robojerk/codeql-action

Merge branch 'main' into update-bundle/codeql-bundle-v2.14.6

Browse source
This commit is contained in:
Alexander Eyers-Taylor 2023-09-26 13:37:33 +01:00 committed by GitHub
commit cc6542087a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 761 additions and 290 deletions
Download patch file Download diff file Expand all files Collapse all files

2
CHANGELOG.md
View file

@ -5,6 +5,8 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
## [UNRELEASED]
- Update default CodeQL bundle version to 2.14.6. [#1897](https://github.com/github/codeql-action/pull/1897)
- We are rolling out a feature in October 2023 that will improve the success rate of C/C++ autobuild. [#1889](https://github.com/github/codeql-action/pull/1889)
- Add a warning to help customers avoid inadvertently analyzing the same CodeQL language in multiple matrix jobs. [#1901](https://github.com/github/codeql-action/pull/1901)
## 2.21.8 - 19 Sep 2023

58
lib/autobuild.js generated
View file

@ -1,8 +1,37 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.runAutobuild = exports.determineAutobuildLanguages = void 0;
const core = __importStar(require("@actions/core"));
const actions_util_1 = require("./actions-util");
const api_client_1 = require("./api-client");
const codeql_1 = require("./codeql");
const feature_flags_1 = require("./feature-flags");
const languages_1 = require("./languages");
const repository_1 = require("./repository");
const util_1 = require("./util");
async function determineAutobuildLanguages(config, logger) {
// Attempt to find a language to autobuild
// We want pick the dominant language in the repo from the ones we're able to build
@ -70,9 +99,38 @@ async function determineAutobuildLanguages(config, logger) {
return languages;
}
exports.determineAutobuildLanguages = determineAutobuildLanguages;
async function setupCppAutobuild(codeql, logger) {
const envVar = feature_flags_1.featureConfig[feature_flags_1.Feature.CppDependencyInstallation].envVar;
const featureName = "C++ automatic installation of dependencies";
const envDoc = "https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow";
const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
if (await features.getValue(feature_flags_1.Feature.CppDependencyInstallation, codeql)) {
// disable autoinstall on self-hosted runners unless explicitly requested
if (process.env["RUNNER_ENVIRONMENT"] === "self-hosted" &&
process.env[envVar] !== "true") {
logger.info(`Disabling ${featureName} as we are on a self-hosted runner.${(0, actions_util_1.getWorkflowEventName)() !== "dynamic"
? ` To override this, set the ${envVar} environment variable to 'true' in your workflow (see ${envDoc}).`
: ""}`);
core.exportVariable(envVar, "false");
}
else {
logger.info(`Enabling ${featureName}. This can be disabled by setting the ${envVar} environment variable to 'false' (see ${envDoc}).`);
core.exportVariable(envVar, "true");
}
}
else {
logger.info(`Disabling ${featureName}.`);
core.exportVariable(envVar, "false");
}
}
async function runAutobuild(language, config, logger) {
logger.startGroup(`Attempting to automatically build ${language} code`);
const codeQL = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
if (language === languages_1.Language.cpp) {
await setupCppAutobuild(codeQL, logger);
}
await codeQL.runAutobuild(language);
logger.endGroup();
}

2
lib/autobuild.js.map
View file

@ -1 +1 @@
{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AAErC,2CAAyD;AAGlD,KAAK,UAAU,2BAA2B,CAC/C,MAA0B,EAC1B,MAAc;IAEd,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,kBAAkB,EAAE;QACvB,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;KAClB;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,oBAAQ,CAAC,EAAE,CACzB,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE;QAChD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;KAChD;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE;QACpE,SAAS,CAAC,IAAI,CAAC,oBAAQ,CAAC,EAAE,CAAC,CAAC;KAC7B;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE;QAC1C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,4BAA4B;YAC5B,0NAA0N,CAC7N,CAAC;KACH;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAtFD,kEAsFC;AAEM,KAAK,UAAU,YAAY,CAChC,QAAkB,EAClB,MAA0B,EAC1B,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AATD,oCASC"}
{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAA6E;AAC7E,6CAAgD;AAChD,qCAA6C;AAE7C,mDAAmE;AACnE,2CAAyD;AAEzD,6CAAkD;AAClD,iCAA6C;AAEtC,KAAK,UAAU,2BAA2B,CAC/C,MAA0B,EAC1B,MAAc;IAEd,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,kBAAkB,EAAE;QACvB,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;KAClB;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,oBAAQ,CAAC,EAAE,CACzB,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE;QAChD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;KAChD;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE;QACpE,SAAS,CAAC,IAAI,CAAC,oBAAQ,CAAC,EAAE,CAAC,CAAC;KAC7B;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE;QAC1C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,4BAA4B;YAC5B,0NAA0N,CAC7N,CAAC;KACH;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAtFD,kEAsFC;AAED,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IAC7D,MAAM,MAAM,GAAG,6BAAa,CAAC,uBAAO,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC;IACvE,MAAM,WAAW,GAAG,4CAA4C,CAAC;IACjE,MAAM,MAAM,GACV,wHAAwH,CAAC;IAC3H,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IACF,IAAI,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,EAAE;QACtE,yEAAyE;QACzE,IACE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,aAAa;YACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,MAAM,EAC9B;YACA,MAAM,CAAC,IAAI,CACT,aAAa,WAAW,sCACtB,IAAA,mCAAoB,GAAE,KAAK,SAAS;gBAClC,CAAC,CAAC,8BAA8B,MAAM,yDAAyD,MAAM,IAAI;gBACzG,CAAC,CAAC,EACN,EAAE,CACH,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;SACtC;aAAM;YACL,MAAM,CAAC,IAAI,CACT,YAAY,WAAW,yCAAyC,MAAM,yCAAyC,MAAM,IAAI,CAC1H,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;SACrC;KACF;SAAM;QACL,MAAM,CAAC,IAAI,CAAC,aAAa,WAAW,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACtC;AACH,CAAC;AAEM,KAAK,UAAU,YAAY,CAChC,QAAkB,EAClB,MAA0B,EAC1B,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,GAAG,EAAE;QAC7B,MAAM,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACzC;IACD,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAZD,oCAYC"}

11
lib/feature-flags.js generated
View file

@ -41,9 +41,10 @@ exports.CODEQL_VERSION_BUNDLE_SEMANTICALLY_VERSIONED = "2.13.4";
*/
exports.CODEQL_VERSION_ANALYSIS_SUMMARY_V2 = "2.14.0";
/**
* Versions 2.14.0+ of the CodeQL CLI support intra-layer parallelism (aka fine-grained parallelism) options.
* Versions 2.14.0+ of the CodeQL CLI support intra-layer parallelism (aka fine-grained parallelism) options, but we
* limit to 2.14.6 onwards, since that's the version that has mitigations against OOM failures.
*/
exports.CODEQL_VERSION_INTRA_LAYER_PARALLELISM = "2.14.0";
exports.CODEQL_VERSION_INTRA_LAYER_PARALLELISM = "2.14.6";
/**
* Feature enablement as returned by the GitHub API endpoint.
*
@ -54,6 +55,7 @@ var Feature;
Feature["AnalysisSummaryV2Enabled"] = "analysis_summary_v2_enabled";
Feature["CliConfigFileEnabled"] = "cli_config_file_enabled";
Feature["CodeqlJavaLombokEnabled"] = "codeql_java_lombok_enabled";
Feature["CppDependencyInstallation"] = "cpp_dependency_installation_enabled";
Feature["DisableKotlinAnalysisEnabled"] = "disable_kotlin_analysis_enabled";
Feature["DisablePythonDependencyInstallationEnabled"] = "disable_python_dependency_installation_enabled";
Feature["EvaluatorIntraLayerParallelismEnabled"] = "evaluator_intra_layer_parallelism_enabled";
@ -73,6 +75,11 @@ exports.featureConfig = {
minimumVersion: "2.14.0",
defaultValue: false,
},
[Feature.CppDependencyInstallation]: {
envVar: "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES",
minimumVersion: "2.15.0",
defaultValue: false,
},
[Feature.DisableKotlinAnalysisEnabled]: {
envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS",
minimumVersion: undefined,

2
lib/feature-flags.js.map
View file

File diff suppressed because one or more lines are too long

4
lib/init-action.js generated
View file

@ -121,8 +121,7 @@ async function run() {
const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
core.exportVariable(environment_1.EnvVar.JOB_RUN_UUID, (0, uuid_1.v4)());
try {
const workflowErrors = await (0, workflow_1.validateWorkflow)(logger);
if (!(await (0, status_report_1.sendStatusReport)(await (0, status_report_1.createStatusReportBase)("init", "starting", startedAt, await (0, util_1.checkDiskUsage)(logger), workflowErrors)))) {
if (!(await (0, status_report_1.sendStatusReport)(await (0, status_report_1.createStatusReportBase)("init", "starting", startedAt, await (0, util_1.checkDiskUsage)(logger))))) {
return;
}
const codeQLDefaultVersionInfo = await features.getDefaultCliVersion(gitHubVersion.type);
@ -132,6 +131,7 @@ async function run() {
toolsDownloadDurationMs = initCodeQLResult.toolsDownloadDurationMs;
toolsVersion = initCodeQLResult.toolsVersion;
toolsSource = initCodeQLResult.toolsSource;
await (0, workflow_1.validateWorkflow)(codeql, logger);
config = await (0, init_1.initConfig)((0, actions_util_1.getOptionalInput)("languages"), (0, actions_util_1.getOptionalInput)("queries"), (0, actions_util_1.getOptionalInput)("packs"), registriesInput, (0, actions_util_1.getOptionalInput)("config-file"), (0, actions_util_1.getOptionalInput)("db-location"), (0, actions_util_1.getOptionalInput)("config"), getTrapCachingEnabled(),
// Debug mode is enabled if:
// - The `init` Action is passed `debug: true`.

2
lib/init-action.js.map
View file

File diff suppressed because one or more lines are too long

52
lib/workflow.js generated
View file

@ -78,11 +78,57 @@ exports.WorkflowErrors = toCodedErrors({
MissingPushHook: `Please specify an on.push hook to analyze and see code scanning alerts from the default branch on the Security tab.`,
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
});
function getWorkflowErrors(doc) {
/**
* Groups the given list of CodeQL languages by their extractor name.
*
* Resolves to `undefined` if the CodeQL version does not support language aliasing.
*/
async function groupLanguagesByExtractor(languages, codeql) {
const resolveResult = await codeql.betterResolveLanguages();
if (!resolveResult.aliases) {
return undefined;
}
const aliases = resolveResult.aliases;
const languagesByExtractor = {};
for (const language of languages) {
const extractorName = aliases[language] || language;
if (!languagesByExtractor[extractorName]) {
languagesByExtractor[extractorName] = [];
}
languagesByExtractor[extractorName].push(language);
}
return languagesByExtractor;
}
async function getWorkflowErrors(doc, codeql) {
const errors = [];
const jobName = process.env.GITHUB_JOB;
if (jobName) {
const job = doc?.jobs?.[jobName];
if (job?.strategy?.matrix?.language) {
const matrixLanguages = job.strategy.matrix.language;
if (Array.isArray(matrixLanguages)) {
// Map extractors to entries in the `language` matrix parameter. This will allow us to
// detect languages which are analyzed in more than one job.
const matrixLanguagesByExtractor = await groupLanguagesByExtractor(matrixLanguages, codeql);
// If the CodeQL version does not support language aliasing, then `matrixLanguagesByExtractor`
// will be `undefined`. In this case, we cannot detect duplicate languages in the matrix.
if (matrixLanguagesByExtractor !== undefined) {
// Check for duplicate languages in the matrix
for (const [extractor, languages] of Object.entries(matrixLanguagesByExtractor)) {
if (languages.length > 1) {
errors.push({
message: `CodeQL language '${extractor}' is referenced by more than one entry in the ` +
`'language' matrix parameter for job '${jobName}'. This may result in duplicate alerts. ` +
`Please edit the 'language' matrix parameter to keep only one of the following: ${languages
.map((language) => `'${language}'`)
.join(", ")}.`,
code: "DuplicateLanguageInMatrix",
});
}
}
}
}
}
const steps = job?.steps;
if (Array.isArray(steps)) {
for (const step of steps) {
@ -127,7 +173,7 @@ function getWorkflowErrors(doc) {
return errors;
}
exports.getWorkflowErrors = getWorkflowErrors;
async function validateWorkflow(logger) {
async function validateWorkflow(codeql, logger) {
let workflow;
try {
workflow = await getWorkflow(logger);
@ -137,7 +183,7 @@ async function validateWorkflow(logger) {
}
let workflowErrors;
try {
workflowErrors = getWorkflowErrors(workflow);
workflowErrors = await getWorkflowErrors(workflow, codeql);
}
catch (e) {
return `error: getWorkflowErrors() failed: ${String(e)}`;

2
lib/workflow.js.map
View file

File diff suppressed because one or more lines are too long

240
lib/workflow.test.js generated
View file

@ -28,119 +28,114 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
Object.defineProperty(exports, "__esModule", { value: true });
const ava_1 = __importDefault(require("ava"));
const yaml = __importStar(require("js-yaml"));
const sinon = __importStar(require("sinon"));
const codeql_1 = require("./codeql");
const testing_utils_1 = require("./testing-utils");
const workflow_1 = require("./workflow");
function errorCodes(actual, expected) {
return [actual.map(({ code }) => code), expected.map(({ code }) => code)];
}
(0, testing_utils_1.setupTests)(ava_1.default);
(0, ava_1.default)("getWorkflowErrors() when on is empty", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ on: {} });
(0, ava_1.default)("getWorkflowErrors() when on is empty", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({ on: {} }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing pull_request", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ on: ["push"] });
(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing pull_request", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({ on: ["push"] }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing push", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ on: ["pull_request"] });
(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing push", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({ on: ["pull_request"] }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.MissingPushHook]));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is valid", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() when on.push is valid", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request"],
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is a valid superset", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() when on.push is a valid superset", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request", "schedule"],
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
});
(0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: {
push: { branches: ["main"] },
pull_request: { branches: ["main"] },
},
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string and correct", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string and correct", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: { push: { branches: "*" }, pull_request: { branches: "*" } },
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is correct with empty objects", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() when on.push is correct with empty objects", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
on:
push:
pull_request:
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is not mismatched", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() when on.push is not mismatched", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: {
push: { branches: ["main", "feature"] },
pull_request: { branches: ["main"] },
},
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() for a range of malformed workflows", (t) => {
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() for a range of malformed workflows", async (t) => {
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: {
push: 1,
pull_request: 1,
},
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
}), []));
t.deepEqual(...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: 1,
}), []));
t.deepEqual(...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: [1],
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { 1: 1 },
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { test: 1 },
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { test: [1] },
}), []));
t.deepEqual(...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { test: { steps: 1 } },
}), []));
t.deepEqual(...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { test: [undefined] },
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(1), []));
t.deepEqual(...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(1, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: {
push: {
branches: 1,
@ -149,25 +144,86 @@ function errorCodes(actual, expected) {
branches: 1,
},
},
}), []));
}, await (0, codeql_1.getCodeQLForTesting)()), []));
});
(0, ava_1.default)("getWorkflowErrors() when on.pull_request for wildcard branches", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() when on.pull_request for wildcard branches", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: {
push: { branches: ["feature/*"] },
pull_request: { branches: "feature/moose" },
},
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when HEAD^2 is checked out", (t) => {
(0, ava_1.default)("getWorkflowErrors() when HEAD^2 is checked out", async (t) => {
process.env.GITHUB_JOB = "test";
const errors = (0, workflow_1.getWorkflowErrors)({
const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request"],
jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.CheckoutWrongHead]));
});
(0, ava_1.default)("getWorkflowErrors() produces an error for workflow with language name and its alias", async (t) => {
await testLanguageAliases(t, ["java", "kotlin"], { java: ["java-kotlin", "kotlin"] }, [
"CodeQL language 'java' is referenced by more than one entry in the 'language' matrix " +
"parameter for job 'test'. This may result in duplicate alerts. Please edit the 'language' " +
"matrix parameter to keep only one of the following: 'java', 'kotlin'.",
]);
});
(0, ava_1.default)("getWorkflowErrors() produces an error for workflow with two aliases same language", async (t) => {
await testLanguageAliases(t, ["java-kotlin", "kotlin"], { java: ["java-kotlin", "kotlin"] }, [
"CodeQL language 'java' is referenced by more than one entry in the 'language' matrix " +
"parameter for job 'test'. This may result in duplicate alerts. Please edit the 'language' " +
"matrix parameter to keep only one of the following: 'java-kotlin', 'kotlin'.",
]);
});
(0, ava_1.default)("getWorkflowErrors() does not produce an error for workflow with two distinct languages", async (t) => {
await testLanguageAliases(t, ["java", "typescript"], {
java: ["java-kotlin", "kotlin"],
javascript: ["javascript-typescript", "typescript"],
}, []);
});
(0, ava_1.default)("getWorkflowErrors() does not produce an error if codeql doesn't support language aliases", async (t) => {
await testLanguageAliases(t, ["java-kotlin", "kotlin"], undefined, []);
});
async function testLanguageAliases(t, matrixLanguages, aliases, expectedErrorMessages) {
process.env.GITHUB_JOB = "test";
const codeql = await (0, codeql_1.getCodeQLForTesting)();
sinon.stub(codeql, "betterResolveLanguages").resolves({
aliases: aliases !== undefined
? // Remap from languageName -> aliases to alias -> languageName
Object.assign({}, ...Object.entries(aliases).flatMap(([language, languageAliases]) => languageAliases.map((alias) => ({
[alias]: language,
}))))
: undefined,
extractors: {
java: [
{
extractor_root: "",
},
],
},
});
const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request"],
jobs: {
test: {
strategy: {
matrix: {
language: matrixLanguages,
},
},
steps: [
{ uses: "actions/checkout@v2" },
{ uses: "github/codeql-action/init@v2" },
{ uses: "github/codeql-action/analyze@v2" },
],
},
},
}, codeql);
t.is(errors.length, expectedErrorMessages.length);
t.deepEqual(errors.map((e) => e.message), expectedErrorMessages);
}
(0, ava_1.default)("formatWorkflowErrors() when there is one error", (t) => {
const message = (0, workflow_1.formatWorkflowErrors)([workflow_1.WorkflowErrors.CheckoutWrongHead]);
t.true(message.startsWith("1 issue was detected with this workflow:"));
@ -213,19 +269,19 @@ function errorCodes(actual, expected) {
t.true((0, workflow_1.patternIsSuperset)("/robin/*/release/*", "/robin/moose/release/goose"));
t.false((0, workflow_1.patternIsSuperset)("/robin/moose/release/goose", "/robin/*/release/*"));
});
(0, ava_1.default)("getWorkflowErrors() when branches contain dots", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() when branches contain dots", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
on:
push:
branches: [4.1, master]
pull_request:
# The branches below must be a subset of the branches above
branches: [4.1, master]
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push has a trailing comma", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() when on.push has a trailing comma", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on:
push:
@ -233,12 +289,12 @@ function errorCodes(actual, expected) {
pull_request:
# The branches below must be a subset of the branches above
branches: [master]
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() should only report the current job's CheckoutWrongHead", (t) => {
(0, ava_1.default)("getWorkflowErrors() should only report the current job's CheckoutWrongHead", async (t) => {
process.env.GITHUB_JOB = "test";
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on:
push:
@ -257,12 +313,12 @@ function errorCodes(actual, expected) {
test3:
steps: []
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.CheckoutWrongHead]));
});
(0, ava_1.default)("getWorkflowErrors() should not report a different job's CheckoutWrongHead", (t) => {
(0, ava_1.default)("getWorkflowErrors() should not report a different job's CheckoutWrongHead", async (t) => {
process.env.GITHUB_JOB = "test3";
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on:
push:
@ -281,41 +337,41 @@ function errorCodes(actual, expected) {
test3:
steps: []
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on is missing", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() when on is missing", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() with a different on setup", (t) => {
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() with a different on setup", async (t) => {
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on: "workflow_dispatch"
`)), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(`
`), await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on: [workflow_dispatch]
`)), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(`
`), await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on:
workflow_dispatch: {}
`)), []));
`), await (0, codeql_1.getCodeQLForTesting)()), []));
});
(0, ava_1.default)("getWorkflowErrors() should not report an error if PRs are totally unconfigured", (t) => {
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() should not report an error if PRs are totally unconfigured", async (t) => {
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on:
push:
branches: [master]
`)), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(`
`), await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on: ["push"]
`)), []));
`), await (0, codeql_1.getCodeQLForTesting)()), []));
});
(0, ava_1.default)("getCategoryInputOrThrow returns category for simple workflow with category", (t) => {
process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";

2
lib/workflow.test.js.map
View file

File diff suppressed because one or more lines are too long

2
queries/default-setup-environment-variables.ql
View file

@ -23,7 +23,7 @@ predicate isSafeForDefaultSetup(string envVar) {
"GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",
"GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",
"GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH",
"RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE"
"RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE"
]
}

55
src/autobuild.ts
View file

@ -1,7 +1,14 @@
import { getCodeQL } from "./codeql";
import * as core from "@actions/core";
import { getTemporaryDirectory, getWorkflowEventName } from "./actions-util";
import { getGitHubVersion } from "./api-client";
import { CodeQL, getCodeQL } from "./codeql";
import * as configUtils from "./config-utils";
import { Language, isTracedLanguage } from "./languages";
import { Feature, featureConfig, Features } from "./feature-flags";
import { isTracedLanguage, Language } from "./languages";
import { Logger } from "./logging";
import { parseRepositoryNwo } from "./repository";
import { getRequiredEnvParam } from "./util";
export async function determineAutobuildLanguages(
config: configUtils.Config,
@ -91,6 +98,47 @@ export async function determineAutobuildLanguages(
return languages;
}
async function setupCppAutobuild(codeql: CodeQL, logger: Logger) {
const envVar = featureConfig[Feature.CppDependencyInstallation].envVar;
const featureName = "C++ automatic installation of dependencies";
const envDoc =
"https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow";
const gitHubVersion = await getGitHubVersion();
const repositoryNwo = parseRepositoryNwo(
getRequiredEnvParam("GITHUB_REPOSITORY"),
);
const features = new Features(
gitHubVersion,
repositoryNwo,
getTemporaryDirectory(),
logger,
);
if (await features.getValue(Feature.CppDependencyInstallation, codeql)) {
// disable autoinstall on self-hosted runners unless explicitly requested
if (
process.env["RUNNER_ENVIRONMENT"] === "self-hosted" &&
process.env[envVar] !== "true"
) {
logger.info(
`Disabling ${featureName} as we are on a self-hosted runner.${
getWorkflowEventName() !== "dynamic"
? ` To override this, set the ${envVar} environment variable to 'true' in your workflow (see ${envDoc}).`
: ""
}`,
);
core.exportVariable(envVar, "false");
} else {
logger.info(
`Enabling ${featureName}. This can be disabled by setting the ${envVar} environment variable to 'false' (see ${envDoc}).`,
);
core.exportVariable(envVar, "true");
}
} else {
logger.info(`Disabling ${featureName}.`);
core.exportVariable(envVar, "false");
}
}
export async function runAutobuild(
language: Language,
config: configUtils.Config,
@ -98,6 +146,9 @@ export async function runAutobuild(
) {
logger.startGroup(`Attempting to automatically build ${language} code`);
const codeQL = await getCodeQL(config.codeQLCmd);
if (language === Language.cpp) {
await setupCppAutobuild(codeQL, logger);
}
await codeQL.runAutobuild(language);
logger.endGroup();
}

11
src/feature-flags.ts
View file

@ -24,9 +24,10 @@ export const CODEQL_VERSION_BUNDLE_SEMANTICALLY_VERSIONED = "2.13.4";
export const CODEQL_VERSION_ANALYSIS_SUMMARY_V2 = "2.14.0";
/**
* Versions 2.14.0+ of the CodeQL CLI support intra-layer parallelism (aka fine-grained parallelism) options.
* Versions 2.14.0+ of the CodeQL CLI support intra-layer parallelism (aka fine-grained parallelism) options, but we
* limit to 2.14.6 onwards, since that's the version that has mitigations against OOM failures.
*/
export const CODEQL_VERSION_INTRA_LAYER_PARALLELISM = "2.14.0";
export const CODEQL_VERSION_INTRA_LAYER_PARALLELISM = "2.14.6";
export interface CodeQLDefaultVersionInfo {
cliVersion: string;
@ -51,6 +52,7 @@ export enum Feature {
AnalysisSummaryV2Enabled = "analysis_summary_v2_enabled",
CliConfigFileEnabled = "cli_config_file_enabled",
CodeqlJavaLombokEnabled = "codeql_java_lombok_enabled",
CppDependencyInstallation = "cpp_dependency_installation_enabled",
DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
DisablePythonDependencyInstallationEnabled = "disable_python_dependency_installation_enabled",
EvaluatorIntraLayerParallelismEnabled = "evaluator_intra_layer_parallelism_enabled",
@ -74,6 +76,11 @@ export const featureConfig: Record<
minimumVersion: "2.14.0",
defaultValue: false,
},
[Feature.CppDependencyInstallation]: {
envVar: "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES",
minimumVersion: "2.15.0",
defaultValue: false,
},
[Feature.DisableKotlinAnalysisEnabled]: {
envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS",
minimumVersion: undefined,

5
src/init-action.ts
View file

@ -217,8 +217,6 @@ async function run() {
core.exportVariable(EnvVar.JOB_RUN_UUID, uuidV4());
try {
const workflowErrors = await validateWorkflow(logger);
if (
!(await sendStatusReport(
await createStatusReportBase(
@ -226,7 +224,6 @@ async function run() {
"starting",
startedAt,
await checkDiskUsage(logger),
workflowErrors,
),
))
) {
@ -250,6 +247,8 @@ async function run() {
toolsVersion = initCodeQLResult.toolsVersion;
toolsSource = initCodeQLResult.toolsSource;
await validateWorkflow(codeql, logger);
config = await initConfig(
getOptionalInput("languages"),
getOptionalInput("queries"),

532
src/workflow.test.ts
View file

@ -1,6 +1,8 @@
import test from "ava";
import test, { ExecutionContext } from "ava";
import * as yaml from "js-yaml";
import * as sinon from "sinon";
import { getCodeQLForTesting } from "./codeql";
import { setupTests } from "./testing-utils";
import {
CodedError,
@ -22,227 +24,395 @@ function errorCodes(
setupTests(test);
test("getWorkflowErrors() when on is empty", (t) => {
const errors = getWorkflowErrors({ on: {} });
test("getWorkflowErrors() when on is empty", async (t) => {
const errors = await getWorkflowErrors(
{ on: {} },
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on.push is an array missing pull_request", (t) => {
const errors = getWorkflowErrors({ on: ["push"] });
test("getWorkflowErrors() when on.push is an array missing pull_request", async (t) => {
const errors = await getWorkflowErrors(
{ on: ["push"] },
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on.push is an array missing push", (t) => {
const errors = getWorkflowErrors({ on: ["pull_request"] });
test("getWorkflowErrors() when on.push is an array missing push", async (t) => {
const errors = await getWorkflowErrors(
{ on: ["pull_request"] },
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [WorkflowErrors.MissingPushHook]));
});
test("getWorkflowErrors() when on.push is valid", (t) => {
const errors = getWorkflowErrors({
on: ["push", "pull_request"],
});
test("getWorkflowErrors() when on.push is valid", async (t) => {
const errors = await getWorkflowErrors(
{
on: ["push", "pull_request"],
},
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on.push is a valid superset", (t) => {
const errors = getWorkflowErrors({
on: ["push", "pull_request", "schedule"],
});
test("getWorkflowErrors() when on.push is a valid superset", async (t) => {
const errors = await getWorkflowErrors(
{
on: ["push", "pull_request", "schedule"],
},
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on.push is a correct object", (t) => {
const errors = getWorkflowErrors({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
});
test("getWorkflowErrors() when on.push is a correct object", async (t) => {
const errors = await getWorkflowErrors(
{
on: {
push: { branches: ["main"] },
pull_request: { branches: ["main"] },
},
},
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on.pull_requests is a string and correct", (t) => {
const errors = getWorkflowErrors({
on: { push: { branches: "*" }, pull_request: { branches: "*" } },
});
test("getWorkflowErrors() when on.pull_requests is a string and correct", async (t) => {
const errors = await getWorkflowErrors(
{
on: { push: { branches: "*" }, pull_request: { branches: "*" } },
},
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on.push is correct with empty objects", (t) => {
const errors = getWorkflowErrors(
test("getWorkflowErrors() when on.push is correct with empty objects", async (t) => {
const errors = await getWorkflowErrors(
yaml.load(`
on:
push:
pull_request:
`) as Workflow,
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on.push is not mismatched", (t) => {
const errors = getWorkflowErrors({
on: {
push: { branches: ["main", "feature"] },
pull_request: { branches: ["main"] },
test("getWorkflowErrors() when on.push is not mismatched", async (t) => {
const errors = await getWorkflowErrors(
{
on: {
push: { branches: ["main", "feature"] },
pull_request: { branches: ["main"] },
},
},
});
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() for a range of malformed workflows", (t) => {
test("getWorkflowErrors() for a range of malformed workflows", async (t) => {
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: {
push: 1,
pull_request: 1,
},
} as Workflow),
[],
),
);
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: 1,
} as Workflow),
[],
),
);
t.deepEqual(
...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
getWorkflowErrors({
on: 1,
jobs: 1,
} as any),
[],
),
);
t.deepEqual(
...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
getWorkflowErrors({
on: 1,
jobs: [1],
} as any),
[],
),
);
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: 1,
jobs: { 1: 1 },
} as Workflow),
[],
),
);
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: 1,
jobs: { test: 1 },
} as Workflow),
[],
),
);
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: 1,
jobs: { test: [1] },
} as Workflow),
[],
),
);
t.deepEqual(
...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
getWorkflowErrors({
on: 1,
jobs: { test: { steps: 1 } },
} as any),
[],
),
);
t.deepEqual(
...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
getWorkflowErrors({
on: 1,
jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
} as any),
[],
),
);
t.deepEqual(
...errorCodes(
getWorkflowErrors({
on: 1,
jobs: { test: [undefined] },
} as Workflow),
[],
),
);
t.deepEqual(...errorCodes(getWorkflowErrors(1 as Workflow), []));
t.deepEqual(
...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
getWorkflowErrors({
on: {
push: {
branches: 1,
await getWorkflowErrors(
{
on: {
push: 1,
pull_request: 1,
},
pull_request: {
branches: 1,
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: 1,
} as unknown as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: [1],
} as unknown as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { 1: 1 },
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { test: 1 },
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { test: [1] },
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { test: { steps: 1 } },
} as unknown as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
} as unknown as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: 1,
jobs: { test: [undefined] },
} as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(1 as Workflow, await getCodeQLForTesting()),
[],
),
);
t.deepEqual(
...errorCodes(
await getWorkflowErrors(
{
on: {
push: {
branches: 1,
},
pull_request: {
branches: 1,
},
},
},
} as any),
} as unknown as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
});
test("getWorkflowErrors() when on.pull_request for wildcard branches", (t) => {
const errors = getWorkflowErrors({
on: {
push: { branches: ["feature/*"] },
pull_request: { branches: "feature/moose" },
test("getWorkflowErrors() when on.pull_request for wildcard branches", async (t) => {
const errors = await getWorkflowErrors(
{
on: {
push: { branches: ["feature/*"] },
pull_request: { branches: "feature/moose" },
},
},
});
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when HEAD^2 is checked out", (t) => {
test("getWorkflowErrors() when HEAD^2 is checked out", async (t) => {
process.env.GITHUB_JOB = "test";
const errors = getWorkflowErrors({
on: ["push", "pull_request"],
jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
});
const errors = await getWorkflowErrors(
{
on: ["push", "pull_request"],
jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
},
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [WorkflowErrors.CheckoutWrongHead]));
});
test("getWorkflowErrors() produces an error for workflow with language name and its alias", async (t) => {
await testLanguageAliases(
t,
["java", "kotlin"],
{ java: ["java-kotlin", "kotlin"] },
[
"CodeQL language 'java' is referenced by more than one entry in the 'language' matrix " +
"parameter for job 'test'. This may result in duplicate alerts. Please edit the 'language' " +
"matrix parameter to keep only one of the following: 'java', 'kotlin'.",
],
);
});
test("getWorkflowErrors() produces an error for workflow with two aliases same language", async (t) => {
await testLanguageAliases(
t,
["java-kotlin", "kotlin"],
{ java: ["java-kotlin", "kotlin"] },
[
"CodeQL language 'java' is referenced by more than one entry in the 'language' matrix " +
"parameter for job 'test'. This may result in duplicate alerts. Please edit the 'language' " +
"matrix parameter to keep only one of the following: 'java-kotlin', 'kotlin'.",
],
);
});
test("getWorkflowErrors() does not produce an error for workflow with two distinct languages", async (t) => {
await testLanguageAliases(
t,
["java", "typescript"],
{
java: ["java-kotlin", "kotlin"],
javascript: ["javascript-typescript", "typescript"],
},
[],
);
});
test("getWorkflowErrors() does not produce an error if codeql doesn't support language aliases", async (t) => {
await testLanguageAliases(t, ["java-kotlin", "kotlin"], undefined, []);
});
async function testLanguageAliases(
t: ExecutionContext<unknown>,
matrixLanguages: string[],
aliases: { [languageName: string]: string[] } | undefined,
expectedErrorMessages: string[],
) {
process.env.GITHUB_JOB = "test";
const codeql = await getCodeQLForTesting();
sinon.stub(codeql, "betterResolveLanguages").resolves({
aliases:
aliases !== undefined
? // Remap from languageName -> aliases to alias -> languageName
Object.assign(
{},
...Object.entries(aliases).flatMap(([language, languageAliases]) =>
languageAliases.map((alias) => ({
[alias]: language,
})),
),
)
: undefined,
extractors: {
java: [
{
extractor_root: "",
},
],
},
});
const errors = await getWorkflowErrors(
{
on: ["push", "pull_request"],
jobs: {
test: {
strategy: {
matrix: {
language: matrixLanguages,
},
},
steps: [
{ uses: "actions/checkout@v2" },
{ uses: "github/codeql-action/init@v2" },
{ uses: "github/codeql-action/analyze@v2" },
],
},
},
} as Workflow,
codeql,
);
t.is(errors.length, expectedErrorMessages.length);
t.deepEqual(
errors.map((e) => e.message),
expectedErrorMessages,
);
}
test("formatWorkflowErrors() when there is one error", (t) => {
const message = formatWorkflowErrors([WorkflowErrors.CheckoutWrongHead]);
t.true(message.startsWith("1 issue was detected with this workflow:"));
@ -297,8 +467,8 @@ test("patternIsSuperset()", (t) => {
);
});
test("getWorkflowErrors() when branches contain dots", (t) => {
const errors = getWorkflowErrors(
test("getWorkflowErrors() when branches contain dots", async (t) => {
const errors = await getWorkflowErrors(
yaml.load(`
on:
push:
@ -307,13 +477,14 @@ test("getWorkflowErrors() when branches contain dots", (t) => {
# The branches below must be a subset of the branches above
branches: [4.1, master]
`) as Workflow,
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on.push has a trailing comma", (t) => {
const errors = getWorkflowErrors(
test("getWorkflowErrors() when on.push has a trailing comma", async (t) => {
const errors = await getWorkflowErrors(
yaml.load(`
name: "CodeQL"
on:
@ -323,15 +494,16 @@ test("getWorkflowErrors() when on.push has a trailing comma", (t) => {
# The branches below must be a subset of the branches above
branches: [master]
`) as Workflow,
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() should only report the current job's CheckoutWrongHead", (t) => {
test("getWorkflowErrors() should only report the current job's CheckoutWrongHead", async (t) => {
process.env.GITHUB_JOB = "test";
const errors = getWorkflowErrors(
const errors = await getWorkflowErrors(
yaml.load(`
name: "CodeQL"
on:
@ -352,15 +524,16 @@ test("getWorkflowErrors() should only report the current job's CheckoutWrongHead
test3:
steps: []
`) as Workflow,
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, [WorkflowErrors.CheckoutWrongHead]));
});
test("getWorkflowErrors() should not report a different job's CheckoutWrongHead", (t) => {
test("getWorkflowErrors() should not report a different job's CheckoutWrongHead", async (t) => {
process.env.GITHUB_JOB = "test3";
const errors = getWorkflowErrors(
const errors = await getWorkflowErrors(
yaml.load(`
name: "CodeQL"
on:
@ -381,29 +554,32 @@ test("getWorkflowErrors() should not report a different job's CheckoutWrongHead"
test3:
steps: []
`) as Workflow,
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on is missing", (t) => {
const errors = getWorkflowErrors(
test("getWorkflowErrors() when on is missing", async (t) => {
const errors = await getWorkflowErrors(
yaml.load(`
name: "CodeQL"
`) as Workflow,
await getCodeQLForTesting(),
);
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() with a different on setup", (t) => {
test("getWorkflowErrors() with a different on setup", async (t) => {
t.deepEqual(
...errorCodes(
getWorkflowErrors(
await getWorkflowErrors(
yaml.load(`
name: "CodeQL"
on: "workflow_dispatch"
`) as Workflow,
await getCodeQLForTesting(),
),
[],
),
@ -411,11 +587,12 @@ test("getWorkflowErrors() with a different on setup", (t) => {
t.deepEqual(
...errorCodes(
getWorkflowErrors(
await getWorkflowErrors(
yaml.load(`
name: "CodeQL"
on: [workflow_dispatch]
`) as Workflow,
await getCodeQLForTesting(),
),
[],
),
@ -423,28 +600,30 @@ test("getWorkflowErrors() with a different on setup", (t) => {
t.deepEqual(
...errorCodes(
getWorkflowErrors(
await getWorkflowErrors(
yaml.load(`
name: "CodeQL"
on:
workflow_dispatch: {}
`) as Workflow,
await getCodeQLForTesting(),
),
[],
),
);
});
test("getWorkflowErrors() should not report an error if PRs are totally unconfigured", (t) => {
test("getWorkflowErrors() should not report an error if PRs are totally unconfigured", async (t) => {
t.deepEqual(
...errorCodes(
getWorkflowErrors(
await getWorkflowErrors(
yaml.load(`
name: "CodeQL"
on:
push:
branches: [master]
`) as Workflow,
await getCodeQLForTesting(),
),
[],
),
@ -452,11 +631,12 @@ test("getWorkflowErrors() should not report an error if PRs are totally unconfig
t.deepEqual(
...errorCodes(
getWorkflowErrors(
await getWorkflowErrors(
yaml.load(`
name: "CodeQL"
on: ["push"]
`) as Workflow,
await getCodeQLForTesting(),
),
[],
),

69
src/workflow.ts
View file

@ -6,6 +6,7 @@ import * as core from "@actions/core";
import * as yaml from "js-yaml";
import * as api from "./api-client";
import { CodeQL } from "./codeql";
import { EnvVar } from "./environment";
import { Logger } from "./logging";
import { getRequiredEnvParam, isInTestMode } from "./util";
@ -21,6 +22,7 @@ interface WorkflowJob {
name?: string;
"runs-on"?: string;
steps?: WorkflowJobStep[];
strategy?: { matrix: { [key: string]: string[] } };
uses?: string;
}
@ -104,7 +106,37 @@ export const WorkflowErrors = toCodedErrors({
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
});
export function getWorkflowErrors(doc: Workflow): CodedError[] {
/**
* Groups the given list of CodeQL languages by their extractor name.
*
* Resolves to `undefined` if the CodeQL version does not support language aliasing.
*/
async function groupLanguagesByExtractor(
languages: string[],
codeql: CodeQL,
): Promise<{ [extractorName: string]: string[] } | undefined> {
const resolveResult = await codeql.betterResolveLanguages();
if (!resolveResult.aliases) {
return undefined;
}
const aliases = resolveResult.aliases;
const languagesByExtractor: {
[extractorName: string]: string[];
} = {};
for (const language of languages) {
const extractorName = aliases[language] || language;
if (!languagesByExtractor[extractorName]) {
languagesByExtractor[extractorName] = [];
}
languagesByExtractor[extractorName].push(language);
}
return languagesByExtractor;
}
export async function getWorkflowErrors(
doc: Workflow,
codeql: CodeQL,
): Promise<CodedError[]> {
const errors: CodedError[] = [];
const jobName = process.env.GITHUB_JOB;
@ -112,6 +144,38 @@ export function getWorkflowErrors(doc: Workflow): CodedError[] {
if (jobName) {
const job = doc?.jobs?.[jobName];
if (job?.strategy?.matrix?.language) {
const matrixLanguages = job.strategy.matrix.language;
if (Array.isArray(matrixLanguages)) {
// Map extractors to entries in the `language` matrix parameter. This will allow us to
// detect languages which are analyzed in more than one job.
const matrixLanguagesByExtractor = await groupLanguagesByExtractor(
matrixLanguages,
codeql,
);
// If the CodeQL version does not support language aliasing, then `matrixLanguagesByExtractor`
// will be `undefined`. In this case, we cannot detect duplicate languages in the matrix.
if (matrixLanguagesByExtractor !== undefined) {
// Check for duplicate languages in the matrix
for (const [extractor, languages] of Object.entries(
matrixLanguagesByExtractor,
)) {
if (languages.length > 1) {
errors.push({
message:
`CodeQL language '${extractor}' is referenced by more than one entry in the ` +
`'language' matrix parameter for job '${jobName}'. This may result in duplicate alerts. ` +
`Please edit the 'language' matrix parameter to keep only one of the following: ${languages
.map((language) => `'${language}'`)
.join(", ")}.`,
code: "DuplicateLanguageInMatrix",
});
}
}
}
}
}
const steps = job?.steps;
if (Array.isArray(steps)) {
@ -163,6 +227,7 @@ export function getWorkflowErrors(doc: Workflow): CodedError[] {
}
export async function validateWorkflow(
codeql: CodeQL,
logger: Logger,
): Promise<undefined | string> {
let workflow: Workflow;
@ -173,7 +238,7 @@ export async function validateWorkflow(
}
let workflowErrors: CodedError[];
try {
workflowErrors = getWorkflowErrors(workflow);
workflowErrors = await getWorkflowErrors(workflow, codeql);
} catch (e) {
return `error: getWorkflowErrors() failed: ${String(e)}`;
}