github/codeql-action
1
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2026-01-06 14:40:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/main' into mbg/ci/rollback-release

Browse Source
This commit is contained in:
Michael B. Gale
2025-08-29 15:22:49 +01:00
parent b06d325850 02ab253bd2
commit 9389ce0cc4
23861 changed files with 1135209 additions and 5266725 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.github/actions/prepare-mergeback-branch/action.yml vendored
View File

@@ -60,8 +60,8 @@ runs:
Please do the following:
- [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.
- [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.
- [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
- [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.
- [ ] Mark the PR as ready for review to trigger the full set of PR checks.
- [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
selected rather than "Squash and merge" or "Rebase and merge".
@@ -74,7 +74,7 @@ runs:
--head "${NEW_BRANCH}" \
--base "${BASE_BRANCH}" \
--title "${pr_title}" \
--label "Update dependencies" \
--label "Rebuild" \
--body "${pr_body}" \
--assignee "${GITHUB_ACTOR}" \
--draft

39
.github/actions/setup-swift/action.yml vendored
View File

@@ -1,39 +0,0 @@
name: "Set up Swift on Linux"
description: Sets up an appropriate Swift version on Linux.
inputs:
codeql-path:
description: Path to the CodeQL CLI executable.
required: true
runs:
using: "composite"
steps:
- name: Get Swift version
id: get_swift_version
if: runner.os == 'Linux'
shell: bash
env:
CODEQL_PATH: ${{ inputs.codeql-path }}
run: |
SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
if [ $SWIFT_EXTRACTOR_DIR = "null" ]; then
VERSION="null"
else
VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
# Specify 5.x.0, otherwise setup Action will default to latest minor version.
if [ $VERSION = "5.7" ]; then
VERSION="5.7.0"
elif [ $VERSION = "5.8" ]; then
VERSION="5.8.0"
elif [ $VERSION = "5.9" ]; then
VERSION="5.9.0"
# setup-swift does not yet support v5.9.1 Remove this when it does.
elif [ $VERSION = "5.9.1" ]; then
VERSION="5.9.0"
fi
fi
echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
- uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
with:
swift-version: "${{ steps.get_swift_version.outputs.version }}"

2
.github/dependabot.yml vendored
View File

@@ -5,7 +5,7 @@ updates:
schedule:
interval: weekly
labels:
- Update dependencies
- Rebuild
# Ignore incompatible dependency updates
ignore:
# There is a type incompatibility issue between v0.0.9 and our other dependencies.

8
.github/update-release-branch.py vendored
View File

@@ -97,8 +97,8 @@ def open_pr(
body.append(' - [ ] Ensure the docs team is aware of any documentation changes that need to be released.')
if not is_primary_release:
body.append(' - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.')
body.append(' - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.')
body.append(' - [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.')
body.append(' - [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.')
body.append(' - [ ] Mark the PR as ready for review to trigger the full set of PR checks.')
body.append(' - [ ] Approve and merge this PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.')
@@ -108,7 +108,7 @@ def open_pr(
body.append(' - [ ] Merge all backport PRs to older release branches, that will automatically be created once this PR is merged.')
title = f'Merge {source_branch} into {target_branch}'
labels = ['Update dependencies'] if not is_primary_release else []
labels = ['Rebuild'] if not is_primary_release else []
# Create the pull request
# PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft so that
@@ -389,7 +389,7 @@ def main():
# Migrate the package version number from a vLatest version number to a vOlder version number
print(f'Setting version number to {version} in package.json')
replace_version_package_json(get_current_version(), version) # We rely on the `Update dependencies` workflow to update package-lock.json
replace_version_package_json(get_current_version(), version) # We rely on the `Rebuild` workflow to update package-lock.json
run_git('add', 'package.json')
# Migrate the changelog notes from vLatest version numbers to vOlder version numbers

2
.github/workflows/__autobuild-direct-tracing-with-working-dir.yml generated vendored
View File

@@ -65,7 +65,7 @@ jobs:
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Java
uses: actions/setup-java@v4
uses: actions/setup-java@v5
with:
java-version: ${{ inputs.java-version || '17' }}
distribution: temurin

2
.github/workflows/__autobuild-direct-tracing.yml generated vendored
View File

@@ -65,7 +65,7 @@ jobs:
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Install Java
uses: actions/setup-java@v4
uses: actions/setup-java@v5
with:
java-version: ${{ inputs.java-version || '17' }}
distribution: temurin

7
.github/workflows/__config-input.yml generated vendored
View File

@@ -41,6 +41,13 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v5
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
cache: npm
- name: Install dependencies
run: npm ci
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test

4
.github/workflows/__export-file-baseline-information.yml generated vendored
View File

@@ -72,10 +72,6 @@ jobs:
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/actions/setup-swift
if: runner.os == 'macOS'
with:
codeql-path: ${{ steps.init.outputs.codeql-path }}
- name: Build code
shell: bash
run: ./build.sh

10
.github/workflows/__multi-language-autodetect.yml generated vendored
View File

@@ -93,6 +93,11 @@ jobs:
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Use Xcode 16
shell: bash
if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
run: sudo xcode-select -s "/Applications/Xcode_16.app"
- uses: ./../action/init
id: init
with:
@@ -101,11 +106,6 @@ jobs:
|| '' }}
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/actions/setup-swift
if: runner.os == 'macOS'
with:
codeql-path: ${{ steps.init.outputs.codeql-path }}
- name: Build code
shell: bash
run: ./build.sh

7
.github/workflows/__packaging-codescanning-config-inputs-js.yml generated vendored
View File

@@ -67,6 +67,13 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v5
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
cache: npm
- name: Install dependencies
run: npm ci
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test

7
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View File

@@ -67,6 +67,13 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v5
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
cache: npm
- name: Install dependencies
run: npm ci
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test

7
.github/workflows/__packaging-config-js.yml generated vendored
View File

@@ -67,6 +67,13 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v5
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
cache: npm
- name: Install dependencies
run: npm ci
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test

7
.github/workflows/__packaging-inputs-js.yml generated vendored
View File

@@ -67,6 +67,13 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v5
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
cache: npm
- name: Install dependencies
run: npm ci
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test

2
.github/workflows/__rubocop-multi-language.yml generated vendored
View File

@@ -49,7 +49,7 @@ jobs:
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Set up Ruby
uses: ruby/setup-ruby@829114fc20da43a41d27359103ec7a63020954d4 # v1.255.0
uses: ruby/setup-ruby@efbf473cab83af4468e8606cc33eca9281bb213f # v1.256.0
with:
ruby-version: 2.6
- name: Install Code Scanning integration

3
.github/workflows/__swift-autobuild.yml generated vendored
View File

@@ -54,9 +54,6 @@ jobs:
languages: swift
build-mode: autobuild
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd

7
.github/workflows/__swift-custom-build.yml generated vendored
View File

@@ -67,14 +67,15 @@ jobs:
with:
go-version: ${{ inputs.go-version || '>=1.21.0' }}
cache: false
- name: Use Xcode 16
shell: bash
if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
run: sudo xcode-select -s "/Applications/Xcode_16.app"
- uses: ./../action/init
id: init
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd

10
.github/workflows/codescanning-config-cli.yml vendored
View File

@@ -55,6 +55,16 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v5
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test

49
.github/workflows/expected-queries-runs.yml vendored
View File

@@ -1,49 +0,0 @@
name: Check queries that ran
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
expected-queries:
name: Expected Queries Tests
env:
CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45
runs-on: ubuntu-latest
permissions:
contents: read
security-events: read
steps:
- name: Check out repository
uses: actions/checkout@v5
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: linked
- uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
- name: Check Sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/incomplete-hostname-regexp,js/path-injection
queries-not-run: foo,bar

2
.github/workflows/post-release-mergeback.yml vendored
View File

@@ -3,7 +3,7 @@
# tag
# 2. Updates the `vN` tag to refer to this merge commit.
# 3. Iff vN == vLatest, merges any changes from the release back into the main branch.
# Typically, this is two commits one to update the version number and one to update dependencies.
# Typically, this is two commits one to update the version number and one to rebuild.
name: Tag release and merge back
on:

109
.github/workflows/pr-checks.yml vendored
View File

@@ -9,89 +9,58 @@ on:
workflow_dispatch:
jobs:
check-js:
name: Check JS
runs-on: ubuntu-latest
timeout-minutes: 45
permissions:
contents: read
security-events: write # needed to upload ESLint results
strategy:
fail-fast: false
steps:
- name: Checkout
uses: actions/checkout@v5
- name: Lint
id: lint
run: npm run-script lint-ci
- name: Upload sarif
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: eslint.sarif
category: eslint
- name: Check generated JS
run: .github/workflows/script/check-js.sh
check-node-modules:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check modules up to date
permissions:
contents: read
runs-on: macos-latest
timeout-minutes: 45
steps:
- uses: actions/checkout@v5
- name: Check node modules up to date
run: .github/workflows/script/check-node-modules.sh
check-file-contents:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check file contents
permissions:
contents: read
runs-on: ubuntu-latest
timeout-minutes: 45
steps:
- name: Checkout
uses: actions/checkout@v5
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: 3.11
# Ensure the generated PR check workflows are up to date.
- name: Verify PR checks up to date
run: .github/workflows/script/verify-pr-checks.sh
npm-test:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Unit Test
needs: [check-js, check-node-modules]
unit-tests:
name: Unit Tests
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
permissions:
contents: read
security-events: write # needed to upload ESLint results
runs-on: ${{ matrix.os }}
timeout-minutes: 45
steps:
- uses: actions/checkout@v5
- name: npm test
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20.x'
cache: 'npm'
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: 3.11
- name: Install dependencies
run: |
# Run any commands referenced in package.json using Bash, otherwise
# we won't be able to find them on Windows.
# Use the system Bash shell to ensure we can run commands like `npm ci`
# that are not available in the default shell on Windows.
npm config set script-shell bash
npm test
npm ci
- name: Verify compiled JS up to date
run: .github/workflows/script/check-js.sh
- name: Verify PR checks up to date
run: .github/workflows/script/verify-pr-checks.sh
- name: Run unit tests
run: npm test
- name: Lint
if: matrix.os != 'windows-latest'
run: npm run lint-ci
- name: Upload sarif
uses: github/codeql-action/upload-sarif@v3
if: matrix.os == 'ubuntu-latest'
with:
sarif_file: eslint.sarif
category: eslint
check-node-version:
if: github.event.pull_request

10
.github/workflows/query-filters.yml vendored
View File

@@ -25,6 +25,16 @@ jobs:
steps:
- name: Check out repository
uses: actions/checkout@v5
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 20.x
cache: npm
- name: Install dependencies
run: npm ci
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test

2
.github/workflows/rebuild.yml vendored
View File

@@ -63,7 +63,7 @@ jobs:
- name: Compile TypeScript
run: |
npm install
npm ci
npm run lint -- --fix
npm run build

20
.github/workflows/script/check-node-modules.sh vendored
View File

@@ -1,20 +0,0 @@
#!/bin/bash
set -eu
# Sanity check that repo is clean to start with
if [ ! -z "$(git status --porcelain)" ]; then
# If we get a fail here then this workflow needs attention...
>&2 echo "Failed: Repo should be clean before testing!"
exit 1
fi
"$(dirname "$0")/update-node-modules.sh" check-only
# Check that repo is still clean
if [ ! -z "$(git status --porcelain)" ]; then
# If we get a fail here then the PR needs attention
>&2 echo "Failed: node_modules are not up to date. Add the 'Update dependencies' label to your PR to update them. Note it is important that node modules are updated on macOS and not any other operating system as there is one dependency (fsevents) that is needed for macOS and may not be installed if dependencies are updated on a Windows or Linux machine."
git status
exit 1
fi
echo "Success: node_modules are up to date"

21
.github/workflows/script/update-node-modules.sh vendored
View File

@@ -1,21 +0,0 @@
#!/bin/bash
set -eu
if [ "$1" != "update" ] && [ "$1" != "check-only" ]; then
>&2 echo "Failed: Invalid argument. Must be 'update' or 'check-only'"
exit 1
fi
npm install --force -g npm@9.2.0
# clean the npm cache to ensure we don't have any files owned by root
sudo npm cache clean --force
if [ "$1" = "update" ]; then
npm install
fi
# Reinstall modules and then clean to remove absolute paths
# Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
npm ci
npm run removeNPMAbsolutePaths

45
.github/workflows/update-dependencies.yml vendored
View File

@@ -1,45 +0,0 @@
name: Update dependencies
on:
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review, labeled]
jobs:
update:
name: Update dependencies
timeout-minutes: 45
runs-on: macos-latest
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
permissions:
contents: write # needed to push the updated dependencies
pull-requests: write # needed to comment on the PR
steps:
- name: Checkout repository
uses: actions/checkout@v5
- name: Remove PR label
env:
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
REPOSITORY: '${{ github.repository }}'
PR_NUMBER: '${{ github.event.pull_request.number }}'
run: |
gh api "repos/$REPOSITORY/issues/$PR_NUMBER/labels/Update%20dependencies" -X DELETE
- name: Push updated dependencies
env:
BRANCH: '${{ github.head_ref }}'
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
run: |
git fetch origin "$BRANCH" --depth=1
git checkout "origin/$BRANCH"
.github/workflows/script/update-node-modules.sh update
if [ ! -z "$(git status --porcelain)" ]; then
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
git add node_modules
git commit -am "Update checked-in dependencies"
git push origin "HEAD:$BRANCH"
echo "Pushed a commit to update the checked-in dependencies." \
"Please mark the PR as ready for review to trigger PR checks." |
gh pr comment --body-file - --repo github/codeql-action "${{ github.event.pull_request.number }}"
gh pr ready --undo --repo github/codeql-action "${{ github.event.pull_request.number }}"
fi