Merge pull request #1995 from github/update-v2.22.7-10f05151c

Merge main into releases/v2

.github/workflows/python312-windows.yml

@@ -38,4 +38,5 @@ jobs:
     - name: Analyze
       uses: ./../action/analyze
       with:
+        upload: false
         upload-database: false

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 2.22.7 - 16 Nov 2023
+
+- Add a deprecation warning for customers using CodeQL version 2.11.5 and earlier. These versions of CodeQL were discontinued on 8 November 2023 alongside GitHub Enterprise Server 3.7, and will be unsupported by CodeQL Action v2.23.0 and later. [#1993](https://github.com/github/codeql-action/pull/1993)
+  - If you are using one of these versions, please update to CodeQL CLI version 2.11.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
+  - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.10.5 and 2.11.5, you can replace `github/codeql-action/*@v2` by `github/codeql-action/*@v2.22.7` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
+
 ## 2.22.6 - 14 Nov 2023
 
 - Customers running Python analysis on macOS using version 2.14.6 or earlier of the CodeQL CLI should upgrade to CodeQL CLI version 2.15.0 or later. If you do not wish to upgrade the CodeQL CLI, ensure that you are using Python version 3.11 or earlier, as CodeQL version 2.14.6 and earlier do not support Python 3.12. You can achieve this by adding a [`setup-python`](https://github.com/actions/setup-python) step to your code scanning workflow before the step that invokes `github/codeql-action/init`.

lib/codeql.js

@@ -77,15 +77,15 @@ const CODEQL_MINIMUM_VERSION = "2.10.5";
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
  */
-const CODEQL_NEXT_MINIMUM_VERSION = "2.10.5";
+const CODEQL_NEXT_MINIMUM_VERSION = "2.11.6";
 /**
  * This is the version of GHES that was most recently deprecated.
  */
-const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.6";
+const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.7";
 /**
  * This is the deprecation date for the version of GHES that was most recently deprecated.
  */
-const GHES_MOST_RECENT_DEPRECATION_DATE = "2023-09-12";
+const GHES_MOST_RECENT_DEPRECATION_DATE = "2023-11-08";
 /*
  * Versions of CodeQL that version-flag certain functionality in the Action.
  * For convenience, please keep these in descending order. Once a version

lib/init-action-post-helper.js

@@ -24,12 +24,13 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.run = exports.tryUploadSarifIfRunFailed = void 0;
-const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
+const api_client_1 = require("./api-client");
 const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
+const repository_1 = require("./repository");
 const uploadLib = __importStar(require("./upload-lib"));
 const util_1 = require("./util");
 const workflow_1 = require("./workflow");
@@ -73,10 +74,12 @@ async function maybeUploadFailedSarif(config, repositoryNwo, features, logger) {
         // We call 'database export-diagnostics' to find any per-database diagnostics.
         await codeql.databaseExportDiagnostics(databasePath, sarifFile, category, config.tempDir, logger);
     }
-    core.info(`Uploading failed SARIF file ${sarifFile}`);
+    logger.info(`Uploading failed SARIF file ${sarifFile}`);
     const uploadResult = await uploadLib.uploadFromActions(sarifFile, checkoutPath, category, logger, { considerInvalidRequestUserError: false });
     await uploadLib.waitForProcessing(repositoryNwo, uploadResult.sarifID, logger, { isUnsuccessfulExecution: true });
-    return uploadResult?.statusReport ?? {};
+    return uploadResult
+        ? { ...uploadResult.statusReport, sarifID: uploadResult.sarifID }
+        : {};
 }
 async function tryUploadSarifIfRunFailed(config, repositoryNwo, features, logger) {
     if (process.env[environment_1.EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY] !== "true") {
@@ -114,9 +117,12 @@ async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, p
         throw new Error("Expected to upload a failed SARIF file for this CodeQL code scanning run, " +
             `but the result was instead ${error}.`);
     }
+    if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true") {
+        await removeUploadedSarif(uploadFailedSarifResult, logger);
+    }
     // Upload appropriate Actions artifacts for debugging
     if (config.debugMode) {
-        core.info("Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...");
+        logger.info("Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...");
         await uploadDatabaseBundleDebugArtifact(config, logger);
         await uploadLogsDebugArtifact(config);
         await printDebugLogs(config);
@@ -124,4 +130,55 @@ async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, p
     return uploadFailedSarifResult;
 }
 exports.run = run;
+async function removeUploadedSarif(uploadFailedSarifResult, logger) {
+    const sarifID = uploadFailedSarifResult.sarifID;
+    if (sarifID) {
+        logger.startGroup("Deleting failed SARIF upload");
+        logger.info(`In test mode, therefore deleting the failed analysis to avoid impacting tool status for the Action repository. SARIF ID to delete: ${sarifID}.`);
+        const client = (0, api_client_1.getApiClient)();
+        try {
+            const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+            // Wait to make sure the analysis is ready for download before requesting it.
+            await (0, util_1.delay)(5000);
+            // Get the analysis associated with the uploaded sarif
+            const analysisInfo = await client.request("GET /repos/:owner/:repo/code-scanning/analyses?sarif_id=:sarif_id", {
+                owner: repositoryNwo.owner,
+                repo: repositoryNwo.repo,
+                sarif_id: sarifID,
+            });
+            // Delete the analysis.
+            if (analysisInfo.data.length === 1) {
+                const analysis = analysisInfo.data[0];
+                logger.info(`Analysis ID to delete: ${analysis.id}.`);
+                try {
+                    await client.request("DELETE /repos/:owner/:repo/code-scanning/analyses/:analysis_id?confirm_delete", {
+                        owner: repositoryNwo.owner,
+                        repo: repositoryNwo.repo,
+                        analysis_id: analysis.id,
+                    });
+                    logger.info(`Analysis deleted.`);
+                }
+                catch (e) {
+                    const origMessage = (0, util_1.getErrorMessage)(e);
+                    const newMessage = origMessage.includes("No analysis found for analysis ID")
+                        ? `Analysis ${analysis.id} does not exist. It was likely already deleted.`
+                        : origMessage;
+                    throw new Error(newMessage);
+                }
+            }
+            else {
+                throw new Error(`Expected to find exactly one analysis with sarif_id ${sarifID}. Found ${analysisInfo.data.length}.`);
+            }
+        }
+        catch (e) {
+            throw new Error(`Failed to delete uploaded SARIF analysis. Reason: ${(0, util_1.getErrorMessage)(e)}`);
+        }
+        finally {
+            logger.endGroup();
+        }
+    }
+    else {
+        logger.warning("Could not delete the uploaded SARIF analysis because a SARIF ID wasn't provided by the API when uploading the SARIF file.");
+    }
+}
 //# sourceMappingURL=init-action-post-helper.js.map

lib/init-action-post-helper.test.js

@@ -341,6 +341,7 @@ async function testFailedSarifUpload(t, actionsWorkflow, { category, databaseExi
     const result = await initActionPostHelper.tryUploadSarifIfRunFailed(config, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)(features), (0, logging_1.getRunnerLogger)(true));
     if (expectUpload) {
         t.deepEqual(result, {
+            sarifID: "42",
             raw_upload_size_bytes: 20,
             zipped_upload_size_bytes: 10,
         });

lib/util.js

@@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.checkDiskUsage = exports.prettyPrintPack = exports.wrapError = exports.fixInvalidNotificationsInFile = exports.fixInvalidNotifications = exports.parseMatrixInput = exports.isHostedRunner = exports.checkForTimeout = exports.withTimeout = exports.tryGetFolderBytes = exports.listFolder = exports.doesDirectoryExist = exports.isInTestMode = exports.supportExpectDiscardedCache = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.initializeEnvironment = exports.assertNever = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.getMemoryFlagValueForPlatform = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
+exports.checkDiskUsage = exports.prettyPrintPack = exports.getErrorMessage = exports.wrapError = exports.fixInvalidNotificationsInFile = exports.fixInvalidNotifications = exports.parseMatrixInput = exports.isHostedRunner = exports.checkForTimeout = exports.withTimeout = exports.tryGetFolderBytes = exports.listFolder = exports.doesDirectoryExist = exports.isInTestMode = exports.supportExpectDiscardedCache = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.initializeEnvironment = exports.assertNever = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.getMemoryFlagValueForPlatform = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
@@ -465,7 +465,8 @@ exports.bundleDb = bundleDb;
  * @param opts options
  * @param opts.allowProcessExit if true, the timer will not prevent the process from exiting
  */
-async function delay(milliseconds, { allowProcessExit }) {
+async function delay(milliseconds, opts) {
+    const { allowProcessExit } = opts || {};
     return new Promise((resolve) => {
         const timer = setTimeout(resolve, milliseconds);
         if (allowProcessExit) {
@@ -719,6 +720,10 @@ function wrapError(error) {
     return error instanceof Error ? error : new Error(String(error));
 }
 exports.wrapError = wrapError;
+function getErrorMessage(error) {
+    return error instanceof Error ? error.toString() : String(error);
+}
+exports.getErrorMessage = getErrorMessage;
 function prettyPrintPack(pack) {
     return `${pack.name}${pack.version ? `@${pack.version}` : ""}${pack.path ? `:${pack.path}` : ""}`;
 }

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.22.6",
+  "version": "2.22.7",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "2.22.6",
+  "version": "2.22.7",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "2.22.6",
+      "version": "2.22.7",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.1.2",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.22.6",
+  "version": "2.22.7",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

src/codeql.ts

@@ -298,17 +298,17 @@ const CODEQL_MINIMUM_VERSION = "2.10.5";
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
  */
-const CODEQL_NEXT_MINIMUM_VERSION = "2.10.5";
+const CODEQL_NEXT_MINIMUM_VERSION = "2.11.6";
 
 /**
  * This is the version of GHES that was most recently deprecated.
  */
-const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.6";
+const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.7";
 
 /**
  * This is the deprecation date for the version of GHES that was most recently deprecated.
  */
-const GHES_MOST_RECENT_DEPRECATION_DATE = "2023-09-12";
+const GHES_MOST_RECENT_DEPRECATION_DATE = "2023-11-08";
 
 /*
  * Versions of CodeQL that version-flag certain functionality in the Action.

src/init-action-post-helper.test.ts

@@ -391,6 +391,7 @@ async function testFailedSarifUpload(
   );
   if (expectUpload) {
     t.deepEqual(result, {
+      sarifID: "42",
       raw_upload_size_bytes: 20,
       zipped_upload_size_bytes: 10,
     });

src/init-action-post-helper.ts

@@ -1,15 +1,16 @@
-import * as core from "@actions/core";
-
 import * as actionsUtil from "./actions-util";
+import { getApiClient } from "./api-client";
 import { CODEQL_VERSION_EXPORT_FAILED_SARIF, getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
 import { EnvVar } from "./environment";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
-import { RepositoryNwo } from "./repository";
+import { RepositoryNwo, parseRepositoryNwo } from "./repository";
 import * as uploadLib from "./upload-lib";
 import {
   codeQlVersionAbove,
+  delay,
+  getErrorMessage,
   getRequiredEnvParam,
   isInTestMode,
   parseMatrixInput,
@@ -29,6 +30,9 @@ export interface UploadFailedSarifResult extends uploadLib.UploadStatusReport {
   upload_failed_run_stack_trace?: string;
   /** Reason why we did not upload a SARIF payload with `executionSuccessful: false`. */
   upload_failed_run_skipped_because?: string;
+
+  /** The internal ID of SARIF analysis. */
+  sarifID?: string;
 }
 
 function createFailedUploadFailedSarifResult(
@@ -93,7 +97,7 @@ async function maybeUploadFailedSarif(
     );
   }
 
-  core.info(`Uploading failed SARIF file ${sarifFile}`);
+  logger.info(`Uploading failed SARIF file ${sarifFile}`);
   const uploadResult = await uploadLib.uploadFromActions(
     sarifFile,
     checkoutPath,
@@ -107,7 +111,9 @@ async function maybeUploadFailedSarif(
     logger,
     { isUnsuccessfulExecution: true },
   );
-  return uploadResult?.statusReport ?? {};
+  return uploadResult
+    ? { ...uploadResult.statusReport, sarifID: uploadResult.sarifID }
+    : {};
 }
 
 export async function tryUploadSarifIfRunFailed(
@@ -180,9 +186,13 @@ export async function run(
     );
   }
 
+  if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true") {
+    await removeUploadedSarif(uploadFailedSarifResult, logger);
+  }
+
   // Upload appropriate Actions artifacts for debugging
   if (config.debugMode) {
-    core.info(
+    logger.info(
       "Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...",
     );
     await uploadDatabaseBundleDebugArtifact(config, logger);
@@ -193,3 +203,77 @@ export async function run(
 
   return uploadFailedSarifResult;
 }
+
+async function removeUploadedSarif(
+  uploadFailedSarifResult: UploadFailedSarifResult,
+  logger: Logger,
+) {
+  const sarifID = uploadFailedSarifResult.sarifID;
+  if (sarifID) {
+    logger.startGroup("Deleting failed SARIF upload");
+    logger.info(
+      `In test mode, therefore deleting the failed analysis to avoid impacting tool status for the Action repository. SARIF ID to delete: ${sarifID}.`,
+    );
+    const client = getApiClient();
+
+    try {
+      const repositoryNwo = parseRepositoryNwo(
+        getRequiredEnvParam("GITHUB_REPOSITORY"),
+      );
+
+      // Wait to make sure the analysis is ready for download before requesting it.
+      await delay(5000);
+
+      // Get the analysis associated with the uploaded sarif
+      const analysisInfo = await client.request(
+        "GET /repos/:owner/:repo/code-scanning/analyses?sarif_id=:sarif_id",
+        {
+          owner: repositoryNwo.owner,
+          repo: repositoryNwo.repo,
+          sarif_id: sarifID,
+        },
+      );
+
+      // Delete the analysis.
+      if (analysisInfo.data.length === 1) {
+        const analysis = analysisInfo.data[0];
+        logger.info(`Analysis ID to delete: ${analysis.id}.`);
+        try {
+          await client.request(
+            "DELETE /repos/:owner/:repo/code-scanning/analyses/:analysis_id?confirm_delete",
+            {
+              owner: repositoryNwo.owner,
+              repo: repositoryNwo.repo,
+              analysis_id: analysis.id,
+            },
+          );
+          logger.info(`Analysis deleted.`);
+        } catch (e) {
+          const origMessage = getErrorMessage(e);
+          const newMessage = origMessage.includes(
+            "No analysis found for analysis ID",
+          )
+            ? `Analysis ${analysis.id} does not exist. It was likely already deleted.`
+            : origMessage;
+          throw new Error(newMessage);
+        }
+      } else {
+        throw new Error(
+          `Expected to find exactly one analysis with sarif_id ${sarifID}. Found ${analysisInfo.data.length}.`,
+        );
+      }
+    } catch (e) {
+      throw new Error(
+        `Failed to delete uploaded SARIF analysis. Reason: ${getErrorMessage(
+          e,
+        )}`,
+      );
+    } finally {
+      logger.endGroup();
+    }
+  } else {
+    logger.warning(
+      "Could not delete the uploaded SARIF analysis because a SARIF ID wasn't provided by the API when uploading the SARIF file.",
+    );
+  }
+}

src/util.ts

@@ -624,8 +624,9 @@ export async function bundleDb(
  */
 export async function delay(
   milliseconds: number,
-  { allowProcessExit }: { allowProcessExit: boolean },
+  opts?: { allowProcessExit: boolean },
 ) {
+  const { allowProcessExit } = opts || {};
   return new Promise((resolve) => {
     const timer = setTimeout(resolve, milliseconds);
     if (allowProcessExit) {
@@ -909,6 +910,10 @@ export function wrapError(error: unknown): Error {
   return error instanceof Error ? error : new Error(String(error));
 }
 
+export function getErrorMessage(error: unknown): string {
+  return error instanceof Error ? error.toString() : String(error);
+}
+
 export function prettyPrintPack(pack: Pack) {
   return `${pack.name}${pack.version ? `@${pack.version}` : ""}${
     pack.path ? `:${pack.path}` : ""