Merge branch 'main' into aeisenberg/enable-kotlin-tests

pr-checks/checks/build-mode-autobuild.yml

@@ -0,0 +1,29 @@
+name: "Build mode autobuild"
+description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
+operatingSystems: ["ubuntu"]
+versions: ["nightly-latest"]
+steps:
+  - name: Set up Java test repo configuration
+    run: |
+      mv * .github ../action/tests/multi-language-repo/
+      mv ../action/tests/multi-language-repo/.github/workflows .github
+      mv ../action/tests/java-repo/* .
+
+  - uses: ./../action/init
+    id: init
+    with:
+      build-mode: autobuild
+      db-location: "${{ runner.temp }}/customDbLocation"
+      languages: java
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+  - name: Validate database build mode
+    run: |
+      metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
+      build_mode=$(yq eval '.buildMode' "$metadata_path")
+      if [[ "$build_mode" != "autobuild" ]]; then
+        echo "Expected build mode to be 'autobuild' but was $build_mode"
+        exit 1
+      fi
+
+  - uses: ./../action/analyze

pr-checks/checks/build-mode-manual.yml

@@ -0,0 +1,31 @@
+name: "Build mode manual"
+description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
+operatingSystems: ["ubuntu"]
+versions: ["nightly-latest"]
+steps:
+  - uses: ./../action/init
+    id: init
+    with:
+      build-mode: manual
+      db-location: "${{ runner.temp }}/customDbLocation"
+      languages: java
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+  - name: Validate database build mode
+    run: |
+      metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
+      build_mode=$(yq eval '.buildMode' "$metadata_path")
+      if [[ "$build_mode" != "manual" ]]; then
+        echo "Expected build mode to be 'manual' but was $build_mode"
+        exit 1
+      fi
+
+  - uses: ./../action/.github/actions/setup-swift
+    with:
+      codeql-path: ${{ steps.init.outputs.codeql-path }}
+
+  - name: Build code
+    shell: bash
+    run: ./build.sh
+
+  - uses: ./../action/analyze

pr-checks/checks/build-mode-none.yml

@@ -0,0 +1,27 @@
+name: "Build mode none"
+description: "An end-to-end integration test of a Java repository built using 'build-mode: none'"
+operatingSystems: ["ubuntu"]
+versions: ["latest", "nightly-latest"]
+steps:
+  - uses: ./../action/init
+    id: init
+    with:
+      build-mode: none
+      db-location: "${{ runner.temp }}/customDbLocation"
+      languages: java
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+  - name: Validate database build mode
+    run: |
+      metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
+      build_mode=$(yq eval '.buildMode' "$metadata_path")
+      if [[ "$build_mode" != "none" ]]; then
+        echo "Expected build mode to be 'none' but was $build_mode"
+        exit 1
+      fi
+
+  # The latest nightly supports omitting the autobuild Action when the build mode is specified.
+  - uses: ./../action/autobuild
+    if: matrix.version != 'nightly-latest'
+
+  - uses: ./../action/analyze

pr-checks/checks/build-mode-rollback.yml

@@ -0,0 +1,31 @@
+name: "Build mode rollback"
+description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled."
+operatingSystems: ["ubuntu"]
+versions: ["nightly-latest"]
+env:
+  CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
+steps:
+  - name: Set up Java test repo configuration
+    run: |
+      mv * .github ../action/tests/multi-language-repo/
+      mv ../action/tests/multi-language-repo/.github/workflows .github
+      mv ../action/tests/java-repo/* .
+
+  - uses: ./../action/init
+    id: init
+    with:
+      build-mode: none
+      db-location: "${{ runner.temp }}/customDbLocation"
+      languages: java
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+  - name: Validate database build mode
+    run: |
+      metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
+      build_mode=$(yq eval '.buildMode' "$metadata_path")
+      if [[ "$build_mode" != "autobuild" ]]; then
+        echo "Expected build mode to be 'autobuild' but was $build_mode"
+        exit 1
+      fi
+
+  - uses: ./../action/analyze

pr-checks/checks/config-export.yml

@@ -1,8 +1,6 @@
 name: "Config export"
 description: "Tests that the code scanning configuration file is exported to SARIF correctly."
 versions: ["latest", "nightly-latest"]
-env:
-  CODEQL_PASS_CONFIG_TO_CLI: true
 steps:
   - uses: ./../action/init
     with:
@@ -20,7 +18,7 @@ steps:
       path: "${{ runner.temp }}/results/javascript.sarif"
       retention-days: 7
   - name: Check config properties appear in SARIF
-    uses: actions/github-script@v6
+    uses: actions/github-script@v7
     env:
       SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
     with:
@@ -35,13 +33,13 @@ steps:
           core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
         }
         if (configSummary.disableDefaultQueries !== false) {
-          core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' + 
+          core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
             `${JSON.stringify(configSummary.disableDefaultQueries)}.`);
         }
         const expectedQueries = [{ type: 'builtinSuite', uses: 'security-extended' }];
         // Use JSON.stringify to deep-equal the arrays.
         if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
-          core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` + 
+          core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
             `${JSON.stringify(configSummary.queries)}.`);
         }
         core.info('Finished config export tests.');

pr-checks/checks/config-input.yml

@@ -0,0 +1,33 @@
+name: "Config input"
+description: "Tests specifying configuration using the config input"
+operatingSystems: ["ubuntu"]
+versions: ["latest"]
+steps:
+  - name: Copy queries into workspace
+    run: |
+      cp -a ../action/queries .
+
+  - uses: ./../action/init
+    with:
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+      languages: javascript
+      build-mode: none
+      config: |
+        disable-default-queries: true
+        queries:
+          - name: Run custom query
+            uses: ./queries/default-setup-environment-variables.ql
+        paths-ignore:
+          - tests
+          - lib
+
+  - uses: ./../action/analyze
+    with:
+      output: ${{ runner.temp }}/results
+
+  - name: Check SARIF
+    uses: ./../action/.github/actions/check-sarif
+    with:
+      sarif-file: ${{ runner.temp }}/results/javascript.sarif
+      queries-run: javascript/codeql-action/default-setup-env-vars
+      queries-not-run: javascript/codeql-action/default-setup-context-properties

pr-checks/checks/cpp-deptrace-disabled.yml

@@ -0,0 +1,26 @@
+name: "C/C++: disabling autoinstalling dependencies (Linux)"
+description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works"
+operatingSystems: ["ubuntu"]
+versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with CLIs < 2.15.0
+env:
+  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
+steps:
+  - name: Test setup
+    shell: bash
+    run: |
+      cp -a ../action/tests/cpp-autobuild autobuild-dir
+  - uses: ./../action/init
+    with:
+      languages: cpp
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - uses: ./../action/autobuild
+    with:
+      working-directory: autobuild-dir
+    env:
+      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
+  - shell: bash
+    run: |
+      if ls /usr/bin/errno; then
+        echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
+        exit 1
+      fi

pr-checks/checks/cpp-deptrace-enabled-on-macos.yml

@@ -0,0 +1,28 @@
+name: "C/C++: autoinstalling dependencies is skipped (macOS)"
+description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly enabled is a no-op on macOS"
+operatingSystems: ["macos"]
+versions: ["nightly-latest"]  # This is not released yet, will come with 2.15.2
+env:
+  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
+steps:
+  - name: Test setup
+    shell: bash
+    run: |
+      cp -a ../action/tests/cpp-autobuild autobuild-dir
+  - uses: ./../action/init
+    with:
+      languages: cpp
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - uses: ./../action/autobuild
+    with:
+      working-directory: autobuild-dir
+    env:
+      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
+  - shell: bash
+    run: |
+      if ! ls /usr/bin/errno; then
+        echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
+      else
+        echo "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES should not have had any effect on macOS"
+        exit 1
+      fi

pr-checks/checks/cpp-deptrace-enabled.yml

@@ -0,0 +1,26 @@
+name: "C/C++: autoinstalling dependencies (Linux)"
+description: "Checks that running C/C++ autobuild with autoinstalling dependencies works"
+operatingSystems: ["ubuntu"]
+versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with CLIs < 2.15.0
+env:
+  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
+steps:
+  - name: Test setup
+    shell: bash
+    run: |
+      cp -a ../action/tests/cpp-autobuild autobuild-dir
+  - uses: ./../action/init
+    with:
+      languages: cpp
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - uses: ./../action/autobuild
+    with:
+      working-directory: autobuild-dir
+    env:
+      CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
+  - shell: bash
+    run: |
+      if ! ls /usr/bin/errno; then
+        echo "Did not autoinstall errno"
+        exit 1
+      fi

pr-checks/checks/diagnostics-export.yml

@@ -38,7 +38,7 @@ steps:
       path: "${{ runner.temp }}/results/javascript.sarif"
       retention-days: 7
   - name: Check diagnostics appear in SARIF
-    uses: actions/github-script@v6
+    uses: actions/github-script@v7
     env:
       SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
     with:
@@ -66,7 +66,7 @@ steps:
           core.setFailed(
             'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
               `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
-              `${statusPageNotifications.length}. All notification reporting descriptors: ` + 
+              `${statusPageNotifications.length}. All notification reporting descriptors: ` +
               `${JSON.stringify(toolExecutionNotifications)}.`
           );
         }

pr-checks/checks/export-file-baseline-information.yml

@@ -1,14 +1,14 @@
 name: "Export file baseline information"
 description: "Tests that file baseline information is exported when the feature is enabled"
 versions: ["nightly-latest"]
+env:
+  CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
 steps:
   - uses: ./../action/init
     id: init
     with:
       languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
-    env:
-      CODEQL_FILE_BASELINE_INFORMATION: true
   - uses: ./../action/.github/actions/setup-swift
     with:
       codeql-path: ${{ steps.init.outputs.codeql-path }}
@@ -18,8 +18,6 @@ steps:
   - uses: ./../action/analyze
     with:
       output: "${{ runner.temp }}/results"
-    env:
-      CODEQL_FILE_BASELINE_INFORMATION: true
   - name: Upload SARIF
     uses: actions/upload-artifact@v3
     with:
@@ -30,13 +28,13 @@ steps:
     shell: bash
     run: |
       cd "$RUNNER_TEMP/results"
-      expected_baseline_languages="cpp cs go java js py rb"
+      expected_baseline_languages="c csharp go java kotlin javascript python ruby"
       if [[ $RUNNER_OS != "Windows" ]]; then
         expected_baseline_languages+=" swift"
       fi
 
       for lang in ${expected_baseline_languages}; do
-        rule_name="${lang}/baseline/expected-extracted-files"
+        rule_name="cli/expected-extracted-files/${lang}"
         found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
           select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
         if [[ "${found_notification}" != "true" ]]; then

pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml

@@ -5,7 +5,7 @@ operatingSystems: ["ubuntu"]
 # pinned to a version which does not support statically linked binaries for indirect tracing
 versions: ["stable-v2.14.6"]
 steps:
-  - uses: actions/setup-go@v4
+  - uses: actions/setup-go@v5
     with:
       # We need a Go version that ships with statically linked binaries on Linux
       go-version: ">=1.21.0"
@@ -14,7 +14,7 @@ steps:
       languages: go
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   # Deliberately change Go after the `init` step
-  - uses: actions/setup-go@v4
+  - uses: actions/setup-go@v5
     with:
       go-version: "1.20"
   - name: Build code
@@ -25,7 +25,7 @@ steps:
       output: "${{ runner.temp }}/results"
       upload-database: false
   - name: Check diagnostic appears in SARIF
-    uses: actions/github-script@v6
+    uses: actions/github-script@v7
     env:
       SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
     with:

pr-checks/checks/go-indirect-tracing-workaround.yml

@@ -5,7 +5,7 @@ operatingSystems: ["ubuntu"]
 # pinned to a version which does not support statically linked binaries for indirect tracing
 versions: ["stable-v2.14.6"]
 steps:
-  - uses: actions/setup-go@v4
+  - uses: actions/setup-go@v5
     with:
       # We need a Go version that ships with statically linked binaries on Linux
       go-version: ">=1.21.0"

pr-checks/checks/go-tracing-autobuilder.yml

@@ -4,9 +4,12 @@ operatingSystems: ["ubuntu", "macos"]
 env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
-  - uses: actions/setup-go@v4
+  - uses: actions/setup-go@v5
     with:
-      go-version: "~1.21.1"
+      go-version: "~1.22.0"
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
+      cache: false
   - uses: ./../action/init
     with:
       languages: go

pr-checks/checks/go-tracing-custom-build-steps.yml

@@ -2,9 +2,12 @@ name: "Go: tracing with custom build steps"
 description: "Checks that Go tracing traces the build when using custom build steps"
 operatingSystems: ["ubuntu", "macos"]
 steps:
-  - uses: actions/setup-go@v4
+  - uses: actions/setup-go@v5
     with:
-      go-version: "~1.21.1"
+      go-version: "~1.22.0"
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
+      cache: false
   - uses: ./../action/init
     with:
       languages: go

pr-checks/checks/go-tracing-legacy-workflow.yml

@@ -4,9 +4,12 @@ operatingSystems: ["ubuntu", "macos"]
 env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
-  - uses: actions/setup-go@v4
+  - uses: actions/setup-go@v5
     with:
-      go-version: "~1.21.1"
+      go-version: "~1.22.0"
+      # to avoid potentially misleading autobuilder results where we expect it to download
+      # dependencies successfully, but they actually come from a warm cache
+      cache: false
   - uses: ./../action/init
     with:
       languages: go

pr-checks/checks/multi-language-autodetect.yml

@@ -61,8 +61,8 @@ steps:
       fi
 
   - name: Check language autodetect for Swift
-    if: >- 
-      env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' || 
+    if: >-
+      env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' ||
           (runner.os != 'Windows' && matrix.version == 'nightly-latest')
     shell: bash
     run: |

pr-checks/checks/packaging-codescanning-config-inputs-js.yml

@@ -1,10 +1,6 @@
 name: "Packaging: Config and input passed to the CLI"
 description: "Checks that specifying packages using a combination of a config file and input to the Action works"
 versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with old CLIs
-
-env:
-  CODEQL_PASS_CONFIG_TO_CLI: true
-
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/with-checkout-path.yml

@@ -1,29 +1,35 @@
 name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
+versions: ["latest"]
 steps:
+  # This ensures we don't accidentally use the original checkout for any part of the test.
+  - name: Delete original checkout
+    shell: bash
+    run: |
+      # delete the original checkout so we don't accidentally use it.
+      # Actions does not support deleting the current working directory, so we
+      # delete the contents of the directory instead.
+      rm -rf ./* .github .git
   # Check out the actions repo again, but at a different location.
   # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
   - uses: actions/checkout@v4
     with:
       ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
       path: x/y/z/some-path
+
   - uses: ./../action/init
     with:
       tools: ${{ steps.prepare-test.outputs.tools-url }}
       # it's enough to test one compiled language and one interpreted language
       languages: csharp,javascript
-      source-path: x/y/z/some-path/tests/multi-language-repo
-      debug: true
-  - name: Build code (non-windows)
+      source-root: x/y/z/some-path/tests/multi-language-repo
+
+  - name: Build code
     shell: bash
-    if: ${{ runner.os != 'Windows' }}
+    working-directory: x/y/z/some-path/tests/multi-language-repo
     run: |
-      $CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
-  - name: Build code (windows)
-    shell: bash
-    if: ${{ runner.os == 'Windows' }}
-    run: |
-      x/y/z/some-path/tests/multi-language-repo/build.sh
+      ./build.sh
+
   - uses: ./../action/analyze
     with:
       checkout_path: x/y/z/some-path/tests/multi-language-repo