Test required input

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +0,0 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Contact GitHub Support
-    url: https://support.github.com/contact?subject=Code+Scanning+Beta+Support&tags=code-scanning-support
-    about: Contact Support about code scanning

.github/workflows/codeql.yml

@@ -1,6 +1,6 @@
 name: "CodeQL action"
 
-on: [push, pull_request]
+on: [push]
 
 jobs:
   build:
@@ -11,18 +11,7 @@ jobs:
 
     steps:
     - uses: actions/checkout@v1
-      with:
-        # Must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head of the pull request.
-        fetch-depth: 2
-
-    # If this run was triggered by a pull request event then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
-
     - uses: ./init
       with:
-        languages: javascript
         config-file: ./.github/codeql/codeql-config.yml
     - uses: ./analyze

.github/workflows/integration-testing.yml

@@ -1,10 +1,14 @@
 name: "Integration Testing"
 
-on: [push, pull_request]
+on: [push]
 
 jobs:
   multi-language-repo_test-autodetect-languages:
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
 
     steps:
     - uses: actions/checkout@v2
@@ -12,8 +16,9 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        mv * .github ../action/
-        mv ../action/tests/multi-language-repo/{*,.github} .
+        shopt -s dotglob
+        mv * ../action/
+        mv ../action/tests/multi-language-repo/* .
     - uses: ./../action/init
     - name: Build code
       shell: bash
@@ -21,18 +26,6 @@ jobs:
     - uses: ./../action/analyze
       env:
         TEST_MODE: true
-    - run: |
-        cd "$CODEQL_ACTION_DATABASE_DIR"
-        if [ "$(ls | wc -l)" != 6 ] || \
-           [[ ! -d cpp ]] || \
-           [[ ! -d csharp ]] || \
-           [[ ! -d go ]] || \
-           [[ ! -d java ]] || \
-           [[ ! -d javascript ]] || \
-           [[ ! -d python ]]; then
-          echo "Did not find expected number of databases. Database dir contains: $(ls)"
-          exit 1
-        fi
 
   multi-language-repo_test-custom-queries:
     strategy:
@@ -47,8 +40,9 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        mv * .github ../action/
-        mv ../action/tests/multi-language-repo/{*,.github} .
+        shopt -s dotglob
+        mv * ../action/
+        mv ../action/tests/multi-language-repo/* .
     - uses: ./../action/init
       with:
         languages: cpp,csharp,java,javascript,python
@@ -78,8 +72,9 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        mv * .github ../action/
-        mv ../action/tests/multi-language-repo/{*,.github} .
+        shopt -s dotglob
+        mv * ../action/
+        mv ../action/tests/multi-language-repo/* .
     - uses: ./../action/init
       with:
         languages: go
@@ -101,8 +96,9 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        mv * .github ../action/
-        mv ../action/tests/multi-language-repo/{*,.github} .
+        shopt -s dotglob
+        mv * ../action/
+        mv ../action/tests/multi-language-repo/* .
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
@@ -121,4 +117,4 @@ jobs:
       with:
         sarif_file: rubocop.sarif
       env:
-        TEST_MODE: true
+        TEST_MODE: true

README.md

@@ -18,7 +18,6 @@ name: "Code Scanning - Action"
 
 on:
   push:
-  pull_request:
   schedule:
     - cron: '0 0 * * 0'
 
@@ -34,17 +33,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
-        with:
-          # Must fetch at least the immediate parents so that if this is
-          # a pull request then we can checkout the head of the pull request.
-          # Only include this option if you are running this workflow on pull requests.
-          fetch-depth: 2
-
-      # If this run was triggered by a pull request event then checkout
-      # the head of the pull request instead of the merge commit.
-      # Only include this step if you are running this workflow on pull requests.
-      - run: git checkout HEAD^2
-        if: ${{ github.event_name == 'pull_request' }}
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

init/action.yml

@@ -8,7 +8,7 @@ inputs:
     default: https://github.com/github/codeql-action/releases/download/codeql-bundle-20200427/codeql-bundle.tar.gz
   languages:
     description: The languages to be analysed
-    required: false
+    required: true
   token:
     default: ${{ github.token }}
   config-file:

lib/upload-lib.js

@@ -133,7 +133,7 @@ async function uploadFiles(sarifFiles) {
             return false;
         }
         core.exportVariable(sentinelEnvVar, sentinelEnvVar);
-        const commitOid = await util.getCommitOid();
+        const commitOid = util.getRequiredEnvParam('GITHUB_SHA');
         const workflowRunIDStr = util.getRequiredEnvParam('GITHUB_RUN_ID');
         const ref = util.getRef();
         const analysisKey = await util.getAnalysisKey();

lib/util.js

@@ -11,7 +11,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
-const exec = __importStar(require("@actions/exec"));
 const http = __importStar(require("@actions/http-client"));
 const auth = __importStar(require("@actions/http-client/auth"));
 const octokit = __importStar(require("@octokit/rest"));
@@ -34,6 +33,12 @@ function should_abort(actionName, requireInitActionHasRun) {
         core.setFailed('GITHUB_REF must be set.');
         return true;
     }
+    // Should abort if called on a merge commit for a pull request.
+    if (ref.startsWith('refs/pull/')) {
+        core.warning('The CodeQL ' + actionName + ' action is intended for workflows triggered on `push` events, '
+            + 'but the current workflow is running on a pull request. Aborting.');
+        return true;
+    }
     // If the init action is required, then check the it completed successfully.
     if (requireInitActionHasRun && process.env[sharedEnv.CODEQL_ACTION_INIT_COMPLETED] === undefined) {
         core.setFailed('The CodeQL ' + actionName + ' action cannot be used unless the CodeQL init action is run first. Aborting.');
@@ -146,21 +151,6 @@ async function getLanguages() {
     return languages;
 }
 exports.getLanguages = getLanguages;
-/**
- * Gets the SHA of the commit that is currently checked out.
- */
-async function getCommitOid() {
-    let commitOid = '';
-    await exec.exec('git', ['rev-parse', 'HEAD'], {
-        silent: true,
-        listeners: {
-            stdout: (data) => { commitOid += data.toString(); },
-            stderr: (data) => { process.stderr.write(data); }
-        }
-    });
-    return commitOid.trim();
-}
-exports.getCommitOid = getCommitOid;
 /**
  * Get the path of the currently executing workflow.
  */
@@ -206,20 +196,8 @@ exports.getAnalysisKey = getAnalysisKey;
  * Get the ref currently being analyzed.
  */
 function getRef() {
-    // Will be in the form "refs/heads/master" on a push event
-    // or in the form "refs/pull/N/merge" on a pull_request event
-    const ref = getRequiredEnvParam('GITHUB_REF');
-    // For pull request refs we want to convert from the 'merge' ref
-    // to the 'head' ref, as that is what we want to analyse.
-    // There should have been some code earlier in the workflow to do
-    // the checkout, but we have no way of verifying that here.
-    const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
-    if (pull_ref_regex.test(ref)) {
-        return ref.replace(pull_ref_regex, 'refs/pull/$1/head');
-    }
-    else {
-        return ref;
-    }
+    // it's in the form "refs/heads/master"
+    return getRequiredEnvParam('GITHUB_REF');
 }
 exports.getRef = getRef;
 /**

src/upload-lib.ts

@@ -136,7 +136,7 @@ async function uploadFiles(sarifFiles: string[]): Promise<boolean> {
         }
         core.exportVariable(sentinelEnvVar, sentinelEnvVar);
 
-        const commitOid = await util.getCommitOid();
+        const commitOid = util.getRequiredEnvParam('GITHUB_SHA');
         const workflowRunIDStr = util.getRequiredEnvParam('GITHUB_RUN_ID');
         const ref = util.getRef();
         const analysisKey = await util.getAnalysisKey();

src/util.ts

@@ -1,5 +1,4 @@
 import * as core from '@actions/core';
-import * as exec from '@actions/exec';
 import * as http from '@actions/http-client';
 import * as auth from '@actions/http-client/auth';
 import * as octokit from '@octokit/rest';
@@ -26,6 +25,13 @@ export function should_abort(actionName: string, requireInitActionHasRun: boolea
         return true;
     }
 
+    // Should abort if called on a merge commit for a pull request.
+    if (ref.startsWith('refs/pull/')) {
+        core.warning('The CodeQL ' + actionName + ' action is intended for workflows triggered on `push` events, '
+            + 'but the current workflow is running on a pull request. Aborting.');
+        return true;
+    }
+
     // If the init action is required, then check the it completed successfully.
     if (requireInitActionHasRun && process.env[sharedEnv.CODEQL_ACTION_INIT_COMPLETED] === undefined) {
         core.setFailed('The CodeQL ' + actionName + ' action cannot be used unless the CodeQL init action is run first. Aborting.');
@@ -146,21 +152,6 @@ export async function getLanguages(): Promise<string[]> {
     return languages;
 }
 
-/**
- * Gets the SHA of the commit that is currently checked out.
- */
-export async function getCommitOid(): Promise<string> {
-    let commitOid = '';
-    await exec.exec('git', ['rev-parse', 'HEAD'], {
-        silent: true,
-        listeners: {
-            stdout: (data) => { commitOid += data.toString(); },
-            stderr: (data) => { process.stderr.write(data); }
-        }
-    });
-    return commitOid.trim();
-}
-
 /**
  * Get the path of the currently executing workflow.
  */
@@ -213,20 +204,8 @@ export async function getAnalysisKey(): Promise<string> {
  * Get the ref currently being analyzed.
  */
 export function getRef(): string {
-    // Will be in the form "refs/heads/master" on a push event
-    // or in the form "refs/pull/N/merge" on a pull_request event
-    const ref = getRequiredEnvParam('GITHUB_REF');
-
-    // For pull request refs we want to convert from the 'merge' ref
-    // to the 'head' ref, as that is what we want to analyse.
-    // There should have been some code earlier in the workflow to do
-    // the checkout, but we have no way of verifying that here.
-    const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
-    if (pull_ref_regex.test(ref)) {
-        return ref.replace(pull_ref_regex, 'refs/pull/$1/head');
-    } else {
-        return ref;
-    }
+    // it's in the form "refs/heads/master"
+    return getRequiredEnvParam('GITHUB_REF');
 }
 
 interface StatusReport {