Merge remote-tracking branch 'origin/main' into mbg/upload-lib/post-process

2025-12-31 19:50:32 +08:00 · 2025-10-24 10:08:38 +01:00
parent f48b54af10 9625890712
commit b9cd36824e
12 changed files with 85 additions and 61 deletions
--- a/src/analyze-action-env.test.ts
+++ b/src/analyze-action-env.test.ts
@@ -24,6 +24,9 @@ setupTests(test);
 // but the first test would fail.

 test("analyze action with RAM & threads from environment variables", async (t) => {
+  // This test frequently times out on Windows with the default timeout, so we bump
+  // it a bit to 20s.
+  t.timeout(1000 * 20);
  await util.withTmpDir(async (tmpDir) => {
    process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
--- a/src/analyze-action-input.test.ts
+++ b/src/analyze-action-input.test.ts
@@ -24,6 +24,7 @@ setupTests(test);
 // but the first test would fail.

 test("analyze action with RAM & threads from action inputs", async (t) => {
+  t.timeout(1000 * 20);
  await util.withTmpDir(async (tmpDir) => {
    process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
    process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@@ -653,7 +653,7 @@ class GitHubFeatureFlags {
      }

      this.logger.debug(
-        "Loaded the following default values for the feature flags from the Code Scanning API:",
+        "Loaded the following default values for the feature flags from the CodeQL Action API:",
      );
      for (const [feature, value] of Object.entries(remoteFlags).sort(
        ([nameA], [nameB]) => nameA.localeCompare(nameB),
@@ -666,10 +666,10 @@ class GitHubFeatureFlags {
      const httpError = util.asHTTPError(e);
      if (httpError?.status === 403) {
        this.logger.warning(
-          "This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. " +
+          "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
            "As a result, it will not be opted into any experimental features. " +
            "This could be because the Action is running on a pull request from a fork. If not, " +
-            `please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}`,
+            `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
        );
        this.hasAccessedRemoteFeatureFlags = false;
        return {};
--- a/src/status-report.ts
+++ b/src/status-report.ts
@@ -387,9 +387,9 @@ export async function createStatusReportBase(
 }

 const OUT_OF_DATE_MSG =
-  "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+  "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
 const INCOMPATIBLE_MSG =
-  "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
+  "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";

 /**
 * Send a status report to the code_scanning/analysis/status endpoint.
@@ -439,12 +439,16 @@ export async function sendStatusReport<S extends StatusReportBase>(
          ) {
            core.warning(
              'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
-                "Uploading Code Scanning results requires write access. " +
-                'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                "Uploading CodeQL results requires write access. " +
+                'To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
                `See ${DocUrl.SCANNING_ON_PUSH} for more information on how to configure these events.`,
            );
          } else {
-            core.warning(httpError.message);
+            core.warning(
+              "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
+                "This could be because the Action is running on a pull request from a fork. If not, " +
+                `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
+            );
          }
          return;
        case 404:
@@ -466,7 +470,7 @@ export async function sendStatusReport<S extends StatusReportBase>(
    // something else has gone wrong and the request/response will be logged by octokit
    // it's possible this is a transient error and we should continue scanning
    core.warning(
-      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
+      `An unexpected error occurred when sending a status report: ${getErrorMessage(
        e,
      )}`,
    );