); - } - logger.warning( - "Cannot determine git root; returning diff range paths as-is." - ); - return [...new Set(diffRanges.map((r) => r.path))]; - } - const relativePaths = diffRanges.map( - (r) => path5.relative(sourceRoot, path5.join(repoRoot, r.path)).replaceAll(path5.sep, "/") - ).filter((rel) => !rel.startsWith("..")); - return [...new Set(relativePaths)]; -} - -// src/tools-features.ts -var semver4 = __toESM(require_semver2()); -function isSupportedToolsFeature(versionInfo, feature) { - return !!versionInfo.features && versionInfo.features[feature]; -} - -// src/feature-flags.ts -var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; -var featureConfig = { - ["allow_toolcache_input" /* AllowToolcacheInput */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", - minimumVersion: void 0 - }, - ["cleanup_trap_caches" /* CleanupTrapCaches */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES", - minimumVersion: void 0 - }, - ["cpp_dependency_installation_enabled" /* CppDependencyInstallation */]: { - defaultValue: false, - envVar: "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES", - legacyApi: true, - minimumVersion: 
"2.15.0" - }, - ["csharp_cache_bmn" /* CsharpCacheBuildModeNone */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_CSHARP_CACHE_BMN", - minimumVersion: void 0 - }, - ["csharp_new_cache_key" /* CsharpNewCacheKey */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_CSHARP_NEW_CACHE_KEY", - minimumVersion: void 0 - }, - ["diff_informed_queries" /* DiffInformedQueries */]: { - defaultValue: true, - envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES", - minimumVersion: "2.21.0" - }, - ["disable_csharp_buildless" /* DisableCsharpBuildless */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_DISABLE_CSHARP_BUILDLESS", - minimumVersion: void 0 - }, - ["disable_java_buildless_enabled" /* DisableJavaBuildlessEnabled */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_DISABLE_JAVA_BUILDLESS", - legacyApi: true, - minimumVersion: void 0 - }, - ["disable_kotlin_analysis_enabled" /* DisableKotlinAnalysisEnabled */]: { - defaultValue: false, - envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS", - legacyApi: true, - minimumVersion: void 0 - }, - ["export_diagnostics_enabled" /* ExportDiagnosticsEnabled */]: { - defaultValue: true, - envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS", - legacyApi: true, - minimumVersion: void 0 - }, - ["force_nightly" /* ForceNightly */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_FORCE_NIGHTLY", - minimumVersion: void 0 - }, - ["ignore_generated_files" /* IgnoreGeneratedFiles */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_IGNORE_GENERATED_FILES", - minimumVersion: void 0 - }, - ["java_network_debugging" /* JavaNetworkDebugging */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_JAVA_NETWORK_DEBUGGING", - minimumVersion: void 0 - }, - ["overlay_analysis" /* OverlayAnalysis */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION - }, - // Per-language overlay feature flags. 
Each has minimumVersion set to the - // minimum CLI version that supports overlay analysis for that language. - // Only languages that are GA or in staff-ship should have feature flags here. - ["overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP - }, - ["overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP - }, - ["overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_GO", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO - }, - ["overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVA", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA - }, - ["overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_JAVASCRIPT", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT - }, - ["overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_PYTHON", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON - }, - ["overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY - }, - ["overlay_analysis_cpp" /* OverlayAnalysisCpp */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP - }, 
- ["overlay_analysis_csharp" /* OverlayAnalysisCsharp */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP - }, - ["overlay_analysis_go" /* OverlayAnalysisGo */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO - }, - ["overlay_analysis_java" /* OverlayAnalysisJava */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVA - }, - ["overlay_analysis_javascript" /* OverlayAnalysisJavascript */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT - }, - ["overlay_analysis_python" /* OverlayAnalysisPython */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON - }, - ["overlay_analysis_ruby" /* OverlayAnalysisRuby */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY", - minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY - }, - // Other overlay-related feature flags - ["overlay_analysis_disable_trap_caching" /* OverlayAnalysisDisableTrapCaching */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", - minimumVersion: void 0 - }, - ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", - minimumVersion: void 0 - }, - ["overlay_analysis_status_check" /* OverlayAnalysisStatusCheck */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK", - minimumVersion: void 0 - }, - ["overlay_analysis_status_save" /* OverlayAnalysisStatusSave */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE", - minimumVersion: void 0 - }, - 
["overlay_analysis_skip_resource_checks" /* OverlayAnalysisSkipResourceChecks */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_SKIP_RESOURCE_CHECKS", - minimumVersion: void 0 - }, - ["qa_telemetry_enabled" /* QaTelemetryEnabled */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_QA_TELEMETRY", - legacyApi: true, - minimumVersion: void 0 - }, - ["skip_file_coverage_on_prs" /* SkipFileCoverageOnPrs */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_SKIP_FILE_COVERAGE_ON_PRS", - minimumVersion: void 0, - toolsFeature: "suppressesMissingFileBaselineWarning" /* SuppressesMissingFileBaselineWarning */ - }, - ["start_proxy_remove_unused_registries" /* StartProxyRemoveUnusedRegistries */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_START_PROXY_REMOVE_UNUSED_REGISTRIES", - minimumVersion: void 0 - }, - ["start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_START_PROXY_USE_FEATURES_RELEASE", - minimumVersion: void 0 - }, - ["upload_overlay_db_to_api" /* UploadOverlayDbToApi */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_UPLOAD_OVERLAY_DB_TO_API", - minimumVersion: void 0, - toolsFeature: "bundleSupportsOverlay" /* BundleSupportsOverlay */ - }, - ["validate_db_config" /* ValidateDbConfig */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_VALIDATE_DB_CONFIG", - minimumVersion: void 0 - } -}; - -// src/diff-informed-analysis-utils.ts function readDiffRangesJsonFile(logger) { const jsonFilePath = getDiffRangesJsonFilePath(); if (!fs5.existsSync(jsonFilePath)) { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 11873a244..0c6453af0 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js 
@@ -126983,223 +126983,14 @@ var import_archiver = __toESM(require_archiver()); // src/analyze.ts var io5 = __toESM(require_io()); -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - AnalysisKind2["RiskAssessment"] = "risk-assessment"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); - -// src/autobuild.ts -var core12 = __toESM(require_core()); - -// src/codeql.ts -var core11 = __toESM(require_core()); -var toolrunner3 = __toESM(require_toolrunner()); - -// src/cli-errors.ts -var cliErrorsConfig = { - ["AutobuildError" /* AutobuildError */]: { - cliErrorMessageCandidates: [ - new RegExp("We were unable to automatically build your code") - ] - }, - ["CouldNotCreateTempDir" /* CouldNotCreateTempDir */]: { - cliErrorMessageCandidates: [new RegExp("Could not create temp directory")] - }, - ["ExternalRepositoryCloneFailed" /* ExternalRepositoryCloneFailed */]: { - cliErrorMessageCandidates: [ - new RegExp("Failed to clone external Git repository") - ] - }, - ["GradleBuildFailed" /* GradleBuildFailed */]: { - cliErrorMessageCandidates: [ - new RegExp("\\[autobuild\\] FAILURE: Build failed with an exception.") - ] - }, - // Version of CodeQL CLI is incompatible with this version of the CodeQL Action - ["IncompatibleWithActionVersion" /* IncompatibleWithActionVersion */]: { - cliErrorMessageCandidates: [ - new RegExp("is not compatible with this CodeQL CLI") - ] - }, - ["InitCalledTwice" /* InitCalledTwice */]: { - cliErrorMessageCandidates: [ - new RegExp( - "Refusing to create databases .* but could not process any of it" - ) - ], - additionalErrorMessageToAppend: `Is the "init" action called twice in the same job?` - }, - ["InvalidConfigFile" /* InvalidConfigFile */]: { - cliErrorMessageCandidates: [ - new RegExp("Config file .* is not valid"), - new RegExp("The supplied config 
file is empty") - ] - }, - ["InvalidExternalRepoSpecifier" /* InvalidExternalRepoSpecifier */]: { - cliErrorMessageCandidates: [ - new RegExp("Specifier for external repository is invalid") - ] - }, - // Expected source location for database creation does not exist - ["InvalidSourceRoot" /* InvalidSourceRoot */]: { - cliErrorMessageCandidates: [new RegExp("Invalid source root")] - }, - ["MavenBuildFailed" /* MavenBuildFailed */]: { - cliErrorMessageCandidates: [ - new RegExp("\\[autobuild\\] \\[ERROR\\] Failed to execute goal") - ] - }, - ["NoBuildCommandAutodetected" /* NoBuildCommandAutodetected */]: { - cliErrorMessageCandidates: [ - new RegExp("Could not auto-detect a suitable build method") - ] - }, - ["NoBuildMethodAutodetected" /* NoBuildMethodAutodetected */]: { - cliErrorMessageCandidates: [ - new RegExp( - "Could not detect a suitable build command for the source checkout" - ) - ] - }, - // Usually when a manual build script has failed, or if an autodetected language - // was unintended to have CodeQL analysis run on it. 
- ["NoSourceCodeSeen" /* NoSourceCodeSeen */]: { - exitCode: 32, - cliErrorMessageCandidates: [ - new RegExp( - "CodeQL detected code written in .* but could not process any of it" - ), - new RegExp( - "CodeQL did not detect any code written in languages supported by CodeQL" - ) - ] - }, - ["NoSupportedBuildCommandSucceeded" /* NoSupportedBuildCommandSucceeded */]: { - cliErrorMessageCandidates: [ - new RegExp("No supported build command succeeded") - ] - }, - ["NoSupportedBuildSystemDetected" /* NoSupportedBuildSystemDetected */]: { - cliErrorMessageCandidates: [ - new RegExp("No supported build system detected") - ] - }, - ["OutOfMemoryOrDisk" /* OutOfMemoryOrDisk */]: { - cliErrorMessageCandidates: [ - new RegExp("CodeQL is out of memory."), - new RegExp("out of disk"), - new RegExp("No space left on device") - ], - additionalErrorMessageToAppend: "For more information, see https://gh.io/troubleshooting-code-scanning/out-of-disk-or-memory" - }, - ["PackCannotBeFound" /* PackCannotBeFound */]: { - cliErrorMessageCandidates: [ - new RegExp( - "Query pack .* cannot be found\\. Check the spelling of the pack\\." - ), - new RegExp( - "is not a .ql file, .qls file, a directory, or a query pack specification." - ) - ] - }, - ["PackMissingAuth" /* PackMissingAuth */]: { - cliErrorMessageCandidates: [ - new RegExp("GitHub Container registry .* 403 Forbidden"), - new RegExp( - "Do you need to specify a token to authenticate to the registry?" 
- ) - ] - }, - ["SwiftBuildFailed" /* SwiftBuildFailed */]: { - cliErrorMessageCandidates: [ - new RegExp( - "\\[autobuilder/build\\] \\[build-command-failed\\] `autobuild` failed to run the build command" - ) - ] - }, - ["SwiftIncompatibleOs" /* SwiftIncompatibleOs */]: { - cliErrorMessageCandidates: [ - new RegExp("\\[incompatible-os\\]"), - new RegExp("Swift analysis is only supported on macOS") - ] - }, - ["UnsupportedBuildMode" /* UnsupportedBuildMode */]: { - cliErrorMessageCandidates: [ - new RegExp( - "does not support the .* build mode. Please try using one of the following build modes instead" - ) - ] - }, - ["NotFoundInRegistry" /* NotFoundInRegistry */]: { - cliErrorMessageCandidates: [ - new RegExp("'.*' not found in the registry '.*'") - ] - } -}; - -// src/config-utils.ts -var core9 = __toESM(require_core()); - -// src/caching-utils.ts -var core6 = __toESM(require_core()); - -// src/config/db-config.ts -var jsonschema = __toESM(require_lib5()); -var semver2 = __toESM(require_semver2()); - -// src/feature-flags/properties.ts -var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { - RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; - RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; - RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; - return RepositoryPropertyName2; -})(RepositoryPropertyName || {}); -var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( - Object.values(RepositoryPropertyName) -); - -// src/config/db-config.ts -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); - -// src/logging.ts -var core7 = __toESM(require_core()); -function getActionsLogger() { - return { - debug: core7.debug, - info: core7.info, - warning: core7.warning, - 
error: core7.error, - isDebug: core7.isDebug, - startGroup: core7.startGroup, - endGroup: core7.endGroup - }; -} -function withGroup(groupName, f) { - core7.startGroup(groupName); - try { - return f(); - } finally { - core7.endGroup(); - } -} - // src/feature-flags.ts -var semver5 = __toESM(require_semver2()); +var semver4 = __toESM(require_semver2()); // src/git-utils.ts -var core8 = __toESM(require_core()); +var core6 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); -var semver3 = __toESM(require_semver2()); +var semver2 = __toESM(require_semver2()); // src/overlay/index.ts var CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8"; @@ -127212,14 +127003,19 @@ var CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON = "2.23.9"; var CODEQL_OVERLAY_MINIMUM_VERSION_RUBY = "2.23.9"; // src/tools-features.ts -var semver4 = __toESM(require_semver2()); +var semver3 = __toESM(require_semver2()); var SafeArtifactUploadVersion = "2.20.3"; function isSafeArtifactUpload(codeQlVersion) { - return !codeQlVersion ? true : semver4.gte(codeQlVersion, SafeArtifactUploadVersion); + return !codeQlVersion ? true : semver3.gte(codeQlVersion, SafeArtifactUploadVersion); } // src/feature-flags.ts var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", 
@@ -127428,6 +127224,215 @@ var featureConfig = { } }; +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); + +// src/autobuild.ts +var core12 = __toESM(require_core()); + +// src/codeql.ts +var core11 = __toESM(require_core()); +var toolrunner3 = __toESM(require_toolrunner()); + +// src/cli-errors.ts +var cliErrorsConfig = { + ["AutobuildError" /* AutobuildError */]: { + cliErrorMessageCandidates: [ + new RegExp("We were unable to automatically build your code") + ] + }, + ["CouldNotCreateTempDir" /* CouldNotCreateTempDir */]: { + cliErrorMessageCandidates: [new RegExp("Could not create temp directory")] + }, + ["ExternalRepositoryCloneFailed" /* ExternalRepositoryCloneFailed */]: { + cliErrorMessageCandidates: [ + new RegExp("Failed to clone external Git repository") + ] + }, + ["GradleBuildFailed" /* GradleBuildFailed */]: { + cliErrorMessageCandidates: [ + new RegExp("\\[autobuild\\] FAILURE: Build failed with an exception.") + ] + }, + // Version of CodeQL CLI is incompatible with this version of the CodeQL Action + ["IncompatibleWithActionVersion" /* IncompatibleWithActionVersion */]: { + cliErrorMessageCandidates: [ + new RegExp("is not compatible with this CodeQL CLI") + ] + }, + ["InitCalledTwice" /* InitCalledTwice */]: { + cliErrorMessageCandidates: [ + new RegExp( + "Refusing to create databases .* but could not process any of it" + ) + ], + additionalErrorMessageToAppend: `Is the "init" action called twice in the same job?` + }, + ["InvalidConfigFile" /* InvalidConfigFile */]: { + cliErrorMessageCandidates: [ + new RegExp("Config file .* is not valid"), + new RegExp("The supplied config file is empty") + ] + }, + ["InvalidExternalRepoSpecifier" /* 
InvalidExternalRepoSpecifier */]: { + cliErrorMessageCandidates: [ + new RegExp("Specifier for external repository is invalid") + ] + }, + // Expected source location for database creation does not exist + ["InvalidSourceRoot" /* InvalidSourceRoot */]: { + cliErrorMessageCandidates: [new RegExp("Invalid source root")] + }, + ["MavenBuildFailed" /* MavenBuildFailed */]: { + cliErrorMessageCandidates: [ + new RegExp("\\[autobuild\\] \\[ERROR\\] Failed to execute goal") + ] + }, + ["NoBuildCommandAutodetected" /* NoBuildCommandAutodetected */]: { + cliErrorMessageCandidates: [ + new RegExp("Could not auto-detect a suitable build method") + ] + }, + ["NoBuildMethodAutodetected" /* NoBuildMethodAutodetected */]: { + cliErrorMessageCandidates: [ + new RegExp( + "Could not detect a suitable build command for the source checkout" + ) + ] + }, + // Usually when a manual build script has failed, or if an autodetected language + // was unintended to have CodeQL analysis run on it. + ["NoSourceCodeSeen" /* NoSourceCodeSeen */]: { + exitCode: 32, + cliErrorMessageCandidates: [ + new RegExp( + "CodeQL detected code written in .* but could not process any of it" + ), + new RegExp( + "CodeQL did not detect any code written in languages supported by CodeQL" + ) + ] + }, + ["NoSupportedBuildCommandSucceeded" /* NoSupportedBuildCommandSucceeded */]: { + cliErrorMessageCandidates: [ + new RegExp("No supported build command succeeded") + ] + }, + ["NoSupportedBuildSystemDetected" /* NoSupportedBuildSystemDetected */]: { + cliErrorMessageCandidates: [ + new RegExp("No supported build system detected") + ] + }, + ["OutOfMemoryOrDisk" /* OutOfMemoryOrDisk */]: { + cliErrorMessageCandidates: [ + new RegExp("CodeQL is out of memory."), + new RegExp("out of disk"), + new RegExp("No space left on device") + ], + additionalErrorMessageToAppend: "For more information, see https://gh.io/troubleshooting-code-scanning/out-of-disk-or-memory" + }, + ["PackCannotBeFound" /* PackCannotBeFound */]: { + 
cliErrorMessageCandidates: [ + new RegExp( + "Query pack .* cannot be found\\. Check the spelling of the pack\\." + ), + new RegExp( + "is not a .ql file, .qls file, a directory, or a query pack specification." + ) + ] + }, + ["PackMissingAuth" /* PackMissingAuth */]: { + cliErrorMessageCandidates: [ + new RegExp("GitHub Container registry .* 403 Forbidden"), + new RegExp( + "Do you need to specify a token to authenticate to the registry?" + ) + ] + }, + ["SwiftBuildFailed" /* SwiftBuildFailed */]: { + cliErrorMessageCandidates: [ + new RegExp( + "\\[autobuilder/build\\] \\[build-command-failed\\] `autobuild` failed to run the build command" + ) + ] + }, + ["SwiftIncompatibleOs" /* SwiftIncompatibleOs */]: { + cliErrorMessageCandidates: [ + new RegExp("\\[incompatible-os\\]"), + new RegExp("Swift analysis is only supported on macOS") + ] + }, + ["UnsupportedBuildMode" /* UnsupportedBuildMode */]: { + cliErrorMessageCandidates: [ + new RegExp( + "does not support the .* build mode. Please try using one of the following build modes instead" + ) + ] + }, + ["NotFoundInRegistry" /* NotFoundInRegistry */]: { + cliErrorMessageCandidates: [ + new RegExp("'.*' not found in the registry '.*'") + ] + } +}; + +// src/config-utils.ts +var core9 = __toESM(require_core()); + +// src/caching-utils.ts +var core7 = __toESM(require_core()); + +// src/config/db-config.ts +var jsonschema = __toESM(require_lib5()); +var semver5 = __toESM(require_semver2()); + +// src/feature-flags/properties.ts +var RepositoryPropertyName = /* @__PURE__ */ ((RepositoryPropertyName2) => { + RepositoryPropertyName2["DISABLE_OVERLAY"] = "github-codeql-disable-overlay"; + RepositoryPropertyName2["EXTRA_QUERIES"] = "github-codeql-extra-queries"; + RepositoryPropertyName2["FILE_COVERAGE_ON_PRS"] = "github-codeql-file-coverage-on-prs"; + return RepositoryPropertyName2; +})(RepositoryPropertyName || {}); +var KNOWN_REPOSITORY_PROPERTY_NAMES = new Set( + Object.values(RepositoryPropertyName) +); + +// 
src/config/db-config.ts +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); + +// src/logging.ts +var core8 = __toESM(require_core()); +function getActionsLogger() { + return { + debug: core8.debug, + info: core8.info, + warning: core8.warning, + error: core8.error, + isDebug: core8.isDebug, + startGroup: core8.startGroup, + endGroup: core8.endGroup + }; +} +function withGroup(groupName, f) { + core8.startGroup(groupName); + try { + return f(); + } finally { + core8.endGroup(); + } +} + // src/languages/builtin.json var builtin_default = { languages: [ diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 75e8744be..4f22c134d 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js 
@@ -88693,74 +88693,10 @@ function fixCodeQualityCategory(logger, category) { return category; } -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - AnalysisKind2["RiskAssessment"] = "risk-assessment"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); -var CodeScanning = { - kind: "code-scanning" /* CodeScanning */, - name: "code scanning", - target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */, - sarifExtension: ".sarif", - sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name), - fixCategory: (_, category) => category, - sentinelPrefix: "CODEQL_UPLOAD_SARIF_", - transformPayload: (payload) => payload -}; -var CodeQuality = { - kind: "code-quality" /* CodeQuality */, - name: "code quality", - target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */, - sarifExtension: ".quality.sarif", - sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension), - fixCategory: fixCodeQualityCategory, - sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_", - transformPayload: (payload) => payload -}; -function addAssessmentId(payload) { - const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */); - const assessmentId = parseInt(rawAssessmentId, 10); - if (Number.isNaN(assessmentId)) { - throw new Error( - `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}` - ); - } - if (assessmentId < 0) { - throw new Error( - `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}` - ); - } - return { sarif: payload.sarif, assessment_id: assessmentId }; -} -var RiskAssessment = { - kind: "risk-assessment" /* RiskAssessment */, - 
name: "code scanning risk assessment", - target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */, - sarifExtension: ".csra.sarif", - sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension), - fixCategory: (_, category) => category, - sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_", - transformPayload: addAssessmentId -}; -function getAnalysisConfig(kind) { - switch (kind) { - case "code-scanning" /* CodeScanning */: - return CodeScanning; - case "code-quality" /* CodeQuality */: - return CodeQuality; - case "risk-assessment" /* RiskAssessment */: - return RiskAssessment; - } -} -var SarifScanOrder = [ - RiskAssessment, - CodeQuality, - CodeScanning -]; +// src/feature-flags.ts +var fs5 = __toESM(require("fs")); +var path5 = __toESM(require("path")); +var semver4 = __toESM(require_semver2()); // src/api-client.ts var core5 = __toESM(require_core()); @@ -89012,11 +88948,6 @@ function wrapApiConfigurationError(e) { return e; } -// src/feature-flags.ts -var fs5 = __toESM(require("fs")); -var path5 = __toESM(require("path")); -var semver4 = __toESM(require_semver2()); - // src/defaults.json var bundleVersion = "codeql-bundle-v2.25.4"; var cliVersion = "2.25.4"; @@ -89366,6 +89297,11 @@ var DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_"; var DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; var CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; var featureConfig = { + ["allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: void 0 + }, ["allow_toolcache_input" /* AllowToolcacheInput */]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", 
@@ -89901,6 +89837,75 @@ function initFeatures(gitHubVersion, repositoryNwo, tempDir, logger) { } } +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + AnalysisKind2["RiskAssessment"] = "risk-assessment"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); +var CodeScanning = { + kind: "code-scanning" /* CodeScanning */, + name: "code scanning", + target: "PUT /repos/:owner/:repo/code-scanning/analysis" /* CODE_SCANNING */, + sarifExtension: ".sarif", + sarifPredicate: (name) => name.endsWith(CodeScanning.sarifExtension) && !CodeQuality.sarifPredicate(name) && !RiskAssessment.sarifPredicate(name), + fixCategory: (_, category) => category, + sentinelPrefix: "CODEQL_UPLOAD_SARIF_", + transformPayload: (payload) => payload +}; +var CodeQuality = { + kind: "code-quality" /* CodeQuality */, + name: "code quality", + target: "PUT /repos/:owner/:repo/code-quality/analysis" /* CODE_QUALITY */, + sarifExtension: ".quality.sarif", + sarifPredicate: (name) => name.endsWith(CodeQuality.sarifExtension), + fixCategory: fixCodeQualityCategory, + sentinelPrefix: "CODEQL_UPLOAD_QUALITY_SARIF_", + transformPayload: (payload) => payload +}; +function addAssessmentId(payload) { + const rawAssessmentId = getRequiredEnvParam("CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */); + const assessmentId = parseInt(rawAssessmentId, 10); + if (Number.isNaN(assessmentId)) { + throw new Error( + `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be NaN: ${rawAssessmentId}` + ); + } + if (assessmentId < 0) { + throw new Error( + `${"CODEQL_ACTION_RISK_ASSESSMENT_ID" /* RISK_ASSESSMENT_ID */} must not be negative: ${rawAssessmentId}` + ); + } + return { sarif: payload.sarif, assessment_id: assessmentId }; +} +var RiskAssessment = { + kind: "risk-assessment" /* RiskAssessment */, 
+ name: "code scanning risk assessment", + target: "PUT /repos/:owner/:repo/code-scanning/risk-assessment" /* RISK_ASSESSMENT */, + sarifExtension: ".csra.sarif", + sarifPredicate: (name) => name.endsWith(RiskAssessment.sarifExtension), + fixCategory: (_, category) => category, + sentinelPrefix: "CODEQL_UPLOAD_CSRA_SARIF_", + transformPayload: addAssessmentId +}; +function getAnalysisConfig(kind) { + switch (kind) { + case "code-scanning" /* CodeScanning */: + return CodeScanning; + case "code-quality" /* CodeQuality */: + return CodeQuality; + case "risk-assessment" /* RiskAssessment */: + return RiskAssessment; + } +} +var SarifScanOrder = [ + RiskAssessment, + CodeQuality, + CodeScanning +]; + // src/logging.ts var core7 = __toESM(require_core()); function getActionsLogger() { diff --git a/src/analyses.test.ts b/src/analyses.test.ts index 293b4be6d..02df6134c 100644 --- a/src/analyses.test.ts +++ b/src/analyses.test.ts @@ -16,7 +16,7 @@ import { } from "./analyses"; import { EnvVar } from "./environment"; import { getRunnerLogger } from "./logging"; -import { setupTests } from "./testing-utils"; +import { createFeatures, setupTests } from "./testing-utils"; import { AssessmentPayload } from "./upload-lib/types"; import { ConfigurationError } from "./util"; 
@@ -53,24 +53,54 @@ test("Parsing analysis kinds requires at least one analysis kind", async (t) => test.serial( "getAnalysisKinds - returns expected analysis kinds for `analysis-kinds` input", async (t) => { + process.env[EnvVar.TEST_MODE] = "true"; + const features = createFeatures([]); const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); requiredInputStub .withArgs("analysis-kinds") .returns("code-scanning,code-quality"); - const result = await getAnalysisKinds(getRunnerLogger(true), true); + const result = await getAnalysisKinds( + getRunnerLogger(true), + features, + true, + ); t.assert(result.includes(AnalysisKind.CodeScanning)); t.assert(result.includes(AnalysisKind.CodeQuality)); }, ); +test.serial( + "getAnalysisKinds - throws for multiple analysis kinds outside of test mode", + async (t) => { + process.env[EnvVar.TEST_MODE] = "false"; + const features = createFeatures([]); + const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); + requiredInputStub + .withArgs("analysis-kinds") + .returns("code-scanning,code-quality"); + await t.throwsAsync( + getAnalysisKinds(getRunnerLogger(true), features, true), + { + instanceOf: ConfigurationError, + }, + ); + }, +); + test.serial( "getAnalysisKinds - includes `code-quality` when deprecated `quality-queries` input is used", async (t) => { + process.env[EnvVar.TEST_MODE] = "true"; + const features = createFeatures([]); const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); requiredInputStub.withArgs("analysis-kinds").returns("code-scanning"); const optionalInputStub = sinon.stub(actionsUtil, "getOptionalInput"); optionalInputStub.withArgs("quality-queries").returns("code-quality"); - const result = await getAnalysisKinds(getRunnerLogger(true), true); + const result = await getAnalysisKinds( + getRunnerLogger(true), + features, + true, + ); t.assert(result.includes(AnalysisKind.CodeScanning)); t.assert(result.includes(AnalysisKind.CodeQuality)); }, 
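Review bot: The added tests only exercise the new check with the flag off, so nothing covers `Feature.AllowMultipleAnalysisKinds` actually permitting several kinds outside test mode. A companion case with `process.env[EnvVar.TEST_MODE] = "false"` and `createFeatures([Feature.AllowMultipleAnalysisKinds])` that expects both kinds back would pin the third operand of the new condition. In "throws for multiple analysis kinds outside of test mode" the assertion is only `instanceOf: ConfigurationError`, which the incompatible-kinds error asserted later in this file also satisfies, so a `message` matcher for the new text would stop the test passing for the wrong reason. The tests also assign `process.env[EnvVar.TEST_MODE]` without restoring it in the visible lines; unless `setupTests` resets the environment (not shown here), later serial tests that do not set it inherit the last value.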
@@ -79,9 +109,12 @@ test.serial( test.serial( "getAnalysisKinds - throws if `analysis-kinds` input is invalid", async (t) => { + const features = createFeatures([]); const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); requiredInputStub.withArgs("analysis-kinds").returns("no-such-thing"); - await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true)); + await t.throwsAsync( + getAnalysisKinds(getRunnerLogger(true), features, true), + ); }, ); @@ -98,11 +131,17 @@ for (let i = 0; i < analysisKinds.length; i++) { test.serial( `getAnalysisKinds - allows ${analysisKind} with ${otherAnalysis}`, async (t) => { + process.env[EnvVar.TEST_MODE] = "true"; + const features = createFeatures([]); const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); requiredInputStub .withArgs("analysis-kinds") .returns([analysisKind, otherAnalysis].join(",")); - const result = await getAnalysisKinds(getRunnerLogger(true), true); + const result = await getAnalysisKinds( + getRunnerLogger(true), + features, + true, + ); t.is(result.length, 2); }, ); @@ -110,14 +149,18 @@ for (let i = 0; i < analysisKinds.length; i++) { test.serial( `getAnalysisKinds - throws if ${analysisKind} is enabled with ${otherAnalysis}`, async (t) => { + const features = createFeatures([]); const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); requiredInputStub .withArgs("analysis-kinds") .returns([analysisKind, otherAnalysis].join(",")); - await t.throwsAsync(getAnalysisKinds(getRunnerLogger(true), true), { - instanceOf: ConfigurationError, - message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`, - }); + await t.throwsAsync( + getAnalysisKinds(getRunnerLogger(true), features, true), + { + instanceOf: ConfigurationError, + message: `${analysisKind} and ${otherAnalysis} cannot be enabled at the same time`, + }, + ); }, ); } diff --git a/src/analyses.ts b/src/analyses.ts index 11063a372..69247ab78 100644 --- a/src/analyses.ts 
+++ b/src/analyses.ts @@ -4,13 +4,14 @@ import { getRequiredInput, } from "./actions-util"; import { EnvVar } from "./environment"; +import { Feature, FeatureEnablement } from "./feature-flags"; import { Logger } from "./logging"; import { AssessmentPayload, BasePayload, UploadPayload, } from "./upload-lib/types"; -import { ConfigurationError, getRequiredEnvParam } from "./util"; +import { ConfigurationError, getRequiredEnvParam, isInTestMode } from "./util"; export enum AnalysisKind { CodeScanning = "code-scanning", @@ -77,6 +78,7 @@ let cachedAnalysisKinds: AnalysisKind[] | undefined; */ export async function getAnalysisKinds( logger: Logger, + features: FeatureEnablement, skipCache: boolean = false, ): Promise { if (!skipCache && cachedAnalysisKinds !== undefined) { @@ -120,6 +122,19 @@ export async function getAnalysisKinds( } } + // Throw an error if we have multiple inputs for `analysis-kinds` outside of test mode. + if ( + !isInTestMode() && + analysisKinds.length > 1 && + !(await features.getValue(Feature.AllowMultipleAnalysisKinds)) + ) { + throw new ConfigurationError( + "The `analysis-kinds` input is experimental and for GitHub-internal use only. " + + "Its behaviour may change at any time or be removed entirely. " + + "Specifying multiple values as input is no longer supported.", + ); + } + // Cache the analysis kinds and return them. cachedAnalysisKinds = analysisKinds; return cachedAnalysisKinds; diff --git a/src/feature-flags.ts b/src/feature-flags.ts index d28800e9b..50f10d6ed 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts 
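Review bot: The new error in `getAnalysisKinds` (hunk at `-120,6 +122,19`) blames the `analysis-kinds` input whenever `analysisKinds.length > 1`, but the test file in this commit shows `code-quality` also arriving through the deprecated `quality-queries` input. A workflow that passes one `analysis-kinds` value plus `quality-queries` would presumably be told it specified "multiple values" when it did not. The merging code is outside this hunk, so this is inferred from the `quality-queries` test needing `TEST_MODE` set to keep passing. I would name both sources in the final sentence, e.g. `"Enabling more than one analysis kind (including via the deprecated quality-queries input) is no longer supported."`, and include the resolved kinds in the message so the user can see what to remove.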
@@ -44,6 +44,8 @@ export interface CodeQLDefaultVersionInfo { * Legacy features should end with `_enabled`. */ export enum Feature { + /** Controls whether we allow multiple values for the `analysis-kinds` input. */ + AllowMultipleAnalysisKinds = "allow_multiple_analysis_kinds", AllowToolcacheInput = "allow_toolcache_input", CleanupTrapCaches = "cleanup_trap_caches", CppDependencyInstallation = "cpp_dependency_installation_enabled", @@ -124,6 +126,11 @@ export type FeatureConfig = { }; export const featureConfig = { + [Feature.AllowMultipleAnalysisKinds]: { + defaultValue: false, + envVar: "CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS", + minimumVersion: undefined, + }, [Feature.AllowToolcacheInput]: { defaultValue: false, envVar: "CODEQL_ACTION_ALLOW_TOOLCACHE_INPUT", diff --git a/src/init-action.ts b/src/init-action.ts index 859dcefa2..7d4659680 100644 --- a/src/init-action.ts +++ b/src/init-action.ts @@ -281,7 +281,7 @@ async function run(startedAt: Date) { // successful, the results are cached so that we don't duplicate the work in normal runs. let analysisKinds: AnalysisKind[] | undefined; try { - analysisKinds = await getAnalysisKinds(logger); + analysisKinds = await getAnalysisKinds(logger, features); } catch (err) { logger.debug( `Failed to parse analysis kinds for 'starting' status report: ${getErrorMessage(err)}`, @@ -346,7 +346,7 @@ async function run(startedAt: Date) { } } - analysisKinds = await getAnalysisKinds(logger); + analysisKinds = await getAnalysisKinds(logger, features); const debugMode = getOptionalInput("debug") === "true" || core.isDebug(); const repositoryProperties = repositoryPropertiesResult.orElse({}); const fileCoverageResult = await getFileCoverageInformationEnabled( From 12c1d88854f69bb8872b08e1f9e976d083e204f2 Mon Sep 17 00:00:00 2001 
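Review bot: The doc comment on `AllowMultipleAnalysisKinds` says what the flag controls but not that the restriction behind it is a guardrail rather than an enforcement boundary. The flag carries an `envVar` (`CODEQL_ACTION_ALLOW_MULTIPLE_ANALYSIS_KINDS`), and the check in `getAnalysisKinds` is also skipped by `isInTestMode()`, which the tests drive through `process.env[EnvVar.TEST_MODE]`. If either variable is honoured when set from a workflow, which these hunks do not confirm, the "GitHub-internal use only" wording in the error must not be read as access control. I would extend the comment to `/** Controls whether multiple values are allowed for the analysis-kinds input. Guardrail against accidental use only, not a security boundary. */` so later code does not rely on it for isolation.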
From: Mads Navntoft Date: Tue, 12 May 2026 15:32:54 +0200 Subject: [PATCH 33/40] Bump five transitive dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps the following to their latest patched versions: brace-expansion (under readdir-glob): 2.0.2 → 2.1.0 picomatch (under micromatch): 2.3.1 → 2.3.2 picomatch (top level): 4.0.3 → 4.0.4 flatted: 3.3.3 → 3.4.2 js-yaml (under supertap): 3.14.1 → 3.14.2 The brace-expansion bump requires removing the brace-expansion override in package.json, which had been pinning resolution below the existing ^2.0.1 constraint declared by readdir-glob. --- package-lock.json | 31 ++++++++++++++++--------------- package.json | 1 - 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/package-lock.json b/package-lock.json index 638458e32..2692749f8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -5806,9 +5806,9 @@ } }, "node_modules/flatted": { - "version": "3.3.3", - "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz", - "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==", + "version": "3.4.2", + "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz", + "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==", "dev": true, "license": "ISC" }, @@ -7341,9 +7341,9 @@ } }, "node_modules/micromatch/node_modules/picomatch": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", - "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz", + "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==", "dev": true, "license": "MIT", "engines": { 
@@ -7889,9 +7889,9 @@ "license": "ISC" }, "node_modules/picomatch": { - "version": "4.0.3", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz", - "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==", + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz", + "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==", "dev": true, "license": "MIT", "engines": { @@ -8064,9 +8064,9 @@ } }, "node_modules/readdir-glob/node_modules/brace-expansion": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz", - "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz", + "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==", "license": "MIT", "dependencies": { "balanced-match": "^1.0.0" @@ -8883,10 +8883,11 @@ } }, "node_modules/supertap/node_modules/js-yaml": { - "version": "3.14.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz", - "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==", + "version": "3.14.2", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz", + "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==", "dev": true, + "license": "MIT", "dependencies": { "argparse": "^1.0.7", "esprima": "^4.0.0" diff --git a/package.json b/package.json index e40fedf97..3bd6d87ec 100644 --- a/package.json +++ b/package.json @@ -89,7 +89,6 @@ "eslint-plugin-jsx-a11y": { "semver": ">=6.3.1" }, - "brace-expansion@2.0.1": "2.0.2", "glob": "^11.1.0", "undici": "^6.24.0" } 
From 2ca0fbdca8acc748377789ee1d0ae1b4af4b8d9a Mon Sep 17 00:00:00 2001 From: Mads Navntoft Date: Tue, 12 May 2026 15:33:04 +0200 Subject: [PATCH 34/40] Rebuild --- lib/analyze-action-post.js | 22 ++++++++++++---------- lib/init-action-post.js | 22 ++++++++++++---------- lib/start-proxy-action-post.js | 22 ++++++++++++---------- lib/upload-sarif-action-post.js | 22 ++++++++++++---------- 4 files changed, 48 insertions(+), 40 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 0f1b66059..c45eaf601 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -85670,13 +85670,15 @@ var require_brace_expansion2 = __commonJS({ parts.push.apply(parts, p); return parts; } - function expandTop(str2) { + function expandTop(str2, options) { if (!str2) return []; + options = options || {}; + var max = options.max == null ? Infinity : options.max; if (str2.substr(0, 2) === "{}") { str2 = "\\{\\}" + str2.substr(2); } - return expand2(escapeBraces(str2), true).map(unescapeBraces); + return expand2(escapeBraces(str2), max, true).map(unescapeBraces); } function embrace(str2) { return "{" + str2 + "}"; @@ -85690,14 +85692,14 @@ var require_brace_expansion2 = __commonJS({ function gte6(i, y) { return i >= y; } - function expand2(str2, isTop) { + function expand2(str2, max, isTop) { var expansions = []; var m = balanced("{", "}", str2); if (!m) return [str2]; var pre = m.pre; - var post = m.post.length ? expand2(m.post, false) : [""]; + var post = m.post.length ? expand2(m.post, max, false) : [""]; if (/\$$/.test(m.pre)) { - for (var k = 0; k < post.length; k++) { + for (var k = 0; k < post.length && k < max; k++) { var expansion = pre + "{" + m.body + "}" + post[k]; expansions.push(expansion); } 
@@ -85709,7 +85711,7 @@ var require_brace_expansion2 = __commonJS({ if (!isSequence && !isOptions) { if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; - return expand2(str2); + return expand2(str2, max, true); } return [str2]; } @@ -85719,7 +85721,7 @@ var require_brace_expansion2 = __commonJS({ } else { n = parseCommaParts(m.body); if (n.length === 1) { - n = expand2(n[0], false).map(embrace); + n = expand2(n[0], max, false).map(embrace); if (n.length === 1) { return post.map(function(p) { return m.pre + n[0] + p; @@ -85732,7 +85734,7 @@ var require_brace_expansion2 = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { @@ -85765,11 +85767,11 @@ var require_brace_expansion2 = __commonJS({ } else { N = []; for (var j = 0; j < n.length; j++) { - N.push.apply(N, expand2(n[j], false)); + N.push.apply(N, expand2(n[j], max, false)); } } for (var j = 0; j < N.length; j++) { - for (var k = 0; k < post.length; k++) { + for (var k = 0; k < post.length && expansions.length < max; k++) { var expansion = pre + N[j] + post[k]; if (!isTop || isSequence || expansion) expansions.push(expansion); diff --git a/lib/init-action-post.js b/lib/init-action-post.js index b972b1ece..d15e63d1a 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -85670,13 +85670,15 @@ var require_brace_expansion2 = __commonJS({ parts.push.apply(parts, p); return parts; } - function expandTop(str2) { + function expandTop(str2, options) { if (!str2) return []; + options = options || {}; + var max = options.max == null ? Infinity : options.max; if (str2.substr(0, 2) === "{}") { str2 = "\\{\\}" + str2.substr(2); } - return expand2(escapeBraces(str2), true).map(unescapeBraces); + return expand2(escapeBraces(str2), max, true).map(unescapeBraces); } function embrace(str2) { return "{" + str2 + "}"; @@ -85690,14 +85692,14 @@ var require_brace_expansion2 = __commonJS({ function gte6(i, y) { return i >= y; } - function expand2(str2, isTop) { + function expand2(str2, max, isTop) { var expansions = []; var m = balanced("{", "}", str2); if (!m) return [str2]; var pre = m.pre; - var post = m.post.length ? expand2(m.post, false) : [""]; + var post = m.post.length ? expand2(m.post, max, false) : [""]; if (/\$$/.test(m.pre)) { - for (var k = 0; k < post.length; k++) { + for (var k = 0; k < post.length && k < max; k++) { var expansion = pre + "{" + m.body + "}" + post[k]; expansions.push(expansion); } @@ -85709,7 +85711,7 @@ var require_brace_expansion2 = __commonJS({ if (!isSequence && !isOptions) { if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; - return expand2(str2); + return expand2(str2, max, true); } return [str2]; } @@ -85719,7 +85721,7 @@ var require_brace_expansion2 = __commonJS({ } else { n = parseCommaParts(m.body); if (n.length === 1) { - n = expand2(n[0], false).map(embrace); + n = expand2(n[0], max, false).map(embrace); if (n.length === 1) { return post.map(function(p) { return m.pre + n[0] + p; 
@@ -85732,7 +85734,7 @@ var require_brace_expansion2 = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { @@ -85765,11 +85767,11 @@ var require_brace_expansion2 = __commonJS({ } else { N = []; for (var j = 0; j < n.length; j++) { - N.push.apply(N, expand2(n[j], false)); + N.push.apply(N, expand2(n[j], max, false)); } } for (var j = 0; j < N.length; j++) { - for (var k = 0; k < post.length; k++) { + for (var k = 0; k < post.length && expansions.length < max; k++) { var expansion = pre + N[j] + post[k]; if (!isTop || isSequence || expansion) expansions.push(expansion); diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 6f70d7093..bb020051d 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -84282,13 +84282,15 @@ var require_brace_expansion2 = __commonJS({ parts.push.apply(parts, p); return parts; } - function expandTop(str2) { + function expandTop(str2, options) { if (!str2) return []; + options = options || {}; + var max = options.max == null ? Infinity : options.max; if (str2.substr(0, 2) === "{}") { str2 = "\\{\\}" + str2.substr(2); } - return expand2(escapeBraces(str2), true).map(unescapeBraces); + return expand2(escapeBraces(str2), max, true).map(unescapeBraces); } function embrace(str2) { return "{" + str2 + "}"; 
@@ -84302,14 +84304,14 @@ var require_brace_expansion2 = __commonJS({ function gte6(i, y) { return i >= y; } - function expand2(str2, isTop) { + function expand2(str2, max, isTop) { var expansions = []; var m = balanced("{", "}", str2); if (!m) return [str2]; var pre = m.pre; - var post = m.post.length ? expand2(m.post, false) : [""]; + var post = m.post.length ? expand2(m.post, max, false) : [""]; if (/\$$/.test(m.pre)) { - for (var k = 0; k < post.length; k++) { + for (var k = 0; k < post.length && k < max; k++) { var expansion = pre + "{" + m.body + "}" + post[k]; expansions.push(expansion); } @@ -84321,7 +84323,7 @@ var require_brace_expansion2 = __commonJS({ if (!isSequence && !isOptions) { if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; - return expand2(str2); + return expand2(str2, max, true); } return [str2]; } @@ -84331,7 +84333,7 @@ var require_brace_expansion2 = __commonJS({ } else { n = parseCommaParts(m.body); if (n.length === 1) { - n = expand2(n[0], false).map(embrace); + n = expand2(n[0], max, false).map(embrace); if (n.length === 1) { return post.map(function(p) { return m.pre + n[0] + p; @@ -84344,7 +84346,7 @@ var require_brace_expansion2 = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { @@ -84377,11 +84379,11 @@ var require_brace_expansion2 = __commonJS({ } else { N = []; for (var j = 0; j < n.length; j++) { - N.push.apply(N, expand2(n[j], false)); + N.push.apply(N, expand2(n[j], max, false)); } } for (var j = 0; j < N.length; j++) { - for (var k = 0; k < post.length; k++) { + for (var k = 0; k < post.length && expansions.length < max; k++) { var expansion = pre + N[j] + post[k]; if (!isTop || isSequence || expansion) expansions.push(expansion); 
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 11873a244..aa194bb31 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -76458,13 +76458,15 @@ var require_brace_expansion = __commonJS({ parts.push.apply(parts, p); return parts; } - function expandTop(str2) { + function expandTop(str2, options) { if (!str2) return []; + options = options || {}; + var max = options.max == null ? Infinity : options.max; if (str2.substr(0, 2) === "{}") { str2 = "\\{\\}" + str2.substr(2); } - return expand2(escapeBraces(str2), true).map(unescapeBraces); + return expand2(escapeBraces(str2), max, true).map(unescapeBraces); } function embrace(str2) { return "{" + str2 + "}"; @@ -76478,14 +76480,14 @@ var require_brace_expansion = __commonJS({ function gte6(i, y) { return i >= y; } - function expand2(str2, isTop) { + function expand2(str2, max, isTop) { var expansions = []; var m = balanced("{", "}", str2); if (!m) return [str2]; var pre = m.pre; - var post = m.post.length ? expand2(m.post, false) : [""]; + var post = m.post.length ? expand2(m.post, max, false) : [""]; if (/\$$/.test(m.pre)) { - for (var k = 0; k < post.length; k++) { + for (var k = 0; k < post.length && k < max; k++) { var expansion = pre + "{" + m.body + "}" + post[k]; expansions.push(expansion); } @@ -76497,7 +76499,7 @@ var require_brace_expansion = __commonJS({ if (!isSequence && !isOptions) { if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; - return expand2(str2); + return expand2(str2, max, true); } return [str2]; } @@ -76507,7 +76509,7 @@ var require_brace_expansion = __commonJS({ } else { n = parseCommaParts(m.body); if (n.length === 1) { - n = expand2(n[0], false).map(embrace); + n = expand2(n[0], max, false).map(embrace); if (n.length === 1) { return post.map(function(p) { return m.pre + n[0] + p; 
@@ -76520,7 +76522,7 @@ var require_brace_expansion = __commonJS({ var x = numeric(n[0]); var y = numeric(n[1]); var width = Math.max(n[0].length, n[1].length); - var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1; + var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1; var test = lte; var reverse = y < x; if (reverse) { @@ -76553,11 +76555,11 @@ var require_brace_expansion = __commonJS({ } else { N = []; for (var j = 0; j < n.length; j++) { - N.push.apply(N, expand2(n[j], false)); + N.push.apply(N, expand2(n[j], max, false)); } } for (var j = 0; j < N.length; j++) { - for (var k = 0; k < post.length; k++) { + for (var k = 0; k < post.length && expansions.length < max; k++) { var expansion = pre + N[j] + post[k]; if (!isTop || isSequence || expansion) expansions.push(expansion); From 312a2fee968d17552828b941776d9a3185adf6c8 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Tue, 12 May 2026 15:03:58 +0100 Subject: [PATCH 35/40] Add changelog entry --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 746386293..db23331b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- An error is now thrown if multiple inputs are provided for the GitHub-internal `analysis-kinds` input. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892) ## 4.35.4 - 07 May 2026 From 201a96b5417bdc74abe78e0fb1d28b23088af75f Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 12 May 2026 15:25:40 +0100 Subject: [PATCH 36/40] Use overlay-aware version for code scanning exclusively --- lib/init-action.js | 4 +--- lib/setup-codeql-action.js | 2 +- src/init-action.ts | 6 +++--- src/setup-codeql-action.ts | 3 ++- 4 files changed, 7 insertions(+), 8 deletions(-) 
diff --git a/lib/init-action.js b/lib/init-action.js index 1ed7e5490..7b21c181c 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -92539,9 +92539,7 @@ async function run(startedAt) { const rawLanguages = getRawLanguagesNoAutodetect( getOptionalInput("languages") ); - const useOverlayAwareDefaultCliVersion = !!analysisKinds?.includes( - "code-scanning" /* CodeScanning */ - ); + const useOverlayAwareDefaultCliVersion = analysisKinds?.length === 1 && analysisKinds[0] === "code-scanning" /* CodeScanning */; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 243a749cb..d3a585c78 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -89533,7 +89533,7 @@ async function run(startedAt) { gitHubVersion.type, codeQLDefaultVersionInfo, rawLanguages, - analysisKinds.includes("code-scanning" /* CodeScanning */), + analysisKinds.length === 1 && analysisKinds[0] === "code-scanning" /* CodeScanning */, features, logger ); diff --git a/src/init-action.ts b/src/init-action.ts index b529b6804..a6521f4f0 100644 --- a/src/init-action.ts +++ b/src/init-action.ts @@ -304,9 +304,9 @@ async function run(startedAt: Date) { const rawLanguages = configUtils.getRawLanguagesNoAutodetect( getOptionalInput("languages"), ); - const useOverlayAwareDefaultCliVersion = !!analysisKinds?.includes( - AnalysisKind.CodeScanning, - ); + const useOverlayAwareDefaultCliVersion = + analysisKinds?.length === 1 && + analysisKinds[0] === AnalysisKind.CodeScanning; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, diff --git a/src/setup-codeql-action.ts b/src/setup-codeql-action.ts index c23553c98..86d4a9feb 100644 --- a/src/setup-codeql-action.ts +++ b/src/setup-codeql-action.ts 
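Review bot: The predicate `analysisKinds?.length === 1 && analysisKinds[0] === AnalysisKind.CodeScanning` in src/init-action.ts is written out again in src/setup-codeql-action.ts in the same commit. Neither site explains why a run that combines code scanning with another kind must not use the overlay-aware default CLI version. An exported helper next to `AnalysisKind`, such as `export const isCodeScanningOnly = (kinds?: AnalysisKind[]) => kinds?.length === 1 && kinds[0] === AnalysisKind.CodeScanning;`, with a one-line comment giving the reason, would keep the two call sites from drifting apart. `run` starts and ends outside the hunk in both files.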
@@ -152,7 +152,8 @@ async function run(startedAt: Date): Promise { gitHubVersion.type, codeQLDefaultVersionInfo, rawLanguages, - analysisKinds.includes(AnalysisKind.CodeScanning), + analysisKinds.length === 1 && + analysisKinds[0] === AnalysisKind.CodeScanning, features, logger, ); From 257b3d3fc8c43360913681efccc21bc2f00429bc Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Tue, 12 May 2026 15:46:28 +0100 Subject: [PATCH 37/40] Enable only `code-scanning` --- CHANGELOG.md | 2 +- lib/init-action.js | 6 ++++-- src/analyses.test.ts | 16 +++++++++------- src/analyses.ts | 12 +++++++++--- 4 files changed, 23 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index db23331b5..a5270ebc9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -- An error is now thrown if multiple inputs are provided for the GitHub-internal `analysis-kinds` input. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892) +- If multiple inputs are provided for the GitHub-internal `analysis-kinds` input, only `code-scanning` will be enabled. The `analysis-kinds` input is experimental, for GitHub-internal use only, and may change without notice at any time. [#3892](https://github.com/github/codeql-action/pull/3892) ## 4.35.4 - 07 May 2026 diff --git a/lib/init-action.js b/lib/init-action.js index c6f67eec4..5cdc800db 100644 --- a/lib/init-action.js +++ b/lib/init-action.js 
@@ -87589,9 +87589,11 @@ async function getAnalysisKinds(logger, features, skipCache = false) { } } if (!isInTestMode() && analysisKinds.length > 1 && !await features.getValue("allow_multiple_analysis_kinds" /* AllowMultipleAnalysisKinds */)) { - throw new ConfigurationError( - "The `analysis-kinds` input is experimental and for GitHub-internal use only. Its behaviour may change at any time or be removed entirely. Specifying multiple values as input is no longer supported." + logger.error( + "The `analysis-kinds` input is experimental and for GitHub-internal use only. Its behaviour may change at any time or be removed entirely. Specifying multiple values as input is no longer supported. Continuing with only `analysis-kinds: code-scanning`." ); + cachedAnalysisKinds = ["code-scanning" /* CodeScanning */]; + return cachedAnalysisKinds; } cachedAnalysisKinds = analysisKinds; return cachedAnalysisKinds; diff --git a/src/analyses.test.ts b/src/analyses.test.ts index 02df6134c..57848ebd3 100644 --- a/src/analyses.test.ts +++ b/src/analyses.test.ts @@ -16,7 +16,7 @@ import { } from "./analyses"; import { EnvVar } from "./environment"; import { getRunnerLogger } from "./logging"; -import { createFeatures, setupTests } from "./testing-utils"; +import { createFeatures, RecordingLogger, setupTests } from "./testing-utils"; import { AssessmentPayload } from "./upload-lib/types"; import { ConfigurationError } from "./util"; 
@@ -70,19 +70,21 @@ test.serial( ); test.serial( - "getAnalysisKinds - throws for multiple analysis kinds outside of test mode", + "getAnalysisKinds - only use `code-scanning` for multiple analysis kinds outside of test mode", async (t) => { process.env[EnvVar.TEST_MODE] = "false"; const features = createFeatures([]); + const logger = new RecordingLogger(); const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput"); requiredInputStub .withArgs("analysis-kinds") .returns("code-scanning,code-quality"); - await t.throwsAsync( - getAnalysisKinds(getRunnerLogger(true), features, true), - { - instanceOf: ConfigurationError, - }, + const result = await getAnalysisKinds(logger, features, true); + t.deepEqual(result, [AnalysisKind.CodeScanning]); + t.assert( + logger.hasMessage( + "Continuing with only `analysis-kinds: code-scanning`.", + ), ); }, ); diff --git a/src/analyses.ts b/src/analyses.ts index 69247ab78..a2dd5e8db 100644 --- a/src/analyses.ts +++ b/src/analyses.ts @@ -122,17 +122,23 @@ export async function getAnalysisKinds( } } - // Throw an error if we have multiple inputs for `analysis-kinds` outside of test mode. + // Log an error if we have multiple inputs for `analysis-kinds` outside of test mode, + // and enable only `code-scanning`. if ( !isInTestMode() && analysisKinds.length > 1 && !(await features.getValue(Feature.AllowMultipleAnalysisKinds)) ) { - throw new ConfigurationError( + logger.error( "The `analysis-kinds` input is experimental and for GitHub-internal use only. " + "Its behaviour may change at any time or be removed entirely. " + - "Specifying multiple values as input is no longer supported.", + "Specifying multiple values as input is no longer supported. " + + "Continuing with only `analysis-kinds: code-scanning`.", ); + + // Only enable Code Scanning. + cachedAnalysisKinds = [AnalysisKind.CodeScanning]; + return cachedAnalysisKinds; } // Cache the analysis kinds and return them. 
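Review bot: The new fallback in `getAnalysisKinds` (src/analyses.ts) replaces the parsed list with `[AnalysisKind.CodeScanning]` without checking that `code-scanning` was among the requested kinds, and the job carries on after `logger.error`. A workflow that asked only for other kinds would then finish successfully having run an analysis it did not request and skipped the ones it did, which is easy to miss in a green run. Consider keeping the `ConfigurationError` when `!analysisKinds.includes(AnalysisKind.CodeScanning)`, and add a case to src/analyses.test.ts for an input that omits `code-scanning`, since the updated test only covers `code-scanning,code-quality`. The function body continues outside the hunk.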
From 8d217609b05d7a35904ca7475a82f7bbb1a2b64d Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 12 May 2026 16:21:44 +0100 Subject: [PATCH 38/40] Nit: Tweak JSDoc for `getRawLanguagesNoAutodetect` --- src/config-utils.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/config-utils.ts b/src/config-utils.ts index 860f4651f..9f5f61c4e 100644 --- a/src/config-utils.ts +++ b/src/config-utils.ts @@ -407,7 +407,7 @@ export async function getLanguages( return languages; } -/** Parses the `languages` input into a list of languages without checking if they are supported by CodeQL. */ +/** Splits the `languages` input into a list of raw languages without checking if they are supported by CodeQL. */ export function getRawLanguagesNoAutodetect( languagesInput: string | undefined, ): string[] { From 2a6fe1608c7d5b1e0cb3d8e19d51c4ff1ca47a0d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 18:28:51 +0000 Subject: [PATCH 39/40] Bump actions/create-github-app-token Bumps the actions-minor group with 1 update in the /.github/workflows directory: [actions/create-github-app-token](https://github.com/actions/create-github-app-token). Updates `actions/create-github-app-token` from 3.1.1 to 3.2.0 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/create-github-app-token/compare/v3.1.1...v3.2.0) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/post-release-mergeback.yml | 2 +- .github/workflows/rollback-release.yml | 2 +- .github/workflows/update-release-branch.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml index 5e1b3c3cd..50b31d1f5 100644 --- a/.github/workflows/post-release-mergeback.yml +++ b/.github/workflows/post-release-mergeback.yml @@ -131,7 +131,7 @@ jobs: echo "::endgroup::" - name: Generate token - uses: actions/create-github-app-token@v3.1.1 + uses: actions/create-github-app-token@v3.2.0 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} diff --git a/.github/workflows/rollback-release.yml b/.github/workflows/rollback-release.yml index 65eac6c7b..ba10430f7 100644 --- a/.github/workflows/rollback-release.yml +++ b/.github/workflows/rollback-release.yml @@ -136,7 +136,7 @@ jobs: - name: Generate token if: github.event_name == 'workflow_dispatch' - uses: actions/create-github-app-token@v3.1.1 + uses: actions/create-github-app-token@v3.2.0 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml index 991b4ae9a..147689ace 100644 --- a/.github/workflows/update-release-branch.yml +++ b/.github/workflows/update-release-branch.yml @@ -93,7 +93,7 @@ jobs: pull-requests: write # needed to create pull request steps: - name: Generate token - uses: actions/create-github-app-token@v3.1.1 + uses: actions/create-github-app-token@v3.2.0 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} From 4041a11865997c316ce6a07449512369a0e809be Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 18:29:17 +0000 Subject: [PATCH 40/40] Bump the npm-minor group across 1 directory with 3 updates Bumps the npm-minor group with 3 updates in the / directory: [globals](https://github.com/sindresorhus/globals), [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) and [yaml](https://github.com/eemeli/yaml). Updates `globals` from 17.5.0 to 17.6.0 - [Release notes](https://github.com/sindresorhus/globals/releases) - [Commits](https://github.com/sindresorhus/globals/compare/v17.5.0...v17.6.0) Updates `typescript-eslint` from 8.59.1 to 8.59.2 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.2/packages/typescript-eslint) Updates `yaml` from 2.8.3 to 2.8.4 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](https://github.com/eemeli/yaml/compare/v2.8.3...v2.8.4) --- updated-dependencies: - dependency-name: globals dependency-version: 17.6.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.59.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: yaml dependency-version: 2.8.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-minor ... Signed-off-by: dependabot[bot] --- package-lock.json | 146 ++++++++++++++++++++--------------------- package.json | 4 +- pr-checks/package.json | 2 +- 3 files changed, 76 insertions(+), 76 deletions(-) diff --git a/package-lock.json b/package-lock.json index 2692749f8..48052b773 100644 
--- a/package-lock.json +++ b/package-lock.json @@ -57,11 +57,11 @@ "eslint-plugin-jsdoc": "^62.9.0", "eslint-plugin-no-async-foreach": "^0.1.1", "glob": "^11.1.0", - "globals": "^17.5.0", + "globals": "^17.6.0", "nock": "^14.0.12", "sinon": "^21.1.2", "typescript": "^6.0.3", - "typescript-eslint": "^8.59.1" + "typescript-eslint": "^8.59.2" } }, "node_modules/@aashutoshrathi/word-wrap": { @@ -2528,17 +2528,17 @@ "license": "MIT" }, "node_modules/@typescript-eslint/eslint-plugin": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.1.tgz", - "integrity": "sha512-BOziFIfE+6osHO9FoJG4zjoHUcvI7fTNBSpdAwrNH0/TLvzjsk2oo8XSSOT2HhqUyhZPfHv4UOffoJ9oEEQ7Ag==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.2.tgz", + "integrity": "sha512-j/bwmkBvHUtPNxzuWe5z6BEk3q54YRyGlBXkSsmfoih7zNrBvl5A9A98anlp/7JbyZcWIJ8KXo/3Tq/DjFLtuQ==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/regexpp": "^4.12.2", - "@typescript-eslint/scope-manager": "8.59.1", - "@typescript-eslint/type-utils": "8.59.1", - "@typescript-eslint/utils": "8.59.1", - "@typescript-eslint/visitor-keys": "8.59.1", + "@typescript-eslint/scope-manager": "8.59.2", + "@typescript-eslint/type-utils": "8.59.2", + "@typescript-eslint/utils": "8.59.2", + "@typescript-eslint/visitor-keys": "8.59.2", "ignore": "^7.0.5", "natural-compare": "^1.4.0", "ts-api-utils": "^2.5.0" @@ -2551,7 +2551,7 @@ "url": "https://opencollective.com/typescript-eslint" }, "peerDependencies": { - "@typescript-eslint/parser": "^8.59.1", + "@typescript-eslint/parser": "^8.59.2", "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0", "typescript": ">=4.8.4 <6.1.0" } 
@@ -2567,16 +2567,16 @@ } }, "node_modules/@typescript-eslint/parser": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.1.tgz", - "integrity": "sha512-HDQH9O/47Dxi1ceDhBXdaldtf/WV9yRYMjbjCuNk3qnaTD564qwv61Y7+gTxwxRKzSrgO5uhtw584igXVuuZkA==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.2.tgz", + "integrity": "sha512-plR3pp6D+SSUn1HM7xvSkx12/DhoHInI2YF35KAcVFNZvlC0gtrWqx7Qq1oH2Ssgi0vlFRCTbP+DZc7B9+TtsQ==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/scope-manager": "8.59.1", - "@typescript-eslint/types": "8.59.1", - "@typescript-eslint/typescript-estree": "8.59.1", - "@typescript-eslint/visitor-keys": "8.59.1", + "@typescript-eslint/scope-manager": "8.59.2", + "@typescript-eslint/types": "8.59.2", + "@typescript-eslint/typescript-estree": "8.59.2", + "@typescript-eslint/visitor-keys": "8.59.2", "debug": "^4.4.3" }, "engines": { @@ -2610,14 +2610,14 @@ } }, "node_modules/@typescript-eslint/project-service": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.1.tgz", - "integrity": "sha512-+MuHQlHiEr00Of/IQbE/MmEoi44znZHbR/Pz7Opq4HryUOlRi+/44dro9Ycy8Fyo+/024IWtw8m4JUMCGTYxDg==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.2.tgz", + "integrity": "sha512-+2hqvEkeyf/0FBor67duF0Ll7Ot8jyKzDQOSrxazF/danillRq2DwR9dLptsXpoZQqxE1UisSmoZewrlPas9Vw==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/tsconfig-utils": "^8.59.1", - "@typescript-eslint/types": "^8.59.1", + "@typescript-eslint/tsconfig-utils": "^8.59.2", + "@typescript-eslint/types": "^8.59.2", "debug": "^4.4.3" }, "engines": { 
@@ -2650,14 +2650,14 @@ } }, "node_modules/@typescript-eslint/scope-manager": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.1.tgz", - "integrity": "sha512-LwuHQI4pDOYVKvmH2dkaJo6YZCSgouVgnS/z7yBPKBMvgtBvyLqiLy9Z6b7+m/TRcX1NFYUqZetI5Y+aT4GEfg==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.2.tgz", + "integrity": "sha512-JzfyEpEtOU89CcFSwyNS3mu4MLvLSXqnmX05+aKBDM+TdR5jzcGOEBwxwGNxrEQ7p/z6kK2WyioCGBf2zZBnvg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.59.1", - "@typescript-eslint/visitor-keys": "8.59.1" + "@typescript-eslint/types": "8.59.2", + "@typescript-eslint/visitor-keys": "8.59.2" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -2668,9 +2668,9 @@ } }, "node_modules/@typescript-eslint/tsconfig-utils": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.1.tgz", - "integrity": "sha512-/0nEyPbX7gRsk0Uwfe4ALwwgxuA66d/l2mhRDNlAvaj4U3juhUtJNq0DsY8M2AYwwb9rEq2hrC3IcIcEt++iJA==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.2.tgz", + "integrity": "sha512-BKK4alN7oi4C/zv4VqHQ+uRU+lTa6JGIZ7s1juw7b3RHo9OfKB+bKX3u0iVZetdsUCBBkSbdWbarJbmN0fTeSw==", "dev": true, "license": "MIT", "engines": { 
@@ -2685,15 +2685,15 @@ } }, "node_modules/@typescript-eslint/type-utils": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.1.tgz", - "integrity": "sha512-klWPBR2ciQHS3f++ug/mVnWKPjBUo7icEL3FAO1lhAR1Z1i5NQYZ1EannMSRYcq5qCv5wNALlXr6fksRHyYl7w==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.2.tgz", + "integrity": "sha512-nhqaj1nmTdVVl/BP5omXNRGO38jn5iosis2vbdmupF2txCf8ylWT8lx+JlvMYYVqzGVKtjojUFoQ3JRWK+mfzQ==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.59.1", - "@typescript-eslint/typescript-estree": "8.59.1", - "@typescript-eslint/utils": "8.59.1", + "@typescript-eslint/types": "8.59.2", + "@typescript-eslint/typescript-estree": "8.59.2", + "@typescript-eslint/utils": "8.59.2", "debug": "^4.4.3", "ts-api-utils": "^2.5.0" }, @@ -2728,9 +2728,9 @@ } }, "node_modules/@typescript-eslint/types": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.1.tgz", - "integrity": "sha512-ZDCjgccSdYPw5Bxh+my4Z0lJU96ZDN7jbBzvmEn0FZx3RtU1C7VWl6NbDx94bwY3V5YsgwRzJPOgeY2Q/nLG8A==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.2.tgz", + "integrity": "sha512-e82GVOE8Ps3E++Egvb6Y3Dw0S10u8NkQ9KXmtRhCWJJ8kDhOJTvtMAWnFL16kB1583goCWXsr0NieKCZMs2/0Q==", "dev": true, "license": "MIT", "engines": { 
@@ -2742,16 +2742,16 @@ } }, "node_modules/@typescript-eslint/typescript-estree": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.1.tgz", - "integrity": "sha512-OUd+vJS05sSkOip+BkZ/2NS8RMxrAAJemsC6vU3kmfLyeaJT0TftHkV9mcx2107MmsBVXXexhVu4F0TZXyMl4g==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.2.tgz", + "integrity": "sha512-o0XPGNwcWw+FIwStOWn+BwBuEmL6QXP0rsvAFg7ET1dey1Nr6Wb1ac8p5HEsK0ygO/6mUxlk+YWQD9xcb/nnXg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/project-service": "8.59.1", - "@typescript-eslint/tsconfig-utils": "8.59.1", - "@typescript-eslint/types": "8.59.1", - "@typescript-eslint/visitor-keys": "8.59.1", + "@typescript-eslint/project-service": "8.59.2", + "@typescript-eslint/tsconfig-utils": "8.59.2", + "@typescript-eslint/types": "8.59.2", + "@typescript-eslint/visitor-keys": "8.59.2", "debug": "^4.4.3", "minimatch": "^10.2.2", "semver": "^7.7.3", @@ -2780,9 +2780,9 @@ } }, "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": { - "version": "5.0.5", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz", - "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==", + "version": "5.0.6", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz", + "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==", "dev": true, "license": "MIT", "dependencies": { 
@@ -2827,16 +2827,16 @@ } }, "node_modules/@typescript-eslint/utils": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.1.tgz", - "integrity": "sha512-3pIeoXhCeYH9FSCBI8P3iNwJlGuzPlYKkTlen2O9T1DSeeg8UG8jstq6BLk+Mda0qup7mgk4z4XL4OzRaxZ8LA==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.2.tgz", + "integrity": "sha512-Juw3EinkXqjaffxz6roowvV7GZT/kET5vSKKZT6upl5TXdWkLkYmNPXwDDL2Vkt2DPn0nODIS4egC/0AGxKo/Q==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.9.1", - "@typescript-eslint/scope-manager": "8.59.1", - "@typescript-eslint/types": "8.59.1", - "@typescript-eslint/typescript-estree": "8.59.1" + "@typescript-eslint/scope-manager": "8.59.2", + "@typescript-eslint/types": "8.59.2", + "@typescript-eslint/typescript-estree": "8.59.2" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -2851,13 +2851,13 @@ } }, "node_modules/@typescript-eslint/visitor-keys": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.1.tgz", - "integrity": "sha512-LdDNl6C5iJExcM0Yh0PwAIBb9PrSiCsWamF/JyEZawm3kFDnRoaq3LGE4bpyRao/fWeGKKyw7icx0YxrLFC5Cg==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.2.tgz", + "integrity": "sha512-NwjLUnGy8/Zfx23fl50tRC8rYaYnM52xNRYFAXvmiil9yh1+K6aRVQMnzW6gQB/1DLgWt977lYQn7C+wtgXZiA==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.59.1", + "@typescript-eslint/types": "8.59.2", "eslint-visitor-keys": "^5.0.0" }, "engines": { 
@@ -6121,9 +6121,9 @@ } }, "node_modules/globals": { - "version": "17.5.0", - "resolved": "https://registry.npmjs.org/globals/-/globals-17.5.0.tgz", - "integrity": "sha512-qoV+HK2yFl/366t2/Cb3+xxPUo5BuMynomoDmiaZBIdbs+0pYbjfZU+twLhGKp4uCZ/+NbtpVepH5bGCxRyy2g==", + "version": "17.6.0", + "resolved": "https://registry.npmjs.org/globals/-/globals-17.6.0.tgz", + "integrity": "sha512-sepffkT8stwnIYbsMBpoCHJuJM5l98FUF2AnE07hfvE0m/qp3R586hw4jF4uadbhvg1ooIdzuu7CsfD2jzCaNA==", "dev": true, "license": "MIT", "engines": { @@ -9789,16 +9789,16 @@ } }, "node_modules/typescript-eslint": { - "version": "8.59.1", - "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.1.tgz", - "integrity": "sha512-xqDcFVBmlrltH64lklOVp1wYxgJr6LVdg3NamBgH2OOQDLFdTKfIZXF5PfghrnXQKXZGTQs8tr1vL7fJvq8CTQ==", + "version": "8.59.2", + "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.2.tgz", + "integrity": "sha512-pJw051uomb3ZeCzGTpRb8RbEqB5Y4WWet8gl/GcTlU35BSx0PVdZ86/bqkQCyKKuraVQEK7r6kBHQXF+fBhkoQ==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/eslint-plugin": "8.59.1", - "@typescript-eslint/parser": "8.59.1", - "@typescript-eslint/typescript-estree": "8.59.1", - "@typescript-eslint/utils": "8.59.1" + "@typescript-eslint/eslint-plugin": "8.59.2", + "@typescript-eslint/parser": "8.59.2", + "@typescript-eslint/typescript-estree": "8.59.2", + "@typescript-eslint/utils": "8.59.2" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" 
@@ -10261,9 +10261,9 @@ } }, "node_modules/yaml": { - "version": "2.8.3", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz", - "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==", + "version": "2.8.4", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.4.tgz", + "integrity": "sha512-ml/JPOj9fOQK8RNnWojA67GbZ0ApXAUlN2UQclwv2eVgTgn7O9gg9o7paZWKMp4g0H3nTLtS9LVzhkpOFIKzog==", "license": "ISC", "bin": { "yaml": "bin.mjs" @@ -10404,7 +10404,7 @@ "@octokit/core": "^7.0.6", "@octokit/plugin-paginate-rest": ">=9.2.2", "@octokit/plugin-rest-endpoint-methods": "^17.0.0", - "yaml": "^2.8.3" + "yaml": "^2.8.4" }, "devDependencies": { "@types/node": "^20.19.39",
diff --git a/package.json b/package.json
index 3bd6d87ec..d46e50792 100644
--- a/package.json
+++ b/package.json
@@ -64,11 +64,11 @@
 "eslint-plugin-jsdoc": "^62.9.0",
 "eslint-plugin-no-async-foreach": "^0.1.1",
 "glob": "^11.1.0",
- "globals": "^17.5.0",
+ "globals": "^17.6.0",
 "nock": "^14.0.12",
 "sinon": "^21.1.2",
 "typescript": "^6.0.3",
- "typescript-eslint": "^8.59.1"
+ "typescript-eslint": "^8.59.2"
 },
 "overrides": {
 "@actions/tool-cache": {
diff --git a/pr-checks/package.json b/pr-checks/package.json
index 0189318ed..2741560f6 100644
--- a/pr-checks/package.json
+++ b/pr-checks/package.json
@@ -7,7 +7,7 @@
 "@octokit/core": "^7.0.6",
 "@octokit/plugin-paginate-rest": ">=9.2.2",
 "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
- "yaml": "^2.8.3"
+ "yaml": "^2.8.4"
 },
 "devDependencies": {
 "@types/node": "^20.19.39",