robojerk/codeql-action

Merge branch 'main' into henrymercer/reenable-swift-autobuild-checks

Browse source
This commit is contained in:
Henry Mercer 2024-06-17 11:30:15 +01:00 committed by GitHub
commit c884bf6268
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2165 changed files with 178121 additions and 283727 deletions
Download patch file Download diff file Expand all files Collapse all files

2
pr-checks/checks/all-platform-bundle.yml
View file

@ -15,5 +15,3 @@ steps:
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
upload-database: false

1
pr-checks/checks/analyze-ref-input.yml
View file

@ -12,6 +12,5 @@ steps:
run: ./build.sh
- uses: ./../action/analyze
with:
upload-database: false
ref: 'refs/heads/main'
sha: '5e235361806c361d4d3f8859e3c897658025a9a2'

4
pr-checks/checks/autobuild-action.yml
View file

@ -1,6 +1,6 @@
name: "autobuild-action"
description: "Tests that the C# autobuild action works"
versions: ["latest"]
versions: ["linked"]
steps:
- uses: ./../action/init
with:
@ -16,8 +16,6 @@ steps:
CORECLR_PROFILER: ""
CORECLR_PROFILER_PATH_64: ""
- uses: ./../action/analyze
with:
upload-database: false
- name: Check database
shell: bash
run: |

34
pr-checks/checks/autobuild-direct-tracing-with-working-dir.yml Normal file
View file

@ -0,0 +1,34 @@
name: "Autobuild direct tracing (custom working directory)"
description: >
An end-to-end integration test of a Java repository built using 'build-mode: autobuild',
with direct tracing enabled and a custom working directory specified as the input to the
autobuild Action.
operatingSystems: ["ubuntu", "windows"]
versions: ["linked", "nightly-latest"]
env:
CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
steps:
- name: Test setup
shell: bash
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...
cp -a ../action/tests/java-repo autobuild-dir
# ... and fails if attempted in the current directory
echo > build.gradle
- uses: ./../action/init
with:
build-mode: autobuild
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check that indirect tracing is disabled
shell: bash
run: |
if [[ ! -z "${CODEQL_RUNNER}" ]]; then
echo "Expected indirect tracing to be disabled, but the" \
"CODEQL_RUNNER environment variable is set."
exit 1
fi
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
- uses: ./../action/analyze

32
pr-checks/checks/autobuild-direct-tracing.yml Normal file
View file

@ -0,0 +1,32 @@
name: "Autobuild direct tracing"
description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild', with direct tracing enabled"
operatingSystems: ["ubuntu", "windows"]
versions: ["linked", "nightly-latest"]
env:
CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
steps:
- name: Set up Java test repo configuration
shell: bash
run: |
mv * .github ../action/tests/multi-language-repo/
mv ../action/tests/multi-language-repo/.github/workflows .github
mv ../action/tests/java-repo/* .
- uses: ./../action/init
id: init
with:
build-mode: autobuild
db-location: "${{ runner.temp }}/customDbLocation"
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check that indirect tracing is disabled
shell: bash
run: |
if [[ ! -z "${CODEQL_RUNNER}" ]]; then
echo "Expected indirect tracing to be disabled, but the" \
"CODEQL_RUNNER environment variable is set."
exit 1
fi
- uses: ./../action/analyze

29
pr-checks/checks/build-mode-autobuild.yml Normal file
View file

@ -0,0 +1,29 @@
name: "Build mode autobuild"
description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
operatingSystems: ["ubuntu"]
versions: ["nightly-latest"]
steps:
- name: Set up Java test repo configuration
run: |
mv * .github ../action/tests/multi-language-repo/
mv ../action/tests/multi-language-repo/.github/workflows .github
mv ../action/tests/java-repo/* .
- uses: ./../action/init
id: init
with:
build-mode: autobuild
db-location: "${{ runner.temp }}/customDbLocation"
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "autobuild" ]]; then
echo "Expected build mode to be 'autobuild' but was $build_mode"
exit 1
fi
- uses: ./../action/analyze

31
pr-checks/checks/build-mode-manual.yml Normal file
View file

@ -0,0 +1,31 @@
name: "Build mode manual"
description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
operatingSystems: ["ubuntu"]
versions: ["nightly-latest"]
steps:
- uses: ./../action/init
id: init
with:
build-mode: manual
db-location: "${{ runner.temp }}/customDbLocation"
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "manual" ]]; then
echo "Expected build mode to be 'manual' but was $build_mode"
exit 1
fi
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{ steps.init.outputs.codeql-path }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze

27
pr-checks/checks/build-mode-none.yml Normal file
View file

@ -0,0 +1,27 @@
name: "Build mode none"
description: "An end-to-end integration test of a Java repository built using 'build-mode: none'"
operatingSystems: ["ubuntu"]
versions: ["linked", "nightly-latest"]
steps:
- uses: ./../action/init
id: init
with:
build-mode: none
db-location: "${{ runner.temp }}/customDbLocation"
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "none" ]]; then
echo "Expected build mode to be 'none' but was $build_mode"
exit 1
fi
# The latest nightly supports omitting the autobuild Action when the build mode is specified.
- uses: ./../action/autobuild
if: matrix.version != 'nightly-latest'
- uses: ./../action/analyze

31
pr-checks/checks/build-mode-rollback.yml Normal file
View file

@ -0,0 +1,31 @@
name: "Build mode rollback"
description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled."
operatingSystems: ["ubuntu"]
versions: ["nightly-latest"]
env:
CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
steps:
- name: Set up Java test repo configuration
run: |
mv * .github ../action/tests/multi-language-repo/
mv ../action/tests/multi-language-repo/.github/workflows .github
mv ../action/tests/java-repo/* .
- uses: ./../action/init
id: init
with:
build-mode: none
db-location: "${{ runner.temp }}/customDbLocation"
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "autobuild" ]]; then
echo "Expected build mode to be 'autobuild' but was $build_mode"
exit 1
fi
- uses: ./../action/analyze

25
pr-checks/checks/cleanup-db-cluster-dir.yml Normal file
View file

@ -0,0 +1,25 @@
name: "Clean up database cluster directory"
description: "The database cluster directory is cleaned up if it is not empty."
operatingSystems: ["ubuntu"]
versions: ["linked"]
steps:
- name: Add a file to the database cluster directory
run: |
mkdir -p "${{ runner.temp }}/customDbLocation/javascript"
touch "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt"
- uses: ./../action/init
id: init
with:
build-mode: none
db-location: "${{ runner.temp }}/customDbLocation"
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate file cleaned up
run: |
if [[ -f "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt" ]]; then
echo "File was not cleaned up"
exit 1
fi
echo "File was cleaned up"

10
pr-checks/checks/config-export.yml
View file

@ -1,8 +1,6 @@
name: "Config export"
description: "Tests that the code scanning configuration file is exported to SARIF correctly."
versions: ["latest", "nightly-latest"]
env:
CODEQL_PASS_CONFIG_TO_CLI: true
versions: ["linked", "nightly-latest"]
steps:
- uses: ./../action/init
with:
@ -20,7 +18,7 @@ steps:
path: "${{ runner.temp }}/results/javascript.sarif"
retention-days: 7
- name: Check config properties appear in SARIF
uses: actions/github-script@v6
uses: actions/github-script@v7
env:
SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
with:
@ -35,13 +33,13 @@ steps:
core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
}
if (configSummary.disableDefaultQueries !== false) {
core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
`${JSON.stringify(configSummary.disableDefaultQueries)}.`);
}
const expectedQueries = [{ type: 'builtinSuite', uses: 'security-extended' }];
// Use JSON.stringify to deep-equal the arrays.
if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
`${JSON.stringify(configSummary.queries)}.`);
}
core.info('Finished config export tests.');

33
pr-checks/checks/config-input.yml Normal file
View file

@ -0,0 +1,33 @@
name: "Config input"
description: "Tests specifying configuration using the config input"
operatingSystems: ["ubuntu"]
versions: ["linked"]
steps:
- name: Copy queries into workspace
run: |
cp -a ../action/queries .
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
languages: javascript
build-mode: none
config: |
disable-default-queries: true
queries:
- name: Run custom query
uses: ./queries/default-setup-environment-variables.ql
paths-ignore:
- tests
- lib
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
- name: Check SARIF
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/codeql-action/default-setup-env-vars
queries-not-run: javascript/codeql-action/default-setup-context-properties

26
pr-checks/checks/cpp-deptrace-disabled.yml Normal file
View file

@ -0,0 +1,26 @@
name: "C/C++: disabling autoinstalling dependencies (Linux)"
description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works"
operatingSystems: ["ubuntu"]
versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with CLIs < 2.15.0
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
with:
languages: cpp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
- shell: bash
run: |
if ls /usr/bin/errno; then
echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
exit 1
fi

28
pr-checks/checks/cpp-deptrace-enabled-on-macos.yml Normal file
View file

@ -0,0 +1,28 @@
name: "C/C++: autoinstalling dependencies is skipped (macOS)"
description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly enabled is a no-op on macOS"
operatingSystems: ["macos"]
versions: ["nightly-latest"] # This is not released yet, will come with 2.15.2
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
with:
languages: cpp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
- shell: bash
run: |
if ! ls /usr/bin/errno; then
echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
else
echo "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES should not have had any effect on macOS"
exit 1
fi

26
pr-checks/checks/cpp-deptrace-enabled.yml Normal file
View file

@ -0,0 +1,26 @@
name: "C/C++: autoinstalling dependencies (Linux)"
description: "Checks that running C/C++ autobuild with autoinstalling dependencies works"
operatingSystems: ["ubuntu"]
versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with CLIs < 2.15.0
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
with:
languages: cpp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
- shell: bash
run: |
if ! ls /usr/bin/errno; then
echo "Did not autoinstall errno"
exit 1
fi

10
pr-checks/checks/diagnostics-export.yml
View file

@ -1,8 +1,8 @@
name: "Diagnostic export"
description: "Tests that manually added diagnostics are correctly exported to SARIF."
# Test on 2.12.5 (which requires a workaround in the Action), the latest release, and the latest
# Test on 2.12.6 (which requires a workaround in the Action), the latest release, and the latest
# nightly.
versions: ["stable-20230317", "latest", "nightly-latest"]
versions: ["stable-20230403", "linked", "nightly-latest"]
env:
CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
steps:
@ -17,7 +17,7 @@ steps:
CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
run: |
for i in {1..2}; do
# Use the same location twice to test the workaround for the bug in CodeQL CLI 2.12.5 that
# Use the same location twice to test the workaround for the bug in CodeQL CLI 2.12.6 that
# produces an invalid diagnostic with multiple identical location objects.
"$CODEQL_PATH" database add-diagnostic \
"$RUNNER_TEMP/codeql_databases/javascript" \
@ -38,7 +38,7 @@ steps:
path: "${{ runner.temp }}/results/javascript.sarif"
retention-days: 7
- name: Check diagnostics appear in SARIF
uses: actions/github-script@v6
uses: actions/github-script@v7
env:
SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
with:
@ -66,7 +66,7 @@ steps:
core.setFailed(
'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
`'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
`${statusPageNotifications.length}. All notification reporting descriptors: ` +
`${statusPageNotifications.length}. All notification reporting descriptors: ` +
`${JSON.stringify(toolExecutionNotifications)}.`
);
}

2
pr-checks/checks/extractor-ram-threads.yml
View file

@ -1,6 +1,6 @@
name: "Extractor ram and threads options test"
description: "Tests passing RAM and threads limits to extractors"
versions: ["latest"]
versions: ["linked"]
operatingSystems: ["ubuntu"]
steps:
- uses: ./../action/init

5
pr-checks/checks/go-custom-queries.yml
View file

@ -3,6 +3,9 @@ description: "Checks that Go works in conjunction with a config file specifying
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- uses: actions/setup-go@v5
with:
go-version: ">=1.21.0"
- uses: ./../action/init
with:
languages: go
@ -12,5 +15,3 @@ steps:
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
upload-database: false

6
pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml
View file

@ -5,7 +5,7 @@ operatingSystems: ["ubuntu"]
# pinned to a version which does not support statically linked binaries for indirect tracing
versions: ["stable-v2.14.6"]
steps:
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
# We need a Go version that ships with statically linked binaries on Linux
go-version: ">=1.21.0"
@ -14,7 +14,7 @@ steps:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
# Deliberately change Go after the `init` step
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
go-version: "1.20"
- name: Build code
@ -25,7 +25,7 @@ steps:
output: "${{ runner.temp }}/results"
upload-database: false
- name: Check diagnostic appears in SARIF
uses: actions/github-script@v6
uses: actions/github-script@v7
env:
SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
with:

50
pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml Normal file
View file

@ -0,0 +1,50 @@
name: "Go: diagnostic when `file` is not installed"
description: "Checks that we emit a diagnostic if the `file` program is not installed"
# only Linux is affected
operatingSystems: ["ubuntu"]
# pinned to a version which does not support statically linked binaries for indirect tracing
versions: ["stable-v2.14.6"]
steps:
- uses: actions/setup-go@v5
with:
# We need a Go version that ships with statically linked binaries on Linux
go-version: ">=1.21.0"
- name: Remove `file` program
run: |
echo $(which file)
sudo rm -rf $(which file)
echo $(which file)
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: go build main.go
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
upload-database: false
- name: Check diagnostic appears in SARIF
uses: actions/github-script@v7
env:
SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
with:
script: |
const fs = require('fs');
const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
const run = sarif.runs[0];
const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
const statusPageNotifications = toolExecutionNotifications.filter(n =>
n.descriptor.id === 'go/workflow/file-program-unavailable' && n.properties?.visibility?.statusPage
);
if (statusPageNotifications.length !== 1) {
core.setFailed(
'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
`'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
`${statusPageNotifications.length}. All notification reporting descriptors: ` +
`${JSON.stringify(toolExecutionNotifications)}.`
);
}

4
pr-checks/checks/go-indirect-tracing-workaround.yml
View file

@ -5,7 +5,7 @@ operatingSystems: ["ubuntu"]
# pinned to a version which does not support statically linked binaries for indirect tracing
versions: ["stable-v2.14.6"]
steps:
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
# We need a Go version that ships with statically linked binaries on Linux
go-version: ">=1.21.0"
@ -17,8 +17,6 @@ steps:
shell: bash
run: go build main.go
- uses: ./../action/analyze
with:
upload-database: false
- shell: bash
run: |
if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then

9
pr-checks/checks/go-tracing-autobuilder.yml
View file

@ -4,17 +4,18 @@ operatingSystems: ["ubuntu", "macos"]
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
go-version: "~1.21.1"
go-version: "~1.22.0"
# to avoid potentially misleading autobuilder results where we expect it to download
# dependencies successfully, but they actually come from a warm cache
cache: false
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
- uses: ./../action/analyze
with:
upload-database: false
- shell: bash
run: |
if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then

9
pr-checks/checks/go-tracing-custom-build-steps.yml
View file

@ -2,9 +2,12 @@ name: "Go: tracing with custom build steps"
description: "Checks that Go tracing traces the build when using custom build steps"
operatingSystems: ["ubuntu", "macos"]
steps:
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
go-version: "~1.21.1"
go-version: "~1.22.0"
# to avoid potentially misleading autobuilder results where we expect it to download
# dependencies successfully, but they actually come from a warm cache
cache: false
- uses: ./../action/init
with:
languages: go
@ -13,8 +16,6 @@ steps:
shell: bash
run: go build main.go
- uses: ./../action/analyze
with:
upload-database: false
- shell: bash
run: |
# Once we start running Bash 4.2 in all environments, we can replace the

9
pr-checks/checks/go-tracing-legacy-workflow.yml
View file

@ -4,16 +4,17 @@ operatingSystems: ["ubuntu", "macos"]
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
go-version: "~1.21.1"
go-version: "~1.22.0"
# to avoid potentially misleading autobuilder results where we expect it to download
# dependencies successfully, but they actually come from a warm cache
cache: false
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
upload-database: false
- shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"

2
pr-checks/checks/init-with-registries.yml
View file

@ -7,7 +7,7 @@ description: "Checks that specifying a registries block and associated auth work
versions: [
# This feature is not compatible with older CLIs
"default",
"latest",
"linked",
"nightly-latest",
]

4
pr-checks/checks/javascript-source-root.yml
View file

@ -1,6 +1,6 @@
name: "Custom source root"
description: "Checks that the argument specifying a non-default source root works"
versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with old CLIs
versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
operatingSystems: ["ubuntu"]
steps:
- name: Move codeql-action
@ -15,9 +15,7 @@ steps:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
upload-database: false
skip-queries: true
upload: never
- name: Assert database exists
shell: bash
run: |

2
pr-checks/checks/language-aliases.yml
View file

@ -1,6 +1,6 @@
name: "Language aliases"
description: "Tests that language aliases are resolved correctly"
versions: ["latest"]
versions: ["linked"]
operatingSystems: ["ubuntu"]
steps:
- uses: ./../action/init

11
pr-checks/checks/multi-language-autodetect.yml
View file

@ -1,7 +1,12 @@
name: "Multi-language repository"
description: "An end-to-end integration test of a multi-language repository using automatic language detection"
operatingSystems: ["ubuntu", "macos"]
# TODO: Add ubuntu back for `nightly-latest` and `latest` once CLI v2.17.4 is available.
operatingSystems: ["macos"]
steps:
- uses: actions/setup-go@v5
with:
go-version: ">=1.21.0"
- uses: ./../action/init
id: init
with:
@ -61,9 +66,7 @@ steps:
fi
- name: Check language autodetect for Swift
if: >-
env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' ||
(runner.os != 'Windows' && matrix.version == 'nightly-latest')
if: runner.os != 'Windows' && matrix.version != 'stable-20230403'
shell: bash
run: |
SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}

6
pr-checks/checks/packaging-codescanning-config-inputs-js.yml
View file

@ -1,10 +1,6 @@
name: "Packaging: Config and input passed to the CLI"
description: "Checks that specifying packages using a combination of a config file and input to the Action works"
versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with old CLIs
env:
CODEQL_PASS_CONFIG_TO_CLI: true
versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
steps:
- uses: ./../action/init
with:

2
pr-checks/checks/packaging-config-inputs-js.yml
View file

@ -1,6 +1,6 @@
name: "Packaging: Config and input"
description: "Checks that specifying packages using a combination of a config file and input to the Action works"
versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with old CLIs
versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
steps:
- uses: ./../action/init
with:

2
pr-checks/checks/packaging-config-js.yml
View file

@ -1,6 +1,6 @@
name: "Packaging: Config file"
description: "Checks that specifying packages using only a config file works"
versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with old CLIs
versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
steps:
- uses: ./../action/init
with:

2
pr-checks/checks/packaging-inputs-js.yml
View file

@ -1,6 +1,6 @@
name: "Packaging: Action input"
description: "Checks that specifying packages using the input to the Action works"
versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with old CLIs
versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
steps:
- uses: ./../action/init
with:

2
pr-checks/checks/resolve-environment-action.yml
View file

@ -1,6 +1,6 @@
name: "Resolve environment"
description: "Tests that the resolve-environment action works for Go and JavaScript/TypeScript"
versions: ["stable-v2.13.4", "default", "latest", "nightly-latest"]
versions: ["stable-v2.13.4", "default", "linked", "nightly-latest"]
steps:
- uses: ./../action/init
with:

2
pr-checks/checks/ruby.yml
View file

@ -1,6 +1,6 @@
name: "Ruby analysis"
description: "Tests creation of a Ruby database"
versions: ["latest", "default", "nightly-latest"]
versions: ["linked", "default", "nightly-latest"]
operatingSystems: ["ubuntu", "macos"]
steps:
- uses: ./../action/init

7
pr-checks/checks/scaling-reserved-ram.yml
View file

@ -1,9 +1,14 @@
name: "Scaling reserved RAM"
description: "An end-to-end integration test of a multi-language repository with the scaling_reserved_ram feature flag enabled"
operatingSystems: ["ubuntu", "macos"]
# TODO: Add ubuntu back for `nightly-latest` and `latest` once CLI v2.17.4 is available.
operatingSystems: ["macos"]
env:
CODEQL_ACTION_SCALING_RESERVED_RAM: true
steps:
- uses: actions/setup-go@v5
with:
go-version: ">=1.21.0"
- uses: ./../action/init
id: init
with:

2
pr-checks/checks/split-workflow.yml
View file

@ -1,7 +1,7 @@
name: "Split workflow"
description: "Tests a split-up workflow in which we first build a database and later analyze it"
operatingSystems: ["ubuntu", "macos"]
versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with old CLIs
versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs
steps:
- uses: ./../action/init
with:

2
pr-checks/checks/submit-sarif-failure.yml
View file

@ -1,6 +1,6 @@
name: Submit SARIF after failure
description: Check that a SARIF file is submitted for the workflow run if it fails
versions: ["latest", "default", "nightly-latest"]
versions: ["linked", "default", "nightly-latest"]
operatingSystems: ["ubuntu"]
env:

5
pr-checks/checks/swift-custom-build.yml
View file

@ -1,7 +1,8 @@
name: "Swift analysis using a custom build command"
description: "Tests creation of a Swift database using custom build"
versions: ["latest", "default", "nightly-latest"]
operatingSystems: ["ubuntu", "macos"]
versions: ["linked", "default", "nightly-latest"]
# TODO: Add ubuntu back for `nightly-latest` and `latest` once CLI v2.17.4 is available.
operatingSystems: ["macos"]
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:

4
pr-checks/checks/test-autobuild-working-dir.yml
View file

@ -1,6 +1,6 @@
name: "Autobuild working directory"
description: "Tests working-directory input of autobuild action"
versions: ["latest"]
versions: ["linked"]
operatingSystems: ["ubuntu"]
steps:
- name: Test setup
@ -18,8 +18,6 @@ steps:
with:
working-directory: autobuild-dir
- uses: ./../action/analyze
with:
upload-database: false
- name: Check database
shell: bash
run: |

2
pr-checks/checks/test-local-codeql.yml
View file

@ -20,5 +20,3 @@ steps:
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
upload-database: false

4
pr-checks/checks/test-proxy.yml
View file

@ -1,6 +1,6 @@
name: "Proxy test"
description: "Tests using a proxy specified by the https_proxy environment variable"
versions: ["latest"]
versions: ["linked"]
operatingSystems: ["ubuntu"]
container:
image: ubuntu:22.04
@ -18,5 +18,3 @@ steps:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
upload-database: false

7
pr-checks/checks/unset-environment.yml
View file

@ -1,6 +1,8 @@
name: "Test unsetting environment variables"
description: "An end-to-end integration test that unsets some environment variables"
operatingSystems: ["ubuntu"]
# TODO: Switch back to all versions once CLI v2.17.4 is available and running on ubuntu again.
versions: ["stable-v2.14.6", "stable-v2.15.5", "stable-v2.16.6", "linked", "default", "nightly-latest"]
operatingSystems: ["macos"] # TODO: Switch back to ubuntu for `nightly-latest` and `latest` once CLI v2.17.4 is available.
steps:
- uses: ./../action/init
id: init
@ -10,6 +12,9 @@ steps:
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{ steps.init.outputs.codeql-path }}
- uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
- name: Build code
shell: bash
# Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a

2
pr-checks/checks/upload-ref-sha-input.yml
View file

@ -10,9 +10,9 @@ steps:
- name: Build code
shell: bash
run: ./build.sh
# Generate some SARIF we can upload with the upload-sarif step
- uses: ./../action/analyze
with:
upload-database: false
ref: 'refs/heads/main'
sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
upload: never

34
pr-checks/checks/with-checkout-path.yml
View file

@ -1,42 +1,40 @@
name: "Use a custom `checkout_path`"
description: "Checks that a custom `checkout_path` will find the proper commit_oid"
versions: ["linked"]
steps:
# This ensures we don't accidentally use the original checkout for any part of the test.
- name: Delete original checkout
shell: bash
run: |
# delete the original checkout so we don't accidentally use it.
# Actions does not support deleting the current working directory, so we
# delete the contents of the directory instead.
rm -rf ./* .github .git
# Check out the actions repo again, but at a different location.
# choose an arbitrary SHA so that we can later test that the commit_oid is not from main
- uses: actions/checkout@v4
with:
ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
path: x/y/z/some-path
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
# it's enough to test one compiled language and one interpreted language
languages: csharp,javascript
source-path: x/y/z/some-path/tests/multi-language-repo
debug: true
- name: Build code (non-windows)
source-root: x/y/z/some-path/tests/multi-language-repo
- name: Build code
shell: bash
if: ${{ runner.os != 'Windows' }}
working-directory: x/y/z/some-path/tests/multi-language-repo
run: |
$CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
- name: Build code (windows)
shell: bash
if: ${{ runner.os == 'Windows' }}
run: |
x/y/z/some-path/tests/multi-language-repo/build.sh
./build.sh
- uses: ./../action/analyze
with:
checkout_path: x/y/z/some-path/tests/multi-language-repo
ref: v1.1.0
sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
upload: never
upload-database: false
- uses: ./../action/upload-sarif
with:
ref: v1.1.0
sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
checkout_path: x/y/z/some-path/tests/multi-language-repo
- name: Verify SARIF after upload
shell: bash

80
pr-checks/sync.py Normal file → Executable file
View file

@ -1,26 +1,28 @@
#!/usr/bin/env python
import ruamel.yaml
from ruamel.yaml.scalarstring import FoldedScalarString
import os
from ruamel.yaml.scalarstring import FoldedScalarString, SingleQuotedScalarString
import pathlib
import textwrap
# The default set of CodeQL Bundle versions to use for the PR checks.
defaultTestVersions = [
# The oldest supported CodeQL version: 2.10.5. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
"stable-20220908",
# The last CodeQL release in the 2.11 series: 2.11.6.
"stable-20221211",
# The last CodeQL release in the 2.12 series: 2.12.7.
"stable-20230418",
# The oldest supported CodeQL version: 2.12.6. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
"stable-20230403",
# The last CodeQL release in the 2.13 series: 2.13.5.
"stable-v2.13.5",
# The last CodeQL release in the 2.14 series: 2.14.6.
"stable-v2.14.6",
# The last CodeQL release in the 2.15 series: 2.15.5.
"stable-v2.15.5",
# The last CodeQL release in the 2.16 series: 2.16.6.
"stable-v2.16.6",
# The default version of CodeQL for Dotcom, as determined by feature flags.
"default",
# The version of CodeQL shipped with the Action in `defaults.json`. During the release process
# for a new CodeQL release, there will be a period of time during which this will be newer than
# the default version on Dotcom.
"latest",
"linked",
# A nightly build directly from the our private repo, built in the last 24 hours.
"nightly-latest"
]
@ -46,10 +48,13 @@ def writeHeader(checkStream):
yaml = ruamel.yaml.YAML()
yaml.Representer = NonAliasingRTRepresenter
yaml.indent(mapping=2, sequence=4, offset=2)
this_dir = pathlib.Path(__file__).resolve().parent
allJobs = {}
for file in os.listdir('checks'):
with open(f"checks/{file}", 'r') as checkStream:
for file in (this_dir / 'checks').glob('*.yml'):
with open(file, 'r') as checkStream:
checkSpecification = yaml.load(checkStream)
matrix = []
@ -60,16 +65,39 @@ for file in os.listdir('checks'):
if image.startswith(operatingSystem)]
for runnerImage in runnerImages:
matrix.append({
'os': runnerImage,
'version': version
})
# Prior to CLI v2.15.1, ARM runners were not supported by the build tracer.
# "macos-latest" is now an ARM runner, so we run tests on the old CLIs on Intel runners instead.
if version in ["stable-20230403", "stable-v2.13.4", "stable-v2.13.5", "stable-v2.14.6"] and runnerImage == "macos-latest":
matrix.append({
'os': "macos-12",
'version': version
})
else:
matrix.append({
'os': runnerImage,
'version': version
})
useAllPlatformBundle = "false" # Default to false
if checkSpecification.get('useAllPlatformBundle'):
useAllPlatformBundle = checkSpecification['useAllPlatformBundle']
steps = [
{
'name': 'Setup Python on MacOS',
'uses': 'actions/setup-python@v5',
# Ensure that this is serialized as a folded (`>`) string to preserve the readability
# of the generated workflow.
'if': FoldedScalarString(textwrap.dedent('''
runner.os == 'macOS' && (
matrix.version == 'stable-20230403' ||
matrix.version == 'stable-v2.13.5' ||
matrix.version == 'stable-v2.14.6')
''').strip()),
'with': {
'python-version': '3.11'
}
},
{
'name': 'Check out repository',
'uses': 'actions/checkout@v4'
@ -83,26 +111,13 @@ for file in os.listdir('checks'):
'use-all-platform-bundle': useAllPlatformBundle
}
},
# We don't support Swift on Windows or prior versions of the CLI.
{
'name': 'Set environment variable for Swift enablement',
# Ensure that this is serialized as a folded (`>`) string to preserve the readability
# of the generated workflow.
'if': FoldedScalarString(textwrap.dedent('''
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211'
)
''').strip()),
'shell': 'bash',
'run': 'echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV'
},
]
steps.extend(checkSpecification['steps'])
checkJob = {
'strategy': {
'fail-fast': False,
'matrix': {
'include': matrix
}
@ -126,9 +141,9 @@ for file in os.listdir('checks'):
checkJob['env'] = checkJob.get('env', {})
if 'CODEQL_ACTION_TEST_MODE' not in checkJob['env']:
checkJob['env']['CODEQL_ACTION_TEST_MODE'] = True
checkName = file[:len(file) - 4]
checkName = file.stem
with open(f"../.github/workflows/__{checkName}.yml", 'w') as output_stream:
with open(this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml", 'w') as output_stream:
writeHeader(output_stream)
yaml.dump({
'name': f"PR Check - {checkSpecification['name']}",
@ -141,11 +156,12 @@ for file in os.listdir('checks'):
},
'on': {
'push': {
'branches': ['main', 'releases/v2']
'branches': ['main', 'releases/v*']
},
'pull_request': {
'types': ["opened", "synchronize", "reopened", "ready_for_review"]
},
'schedule': [{'cron': SingleQuotedScalarString('0 5 * * *')}],
'workflow_dispatch': {}
},
'jobs': {