Fix toolcache behavior when downloading bundle from another repo

lib/setup-codeql.js

@@ -491,10 +491,11 @@ async function downloadCodeQL(codeqlURL, maybeBundleVersion, maybeCliVersion, ap
         };
     }
     // Try to compute the CLI version for this bundle
-    const cliVersion = maybeCliVersion ||
+    if (maybeCliVersion === undefined &&
-        (variant === util.GitHubVariant.DOTCOM &&
+        variant === util.GitHubVariant.DOTCOM &&
-            (await tryFindCliVersionDotcomOnly(`codeql-bundle-${bundleVersion}`, logger))) ||
+        codeqlURL.includes(`/${exports.CODEQL_DEFAULT_ACTION_REPOSITORY}/`)) {
-        undefined;
+        maybeCliVersion = await tryFindCliVersionDotcomOnly(`codeql-bundle-${bundleVersion}`, logger);
+    }
     // Include both the CLI version and the bundle version in the toolcache version number. That way
     // if the user requests the same URL again, we can get it from the cache without having to call
     // any of the Releases API.
@@ -504,11 +505,11 @@ async function downloadCodeQL(codeqlURL, maybeBundleVersion, maybeCliVersion, ap
     // CLI release. In principle, it should be enough to just check that the CLI version isn't a
     // pre-release, but the version numbers of CodeQL nightlies have the format `x.y.z+<timestamp>`,
     // and we don't want these nightlies to override stable CLI versions in the toolcache.
-    const toolcacheVersion = cliVersion && cliVersion.match(/^[0-9]+\.[0-9]+\.[0-9]+$/)
+    const toolcacheVersion = maybeCliVersion?.match(/^[0-9]+\.[0-9]+\.[0-9]+$/)
-        ? `${cliVersion}-${bundleVersion}`
+        ? `${maybeCliVersion}-${bundleVersion}`
         : convertToSemVer(bundleVersion, logger);
     return {
-        toolsVersion: cliVersion || toolcacheVersion,
+        toolsVersion: maybeCliVersion ?? toolcacheVersion,
         codeqlFolder: await toolcache.cacheDir(codeqlExtracted, "CodeQL", toolcacheVersion),
         toolsDownloadDurationMs,
     };

src/setup-codeql.ts

@@ -663,14 +663,17 @@ export async function downloadCodeQL(
   }
 
   // Try to compute the CLI version for this bundle
-  const cliVersion: string | undefined =
+  if (
-    maybeCliVersion ||
+    maybeCliVersion === undefined &&
-    (variant === util.GitHubVariant.DOTCOM &&
+    variant === util.GitHubVariant.DOTCOM &&
-      (await tryFindCliVersionDotcomOnly(
+    codeqlURL.includes(`/${CODEQL_DEFAULT_ACTION_REPOSITORY}/`)
-        `codeql-bundle-${bundleVersion}`,
+  ) {
-        logger
+    maybeCliVersion = await tryFindCliVersionDotcomOnly(
-      ))) ||
+      `codeql-bundle-${bundleVersion}`,
-    undefined;
+      logger
+    );
+  }
+
   // Include both the CLI version and the bundle version in the toolcache version number. That way
   // if the user requests the same URL again, we can get it from the cache without having to call
   // any of the Releases API.
@@ -680,12 +683,11 @@ export async function downloadCodeQL(
   // CLI release. In principle, it should be enough to just check that the CLI version isn't a
   // pre-release, but the version numbers of CodeQL nightlies have the format `x.y.z+<timestamp>`,
   // and we don't want these nightlies to override stable CLI versions in the toolcache.
-  const toolcacheVersion =
+  const toolcacheVersion = maybeCliVersion?.match(/^[0-9]+\.[0-9]+\.[0-9]+$/)
-    cliVersion && cliVersion.match(/^[0-9]+\.[0-9]+\.[0-9]+$/)
+    ? `${maybeCliVersion}-${bundleVersion}`
-      ? `${cliVersion}-${bundleVersion}`
+    : convertToSemVer(bundleVersion, logger);
-      : convertToSemVer(bundleVersion, logger);
   return {
-    toolsVersion: cliVersion || toolcacheVersion,
+    toolsVersion: maybeCliVersion ?? toolcacheVersion,
     codeqlFolder: await toolcache.cacheDir(
       codeqlExtracted,
       "CodeQL",