github/codeql-action
1
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2025-12-28 02:00:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into go/1.24

Browse Source
This commit is contained in:
Owen Mansel-Chan
2025-02-11 22:38:14 +00:00
committed by GitHub
parent 683c0f5360 6063925771
commit a963b41ebd
2584 changed files with 146132 additions and 74525 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.github/codeql/codeql-actions-config.yml vendored Normal file
View File

@@ -0,0 +1,4 @@
# Configuration for the CodeQL Actions Queries
name: "CodeQL Actions Queries config"
queries:
- uses: security-and-quality

2
.github/releases.ini vendored
View File

@@ -1 +1 @@
OLDEST_SUPPORTED_MAJOR_VERSION=2
OLDEST_SUPPORTED_MAJOR_VERSION=3

7
.github/workflows/__all-platform-bundle.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: All-platform bundle
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__analyze-ref-input.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: "Analyze: 'ref' and 'sha' from inputs"
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__autobuild-action.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: autobuild-action
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__autobuild-direct-tracing-with-working-dir.yml generated vendored
View File

@@ -38,15 +38,10 @@ jobs:
name: Autobuild direct tracing (custom working directory)
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__autobuild-direct-tracing.yml generated vendored
View File

@@ -38,15 +38,10 @@ jobs:
name: Autobuild direct tracing
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__build-mode-autobuild.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Build mode autobuild
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__build-mode-manual.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Build mode manual
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__build-mode-none.yml generated vendored
View File

@@ -34,15 +34,10 @@ jobs:
name: Build mode none
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__build-mode-rollback.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Build mode rollback
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__cleanup-db-cluster-dir.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Clean up database cluster directory
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__config-export.yml generated vendored
View File

@@ -42,15 +42,10 @@ jobs:
name: Config export
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__config-input.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Config input
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__cpp-deptrace-disabled.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: 'C/C++: disabling autoinstalling dependencies (Linux)'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__cpp-deptrace-enabled-on-macos.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__cpp-deptrace-enabled.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: 'C/C++: autoinstalling dependencies (Linux)'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__diagnostics-export.yml generated vendored
View File

@@ -42,15 +42,10 @@ jobs:
name: Diagnostic export
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__export-file-baseline-information.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: Export file baseline information
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__extract-direct-to-toolcache.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: Extract directly to toolcache
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__extractor-ram-threads.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Extractor ram and threads options test
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__go-custom-queries.yml generated vendored
View File

@@ -34,15 +34,10 @@ jobs:
name: 'Go: Custom queries'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: 'Go: diagnostic when Go is changed after init step'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: 'Go: diagnostic when `file` is not installed'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__go-indirect-tracing-workaround.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: 'Go: workaround for indirect tracing'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__go-tracing-autobuilder.yml generated vendored
View File

@@ -62,15 +62,10 @@ jobs:
name: 'Go: tracing with autobuilder step'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__go-tracing-custom-build-steps.yml generated vendored
View File

@@ -62,15 +62,10 @@ jobs:
name: 'Go: tracing with custom build steps'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__go-tracing-legacy-workflow.yml generated vendored
View File

@@ -62,15 +62,10 @@ jobs:
name: 'Go: tracing with legacy workflow'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

5
.github/workflows/__init-with-registries.yml generated vendored
View File

@@ -53,11 +53,6 @@ jobs:
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__javascript-source-root.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: Custom source root
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__job-run-uuid-sarif.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Job run UUID added to SARIF
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__language-aliases.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Language aliases
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__multi-language-autodetect.yml generated vendored
View File

@@ -62,15 +62,10 @@ jobs:
name: Multi-language repository
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__packaging-codescanning-config-inputs-js.yml generated vendored
View File

@@ -48,15 +48,10 @@ jobs:
name: 'Packaging: Config and input passed to the CLI'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View File

@@ -48,15 +48,10 @@ jobs:
name: 'Packaging: Config and input'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__packaging-config-js.yml generated vendored
View File

@@ -48,15 +48,10 @@ jobs:
name: 'Packaging: Config file'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__packaging-inputs-js.yml generated vendored
View File

@@ -48,15 +48,10 @@ jobs:
name: 'Packaging: Action input'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__remote-config.yml generated vendored
View File

@@ -34,15 +34,10 @@ jobs:
name: Remote config file
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__resolve-environment-action.yml generated vendored
View File

@@ -48,15 +48,10 @@ jobs:
name: Resolve environment
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

9
.github/workflows/__rubocop-multi-language.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: RuboCop multi-language
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
@@ -51,7 +46,7 @@ jobs:
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Set up Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@d781c1b4ed31764801bfae177617bb0446f5ef8d # v1.218.0
with:
ruby-version: 2.6
- name: Install Code Scanning integration

7
.github/workflows/__ruby.yml generated vendored
View File

@@ -42,15 +42,10 @@ jobs:
name: Ruby analysis
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__split-workflow.yml generated vendored
View File

@@ -42,15 +42,10 @@ jobs:
name: Split workflow
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__start-proxy.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: Start proxy
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

8
.github/workflows/__submit-sarif-failure.yml generated vendored
View File

@@ -36,15 +36,11 @@ jobs:
name: Submit SARIF after failure
permissions:
contents: read
security-events: write
security-events: write # needed to upload the SARIF file
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__swift-autobuild.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Swift analysis using autobuild
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__swift-custom-build.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: Swift analysis using a custom build command
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__test-autobuild-working-dir.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Autobuild working directory
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__test-local-codeql.yml generated vendored
View File

@@ -32,15 +32,10 @@ jobs:
name: Local CodeQL bundle
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__test-proxy.yml generated vendored
View File

@@ -34,7 +34,7 @@ jobs:
name: Proxy test
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
@@ -50,11 +50,6 @@ jobs:
apt-add-repository https://cli.github.com/packages
apt install -y gh
env: {}
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__unset-environment.yml generated vendored
View File

@@ -34,15 +34,10 @@ jobs:
name: Test unsetting environment variables
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__upload-ref-sha-input.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: "Upload-sarif: 'ref' and 'sha' from inputs"
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__with-checkout-path.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: Use a custom `checkout_path`
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__zstd-bundle-streaming.yml generated vendored
View File

@@ -34,15 +34,10 @@ jobs:
name: Zstandard bundle (streaming)
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

7
.github/workflows/__zstd-bundle.yml generated vendored
View File

@@ -36,15 +36,10 @@ jobs:
name: Zstandard bundle
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test

3
.github/workflows/check-expected-release-files.yml vendored
View File

@@ -13,6 +13,9 @@ jobs:
check-expected-release-files:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout CodeQL Action
uses: actions/checkout@v4

29
.github/workflows/codeql.yml vendored
View File

@@ -24,7 +24,7 @@ jobs:
versions: ${{ steps.compare.outputs.versions }}
permissions:
security-events: write
contents: read
steps:
- uses: actions/checkout@v4
@@ -70,7 +70,7 @@ jobs:
echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT
build:
analyze-javascript:
needs: [check-codeql-versions]
strategy:
fail-fast: false
@@ -80,6 +80,7 @@ jobs:
runs-on: ${{ matrix.os }}
permissions:
contents: read
security-events: write
steps:
@@ -99,3 +100,27 @@ jobs:
uses: ./analyze
with:
category: "/language:javascript"
analyze-actions:
runs-on: ubuntu-latest
strategy:
fail-fast: false
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: ./init
with:
languages: actions
config-file: ./.github/codeql/codeql-actions-config.yml
- name: Perform CodeQL Analysis
uses: ./analyze
with:
category: "/language:actions"

5
.github/workflows/codescanning-config-cli.yml vendored
View File

@@ -23,6 +23,11 @@ jobs:
code-scanning-config-tests:
continue-on-error: true
permissions:
contents: read
packages: read
security-events: read
strategy:
fail-fast: false
matrix:

49
.github/workflows/debug-artifacts-failure.yml → .github/workflows/debug-artifacts-failure-safe.yml vendored
View File

@@ -19,10 +19,20 @@ on:
workflow_dispatch: {}
jobs:
upload-artifacts:
strategy:
fail-fast: false
matrix:
version:
- stable-v2.20.3
- default
- linked
- nightly-latest
name: Upload debug artifacts after failure in analyze
continue-on-error: true
env:
CODEQL_ACTION_TEST_MODE: true
permissions:
contents: read
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
@@ -34,7 +44,7 @@ jobs:
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: linked
version: ${{ matrix.version }}
- uses: actions/setup-go@v5
with:
go-version: ^1.13.1
@@ -58,6 +68,8 @@ jobs:
name: Download and check debug artifacts after failure in analyze
needs: upload-artifacts
timeout-minutes: 45
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Download all artifacts
@@ -66,22 +78,25 @@ jobs:
shell: bash
run: |
LANGUAGES="cpp csharp go java javascript python"
cd "./my-debug-artifacts"
echo "Artifacts from run:"
for language in $LANGUAGES; do
echo "- Checking $language"
if [[ ! -f "my-db-$language-partial.zip" ]] ; then
echo "Missing a partial database bundle for $language"
exit 1
fi
if [[ ! -d "log" ]] ; then
echo "Missing database initialization logs"
exit 1
fi
if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
echo "Missing logs for $language"
exit 1
fi
for version in $VERSIONS; do
echo "Artifacts from version $version:"
pushd "./my-debug-artifacts-${version//./}"
for language in $LANGUAGES; do
echo "- Checking $language"
if [[ ! -f "my-db-$language-partial.zip" ]] ; then
echo "Missing a partial database bundle for $language"
exit 1
fi
if [[ ! -d "log" ]] ; then
echo "Missing database initialization logs"
exit 1
fi
if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
echo "Missing logs for $language"
exit 1
fi
done
popd
done
env:
GO111MODULE: auto

12
.github/workflows/debug-artifacts.yml → .github/workflows/debug-artifacts-safe.yml vendored
View File

@@ -22,11 +22,7 @@ jobs:
fail-fast: false
matrix:
version:
- stable-v2.15.5
- stable-v2.16.6
- stable-v2.17.6
- stable-v2.18.4
- stable-v2.19.4
- stable-v2.20.3
- default
- linked
- nightly-latest
@@ -34,6 +30,8 @@ jobs:
env:
CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Check out repository
@@ -64,6 +62,8 @@ jobs:
name: Download and check debug artifacts
needs: upload-artifacts
timeout-minutes: 45
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Download all artifacts
@@ -71,7 +71,7 @@ jobs:
- name: Check expected artifacts exist
shell: bash
run: |
VERSIONS="stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 stable-v2.19.4 default linked nightly-latest"
VERSIONS="stable-v2.20.3 default linked nightly-latest"
LANGUAGES="cpp csharp go java javascript python"
for version in $VERSIONS; do
pushd "./my-debug-artifacts-${version//./}"

2
.github/workflows/expected-queries-runs.yml vendored
View File

@@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
security-events: read
steps:
- name: Check out repository
uses: actions/checkout@v4

6
.github/workflows/post-release-mergeback.yml vendored
View File

@@ -27,6 +27,10 @@ jobs:
BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
permissions:
contents: write # needed to create tags and push commits
pull-requests: write
steps:
- name: Dump environment
run: env
@@ -164,7 +168,7 @@ jobs:
--draft
- name: Generate token
uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69
uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7
id: app-token
with:
app-id: ${{ vars.AUTOMATION_APP_ID }}

37
.github/workflows/pr-checks.yml vendored
View File

@@ -15,12 +15,10 @@ jobs:
timeout-minutes: 45
permissions:
contents: read
security-events: write
security-events: write # needed to upload ESLint results
strategy:
fail-fast: false
matrix:
node-types-version: [16.11, current] # run tests on 16.11 while CodeQL Action v2 is still supported
steps:
- name: Checkout
@@ -32,40 +30,18 @@ jobs:
- name: Upload sarif
uses: github/codeql-action/upload-sarif@v3
# Only upload SARIF for the latest version of Node.js
if: "!cancelled() && matrix.node-types-version == 'current' && !startsWith(github.head_ref, 'dependabot/')"
with:
sarif_file: eslint.sarif
category: eslint
- name: Update version of @types/node
if: matrix.node-types-version != 'current'
env:
NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
run: |
# Export `NODE_TYPES_VERSION` so it's available to jq
export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
echo "${contents}" > package.json
# Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
# However we're not checking in the updated lockfile here, so it's fine to run
# `npm install` on Linux.
npm install
if [ ! -z "$(git status --porcelain)" ]; then
git config --global user.email "github-actions@github.com"
git config --global user.name "github-actions[bot]"
# The period in `git add --all .` ensures that we stage deleted files too.
git add --all .
git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
fi
- name: Check generated JS
run: .github/workflows/script/check-js.sh
check-node-modules:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check modules up to date
permissions:
contents: read
runs-on: macos-latest
timeout-minutes: 45
@@ -77,6 +53,8 @@ jobs:
check-file-contents:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check file contents
permissions:
contents: read
runs-on: ubuntu-latest
timeout-minutes: 45
@@ -107,6 +85,8 @@ jobs:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
permissions:
contents: read
runs-on: ${{ matrix.os }}
timeout-minutes: 45
@@ -127,6 +107,9 @@ jobs:
env:
BASE_REF: ${{ github.base_ref }}
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- id: head-version

2
.github/workflows/python312-windows.yml vendored
View File

@@ -17,6 +17,8 @@ jobs:
env:
CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45
permissions:
contents: read
runs-on: windows-latest
steps:

2
.github/workflows/query-filters.yml vendored
View File

@@ -20,6 +20,8 @@ jobs:
name: Query Filters Tests
timeout-minutes: 45
runs-on: ubuntu-latest
permissions:
contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
steps:
- name: Check out repository
uses: actions/checkout@v4

3
.github/workflows/rebuild.yml vendored
View File

@@ -11,6 +11,9 @@ jobs:
runs-on: ubuntu-latest
if: github.event.label.name == 'Rebuild'
permissions:
contents: write # needed to push rebuilt commit
pull-requests: write # needed to comment on the PR
steps:
- name: Checkout
uses: actions/checkout@v4

2
.github/workflows/test-codeql-bundle-all.yml vendored
View File

@@ -27,7 +27,7 @@ jobs:
name: 'CodeQL Bundle All'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

3
.github/workflows/update-bundle.yml vendored
View File

@@ -17,6 +17,9 @@ jobs:
update-bundle:
if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
runs-on: ubuntu-latest
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull requests
steps:
- name: Dump environment
run: env

3
.github/workflows/update-dependencies.yml vendored
View File

@@ -9,6 +9,9 @@ jobs:
timeout-minutes: 45
runs-on: macos-latest
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
permissions:
contents: write # needed to push the updated dependencies
pull-requests: write # needed to comment on the PR
steps:
- name: Checkout repository
uses: actions/checkout@v4

10
.github/workflows/update-release-branch.yml vendored
View File

@@ -22,6 +22,8 @@ jobs:
latest_tag: ${{ steps.versions.outputs.latest_tag }}
backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
permissions:
contents: read
steps:
- uses: actions/checkout@v4
with:
@@ -63,6 +65,9 @@ jobs:
REPOSITORY: "${{ github.repository }}"
MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull request
steps:
- uses: actions/checkout@v4
with:
@@ -114,9 +119,12 @@ jobs:
env:
SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
TARGET_BRANCH: ${{ matrix.target_branch }}
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull request
steps:
- name: Generate token
uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69
uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7
id: app-token
with:
app-id: ${{ vars.AUTOMATION_APP_ID }}

9
.github/workflows/update-supported-enterprise-server-versions.yml vendored
View File

@@ -10,20 +10,23 @@ jobs:
name: Update Supported Enterprise Server Versions
timeout-minutes: 45
runs-on: ubuntu-latest
if: ${{ github.repository == 'github/codeql-action' }}
if: github.repository == 'github/codeql-action'
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull request
steps:
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.7"
python-version: "3.13"
- name: Checkout CodeQL Action
uses: actions/checkout@v4
- name: Checkout Enterprise Releases
uses: actions/checkout@v4
with:
repository: github/enterprise-releases
ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
path: ${{ github.workspace }}/enterprise-releases/
- name: Update Supported Enterprise Server Versions
run: |