github/codeql-action
1
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2025-12-09 01:08:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/main' into mbg/upload-lib/post-process

Browse Source
This commit is contained in:
Michael B. Gale
2025-10-24 10:08:38 +01:00
parent f48b54af10 9625890712
commit b9cd36824e
12 changed files with 85 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
lib/analyze-action.js generated
View File

@@ -91549,7 +91549,7 @@ var GitHubFeatureFlags = class {
remoteFlags = { ...remoteFlags, ...chunkFlags }; remoteFlags = { ...remoteFlags, ...chunkFlags };
} }
this.logger.debug( this.logger.debug(
"Loaded the following default values for the feature flags from the Code Scanning API:" "Loaded the following default values for the feature flags from the CodeQL Action API:"
); );
for (const [feature, value] of Object.entries(remoteFlags).sort( for (const [feature, value] of Object.entries(remoteFlags).sort(
([nameA], [nameB]) => nameA.localeCompare(nameB) ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -91562,7 +91562,7 @@ var GitHubFeatureFlags = class {
const httpError = asHTTPError(e); const httpError = asHTTPError(e);
if (httpError?.status === 403) { if (httpError?.status === 403) {
this.logger.warning( this.logger.warning(
`This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
); );
this.hasAccessedRemoteFeatureFlags = false; this.hasAccessedRemoteFeatureFlags = false;
return {}; return {};
@@ -94277,8 +94277,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
return void 0; return void 0;
} }
} }
var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
async function sendStatusReport(statusReport) { async function sendStatusReport(statusReport) {
setJobStatusIfUnsuccessful(statusReport.status); setJobStatusIfUnsuccessful(statusReport.status);
const statusReportJSON = JSON.stringify(statusReport); const statusReportJSON = JSON.stringify(statusReport);
@@ -94305,10 +94305,12 @@ async function sendStatusReport(statusReport) {
case 403: case 403:
if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
core12.warning( core12.warning(
`Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
); );
} else { } else {
core12.warning(httpError.message); core12.warning(
`This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
);
} }
return; return;
case 404: case 404:
@@ -94324,7 +94326,7 @@ async function sendStatusReport(statusReport) {
} }
} }
core12.warning( core12.warning(
`An unexpected error occurred when sending code scanning status report: ${getErrorMessage( `An unexpected error occurred when sending a status report: ${getErrorMessage(
e e
)}` )}`
); );

16
lib/autobuild-action.js generated
View File

@@ -80310,7 +80310,7 @@ var GitHubFeatureFlags = class {
remoteFlags = { ...remoteFlags, ...chunkFlags }; remoteFlags = { ...remoteFlags, ...chunkFlags };
} }
this.logger.debug( this.logger.debug(
"Loaded the following default values for the feature flags from the Code Scanning API:" "Loaded the following default values for the feature flags from the CodeQL Action API:"
); );
for (const [feature, value] of Object.entries(remoteFlags).sort( for (const [feature, value] of Object.entries(remoteFlags).sort(
([nameA], [nameB]) => nameA.localeCompare(nameB) ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -80323,7 +80323,7 @@ var GitHubFeatureFlags = class {
const httpError = asHTTPError(e); const httpError = asHTTPError(e);
if (httpError?.status === 403) { if (httpError?.status === 403) {
this.logger.warning( this.logger.warning(
`This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
); );
this.hasAccessedRemoteFeatureFlags = false; this.hasAccessedRemoteFeatureFlags = false;
return {}; return {};
@@ -81233,8 +81233,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
return void 0; return void 0;
} }
} }
var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
async function sendStatusReport(statusReport) { async function sendStatusReport(statusReport) {
setJobStatusIfUnsuccessful(statusReport.status); setJobStatusIfUnsuccessful(statusReport.status);
const statusReportJSON = JSON.stringify(statusReport); const statusReportJSON = JSON.stringify(statusReport);
@@ -81261,10 +81261,12 @@ async function sendStatusReport(statusReport) {
case 403: case 403:
if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
core12.warning( core12.warning(
`Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
); );
} else { } else {
core12.warning(httpError.message); core12.warning(
`This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
);
} }
return; return;
case 404: case 404:
@@ -81280,7 +81282,7 @@ async function sendStatusReport(statusReport) {
} }
} }
core12.warning( core12.warning(
`An unexpected error occurred when sending code scanning status report: ${getErrorMessage( `An unexpected error occurred when sending a status report: ${getErrorMessage(
e e
)}` )}`
); );

16
lib/init-action-post.js generated
View File

@@ -129673,7 +129673,7 @@ var GitHubFeatureFlags = class {
remoteFlags = { ...remoteFlags, ...chunkFlags }; remoteFlags = { ...remoteFlags, ...chunkFlags };
} }
this.logger.debug( this.logger.debug(
"Loaded the following default values for the feature flags from the Code Scanning API:" "Loaded the following default values for the feature flags from the CodeQL Action API:"
); );
for (const [feature, value] of Object.entries(remoteFlags).sort( for (const [feature, value] of Object.entries(remoteFlags).sort(
([nameA], [nameB]) => nameA.localeCompare(nameB) ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -129686,7 +129686,7 @@ var GitHubFeatureFlags = class {
const httpError = asHTTPError(e); const httpError = asHTTPError(e);
if (httpError?.status === 403) { if (httpError?.status === 403) {
this.logger.warning( this.logger.warning(
`This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
); );
this.hasAccessedRemoteFeatureFlags = false; this.hasAccessedRemoteFeatureFlags = false;
return {}; return {};
@@ -131736,8 +131736,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
return void 0; return void 0;
} }
} }
var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
async function sendStatusReport(statusReport) { async function sendStatusReport(statusReport) {
setJobStatusIfUnsuccessful(statusReport.status); setJobStatusIfUnsuccessful(statusReport.status);
const statusReportJSON = JSON.stringify(statusReport); const statusReportJSON = JSON.stringify(statusReport);
@@ -131764,10 +131764,12 @@ async function sendStatusReport(statusReport) {
case 403: case 403:
if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
core13.warning( core13.warning(
`Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
); );
} else { } else {
core13.warning(httpError.message); core13.warning(
`This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
);
} }
return; return;
case 404: case 404:
@@ -131783,7 +131785,7 @@ async function sendStatusReport(statusReport) {
} }
} }
core13.warning( core13.warning(
`An unexpected error occurred when sending code scanning status report: ${getErrorMessage( `An unexpected error occurred when sending a status report: ${getErrorMessage(
e e
)}` )}`
); );

16
lib/init-action.js generated
View File

@@ -88975,7 +88975,7 @@ var GitHubFeatureFlags = class {
remoteFlags = { ...remoteFlags, ...chunkFlags }; remoteFlags = { ...remoteFlags, ...chunkFlags };
} }
this.logger.debug( this.logger.debug(
"Loaded the following default values for the feature flags from the Code Scanning API:" "Loaded the following default values for the feature flags from the CodeQL Action API:"
); );
for (const [feature, value] of Object.entries(remoteFlags).sort( for (const [feature, value] of Object.entries(remoteFlags).sort(
([nameA], [nameB]) => nameA.localeCompare(nameB) ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -88988,7 +88988,7 @@ var GitHubFeatureFlags = class {
const httpError = asHTTPError(e); const httpError = asHTTPError(e);
if (httpError?.status === 403) { if (httpError?.status === 403) {
this.logger.warning( this.logger.warning(
`This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
); );
this.hasAccessedRemoteFeatureFlags = false; this.hasAccessedRemoteFeatureFlags = false;
return {}; return {};
@@ -91941,8 +91941,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
return void 0; return void 0;
} }
} }
var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
async function sendStatusReport(statusReport) { async function sendStatusReport(statusReport) {
setJobStatusIfUnsuccessful(statusReport.status); setJobStatusIfUnsuccessful(statusReport.status);
const statusReportJSON = JSON.stringify(statusReport); const statusReportJSON = JSON.stringify(statusReport);
@@ -91969,10 +91969,12 @@ async function sendStatusReport(statusReport) {
case 403: case 403:
if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
core11.warning( core11.warning(
`Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
); );
} else { } else {
core11.warning(httpError.message); core11.warning(
`This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
);
} }
return; return;
case 404: case 404:
@@ -91988,7 +91990,7 @@ async function sendStatusReport(statusReport) {
} }
} }
core11.warning( core11.warning(
`An unexpected error occurred when sending code scanning status report: ${getErrorMessage( `An unexpected error occurred when sending a status report: ${getErrorMessage(
e e
)}` )}`
); );

12
lib/resolve-environment-action.js generated
View File

@@ -80859,8 +80859,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
return void 0; return void 0;
} }
} }
var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
async function sendStatusReport(statusReport) { async function sendStatusReport(statusReport) {
setJobStatusIfUnsuccessful(statusReport.status); setJobStatusIfUnsuccessful(statusReport.status);
const statusReportJSON = JSON.stringify(statusReport); const statusReportJSON = JSON.stringify(statusReport);
@@ -80887,10 +80887,12 @@ async function sendStatusReport(statusReport) {
case 403: case 403:
if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
core11.warning( core11.warning(
`Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
); );
} else { } else {
core11.warning(httpError.message); core11.warning(
`This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
);
} }
return; return;
case 404: case 404:
@@ -80906,7 +80908,7 @@ async function sendStatusReport(statusReport) {
} }
} }
core11.warning( core11.warning(
`An unexpected error occurred when sending code scanning status report: ${getErrorMessage( `An unexpected error occurred when sending a status report: ${getErrorMessage(
e e
)}` )}`
); );

16
lib/setup-codeql-action.js generated
View File

@@ -86780,7 +86780,7 @@ var GitHubFeatureFlags = class {
remoteFlags = { ...remoteFlags, ...chunkFlags }; remoteFlags = { ...remoteFlags, ...chunkFlags };
} }
this.logger.debug( this.logger.debug(
"Loaded the following default values for the feature flags from the Code Scanning API:" "Loaded the following default values for the feature flags from the CodeQL Action API:"
); );
for (const [feature, value] of Object.entries(remoteFlags).sort( for (const [feature, value] of Object.entries(remoteFlags).sort(
([nameA], [nameB]) => nameA.localeCompare(nameB) ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -86793,7 +86793,7 @@ var GitHubFeatureFlags = class {
const httpError = asHTTPError(e); const httpError = asHTTPError(e);
if (httpError?.status === 403) { if (httpError?.status === 403) {
this.logger.warning( this.logger.warning(
`This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
); );
this.hasAccessedRemoteFeatureFlags = false; this.hasAccessedRemoteFeatureFlags = false;
return {}; return {};
@@ -88750,8 +88750,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
return void 0; return void 0;
} }
} }
var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
async function sendStatusReport(statusReport) { async function sendStatusReport(statusReport) {
setJobStatusIfUnsuccessful(statusReport.status); setJobStatusIfUnsuccessful(statusReport.status);
const statusReportJSON = JSON.stringify(statusReport); const statusReportJSON = JSON.stringify(statusReport);
@@ -88778,10 +88778,12 @@ async function sendStatusReport(statusReport) {
case 403: case 403:
if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
core11.warning( core11.warning(
`Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
); );
} else { } else {
core11.warning(httpError.message); core11.warning(
`This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
);
} }
return; return;
case 404: case 404:
@@ -88797,7 +88799,7 @@ async function sendStatusReport(statusReport) {
} }
} }
core11.warning( core11.warning(
`An unexpected error occurred when sending code scanning status report: ${getErrorMessage( `An unexpected error occurred when sending a status report: ${getErrorMessage(
e e
)}` )}`
); );

12
lib/start-proxy-action.js generated
View File

@@ -97005,8 +97005,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
return void 0; return void 0;
} }
} }
var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
async function sendStatusReport(statusReport) { async function sendStatusReport(statusReport) {
setJobStatusIfUnsuccessful(statusReport.status); setJobStatusIfUnsuccessful(statusReport.status);
const statusReportJSON = JSON.stringify(statusReport); const statusReportJSON = JSON.stringify(statusReport);
@@ -97033,10 +97033,12 @@ async function sendStatusReport(statusReport) {
case 403: case 403:
if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
core10.warning( core10.warning(
`Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
); );
} else { } else {
core10.warning(httpError.message); core10.warning(
`This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
);
} }
return; return;
case 404: case 404:
@@ -97052,7 +97054,7 @@ async function sendStatusReport(statusReport) {
} }
} }
core10.warning( core10.warning(
`An unexpected error occurred when sending code scanning status report: ${getErrorMessage( `An unexpected error occurred when sending a status report: ${getErrorMessage(
e e
)}` )}`
); );

16
lib/upload-sarif-action.js generated
View File

@@ -89723,7 +89723,7 @@ var GitHubFeatureFlags = class {
remoteFlags = { ...remoteFlags, ...chunkFlags }; remoteFlags = { ...remoteFlags, ...chunkFlags };
} }
this.logger.debug( this.logger.debug(
"Loaded the following default values for the feature flags from the Code Scanning API:" "Loaded the following default values for the feature flags from the CodeQL Action API:"
); );
for (const [feature, value] of Object.entries(remoteFlags).sort( for (const [feature, value] of Object.entries(remoteFlags).sort(
([nameA], [nameB]) => nameA.localeCompare(nameB) ([nameA], [nameB]) => nameA.localeCompare(nameB)
@@ -89736,7 +89736,7 @@ var GitHubFeatureFlags = class {
const httpError = asHTTPError(e); const httpError = asHTTPError(e);
if (httpError?.status === 403) { if (httpError?.status === 403) {
this.logger.warning( this.logger.warning(
`This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}` `This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. As a result, it will not be opted into any experimental features. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
); );
this.hasAccessedRemoteFeatureFlags = false; this.hasAccessedRemoteFeatureFlags = false;
return {}; return {};
@@ -89987,8 +89987,8 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
return void 0; return void 0;
} }
} }
var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; var OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; var INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
async function sendStatusReport(statusReport) { async function sendStatusReport(statusReport) {
setJobStatusIfUnsuccessful(statusReport.status); setJobStatusIfUnsuccessful(statusReport.status);
const statusReportJSON = JSON.stringify(statusReport); const statusReportJSON = JSON.stringify(statusReport);
@@ -90015,10 +90015,12 @@ async function sendStatusReport(statusReport) {
case 403: case 403:
if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") { if (getWorkflowEventName() === "push" && process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
core9.warning( core9.warning(
`Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.` `Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading CodeQL results requires write access. To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See ${"https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push" /* SCANNING_ON_PUSH */} for more information on how to configure these events.`
); );
} else { } else {
core9.warning(httpError.message); core9.warning(
`This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. This could be because the Action is running on a pull request from a fork. If not, please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`
);
} }
return; return;
case 404: case 404:
@@ -90034,7 +90036,7 @@ async function sendStatusReport(statusReport) {
} }
} }
core9.warning( core9.warning(
`An unexpected error occurred when sending code scanning status report: ${getErrorMessage( `An unexpected error occurred when sending a status report: ${getErrorMessage(
e e
)}` )}`
); );

3
src/analyze-action-env.test.ts
View File

@@ -24,6 +24,9 @@ setupTests(test);
// but the first test would fail. // but the first test would fail.
test("analyze action with RAM & threads from environment variables", async (t) => { test("analyze action with RAM & threads from environment variables", async (t) => {
// This test frequently times out on Windows with the default timeout, so we bump
// it a bit to 20s.
t.timeout(1000 * 20);
await util.withTmpDir(async (tmpDir) => { await util.withTmpDir(async (tmpDir) => {
process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL; process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository"; process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";

1
src/analyze-action-input.test.ts
View File

@@ -24,6 +24,7 @@ setupTests(test);
// but the first test would fail. // but the first test would fail.
test("analyze action with RAM & threads from action inputs", async (t) => { test("analyze action with RAM & threads from action inputs", async (t) => {
t.timeout(1000 * 20);
await util.withTmpDir(async (tmpDir) => { await util.withTmpDir(async (tmpDir) => {
process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL; process.env["GITHUB_SERVER_URL"] = util.GITHUB_DOTCOM_URL;
process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository"; process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";

6
src/feature-flags.ts
View File

@@ -653,7 +653,7 @@ class GitHubFeatureFlags {
} }
this.logger.debug( this.logger.debug(
"Loaded the following default values for the feature flags from the Code Scanning API:", "Loaded the following default values for the feature flags from the CodeQL Action API:",
); );
for (const [feature, value] of Object.entries(remoteFlags).sort( for (const [feature, value] of Object.entries(remoteFlags).sort(
([nameA], [nameB]) => nameA.localeCompare(nameB), ([nameA], [nameB]) => nameA.localeCompare(nameB),
@@ -666,10 +666,10 @@ class GitHubFeatureFlags {
const httpError = util.asHTTPError(e); const httpError = util.asHTTPError(e);
if (httpError?.status === 403) { if (httpError?.status === 403) {
this.logger.warning( this.logger.warning(
"This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. " + "This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
"As a result, it will not be opted into any experimental features. " + "As a result, it will not be opted into any experimental features. " +
"This could be because the Action is running on a pull request from a fork. If not, " + "This could be because the Action is running on a pull request from a fork. If not, " +
`please ensure the Action has the 'security-events: write' permission. Details: ${httpError.message}`, `please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
); );
this.hasAccessedRemoteFeatureFlags = false; this.hasAccessedRemoteFeatureFlags = false;
return {}; return {};

16
src/status-report.ts
View File

@@ -387,9 +387,9 @@ export async function createStatusReportBase(
} }
const OUT_OF_DATE_MSG = const OUT_OF_DATE_MSG =
"CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."; "CodeQL Action is out-of-date. Please upgrade to the latest version of `codeql-action`.";
const INCOMPATIBLE_MSG = const INCOMPATIBLE_MSG =
"CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."; "CodeQL Action version is incompatible with the API endpoint. Please update to a compatible version of `codeql-action`.";
/** /**
* Send a status report to the code_scanning/analysis/status endpoint. * Send a status report to the code_scanning/analysis/status endpoint.
@@ -439,12 +439,16 @@ export async function sendStatusReport<S extends StatusReportBase>(
) { ) {
core.warning( core.warning(
'Workflows triggered by Dependabot on the "push" event run with read-only access. ' + 'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
"Uploading Code Scanning results requires write access. " + "Uploading CodeQL results requires write access. " +
'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' + 'To use CodeQL with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
`See ${DocUrl.SCANNING_ON_PUSH} for more information on how to configure these events.`, `See ${DocUrl.SCANNING_ON_PUSH} for more information on how to configure these events.`,
); );
} else { } else {
core.warning(httpError.message); core.warning(
"This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. " +
"This could be because the Action is running on a pull request from a fork. If not, " +
`please ensure the workflow has at least the 'security-events: read' permission. Details: ${httpError.message}`,
);
} }
return; return;
case 404: case 404:
@@ -466,7 +470,7 @@ export async function sendStatusReport<S extends StatusReportBase>(
// something else has gone wrong and the request/response will be logged by octokit // something else has gone wrong and the request/response will be logged by octokit
// it's possible this is a transient error and we should continue scanning // it's possible this is a transient error and we should continue scanning
core.warning( core.warning(
`An unexpected error occurred when sending code scanning status report: ${getErrorMessage( `An unexpected error occurred when sending a status report: ${getErrorMessage(
e, e,
)}`, )}`,
); );