robojerk/codeql-action

Merge pull request #1730 from github/update-v2.20.0-d5b7b3823

Browse source 
Merge main into releases/v2
This commit is contained in:
Angela P Wen 2023-06-13 11:22:32 -07:00 committed by GitHub
commit 6c089f53dd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
58 changed files with 138 additions and 209 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.github/workflows/__analyze-ref-input.yml generated vendored
View file

@ -85,9 +85,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__autobuild-action.yml generated vendored
View file

@ -49,9 +49,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__config-export.yml generated vendored
View file

@ -55,9 +55,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__diagnostics-export.yml generated vendored
View file

@ -61,9 +61,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__export-file-baseline-information.yml generated vendored
View file

@ -49,9 +49,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__extractor-ram-threads.yml generated vendored
View file

@ -45,9 +45,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__go-custom-queries.yml generated vendored
View file

@ -85,9 +85,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__go-tracing-autobuilder.yml generated vendored
View file

@ -71,9 +71,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__go-tracing-custom-build-steps.yml generated vendored
View file

@ -71,9 +71,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__go-tracing-legacy-workflow.yml generated vendored
View file

@ -71,9 +71,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__init-with-registries.yml generated vendored
View file

@ -62,9 +62,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__javascript-source-root.yml generated vendored
View file

@ -49,9 +49,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__ml-powered-queries.yml generated vendored
View file

@ -85,9 +85,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__multi-language-autodetect.yml generated vendored
View file

@ -71,9 +71,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__packaging-codescanning-config-inputs-js.yml generated vendored
View file

@ -61,9 +61,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View file

@ -61,9 +61,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__packaging-config-js.yml generated vendored
View file

@ -61,9 +61,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__packaging-inputs-js.yml generated vendored
View file

@ -61,9 +61,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__remote-config.yml generated vendored
View file

@ -85,9 +85,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__rubocop-multi-language.yml generated vendored
View file

@ -45,9 +45,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__ruby.yml generated vendored
View file

@ -55,9 +55,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__split-workflow.yml generated vendored
View file

@ -55,9 +55,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__submit-sarif-failure.yml generated vendored
View file

@ -49,9 +49,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__swift-custom-build.yml generated vendored
View file

@ -55,9 +55,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__test-autobuild-working-dir.yml generated vendored
View file

@ -45,9 +45,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__test-local-codeql.yml generated vendored
View file

@ -45,9 +45,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__test-proxy.yml generated vendored
View file

@ -45,9 +45,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__unset-environment.yml generated vendored
View file

@ -57,9 +57,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__upload-ref-sha-input.yml generated vendored
View file

@ -85,9 +85,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

4
.github/workflows/__with-checkout-path.yml generated vendored
View file

@ -85,9 +85,7 @@ jobs:
if: >-
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
shell: bash
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

7
CHANGELOG.md
View file

@ -1,8 +1,12 @@
# CodeQL Action Changelog
## 2.20.0 - 13 Jun 2023
- Bump the version of the Action to 2.20.0. This ensures that users who received a Dependabot upgrade to [`cdcdbb5`](https://github.com/github/codeql-action/commit/cdcdbb579706841c47f7063dda365e292e5cad7a), which was mistakenly marked as Action version 2.13.4, continue to receive updates to the CodeQL Action. Full details in [#1729](https://github.com/github/codeql-action/pull/1729)
## 2.3.6 - 01 Jun 2023
No user facing changes.
- Update default CodeQL bundle version to 2.13.3. [#1698](https://github.com/github/codeql-action/pull/1698)
## 2.3.5 - 25 May 2023
@ -18,7 +22,6 @@ No user facing changes.
- This change does not affect the majority of workflows, and we will not be changing tags for existing bundle releases.
- Some workflows with custom logic that depends on the specific format of the CodeQL bundle tag may need to be updated. For example, if your workflow matches CodeQL bundle tag names against a `codeql-bundle-yyyymmdd` pattern, you should update it to also recognize `codeql-bundle-vx.y.z` tags.
- Remove the requirement for `on.push` and `on.pull_request` to trigger on the same branches. [#1675](https://github.com/github/codeql-action/pull/1675)
- Update default CodeQL bundle version to 2.13.3. [#1698](https://github.com/github/codeql-action/pull/1698)
## 2.3.3 - 04 May 2023

69
lib/actions-util.js generated
View file

@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.getUploadValue = exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.workflowEventName = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionVersion = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
exports.getUploadValue = exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.getWorkflowEventName = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionVersion = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
const fs = __importStar(require("fs"));
const os = __importStar(require("os"));
const path = __importStar(require("path"));
@ -104,7 +104,7 @@ exports.getCommitOid = getCommitOid;
* Returns undefined if run by other triggers or the merge base cannot be determined.
*/
const determineMergeBaseCommitOid = async function () {
if (workflowEventName() !== "pull_request") {
if (getWorkflowEventName() !== "pull_request") {
return undefined;
}
const mergeSha = (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
@ -155,7 +155,7 @@ exports.determineMergeBaseCommitOid = determineMergeBaseCommitOid;
*
* This will combine the workflow path and current job name.
* Computing this the first time requires making requests to
* the github API, but after that the result will be cached.
* the GitHub API, but after that the result will be cached.
*/
async function getAnalysisKey() {
const analysisKeyEnvVar = "CODEQL_ACTION_ANALYSIS_KEY";
@ -395,7 +395,8 @@ async function sendStatusReport(statusReport) {
if ((0, util_1.isHTTPError)(e)) {
switch (e.status) {
case 403:
if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
if (getWorkflowEventName() === "push" &&
process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
core.setFailed('Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
"Uploading Code Scanning results requires write access. " +
'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
@ -428,42 +429,36 @@ async function sendStatusReport(statusReport) {
}
}
exports.sendStatusReport = sendStatusReport;
function workflowEventName() {
// If the original event is dynamic CODESCANNING_EVENT_NAME will contain the right info (push/pull_request)
if (process.env["GITHUB_EVENT_NAME"] === "dynamic") {
const value = process.env["CODESCANNING_EVENT_NAME"];
if (value === undefined || value.length === 0) {
return process.env["GITHUB_EVENT_NAME"];
}
return value;
}
return process.env["GITHUB_EVENT_NAME"];
/**
* Returns the name of the event that triggered this workflow.
*
* This will be "dynamic" for default setup workflow runs.
*/
function getWorkflowEventName() {
return (0, util_1.getRequiredEnvParam)("GITHUB_EVENT_NAME");
}
exports.workflowEventName = workflowEventName;
// Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
function workflowIsTriggeredByPushEvent() {
return workflowEventName() === "push";
}
// Is dependabot the actor that triggered the current workflow run.
function isDependabotActor() {
return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
}
// Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
// as opposed to running a remote action (i.e. when another repo references us)
exports.getWorkflowEventName = getWorkflowEventName;
/**
* Returns whether the current workflow is executing a local copy of the Action, e.g. we're running
* a workflow on the codeql-action repo itself.
*/
function isRunningLocalAction() {
const relativeScriptPath = getRelativeScriptPath();
return (relativeScriptPath.startsWith("..") || path.isAbsolute(relativeScriptPath));
}
exports.isRunningLocalAction = isRunningLocalAction;
// Get the location where the action is running from.
// This can be used to get the actions name or tell if we're running a local action.
/**
* Get the location where the Action is running from.
*
* This can be used to get the Action's name or tell if we're running a local Action.
*/
function getRelativeScriptPath() {
const runnerTemp = (0, util_1.getRequiredEnvParam)("RUNNER_TEMP");
const actionsDirectory = path.join(path.dirname(runnerTemp), "_actions");
return path.relative(actionsDirectory, __filename);
}
exports.getRelativeScriptPath = getRelativeScriptPath;
// Reads the contents of GITHUB_EVENT_PATH as a JSON object
/** Returns the contents of `GITHUB_EVENT_PATH` as a JSON object. */
function getWorkflowEvent() {
const eventJsonFile = (0, util_1.getRequiredEnvParam)("GITHUB_EVENT_PATH");
try {
@ -476,10 +471,13 @@ function getWorkflowEvent() {
function removeRefsHeadsPrefix(ref) {
return ref.startsWith("refs/heads/") ? ref.slice("refs/heads/".length) : ref;
}
// Returns whether we are analyzing the default branch for the repository.
// For cases where the repository information might not be available (e.g.,
// dynamic workflows), this can be forced by the environment variable
// CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH.
/**
* Returns whether we are analyzing the default branch for the repository.
*
* This first checks the environment variable `CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH`. This
* environment variable can be set in cases where repository information might not be available, for
* example dynamic workflows.
*/
async function isAnalyzingDefaultBranch() {
if (process.env.CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH === "true") {
return true;
@ -489,7 +487,7 @@ async function isAnalyzingDefaultBranch() {
currentRef = removeRefsHeadsPrefix(currentRef);
const event = getWorkflowEvent();
let defaultBranch = event?.repository?.default_branch;
if (process.env.GITHUB_EVENT_NAME === "schedule") {
if (getWorkflowEventName() === "schedule") {
defaultBranch = removeRefsHeadsPrefix(getRefFromEnv());
}
return currentRef === defaultBranch;
@ -524,7 +522,10 @@ async function printDebugLogs(config) {
}
}
exports.printDebugLogs = printDebugLogs;
// Parses the `upload` input into an `UploadKind`, converting unspecified and deprecated upload inputs appropriately.
/**
* Parses the `upload` input into an `UploadKind`, converting unspecified and deprecated upload
* inputs appropriately.
*/
function getUploadValue(input) {
switch (input) {
case undefined:

2
lib/actions-util.js.map
View file

File diff suppressed because one or more lines are too long

9
lib/actions-util.test.js generated
View file

@ -172,6 +172,7 @@ const util_1 = require("./util");
t.deepEqual(process.env.CODEQL_ACTION_VERSION, "1.2.3");
});
(0, ava_1.default)("isAnalyzingDefaultBranch()", async (t) => {
process.env["GITHUB_EVENT_NAME"] = "push";
process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "true";
t.deepEqual(await actionsutil.isAnalyzingDefaultBranch(), true);
process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "false";
@ -210,12 +211,4 @@ const util_1 = require("./util");
getAdditionalInputStub.restore();
});
});
(0, ava_1.default)("workflowEventName()", async (t) => {
process.env["GITHUB_EVENT_NAME"] = "push";
t.deepEqual(actionsutil.workflowEventName(), "push");
process.env["GITHUB_EVENT_NAME"] = "dynamic";
t.deepEqual(actionsutil.workflowEventName(), "dynamic");
process.env["CODESCANNING_EVENT_NAME"] = "push";
t.deepEqual(actionsutil.workflowEventName(), "push");
});
//# sourceMappingURL=actions-util.test.js.map

2
lib/actions-util.test.js.map
View file

File diff suppressed because one or more lines are too long

2
lib/analyze.js generated
View file

@ -54,7 +54,7 @@ async function setupPythonExtractor(logger, features, codeql) {
// If CODEQL_PYTHON is not set, no dependencies were installed, so we don't need to do anything
return;
}
if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallation, codeql)) {
if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallationEnabled, codeql)) {
logger.warning("We recommend that you remove the CODEQL_PYTHON environment variable from your workflow. This environment variable was originally used to specify a Python executable that included the dependencies of your Python code, however Python analysis no longer uses these dependencies." +
"\nIf you used CODEQL_PYTHON to force the version of Python to analyze as, please use CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION instead, such as 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=2.7' or 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.11'.");
return;

2
lib/analyze.js.map
View file

File diff suppressed because one or more lines are too long

2
lib/api-compatibility.json
View file

@ -1 +1 @@
{ "maximumVersion": "3.9", "minimumVersion": "3.5" }
{ "maximumVersion": "3.10", "minimumVersion": "3.6" }

4
lib/feature-flags.js generated
View file

@ -36,11 +36,11 @@ var Feature;
(function (Feature) {
Feature["CliConfigFileEnabled"] = "cli_config_file_enabled";
Feature["DisableKotlinAnalysisEnabled"] = "disable_kotlin_analysis_enabled";
Feature["DisablePythonDependencyInstallationEnabled"] = "disable_python_dependency_installation_enabled";
Feature["ExportCodeScanningConfigEnabled"] = "export_code_scanning_config_enabled";
Feature["ExportDiagnosticsEnabled"] = "export_diagnostics_enabled";
Feature["MlPoweredQueriesEnabled"] = "ml_powered_queries_enabled";
Feature["UploadFailedSarifEnabled"] = "upload_failed_sarif_enabled";
Feature["DisablePythonDependencyInstallation"] = "disable_python_dependency_installation";
})(Feature = exports.Feature || (exports.Feature = {}));
exports.featureConfig = {
[Feature.DisableKotlinAnalysisEnabled]: {
@ -73,7 +73,7 @@ exports.featureConfig = {
minimumVersion: "2.11.3",
defaultValue: true,
},
[Feature.DisablePythonDependencyInstallation]: {
[Feature.DisablePythonDependencyInstallationEnabled]: {
envVar: "CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION",
// Although the python extractor only started supporting not extracting installed
// dependencies in 2.13.1, the init-action can still benefit from not installing

2
lib/feature-flags.js.map
View file

File diff suppressed because one or more lines are too long

4
lib/init-action.js generated
View file

@ -136,7 +136,7 @@ async function run() {
(0, actions_util_1.getOptionalInput)("debug") === "true" || core.isDebug(), (0, actions_util_1.getOptionalInput)("debug-artifact-name") || util_1.DEFAULT_DEBUG_ARTIFACT_NAME, (0, actions_util_1.getOptionalInput)("debug-database-name") || util_1.DEFAULT_DEBUG_DATABASE_NAME, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), codeql, (0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), gitHubVersion, apiDetails, features, logger);
if (config.languages.includes(languages_1.Language.python) &&
(0, actions_util_1.getRequiredInput)("setup-python-dependencies") === "true") {
if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallation, codeql)) {
if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallationEnabled, codeql)) {
logger.info("Skipping python dependency installation");
}
else {
@ -176,7 +176,7 @@ async function run() {
core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
}
// Disable Python dependency extraction if feature flag set
if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallation, codeql)) {
if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallationEnabled, codeql)) {
core.exportVariable("CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION", "true");
}
const sourceRoot = path.resolve((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), (0, actions_util_1.getOptionalInput)("source-root") || "");

2
lib/init-action.js.map
View file

File diff suppressed because one or more lines are too long

2
lib/trap-caching.js generated
View file

@ -91,7 +91,7 @@ async function downloadTrapCaches(codeql, languages, logger) {
}
let baseSha = "unknown";
const eventPath = process.env.GITHUB_EVENT_PATH;
if (actionsUtil.workflowEventName() === "pull_request" &&
if (actionsUtil.getWorkflowEventName() === "pull_request" &&
eventPath !== undefined) {
const event = JSON.parse(fs.readFileSync(path.resolve(eventPath), "utf-8"));
baseSha = event.pull_request?.base?.sha || baseSha;

2
lib/trap-caching.js.map
View file

File diff suppressed because one or more lines are too long

2
lib/upload-lib.js generated
View file

@ -220,7 +220,7 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
base_ref: undefined,
base_sha: undefined,
};
if (actionsUtil.workflowEventName() === "pull_request") {
if (actionsUtil.getWorkflowEventName() === "pull_request") {
if (commitOid === util.getRequiredEnvParam("GITHUB_SHA") &&
mergeBaseCommitOid) {
// We're uploading results for the merge commit

2
lib/upload-lib.js.map
View file

File diff suppressed because one or more lines are too long

2
node_modules/.package-lock.json generated vendored
View file

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "2.3.6",
"version": "2.20.0",
"lockfileVersion": 3,
"requires": true,
"packages": {

4
package-lock.json generated
View file

@ -1,12 +1,12 @@
{
"name": "codeql",
"version": "2.3.6",
"version": "2.20.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "codeql",
"version": "2.3.6",
"version": "2.20.0",
"license": "MIT",
"dependencies": {
"@actions/artifact": "^1.1.0",

2
package.json
View file

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "2.3.6",
"version": "2.20.0",
"private": true,
"description": "CodeQL action",
"scripts": {

4
pr-checks/sync.py
View file

@ -81,9 +81,7 @@ for file in os.listdir('checks'):
'if': FoldedScalarString(textwrap.dedent('''
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211' ||
matrix.version == 'cached' ||
matrix.version == 'latest'
matrix.version == '20221211'
)
''').strip()),
'shell': 'bash',

12
src/actions-util.test.ts
View file

@ -214,6 +214,7 @@ test("initializeEnvironment", (t) => {
});
test("isAnalyzingDefaultBranch()", async (t) => {
process.env["GITHUB_EVENT_NAME"] = "push";
process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "true";
t.deepEqual(await actionsutil.isAnalyzingDefaultBranch(), true);
process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "false";
@ -264,14 +265,3 @@ test("isAnalyzingDefaultBranch()", async (t) => {
getAdditionalInputStub.restore();
});
});
test("workflowEventName()", async (t) => {
process.env["GITHUB_EVENT_NAME"] = "push";
t.deepEqual(actionsutil.workflowEventName(), "push");
process.env["GITHUB_EVENT_NAME"] = "dynamic";
t.deepEqual(actionsutil.workflowEventName(), "dynamic");
process.env["CODESCANNING_EVENT_NAME"] = "push";
t.deepEqual(actionsutil.workflowEventName(), "push");
});

69
src/actions-util.ts
View file

@ -108,7 +108,7 @@ export const getCommitOid = async function (
export const determineMergeBaseCommitOid = async function (): Promise<
string | undefined
> {
if (workflowEventName() !== "pull_request") {
if (getWorkflowEventName() !== "pull_request") {
return undefined;
}
@ -168,7 +168,7 @@ export const determineMergeBaseCommitOid = async function (): Promise<
*
* This will combine the workflow path and current job name.
* Computing this the first time requires making requests to
* the github API, but after that the result will be cached.
* the GitHub API, but after that the result will be cached.
*/
export async function getAnalysisKey(): Promise<string> {
const analysisKeyEnvVar = "CODEQL_ACTION_ANALYSIS_KEY";
@ -540,7 +540,10 @@ export async function sendStatusReport<S extends StatusReportBase>(
if (isHTTPError(e)) {
switch (e.status) {
case 403:
if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
if (
getWorkflowEventName() === "push" &&
process.env["GITHUB_ACTOR"] === "dependabot[bot]"
) {
core.setFailed(
'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
"Uploading Code Scanning results requires write access. " +
@ -576,30 +579,19 @@ export async function sendStatusReport<S extends StatusReportBase>(
}
}
export function workflowEventName() {
// If the original event is dynamic CODESCANNING_EVENT_NAME will contain the right info (push/pull_request)
if (process.env["GITHUB_EVENT_NAME"] === "dynamic") {
const value = process.env["CODESCANNING_EVENT_NAME"];
if (value === undefined || value.length === 0) {
return process.env["GITHUB_EVENT_NAME"];
}
return value;
}
return process.env["GITHUB_EVENT_NAME"];
/**
* Returns the name of the event that triggered this workflow.
*
* This will be "dynamic" for default setup workflow runs.
*/
export function getWorkflowEventName() {
return getRequiredEnvParam("GITHUB_EVENT_NAME");
}
// Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
function workflowIsTriggeredByPushEvent() {
return workflowEventName() === "push";
}
// Is dependabot the actor that triggered the current workflow run.
function isDependabotActor() {
return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
}
// Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
// as opposed to running a remote action (i.e. when another repo references us)
/**
* Returns whether the current workflow is executing a local copy of the Action, e.g. we're running
* a workflow on the codeql-action repo itself.
*/
export function isRunningLocalAction(): boolean {
const relativeScriptPath = getRelativeScriptPath();
return (
@ -607,15 +599,18 @@ export function isRunningLocalAction(): boolean {
);
}
// Get the location where the action is running from.
// This can be used to get the actions name or tell if we're running a local action.
/**
* Get the location where the Action is running from.
*
* This can be used to get the Action's name or tell if we're running a local Action.
*/
export function getRelativeScriptPath(): string {
const runnerTemp = getRequiredEnvParam("RUNNER_TEMP");
const actionsDirectory = path.join(path.dirname(runnerTemp), "_actions");
return path.relative(actionsDirectory, __filename);
}
// Reads the contents of GITHUB_EVENT_PATH as a JSON object
/** Returns the contents of `GITHUB_EVENT_PATH` as a JSON object. */
function getWorkflowEvent(): any {
const eventJsonFile = getRequiredEnvParam("GITHUB_EVENT_PATH");
try {
@ -631,10 +626,13 @@ function removeRefsHeadsPrefix(ref: string): string {
return ref.startsWith("refs/heads/") ? ref.slice("refs/heads/".length) : ref;
}
// Returns whether we are analyzing the default branch for the repository.
// For cases where the repository information might not be available (e.g.,
// dynamic workflows), this can be forced by the environment variable
// CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH.
/**
* Returns whether we are analyzing the default branch for the repository.
*
* This first checks the environment variable `CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH`. This
* environment variable can be set in cases where repository information might not be available, for
* example dynamic workflows.
*/
export async function isAnalyzingDefaultBranch(): Promise<boolean> {
if (process.env.CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH === "true") {
return true;
@ -647,7 +645,7 @@ export async function isAnalyzingDefaultBranch(): Promise<boolean> {
const event = getWorkflowEvent();
let defaultBranch = event?.repository?.default_branch;
if (process.env.GITHUB_EVENT_NAME === "schedule") {
if (getWorkflowEventName() === "schedule") {
defaultBranch = removeRefsHeadsPrefix(getRefFromEnv());
}
@ -687,7 +685,10 @@ export async function printDebugLogs(config: Config) {
export type UploadKind = "always" | "failure-only" | "never";
// Parses the `upload` input into an `UploadKind`, converting unspecified and deprecated upload inputs appropriately.
/**
* Parses the `upload` input into an `UploadKind`, converting unspecified and deprecated upload
* inputs appropriately.
*/
export function getUploadValue(input: string | undefined): UploadKind {
switch (input) {
case undefined:

5
src/analyze.ts
View file

@ -92,7 +92,10 @@ async function setupPythonExtractor(
}
if (
await features.getValue(Feature.DisablePythonDependencyInstallation, codeql)
await features.getValue(
Feature.DisablePythonDependencyInstallationEnabled,
codeql
)
) {
logger.warning(
"We recommend that you remove the CODEQL_PYTHON environment variable from your workflow. This environment variable was originally used to specify a Python executable that included the dependencies of your Python code, however Python analysis no longer uses these dependencies." +

2
src/api-compatibility.json
View file

@ -1 +1 @@
{"maximumVersion": "3.9", "minimumVersion": "3.5"}
{"maximumVersion": "3.10", "minimumVersion": "3.6"}

4
src/feature-flags.ts
View file

@ -39,11 +39,11 @@ export interface FeatureEnablement {
export enum Feature {
CliConfigFileEnabled = "cli_config_file_enabled",
DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
DisablePythonDependencyInstallationEnabled = "disable_python_dependency_installation_enabled",
ExportCodeScanningConfigEnabled = "export_code_scanning_config_enabled",
ExportDiagnosticsEnabled = "export_diagnostics_enabled",
MlPoweredQueriesEnabled = "ml_powered_queries_enabled",
UploadFailedSarifEnabled = "upload_failed_sarif_enabled",
DisablePythonDependencyInstallation = "disable_python_dependency_installation",
}
export const featureConfig: Record<
@ -81,7 +81,7 @@ export const featureConfig: Record<
minimumVersion: "2.11.3",
defaultValue: true,
},
[Feature.DisablePythonDependencyInstallation]: {
[Feature.DisablePythonDependencyInstallationEnabled]: {
envVar: "CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION",
// Although the python extractor only started supporting not extracting installed
// dependencies in 2.13.1, the init-action can still benefit from not installing

4
src/init-action.ts
View file

@ -279,7 +279,7 @@ async function run() {
) {
if (
await features.getValue(
Feature.DisablePythonDependencyInstallation,
Feature.DisablePythonDependencyInstallationEnabled,
codeql
)
) {
@ -343,7 +343,7 @@ async function run() {
// Disable Python dependency extraction if feature flag set
if (
await features.getValue(
Feature.DisablePythonDependencyInstallation,
Feature.DisablePythonDependencyInstallationEnabled,
codeql
)
) {

2
src/trap-caching.ts
View file

@ -99,7 +99,7 @@ export async function downloadTrapCaches(
let baseSha = "unknown";
const eventPath = process.env.GITHUB_EVENT_PATH;
if (
actionsUtil.workflowEventName() === "pull_request" &&
actionsUtil.getWorkflowEventName() === "pull_request" &&
eventPath !== undefined
) {
const event = JSON.parse(fs.readFileSync(path.resolve(eventPath), "utf-8"));

2
src/upload-lib.ts
View file

@ -293,7 +293,7 @@ export function buildPayload(
base_sha: undefined as undefined | string,
};
if (actionsUtil.workflowEventName() === "pull_request") {
if (actionsUtil.getWorkflowEventName() === "pull_request") {
if (
commitOid === util.getRequiredEnvParam("GITHUB_SHA") &&
mergeBaseCommitOid