Allow query-filters for code-quality

Bump @actions/io from 1.1.3 to 2.0.0

.github/actions/release-initialise/action.yml

@@ -16,9 +16,9 @@ runs:
       shell: bash
 
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
-        python-version: 3.12
+        python-version: '3.12'
 
     - name: Install dependencies
       run: |

.github/workflows/__bundle-zstd.yml

@@ -79,7 +79,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: ${{ matrix.os }}-zstd-bundle.sarif
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__config-export.yml

@@ -67,7 +67,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__diagnostics-export.yml

@@ -78,7 +78,7 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
       - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__export-file-baseline-information.yml

@@ -85,7 +85,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__job-run-uuid-sarif.yml

@@ -64,7 +64,7 @@ jobs:
         with:
           output: ${{ runner.temp }}/results
       - name: Upload SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
           path: ${{ runner.temp }}/results/javascript.sarif

.github/workflows/__quality-queries.yml

@@ -83,7 +83,7 @@ jobs:
           post-processed-sarif-path: ${{ runner.temp }}/post-processed
       - name: Upload security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: |
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -91,14 +91,14 @@ jobs:
           retention-days: 7
       - name: Upload quality SARIF
         if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: |
             quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
           path: ${{ runner.temp }}/results/javascript.quality.sarif
           retention-days: 7
       - name: Upload post-processed SARIF
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: |
             post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json

.github/workflows/__rubocop-multi-language.yml

@@ -56,7 +56,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
+        uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/check-expected-release-files.yml

@@ -15,7 +15,7 @@ defaults:
 
 jobs:
   check-expected-release-files:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
 
     permissions:
       contents: read

.github/workflows/debug-artifacts-failure-safe.yml

@@ -79,7 +79,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
       - name: Check expected artifacts exist
         run: |
           LANGUAGES="cpp csharp go java javascript python"

.github/workflows/debug-artifacts-safe.yml

@@ -73,7 +73,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
       - name: Check expected artifacts exist
         run: |
           VERSIONS="stable-v2.20.3 default linked nightly-latest"

.github/workflows/label-pr-size.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   sizeup:
     name: Label PR with size
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
 
     steps:
       - name: Run sizeup

.github/workflows/post-release-mergeback.yml

@@ -24,7 +24,7 @@ defaults:
 
 jobs:
   merge-back:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     environment: Automation
     if: github.repository == 'github/codeql-action'
     env:
@@ -48,6 +48,9 @@ jobs:
         with:
           fetch-depth: 0  # ensure we have all tags and can push commits
       - uses: actions/setup-node@v6
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
 
       - name: Update git config
         run: |

.github/workflows/prepare-release.yml

@@ -29,7 +29,7 @@ defaults:
 jobs:
   prepare:
     name: "Prepare release"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.repository == 'github/codeql-action'
 
     permissions:

.github/workflows/publish-immutable-action.yml

@@ -1,8 +1,10 @@
 name: 'Publish Immutable Action Version'
 
 on:
-  release:
-    types: [published]
+  push:
+    tags:
+      # Match version tags, but not the major version tags.
+      - 'v[0-9]+.**'
 
 defaults:
   run:
@@ -10,30 +12,16 @@ defaults:
 
 jobs:
   publish:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     permissions:
       contents: read
       id-token: write
       packages: write
 
     steps:
-      - name: Check release name
-        id: check
-        env:
-          RELEASE_NAME: ${{ github.event.release.name }}
-        run: |
-          echo "Release name: ${{ github.event.release.name }}"
-          if [[ $RELEASE_NAME == v* ]]; then
-            echo "This is a CodeQL Action release. Create an Immutable Action"
-            echo "is-action-release=true" >> $GITHUB_OUTPUT
-          else
-            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
-            echo "is-action-release=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Checking out
-        if: steps.check.outputs.is-action-release == 'true'
+      - name: Checkout repository
         uses: actions/checkout@v5
-      - name: Publish
-        if: steps.check.outputs.is-action-release == 'true'
+
+      - name: Publish immutable release
         id: publish
         uses: actions/publish-immutable-action@v0.0.4

.github/workflows/update-bundle.yml

@@ -20,7 +20,7 @@ defaults:
 jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     permissions:
       contents: write # needed to push commits
       pull-requests: write # needed to create pull requests

.github/workflows/update-release-branch.yml

@@ -26,7 +26,7 @@ jobs:
 
   update:
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.event_name == 'workflow_dispatch'
     needs: [prepare]
     env:
@@ -77,7 +77,7 @@ jobs:
 
   backport:
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     environment: Automation
     needs: [prepare]
     if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -9,7 +9,7 @@ jobs:
   update-supported-enterprise-server-versions:
     name: Update Supported Enterprise Server Versions
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: github.repository == 'github/codeql-action'
     permissions:
       contents: write # needed to push commits

CHANGELOG.md

@@ -6,6 +6,14 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 No user facing changes.
 
+## 4.31.2 - 30 Oct 2025
+
+No user facing changes.
+
+## 4.31.1 - 30 Oct 2025
+
+- The `add-snippets` input has been removed from the `analyze` action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.
+
 ## 4.31.0 - 24 Oct 2025
 
 - Bump minimum CodeQL bundle version to 2.17.6. [#3223](https://github.com/github/codeql-action/pull/3223)

analyze/action.yml

@@ -32,14 +32,10 @@ inputs:
       and 13GB for macOS).
     required: false
   add-snippets:
-    description: Specify whether or not to add code snippets to the output sarif file.
+    description: Does not have any effect.
     required: false
-    default: "false"
     deprecationMessage: >-
-      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
-      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
-      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
-      a no operation. No alternative is available.
+      The input "add-snippets" has been removed and no longer has any effect.
   skip-queries:
     description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
     required: false

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.31.1",
+  "version": "4.31.3",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -24,23 +24,20 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/artifact": "^2.3.1",
+    "@actions/artifact": "^4.0.0",
     "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2",
     "@actions/cache": "^4.1.0",
     "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
     "@actions/github": "^6.0.0",
     "@actions/glob": "^0.5.0",
-    "@actions/http-client": "^2.2.3",
-    "@actions/io": "^1.1.3",
+    "@actions/http-client": "^3.0.0",
+    "@actions/io": "^2.0.0",
     "@actions/tool-cache": "^2.0.2",
     "@octokit/plugin-retry": "^6.0.0",
-    "@octokit/request-error": "^7.0.1",
+    "@octokit/request-error": "^7.0.2",
     "@schemastore/package": "0.0.10",
     "archiver": "^7.0.1",
-    "check-disk-space": "^3.4.0",
-    "console-log-level": "^1.4.1",
-    "del": "^8.0.0",
     "fast-deep-equal": "^3.1.3",
     "follow-redirects": "^1.15.11",
     "get-folder-size": "^5.0.0",
@@ -48,29 +45,28 @@
     "jsonschema": "1.4.1",
     "long": "^5.3.2",
     "node-forge": "^1.3.1",
-    "octokit": "^5.0.4",
+    "octokit": "^5.0.5",
     "semver": "^7.7.3",
     "uuid": "^13.0.0"
   },
   "devDependencies": {
     "@ava/typescript": "6.0.0",
-    "@eslint/compat": "^1.4.0",
+    "@eslint/compat": "^1.4.1",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.38.0",
+    "@eslint/js": "^9.39.0",
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
-    "@octokit/types": "^15.0.0",
-    "@types/archiver": "^6.0.3",
-    "@types/console-log-level": "^1.4.5",
+    "@octokit/types": "^16.0.0",
+    "@types/archiver": "^7.0.0",
     "@types/follow-redirects": "^1.14.4",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "20.19.9",
     "@types/node-forge": "^1.3.14",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^17.0.4",
-    "@typescript-eslint/eslint-plugin": "^8.46.1",
+    "@typescript-eslint/eslint-plugin": "^8.46.3",
     "@typescript-eslint/parser": "^8.41.0",
     "ava": "^6.4.1",
-    "esbuild": "^0.25.11",
+    "esbuild": "^0.25.12",
     "eslint": "^8.57.1",
     "eslint-import-resolver-typescript": "^3.8.7",
     "eslint-plugin-filenames": "^1.3.2",

pr-checks/checks/bundle-zstd.yml

@@ -27,7 +27,7 @@ steps:
       output: ${{ runner.temp }}/results
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
     with:
       name: ${{ matrix.os }}-zstd-bundle.sarif
       path: ${{ runner.temp }}/results/javascript.sarif

pr-checks/checks/config-export.yml

@@ -12,7 +12,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
     with:
       name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/diagnostics-export.yml

@@ -25,7 +25,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Upload SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
     with:
       name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/export-file-baseline-information.yml

@@ -17,7 +17,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
   - name: Upload SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
     with:
       name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/job-run-uuid-sarif.yml

@@ -11,7 +11,7 @@ steps:
     with:
       output: "${{ runner.temp }}/results"
   - name: Upload SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
     with:
       name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
       path: "${{ runner.temp }}/results/javascript.sarif"

pr-checks/checks/quality-queries.yml

@@ -39,7 +39,7 @@ steps:
       post-processed-sarif-path: "${{ runner.temp }}/post-processed"
   - name: Upload security SARIF
     if: contains(matrix.analysis-kinds, 'code-scanning')
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
     with:
       name: |
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
@@ -47,14 +47,14 @@ steps:
       retention-days: 7
   - name: Upload quality SARIF
     if: contains(matrix.analysis-kinds, 'code-quality')
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
     with:
       name: |
         quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
       path: "${{ runner.temp }}/results/javascript.quality.sarif"
       retention-days: 7
   - name: Upload post-processed SARIF
-    uses: actions/upload-artifact@v4
+    uses: actions/upload-artifact@v5
     with:
       name: |
         post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json

pr-checks/checks/rubocop-multi-language.yml

@@ -4,7 +4,7 @@ description: "Tests using RuboCop to analyze a multi-language repository and the
 versions: ["default"]
 steps:
   - name: Set up Ruby
-    uses: ruby/setup-ruby@ab177d40ee5483edb974554986f56b33477e21d0 # v1.265.0
+    uses: ruby/setup-ruby@d5126b9b3579e429dd52e51e68624dda2e05be25 # v1.267.0
     with:
       ruby-version: 2.6
   - name: Install Code Scanning integration

scripts/check-node-modules.sh

@@ -9,9 +9,15 @@ if [ "$GITHUB_ACTIONS" = "true" ]; then
 fi
 
 # Check if npm install is likely needed before proceeding
-if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then
-  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated..."
+if [ ! -d node_modules ]; then
+  echo "Running 'npm install' because 'node_modules' directory is missing."
+  npm install
+elif [ package.json -nt package-lock.json ]; then
+  echo "Running 'npm install' because 'package-lock.json' appears to be outdated."
+  npm install
+elif [ package-lock.json -nt node_modules/.package-lock.json ]; then
+  echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated."
   npm install
 else
-  echo "Skipping 'npm install' because 'node_modules/.package-lock.json' appears to be up-to-date."
+  echo "Skipping 'npm install' because everything appears to be up-to-date."
 fi

src/analyze-action-env.test.ts

@@ -78,7 +78,7 @@ test("analyze action with RAM & threads from environment variables", async (t) =
     t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
     t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=4992");
     t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
     t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=4992");
   });
 });

src/analyze-action-input.test.ts

@@ -76,7 +76,7 @@ test("analyze action with RAM & threads from action inputs", async (t) => {
     t.deepEqual(runFinalizeStub.firstCall.args[1], "--threads=-1");
     t.deepEqual(runFinalizeStub.firstCall.args[2], "--ram=3012");
     t.assert(runQueriesStub.calledOnce);
-    t.deepEqual(runQueriesStub.firstCall.args[3], "--threads=-1");
+    t.deepEqual(runQueriesStub.firstCall.args[2], "--threads=-1");
     t.deepEqual(runQueriesStub.firstCall.args[1], "--ram=3012");
   });
 });

src/analyze-action.ts

@@ -30,6 +30,7 @@ import {
   DependencyCacheUploadStatusReport,
   uploadDependencyCaches,
 } from "./dependency-caching";
+import { getDiffInformedAnalysisBranches } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
 import { KnownLanguage } from "./languages";
@@ -301,8 +302,14 @@ async function run() {
       logger,
     );
 
-    // Setup diff informed analysis if needed (based on whether init created the file)
-    const diffRangePackDir = await setupDiffInformedQueryRun(logger);
+    const branches = await getDiffInformedAnalysisBranches(
+      codeql,
+      features,
+      logger,
+    );
+    const diffRangePackDir = branches
+      ? await setupDiffInformedQueryRun(branches, logger)
+      : undefined;
 
     await warnIfGoInstalledAfterInit(config, logger);
     await runAutobuildIfLegacyGoWorkflow(config, logger);
@@ -317,10 +324,16 @@ async function run() {
     );
 
     if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
+      // Warn if the removed `add-snippets` input is used.
+      if (actionsUtil.getOptionalInput("add-snippets") !== undefined) {
+        logger.warning(
+          "The `add-snippets` input has been removed and no longer has any effect.",
+        );
+      }
+
       runStats = await runQueries(
         outputDir,
         memory,
-        util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")),
         threads,
         diffRangePackDir,
         actionsUtil.getOptionalInput("category"),

src/analyze.test.ts

@@ -37,7 +37,6 @@ test("status report fields", async (t) => {
     setupActionsVars(tmpDir, tmpDir);
 
     const memoryFlag = "";
-    const addSnippetsFlag = "";
     const threadsFlag = "";
     sinon.stub(uploadLib, "validateSarifFileSchema");
 
@@ -103,7 +102,6 @@ test("status report fields", async (t) => {
       const statusReport = await runQueries(
         tmpDir,
         memoryFlag,
-        addSnippetsFlag,
         threadsFlag,
         undefined,
         undefined,

src/analyze.ts

@@ -3,10 +3,9 @@ import * as path from "path";
 import { performance } from "perf_hooks";
 
 import * as io from "@actions/io";
-import * as del from "del";
 import * as yaml from "js-yaml";
 
-import { getTemporaryDirectory, getRequiredInput } from "./actions-util";
+import { getTemporaryDirectory, PullRequestBranches } from "./actions-util";
 import * as analyses from "./analyses";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
@@ -15,7 +14,8 @@ import { getJavaTempDependencyDir } from "./dependency-caching";
 import { addDiagnostic, makeDiagnostic } from "./diagnostics";
 import {
   DiffThunkRange,
-  readDiffRangesJsonFile,
+  writeDiffRangesJsonFile,
+  getPullRequestEditedDiffRanges,
 } from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { FeatureEnablement, Feature } from "./feature-flags";
@@ -281,36 +281,16 @@ async function finalizeDatabaseCreation(
  * the diff range information, or `undefined` if the feature is disabled.
  */
 export async function setupDiffInformedQueryRun(
+  branches: PullRequestBranches,
   logger: Logger,
 ): Promise<string | undefined> {
   return await withGroupAsync(
     "Generating diff range extension pack",
     async () => {
-      // Only use precomputed diff ranges; never recompute here.
-      let diffRanges: DiffThunkRange[] | undefined;
-      try {
-        diffRanges = readDiffRangesJsonFile(logger);
-      } catch (e) {
-        logger.debug(
-          `Failed to read precomputed diff ranges: ${util.getErrorMessage(e)}`,
-        );
-        diffRanges = undefined;
-      }
-
-      if (diffRanges === undefined) {
-        logger.info(
-          "No precomputed diff ranges found; skipping diff-informed analysis stage.",
-        );
-        return undefined;
-      }
-
-      const fileCount = new Set(
-        diffRanges.filter((r) => r.path).map((r) => r.path),
-      ).size;
       logger.info(
-        `Using precomputed diff ranges (${diffRanges.length} ranges across ${fileCount} files).`,
+        `Calculating diff ranges for ${branches.base}...${branches.head}`,
       );
-
+      const diffRanges = await getPullRequestEditedDiffRanges(branches, logger);
       const packDir = writeDiffRangeDataExtensionPack(logger, diffRanges);
       if (packDir === undefined) {
         logger.warning(
@@ -385,22 +365,14 @@ extensions:
 `;
 
   let data = ranges
-    .map((range) => {
-      // Diff-informed queries expect the file path to be absolute. CodeQL always
-      // uses forward slashes as the path separator, so on Windows we need to
-      // replace any backslashes with forward slashes.
-      const filename = path
-        .join(getRequiredInput("checkout_path"), range.path)
-        .replaceAll(path.sep, "/");
-
-      // Using yaml.dump() with `forceQuotes: true` ensures that all special
-      // characters are escaped, and that the path is always rendered as a
-      // quoted string on a single line.
-      return (
-        `      - [${yaml.dump(filename, { forceQuotes: true }).trim()}, ` +
-        `${range.startLine}, ${range.endLine}]\n`
-      );
-    })
+    .map(
+      (range) =>
+        // Using yaml.dump() with `forceQuotes: true` ensures that all special
+        // characters are escaped, and that the path is always rendered as a
+        // quoted string on a single line.
+        `      - [${yaml.dump(range.path, { forceQuotes: true }).trim()}, ` +
+        `${range.startLine}, ${range.endLine}]\n`,
+    )
     .join("");
   if (!data) {
     // Ensure that the data extension is not empty, so that a pull request with
@@ -415,6 +387,10 @@ extensions:
     `Wrote pr-diff-range extension pack to ${extensionFilePath}:\n${extensionContents}`,
   );
 
+  // Write the diff ranges to a JSON file, for action-side alert filtering by the
+  // upload-lib module.
+  writeDiffRangesJsonFile(logger, ranges);
+
   return diffRangeDir;
 }
 
@@ -460,7 +436,6 @@ export function addSarifExtension(
 export async function runQueries(
   sarifFolder: string,
   memoryFlag: string,
-  addSnippetsFlag: string,
   threadsFlag: string,
   diffRangePackDir: string | undefined,
   automationDetailsId: string | undefined,
@@ -650,7 +625,6 @@ export async function runQueries(
       databasePath,
       queries,
       sarifFile,
-      addSnippetsFlag,
       threadsFlag,
       enableDebugLogging ? "-vv" : "-v",
       sarifRunPropertyFlag,
@@ -694,7 +668,7 @@ export async function runFinalize(
   logger: Logger,
 ): Promise<DatabaseCreationTimings> {
   try {
-    await del.deleteAsync(outputDir, { force: true });
+    await fs.promises.rm(outputDir, { force: true, recursive: true });
   } catch (error: any) {
     if (error?.code !== "ENOENT") {
       throw error;

src/api-client.test.ts

@@ -169,4 +169,32 @@ test("wrapApiConfigurationError correctly wraps specific configuration errors",
     res,
     new util.ConfigurationError("Resource not accessible by integration"),
   );
+
+  // Enablement errors.
+  const enablementErrorMessages = [
+    "Code Security must be enabled for this repository to use code scanning",
+    "Advanced Security must be enabled for this repository to use code scanning",
+    "Code Scanning is not enabled for this repository. Please enable code scanning in the repository settings.",
+  ];
+  const transforms = [
+    (msg: string) => msg,
+    (msg: string) => msg.toLowerCase(),
+    (msg: string) => msg.toLocaleUpperCase(),
+  ];
+
+  for (const enablementErrorMessage of enablementErrorMessages) {
+    for (const transform of transforms) {
+      const enablementError = new util.HTTPError(
+        transform(enablementErrorMessage),
+        403,
+      );
+      res = api.wrapApiConfigurationError(enablementError);
+      t.deepEqual(
+        res,
+        new util.ConfigurationError(
+          api.getFeatureEnablementError(enablementError.message),
+        ),
+      );
+    }
+  }
 });

src/api-client.ts

@@ -1,7 +1,6 @@
 import * as core from "@actions/core";
 import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
-import consoleLogLevel from "console-log-level";
 
 import { getActionVersion, getRequiredInput } from "./actions-util";
 import { Logger } from "./logging";
@@ -50,7 +49,12 @@ function createApiClientWithDetails(
     githubUtils.getOctokitOptions(auth, {
       baseUrl: apiDetails.apiURL,
       userAgent: `CodeQL-Action/${getActionVersion()}`,
-      log: consoleLogLevel({ level: "debug" }),
+      log: {
+        debug: core.debug,
+        info: core.info,
+        warn: core.warning,
+        error: core.error,
+      },
     }),
   );
 }
@@ -279,6 +283,20 @@ export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
   });
 }
 
+function isEnablementError(msg: string) {
+  return [
+    /Code Security must be enabled/i,
+    /Advanced Security must be enabled/i,
+    /Code Scanning is not enabled/i,
+  ].some((pattern) => pattern.test(msg));
+}
+
+// TODO: Move to `error-messages.ts` after refactoring import order to avoid cycle
+// since `error-messages.ts` currently depends on this file.
+export function getFeatureEnablementError(message: string): string {
+  return `Please verify that the necessary features are enabled: ${message}`;
+}
+
 export function wrapApiConfigurationError(e: unknown) {
   const httpError = asHTTPError(e);
   if (httpError !== undefined) {
@@ -300,6 +318,11 @@ export function wrapApiConfigurationError(e: unknown) {
         "Please check that your token is valid and has the required permissions: contents: read, security-events: write",
       );
     }
+    if (httpError.status === 403 && isEnablementError(httpError.message)) {
+      return new ConfigurationError(
+        getFeatureEnablementError(httpError.message),
+      );
+    }
     if (httpError.status === 429) {
       return new ConfigurationError("API rate limit exceeded");
     }

src/codeql.test.ts

@@ -5,7 +5,6 @@ import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as io from "@actions/io";
 import * as toolcache from "@actions/tool-cache";
 import test, { ExecutionContext } from "ava";
-import * as del from "del";
 import * as yaml from "js-yaml";
 import nock from "nock";
 import * as sinon from "sinon";
@@ -557,7 +556,7 @@ const injectedConfigMacro = test.macro({
       const augmentedConfig = yaml.load(fs.readFileSync(configFile, "utf8"));
       t.deepEqual(augmentedConfig, expectedConfig);
 
-      await del.deleteAsync(configFile, { force: true });
+      await fs.promises.rm(configFile, { force: true });
     });
   },
 
@@ -1046,7 +1045,7 @@ test("Avoids duplicating --overwrite flag if specified in CODEQL_ACTION_EXTRA_OP
   );
   t.truthy(configArg, "Should have injected a codescanning config");
   const configFile = configArg!.split("=")[1];
-  await del.deleteAsync(configFile, { force: true });
+  await fs.promises.rm(configFile, { force: true });
 });
 
 export function stubToolRunnerConstructor(

src/codeql.ts

@@ -167,7 +167,6 @@ export interface CodeQL {
     databasePath: string,
     querySuitePaths: string[] | undefined,
     sarifFile: string,
-    addSnippetsFlag: string,
     threadsFlag: string,
     verbosityFlag: string | undefined,
     sarifRunPropertyFlag: string | undefined,
@@ -817,7 +816,6 @@ export async function getCodeQLForCmd(
       databasePath: string,
       querySuitePaths: string[] | undefined,
       sarifFile: string,
-      addSnippetsFlag: string,
       threadsFlag: string,
       verbosityFlag: string,
       sarifRunPropertyFlag: string | undefined,
@@ -836,7 +834,6 @@ export async function getCodeQLForCmd(
         "--format=sarif-latest",
         verbosityFlag,
         `--output=${sarifFile}`,
-        addSnippetsFlag,
         "--print-diagnostics-summary",
         "--print-metrics-summary",
         "--sarif-add-baseline-file-info",

src/config-utils.test.ts

@@ -210,7 +210,6 @@ test("load code quality config", async (t) => {
       computedConfig: {
         "disable-default-queries": true,
         queries: [{ uses: "code-quality" }],
-        "query-filters": [],
       },
       tempDir,
       codeQLCmd: codeql.getPath(),
@@ -256,7 +255,6 @@ test("initActionState doesn't throw if there are queries configured in the repos
     const computedConfig: configUtils.UserConfig = {
       "disable-default-queries": true,
       queries: [{ uses: "code-quality" }],
-      "query-filters": [],
     };
 
     const expectedConfig = createTestConfig({

src/config-utils.ts

@@ -776,8 +776,7 @@ function userConfigFromActionPath(tempDir: string): string {
 function hasQueryCustomisation(userConfig: UserConfig): boolean {
   return (
     isDefined(userConfig["disable-default-queries"]) ||
-    isDefined(userConfig.queries) ||
-    isDefined(userConfig["query-filters"])
+    isDefined(userConfig.queries)
   );
 }
 
@@ -839,7 +838,6 @@ export async function initConfig(
     // Set the query customisation options for Code Quality only analysis.
     config.computedConfig["disable-default-queries"] = true;
     config.computedConfig.queries = queries;
-    config.computedConfig["query-filters"] = [];
   }
 
   // The choice of overlay database mode depends on the selection of languages

src/debug-artifacts.ts

@@ -5,7 +5,6 @@ import * as artifact from "@actions/artifact";
 import * as artifactLegacy from "@actions/artifact-legacy";
 import * as core from "@actions/core";
 import archiver from "archiver";
-import * as del from "del";
 
 import { getOptionalInput, getTemporaryDirectory } from "./actions-util";
 import { dbIsFinalized } from "./analyze";
@@ -345,7 +344,7 @@ async function createPartialDatabaseBundle(
   );
   // See `bundleDb` for explanation behind deleting existing db bundle.
   if (fs.existsSync(databaseBundlePath)) {
-    await del.deleteAsync(databaseBundlePath, { force: true });
+    await fs.promises.rm(databaseBundlePath, { force: true });
   }
   const output = fs.createWriteStream(databaseBundlePath);
   const zip = archiver("zip");

src/diff-informed-analysis-utils.test.ts

@@ -188,6 +188,10 @@ test(
 );
 
 function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
+  sinon
+    .stub(actionsUtil, "getRequiredInput")
+    .withArgs("checkout_path")
+    .returns("/checkout/path");
   return exportedForTesting.getDiffRanges(
     {
       filename: "test.txt",
@@ -207,7 +211,7 @@ test("getDiffRanges: file diff too large", async (t) => {
   const diffRanges = runGetDiffRanges(1000000, undefined);
   t.deepEqual(diffRanges, [
     {
-      path: "test.txt",
+      path: "/checkout/path/test.txt",
       startLine: 0,
       endLine: 0,
     },
@@ -228,7 +232,7 @@ test("getDiffRanges: diff thunk with single addition range", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "test.txt",
+      path: "/checkout/path/test.txt",
       startLine: 53,
       endLine: 54,
     },
@@ -264,7 +268,7 @@ test("getDiffRanges: diff thunk with single update range", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "test.txt",
+      path: "/checkout/path/test.txt",
       startLine: 53,
       endLine: 53,
     },
@@ -286,12 +290,12 @@ test("getDiffRanges: diff thunk with addition ranges", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "test.txt",
+      path: "/checkout/path/test.txt",
       startLine: 53,
       endLine: 53,
     },
     {
-      path: "test.txt",
+      path: "/checkout/path/test.txt",
       startLine: 55,
       endLine: 55,
     },
@@ -318,12 +322,12 @@ test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "test.txt",
+      path: "/checkout/path/test.txt",
       startLine: 54,
       endLine: 54,
     },
     {
-      path: "test.txt",
+      path: "/checkout/path/test.txt",
       startLine: 57,
       endLine: 58,
     },
@@ -353,12 +357,12 @@ test("getDiffRanges: multiple diff thunks", async (t) => {
   ]);
   t.deepEqual(diffRanges, [
     {
-      path: "test.txt",
+      path: "/checkout/path/test.txt",
       startLine: 53,
       endLine: 54,
     },
     {
-      path: "test.txt",
+      path: "/checkout/path/test.txt",
       startLine: 153,
       endLine: 154,
     },
@@ -369,7 +373,7 @@ test("getDiffRanges: no diff context lines", async (t) => {
   const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
   t.deepEqual(diffRanges, [
     {
-      path: "test.txt",
+      path: "/checkout/path/test.txt",
       startLine: 50,
       endLine: 51,
     },

src/diff-informed-analysis-utils.ts

@@ -191,7 +191,12 @@ function getDiffRanges(
   fileDiff: FileDiff,
   logger: Logger,
 ): DiffThunkRange[] | undefined {
-  const filename = fileDiff.filename;
+  // Diff-informed queries expect the file path to be absolute. CodeQL always
+  // uses forward slashes as the path separator, so on Windows we need to
+  // replace any backslashes with forward slashes.
+  const filename = path
+    .join(actionsUtil.getRequiredInput("checkout_path"), fileDiff.filename)
+    .replaceAll(path.sep, "/");
 
   if (fileDiff.patch === undefined) {
     if (fileDiff.changes === 0) {

src/environment.ts

@@ -137,4 +137,10 @@ export enum EnvVar {
    * This setting is more specific than `CODEQL_ACTION_TEST_MODE`, which implies this option.
    */
   SKIP_SARIF_UPLOAD = "CODEQL_ACTION_SKIP_SARIF_UPLOAD",
+
+  /**
+   * Whether to skip workflow validation. Intended for internal use, where we know that
+   * the workflow is valid and validation is not necessary.
+   */
+  SKIP_WORKFLOW_VALIDATION = "CODEQL_ACTION_SKIP_WORKFLOW_VALIDATION",
 }

src/init-action.ts

@@ -34,11 +34,6 @@ import {
   logUnwrittenDiagnostics,
   makeDiagnostic,
 } from "./diagnostics";
-import {
-  getPullRequestEditedDiffRanges,
-  writeDiffRangesJsonFile,
-  getDiffInformedAnalysisBranches,
-} from "./diff-informed-analysis-utils";
 import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
 import { loadPropertiesFromApi } from "./feature-flags/properties";
@@ -51,7 +46,7 @@ import {
   runDatabaseInitCluster,
 } from "./init";
 import { KnownLanguage } from "./languages";
-import { getActionsLogger, Logger, withGroupAsync } from "./logging";
+import { getActionsLogger, Logger } from "./logging";
 import {
   downloadOverlayBaseDatabaseFromCache,
   OverlayBaseDatabaseDownloadStats,
@@ -91,7 +86,7 @@ import {
   getErrorMessage,
   BuildMode,
 } from "./util";
-import { validateWorkflow } from "./workflow";
+import { checkWorkflow } from "./workflow";
 
 /**
  * Sends a status report indicating that the `init` Action is starting.
@@ -293,16 +288,9 @@ async function run() {
     toolsSource = initCodeQLResult.toolsSource;
     zstdAvailability = initCodeQLResult.zstdAvailability;
 
-    core.startGroup("Validating workflow");
-    const validateWorkflowResult = await validateWorkflow(codeql, logger);
-    if (validateWorkflowResult === undefined) {
-      logger.info("Detected no issues with the code scanning workflow.");
-    } else {
-      logger.warning(
-        `Unable to validate code scanning workflow: ${validateWorkflowResult}`,
-      );
-    }
-    core.endGroup();
+    // Check the workflow for problems. If there are any problems, they are reported
+    // to the workflow log. No exceptions are thrown.
+    await checkWorkflow(logger, codeql);
 
     // Set CODEQL_ENABLE_EXPERIMENTAL_FEATURES for Rust if between 2.19.3 (included) and 2.22.1 (excluded)
     // We need to set this environment variable before initializing the config, otherwise Rust
@@ -363,7 +351,6 @@ async function run() {
     });
 
     await checkInstallPython311(config.languages, codeql);
-    await computeAndPersistDiffRanges(codeql, features, logger);
   } catch (unwrappedError) {
     const error = wrapError(unwrappedError);
     core.setFailed(error.message);
@@ -776,43 +763,6 @@ async function run() {
   );
 }
 
-/**
- * Compute and persist diff ranges when diff-informed analysis
- * is enabled (feature flag + PR context). This writes the standard pr-diff-range.json
- * file for later reuse in the analyze step. Failures are logged but non-fatal.
- */
-async function computeAndPersistDiffRanges(
-  codeql: CodeQL,
-  features: Features,
-  logger: Logger,
-): Promise<void> {
-  try {
-    await withGroupAsync("Compute PR diff ranges", async () => {
-      const branches = await getDiffInformedAnalysisBranches(
-        codeql,
-        features,
-        logger,
-      );
-      if (!branches) {
-        return;
-      }
-      const ranges = await getPullRequestEditedDiffRanges(branches, logger);
-      if (ranges === undefined) {
-        return;
-      }
-      writeDiffRangesJsonFile(logger, ranges);
-      const distinctFiles = new Set(ranges.map((r) => r.path)).size;
-      logger.info(
-        `Persisted ${ranges.length} diff range(s) across ${distinctFiles} file(s).`,
-      );
-    });
-  } catch (e) {
-    logger.warning(
-      `Failed to compute and persist PR diff ranges: ${getErrorMessage(e)}`,
-    );
-  }
-}
-
 function getTrapCachingEnabled(): boolean {
   // If the workflow specified something always respect that
   const trapCaching = getOptionalInput("trap-caching");

src/logging.ts

@@ -13,7 +13,15 @@ export interface Logger {
 }
 
 export function getActionsLogger(): Logger {
-  return core;
+  return {
+    debug: core.debug,
+    info: core.info,
+    warning: core.warning,
+    error: core.error,
+    isDebug: core.isDebug,
+    startGroup: core.startGroup,
+    endGroup: core.endGroup,
+  };
 }
 
 export function getRunnerLogger(debugMode: boolean): Logger {

src/tar.ts

@@ -9,7 +9,7 @@ import * as semver from "semver";
 
 import { CommandInvocationError } from "./actions-util";
 import { Logger } from "./logging";
-import { assertNever, cleanUpGlob, isBinaryAccessible } from "./util";
+import { assertNever, cleanUpPath, isBinaryAccessible } from "./util";
 
 const MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 const MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
@@ -217,7 +217,7 @@ export async function extractTarZst(
       });
     });
   } catch (e) {
-    await cleanUpGlob(dest, "extraction destination directory", logger);
+    await cleanUpPath(dest, "extraction destination directory", logger);
     throw e;
   }
 }

src/tools-download.ts

@@ -12,7 +12,7 @@ import * as semver from "semver";
 
 import { formatDuration, Logger } from "./logging";
 import * as tar from "./tar";
-import { cleanUpGlob, getErrorMessage, getRequiredEnvParam } from "./util";
+import { cleanUpPath, getErrorMessage, getRequiredEnvParam } from "./util";
 
 /**
  * High watermark to use when streaming the download and extraction of the CodeQL tools.
@@ -130,7 +130,7 @@ export async function downloadAndExtract(
 
     // If we failed during processing, we want to clean up the destination directory
     // before we try again.
-    await cleanUpGlob(dest, "CodeQL bundle", logger);
+    await cleanUpPath(dest, "CodeQL bundle", logger);
   }
 
   const toolsDownloadStart = performance.now();
@@ -167,7 +167,7 @@ export async function downloadAndExtract(
       )}).`,
     );
   } finally {
-    await cleanUpGlob(archivedBundlePath, "CodeQL bundle archive", logger);
+    await cleanUpPath(archivedBundlePath, "CodeQL bundle archive", logger);
   }
 
   return {

src/upload-lib.ts

@@ -1140,9 +1140,10 @@ function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
     return sarif;
   }
 
+  const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
+
   for (const run of sarif.runs) {
     if (run.results) {
-      const preAlertCount = run.results.length;
       run.results = run.results.filter((result) => {
         const locations = [
           ...(result.locations || []).map((loc) => loc.physicalLocation),
@@ -1155,6 +1156,11 @@ function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
           if (!locationUri || locationStartLine === undefined) {
             return false;
           }
+          // CodeQL always uses forward slashes as the path separator, so on Windows we
+          // need to replace any backslashes with forward slashes.
+          const locationPath = path
+            .join(checkoutPath, locationUri)
+            .replaceAll(path.sep, "/");
           // Alert filtering here replicates the same behavior as the restrictAlertsTo
           // extensible predicate in CodeQL. See the restrictAlertsTo documentation
           // https://codeql.github.com/codeql-standard-libraries/csharp/codeql/util/AlertFiltering.qll/predicate.AlertFiltering$restrictAlertsTo.3.html
@@ -1162,16 +1168,13 @@ function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
           // of an alert location.
           return diffRanges.some(
             (range) =>
-              range.path === locationUri &&
+              range.path === locationPath &&
               ((range.startLine <= locationStartLine &&
                 range.endLine >= locationStartLine) ||
                 (range.startLine === 0 && range.endLine === 0)),
           );
         });
       });
-
-      const postAlertCount = run.results.length;
-      logger.info(`Filtered ${preAlertCount - postAlertCount} alerts based on diff range.`);
     }
   }
 

src/util.test.ts

@@ -101,16 +101,6 @@ test("getMemoryFlag() throws if the ram input is < 0 or NaN", async (t) => {
   }
 });
 
-test("getAddSnippetsFlag() should return the correct flag", (t) => {
-  t.deepEqual(util.getAddSnippetsFlag(true), "--sarif-add-snippets");
-  t.deepEqual(util.getAddSnippetsFlag("true"), "--sarif-add-snippets");
-
-  t.deepEqual(util.getAddSnippetsFlag(false), "--no-sarif-add-snippets");
-  t.deepEqual(util.getAddSnippetsFlag(undefined), "--no-sarif-add-snippets");
-  t.deepEqual(util.getAddSnippetsFlag("false"), "--no-sarif-add-snippets");
-  t.deepEqual(util.getAddSnippetsFlag("foo bar"), "--no-sarif-add-snippets");
-});
-
 test("getThreadsFlag() should return the correct --threads flag", (t) => {
   const numCpus = os.cpus().length;
 
@@ -534,3 +524,12 @@ test("getCgroupCpuCountFromCpus returns undefined if the CPU file exists but is
     );
   });
 });
+
+test("checkDiskUsage succeeds and produces positive numbers", async (t) => {
+  process.env["GITHUB_WORKSPACE"] = os.tmpdir();
+  const diskUsage = await util.checkDiskUsage(getRunnerLogger(true));
+  if (t.truthy(diskUsage)) {
+    t.true(diskUsage.numAvailableBytes > 0);
+    t.true(diskUsage.numTotalBytes > 0);
+  }
+});

src/util.ts

@@ -1,12 +1,11 @@
 import * as fs from "fs";
+import * as fsPromises from "fs/promises";
 import * as os from "os";
 import * as path from "path";
 
 import * as core from "@actions/core";
 import * as exec from "@actions/exec/lib/exec";
 import * as io from "@actions/io";
-import checkDiskSpace from "check-disk-space";
-import * as del from "del";
 import getFolderSize from "get-folder-size";
 import * as yaml from "js-yaml";
 import * as semver from "semver";
@@ -167,7 +166,7 @@ export async function withTmpDir<T>(
 ): Promise<T> {
   const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "codeql-action-"));
   const result = await body(tmpDir);
-  await del.deleteAsync(tmpDir, { force: true });
+  await fs.promises.rm(tmpDir, { force: true, recursive: true });
   return result;
 }
 
@@ -343,21 +342,6 @@ export function getMemoryFlag(
   return `--ram=${megabytes}`;
 }
 
-/**
- * Get the codeql flag to specify whether to add code snippets to the sarif file.
- *
- * @returns string
- */
-export function getAddSnippetsFlag(
-  userInput: string | boolean | undefined,
-): string {
-  if (typeof userInput === "string") {
-    // have to process specifically because any non-empty string is truthy
-    userInput = userInput.toLowerCase() === "true";
-  }
-  return userInput ? "--sarif-add-snippets" : "--no-sarif-add-snippets";
-}
-
 /**
  * Get the value of the codeql `--threads` flag specified for the `threads`
  * input. If no value was specified, all available threads will be used.
@@ -756,7 +740,7 @@ export async function bundleDb(
   // from somewhere else or someone trying to make the action upload a
   // non-database file.
   if (fs.existsSync(databaseBundlePath)) {
-    await del.deleteAsync(databaseBundlePath, { force: true });
+    await fs.promises.rm(databaseBundlePath, { force: true });
   }
   await codeql.databaseBundle(databasePath, databaseBundlePath, dbName);
   return databaseBundlePath;
@@ -1099,24 +1083,17 @@ export async function checkDiskUsage(
   logger: Logger,
 ): Promise<DiskUsage | undefined> {
   try {
-    // We avoid running the `df` binary under the hood for macOS ARM runners with SIP disabled.
-    if (
-      process.platform === "darwin" &&
-      (process.arch === "arm" || process.arch === "arm64") &&
-      !(await checkSipEnablement(logger))
-    ) {
-      return undefined;
-    }
-
-    const diskUsage = await checkDiskSpace(
+    const diskUsage = await fsPromises.statfs(
       getRequiredEnvParam("GITHUB_WORKSPACE"),
     );
-    const mbInBytes = 1024 * 1024;
-    const gbInBytes = 1024 * 1024 * 1024;
-    if (diskUsage.free < 2 * gbInBytes) {
+
+    const blockSizeInBytes = diskUsage.bsize;
+    const numBlocksPerMb = (1024 * 1024) / blockSizeInBytes;
+    const numBlocksPerGb = (1024 * 1024 * 1024) / blockSizeInBytes;
+    if (diskUsage.bavail < 2 * numBlocksPerGb) {
       const message =
         "The Actions runner is running low on disk space " +
-        `(${(diskUsage.free / mbInBytes).toPrecision(4)} MB available).`;
+        `(${(diskUsage.bavail / numBlocksPerMb).toPrecision(4)} MB available).`;
       if (process.env[EnvVar.HAS_WARNED_ABOUT_DISK_SPACE] !== "true") {
         logger.warning(message);
       } else {
@@ -1125,8 +1102,8 @@ export async function checkDiskUsage(
       core.exportVariable(EnvVar.HAS_WARNED_ABOUT_DISK_SPACE, "true");
     }
     return {
-      numAvailableBytes: diskUsage.free,
-      numTotalBytes: diskUsage.size,
+      numAvailableBytes: diskUsage.bavail * blockSizeInBytes,
+      numTotalBytes: diskUsage.blocks * blockSizeInBytes,
     };
   } catch (error) {
     logger.warning(
@@ -1263,19 +1240,13 @@ export async function checkSipEnablement(
   }
 }
 
-export async function cleanUpGlob(glob: string, name: string, logger: Logger) {
+export async function cleanUpPath(file: string, name: string, logger: Logger) {
   logger.debug(`Cleaning up ${name}.`);
   try {
-    const deletedPaths = await del.deleteAsync(glob, { force: true });
-    if (deletedPaths.length === 0) {
-      logger.warning(
-        `Failed to clean up ${name}: no files found matching ${glob}.`,
-      );
-    } else if (deletedPaths.length === 1) {
-      logger.debug(`Cleaned up ${name}.`);
-    } else {
-      logger.debug(`Cleaned up ${name} (${deletedPaths.length} files).`);
-    }
+    await fs.promises.rm(file, {
+      force: true,
+      recursive: true,
+    });
   } catch (e) {
     logger.warning(`Failed to clean up ${name}: ${e}.`);
   }

src/workflow.test.ts

@@ -2,9 +2,17 @@ import test, { ExecutionContext } from "ava";
 import * as yaml from "js-yaml";
 import * as sinon from "sinon";
 
-import { getCodeQLForTesting } from "./codeql";
-import { setupTests } from "./testing-utils";
+import * as actionsUtil from "./actions-util";
+import { createStubCodeQL, getCodeQLForTesting } from "./codeql";
+import { EnvVar } from "./environment";
 import {
+  checkExpectedLogMessages,
+  getRecordingLogger,
+  LoggedMessage,
+  setupTests,
+} from "./testing-utils";
+import {
+  checkWorkflow,
   CodedError,
   formatWorkflowCause,
   formatWorkflowErrors,
@@ -13,6 +21,7 @@ import {
   Workflow,
   WorkflowErrors,
 } from "./workflow";
+import * as workflow from "./workflow";
 
 function errorCodes(
   actual: CodedError[],
@@ -870,3 +879,78 @@ test("getCategoryInputOrThrow throws error for workflow with multiple calls to a
     },
   );
 });
+
+test("checkWorkflow - validates workflow if `SKIP_WORKFLOW_VALIDATION` is not set", async (t) => {
+  const messages: LoggedMessage[] = [];
+  const codeql = createStubCodeQL({});
+
+  sinon.stub(actionsUtil, "isDynamicWorkflow").returns(false);
+  const validateWorkflow = sinon.stub(workflow.internal, "validateWorkflow");
+  validateWorkflow.resolves(undefined);
+
+  await checkWorkflow(getRecordingLogger(messages), codeql);
+
+  t.assert(
+    validateWorkflow.calledOnce,
+    "`checkWorkflow` unexpectedly did not call `validateWorkflow`",
+  );
+  checkExpectedLogMessages(t, messages, [
+    "Detected no issues with the code scanning workflow.",
+  ]);
+});
+
+test("checkWorkflow - logs problems with workflow validation", async (t) => {
+  const messages: LoggedMessage[] = [];
+  const codeql = createStubCodeQL({});
+
+  sinon.stub(actionsUtil, "isDynamicWorkflow").returns(false);
+  const validateWorkflow = sinon.stub(workflow.internal, "validateWorkflow");
+  validateWorkflow.resolves("problem");
+
+  await checkWorkflow(getRecordingLogger(messages), codeql);
+
+  t.assert(
+    validateWorkflow.calledOnce,
+    "`checkWorkflow` unexpectedly did not call `validateWorkflow`",
+  );
+  checkExpectedLogMessages(t, messages, [
+    "Unable to validate code scanning workflow: problem",
+  ]);
+});
+
+test("checkWorkflow - skips validation if `SKIP_WORKFLOW_VALIDATION` is `true`", async (t) => {
+  process.env[EnvVar.SKIP_WORKFLOW_VALIDATION] = "true";
+
+  const messages: LoggedMessage[] = [];
+  const codeql = createStubCodeQL({});
+
+  sinon.stub(actionsUtil, "isDynamicWorkflow").returns(false);
+  const validateWorkflow = sinon.stub(workflow.internal, "validateWorkflow");
+
+  await checkWorkflow(getRecordingLogger(messages), codeql);
+
+  t.assert(
+    validateWorkflow.notCalled,
+    "`checkWorkflow` called `validateWorkflow` unexpectedly",
+  );
+  t.is(messages.length, 0);
+});
+
+test("checkWorkflow - skips validation for `dynamic` workflows", async (t) => {
+  const messages: LoggedMessage[] = [];
+  const codeql = createStubCodeQL({});
+
+  const isDynamicWorkflow = sinon
+    .stub(actionsUtil, "isDynamicWorkflow")
+    .returns(true);
+  const validateWorkflow = sinon.stub(workflow.internal, "validateWorkflow");
+
+  await checkWorkflow(getRecordingLogger(messages), codeql);
+
+  t.assert(isDynamicWorkflow.calledOnce);
+  t.assert(
+    validateWorkflow.notCalled,
+    "`checkWorkflow` called `validateWorkflow` unexpectedly",
+  );
+  t.is(messages.length, 0);
+});

src/workflow.ts

@@ -5,8 +5,10 @@ import zlib from "zlib";
 import * as core from "@actions/core";
 import * as yaml from "js-yaml";
 
+import { isDynamicWorkflow } from "./actions-util";
 import * as api from "./api-client";
 import { CodeQL } from "./codeql";
+import { EnvVar } from "./environment";
 import { Logger } from "./logging";
 import {
   getRequiredEnvParam,
@@ -216,7 +218,7 @@ function hasWorkflowTrigger(triggerName: string, doc: Workflow): boolean {
   return Object.prototype.hasOwnProperty.call(doc.on, triggerName);
 }
 
-export async function validateWorkflow(
+async function validateWorkflow(
   codeql: CodeQL,
   logger: Logger,
 ): Promise<undefined | string> {
@@ -462,3 +464,36 @@ export function getCheckoutPathInputOrThrow(
     ) || getRequiredEnvParam("GITHUB_WORKSPACE") // if unspecified, checkout_path defaults to ${{ github.workspace }}
   );
 }
+
+/**
+ * A wrapper around `validateWorkflow` which reports the outcome.
+ *
+ * @param logger The logger to use.
+ * @param codeql The CodeQL instance.
+ */
+export async function checkWorkflow(logger: Logger, codeql: CodeQL) {
+  // Check the workflow for problems, unless `SKIP_WORKFLOW_VALIDATION` is `true`
+  // or the workflow trigger is `dynamic`.
+  if (
+    !isDynamicWorkflow() &&
+    process.env[EnvVar.SKIP_WORKFLOW_VALIDATION] !== "true"
+  ) {
+    core.startGroup("Validating workflow");
+    const validateWorkflowResult = await internal.validateWorkflow(
+      codeql,
+      logger,
+    );
+    if (validateWorkflowResult === undefined) {
+      logger.info("Detected no issues with the code scanning workflow.");
+    } else {
+      logger.debug(
+        `Unable to validate code scanning workflow: ${validateWorkflowResult}`,
+      );
+    }
+    core.endGroup();
+  }
+}
+
+export const internal = {
+  validateWorkflow,
+};