Merge pull request #834 from github/update-v1.0.25-f44219c9

Merge main into v1

.github/workflows/__debug-artifacts.yml

@@ -41,6 +41,8 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
+    - name: Initialize dotnet
+      run: dotnet restore
     - uses: ./../action/init
       with:
         tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__go-custom-queries.yml

@@ -44,6 +44,8 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
+    - name: Initialize dotnet
+      run: dotnet restore
     - uses: actions/setup-go@v2
       with:
         go-version: ^1.13.1

.github/workflows/__multi-language-autodetect.yml

@@ -41,6 +41,8 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
+    - name: Initialize dotnet
+      run: dotnet restore
     - uses: ./../action/init
       with:
         db-location: ${{ runner.temp }}/customDbLocation

.github/workflows/__packaging-config-inputs-js.yml

@@ -35,6 +35,8 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
+    - name: Initialize dotnet
+      run: dotnet restore
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__packaging-config-js.yml

@@ -35,6 +35,8 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
+    - name: Initialize dotnet
+      run: dotnet restore
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging.yml

.github/workflows/__packaging-inputs-js.yml

@@ -35,6 +35,8 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
+    - name: Initialize dotnet
+      run: dotnet restore
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging2.yml

.github/workflows/__remote-config.yml

@@ -44,6 +44,8 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
+    - name: Initialize dotnet
+      run: dotnet restore
     - uses: ./../action/init
       with:
         tools: ${{ steps.prepare-test.outputs.tools-url }}

.github/workflows/__split-workflow.yml

@@ -35,6 +35,8 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
+    - name: Initialize dotnet
+      run: dotnet restore
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging3.yml

.github/workflows/__test-local-codeql.yml

@@ -35,6 +35,8 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
+    - name: Initialize dotnet
+      run: dotnet restore
     - name: Fetch a CodeQL bundle
       shell: bash
       env:

.github/workflows/__unset-environment.yml

@@ -41,6 +41,8 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
+    - name: Initialize dotnet
+      run: dotnet restore
     - uses: ./../action/init
       with:
         db-location: ${{ runner.temp }}/customDbLocation

.github/workflows/pr-checks.yml

@@ -163,6 +163,9 @@ jobs:
           cd ../action/runner
           npm install
           npm run build-runner
+      
+      - name: Initialize dotnet
+        run: dotnet restore
 
       - name: Run init
         run: |
@@ -200,6 +203,9 @@ jobs:
           cd ../action/runner
           npm install
           npm run build-runner
+      
+      - name: Initialize dotnet
+        run: dotnet restore
 
       - name: Run init
         run: |
@@ -246,6 +252,9 @@ jobs:
           npm install
           npm run build-runner
 
+      - name: Initialize dotnet
+        run: dotnet restore
+
       - name: Run init
         run: |
           ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}

CHANGELOG.md

@@ -1,5 +1,9 @@
 # CodeQL Action and CodeQL Runner Changelog
 
+## 1.0.25 - 06 Dec 2021
+
+No user facing changes.
+
 ## 1.0.24 - 23 Nov 2021
 
 - Update default CodeQL bundle version to 2.7.2. [#827](https://github.com/github/codeql-action/pull/827)

lib/database-upload.js

@@ -42,11 +42,13 @@ async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
         return;
     }
     const client = (0, api_client_1.getApiClient)(apiDetails);
+    let useUploadDomain;
     try {
-        await client.request("GET /repos/:owner/:repo/code-scanning/codeql/databases", {
+        const response = await client.request("GET /repos/:owner/:repo/code-scanning/codeql/databases", {
             owner: repositoryNwo.owner,
             repo: repositoryNwo.repo,
         });
+        useUploadDomain = response.data["uploads_domain_enabled"];
     }
     catch (e) {
         if (util.isHTTPError(e) && e.status === 404) {
@@ -60,15 +62,32 @@ async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
     }
     const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
     for (const language of config.languages) {
-        // Upload the database bundle
+        // Upload the database bundle.
+        // Although we are uploading arbitrary file contents to the API, it's worth
+        // noting that it's the API's job to validate that the contents is acceptable.
+        // This API method is available to anyone with write access to the repo.
         const payload = fs.readFileSync(await (0, util_1.bundleDb)(config, language, codeql));
         try {
-            await client.request(`PUT /repos/:owner/:repo/code-scanning/codeql/databases/:language`, {
-                owner: repositoryNwo.owner,
-                repo: repositoryNwo.repo,
-                language,
-                data: payload,
-            });
+            if (useUploadDomain) {
+                await client.request(`POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name`, {
+                    owner: repositoryNwo.owner,
+                    repo: repositoryNwo.repo,
+                    language,
+                    name: `${language}-database`,
+                    data: payload,
+                    headers: {
+                        authorization: `token ${apiDetails.auth}`,
+                    },
+                });
+            }
+            else {
+                await client.request(`PUT /repos/:owner/:repo/code-scanning/codeql/databases/:language`, {
+                    owner: repositoryNwo.owner,
+                    repo: repositoryNwo.repo,
+                    language,
+                    data: payload,
+                });
+            }
             logger.debug(`Successfully uploaded database for ${language}`);
         }
         catch (e) {

lib/database-upload.js.map

@@ -1 +1 @@
-{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE;QAC9D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;KACR;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;QAC3D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;KACR;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE;QACnD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;KACR;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,EAAC,UAAU,CAAC,CAAC;IACxC,IAAI;QACF,MAAM,MAAM,CAAC,OAAO,CAClB,wDAAwD,EACxD;YACE,KAAK,EAAE,aAAa,CAAC,KAAK;YAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;SACzB,CACF,CAAC;KACH;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3C,MAAM,CAAC,KAAK,CACV,kEAAkE,CACnE,CAAC;SACH;aAAM;YACL,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,EAAE,CAAC,CAAC;SACpE;QACD,OAAO;KACR;IAED,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,6BAA6B;QAC7B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QAC1E,IAAI;YACF,MAAM,MAAM,CAAC,OAAO,CAClB,kEAAkE,EAClE;gBACE,KAAK,EAAE,aAAa,CAAC,KAAK;gBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;gBACxB,QAAQ;gBACR,IAAI,EAAE,OAAO;aACd,CACF,CAAC;YACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;SAChE;QAAC,OAAO,CAAC,EAAE;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;SACnE;KACF;AACH,CAAC;AAjED,0CAiEC"}
+{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE;QAC9D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;KACR;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;QAC3D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;KACR;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE;QACnD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;KACR;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,EAAC,UAAU,CAAC,CAAC;IACxC,IAAI,eAAwB,CAAC;IAC7B,IAAI;QACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CACnC,wDAAwD,EACxD;YACE,KAAK,EAAE,aAAa,CAAC,KAAK;YAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;SACzB,CACF,CAAC;QACF,eAAe,GAAG,QAAQ,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;KAC3D;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3C,MAAM,CAAC,KAAK,CACV,kEAAkE,CACnE,CAAC;SACH;aAAM;YACL,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,EAAE,CAAC,CAAC;SACpE;QACD,OAAO;KACR;IAED,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,8BAA8B;QAC9B,2EAA2E;QAC3E,8EAA8E;QAC9E,wEAAwE;QACxE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QAC1E,IAAI;YACF,IAAI,eAAe,EAAE;gBACnB,MAAM,MAAM,CAAC,OAAO,CAClB,wGAAwG,EACxG;oBACE,KAAK,EAAE,aAAa,CAAC,KAAK;oBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,QAAQ;oBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;oBAC5B,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;qBAC1C;iBACF,CACF,CAAC;aACH;iBAAM;gBACL,MAAM,MAAM,CAAC,OAAO,CAClB,kEAAkE,EAClE;oBACE,KAAK,EAAE,aAAa,CAAC,KAAK;oBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,QAAQ;oBACR,IAAI,EAAE,OAAO;iBACd,CACF,CAAC;aACH;YACD,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;SAChE;QAAC,OAAO,CAAC,EAAE;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;SACnE;KACF;AACH,CAAC;AAtFD,0CAsFC"}

lib/database-upload.test.js

@@ -81,19 +81,29 @@ function getRecordingLogger(messages) {
         endGroup: () => undefined,
     };
 }
-function mockHttpRequests(optInStatusCode, databaseUploadStatusCode) {
+function mockHttpRequests(optInStatusCode, useUploadDomain, databaseUploadStatusCode) {
     // Passing an auth token is required, so we just use a dummy value
     const client = github.getOctokit("123");
     const requestSpy = sinon.stub(client, "request");
     const optInSpy = requestSpy.withArgs("GET /repos/:owner/:repo/code-scanning/codeql/databases");
     if (optInStatusCode < 300) {
-        optInSpy.resolves(undefined);
+        optInSpy.resolves({
+            status: optInStatusCode,
+            data: {
+                useUploadDomain,
+            },
+            headers: {},
+            url: "GET /repos/:owner/:repo/code-scanning/codeql/databases",
+        });
     }
     else {
         optInSpy.throws(new util_1.HTTPError("some error message", optInStatusCode));
     }
     if (databaseUploadStatusCode !== undefined) {
-        const databaseUploadSpy = requestSpy.withArgs("PUT /repos/:owner/:repo/code-scanning/codeql/databases/:language");
+        const url = useUploadDomain
+            ? "POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name"
+            : "PUT /repos/:owner/:repo/code-scanning/codeql/databases/:language";
+        const databaseUploadSpy = requestSpy.withArgs(url);
         if (databaseUploadStatusCode < 300) {
             databaseUploadSpy.resolves(undefined);
         }
@@ -213,7 +223,7 @@ function mockHttpRequests(optInStatusCode, databaseUploadStatusCode) {
             .withArgs("upload-database")
             .returns("true");
         sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
-        mockHttpRequests(204, 500);
+        mockHttpRequests(200, false, 500);
         (0, codeql_1.setCodeQL)({
             async databaseBundle(_, outputFilePath) {
                 fs.writeFileSync(outputFilePath, "");
@@ -226,7 +236,7 @@ function mockHttpRequests(optInStatusCode, databaseUploadStatusCode) {
                 "Failed to upload database for javascript: Error: some error message") !== undefined);
     });
 });
-(0, ava_1.default)("Successfully uploading a database", async (t) => {
+(0, ava_1.default)("Successfully uploading a database to api.github.com", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
         (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
         sinon
@@ -234,7 +244,27 @@ function mockHttpRequests(optInStatusCode, databaseUploadStatusCode) {
             .withArgs("upload-database")
             .returns("true");
         sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
-        mockHttpRequests(204, 201);
+        mockHttpRequests(200, false, 201);
+        (0, codeql_1.setCodeQL)({
+            async databaseBundle(_, outputFilePath) {
+                fs.writeFileSync(outputFilePath, "");
+            },
+        });
+        const loggedMessages = [];
+        await (0, database_upload_1.uploadDatabases)(testRepoName, getTestConfig(tmpDir), testApiDetails, getRecordingLogger(loggedMessages));
+        t.assert(loggedMessages.find((v) => v.type === "debug" &&
+            v.message === "Successfully uploaded database for javascript") !== undefined);
+    });
+});
+(0, ava_1.default)("Successfully uploading a database to uploads.github.com", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        sinon
+            .stub(actionsUtil, "getRequiredInput")
+            .withArgs("upload-database")
+            .returns("true");
+        sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
+        mockHttpRequests(200, true, 201);
         (0, codeql_1.setCodeQL)({
             async databaseBundle(_, outputFilePath) {
                 fs.writeFileSync(outputFilePath, "");

lib/util.js

@@ -486,9 +486,15 @@ exports.codeQlVersionAbove = codeQlVersionAbove;
 async function bundleDb(config, language, codeql) {
     const databasePath = getCodeQLDatabasePath(config, language);
     const databaseBundlePath = path.resolve(config.dbLocation, `${databasePath}.zip`);
-    if (!fs.existsSync(databaseBundlePath)) {
-        await codeql.databaseBundle(databasePath, databaseBundlePath);
+    // For a tiny bit of added safety, delete the file if it exists.
+    // The file is probably from an earlier call to this function, either
+    // as part of this action step or a previous one, but it could also be
+    // from somewhere else or someone trying to make the action upload a
+    // non-database file.
+    if (fs.existsSync(databaseBundlePath)) {
+        fs.rmSync(databaseBundlePath, { recursive: true });
     }
+    await codeql.databaseBundle(databasePath, databaseBundlePath);
     return databaseBundlePath;
 }
 exports.bundleDb = bundleDb;

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "1.0.24",
+  "version": "1.0.25",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "1.0.24",
+  "version": "1.0.25",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "1.0.24",
+      "version": "1.0.25",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^0.5.2",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "1.0.24",
+  "version": "1.0.25",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/debug-artifacts.yml

@@ -2,6 +2,8 @@ name: "Debug artifact upload"
 description: "Checks that debugging artifacts are correctly uploaded"
 os: ["ubuntu-latest", "macos-latest"]
 steps:
+  - name: Initialize dotnet
+    run: dotnet restore
   - uses: ./../action/init
     with:
       tools: ${{ steps.prepare-test.outputs.tools-url }}

pr-checks/checks/go-custom-queries.yml

@@ -1,6 +1,8 @@
 name: "Go: Custom queries"
 description: "Checks that Go works in conjunction with a config file specifying custom queries"
 steps:
+  - name: Initialize dotnet
+    run: dotnet restore
   - uses: actions/setup-go@v2
     with:
       go-version: "^1.13.1"

pr-checks/checks/multi-language-autodetect.yml

@@ -2,6 +2,8 @@ name: "Multi-language repository"
 description: "An end-to-end integration test of a multi-language repository using automatic language detection"
 os: ["ubuntu-latest", "macos-latest"]
 steps:
+  - name: Initialize dotnet
+    run: dotnet restore
   - uses: ./../action/init
     with:
       db-location: "${{ runner.temp }}/customDbLocation"

pr-checks/checks/packaging-config-inputs-js.yml

@@ -3,6 +3,8 @@ description: "Checks that specifying packages using a combination of a config fi
 versions: ["nightly-20210831"] # This CLI version is known to work with package used in this test
 os: ["ubuntu-latest", "macos-latest"]
 steps:
+  - name: Initialize dotnet
+    run: dotnet restore
   - uses: ./../action/init
     with:
       config-file: ".github/codeql/codeql-config-packaging3.yml"

pr-checks/checks/packaging-config-js.yml

@@ -3,6 +3,8 @@ description: "Checks that specifying packages using only a config file works"
 versions: ["nightly-20210831"] # This CLI version is known to work with package used in this test
 os: ["ubuntu-latest", "macos-latest"]
 steps:
+  - name: Initialize dotnet
+    run: dotnet restore
   - uses: ./../action/init
     with:
       config-file: ".github/codeql/codeql-config-packaging.yml"

pr-checks/checks/packaging-inputs-js.yml

@@ -3,6 +3,8 @@ description: "Checks that specifying packages using the input to the Action work
 versions: ["nightly-20210831"] # This CLI version is known to work with package used in this test
 os: ["ubuntu-latest", "macos-latest"]
 steps:
+  - name: Initialize dotnet
+    run: dotnet restore
   - uses: ./../action/init
     with:
       config-file: ".github/codeql/codeql-config-packaging2.yml"

pr-checks/checks/remote-config.yml

@@ -1,6 +1,8 @@
 name: "Remote config file"
 description: "Checks that specifying packages using only a config file works"
 steps:
+  - name: Initialize dotnet
+    run: dotnet restore
   - uses: ./../action/init
     with:
       tools: ${{ steps.prepare-test.outputs.tools-url }}

pr-checks/checks/split-workflow.yml

@@ -3,6 +3,8 @@ description: "Tests a split-up workflow in which we first build a database and l
 versions: ["nightly-20210831"] # This CLI version is known to work with package used in this test
 os: ["ubuntu-latest", "macos-latest"]
 steps:
+  - name: Initialize dotnet
+    run: dotnet restore
   - uses: ./../action/init
     with:
       config-file: ".github/codeql/codeql-config-packaging3.yml"

pr-checks/checks/test-local-codeql.yml

@@ -3,6 +3,8 @@ description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["nightly-latest"]
 os: ["ubuntu-latest"]
 steps:
+  - name: Initialize dotnet
+    run: dotnet restore
   - name: Fetch a CodeQL bundle
     shell: bash
     env:

pr-checks/checks/unset-environment.yml

@@ -2,6 +2,8 @@ name: "Test unsetting environment variables"
 description: "An end-to-end integration test that unsets some environment variables"
 os: ["ubuntu-latest"]
 steps:
+  - name: Initialize dotnet
+    run: dotnet restore
   - uses: ./../action/init
     with:
       db-location: "${{ runner.temp }}/customDbLocation"

runner/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-runner",
-  "version": "1.0.24",
+  "version": "1.0.25",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {

runner/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-runner",
-  "version": "1.0.24",
+  "version": "1.0.25",
   "private": true,
   "description": "CodeQL runner",
   "scripts": {

src/database-upload.test.ts

@@ -82,6 +82,7 @@ function getRecordingLogger(messages: LoggedMessage[]): Logger {
 
 function mockHttpRequests(
   optInStatusCode: number,
+  useUploadDomain?: boolean,
   databaseUploadStatusCode?: number
 ) {
   // Passing an auth token is required, so we just use a dummy value
@@ -93,15 +94,23 @@ function mockHttpRequests(
     "GET /repos/:owner/:repo/code-scanning/codeql/databases"
   );
   if (optInStatusCode < 300) {
-    optInSpy.resolves(undefined);
+    optInSpy.resolves({
+      status: optInStatusCode,
+      data: {
+        useUploadDomain,
+      },
+      headers: {},
+      url: "GET /repos/:owner/:repo/code-scanning/codeql/databases",
+    });
   } else {
     optInSpy.throws(new HTTPError("some error message", optInStatusCode));
   }
 
   if (databaseUploadStatusCode !== undefined) {
-    const databaseUploadSpy = requestSpy.withArgs(
-      "PUT /repos/:owner/:repo/code-scanning/codeql/databases/:language"
-    );
+    const url = useUploadDomain
+      ? "POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name"
+      : "PUT /repos/:owner/:repo/code-scanning/codeql/databases/:language";
+    const databaseUploadSpy = requestSpy.withArgs(url);
     if (databaseUploadStatusCode < 300) {
       databaseUploadSpy.resolves(undefined);
     } else {
@@ -303,7 +312,7 @@ test("Don't crash if uploading a database fails", async (t) => {
       .returns("true");
     sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
 
-    mockHttpRequests(204, 500);
+    mockHttpRequests(200, false, 500);
 
     setCodeQL({
       async databaseBundle(_: string, outputFilePath: string) {
@@ -329,7 +338,7 @@ test("Don't crash if uploading a database fails", async (t) => {
   });
 });
 
-test("Successfully uploading a database", async (t) => {
+test("Successfully uploading a database to api.github.com", async (t) => {
   await withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
     sinon
@@ -338,7 +347,41 @@ test("Successfully uploading a database", async (t) => {
       .returns("true");
     sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
 
-    mockHttpRequests(204, 201);
+    mockHttpRequests(200, false, 201);
+
+    setCodeQL({
+      async databaseBundle(_: string, outputFilePath: string) {
+        fs.writeFileSync(outputFilePath, "");
+      },
+    });
+
+    const loggedMessages = [] as LoggedMessage[];
+    await uploadDatabases(
+      testRepoName,
+      getTestConfig(tmpDir),
+      testApiDetails,
+      getRecordingLogger(loggedMessages)
+    );
+    t.assert(
+      loggedMessages.find(
+        (v) =>
+          v.type === "debug" &&
+          v.message === "Successfully uploaded database for javascript"
+      ) !== undefined
+    );
+  });
+});
+
+test("Successfully uploading a database to uploads.github.com", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    sinon
+      .stub(actionsUtil, "getRequiredInput")
+      .withArgs("upload-database")
+      .returns("true");
+    sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
+
+    mockHttpRequests(200, true, 201);
 
     setCodeQL({
       async databaseBundle(_: string, outputFilePath: string) {

src/database-upload.ts

@@ -33,14 +33,16 @@ export async function uploadDatabases(
   }
 
   const client = getApiClient(apiDetails);
+  let useUploadDomain: boolean;
   try {
-    await client.request(
+    const response = await client.request(
       "GET /repos/:owner/:repo/code-scanning/codeql/databases",
       {
         owner: repositoryNwo.owner,
         repo: repositoryNwo.repo,
       }
     );
+    useUploadDomain = response.data["uploads_domain_enabled"];
   } catch (e) {
     if (util.isHTTPError(e) && e.status === 404) {
       logger.debug(
@@ -55,18 +57,37 @@ export async function uploadDatabases(
 
   const codeql = await getCodeQL(config.codeQLCmd);
   for (const language of config.languages) {
-    // Upload the database bundle
+    // Upload the database bundle.
+    // Although we are uploading arbitrary file contents to the API, it's worth
+    // noting that it's the API's job to validate that the contents is acceptable.
+    // This API method is available to anyone with write access to the repo.
     const payload = fs.readFileSync(await bundleDb(config, language, codeql));
     try {
-      await client.request(
-        `PUT /repos/:owner/:repo/code-scanning/codeql/databases/:language`,
-        {
-          owner: repositoryNwo.owner,
-          repo: repositoryNwo.repo,
-          language,
-          data: payload,
-        }
-      );
+      if (useUploadDomain) {
+        await client.request(
+          `POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name`,
+          {
+            owner: repositoryNwo.owner,
+            repo: repositoryNwo.repo,
+            language,
+            name: `${language}-database`,
+            data: payload,
+            headers: {
+              authorization: `token ${apiDetails.auth}`,
+            },
+          }
+        );
+      } else {
+        await client.request(
+          `PUT /repos/:owner/:repo/code-scanning/codeql/databases/:language`,
+          {
+            owner: repositoryNwo.owner,
+            repo: repositoryNwo.repo,
+            language,
+            data: payload,
+          }
+        );
+      }
       logger.debug(`Successfully uploaded database for ${language}`);
     } catch (e) {
       console.log(e);

src/util.ts

@@ -559,9 +559,15 @@ export async function bundleDb(
     config.dbLocation,
     `${databasePath}.zip`
   );
-  if (!fs.existsSync(databaseBundlePath)) {
-    await codeql.databaseBundle(databasePath, databaseBundlePath);
+  // For a tiny bit of added safety, delete the file if it exists.
+  // The file is probably from an earlier call to this function, either
+  // as part of this action step or a previous one, but it could also be
+  // from somewhere else or someone trying to make the action upload a
+  // non-database file.
+  if (fs.existsSync(databaseBundlePath)) {
+    fs.rmSync(databaseBundlePath, { recursive: true });
   }
+  await codeql.databaseBundle(databasePath, databaseBundlePath);
   return databaseBundlePath;
 }