diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 82313bc87..8953919b9 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -20,18 +20,14 @@ updates: patterns: - "*" - package-ecosystem: github-actions - directory: "/" + directories: + - "/.github/workflows" + - "/.github/actions" schedule: interval: weekly + labels: + - Rebuild groups: actions: patterns: - "*" - - package-ecosystem: github-actions - directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included. - schedule: - interval: weekly - groups: - actions-setup-swift: - patterns: - - "*" diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index 40d6d81c9..89138c523 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml @@ -48,7 +48,12 @@ jobs: include: - os: ubuntu-latest version: nightly-latest + - os: macos-latest + version: nightly-latest + - os: windows-latest + version: nightly-latest name: All-platform bundle + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -65,7 +70,7 @@ jobs: use-all-platform-bundle: 'true' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml index f2f9f45a5..30d5c532c 100644 --- a/.github/workflows/__analyze-ref-input.yml +++ b/.github/workflows/__analyze-ref-input.yml @@ -48,11 +48,8 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: "Analyze: 'ref' and 'sha' from inputs" + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read 
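Review bot: The new `directories` entry `"/.github/actions"` replaces the explicit `"/.github/actions/setup-swift/"` block, whose removed comment said that all subdirectories outside `/.github/workflows` must be explicitly included. If Dependabot does not recurse from `/.github/actions`, the actions referenced inside `setup-swift` (and any other composite action under that directory) would silently stop receiving update PRs, security fixes included. `directories` accepts globs, so `- "/.github/actions/*"` would state the intent explicitly; either way it is worth confirming against a Dependabot run log after merge. Separately, the added `labels: - Rebuild` replaces Dependabot's default labels for this ecosystem rather than adding to them, and nothing in the file says what the label triggers, so a one-line comment such as `# "Rebuild" label: <what it triggers>` would help.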
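Review bot: The job-level `if: github.triggering_actor != 'dependabot[bot]'` added in the first hunk of `__all-platform-bundle.yml` carries no explanation, and a job skipped by a job-level `if` reports as successful to branch protection. If this check is required, a Dependabot pull request that changes workflow or action versions could therefore satisfy it without the test having run. The same line is added to the other `__*.yml` workflows in this diff, so the point applies to each of them. Presumably the `Rebuild` label added in `dependabot.yml` leads to a push or re-run by another actor, which changes `triggering_actor` and lets the jobs run, but that is not visible here and should be confirmed. If these files are generated from the pr-checks templates, as the header of the deleted `__autobuild-direct-tracing.yml` says that one was, the generator is the place for a comment such as `# Skipped for Dependabot-triggered runs; see <link to the rebuild process>`.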
@@ -69,7 +66,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml index c623ca25f..c31576339 100644 --- a/.github/workflows/__autobuild-action.yml +++ b/.github/workflows/__autobuild-action.yml @@ -43,6 +43,7 @@ jobs: - os: windows-latest version: linked name: autobuild-action + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml index a0e3d6644..c1de5c19d 100644 --- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml +++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml @@ -55,6 +55,7 @@ jobs: - os: windows-latest version: nightly-latest name: Autobuild direct tracing (custom working directory) + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__autobuild-direct-tracing.yml b/.github/workflows/__autobuild-direct-tracing.yml deleted file mode 100644 index aed873e57..000000000 --- a/.github/workflows/__autobuild-direct-tracing.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -# Warning: This file is generated automatically, and should not be modified. -# Instead, please modify the template in the pr-checks directory and run: -# pr-checks/sync.sh -# to regenerate this file. - -name: PR Check - Autobuild direct tracing -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GO111MODULE: auto -on: - push: - branches: - - main - - releases/v* - pull_request: - types: - - opened - - synchronize - - reopened - - ready_for_review - schedule: - - cron: '0 5 * * *' - workflow_dispatch: - inputs: - java-version: - type: string - description: The version of Java to install - required: false - default: '17' - workflow_call: - inputs: - java-version: - type: string - description: The version of Java to install - required: false - default: '17' -defaults: - run: - shell: bash -concurrency: - cancel-in-progress: ${{ github.event_name == 'pull_request' }} - group: ${{ github.workflow }}-${{ github.ref }} -jobs: - autobuild-direct-tracing: - strategy: - fail-fast: false - matrix: - include: - - os: ubuntu-latest - version: linked - - os: windows-latest - version: linked - - os: ubuntu-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest - name: Autobuild direct tracing - permissions: - contents: read - security-events: read - timeout-minutes: 45 - runs-on: ${{ matrix.os }} - steps: - - name: Check out repository - uses: actions/checkout@v5 - - name: Prepare test - id: prepare-test - uses: ./.github/actions/prepare-test - with: - version: ${{ matrix.version }} - use-all-platform-bundle: 'false' - setup-kotlin: 'true' - - name: Install Java - uses: actions/setup-java@v5 - with: - java-version: ${{ inputs.java-version || '17' }} - distribution: temurin - - name: Set up Java test repo configuration - run: | - mv * .github ../action/tests/multi-language-repo/ - mv ../action/tests/multi-language-repo/.github/workflows .github - mv ../action/tests/java-repo/* . 
- - - uses: ./../action/init - id: init - with: - build-mode: autobuild - db-location: ${{ runner.temp }}/customDbLocation - languages: java - tools: ${{ steps.prepare-test.outputs.tools-url }} - - - name: Check that indirect tracing is disabled - run: | - if [[ ! -z "${CODEQL_RUNNER}" ]]; then - echo "Expected indirect tracing to be disabled, but the" \ - "CODEQL_RUNNER environment variable is set." - exit 1 - fi - - - uses: ./../action/analyze - env: - CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true - CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__autobuild-working-dir.yml similarity index 96% rename from .github/workflows/__test-autobuild-working-dir.yml rename to .github/workflows/__autobuild-working-dir.yml index 853836cbe..3a3ca9e5f 100644 --- a/.github/workflows/__test-autobuild-working-dir.yml +++ b/.github/workflows/__autobuild-working-dir.yml @@ -31,7 +31,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-autobuild-working-dir: + autobuild-working-dir: strategy: fail-fast: false matrix: @@ -39,6 +39,7 @@ jobs: - os: ubuntu-latest version: linked name: Autobuild working directory + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml index e24c170cf..878c941a4 100644 --- a/.github/workflows/__build-mode-autobuild.yml +++ b/.github/workflows/__build-mode-autobuild.yml @@ -21,9 +21,19 @@ on: schedule: - cron: '0 5 * * *' workflow_dispatch: - inputs: {} + inputs: + java-version: + type: string + description: The version of Java to install + required: false + default: '17' workflow_call: - inputs: {} + inputs: + java-version: + type: string + description: The version of Java to install + required: false + default: '17' defaults: run: shell: bash 
@@ -37,8 +47,15 @@ jobs: matrix: include: - os: ubuntu-latest + version: linked + - os: windows-latest + version: linked + - os: ubuntu-latest + version: nightly-latest + - os: windows-latest version: nightly-latest name: Build mode autobuild + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -54,6 +71,11 @@ jobs: version: ${{ matrix.version }} use-all-platform-bundle: 'false' setup-kotlin: 'true' + - name: Install Java + uses: actions/setup-java@v5 + with: + java-version: ${{ inputs.java-version || '17' }} + distribution: temurin - name: Set up Java test repo configuration run: | mv * .github ../action/tests/multi-language-repo/ @@ -68,6 +90,11 @@ jobs: languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} + - name: Install yq + if: runner.os == 'Windows' + run: | + choco install yq -y + - name: Validate database build mode run: | metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml" @@ -77,6 +104,14 @@ jobs: exit 1 fi + - name: Check that indirect tracing is disabled + run: | + if [[ ! -z "${CODEQL_RUNNER}" ]]; then + echo "Expected indirect tracing to be disabled, but the" \ + "CODEQL_RUNNER environment variable is set." + exit 1 + fi + - uses: ./../action/analyze env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__build-mode-manual.yml b/.github/workflows/__build-mode-manual.yml index 7e1c8a7ed..e0dc25f88 100644 --- a/.github/workflows/__build-mode-manual.yml +++ b/.github/workflows/__build-mode-manual.yml @@ -49,6 +49,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Build mode manual + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -65,7 +66,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false 
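Review bot: The added `Install yq` step in `__build-mode-autobuild.yml` runs `choco install yq -y` with no version, so every Windows run installs whatever package Chocolatey serves at that moment, in a job that then goes on to run the `analyze` step. Pinning it, e.g. `choco install yq --version <PINNED_VERSION> -y`, keeps the test reproducible and narrows the window for an unexpected or tampered release reaching CI. A short comment on the step naming which later step needs `yq` would also help, as that is not visible in this hunk.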
diff --git a/.github/workflows/__build-mode-none.yml b/.github/workflows/__build-mode-none.yml index 98f3a2d31..7584f9065 100644 --- a/.github/workflows/__build-mode-none.yml +++ b/.github/workflows/__build-mode-none.yml @@ -41,6 +41,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Build mode none + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__build-mode-rollback.yml b/.github/workflows/__build-mode-rollback.yml index 64b45fade..c1f3ccd0c 100644 --- a/.github/workflows/__build-mode-rollback.yml +++ b/.github/workflows/__build-mode-rollback.yml @@ -39,6 +39,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Build mode rollback + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__bundle-toolcache.yml b/.github/workflows/__bundle-toolcache.yml index 687a29b02..de3826b65 100644 --- a/.github/workflows/__bundle-toolcache.yml +++ b/.github/workflows/__bundle-toolcache.yml @@ -43,6 +43,7 @@ jobs: - os: windows-latest version: linked name: 'Bundle: Caching checks' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -59,7 +60,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Remove CodeQL from toolcache - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | const fs = require('fs'); @@ -69,7 +70,7 @@ jobs: - name: Install @actions/tool-cache run: npm install @actions/tool-cache - name: Check toolcache does not contain CodeQL - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | const toolcache = require('@actions/tool-cache'); 
@@ -88,7 +89,7 @@ jobs: output: ${{ runner.temp }}/results upload-database: false - name: Check CodeQL is installed within the toolcache - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | const toolcache = require('@actions/tool-cache'); diff --git a/.github/workflows/__bundle-zstd.yml b/.github/workflows/__bundle-zstd.yml index b481ea424..0139fdc14 100644 --- a/.github/workflows/__bundle-zstd.yml +++ b/.github/workflows/__bundle-zstd.yml @@ -43,6 +43,7 @@ jobs: - os: windows-latest version: linked name: 'Bundle: Zstandard checks' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -59,7 +60,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Remove CodeQL from toolcache - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | const fs = require('fs'); @@ -84,7 +85,7 @@ jobs: path: ${{ runner.temp }}/results/javascript.sarif retention-days: 7 - name: Check diagnostic with expected tools URL appears in SARIF - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif with: diff --git a/.github/workflows/__cleanup-db-cluster-dir.yml b/.github/workflows/__cleanup-db-cluster-dir.yml index 6bd5f79b6..dfe53c67c 100644 --- a/.github/workflows/__cleanup-db-cluster-dir.yml +++ b/.github/workflows/__cleanup-db-cluster-dir.yml @@ -39,6 +39,7 @@ jobs: - os: ubuntu-latest version: linked name: Clean up database cluster directory + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml index 85118c3fa..c6666b0f6 100644 --- a/.github/workflows/__config-export.yml +++ b/.github/workflows/__config-export.yml 
@@ -38,17 +38,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Config export + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -80,7 +73,7 @@ jobs: path: ${{ runner.temp }}/results/javascript.sarif retention-days: 7 - name: Check config properties appear in SARIF - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif with: diff --git a/.github/workflows/__config-input.yml b/.github/workflows/__config-input.yml index 09909e353..30b2cfaec 100644 --- a/.github/workflows/__config-input.yml +++ b/.github/workflows/__config-input.yml @@ -39,6 +39,7 @@ jobs: - os: ubuntu-latest version: linked name: Config input + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -48,7 +49,7 @@ jobs: - name: Check out repository uses: actions/checkout@v5 - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 20.x cache: npm diff --git a/.github/workflows/__cpp-deptrace-disabled.yml b/.github/workflows/__cpp-deptrace-disabled.yml index 92a7635ad..122159236 100644 --- a/.github/workflows/__cpp-deptrace-disabled.yml +++ b/.github/workflows/__cpp-deptrace-disabled.yml @@ -43,6 +43,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: 'C/C++: disabling autoinstalling dependencies (Linux)' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml index 1852b4305..b9669b870 100644 --- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml 
+++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml @@ -41,6 +41,7 @@ jobs: - os: macos-latest version: nightly-latest name: 'C/C++: autoinstalling dependencies is skipped (macOS)' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__cpp-deptrace-enabled.yml b/.github/workflows/__cpp-deptrace-enabled.yml index 88a79b6a7..bf155a64d 100644 --- a/.github/workflows/__cpp-deptrace-enabled.yml +++ b/.github/workflows/__cpp-deptrace-enabled.yml @@ -43,6 +43,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: 'C/C++: autoinstalling dependencies (Linux)' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml index 1b8618798..d8707c799 100644 --- a/.github/workflows/__diagnostics-export.yml +++ b/.github/workflows/__diagnostics-export.yml @@ -38,17 +38,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Diagnostic export + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -91,7 +84,7 @@ jobs: path: ${{ runner.temp }}/results/javascript.sarif retention-days: 7 - name: Check diagnostics appear in SARIF - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif with: diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml index 72cbf23d7..b2d9b72c7 100644 --- a/.github/workflows/__export-file-baseline-information.yml +++ b/.github/workflows/__export-file-baseline-information.yml 
@@ -53,6 +53,7 @@ jobs: - os: windows-latest version: nightly-latest name: Export file baseline information + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -69,7 +70,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml index df05dff46..2d8316f52 100644 --- a/.github/workflows/__extractor-ram-threads.yml +++ b/.github/workflows/__extractor-ram-threads.yml @@ -39,6 +39,7 @@ jobs: - os: ubuntu-latest version: linked name: Extractor ram and threads options test + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__global-proxy.yml similarity index 97% rename from .github/workflows/__test-proxy.yml rename to .github/workflows/__global-proxy.yml index 92f333059..bd5d64b5f 100644 --- a/.github/workflows/__test-proxy.yml +++ b/.github/workflows/__global-proxy.yml @@ -31,7 +31,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-proxy: + global-proxy: strategy: fail-fast: false matrix: @@ -41,6 +41,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Proxy test + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml index d73ac3a62..1b5b7b915 100644 --- a/.github/workflows/__go-custom-queries.yml +++ b/.github/workflows/__go-custom-queries.yml 
@@ -51,6 +51,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: 'Go: Custom queries' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -67,7 +68,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml index 9398fedca..061ad4254 100644 --- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml +++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml @@ -49,6 +49,7 @@ jobs: - os: ubuntu-latest version: default name: 'Go: diagnostic when Go is changed after init step' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -65,7 +66,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false @@ -74,7 +75,7 @@ jobs: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} # Deliberately change Go after the `init` step - - uses: actions/setup-go@v5 + - uses: actions/setup-go@v6 with: go-version: '1.20' - name: Build code @@ -84,7 +85,7 @@ jobs: output: ${{ runner.temp }}/results upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: ${{ runner.temp }}/results/go.sarif with: diff --git a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml index dbb22383e..0a347c65c 100644 --- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml 
+++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml @@ -49,6 +49,7 @@ jobs: - os: ubuntu-latest version: default name: 'Go: diagnostic when `file` is not installed' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -65,7 +66,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false @@ -85,7 +86,7 @@ jobs: output: ${{ runner.temp }}/results upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: ${{ runner.temp }}/results/go.sarif with: diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml index 830e28a9c..bb811d4d5 100644 --- a/.github/workflows/__go-indirect-tracing-workaround.yml +++ b/.github/workflows/__go-indirect-tracing-workaround.yml @@ -49,6 +49,7 @@ jobs: - os: ubuntu-latest version: default name: 'Go: workaround for indirect tracing' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -65,7 +66,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml index 24f72b896..6d4cc91cc 100644 --- a/.github/workflows/__go-tracing-autobuilder.yml +++ b/.github/workflows/__go-tracing-autobuilder.yml @@ -83,6 +83,7 @@ jobs: - os: macos-latest version: nightly-latest name: 'Go: tracing with autobuilder step' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read 
@@ -99,7 +100,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml index e2812b92d..634b074c0 100644 --- a/.github/workflows/__go-tracing-custom-build-steps.yml +++ b/.github/workflows/__go-tracing-custom-build-steps.yml @@ -83,6 +83,7 @@ jobs: - os: macos-latest version: nightly-latest name: 'Go: tracing with custom build steps' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -99,7 +100,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml index e8294697d..8168e3b10 100644 --- a/.github/workflows/__go-tracing-legacy-workflow.yml +++ b/.github/workflows/__go-tracing-legacy-workflow.yml @@ -83,6 +83,7 @@ jobs: - os: macos-latest version: nightly-latest name: 'Go: tracing with legacy workflow' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -99,7 +100,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml index f570a05e0..bbbc55bf1 100644 --- a/.github/workflows/__init-with-registries.yml +++ b/.github/workflows/__init-with-registries.yml 
@@ -38,23 +38,12 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Download using registries' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read packages: read @@ -117,8 +106,6 @@ jobs: fi - name: Verify contents of qlconfig.yml - # yq is not available on windows - if: runner.os != 'Windows' run: | QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")' diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml index f0e66bf32..e6c883966 100644 --- a/.github/workflows/__javascript-source-root.yml +++ b/.github/workflows/__javascript-source-root.yml @@ -43,6 +43,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Custom source root + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__job-run-uuid-sarif.yml b/.github/workflows/__job-run-uuid-sarif.yml index 50539d5e9..4df3b0d1c 100644 --- a/.github/workflows/__job-run-uuid-sarif.yml +++ b/.github/workflows/__job-run-uuid-sarif.yml @@ -39,6 +39,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Job run UUID added to SARIF + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml index 99db1af54..5f95caa13 100644 --- a/.github/workflows/__language-aliases.yml +++ b/.github/workflows/__language-aliases.yml 
@@ -39,6 +39,7 @@ jobs: - os: ubuntu-latest version: linked name: Language aliases + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__local-bundle.yml similarity index 95% rename from .github/workflows/__test-local-codeql.yml rename to .github/workflows/__local-bundle.yml index 09e47d922..7f840b5dc 100644 --- a/.github/workflows/__test-local-codeql.yml +++ b/.github/workflows/__local-bundle.yml @@ -41,7 +41,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-local-codeql: + local-bundle: strategy: fail-fast: false matrix: @@ -49,6 +49,7 @@ jobs: - os: ubuntu-latest version: linked name: Local CodeQL bundle + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -65,7 +66,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index 4d16b5fe3..ee5d10c81 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -83,6 +83,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Multi-language repository + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -99,7 +100,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__overlay-init-fallback.yml b/.github/workflows/__overlay-init-fallback.yml index c1fdaaf0a..d85e58aa1 100644 
--- a/.github/workflows/__overlay-init-fallback.yml +++ b/.github/workflows/__overlay-init-fallback.yml @@ -41,6 +41,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Overlay database init fallback + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml index 0d7d4cf9e..0e08cf70f 100644 --- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml +++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml @@ -48,23 +48,12 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config and input passed to the CLI' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -74,7 +63,7 @@ jobs: - name: Check out repository uses: actions/checkout@v5 - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 20.x cache: npm @@ -88,7 +77,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml index 7067a4d73..de3070baf 100644 --- a/.github/workflows/__packaging-config-inputs-js.yml +++ b/.github/workflows/__packaging-config-inputs-js.yml 
@@ -48,23 +48,12 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config and input' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -74,7 +63,7 @@ jobs: - name: Check out repository uses: actions/checkout@v5 - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 20.x cache: npm @@ -88,7 +77,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml index d6bd2cf7d..9c9dadada 100644 --- a/.github/workflows/__packaging-config-js.yml +++ b/.github/workflows/__packaging-config-js.yml @@ -48,23 +48,12 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config file' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -74,7 +63,7 @@ jobs: - name: Check out repository uses: actions/checkout@v5 - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 20.x cache: npm 
@@ -88,7 +77,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml index 03a81db68..2aa63c3c3 100644 --- a/.github/workflows/__packaging-inputs-js.yml +++ b/.github/workflows/__packaging-inputs-js.yml @@ -48,23 +48,12 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Action input' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -74,7 +63,7 @@ jobs: - name: Check out repository uses: actions/checkout@v5 - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 20.x cache: npm @@ -88,7 +77,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__quality-queries.yml b/.github/workflows/__quality-queries.yml index 50f24c61e..c4aa5ffaf 100644 --- a/.github/workflows/__quality-queries.yml +++ b/.github/workflows/__quality-queries.yml 
@@ -45,24 +45,6 @@ jobs: - os: ubuntu-latest version: linked analysis-kinds: code-scanning,code-quality - - os: macos-latest - version: linked - analysis-kinds: code-scanning - - os: macos-latest - version: linked - analysis-kinds: code-quality - - os: macos-latest - version: linked - analysis-kinds: code-scanning,code-quality - - os: windows-latest - version: linked - analysis-kinds: code-scanning - - os: windows-latest - version: linked - analysis-kinds: code-quality - - os: windows-latest - version: linked - analysis-kinds: code-scanning,code-quality - os: ubuntu-latest version: nightly-latest analysis-kinds: code-scanning @@ -72,25 +54,8 @@ jobs: - os: ubuntu-latest version: nightly-latest analysis-kinds: code-scanning,code-quality - - os: macos-latest - version: nightly-latest - analysis-kinds: code-scanning - - os: macos-latest - version: nightly-latest - analysis-kinds: code-quality - - os: macos-latest - version: nightly-latest - analysis-kinds: code-scanning,code-quality - - os: windows-latest - version: nightly-latest - analysis-kinds: code-scanning - - os: windows-latest - version: nightly-latest - analysis-kinds: code-quality - - os: windows-latest - version: nightly-latest - analysis-kinds: code-scanning,code-quality name: Quality queries input + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -133,7 +98,7 @@ jobs: retention-days: 7 - name: Check quality query does not appear in security SARIF if: contains(matrix.analysis-kinds, 'code-scanning') - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif EXPECT_PRESENT: 'false' 
@@ -141,7 +106,7 @@ jobs: script: ${{ env.CHECK_SCRIPT }} - name: Check quality query appears in quality SARIF if: contains(matrix.analysis-kinds, 'code-quality') - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif EXPECT_PRESENT: 'true' diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml index 39a4a0623..fb76dbc67 100644 --- a/.github/workflows/__remote-config.yml +++ b/.github/workflows/__remote-config.yml @@ -51,6 +51,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Remote config file + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -67,7 +68,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index f7ca25276..2203f3316 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml @@ -38,23 +38,12 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Resolve environment + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml index 2ab2b5616..48694e902 100644 --- a/.github/workflows/__rubocop-multi-language.yml 
+++ b/.github/workflows/__rubocop-multi-language.yml @@ -39,6 +39,7 @@ jobs: - os: ubuntu-latest version: default name: RuboCop multi-language + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -55,7 +56,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Set up Ruby - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0 + uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0 with: ruby-version: 2.6 - name: Install Code Scanning integration diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml index be9fac76e..769a11925 100644 --- a/.github/workflows/__ruby.yml +++ b/.github/workflows/__ruby.yml @@ -49,6 +49,7 @@ jobs: - os: macos-latest version: nightly-latest name: Ruby analysis + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__rust.yml b/.github/workflows/__rust.yml index c1254ba2c..d788e5226 100644 --- a/.github/workflows/__rust.yml +++ b/.github/workflows/__rust.yml @@ -47,6 +47,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Rust analysis + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml index 894701978..e916b36cc 100644 --- a/.github/workflows/__split-workflow.yml +++ b/.github/workflows/__split-workflow.yml @@ -59,6 +59,7 @@ jobs: - os: macos-latest version: nightly-latest name: Split workflow + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -75,7 +76,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false 
diff --git a/.github/workflows/__start-proxy.yml b/.github/workflows/__start-proxy.yml index b42dd061a..26f118460 100644 --- a/.github/workflows/__start-proxy.yml +++ b/.github/workflows/__start-proxy.yml @@ -43,6 +43,7 @@ jobs: - os: windows-latest version: linked name: Start proxy + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml index 3bd3e71cf..7383b52a8 100644 --- a/.github/workflows/__submit-sarif-failure.yml +++ b/.github/workflows/__submit-sarif-failure.yml @@ -43,6 +43,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Submit SARIF after failure + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: write # needed to upload the SARIF file diff --git a/.github/workflows/__swift-autobuild.yml b/.github/workflows/__swift-autobuild.yml index 00a47fb54..9d18d0c97 100644 --- a/.github/workflows/__swift-autobuild.yml +++ b/.github/workflows/__swift-autobuild.yml @@ -39,6 +39,7 @@ jobs: - os: macos-latest version: nightly-latest name: Swift analysis using autobuild + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index 72482eb4f..32ce33a7f 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -53,6 +53,7 @@ jobs: - os: macos-latest version: nightly-latest name: Swift analysis using a custom build command + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -69,7 +70,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false 
diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml index cf40679b1..8b8d15654 100644 --- a/.github/workflows/__unset-environment.yml +++ b/.github/workflows/__unset-environment.yml @@ -51,6 +51,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: Test unsetting environment variables + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -67,7 +68,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__upload-quality-sarif.yml b/.github/workflows/__upload-quality-sarif.yml index 90a1c9ef1..d9bcbb20f 100644 --- a/.github/workflows/__upload-quality-sarif.yml +++ b/.github/workflows/__upload-quality-sarif.yml @@ -48,11 +48,8 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: 'Upload-sarif: code quality endpoint' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -69,7 +66,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml index 41036c61a..8202ab136 100644 --- a/.github/workflows/__upload-ref-sha-input.yml +++ b/.github/workflows/__upload-ref-sha-input.yml @@ -48,11 +48,8 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: "Upload-sarif: 'ref' and 'sha' from inputs" + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read 
@@ -69,7 +66,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index ea694d7c6..e12c9846a 100644 --- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml @@ -48,11 +48,8 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked name: Use a custom `checkout_path` + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -69,7 +66,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index cc157b15f..1af109a76 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,6 +23,7 @@ env: jobs: # Identify the CodeQL tool versions to use in the analysis job. check-codeql-versions: + if: github.triggering_actor != 'dependabot[bot]' runs-on: ubuntu-latest outputs: versions: ${{ steps.compare.outputs.versions }} @@ -75,6 +76,7 @@ jobs: echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT analyze-javascript: + if: github.triggering_actor != 'dependabot[bot]' needs: [check-codeql-versions] strategy: fail-fast: false @@ -110,6 +112,7 @@ jobs: upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }} analyze-other: + if: github.triggering_actor != 'dependabot[bot]' runs-on: ubuntu-latest strategy: diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml index 316cb7d13..c6dc41f29 100644 --- a/.github/workflows/codescanning-config-cli.yml 
+++ b/.github/workflows/codescanning-config-cli.yml @@ -28,6 +28,7 @@ defaults: jobs: code-scanning-config-tests: + if: github.triggering_actor != 'dependabot[bot]' continue-on-error: true permissions: @@ -41,16 +42,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest # Code-Scanning config not created because environment variable is not set name: Code Scanning Configuration tests @@ -61,7 +56,7 @@ jobs: uses: actions/checkout@v5 - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: '20' cache: 'npm' diff --git a/.github/workflows/debug-artifacts-failure-safe.yml b/.github/workflows/debug-artifacts-failure-safe.yml index 5c40cf2a4..c938c51e6 100644 --- a/.github/workflows/debug-artifacts-failure-safe.yml +++ b/.github/workflows/debug-artifacts-failure-safe.yml @@ -24,6 +24,7 @@ defaults: jobs: upload-artifacts: + if: github.triggering_actor != 'dependabot[bot]' strategy: fail-fast: false matrix: @@ -50,7 +51,7 @@ jobs: uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - - uses: actions/setup-go@v5 + - uses: actions/setup-go@v6 with: go-version: ^1.13.1 - uses: ./../action/init @@ -70,6 +71,7 @@ jobs: expect-error: true download-and-check-artifacts: name: Download and check debug artifacts after failure in analyze + if: github.triggering_actor != 'dependabot[bot]' needs: upload-artifacts timeout-minutes: 45 permissions: diff --git a/.github/workflows/debug-artifacts-safe.yml b/.github/workflows/debug-artifacts-safe.yml index c91bb4f87..3e7282f82 100644 --- a/.github/workflows/debug-artifacts-safe.yml +++ b/.github/workflows/debug-artifacts-safe.yml @@ -23,6 +23,7 @@ defaults: jobs: upload-artifacts: + if: github.triggering_actor != 'dependabot[bot]' strategy: fail-fast: false matrix: 
@@ -46,7 +47,7 @@ jobs: uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - - uses: actions/setup-go@v5 + - uses: actions/setup-go@v6 with: go-version: ^1.13.1 - uses: ./../action/init @@ -64,6 +65,7 @@ jobs: id: analysis download-and-check-artifacts: name: Download and check debug artifacts + if: github.triggering_actor != 'dependabot[bot]' needs: upload-artifacts timeout-minutes: 45 permissions: diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml index bb52c1f6f..03efc0c33 100644 --- a/.github/workflows/post-release-mergeback.yml +++ b/.github/workflows/post-release-mergeback.yml @@ -47,7 +47,7 @@ jobs: - uses: actions/checkout@v5 with: fetch-depth: 0 # ensure we have all tags and can push commits - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v5 - name: Update git config run: | @@ -139,7 +139,7 @@ jobs: token: "${{ secrets.GITHUB_TOKEN }}" - name: Generate token - uses: actions/create-github-app-token@v2.1.1 + uses: actions/create-github-app-token@v2.1.4 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index d4993b6ce..fa80525f9 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -15,6 +15,7 @@ defaults: jobs: unit-tests: name: Unit Tests + if: github.triggering_actor != 'dependabot[bot]' strategy: fail-fast: false matrix: @@ -31,15 +32,15 @@ jobs: run: git config --global core.autocrlf false - uses: actions/checkout@v5 - + - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: '20.x' cache: 'npm' - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: 3.11 
@@ -59,6 +60,10 @@ jobs: - name: Run unit tests run: npm test + - name: Run pr-checks tests + working-directory: pr-checks + run: python -m unittest discover + - name: Lint if: matrix.os != 'windows-latest' run: npm run lint-ci @@ -71,7 +76,7 @@ jobs: category: eslint check-node-version: - if: github.event.pull_request + if: github.event.pull_request && github.triggering_actor != 'dependabot[bot]' name: Check Action Node versions runs-on: ubuntu-latest timeout-minutes: 45 diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml index 40061955b..aa2a03420 100644 --- a/.github/workflows/python312-windows.yml +++ b/.github/workflows/python312-windows.yml @@ -18,6 +18,7 @@ defaults: jobs: test-setup-python-scripts: + if: github.triggering_actor != 'dependabot[bot]' env: CODEQL_ACTION_TEST_MODE: true timeout-minutes: 45 @@ -26,7 +27,7 @@ jobs: runs-on: windows-latest steps: - - uses: actions/setup-python@v5 + - uses: actions/setup-python@v6 with: python-version: 3.12 diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml index 60212c918..aabcc144b 100644 --- a/.github/workflows/query-filters.yml +++ b/.github/workflows/query-filters.yml @@ -22,6 +22,7 @@ defaults: jobs: query-filters: name: Query Filters Tests + if: github.triggering_actor != 'dependabot[bot]' timeout-minutes: 45 runs-on: ubuntu-latest permissions: @@ -31,7 +32,7 @@ jobs: uses: actions/checkout@v5 - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: 20.x cache: npm diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml index 874ca7a4d..e7b9022be 100644 --- a/.github/workflows/rebuild.yml +++ b/.github/workflows/rebuild.yml 
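Review bot: The added `Run pr-checks tests` step in `pr-checks.yml` runs `python -m unittest discover` on what appears to be the Python 3.11 this job sets up, where a discovery that finds no tests still exits successfully. The non-zero exit for an empty run only arrived in Python 3.12, so a renamed or moved test file under `pr-checks` would turn this step into a silent no-op. I would add a comment such as `# unittest on 3.11 passes when nothing is discovered; test files must match test*.py`, and pass `-v` so the log shows which tests ran: `run: python -m unittest discover -v`. The `unit-tests` job starts and ends outside the hunk.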
@@ -15,6 +15,10 @@ jobs: runs-on: ubuntu-latest if: github.event.label.name == 'Rebuild' || github.event_name == 'workflow_dispatch' + env: + HEAD_REF: ${{ github.event.pull_request.head.ref || github.event.ref }} + BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }} + permissions: contents: write # needed to push rebuilt commit pull-requests: write # needed to comment on the PR @@ -23,7 +27,7 @@ jobs: uses: actions/checkout@v5 with: fetch-depth: 0 - ref: ${{ github.event.pull_request.head.ref || github.event.ref }} + ref: ${{ env.HEAD_REF }} - name: Remove label if: github.event_name == 'pull_request' @@ -41,8 +45,6 @@ jobs: - name: Merge in changes from base branch id: merge - env: - BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }} run: | git fetch origin "$BASE_BRANCH" @@ -72,13 +74,20 @@ jobs: npm run build - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: 3.11 - - name: Generate workflows + - name: Sync back version updates to generated workflows + # Only sync back versions on Dependabot update PRs + if: startsWith(env.HEAD_REF, 'dependabot/') + working-directory: pr-checks + run: | + python3 sync_back.py -v + + - name: Generate workflows + working-directory: pr-checks run: | - cd pr-checks python -m pip install --upgrade pip pip install ruamel.yaml==0.17.31 python3 sync.py diff --git a/.github/workflows/rollback-release.yml b/.github/workflows/rollback-release.yml index cf11d2ca1..8d8e872fa 100644 --- a/.github/workflows/rollback-release.yml +++ b/.github/workflows/rollback-release.yml @@ -10,6 +10,10 @@ on: required: true # Only for dry-runs of changes to the workflow. push: + # Don't run dry-run on release branches, to avoid an issue where the + # "new" tag determined by the "Prepare release" job already exists. + branches-ignore: + - releases/v* paths: - .github/workflows/rollback-release.yml - .github/actions/prepare-mergeback-branch/** 
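Review bot: The new `Sync back version updates to generated workflows` step in `rebuild.yml` is gated only on the branch name, `startsWith(env.HEAD_REF, 'dependabot/')`, and a branch name is chosen by whoever pushes the branch, not by Dependabot. The earlier hunks of this file show the job checking out `HEAD_REF` and holding `contents: write` and `pull-requests: write`, so this condition decides whether `sync_back.py` rewrites workflow files that the job presumably then commits. Tying it to the PR author as well would match the comment above it, e.g. `if: startsWith(env.HEAD_REF, 'dependabot/') && github.event.pull_request.user.login == 'dependabot[bot]'`. That expression is false on `workflow_dispatch`, so a manual run on a Dependabot branch would need its own case. The workflow's trigger section is outside the hunk, so which pull requests can reach this job is not visible here.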
@@ -133,7 +137,7 @@ jobs: - name: Generate token if: github.event_name == 'workflow_dispatch' - uses: actions/create-github-app-token@v2.1.1 + uses: actions/create-github-app-token@v2.1.4 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} diff --git a/.github/workflows/test-codeql-bundle-all.yml b/.github/workflows/test-codeql-bundle-all.yml index 3ccfb4e63..4b7fdca81 100644 --- a/.github/workflows/test-codeql-bundle-all.yml +++ b/.github/workflows/test-codeql-bundle-all.yml @@ -28,6 +28,7 @@ jobs: - os: ubuntu-latest version: nightly-latest name: 'CodeQL Bundle All' + if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read security-events: read @@ -46,7 +47,7 @@ jobs: uses: ./../action/init with: # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu - languages: cpp,csharp,go,java,javascript,python,ruby + languages: cpp,csharp,go,java,javascript,python,ruby tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Build code run: ./build.sh diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml index 3f49c2a14..e64135d84 100644 --- a/.github/workflows/update-bundle.yml +++ b/.github/workflows/update-bundle.yml @@ -41,7 +41,7 @@ jobs: git config --global user.name "github-actions[bot]" - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 with: node-version: '20.x' cache: 'npm' diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml index bf08414d5..f693ac939 100644 --- a/.github/workflows/update-proxy-release.yml +++ b/.github/workflows/update-proxy-release.yml @@ -39,7 +39,7 @@ jobs: (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1 - name: Install Node - uses: actions/setup-node@v4 + uses: actions/setup-node@v5 - name: Checkout repository uses: actions/checkout@v5 
diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml index f850f6505..69700a35f 100644 --- a/.github/workflows/update-release-branch.yml +++ b/.github/workflows/update-release-branch.yml @@ -93,7 +93,7 @@ jobs: pull-requests: write # needed to create pull request steps: - name: Generate token - uses: actions/create-github-app-token@v2.1.1 + uses: actions/create-github-app-token@v2.1.4 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} diff --git a/.github/workflows/update-supported-enterprise-server-versions.yml b/.github/workflows/update-supported-enterprise-server-versions.yml index 80785a826..35d4ba01f 100644 --- a/.github/workflows/update-supported-enterprise-server-versions.yml +++ b/.github/workflows/update-supported-enterprise-server-versions.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: "3.13" - name: Checkout CodeQL Action diff --git a/CHANGELOG.md b/CHANGELOG.md index 3cae4a75f..d2e5bd94a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,9 +4,14 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] +No user facing changes. + +## 3.30.4 - 25 Sep 2025 + - We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. [#3099](https://github.com/github/codeql-action/pull/3099) and [#3100](https://github.com/github/codeql-action/pull/3100) - We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. [#3107](https://github.com/github/codeql-action/pull/3107) - You can now run the latest CodeQL nightly bundle by passing `tools: nightly` to the `init` action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. [#3130](https://github.com/github/codeql-action/pull/3130) +- Update default CodeQL bundle version to 2.23.1. [#3118](https://github.com/github/codeql-action/pull/3118) ## 3.30.3 - 10 Sep 2025 diff --git a/justfile b/justfile index f146ed9b4..c951b4b06 100644 --- a/justfile +++ b/justfile @@ -22,7 +22,7 @@ test: build # Run the tests for a single file test_file filename: build - npx ava --verbose {{filename}} + npx ava --serial --verbose {{filename}} [doc("Refresh the .js build artefacts in the lib directory")] [confirm] diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 98c3dd52d..4c38451e8 100644 
--- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -26463,7 +26463,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -26490,7 +26490,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", @@ -26503,7 +26503,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", @@ -67282,7 +67282,7 @@ var require_package2 = __commonJS({ "node_modules/@actions/cache/package.json"(exports2, module2) { module2.exports = { name: "@actions/cache", - version: "4.0.5", + version: "4.1.0", preview: true, description: "Actions cache lib", keywords: [ @@ -72091,11 +72091,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 9 /*ScalarType.STRING*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, signedUploadUrl: "" }; + const message = { ok: false, signedUploadUrl: "", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); 
@@ -72114,6 +72121,10 @@ var require_cache2 = __commonJS({ 2: message.signedUploadUrl = reader.string(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -72130,6 +72141,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.signedUploadUrl !== "") writer.tag(2, runtime_1.WireType.LengthDelimited).string(message.signedUploadUrl); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -72235,11 +72248,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 3 /*ScalarType.INT64*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, entryId: "0" }; + const message = { ok: false, entryId: "0", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -72258,6 +72278,10 @@ var require_cache2 = __commonJS({ 2: message.entryId = reader.int64().toString(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -72274,6 +72298,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.entryId !== "0") writer.tag(2, runtime_1.WireType.Varint).int64(message.entryId); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); 
@@ -73037,7 +73063,7 @@ var require_cache3 = __commonJS({ }); }; Object.defineProperty(exports2, "__esModule", { value: true }); - exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.ReserveCacheError = exports2.ValidationError = void 0; + exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; var core14 = __importStar4(require_core()); var path6 = __importStar4(require("path")); var utils = __importStar4(require_cacheUtils()); @@ -73045,7 +73071,6 @@ var require_cache3 = __commonJS({ var cacheTwirpClient = __importStar4(require_cacheTwirpClient()); var config_1 = require_config(); var tar_1 = require_tar(); - var constants_1 = require_constants7(); var http_client_1 = require_lib(); var ValidationError = class _ValidationError extends Error { constructor(message) { @@ -73063,6 +73088,14 @@ var require_cache3 = __commonJS({ } }; exports2.ReserveCacheError = ReserveCacheError2; + var FinalizeCacheError = class _FinalizeCacheError extends Error { + constructor(message) { + super(message); + this.name = "FinalizeCacheError"; + Object.setPrototypeOf(this, _FinalizeCacheError.prototype); + } + }; + exports2.FinalizeCacheError = FinalizeCacheError; function checkPaths(paths) { if (!paths || paths.length === 0) { throw new ValidationError(`Path Validation Error: At least one directory or file path is required`); 
@@ -73334,9 +73367,6 @@ var require_cache3 = __commonJS({ } const archiveFileSize = utils.getArchiveFileSizeInBytes(archivePath); core14.debug(`File Size: ${archiveFileSize}`); - if (archiveFileSize > constants_1.CacheFileSizeLimit && !(0, config_1.isGhes)()) { - throw new Error(`Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the 10GB limit, not saving cache.`); - } options.archiveSizeBytes = archiveFileSize; core14.debug("Reserving Cache"); const version = utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive); @@ -73348,7 +73378,10 @@ var require_cache3 = __commonJS({ try { const response = yield twirpClient.CreateCacheEntry(request); if (!response.ok) { - throw new Error("Response was not ok"); + if (response.message) { + core14.warning(`Cache reservation failed: ${response.message}`); + } + throw new Error(response.message || "Response was not ok"); } signedUploadUrl = response.signedUploadUrl; } catch (error2) { @@ -73365,6 +73398,9 @@ var require_cache3 = __commonJS({ const finalizeResponse = yield twirpClient.FinalizeCacheEntryUpload(finalizeRequest); core14.debug(`FinalizeCacheEntryUploadResponse: ${finalizeResponse.ok}`); if (!finalizeResponse.ok) { + if (finalizeResponse.message) { + throw new FinalizeCacheError(finalizeResponse.message); + } throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`); } cacheId = parseInt(finalizeResponse.entryId); @@ -73374,6 +73410,8 @@ var require_cache3 = __commonJS({ throw error2; } else if (typedError.name === ReserveCacheError2.name) { core14.info(`Failed to save: ${typedError.message}`); + } else if (typedError.name === FinalizeCacheError.name) { + core14.warning(typedError.message); } else { if (typedError instanceof http_client_1.HttpClientError && typeof typedError.statusCode === "number" && typedError.statusCode >= 500) { core14.error(`Failed to save: ${typedError.message}`); 
diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 129f5cd89..18407fdcd 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -32312,7 +32312,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -32339,7 +32339,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", @@ -32352,7 +32352,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", @@ -73131,7 +73131,7 @@ var require_package2 = __commonJS({ "node_modules/@actions/cache/package.json"(exports2, module2) { module2.exports = { name: "@actions/cache", - version: "4.0.5", + version: "4.1.0", preview: true, description: "Actions cache lib", keywords: [ 
@@ -77940,11 +77940,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 9 /*ScalarType.STRING*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, signedUploadUrl: "" }; + const message = { ok: false, signedUploadUrl: "", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -77963,6 +77970,10 @@ var require_cache2 = __commonJS({ 2: message.signedUploadUrl = reader.string(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -77979,6 +77990,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.signedUploadUrl !== "") writer.tag(2, runtime_1.WireType.LengthDelimited).string(message.signedUploadUrl); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -78084,11 +78097,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 3 /*ScalarType.INT64*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, entryId: "0" }; + const message = { ok: false, entryId: "0", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); 
@@ -78107,6 +78127,10 @@ var require_cache2 = __commonJS({ 2: message.entryId = reader.int64().toString(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -78123,6 +78147,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.entryId !== "0") writer.tag(2, runtime_1.WireType.Varint).int64(message.entryId); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -78886,7 +78912,7 @@ var require_cache3 = __commonJS({ }); }; Object.defineProperty(exports2, "__esModule", { value: true }); - exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.ReserveCacheError = exports2.ValidationError = void 0; + exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; var core15 = __importStar4(require_core()); var path20 = __importStar4(require("path")); var utils = __importStar4(require_cacheUtils()); @@ -78894,7 +78920,6 @@ var require_cache3 = __commonJS({ var cacheTwirpClient = __importStar4(require_cacheTwirpClient()); var config_1 = require_config(); var tar_1 = require_tar(); - var constants_1 = require_constants10(); var http_client_1 = require_lib(); var ValidationError = class _ValidationError extends Error { constructor(message) { 
@@ -78912,6 +78937,14 @@ var require_cache3 = __commonJS({ } }; exports2.ReserveCacheError = ReserveCacheError2; + var FinalizeCacheError = class _FinalizeCacheError extends Error { + constructor(message) { + super(message); + this.name = "FinalizeCacheError"; + Object.setPrototypeOf(this, _FinalizeCacheError.prototype); + } + }; + exports2.FinalizeCacheError = FinalizeCacheError; function checkPaths(paths) { if (!paths || paths.length === 0) { throw new ValidationError(`Path Validation Error: At least one directory or file path is required`); @@ -79183,9 +79216,6 @@ var require_cache3 = __commonJS({ } const archiveFileSize = utils.getArchiveFileSizeInBytes(archivePath); core15.debug(`File Size: ${archiveFileSize}`); - if (archiveFileSize > constants_1.CacheFileSizeLimit && !(0, config_1.isGhes)()) { - throw new Error(`Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the 10GB limit, not saving cache.`); - } options.archiveSizeBytes = archiveFileSize; core15.debug("Reserving Cache"); const version = utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive); @@ -79197,7 +79227,10 @@ var require_cache3 = __commonJS({ try { const response = yield twirpClient.CreateCacheEntry(request); if (!response.ok) { - throw new Error("Response was not ok"); + if (response.message) { + core15.warning(`Cache reservation failed: ${response.message}`); + } + throw new Error(response.message || "Response was not ok"); } signedUploadUrl = response.signedUploadUrl; } catch (error2) { 
@@ -79214,6 +79247,9 @@ var require_cache3 = __commonJS({ const finalizeResponse = yield twirpClient.FinalizeCacheEntryUpload(finalizeRequest); core15.debug(`FinalizeCacheEntryUploadResponse: ${finalizeResponse.ok}`); if (!finalizeResponse.ok) { + if (finalizeResponse.message) { + throw new FinalizeCacheError(finalizeResponse.message); + } throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`); } cacheId = parseInt(finalizeResponse.entryId); @@ -79223,6 +79259,8 @@ var require_cache3 = __commonJS({ throw error2; } else if (typedError.name === ReserveCacheError2.name) { core15.info(`Failed to save: ${typedError.message}`); + } else if (typedError.name === FinalizeCacheError.name) { + core15.warning(typedError.message); } else { if (typedError instanceof http_client_1.HttpClientError && typeof typedError.statusCode === "number" && typedError.statusCode >= 500) { core15.error(`Failed to save: ${typedError.message}`); @@ -90198,6 +90236,14 @@ function getApiDetails() { function getApiClient() { return createApiClientWithDetails(getApiDetails()); } +function getAuthorizationHeaderFor(logger, apiDetails, url2) { + if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) { + logger.debug(`Providing an authorization token.`); + return `token ${apiDetails.auth}`; + } + logger.debug(`Not using an authorization token.`); + return void 0; +} var cachedGitHubVersion = void 0; async function getGitHubVersionFromApi(apiClient, apiDetails) { if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) { @@ -90587,8 +90633,8 @@ var path8 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.0"; -var cliVersion = "2.23.0"; +var bundleVersion = "codeql-bundle-v2.23.1"; +var cliVersion = "2.23.1"; // src/overlay-database-utils.ts var crypto = __toESM(require("crypto")); 
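Review bot: `getAuthorizationHeaderFor`, added in full in the `@@ -90198` hunk, has no comment stating its contract, even though it now decides on its own whether the API token is attached to a request. The trailing `/` in both `startsWith` prefixes is load-bearing, because without it a host that merely begins with the configured URL would match, so I would document it: `/** Returns an Authorization header value only when url2 lies under apiDetails.url or apiDetails.apiURL; the trailing slash in each prefix must stay so that a look-alike host never receives the token. */`. If `apiDetails.url` can ever arrive with its own trailing slash (not visible here), the prefix becomes `…//` and the token is silently withheld; that fails closed, but it deserves a sentence in the same comment. The shared debug messages no longer say which request they refer to, so a caller such as `downloadCodeQL` (hunk `@@ -92389`) may want its own debug line. The same helper is repeated in the `lib/init-action-post.js` hunk `@@ -128417`, and as these `lib/` files look like bundler output the comment presumably belongs in the source module they are built from.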
@@ -92389,11 +92435,12 @@ var downloadCodeQL = async function(codeqlURL, compressionMethod, maybeBundleVer let authorization = void 0; if (searchParams.has("token")) { logger.debug("CodeQL tools URL contains an authorization token."); - } else if (codeqlURL.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug("Providing an authorization token to download CodeQL tools."); - authorization = `token ${apiDetails.auth}`; } else { - logger.debug("Downloading CodeQL tools without an authorization token."); + authorization = getAuthorizationHeaderFor( + logger, + apiDetails, + codeqlURL + ); } const toolcacheInfo = getToolcacheDestinationInfo( maybeBundleVersion, diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index cbb034877..0ec50725c 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -26463,7 +26463,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -26490,7 +26490,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", 
@@ -26503,7 +26503,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", @@ -67282,7 +67282,7 @@ var require_package2 = __commonJS({ "node_modules/@actions/cache/package.json"(exports2, module2) { module2.exports = { name: "@actions/cache", - version: "4.0.5", + version: "4.1.0", preview: true, description: "Actions cache lib", keywords: [ @@ -72091,11 +72091,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 9 /*ScalarType.STRING*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, signedUploadUrl: "" }; + const message = { ok: false, signedUploadUrl: "", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -72114,6 +72121,10 @@ var require_cache2 = __commonJS({ 2: message.signedUploadUrl = reader.string(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -72130,6 +72141,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.signedUploadUrl !== "") writer.tag(2, runtime_1.WireType.LengthDelimited).string(message.signedUploadUrl); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); 
@@ -72235,11 +72248,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 3 /*ScalarType.INT64*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, entryId: "0" }; + const message = { ok: false, entryId: "0", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -72258,6 +72278,10 @@ var require_cache2 = __commonJS({ 2: message.entryId = reader.int64().toString(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -72274,6 +72298,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.entryId !== "0") writer.tag(2, runtime_1.WireType.Varint).int64(message.entryId); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -73037,7 +73063,7 @@ var require_cache3 = __commonJS({ }); }; Object.defineProperty(exports2, "__esModule", { value: true }); - exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.ReserveCacheError = exports2.ValidationError = void 0; + exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; var core14 = __importStar4(require_core()); var path7 = __importStar4(require("path")); var utils = __importStar4(require_cacheUtils()); 
@@ -73045,7 +73071,6 @@ var require_cache3 = __commonJS({ var cacheTwirpClient = __importStar4(require_cacheTwirpClient()); var config_1 = require_config(); var tar_1 = require_tar(); - var constants_1 = require_constants7(); var http_client_1 = require_lib(); var ValidationError = class _ValidationError extends Error { constructor(message) { @@ -73063,6 +73088,14 @@ var require_cache3 = __commonJS({ } }; exports2.ReserveCacheError = ReserveCacheError; + var FinalizeCacheError = class _FinalizeCacheError extends Error { + constructor(message) { + super(message); + this.name = "FinalizeCacheError"; + Object.setPrototypeOf(this, _FinalizeCacheError.prototype); + } + }; + exports2.FinalizeCacheError = FinalizeCacheError; function checkPaths(paths) { if (!paths || paths.length === 0) { throw new ValidationError(`Path Validation Error: At least one directory or file path is required`); @@ -73334,9 +73367,6 @@ var require_cache3 = __commonJS({ } const archiveFileSize = utils.getArchiveFileSizeInBytes(archivePath); core14.debug(`File Size: ${archiveFileSize}`); - if (archiveFileSize > constants_1.CacheFileSizeLimit && !(0, config_1.isGhes)()) { - throw new Error(`Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the 10GB limit, not saving cache.`); - } options.archiveSizeBytes = archiveFileSize; core14.debug("Reserving Cache"); const version = utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive); @@ -73348,7 +73378,10 @@ var require_cache3 = __commonJS({ try { const response = yield twirpClient.CreateCacheEntry(request); if (!response.ok) { - throw new Error("Response was not ok"); + if (response.message) { + core14.warning(`Cache reservation failed: ${response.message}`); + } + throw new Error(response.message || "Response was not ok"); } signedUploadUrl = response.signedUploadUrl; } catch (error2) { 
@@ -73365,6 +73398,9 @@ var require_cache3 = __commonJS({ const finalizeResponse = yield twirpClient.FinalizeCacheEntryUpload(finalizeRequest); core14.debug(`FinalizeCacheEntryUploadResponse: ${finalizeResponse.ok}`); if (!finalizeResponse.ok) { + if (finalizeResponse.message) { + throw new FinalizeCacheError(finalizeResponse.message); + } throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`); } cacheId = parseInt(finalizeResponse.entryId); @@ -73374,6 +73410,8 @@ var require_cache3 = __commonJS({ throw error2; } else if (typedError.name === ReserveCacheError.name) { core14.info(`Failed to save: ${typedError.message}`); + } else if (typedError.name === FinalizeCacheError.name) { + core14.warning(typedError.message); } else { if (typedError instanceof http_client_1.HttpClientError && typeof typedError.statusCode === "number" && typedError.statusCode >= 500) { core14.error(`Failed to save: ${typedError.message}`); @@ -78256,8 +78294,8 @@ var path3 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.0"; -var cliVersion = "2.23.0"; +var bundleVersion = "codeql-bundle-v2.23.1"; +var cliVersion = "2.23.1"; // src/overlay-database-utils.ts var fs2 = __toESM(require("fs")); diff --git a/lib/defaults.json b/lib/defaults.json index 712efc19f..dbc0d5e25 100644 --- a/lib/defaults.json +++ b/lib/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.23.0", - "cliVersion": "2.23.0", - "priorBundleVersion": "codeql-bundle-v2.22.4", - "priorCliVersion": "2.22.4" + "bundleVersion": "codeql-bundle-v2.23.1", + "cliVersion": "2.23.1", + "priorBundleVersion": "codeql-bundle-v2.23.0", + "priorCliVersion": "2.23.0" } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 5bbbca202..59fbc3081 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -32312,7 +32312,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -32339,7 +32339,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", @@ -32352,7 +32352,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", @@ -73131,7 +73131,7 @@ var require_package2 = __commonJS({ "node_modules/@actions/cache/package.json"(exports2, module2) { module2.exports = { name: "@actions/cache", - version: "4.0.5", + version: "4.1.0", preview: true, description: "Actions cache lib", keywords: [ @@ -77940,11 +77940,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 9 /*ScalarType.STRING*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, signedUploadUrl: "" }; + const message = { ok: false, signedUploadUrl: "", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); 
@@ -77963,6 +77970,10 @@ var require_cache2 = __commonJS({ 2: message.signedUploadUrl = reader.string(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -77979,6 +77990,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.signedUploadUrl !== "") writer.tag(2, runtime_1.WireType.LengthDelimited).string(message.signedUploadUrl); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -78084,11 +78097,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 3 /*ScalarType.INT64*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, entryId: "0" }; + const message = { ok: false, entryId: "0", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -78107,6 +78127,10 @@ var require_cache2 = __commonJS({ 2: message.entryId = reader.int64().toString(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -78123,6 +78147,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.entryId !== "0") writer.tag(2, runtime_1.WireType.Varint).int64(message.entryId); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); 
@@ -78886,7 +78912,7 @@ var require_cache3 = __commonJS({ }); }; Object.defineProperty(exports2, "__esModule", { value: true }); - exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.ReserveCacheError = exports2.ValidationError = void 0; + exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; var core18 = __importStar4(require_core()); var path19 = __importStar4(require("path")); var utils = __importStar4(require_cacheUtils()); @@ -78894,7 +78920,6 @@ var require_cache3 = __commonJS({ var cacheTwirpClient = __importStar4(require_cacheTwirpClient()); var config_1 = require_config(); var tar_1 = require_tar(); - var constants_1 = require_constants10(); var http_client_1 = require_lib(); var ValidationError = class _ValidationError extends Error { constructor(message) { @@ -78912,6 +78937,14 @@ var require_cache3 = __commonJS({ } }; exports2.ReserveCacheError = ReserveCacheError2; + var FinalizeCacheError = class _FinalizeCacheError extends Error { + constructor(message) { + super(message); + this.name = "FinalizeCacheError"; + Object.setPrototypeOf(this, _FinalizeCacheError.prototype); + } + }; + exports2.FinalizeCacheError = FinalizeCacheError; function checkPaths(paths) { if (!paths || paths.length === 0) { throw new ValidationError(`Path Validation Error: At least one directory or file path is required`); 
@@ -79183,9 +79216,6 @@ var require_cache3 = __commonJS({ } const archiveFileSize = utils.getArchiveFileSizeInBytes(archivePath); core18.debug(`File Size: ${archiveFileSize}`); - if (archiveFileSize > constants_1.CacheFileSizeLimit && !(0, config_1.isGhes)()) { - throw new Error(`Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the 10GB limit, not saving cache.`); - } options.archiveSizeBytes = archiveFileSize; core18.debug("Reserving Cache"); const version = utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive); @@ -79197,7 +79227,10 @@ var require_cache3 = __commonJS({ try { const response = yield twirpClient.CreateCacheEntry(request); if (!response.ok) { - throw new Error("Response was not ok"); + if (response.message) { + core18.warning(`Cache reservation failed: ${response.message}`); + } + throw new Error(response.message || "Response was not ok"); } signedUploadUrl = response.signedUploadUrl; } catch (error2) { @@ -79214,6 +79247,9 @@ var require_cache3 = __commonJS({ const finalizeResponse = yield twirpClient.FinalizeCacheEntryUpload(finalizeRequest); core18.debug(`FinalizeCacheEntryUploadResponse: ${finalizeResponse.ok}`); if (!finalizeResponse.ok) { + if (finalizeResponse.message) { + throw new FinalizeCacheError(finalizeResponse.message); + } throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`); } cacheId = parseInt(finalizeResponse.entryId); @@ -79223,6 +79259,8 @@ var require_cache3 = __commonJS({ throw error2; } else if (typedError.name === ReserveCacheError2.name) { core18.info(`Failed to save: ${typedError.message}`); + } else if (typedError.name === FinalizeCacheError.name) { + core18.warning(typedError.message); } else { if (typedError instanceof http_client_1.HttpClientError && typeof typedError.statusCode === "number" && typedError.statusCode >= 500) { core18.error(`Failed to save: ${typedError.message}`); 
@@ -128417,6 +128455,14 @@ function getApiDetails() { function getApiClient() { return createApiClientWithDetails(getApiDetails()); } +function getAuthorizationHeaderFor(logger, apiDetails, url2) { + if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) { + logger.debug(`Providing an authorization token.`); + return `token ${apiDetails.auth}`; + } + logger.debug(`Not using an authorization token.`); + return void 0; +} var cachedGitHubVersion = void 0; async function getGitHubVersionFromApi(apiClient, apiDetails) { if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) { @@ -128793,8 +128839,8 @@ var path8 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.0"; -var cliVersion = "2.23.0"; +var bundleVersion = "codeql-bundle-v2.23.1"; +var cliVersion = "2.23.1"; // src/overlay-database-utils.ts var fs6 = __toESM(require("fs")); @@ -130332,11 +130378,12 @@ var downloadCodeQL = async function(codeqlURL, compressionMethod, maybeBundleVer let authorization = void 0; if (searchParams.has("token")) { logger.debug("CodeQL tools URL contains an authorization token."); - } else if (codeqlURL.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug("Providing an authorization token to download CodeQL tools."); - authorization = `token ${apiDetails.auth}`; } else { - logger.debug("Downloading CodeQL tools without an authorization token."); + authorization = getAuthorizationHeaderFor( + logger, + apiDetails, + codeqlURL + ); } const toolcacheInfo = getToolcacheDestinationInfo( maybeBundleVersion, diff --git a/lib/init-action.js b/lib/init-action.js index 54629c8d8..2a06db967 100644 --- a/lib/init-action.js +++ b/lib/init-action.js 
@@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -32312,7 +32312,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -32339,7 +32339,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", @@ -32352,7 +32352,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", @@ -73131,7 +73131,7 @@ var require_package2 = __commonJS({ "node_modules/@actions/cache/package.json"(exports2, module2) { module2.exports = { name: "@actions/cache", - version: "4.0.5", + version: "4.1.0", preview: true, description: "Actions cache lib", keywords: [ @@ -77940,11 +77940,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 9 /*ScalarType.STRING*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, signedUploadUrl: "" }; + const message = { ok: false, signedUploadUrl: "", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); 
@@ -77963,6 +77970,10 @@ var require_cache2 = __commonJS({ 2: message.signedUploadUrl = reader.string(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -77979,6 +77990,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.signedUploadUrl !== "") writer.tag(2, runtime_1.WireType.LengthDelimited).string(message.signedUploadUrl); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -78084,11 +78097,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 3 /*ScalarType.INT64*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, entryId: "0" }; + const message = { ok: false, entryId: "0", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -78107,6 +78127,10 @@ var require_cache2 = __commonJS({ 2: message.entryId = reader.int64().toString(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -78123,6 +78147,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.entryId !== "0") writer.tag(2, runtime_1.WireType.Varint).int64(message.entryId); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); 
@@ -78886,7 +78912,7 @@ var require_cache3 = __commonJS({ }); }; Object.defineProperty(exports2, "__esModule", { value: true }); - exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.ReserveCacheError = exports2.ValidationError = void 0; + exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; var core14 = __importStar4(require_core()); var path20 = __importStar4(require("path")); var utils = __importStar4(require_cacheUtils()); @@ -78894,7 +78920,6 @@ var require_cache3 = __commonJS({ var cacheTwirpClient = __importStar4(require_cacheTwirpClient()); var config_1 = require_config(); var tar_1 = require_tar(); - var constants_1 = require_constants10(); var http_client_1 = require_lib(); var ValidationError = class _ValidationError extends Error { constructor(message) { @@ -78912,6 +78937,14 @@ var require_cache3 = __commonJS({ } }; exports2.ReserveCacheError = ReserveCacheError2; + var FinalizeCacheError = class _FinalizeCacheError extends Error { + constructor(message) { + super(message); + this.name = "FinalizeCacheError"; + Object.setPrototypeOf(this, _FinalizeCacheError.prototype); + } + }; + exports2.FinalizeCacheError = FinalizeCacheError; function checkPaths(paths) { if (!paths || paths.length === 0) { throw new ValidationError(`Path Validation Error: At least one directory or file path is required`); 
@@ -79183,9 +79216,6 @@ var require_cache3 = __commonJS({ } const archiveFileSize = utils.getArchiveFileSizeInBytes(archivePath); core14.debug(`File Size: ${archiveFileSize}`); - if (archiveFileSize > constants_1.CacheFileSizeLimit && !(0, config_1.isGhes)()) { - throw new Error(`Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the 10GB limit, not saving cache.`); - } options.archiveSizeBytes = archiveFileSize; core14.debug("Reserving Cache"); const version = utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive); @@ -79197,7 +79227,10 @@ var require_cache3 = __commonJS({ try { const response = yield twirpClient.CreateCacheEntry(request); if (!response.ok) { - throw new Error("Response was not ok"); + if (response.message) { + core14.warning(`Cache reservation failed: ${response.message}`); + } + throw new Error(response.message || "Response was not ok"); } signedUploadUrl = response.signedUploadUrl; } catch (error2) { @@ -79214,6 +79247,9 @@ var require_cache3 = __commonJS({ const finalizeResponse = yield twirpClient.FinalizeCacheEntryUpload(finalizeRequest); core14.debug(`FinalizeCacheEntryUploadResponse: ${finalizeResponse.ok}`); if (!finalizeResponse.ok) { + if (finalizeResponse.message) { + throw new FinalizeCacheError(finalizeResponse.message); + } throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`); } cacheId = parseInt(finalizeResponse.entryId); @@ -79223,6 +79259,8 @@ var require_cache3 = __commonJS({ throw error2; } else if (typedError.name === ReserveCacheError2.name) { core14.info(`Failed to save: ${typedError.message}`); + } else if (typedError.name === FinalizeCacheError.name) { + core14.warning(typedError.message); } else { if (typedError instanceof http_client_1.HttpClientError && typeof typedError.statusCode === "number" && typedError.statusCode >= 500) { core14.error(`Failed to save: ${typedError.message}`); 
@@ -86053,6 +86091,14 @@ function getApiClient() { function getApiClientWithExternalAuth(apiDetails) { return createApiClientWithDetails(apiDetails, { allowExternal: true }); } +function getAuthorizationHeaderFor(logger, apiDetails, url) { + if (url.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) { + logger.debug(`Providing an authorization token.`); + return `token ${apiDetails.auth}`; + } + logger.debug(`Not using an authorization token.`); + return void 0; +} var cachedGitHubVersion = void 0; async function getGitHubVersionFromApi(apiClient, apiDetails) { if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) { @@ -86516,8 +86562,8 @@ var path9 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.0"; -var cliVersion = "2.23.0"; +var bundleVersion = "codeql-bundle-v2.23.1"; +var cliVersion = "2.23.1"; // src/overlay-database-utils.ts var crypto = __toESM(require("crypto")); @@ -89161,11 +89207,12 @@ var downloadCodeQL = async function(codeqlURL, compressionMethod, maybeBundleVer let authorization = void 0; if (searchParams.has("token")) { logger.debug("CodeQL tools URL contains an authorization token."); - } else if (codeqlURL.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug("Providing an authorization token to download CodeQL tools."); - authorization = `token ${apiDetails.auth}`; } else { - logger.debug("Downloading CodeQL tools without an authorization token."); + authorization = getAuthorizationHeaderFor( + logger, + apiDetails, + codeqlURL + ); } const toolcacheInfo = getToolcacheDestinationInfo( maybeBundleVersion, diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index aa81b7a90..41d3e68bb 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js 
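Review bot: The trailing `/` appended to `apiDetails.url` and `apiDetails.apiURL` in `getAuthorizationHeaderFor` is what stops the token being attached to a host whose name merely begins with the instance's host name, and nothing in the helper records that. This file is a bundle, so the comment belongs in the `src/api-client.ts` source it is built from, for example `// The trailing "/" is load-bearing: a bare prefix match would also accept look-alike hosts and send them the token.` The two debug messages also drop the context the old `downloadCodeQL` messages carried ("to download CodeQL tools"), so a log reader can no longer tell which request received the token. Logging the purpose or the URL's origin, never the token itself, would restore that. The same helper is added again in the `lib/start-proxy-action.js` and `lib/upload-lib.js` hunks further down.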
@@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -26463,7 +26463,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -26490,7 +26490,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", @@ -26503,7 +26503,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", @@ -67282,7 +67282,7 @@ var require_package2 = __commonJS({ "node_modules/@actions/cache/package.json"(exports2, module2) { module2.exports = { name: "@actions/cache", - version: "4.0.5", + version: "4.1.0", preview: true, description: "Actions cache lib", keywords: [ @@ -72091,11 +72091,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 9 /*ScalarType.STRING*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, signedUploadUrl: "" }; + const message = { ok: false, signedUploadUrl: "", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); 
@@ -72114,6 +72121,10 @@ var require_cache2 = __commonJS({ 2: message.signedUploadUrl = reader.string(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -72130,6 +72141,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.signedUploadUrl !== "") writer.tag(2, runtime_1.WireType.LengthDelimited).string(message.signedUploadUrl); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -72235,11 +72248,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 3 /*ScalarType.INT64*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, entryId: "0" }; + const message = { ok: false, entryId: "0", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -72258,6 +72278,10 @@ var require_cache2 = __commonJS({ 2: message.entryId = reader.int64().toString(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -72274,6 +72298,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.entryId !== "0") writer.tag(2, runtime_1.WireType.Varint).int64(message.entryId); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); 
@@ -73037,7 +73063,7 @@ var require_cache3 = __commonJS({ }); }; Object.defineProperty(exports2, "__esModule", { value: true }); - exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.ReserveCacheError = exports2.ValidationError = void 0; + exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; var core13 = __importStar4(require_core()); var path5 = __importStar4(require("path")); var utils = __importStar4(require_cacheUtils()); @@ -73045,7 +73071,6 @@ var require_cache3 = __commonJS({ var cacheTwirpClient = __importStar4(require_cacheTwirpClient()); var config_1 = require_config(); var tar_1 = require_tar(); - var constants_1 = require_constants7(); var http_client_1 = require_lib(); var ValidationError = class _ValidationError extends Error { constructor(message) { @@ -73063,6 +73088,14 @@ var require_cache3 = __commonJS({ } }; exports2.ReserveCacheError = ReserveCacheError; + var FinalizeCacheError = class _FinalizeCacheError extends Error { + constructor(message) { + super(message); + this.name = "FinalizeCacheError"; + Object.setPrototypeOf(this, _FinalizeCacheError.prototype); + } + }; + exports2.FinalizeCacheError = FinalizeCacheError; function checkPaths(paths) { if (!paths || paths.length === 0) { throw new ValidationError(`Path Validation Error: At least one directory or file path is required`); 
@@ -73334,9 +73367,6 @@ var require_cache3 = __commonJS({ } const archiveFileSize = utils.getArchiveFileSizeInBytes(archivePath); core13.debug(`File Size: ${archiveFileSize}`); - if (archiveFileSize > constants_1.CacheFileSizeLimit && !(0, config_1.isGhes)()) { - throw new Error(`Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the 10GB limit, not saving cache.`); - } options.archiveSizeBytes = archiveFileSize; core13.debug("Reserving Cache"); const version = utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive); @@ -73348,7 +73378,10 @@ var require_cache3 = __commonJS({ try { const response = yield twirpClient.CreateCacheEntry(request); if (!response.ok) { - throw new Error("Response was not ok"); + if (response.message) { + core13.warning(`Cache reservation failed: ${response.message}`); + } + throw new Error(response.message || "Response was not ok"); } signedUploadUrl = response.signedUploadUrl; } catch (error2) { @@ -73365,6 +73398,9 @@ var require_cache3 = __commonJS({ const finalizeResponse = yield twirpClient.FinalizeCacheEntryUpload(finalizeRequest); core13.debug(`FinalizeCacheEntryUploadResponse: ${finalizeResponse.ok}`); if (!finalizeResponse.ok) { + if (finalizeResponse.message) { + throw new FinalizeCacheError(finalizeResponse.message); + } throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`); } cacheId = parseInt(finalizeResponse.entryId); @@ -73374,6 +73410,8 @@ var require_cache3 = __commonJS({ throw error2; } else if (typedError.name === ReserveCacheError.name) { core13.info(`Failed to save: ${typedError.message}`); + } else if (typedError.name === FinalizeCacheError.name) { + core13.warning(typedError.message); } else { if (typedError instanceof http_client_1.HttpClientError && typeof typedError.statusCode === "number" && typedError.statusCode >= 500) { core13.error(`Failed to save: ${typedError.message}`); 
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index ddd00d080..484ceb79e 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -26463,7 +26463,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -26490,7 +26490,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", @@ -26503,7 +26503,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", @@ -67282,7 +67282,7 @@ var require_package2 = __commonJS({ "node_modules/@actions/cache/package.json"(exports2, module2) { module2.exports = { name: "@actions/cache", - version: "4.0.5", + version: "4.1.0", preview: true, description: "Actions cache lib", keywords: [ 
@@ -72091,11 +72091,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 9 /*ScalarType.STRING*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, signedUploadUrl: "" }; + const message = { ok: false, signedUploadUrl: "", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -72114,6 +72121,10 @@ var require_cache2 = __commonJS({ 2: message.signedUploadUrl = reader.string(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -72130,6 +72141,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.signedUploadUrl !== "") writer.tag(2, runtime_1.WireType.LengthDelimited).string(message.signedUploadUrl); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -72235,11 +72248,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 3 /*ScalarType.INT64*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, entryId: "0" }; + const message = { ok: false, entryId: "0", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); 
@@ -72258,6 +72278,10 @@ var require_cache2 = __commonJS({ 2: message.entryId = reader.int64().toString(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -72274,6 +72298,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.entryId !== "0") writer.tag(2, runtime_1.WireType.Varint).int64(message.entryId); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -73037,7 +73063,7 @@ var require_cache3 = __commonJS({ }); }; Object.defineProperty(exports2, "__esModule", { value: true }); - exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.ReserveCacheError = exports2.ValidationError = void 0; + exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; var core14 = __importStar4(require_core()); var path2 = __importStar4(require("path")); var utils = __importStar4(require_cacheUtils()); @@ -73045,7 +73071,6 @@ var require_cache3 = __commonJS({ var cacheTwirpClient = __importStar4(require_cacheTwirpClient()); var config_1 = require_config(); var tar_1 = require_tar(); - var constants_1 = require_constants7(); var http_client_1 = require_lib(); var ValidationError = class _ValidationError extends Error { constructor(message) { 
@@ -73063,6 +73088,14 @@ var require_cache3 = __commonJS({ } }; exports2.ReserveCacheError = ReserveCacheError2; + var FinalizeCacheError = class _FinalizeCacheError extends Error { + constructor(message) { + super(message); + this.name = "FinalizeCacheError"; + Object.setPrototypeOf(this, _FinalizeCacheError.prototype); + } + }; + exports2.FinalizeCacheError = FinalizeCacheError; function checkPaths(paths) { if (!paths || paths.length === 0) { throw new ValidationError(`Path Validation Error: At least one directory or file path is required`); @@ -73334,9 +73367,6 @@ var require_cache3 = __commonJS({ } const archiveFileSize = utils.getArchiveFileSizeInBytes(archivePath); core14.debug(`File Size: ${archiveFileSize}`); - if (archiveFileSize > constants_1.CacheFileSizeLimit && !(0, config_1.isGhes)()) { - throw new Error(`Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the 10GB limit, not saving cache.`); - } options.archiveSizeBytes = archiveFileSize; core14.debug("Reserving Cache"); const version = utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive); @@ -73348,7 +73378,10 @@ var require_cache3 = __commonJS({ try { const response = yield twirpClient.CreateCacheEntry(request); if (!response.ok) { - throw new Error("Response was not ok"); + if (response.message) { + core14.warning(`Cache reservation failed: ${response.message}`); + } + throw new Error(response.message || "Response was not ok"); } signedUploadUrl = response.signedUploadUrl; } catch (error2) { 
@@ -73365,6 +73398,9 @@ var require_cache3 = __commonJS({ const finalizeResponse = yield twirpClient.FinalizeCacheEntryUpload(finalizeRequest); core14.debug(`FinalizeCacheEntryUploadResponse: ${finalizeResponse.ok}`); if (!finalizeResponse.ok) { + if (finalizeResponse.message) { + throw new FinalizeCacheError(finalizeResponse.message); + } throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`); } cacheId = parseInt(finalizeResponse.entryId); @@ -73374,6 +73410,8 @@ var require_cache3 = __commonJS({ throw error2; } else if (typedError.name === ReserveCacheError2.name) { core14.info(`Failed to save: ${typedError.message}`); + } else if (typedError.name === FinalizeCacheError.name) { + core14.warning(typedError.message); } else { if (typedError instanceof http_client_1.HttpClientError && typeof typedError.statusCode === "number" && typedError.statusCode >= 500) { core14.error(`Failed to save: ${typedError.message}`); diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index c9aa76f79..21508de07 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -44966,7 +44966,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -44991,7 +44991,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -45018,7 +45018,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", 
@@ -45031,7 +45031,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", @@ -49356,17 +49356,8 @@ var persistInputs = function() { core4.saveState(persistedInputsKey, JSON.stringify(inputEnvironmentVariables)); }; -// src/logging.ts -var core5 = __toESM(require_core()); -function getActionsLogger() { - return core5; -} - -// src/start-proxy.ts -var core7 = __toESM(require_core()); - // src/api-client.ts -var core6 = __toESM(require_core()); +var core5 = __toESM(require_core()); var githubUtils = __toESM(require_utils4()); var retry = __toESM(require_dist_node15()); var import_console_log_level = __toESM(require_console_log_level()); @@ -49391,10 +49382,27 @@ function getApiDetails() { function getApiClient() { return createApiClientWithDetails(getApiDetails()); } +function getAuthorizationHeaderFor(logger, apiDetails, url) { + if (url.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) { + logger.debug(`Providing an authorization token.`); + return `token ${apiDetails.auth}`; + } + logger.debug(`Not using an authorization token.`); + return void 0; +} + +// src/logging.ts +var core6 = __toESM(require_core()); +function getActionsLogger() { + return core6; +} + +// src/start-proxy.ts +var core7 = __toESM(require_core()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.0"; -var cliVersion = "2.23.0"; +var bundleVersion = "codeql-bundle-v2.23.1"; +var cliVersion = "2.23.1"; // src/languages.ts var KnownLanguage = /* @__PURE__ */ ((KnownLanguage2) => { 
@@ -49682,7 +49690,20 @@ async function getProxyBinaryPath(logger) { const proxyInfo = await getDownloadUrl(logger); let proxyBin = toolcache.find(proxyFileName, proxyInfo.version); if (!proxyBin) { - const temp = await toolcache.downloadTool(proxyInfo.url); + const apiDetails = getApiDetails(); + const authorization = getAuthorizationHeaderFor( + logger, + apiDetails, + proxyInfo.url + ); + const temp = await toolcache.downloadTool( + proxyInfo.url, + void 0, + authorization, + { + accept: "application/octet-stream" + } + ); const extracted = await toolcache.extractTar(temp); proxyBin = await toolcache.cacheDir( extracted, diff --git a/lib/upload-lib.js b/lib/upload-lib.js index ef4ae60b6..00a0c285e 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -33584,7 +33584,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -33609,7 +33609,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -33636,7 +33636,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", @@ -33649,7 +33649,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", 
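Review bot: The archive returned by `toolcache.downloadTool` goes straight into `toolcache.extractTar` and `toolcache.cacheDir`, with no integrity check on `temp` in between. `getProxyBinaryPath` continues outside this hunk and `getDownloadUrl` is not shown, so a check may exist elsewhere; if it does not, comparing a SHA-256 of `temp` against a digest pinned next to `proxyInfo.version` before extraction would keep a tampered or substituted archive out of the tool cache. Separately, the bare `void 0` second argument is the download destination. Now that the credential sits in the third position, a comment in the source such as `// dest omitted (temp path); third argument is the Authorization header value` would guard against the arguments being reordered by mistake.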
@@ -74428,7 +74428,7 @@ var require_package2 = __commonJS({ "node_modules/@actions/cache/package.json"(exports2, module2) { module2.exports = { name: "@actions/cache", - version: "4.0.5", + version: "4.1.0", preview: true, description: "Actions cache lib", keywords: [ @@ -79237,11 +79237,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 9 /*ScalarType.STRING*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, signedUploadUrl: "" }; + const message = { ok: false, signedUploadUrl: "", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -79260,6 +79267,10 @@ var require_cache2 = __commonJS({ 2: message.signedUploadUrl = reader.string(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -79276,6 +79287,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.signedUploadUrl !== "") writer.tag(2, runtime_1.WireType.LengthDelimited).string(message.signedUploadUrl); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); 
@@ -79381,11 +79394,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 3 /*ScalarType.INT64*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, entryId: "0" }; + const message = { ok: false, entryId: "0", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -79404,6 +79424,10 @@ var require_cache2 = __commonJS({ 2: message.entryId = reader.int64().toString(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -79420,6 +79444,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.entryId !== "0") writer.tag(2, runtime_1.WireType.Varint).int64(message.entryId); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -80183,7 +80209,7 @@ var require_cache3 = __commonJS({ }); }; Object.defineProperty(exports2, "__esModule", { value: true }); - exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.ReserveCacheError = exports2.ValidationError = void 0; + exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; var core12 = __importStar4(require_core()); var path15 = __importStar4(require("path")); var utils = __importStar4(require_cacheUtils()); 
@@ -80191,7 +80217,6 @@ var require_cache3 = __commonJS({ var cacheTwirpClient = __importStar4(require_cacheTwirpClient()); var config_1 = require_config(); var tar_1 = require_tar(); - var constants_1 = require_constants10(); var http_client_1 = require_lib(); var ValidationError = class _ValidationError extends Error { constructor(message) { @@ -80209,6 +80234,14 @@ var require_cache3 = __commonJS({ } }; exports2.ReserveCacheError = ReserveCacheError; + var FinalizeCacheError = class _FinalizeCacheError extends Error { + constructor(message) { + super(message); + this.name = "FinalizeCacheError"; + Object.setPrototypeOf(this, _FinalizeCacheError.prototype); + } + }; + exports2.FinalizeCacheError = FinalizeCacheError; function checkPaths(paths) { if (!paths || paths.length === 0) { throw new ValidationError(`Path Validation Error: At least one directory or file path is required`); @@ -80480,9 +80513,6 @@ var require_cache3 = __commonJS({ } const archiveFileSize = utils.getArchiveFileSizeInBytes(archivePath); core12.debug(`File Size: ${archiveFileSize}`); - if (archiveFileSize > constants_1.CacheFileSizeLimit && !(0, config_1.isGhes)()) { - throw new Error(`Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the 10GB limit, not saving cache.`); - } options.archiveSizeBytes = archiveFileSize; core12.debug("Reserving Cache"); const version = utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive); @@ -80494,7 +80524,10 @@ var require_cache3 = __commonJS({ try { const response = yield twirpClient.CreateCacheEntry(request); if (!response.ok) { - throw new Error("Response was not ok"); + if (response.message) { + core12.warning(`Cache reservation failed: ${response.message}`); + } + throw new Error(response.message || "Response was not ok"); } signedUploadUrl = response.signedUploadUrl; } catch (error2) { 
@@ -80511,6 +80544,9 @@ var require_cache3 = __commonJS({ const finalizeResponse = yield twirpClient.FinalizeCacheEntryUpload(finalizeRequest); core12.debug(`FinalizeCacheEntryUploadResponse: ${finalizeResponse.ok}`); if (!finalizeResponse.ok) { + if (finalizeResponse.message) { + throw new FinalizeCacheError(finalizeResponse.message); + } throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`); } cacheId = parseInt(finalizeResponse.entryId); @@ -80520,6 +80556,8 @@ var require_cache3 = __commonJS({ throw error2; } else if (typedError.name === ReserveCacheError.name) { core12.info(`Failed to save: ${typedError.message}`); + } else if (typedError.name === FinalizeCacheError.name) { + core12.warning(typedError.message); } else { if (typedError instanceof http_client_1.HttpClientError && typeof typedError.statusCode === "number" && typedError.statusCode >= 500) { core12.error(`Failed to save: ${typedError.message}`); @@ -88544,6 +88582,14 @@ function getApiDetails() { function getApiClient() { return createApiClientWithDetails(getApiDetails()); } +function getAuthorizationHeaderFor(logger, apiDetails, url2) { + if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) { + logger.debug(`Providing an authorization token.`); + return `token ${apiDetails.auth}`; + } + logger.debug(`Not using an authorization token.`); + return void 0; +} var cachedGitHubVersion = void 0; async function getGitHubVersionFromApi(apiClient, apiDetails) { if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) { @@ -88902,8 +88948,8 @@ var path8 = __toESM(require("path")); var semver4 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.0"; -var cliVersion = "2.23.0"; +var bundleVersion = "codeql-bundle-v2.23.1"; +var cliVersion = "2.23.1"; // src/overlay-database-utils.ts var fs5 = __toESM(require("fs")); 
@@ -90160,11 +90206,12 @@ var downloadCodeQL = async function(codeqlURL, compressionMethod, maybeBundleVer let authorization = void 0; if (searchParams.has("token")) { logger.debug("CodeQL tools URL contains an authorization token."); - } else if (codeqlURL.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug("Providing an authorization token to download CodeQL tools."); - authorization = `token ${apiDetails.auth}`; } else { - logger.debug("Downloading CodeQL tools without an authorization token."); + authorization = getAuthorizationHeaderFor( + logger, + apiDetails, + codeqlURL + ); } const toolcacheInfo = getToolcacheDestinationInfo( maybeBundleVersion, diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 87481d864..0e1dd2992 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -26463,7 +26463,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -26490,7 +26490,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", 
@@ -26503,7 +26503,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", @@ -109984,7 +109984,7 @@ var require_package3 = __commonJS({ "node_modules/@actions/cache/package.json"(exports2, module2) { module2.exports = { name: "@actions/cache", - version: "4.0.5", + version: "4.1.0", preview: true, description: "Actions cache lib", keywords: [ @@ -110567,11 +110567,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 9 /*ScalarType.STRING*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, signedUploadUrl: "" }; + const message = { ok: false, signedUploadUrl: "", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -110590,6 +110597,10 @@ var require_cache2 = __commonJS({ 2: message.signedUploadUrl = reader.string(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -110606,6 +110617,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.signedUploadUrl !== "") writer.tag(2, runtime_1.WireType.LengthDelimited).string(message.signedUploadUrl); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); 
@@ -110711,11 +110724,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 3 /*ScalarType.INT64*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, entryId: "0" }; + const message = { ok: false, entryId: "0", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -110734,6 +110754,10 @@ var require_cache2 = __commonJS({ 2: message.entryId = reader.int64().toString(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -110750,6 +110774,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.entryId !== "0") writer.tag(2, runtime_1.WireType.Varint).int64(message.entryId); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -111513,7 +111539,7 @@ var require_cache3 = __commonJS({ }); }; Object.defineProperty(exports2, "__esModule", { value: true }); - exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.ReserveCacheError = exports2.ValidationError = void 0; + exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; var core14 = __importStar4(require_core()); var path2 = __importStar4(require("path")); var utils = __importStar4(require_cacheUtils()); 
@@ -111521,7 +111547,6 @@ var require_cache3 = __commonJS({ var cacheTwirpClient = __importStar4(require_cacheTwirpClient()); var config_1 = require_config2(); var tar_1 = require_tar2(); - var constants_1 = require_constants10(); var http_client_1 = require_lib(); var ValidationError = class _ValidationError extends Error { constructor(message) { @@ -111539,6 +111564,14 @@ var require_cache3 = __commonJS({ } }; exports2.ReserveCacheError = ReserveCacheError2; + var FinalizeCacheError = class _FinalizeCacheError extends Error { + constructor(message) { + super(message); + this.name = "FinalizeCacheError"; + Object.setPrototypeOf(this, _FinalizeCacheError.prototype); + } + }; + exports2.FinalizeCacheError = FinalizeCacheError; function checkPaths(paths) { if (!paths || paths.length === 0) { throw new ValidationError(`Path Validation Error: At least one directory or file path is required`); @@ -111810,9 +111843,6 @@ var require_cache3 = __commonJS({ } const archiveFileSize = utils.getArchiveFileSizeInBytes(archivePath); core14.debug(`File Size: ${archiveFileSize}`); - if (archiveFileSize > constants_1.CacheFileSizeLimit && !(0, config_1.isGhes)()) { - throw new Error(`Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the 10GB limit, not saving cache.`); - } options.archiveSizeBytes = archiveFileSize; core14.debug("Reserving Cache"); const version = utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive); @@ -111824,7 +111854,10 @@ var require_cache3 = __commonJS({ try { const response = yield twirpClient.CreateCacheEntry(request); if (!response.ok) { - throw new Error("Response was not ok"); + if (response.message) { + core14.warning(`Cache reservation failed: ${response.message}`); + } + throw new Error(response.message || "Response was not ok"); } signedUploadUrl = response.signedUploadUrl; } catch (error2) { 
@@ -111841,6 +111874,9 @@ var require_cache3 = __commonJS({ const finalizeResponse = yield twirpClient.FinalizeCacheEntryUpload(finalizeRequest); core14.debug(`FinalizeCacheEntryUploadResponse: ${finalizeResponse.ok}`); if (!finalizeResponse.ok) { + if (finalizeResponse.message) { + throw new FinalizeCacheError(finalizeResponse.message); + } throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`); } cacheId = parseInt(finalizeResponse.entryId); @@ -111850,6 +111886,8 @@ var require_cache3 = __commonJS({ throw error2; } else if (typedError.name === ReserveCacheError2.name) { core14.info(`Failed to save: ${typedError.message}`); + } else if (typedError.name === FinalizeCacheError.name) { + core14.warning(typedError.message); } else { if (typedError instanceof http_client_1.HttpClientError && typeof typedError.statusCode === "number" && typedError.statusCode >= 500) { core14.error(`Failed to save: ${typedError.message}`); diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index f179541d5..504d2fba3 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { @@ -32312,7 +32312,7 @@ var require_package = __commonJS({ dependencies: { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -32339,7 +32339,7 @@ var require_package = __commonJS({ }, devDependencies: { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", 
@@ -32352,7 +32352,7 @@ var require_package = __commonJS({ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", ava: "^6.4.1", esbuild: "^0.25.10", @@ -73131,7 +73131,7 @@ var require_package2 = __commonJS({ "node_modules/@actions/cache/package.json"(exports2, module2) { module2.exports = { name: "@actions/cache", - version: "4.0.5", + version: "4.1.0", preview: true, description: "Actions cache lib", keywords: [ @@ -77940,11 +77940,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 9 /*ScalarType.STRING*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, signedUploadUrl: "" }; + const message = { ok: false, signedUploadUrl: "", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -77963,6 +77970,10 @@ var require_cache2 = __commonJS({ 2: message.signedUploadUrl = reader.string(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -77979,6 +77990,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.signedUploadUrl !== "") writer.tag(2, runtime_1.WireType.LengthDelimited).string(message.signedUploadUrl); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); 
@@ -78084,11 +78097,18 @@ var require_cache2 = __commonJS({ kind: "scalar", T: 3 /*ScalarType.INT64*/ + }, + { + no: 3, + name: "message", + kind: "scalar", + T: 9 + /*ScalarType.STRING*/ } ]); } create(value) { - const message = { ok: false, entryId: "0" }; + const message = { ok: false, entryId: "0", message: "" }; globalThis.Object.defineProperty(message, runtime_4.MESSAGE_TYPE, { enumerable: false, value: this }); if (value !== void 0) (0, runtime_3.reflectionMergePartial)(this, message, value); @@ -78107,6 +78127,10 @@ var require_cache2 = __commonJS({ 2: message.entryId = reader.int64().toString(); break; + case /* string message */ + 3: + message.message = reader.string(); + break; default: let u = options.readUnknownField; if (u === "throw") @@ -78123,6 +78147,8 @@ var require_cache2 = __commonJS({ writer.tag(1, runtime_1.WireType.Varint).bool(message.ok); if (message.entryId !== "0") writer.tag(2, runtime_1.WireType.Varint).int64(message.entryId); + if (message.message !== "") + writer.tag(3, runtime_1.WireType.LengthDelimited).string(message.message); let u = options.writeUnknownFields; if (u !== false) (u == true ? runtime_2.UnknownFieldHandler.onWrite : u)(this.typeName, message, writer); @@ -78886,7 +78912,7 @@ var require_cache3 = __commonJS({ }); }; Object.defineProperty(exports2, "__esModule", { value: true }); - exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.ReserveCacheError = exports2.ValidationError = void 0; + exports2.saveCache = exports2.restoreCache = exports2.isFeatureAvailable = exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; var core14 = __importStar4(require_core()); var path16 = __importStar4(require("path")); var utils = __importStar4(require_cacheUtils()); 
@@ -78894,7 +78920,6 @@ var require_cache3 = __commonJS({ var cacheTwirpClient = __importStar4(require_cacheTwirpClient()); var config_1 = require_config(); var tar_1 = require_tar(); - var constants_1 = require_constants10(); var http_client_1 = require_lib(); var ValidationError = class _ValidationError extends Error { constructor(message) { @@ -78912,6 +78937,14 @@ var require_cache3 = __commonJS({ } }; exports2.ReserveCacheError = ReserveCacheError; + var FinalizeCacheError = class _FinalizeCacheError extends Error { + constructor(message) { + super(message); + this.name = "FinalizeCacheError"; + Object.setPrototypeOf(this, _FinalizeCacheError.prototype); + } + }; + exports2.FinalizeCacheError = FinalizeCacheError; function checkPaths(paths) { if (!paths || paths.length === 0) { throw new ValidationError(`Path Validation Error: At least one directory or file path is required`); @@ -79183,9 +79216,6 @@ var require_cache3 = __commonJS({ } const archiveFileSize = utils.getArchiveFileSizeInBytes(archivePath); core14.debug(`File Size: ${archiveFileSize}`); - if (archiveFileSize > constants_1.CacheFileSizeLimit && !(0, config_1.isGhes)()) { - throw new Error(`Cache size of ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B) is over the 10GB limit, not saving cache.`); - } options.archiveSizeBytes = archiveFileSize; core14.debug("Reserving Cache"); const version = utils.getCacheVersion(paths, compressionMethod, enableCrossOsArchive); @@ -79197,7 +79227,10 @@ var require_cache3 = __commonJS({ try { const response = yield twirpClient.CreateCacheEntry(request); if (!response.ok) { - throw new Error("Response was not ok"); + if (response.message) { + core14.warning(`Cache reservation failed: ${response.message}`); + } + throw new Error(response.message || "Response was not ok"); } signedUploadUrl = response.signedUploadUrl; } catch (error2) { 
@@ -79214,6 +79247,9 @@ var require_cache3 = __commonJS({ const finalizeResponse = yield twirpClient.FinalizeCacheEntryUpload(finalizeRequest); core14.debug(`FinalizeCacheEntryUploadResponse: ${finalizeResponse.ok}`); if (!finalizeResponse.ok) { + if (finalizeResponse.message) { + throw new FinalizeCacheError(finalizeResponse.message); + } throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`); } cacheId = parseInt(finalizeResponse.entryId); @@ -79223,6 +79259,8 @@ var require_cache3 = __commonJS({ throw error2; } else if (typedError.name === ReserveCacheError.name) { core14.info(`Failed to save: ${typedError.message}`); + } else if (typedError.name === FinalizeCacheError.name) { + core14.warning(typedError.message); } else { if (typedError instanceof http_client_1.HttpClientError && typeof typedError.statusCode === "number" && typedError.statusCode >= 500) { core14.error(`Failed to save: ${typedError.message}`); @@ -88796,6 +88834,14 @@ function getApiDetails() { function getApiClient() { return createApiClientWithDetails(getApiDetails()); } +function getAuthorizationHeaderFor(logger, apiDetails, url2) { + if (url2.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && url2.startsWith(`${apiDetails.apiURL}/`)) { + logger.debug(`Providing an authorization token.`); + return `token ${apiDetails.auth}`; + } + logger.debug(`Not using an authorization token.`); + return void 0; +} var cachedGitHubVersion = void 0; async function getGitHubVersionFromApi(apiClient, apiDetails) { if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) { @@ -88885,8 +88931,8 @@ var path8 = __toESM(require("path")); var semver3 = __toESM(require_semver2()); // src/defaults.json -var bundleVersion = "codeql-bundle-v2.23.0"; -var cliVersion = "2.23.0"; +var bundleVersion = "codeql-bundle-v2.23.1"; +var cliVersion = "2.23.1"; // src/overlay-database-utils.ts var fs5 = __toESM(require("fs")); 
@@ -90861,11 +90907,12 @@ var downloadCodeQL = async function(codeqlURL, compressionMethod, maybeBundleVer let authorization = void 0; if (searchParams.has("token")) { logger.debug("CodeQL tools URL contains an authorization token."); - } else if (codeqlURL.startsWith(`${apiDetails.url}/`) || apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) { - logger.debug("Providing an authorization token to download CodeQL tools."); - authorization = `token ${apiDetails.auth}`; } else { - logger.debug("Downloading CodeQL tools without an authorization token."); + authorization = getAuthorizationHeaderFor( + logger, + apiDetails, + codeqlURL + ); } const toolcacheInfo = getToolcacheDestinationInfo( maybeBundleVersion, diff --git a/package-lock.json b/package-lock.json index 3873f3dfd..b6da79aac 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,17 +1,17 @@ { "name": "codeql", - "version": "3.30.4", + "version": "3.30.5", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "3.30.4", + "version": "3.30.5", "license": "MIT", "dependencies": { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -38,7 +38,7 @@ }, "devDependencies": { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", @@ -51,7 +51,7 @@ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", "ava": "^6.4.1", "esbuild": "^0.25.10", 
@@ -284,9 +284,9 @@ "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==" }, "node_modules/@actions/cache": { - "version": "4.0.5", - "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-4.0.5.tgz", - "integrity": "sha512-RjLz1/vvntOfp3FpkY3wB0MjVRbLq7bfQEuQG9UUTKwdtcYmFrKVmuD+9B6ADbzbkSfHM+dM4sMjdr3R4XIkFg==", + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/@actions/cache/-/cache-4.1.0.tgz", + "integrity": "sha512-z3Opg+P4Y7baq+g1dODXgdtsvPLSewr3ZKpp3U0HQR1A/vWCoJFS52XSezjdngo4SIOdR5oHtyK3a3Arar+X9A==", "license": "MIT", "dependencies": { "@actions/core": "^1.11.1", @@ -1248,11 +1248,14 @@ } }, "node_modules/@eslint/compat": { - "version": "1.3.2", - "resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-1.3.2.tgz", - "integrity": "sha512-jRNwzTbd6p2Rw4sZ1CgWRS8YMtqG15YyZf7zvb6gY2rB2u6n+2Z+ELW0GtL0fQgyl0pr4Y/BzBfng/BdsereRA==", + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-1.4.0.tgz", + "integrity": "sha512-DEzm5dKeDBPm3r08Ixli/0cmxr8LkRdwxMRUIJBlSCpAwSrvFEJpVBzV+66JhDxiaqKxnRzCXhtiMiczF7Hglg==", "dev": true, "license": "Apache-2.0", + "dependencies": { + "@eslint/core": "^0.16.0" + }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" }, @@ -1265,6 +1268,19 @@ } } }, + "node_modules/@eslint/core": { + "version": "0.16.0", + "resolved": "https://registry.npmjs.org/@eslint/core/-/core-0.16.0.tgz", + "integrity": "sha512-nmC8/totwobIiFcGkDza3GIKfAw1+hLiYVrh3I1nIomQ8PEr5cxg34jnkmGawul/ep52wGRAcyeDCNtWKSOj4Q==", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "@types/json-schema": "^7.0.15" + }, + "engines": { + "node": "^18.18.0 || ^20.9.0 || >=21.1.0" + } + }, "node_modules/@eslint/eslintrc": { "version": "3.3.1", "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.1.tgz", 
@@ -2631,6 +2647,13 @@ "dev": true, "license": "MIT" }, + "node_modules/@types/json-schema": { + "version": "7.0.15", + "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.15.tgz", + "integrity": "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==", + "dev": true, + "license": "MIT" + }, "node_modules/@types/json5": { "version": "0.0.29", "dev": true, @@ -2689,17 +2712,17 @@ "license": "MIT" }, "node_modules/@typescript-eslint/eslint-plugin": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.44.0.tgz", - "integrity": "sha512-EGDAOGX+uwwekcS0iyxVDmRV9HX6FLSM5kzrAToLTsr9OWCIKG/y3lQheCq18yZ5Xh78rRKJiEpP0ZaCs4ryOQ==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.44.1.tgz", + "integrity": "sha512-molgphGqOBT7t4YKCSkbasmu1tb1MgrZ2szGzHbclF7PNmOkSTQVHy+2jXOSnxvR3+Xe1yySHFZoqMpz3TfQsw==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/regexpp": "^4.10.0", - "@typescript-eslint/scope-manager": "8.44.0", - "@typescript-eslint/type-utils": "8.44.0", - "@typescript-eslint/utils": "8.44.0", - "@typescript-eslint/visitor-keys": "8.44.0", + "@typescript-eslint/scope-manager": "8.44.1", + "@typescript-eslint/type-utils": "8.44.1", + "@typescript-eslint/utils": "8.44.1", + "@typescript-eslint/visitor-keys": "8.44.1", "graphemer": "^1.4.0", "ignore": "^7.0.0", "natural-compare": "^1.4.0", 
@@ -2713,20 +2736,20 @@ "url": "https://opencollective.com/typescript-eslint" }, "peerDependencies": { - "@typescript-eslint/parser": "^8.44.0", + "@typescript-eslint/parser": "^8.44.1", "eslint": "^8.57.0 || ^9.0.0", "typescript": ">=4.8.4 <6.0.0" } }, "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/scope-manager": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.0.tgz", - "integrity": "sha512-87Jv3E+al8wpD+rIdVJm/ItDBe/Im09zXIjFoipOjr5gHUhJmTzfFLuTJ/nPTMc2Srsroy4IBXwcTCHyRR7KzA==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.1.tgz", + "integrity": "sha512-NdhWHgmynpSvyhchGLXh+w12OMT308Gm25JoRIyTZqEbApiBiQHD/8xgb6LqCWCFcxFtWwaVdFsLPQI3jvhywg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.44.0", - "@typescript-eslint/visitor-keys": "8.44.0" + "@typescript-eslint/types": "8.44.1", + "@typescript-eslint/visitor-keys": "8.44.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -2737,9 +2760,9 @@ } }, "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/types": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.0.tgz", - "integrity": "sha512-ZSl2efn44VsYM0MfDQe68RKzBz75NPgLQXuGypmym6QVOWL5kegTZuZ02xRAT9T+onqvM6T8CdQk0OwYMB6ZvA==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz", + "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==", "dev": true, "license": "MIT", "engines": { 
@@ -2751,16 +2774,16 @@ } }, "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/typescript-estree": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.0.tgz", - "integrity": "sha512-lqNj6SgnGcQZwL4/SBJ3xdPEfcBuhCG8zdcwCPgYcmiPLgokiNDKlbPzCwEwu7m279J/lBYWtDYL+87OEfn8Jw==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.1.tgz", + "integrity": "sha512-qnQJ+mVa7szevdEyvfItbO5Vo+GfZ4/GZWWDRRLjrxYPkhM+6zYB2vRYwCsoJLzqFCdZT4mEqyJoyzkunsZ96A==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/project-service": "8.44.0", - "@typescript-eslint/tsconfig-utils": "8.44.0", - "@typescript-eslint/types": "8.44.0", - "@typescript-eslint/visitor-keys": "8.44.0", + "@typescript-eslint/project-service": "8.44.1", + "@typescript-eslint/tsconfig-utils": "8.44.1", + "@typescript-eslint/types": "8.44.1", + "@typescript-eslint/visitor-keys": "8.44.1", "debug": "^4.3.4", "fast-glob": "^3.3.2", "is-glob": "^4.0.3", 
@@ -2780,16 +2803,16 @@ } }, "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.44.0.tgz", - "integrity": "sha512-nktOlVcg3ALo0mYlV+L7sWUD58KG4CMj1rb2HUVOO4aL3K/6wcD+NERqd0rrA5Vg06b42YhF6cFxeixsp9Riqg==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.44.1.tgz", + "integrity": "sha512-DpX5Fp6edTlocMCwA+mHY8Mra+pPjRZ0TfHkXI8QFelIKcbADQz1LUPNtzOFUriBB2UYqw4Pi9+xV4w9ZczHFg==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.7.0", - "@typescript-eslint/scope-manager": "8.44.0", - "@typescript-eslint/types": "8.44.0", - "@typescript-eslint/typescript-estree": "8.44.0" + "@typescript-eslint/scope-manager": "8.44.1", + "@typescript-eslint/types": "8.44.1", + "@typescript-eslint/typescript-estree": "8.44.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -2804,13 +2827,13 @@ } }, "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/visitor-keys": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.0.tgz", - "integrity": "sha512-zaz9u8EJ4GBmnehlrpoKvj/E3dNbuQ7q0ucyZImm3cLqJ8INTc970B1qEqDX/Rzq65r3TvVTN7kHWPBoyW7DWw==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.1.tgz", + "integrity": "sha512-576+u0QD+Jp3tZzvfRfxon0EA2lzcDt3lhUbsC6Lgzy9x2VR4E+JUiNyGHi5T8vk0TV+fpJ5GLG1JsJuWCaKhw==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.44.0", + "@typescript-eslint/types": "8.44.1", "eslint-visitor-keys": "^4.2.1" }, "engines": { 
@@ -2883,16 +2906,16 @@ } }, "node_modules/@typescript-eslint/parser": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.44.0.tgz", - "integrity": "sha512-VGMpFQGUQWYT9LfnPcX8ouFojyrZ/2w3K5BucvxL/spdNehccKhB4jUyB1yBCXpr2XFm0jkECxgrpXBW2ipoAw==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.44.1.tgz", + "integrity": "sha512-EHrrEsyhOhxYt8MTg4zTF+DJMuNBzWwgvvOYNj/zm1vnaD/IC5zCXFehZv94Piqa2cRFfXrTFxIvO95L7Qc/cw==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/scope-manager": "8.44.0", - "@typescript-eslint/types": "8.44.0", - "@typescript-eslint/typescript-estree": "8.44.0", - "@typescript-eslint/visitor-keys": "8.44.0", + "@typescript-eslint/scope-manager": "8.44.1", + "@typescript-eslint/types": "8.44.1", + "@typescript-eslint/typescript-estree": "8.44.1", + "@typescript-eslint/visitor-keys": "8.44.1", "debug": "^4.3.4" }, "engines": { @@ -2908,14 +2931,14 @@ } }, "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/scope-manager": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.0.tgz", - "integrity": "sha512-87Jv3E+al8wpD+rIdVJm/ItDBe/Im09zXIjFoipOjr5gHUhJmTzfFLuTJ/nPTMc2Srsroy4IBXwcTCHyRR7KzA==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.1.tgz", + "integrity": "sha512-NdhWHgmynpSvyhchGLXh+w12OMT308Gm25JoRIyTZqEbApiBiQHD/8xgb6LqCWCFcxFtWwaVdFsLPQI3jvhywg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.44.0", - "@typescript-eslint/visitor-keys": "8.44.0" + "@typescript-eslint/types": "8.44.1", + "@typescript-eslint/visitor-keys": "8.44.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" 
@@ -2926,9 +2949,9 @@ } }, "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/types": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.0.tgz", - "integrity": "sha512-ZSl2efn44VsYM0MfDQe68RKzBz75NPgLQXuGypmym6QVOWL5kegTZuZ02xRAT9T+onqvM6T8CdQk0OwYMB6ZvA==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz", + "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==", "dev": true, "license": "MIT", "engines": { @@ -2940,16 +2963,16 @@ } }, "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/typescript-estree": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.0.tgz", - "integrity": "sha512-lqNj6SgnGcQZwL4/SBJ3xdPEfcBuhCG8zdcwCPgYcmiPLgokiNDKlbPzCwEwu7m279J/lBYWtDYL+87OEfn8Jw==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.1.tgz", + "integrity": "sha512-qnQJ+mVa7szevdEyvfItbO5Vo+GfZ4/GZWWDRRLjrxYPkhM+6zYB2vRYwCsoJLzqFCdZT4mEqyJoyzkunsZ96A==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/project-service": "8.44.0", - "@typescript-eslint/tsconfig-utils": "8.44.0", - "@typescript-eslint/types": "8.44.0", - "@typescript-eslint/visitor-keys": "8.44.0", + "@typescript-eslint/project-service": "8.44.1", + "@typescript-eslint/tsconfig-utils": "8.44.1", + "@typescript-eslint/types": "8.44.1", + "@typescript-eslint/visitor-keys": "8.44.1", "debug": "^4.3.4", "fast-glob": "^3.3.2", "is-glob": "^4.0.3", 
@@ -2969,13 +2992,13 @@ } }, "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/visitor-keys": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.0.tgz", - "integrity": "sha512-zaz9u8EJ4GBmnehlrpoKvj/E3dNbuQ7q0ucyZImm3cLqJ8INTc970B1qEqDX/Rzq65r3TvVTN7kHWPBoyW7DWw==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.1.tgz", + "integrity": "sha512-576+u0QD+Jp3tZzvfRfxon0EA2lzcDt3lhUbsC6Lgzy9x2VR4E+JUiNyGHi5T8vk0TV+fpJ5GLG1JsJuWCaKhw==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.44.0", + "@typescript-eslint/types": "8.44.1", "eslint-visitor-keys": "^4.2.1" }, "engines": { @@ -3039,14 +3062,14 @@ } }, "node_modules/@typescript-eslint/project-service": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.44.0.tgz", - "integrity": "sha512-ZeaGNraRsq10GuEohKTo4295Z/SuGcSq2LzfGlqiuEvfArzo/VRrT0ZaJsVPuKZ55lVbNk8U6FcL+ZMH8CoyVA==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.44.1.tgz", + "integrity": "sha512-ycSa60eGg8GWAkVsKV4E6Nz33h+HjTXbsDT4FILyL8Obk5/mx4tbvCNsLf9zret3ipSumAOG89UcCs/KRaKYrA==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/tsconfig-utils": "^8.44.0", - "@typescript-eslint/types": "^8.44.0", + "@typescript-eslint/tsconfig-utils": "^8.44.1", + "@typescript-eslint/types": "^8.44.1", "debug": "^4.3.4" }, "engines": { 
@@ -3061,9 +3084,9 @@ } }, "node_modules/@typescript-eslint/project-service/node_modules/@typescript-eslint/types": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.0.tgz", - "integrity": "sha512-ZSl2efn44VsYM0MfDQe68RKzBz75NPgLQXuGypmym6QVOWL5kegTZuZ02xRAT9T+onqvM6T8CdQk0OwYMB6ZvA==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz", + "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==", "dev": true, "license": "MIT", "engines": { @@ -3093,9 +3116,9 @@ } }, "node_modules/@typescript-eslint/tsconfig-utils": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.44.0.tgz", - "integrity": "sha512-x5Y0+AuEPqAInc6yd0n5DAcvtoQ/vyaGwuX5HE9n6qAefk1GaedqrLQF8kQGylLUb9pnZyLf+iEiL9fr8APDtQ==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.44.1.tgz", + "integrity": "sha512-B5OyACouEjuIvof3o86lRMvyDsFwZm+4fBOqFHccIctYgBjqR3qT39FBYGN87khcgf0ExpdCBeGKpKRhSFTjKQ==", "dev": true, "license": "MIT", "engines": { 
@@ -3110,15 +3133,15 @@ } }, "node_modules/@typescript-eslint/type-utils": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.44.0.tgz", - "integrity": "sha512-9cwsoSxJ8Sak67Be/hD2RNt/fsqmWnNE1iHohG8lxqLSNY8xNfyY7wloo5zpW3Nu9hxVgURevqfcH6vvKCt6yg==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.44.1.tgz", + "integrity": "sha512-KdEerZqHWXsRNKjF9NYswNISnFzXfXNDfPxoTh7tqohU/PRIbwTmsjGK6V9/RTYWau7NZvfo52lgVk+sJh0K3g==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.44.0", - "@typescript-eslint/typescript-estree": "8.44.0", - "@typescript-eslint/utils": "8.44.0", + "@typescript-eslint/types": "8.44.1", + "@typescript-eslint/typescript-estree": "8.44.1", + "@typescript-eslint/utils": "8.44.1", "debug": "^4.3.4", "ts-api-utils": "^2.1.0" }, @@ -3135,14 +3158,14 @@ } }, "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/scope-manager": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.0.tgz", - "integrity": "sha512-87Jv3E+al8wpD+rIdVJm/ItDBe/Im09zXIjFoipOjr5gHUhJmTzfFLuTJ/nPTMc2Srsroy4IBXwcTCHyRR7KzA==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.44.1.tgz", + "integrity": "sha512-NdhWHgmynpSvyhchGLXh+w12OMT308Gm25JoRIyTZqEbApiBiQHD/8xgb6LqCWCFcxFtWwaVdFsLPQI3jvhywg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.44.0", - "@typescript-eslint/visitor-keys": "8.44.0" + "@typescript-eslint/types": "8.44.1", + "@typescript-eslint/visitor-keys": "8.44.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" 
@@ -3153,9 +3176,9 @@ } }, "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/types": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.0.tgz", - "integrity": "sha512-ZSl2efn44VsYM0MfDQe68RKzBz75NPgLQXuGypmym6QVOWL5kegTZuZ02xRAT9T+onqvM6T8CdQk0OwYMB6ZvA==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.44.1.tgz", + "integrity": "sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==", "dev": true, "license": "MIT", "engines": { @@ -3167,16 +3190,16 @@ } }, "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/typescript-estree": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.0.tgz", - "integrity": "sha512-lqNj6SgnGcQZwL4/SBJ3xdPEfcBuhCG8zdcwCPgYcmiPLgokiNDKlbPzCwEwu7m279J/lBYWtDYL+87OEfn8Jw==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.44.1.tgz", + "integrity": "sha512-qnQJ+mVa7szevdEyvfItbO5Vo+GfZ4/GZWWDRRLjrxYPkhM+6zYB2vRYwCsoJLzqFCdZT4mEqyJoyzkunsZ96A==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/project-service": "8.44.0", - "@typescript-eslint/tsconfig-utils": "8.44.0", - "@typescript-eslint/types": "8.44.0", - "@typescript-eslint/visitor-keys": "8.44.0", + "@typescript-eslint/project-service": "8.44.1", + "@typescript-eslint/tsconfig-utils": "8.44.1", + "@typescript-eslint/types": "8.44.1", + "@typescript-eslint/visitor-keys": "8.44.1", "debug": "^4.3.4", "fast-glob": "^3.3.2", "is-glob": "^4.0.3", 
@@ -3196,16 +3219,16 @@ } }, "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/utils": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.44.0.tgz", - "integrity": "sha512-nktOlVcg3ALo0mYlV+L7sWUD58KG4CMj1rb2HUVOO4aL3K/6wcD+NERqd0rrA5Vg06b42YhF6cFxeixsp9Riqg==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.44.1.tgz", + "integrity": "sha512-DpX5Fp6edTlocMCwA+mHY8Mra+pPjRZ0TfHkXI8QFelIKcbADQz1LUPNtzOFUriBB2UYqw4Pi9+xV4w9ZczHFg==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.7.0", - "@typescript-eslint/scope-manager": "8.44.0", - "@typescript-eslint/types": "8.44.0", - "@typescript-eslint/typescript-estree": "8.44.0" + "@typescript-eslint/scope-manager": "8.44.1", + "@typescript-eslint/types": "8.44.1", + "@typescript-eslint/typescript-estree": "8.44.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -3220,13 +3243,13 @@ } }, "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/visitor-keys": { - "version": "8.44.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.0.tgz", - "integrity": "sha512-zaz9u8EJ4GBmnehlrpoKvj/E3dNbuQ7q0ucyZImm3cLqJ8INTc970B1qEqDX/Rzq65r3TvVTN7kHWPBoyW7DWw==", + "version": "8.44.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.44.1.tgz", + "integrity": "sha512-576+u0QD+Jp3tZzvfRfxon0EA2lzcDt3lhUbsC6Lgzy9x2VR4E+JUiNyGHi5T8vk0TV+fpJ5GLG1JsJuWCaKhw==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.44.0", + "@typescript-eslint/types": "8.44.1", "eslint-visitor-keys": "^4.2.1" }, "engines": { diff --git a/package.json b/package.json index b53112257..8920aacd1 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@ { "name": "codeql", - "version": "3.30.4", + "version": "3.30.5", "private": true, "description": "CodeQL action", "scripts": { @@ -25,7 +25,7 @@ "dependencies": { "@actions/artifact": "^2.3.1", "@actions/artifact-legacy": "npm:@actions/artifact@^1.1.2", - "@actions/cache": "^4.0.5", + "@actions/cache": "^4.1.0", "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -52,7 +52,7 @@ }, "devDependencies": { "@ava/typescript": "6.0.0", - "@eslint/compat": "^1.3.2", + "@eslint/compat": "^1.4.0", "@eslint/eslintrc": "^3.3.1", "@eslint/js": "^9.36.0", "@microsoft/eslint-formatter-sarif": "^3.1.0", @@ -65,7 +65,7 @@ "@types/node-forge": "^1.3.14", "@types/semver": "^7.7.1", "@types/sinon": "^17.0.4", - "@typescript-eslint/eslint-plugin": "^8.44.0", + "@typescript-eslint/eslint-plugin": "^8.44.1", "@typescript-eslint/parser": "^8.41.0", "ava": "^6.4.1", "esbuild": "^0.25.10", diff --git a/pr-checks/.gitignore b/pr-checks/.gitignore index 0a764a4de..979f35ea9 100644 --- a/pr-checks/.gitignore +++ b/pr-checks/.gitignore @@ -1 +1,3 @@ env +__pycache__/ +*.pyc diff --git a/pr-checks/__init__.py b/pr-checks/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/pr-checks/checks/all-platform-bundle.yml b/pr-checks/checks/all-platform-bundle.yml index 332f12930..3396be22a 100644 --- a/pr-checks/checks/all-platform-bundle.yml +++ b/pr-checks/checks/all-platform-bundle.yml @@ -1,7 +1,7 @@ name: "All-platform bundle" description: "Tests using an all-platform CodeQL Bundle" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["nightly-latest"] -operatingSystems: ["ubuntu"] useAllPlatformBundle: "true" installGo: true steps: diff --git a/pr-checks/checks/autobuild-action.yml b/pr-checks/checks/autobuild-action.yml index ac67a81fe..91ae7834c 100644 --- a/pr-checks/checks/autobuild-action.yml +++ b/pr-checks/checks/autobuild-action.yml 
@@ -1,5 +1,6 @@ name: "autobuild-action" description: "Tests that the C# autobuild action works" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["linked"] steps: - uses: ./../action/init diff --git a/pr-checks/checks/autobuild-direct-tracing.yml b/pr-checks/checks/autobuild-direct-tracing.yml deleted file mode 100644 index 1e9d2d900..000000000 --- a/pr-checks/checks/autobuild-direct-tracing.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: "Autobuild direct tracing" -description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild', with direct tracing enabled" -operatingSystems: ["ubuntu", "windows"] -versions: ["linked", "nightly-latest"] -installJava: "true" -env: - CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true -steps: - - name: Set up Java test repo configuration - run: | - mv * .github ../action/tests/multi-language-repo/ - mv ../action/tests/multi-language-repo/.github/workflows .github - mv ../action/tests/java-repo/* . - - - uses: ./../action/init - id: init - with: - build-mode: autobuild - db-location: "${{ runner.temp }}/customDbLocation" - languages: java - tools: ${{ steps.prepare-test.outputs.tools-url }} - - - name: Check that indirect tracing is disabled - run: | - if [[ ! -z "${CODEQL_RUNNER}" ]]; then - echo "Expected indirect tracing to be disabled, but the" \ - "CODEQL_RUNNER environment variable is set." - exit 1 - fi - - - uses: ./../action/analyze diff --git a/pr-checks/checks/test-autobuild-working-dir.yml b/pr-checks/checks/autobuild-working-dir.yml similarity index 96% rename from pr-checks/checks/test-autobuild-working-dir.yml rename to pr-checks/checks/autobuild-working-dir.yml index eda3677f6..77c1f73c8 100644 --- a/pr-checks/checks/test-autobuild-working-dir.yml +++ b/pr-checks/checks/autobuild-working-dir.yml 
@@ -1,7 +1,6 @@ name: "Autobuild working directory" description: "Tests working-directory input of autobuild action" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - name: Test setup run: | diff --git a/pr-checks/checks/build-mode-autobuild.yml b/pr-checks/checks/build-mode-autobuild.yml index 7e840d15a..26b8626f2 100644 --- a/pr-checks/checks/build-mode-autobuild.yml +++ b/pr-checks/checks/build-mode-autobuild.yml @@ -1,7 +1,8 @@ name: "Build mode autobuild" description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'" -operatingSystems: ["ubuntu"] -versions: ["nightly-latest"] +operatingSystems: ["ubuntu", "windows"] +versions: ["linked", "nightly-latest"] +installJava: "true" steps: - name: Set up Java test repo configuration run: | @@ -17,6 +18,11 @@ steps: languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} + - name: Install yq + if: runner.os == 'Windows' + run: | + choco install yq -y + - name: Validate database build mode run: | metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml" @@ -26,4 +32,12 @@ steps: exit 1 fi + - name: Check that indirect tracing is disabled + run: | + if [[ ! -z "${CODEQL_RUNNER}" ]]; then + echo "Expected indirect tracing to be disabled, but the" \ + "CODEQL_RUNNER environment variable is set." + exit 1 + fi + - uses: ./../action/analyze diff --git a/pr-checks/checks/build-mode-manual.yml b/pr-checks/checks/build-mode-manual.yml index 64009c2ee..f1815b7ff 100644 --- a/pr-checks/checks/build-mode-manual.yml +++ b/pr-checks/checks/build-mode-manual.yml @@ -1,6 +1,5 @@ name: "Build mode manual" description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'" -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] installGo: true steps: diff --git a/pr-checks/checks/build-mode-none.yml b/pr-checks/checks/build-mode-none.yml index 4d23614a9..669ea7915 100644 --- a/pr-checks/checks/build-mode-none.yml 
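Review bot: The new `Install yq` step in `build-mode-autobuild.yml` runs `choco install yq -y` with no version, so the Windows leg uses whatever yq build Chocolatey serves at job time. Pinning it, e.g. `choco install yq -y --version <PINNED_VERSION>`, keeps the check reproducible and turns a changed or replaced package into a visible diff instead of a silent one. The same commit removes the `if: runner.os != 'Windows'` guard from the yq step in `init-with-registries.yml` without adding an install step in that hunk; if that check still lists `windows`, it presumably needs the same step. The `steps:` list continues outside this hunk.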
+++ b/pr-checks/checks/build-mode-none.yml @@ -1,6 +1,5 @@ name: "Build mode none" description: "An end-to-end integration test of a Java repository built using 'build-mode: none'" -operatingSystems: ["ubuntu"] versions: ["linked", "nightly-latest"] steps: - uses: ./../action/init diff --git a/pr-checks/checks/build-mode-rollback.yml b/pr-checks/checks/build-mode-rollback.yml index 1d935314e..49bcfdd1f 100644 --- a/pr-checks/checks/build-mode-rollback.yml +++ b/pr-checks/checks/build-mode-rollback.yml @@ -1,6 +1,5 @@ name: "Build mode rollback" description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled." -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] env: CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true diff --git a/pr-checks/checks/bundle-toolcache.yml b/pr-checks/checks/bundle-toolcache.yml index d384cefee..d3a15fcb4 100644 --- a/pr-checks/checks/bundle-toolcache.yml +++ b/pr-checks/checks/bundle-toolcache.yml @@ -8,7 +8,7 @@ operatingSystems: - windows steps: - name: Remove CodeQL from toolcache - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | const fs = require('fs'); @@ -18,7 +18,7 @@ steps: - name: Install @actions/tool-cache run: npm install @actions/tool-cache - name: Check toolcache does not contain CodeQL - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | const toolcache = require('@actions/tool-cache'); @@ -37,7 +37,7 @@ steps: output: ${{ runner.temp }}/results upload-database: false - name: Check CodeQL is installed within the toolcache - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | const toolcache = require('@actions/tool-cache'); diff --git a/pr-checks/checks/bundle-zstd.yml b/pr-checks/checks/bundle-zstd.yml index de83d8e92..2ec8b3b8d 100644 --- a/pr-checks/checks/bundle-zstd.yml +++ b/pr-checks/checks/bundle-zstd.yml 
@@ -8,7 +8,7 @@ operatingSystems: - windows steps: - name: Remove CodeQL from toolcache - uses: actions/github-script@v7 + uses: actions/github-script@v8 with: script: | const fs = require('fs'); @@ -33,7 +33,7 @@ steps: path: ${{ runner.temp }}/results/javascript.sarif retention-days: 7 - name: Check diagnostic with expected tools URL appears in SARIF - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif with: diff --git a/pr-checks/checks/cleanup-db-cluster-dir.yml b/pr-checks/checks/cleanup-db-cluster-dir.yml index 1c181a57e..d2cacf47e 100644 --- a/pr-checks/checks/cleanup-db-cluster-dir.yml +++ b/pr-checks/checks/cleanup-db-cluster-dir.yml @@ -1,6 +1,5 @@ name: "Clean up database cluster directory" description: "The database cluster directory is cleaned up if it is not empty." -operatingSystems: ["ubuntu"] versions: ["linked"] steps: - name: Add a file to the database cluster directory diff --git a/pr-checks/checks/config-export.yml b/pr-checks/checks/config-export.yml index ce9448256..c51ad04e2 100644 --- a/pr-checks/checks/config-export.yml +++ b/pr-checks/checks/config-export.yml @@ -18,7 +18,7 @@ steps: path: "${{ runner.temp }}/results/javascript.sarif" retention-days: 7 - name: Check config properties appear in SARIF - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif" with: diff --git a/pr-checks/checks/config-input.yml b/pr-checks/checks/config-input.yml index 5807e8594..f139ff90e 100644 --- a/pr-checks/checks/config-input.yml +++ b/pr-checks/checks/config-input.yml @@ -1,7 +1,6 @@ name: "Config input" description: "Tests specifying configuration using the config input" installNode: true -operatingSystems: ["ubuntu"] versions: ["linked"] steps: - name: Copy queries into workspace 
diff --git a/pr-checks/checks/cpp-deptrace-disabled.yml b/pr-checks/checks/cpp-deptrace-disabled.yml index 1073d0194..5b6e82726 100644 --- a/pr-checks/checks/cpp-deptrace-disabled.yml +++ b/pr-checks/checks/cpp-deptrace-disabled.yml @@ -1,6 +1,5 @@ name: "C/C++: disabling autoinstalling dependencies (Linux)" description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works" -operatingSystems: ["ubuntu"] versions: ["linked", "default", "nightly-latest"] env: DOTNET_GENERATE_ASPNET_CERTIFICATE: "false" diff --git a/pr-checks/checks/cpp-deptrace-enabled.yml b/pr-checks/checks/cpp-deptrace-enabled.yml index f92f29d21..e35910a75 100644 --- a/pr-checks/checks/cpp-deptrace-enabled.yml +++ b/pr-checks/checks/cpp-deptrace-enabled.yml @@ -1,6 +1,5 @@ name: "C/C++: autoinstalling dependencies (Linux)" description: "Checks that running C/C++ autobuild with autoinstalling dependencies works" -operatingSystems: ["ubuntu"] versions: ["linked", "default", "nightly-latest"] env: DOTNET_GENERATE_ASPNET_CERTIFICATE: "false" diff --git a/pr-checks/checks/diagnostics-export.yml b/pr-checks/checks/diagnostics-export.yml index 4324b35a9..eb247f7ca 100644 --- a/pr-checks/checks/diagnostics-export.yml +++ b/pr-checks/checks/diagnostics-export.yml @@ -31,7 +31,7 @@ steps: path: "${{ runner.temp }}/results/javascript.sarif" retention-days: 7 - name: Check diagnostics appear in SARIF - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif" with: diff --git a/pr-checks/checks/export-file-baseline-information.yml b/pr-checks/checks/export-file-baseline-information.yml index 2eb0e6d52..f7698f885 100644 --- a/pr-checks/checks/export-file-baseline-information.yml +++ b/pr-checks/checks/export-file-baseline-information.yml 
@@ -1,5 +1,6 @@ name: "Export file baseline information" description: "Tests that file baseline information is exported when the feature is enabled" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["nightly-latest"] installGo: true env: diff --git a/pr-checks/checks/extractor-ram-threads.yml b/pr-checks/checks/extractor-ram-threads.yml index 435c9f41e..43638af18 100644 --- a/pr-checks/checks/extractor-ram-threads.yml +++ b/pr-checks/checks/extractor-ram-threads.yml @@ -1,7 +1,6 @@ name: "Extractor ram and threads options test" description: "Tests passing RAM and threads limits to extractors" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/test-proxy.yml b/pr-checks/checks/global-proxy.yml similarity index 97% rename from pr-checks/checks/test-proxy.yml rename to pr-checks/checks/global-proxy.yml index 39efb214e..1d6412574 100644 --- a/pr-checks/checks/test-proxy.yml +++ b/pr-checks/checks/global-proxy.yml @@ -1,7 +1,6 @@ name: "Proxy test" description: "Tests using a proxy specified by the https_proxy environment variable" versions: ["linked", "nightly-latest"] -operatingSystems: ["ubuntu"] container: image: ubuntu:22.04 container-init-steps: diff --git a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml index e7cd79185..10acfeb43 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml @@ -1,7 +1,6 @@ name: "Go: diagnostic when Go is changed after init step" description: "Checks that we emit a diagnostic if Go is changed after the init step" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true 
@@ -12,7 +11,7 @@ steps: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} # Deliberately change Go after the `init` step - - uses: actions/setup-go@v5 + - uses: actions/setup-go@v6 with: go-version: "1.20" - name: Build code @@ -22,7 +21,7 @@ steps: output: "${{ runner.temp }}/results" upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: "${{ runner.temp }}/results/go.sarif" with: diff --git a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml index 3f2fa90b9..c5083b601 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml @@ -1,7 +1,6 @@ name: "Go: diagnostic when `file` is not installed" description: "Checks that we emit a diagnostic if the `file` program is not installed" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true @@ -23,7 +22,7 @@ steps: output: "${{ runner.temp }}/results" upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: "${{ runner.temp }}/results/go.sarif" with: diff --git a/pr-checks/checks/go-indirect-tracing-workaround.yml b/pr-checks/checks/go-indirect-tracing-workaround.yml index 5c6690128..222b964c7 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround.yml 
@@ -1,7 +1,6 @@ name: "Go: workaround for indirect tracing" description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true diff --git a/pr-checks/checks/init-with-registries.yml b/pr-checks/checks/init-with-registries.yml index bc45d255a..cedc62aab 100644 --- a/pr-checks/checks/init-with-registries.yml +++ b/pr-checks/checks/init-with-registries.yml @@ -62,8 +62,6 @@ steps: fi - name: Verify contents of qlconfig.yml - # yq is not available on windows - if: runner.os != 'Windows' run: | QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")' diff --git a/pr-checks/checks/javascript-source-root.yml b/pr-checks/checks/javascript-source-root.yml index 9c933576e..b06dc7bfa 100644 --- a/pr-checks/checks/javascript-source-root.yml +++ b/pr-checks/checks/javascript-source-root.yml @@ -1,7 +1,6 @@ name: "Custom source root" description: "Checks that the argument specifying a non-default source root works" versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs -operatingSystems: ["ubuntu"] steps: - name: Move codeql-action run: | diff --git a/pr-checks/checks/job-run-uuid-sarif.yml b/pr-checks/checks/job-run-uuid-sarif.yml index 196e32178..9c0f843d4 100644 --- a/pr-checks/checks/job-run-uuid-sarif.yml +++ b/pr-checks/checks/job-run-uuid-sarif.yml @@ -1,6 +1,5 @@ name: "Job run UUID added to SARIF" description: "Tests that the job run UUID is added to the SARIF output" -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] steps: - uses: ./../action/init diff --git a/pr-checks/checks/language-aliases.yml b/pr-checks/checks/language-aliases.yml index 16f5f044f..b0db1288a 100644 --- a/pr-checks/checks/language-aliases.yml 
+++ b/pr-checks/checks/language-aliases.yml @@ -1,7 +1,6 @@ name: "Language aliases" description: "Tests that language aliases are resolved correctly" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/test-local-codeql.yml b/pr-checks/checks/local-bundle.yml similarity index 95% rename from pr-checks/checks/test-local-codeql.yml rename to pr-checks/checks/local-bundle.yml index 1e41e5dd3..c16c2bf50 100644 --- a/pr-checks/checks/test-local-codeql.yml +++ b/pr-checks/checks/local-bundle.yml @@ -1,7 +1,6 @@ name: "Local CodeQL bundle" description: "Tests using a CodeQL bundle from a local file rather than a URL" versions: ["linked"] -operatingSystems: ["ubuntu"] installGo: true steps: - name: Fetch latest CodeQL bundle diff --git a/pr-checks/checks/overlay-init-fallback.yml b/pr-checks/checks/overlay-init-fallback.yml index 44d19d79c..bfcfd27e7 100644 --- a/pr-checks/checks/overlay-init-fallback.yml +++ b/pr-checks/checks/overlay-init-fallback.yml @@ -1,7 +1,6 @@ name: "Overlay database init fallback" description: "Tests that overlay init action succeeds with non-overlay packs" versions: ["linked", "nightly-latest"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/quality-queries.yml b/pr-checks/checks/quality-queries.yml index 9eb578171..b8420ad20 100644 --- a/pr-checks/checks/quality-queries.yml +++ b/pr-checks/checks/quality-queries.yml @@ -54,7 +54,7 @@ steps: retention-days: 7 - name: Check quality query does not appear in security SARIF if: contains(matrix.analysis-kinds, 'code-scanning') - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif" EXPECT_PRESENT: "false" 
@@ -62,7 +62,7 @@ steps: script: ${{ env.CHECK_SCRIPT }} - name: Check quality query appears in quality SARIF if: contains(matrix.analysis-kinds, 'code-quality') - uses: actions/github-script@v7 + uses: actions/github-script@v8 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.quality.sarif" EXPECT_PRESENT: "true" diff --git a/pr-checks/checks/rubocop-multi-language.yml b/pr-checks/checks/rubocop-multi-language.yml index b4439a2d3..27bcf070d 100644 --- a/pr-checks/checks/rubocop-multi-language.yml +++ b/pr-checks/checks/rubocop-multi-language.yml @@ -1,11 +1,10 @@ name: "RuboCop multi-language" description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF" -operatingSystems: ["ubuntu"] # This check doesn't use CodeQL, so the `version` matrix variable is unused. versions: ["default"] steps: - name: Set up Ruby - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0 + uses: ruby/setup-ruby@0481980f17b760ef6bca5e8c55809102a0af1e5a # v1.263.0 with: ruby-version: 2.6 - name: Install Code Scanning integration diff --git a/pr-checks/checks/rust.yml b/pr-checks/checks/rust.yml index 67920538d..c19fc986d 100644 --- a/pr-checks/checks/rust.yml +++ b/pr-checks/checks/rust.yml @@ -8,7 +8,6 @@ versions: - linked - default - nightly-latest -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml index ba67db39f..97332e4c9 100644 --- a/pr-checks/checks/submit-sarif-failure.yml +++ b/pr-checks/checks/submit-sarif-failure.yml @@ -1,7 +1,6 @@ name: Submit SARIF after failure description: Check that a SARIF file is submitted for the workflow run if it fails versions: ["linked", "default", "nightly-latest"] -operatingSystems: ["ubuntu"] env: # Internal-only environment variable used to indicate that the post-init Action 
diff --git a/pr-checks/readme.md b/pr-checks/readme.md index 618a67503..283ed3599 100644 --- a/pr-checks/readme.md +++ b/pr-checks/readme.md @@ -9,6 +9,6 @@ to one of the files in this directory. 1. Install https://github.com/casey/just by whichever way you prefer. 2. Run `just update-pr-checks` in your terminal. -### If you don't want to intall `just` +### If you don't want to install `just` Manually run each step in the `justfile`. diff --git a/pr-checks/sync.py b/pr-checks/sync.py index 206519cc4..866a61030 100755 --- a/pr-checks/sync.py +++ b/pr-checks/sync.py @@ -29,12 +29,6 @@ defaultTestVersions = [ "nightly-latest" ] -def is_os_and_version_excluded(os, version, exclude_params): - for exclude_param in exclude_params: - if exclude_param[0] == os and exclude_param[1] == version: - return True - return False - # When updating the ruamel.yaml version here, update the PR check in # `.github/workflows/pr-checks.yml` too. header = """# Warning: This file is generated automatically, and should not be modified. 
@@ -78,22 +72,17 @@ for file in sorted((this_dir / 'checks').glob('*.yml')): if 'inputs' in checkSpecification: workflowInputs = checkSpecification['inputs'] - excludedOsesAndVersions = checkSpecification.get('excludeOsAndVersionCombination', []) for version in checkSpecification.get('versions', defaultTestVersions): if version == "latest": raise ValueError('Did not recognize "version: latest". Did you mean "version: linked"?') runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"] - operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu", "macos", "windows"]) + operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu"]) for operatingSystem in operatingSystems: runnerImagesForOs = [image for image in runnerImages if image.startswith(operatingSystem)] for runnerImage in runnerImagesForOs: - # Skip appending this combination to the matrix if it is explicitly excluded. - if is_os_and_version_excluded(operatingSystem, version, excludedOsesAndVersions): - continue - matrix.append({ 'os': runnerImage, 'version': version @@ -128,7 +117,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')): steps.extend([ { 'name': 'Install Node.js', - 'uses': 'actions/setup-node@v4', + 'uses': 'actions/setup-node@v5', 'with': { 'node-version': '20.x', 'cache': 'npm', @@ -166,7 +155,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')): steps.append({ 'name': 'Install Go', - 'uses': 'actions/setup-go@v5', + 'uses': 'actions/setup-go@v6', 'with': { 'go-version': '${{ inputs.go-version || \'' + baseGoVersionExpr + '\' }}', # to avoid potentially misleading autobuilder results where we expect it to download @@ -211,6 +200,7 @@ for file in sorted((this_dir / 'checks').glob('*.yml')): } }, 'name': checkSpecification['name'], + 'if': 'github.triggering_actor != \'dependabot[bot]\'', 'permissions': { 'contents': 'read', 'security-events': 'read' 
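Review bot: Changing the fallback to `checkSpecification.get('operatingSystems', ["ubuntu"])` makes every spec that drops its explicit `operatingSystems: ["ubuntu"]` line Linux-only by default rather than by declaration. The three `go-indirect-tracing-workaround*.yml` specs keep their `# only Linux is affected` comment but lose the line it annotated, so a later change to this default would silently widen them; I would keep `operatingSystems: ["ubuntu"]` in those specs. `excludeOsAndVersionCombination` is also no longer read, so a spec that still sets it is silently ignored; a guard such as `if 'excludeOsAndVersionCombination' in checkSpecification: raise ValueError('excludeOsAndVersionCombination is no longer supported')` would surface that. The enclosing `for file in ...` loop starts and ends outside this hunk.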
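Review bot: The generated `'if': 'github.triggering_actor != \'dependabot[bot]\''` has no comment explaining why every PR check is skipped for Dependabot-started runs. A skipped job is reported to branch protection as successful, so required checks would show green on a Dependabot PR without having run. If the intent is that the `Rebuild` label added in `.github/dependabot.yml` leads to a later push by another actor that does run the checks (not visible in this hunk), say so here, e.g. `# Skipped for Dependabot-triggered runs; the checks run once the PR is rebuilt by another actor.` Note also that `triggering_actor` is whoever started the run, so a maintainer re-running a Dependabot run passes this condition while the run keeps Dependabot's restricted token. The job dictionary starts and ends outside this hunk.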
diff --git a/pr-checks/sync_back.py b/pr-checks/sync_back.py new file mode 100755 index 000000000..1474b455e --- /dev/null +++ b/pr-checks/sync_back.py 
@@ -0,0 +1,185 @@ +#!/usr/bin/env python3 +""" +Sync-back script to automatically update action versions in source templates +from the generated workflow files after Dependabot updates. + +This script scans the generated workflow files (.github/workflows/__*.yml) to find +all external action versions used, then updates: +1. Hardcoded action versions in pr-checks/sync.py +2. Action version references in template files in pr-checks/checks/ + +The script automatically detects all actions used in generated workflows and +preserves version comments (e.g., # v1.2.3) when syncing versions. + +This ensures that when Dependabot updates action versions in generated workflows, +those changes are properly synced back to the source templates. Regular workflow +files are updated directly by Dependabot and don't need sync-back. +""" + +import os +import re +import glob +import argparse +import sys +from pathlib import Path +from typing import Dict, List + + +def scan_generated_workflows(workflow_dir: str) -> Dict[str, str]: + """ + Scan generated workflow files to extract the latest action versions. 
+ + Args: + workflow_dir: Path to .github/workflows directory + + Returns: + Dictionary mapping action names to their latest versions (including comments) + """ + action_versions = {} + generated_files = glob.glob(os.path.join(workflow_dir, "__*.yml")) + + for file_path in generated_files: + with open(file_path, 'r') as f: + content = f.read() + + # Find all action uses in the file, including potential comments + # This pattern captures: action_name@version_with_possible_comment + pattern = r'uses:\s+([^/\s]+/[^@\s]+)@([^@\n]+)' + matches = re.findall(pattern, content) + + for action_name, version_with_comment in matches: + # Only track non-local actions (those with / but not starting with ./) + if not action_name.startswith('./'): + # Assume that version numbers are consistent (this should be the case on a Dependabot update PR) + action_versions[action_name] = version_with_comment.rstrip() + + return action_versions + + +def update_sync_py(sync_py_path: str, action_versions: Dict[str, str]) -> bool: + """ + Update hardcoded action versions in pr-checks/sync.py + + Args: + sync_py_path: Path to sync.py file + action_versions: Dictionary of action names to versions (may include comments) + + Returns: + True if file was modified, False otherwise + """ + if not os.path.exists(sync_py_path): + raise FileNotFoundError(f"Could not find {sync_py_path}") + + with open(sync_py_path, 'r') as f: + content = f.read() + + original_content = content + + # Update hardcoded action versions + for action_name, version_with_comment in action_versions.items(): + # Extract just the version part (before any comment) for sync.py + version = version_with_comment.split('#')[0].strip() if '#' in version_with_comment else version_with_comment.strip() + + # Look for patterns like 'uses': 'actions/setup-node@v4' + # Note that this will break if we store an Action uses reference in a + # variable - that's a risk we're happy to take since in that case the + # PR checks will just fail. 
+ pattern = rf"('uses':\s*'){re.escape(action_name)}@(?:[^']+)(')" + replacement = rf"\1{action_name}@{version}\2" + content = re.sub(pattern, replacement, content) + + if content != original_content: + with open(sync_py_path, 'w') as f: + f.write(content) + print(f"Updated {sync_py_path}") + return True + else: + print(f"No changes needed in {sync_py_path}") + return False + + +def update_template_files(checks_dir: str, action_versions: Dict[str, str]) -> List[str]: + """ + Update action versions in template files in pr-checks/checks/ + + Args: + checks_dir: Path to pr-checks/checks directory + action_versions: Dictionary of action names to versions (may include comments) + + Returns: + List of files that were modified + """ + modified_files = [] + template_files = glob.glob(os.path.join(checks_dir, "*.yml")) + + for file_path in template_files: + with open(file_path, 'r') as f: + content = f.read() + + original_content = content + + # Update action versions + for action_name, version_with_comment in action_versions.items(): + # Look for patterns like 'uses: actions/setup-node@v4' or 'uses: actions/setup-node@sha # comment' + pattern = rf"(uses:\s+{re.escape(action_name)})@(?:[^@\n]+)" + replacement = rf"\1@{version_with_comment}" + content = re.sub(pattern, replacement, content) + + if content != original_content: + with open(file_path, 'w') as f: + f.write(content) + modified_files.append(file_path) + print(f"Updated {file_path}") + + return modified_files + + +def main(): + parser = argparse.ArgumentParser(description="Sync action versions from generated workflows back to templates") + parser.add_argument("--verbose", "-v", action="store_true", help="Enable verbose output") + args = parser.parse_args() + + # Get the repository root (assuming script is in pr-checks/) + script_dir = Path(__file__).parent + repo_root = script_dir.parent + + workflow_dir = repo_root / ".github" / "workflows" + checks_dir = script_dir / "checks" + sync_py_path = script_dir / 
"sync.py" + + print("Scanning generated workflows for latest action versions...") + action_versions = scan_generated_workflows(str(workflow_dir)) + + if args.verbose: + print("Found action versions:") + for action, version in action_versions.items(): + print(f" {action}@{version}") + + if not action_versions: + print("No action versions found in generated workflows") + return 1 + + # Update files + print("\nUpdating source files...") + modified_files = [] + + # Update sync.py + if update_sync_py(str(sync_py_path), action_versions): + modified_files.append(str(sync_py_path)) + + # Update template files + template_modified = update_template_files(str(checks_dir), action_versions) + modified_files.extend(template_modified) + + if modified_files: + print(f"\nSync completed. Modified {len(modified_files)} files:") + for file_path in modified_files: + print(f" {file_path}") + else: + print("\nNo files needed updating - all action versions are already in sync") + + return 0 + + +if __name__ == "__main__": + sys.exit(main()) \ No newline at end of file diff --git a/pr-checks/test_sync_back.py b/pr-checks/test_sync_back.py new file mode 100644 index 000000000..de2e42d73 --- /dev/null +++ b/pr-checks/test_sync_back.py 
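Review bot: In `update_sync_py` and `update_template_files` the ref scanned from the generated workflows (anything matching `[^@\n]+`) is spliced into a `re.sub` replacement template and, for `sync.py`, into a Python string literal, without any validation. A backslash in a version comment is then read as a group reference or raises `re.error`, and a quote in the ref would change the Python source that generates every workflow. Validating the ref against the characters a tag or commit SHA is expected to contain and using a callable replacement closes both; the same callable form applies to `update_template_files`. Separately, `scan_generated_workflows` keeps whichever version it sees last, so two generated files that disagree are resolved by glob order rather than reported.

```python
    for action_name, version_with_comment in action_versions.items():
        # … unchanged: version = text before any '#' comment, stripped …

        # The ref lands inside a Python string literal in sync.py, so accept
        # only characters a tag, branch or commit SHA is expected to contain.
        if not re.fullmatch(r"[A-Za-z0-9._/-]+", version):
            raise ValueError(f"Unexpected ref for {action_name}: {version!r}")

        pattern = rf"('uses':\s*'){re.escape(action_name)}@(?:[^']+)(')"
        # A callable replacement is inserted literally; backslashes in the ref
        # are not interpreted as group references.
        content = re.sub(
            pattern,
            lambda m: f"{m.group(1)}{action_name}@{version}{m.group(2)}",
            content,
        )
```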
@@ -0,0 +1,237 @@ +#!/usr/bin/env python3 +""" +Tests for the sync_back.py script +""" + +import os +import shutil +import tempfile +import unittest + +import sync_back + + +class TestSyncBack(unittest.TestCase): + + def setUp(self): + """Set up temporary directories and files for testing""" + self.test_dir = tempfile.mkdtemp() + self.workflow_dir = os.path.join(self.test_dir, ".github", "workflows") + self.checks_dir = os.path.join(self.test_dir, "pr-checks", "checks") + os.makedirs(self.workflow_dir) + os.makedirs(self.checks_dir) + + # Create sync.py file + self.sync_py_path = os.path.join(self.test_dir, "pr-checks", "sync.py") + + def tearDown(self): + """Clean up temporary directories""" + shutil.rmtree(self.test_dir) + + def test_scan_generated_workflows_basic(self): + """Test basic workflow scanning functionality""" + # Create a test generated workflow file + workflow_content = """ +name: Test Workflow +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v5 + - uses: actions/setup-go@v6 + """ + + with open(os.path.join(self.workflow_dir, "__test.yml"), 'w') as f: + f.write(workflow_content) + + result = sync_back.scan_generated_workflows(self.workflow_dir) + + self.assertEqual(result['actions/checkout'], 'v4') + self.assertEqual(result['actions/setup-node'], 'v5') + self.assertEqual(result['actions/setup-go'], 'v6') + + def test_scan_generated_workflows_with_comments(self): + """Test scanning workflows with version comments""" + workflow_content = """ +name: Test Workflow +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0 + - uses: actions/setup-python@v6 # Latest Python + """ + + with open(os.path.join(self.workflow_dir, "__test.yml"), 'w') as f: + f.write(workflow_content) + + result = sync_back.scan_generated_workflows(self.workflow_dir) + + self.assertEqual(result['actions/checkout'], 'v4') + 
self.assertEqual(result['ruby/setup-ruby'], '44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0') + self.assertEqual(result['actions/setup-python'], 'v6 # Latest Python') + + def test_scan_generated_workflows_ignores_local_actions(self): + """Test that local actions (starting with ./) are ignored""" + workflow_content = """ +name: Test Workflow +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: ./.github/actions/local-action + - uses: ./another-local-action@v1 + """ + + with open(os.path.join(self.workflow_dir, "__test.yml"), 'w') as f: + f.write(workflow_content) + + result = sync_back.scan_generated_workflows(self.workflow_dir) + + self.assertEqual(result['actions/checkout'], 'v4') + self.assertNotIn('./.github/actions/local-action', result) + self.assertNotIn('./another-local-action', result) + + + def test_update_sync_py(self): + """Test updating sync.py file""" + sync_py_content = """ +steps = [ + { + 'uses': 'actions/setup-node@v4', + 'with': {'node-version': '16'} + }, + { + 'uses': 'actions/setup-go@v5', + 'with': {'go-version': '1.19'} + } +] + """ + + with open(self.sync_py_path, 'w') as f: + f.write(sync_py_content) + + action_versions = { + 'actions/setup-node': 'v5', + 'actions/setup-go': 'v6' + } + + result = sync_back.update_sync_py(self.sync_py_path, action_versions) + self.assertTrue(result) + + with open(self.sync_py_path, 'r') as f: + updated_content = f.read() + + self.assertIn("'uses': 'actions/setup-node@v5'", updated_content) + self.assertIn("'uses': 'actions/setup-go@v6'", updated_content) + + def test_update_sync_py_with_comments(self): + """Test updating sync.py file when versions have comments""" + sync_py_content = """ +steps = [ + { + 'uses': 'actions/setup-node@v4', + 'with': {'node-version': '16'} + } +] + """ + + with open(self.sync_py_path, 'w') as f: + f.write(sync_py_content) + + action_versions = { + 'actions/setup-node': 'v5 # Latest version' + } + + result = 
sync_back.update_sync_py(self.sync_py_path, action_versions) + self.assertTrue(result) + + with open(self.sync_py_path, 'r') as f: + updated_content = f.read() + + # sync.py should get the version without comment + self.assertIn("'uses': 'actions/setup-node@v5'", updated_content) + self.assertNotIn("# Latest version", updated_content) + + def test_update_template_files(self): + """Test updating template files""" + template_content = """ +name: Test Template +steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v4 + with: + node-version: 16 + """ + + template_path = os.path.join(self.checks_dir, "test.yml") + with open(template_path, 'w') as f: + f.write(template_content) + + action_versions = { + 'actions/checkout': 'v4', + 'actions/setup-node': 'v5 # Latest' + } + + result = sync_back.update_template_files(self.checks_dir, action_versions) + self.assertEqual(len(result), 1) + self.assertIn(template_path, result) + + with open(template_path, 'r') as f: + updated_content = f.read() + + self.assertIn("uses: actions/checkout@v4", updated_content) + self.assertIn("uses: actions/setup-node@v5 # Latest", updated_content) + + def test_update_template_files_preserves_comments(self): + """Test that updating template files preserves version comments""" + template_content = """ +name: Test Template +steps: + - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.256.0 + """ + + template_path = os.path.join(self.checks_dir, "test.yml") + with open(template_path, 'w') as f: + f.write(template_content) + + action_versions = { + 'ruby/setup-ruby': '55511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0' + } + + result = sync_back.update_template_files(self.checks_dir, action_versions) + self.assertEqual(len(result), 1) + + with open(template_path, 'r') as f: + updated_content = f.read() + + self.assertIn("uses: ruby/setup-ruby@55511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0", updated_content) + + def test_no_changes_needed(self): + """Test that 
functions return False/empty when no changes are needed""" + # Test sync.py with no changes needed + sync_py_content = """ +steps = [ + { + 'uses': 'actions/setup-node@v5', + 'with': {'node-version': '16'} + } +] + """ + + with open(self.sync_py_path, 'w') as f: + f.write(sync_py_content) + + action_versions = { + 'actions/setup-node': 'v5' + } + + result = sync_back.update_sync_py(self.sync_py_path, action_versions) + self.assertFalse(result) + + +if __name__ == '__main__': + unittest.main() diff --git a/src/api-client.ts b/src/api-client.ts index 8e4a30c57..86134b7f8 100644 --- a/src/api-client.ts +++ b/src/api-client.ts @@ -4,6 +4,7 @@ import * as retry from "@octokit/plugin-retry"; import consoleLogLevel from "console-log-level"; import { getActionVersion, getRequiredInput } from "./actions-util"; +import { Logger } from "./logging"; import { getRepositoryNwo, RepositoryNwo } from "./repository"; import { ConfigurationError, @@ -54,7 +55,7 @@ function createApiClientWithDetails( ); } -export function getApiDetails() { +export function getApiDetails(): GitHubApiDetails { return { auth: getRequiredInput("token"), url: getRequiredEnvParam("GITHUB_SERVER_URL"), 
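Review bot: `test_no_changes_needed` says in its docstring that the functions return False/empty when nothing changes, but it only asserts on `update_sync_py`; the `update_template_files` half is never exercised. Writing a template that is already at `v5` and adding `self.assertEqual(sync_back.update_template_files(self.checks_dir, action_versions), [])` would cover it. There is also no case for two generated workflows naming different versions of the same action, which `scan_generated_workflows` resolves by file order, and none for a version comment containing a backslash or quote.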
@@ -72,6 +73,36 @@ export function getApiClientWithExternalAuth( return createApiClientWithDetails(apiDetails, { allowExternal: true }); } +/** + * Gets a value for the `Authorization` header for a request to `url`; or `undefined` if the + * `Authorization` header should not be set for `url`. + * + * @param logger The logger to use for debugging messages. + * @param apiDetails Details of the GitHub API we are using. + * @param url The URL for which we want to add an `Authorization` header. + * + * @returns The value for the `Authorization` header or `undefined` if it shouldn't be populated. + */ +export function getAuthorizationHeaderFor( + logger: Logger, + apiDetails: GitHubApiDetails, + url: string, +): string | undefined { + // We only want to provide an authorization header if we are downloading + // from the same GitHub instance the Action is running on. + // This avoids leaking Enterprise tokens to dotcom. + if ( + url.startsWith(`${apiDetails.url}/`) || + (apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`)) + ) { + logger.debug(`Providing an authorization token.`); + return `token ${apiDetails.auth}`; + } + + logger.debug(`Not using an authorization token.`); + return undefined; +} + let cachedGitHubVersion: GitHubVersion | undefined = undefined; export async function getGitHubVersionFromApi( diff --git a/src/defaults.json b/src/defaults.json index 712efc19f..dbc0d5e25 100644 --- a/src/defaults.json +++ b/src/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.23.0", - "cliVersion": "2.23.0", - "priorBundleVersion": "codeql-bundle-v2.22.4", - "priorCliVersion": "2.22.4" + "bundleVersion": "codeql-bundle-v2.23.1", + "cliVersion": "2.23.1", + "priorBundleVersion": "codeql-bundle-v2.23.0", + "priorCliVersion": "2.23.0" } diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index a387a8b7e..127bb1b93 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts 
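Review bot: The prefix test in `getAuthorizationHeaderFor` is the only thing keeping the token from being sent to another host, and its safety rests entirely on the `/` appended to `apiDetails.url` and `apiDetails.apiURL` before the `startsWith` comparison. That deserves a line in the body, e.g. `// The trailing "/" matters: without it a host that merely begins with the instance URL would match.`, plus unit tests for a same-instance URL, an unrelated host, and a URL that only shares the prefix. The comparison is also case-sensitive and exact, so a `GITHUB_SERVER_URL` with a trailing slash or different casing fails closed and the request goes out unauthenticated with only a debug message; comparing `new URL(url).origin` with the origin of `apiDetails.url` would presumably tolerate that, at the cost of ignoring any path component in `apiURL`.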
@@ -566,21 +566,17 @@ export const downloadCodeQL = async function ( const headers: OutgoingHttpHeaders = { accept: "application/octet-stream", }; - // We only want to provide an authorization header if we are downloading - // from the same GitHub instance the Action is running on. - // This avoids leaking Enterprise tokens to dotcom. - // We also don't want to send an authorization header if there's already a token provided in the URL. let authorization: string | undefined = undefined; + + // We don't want to send an authorization header if there's already a token provided in the URL. if (searchParams.has("token")) { logger.debug("CodeQL tools URL contains an authorization token."); - } else if ( - codeqlURL.startsWith(`${apiDetails.url}/`) || - (apiDetails.apiURL && codeqlURL.startsWith(`${apiDetails.apiURL}/`)) - ) { - logger.debug("Providing an authorization token to download CodeQL tools."); - authorization = `token ${apiDetails.auth}`; } else { - logger.debug("Downloading CodeQL tools without an authorization token."); + authorization = api.getAuthorizationHeaderFor( + logger, + apiDetails, + codeqlURL, + ); } const toolcacheInfo = getToolcacheDestinationInfo( diff --git a/src/start-proxy-action.ts b/src/start-proxy-action.ts index 6ce3b70ff..9592b904b 100644 --- a/src/start-proxy-action.ts +++ b/src/start-proxy-action.ts @@ -6,6 +6,7 @@ import * as toolcache from "@actions/tool-cache"; import { pki } from "node-forge"; import * as actionsUtil from "./actions-util"; +import { getApiDetails, getAuthorizationHeaderFor } from "./api-client"; import { getActionsLogger, Logger } from "./logging"; import { Credential, 
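Review bot: The `searchParams.has("token")` guard stays in `downloadCodeQL` while the same-instance test moves into `api.getAuthorizationHeaderFor`, so any other caller of the helper has to remember the guard itself. If a URL that already carries a token should never also receive the header, that rule is safer inside the helper; otherwise a comment here such as `// Pre-signed URLs are handled by the caller; the helper only checks the host.` would make the split deliberate. The helper's debug messages also no longer say which download they refer to, which makes the log harder to read now that more than one caller exists. `downloadCodeQL` starts and ends outside this hunk.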
@@ -192,7 +193,20 @@ async function getProxyBinaryPath(logger: Logger): Promise { let proxyBin = toolcache.find(proxyFileName, proxyInfo.version); if (!proxyBin) { - const temp = await toolcache.downloadTool(proxyInfo.url); + const apiDetails = getApiDetails(); + const authorization = getAuthorizationHeaderFor( + logger, + apiDetails, + proxyInfo.url, + ); + const temp = await toolcache.downloadTool( + proxyInfo.url, + undefined, + authorization, + { + accept: "application/octet-stream", + }, + ); const extracted = await toolcache.extractTar(temp); proxyBin = await toolcache.cacheDir( extracted,
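Review bot: `getApiDetails()` now runs on every cache miss in `getProxyBinaryPath`, and as the `api-client.ts` part of this diff shows it calls `getRequiredInput("token")`, so the download fails before it starts when the action has no `token` input, even for a `proxyInfo.url` on another host where no header would be sent. The action's input declaration is not in this hunk; confirm it declares `token`, or record the requirement with `// getApiDetails() needs the "token" input and GITHUB_SERVER_URL.` above the call. Nothing visible here checks the downloaded archive against a known digest before `extractTar`, which is worth confirming while the download path is being changed. The function continues past the end of the hunk.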