Send the external repository token to the CLI

This commit does a few related things:

1. Bumps the minimum version for cli config parsing to 2.10.6
2. Ensures that if cli config parsing is enabled, then remove repos
   are _not_ downloaded by the action. It happens in the CLI.
3. Passes the `--external-repository-token-stdin` option to the CLI
   and passes the appropriate token via stdin if cli config parsing is
   enabled.

lib/codeql.js

@@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
+exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
@@ -72,7 +72,6 @@ const CODEQL_MINIMUM_VERSION = "2.6.3";
  */
 const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
 const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
-exports.CODEQL_VERSION_CONFIG_FILES = "2.10.1";
 const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
 exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
 const CODEQL_VERSION_FILE_BASELINE_INFORMATION = "2.11.3";
@@ -537,9 +536,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                     extraArgs.push("--no-internal-use-lua-tracing");
                 }
             }
+            // A config file is only generated if the CliConfigFileEnabled feature flag is enabled.
+            // Only pass external repository token if a config file is
+            let externalRepositoryToken;
             const configLocation = await generateCodeScanningConfig(codeql, config, featureEnablement);
             if (configLocation) {
                 extraArgs.push(`--codescanning-config=${configLocation}`);
+                externalRepositoryToken = (0, actions_util_1.getOptionalInput)("external-repository-token");
+                if (externalRepositoryToken) {
+                    extraArgs.push("--external-repository-token-stdin");
+                }
             }
             await runTool(cmd, [
                 "database",
@@ -549,7 +555,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 `--source-root=${sourceRoot}`,
                 ...extraArgs,
                 ...getExtraOptionsFromEnv(["database", "init"]),
-            ]);
+            ], externalRepositoryToken);
         },
         async runAutobuild(language) {
             const cmdName = process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh";
@@ -884,7 +890,7 @@ exports.getExtraOptions = getExtraOptions;
  *     status reports on GitHub.com.
  */
 const maxErrorSize = 20000;
-async function runTool(cmd, args = []) {
+async function runTool(cmd, args = [], stdin) {
     let output = "";
     let error = "";
     const exitCode = await new toolrunner.ToolRunner(cmd, args, {
@@ -903,6 +909,7 @@ async function runTool(cmd, args = []) {
             },
         },
         ignoreReturnCode: true,
+        input: Buffer.from(stdin || ""),
     }).exec();
     if (exitCode !== 0)
         throw new CommandInvocationError(cmd, args, exitCode, error, output);