Merge branch 'main' into henrymercer/enable-features-on-ghes

.github/workflows/rebuild.yml

@@ -0,0 +1,58 @@
+name: Rebuild Action
+
+on:
+  pull_request:
+    types: [labeled]
+
+jobs:
+  rebuild:
+    name: Rebuild Action
+    runs-on: ubuntu-latest
+    if: github.event.label.name == 'Rebuild'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Remove label
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          gh pr edit --repo github/codeql-action "$PR_NUMBER" \
+            --remove-label "Rebuild"
+
+      - name: Compile TypeScript
+        run: |
+          npm install
+          npm run lint -- --fix
+          npm run build
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.11
+
+      - name: Generate workflows
+        run: |
+          cd pr-checks
+          python -m pip install --upgrade pip
+          pip install ruamel.yaml==0.17.31
+          python3 sync.py
+
+      - name: Check for changes and push
+        env:
+          BRANCH: ${{ github.event.pull_request.head.ref }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git config --global user.name "github-actions[bot]"
+            git commit -am "Rebuild"
+            git push origin "HEAD:$BRANCH"
+            echo "Pushed a commit to rebuild the Action." \
+              "Please mark the PR as ready for review to trigger PR checks." |
+              gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
+            gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
+          fi

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+repos:
+  - repo: local
+    hooks:
+      - id: compile-ts
+        name: Compile typescript
+        files: \.[tj]s$
+        language: system
+        entry: npm run build
+        pass_filenames: false
+      - id: lint-ts
+        name: Lint typescript code
+        files: \.ts$
+        language: system
+        entry: npm run lint -- --fix
+      - id: pr-checks-sync
+        name: Synchronize PR check workflows
+        files: ^.github/workflows/__.*\.yml$|^pr-checks
+        language: system
+        entry: python3 pr-checks/sync.py
+        pass_filenames: false

lib/codeql.js

@@ -484,10 +484,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             if (querySuitePath) {
                 codeqlArgs.push(querySuitePath);
             }
-            if (await features.getValue(feature_flags_1.Feature.EvaluatorIntraLayerParallelismEnabled, this)) {
+            if (await features.getValue(feature_flags_1.Feature.EvaluatorFineGrainedParallelismEnabled, this)) {
                 codeqlArgs.push("--intra-layer-parallelism");
             }
-            else if (await util.codeQlVersionAbove(this, feature_flags_1.CODEQL_VERSION_INTRA_LAYER_PARALLELISM)) {
+            else if (await util.codeQlVersionAbove(this, feature_flags_1.CODEQL_VERSION_FINE_GRAINED_PARALLELISM)) {
                 codeqlArgs.push("--no-intra-layer-parallelism");
             }
             await runTool(cmd, codeqlArgs);

lib/feature-flags.js

@@ -37,10 +37,10 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
  */
 exports.CODEQL_VERSION_BUNDLE_SEMANTICALLY_VERSIONED = "2.13.4";
 /**
- * Versions 2.14.0+ of the CodeQL CLI support intra-layer parallelism (aka fine-grained parallelism) options, but we
- * limit to 2.14.6 onwards, since that's the version that has mitigations against OOM failures.
+ * Evaluator fine-grained parallelism (aka intra-layer parallelism) is only safe to enable in 2.15.1 onwards.
+ * (Some earlier versions recognize the command-line flag, but they contain a bug which makes it unsafe to use).
  */
-exports.CODEQL_VERSION_INTRA_LAYER_PARALLELISM = "2.14.6";
+exports.CODEQL_VERSION_FINE_GRAINED_PARALLELISM = "2.15.1";
 /**
  * Feature enablement as returned by the GitHub API endpoint.
  *
@@ -53,7 +53,7 @@ var Feature;
     Feature["CppDependencyInstallation"] = "cpp_dependency_installation_enabled";
     Feature["DisableKotlinAnalysisEnabled"] = "disable_kotlin_analysis_enabled";
     Feature["DisablePythonDependencyInstallationEnabled"] = "disable_python_dependency_installation_enabled";
-    Feature["EvaluatorIntraLayerParallelismEnabled"] = "evaluator_intra_layer_parallelism_enabled";
+    Feature["EvaluatorFineGrainedParallelismEnabled"] = "evaluator_fine_grained_parallelism_enabled";
     Feature["ExportDiagnosticsEnabled"] = "export_diagnostics_enabled";
     Feature["QaTelemetryEnabled"] = "qa_telemetry_enabled";
 })(Feature || (exports.Feature = Feature = {}));
@@ -78,9 +78,9 @@ exports.featureConfig = {
         minimumVersion: "2.11.6",
         defaultValue: true,
     },
-    [Feature.EvaluatorIntraLayerParallelismEnabled]: {
-        envVar: "CODEQL_EVALUATOR_INTRA_LAYER_PARALLELISM",
-        minimumVersion: exports.CODEQL_VERSION_INTRA_LAYER_PARALLELISM,
+    [Feature.EvaluatorFineGrainedParallelismEnabled]: {
+        envVar: "CODEQL_EVALUATOR_FINE_GRAINED_PARALLELISM",
+        minimumVersion: exports.CODEQL_VERSION_FINE_GRAINED_PARALLELISM,
         defaultValue: false,
     },
     [Feature.ExportDiagnosticsEnabled]: {

pr-checks/sync.py

@@ -1,6 +1,8 @@
+#!/usr/bin/env python
+
 import ruamel.yaml
 from ruamel.yaml.scalarstring import FoldedScalarString
-import os
+import pathlib
 import textwrap
 
 # The default set of CodeQL Bundle versions to use for the PR checks.
@@ -47,9 +49,11 @@ def writeHeader(checkStream):
 yaml = ruamel.yaml.YAML()
 yaml.Representer = NonAliasingRTRepresenter
 
+this_dir = pathlib.Path(__file__).resolve().parent
+
 allJobs = {}
-for file in os.listdir('checks'):
-    with open(f"checks/{file}", 'r') as checkStream:
+for file in (this_dir / 'checks').glob('*.yml'):
+    with open(file, 'r') as checkStream:
         checkSpecification = yaml.load(checkStream)
 
     matrix = []
@@ -126,9 +130,9 @@ for file in os.listdir('checks'):
     checkJob['env'] = checkJob.get('env', {})
     if 'CODEQL_ACTION_TEST_MODE' not in checkJob['env']:
         checkJob['env']['CODEQL_ACTION_TEST_MODE'] = True
-    checkName = file[:len(file) - 4]
+    checkName = file.stem
 
-    with open(f"../.github/workflows/__{checkName}.yml", 'w') as output_stream:
+    with open(this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml", 'w') as output_stream:
         writeHeader(output_stream)
         yaml.dump({
             'name': f"PR Check - {checkSpecification['name']}",

src/codeql.ts

@@ -15,7 +15,7 @@ import * as api from "./api-client";
 import type { Config } from "./config-utils";
 import { EnvVar } from "./environment";
 import {
-  CODEQL_VERSION_INTRA_LAYER_PARALLELISM,
+  CODEQL_VERSION_FINE_GRAINED_PARALLELISM,
   CodeQLDefaultVersionInfo,
   Feature,
   FeatureEnablement,
@@ -858,7 +858,7 @@ export async function getCodeQLForCmd(
       }
       if (
         await features.getValue(
-          Feature.EvaluatorIntraLayerParallelismEnabled,
+          Feature.EvaluatorFineGrainedParallelismEnabled,
           this,
         )
       ) {
@@ -866,7 +866,7 @@ export async function getCodeQLForCmd(
       } else if (
         await util.codeQlVersionAbove(
           this,
-          CODEQL_VERSION_INTRA_LAYER_PARALLELISM,
+          CODEQL_VERSION_FINE_GRAINED_PARALLELISM,
         )
       ) {
         codeqlArgs.push("--no-intra-layer-parallelism");

src/feature-flags.ts

@@ -19,10 +19,10 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 export const CODEQL_VERSION_BUNDLE_SEMANTICALLY_VERSIONED = "2.13.4";
 
 /**
- * Versions 2.14.0+ of the CodeQL CLI support intra-layer parallelism (aka fine-grained parallelism) options, but we
- * limit to 2.14.6 onwards, since that's the version that has mitigations against OOM failures.
+ * Evaluator fine-grained parallelism (aka intra-layer parallelism) is only safe to enable in 2.15.1 onwards.
+ * (Some earlier versions recognize the command-line flag, but they contain a bug which makes it unsafe to use).
  */
-export const CODEQL_VERSION_INTRA_LAYER_PARALLELISM = "2.14.6";
+export const CODEQL_VERSION_FINE_GRAINED_PARALLELISM = "2.15.1";
 
 export interface CodeQLDefaultVersionInfo {
   cliVersion: string;
@@ -49,7 +49,7 @@ export enum Feature {
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
   DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
   DisablePythonDependencyInstallationEnabled = "disable_python_dependency_installation_enabled",
-  EvaluatorIntraLayerParallelismEnabled = "evaluator_intra_layer_parallelism_enabled",
+  EvaluatorFineGrainedParallelismEnabled = "evaluator_fine_grained_parallelism_enabled",
   ExportDiagnosticsEnabled = "export_diagnostics_enabled",
   QaTelemetryEnabled = "qa_telemetry_enabled",
 }
@@ -78,9 +78,9 @@ export const featureConfig: Record<
     minimumVersion: "2.11.6",
     defaultValue: true,
   },
-  [Feature.EvaluatorIntraLayerParallelismEnabled]: {
-    envVar: "CODEQL_EVALUATOR_INTRA_LAYER_PARALLELISM",
-    minimumVersion: CODEQL_VERSION_INTRA_LAYER_PARALLELISM,
+  [Feature.EvaluatorFineGrainedParallelismEnabled]: {
+    envVar: "CODEQL_EVALUATOR_FINE_GRAINED_PARALLELISM",
+    minimumVersion: CODEQL_VERSION_FINE_GRAINED_PARALLELISM,
     defaultValue: false,
   },
   [Feature.ExportDiagnosticsEnabled]: {