Add NODE_ENV as safe environment variable

Mergeback v4.36.0 refs/heads/releases/v4 into main

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## [UNRELEASED]
+
+No user facing changes.
+
 ## 4.36.0 - 22 May 2026
 
 - _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)

eslint.config.mjs

@@ -140,6 +140,18 @@ export default [
       "no-async-foreach/no-async-foreach": "error",
       "no-sequences": "error",
       "no-shadow": "off",
+
+      // A basic check that we don't use `exportVariable` from `@actions/core`. This rule depends on
+      // the module being imported as `core`, but that is a good enough check for us.
+      "no-restricted-syntax": [
+        "error",
+        {
+          selector:
+            "MemberExpression[object.name='core'][property.name='exportVariable']",
+          message: "Use `exportVariable` from `environment.ts` instead.",
+        },
+      ],
+
       // This is overly restrictive with unsetting `EnvVar`s
       "@typescript-eslint/no-dynamic-delete": "off",
       "@typescript-eslint/no-shadow": "error",
@@ -157,6 +169,15 @@ export default [
       ],
     },
   },
+  {
+    files: ["src/environment.ts"],
+
+    // We allow `exportVariable` from `@actions/core` to be used in this file
+    // since it defines the wrapper around it that other modules use.
+    rules: {
+      "no-restricted-syntax": "off",
+    },
+  },
   {
     files: ["**/*.ts", "**/*.js"],
 

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "4.36.0",
+  "version": "4.36.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "4.36.0",
+      "version": "4.36.1",
       "license": "MIT",
       "workspaces": [
         "pr-checks"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "4.36.0",
+  "version": "4.36.1",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

queries/default-setup-environment-variables.ql

@@ -23,7 +23,8 @@ predicate isSafeForDefaultSetup(string envVar) {
       "GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",
       "GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",
       "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH",
-      "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE"
+      "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE",
+      "NODE_ENV"
     ]
 }
 

src/analyze-action.ts

@@ -28,7 +28,7 @@ import {
   DependencyCacheUploadStatusReport,
   uploadDependencyCaches,
 } from "./dependency-caching";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { BuiltInLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
@@ -284,7 +284,7 @@ async function run(startedAt: Date) {
 
     const apiDetails = getApiDetails();
     const outputDir = actionsUtil.getRequiredInput("output");
-    core.exportVariable(EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
+    exportVariable(EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
     const threads = util.getThreadsFlag(
       actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"],
       logger,
@@ -444,7 +444,7 @@ async function run(startedAt: Date) {
         `expect-error input was set to true but no error was thrown.`,
       );
     }
-    core.exportVariable(EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
+    exportVariable(EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
   } catch (unwrappedError) {
     const error = util.wrapError(unwrappedError);
     if (

src/api-client.ts

@@ -3,7 +3,7 @@ import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
 
 import { getActionVersion, getRequiredInput } from "./actions-util";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
@@ -216,7 +216,7 @@ export async function getAnalysisKey(): Promise<string> {
   const jobName = getRequiredEnvParam("GITHUB_JOB");
 
   analysisKey = `${workflowPath}:${jobName}`;
-  core.exportVariable(EnvVar.ANALYSIS_KEY, analysisKey);
+  exportVariable(EnvVar.ANALYSIS_KEY, analysisKey);
   return analysisKey;
 }
 

src/autobuild-action.ts

@@ -9,7 +9,7 @@ import { getGitHubVersion } from "./api-client";
 import { determineAutobuildLanguages, runAutobuild } from "./autobuild";
 import { getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { Language } from "./languages";
 import { Logger, getActionsLogger } from "./logging";
 import {
@@ -137,7 +137,7 @@ async function run(startedAt: Date) {
     return;
   }
 
-  core.exportVariable(EnvVar.AUTOBUILD_DID_COMPLETE_SUCCESSFULLY, "true");
+  exportVariable(EnvVar.AUTOBUILD_DID_COMPLETE_SUCCESSFULLY, "true");
 
   await sendCompletedStatusReport(config, logger, startedAt, languages ?? []);
 }

src/autobuild.ts

@@ -1,11 +1,9 @@
-import * as core from "@actions/core";
-
 import { getTemporaryDirectory, getWorkflowEventName } from "./actions-util";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
 import { DocUrl } from "./doc-url";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { Feature, featureConfig, initFeatures } from "./feature-flags";
 import { BuiltInLanguage, Language } from "./languages";
 import { Logger } from "./logging";
@@ -136,16 +134,16 @@ export async function setupCppAutobuild(codeql: CodeQL, logger: Logger) {
             : ""
         }`,
       );
-      core.exportVariable(envVar, "false");
+      exportVariable(envVar, "false");
     } else {
       logger.info(
         `Enabling ${featureName}. This can be disabled by setting the ${envVar} environment variable to 'false'. See ${DocUrl.DEFINE_ENV_VARIABLES} for more information.`,
       );
-      core.exportVariable(envVar, "true");
+      exportVariable(envVar, "true");
     }
   } else {
     logger.info(`Disabling ${featureName}.`);
-    core.exportVariable(envVar, "false");
+    exportVariable(envVar, "false");
   }
 }
 
@@ -165,7 +163,7 @@ export async function runAutobuild(
     await codeQL.runAutobuild(config, language);
   }
   if (language === BuiltInLanguage.go) {
-    core.exportVariable(EnvVar.DID_AUTOBUILD_GOLANG, "true");
+    exportVariable(EnvVar.DID_AUTOBUILD_GOLANG, "true");
   }
   logger.endGroup();
 }

src/codeql.ts

@@ -15,7 +15,7 @@ import * as api from "./api-client";
 import { CliError, wrapCliConfigurationError } from "./cli-errors";
 import { appendExtraQueryExclusions, type Config } from "./config-utils";
 import { DocUrl } from "./doc-url";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import {
   CodeQLDefaultVersionInfo,
   Feature,
@@ -1096,7 +1096,7 @@ async function getCodeQLForCmd(
         }' by 'github/codeql-action/*@v${getActionVersion()}' in your code scanning workflow to ` +
         "continue using this version of the CodeQL Action.",
     );
-    core.exportVariable(EnvVar.SUPPRESS_DEPRECATED_SOON_WARNING, "true");
+    exportVariable(EnvVar.SUPPRESS_DEPRECATED_SOON_WARNING, "true");
   }
   return codeql;
 }

src/config-utils.ts

@@ -2,7 +2,6 @@ import * as fs from "fs";
 import * as path from "path";
 import { performance } from "perf_hooks";
 
-import * as core from "@actions/core";
 import * as yaml from "js-yaml";
 
 import {
@@ -32,7 +31,7 @@ import {
   makeTelemetryDiagnostic,
 } from "./diagnostics";
 import { prepareDiffInformedAnalysis } from "./diff-informed-analysis-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import * as errorMessages from "./error-messages";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import {
@@ -1045,10 +1044,10 @@ async function setCppTrapCachingEnvironmentVariables(
       );
     } else if (config.trapCaches[BuiltInLanguage.cpp]) {
       logger.info("Enabling TRAP caching for C/C++.");
-      core.exportVariable(envVar, "true");
+      exportVariable(envVar, "true");
     } else {
       logger.debug(`Disabling TRAP caching for C/C++.`);
-      core.exportVariable(envVar, "false");
+      exportVariable(envVar, "false");
     }
   }
 }

src/debug-artifacts.ts

@@ -11,7 +11,7 @@ import { dbIsFinalized } from "./analyze";
 import { scanArtifactsForTokens } from "./artifact-scanner";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import * as json from "./json";
 import { Language } from "./languages";
 import { Logger, withGroup } from "./logging";
@@ -330,7 +330,7 @@ export async function uploadArtifacts(
   // some issues early.
   if (isInTestMode()) {
     await scanArtifactsForTokens(toUpload, logger);
-    core.exportVariable("CODEQL_ACTION_ARTIFACT_SCAN_FINISHED", "true");
+    exportVariable("CODEQL_ACTION_ARTIFACT_SCAN_FINISHED", "true");
   }
 
   const suffix = getArtifactSuffix(getOptionalInput("matrix"));

src/environment.ts

@@ -1,3 +1,5 @@
+import * as core from "@actions/core";
+
 /**
  * Environment variables used by the CodeQL Action.
  *
@@ -154,3 +156,29 @@ export enum EnvVar {
   /** Used by Code Scanning Risk Assessment to communicate the assessment ID to the CodeQL Action. */
   RISK_ASSESSMENT_ID = "CODEQL_ACTION_RISK_ASSESSMENT_ID",
 }
+
+/**
+ * Returns whether we are in test mode. This is used by CodeQL Action PR checks.
+ *
+ * In test mode, we skip several uploads (SARIF results, status reports, DBs, ...).
+ */
+export function isInTestMode(): boolean {
+  return process.env[EnvVar.TEST_MODE] === "true";
+}
+
+/**
+ * Wrapper around `core.exportVariable` which does not call `core.exportVariable`
+ * when running unit tests. This is important, because otherwise `core.exportVariable`
+ * sets environment variables for other steps in a workflow when we run unit tests in CI.
+ */
+export function exportVariable(name: string, val: any): void {
+  if (process.env["NODE_ENV"] === "test") {
+    // Setting the environment variable for the current process is OK since we reset
+    // those at the end of each test. This allows tests to pass that rely on that
+    // part of the `core.exportVariable` behaviour.
+    process.env[name] = val;
+  } else {
+    // Call `core.exportVariable` whenever we are not in a test environment.
+    core.exportVariable(name, val);
+  }
+}

src/init-action-post.ts

@@ -20,7 +20,7 @@ import {
   DependencyCachingUsageReport,
   getDependencyCacheUsage,
 } from "./dependency-caching";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { initFeatures } from "./feature-flags";
 import * as gitUtils from "./git-utils";
 import * as initActionPostHelper from "./init-action-post-helper";
@@ -157,7 +157,7 @@ function getFinalJobStatus(config: Config | undefined): JobStatus {
   let jobStatus: JobStatus;
 
   if (process.env[EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY] === "true") {
-    core.exportVariable(EnvVar.JOB_STATUS, JobStatus.SuccessStatus);
+    exportVariable(EnvVar.JOB_STATUS, JobStatus.SuccessStatus);
     jobStatus = JobStatus.SuccessStatus;
   } else if (config !== undefined) {
     // - We have computed a CodeQL config
@@ -182,7 +182,7 @@ function getFinalJobStatus(config: Config | undefined): JobStatus {
 
   // This shouldn't be necessary, but in the odd case that we run more than one
   // `init` post step, ensure the job status is consistent between them.
-  core.exportVariable(EnvVar.JOB_STATUS, jobStatus);
+  exportVariable(EnvVar.JOB_STATUS, jobStatus);
   return jobStatus;
 }
 

src/init-action.ts

@@ -37,7 +37,7 @@ import {
   makeDiagnostic,
   makeTelemetryDiagnostic,
 } from "./diagnostics";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
 import {
   loadPropertiesFromApi,
@@ -255,9 +255,9 @@ async function run(startedAt: Date) {
     // Create a unique identifier for this run.
     const jobRunUuid = uuidV4();
     logger.info(`Job run UUID is ${jobRunUuid}.`);
-    core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+    exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
 
-    core.exportVariable(EnvVar.INIT_ACTION_HAS_RUN, "true");
+    exportVariable(EnvVar.INIT_ACTION_HAS_RUN, "true");
 
     configFile = getOptionalInput("config-file");
 
@@ -343,7 +343,7 @@ async function run(startedAt: Date) {
         );
       }
       if (semver.lt(actualVer, publicPreview)) {
-        core.exportVariable(EnvVar.EXPERIMENTAL_FEATURES, "true");
+        exportVariable(EnvVar.EXPERIMENTAL_FEATURES, "true");
         logger.info("Experimental Rust analysis enabled");
       }
     }
@@ -508,7 +508,7 @@ async function run(startedAt: Date) {
     // Forward Go flags
     const goFlags = process.env["GOFLAGS"];
     if (goFlags) {
-      core.exportVariable("GOFLAGS", goFlags);
+      exportVariable("GOFLAGS", goFlags);
       core.warning(
         "Passing the GOFLAGS env parameter to the init action is deprecated. Please move this to the analyze action.",
       );
@@ -554,7 +554,7 @@ async function run(startedAt: Date) {
 
             // Store the original location of our wrapper script somewhere where we can
             // later retrieve it from and cross-check that it hasn't been changed.
-            core.exportVariable(EnvVar.GO_BINARY_LOCATION, goWrapperPath);
+            exportVariable(EnvVar.GO_BINARY_LOCATION, goWrapperPath);
           } catch (e) {
             logger.warning(
               `Analyzing Go on Linux, but failed to install wrapper script. Tracing custom builds may fail: ${e}`,
@@ -563,7 +563,7 @@ async function run(startedAt: Date) {
         } else {
           // Store the location of the original Go binary, so we can check that no setup tasks were performed after the
           // `init` Action ran.
-          core.exportVariable(EnvVar.GO_BINARY_LOCATION, goBinaryPath);
+          exportVariable(EnvVar.GO_BINARY_LOCATION, goBinaryPath);
         }
       } catch (e) {
         logger.warning(
@@ -598,12 +598,12 @@ async function run(startedAt: Date) {
     // threads it would ask extractors to use. See help text for the "--ram" and "--threads"
     // options at https://codeql.github.com/docs/codeql-cli/manual/database-trace-command/
     // for details.
-    core.exportVariable(
+    exportVariable(
       "CODEQL_RAM",
       process.env["CODEQL_RAM"] ||
         getCodeQLMemoryLimit(getOptionalInput("ram"), logger).toString(),
     );
-    core.exportVariable(
+    exportVariable(
       "CODEQL_THREADS",
       process.env["CODEQL_THREADS"] ||
         getThreadsFlagValue(getOptionalInput("threads"), logger).toString(),
@@ -611,7 +611,7 @@ async function run(startedAt: Date) {
 
     // Disable Kotlin extractor if feature flag set
     if (await features.getValue(Feature.DisableKotlinAnalysisEnabled)) {
-      core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
+      exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
     }
 
     const kotlinLimitVar =
@@ -620,7 +620,7 @@ async function run(startedAt: Date) {
       (await codeQlVersionAtLeast(codeql, "2.20.3")) &&
       !(await codeQlVersionAtLeast(codeql, "2.20.4"))
     ) {
-      core.exportVariable(kotlinLimitVar, "2.1.20");
+      exportVariable(kotlinLimitVar, "2.1.20");
     }
 
     // Restore dependency cache(s), if they exist.
@@ -669,10 +669,7 @@ async function run(startedAt: Date) {
       config.buildMode === BuildMode.None &&
       config.languages.includes(BuiltInLanguage.java)
     ) {
-      core.exportVariable(
-        EnvVar.JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS,
-        "true",
-      );
+      exportVariable(EnvVar.JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS, "true");
     }
 
     const { registriesAuthTokens, qlconfigFile } =
@@ -729,7 +726,7 @@ async function run(startedAt: Date) {
     const tracerConfig = await getCombinedTracerConfig(codeql, config);
     if (tracerConfig !== undefined) {
       for (const [key, value] of Object.entries(tracerConfig.env)) {
-        core.exportVariable(key, value);
+        exportVariable(key, value);
       }
     }
 
@@ -740,7 +737,7 @@ async function run(startedAt: Date) {
         getOptionalEnvVar(JavaEnvVars.JAVA_TOOL_OPTIONS) || "";
 
       // Add the network debugging options.
-      core.exportVariable(
+      exportVariable(
         JavaEnvVars.JAVA_TOOL_OPTIONS,
         `${existingJavaToolOptions} -Djavax.net.debug=all`,
       );

src/init.test.ts

@@ -1,13 +1,13 @@
 import * as fs from "fs";
 import path from "path";
 
-import * as core from "@actions/core";
 import * as github from "@actions/github";
 import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";
 
 import * as actionsUtil from "./actions-util";
 import { createStubCodeQL } from "./codeql";
+import * as environment from "./environment";
 import { Feature } from "./feature-flags";
 import {
   checkPacksForOverlayCompatibility,
@@ -545,7 +545,7 @@ test.serial(
 test.serial(
   "file coverage deprecation warning for org-owned repo with default setup recommends repo property",
   (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
     sinon.stub(actionsUtil, "isDefaultSetup").returns(true);
     github.context.payload = {
       repository: {
@@ -572,7 +572,7 @@ test.serial(
 test.serial(
   "file coverage deprecation warning for org-owned repo with advanced setup recommends env var and repo property",
   (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
     sinon.stub(actionsUtil, "isDefaultSetup").returns(false);
     github.context.payload = {
       repository: {
@@ -600,7 +600,7 @@ test.serial(
 test.serial(
   "file coverage deprecation warning for user-owned repo with default setup recommends advanced setup",
   (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
     sinon.stub(actionsUtil, "isDefaultSetup").returns(true);
     github.context.payload = {
       repository: {
@@ -626,7 +626,7 @@ test.serial(
 test.serial(
   "file coverage deprecation warning for user-owned repo with advanced setup recommends env var",
   (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
     sinon.stub(actionsUtil, "isDefaultSetup").returns(false);
     github.context.payload = {
       repository: {
@@ -651,7 +651,7 @@ test.serial(
 test.serial(
   "file coverage deprecation warning for unknown owner type with default setup recommends advanced setup",
   (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
     sinon.stub(actionsUtil, "isDefaultSetup").returns(true);
     github.context.payload = { repository: undefined };
     const messages: LoggedMessage[] = [];
@@ -672,7 +672,7 @@ test.serial(
 test.serial(
   "file coverage deprecation warning for unknown owner type with advanced setup recommends env var",
   (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
     sinon.stub(actionsUtil, "isDefaultSetup").returns(false);
     github.context.payload = { repository: undefined };
     const messages: LoggedMessage[] = [];
@@ -694,7 +694,7 @@ test.serial(
   (t) => {
     process.env["CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION"] =
       "true";
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
     const messages: LoggedMessage[] = [];
     logFileCoverageOnPrsDeprecationWarning(getRecordingLogger(messages));
     t.is(messages.length, 0);

src/init.ts

@@ -1,7 +1,6 @@
 import * as fs from "fs";
 import * as path from "path";
 
-import * as core from "@actions/core";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as github from "@actions/github";
 import * as io from "@actions/io";
@@ -16,7 +15,7 @@ import {
 import { GitHubApiDetails } from "./api-client";
 import { CodeQL, setupCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import {
   CodeQLDefaultVersionInfo,
   Feature,
@@ -418,5 +417,5 @@ export function logFileCoverageOnPrsDeprecationWarning(logger: Logger): void {
   }
 
   logger.warning(message);
-  core.exportVariable(EnvVar.DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION, "true");
+  exportVariable(EnvVar.DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION, "true");
 }

src/overlay/caching.test.ts

@@ -8,6 +8,7 @@ import * as sinon from "sinon";
 import * as actionsUtil from "../actions-util";
 import * as apiClient from "../api-client";
 import type { ResolveDatabaseOutput } from "../codeql";
+import * as environment from "../environment";
 import * as gitUtils from "../git-utils";
 import { BuiltInLanguage } from "../languages";
 import { getRunnerLogger } from "../logging";
@@ -82,7 +83,7 @@ const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
 
       sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
 
-      sinon.stub(utils, "isInTestMode").returns(testCase.isInTestMode);
+      sinon.stub(environment, "isInTestMode").returns(testCase.isInTestMode);
 
       if (testCase.restoreCacheResult instanceof Error) {
         sinon

src/setup-codeql-action.ts

@@ -11,7 +11,7 @@ import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
 import { getRawLanguagesNoAutodetect } from "./config-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { initCodeQL } from "./init";
 import { getActionsLogger, Logger } from "./logging";
@@ -125,7 +125,7 @@ async function run(startedAt: Date): Promise<void> {
 
     const jobRunUuid = uuidV4();
     logger.info(`Job run UUID is ${jobRunUuid}.`);
-    core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+    exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
 
     const statusReportBase = await createStatusReportBase(
       ActionName.SetupCodeQL,
@@ -165,7 +165,7 @@ async function run(startedAt: Date): Promise<void> {
     core.setOutput("codeql-path", codeql.getPath());
     core.setOutput("codeql-version", (await codeql.getVersion()).version);
 
-    core.exportVariable(EnvVar.SETUP_CODEQL_ACTION_HAS_RUN, "true");
+    exportVariable(EnvVar.SETUP_CODEQL_ACTION_HAS_RUN, "true");
   } catch (unwrappedError) {
     const error = wrapError(unwrappedError);
     core.setFailed(error.message);

src/status-report.ts

@@ -15,7 +15,7 @@ import { getAnalysisKey, getApiClient } from "./api-client";
 import { parseRegistriesWithoutCredentials, type Config } from "./config-utils";
 import { DependencyCacheRestoreStatusReport } from "./dependency-caching";
 import { DocUrl } from "./doc-url";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { getRef } from "./git-utils";
 import { Logger } from "./logging";
 import { OverlayBaseDatabaseDownloadStats } from "./overlay/caching";
@@ -216,12 +216,12 @@ export function getJobStatusDisplayName(status: JobStatus): string {
  */
 function setJobStatusIfUnsuccessful(actionStatus: ActionStatus) {
   if (actionStatus === "user-error") {
-    core.exportVariable(
+    exportVariable(
       EnvVar.JOB_STATUS,
       process.env[EnvVar.JOB_STATUS] ?? JobStatus.ConfigErrorStatus,
     );
   } else if (actionStatus === "failure" || actionStatus === "aborted") {
-    core.exportVariable(
+    exportVariable(
       EnvVar.JOB_STATUS,
       process.env[EnvVar.JOB_STATUS] ?? JobStatus.FailureStatus,
     );
@@ -280,7 +280,7 @@ export async function createStatusReportBase(
     let workflowStartedAt = process.env[EnvVar.WORKFLOW_STARTED_AT];
     if (workflowStartedAt === undefined) {
       workflowStartedAt = actionStartedAt.toISOString();
-      core.exportVariable(EnvVar.WORKFLOW_STARTED_AT, workflowStartedAt);
+      exportVariable(EnvVar.WORKFLOW_STARTED_AT, workflowStartedAt);
     }
     const runnerOs = getRequiredEnvParam("RUNNER_OS");
     const codeQlCliVersion = getCachedCodeQlVersion();
@@ -289,7 +289,7 @@ export async function createStatusReportBase(
     // re-export the testing environment variable so that it is available to subsequent steps,
     // even if it was only set for this step
     if (testingEnvironment) {
-      core.exportVariable(EnvVar.TESTING_ENVIRONMENT, testingEnvironment);
+      exportVariable(EnvVar.TESTING_ENVIRONMENT, testingEnvironment);
     }
     const isSteadyStateDefaultSetupRun =
       process.env["CODE_SCANNING_IS_STEADY_STATE_DEFAULT_SETUP"] === "true";

src/upload-lib.ts

@@ -14,7 +14,7 @@ import { getGitHubVersion, wrapApiConfigurationError } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
 import { getConfig } from "./config-utils";
 import { readDiffRangesJsonFile } from "./diff-informed-analysis-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { FeatureEnablement } from "./feature-flags";
 import * as fingerprints from "./fingerprints";
 import * as gitUtils from "./git-utils";
@@ -126,7 +126,7 @@ async function combineSarifFilesUsingCLI(
       logger.warning(
         `Uploading multiple SARIF runs with the same category is deprecated ${deprecationWarningMessage}. Please update your workflow to upload a single run per category. ${deprecationMoreInformationMessage}`,
       );
-      core.exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
+      exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
     }
 
     // If not, use the naive method of combining the files.
@@ -1023,7 +1023,7 @@ export function validateUniqueCategory(
           `Category: (${id ? id : "none"}) Tool: (${tool ? tool : "none"})`,
       );
     }
-    core.exportVariable(sentinelEnvVar, sentinelEnvVar);
+    exportVariable(sentinelEnvVar, sentinelEnvVar);
   }
 }
 

src/util.ts

@@ -13,11 +13,13 @@ import * as apiCompatibility from "./api-compatibility.json";
 import type { CodeQL, VersionInfo } from "./codeql";
 import type { Pack } from "./config/db-config";
 import type { Config } from "./config-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable, isInTestMode } from "./environment";
 import * as json from "./json";
 import { Language } from "./languages";
 import { Logger } from "./logging";
 
+export { isInTestMode } from "./environment";
+
 /**
  * The name of the file containing the base database OIDs, as stored in the
  * root of the database location.
@@ -515,7 +517,7 @@ export function checkGitHubVersionInRange(
     );
   }
   hasBeenWarnedAboutVersion = true;
-  core.exportVariable(CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR, true);
+  exportVariable(CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR, true);
 }
 
 export enum DisallowedAPIVersionReason {
@@ -559,11 +561,11 @@ export function assertNever(value: never): never {
  * knowing what version of CodeQL we're running.
  */
 export function initializeEnvironment(version: string) {
-  core.exportVariable(EnvVar.FEATURE_MULTI_LANGUAGE, "false");
-  core.exportVariable(EnvVar.FEATURE_SANDWICH, "false");
-  core.exportVariable(EnvVar.FEATURE_SARIF_COMBINE, "true");
-  core.exportVariable(EnvVar.FEATURE_WILL_UPLOAD, "true");
-  core.exportVariable(EnvVar.VERSION, version);
+  exportVariable(EnvVar.FEATURE_MULTI_LANGUAGE, "false");
+  exportVariable(EnvVar.FEATURE_SANDWICH, "false");
+  exportVariable(EnvVar.FEATURE_SARIF_COMBINE, "true");
+  exportVariable(EnvVar.FEATURE_WILL_UPLOAD, "true");
+  exportVariable(EnvVar.VERSION, version);
 }
 
 /**
@@ -708,15 +710,6 @@ export function isGoodVersion(versionSpec: string) {
   return !BROKEN_VERSIONS.includes(versionSpec);
 }
 
-/**
- * Returns whether we are in test mode. This is used by CodeQL Action PR checks.
- *
- * In test mode, we skip several uploads (SARIF results, status reports, DBs, ...).
- */
-export function isInTestMode(): boolean {
-  return process.env[EnvVar.TEST_MODE] === "true";
-}
-
 /**
  * Returns whether we specifically want to skip uploading SARIF files.
  */
@@ -935,7 +928,7 @@ export async function checkDiskUsage(
       } else {
         logger.debug(message);
       }
-      core.exportVariable(EnvVar.HAS_WARNED_ABOUT_DISK_SPACE, "true");
+      exportVariable(EnvVar.HAS_WARNED_ABOUT_DISK_SPACE, "true");
     }
     return {
       numAvailableBytes: diskUsage.bavail * blockSizeInBytes,
@@ -984,7 +977,7 @@ export function checkActionVersion(
           "https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/",
       );
       // set LOG_VERSION_DEPRECATION env var to prevent the warning from being logged multiple times
-      core.exportVariable(EnvVar.LOG_VERSION_DEPRECATION, "true");
+      exportVariable(EnvVar.LOG_VERSION_DEPRECATION, "true");
     }
   }
 }