Feature flag to disable python dependency installation

src/analyze.ts

@@ -87,6 +87,20 @@ async function setupPythonExtractor(logger: Logger) {
     return;
   }
 
+  // CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION is the internal environment
+  // variable used by the python extractor. This is set in init-action.ts only if the
+  // feature-flag is enabled.
+  if (
+    (process.env["CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION"] || "")
+      .length > 0
+  ) {
+    logger.warning(
+      "Library extraction is disabled now. Please remove your logic that sets the CODEQL_PYTHON environment variable." +
+        "\nIf you used CODEQL_PYTHON to force the version of Python to analyze as, please use CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION instead, such as CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=2.7 or CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.11."
+    );
+    return;
+  }
+
   const scriptsFolder = path.resolve(__dirname, "../python-setup");
 
   let output = "";

src/feature-flags.ts

@@ -43,6 +43,7 @@ export enum Feature {
   ExportDiagnosticsEnabled = "export_diagnostics_enabled",
   MlPoweredQueriesEnabled = "ml_powered_queries_enabled",
   UploadFailedSarifEnabled = "upload_failed_sarif_enabled",
+  DisablePythonDependencyInstallation = "disable_python_dependency_installation",
 }
 
 export const featureConfig: Record<
@@ -80,6 +81,16 @@ export const featureConfig: Record<
     minimumVersion: "2.11.3",
     defaultValue: true,
   },
+  [Feature.DisablePythonDependencyInstallation]: {
+    envVar: "CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION",
+    // Although the python extractor only started supporting not extracting installed
+    // dependencies in 2.13.1, the init-action can still benefit from not installing
+    // dependencies no matter what codeql version we are using, so therefore the
+    // minimumVersion is set to 'undefined'. This means that with an old CodeQL version,
+    // packages available with current python3 installation might get extracted.
+    minimumVersion: undefined,
+    defaultValue: false,
+  },
 };
 
 /**

src/init-action.ts

@@ -277,13 +277,22 @@ async function run() {
       config.languages.includes(Language.python) &&
       getRequiredInput("setup-python-dependencies") === "true"
     ) {
-      try {
-        await installPythonDeps(codeql, logger);
-      } catch (unwrappedError) {
-        const error = wrapError(unwrappedError);
-        logger.warning(
-          `${error.message} You can call this action with 'setup-python-dependencies: false' to disable this process`
-        );
+      if (
+        await features.getValue(
+          Feature.DisablePythonDependencyInstallation,
+          codeql
+        )
+      ) {
+        logger.info("Skipping python dependency installation");
+      } else {
+        try {
+          await installPythonDeps(codeql, logger);
+        } catch (unwrappedError) {
+          const error = wrapError(unwrappedError);
+          logger.warning(
+            `${error.message} You can call this action with 'setup-python-dependencies: false' to disable this process`
+          );
+        }
       }
     }
   } catch (unwrappedError) {
@@ -331,6 +340,19 @@ async function run() {
       core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
     }
 
+    // Disable Python dependency extraction if feature flag set
+    if (
+      await features.getValue(
+        Feature.DisablePythonDependencyInstallation,
+        codeql
+      )
+    ) {
+      core.exportVariable(
+        "CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION",
+        "true"
+      );
+    }
+
     const sourceRoot = path.resolve(
       getRequiredEnvParam("GITHUB_WORKSPACE"),
       getOptionalInput("source-root") || ""