From e74e30ba7f608759eec402c879f5239615c36a9b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 12 Jun 2025 00:17:16 +0000 Subject: [PATCH 01/27] Update supported GitHub Enterprise Server versions --- lib/api-compatibility.json | 2 +- src/api-compatibility.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/api-compatibility.json b/lib/api-compatibility.json index 6dabeea1c..58f645ff2 100644 --- a/lib/api-compatibility.json +++ b/lib/api-compatibility.json @@ -1 +1 @@ -{ "maximumVersion": "3.18", "minimumVersion": "3.13" } +{ "maximumVersion": "3.18", "minimumVersion": "3.14" } diff --git a/src/api-compatibility.json b/src/api-compatibility.json index efa09acf9..cb3dd14fa 100644 --- a/src/api-compatibility.json +++ b/src/api-compatibility.json @@ -1 +1 @@ -{"maximumVersion": "3.18", "minimumVersion": "3.13"} +{"maximumVersion": "3.18", "minimumVersion": "3.14"} From 6b9b66d6f90dfbf3e390320ba7ce48abfda4b709 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 12:31:06 +0100 Subject: [PATCH 02/27] Add workflow for updating release used by `start-proxy` --- .github/workflows/update-proxy-release.yml | 72 ++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 .github/workflows/update-proxy-release.yml diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml new file mode 100644 index 000000000..b62074228 --- /dev/null +++ b/.github/workflows/update-proxy-release.yml 
@@ -0,0 +1,72 @@ +name: Update dependency proxy release assets +on: + workflow_dispatch: + inputs: + tag: + description: "The tag of CodeQL Bundle release that contains the proxy binaries as release assets" + type: string + required: true + +jobs: + update: + name: Update code and create PR + timeout-minutes: 15 + runs-on: macos-latest + permissions: + contents: write # needed to push the updated files + pull-requests: write # needed to create the PR + steps: + - name: Install Node + uses: actions/setup-node@v4 + + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 # ensure we have all tags and can push commits + + - name: Update git config + shell: bash + run: | + git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" + git config --global user.name "github-actions[bot]" + + - name: Update release tag and version + shell: bash + run: | + NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache + sed -i '' 's|https://github.com/github/codeql-action/releases/download/codeql-bundle-[0-9.]*/|https://github.com/github/codeql-action/releases/download/${{ inputs.tag }}/|g' ./src/start-proxy-action.ts + sed -i '' "s/\"v2.0.[0-9]*\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts + + - name: Push changes and open PR + shell: bash + env: + BRANCH: "dependency-proxy/${{ inputs.tag }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + set -exu + pr_title="Update release used by `start-proxy` to ${{ inputs.tag }}" + pr_body=$(cat << EOF + This PR updates the `start-proxy` action to use the private registry proxy binaries that + are attached as release assets to the `${{ inputs.tag }}` release. + + + Please do the following before merging: + + - [ ] Verify that the changes to the code are correct. 
+ EOF + ) + + git checkout -b "$BRANCH" + + npm run build + git add ./src/start-proxy-action.ts + git add ./lib + git commit -m "$pr_title" + + git push origin "$BRANCH" + gh pr create \ + --head "$BRANCH" \ + --base "main" \ + --title "${pr_title}" \ + --body "${pr_body}" \ + --draft From 0180811a94de059a9420a522e8068d61e99a1ccf Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 12:34:21 +0100 Subject: [PATCH 03/27] Use environment variable to store release tag --- .github/workflows/update-proxy-release.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index b62074228..f5b21d6a2 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -15,6 +15,8 @@ jobs: permissions: contents: write # needed to push the updated files pull-requests: write # needed to create the PR + env: + RELEASE_TAG: ${{ inputs.tag }} steps: - name: Install Node uses: actions/setup-node@v4 
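Review bot: In the workflow added by patch 02/27, `${{ inputs.tag }}` is expanded inside the `run:` scripts (the first `sed` command, `pr_title` and the `pr_body` heredoc), so whatever is typed into the dispatch form becomes shell source in a job that holds `contents: write` and `pull-requests: write`. Bind the input once under `env:` (`RELEASE_TAG: ${{ inputs.tag }}`), refer to it as `"$RELEASE_TAG"`, and reject anything that is not a bundle tag before the first step that uses it. The backticks around `start-proxy` in the double-quoted `pr_title` and in the unquoted `<< EOF` heredoc are evaluated as command substitution rather than kept as Markdown, so each one needs a backslash in front of it. Independently, `actions/setup-node@v4` and `actions/checkout@v4` are mutable tags; pinning them to a full commit SHA (`uses: actions/checkout@<full-commit-sha> # v4`) fixes which code this write-scoped job runs.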
@@ -34,20 +36,20 @@ jobs: shell: bash run: | NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache - sed -i '' 's|https://github.com/github/codeql-action/releases/download/codeql-bundle-[0-9.]*/|https://github.com/github/codeql-action/releases/download/${{ inputs.tag }}/|g' ./src/start-proxy-action.ts + sed -i '' "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-[0-9.]*/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts sed -i '' "s/\"v2.0.[0-9]*\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts - name: Push changes and open PR shell: bash env: - BRANCH: "dependency-proxy/${{ inputs.tag }}" + BRANCH: "dependency-proxy/$RELEASE_TAG" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: | set -exu - pr_title="Update release used by `start-proxy` to ${{ inputs.tag }}" + pr_title="Update release used by `start-proxy` to $RELEASE_TAG" pr_body=$(cat << EOF This PR updates the `start-proxy` action to use the private registry proxy binaries that - are attached as release assets to the `${{ inputs.tag }}` release. + are attached as release assets to the `$RELEASE_TAG` release. Please do the following before merging: From e8ad3afb1e33fc0b34c9b187e43d9635c46baeb9 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 12:34:52 +0100 Subject: [PATCH 04/27] Add `push` trigger for testing --- .github/workflows/update-proxy-release.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index f5b21d6a2..61d88cc53 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -1,5 +1,8 @@ name: Update dependency proxy release assets on: + push: + branches: + - mbg/update-proxy-binaries # for testing workflow_dispatch: inputs: tag: 
@@ -16,7 +19,7 @@ jobs: contents: write # needed to push the updated files pull-requests: write # needed to create the PR env: - RELEASE_TAG: ${{ inputs.tag }} + RELEASE_TAG: ${{ inputs.tag || 'codeql-bundle-v2.22.0' }} steps: - name: Install Node uses: actions/setup-node@v4 From 286556a968509349a3a7977161db2bca69e26c15 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 12:41:56 +0100 Subject: [PATCH 05/27] Fix `pr_title` quotes --- .github/workflows/update-proxy-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index 61d88cc53..d131eb869 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -49,7 +49,7 @@ jobs: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: | set -exu - pr_title="Update release used by `start-proxy` to $RELEASE_TAG" + pr_title="Update release used by \`start-proxy\` to $RELEASE_TAG" pr_body=$(cat << EOF This PR updates the `start-proxy` action to use the private registry proxy binaries that are attached as release assets to the `$RELEASE_TAG` release. From 7ca4105454aaf9bea30f2835db61d9add8898772 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 12:45:06 +0100 Subject: [PATCH 06/27] Fix branch name --- .github/workflows/update-proxy-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index d131eb869..a3363b21a 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -45,7 +45,7 @@ jobs: - name: Push changes and open PR shell: bash env: - BRANCH: "dependency-proxy/$RELEASE_TAG" + BRANCH: "dependency-proxy/${{ env.RELEASE_TAG }}" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: | set -exu From 37a3fcc3af9cf362bf9cda779104e04e7b74db9d Mon Sep 17 00:00:00 2001 
From: "Michael B. Gale" Date: Mon, 23 Jun 2025 12:45:26 +0100 Subject: [PATCH 07/27] Improve PR title formatting --- .github/workflows/update-proxy-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index a3363b21a..c414a1c24 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -49,7 +49,7 @@ jobs: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: | set -exu - pr_title="Update release used by \`start-proxy\` to $RELEASE_TAG" + pr_title="Update release used by \`start-proxy\` to \`$RELEASE_TAG\`" pr_body=$(cat << EOF This PR updates the `start-proxy` action to use the private registry proxy binaries that are attached as release assets to the `$RELEASE_TAG` release. From c55fb0ab89a8b55674f0ae2704641f4d17361e9e Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 12:46:30 +0100 Subject: [PATCH 08/27] Fix `pr_body` contents --- .github/workflows/update-proxy-release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index c414a1c24..cda32086f 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -51,13 +51,13 @@ jobs: set -exu pr_title="Update release used by \`start-proxy\` to \`$RELEASE_TAG\`" pr_body=$(cat << EOF - This PR updates the `start-proxy` action to use the private registry proxy binaries that - are attached as release assets to the `$RELEASE_TAG` release. + This PR updates the \`start-proxy\` action to use the private registry proxy binaries that + are attached as release assets to the \`$RELEASE_TAG\` release. Please do the following before merging: - - [ ] Verify that the changes to the code are correct. + - [ ] Verify that the changes to the code are correct. EOF ) 
From fcd0ad43d517b69a96cfa8cf0dfaf1470d3f6cb3 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 12:47:58 +0100 Subject: [PATCH 09/27] Start with `main` --- .github/workflows/update-proxy-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index cda32086f..96e42b9e2 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -28,6 +28,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 # ensure we have all tags and can push commits + ref: main - name: Update git config shell: bash From 46cafbca67362b3679572f160b23571248a1456b Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 12:56:13 +0100 Subject: [PATCH 10/27] Add missing `v` to regex --- .github/workflows/update-proxy-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index 96e42b9e2..5cc07072d 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -40,7 +40,7 @@ jobs: shell: bash run: | NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache - sed -i '' "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-[0-9.]*/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts + sed -i '' "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]*/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts sed -i '' "s/\"v2.0.[0-9]*\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts - name: Push changes and open PR From e044b152ab374f73f124eca93fbcac405ca7dc01 Mon Sep 17 00:00:00 2001 
From: "Michael B. Gale" Date: Mon, 23 Jun 2025 14:49:06 +0100 Subject: [PATCH 11/27] Check that the release tag has the expected format --- .github/workflows/update-proxy-release.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index 5cc07072d..09320570b 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -21,6 +21,14 @@ jobs: env: RELEASE_TAG: ${{ inputs.tag || 'codeql-bundle-v2.22.0' }} steps: + - name: Check release tag format + shell: bash + run: | + if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo "Invalid release tag: expected a CodeQL bundle tag in the 'codeql-bundle-vM.N.P' format." + exit 1 + fi + - name: Install Node uses: actions/setup-node@v4 @@ -40,8 +48,8 @@ jobs: shell: bash run: | NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache - sed -i '' "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]*/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts - sed -i '' "s/\"v2.0.[0-9]*\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts + sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts + sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts - name: Push changes and open PR shell: bash From cce0287569a34dbba8933e3b66b47a357b218d6c Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 14:55:54 +0100 Subject: [PATCH 12/27] Check that the release exists --- .github/workflows/update-proxy-release.yml | 7 +++++++ 1 file changed, 7 insertions(+) 
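Review bot: Neither `sed -i` call in the `Update release tag and version` step (second hunk of patch 11/27) checks that its pattern matched, and `sed` exits 0 when it rewrites nothing, so a change in how the constants are written could leave the old download URL in place while the timestamped version is still bumped and the job goes on to commit. Patch 10/27 had to add a missing `v` to this same pattern, which is exactly that failure mode. Add a post-condition after the two commands, for example `grep -qF "/releases/download/$RELEASE_TAG/" ./src/start-proxy-action.ts || { echo "URL prefix was not updated"; exit 1; }`. The dots in `v2.0.` are also unescaped in the second pattern and match any character; `v2\.0\.` states the intent. The rest of the step lies outside the hunk.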
diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index 09320570b..9d9d9f4cb 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -29,6 +29,13 @@ jobs: exit 1 fi + - name: Check that the release exists + shell: bash + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + (gh release view --repo ${{ github.event.repository.full_name }} --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1 + - name: Install Node uses: actions/setup-node@v4 From 9ee60a6e32f5a5a81bf2e3a9fa596cdfc71feccb Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 14:58:00 +0100 Subject: [PATCH 13/27] Run on Ubuntu --- .github/workflows/update-proxy-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index 9d9d9f4cb..82d479824 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -14,7 +14,7 @@ jobs: update: name: Update code and create PR timeout-minutes: 15 - runs-on: macos-latest + runs-on: ubuntu-latest permissions: contents: write # needed to push the updated files pull-requests: write # needed to create the PR From 6a3692d673d8a04b729a8468fd331197ea69aea6 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 15:00:45 +0100 Subject: [PATCH 14/27] Construct target branch name in `checks` step --- .github/workflows/update-proxy-release.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index 82d479824..b945a01f0 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml 
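Review bot: The `Check that the release exists` step added in patch 12/27 requests `--json "assets"` but never inspects the result, so a release that has the right tag but no proxy binaries attached still passes, and the generated PR would point `start-proxy` at a download prefix with nothing behind it. Filter the asset names and fail when an expected file is missing, e.g. `gh release view ... --json assets --jq '.assets[].name' "$RELEASE_TAG" | grep -qx '<proxy-asset-name>'` for each binary. `<proxy-asset-name>` is a placeholder, since the asset file names are not shown in this patch.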
@@ -22,6 +22,7 @@ jobs: RELEASE_TAG: ${{ inputs.tag || 'codeql-bundle-v2.22.0' }} steps: - name: Check release tag format + id: checks shell: bash run: | if ! [[ $RELEASE_TAG =~ ^codeql-bundle-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then @@ -29,6 +30,8 @@ jobs: exit 1 fi + echo "target_branch=dependency-proxy/$RELEASE_TAG" >> $GITHUB_OUTPUT + - name: Check that the release exists shell: bash env: @@ -61,7 +64,6 @@ jobs: - name: Push changes and open PR shell: bash env: - BRANCH: "dependency-proxy/${{ env.RELEASE_TAG }}" GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: | set -exu @@ -77,16 +79,16 @@ jobs: EOF ) - git checkout -b "$BRANCH" + git checkout -b "${{ steps.checks.outputs.target_branch }}" npm run build git add ./src/start-proxy-action.ts git add ./lib git commit -m "$pr_title" - git push origin "$BRANCH" + git push origin "${{ steps.checks.outputs.target_branch }}" gh pr create \ - --head "$BRANCH" \ + --head "${{ steps.checks.outputs.target_branch }}" \ --base "main" \ --title "${pr_title}" \ --body "${pr_body}" \ From 0cec254fa194f63bd8da71136285050fd7d4be29 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 15:05:31 +0100 Subject: [PATCH 15/27] Use `--dry-run` for non-`workflow_dispatch` events --- .github/workflows/update-proxy-release.yml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index b945a01f0..47bacbf15 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml 
@@ -61,6 +61,17 @@ jobs: sed -i "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-v[0-9.]\+/|https://github.com/github/codeql-action/releases/download/$RELEASE_TAG/|g" ./src/start-proxy-action.ts sed -i "s/\"v2.0.[0-9]\+\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts + - name: Compile TypeScript and commit changes + shell: bash + run: | + set -exu + git checkout -b "${{ steps.checks.outputs.target_branch }}" + + npm run build + git add ./src/start-proxy-action.ts + git add ./lib + git commit -m "Update release used by \`start-proxy\` action" + - name: Push changes and open PR shell: bash env: @@ -79,17 +90,10 @@ jobs: EOF ) - git checkout -b "${{ steps.checks.outputs.target_branch }}" - - npm run build - git add ./src/start-proxy-action.ts - git add ./lib - git commit -m "$pr_title" - git push origin "${{ steps.checks.outputs.target_branch }}" gh pr create \ --head "${{ steps.checks.outputs.target_branch }}" \ --base "main" \ --title "${pr_title}" \ --body "${pr_body}" \ - --draft + ${{ (github.event_name == 'workflow_dispatch' && '--draft') || '--dry-run' }} From 6e22e41a25249a484a4a9189e9cd595569e80f0e Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 23 Jun 2025 15:05:50 +0100 Subject: [PATCH 16/27] Add reminder to mark PR as ready for review to trigger CI --- .github/workflows/update-proxy-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index 47bacbf15..3d0e9209e 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -87,6 +87,7 @@ jobs: Please do the following before merging: - [ ] Verify that the changes to the code are correct. + - [ ] Mark the PR as ready for review to trigger the CI. EOF ) From bbfc5bef5badead8851e78df27b8a0c70505743b Mon Sep 17 00:00:00 2001 
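Review bot: In patch 15/27 only `gh pr create` receives `--dry-run` for non-`workflow_dispatch` events; the `git push origin` line directly above it in the `Push changes and open PR` step still runs, so a test run started by the `push` trigger publishes the `dependency-proxy/...` branch to the repository. Gate the push the same way, for instance by moving it into its own step with `if: github.event_name == 'workflow_dispatch'`, or by using `git push --dry-run` on the test path. A second test run for the same tag would presumably also fail at the push because the branch already exists, which makes the dry-run path harder to repeat.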
From: "Michael B. Gale" Date: Tue, 24 Jun 2025 11:30:24 +0100 Subject: [PATCH 17/27] Replace inline expressions with environment variables --- .github/workflows/update-proxy-release.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index 3d0e9209e..297991349 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -37,7 +37,7 @@ jobs: env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: | - (gh release view --repo ${{ github.event.repository.full_name }} --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1 + (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1 - name: Install Node uses: actions/setup-node@v4 @@ -63,9 +63,11 @@ jobs: - name: Compile TypeScript and commit changes shell: bash + env: + TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }} run: | set -exu - git checkout -b "${{ steps.checks.outputs.target_branch }}" + git checkout -b "$TARGET_BRANCH" npm run build git add ./src/start-proxy-action.ts @@ -76,6 +78,8 @@ jobs: shell: bash env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + TARGET_BRANCH: ${{ steps.checks.outputs.target_branch }} + PR_FLAG: ${{ (github.event_name == 'workflow_dispatch' && '--draft') || '--dry-run' }} run: | set -exu pr_title="Update release used by \`start-proxy\` to \`$RELEASE_TAG\`" @@ -91,10 +95,10 @@ jobs: EOF ) - git push origin "${{ steps.checks.outputs.target_branch }}" + git push origin "$TARGET_BRANCH" gh pr create \ - --head "${{ steps.checks.outputs.target_branch }}" \ + --head "$TARGET_BRANCH" \ --base "main" \ --title "${pr_title}" \ --body "${pr_body}" \ - ${{ (github.event_name == 'workflow_dispatch' && '--draft') || '--dry-run' }} + $PR_FLAG From 2e3b93fe41263fbfb6eb096825b4d14bd8aed22c Mon Sep 17 00:00:00 2001 
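Review bot: The reason for routing `TARGET_BRANCH` and `PR_FLAG` through `env:` in patch 17/27 is not recorded anywhere in the workflow, so a later edit can reintroduce an inline `${{ ... }}` in a `run:` block without anyone recognising it as a regression. A one-line comment above the first of these `env:` blocks would do, e.g. `# Expression values reach bash through env vars so they are handled as data, never as script text.` In the last hunk `$PR_FLAG` is left unquoted; it always holds a single word, so `"$PR_FLAG"` behaves the same and rules out word splitting and globbing.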
From: "Michael B. Gale" Date: Tue, 24 Jun 2025 11:34:13 +0100 Subject: [PATCH 18/27] Remove push trigger that was used for testing --- .github/workflows/update-proxy-release.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index 297991349..9e294f178 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -1,8 +1,5 @@ name: Update dependency proxy release assets on: - push: - branches: - - mbg/update-proxy-binaries # for testing workflow_dispatch: inputs: tag: @@ -19,7 +16,7 @@ jobs: contents: write # needed to push the updated files pull-requests: write # needed to create the PR env: - RELEASE_TAG: ${{ inputs.tag || 'codeql-bundle-v2.22.0' }} + RELEASE_TAG: ${{ inputs.tag }} steps: - name: Check release tag format id: checks From 35083eedc1d56d5f4e3a8f22123e5cbedf2a18d8 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 24 Jun 2025 11:09:10 +0000 Subject: [PATCH 19/27] Update release used by `start-proxy` action --- lib/start-proxy-action.js | 4 ++-- src/start-proxy-action.ts | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 0b9368536..a6bd08d6c 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js 
@@ -43,8 +43,8 @@ const logging_1 = require("./logging"); const start_proxy_1 = require("./start-proxy"); const util = __importStar(require("./util")); const UPDATEJOB_PROXY = "update-job-proxy"; -const UPDATEJOB_PROXY_VERSION = "v2.0.20250424171100"; -const UPDATEJOB_PROXY_URL_PREFIX = "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.21.1/"; +const UPDATEJOB_PROXY_VERSION = "v2.0.20250624110901"; +const UPDATEJOB_PROXY_URL_PREFIX = "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.22.0/"; const KEY_SIZE = 2048; const KEY_EXPIRY_YEARS = 2; const CERT_SUBJECT = [ diff --git a/src/start-proxy-action.ts b/src/start-proxy-action.ts index 100e867df..1efedb7d5 100644 --- a/src/start-proxy-action.ts +++ b/src/start-proxy-action.ts @@ -11,9 +11,9 @@ import { Credential, getCredentials } from "./start-proxy"; import * as util from "./util"; const UPDATEJOB_PROXY = "update-job-proxy"; -const UPDATEJOB_PROXY_VERSION = "v2.0.20250424171100"; +const UPDATEJOB_PROXY_VERSION = "v2.0.20250624110901"; const UPDATEJOB_PROXY_URL_PREFIX = - "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.21.1/"; + "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.22.0/"; const KEY_SIZE = 2048; const KEY_EXPIRY_YEARS = 2; From f7258be2564dc8c8d94498f4a728d80e1537949f Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Tue, 24 Jun 2025 12:26:04 +0100 Subject: [PATCH 20/27] Add initial Copilot instructions --- .github/copilot-instructions.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/copilot-instructions.md diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 000000000..bc2de026f --- /dev/null +++ b/.github/copilot-instructions.md 
@@ -0,0 +1,5 @@ +# CodeQL Action - Copilot Instructions + +The CodeQL Action is written in TypeScript and compiled to JavaScript. Both the TypeScript sources and the **generated** JavaScript code are contained in this repository. The TypeScript sources are contained in the `src` directory and the JavaScript code is contained in the `lib` directory. A GitHub Actions workflow checks that the JavaScript code in `lib` is up-to-date. Therefore, you should not review any changes to the contents of the `lib` folder and it is expected that the JavaScript code in `lib` is closely mirrors the TypeScript code it is generated from. + +GitHub Actions workflows in the `.github/workflows` directory whose filenames start with two underscores (e.g. `__all-platform-bundle.yml`) are automatically generated using the `pr-checks/sync.sh` script from template files in the `pr-checks/checks` directory. Therefore, you do not need to review files in the `.github/workflows` directory that starts with two underscores. However, you should review changes to the `pr-checks` directory as well as workflows in the `.github/workflows` directory that do not start with underscores. From 6b78c6eca23d8ee75eee5ab45c9366c5e6f0c7f4 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Tue, 24 Jun 2025 12:27:18 +0100 Subject: [PATCH 21/27] Update .github/copilot-instructions.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/copilot-instructions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index bc2de026f..7dfd363e7 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md 
@@ -1,5 +1,5 @@ # CodeQL Action - Copilot Instructions -The CodeQL Action is written in TypeScript and compiled to JavaScript. Both the TypeScript sources and the **generated** JavaScript code are contained in this repository. The TypeScript sources are contained in the `src` directory and the JavaScript code is contained in the `lib` directory. A GitHub Actions workflow checks that the JavaScript code in `lib` is up-to-date. Therefore, you should not review any changes to the contents of the `lib` folder and it is expected that the JavaScript code in `lib` is closely mirrors the TypeScript code it is generated from. +The CodeQL Action is written in TypeScript and compiled to JavaScript. Both the TypeScript sources and the **generated** JavaScript code are contained in this repository. The TypeScript sources are contained in the `src` directory and the JavaScript code is contained in the `lib` directory. A GitHub Actions workflow checks that the JavaScript code in `lib` is up-to-date. Therefore, you should not review any changes to the contents of the `lib` folder and it is expected that the JavaScript code in `lib` closely mirrors the TypeScript code it is generated from. GitHub Actions workflows in the `.github/workflows` directory whose filenames start with two underscores (e.g. `__all-platform-bundle.yml`) are automatically generated using the `pr-checks/sync.sh` script from template files in the `pr-checks/checks` directory. Therefore, you do not need to review files in the `.github/workflows` directory that starts with two underscores. However, you should review changes to the `pr-checks` directory as well as workflows in the `.github/workflows` directory that do not start with underscores. From 2b4afc20b636de8884609ee2a501a68a67766f26 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 24 Jun 2025 14:13:10 +0000 Subject: [PATCH 22/27] Update default bundle to codeql-bundle-v2.22.1 --- lib/defaults.json | 8 ++++---- src/defaults.json | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/defaults.json b/lib/defaults.json index 26b1ed0ac..7dff90930 100644 --- a/lib/defaults.json +++ b/lib/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.22.0", - "cliVersion": "2.22.0", - "priorBundleVersion": "codeql-bundle-v2.21.4", - "priorCliVersion": "2.21.4" + "bundleVersion": "codeql-bundle-v2.22.1", + "cliVersion": "2.22.1", + "priorBundleVersion": "codeql-bundle-v2.22.0", + "priorCliVersion": "2.22.0" } diff --git a/src/defaults.json b/src/defaults.json index e02af898f..b99e6e688 100644 --- a/src/defaults.json +++ b/src/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.22.0", - "cliVersion": "2.22.0", - "priorBundleVersion": "codeql-bundle-v2.21.4", - "priorCliVersion": "2.21.4" + "bundleVersion": "codeql-bundle-v2.22.1", + "cliVersion": "2.22.1", + "priorBundleVersion": "codeql-bundle-v2.22.0", + "priorCliVersion": "2.22.0" } From f3bfb9860305f6e80e048f4785d6bee33bf77356 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 24 Jun 2025 14:13:14 +0000 Subject: [PATCH 23/27] Add changelog note --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d81420a0c..a7366cc9b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] - Fix bug in PR analysis where user-provided `include` query filter fails to exclude non-included queries. [#2938](https://github.com/github/codeql-action/pull/2938) +- Update default CodeQL bundle version to 2.22.1. [#2950](https://github.com/github/codeql-action/pull/2950) ## 3.29.0 - 11 Jun 2025 From 973250f3d233f50890a597fef853ae3b2a538a31 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 26 Jun 2025 17:41:45 +0200 Subject: [PATCH 24/27] Swift: recreate a default Swift package to fix test --- tests/multi-language-repo/.gitignore | 9 +++++++ tests/multi-language-repo/Package.swift | 25 ++++++-------------- tests/multi-language-repo/Sources/main.swift | 4 ++++ 3 files changed, 20 insertions(+), 18 deletions(-) create mode 100644 tests/multi-language-repo/.gitignore create mode 100644 tests/multi-language-repo/Sources/main.swift diff --git a/tests/multi-language-repo/.gitignore b/tests/multi-language-repo/.gitignore new file mode 100644 index 000000000..3b2981208 --- /dev/null +++ b/tests/multi-language-repo/.gitignore @@ -0,0 +1,9 @@ +.DS_Store +/.build +/Packages +/*.xcodeproj +xcuserdata/ +DerivedData/ +.swiftpm/config/registries.json +.swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata +.netrc diff --git a/tests/multi-language-repo/Package.swift b/tests/multi-language-repo/Package.swift index 9c557cdb8..ff2b07e41 100644 --- a/tests/multi-language-repo/Package.swift +++ b/tests/multi-language-repo/Package.swift 
@@ -1,26 +1,15 @@ -// swift-tools-version: 5.7 +// swift-tools-version: 5.8 // The swift-tools-version declares the minimum version of Swift required to build this package. import PackageDescription let package = Package( - name: "helloWorld", - products: [ - // Products define the executables and libraries a package produces, and make them visible to other packages. - .library( - name: "helloWorld", - targets: ["helloWorld"]), - ], - dependencies: [ - // Dependencies declare other packages that this package depends on. - // .package(url: /* package url */, from: "1.0.0"), - ], + name: "multi-language-repo", targets: [ - // Targets are the basic building blocks of a package. A target can define a module or a test suite. - // Targets can depend on other targets in this package, and on products in packages this package depends on. - .target( - name: "helloWorld", - path: "swift-custom-build/helloWorld" - ) + // Targets are the basic building blocks of a package, defining a module or a test suite. + // Targets can depend on other targets in this package and products from dependencies. + .executableTarget( + name: "multi-language-repo", + path: "Sources"), ] ) diff --git a/tests/multi-language-repo/Sources/main.swift b/tests/multi-language-repo/Sources/main.swift new file mode 100644 index 000000000..44e20d5ac --- /dev/null +++ b/tests/multi-language-repo/Sources/main.swift @@ -0,0 +1,4 @@ +// The Swift Programming Language +// https://docs.swift.org/swift-book + +print("Hello, world!") From 27c4fb1eef772029c0bbeed96d8538a2af79e541 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Jun 2025 10:15:45 +0000 Subject: [PATCH 25/27] Update changelog for v3.29.1 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a7366cc9b..53348986f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,7 +2,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## [UNRELEASED] +## 3.29.1 - 27 Jun 2025 - Fix bug in PR analysis where user-provided `include` query filter fails to exclude non-included queries. [#2938](https://github.com/github/codeql-action/pull/2938) - Update default CodeQL bundle version to 2.22.1. [#2950](https://github.com/github/codeql-action/pull/2950) From baf20c9b52be83d9e7f00b5994a9af767b65978b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Jun 2025 10:44:54 +0000 Subject: [PATCH 26/27] Update changelog and version after v3.29.1 --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 53348986f..629fbf9c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## [UNRELEASED] + +No user facing changes. + ## 3.29.1 - 27 Jun 2025 - Fix bug in PR analysis where user-provided `include` query filter fails to exclude non-included queries. [#2938](https://github.com/github/codeql-action/pull/2938) diff --git a/package-lock.json b/package-lock.json index 817560cf8..79ff14061 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "3.29.1", + "version": "3.29.2", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "3.29.1", + "version": "3.29.2", "license": "MIT", "dependencies": { "@actions/artifact": "^2.3.1", diff --git a/package.json b/package.json index 4ae885838..385207031 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@ { "name": "codeql", - "version": "3.29.1", + "version": "3.29.2", "private": true, "description": "CodeQL action", "scripts": { From 2e3a72539c66a6f6b136fc4e339a37345bfce4f0 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Jun 2025 10:52:35 +0000 Subject: [PATCH 27/27] Update checked-in dependencies --- node_modules/.package-lock.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json index 2bb25482e..c26cc2f87 100644 --- a/node_modules/.package-lock.json +++ b/node_modules/.package-lock.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "3.29.1", + "version": "3.29.2", "lockfileVersion": 3, "requires": true, "packages": {