Merge pull request #354 from github/update-v1-094554cf

Merge main into v1

.github/workflows/integration-testing.yml

@@ -6,7 +6,27 @@ on:
   pull_request:
 
 jobs:
+  # This job and check-node-modules below dupliacte checks from `pr-checks.yml`.
+  # We run them here as well to gate the more expensive checks which wouldn't
+  # even be executing the correct code if these fail.
+  check-js:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Check generated JavaScript
+      run: .github/workflows/script/check-js.sh
+
+  check-node-modules:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Check node modules up to date
+      run: .github/workflows/script/check-node-modules.sh
+
   multi-language-repo_test-autodetect-languages:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     steps:
@@ -40,6 +60,7 @@ jobs:
         fi
 
   multi-language-repo_test-custom-queries-and-remote-config:
+    needs: [check-js, check-node-modules]
     strategy:
       fail-fast: false
       matrix:
@@ -69,6 +90,7 @@ jobs:
 
   # Currently is not possible to analyze Go in conjunction with other languages in macos
   multi-language-repo_test-go-custom-queries:
+    needs: [check-js, check-node-modules]
     strategy:
       fail-fast: false
       matrix:
@@ -99,6 +121,7 @@ jobs:
         TEST_MODE: true
 
   go-custom-tracing:
+    needs: [check-js, check-node-modules]
     strategy:
       fail-fast: false
       matrix:
@@ -130,6 +153,7 @@ jobs:
         TEST_MODE: true
 
   go-custom-tracing-autobuild:
+    needs: [check-js, check-node-modules]
     # No need to test Go autobuild on multiple OSes since
     # we're testing Go custom tracing with a manual build on all OSes.
     runs-on: ubuntu-latest
@@ -153,6 +177,7 @@ jobs:
         TEST_MODE: true
 
   multi-language-repo_rubocop:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     steps:
@@ -184,6 +209,7 @@ jobs:
         TEST_MODE: true
 
   test-proxy:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
     container:
       image: ubuntu:18.04
@@ -211,6 +237,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-javascript-ubuntu:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     steps:
@@ -237,6 +264,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-javascript-windows:
+    needs: [check-js, check-node-modules]
     runs-on: windows-latest
 
     steps:
@@ -259,6 +287,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-javascript-macos:
+    needs: [check-js, check-node-modules]
     runs-on: macos-latest
 
     steps:
@@ -281,6 +310,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-csharp-ubuntu:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     steps:
@@ -315,6 +345,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-csharp-windows:
+    needs: [check-js, check-node-modules]
     runs-on: windows-latest
 
     steps:
@@ -350,6 +381,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-csharp-macos:
+    needs: [check-js, check-node-modules]
     runs-on: macos-latest
 
     steps:
@@ -386,6 +418,7 @@ jobs:
 
 
   runner-analyze-csharp-autobuild-ubuntu:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     steps:
@@ -419,6 +452,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-csharp-autobuild-windows:
+    needs: [check-js, check-node-modules]
     runs-on: windows-latest
 
     steps:
@@ -453,6 +487,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-csharp-autobuild-macos:
+    needs: [check-js, check-node-modules]
     runs-on: macos-latest
 
     steps:
@@ -487,6 +522,7 @@ jobs:
         TEST_MODE: true
 
   runner-upload-sarif:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}

.github/workflows/pr-checks.yml

@@ -20,25 +20,7 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Check generated JavaScript
-      run: |
-        # Sanity check that repo is clean to start with
-        if [ ! -z "$(git status --porcelain)" ]; then
-          # If we get a fail here then this workflow needs attention...
-          >&2 echo "Failed: Repo should be clean before testing!"
-          exit 1
-        fi
-        # Wipe the lib directory incase there are extra unnecessary files in there
-        rm -rf lib
-        # Generate the JavaScript files
-        npm run-script build
-        # Check that repo is still clean
-        if [ ! -z "$(git status --porcelain)" ]; then
-          # If we get a fail here then the PR needs attention
-          >&2 echo "Failed: JavaScript files are not up to date. Run 'npm run-script build' to update"
-          git status
-          exit 1
-        fi
-        echo "Success: JavaScript files are up to date"
+      run: .github/workflows/script/check-js.sh
 
   check-node-modules:
     runs-on: ubuntu-latest
@@ -46,27 +28,10 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Check node modules up to date
-      run: |
-        # Sanity check that repo is clean to start with
-        if [ ! -z "$(git status --porcelain)" ]; then
-          # If we get a fail here then this workflow needs attention...
-          >&2 echo "Failed: Repo should be clean before testing!"
-          exit 1
-        fi
-        # Reinstall modules and then clean to remove absolute paths
-        # Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
-        npm ci
-        npm run removeNPMAbsolutePaths
-        # Check that repo is still clean
-        if [ ! -z "$(git status --porcelain)" ]; then
-          # If we get a fail here then the PR needs attention
-          >&2 echo "Failed: node_modules are not up to date. Run 'npm ci' and 'npm run removeNPMAbsolutePaths' to update"
-          git status
-          exit 1
-        fi
-        echo "Success: node_modules are up to date"
+      run: .github/workflows/script/check-node-modules.sh
 
   npm-test:
+    needs: [check-js, check-node-modules]
     strategy:
       matrix:
         os: [ubuntu-latest,macos-latest]

.github/workflows/script/check-js.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -eu
+
+# Sanity check that repo is clean to start with
+if [ ! -z "$(git status --porcelain)" ]; then
+    # If we get a fail here then this workflow needs attention...
+    >&2 echo "Failed: Repo should be clean before testing!"
+    exit 1
+fi
+# Wipe the lib directory incase there are extra unnecessary files in there
+rm -rf lib
+# Generate the JavaScript files
+npm run-script build
+# Check that repo is still clean
+if [ ! -z "$(git status --porcelain)" ]; then
+    # If we get a fail here then the PR needs attention
+    >&2 echo "Failed: JavaScript files are not up to date. Run 'npm run-script build' to update"
+    git status
+    exit 1
+fi
+echo "Success: JavaScript files are up to date"

.github/workflows/script/check-node-modules.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -eu
+
+# Sanity check that repo is clean to start with
+if [ ! -z "$(git status --porcelain)" ]; then
+    # If we get a fail here then this workflow needs attention...
+    >&2 echo "Failed: Repo should be clean before testing!"
+    exit 1
+fi
+# Reinstall modules and then clean to remove absolute paths
+# Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
+npm ci
+npm run removeNPMAbsolutePaths
+# Check that repo is still clean
+if [ ! -z "$(git status --porcelain)" ]; then
+    # If we get a fail here then the PR needs attention
+    >&2 echo "Failed: node_modules are not up to date. Run 'npm ci' and 'npm run removeNPMAbsolutePaths' to update"
+    git status
+    exit 1
+fi
+echo "Success: node_modules are up to date"

lib/actions-util.js

@@ -107,6 +107,7 @@ function escapeRegExp(string) {
 }
 function patternToRegExp(value) {
     return new RegExp(`^${value
+        .toString()
         .split(GLOB_PATTERN)
         .reduce(function (arr, cur) {
         if (cur === "**") {

lib/actions-util.test.js

@@ -11,6 +11,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const ava_1 = __importDefault(require("ava"));
+const yaml = __importStar(require("js-yaml"));
 const sinon_1 = __importDefault(require("sinon"));
 const actionsutil = __importStar(require("./actions-util"));
 const testing_utils_1 = require("./testing-utils");
@@ -290,4 +291,27 @@ ava_1.default("patternIsSuperset()", (t) => {
     t.true(actionsutil.patternIsSuperset("/robin/*/release/*", "/robin/moose/release/goose"));
     t.false(actionsutil.patternIsSuperset("/robin/moose/release/goose", "/robin/*/release/*"));
 });
+ava_1.default("validateWorkflow() when branches contain dots", (t) => {
+    const errors = actionsutil.validateWorkflow(yaml.safeLoad(`
+  on:
+    push:
+      branches: [4.1, master]
+    pull_request:
+      # The branches below must be a subset of the branches above
+      branches: [4.1, master]
+`));
+    t.deepEqual(errors, []);
+});
+ava_1.default("validateWorkflow() when on.push has a trailing comma", (t) => {
+    const errors = actionsutil.validateWorkflow(yaml.safeLoad(`
+name: "CodeQL"
+on:
+  push:
+    branches: [master, ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+`));
+    t.deepEqual(errors, []);
+});
 //# sourceMappingURL=actions-util.test.js.map

node_modules/ini/ini.js

@@ -15,7 +15,7 @@ function encode (obj, opt) {
   if (typeof opt === 'string') {
     opt = {
       section: opt,
-      whitespace: false
+      whitespace: false,
     }
   } else {
     opt = opt || {}
@@ -30,27 +30,25 @@ function encode (obj, opt) {
       val.forEach(function (item) {
         out += safe(k + '[]') + separator + safe(item) + '\n'
       })
-    } else if (val && typeof val === 'object') {
+    } else if (val && typeof val === 'object')
       children.push(k)
-    } else {
+    else
       out += safe(k) + separator + safe(val) + eol
-    }
   })
 
-  if (opt.section && out.length) {
+  if (opt.section && out.length)
     out = '[' + safe(opt.section) + ']' + eol + out
-  }
 
   children.forEach(function (k, _, __) {
     var nk = dotSplit(k).join('\\.')
     var section = (opt.section ? opt.section + '.' : '') + nk
     var child = encode(obj[k], {
       section: section,
-      whitespace: opt.whitespace
+      whitespace: opt.whitespace,
     })
-    if (out.length && child.length) {
+    if (out.length && child.length)
       out += eol
-    }
+
     out += child
   })
 
@@ -62,7 +60,7 @@ function dotSplit (str) {
     .replace(/\\\./g, '\u0001')
     .split(/\./).map(function (part) {
       return part.replace(/\1/g, '\\.')
-      .replace(/\2LITERAL\\1LITERAL\2/g, '\u0001')
+        .replace(/\2LITERAL\\1LITERAL\2/g, '\u0001')
     })
 }
 
@@ -75,15 +73,25 @@ function decode (str) {
   var lines = str.split(/[\r\n]+/g)
 
   lines.forEach(function (line, _, __) {
-    if (!line || line.match(/^\s*[;#]/)) return
+    if (!line || line.match(/^\s*[;#]/))
+      return
     var match = line.match(re)
-    if (!match) return
+    if (!match)
+      return
     if (match[1] !== undefined) {
       section = unsafe(match[1])
+      if (section === '__proto__') {
+        // not allowed
+        // keep parsing the section, but don't attach it.
+        p = {}
+        return
+      }
       p = out[section] = out[section] || {}
       return
     }
     var key = unsafe(match[2])
+    if (key === '__proto__')
+      return
     var value = match[3] ? unsafe(match[4]) : true
     switch (value) {
       case 'true':
@@ -94,20 +102,20 @@ function decode (str) {
     // Convert keys with '[]' suffix to an array
     if (key.length > 2 && key.slice(-2) === '[]') {
       key = key.substring(0, key.length - 2)
-      if (!p[key]) {
+      if (key === '__proto__')
+        return
+      if (!p[key])
         p[key] = []
-      } else if (!Array.isArray(p[key])) {
+      else if (!Array.isArray(p[key]))
         p[key] = [p[key]]
-      }
     }
 
     // safeguard against resetting a previously defined
     // array by accidentally forgetting the brackets
-    if (Array.isArray(p[key])) {
+    if (Array.isArray(p[key]))
       p[key].push(value)
-    } else {
+    else
       p[key] = value
-    }
   })
 
   // {a:{y:1},"a.b":{x:2}} --> {a:{y:1,b:{x:2}}}
@@ -115,9 +123,9 @@ function decode (str) {
   Object.keys(out).filter(function (k, _, __) {
     if (!out[k] ||
       typeof out[k] !== 'object' ||
-      Array.isArray(out[k])) {
+      Array.isArray(out[k]))
       return false
-    }
+
     // see if the parent section is also an object.
     // if so, add it to that, and mark this one for deletion
     var parts = dotSplit(k)
@@ -125,12 +133,15 @@ function decode (str) {
     var l = parts.pop()
     var nl = l.replace(/\\\./g, '.')
     parts.forEach(function (part, _, __) {
-      if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+      if (part === '__proto__')
+        return
+      if (!p[part] || typeof p[part] !== 'object')
+        p[part] = {}
       p = p[part]
     })
-    if (p === out && nl === l) {
+    if (p === out && nl === l)
       return false
-    }
+
     p[nl] = out[k]
     return true
   }).forEach(function (del, _, __) {
@@ -152,18 +163,20 @@ function safe (val) {
     (val.length > 1 &&
      isQuoted(val)) ||
     val !== val.trim())
-      ? JSON.stringify(val)
-      : val.replace(/;/g, '\\;').replace(/#/g, '\\#')
+    ? JSON.stringify(val)
+    : val.replace(/;/g, '\\;').replace(/#/g, '\\#')
 }
 
 function unsafe (val, doUnesc) {
   val = (val || '').trim()
   if (isQuoted(val)) {
     // remove the single quotes before calling JSON.parse
-    if (val.charAt(0) === "'") {
+    if (val.charAt(0) === "'")
       val = val.substr(1, val.length - 2)
-    }
-    try { val = JSON.parse(val) } catch (_) {}
+
+    try {
+      val = JSON.parse(val)
+    } catch (_) {}
   } else {
     // walk the val to find the first not-escaped ; character
     var esc = false
@@ -171,23 +184,22 @@ function unsafe (val, doUnesc) {
     for (var i = 0, l = val.length; i < l; i++) {
       var c = val.charAt(i)
       if (esc) {
-        if ('\\;#'.indexOf(c) !== -1) {
+        if ('\\;#'.indexOf(c) !== -1)
           unesc += c
-        } else {
+        else
           unesc += '\\' + c
-        }
+
         esc = false
-      } else if (';#'.indexOf(c) !== -1) {
+      } else if (';#'.indexOf(c) !== -1)
         break
-      } else if (c === '\\') {
+      else if (c === '\\')
         esc = true
-      } else {
+      else
         unesc += c
-      }
     }
-    if (esc) {
+    if (esc)
       unesc += '\\'
-    }
+
     return unesc.trim()
   }
   return val

node_modules/ini/package.json

@@ -2,26 +2,29 @@
   "author": "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me/)",
   "name": "ini",
   "description": "An ini encoder/decoder for node",
-  "version": "1.3.5",
+  "version": "1.3.8",
   "repository": {
     "type": "git",
     "url": "git://github.com/isaacs/ini.git"
   },
   "main": "ini.js",
   "scripts": {
-    "pretest": "standard ini.js",
-    "test": "tap test/*.js --100 -J",
+    "eslint": "eslint",
+    "lint": "npm run eslint -- ini.js test/*.js",
+    "lintfix": "npm run lint -- --fix",
+    "test": "tap",
+    "posttest": "npm run lint",
     "preversion": "npm test",
     "postversion": "npm publish",
-    "postpublish": "git push origin --all; git push origin --tags"
+    "prepublishOnly": "git push origin --follow-tags"
   },
-  "engines": {
-    "node": "*"
-  },
-  "dependencies": {},
   "devDependencies": {
-    "standard": "^10.0.3",
-    "tap": "^10.7.3 || 11"
+    "eslint": "^7.9.0",
+    "eslint-plugin-import": "^2.22.0",
+    "eslint-plugin-node": "^11.1.0",
+    "eslint-plugin-promise": "^4.2.1",
+    "eslint-plugin-standard": "^4.0.1",
+    "tap": "14"
   },
   "license": "ISC",
   "files": [

package-lock.json

@@ -2435,9 +2435,9 @@
       "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4="
     },
     "ini": {
-      "version": "1.3.5",
-      "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz",
-      "integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==",
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz",
+      "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==",
       "dev": true
     },
     "irregular-plurals": {

runner/package-lock.json

@@ -2072,9 +2072,9 @@
       "dev": true
     },
     "ini": {
-      "version": "1.3.5",
-      "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.5.tgz",
-      "integrity": "sha512-RZY5huIKCMRWDUqZlEi72f/lmXKMvuszcMBduliQ3nnWbx9X/ZBQO7DijMEYS9EhHBb2qacRUMtC7svLwe0lcw==",
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz",
+      "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==",
       "dev": true
     },
     "interpret": {

src/actions-util.test.ts

@@ -1,4 +1,5 @@
 import test from "ava";
+import * as yaml from "js-yaml";
 import sinon from "sinon";
 
 import * as actionsutil from "./actions-util";
@@ -400,3 +401,34 @@ test("patternIsSuperset()", (t) => {
     )
   );
 });
+
+test("validateWorkflow() when branches contain dots", (t) => {
+  const errors = actionsutil.validateWorkflow(
+    yaml.safeLoad(`
+  on:
+    push:
+      branches: [4.1, master]
+    pull_request:
+      # The branches below must be a subset of the branches above
+      branches: [4.1, master]
+`)
+  );
+
+  t.deepEqual(errors, []);
+});
+
+test("validateWorkflow() when on.push has a trailing comma", (t) => {
+  const errors = actionsutil.validateWorkflow(
+    yaml.safeLoad(`
+name: "CodeQL"
+on:
+  push:
+    branches: [master, ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+`)
+  );
+
+  t.deepEqual(errors, []);
+});

src/actions-util.ts

@@ -143,6 +143,7 @@ function escapeRegExp(string) {
 function patternToRegExp(value) {
   return new RegExp(
     `^${value
+      .toString()
       .split(GLOB_PATTERN)
       .reduce(function (arr, cur) {
         if (cur === "**") {