robojerk/codeql-action

Merge branch 'main' into aeisenberg/timeout-45-min

Browse source
This commit is contained in:
Henry Mercer 2022-03-21 15:37:09 +00:00 committed by GitHub
commit 5d72058994
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
37 changed files with 314 additions and 65 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/check-expected-release-files.yml vendored
View file

@ -20,6 +20,6 @@ jobs:
run: | run: |
bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")" bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
set -x set -x
for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz" "codeql-runner-linux" "codeql-runner-macos" "codeql-runner-win.exe"; do for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz"; do
curl --location --fail --head --request GET "https://github.com/github/codeql-action/releases/download/$bundle_version/$expected_file" > /dev/null curl --location --fail --head --request GET "https://github.com/github/codeql-action/releases/download/$bundle_version/$expected_file" > /dev/null
done done

1
.github/workflows/update-supported-enterprise-server-versions.yml vendored
View file

@ -6,6 +6,7 @@ on:
jobs: jobs:
update-supported-enterprise-server-versions: update-supported-enterprise-server-versions:
name: Update Supported Enterprise Server Versions
timeout-minutes: 45 timeout-minutes: 45
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: ${{ github.repository == 'github/codeql-action' }} if: ${{ github.repository == 'github/codeql-action' }}

10
CHANGELOG.md
View file

@ -1,9 +1,17 @@
# CodeQL Action and CodeQL Runner Changelog # CodeQL Action Changelog
## [UNRELEASED] ## [UNRELEASED]
No user facing changes. No user facing changes.
## 1.1.5 - 15 Mar 2022
- Update default CodeQL bundle version to 2.8.3.
- The CodeQL runner is now deprecated and no longer being released. For more information, see [CodeQL runner deprecation](https://github.blog/changelog/2021-09-21-codeql-runner-deprecation/).
- Fix two bugs that cause action failures with GHES 3.3 or earlier. [#978](https://github.com/github/codeql-action/pull/978)
- Fix `not a permitted key` invalid requests with GHES 3.1 or earlier
- Fix `RUNNER_ARCH environment variable must be set` errors with GHES 3.3 or earlier
## 1.1.4 - 07 Mar 2022 ## 1.1.4 - 07 Mar 2022
- Update default CodeQL bundle version to 2.8.2. [#950](https://github.com/github/codeql-action/pull/950) - Update default CodeQL bundle version to 2.8.2. [#950](https://github.com/github/codeql-action/pull/950)

21
CONTRIBUTING.md
View file

@ -63,7 +63,7 @@ Here are a few things you can do that will increase the likelihood of your pull
1. The first step of releasing a new version of the `codeql-action` is running the "Update release branch" workflow. 1. The first step of releasing a new version of the `codeql-action` is running the "Update release branch" workflow.
This workflow goes through the pull requests that have been merged to `main` since the last release, creates a changelog, then opens a pull request to merge the changes since the last release into the `v1` release branch. This workflow goes through the pull requests that have been merged to `main` since the last release, creates a changelog, then opens a pull request to merge the changes since the last release into the `v1` release branch.
A release is automatically started every Monday via a scheduled run of this workflow, however you can start a release manually by triggering a run via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml). A release is automatically started every Monday via a scheduled run of this workflow, however you can start a release manually by triggering a run via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml).
1. The workflow run will open a pull request titled "Merge main into v1". Mark the pull request as [ready for review](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review) to trigger the PR checks. 1. The workflow run will open a pull request titled "Merge main into v1". Mark the pull request as [ready for review](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review) to trigger the PR checks.
1. Review the checklist items in the pull request description. 1. Review the checklist items in the pull request description.
Once you've checked off all but the last of these, approve the PR and automerge it. Once you've checked off all but the last of these, approve the PR and automerge it.
@ -72,6 +72,25 @@ Here are a few things you can do that will increase the likelihood of your pull
Approve the mergeback PR and automerge it. Once the mergeback has been merged into main, the release is complete. Approve the mergeback PR and automerge it. Once the mergeback has been merged into main, the release is complete.
## Keeping the PR checks up to date (admin access required)
Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred jobs that need to pass in order for a PR to turn green. Managing these PR checks manually is time consuming and complex. Here is a semi-automated approach.
To regenerate the PR jobs for the action:
1. From a terminal, run the following commands (replace `SHA` with the sha of the commit whose checks you want to use, typically this should be the latest from `main`):
```sh
SHA= ####
CHECKS="$(gh api repos/github/codeql-action/commits/${SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or . == "Update dependencies" or . == "Update Supported Enterprise Server Versions" | not)]')"
echo "{\"contexts\": ${CHECKS}}" > checks.json
gh api -X "PATCH" repos/github/codeql-action/branches/main/protection/required_status_checks --input checks.json
gh api -X "PATCH" repos/github/codeql-action/branches/v1/protection/required_status_checks --input checks.json
````
2. Go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules have been updated.
## Resources ## Resources
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/) - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)

23
lib/actions-util.js generated
View file

@ -30,6 +30,8 @@ const yaml = __importStar(require("js-yaml"));
const api = __importStar(require("./api-client")); const api = __importStar(require("./api-client"));
const sharedEnv = __importStar(require("./shared-environment")); const sharedEnv = __importStar(require("./shared-environment"));
const util_1 = require("./util"); const util_1 = require("./util");
// eslint-disable-next-line import/no-commonjs
const pkg = require("../package.json");
/** /**
* The utils in this module are meant to be run inside of the action only. * The utils in this module are meant to be run inside of the action only.
* Code paths from the runner should not enter this module. * Code paths from the runner should not enter this module.
@ -500,7 +502,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
core.exportVariable(sharedEnv.CODEQL_WORKFLOW_STARTED_AT, workflowStartedAt); core.exportVariable(sharedEnv.CODEQL_WORKFLOW_STARTED_AT, workflowStartedAt);
} }
const runnerOs = (0, util_1.getRequiredEnvParam)("RUNNER_OS"); const runnerOs = (0, util_1.getRequiredEnvParam)("RUNNER_OS");
const runnerArch = (0, util_1.getRequiredEnvParam)("RUNNER_ARCH"); const codeQlCliVersion = (0, util_1.getCachedCodeQlVersion)();
// If running locally then the GITHUB_ACTION_REF cannot be trusted as it may be for the previous action // If running locally then the GITHUB_ACTION_REF cannot be trusted as it may be for the previous action
// See https://github.com/actions/runner/issues/803 // See https://github.com/actions/runner/issues/803
const actionRef = isRunningLocalAction() const actionRef = isRunningLocalAction()
@ -520,7 +522,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
action_started_at: actionStartedAt.toISOString(), action_started_at: actionStartedAt.toISOString(),
status, status,
runner_os: runnerOs, runner_os: runnerOs,
runner_arch: runnerArch, action_version: pkg.version,
}; };
// Add optional parameters // Add optional parameters
if (cause) { if (cause) {
@ -539,9 +541,17 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
if (matrix) { if (matrix) {
statusReport.matrix_vars = matrix; statusReport.matrix_vars = matrix;
} }
if ("RUNNER_ARCH" in process.env) {
// RUNNER_ARCH is available only in GHES 3.4 and later
// Values other than X86, X64, ARM, or ARM64 are discarded server side
statusReport.runner_arch = process.env["RUNNER_ARCH"];
}
if (runnerOs === "Windows" || runnerOs === "macOS") { if (runnerOs === "Windows" || runnerOs === "macOS") {
statusReport.runner_os_release = os.release(); statusReport.runner_os_release = os.release();
} }
if (codeQlCliVersion !== undefined) {
statusReport.codeql_cli_version = codeQlCliVersion;
}
return statusReport; return statusReport;
} }
exports.createStatusReportBase = createStatusReportBase; exports.createStatusReportBase = createStatusReportBase;
@ -559,6 +569,13 @@ const INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code sc
* Returns whether sending the status report was successful of not. * Returns whether sending the status report was successful of not.
*/ */
async function sendStatusReport(statusReport) { async function sendStatusReport(statusReport) {
const gitHubVersion = await api.getGitHubVersionActionsOnly();
if ((0, util_1.isGitHubGhesVersionBelow)(gitHubVersion, "3.2.0")) {
// GHES 3.1 and earlier versions reject unexpected properties, which means
// that they will reject status reports with newly added properties.
// Inhibiting status reporting for GHES < 3.2 avoids such failures.
return true;
}
const statusReportJSON = JSON.stringify(statusReport); const statusReportJSON = JSON.stringify(statusReport);
core.debug(`Sending status report: ${statusReportJSON}`); core.debug(`Sending status report: ${statusReportJSON}`);
// If in test mode we don't want to upload the results // If in test mode we don't want to upload the results
@ -656,7 +673,7 @@ async function isAnalyzingDefaultBranch() {
// Get the current ref and trim and refs/heads/ prefix // Get the current ref and trim and refs/heads/ prefix
let currentRef = await getRef(); let currentRef = await getRef();
currentRef = currentRef.startsWith("refs/heads/") currentRef = currentRef.startsWith("refs/heads/")
? currentRef.substr("refs/heads/".length) ? currentRef.slice("refs/heads/".length)
: currentRef; : currentRef;
const event = getWorkflowEvent(); const event = getWorkflowEvent();
const defaultBranch = (_a = event === null || event === void 0 ? void 0 : event.repository) === null || _a === void 0 ? void 0 : _a.default_branch; const defaultBranch = (_a = event === null || event === void 0 ? void 0 : event.repository) === null || _a === void 0 ? void 0 : _a.default_branch;

2
lib/actions-util.js.map
View file

File diff suppressed because one or more lines are too long

34
lib/api-client.js generated
View file

@ -22,12 +22,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod }; return (mod && mod.__esModule) ? mod : { "default": mod };
}; };
Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(exports, "__esModule", { value: true });
exports.getActionsApiClient = exports.getApiClient = exports.DisallowedAPIVersionReason = void 0; exports.getGitHubVersionActionsOnly = exports.getActionsApiClient = exports.getApiClient = exports.DisallowedAPIVersionReason = void 0;
const path = __importStar(require("path")); const path = __importStar(require("path"));
const githubUtils = __importStar(require("@actions/github/lib/utils")); const githubUtils = __importStar(require("@actions/github/lib/utils"));
const retry = __importStar(require("@octokit/plugin-retry")); const retry = __importStar(require("@octokit/plugin-retry"));
const console_log_level_1 = __importDefault(require("console-log-level")); const console_log_level_1 = __importDefault(require("console-log-level"));
const actions_util_1 = require("./actions-util"); const actions_util_1 = require("./actions-util");
const util = __importStar(require("./util"));
const util_1 = require("./util"); const util_1 = require("./util");
// eslint-disable-next-line import/no-commonjs // eslint-disable-next-line import/no-commonjs
const pkg = require("../package.json"); const pkg = require("../package.json");
@ -57,15 +58,36 @@ function getApiUrl(githubUrl) {
url.pathname = path.join(url.pathname, "api", "v3"); url.pathname = path.join(url.pathname, "api", "v3");
return url.toString(); return url.toString();
} }
function getApiDetails() {
return {
auth: (0, actions_util_1.getRequiredInput)("token"),
url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
};
}
// Temporary function to aid in the transition to running on and off of github actions. // Temporary function to aid in the transition to running on and off of github actions.
// Once all code has been converted this function should be removed or made canonical // Once all code has been converted this function should be removed or made canonical
// and called only from the action entrypoints. // and called only from the action entrypoints.
function getActionsApiClient() { function getActionsApiClient() {
const apiDetails = { return (0, exports.getApiClient)(getApiDetails());
auth: (0, actions_util_1.getRequiredInput)("token"),
url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
};
return (0, exports.getApiClient)(apiDetails);
} }
exports.getActionsApiClient = getActionsApiClient; exports.getActionsApiClient = getActionsApiClient;
let cachedGitHubVersion = undefined;
/**
* Report the GitHub server version. This is a wrapper around
* util.getGitHubVersion() that automatically supplies GitHub API details using
* GitHub Action inputs. If you need to get the GitHub server version from the
* Runner, please call util.getGitHubVersion() instead.
*
* @returns GitHub version
*/
async function getGitHubVersionActionsOnly() {
if (!util.isActions()) {
throw new Error("getGitHubVersionActionsOnly() works only in an action");
}
if (cachedGitHubVersion === undefined) {
cachedGitHubVersion = await util.getGitHubVersion(getApiDetails());
}
return cachedGitHubVersion;
}
exports.getGitHubVersionActionsOnly = getGitHubVersionActionsOnly;
//# sourceMappingURL=api-client.js.map //# sourceMappingURL=api-client.js.map

2
lib/api-client.js.map
View file

@ -1 +1 @@
{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,iCAAsD;AAEtD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAdW,QAAA,YAAY,gBAcvB;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;KAC9C,CAAC;IAEF,OAAO,IAAA,oBAAY,EAAC,UAAU,CAAC,CAAC;AAClC,CAAC;AAPD,kDAOC"} {"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,6CAA+B;AAC/B,iCAAqE;AAErE,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAdW,QAAA,YAAY,gBAcvB;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,aAAa;IACpB,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,OAAO,IAAA,oBAAY,EAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAFD,kDAEC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;;GAOG;AACI,KAAK,UAAU,2BAA2B;IAC/C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;KAC1E;IACD,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,kEAQC"}

2
lib/api-compatibility.json
View file

@ -1 +1 @@
{ "maximumVersion": "3.4", "minimumVersion": "3.1" } { "maximumVersion": "3.5", "minimumVersion": "3.1" }

39
lib/codeql.js generated
View file

@ -196,6 +196,19 @@ async function getCodeQLBundleDownloadURL(apiDetails, variant, logger) {
} }
return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`; return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
} }
/**
* Set up CodeQL CLI access.
*
* @param codeqlURL
* @param apiDetails
* @param tempDir
* @param toolCacheDir
* @param variant
* @param logger
* @param checkVersion Whether to check that CodeQL CLI meets the minimum
* version requirement. Must be set to true outside tests.
* @returns
*/
async function setupCodeQL(codeqlURL, apiDetails, tempDir, toolCacheDir, variant, logger, checkVersion) { async function setupCodeQL(codeqlURL, apiDetails, tempDir, toolCacheDir, variant, logger, checkVersion) {
try { try {
// We use the special value of 'latest' to prioritize the version in the // We use the special value of 'latest' to prioritize the version in the
@ -367,16 +380,26 @@ async function getCodeQLForTesting() {
return getCodeQLForCmd("codeql-for-testing", false); return getCodeQLForCmd("codeql-for-testing", false);
} }
exports.getCodeQLForTesting = getCodeQLForTesting; exports.getCodeQLForTesting = getCodeQLForTesting;
/**
* Return a CodeQL object for CodeQL CLI access.
*
* @param cmd Path to CodeQL CLI
* @param checkVersion Whether to check that CodeQL CLI meets the minimum
* version requirement. Must be set to true outside tests.
* @returns A new CodeQL object
*/
async function getCodeQLForCmd(cmd, checkVersion) { async function getCodeQLForCmd(cmd, checkVersion) {
let cachedVersion = undefined;
const codeql = { const codeql = {
getPath() { getPath() {
return cmd; return cmd;
}, },
async getVersion() { async getVersion() {
if (cachedVersion === undefined) let result = util.getCachedCodeQlVersion();
cachedVersion = runTool(cmd, ["version", "--format=terse"]); if (result === undefined) {
return await cachedVersion; result = await runTool(cmd, ["version", "--format=terse"]);
util.cacheCodeQlVersion(result);
}
return result;
}, },
async printVersion() { async printVersion() {
await runTool(cmd, ["version", "--format=json"]); await runTool(cmd, ["version", "--format=json"]);
@ -672,6 +695,14 @@ async function getCodeQLForCmd(cmd, checkVersion) {
await new toolrunner.ToolRunner(cmd, args).exec(); await new toolrunner.ToolRunner(cmd, args).exec();
}, },
}; };
// To ensure that status reports include the CodeQL CLI version whereever
// possbile, we want to call getVersion(), which populates the version value
// used by status reporting, at the earliest opportunity. But invoking
// getVersion() directly here breaks tests that only pretend to create a
// CodeQL object. So instead we rely on the assumption that all non-test
// callers would set checkVersion to true, and util.codeQlVersionAbove()
// would call getVersion(), so the CLI version would be cached as soon as the
// CodeQL object is created.
if (checkVersion && if (checkVersion &&
!(await util.codeQlVersionAbove(codeql, CODEQL_MINIMUM_VERSION))) { !(await util.codeQlVersionAbove(codeql, CODEQL_MINIMUM_VERSION))) {
throw new Error(`Expected a CodeQL CLI with version at least ${CODEQL_MINIMUM_VERSION} but got version ${await codeql.getVersion()}`); throw new Error(`Expected a CodeQL CLI with version at least ${CODEQL_MINIMUM_VERSION} but got version ${await codeql.getVersion()}`);

2
lib/codeql.js.map
View file

File diff suppressed because one or more lines are too long

2
lib/config-utils.js generated
View file

@ -435,7 +435,7 @@ async function addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, r
// should instead be added in addition // should instead be added in addition
function shouldAddConfigFileQueries(queriesInput) { function shouldAddConfigFileQueries(queriesInput) {
if (queriesInput) { if (queriesInput) {
return queriesInput.trimStart().substr(0, 1) === "+"; return queriesInput.trimStart().slice(0, 1) === "+";
} }
return true; return true;
} }

2
lib/config-utils.js.map
View file

File diff suppressed because one or more lines are too long

2
lib/defaults.json
View file

@ -1,3 +1,3 @@
{ {
"bundleVersion": "codeql-bundle-20220224" "bundleVersion": "codeql-bundle-20220311"
} }

5
lib/init-action.js generated
View file

@ -22,6 +22,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
const path = __importStar(require("path")); const path = __importStar(require("path"));
const core = __importStar(require("@actions/core")); const core = __importStar(require("@actions/core"));
const actions_util_1 = require("./actions-util"); const actions_util_1 = require("./actions-util");
const api_client_1 = require("./api-client");
const codeql_1 = require("./codeql"); const codeql_1 = require("./codeql");
const feature_flags_1 = require("./feature-flags"); const feature_flags_1 = require("./feature-flags");
const init_1 = require("./init"); const init_1 = require("./init");
@ -48,7 +49,7 @@ async function sendSuccessStatusReport(startedAt, config, toolsVersion) {
} }
if (queriesInput !== undefined) { if (queriesInput !== undefined) {
queriesInput = queriesInput.startsWith("+") queriesInput = queriesInput.startsWith("+")
? queriesInput.substr(1) ? queriesInput.slice(1)
: queriesInput; : queriesInput;
queries.push(...queriesInput.split(",")); queries.push(...queriesInput.split(","));
} }
@ -78,7 +79,7 @@ async function run() {
externalRepoAuth: (0, actions_util_1.getOptionalInput)("external-repository-token"), externalRepoAuth: (0, actions_util_1.getOptionalInput)("external-repository-token"),
url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"), url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
}; };
const gitHubVersion = await (0, util_1.getGitHubVersion)(apiDetails); const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
(0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger, util_1.Mode.actions); (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger, util_1.Mode.actions);
const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY")); const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
const featureFlags = new feature_flags_1.GitHubFeatureFlags(gitHubVersion, apiDetails, repositoryNwo, logger); const featureFlags = new feature_flags_1.GitHubFeatureFlags(gitHubVersion, apiDetails, repositoryNwo, logger);

2
lib/init-action.js.map
View file

File diff suppressed because one or more lines are too long

3
lib/upload-sarif-action.js generated
View file

@ -21,6 +21,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(exports, "__esModule", { value: true });
const core = __importStar(require("@actions/core")); const core = __importStar(require("@actions/core"));
const actionsUtil = __importStar(require("./actions-util")); const actionsUtil = __importStar(require("./actions-util"));
const api_client_1 = require("./api-client");
const logging_1 = require("./logging"); const logging_1 = require("./logging");
const repository_1 = require("./repository"); const repository_1 = require("./repository");
const upload_lib = __importStar(require("./upload-lib")); const upload_lib = __importStar(require("./upload-lib"));
@ -46,7 +47,7 @@ async function run() {
auth: actionsUtil.getRequiredInput("token"), auth: actionsUtil.getRequiredInput("token"),
url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"), url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
}; };
const gitHubVersion = await (0, util_1.getGitHubVersion)(apiDetails); const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
const uploadResult = await upload_lib.uploadFromActions(actionsUtil.getRequiredInput("sarif_file"), gitHubVersion, apiDetails, (0, logging_1.getActionsLogger)()); const uploadResult = await upload_lib.uploadFromActions(actionsUtil.getRequiredInput("sarif_file"), gitHubVersion, apiDetails, (0, logging_1.getActionsLogger)());
core.setOutput("sarif-id", uploadResult.sarifID); core.setOutput("sarif-id", uploadResult.sarifID);
if (actionsUtil.getRequiredInput("wait-for-processing") === "true") { if (actionsUtil.getRequiredInput("wait-for-processing") === "true") {

2
lib/upload-sarif-action.js.map
View file

@ -1 +1 @@
{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAKgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;SAC9C,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAA,uBAAgB,EAAC,UAAU,CAAC,CAAC;QAEzD,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,aAAa,EACb,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YAClE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,WAAW,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACnC,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"} {"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAA2D;AAC3D,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAA0E;AAE1E,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;SAC9C,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAA,wCAA2B,GAAE,CAAC;QAE1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,aAAa,EACb,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YAClE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,WAAW,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACnC,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

19
lib/util.js generated
View file

@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod }; return (mod && mod.__esModule) ? mod : { "default": mod };
}; };
Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(exports, "__esModule", { value: true });
exports.getMlPoweredJsQueriesStatus = exports.ML_POWERED_JS_QUERIES_PACK = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0; exports.getMlPoweredJsQueriesStatus = exports.ML_POWERED_JS_QUERIES_PACK = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isGitHubGhesVersionBelow = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
const fs = __importStar(require("fs")); const fs = __importStar(require("fs"));
const os = __importStar(require("os")); const os = __importStar(require("os"));
const path = __importStar(require("path")); const path = __importStar(require("path"));
@ -500,6 +500,23 @@ function isHTTPError(arg) {
return (arg === null || arg === void 0 ? void 0 : arg.status) !== undefined && Number.isInteger(arg.status); return (arg === null || arg === void 0 ? void 0 : arg.status) !== undefined && Number.isInteger(arg.status);
} }
exports.isHTTPError = isHTTPError; exports.isHTTPError = isHTTPError;
function isGitHubGhesVersionBelow(gitHubVersion, expectedVersion) {
return (gitHubVersion.type === GitHubVariant.GHES &&
semver.lt(gitHubVersion.version, expectedVersion));
}
exports.isGitHubGhesVersionBelow = isGitHubGhesVersionBelow;
let cachedCodeQlVersion = undefined;
function cacheCodeQlVersion(version) {
if (cachedCodeQlVersion !== undefined) {
throw new Error("cacheCodeQlVersion() should be called only once");
}
cachedCodeQlVersion = version;
}
exports.cacheCodeQlVersion = cacheCodeQlVersion;
function getCachedCodeQlVersion() {
return cachedCodeQlVersion;
}
exports.getCachedCodeQlVersion = getCachedCodeQlVersion;
async function codeQlVersionAbove(codeql, requiredVersion) { async function codeQlVersionAbove(codeql, requiredVersion) {
return semver.gte(await codeql.getVersion(), requiredVersion); return semver.gte(await codeql.getVersion(), requiredVersion);
} }

2
lib/util.js.map
View file

File diff suppressed because one or more lines are too long

7
lib/util.test.js generated
View file

@ -262,4 +262,11 @@ for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
}); });
}); });
} }
(0, ava_1.default)("isGitHubGhesVersionBelow", async (t) => {
t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.DOTCOM }, "3.2.0"));
t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHAE }, "3.2.0"));
t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHES, version: "3.3.0" }, "3.2.0"));
t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHES, version: "3.2.0" }, "3.2.0"));
t.true(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHES, version: "3.1.2" }, "3.2.0"));
});
//# sourceMappingURL=util.test.js.map //# sourceMappingURL=util.test.js.map

2
lib/util.test.js.map
View file

File diff suppressed because one or more lines are too long

2
node_modules/.package-lock.json generated vendored
View file

@ -1,6 +1,6 @@
{ {
"name": "codeql", "name": "codeql",
"version": "1.1.5", "version": "1.1.6",
"lockfileVersion": 2, "lockfileVersion": 2,
"requires": true, "requires": true,
"packages": { "packages": {

4
package-lock.json generated
View file

@ -1,12 +1,12 @@
{ {
"name": "codeql", "name": "codeql",
"version": "1.1.5", "version": "1.1.6",
"lockfileVersion": 2, "lockfileVersion": 2,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "codeql", "name": "codeql",
"version": "1.1.5", "version": "1.1.6",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/artifact": "^1.0.0", "@actions/artifact": "^1.0.0",

2
package.json
View file

@ -1,6 +1,6 @@
{ {
"name": "codeql", "name": "codeql",
"version": "1.1.5", "version": "1.1.6",
"private": true, "private": true,
"description": "CodeQL action", "description": "CodeQL action",
"scripts": { "scripts": {

2
runner/package-lock.json generated
View file

@ -1,6 +1,6 @@
{ {
"name": "codeql-runner", "name": "codeql-runner",
"version": "1.1.5", "version": "1.1.6",
"lockfileVersion": 1, "lockfileVersion": 1,
"requires": true, "requires": true,
"dependencies": { "dependencies": {

2
runner/package.json
View file

@ -1,6 +1,6 @@
{ {
"name": "codeql-runner", "name": "codeql-runner",
"version": "1.1.5", "version": "1.1.6",
"private": true, "private": true,
"description": "CodeQL runner", "description": "CodeQL runner",
"scripts": { "scripts": {

33
src/actions-util.ts
View file

@ -10,12 +10,17 @@ import * as yaml from "js-yaml";
import * as api from "./api-client"; import * as api from "./api-client";
import * as sharedEnv from "./shared-environment"; import * as sharedEnv from "./shared-environment";
import { import {
getCachedCodeQlVersion,
getRequiredEnvParam, getRequiredEnvParam,
GITHUB_DOTCOM_URL, GITHUB_DOTCOM_URL,
isGitHubGhesVersionBelow,
isHTTPError, isHTTPError,
UserError, UserError,
} from "./util"; } from "./util";
// eslint-disable-next-line import/no-commonjs
const pkg = require("../package.json");
/** /**
* The utils in this module are meant to be run inside of the action only. * The utils in this module are meant to be run inside of the action only.
* Code paths from the runner should not enter this module. * Code paths from the runner should not enter this module.
@ -600,9 +605,13 @@ export interface StatusReportBase {
/** Action runner operating system (context runner.os). */ /** Action runner operating system (context runner.os). */
runner_os: string; runner_os: string;
/** Action runner hardware architecture (context runner.arch). */ /** Action runner hardware architecture (context runner.arch). */
runner_arch: string; runner_arch?: string;
/** Action runner operating system release (x.y.z from os.release()). */ /** Action runner operating system release (x.y.z from os.release()). */
runner_os_release?: string; runner_os_release?: string;
/** Action version (x.y.z from package.json). */
action_version: string;
/** CodeQL CLI version (x.y.z from the CLI). */
codeql_cli_version?: string;
} }
export function getActionsStatus( export function getActionsStatus(
@ -651,7 +660,7 @@ export async function createStatusReportBase(
); );
} }
const runnerOs = getRequiredEnvParam("RUNNER_OS"); const runnerOs = getRequiredEnvParam("RUNNER_OS");
const runnerArch = getRequiredEnvParam("RUNNER_ARCH"); const codeQlCliVersion = getCachedCodeQlVersion();
// If running locally then the GITHUB_ACTION_REF cannot be trusted as it may be for the previous action // If running locally then the GITHUB_ACTION_REF cannot be trusted as it may be for the previous action
// See https://github.com/actions/runner/issues/803 // See https://github.com/actions/runner/issues/803
@ -673,7 +682,7 @@ export async function createStatusReportBase(
action_started_at: actionStartedAt.toISOString(), action_started_at: actionStartedAt.toISOString(),
status, status,
runner_os: runnerOs, runner_os: runnerOs,
runner_arch: runnerArch, action_version: pkg.version,
}; };
// Add optional parameters // Add optional parameters
@ -695,9 +704,17 @@ export async function createStatusReportBase(
if (matrix) { if (matrix) {
statusReport.matrix_vars = matrix; statusReport.matrix_vars = matrix;
} }
if ("RUNNER_ARCH" in process.env) {
// RUNNER_ARCH is available only in GHES 3.4 and later
// Values other than X86, X64, ARM, or ARM64 are discarded server side
statusReport.runner_arch = process.env["RUNNER_ARCH"];
}
if (runnerOs === "Windows" || runnerOs === "macOS") { if (runnerOs === "Windows" || runnerOs === "macOS") {
statusReport.runner_os_release = os.release(); statusReport.runner_os_release = os.release();
} }
if (codeQlCliVersion !== undefined) {
statusReport.codeql_cli_version = codeQlCliVersion;
}
return statusReport; return statusReport;
} }
@ -723,6 +740,14 @@ const INCOMPATIBLE_MSG =
export async function sendStatusReport<S extends StatusReportBase>( export async function sendStatusReport<S extends StatusReportBase>(
statusReport: S statusReport: S
): Promise<boolean> { ): Promise<boolean> {
const gitHubVersion = await api.getGitHubVersionActionsOnly();
if (isGitHubGhesVersionBelow(gitHubVersion, "3.2.0")) {
// GHES 3.1 and earlier versions reject unexpected properties, which means
// that they will reject status reports with newly added properties.
// Inhibiting status reporting for GHES < 3.2 avoids such failures.
return true;
}
const statusReportJSON = JSON.stringify(statusReport); const statusReportJSON = JSON.stringify(statusReport);
core.debug(`Sending status report: ${statusReportJSON}`); core.debug(`Sending status report: ${statusReportJSON}`);
// If in test mode we don't want to upload the results // If in test mode we don't want to upload the results
@ -833,7 +858,7 @@ export async function isAnalyzingDefaultBranch(): Promise<boolean> {
// Get the current ref and trim and refs/heads/ prefix // Get the current ref and trim and refs/heads/ prefix
let currentRef = await getRef(); let currentRef = await getRef();
currentRef = currentRef.startsWith("refs/heads/") currentRef = currentRef.startsWith("refs/heads/")
? currentRef.substr("refs/heads/".length) ? currentRef.slice("refs/heads/".length)
: currentRef; : currentRef;
const event = getWorkflowEvent(); const event = getWorkflowEvent();

37
src/api-client.ts
View file

@ -5,7 +5,8 @@ import * as retry from "@octokit/plugin-retry";
import consoleLogLevel from "console-log-level"; import consoleLogLevel from "console-log-level";
import { getRequiredInput } from "./actions-util"; import { getRequiredInput } from "./actions-util";
import { getMode, getRequiredEnvParam } from "./util"; import * as util from "./util";
import { getMode, getRequiredEnvParam, GitHubVersion } from "./util";
// eslint-disable-next-line import/no-commonjs // eslint-disable-next-line import/no-commonjs
const pkg = require("../package.json"); const pkg = require("../package.json");
@ -58,14 +59,36 @@ function getApiUrl(githubUrl: string): string {
return url.toString(); return url.toString();
} }
function getApiDetails() {
return {
auth: getRequiredInput("token"),
url: getRequiredEnvParam("GITHUB_SERVER_URL"),
};
}
// Temporary function to aid in the transition to running on and off of github actions. // Temporary function to aid in the transition to running on and off of github actions.
// Once all code has been converted this function should be removed or made canonical // Once all code has been converted this function should be removed or made canonical
// and called only from the action entrypoints. // and called only from the action entrypoints.
export function getActionsApiClient() { export function getActionsApiClient() {
const apiDetails = { return getApiClient(getApiDetails());
auth: getRequiredInput("token"), }
url: getRequiredEnvParam("GITHUB_SERVER_URL"),
}; let cachedGitHubVersion: GitHubVersion | undefined = undefined;
return getApiClient(apiDetails); /**
* Report the GitHub server version. This is a wrapper around
* util.getGitHubVersion() that automatically supplies GitHub API details using
* GitHub Action inputs. If you need to get the GitHub server version from the
* Runner, please call util.getGitHubVersion() instead.
*
* @returns GitHub version
*/
export async function getGitHubVersionActionsOnly(): Promise<GitHubVersion> {
if (!util.isActions()) {
throw new Error("getGitHubVersionActionsOnly() works only in an action");
}
if (cachedGitHubVersion === undefined) {
cachedGitHubVersion = await util.getGitHubVersion(getApiDetails());
}
return cachedGitHubVersion;
} }

2
src/api-compatibility.json
View file

@ -1 +1 @@
{"maximumVersion": "3.4", "minimumVersion": "3.1"} {"maximumVersion": "3.5", "minimumVersion": "3.1"}

39
src/codeql.ts
View file

@ -367,6 +367,19 @@ async function getCodeQLBundleDownloadURL(
return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`; return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
} }
/**
* Set up CodeQL CLI access.
*
* @param codeqlURL
* @param apiDetails
* @param tempDir
* @param toolCacheDir
* @param variant
* @param logger
* @param checkVersion Whether to check that CodeQL CLI meets the minimum
* version requirement. Must be set to true outside tests.
* @returns
*/
export async function setupCodeQL( export async function setupCodeQL(
codeqlURL: string | undefined, codeqlURL: string | undefined,
apiDetails: api.GitHubApiDetails, apiDetails: api.GitHubApiDetails,
@ -611,19 +624,29 @@ export async function getCodeQLForTesting(): Promise<CodeQL> {
return getCodeQLForCmd("codeql-for-testing", false); return getCodeQLForCmd("codeql-for-testing", false);
} }
/**
* Return a CodeQL object for CodeQL CLI access.
*
* @param cmd Path to CodeQL CLI
* @param checkVersion Whether to check that CodeQL CLI meets the minimum
* version requirement. Must be set to true outside tests.
* @returns A new CodeQL object
*/
async function getCodeQLForCmd( async function getCodeQLForCmd(
cmd: string, cmd: string,
checkVersion: boolean checkVersion: boolean
): Promise<CodeQL> { ): Promise<CodeQL> {
let cachedVersion: undefined | Promise<string> = undefined;
const codeql = { const codeql = {
getPath() { getPath() {
return cmd; return cmd;
}, },
async getVersion() { async getVersion() {
if (cachedVersion === undefined) let result = util.getCachedCodeQlVersion();
cachedVersion = runTool(cmd, ["version", "--format=terse"]); if (result === undefined) {
return await cachedVersion; result = await runTool(cmd, ["version", "--format=terse"]);
util.cacheCodeQlVersion(result);
}
return result;
}, },
async printVersion() { async printVersion() {
await runTool(cmd, ["version", "--format=json"]); await runTool(cmd, ["version", "--format=json"]);
@ -997,6 +1020,14 @@ async function getCodeQLForCmd(
await new toolrunner.ToolRunner(cmd, args).exec(); await new toolrunner.ToolRunner(cmd, args).exec();
}, },
}; };
// To ensure that status reports include the CodeQL CLI version whereever
// possbile, we want to call getVersion(), which populates the version value
// used by status reporting, at the earliest opportunity. But invoking
// getVersion() directly here breaks tests that only pretend to create a
// CodeQL object. So instead we rely on the assumption that all non-test
// callers would set checkVersion to true, and util.codeQlVersionAbove()
// would call getVersion(), so the CLI version would be cached as soon as the
// CodeQL object is created.
if ( if (
checkVersion && checkVersion &&
!(await util.codeQlVersionAbove(codeql, CODEQL_MINIMUM_VERSION)) !(await util.codeQlVersionAbove(codeql, CODEQL_MINIMUM_VERSION))

2
src/config-utils.ts
View file

@ -849,7 +849,7 @@ async function addQueriesAndPacksFromWorkflow(
// should instead be added in addition // should instead be added in addition
function shouldAddConfigFileQueries(queriesInput: string | undefined): boolean { function shouldAddConfigFileQueries(queriesInput: string | undefined): boolean {
if (queriesInput) { if (queriesInput) {
return queriesInput.trimStart().substr(0, 1) === "+"; return queriesInput.trimStart().slice(0, 1) === "+";
} }
return true; return true;

2
src/defaults.json
View file

@ -1,3 +1,3 @@
{ {
"bundleVersion": "codeql-bundle-20220224" "bundleVersion": "codeql-bundle-20220311"
} }

6
src/init-action.ts
View file

@ -13,6 +13,7 @@ import {
StatusReportBase, StatusReportBase,
validateWorkflow, validateWorkflow,
} from "./actions-util"; } from "./actions-util";
import { getGitHubVersionActionsOnly } from "./api-client";
import { CodeQL, CODEQL_VERSION_NEW_TRACING } from "./codeql"; import { CodeQL, CODEQL_VERSION_NEW_TRACING } from "./codeql";
import * as configUtils from "./config-utils"; import * as configUtils from "./config-utils";
import { GitHubFeatureFlags } from "./feature-flags"; import { GitHubFeatureFlags } from "./feature-flags";
@ -31,7 +32,6 @@ import {
initializeEnvironment, initializeEnvironment,
Mode, Mode,
checkGitHubVersionInRange, checkGitHubVersionInRange,
getGitHubVersion,
codeQlVersionAbove, codeQlVersionAbove,
enrichEnvironment, enrichEnvironment,
getMemoryFlagValue, getMemoryFlagValue,
@ -99,7 +99,7 @@ async function sendSuccessStatusReport(
} }
if (queriesInput !== undefined) { if (queriesInput !== undefined) {
queriesInput = queriesInput.startsWith("+") queriesInput = queriesInput.startsWith("+")
? queriesInput.substr(1) ? queriesInput.slice(1)
: queriesInput; : queriesInput;
queries.push(...queriesInput.split(",")); queries.push(...queriesInput.split(","));
} }
@ -135,7 +135,7 @@ async function run() {
url: getRequiredEnvParam("GITHUB_SERVER_URL"), url: getRequiredEnvParam("GITHUB_SERVER_URL"),
}; };
const gitHubVersion = await getGitHubVersion(apiDetails); const gitHubVersion = await getGitHubVersionActionsOnly();
checkGitHubVersionInRange(gitHubVersion, logger, Mode.actions); checkGitHubVersionInRange(gitHubVersion, logger, Mode.actions);
const repositoryNwo = parseRepositoryNwo( const repositoryNwo = parseRepositoryNwo(

10
src/upload-sarif-action.ts
View file

@ -1,15 +1,11 @@
import * as core from "@actions/core"; import * as core from "@actions/core";
import * as actionsUtil from "./actions-util"; import * as actionsUtil from "./actions-util";
import { getGitHubVersionActionsOnly } from "./api-client";
import { getActionsLogger } from "./logging"; import { getActionsLogger } from "./logging";
import { parseRepositoryNwo } from "./repository"; import { parseRepositoryNwo } from "./repository";
import * as upload_lib from "./upload-lib"; import * as upload_lib from "./upload-lib";
import { import { getRequiredEnvParam, initializeEnvironment, Mode } from "./util";
getGitHubVersion,
getRequiredEnvParam,
initializeEnvironment,
Mode,
} from "./util";
// eslint-disable-next-line import/no-commonjs // eslint-disable-next-line import/no-commonjs
const pkg = require("../package.json"); const pkg = require("../package.json");
@ -55,7 +51,7 @@ async function run() {
url: getRequiredEnvParam("GITHUB_SERVER_URL"), url: getRequiredEnvParam("GITHUB_SERVER_URL"),
}; };
const gitHubVersion = await getGitHubVersion(apiDetails); const gitHubVersion = await getGitHubVersionActionsOnly();
const uploadResult = await upload_lib.uploadFromActions( const uploadResult = await upload_lib.uploadFromActions(
actionsUtil.getRequiredInput("sarif_file"), actionsUtil.getRequiredInput("sarif_file"),

27
src/util.test.ts
View file

@ -353,3 +353,30 @@ for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
}); });
}); });
} }
test("isGitHubGhesVersionBelow", async (t) => {
t.falsy(
util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.DOTCOM }, "3.2.0")
);
t.falsy(
util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHAE }, "3.2.0")
);
t.falsy(
util.isGitHubGhesVersionBelow(
{ type: util.GitHubVariant.GHES, version: "3.3.0" },
"3.2.0"
)
);
t.falsy(
util.isGitHubGhesVersionBelow(
{ type: util.GitHubVariant.GHES, version: "3.2.0" },
"3.2.0"
)
);
t.true(
util.isGitHubGhesVersionBelow(
{ type: util.GitHubVariant.GHES, version: "3.1.2" },
"3.2.0"
)
);
});

23
src/util.ts
View file

@ -594,6 +594,29 @@ export function isHTTPError(arg: any): arg is HTTPError {
return arg?.status !== undefined && Number.isInteger(arg.status); return arg?.status !== undefined && Number.isInteger(arg.status);
} }
export function isGitHubGhesVersionBelow(
gitHubVersion: GitHubVersion,
expectedVersion: string
): boolean {
return (
gitHubVersion.type === GitHubVariant.GHES &&
semver.lt(gitHubVersion.version, expectedVersion)
);
}
let cachedCodeQlVersion: undefined | string = undefined;
export function cacheCodeQlVersion(version: string): void {
if (cachedCodeQlVersion !== undefined) {
throw new Error("cacheCodeQlVersion() should be called only once");
}
cachedCodeQlVersion = version;
}
export function getCachedCodeQlVersion(): undefined | string {
return cachedCodeQlVersion;
}
export async function codeQlVersionAbove( export async function codeQlVersionAbove(
codeql: CodeQL, codeql: CodeQL,
requiredVersion: string requiredVersion: string