Include repo property queries in combineQueries

2025-12-30 19:20:08 +08:00 · 2025-09-20 13:36:01 +01:00
parent 1bfb67dae0
commit d14a2122fd
3 changed files with 58 additions and 21 deletions
--- a/src/codeql.test.ts
+++ b/src/codeql.test.ts
@@ -659,15 +659,15 @@ test(
  },
  {
    queries: [
-      {
-        uses: "zzz",
-      },
      {
        uses: "xxx",
      },
      {
        uses: "yyy",
      },
+      {
+        uses: "zzz",
+      },
    ],
  },
 );
--- a/src/config/db-config.ts
+++ b/src/config/db-config.ts
@@ -364,25 +364,53 @@ function parseQueriesFromInput(
 /**
 * Combines queries from various configuration sources.
 *
- * @param augmentedConfig The loaded configuration file (either `config-file` or `config` input).
+ * @param config The loaded configuration file (either `config-file` or `config` input).
 * @param augmentationProperties Additional configuration data from other sources.
 * @returns Returns `augmentedConfig` with `queries` set to the computed array of queries.
 */
 function combineQueries(
-  augmentedConfig: UserConfig,
+  config: UserConfig,
  augmentationProperties: AugmentationProperties,
-): QuerySpec[] | undefined {
-  if (augmentationProperties.queriesInput) {
-    if (augmentationProperties.queriesInputCombines) {
-      return (augmentedConfig.queries || []).concat(
-        augmentationProperties.queriesInput,
-      );
+): QuerySpec[] {
+  const result: QuerySpec[] = [];
+
+  // Query settings obtained from the repository properties have the highest precedence.
+  if (
+    augmentationProperties.repoPropertyQueries &&
+    augmentationProperties.repoPropertyQueries.input
+  ) {
+    // If there are queries configured as a repository property, these may be organisational
+    // settings. If they don't allow combining with other query configurations, return just the
+    // ones configured in the repository properties.
+    if (!augmentationProperties.repoPropertyQueries.combines) {
+      return augmentationProperties.repoPropertyQueries.input;
    } else {
-      return augmentationProperties.queriesInput;
+      // Otherwise, add them to the query array and continue.
+      result.push(...augmentationProperties.repoPropertyQueries.input);
    }
  }

-  return augmentedConfig.queries;
+  // If there is a `queries` input to the Action, it has the next highest precedence.
+  if (augmentationProperties.queriesInput) {
+    // If there is a `queries` input and `queriesInputCombines` is `false`, then we don't
+    // combine it with the queries configured in the configuration file (if any). That is the
+    // original behaviour of this property. However, we DO combine it with any queries that
+    // we obtained from the repository properties, since that may be enforced by the organisation.
+    if (!augmentationProperties.queriesInputCombines) {
+      return result.concat(augmentationProperties.queriesInput);
+    } else {
+      // If they combine, add them to the query array and continue.
+      result.push(...augmentationProperties.queriesInput);
+    }
+  }
+
+  // If we get to this point, we either don't have any extra configuration inputs or all of them
+  // allow themselves to be combined with the settings from the configuration file.
+  if (config.queries) {
+    result.push(...config.queries);
+  }
+
+  return result;
 }

 export function generateCodeScanningConfig(