Merge branch 'main' into aeisenberg/specify-versions

2024-05-08 11:45:08 -07:00 · 2024-05-08 11:45:08 -07:00 · 9fba755525
commit 9fba755525
parent 43beef629f 7d9b7a1870
17 changed files with 146 additions and 67 deletions
--- a/.github/actions/release-initialise/action.yml
+++ b/.github/actions/release-initialise/action.yml
@ -18,12 +18,12 @@ runs:
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
-        python-version: 3.8
+        python-version: 3.12

    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
-        pip install PyGithub==1.55 requests
+        pip install PyGithub==2.3.0 requests
      shell: bash

    - name: Update git config
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,8 +6,13 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the

 ## [UNRELEASED]

+No user facing changes.
+
+## 3.25.4 - 08 May 2024
+
 - Update default CodeQL bundle version to 2.17.2. [#2270](https://github.com/github/codeql-action/pull/2270)
 - Add a compatibility matrix of supported CodeQL Action, CodeQL CLI, and GitHub Enterprise Server versions to the [README.md](README.md). [#2273](https://github.com/github/codeql-action/pull/2273)
+- Avoid printing out a warning for a missing `on.push` trigger when the CodeQL Action is triggered via a `workflow_call` event. [#2274](https://github.com/github/codeql-action/pull/2274)

 ## 3.25.3 - 25 Apr 2024

--- a/lib/cli-errors.js
+++ b/lib/cli-errors.js
@ -117,6 +117,7 @@ function ensureEndsInPeriod(text) {
 var CliConfigErrorCategory;
 (function (CliConfigErrorCategory) {
    CliConfigErrorCategory["ExternalRepositoryCloneFailed"] = "ExternalRepositoryCloneFailed";
+    CliConfigErrorCategory["GracefulOutOfMemory"] = "GracefulOutOfMemory";
    CliConfigErrorCategory["GradleBuildFailed"] = "GradleBuildFailed";
    CliConfigErrorCategory["IncompatibleWithActionVersion"] = "IncompatibleWithActionVersion";
    CliConfigErrorCategory["InitCalledTwice"] = "InitCalledTwice";
@ -127,6 +128,7 @@ var CliConfigErrorCategory;
    CliConfigErrorCategory["NoSourceCodeSeen"] = "NoSourceCodeSeen";
    CliConfigErrorCategory["NoSupportedBuildCommandSucceeded"] = "NoSupportedBuildCommandSucceeded";
    CliConfigErrorCategory["NoSupportedBuildSystemDetected"] = "NoSupportedBuildSystemDetected";
+    CliConfigErrorCategory["PackCannotBeFound"] = "PackCannotBeFound";
    CliConfigErrorCategory["SwiftBuildFailed"] = "SwiftBuildFailed";
    CliConfigErrorCategory["UnsupportedBuildMode"] = "UnsupportedBuildMode";
 })(CliConfigErrorCategory || (exports.CliConfigErrorCategory = CliConfigErrorCategory = {}));
@ -140,6 +142,9 @@ exports.cliErrorsConfig = {
            new RegExp("Failed to clone external Git repository"),
        ],
    },
+    [CliConfigErrorCategory.GracefulOutOfMemory]: {
+        cliErrorMessageCandidates: [new RegExp("CodeQL is out of memory.")],
+    },
    [CliConfigErrorCategory.GradleBuildFailed]: {
        cliErrorMessageCandidates: [
            new RegExp("[autobuild] FAILURE: Build failed with an exception."),
@ -195,6 +200,11 @@ exports.cliErrorsConfig = {
            new RegExp("No supported build system detected"),
        ],
    },
+    [CliConfigErrorCategory.PackCannotBeFound]: {
+        cliErrorMessageCandidates: [
+            new RegExp("Query pack .* cannot be found\\. Check the spelling of the pack\\."),
+        ],
+    },
    [CliConfigErrorCategory.SwiftBuildFailed]: {
        cliErrorMessageCandidates: [
            new RegExp("\\[autobuilder/build\\] \\[build-command-failed\\] `autobuild` failed to run the build command"),
--- a/lib/cli-errors.js.map
+++ b/lib/cli-errors.js.map
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@ -520,6 +520,8 @@ function shouldConsiderConfigurationError(processingErrors) {
 */
 function shouldConsiderInvalidRequest(processingErrors) {
    return processingErrors.every((error) => error.startsWith("rejecting SARIF") ||
+        error.startsWith("an invalid URI was provided as a SARIF location") ||
+        error.startsWith("locationFromSarifResult: expected artifact location") ||
        error.startsWith("could not convert rules: invalid security severity value, is not a number") ||
        /^SARIF URI scheme [^\s]* did not match the checkout URI scheme [^\s]*/.test(error));
 }
--- a/lib/upload-lib.js.map
+++ b/lib/upload-lib.js.map
--- a/lib/workflow.js
+++ b/lib/workflow.js
@ -35,9 +35,6 @@ const yaml = __importStar(require("js-yaml"));
 const api = __importStar(require("./api-client"));
 const environment_1 = require("./environment");
 const util_1 = require("./util");
-function isObject(o) {
-    return o !== null && typeof o === "object";
-}
 const GLOB_PATTERN = new RegExp("(\\*\\*?)");
 function escapeRegExp(string) {
    return string.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // $& means the whole matched string
@ -144,35 +141,31 @@ async function getWorkflowErrors(doc, codeql) {
            }
        }
    }
-    let missingPush = false;
-    if (doc.on === undefined) {
-        // this is not a valid config
-    }
-    else if (typeof doc.on === "string") {
-        if (doc.on === "pull_request") {
-            missingPush = true;
-        }
-    }
-    else if (Array.isArray(doc.on)) {
-        const hasPush = doc.on.includes("push");
-        const hasPullRequest = doc.on.includes("pull_request");
-        if (hasPullRequest && !hasPush) {
-            missingPush = true;
-        }
-    }
-    else if (isObject(doc.on)) {
-        const hasPush = Object.prototype.hasOwnProperty.call(doc.on, "push");
-        const hasPullRequest = Object.prototype.hasOwnProperty.call(doc.on, "pull_request");
-        if (!hasPush && hasPullRequest) {
-            missingPush = true;
-        }
-    }
-    if (missingPush) {
+    // If there is no push trigger, we will not be able to analyze the default branch.
+    // So add a warning to the user to add a push trigger.
+    // If there is a workflow_call trigger, we don't need a push trigger since we assume
+    // that the workflow_call trigger is called from a workflow that has a push trigger.
+    const hasPushTrigger = hasWorkflowTrigger("push", doc);
+    const hasPullRequestTrigger = hasWorkflowTrigger("pull_request", doc);
+    const hasWorkflowCallTrigger = hasWorkflowTrigger("workflow_call", doc);
+    if (hasPullRequestTrigger && !hasPushTrigger && !hasWorkflowCallTrigger) {
        errors.push(exports.WorkflowErrors.MissingPushHook);
    }
    return errors;
 }
 exports.getWorkflowErrors = getWorkflowErrors;
+function hasWorkflowTrigger(triggerName, doc) {
+    if (!doc.on) {
+        return false;
+    }
+    if (typeof doc.on === "string") {
+        return doc.on === triggerName;
+    }
+    if (Array.isArray(doc.on)) {
+        return doc.on.includes(triggerName);
+    }
+    return Object.prototype.hasOwnProperty.call(doc.on, triggerName);
+}
 async function validateWorkflow(codeql, logger) {
    let workflow;
    try {
--- a/lib/workflow.js.map
+++ b/lib/workflow.js.map
--- a/lib/workflow.test.js
+++ b/lib/workflow.test.js
@ -373,6 +373,29 @@ async function testLanguageAliases(t, matrixLanguages, aliases, expectedErrorMes
  on: ["push"]
  `), await (0, codeql_1.getCodeQLForTesting)()), []));
 });
+(0, ava_1.default)("getWorkflowErrors() should not report a warning if there is a workflow_call trigger", async (t) => {
+    const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
+    name: "CodeQL"
+    on:
+      workflow_call:
+    `), await (0, codeql_1.getCodeQLForTesting)());
+    t.deepEqual(...errorCodes(errors, []));
+});
+(0, ava_1.default)("getWorkflowErrors() should not report a warning if there is a workflow_call trigger as a string", async (t) => {
+    const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
+    name: "CodeQL"
+    on: workflow_call
+    `), await (0, codeql_1.getCodeQLForTesting)());
+    t.deepEqual(...errorCodes(errors, []));
+});
+(0, ava_1.default)("getWorkflowErrors() should not report a warning if there is a workflow_call trigger as an array", async (t) => {
+    const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
+    name: "CodeQL"
+    on:
+      - workflow_call
+    `), await (0, codeql_1.getCodeQLForTesting)());
+    t.deepEqual(...errorCodes(errors, []));
+});
 (0, ava_1.default)("getCategoryInputOrThrow returns category for simple workflow with category", (t) => {
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
    t.is((0, workflow_1.getCategoryInputOrThrow)(yaml.load(`
--- a/lib/workflow.test.js.map
+++ b/lib/workflow.test.js.map
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "3.25.4",
+  "version": "3.25.5",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "3.25.4",
+  "version": "3.25.5",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "3.25.4",
+      "version": "3.25.5",
      "license": "MIT",
      "dependencies": {
        "@actions/artifact": "^1.1.2",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "3.25.4",
+  "version": "3.25.5",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
--- a/src/cli-errors.ts
+++ b/src/cli-errors.ts
@ -122,6 +122,7 @@ function ensureEndsInPeriod(text: string): string {
 /** Error messages from the CLI that we consider configuration errors and handle specially. */
 export enum CliConfigErrorCategory {
  ExternalRepositoryCloneFailed = "ExternalRepositoryCloneFailed",
+  GracefulOutOfMemory = "GracefulOutOfMemory",
  GradleBuildFailed = "GradleBuildFailed",
  IncompatibleWithActionVersion = "IncompatibleWithActionVersion",
  InitCalledTwice = "InitCalledTwice",
@ -132,6 +133,7 @@ export enum CliConfigErrorCategory {
  NoSourceCodeSeen = "NoSourceCodeSeen",
  NoSupportedBuildCommandSucceeded = "NoSupportedBuildCommandSucceeded",
  NoSupportedBuildSystemDetected = "NoSupportedBuildSystemDetected",
+  PackCannotBeFound = "PackCannotBeFound",
  SwiftBuildFailed = "SwiftBuildFailed",
  UnsupportedBuildMode = "UnsupportedBuildMode",
 }
@ -156,6 +158,9 @@ export const cliErrorsConfig: Record<
      new RegExp("Failed to clone external Git repository"),
    ],
  },
+  [CliConfigErrorCategory.GracefulOutOfMemory]: {
+    cliErrorMessageCandidates: [new RegExp("CodeQL is out of memory.")],
+  },
  [CliConfigErrorCategory.GradleBuildFailed]: {
    cliErrorMessageCandidates: [
      new RegExp("[autobuild] FAILURE: Build failed with an exception."),
@ -220,6 +225,13 @@ export const cliErrorsConfig: Record<
      new RegExp("No supported build system detected"),
    ],
  },
+  [CliConfigErrorCategory.PackCannotBeFound]: {
+    cliErrorMessageCandidates: [
+      new RegExp(
+        "Query pack .* cannot be found\\. Check the spelling of the pack\\.",
+      ),
+    ],
+  },
  [CliConfigErrorCategory.SwiftBuildFailed]: {
    cliErrorMessageCandidates: [
      new RegExp(
--- a/src/upload-lib.ts
+++ b/src/upload-lib.ts
@ -775,6 +775,8 @@ function shouldConsiderInvalidRequest(processingErrors: string[]): boolean {
  return processingErrors.every(
    (error) =>
      error.startsWith("rejecting SARIF") ||
+      error.startsWith("an invalid URI was provided as a SARIF location") ||
+      error.startsWith("locationFromSarifResult: expected artifact location") ||
      error.startsWith(
        "could not convert rules: invalid security severity value, is not a number",
      ) ||
--- a/src/workflow.test.ts
+++ b/src/workflow.test.ts
@ -643,6 +643,44 @@ test("getWorkflowErrors() should not report an error if PRs are totally unconfig
  );
 });

+test("getWorkflowErrors() should not report a warning if there is a workflow_call trigger", async (t) => {
+  const errors = await getWorkflowErrors(
+    yaml.load(`
+    name: "CodeQL"
+    on:
+      workflow_call:
+    `) as Workflow,
+    await getCodeQLForTesting(),
+  );
+
+  t.deepEqual(...errorCodes(errors, []));
+});
+
+test("getWorkflowErrors() should not report a warning if there is a workflow_call trigger as a string", async (t) => {
+  const errors = await getWorkflowErrors(
+    yaml.load(`
+    name: "CodeQL"
+    on: workflow_call
+    `) as Workflow,
+    await getCodeQLForTesting(),
+  );
+
+  t.deepEqual(...errorCodes(errors, []));
+});
+
+test("getWorkflowErrors() should not report a warning if there is a workflow_call trigger as an array", async (t) => {
+  const errors = await getWorkflowErrors(
+    yaml.load(`
+    name: "CodeQL"
+    on:
+      - workflow_call
+    `) as Workflow,
+    await getCodeQLForTesting(),
+  );
+
+  t.deepEqual(...errorCodes(errors, []));
+});
+
 test("getCategoryInputOrThrow returns category for simple workflow with category", (t) => {
  process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
  t.is(
--- a/src/workflow.ts
+++ b/src/workflow.ts
@ -47,10 +47,6 @@ export interface Workflow {
  on?: string | string[] | WorkflowTriggers;
 }

-function isObject(o: unknown): o is object {
-  return o !== null && typeof o === "object";
-}
-
 const GLOB_PATTERN = new RegExp("(\\*\\*?)");

 function escapeRegExp(string) {
@ -193,39 +189,37 @@ export async function getWorkflowErrors(
    }
  }

-  let missingPush = false;
+  // If there is no push trigger, we will not be able to analyze the default branch.
+  // So add a warning to the user to add a push trigger.
+  // If there is a workflow_call trigger, we don't need a push trigger since we assume
+  // that the workflow_call trigger is called from a workflow that has a push trigger.
+  const hasPushTrigger = hasWorkflowTrigger("push", doc);
+  const hasPullRequestTrigger = hasWorkflowTrigger("pull_request", doc);
+  const hasWorkflowCallTrigger = hasWorkflowTrigger("workflow_call", doc);

-  if (doc.on === undefined) {
-    // this is not a valid config
-  } else if (typeof doc.on === "string") {
-    if (doc.on === "pull_request") {
-      missingPush = true;
-    }
-  } else if (Array.isArray(doc.on)) {
-    const hasPush = doc.on.includes("push");
-    const hasPullRequest = doc.on.includes("pull_request");
-    if (hasPullRequest && !hasPush) {
-      missingPush = true;
-    }
-  } else if (isObject(doc.on)) {
-    const hasPush = Object.prototype.hasOwnProperty.call(doc.on, "push");
-    const hasPullRequest = Object.prototype.hasOwnProperty.call(
-      doc.on,
-      "pull_request",
-    );
-
-    if (!hasPush && hasPullRequest) {
-      missingPush = true;
-    }
-  }
-
-  if (missingPush) {
+  if (hasPullRequestTrigger && !hasPushTrigger && !hasWorkflowCallTrigger) {
    errors.push(WorkflowErrors.MissingPushHook);
  }

  return errors;
 }

+function hasWorkflowTrigger(triggerName: string, doc: Workflow): boolean {
+  if (!doc.on) {
+    return false;
+  }
+
+  if (typeof doc.on === "string") {
+    return doc.on === triggerName;
+  }
+
+  if (Array.isArray(doc.on)) {
+    return doc.on.includes(triggerName);
+  }
+
+  return Object.prototype.hasOwnProperty.call(doc.on, triggerName);
+}
+
 export async function validateWorkflow(
  codeql: CodeQL,
  logger: Logger,