robojerk/codeql-action

Merge pull request #982 from github/update-v1.1.5-5b59d878

Browse source 
Merge main into v1
This commit is contained in:
Chuan-kai Lin 2022-03-15 12:38:22 -07:00 committed by GitHub
commit 8834766498
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
57 changed files with 239 additions and 55 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.github/workflows/__analyze-ref-input.yml generated vendored
View file

@ -65,6 +65,7 @@ jobs:
- os: windows-2022
version: nightly-latest
name: "Analyze: 'ref' and 'sha' from inputs"
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__debug-artifacts.yml generated vendored
View file

@ -49,6 +49,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: Debug artifact upload
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__extractor-ram-threads.yml generated vendored
View file

@ -27,6 +27,7 @@ jobs:
- os: ubuntu-latest
version: latest
name: Extractor ram and threads options test
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__go-custom-queries.yml generated vendored
View file

@ -65,6 +65,7 @@ jobs:
- os: windows-2022
version: nightly-latest
name: 'Go: Custom queries'
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__go-custom-tracing-autobuild.yml generated vendored
View file

@ -49,6 +49,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: 'Go: Autobuild custom tracing'
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__go-custom-tracing.yml generated vendored
View file

@ -65,6 +65,7 @@ jobs:
- os: windows-2022
version: nightly-latest
name: 'Go: Custom tracing'
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__javascript-source-root.yml generated vendored
View file

@ -31,6 +31,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Custom source root
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__multi-language-autodetect.yml generated vendored
View file

@ -49,6 +49,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: Multi-language repository
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View file

@ -29,6 +29,7 @@ jobs:
- os: macos-latest
version: nightly-20210831
name: 'Packaging: Config and input'
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__packaging-config-js.yml generated vendored
View file

@ -29,6 +29,7 @@ jobs:
- os: macos-latest
version: nightly-20210831
name: 'Packaging: Config file'
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__packaging-inputs-js.yml generated vendored
View file

@ -29,6 +29,7 @@ jobs:
- os: macos-latest
version: nightly-20210831
name: 'Packaging: Action input'
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__remote-config.yml generated vendored
View file

@ -65,6 +65,7 @@ jobs:
- os: windows-2022
version: nightly-latest
name: Remote config file
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__rubocop-multi-language.yml generated vendored
View file

@ -37,6 +37,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: RuboCop multi-language
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__split-workflow.yml generated vendored
View file

@ -29,6 +29,7 @@ jobs:
- os: macos-latest
version: nightly-20210831
name: Split workflow
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__test-local-codeql.yml generated vendored
View file

@ -27,6 +27,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Local CodeQL bundle
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__test-proxy.yml generated vendored
View file

@ -27,6 +27,7 @@ jobs:
- os: ubuntu-latest
version: latest
name: Proxy test
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__test-ruby.yml generated vendored
View file

@ -37,6 +37,7 @@ jobs:
- os: macos-latest
version: nightly-latest
name: Ruby analysis
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__unset-environment.yml generated vendored
View file

@ -37,6 +37,7 @@ jobs:
- os: ubuntu-latest
version: nightly-latest
name: Test unsetting environment variables
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

1
.github/workflows/__upload-ref-sha-input.yml generated vendored
View file

@ -65,6 +65,7 @@ jobs:
- os: windows-2022
version: nightly-latest
name: "Upload-sarif: 'ref' and 'sha' from inputs"
timeout-minutes: 30
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository

2
.github/workflows/check-expected-release-files.yml vendored
View file

@ -20,6 +20,6 @@ jobs:
run: |
bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
set -x
for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz" "codeql-runner-linux" "codeql-runner-macos" "codeql-runner-win.exe"; do
for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz"; do
curl --location --fail --head --request GET "https://github.com/github/codeql-action/releases/download/$bundle_version/$expected_file" > /dev/null
done

16
.github/workflows/pr-checks.yml vendored
View file

@ -13,6 +13,7 @@ jobs:
lint-js:
name: Lint
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v2
@ -21,6 +22,7 @@ jobs:
check-js:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v2
@ -30,6 +32,7 @@ jobs:
check-node-modules:
name: Check modules up to date
runs-on: macos-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v2
@ -39,6 +42,7 @@ jobs:
verify-pr-checks:
name: Verify PR checks up to date
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v2
@ -60,6 +64,7 @@ jobs:
matrix:
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
timeout-minutes: 30
steps:
- uses: actions/checkout@v2
@ -69,6 +74,7 @@ jobs:
runner-analyze-javascript-ubuntu:
name: Runner ubuntu JS analyze
needs: [check-js, check-node-modules]
timeout-minutes: 30
runs-on: ubuntu-latest
steps:
@ -97,6 +103,7 @@ jobs:
runner-analyze-javascript-windows:
name: Runner windows JS analyze
needs: [check-js, check-node-modules]
timeout-minutes: 30
runs-on: windows-latest
steps:
@ -121,6 +128,7 @@ jobs:
runner-analyze-javascript-macos:
name: Runner macos JS analyze
needs: [check-js, check-node-modules]
timeout-minutes: 30
runs-on: macos-latest
steps:
@ -145,6 +153,7 @@ jobs:
runner-analyze-csharp-ubuntu:
name: Runner ubuntu C# analyze
needs: [check-js, check-node-modules]
timeout-minutes: 30
runs-on: ubuntu-latest
steps:
@ -184,6 +193,7 @@ jobs:
needs: [check-js, check-node-modules]
# Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
# `windows-latest`.
timeout-minutes: 30
runs-on: windows-2019
steps:
@ -228,6 +238,7 @@ jobs:
runner-analyze-csharp-macos:
name: Runner macos C# analyze
timeout-minutes: 30
needs: [check-js, check-node-modules]
runs-on: macos-latest
@ -266,6 +277,7 @@ jobs:
runner-analyze-csharp-autobuild-ubuntu:
name: Runner ubuntu autobuild C# analyze
timeout-minutes: 30
needs: [check-js, check-node-modules]
runs-on: ubuntu-latest
@ -301,6 +313,7 @@ jobs:
TEST_MODE: true
runner-analyze-csharp-autobuild-windows:
timeout-minutes: 30
name: Runner windows autobuild C# analyze
needs: [check-js, check-node-modules]
# Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
@ -343,6 +356,7 @@ jobs:
name: Runner macos autobuild C# analyze
needs: [check-js, check-node-modules]
runs-on: macos-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v2
@ -380,6 +394,7 @@ jobs:
name: Runner upload sarif
needs: [check-js, check-node-modules]
runs-on: ubuntu-latest
timeout-minutes: 30
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
@ -402,6 +417,7 @@ jobs:
name: Runner ubuntu extractor RAM and threads options
needs: [check-js, check-node-modules]
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v2

1
.github/workflows/python-deps.yml vendored
View file

@ -10,6 +10,7 @@ on:
jobs:
test-setup-python-scripts:
timeout-minutes: 30
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false

1
.github/workflows/release-runner.yml vendored
View file

@ -9,6 +9,7 @@ on:
jobs:
release-runner:
timeout-minutes: 30
runs-on: ubuntu-latest
env:
RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"

1
.github/workflows/split.yml vendored
View file

@ -26,6 +26,7 @@ on:
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 30
env:
CLI_RELEASE: "${{ github.event.inputs.cli-release }}"
RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"

1
.github/workflows/update-dependencies.yml vendored
View file

@ -6,6 +6,7 @@ on:
jobs:
update:
name: Update dependencies
timeout-minutes: 30
runs-on: macos-latest
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
steps:

1
.github/workflows/update-release-branch.yml vendored
View file

@ -9,6 +9,7 @@ on:
jobs:
update:
timeout-minutes: 30
runs-on: ubuntu-latest
if: ${{ github.repository == 'github/codeql-action' }}
steps:

2
.github/workflows/update-supported-enterprise-server-versions.yml vendored
View file

@ -6,6 +6,8 @@ on:
jobs:
update-supported-enterprise-server-versions:
name: Update Supported Enterprise Server Versions
timeout-minutes: 30
runs-on: ubuntu-latest
if: ${{ github.repository == 'github/codeql-action' }}

10
CHANGELOG.md
View file

@ -1,4 +1,12 @@
# CodeQL Action and CodeQL Runner Changelog
# CodeQL Action Changelog
## 1.1.5 - 15 Mar 2022
- Update default CodeQL bundle version to 2.8.3.
- The CodeQL runner is now deprecated and no longer being released. For more information, see [CodeQL runner deprecation](https://github.blog/changelog/2021-09-21-codeql-runner-deprecation/).
- Fix two bugs that cause action failures with GHES 3.3 or earlier. [#978](https://github.com/github/codeql-action/pull/978)
- Fix `not a permitted key` invalid requests with GHES 3.1 or earlier
- Fix `RUNNER_ARCH environment variable must be set` errors with GHES 3.3 or earlier
## 1.1.4 - 07 Mar 2022

21
CONTRIBUTING.md
View file

@ -63,7 +63,7 @@ Here are a few things you can do that will increase the likelihood of your pull
1. The first step of releasing a new version of the `codeql-action` is running the "Update release branch" workflow.
This workflow goes through the pull requests that have been merged to `main` since the last release, creates a changelog, then opens a pull request to merge the changes since the last release into the `v1` release branch.
A release is automatically started every Monday via a scheduled run of this workflow, however you can start a release manually by triggering a run via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml).
A release is automatically started every Monday via a scheduled run of this workflow, however you can start a release manually by triggering a run via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml).
1. The workflow run will open a pull request titled "Merge main into v1". Mark the pull request as [ready for review](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review) to trigger the PR checks.
1. Review the checklist items in the pull request description.
Once you've checked off all but the last of these, approve the PR and automerge it.
@ -72,6 +72,25 @@ Here are a few things you can do that will increase the likelihood of your pull
Approve the mergeback PR and automerge it. Once the mergeback has been merged into main, the release is complete.
## Keeping the PR checks up to date (admin access required)
Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred jobs that need to pass in order for a PR to turn green. Managing these PR checks manually is time consuming and complex. Here is a semi-automated approach.
To regenerate the PR jobs for the action:
1. From a terminal, run the following commands (replace `SHA` with the sha of the commit whose checks you want to use, typically this should be the latest from `main`):
```sh
SHA= ####
CHECKS="$(gh api repos/github/codeql-action/commits/${SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or . == "Update dependencies" or . == "Update Supported Enterprise Server Versions" | not)]')"
echo "{\"contexts\": ${CHECKS}}" > checks.json
gh api -X "PATCH" repos/github/codeql-action/branches/main/protection/required_status_checks --input checks.json
gh api -X "PATCH" repos/github/codeql-action/branches/v1/protection/required_status_checks --input checks.json
````
2. Go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules have been updated.
## Resources
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)

14
lib/actions-util.js generated
View file

@ -500,7 +500,6 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
core.exportVariable(sharedEnv.CODEQL_WORKFLOW_STARTED_AT, workflowStartedAt);
}
const runnerOs = (0, util_1.getRequiredEnvParam)("RUNNER_OS");
const runnerArch = (0, util_1.getRequiredEnvParam)("RUNNER_ARCH");
// If running locally then the GITHUB_ACTION_REF cannot be trusted as it may be for the previous action
// See https://github.com/actions/runner/issues/803
const actionRef = isRunningLocalAction()
@ -520,7 +519,6 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
action_started_at: actionStartedAt.toISOString(),
status,
runner_os: runnerOs,
runner_arch: runnerArch,
};
// Add optional parameters
if (cause) {
@ -539,6 +537,11 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
if (matrix) {
statusReport.matrix_vars = matrix;
}
if ("RUNNER_ARCH" in process.env) {
// RUNNER_ARCH is available only in GHES 3.4 and later
// Values other than X86, X64, ARM, or ARM64 are discarded server side
statusReport.runner_arch = process.env["RUNNER_ARCH"];
}
if (runnerOs === "Windows" || runnerOs === "macOS") {
statusReport.runner_os_release = os.release();
}
@ -559,6 +562,13 @@ const INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code sc
* Returns whether sending the status report was successful of not.
*/
async function sendStatusReport(statusReport) {
const gitHubVersion = await api.getGitHubVersionActionsOnly();
if ((0, util_1.isGitHubGhesVersionBelow)(gitHubVersion, "3.2.0")) {
// GHES 3.1 and earlier versions reject unexpected properties, which means
// that they will reject status reports with newly added properties.
// Inhibiting status reporting for GHES < 3.2 avoids such failures.
return true;
}
const statusReportJSON = JSON.stringify(statusReport);
core.debug(`Sending status report: ${statusReportJSON}`);
// If in test mode we don't want to upload the results

2
lib/actions-util.js.map
View file

File diff suppressed because one or more lines are too long

34
lib/api-client.js generated
View file

@ -22,12 +22,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.getActionsApiClient = exports.getApiClient = exports.DisallowedAPIVersionReason = void 0;
exports.getGitHubVersionActionsOnly = exports.getActionsApiClient = exports.getApiClient = exports.DisallowedAPIVersionReason = void 0;
const path = __importStar(require("path"));
const githubUtils = __importStar(require("@actions/github/lib/utils"));
const retry = __importStar(require("@octokit/plugin-retry"));
const console_log_level_1 = __importDefault(require("console-log-level"));
const actions_util_1 = require("./actions-util");
const util = __importStar(require("./util"));
const util_1 = require("./util");
// eslint-disable-next-line import/no-commonjs
const pkg = require("../package.json");
@ -57,15 +58,36 @@ function getApiUrl(githubUrl) {
url.pathname = path.join(url.pathname, "api", "v3");
return url.toString();
}
function getApiDetails() {
return {
auth: (0, actions_util_1.getRequiredInput)("token"),
url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
};
}
// Temporary function to aid in the transition to running on and off of github actions.
// Once all code has been converted this function should be removed or made canonical
// and called only from the action entrypoints.
function getActionsApiClient() {
const apiDetails = {
auth: (0, actions_util_1.getRequiredInput)("token"),
url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
};
return (0, exports.getApiClient)(apiDetails);
return (0, exports.getApiClient)(getApiDetails());
}
exports.getActionsApiClient = getActionsApiClient;
let cachedGitHubVersion = undefined;
/**
* Report the GitHub server version. This is a wrapper around
* util.getGitHubVersion() that automatically supplies GitHub API details using
* GitHub Action inputs. If you need to get the GitHub server version from the
* Runner, please call util.getGitHubVersion() instead.
*
* @returns GitHub version
*/
async function getGitHubVersionActionsOnly() {
if (!util.isActions) {
throw new Error("This getGitHubVersion() function works only in an action");
}
if (cachedGitHubVersion === undefined) {
cachedGitHubVersion = await util.getGitHubVersion(getApiDetails());
}
return cachedGitHubVersion;
}
exports.getGitHubVersionActionsOnly = getGitHubVersionActionsOnly;
//# sourceMappingURL=api-client.js.map

2
lib/api-client.js.map
View file

@ -1 +1 @@
{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,iCAAsD;AAEtD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAdW,QAAA,YAAY,gBAcvB;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;KAC9C,CAAC;IAEF,OAAO,IAAA,oBAAY,EAAC,UAAU,CAAC,CAAC;AAClC,CAAC;AAPD,kDAOC"}
{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAkD;AAClD,6CAA+B;AAC/B,iCAAqE;AAErE,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEvC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeM,MAAM,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,UAAU,IAAA,cAAO,GAAE,IAAI,GAAG,CAAC,OAAO,EAAE;QAC/C,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAdW,QAAA,YAAY,gBAcvB;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,SAAS,aAAa;IACpB,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB;IACjC,OAAO,IAAA,oBAAY,EAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAFD,kDAEC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAE/D;;;;;;;GAOG;AACI,KAAK,UAAU,2BAA2B;IAC/C,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE;QACnB,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;KAC7E;IACD,IAAI,mBAAmB,KAAK,SAAS,EAAE;QACrC,mBAAmB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,kEAQC"}

4
lib/config-utils.test.js generated
View file

@ -914,7 +914,7 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.4", true, undefined, "security-extended", undefined);
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", false, undefined, "security-extended", undefined);
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", "~0.0.2");
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", "~0.0.2");
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", "~0.1.0");
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", "~0.1.0");
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", "0.0.1");
//# sourceMappingURL=config-utils.test.js.map

2
lib/defaults.json
View file

@ -1,3 +1,3 @@
{
"bundleVersion": "codeql-bundle-20220224"
"bundleVersion": "codeql-bundle-20220311"
}

3
lib/init-action.js generated
View file

@ -22,6 +22,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
const path = __importStar(require("path"));
const core = __importStar(require("@actions/core"));
const actions_util_1 = require("./actions-util");
const api_client_1 = require("./api-client");
const codeql_1 = require("./codeql");
const feature_flags_1 = require("./feature-flags");
const init_1 = require("./init");
@ -78,7 +79,7 @@ async function run() {
externalRepoAuth: (0, actions_util_1.getOptionalInput)("external-repository-token"),
url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
};
const gitHubVersion = await (0, util_1.getGitHubVersion)(apiDetails);
const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
(0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger, util_1.Mode.actions);
const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
const featureFlags = new feature_flags_1.GitHubFeatureFlags(gitHubVersion, apiDetails, repositoryNwo, logger);

2
lib/init-action.js.map
View file

File diff suppressed because one or more lines are too long

3
lib/upload-sarif-action.js generated
View file

@ -21,6 +21,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
Object.defineProperty(exports, "__esModule", { value: true });
const core = __importStar(require("@actions/core"));
const actionsUtil = __importStar(require("./actions-util"));
const api_client_1 = require("./api-client");
const logging_1 = require("./logging");
const repository_1 = require("./repository");
const upload_lib = __importStar(require("./upload-lib"));
@ -46,7 +47,7 @@ async function run() {
auth: actionsUtil.getRequiredInput("token"),
url: (0, util_1.getRequiredEnvParam)("GITHUB_SERVER_URL"),
};
const gitHubVersion = await (0, util_1.getGitHubVersion)(apiDetails);
const gitHubVersion = await (0, api_client_1.getGitHubVersionActionsOnly)();
const uploadResult = await upload_lib.uploadFromActions(actionsUtil.getRequiredInput("sarif_file"), gitHubVersion, apiDetails, (0, logging_1.getActionsLogger)());
core.setOutput("sarif-id", uploadResult.sarifID);
if (actionsUtil.getRequiredInput("wait-for-processing") === "true") {

2
lib/upload-sarif-action.js.map
View file

@ -1 +1 @@
{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAKgB;AAEhB,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;SAC9C,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAA,uBAAgB,EAAC,UAAU,CAAC,CAAC;QAEzD,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,aAAa,EACb,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YAClE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,WAAW,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACnC,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAA2D;AAC3D,uCAA6C;AAC7C,6CAAkD;AAClD,yDAA2C;AAC3C,iCAA0E;AAE1E,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAMvC,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C;IAE1C,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,cAAc,EACd,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,GAAG,WAAW;KACf,CAAC;IACF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,UAAU,EACV,SAAS,CACV,CACF,CAAC,EACF;QACA,OAAO;KACR;IAED,IAAI;QACF,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;SAC9C,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAA,wCAA2B,GAAE,CAAC;QAE1D,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,iBAAiB,CACrD,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,aAAa,EACb,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE;YAClE,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,UAAU,EACV,IAAA,0BAAgB,GAAE,CACnB,CAAC;SACH;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;KACrE;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,cAAc,EACd,WAAW,CAAC,gBAAgB,CAAC,KAAK,CAAC,EACnC,SAAS,EACT,OAAO,EACP,KAAK,CACN,CACF,CAAC;QACF,OAAO;KACR;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

9
lib/util.js generated
View file

@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.getMlPoweredJsQueriesStatus = exports.ML_POWERED_JS_QUERIES_PACK = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
exports.getMlPoweredJsQueriesStatus = exports.ML_POWERED_JS_QUERIES_PACK = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.isGitHubGhesVersionBelow = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
const fs = __importStar(require("fs"));
const os = __importStar(require("os"));
const path = __importStar(require("path"));
@ -500,6 +500,11 @@ function isHTTPError(arg) {
return (arg === null || arg === void 0 ? void 0 : arg.status) !== undefined && Number.isInteger(arg.status);
}
exports.isHTTPError = isHTTPError;
function isGitHubGhesVersionBelow(gitHubVersion, expectedVersion) {
return (gitHubVersion.type === GitHubVariant.GHES &&
semver.lt(gitHubVersion.version, expectedVersion));
}
exports.isGitHubGhesVersionBelow = isGitHubGhesVersionBelow;
async function codeQlVersionAbove(codeql, requiredVersion) {
return semver.gte(await codeql.getVersion(), requiredVersion);
}
@ -534,7 +539,7 @@ exports.isGoodVersion = isGoodVersion;
*/
exports.ML_POWERED_JS_QUERIES_PACK = {
packName: "codeql/javascript-experimental-atm-queries",
version: "~0.0.2",
version: "~0.1.0",
};
/**
* Get information about ML-powered JS queries to populate status reports with.

2
lib/util.js.map
View file

File diff suppressed because one or more lines are too long

7
lib/util.test.js generated
View file

@ -262,4 +262,11 @@ for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
});
});
}
(0, ava_1.default)("isGitHubGhesVersionBelow", async (t) => {
t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.DOTCOM }, "3.2.0"));
t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHAE }, "3.2.0"));
t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHES, version: "3.3.0" }, "3.2.0"));
t.falsy(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHES, version: "3.2.0" }, "3.2.0"));
t.true(util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHES, version: "3.1.2" }, "3.2.0"));
});
//# sourceMappingURL=util.test.js.map

2
lib/util.test.js.map
View file

File diff suppressed because one or more lines are too long

2
node_modules/.package-lock.json generated vendored
View file

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "1.1.4",
"version": "1.1.5",
"lockfileVersion": 2,
"requires": true,
"packages": {

4
package-lock.json generated
View file

@ -1,12 +1,12 @@
{
"name": "codeql",
"version": "1.1.4",
"version": "1.1.5",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "codeql",
"version": "1.1.4",
"version": "1.1.5",
"license": "MIT",
"dependencies": {
"@actions/artifact": "^1.0.0",

4
package.json
View file

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "1.1.4",
"version": "1.1.5",
"private": true,
"description": "CodeQL action",
"scripts": {
@ -75,4 +75,4 @@
"resolutions": {
"glob-parent": ">=5.1.2"
}
}
}

1
pr-checks/sync.py
View file

@ -85,6 +85,7 @@ for file in os.listdir('checks'):
}
},
'name': checkSpecification['name'],
'timeout-minutes': 30,
'runs-on': '${{ matrix.os }}',
'steps': steps
}

2
runner/package-lock.json generated
View file

@ -1,6 +1,6 @@
{
"name": "codeql-runner",
"version": "1.1.4",
"version": "1.1.5",
"lockfileVersion": 1,
"requires": true,
"dependencies": {

4
runner/package.json
View file

@ -1,6 +1,6 @@
{
"name": "codeql-runner",
"version": "1.1.4",
"version": "1.1.5",
"private": true,
"description": "CodeQL runner",
"scripts": {
@ -14,4 +14,4 @@
"webpack": "^5.50.0",
"webpack-cli": "^4.7.2"
}
}
}

18
src/actions-util.ts
View file

@ -12,6 +12,7 @@ import * as sharedEnv from "./shared-environment";
import {
getRequiredEnvParam,
GITHUB_DOTCOM_URL,
isGitHubGhesVersionBelow,
isHTTPError,
UserError,
} from "./util";
@ -600,7 +601,7 @@ export interface StatusReportBase {
/** Action runner operating system (context runner.os). */
runner_os: string;
/** Action runner hardware architecture (context runner.arch). */
runner_arch: string;
runner_arch?: string;
/** Action runner operating system release (x.y.z from os.release()). */
runner_os_release?: string;
}
@ -651,7 +652,6 @@ export async function createStatusReportBase(
);
}
const runnerOs = getRequiredEnvParam("RUNNER_OS");
const runnerArch = getRequiredEnvParam("RUNNER_ARCH");
// If running locally then the GITHUB_ACTION_REF cannot be trusted as it may be for the previous action
// See https://github.com/actions/runner/issues/803
@ -673,7 +673,6 @@ export async function createStatusReportBase(
action_started_at: actionStartedAt.toISOString(),
status,
runner_os: runnerOs,
runner_arch: runnerArch,
};
// Add optional parameters
@ -695,6 +694,11 @@ export async function createStatusReportBase(
if (matrix) {
statusReport.matrix_vars = matrix;
}
if ("RUNNER_ARCH" in process.env) {
// RUNNER_ARCH is available only in GHES 3.4 and later
// Values other than X86, X64, ARM, or ARM64 are discarded server side
statusReport.runner_arch = process.env["RUNNER_ARCH"];
}
if (runnerOs === "Windows" || runnerOs === "macOS") {
statusReport.runner_os_release = os.release();
}
@ -723,6 +727,14 @@ const INCOMPATIBLE_MSG =
export async function sendStatusReport<S extends StatusReportBase>(
statusReport: S
): Promise<boolean> {
const gitHubVersion = await api.getGitHubVersionActionsOnly();
if (isGitHubGhesVersionBelow(gitHubVersion, "3.2.0")) {
// GHES 3.1 and earlier versions reject unexpected properties, which means
// that they will reject status reports with newly added properties.
// Inhibiting status reporting for GHES < 3.2 avoids such failures.
return true;
}
const statusReportJSON = JSON.stringify(statusReport);
core.debug(`Sending status report: ${statusReportJSON}`);
// If in test mode we don't want to upload the results

37
src/api-client.ts
View file

@ -5,7 +5,8 @@ import * as retry from "@octokit/plugin-retry";
import consoleLogLevel from "console-log-level";
import { getRequiredInput } from "./actions-util";
import { getMode, getRequiredEnvParam } from "./util";
import * as util from "./util";
import { getMode, getRequiredEnvParam, GitHubVersion } from "./util";
// eslint-disable-next-line import/no-commonjs
const pkg = require("../package.json");
@ -58,14 +59,36 @@ function getApiUrl(githubUrl: string): string {
return url.toString();
}
function getApiDetails() {
return {
auth: getRequiredInput("token"),
url: getRequiredEnvParam("GITHUB_SERVER_URL"),
};
}
// Temporary function to aid in the transition to running on and off of github actions.
// Once all code has been converted this function should be removed or made canonical
// and called only from the action entrypoints.
export function getActionsApiClient() {
const apiDetails = {
auth: getRequiredInput("token"),
url: getRequiredEnvParam("GITHUB_SERVER_URL"),
};
return getApiClient(apiDetails);
return getApiClient(getApiDetails());
}
let cachedGitHubVersion: GitHubVersion | undefined = undefined;
/**
* Report the GitHub server version. This is a wrapper around
* util.getGitHubVersion() that automatically supplies GitHub API details using
* GitHub Action inputs. If you need to get the GitHub server version from the
* Runner, please call util.getGitHubVersion() instead.
*
* @returns GitHub version
*/
export async function getGitHubVersionActionsOnly(): Promise<GitHubVersion> {
if (!util.isActions) {
throw new Error("This getGitHubVersion() function works only in an action");
}
if (cachedGitHubVersion === undefined) {
cachedGitHubVersion = await util.getGitHubVersion(getApiDetails());
}
return cachedGitHubVersion;
}

4
src/config-utils.test.ts
View file

@ -1811,7 +1811,7 @@ test(
true,
undefined,
"security-extended",
"~0.0.2"
"~0.1.0"
);
test(
mlPoweredQueriesMacro,
@ -1819,7 +1819,7 @@ test(
true,
undefined,
"security-and-quality",
"~0.0.2"
"~0.1.0"
);
test(
mlPoweredQueriesMacro,

2
src/defaults.json
View file

@ -1,3 +1,3 @@
{
"bundleVersion": "codeql-bundle-20220224"
"bundleVersion": "codeql-bundle-20220311"
}

4
src/init-action.ts
View file

@ -13,6 +13,7 @@ import {
StatusReportBase,
validateWorkflow,
} from "./actions-util";
import { getGitHubVersionActionsOnly } from "./api-client";
import { CodeQL, CODEQL_VERSION_NEW_TRACING } from "./codeql";
import * as configUtils from "./config-utils";
import { GitHubFeatureFlags } from "./feature-flags";
@ -31,7 +32,6 @@ import {
initializeEnvironment,
Mode,
checkGitHubVersionInRange,
getGitHubVersion,
codeQlVersionAbove,
enrichEnvironment,
getMemoryFlagValue,
@ -135,7 +135,7 @@ async function run() {
url: getRequiredEnvParam("GITHUB_SERVER_URL"),
};
const gitHubVersion = await getGitHubVersion(apiDetails);
const gitHubVersion = await getGitHubVersionActionsOnly();
checkGitHubVersionInRange(gitHubVersion, logger, Mode.actions);
const repositoryNwo = parseRepositoryNwo(

10
src/upload-sarif-action.ts
View file

@ -1,15 +1,11 @@
import * as core from "@actions/core";
import * as actionsUtil from "./actions-util";
import { getGitHubVersionActionsOnly } from "./api-client";
import { getActionsLogger } from "./logging";
import { parseRepositoryNwo } from "./repository";
import * as upload_lib from "./upload-lib";
import {
getGitHubVersion,
getRequiredEnvParam,
initializeEnvironment,
Mode,
} from "./util";
import { getRequiredEnvParam, initializeEnvironment, Mode } from "./util";
// eslint-disable-next-line import/no-commonjs
const pkg = require("../package.json");
@ -55,7 +51,7 @@ async function run() {
url: getRequiredEnvParam("GITHUB_SERVER_URL"),
};
const gitHubVersion = await getGitHubVersion(apiDetails);
const gitHubVersion = await getGitHubVersionActionsOnly();
const uploadResult = await upload_lib.uploadFromActions(
actionsUtil.getRequiredInput("sarif_file"),

27
src/util.test.ts
View file

@ -353,3 +353,30 @@ for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
});
});
}
test("isGitHubGhesVersionBelow", async (t) => {
t.falsy(
util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.DOTCOM }, "3.2.0")
);
t.falsy(
util.isGitHubGhesVersionBelow({ type: util.GitHubVariant.GHAE }, "3.2.0")
);
t.falsy(
util.isGitHubGhesVersionBelow(
{ type: util.GitHubVariant.GHES, version: "3.3.0" },
"3.2.0"
)
);
t.falsy(
util.isGitHubGhesVersionBelow(
{ type: util.GitHubVariant.GHES, version: "3.2.0" },
"3.2.0"
)
);
t.true(
util.isGitHubGhesVersionBelow(
{ type: util.GitHubVariant.GHES, version: "3.1.2" },
"3.2.0"
)
);
});

12
src/util.ts
View file

@ -594,6 +594,16 @@ export function isHTTPError(arg: any): arg is HTTPError {
return arg?.status !== undefined && Number.isInteger(arg.status);
}
export function isGitHubGhesVersionBelow(
gitHubVersion: GitHubVersion,
expectedVersion: string
): boolean {
return (
gitHubVersion.type === GitHubVariant.GHES &&
semver.lt(gitHubVersion.version, expectedVersion)
);
}
export async function codeQlVersionAbove(
codeql: CodeQL,
requiredVersion: string
@ -636,7 +646,7 @@ export function isGoodVersion(versionSpec: string) {
*/
export const ML_POWERED_JS_QUERIES_PACK: PackWithVersion = {
packName: "codeql/javascript-experimental-atm-queries",
version: "~0.0.2",
version: "~0.1.0",
};
/**