diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index 499b123165..89138c523c 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml @@ -48,6 +48,10 @@ jobs: include: - os: ubuntu-latest version: nightly-latest + - os: macos-latest + version: nightly-latest + - os: windows-latest + version: nightly-latest name: All-platform bundle if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml index 2159072adf..30d5c532c6 100644 --- a/.github/workflows/__analyze-ref-input.yml +++ b/.github/workflows/__analyze-ref-input.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: "Analyze: 'ref' and 'sha' from inputs" if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__autobuild-direct-tracing.yml b/.github/workflows/__autobuild-direct-tracing.yml deleted file mode 100644 index 9294edfb84..0000000000 --- a/.github/workflows/__autobuild-direct-tracing.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -# Warning: This file is generated automatically, and should not be modified. -# Instead, please modify the template in the pr-checks directory and run: -# pr-checks/sync.sh -# to regenerate this file. - -name: PR Check - Autobuild direct tracing -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GO111MODULE: auto -on: - push: - branches: - - main - - releases/v* - pull_request: - types: - - opened - - synchronize - - reopened - - ready_for_review - schedule: - - cron: '0 5 * * *' - workflow_dispatch: - inputs: - java-version: - type: string - description: The version of Java to install - required: false - default: '17' - workflow_call: - inputs: - java-version: - type: string - description: The version of Java to install - required: false - default: '17' -defaults: - run: - shell: bash -concurrency: - cancel-in-progress: ${{ github.event_name == 'pull_request' }} - group: ${{ github.workflow }}-${{ github.ref }} -jobs: - autobuild-direct-tracing: - strategy: - fail-fast: false - matrix: - include: - - os: ubuntu-latest - version: linked - - os: windows-latest - version: linked - - os: ubuntu-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest - name: Autobuild direct tracing - if: github.triggering_actor != 'dependabot[bot]' - permissions: - contents: read - security-events: read - timeout-minutes: 45 - runs-on: ${{ matrix.os }} - steps: - - name: Check out repository - uses: actions/checkout@v5 - - name: Prepare test - id: prepare-test - uses: ./.github/actions/prepare-test - with: - version: ${{ matrix.version }} - use-all-platform-bundle: 'false' - setup-kotlin: 'true' - - name: Install Java - uses: actions/setup-java@v5 - with: - java-version: ${{ inputs.java-version || '17' }} - distribution: temurin - - name: Set up Java test repo configuration - run: | - mv * .github ../action/tests/multi-language-repo/ - mv ../action/tests/multi-language-repo/.github/workflows .github - mv ../action/tests/java-repo/* . 
- - - uses: ./../action/init - id: init - with: - build-mode: autobuild - db-location: ${{ runner.temp }}/customDbLocation - languages: java - tools: ${{ steps.prepare-test.outputs.tools-url }} - - - name: Check that indirect tracing is disabled - run: | - if [[ ! -z "${CODEQL_RUNNER}" ]]; then - echo "Expected indirect tracing to be disabled, but the" \ - "CODEQL_RUNNER environment variable is set." - exit 1 - fi - - - uses: ./../action/analyze - env: - CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true - CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__autobuild-working-dir.yml similarity index 98% rename from .github/workflows/__test-autobuild-working-dir.yml rename to .github/workflows/__autobuild-working-dir.yml index b55018c736..3a3ca9e5f0 100644 --- a/.github/workflows/__test-autobuild-working-dir.yml +++ b/.github/workflows/__autobuild-working-dir.yml @@ -31,7 +31,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-autobuild-working-dir: + autobuild-working-dir: strategy: fail-fast: false matrix: diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml index a6e880cf00..878c941a47 100644 --- a/.github/workflows/__build-mode-autobuild.yml +++ b/.github/workflows/__build-mode-autobuild.yml @@ -21,9 +21,19 @@ on: schedule: - cron: '0 5 * * *' workflow_dispatch: - inputs: {} + inputs: + java-version: + type: string + description: The version of Java to install + required: false + default: '17' workflow_call: - inputs: {} + inputs: + java-version: + type: string + description: The version of Java to install + required: false + default: '17' defaults: run: shell: bash 
@@ -37,6 +47,12 @@ jobs: matrix: include: - os: ubuntu-latest + version: linked + - os: windows-latest + version: linked + - os: ubuntu-latest + version: nightly-latest + - os: windows-latest version: nightly-latest name: Build mode autobuild if: github.triggering_actor != 'dependabot[bot]' @@ -55,6 +71,11 @@ jobs: version: ${{ matrix.version }} use-all-platform-bundle: 'false' setup-kotlin: 'true' + - name: Install Java + uses: actions/setup-java@v5 + with: + java-version: ${{ inputs.java-version || '17' }} + distribution: temurin - name: Set up Java test repo configuration run: | mv * .github ../action/tests/multi-language-repo/ @@ -69,6 +90,11 @@ jobs: languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} + - name: Install yq + if: runner.os == 'Windows' + run: | + choco install yq -y + - name: Validate database build mode run: | metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml" @@ -78,6 +104,14 @@ jobs: exit 1 fi + - name: Check that indirect tracing is disabled + run: | + if [[ ! -z "${CODEQL_RUNNER}" ]]; then + echo "Expected indirect tracing to be disabled, but the" \ + "CODEQL_RUNNER environment variable is set." + exit 1 + fi + - uses: ./../action/analyze env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml index 1b89d3a186..c6666b0f63 100644 --- a/.github/workflows/__config-export.yml +++ b/.github/workflows/__config-export.yml @@ -38,16 +38,8 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Config export if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml index f9f29ff4fa..d8707c799e 100644 
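Review bot: The new `Install yq` step runs `choco install yq -y` with no version, so every Windows run of this job executes whatever package version Chocolatey serves at that moment. Pinning it, e.g. `choco install yq --version <PINNED_VERSION> -y`, keeps the check reproducible and narrows the job's supply-chain exposure; the `Validate database build mode` step that follows presumably relies on yq's output. This workflow appears to be generated from a template under pr-checks, so the change would belong in the template rather than in this file. In the added `Check that indirect tracing is disabled` step, `[[ -n "${CODEQL_RUNNER}" ]]` reads more directly than `! -z`.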
--- a/.github/workflows/__diagnostics-export.yml +++ b/.github/workflows/__diagnostics-export.yml @@ -38,16 +38,8 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Diagnostic export if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__global-proxy.yml similarity index 99% rename from .github/workflows/__test-proxy.yml rename to .github/workflows/__global-proxy.yml index 8504a44010..bd5d64b5f4 100644 --- a/.github/workflows/__test-proxy.yml +++ b/.github/workflows/__global-proxy.yml @@ -31,7 +31,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-proxy: + global-proxy: strategy: fail-fast: false matrix: diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml index 5d98643b09..bbbc55bf12 100644 --- a/.github/workflows/__init-with-registries.yml +++ b/.github/workflows/__init-with-registries.yml @@ -38,22 +38,10 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Download using registries' if: github.triggering_actor != 'dependabot[bot]' permissions: 
@@ -118,8 +106,6 @@ jobs: fi - name: Verify contents of qlconfig.yml - # yq is not available on windows - if: runner.os != 'Windows' run: | QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")' diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__local-bundle.yml similarity index 99% rename from .github/workflows/__test-local-codeql.yml rename to .github/workflows/__local-bundle.yml index eee756a2a8..7f840b5dc6 100644 --- a/.github/workflows/__test-local-codeql.yml +++ b/.github/workflows/__local-bundle.yml @@ -41,7 +41,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-local-codeql: + local-bundle: strategy: fail-fast: false matrix: diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml index 8917e4a0eb..0e08cf70fc 100644 --- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml +++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml @@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config and input passed to the CLI' if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml index 777683b0f3..de3070bafa 100644 --- a/.github/workflows/__packaging-config-inputs-js.yml +++ b/.github/workflows/__packaging-config-inputs-js.yml 
@@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config and input' if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml index d1abda7e3a..9c9dadadaf 100644 --- a/.github/workflows/__packaging-config-js.yml +++ b/.github/workflows/__packaging-config-js.yml @@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config file' if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml index 711a600bc0..2aa63c3c3d 100644 --- a/.github/workflows/__packaging-inputs-js.yml +++ b/.github/workflows/__packaging-inputs-js.yml @@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Action input' if: github.triggering_actor != 'dependabot[bot]' permissions: 
diff --git a/.github/workflows/__quality-queries.yml b/.github/workflows/__quality-queries.yml index 1b5cd0c393..c4aa5ffaf1 100644 --- a/.github/workflows/__quality-queries.yml +++ b/.github/workflows/__quality-queries.yml @@ -45,24 +45,6 @@ jobs: - os: ubuntu-latest version: linked analysis-kinds: code-scanning,code-quality - - os: macos-latest - version: linked - analysis-kinds: code-scanning - - os: macos-latest - version: linked - analysis-kinds: code-quality - - os: macos-latest - version: linked - analysis-kinds: code-scanning,code-quality - - os: windows-latest - version: linked - analysis-kinds: code-scanning - - os: windows-latest - version: linked - analysis-kinds: code-quality - - os: windows-latest - version: linked - analysis-kinds: code-scanning,code-quality - os: ubuntu-latest version: nightly-latest analysis-kinds: code-scanning @@ -72,24 +54,6 @@ jobs: - os: ubuntu-latest version: nightly-latest analysis-kinds: code-scanning,code-quality - - os: macos-latest - version: nightly-latest - analysis-kinds: code-scanning - - os: macos-latest - version: nightly-latest - analysis-kinds: code-quality - - os: macos-latest - version: nightly-latest - analysis-kinds: code-scanning,code-quality - - os: windows-latest - version: nightly-latest - analysis-kinds: code-scanning - - os: windows-latest - version: nightly-latest - analysis-kinds: code-quality - - os: windows-latest - version: nightly-latest - analysis-kinds: code-scanning,code-quality name: Quality queries input if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index 7ddd6e663d..2203f3316c 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml 
@@ -38,22 +38,10 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Resolve environment if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__upload-quality-sarif.yml b/.github/workflows/__upload-quality-sarif.yml index 15bc871d94..d9bcbb20fe 100644 --- a/.github/workflows/__upload-quality-sarif.yml +++ b/.github/workflows/__upload-quality-sarif.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: 'Upload-sarif: code quality endpoint' if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml index d6970ea18d..8202ab1363 100644 --- a/.github/workflows/__upload-ref-sha-input.yml +++ b/.github/workflows/__upload-ref-sha-input.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: "Upload-sarif: 'ref' and 'sha' from inputs" if: github.triggering_actor != 'dependabot[bot]' permissions: diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index aa6c9651df..e12c9846a3 100644 --- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked name: Use a custom `checkout_path` if: github.triggering_actor != 'dependabot[bot]' permissions: 
diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml index c11f479718..c6dc41f299 100644 --- a/.github/workflows/codescanning-config-cli.yml +++ b/.github/workflows/codescanning-config-cli.yml @@ -42,16 +42,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest # Code-Scanning config not created because environment variable is not set name: Code Scanning Configuration tests diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index fa80525f90..2fd737de86 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -55,17 +55,20 @@ jobs: run: .github/workflows/script/check-js.sh - name: Verify PR checks up to date + if: always() run: .github/workflows/script/verify-pr-checks.sh - name: Run unit tests + if: always() run: npm test - name: Run pr-checks tests + if: always() working-directory: pr-checks run: python -m unittest discover - name: Lint - if: matrix.os != 'windows-latest' + if: always() && matrix.os != 'windows-latest' run: npm run lint-ci - name: Upload sarif diff --git a/.github/workflows/rollback-release.yml b/.github/workflows/rollback-release.yml index 937c413f90..8d8e872fa7 100644 --- a/.github/workflows/rollback-release.yml +++ b/.github/workflows/rollback-release.yml @@ -10,6 +10,10 @@ on: required: true # Only for dry-runs of changes to the workflow. push: + # Don't run dry-run on release branches, to avoid an issue where the + # "new" tag determined by the "Prepare release" job already exists. + branches-ignore: + - releases/v* paths: - .github/workflows/rollback-release.yml - .github/actions/prepare-mergeback-branch/** 
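Review bot: The `if: always()` conditions added in pr-checks.yml to `Verify PR checks up to date`, `Run unit tests`, `Run pr-checks tests` and `Lint` also keep those steps running after the run has been cancelled, and after a failed setup step earlier in the job, where their failures would only obscure the real cause. `if: ${{ !cancelled() }}` still reports every check when check-js fails but honours cancellation; for Lint that would be `if: ${{ !cancelled() && matrix.os != 'windows-latest' }}`. The job's earlier steps are outside the hunk, so whether a setup failure is realistic here cannot be confirmed from this view.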
diff --git a/.github/workflows/script/check-js.sh b/.github/workflows/script/check-js.sh index f8f5d19d08..57638dcf25 100755 --- a/.github/workflows/script/check-js.sh +++ b/.github/workflows/script/check-js.sh @@ -16,6 +16,18 @@ if [ ! -z "$(git status --porcelain)" ]; then # If we get a fail here then the PR needs attention >&2 echo "Failed: JavaScript files are not up to date. Run 'rm -rf lib && npm run-script build' to update" git status + + echo "### Transpiled JS diff" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo '```diff' >> $GITHUB_STEP_SUMMARY + git diff --output="$RUNNER_TEMP/js.diff" + cat "$RUNNER_TEMP/js.diff" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + + # Reset bundled files to allow other checks to test for changes + git checkout lib + + # Fail this check exit 1 fi echo "Success: JavaScript files are up to date" diff --git a/.github/workflows/script/verify-pr-checks.sh b/.github/workflows/script/verify-pr-checks.sh index cf9e79bada..6aa1381e2c 100755 --- a/.github/workflows/script/verify-pr-checks.sh +++ b/.github/workflows/script/verify-pr-checks.sh @@ -20,6 +20,14 @@ if [ ! -z "$(git status --porcelain)" ]; then git diff git status >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update" + + echo "### Generated workflows diff" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo '```diff' >> $GITHUB_STEP_SUMMARY + git diff --output="$RUNNER_TEMP/workflows.diff" + cat "$RUNNER_TEMP/workflows.diff" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + exit 1 fi -echo "Success: PR checks are up to date" \ No newline at end of file +echo "Success: PR checks are up to date" diff --git a/.vscode/settings.json b/.vscode/settings.json index 629fb7b542..f417dd2a6e 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
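Review bot: The block added to check-js.sh appends the whole `git diff` to the step summary, and a diff of the bundled `lib` files can exceed the size GitHub accepts for a step summary (1 MiB per step, as far as I know), in which case the summary is rejected instead of shown. Capping it, e.g. `head -c 500000 "$RUNNER_TEMP/js.diff" >> "$GITHUB_STEP_SUMMARY"`, and quoting `"$GITHUB_STEP_SUMMARY"` in every redirect would make the step robust; the same applies to the block added to verify-pr-checks.sh. `git checkout lib` restores tracked files only, so any new untracked file the build left under `lib` would still trip the `git status --porcelain` test in verify-pr-checks.sh; `git clean -fd -- lib` after the checkout would cover that. Both scripts begin outside their hunks.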
@@ -8,6 +8,11 @@ "build": true, "lib": true, }, + "search.exclude": { + "**/node_modules": true, + "build": true, + "lib": true, + }, // Installing a new Node package often triggers VS Code's git limit warnings as there is typically // an intermediate stage where many files are modified. This setting suppresses these warnings. "git.ignoreLimitWarning": true, diff --git a/CHANGELOG.md b/CHANGELOG.md index c9e4e8a184..ab3bbca6b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## 3.30.5 - 26 Sep 2025 + +- We fixed a bug that was introduced in `3.30.4` with `upload-sarif` which resulted in files without a `.sarif` extension not getting uploaded. [#3160](https://github.com/github/codeql-action/pull/3160) + ## 3.30.4 - 25 Sep 2025 - We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. [#3099](https://github.com/github/codeql-action/pull/3099) and [#3100](https://github.com/github/codeql-action/pull/3100) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 83fff23936..493ae847cf 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -20,6 +20,7 @@ Before you start, ensure that you have a recent version of node (16 or higher) i * Transpile the TypeScript to JavaScript: `npm run build`. Note that the JavaScript files are committed to git. * Run tests: `npm run test`. You’ll need to ensure that the JavaScript files are up-to-date first by running the command above. * Run the linter: `npm run lint`. +* Run tests for a specific path: `npm run ava -- ./src/filename.test.ts` or `npm run ava -- ./src/feature-flags/` This project also includes configuration to run tests from VSCode (with support for breakpoints) - open the test file you wish to run and choose "Debug AVA test file" from the Run menu in the Run panel. diff --git a/justfile b/justfile index c951b4b063..ed9d9eb1db 100644 --- a/justfile +++ b/justfile @@ -22,7 +22,7 @@ test: build # Run the tests for a single file test_file filename: build - npx ava --serial --verbose {{filename}} + npm run ava {{filename}} [doc("Refresh the .js build artefacts in the lib directory")] [confirm] diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 4a01511046..4466b39598 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js 
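Review bot: The `test_file` recipe in the justfile now calls `npm run ava {{filename}}` without the `--` separator that the CONTRIBUTING.md line added in the same commit uses (`npm run ava -- ./src/filename.test.ts`). Without it npm treats any argument starting with `-` as one of its own options instead of passing it on to ava, so the two documented ways of running a single test behave differently. `npm run ava -- {{filename}}` keeps them consistent.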
@@ -26438,16 +26438,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/analyze-action.js b/lib/analyze-action.js index c7e6b7b1a1..221434663a 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js 
@@ -32287,16 +32287,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, @@ -92265,17 +92266,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian toolsVersion: "local" }; } - const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.` - ); - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." - ); - } - } let cliVersion2; let tagName; let url2; 
@@ -92285,9 +92275,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); toolsInput = await getNightlyToolsUrl(logger); } + const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.` + ); + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." + ); + } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index f6a3cdd902..cf4e82a6bb 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -26438,16 +26438,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, 
diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 65dadeb7de..63f65d1e55 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -32287,16 +32287,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, @@ -130208,17 +130209,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian toolsVersion: "local" }; } - const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.` - ); - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." - ); - } - } let cliVersion2; let tagName; let url2; 
@@ -130228,9 +130218,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); toolsInput = await getNightlyToolsUrl(logger); } + const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.` + ); + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." + ); + } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; diff --git a/lib/init-action.js b/lib/init-action.js index e8cd76dc98..703107c5ad 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -32287,16 +32287,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, 
@@ -89037,17 +89038,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian toolsVersion: "local" }; } - const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.` - ); - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." - ); - } - } let cliVersion2; let tagName; let url; @@ -89057,9 +89047,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); toolsInput = await getNightlyToolsUrl(logger); } + const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.` + ); + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." + ); + } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url = toolsInput; diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index f63ac24681..816fa8eed2 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js 
@@ -26438,16 +26438,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 8507bab0e0..98cff4159e 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js 
@@ -26438,16 +26438,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 32691c1cca..56006078a3 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js 
@@ -44966,16 +44966,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 78ccf503c9..9d5c04e842 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js 
@@ -33584,16 +33584,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, @@ -90036,17 +90037,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian toolsVersion: "local" }; } - const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.` - ); - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." - ); - } - } let cliVersion2; let tagName; let url2; 
@@ -90056,9 +90046,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); toolsInput = await getNightlyToolsUrl(logger); } + const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.` + ); + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." + ); + } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 95ddd53074..2bad6677a0 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -26438,16 +26438,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, 
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 88e26e3ca8..59c660b275 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -32287,16 +32287,17 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, @@ -90737,17 +90738,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian toolsVersion: "local" }; } - const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.` - ); - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." - ); - } - } let cliVersion2; let tagName; let url2; 
@@ -90757,9 +90747,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); toolsInput = await getNightlyToolsUrl(logger); } + const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.` + ); + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." + ); + } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; @@ -93425,7 +93424,7 @@ async function findAndUpload(logger, features, sarifPath, pathStats, checkoutPat sarifPath, analysis.sarifPredicate ); - } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) { + } else if (pathStats.isFile() && (analysis.sarifPredicate(sarifPath) || analysis.kind === "code-scanning" /* CodeScanning */ && !CodeQuality.sarifPredicate(sarifPath))) { sarifFiles = [sarifPath]; } else { return void 0; diff --git a/package-lock.json b/package-lock.json index 2974494647..b6da79aac6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "3.30.4", + "version": "3.30.5", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "3.30.4", + "version": "3.30.5", "license": "MIT", "dependencies": { "@actions/artifact": "^2.3.1", diff --git a/package.json b/package.json index 96fe4d3aa1..89183893e8 100644 --- a/package.json +++ b/package.json 
@@ -1,15 +1,16 @@ { "name": "codeql", - "version": "3.30.4", + "version": "3.30.5", "private": true, "description": "CodeQL action", "scripts": { "_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - "build": "npm run transpile && node build.mjs", + "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", "lint": "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - "test": "npm run transpile && ava src/ --serial --verbose", + "ava": "npm run transpile && ava --serial --verbose", + "test": "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", "transpile": "tsc --build --verbose" }, diff --git a/pr-checks/checks/all-platform-bundle.yml b/pr-checks/checks/all-platform-bundle.yml index 332f129308..3396be22a7 100644 --- a/pr-checks/checks/all-platform-bundle.yml +++ b/pr-checks/checks/all-platform-bundle.yml @@ -1,7 +1,7 @@ name: "All-platform bundle" description: "Tests using an all-platform CodeQL Bundle" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["nightly-latest"] -operatingSystems: ["ubuntu"] useAllPlatformBundle: "true" installGo: true steps: diff --git a/pr-checks/checks/autobuild-action.yml b/pr-checks/checks/autobuild-action.yml index ac67a81fef..91ae7834cc 100644 --- a/pr-checks/checks/autobuild-action.yml +++ b/pr-checks/checks/autobuild-action.yml @@ -1,5 +1,6 @@ name: "autobuild-action" description: "Tests that the C# autobuild action works" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["linked"] steps: - uses: ./../action/init 
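Review bot: The `build` script now begins with `./scripts/check-node-modules.sh`, which only works where npm's script shell can execute a bash script by relative path. On Windows with npm's default `cmd.exe` script shell, `npm run build` would likely fail before it reaches `npm run transpile`. If building on Windows is supported, calling the interpreter explicitly, `"build": "bash scripts/check-node-modules.sh && npm run transpile && node build.mjs"`, or documenting the bash requirement next to `_build_comment` would make the dependency visible.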
diff --git a/pr-checks/checks/autobuild-direct-tracing.yml b/pr-checks/checks/autobuild-direct-tracing.yml deleted file mode 100644 index 1e9d2d9002..0000000000 --- a/pr-checks/checks/autobuild-direct-tracing.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: "Autobuild direct tracing" -description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild', with direct tracing enabled" -operatingSystems: ["ubuntu", "windows"] -versions: ["linked", "nightly-latest"] -installJava: "true" -env: - CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true -steps: - - name: Set up Java test repo configuration - run: | - mv * .github ../action/tests/multi-language-repo/ - mv ../action/tests/multi-language-repo/.github/workflows .github - mv ../action/tests/java-repo/* . - - - uses: ./../action/init - id: init - with: - build-mode: autobuild - db-location: "${{ runner.temp }}/customDbLocation" - languages: java - tools: ${{ steps.prepare-test.outputs.tools-url }} - - - name: Check that indirect tracing is disabled - run: | - if [[ ! -z "${CODEQL_RUNNER}" ]]; then - echo "Expected indirect tracing to be disabled, but the" \ - "CODEQL_RUNNER environment variable is set." - exit 1 - fi - - - uses: ./../action/analyze diff --git a/pr-checks/checks/test-autobuild-working-dir.yml b/pr-checks/checks/autobuild-working-dir.yml similarity index 96% rename from pr-checks/checks/test-autobuild-working-dir.yml rename to pr-checks/checks/autobuild-working-dir.yml index eda3677f67..77c1f73c84 100644 --- a/pr-checks/checks/test-autobuild-working-dir.yml +++ b/pr-checks/checks/autobuild-working-dir.yml @@ -1,7 +1,6 @@ name: "Autobuild working directory" description: "Tests working-directory input of autobuild action" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - name: Test setup run: | diff --git a/pr-checks/checks/build-mode-autobuild.yml b/pr-checks/checks/build-mode-autobuild.yml index 7e840d15a2..26b8626f22 100644 
--- a/pr-checks/checks/build-mode-autobuild.yml +++ b/pr-checks/checks/build-mode-autobuild.yml @@ -1,7 +1,8 @@ name: "Build mode autobuild" description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'" -operatingSystems: ["ubuntu"] -versions: ["nightly-latest"] +operatingSystems: ["ubuntu", "windows"] +versions: ["linked", "nightly-latest"] +installJava: "true" steps: - name: Set up Java test repo configuration run: | @@ -17,6 +18,11 @@ steps: languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} + - name: Install yq + if: runner.os == 'Windows' + run: | + choco install yq -y + - name: Validate database build mode run: | metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml" @@ -26,4 +32,12 @@ steps: exit 1 fi + - name: Check that indirect tracing is disabled + run: | + if [[ ! -z "${CODEQL_RUNNER}" ]]; then + echo "Expected indirect tracing to be disabled, but the" \ + "CODEQL_RUNNER environment variable is set." + exit 1 + fi + - uses: ./../action/analyze diff --git a/pr-checks/checks/build-mode-manual.yml b/pr-checks/checks/build-mode-manual.yml index 64009c2eeb..f1815b7ff0 100644 --- a/pr-checks/checks/build-mode-manual.yml +++ b/pr-checks/checks/build-mode-manual.yml @@ -1,6 +1,5 @@ name: "Build mode manual" description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'" -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] installGo: true steps: diff --git a/pr-checks/checks/build-mode-none.yml b/pr-checks/checks/build-mode-none.yml index 4d23614a90..669ea7915e 100644 --- a/pr-checks/checks/build-mode-none.yml +++ b/pr-checks/checks/build-mode-none.yml @@ -1,6 +1,5 @@ name: "Build mode none" description: "An end-to-end integration test of a Java repository built using 'build-mode: none'" -operatingSystems: ["ubuntu"] versions: ["linked", "nightly-latest"] steps: - uses: ./../action/init 
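Review bot: The new `Install yq` step in the second hunk runs `choco install yq -y` without a version, so the Windows leg of this check installs whatever package version the feed serves at run time. Pinning it, for example `choco install yq --version <PINNED_VERSION> -y`, keeps the job reproducible and limits the chance of a changed upstream package reaching the runner unnoticed. The step that presumably consumes `yq` (`Validate database build mode`) is only partly visible in the next hunk, so that link is inferred.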
diff --git a/pr-checks/checks/build-mode-rollback.yml b/pr-checks/checks/build-mode-rollback.yml index 1d935314e2..49bcfdd1f0 100644 --- a/pr-checks/checks/build-mode-rollback.yml +++ b/pr-checks/checks/build-mode-rollback.yml @@ -1,6 +1,5 @@ name: "Build mode rollback" description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled." -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] env: CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true diff --git a/pr-checks/checks/cleanup-db-cluster-dir.yml b/pr-checks/checks/cleanup-db-cluster-dir.yml index 1c181a57e6..d2cacf47eb 100644 --- a/pr-checks/checks/cleanup-db-cluster-dir.yml +++ b/pr-checks/checks/cleanup-db-cluster-dir.yml @@ -1,6 +1,5 @@ name: "Clean up database cluster directory" description: "The database cluster directory is cleaned up if it is not empty." -operatingSystems: ["ubuntu"] versions: ["linked"] steps: - name: Add a file to the database cluster directory diff --git a/pr-checks/checks/config-input.yml b/pr-checks/checks/config-input.yml index 5807e85946..f139ff90e6 100644 --- a/pr-checks/checks/config-input.yml +++ b/pr-checks/checks/config-input.yml @@ -1,7 +1,6 @@ name: "Config input" description: "Tests specifying configuration using the config input" installNode: true -operatingSystems: ["ubuntu"] versions: ["linked"] steps: - name: Copy queries into workspace diff --git a/pr-checks/checks/cpp-deptrace-disabled.yml b/pr-checks/checks/cpp-deptrace-disabled.yml index 1073d0194a..5b6e82726a 100644 --- a/pr-checks/checks/cpp-deptrace-disabled.yml +++ b/pr-checks/checks/cpp-deptrace-disabled.yml @@ -1,6 +1,5 @@ name: "C/C++: disabling autoinstalling dependencies (Linux)" description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works" -operatingSystems: ["ubuntu"] versions: ["linked", "default", "nightly-latest"] env: DOTNET_GENERATE_ASPNET_CERTIFICATE: "false" 
diff --git a/pr-checks/checks/cpp-deptrace-enabled.yml b/pr-checks/checks/cpp-deptrace-enabled.yml index f92f29d212..e35910a756 100644 --- a/pr-checks/checks/cpp-deptrace-enabled.yml +++ b/pr-checks/checks/cpp-deptrace-enabled.yml @@ -1,6 +1,5 @@ name: "C/C++: autoinstalling dependencies (Linux)" description: "Checks that running C/C++ autobuild with autoinstalling dependencies works" -operatingSystems: ["ubuntu"] versions: ["linked", "default", "nightly-latest"] env: DOTNET_GENERATE_ASPNET_CERTIFICATE: "false" diff --git a/pr-checks/checks/export-file-baseline-information.yml b/pr-checks/checks/export-file-baseline-information.yml index 2eb0e6d525..f7698f885e 100644 --- a/pr-checks/checks/export-file-baseline-information.yml +++ b/pr-checks/checks/export-file-baseline-information.yml @@ -1,5 +1,6 @@ name: "Export file baseline information" description: "Tests that file baseline information is exported when the feature is enabled" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["nightly-latest"] installGo: true env: diff --git a/pr-checks/checks/extractor-ram-threads.yml b/pr-checks/checks/extractor-ram-threads.yml index 435c9f41e6..43638af180 100644 --- a/pr-checks/checks/extractor-ram-threads.yml +++ b/pr-checks/checks/extractor-ram-threads.yml @@ -1,7 +1,6 @@ name: "Extractor ram and threads options test" description: "Tests passing RAM and threads limits to extractors" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/test-proxy.yml b/pr-checks/checks/global-proxy.yml similarity index 97% rename from pr-checks/checks/test-proxy.yml rename to pr-checks/checks/global-proxy.yml index 39efb214e1..1d64125748 100644 --- a/pr-checks/checks/test-proxy.yml +++ b/pr-checks/checks/global-proxy.yml 
@@ -1,7 +1,6 @@ name: "Proxy test" description: "Tests using a proxy specified by the https_proxy environment variable" versions: ["linked", "nightly-latest"] -operatingSystems: ["ubuntu"] container: image: ubuntu:22.04 container-init-steps: diff --git a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml index 39ec0096ab..10acfeb439 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml @@ -1,7 +1,6 @@ name: "Go: diagnostic when Go is changed after init step" description: "Checks that we emit a diagnostic if Go is changed after the init step" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true diff --git a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml index 0078a2e450..c5083b6015 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml @@ -1,7 +1,6 @@ name: "Go: diagnostic when `file` is not installed" description: "Checks that we emit a diagnostic if the `file` program is not installed" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true diff --git a/pr-checks/checks/go-indirect-tracing-workaround.yml b/pr-checks/checks/go-indirect-tracing-workaround.yml index 5c6690128f..222b964c78 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround.yml 
@@ -1,7 +1,6 @@ name: "Go: workaround for indirect tracing" description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true diff --git a/pr-checks/checks/init-with-registries.yml b/pr-checks/checks/init-with-registries.yml index bc45d255aa..cedc62aab0 100644 --- a/pr-checks/checks/init-with-registries.yml +++ b/pr-checks/checks/init-with-registries.yml @@ -62,8 +62,6 @@ steps: fi - name: Verify contents of qlconfig.yml - # yq is not available on windows - if: runner.os != 'Windows' run: | QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")' diff --git a/pr-checks/checks/javascript-source-root.yml b/pr-checks/checks/javascript-source-root.yml index 9c933576e1..b06dc7bfa2 100644 --- a/pr-checks/checks/javascript-source-root.yml +++ b/pr-checks/checks/javascript-source-root.yml @@ -1,7 +1,6 @@ name: "Custom source root" description: "Checks that the argument specifying a non-default source root works" versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs -operatingSystems: ["ubuntu"] steps: - name: Move codeql-action run: | diff --git a/pr-checks/checks/job-run-uuid-sarif.yml b/pr-checks/checks/job-run-uuid-sarif.yml index 196e321780..9c0f843d40 100644 --- a/pr-checks/checks/job-run-uuid-sarif.yml +++ b/pr-checks/checks/job-run-uuid-sarif.yml @@ -1,6 +1,5 @@ name: "Job run UUID added to SARIF" description: "Tests that the job run UUID is added to the SARIF output" -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] steps: - uses: ./../action/init diff --git a/pr-checks/checks/language-aliases.yml b/pr-checks/checks/language-aliases.yml index 16f5f044f9..b0db1288a3 100644 
--- a/pr-checks/checks/language-aliases.yml +++ b/pr-checks/checks/language-aliases.yml @@ -1,7 +1,6 @@ name: "Language aliases" description: "Tests that language aliases are resolved correctly" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/test-local-codeql.yml b/pr-checks/checks/local-bundle.yml similarity index 95% rename from pr-checks/checks/test-local-codeql.yml rename to pr-checks/checks/local-bundle.yml index 1e41e5dd3d..c16c2bf503 100644 --- a/pr-checks/checks/test-local-codeql.yml +++ b/pr-checks/checks/local-bundle.yml @@ -1,7 +1,6 @@ name: "Local CodeQL bundle" description: "Tests using a CodeQL bundle from a local file rather than a URL" versions: ["linked"] -operatingSystems: ["ubuntu"] installGo: true steps: - name: Fetch latest CodeQL bundle diff --git a/pr-checks/checks/overlay-init-fallback.yml b/pr-checks/checks/overlay-init-fallback.yml index 44d19d79c3..bfcfd27e79 100644 --- a/pr-checks/checks/overlay-init-fallback.yml +++ b/pr-checks/checks/overlay-init-fallback.yml @@ -1,7 +1,6 @@ name: "Overlay database init fallback" description: "Tests that overlay init action succeeds with non-overlay packs" versions: ["linked", "nightly-latest"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/rubocop-multi-language.yml b/pr-checks/checks/rubocop-multi-language.yml index 2be248a5f2..27bcf070db 100644 --- a/pr-checks/checks/rubocop-multi-language.yml +++ b/pr-checks/checks/rubocop-multi-language.yml @@ -1,6 +1,5 @@ name: "RuboCop multi-language" description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF" -operatingSystems: ["ubuntu"] # This check doesn't use CodeQL, so the `version` matrix variable is unused. versions: ["default"] steps: diff --git a/pr-checks/checks/rust.yml b/pr-checks/checks/rust.yml index 67920538d7..c19fc986da 100644 
--- a/pr-checks/checks/rust.yml +++ b/pr-checks/checks/rust.yml @@ -8,7 +8,6 @@ versions: - linked - default - nightly-latest -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml index ba67db39f0..97332e4c94 100644 --- a/pr-checks/checks/submit-sarif-failure.yml +++ b/pr-checks/checks/submit-sarif-failure.yml @@ -1,7 +1,6 @@ name: Submit SARIF after failure description: Check that a SARIF file is submitted for the workflow run if it fails versions: ["linked", "default", "nightly-latest"] -operatingSystems: ["ubuntu"] env: # Internal-only environment variable used to indicate that the post-init Action diff --git a/pr-checks/sync.py b/pr-checks/sync.py index 550953980a..866a610304 100755 --- a/pr-checks/sync.py +++ b/pr-checks/sync.py @@ -29,12 +29,6 @@ "nightly-latest" ] -def is_os_and_version_excluded(os, version, exclude_params): - for exclude_param in exclude_params: - if exclude_param[0] == os and exclude_param[1] == version: - return True - return False - # When updating the ruamel.yaml version here, update the PR check in # `.github/workflows/pr-checks.yml` too. header = """# Warning: This file is generated automatically, and should not be modified. 
@@ -78,22 +72,17 @@ def writeHeader(checkStream): if 'inputs' in checkSpecification: workflowInputs = checkSpecification['inputs'] - excludedOsesAndVersions = checkSpecification.get('excludeOsAndVersionCombination', []) for version in checkSpecification.get('versions', defaultTestVersions): if version == "latest": raise ValueError('Did not recognize "version: latest". Did you mean "version: linked"?') runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"] - operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu", "macos", "windows"]) + operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu"]) for operatingSystem in operatingSystems: runnerImagesForOs = [image for image in runnerImages if image.startswith(operatingSystem)] for runnerImage in runnerImagesForOs: - # Skip appending this combination to the matrix if it is explicitly excluded. - if is_os_and_version_excluded(operatingSystem, version, excludedOsesAndVersions): - continue - matrix.append({ 'os': runnerImage, 'version': version diff --git a/scripts/check-node-modules.sh b/scripts/check-node-modules.sh new file mode 100755 index 0000000000..3fc2c74374 --- /dev/null +++ b/scripts/check-node-modules.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +set -e + +# Check if running in GitHub Actions +if [ "$GITHUB_ACTIONS" = "true" ]; then + echo "Running in a GitHub Actions workflow; not running 'npm install'" + exit 0 +fi + +# Check if npm install is likely needed before proceeding +if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then + echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated..." + npm install +else + echo "Skipping 'npm install' because 'node_modules/.package-lock.json' appears to be up-to-date." +fi diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index e147a31129..127bb1b930 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts 
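Review bot: With the `excludeOsAndVersionCombination` lookup removed here, a check specification that still sets that key is ignored without any message, and its matrix will include combinations the author meant to exclude. The loop already raises `ValueError` for `version: latest`, so a similar guard would fit: `if 'excludeOsAndVersionCombination' in checkSpecification: raise ValueError('excludeOsAndVersionCombination is no longer supported')`. The default for `operatingSystems` also changes to `["ubuntu"]`, so a one-line comment such as `# Checks run on Ubuntu only unless they list operatingSystems explicitly.` would warn authors that omitting the key drops macOS and Windows coverage. The enclosing loop starts and ends outside the hunk.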
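Review bot: The `npm install` branch in `scripts/check-node-modules.sh` can update `package-lock.json` when it is out of step with `package.json`, and it now runs implicitly from `npm run build`. `npm ci` installs exactly what the committed lockfile records and fails on a mismatch, which suits an install the developer did not explicitly ask for. Either command also runs dependency lifecycle scripts as a side effect of building, so a header comment would help, e.g. `# Invoked by 'npm run build'; may install dependencies and run their install scripts.`.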
@@ -298,31 +298,6 @@ export async function getCodeQLSource( }; } - /** - * Whether the tools shipped with the Action, i.e. those in `defaults.json`, have been forced. - * - * We use the special value of 'linked' to prioritize the version in `defaults.json` over the - * version specified by the feature flags on Dotcom and over any pinned cached version on - * Enterprise Server. - * - * Previously we have been using 'latest' to force the shipped tools, but this was not clear - * enough for the users, so it has been changed to `linked`. We're keeping around `latest` for - * backwards compatibility. - */ - const forceShippedTools = - toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.`, - ); - - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required.", - ); - } - } - /** CLI version number, for example 2.12.6. */ let cliVersion: string | undefined; /** Tag name of the CodeQL bundle, for example `codeql-bundle-20230120`. */ 
@@ -344,9 +319,33 @@ export async function getCodeQLSource( toolsInput = await getNightlyToolsUrl(logger); } + /** + * Whether the tools shipped with the Action, i.e. those in `defaults.json`, have been forced. + * + * We use the special value of 'linked' to prioritize the version in `defaults.json` over the + * version specified by the feature flags on Dotcom and over any pinned cached version on + * Enterprise Server. + * + * Previously we have been using 'latest' to force the shipped tools, but this was not clear + * enough for the users, so it has been changed to `linked`. We're keeping around `latest` for + * backwards compatibility. + */ + const forceShippedTools = + toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); + if (forceShippedTools) { cliVersion = defaults.cliVersion; tagName = defaults.bundleVersion; + + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion}, the version shipped with the Action.`, + ); + + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required.", + ); + } } else if (toolsInput !== undefined) { // If a tools URL was provided, then use that. tagName = tryGetTagNameFromUrl(toolsInput, logger); diff --git a/src/upload-sarif-action.ts b/src/upload-sarif-action.ts index aa1a5a4443..4da0427490 100644 --- a/src/upload-sarif-action.ts +++ b/src/upload-sarif-action.ts @@ -61,7 +61,12 @@ async function findAndUpload( sarifPath, analysis.sarifPredicate, ); - } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) { + } else if ( + pathStats.isFile() && + (analysis.sarifPredicate(sarifPath) || + (analysis.kind === analyses.AnalysisKind.CodeScanning && + !analyses.CodeQuality.sarifPredicate(sarifPath))) + ) { sarifFiles = [sarifPath]; } else { return undefined;
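Review bot: The fallback added to the `pathStats.isFile()` branch of `findAndUpload` in `src/upload-sarif-action.ts` has no comment, yet it changes which files are uploaded: a single file path is now accepted for Code Scanning whenever Code Quality does not claim it, even if `analysis.sarifPredicate` rejects it. A comment above the branch would record that intent, e.g. `// A file passed explicitly is uploaded to Code Scanning regardless of its name, unless it is a Code Quality file.`. The exclusion names `analyses.CodeQuality` directly, so a further analysis kind added later would need its predicate added here as well, or its files would also be treated as Code Scanning input; checking against all other known analyses would avoid that. `findAndUpload` starts and ends outside the hunk.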