github/codeql-action
1
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2026-01-04 21:50:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into redsun82/rust-test

Browse Source
This commit is contained in:
Paolo Tranquilli
2025-08-11 17:01:23 +02:00
parent bf1dd6901d c6dcdfa33a
commit 9f966bbbf5
57 changed files with 1123 additions and 796 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.github/pull_request_template.md vendored
View File

@@ -1,5 +1,14 @@
### Risk assessment
For internal use only. Please select the risk level of this change:
- **Low risk:** Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.
- **High risk:** Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.
### Merge / deployment checklist
- [ ] Confirm this change is backwards compatible with existing workflows.
- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) has been updated if necessary.
- [ ] Confirm the [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) has been updated if necessary.
- Confirm this change is backwards compatible with existing workflows.
- Consider adding a [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) entry for this change.
- Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) and docs have been updated if necessary.

7
.github/workflows/__extract-direct-to-toolcache.yml → .github/workflows/__bundle-toolcache.yml generated vendored
View File

@@ -3,7 +3,7 @@
# pr-checks/sync.sh
# to regenerate this file.
name: PR Check - Extract directly to toolcache
name: 'PR Check - Bundle: Caching checks'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
@@ -22,7 +22,7 @@ on:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
extract-direct-to-toolcache:
bundle-toolcache:
strategy:
fail-fast: false
matrix:
@@ -33,7 +33,7 @@ jobs:
version: linked
- os: windows-latest
version: linked
name: Extract directly to toolcache
name: 'Bundle: Caching checks'
permissions:
contents: read
security-events: read
@@ -92,5 +92,4 @@ jobs:
throw new Error('Multiple CodeQL versions found in toolcache');
}
env:
CODEQL_ACTION_EXTRACT_TOOLCACHE: true
CODEQL_ACTION_TEST_MODE: true

7
.github/workflows/__zstd-bundle.yml → .github/workflows/__bundle-zstd.yml generated vendored
View File

@@ -3,7 +3,7 @@
# pr-checks/sync.sh
# to regenerate this file.
name: PR Check - Zstandard bundle
name: 'PR Check - Bundle: Zstandard checks'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
@@ -22,7 +22,7 @@ on:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
zstd-bundle:
bundle-zstd:
strategy:
fail-fast: false
matrix:
@@ -33,7 +33,7 @@ jobs:
version: linked
- os: windows-latest
version: linked
name: Zstandard bundle
name: 'Bundle: Zstandard checks'
permissions:
contents: read
security-events: read
@@ -109,5 +109,4 @@ jobs:
);
}
env:
CODEQL_ACTION_ZSTD_BUNDLE: true
CODEQL_ACTION_TEST_MODE: true

69
.github/workflows/__overlay-init-fallback.yml generated vendored Normal file
View File

@@ -0,0 +1,69 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# pr-checks/sync.sh
# to regenerate this file.
name: PR Check - Overlay database init fallback
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
overlay-init-fallback:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
name: Overlay database init fallback
permissions:
contents: read
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
languages: actions # Any language without overlay support will do
tools: ${{ steps.prepare-test.outputs.tools-url }}
env:
CODEQL_OVERLAY_DATABASE_MODE: overlay-base
- uses: ./../action/analyze
id: analysis
with:
upload-database: false
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases/actions"
if ! grep -q 'overlayBaseDatabase: false' codeql-database.yml ; then
echo "This test needs to be updated to use a non-overlay language."
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

110
.github/workflows/__zstd-bundle-streaming.yml generated vendored
View File

@@ -1,110 +0,0 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# pr-checks/sync.sh
# to regenerate this file.
name: PR Check - Zstandard bundle (streaming)
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
zstd-bundle-streaming:
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
version: linked
- os: ubuntu-latest
version: linked
name: Zstandard bundle (streaming)
permissions:
contents: read
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Remove CodeQL from toolcache
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const path = require('path');
const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
if (codeqlPath !== undefined) {
fs.rmdirSync(codeqlPath, { recursive: true });
}
- id: init
uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Upload SARIF
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.os }}-zstd-bundle.sarif
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check diagnostic with expected tools URL appears in SARIF
uses: actions/github-script@v7
env:
SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
with:
script: |
const fs = require('fs');
const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
const run = sarif.runs[0];
const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
n.descriptor.id === 'codeql-action/bundle-download-telemetry'
);
if (downloadTelemetryNotifications.length !== 1) {
core.setFailed(
'Expected exactly one reporting descriptor in the ' +
`'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
`${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
`${JSON.stringify(toolExecutionNotifications)}.`
);
}
const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
console.log(`Found tools URL: ${toolsUrl}`);
if (!toolsUrl.endsWith('.tar.zst')) {
core.setFailed(
`Expected the tools URL to be a .tar.zst file, but found ${toolsUrl}.`
);
}
env:
CODEQL_ACTION_ZSTD_BUNDLE: true
CODEQL_ACTION_ZSTD_BUNDLE_STREAMING_EXTRACTION: true
CODEQL_ACTION_TEST_MODE: true