Add NODE_ENV as safe environment variable

Add basic eslint enforcement
Add wrapper around core.exportVariable
2026-05-27 08:55:05 +00:00 · 2026-05-22 15:14:24 +01:00 · 2026-05-22 15:03:52 +01:00 · 2026-05-22 15:03:52 +01:00 · 2026-05-22 13:45:07 +01:00 · 2026-05-22 11:28:10 +00:00
23 changed files with 564 additions and 521 deletions
@@ -2,6 +2,10 @@
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 ## [UNRELEASED]
 No user facing changes.
 ## 4.36.0 - 22 May 2026
 - _Breaking change_: Bump the minimum required CodeQL bundle version to 2.19.4. [#3894](https://github.com/github/codeql-action/pull/3894)
@@ -140,6 +140,18 @@ export default [
      "no-async-foreach/no-async-foreach": "error",
      "no-sequences": "error",
      "no-shadow": "off",
      // A basic check that we don't use `exportVariable` from `@actions/core`. This rule depends on
      // the module being imported as `core`, but that is a good enough check for us.
      "no-restricted-syntax": [
        "error",
        {
          selector:
            "MemberExpression[object.name='core'][property.name='exportVariable']",
          message: "Use `exportVariable` from `environment.ts` instead.",
        },
      ],
      // This is overly restrictive with unsetting `EnvVar`s
      "@typescript-eslint/no-dynamic-delete": "off",
      "@typescript-eslint/no-shadow": "error",
@@ -157,6 +169,15 @@ export default [
      ],
    },
  },
  {
    files: ["src/environment.ts"],
    // We allow `exportVariable` from `@actions/core` to be used in this file
    // since it defines the wrapper around it that other modules use.
    rules: {
      "no-restricted-syntax": "off",
    },
  },
  {
    files: ["**/*.ts", "**/*.js"],
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.36.0",
+  "version": "4.36.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.36.0",
+      "version": "4.36.1",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.36.0",
+  "version": "4.36.1",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -23,7 +23,8 @@ predicate isSafeForDefaultSetup(string envVar) {
      "GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",
      "GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",
      "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH",
-      "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE"
+      "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE",
      "NODE_ENV"
    ]
 }
@@ -28,7 +28,7 @@ import {
  DependencyCacheUploadStatusReport,
  uploadDependencyCaches,
 } from "./dependency-caching";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { BuiltInLanguage } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
@@ -284,7 +284,7 @@ async function run(startedAt: Date) {
    const apiDetails = getApiDetails();
    const outputDir = actionsUtil.getRequiredInput("output");
-    core.exportVariable(EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
+    exportVariable(EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
    const threads = util.getThreadsFlag(
      actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"],
      logger,
@@ -444,7 +444,7 @@ async function run(startedAt: Date) {
        `expect-error input was set to true but no error was thrown.`,
      );
    }
-    core.exportVariable(EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
+    exportVariable(EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
  } catch (unwrappedError) {
    const error = util.wrapError(unwrappedError);
    if (
@@ -3,7 +3,7 @@ import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
 import { getActionVersion, getRequiredInput } from "./actions-util";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
@@ -216,7 +216,7 @@ export async function getAnalysisKey(): Promise<string> {
  const jobName = getRequiredEnvParam("GITHUB_JOB");
  analysisKey = `${workflowPath}:${jobName}`;
-  core.exportVariable(EnvVar.ANALYSIS_KEY, analysisKey);
+  exportVariable(EnvVar.ANALYSIS_KEY, analysisKey);
  return analysisKey;
 }
@@ -9,7 +9,7 @@ import { getGitHubVersion } from "./api-client";
 import { determineAutobuildLanguages, runAutobuild } from "./autobuild";
 import { getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { Language } from "./languages";
 import { Logger, getActionsLogger } from "./logging";
 import {
@@ -137,7 +137,7 @@ async function run(startedAt: Date) {
    return;
  }
-  core.exportVariable(EnvVar.AUTOBUILD_DID_COMPLETE_SUCCESSFULLY, "true");
+  exportVariable(EnvVar.AUTOBUILD_DID_COMPLETE_SUCCESSFULLY, "true");
  await sendCompletedStatusReport(config, logger, startedAt, languages ?? []);
 }
@@ -1,11 +1,9 @@
 import * as core from "@actions/core";
 import { getTemporaryDirectory, getWorkflowEventName } from "./actions-util";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
 import { DocUrl } from "./doc-url";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { Feature, featureConfig, initFeatures } from "./feature-flags";
 import { BuiltInLanguage, Language } from "./languages";
 import { Logger } from "./logging";
@@ -136,16 +134,16 @@ export async function setupCppAutobuild(codeql: CodeQL, logger: Logger) {
            : ""
        }`,
      );
-      core.exportVariable(envVar, "false");
+      exportVariable(envVar, "false");
    } else {
      logger.info(
        `Enabling ${featureName}. This can be disabled by setting the ${envVar} environment variable to 'false'. See ${DocUrl.DEFINE_ENV_VARIABLES} for more information.`,
      );
-      core.exportVariable(envVar, "true");
+      exportVariable(envVar, "true");
    }
  } else {
    logger.info(`Disabling ${featureName}.`);
-    core.exportVariable(envVar, "false");
+    exportVariable(envVar, "false");
  }
 }
@@ -165,7 +163,7 @@ export async function runAutobuild(
    await codeQL.runAutobuild(config, language);
  }
  if (language === BuiltInLanguage.go) {
-    core.exportVariable(EnvVar.DID_AUTOBUILD_GOLANG, "true");
+    exportVariable(EnvVar.DID_AUTOBUILD_GOLANG, "true");
  }
  logger.endGroup();
 }
@@ -15,7 +15,7 @@ import * as api from "./api-client";
 import { CliError, wrapCliConfigurationError } from "./cli-errors";
 import { appendExtraQueryExclusions, type Config } from "./config-utils";
 import { DocUrl } from "./doc-url";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import {
  CodeQLDefaultVersionInfo,
  Feature,
@@ -1096,7 +1096,7 @@ async function getCodeQLForCmd(
        }' by 'github/codeql-action/*@v${getActionVersion()}' in your code scanning workflow to ` +
        "continue using this version of the CodeQL Action.",
    );
-    core.exportVariable(EnvVar.SUPPRESS_DEPRECATED_SOON_WARNING, "true");
+    exportVariable(EnvVar.SUPPRESS_DEPRECATED_SOON_WARNING, "true");
  }
  return codeql;
 }
@@ -2,7 +2,6 @@ import * as fs from "fs";
 import * as path from "path";
 import { performance } from "perf_hooks";
 import * as core from "@actions/core";
 import * as yaml from "js-yaml";
 import {
@@ -32,7 +31,7 @@ import {
  makeTelemetryDiagnostic,
 } from "./diagnostics";
 import { prepareDiffInformedAnalysis } from "./diff-informed-analysis-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import * as errorMessages from "./error-messages";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import {
@@ -1045,10 +1044,10 @@ async function setCppTrapCachingEnvironmentVariables(
      );
    } else if (config.trapCaches[BuiltInLanguage.cpp]) {
      logger.info("Enabling TRAP caching for C/C++.");
-      core.exportVariable(envVar, "true");
+      exportVariable(envVar, "true");
    } else {
      logger.debug(`Disabling TRAP caching for C/C++.`);
-      core.exportVariable(envVar, "false");
+      exportVariable(envVar, "false");
    }
  }
 }
@@ -11,7 +11,7 @@ import { dbIsFinalized } from "./analyze";
 import { scanArtifactsForTokens } from "./artifact-scanner";
 import { type CodeQL } from "./codeql";
 import { Config } from "./config-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import * as json from "./json";
 import { Language } from "./languages";
 import { Logger, withGroup } from "./logging";
@@ -330,7 +330,7 @@ export async function uploadArtifacts(
  // some issues early.
  if (isInTestMode()) {
    await scanArtifactsForTokens(toUpload, logger);
-    core.exportVariable("CODEQL_ACTION_ARTIFACT_SCAN_FINISHED", "true");
+    exportVariable("CODEQL_ACTION_ARTIFACT_SCAN_FINISHED", "true");
  }
  const suffix = getArtifactSuffix(getOptionalInput("matrix"));
@@ -1,3 +1,5 @@
 import * as core from "@actions/core";
 /**
 * Environment variables used by the CodeQL Action.
 *
@@ -154,3 +156,29 @@ export enum EnvVar {
  /** Used by Code Scanning Risk Assessment to communicate the assessment ID to the CodeQL Action. */
  RISK_ASSESSMENT_ID = "CODEQL_ACTION_RISK_ASSESSMENT_ID",
 }
 /**
 * Returns whether we are in test mode. This is used by CodeQL Action PR checks.
 *
 * In test mode, we skip several uploads (SARIF results, status reports, DBs, ...).
 */
 export function isInTestMode(): boolean {
  return process.env[EnvVar.TEST_MODE] === "true";
 }
 /**
 * Wrapper around `core.exportVariable` which does not call `core.exportVariable`
 * when running unit tests. This is important, because otherwise `core.exportVariable`
 * sets environment variables for other steps in a workflow when we run unit tests in CI.
 */
 export function exportVariable(name: string, val: any): void {
  if (process.env["NODE_ENV"] === "test") {
    // Setting the environment variable for the current process is OK since we reset
    // those at the end of each test. This allows tests to pass that rely on that
    // part of the `core.exportVariable` behaviour.
    process.env[name] = val;
  } else {
    // Call `core.exportVariable` whenever we are not in a test environment.
    core.exportVariable(name, val);
  }
 }
@@ -20,7 +20,7 @@ import {
  DependencyCachingUsageReport,
  getDependencyCacheUsage,
 } from "./dependency-caching";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { initFeatures } from "./feature-flags";
 import * as gitUtils from "./git-utils";
 import * as initActionPostHelper from "./init-action-post-helper";
@@ -157,7 +157,7 @@ function getFinalJobStatus(config: Config | undefined): JobStatus {
  let jobStatus: JobStatus;
  if (process.env[EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY] === "true") {
-    core.exportVariable(EnvVar.JOB_STATUS, JobStatus.SuccessStatus);
+    exportVariable(EnvVar.JOB_STATUS, JobStatus.SuccessStatus);
    jobStatus = JobStatus.SuccessStatus;
  } else if (config !== undefined) {
    // - We have computed a CodeQL config
@@ -182,7 +182,7 @@ function getFinalJobStatus(config: Config | undefined): JobStatus {
  // This shouldn't be necessary, but in the odd case that we run more than one
  // `init` post step, ensure the job status is consistent between them.
-  core.exportVariable(EnvVar.JOB_STATUS, jobStatus);
+  exportVariable(EnvVar.JOB_STATUS, jobStatus);
  return jobStatus;
 }
@@ -37,7 +37,7 @@ import {
  makeDiagnostic,
  makeTelemetryDiagnostic,
 } from "./diagnostics";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { Feature, FeatureEnablement, initFeatures } from "./feature-flags";
 import {
  loadPropertiesFromApi,
@@ -255,9 +255,9 @@ async function run(startedAt: Date) {
    // Create a unique identifier for this run.
    const jobRunUuid = uuidV4();
    logger.info(`Job run UUID is ${jobRunUuid}.`);
-    core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+    exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
-    core.exportVariable(EnvVar.INIT_ACTION_HAS_RUN, "true");
+    exportVariable(EnvVar.INIT_ACTION_HAS_RUN, "true");
    configFile = getOptionalInput("config-file");
@@ -343,7 +343,7 @@ async function run(startedAt: Date) {
        );
      }
      if (semver.lt(actualVer, publicPreview)) {
-        core.exportVariable(EnvVar.EXPERIMENTAL_FEATURES, "true");
+        exportVariable(EnvVar.EXPERIMENTAL_FEATURES, "true");
        logger.info("Experimental Rust analysis enabled");
      }
    }
@@ -508,7 +508,7 @@ async function run(startedAt: Date) {
    // Forward Go flags
    const goFlags = process.env["GOFLAGS"];
    if (goFlags) {
-      core.exportVariable("GOFLAGS", goFlags);
+      exportVariable("GOFLAGS", goFlags);
      core.warning(
        "Passing the GOFLAGS env parameter to the init action is deprecated. Please move this to the analyze action.",
      );
@@ -554,7 +554,7 @@ async function run(startedAt: Date) {
            // Store the original location of our wrapper script somewhere where we can
            // later retrieve it from and cross-check that it hasn't been changed.
-            core.exportVariable(EnvVar.GO_BINARY_LOCATION, goWrapperPath);
+            exportVariable(EnvVar.GO_BINARY_LOCATION, goWrapperPath);
          } catch (e) {
            logger.warning(
              `Analyzing Go on Linux, but failed to install wrapper script. Tracing custom builds may fail: ${e}`,
@@ -563,7 +563,7 @@ async function run(startedAt: Date) {
        } else {
          // Store the location of the original Go binary, so we can check that no setup tasks were performed after the
          // `init` Action ran.
-          core.exportVariable(EnvVar.GO_BINARY_LOCATION, goBinaryPath);
+          exportVariable(EnvVar.GO_BINARY_LOCATION, goBinaryPath);
        }
      } catch (e) {
        logger.warning(
@@ -598,12 +598,12 @@ async function run(startedAt: Date) {
    // threads it would ask extractors to use. See help text for the "--ram" and "--threads"
    // options at https://codeql.github.com/docs/codeql-cli/manual/database-trace-command/
    // for details.
-    core.exportVariable(
+    exportVariable(
      "CODEQL_RAM",
      process.env["CODEQL_RAM"] ||
        getCodeQLMemoryLimit(getOptionalInput("ram"), logger).toString(),
    );
-    core.exportVariable(
+    exportVariable(
      "CODEQL_THREADS",
      process.env["CODEQL_THREADS"] ||
        getThreadsFlagValue(getOptionalInput("threads"), logger).toString(),
@@ -611,7 +611,7 @@ async function run(startedAt: Date) {
    // Disable Kotlin extractor if feature flag set
    if (await features.getValue(Feature.DisableKotlinAnalysisEnabled)) {
-      core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
+      exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
    }
    const kotlinLimitVar =
@@ -620,7 +620,7 @@ async function run(startedAt: Date) {
      (await codeQlVersionAtLeast(codeql, "2.20.3")) &&
      !(await codeQlVersionAtLeast(codeql, "2.20.4"))
    ) {
-      core.exportVariable(kotlinLimitVar, "2.1.20");
+      exportVariable(kotlinLimitVar, "2.1.20");
    }
    // Restore dependency cache(s), if they exist.
@@ -669,10 +669,7 @@ async function run(startedAt: Date) {
      config.buildMode === BuildMode.None &&
      config.languages.includes(BuiltInLanguage.java)
    ) {
-      core.exportVariable(
+      exportVariable(EnvVar.JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS, "true");
        EnvVar.JAVA_EXTRACTOR_MINIMIZE_DEPENDENCY_JARS,
        "true",
      );
    }
    const { registriesAuthTokens, qlconfigFile } =
@@ -729,7 +726,7 @@ async function run(startedAt: Date) {
    const tracerConfig = await getCombinedTracerConfig(codeql, config);
    if (tracerConfig !== undefined) {
      for (const [key, value] of Object.entries(tracerConfig.env)) {
-        core.exportVariable(key, value);
+        exportVariable(key, value);
      }
    }
@@ -740,7 +737,7 @@ async function run(startedAt: Date) {
        getOptionalEnvVar(JavaEnvVars.JAVA_TOOL_OPTIONS) || "";
      // Add the network debugging options.
-      core.exportVariable(
+      exportVariable(
        JavaEnvVars.JAVA_TOOL_OPTIONS,
        `${existingJavaToolOptions} -Djavax.net.debug=all`,
      );
@@ -1,13 +1,13 @@
 import * as fs from "fs";
 import path from "path";
 import * as core from "@actions/core";
 import * as github from "@actions/github";
 import test, { ExecutionContext } from "ava";
 import * as sinon from "sinon";
 import * as actionsUtil from "./actions-util";
 import { createStubCodeQL } from "./codeql";
 import * as environment from "./environment";
 import { Feature } from "./feature-flags";
 import {
  checkPacksForOverlayCompatibility,
@@ -545,7 +545,7 @@ test.serial(
 test.serial(
  "file coverage deprecation warning for org-owned repo with default setup recommends repo property",
  (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
    sinon.stub(actionsUtil, "isDefaultSetup").returns(true);
    github.context.payload = {
      repository: {
@@ -572,7 +572,7 @@ test.serial(
 test.serial(
  "file coverage deprecation warning for org-owned repo with advanced setup recommends env var and repo property",
  (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
    sinon.stub(actionsUtil, "isDefaultSetup").returns(false);
    github.context.payload = {
      repository: {
@@ -600,7 +600,7 @@ test.serial(
 test.serial(
  "file coverage deprecation warning for user-owned repo with default setup recommends advanced setup",
  (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
    sinon.stub(actionsUtil, "isDefaultSetup").returns(true);
    github.context.payload = {
      repository: {
@@ -626,7 +626,7 @@ test.serial(
 test.serial(
  "file coverage deprecation warning for user-owned repo with advanced setup recommends env var",
  (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
    sinon.stub(actionsUtil, "isDefaultSetup").returns(false);
    github.context.payload = {
      repository: {
@@ -651,7 +651,7 @@ test.serial(
 test.serial(
  "file coverage deprecation warning for unknown owner type with default setup recommends advanced setup",
  (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
    sinon.stub(actionsUtil, "isDefaultSetup").returns(true);
    github.context.payload = { repository: undefined };
    const messages: LoggedMessage[] = [];
@@ -672,7 +672,7 @@ test.serial(
 test.serial(
  "file coverage deprecation warning for unknown owner type with advanced setup recommends env var",
  (t) => {
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
    sinon.stub(actionsUtil, "isDefaultSetup").returns(false);
    github.context.payload = { repository: undefined };
    const messages: LoggedMessage[] = [];
@@ -694,7 +694,7 @@ test.serial(
  (t) => {
    process.env["CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION"] =
      "true";
-    const exportVariableStub = sinon.stub(core, "exportVariable");
+    const exportVariableStub = sinon.stub(environment, "exportVariable");
    const messages: LoggedMessage[] = [];
    logFileCoverageOnPrsDeprecationWarning(getRecordingLogger(messages));
    t.is(messages.length, 0);
@@ -1,7 +1,6 @@
 import * as fs from "fs";
 import * as path from "path";
 import * as core from "@actions/core";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as github from "@actions/github";
 import * as io from "@actions/io";
@@ -16,7 +15,7 @@ import {
 import { GitHubApiDetails } from "./api-client";
 import { CodeQL, setupCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import {
  CodeQLDefaultVersionInfo,
  Feature,
@@ -418,5 +417,5 @@ export function logFileCoverageOnPrsDeprecationWarning(logger: Logger): void {
  }
  logger.warning(message);
-  core.exportVariable(EnvVar.DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION, "true");
+  exportVariable(EnvVar.DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION, "true");
 }
@@ -8,6 +8,7 @@ import * as sinon from "sinon";
 import * as actionsUtil from "../actions-util";
 import * as apiClient from "../api-client";
 import type { ResolveDatabaseOutput } from "../codeql";
 import * as environment from "../environment";
 import * as gitUtils from "../git-utils";
 import { BuiltInLanguage } from "../languages";
 import { getRunnerLogger } from "../logging";
@@ -82,7 +83,7 @@ const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
      sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-      sinon.stub(utils, "isInTestMode").returns(testCase.isInTestMode);
+      sinon.stub(environment, "isInTestMode").returns(testCase.isInTestMode);
      if (testCase.restoreCacheResult instanceof Error) {
        sinon
@@ -11,7 +11,7 @@ import { AnalysisKind, getAnalysisKinds } from "./analyses";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
 import { getRawLanguagesNoAutodetect } from "./config-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { initFeatures } from "./feature-flags";
 import { initCodeQL } from "./init";
 import { getActionsLogger, Logger } from "./logging";
@@ -125,7 +125,7 @@ async function run(startedAt: Date): Promise<void> {
    const jobRunUuid = uuidV4();
    logger.info(`Job run UUID is ${jobRunUuid}.`);
-    core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+    exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
    const statusReportBase = await createStatusReportBase(
      ActionName.SetupCodeQL,
@@ -165,7 +165,7 @@ async function run(startedAt: Date): Promise<void> {
    core.setOutput("codeql-path", codeql.getPath());
    core.setOutput("codeql-version", (await codeql.getVersion()).version);
-    core.exportVariable(EnvVar.SETUP_CODEQL_ACTION_HAS_RUN, "true");
+    exportVariable(EnvVar.SETUP_CODEQL_ACTION_HAS_RUN, "true");
  } catch (unwrappedError) {
    const error = wrapError(unwrappedError);
    core.setFailed(error.message);
@@ -15,7 +15,7 @@ import { getAnalysisKey, getApiClient } from "./api-client";
 import { parseRegistriesWithoutCredentials, type Config } from "./config-utils";
 import { DependencyCacheRestoreStatusReport } from "./dependency-caching";
 import { DocUrl } from "./doc-url";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { getRef } from "./git-utils";
 import { Logger } from "./logging";
 import { OverlayBaseDatabaseDownloadStats } from "./overlay/caching";
@@ -216,12 +216,12 @@ export function getJobStatusDisplayName(status: JobStatus): string {
 */
 function setJobStatusIfUnsuccessful(actionStatus: ActionStatus) {
  if (actionStatus === "user-error") {
-    core.exportVariable(
+    exportVariable(
      EnvVar.JOB_STATUS,
      process.env[EnvVar.JOB_STATUS] ?? JobStatus.ConfigErrorStatus,
    );
  } else if (actionStatus === "failure" || actionStatus === "aborted") {
-    core.exportVariable(
+    exportVariable(
      EnvVar.JOB_STATUS,
      process.env[EnvVar.JOB_STATUS] ?? JobStatus.FailureStatus,
    );
@@ -280,7 +280,7 @@ export async function createStatusReportBase(
    let workflowStartedAt = process.env[EnvVar.WORKFLOW_STARTED_AT];
    if (workflowStartedAt === undefined) {
      workflowStartedAt = actionStartedAt.toISOString();
-      core.exportVariable(EnvVar.WORKFLOW_STARTED_AT, workflowStartedAt);
+      exportVariable(EnvVar.WORKFLOW_STARTED_AT, workflowStartedAt);
    }
    const runnerOs = getRequiredEnvParam("RUNNER_OS");
    const codeQlCliVersion = getCachedCodeQlVersion();
@@ -289,7 +289,7 @@ export async function createStatusReportBase(
    // re-export the testing environment variable so that it is available to subsequent steps,
    // even if it was only set for this step
    if (testingEnvironment) {
-      core.exportVariable(EnvVar.TESTING_ENVIRONMENT, testingEnvironment);
+      exportVariable(EnvVar.TESTING_ENVIRONMENT, testingEnvironment);
    }
    const isSteadyStateDefaultSetupRun =
      process.env["CODE_SCANNING_IS_STEADY_STATE_DEFAULT_SETUP"] === "true";
@@ -14,7 +14,7 @@ import { getGitHubVersion, wrapApiConfigurationError } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
 import { getConfig } from "./config-utils";
 import { readDiffRangesJsonFile } from "./diff-informed-analysis-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable } from "./environment";
 import { FeatureEnablement } from "./feature-flags";
 import * as fingerprints from "./fingerprints";
 import * as gitUtils from "./git-utils";
@@ -126,7 +126,7 @@ async function combineSarifFilesUsingCLI(
      logger.warning(
        `Uploading multiple SARIF runs with the same category is deprecated ${deprecationWarningMessage}. Please update your workflow to upload a single run per category. ${deprecationMoreInformationMessage}`,
      );
-      core.exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
+      exportVariable("CODEQL_MERGE_SARIF_DEPRECATION_WARNING", "true");
    }
    // If not, use the naive method of combining the files.
@@ -1023,7 +1023,7 @@ export function validateUniqueCategory(
          `Category: (${id ? id : "none"}) Tool: (${tool ? tool : "none"})`,
      );
    }
-    core.exportVariable(sentinelEnvVar, sentinelEnvVar);
+    exportVariable(sentinelEnvVar, sentinelEnvVar);
  }
 }
@@ -13,11 +13,13 @@ import * as apiCompatibility from "./api-compatibility.json";
 import type { CodeQL, VersionInfo } from "./codeql";
 import type { Pack } from "./config/db-config";
 import type { Config } from "./config-utils";
-import { EnvVar } from "./environment";
+import { EnvVar, exportVariable, isInTestMode } from "./environment";
 import * as json from "./json";
 import { Language } from "./languages";
 import { Logger } from "./logging";
 export { isInTestMode } from "./environment";
 /**
 * The name of the file containing the base database OIDs, as stored in the
 * root of the database location.
@@ -515,7 +517,7 @@ export function checkGitHubVersionInRange(
    );
  }
  hasBeenWarnedAboutVersion = true;
-  core.exportVariable(CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR, true);
+  exportVariable(CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR, true);
 }
 export enum DisallowedAPIVersionReason {
@@ -559,11 +561,11 @@ export function assertNever(value: never): never {
 * knowing what version of CodeQL we're running.
 */
 export function initializeEnvironment(version: string) {
-  core.exportVariable(EnvVar.FEATURE_MULTI_LANGUAGE, "false");
+  exportVariable(EnvVar.FEATURE_MULTI_LANGUAGE, "false");
-  core.exportVariable(EnvVar.FEATURE_SANDWICH, "false");
+  exportVariable(EnvVar.FEATURE_SANDWICH, "false");
-  core.exportVariable(EnvVar.FEATURE_SARIF_COMBINE, "true");
+  exportVariable(EnvVar.FEATURE_SARIF_COMBINE, "true");
-  core.exportVariable(EnvVar.FEATURE_WILL_UPLOAD, "true");
+  exportVariable(EnvVar.FEATURE_WILL_UPLOAD, "true");
-  core.exportVariable(EnvVar.VERSION, version);
+  exportVariable(EnvVar.VERSION, version);
 }
 /**
@@ -708,15 +710,6 @@ export function isGoodVersion(versionSpec: string) {
  return !BROKEN_VERSIONS.includes(versionSpec);
 }
 /**
 * Returns whether we are in test mode. This is used by CodeQL Action PR checks.
 *
 * In test mode, we skip several uploads (SARIF results, status reports, DBs, ...).
 */
 export function isInTestMode(): boolean {
  return process.env[EnvVar.TEST_MODE] === "true";
 }
 /**
 * Returns whether we specifically want to skip uploading SARIF files.
 */
@@ -935,7 +928,7 @@ export async function checkDiskUsage(
      } else {
        logger.debug(message);
      }
-      core.exportVariable(EnvVar.HAS_WARNED_ABOUT_DISK_SPACE, "true");
+      exportVariable(EnvVar.HAS_WARNED_ABOUT_DISK_SPACE, "true");
    }
    return {
      numAvailableBytes: diskUsage.bavail * blockSizeInBytes,
@@ -984,7 +977,7 @@ export function checkActionVersion(
          "https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/",
      );
      // set LOG_VERSION_DEPRECATION env var to prevent the warning from being logged multiple times
-      core.exportVariable(EnvVar.LOG_VERSION_DEPRECATION, "true");
+      exportVariable(EnvVar.LOG_VERSION_DEPRECATION, "true");
    }
  }
 }
Author	SHA1	Message	Date
Michael B. Gale	8041026692	Add `NODE_ENV` as safe environment variable	2026-05-22 15:14:24 +01:00
Michael B. Gale	d3b3ffb888	Add basic eslint enforcement	2026-05-22 15:03:52 +01:00
Michael B. Gale	dc5f2b964a	Add wrapper around `core.exportVariable`	2026-05-22 15:03:52 +01:00
Michael B. Gale	ffebdc8cf8	Move `isInTestMode` to `environment.ts`	2026-05-22 13:45:07 +01:00
Óscar San José	0fb8a6672b	Merge pull request #3928 from github/mergeback/v4.36.0-to-main-7211b7c8 Mergeback v4.36.0 refs/heads/releases/v4 into main	2026-05-22 11:28:10 +00:00
github-actions[bot]	80795fb0d4	Rebuild	2026-05-22 11:08:00 +00:00
github-actions[bot]	0cd24d8654	Update changelog and version after v4.36.0	2026-05-22 11:07:48 +00:00