Ensure unqualified program names are present on PATH before executing them.

src/init.ts

@@ -2,6 +2,7 @@ import * as fs from "fs";
 import * as path from "path";
 
 import * as toolrunnner from "@actions/exec/lib/toolrunner";
+import * as safeWhich from "@chrisgavin/safe-which";
 
 import * as analysisPaths from "./analysis-paths";
 import { CodeQL, setupCodeQL } from "./codeql";
@@ -172,7 +173,7 @@ export async function injectWindowsTracer(
   fs.writeFileSync(injectTracerPath, script);
 
   await new toolrunnner.ToolRunner(
-    "powershell",
+    await safeWhich.safeWhich("powershell"),
     [
       "-ExecutionPolicy",
       "Bypass",
@@ -198,9 +199,10 @@ export async function installPythonDeps(codeql: CodeQL, logger: Logger) {
   if (process.env["ImageOS"] !== undefined) {
     try {
       if (process.platform === "win32") {
-        await new toolrunnner.ToolRunner("powershell", [
-          path.join(scriptsFolder, "install_tools.ps1"),
-        ]).exec();
+        await new toolrunnner.ToolRunner(
+          await safeWhich.safeWhich("powershell"),
+          [path.join(scriptsFolder, "install_tools.ps1")]
+        ).exec();
       } else {
         await new toolrunnner.ToolRunner(
           path.join(scriptsFolder, "install_tools.sh")
@@ -221,7 +223,7 @@ export async function installPythonDeps(codeql: CodeQL, logger: Logger) {
   try {
     const script = "auto_install_packages.py";
     if (process.platform === "win32") {
-      await new toolrunnner.ToolRunner("py", [
+      await new toolrunnner.ToolRunner(await safeWhich.safeWhich("py"), [
         "-3",
         path.join(scriptsFolder, script),
         path.dirname(codeql.getPath()),