Merge pull request #2031 from github/rasmuswl/no-dep-inst-default

Python: Don't install deps by default for all users
2024-01-05 11:18:05 +01:00 · 2024-01-05 11:18:05 +01:00 · 58ff74adc3
commit 58ff74adc3
parent 216127f34a 9926570d4c
10 changed files with 70 additions and 26 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,6 +6,7 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the

 ## [UNRELEASED]

+- We are rolling out a feature in January 2024 that will disable Python dependency installation by default for all users. This improves the speed of analysis while having only a very minor impact on results. You can override this behavior by setting `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION=false` in your workflow, however we plan to remove this ability in future versions of the CodeQL Action. [#2031](https://github.com/github/codeql-action/pull/2031)
 - The CodeQL Action now requires CodeQL version 2.11.6 or later. For more information, see [the corresponding changelog entry for CodeQL Action version 2.22.7](#2227---16-nov-2023). [#2009](https://github.com/github/codeql-action/pull/2009)

 ## 3.22.12 - 22 Dec 2023
--- a/lib/analyze.js
+++ b/lib/analyze.js
@ -56,7 +56,7 @@ async function setupPythonExtractor(logger, features, codeql) {
        // If CODEQL_PYTHON is not set, no dependencies were installed, so we don't need to do anything
        return;
    }
-    if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallationEnabled, codeql)) {
+    if (await (0, feature_flags_1.isPythonDependencyInstallationDisabled)(codeql, features)) {
        logger.warning("We recommend that you remove the CODEQL_PYTHON environment variable from your workflow. This environment variable was originally used to specify a Python executable that included the dependencies of your Python code, however Python analysis no longer uses these dependencies." +
            "\nIf you used CODEQL_PYTHON to force the version of Python to analyze as, please use CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION instead, such as 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=2.7' or 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.11'.");
        return;
--- a/lib/analyze.js.map
+++ b/lib/analyze.js.map
--- a/lib/feature-flags.js
+++ b/lib/feature-flags.js
@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.logCodeScanningConfigInCli = exports.useCodeScanningConfigInCli = exports.Features = exports.FEATURE_FLAGS_FILE_NAME = exports.featureConfig = exports.Feature = exports.CODEQL_VERSION_FINE_GRAINED_PARALLELISM = exports.CODEQL_VERSION_BUNDLE_SEMANTICALLY_VERSIONED = void 0;
+exports.isPythonDependencyInstallationDisabled = exports.logCodeScanningConfigInCli = exports.useCodeScanningConfigInCli = exports.Features = exports.FEATURE_FLAGS_FILE_NAME = exports.featureConfig = exports.Feature = exports.CODEQL_VERSION_FINE_GRAINED_PARALLELISM = exports.CODEQL_VERSION_BUNDLE_SEMANTICALLY_VERSIONED = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const semver = __importStar(require("semver"));
@ -53,6 +53,7 @@ var Feature;
    Feature["CppDependencyInstallation"] = "cpp_dependency_installation_enabled";
    Feature["DisableKotlinAnalysisEnabled"] = "disable_kotlin_analysis_enabled";
    Feature["DisablePythonDependencyInstallationEnabled"] = "disable_python_dependency_installation_enabled";
+    Feature["PythonDefaultIsToSkipDependencyInstallationEnabled"] = "python_default_is_to_skip_dependency_installation_enabled";
    Feature["EvaluatorFineGrainedParallelismEnabled"] = "evaluator_fine_grained_parallelism_enabled";
    Feature["ExportDiagnosticsEnabled"] = "export_diagnostics_enabled";
    Feature["QaTelemetryEnabled"] = "qa_telemetry_enabled";
@ -103,6 +104,15 @@ exports.featureConfig = {
        minimumVersion: undefined,
        defaultValue: false,
    },
+    [Feature.PythonDefaultIsToSkipDependencyInstallationEnabled]: {
+        // we can reuse the same environment variable as above. If someone has set it to
+        // `true` in their workflow this means dependencies are not installed, setting it to
+        // `false` means dependencies _will_ be installed. The same semantics are applied
+        // here!
+        envVar: "CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION",
+        minimumVersion: "2.16.0",
+        defaultValue: false,
+    },
 };
 exports.FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 /**
@ -349,4 +359,9 @@ async function logCodeScanningConfigInCli(codeql, features, logger) {
    }
 }
 exports.logCodeScanningConfigInCli = logCodeScanningConfigInCli;
+async function isPythonDependencyInstallationDisabled(codeql, features) {
+    return ((await features.getValue(Feature.DisablePythonDependencyInstallationEnabled, codeql)) ||
+        (await features.getValue(Feature.PythonDefaultIsToSkipDependencyInstallationEnabled, codeql)));
+}
+exports.isPythonDependencyInstallationDisabled = isPythonDependencyInstallationDisabled;
 //# sourceMappingURL=feature-flags.js.map
--- a/lib/feature-flags.js.map
+++ b/lib/feature-flags.js.map
--- a/lib/init-action.js
+++ b/lib/init-action.js
@ -146,7 +146,7 @@ async function run() {
        await (0, init_1.checkInstallPython311)(config.languages, codeql);
        if (config.languages.includes(languages_1.Language.python) &&
            (0, actions_util_1.getRequiredInput)("setup-python-dependencies") === "true") {
-            if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallationEnabled, codeql)) {
+            if (await (0, feature_flags_1.isPythonDependencyInstallationDisabled)(codeql, features)) {
                logger.info("Skipping python dependency installation");
            }
            else {
@ -246,9 +246,14 @@ async function run() {
            }
        }
        // Disable Python dependency extraction if feature flag set
-        if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallationEnabled, codeql)) {
+        if (await (0, feature_flags_1.isPythonDependencyInstallationDisabled)(codeql, features)) {
            core.exportVariable("CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION", "true");
        }
+        else {
+            // From 2.16.0 the default for the python extractor is to not perform any library
+            // extraction, so we need to set this flag to enable it.
+            core.exportVariable("CODEQL_EXTRACTOR_PYTHON_FORCE_ENABLE_LIBRARY_EXTRACTION_UNTIL_2_17_0", "true");
+        }
        const sourceRoot = path.resolve((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), (0, actions_util_1.getOptionalInput)("source-root") || "");
        const tracerConfig = await (0, init_1.runInit)(codeql, config, sourceRoot, "Runner.Worker.exe", registriesInput, features, apiDetails, logger);
        if (tracerConfig !== undefined) {
--- a/lib/init-action.js.map
+++ b/lib/init-action.js.map
--- a/src/analyze.ts
+++ b/src/analyze.ts
@ -18,6 +18,7 @@ import {
  Feature,
  logCodeScanningConfigInCli,
  useCodeScanningConfigInCli,
+  isPythonDependencyInstallationDisabled,
 } from "./feature-flags";
 import { isScannedLanguage, Language } from "./languages";
 import { Logger } from "./logging";
@ -104,12 +105,7 @@ async function setupPythonExtractor(
    return;
  }

-  if (
-    await features.getValue(
-      Feature.DisablePythonDependencyInstallationEnabled,
-      codeql,
-    )
-  ) {
+  if (await isPythonDependencyInstallationDisabled(codeql, features)) {
    logger.warning(
      "We recommend that you remove the CODEQL_PYTHON environment variable from your workflow. This environment variable was originally used to specify a Python executable that included the dependencies of your Python code, however Python analysis no longer uses these dependencies." +
        "\nIf you used CODEQL_PYTHON to force the version of Python to analyze as, please use CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION instead, such as 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=2.7' or 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.11'.",
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@ -49,6 +49,7 @@ export enum Feature {
  CppDependencyInstallation = "cpp_dependency_installation_enabled",
  DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
  DisablePythonDependencyInstallationEnabled = "disable_python_dependency_installation_enabled",
+  PythonDefaultIsToSkipDependencyInstallationEnabled = "python_default_is_to_skip_dependency_installation_enabled",
  EvaluatorFineGrainedParallelismEnabled = "evaluator_fine_grained_parallelism_enabled",
  ExportDiagnosticsEnabled = "export_diagnostics_enabled",
  QaTelemetryEnabled = "qa_telemetry_enabled",
@ -103,6 +104,15 @@ export const featureConfig: Record<
    minimumVersion: undefined,
    defaultValue: false,
  },
+  [Feature.PythonDefaultIsToSkipDependencyInstallationEnabled]: {
+    // we can reuse the same environment variable as above. If someone has set it to
+    // `true` in their workflow this means dependencies are not installed, setting it to
+    // `false` means dependencies _will_ be installed. The same semantics are applied
+    // here!
+    envVar: "CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION",
+    minimumVersion: "2.16.0",
+    defaultValue: false,
+  },
 };

 /**
@ -474,3 +484,19 @@ export async function logCodeScanningConfigInCli(
    );
  }
 }
+
+export async function isPythonDependencyInstallationDisabled(
+  codeql: CodeQL,
+  features: FeatureEnablement,
+): Promise<boolean> {
+  return (
+    (await features.getValue(
+      Feature.DisablePythonDependencyInstallationEnabled,
+      codeql,
+    )) ||
+    (await features.getValue(
+      Feature.PythonDefaultIsToSkipDependencyInstallationEnabled,
+      codeql,
+    ))
+  );
+}
--- a/src/init-action.ts
+++ b/src/init-action.ts
@ -16,7 +16,11 @@ import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
 import { EnvVar } from "./environment";
-import { Feature, Features } from "./feature-flags";
+import {
+  Feature,
+  Features,
+  isPythonDependencyInstallationDisabled,
+} from "./feature-flags";
 import {
  checkInstallPython311,
  initCodeQL,
@ -293,12 +297,7 @@ async function run() {
      config.languages.includes(Language.python) &&
      getRequiredInput("setup-python-dependencies") === "true"
    ) {
-      if (
-        await features.getValue(
-          Feature.DisablePythonDependencyInstallationEnabled,
-          codeql,
-        )
-      ) {
+      if (await isPythonDependencyInstallationDisabled(codeql, features)) {
        logger.info("Skipping python dependency installation");
      } else {
        try {
@ -446,16 +445,18 @@ async function run() {
    }

    // Disable Python dependency extraction if feature flag set
-    if (
-      await features.getValue(
-        Feature.DisablePythonDependencyInstallationEnabled,
-        codeql,
-      )
-    ) {
+    if (await isPythonDependencyInstallationDisabled(codeql, features)) {
      core.exportVariable(
        "CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION",
        "true",
      );
+    } else {
+      // From 2.16.0 the default for the python extractor is to not perform any library
+      // extraction, so we need to set this flag to enable it.
+      core.exportVariable(
+        "CODEQL_EXTRACTOR_PYTHON_FORCE_ENABLE_LIBRARY_EXTRACTION_UNTIL_2_17_0",
+        "true",
+      );
    }

    const sourceRoot = path.resolve(