Merge branch 'main' into henrymercer/use-codeql-2.11.3

.github/workflows/__export-file-baseline-information.yml

@@ -0,0 +1,85 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Export file baseline information
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  export-file-baseline-information:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
+    name: Export file baseline information
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        CODEQL_FILE_BASELINE_INFORMATION: true
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+      env:
+        CODEQL_FILE_BASELINE_INFORMATION: true
+        TEST_MODE: true
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+    - name: Check results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        expected_baseline_languages="cpp csharp go java js python ruby"
+
+        for lang in ${expected_baseline_languages}; do
+          rule_name="${lang}/baseline/expected-extracted-files"
+          found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
+            select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
+          if [[ "${found_notification}" != "true" ]]; then
+            echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
+            exit 1
+          else
+            echo "Found notification '${rule_name}'."
+          fi
+        done
+    env:
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## [UNRELEASED]
 
 - Update default CodeQL bundle version to 2.11.3. [#1348](https://github.com/github/codeql-action/pull/1348)
+- Update the ML-powered additional query pack for JavaScript to version 0.4.0. [#1351](https://github.com/github/codeql-action/pull/1351)
 
 ## 2.1.31 - 04 Nov 2022
 

lib/analyze-action.js

@@ -42,6 +42,7 @@ const repository_1 = require("./repository");
 const trap_caching_1 = require("./trap-caching");
 const upload_lib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
+const util_1 = require("./util");
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
 async function sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger) {
@@ -238,6 +239,7 @@ async function runWrapper() {
         core.setFailed(`analyze action failed: ${error}`);
         console.log(error);
     }
+    await (0, util_1.checkForTimeout)();
 }
 void runWrapper();
 //# sourceMappingURL=analyze-action.js.map

lib/analyze.js

@@ -227,7 +227,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
     return statusReport;
     async function runInterpretResults(language, queries, sarifFile, enableDebugLogging) {
         const databasePath = util.getCodeQLDatabasePath(config, language);
-        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId);
+        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId, featureEnablement);
     }
     async function cliCanCountLoC() {
         return await util.codeQlVersionAbove(await (0, codeql_1.getCodeQL)(config.codeQLCmd), codeql_1.CODEQL_VERSION_COUNTS_LINES);

lib/codeql.js

@@ -698,7 +698,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             }
             await runTool(cmd, codeqlArgs);
         },
-        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId) {
+        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId, featureEnablement) {
             const codeqlArgs = [
                 "database",
                 "interpret-results",
@@ -721,6 +721,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 (await util.codeQlVersionAbove(this, CODEQL_VERSION_SARIF_GROUP))) {
                 codeqlArgs.push("--sarif-category", automationDetailsId);
             }
+            if (await featureEnablement.getValue(feature_flags_1.Feature.FileBaselineInformationEnabled, this)) {
+                codeqlArgs.push("--sarif-add-baseline-file-info");
+            }
             codeqlArgs.push(databasePath);
             if (querySuitePaths) {
                 codeqlArgs.push(...querySuitePaths);

lib/codeql.test.js

@@ -308,14 +308,14 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
     const runnerConstructorStub = stubToolRunnerConstructor();
     const codeqlObject = await codeql.getCodeQLForTesting();
     sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
     t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be absent, but it is present");
 });
 (0, ava_1.default)("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (t) => {
     const runnerConstructorStub = stubToolRunnerConstructor();
     const codeqlObject = await codeql.getCodeQLForTesting();
     sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
     t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be present, but it is absent");
 });
 (0, ava_1.default)("databaseInitCluster() without injected codescanning config", async (t) => {
@@ -564,6 +564,26 @@ const injectedConfigMacro = ava_1.default.macro({
         process.env["CODEQL_PASS_CONFIG_TO_CLI"] = origCODEQL_PASS_CONFIG_TO_CLI;
     }
 });
+(0, ava_1.default)("databaseInterpretResults() sets --sarif-add-baseline-file-info when feature enabled", async (t) => {
+    const runnerConstructorStub = stubToolRunnerConstructor();
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
+    // The version of CodeQL is checked separately to determine feature enablement, and does not
+    // otherwise impact this test, so set it to 0.0.0.
+    sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.FileBaselineInformationEnabled]));
+    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info should be present, but it is absent");
+});
+(0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-baseline-file-info if feature disabled", async (t) => {
+    const runnerConstructorStub = stubToolRunnerConstructor();
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
+    // The version of CodeQL is checked upstream to determine feature enablement, so it does not
+    // affect this test.
+    sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
+    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info must be absent, but it is present");
+});
 function stubToolRunnerConstructor() {
     const runnerObjectStub = sinon.createStubInstance(toolrunner.ToolRunner);
     runnerObjectStub.exec.resolves(0);

lib/config-utils.test.js

@@ -1032,6 +1032,12 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
 // Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
 // CLI 2.9.3+.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.9.3", true, undefined, "security-and-quality", "~0.3.0");
+// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL
+// CLI 2.11.3+.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.11.3", true, undefined, "security-extended", "~0.4.0");
+// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
+// CLI 2.11.3+.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.11.3", true, undefined, "security-and-quality", "~0.4.0");
 const calculateAugmentationMacro = ava_1.default.macro({
     exec: async (t, _title, rawPacksInput, rawQueriesInput, languages, expectedAugmentationProperties) => {
         const actualAugmentationProperties = configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, languages);

lib/feature-flags.js

@@ -26,6 +26,7 @@ var Feature;
 (function (Feature) {
     Feature["BypassToolcacheEnabled"] = "bypass_toolcache_enabled";
     Feature["CliConfigFileEnabled"] = "cli_config_file_enabled";
+    Feature["FileBaselineInformationEnabled"] = "file_baseline_information_enabled";
     Feature["GolangExtractionReconciliationEnabled"] = "golang_extraction_reconciliation_enabled";
     Feature["MlPoweredQueriesEnabled"] = "ml_powered_queries_enabled";
     Feature["TrapCachingEnabled"] = "trap_caching_enabled";
@@ -39,6 +40,10 @@ exports.featureConfig = {
         envVar: "CODEQL_PASS_CONFIG_TO_CLI",
         minimumVersion: "2.11.1",
     },
+    [Feature.FileBaselineInformationEnabled]: {
+        envVar: "CODEQL_FILE_BASELINE_INFORMATION",
+        minimumVersion: "2.11.3",
+    },
     [Feature.GolangExtractionReconciliationEnabled]: {
         envVar: "CODEQL_GOLANG_EXTRACTION_RECONCILIATION",
         minimumVersion: undefined,

lib/feature-flags.js.map

@@ -1 +1 @@
-{"version":3,"file":"feature-flags.js","sourceRoot":"","sources":["../src/feature-flags.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,6CAA8D;AAI9D,6CAA+B;AAM/B,IAAY,OAMX;AAND,WAAY,OAAO;IACjB,8DAAmD,CAAA;IACnD,2DAAgD,CAAA;IAChD,6FAAkF,CAAA;IAClF,iEAAsD,CAAA;IACtD,sDAA2C,CAAA;AAC7C,CAAC,EANW,OAAO,GAAP,eAAO,KAAP,eAAO,QAMlB;AAEY,QAAA,aAAa,GAGtB;IACF,CAAC,OAAO,CAAC,sBAAsB,CAAC,EAAE;QAChC,MAAM,EAAE,yBAAyB;QACjC,cAAc,EAAE,SAAS;KAC1B;IACD,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE;QAC9B,MAAM,EAAE,2BAA2B;QACnC,cAAc,EAAE,QAAQ;KACzB;IACD,CAAC,OAAO,CAAC,qCAAqC,CAAC,EAAE;QAC/C,MAAM,EAAE,yCAAyC;QACjD,cAAc,EAAE,SAAS;KAC1B;IACD,CAAC,OAAO,CAAC,uBAAuB,CAAC,EAAE;QACjC,MAAM,EAAE,2BAA2B;QACnC,cAAc,EAAE,OAAO;KACxB;IACD,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE;QAC5B,MAAM,EAAE,qBAAqB;QAC7B,cAAc,EAAE,SAAS;KAC1B;CACF,CAAC;AAUF;;;;GAIG;AACH,MAAa,QAAQ;IAGnB,YACE,aAAiC,EACjC,UAA4B,EAC5B,aAA4B,EAC5B,MAAc;QAEd,IAAI,CAAC,kBAAkB,GAAG,IAAI,kBAAkB,CAC9C,aAAa,EACb,UAAU,EACV,aAAa,EACb,MAAM,CACP,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,OAAgB,EAAE,MAAe;QAC9C,IAAI,CAAC,MAAM,IAAI,qBAAa,CAAC,OAAO,CAAC,CAAC,cAAc,EAAE;YACpD,MAAM,IAAI,KAAK,CACb,8DAA8D,OAAO,2CAA2C,CACjH,CAAC;SACH;QAED,oDAAoD;QACpD,IAAI,OAAO,KAAK,OAAO,CAAC,sBAAsB,IAAI,IAAI,CAAC,YAAY,EAAE,EAAE;YACrE,OAAO,KAAK,CAAC;SACd;QAED,MAAM,MAAM,GAAG,CACb,OAAO,CAAC,GAAG,CAAC,qBAAa,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CACjD,CAAC,iBAAiB,EAAE,CAAC;QAEtB,sFAAsF;QACtF,IAAI,MAAM,KAAK,OAAO,EAAE;YACtB,OAAO,KAAK,CAAC;SACd;QAED,yEAAyE;QACzE,MAAM,cAAc,GAAG,qBAAa,CAAC,OAAO,CAAC,CAAC,cAAc,CAAC;QAC7D,IAAI,MAAM,IAAI,cAAc,EAAE;YAC5B,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,EAAE;gBAC5D,OAAO,KAAK,CAAC;aACd;SACF;QAED,8EAA8E;QAC9E,IAAI,MAAM,KAAK,MAAM,EAAE;YACrB,OAAO,IAAI,CAAC;SACb;QAED,gDAAgD;QAChD,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;CACF;AAlED,4BAkEC;AAED,MAAM,kBAAkB;IAGtB,YACU,aAAiC,EACjC,UAA4B,EAC5B,aAA4B,EAC5B,MAAc;QAHd,kBAAa,GAAb,aAAa,CAAoB;QACjC,eAAU,GAAV,UAAU,CAAkB;QAC5B,kBAAa,GAAb,aAAa,CAAe;QAC5B,WAAM,GAAN,MAAM,CAAQ;QAEtB,IAAI;IACN,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAgB;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC7C,IAAI,QAAQ,KAAK,SAAS,EAAE;YAC1B,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,qCAAqC,OAAO,4BAA4B,CACzE,CAAC;YACF,OAAO,KAAK,CAAC;SACd;QACD,MAAM,iBAAiB,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,iBAAiB,KAAK,SAAS,EAAE;YACnC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,YAAY,OAAO,uDAAuD,CAC3E,CAAC;YACF,OAAO,KAAK,CAAC;SACd;QACD,OAAO,CAAC,CAAC,iBAAiB,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,WAAW,GACf,IAAI,CAAC,iBAAiB,IAAI,CAAC,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC;QAC3D,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC;QACrC,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,KAAK,CAAC,eAAe;QAC3B,iDAAiD;QACjD,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;YACzD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,oEAAoE,CACrE,CAAC;YACF,OAAO,EAAE,CAAC;SACX;QACD,MAAM,MAAM,GAAG,IAAA,yBAAY,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,IAAI;YACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CACnC,8DAA8D,EAC9D;gBACE,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC,KAAK;gBAC/B,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI;aAC9B,CACF,CAAC;YACF,OAAO,QAAQ,CAAC,IAAI,CAAC;SACtB;QAAC,OAAO,CAAC,EAAE;YACV,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG,EAAE;gBAC3C,IAAI,CAAC,MAAM,CAAC,OAAO,CACjB,gGAAgG;oBAC9F,oEAAoE;oBACpE,qFAAqF;oBACrF,kFAAkF,CAAC,EAAE,CACxF,CAAC;aACH;iBAAM;gBACL,kFAAkF;gBAClF,8EAA8E;gBAC9E,2FAA2F;gBAC3F,eAAe;gBACf,MAAM,IAAI,KAAK,CACb,sEAAsE,CAAC,EAAE,CAC1E,CAAC;aACH;SACF;IACH,CAAC;CACF"}
+{"version":3,"file":"feature-flags.js","sourceRoot":"","sources":["../src/feature-flags.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,6CAA8D;AAI9D,6CAA+B;AAM/B,IAAY,OAOX;AAPD,WAAY,OAAO;IACjB,8DAAmD,CAAA;IACnD,2DAAgD,CAAA;IAChD,+EAAoE,CAAA;IACpE,6FAAkF,CAAA;IAClF,iEAAsD,CAAA;IACtD,sDAA2C,CAAA;AAC7C,CAAC,EAPW,OAAO,GAAP,eAAO,KAAP,eAAO,QAOlB;AAEY,QAAA,aAAa,GAGtB;IACF,CAAC,OAAO,CAAC,sBAAsB,CAAC,EAAE;QAChC,MAAM,EAAE,yBAAyB;QACjC,cAAc,EAAE,SAAS;KAC1B;IACD,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE;QAC9B,MAAM,EAAE,2BAA2B;QACnC,cAAc,EAAE,QAAQ;KACzB;IACD,CAAC,OAAO,CAAC,8BAA8B,CAAC,EAAE;QACxC,MAAM,EAAE,kCAAkC;QAC1C,cAAc,EAAE,QAAQ;KACzB;IACD,CAAC,OAAO,CAAC,qCAAqC,CAAC,EAAE;QAC/C,MAAM,EAAE,yCAAyC;QACjD,cAAc,EAAE,SAAS;KAC1B;IACD,CAAC,OAAO,CAAC,uBAAuB,CAAC,EAAE;QACjC,MAAM,EAAE,2BAA2B;QACnC,cAAc,EAAE,OAAO;KACxB;IACD,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE;QAC5B,MAAM,EAAE,qBAAqB;QAC7B,cAAc,EAAE,SAAS;KAC1B;CACF,CAAC;AAUF;;;;GAIG;AACH,MAAa,QAAQ;IAGnB,YACE,aAAiC,EACjC,UAA4B,EAC5B,aAA4B,EAC5B,MAAc;QAEd,IAAI,CAAC,kBAAkB,GAAG,IAAI,kBAAkB,CAC9C,aAAa,EACb,UAAU,EACV,aAAa,EACb,MAAM,CACP,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,OAAgB,EAAE,MAAe;QAC9C,IAAI,CAAC,MAAM,IAAI,qBAAa,CAAC,OAAO,CAAC,CAAC,cAAc,EAAE;YACpD,MAAM,IAAI,KAAK,CACb,8DAA8D,OAAO,2CAA2C,CACjH,CAAC;SACH;QAED,oDAAoD;QACpD,IAAI,OAAO,KAAK,OAAO,CAAC,sBAAsB,IAAI,IAAI,CAAC,YAAY,EAAE,EAAE;YACrE,OAAO,KAAK,CAAC;SACd;QAED,MAAM,MAAM,GAAG,CACb,OAAO,CAAC,GAAG,CAAC,qBAAa,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CACjD,CAAC,iBAAiB,EAAE,CAAC;QAEtB,sFAAsF;QACtF,IAAI,MAAM,KAAK,OAAO,EAAE;YACtB,OAAO,KAAK,CAAC;SACd;QAED,yEAAyE;QACzE,MAAM,cAAc,GAAG,qBAAa,CAAC,OAAO,CAAC,CAAC,cAAc,CAAC;QAC7D,IAAI,MAAM,IAAI,cAAc,EAAE;YAC5B,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,EAAE;gBAC5D,OAAO,KAAK,CAAC;aACd;SACF;QAED,8EAA8E;QAC9E,IAAI,MAAM,KAAK,MAAM,EAAE;YACrB,OAAO,IAAI,CAAC;SACb;QAED,gDAAgD;QAChD,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;CACF;AAlED,4BAkEC;AAED,MAAM,kBAAkB;IAGtB,YACU,aAAiC,EACjC,UAA4B,EAC5B,aAA4B,EAC5B,MAAc;QAHd,kBAAa,GAAb,aAAa,CAAoB;QACjC,eAAU,GAAV,UAAU,CAAkB;QAC5B,kBAAa,GAAb,aAAa,CAAe;QAC5B,WAAM,GAAN,MAAM,CAAQ;QAEtB,IAAI;IACN,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAgB;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC7C,IAAI,QAAQ,KAAK,SAAS,EAAE;YAC1B,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,qCAAqC,OAAO,4BAA4B,CACzE,CAAC;YACF,OAAO,KAAK,CAAC;SACd;QACD,MAAM,iBAAiB,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,iBAAiB,KAAK,SAAS,EAAE;YACnC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,YAAY,OAAO,uDAAuD,CAC3E,CAAC;YACF,OAAO,KAAK,CAAC;SACd;QACD,OAAO,CAAC,CAAC,iBAAiB,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,WAAW,GACf,IAAI,CAAC,iBAAiB,IAAI,CAAC,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC;QAC3D,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC;QACrC,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,KAAK,CAAC,eAAe;QAC3B,iDAAiD;QACjD,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;YACzD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,oEAAoE,CACrE,CAAC;YACF,OAAO,EAAE,CAAC;SACX;QACD,MAAM,MAAM,GAAG,IAAA,yBAAY,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,IAAI;YACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CACnC,8DAA8D,EAC9D;gBACE,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC,KAAK;gBAC/B,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI;aAC9B,CACF,CAAC;YACF,OAAO,QAAQ,CAAC,IAAI,CAAC;SACtB;QAAC,OAAO,CAAC,EAAE;YACV,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG,EAAE;gBAC3C,IAAI,CAAC,MAAM,CAAC,OAAO,CACjB,gGAAgG;oBAC9F,oEAAoE;oBACpE,qFAAqF;oBACrF,kFAAkF,CAAC,EAAE,CACxF,CAAC;aACH;iBAAM;gBACL,kFAAkF;gBAClF,8EAA8E;gBAC9E,2FAA2F;gBAC3F,eAAe;gBACf,MAAM,IAAI,KAAK,CACb,sEAAsE,CAAC,EAAE,CAC1E,CAAC;aACH;SACF;IACH,CAAC;CACF"}

lib/init-action-post-helper.js

@@ -28,7 +28,7 @@ async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, p
     const logger = (0, logging_1.getActionsLogger)();
     const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
     if (config === undefined) {
-        throw new Error("Config file could not be found at expected location. Did the 'init' action fail to start?");
+        logger.warning("Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.");
     }
     // Upload appropriate Actions artifacts for debugging
     if (config === null || config === void 0 ? void 0 : config.debugMode) {

lib/init-action-post-helper.js.map

@@ -1 +1 @@
-{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAA2C;AAC3C,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB;IAExB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE;QACrB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;AACH,CAAC;AAxBD,kBAwBC"}
+{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAA2C;AAC3C,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB;IAExB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE;QACrB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;AACH,CAAC;AAxBD,kBAwBC"}

lib/util.js

@@ -22,7 +22,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isHostedRunner = exports.withTimeout = exports.tryGetFolderBytes = exports.isGoExtractionReconciliationEnabled = exports.listFolder = exports.doesDirectoryExist = exports.logCodeScanningConfigInCli = exports.useCodeScanningConfigInCli = exports.isInTestMode = exports.checkActionVersion = exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.EnvVar = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DID_AUTOBUILD_GO_ENV_VAR_NAME = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
+exports.checkForTimeout = exports.withTimeout = exports.tryGetFolderBytes = exports.isGoExtractionReconciliationEnabled = exports.listFolder = exports.doesDirectoryExist = exports.logCodeScanningConfigInCli = exports.useCodeScanningConfigInCli = exports.isInTestMode = exports.checkActionVersion = exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.EnvVar = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DID_AUTOBUILD_GO_ENV_VAR_NAME = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
+exports.isHostedRunner = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
@@ -553,7 +554,10 @@ exports.ML_POWERED_JS_QUERIES_PACK_NAME = "codeql/javascript-experimental-atm-qu
  */
 async function getMlPoweredJsQueriesPack(codeQL) {
     let version;
-    if (await codeQlVersionAbove(codeQL, "2.9.3")) {
+    if (await codeQlVersionAbove(codeQL, "2.11.3")) {
+        version = "~0.4.0";
+    }
+    else if (await codeQlVersionAbove(codeQL, "2.9.3")) {
         version = `~0.3.0`;
     }
     else if (await codeQlVersionAbove(codeQL, "2.8.4")) {
@@ -716,13 +720,21 @@ async function tryGetFolderBytes(cacheDir, logger) {
     }
 }
 exports.tryGetFolderBytes = tryGetFolderBytes;
+let hadTimeout = false;
 /**
  * Run a promise for a given amount of time, and if it doesn't resolve within
- * that time, call the provided callback and then return undefined.
+ * that time, call the provided callback and then return undefined. Due to the
+ * limitation outlined below, using this helper function is not recommended
+ * unless there is no other option for adding a timeout (e.g. the code that
+ * would need the timeout added is an external library).
  *
  * Important: This does NOT cancel the original promise, so that promise will
  * continue in the background even after the timeout has expired. If the
  * original promise hangs, then this will prevent the process terminating.
+ * If a timeout has occurred then the global hadTimeout variable will get set
+ * to true, and the caller is responsible for forcing the process to exit
+ * if this is the case by calling the `checkForTimeout` function at the end
+ * of execution.
  *
  * @param timeoutMs The timeout in milliseconds.
  * @param promise The promise to run.
@@ -738,14 +750,34 @@ async function withTimeout(timeoutMs, promise, onTimeout) {
     };
     const timeout = new Promise((resolve) => {
         setTimeout(() => {
-            if (!finished)
+            if (!finished) {
+                // Workaround: While the promise racing below will allow the main code
+                // to continue, the process won't normally exit until the asynchronous
+                // task in the background has finished. We set this variable to force
+                // an exit at the end of our code when `checkForTimeout` is called.
+                hadTimeout = true;
                 onTimeout();
+            }
             resolve(undefined);
         }, timeoutMs);
     });
     return await Promise.race([mainTask(), timeout]);
 }
 exports.withTimeout = withTimeout;
+/**
+ * Check if the global hadTimeout variable has been set, and if so then
+ * exit the process to ensure any background tasks that are still running
+ * are killed. This should be called at the end of execution if the
+ * `withTimeout` function has been used.
+ */
+async function checkForTimeout() {
+    if (hadTimeout === true) {
+        core.info("A timeout occurred, force exiting the process after 30 seconds to prevent hanging.");
+        await delay(30000);
+        process.exit();
+    }
+}
+exports.checkForTimeout = checkForTimeout;
 /**
  * This function implements a heuristic to determine whether the
  * runner we are on is hosted by GitHub. It does this by checking

pr-checks/checks/export-file-baseline-information.yml

@@ -0,0 +1,43 @@
+name: "Export file baseline information"
+description: "Tests that file baseline information is exported when the feature is enabled"
+versions: ["nightly-latest"]
+steps:
+  - uses: ./../action/init
+    with:
+      languages: javascript
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+    env:
+      CODEQL_FILE_BASELINE_INFORMATION: true
+      TEST_MODE: true
+  - name: Build code
+    shell: bash
+    run: ./build.sh
+  - uses: ./../action/analyze
+    with:
+      output: "${{ runner.temp }}/results"
+    env:
+      CODEQL_FILE_BASELINE_INFORMATION: true
+      TEST_MODE: true
+  - name: Upload SARIF
+    uses: actions/upload-artifact@v3
+    with:
+      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+      path: "${{ runner.temp }}/results/javascript.sarif"
+      retention-days: 7
+  - name: Check results
+    shell: bash
+    run: |
+      cd "$RUNNER_TEMP/results"
+      expected_baseline_languages="cpp csharp go java js python ruby"
+
+      for lang in ${expected_baseline_languages}; do
+        rule_name="${lang}/baseline/expected-extracted-files"
+        found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
+          select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
+        if [[ "${found_notification}" != "true" ]]; then
+          echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
+          exit 1
+        else
+          echo "Found notification '${rule_name}'."
+        fi
+      done

src/analyze-action.ts

@@ -27,6 +27,7 @@ import { getTotalCacheSize, uploadTrapCaches } from "./trap-caching";
 import * as upload_lib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
 import * as util from "./util";
+import { checkForTimeout } from "./util";
 
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
@@ -402,6 +403,7 @@ async function runWrapper() {
     core.setFailed(`analyze action failed: ${error}`);
     console.log(error);
   }
+  await checkForTimeout();
 }
 
 void runWrapper();

src/analyze.ts

@@ -389,7 +389,8 @@ export async function runQueries(
       addSnippetsFlag,
       threadsFlag,
       enableDebugLogging ? "-vv" : "-v",
-      automationDetailsId
+      automationDetailsId,
+      featureEnablement
     );
   }
 

src/codeql.test.ts

@@ -445,7 +445,16 @@ test("databaseInterpretResults() does not set --sarif-add-query-help for 2.7.0",
   const runnerConstructorStub = stubToolRunnerConstructor();
   const codeqlObject = await codeql.getCodeQLForTesting();
   sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
-  await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+  await codeqlObject.databaseInterpretResults(
+    "",
+    [],
+    "",
+    "",
+    "",
+    "-v",
+    "",
+    createFeatures([])
+  );
   t.false(
     runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"),
     "--sarif-add-query-help should be absent, but it is present"
@@ -456,7 +465,16 @@ test("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (
   const runnerConstructorStub = stubToolRunnerConstructor();
   const codeqlObject = await codeql.getCodeQLForTesting();
   sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
-  await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+  await codeqlObject.databaseInterpretResults(
+    "",
+    [],
+    "",
+    "",
+    "",
+    "-v",
+    "",
+    createFeatures([])
+  );
   t.true(
     runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"),
     "--sarif-add-query-help should be present, but it is absent"
@@ -846,6 +864,56 @@ test("does not use injected config", async (t: ExecutionContext<unknown>) => {
   }
 });
 
+test("databaseInterpretResults() sets --sarif-add-baseline-file-info when feature enabled", async (t) => {
+  const runnerConstructorStub = stubToolRunnerConstructor();
+  const codeqlObject = await codeql.getCodeQLForTesting();
+  // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
+  // The version of CodeQL is checked separately to determine feature enablement, and does not
+  // otherwise impact this test, so set it to 0.0.0.
+  sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+  await codeqlObject.databaseInterpretResults(
+    "",
+    [],
+    "",
+    "",
+    "",
+    "-v",
+    "",
+    createFeatures([Feature.FileBaselineInformationEnabled])
+  );
+  t.true(
+    runnerConstructorStub.firstCall.args[1].includes(
+      "--sarif-add-baseline-file-info"
+    ),
+    "--sarif-add-baseline-file-info should be present, but it is absent"
+  );
+});
+
+test("databaseInterpretResults() does not set --sarif-add-baseline-file-info if feature disabled", async (t) => {
+  const runnerConstructorStub = stubToolRunnerConstructor();
+  const codeqlObject = await codeql.getCodeQLForTesting();
+  // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
+  // The version of CodeQL is checked upstream to determine feature enablement, so it does not
+  // affect this test.
+  sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+  await codeqlObject.databaseInterpretResults(
+    "",
+    [],
+    "",
+    "",
+    "",
+    "-v",
+    "",
+    createFeatures([])
+  );
+  t.false(
+    runnerConstructorStub.firstCall.args[1].includes(
+      "--sarif-add-baseline-file-info"
+    ),
+    "--sarif-add-baseline-file-info must be absent, but it is present"
+  );
+});
+
 export function stubToolRunnerConstructor(): sinon.SinonStub<
   any[],
   toolrunner.ToolRunner

src/codeql.ts

@@ -173,7 +173,8 @@ export interface CodeQL {
     addSnippetsFlag: string,
     threadsFlag: string,
     verbosityFlag: string | undefined,
-    automationDetailsId: string | undefined
+    automationDetailsId: string | undefined,
+    featureEnablement: FeatureEnablement
   ): Promise<string>;
   /**
    * Run 'codeql database print-baseline'.
@@ -1066,7 +1067,8 @@ async function getCodeQLForCmd(
       addSnippetsFlag: string,
       threadsFlag: string,
       verbosityFlag: string,
-      automationDetailsId: string | undefined
+      automationDetailsId: string | undefined,
+      featureEnablement: FeatureEnablement
     ): Promise<string> {
       const codeqlArgs = [
         "database",
@@ -1092,6 +1094,14 @@ async function getCodeQLForCmd(
       ) {
         codeqlArgs.push("--sarif-category", automationDetailsId);
       }
+      if (
+        await featureEnablement.getValue(
+          Feature.FileBaselineInformationEnabled,
+          this
+        )
+      ) {
+        codeqlArgs.push("--sarif-add-baseline-file-info");
+      }
       codeqlArgs.push(databasePath);
       if (querySuitePaths) {
         codeqlArgs.push(...querySuitePaths);

src/config-utils.test.ts

@@ -2059,6 +2059,27 @@ test(
   "security-and-quality",
   "~0.3.0"
 );
+// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL
+// CLI 2.11.3+.
+test(
+  mlPoweredQueriesMacro,
+  "2.11.3",
+  true,
+  undefined,
+  "security-extended",
+  "~0.4.0"
+);
+
+// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
+// CLI 2.11.3+.
+test(
+  mlPoweredQueriesMacro,
+  "2.11.3",
+  true,
+  undefined,
+  "security-and-quality",
+  "~0.4.0"
+);
 
 const calculateAugmentationMacro = test.macro({
   exec: async (

src/feature-flags.ts

@@ -11,6 +11,7 @@ export interface FeatureEnablement {
 export enum Feature {
   BypassToolcacheEnabled = "bypass_toolcache_enabled",
   CliConfigFileEnabled = "cli_config_file_enabled",
+  FileBaselineInformationEnabled = "file_baseline_information_enabled",
   GolangExtractionReconciliationEnabled = "golang_extraction_reconciliation_enabled",
   MlPoweredQueriesEnabled = "ml_powered_queries_enabled",
   TrapCachingEnabled = "trap_caching_enabled",
@@ -28,6 +29,10 @@ export const featureConfig: Record<
     envVar: "CODEQL_PASS_CONFIG_TO_CLI",
     minimumVersion: "2.11.1",
   },
+  [Feature.FileBaselineInformationEnabled]: {
+    envVar: "CODEQL_FILE_BASELINE_INFORMATION",
+    minimumVersion: "2.11.3",
+  },
   [Feature.GolangExtractionReconciliationEnabled]: {
     envVar: "CODEQL_GOLANG_EXTRACTION_RECONCILIATION",
     minimumVersion: undefined,

src/init-action-post-helper.ts

@@ -13,8 +13,8 @@ export async function run(
 
   const config = await getConfig(actionsUtil.getTemporaryDirectory(), logger);
   if (config === undefined) {
-    throw new Error(
-      "Config file could not be found at expected location. Did the 'init' action fail to start?"
+    logger.warning(
+      "Debugging artifacts are unavailable since the 'init' Action failed before it could produce any."
     );
   }
 

src/util.ts

@@ -672,7 +672,9 @@ export async function getMlPoweredJsQueriesPack(
   codeQL: CodeQL
 ): Promise<string> {
   let version;
-  if (await codeQlVersionAbove(codeQL, "2.9.3")) {
+  if (await codeQlVersionAbove(codeQL, "2.11.3")) {
+    version = "~0.4.0";
+  } else if (await codeQlVersionAbove(codeQL, "2.9.3")) {
     version = `~0.3.0`;
   } else if (await codeQlVersionAbove(codeQL, "2.8.4")) {
     version = `~0.2.0`;
@@ -856,13 +858,22 @@ export async function tryGetFolderBytes(
   }
 }
 
+let hadTimeout = false;
+
 /**
  * Run a promise for a given amount of time, and if it doesn't resolve within
- * that time, call the provided callback and then return undefined.
+ * that time, call the provided callback and then return undefined. Due to the
+ * limitation outlined below, using this helper function is not recommended
+ * unless there is no other option for adding a timeout (e.g. the code that
+ * would need the timeout added is an external library).
  *
  * Important: This does NOT cancel the original promise, so that promise will
  * continue in the background even after the timeout has expired. If the
  * original promise hangs, then this will prevent the process terminating.
+ * If a timeout has occurred then the global hadTimeout variable will get set
+ * to true, and the caller is responsible for forcing the process to exit
+ * if this is the case by calling the `checkForTimeout` function at the end
+ * of execution.
  *
  * @param timeoutMs The timeout in milliseconds.
  * @param promise The promise to run.
@@ -882,7 +893,14 @@ export async function withTimeout<T>(
   };
   const timeout: Promise<undefined> = new Promise((resolve) => {
     setTimeout(() => {
-      if (!finished) onTimeout();
+      if (!finished) {
+        // Workaround: While the promise racing below will allow the main code
+        // to continue, the process won't normally exit until the asynchronous
+        // task in the background has finished. We set this variable to force
+        // an exit at the end of our code when `checkForTimeout` is called.
+        hadTimeout = true;
+        onTimeout();
+      }
       resolve(undefined);
     }, timeoutMs);
   });
@@ -890,6 +908,22 @@ export async function withTimeout<T>(
   return await Promise.race([mainTask(), timeout]);
 }
 
+/**
+ * Check if the global hadTimeout variable has been set, and if so then
+ * exit the process to ensure any background tasks that are still running
+ * are killed. This should be called at the end of execution if the
+ * `withTimeout` function has been used.
+ */
+export async function checkForTimeout() {
+  if (hadTimeout === true) {
+    core.info(
+      "A timeout occurred, force exiting the process after 30 seconds to prevent hanging."
+    );
+    await delay(30_000);
+    process.exit();
+  }
+}
+
 /**
  * This function implements a heuristic to determine whether the
  * runner we are on is hosted by GitHub. It does this by checking