Merge branch 'main' into update-bundle/codeql-bundle-v2.22.0

2026-01-04 21:50:17 +08:00 · 2025-06-10 06:56:41 -07:00
parent 3855117ba1 7cb9b16051
commit efd43b3097
41 changed files with 107 additions and 424 deletions
--- a/src/analyze.ts
+++ b/src/analyze.ts
@@ -24,7 +24,6 @@ import { isScannedLanguage, Language } from "./languages";
 import { Logger, withGroupAsync } from "./logging";
 import { getRepositoryNwoFromEnv } from "./repository";
 import { DatabaseCreationTimings, EventReport } from "./status-report";
-import { ToolsFeature } from "./tools-features";
 import { endTracingForCluster } from "./tracer-config";
 import * as util from "./util";
 import { BuildMode } from "./util";
@@ -167,10 +166,7 @@ export async function runExtraction(
      if (language === Language.python) {
        await setupPythonExtractor(logger);
      }
-      if (
-        config.buildMode &&
-        (await codeql.supportsFeature(ToolsFeature.TraceCommandUseBuildMode))
-      ) {
+      if (config.buildMode) {
        if (
          language === Language.cpp &&
          config.buildMode === BuildMode.Autobuild
--- a/src/autobuild.ts
+++ b/src/autobuild.ts
@@ -10,17 +10,15 @@ import { Feature, featureConfig, Features } from "./feature-flags";
 import { isTracedLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import { getRepositoryNwo } from "./repository";
-import { ToolsFeature } from "./tools-features";
 import { BuildMode } from "./util";

 export async function determineAutobuildLanguages(
-  codeql: CodeQL,
+  _codeql: CodeQL,
  config: configUtils.Config,
  logger: Logger,
 ): Promise<Language[] | undefined> {
  if (
-    (config.buildMode === BuildMode.None &&
-      (await codeql.supportsFeature(ToolsFeature.TraceCommandUseBuildMode))) ||
+    config.buildMode === BuildMode.None ||
    config.buildMode === BuildMode.Manual
  ) {
    logger.info(
@@ -160,10 +158,7 @@ export async function runAutobuild(
  if (language === Language.cpp) {
    await setupCppAutobuild(codeQL, logger);
  }
-  if (
-    config.buildMode &&
-    (await codeQL.supportsFeature(ToolsFeature.TraceCommandUseBuildMode))
-  ) {
+  if (config.buildMode) {
    await codeQL.extractUsingBuildMode(config, language);
  } else {
    await codeQL.runAutobuild(config, language);
--- a/src/codeql.ts
+++ b/src/codeql.ts
@@ -280,7 +280,7 @@ let cachedCodeQL: CodeQL | undefined = undefined;
 * The version flags below can be used to conditionally enable certain features
 * on versions newer than this.
 */
-const CODEQL_MINIMUM_VERSION = "2.15.5";
+const CODEQL_MINIMUM_VERSION = "2.16.6";

 /**
 * This version will shortly become the oldest version of CodeQL that the Action will run with.
@@ -582,10 +582,7 @@ export async function getCodeQLForCmd(
        extraArgs.push("--external-repository-token-stdin");
      }

-      if (
-        config.buildMode !== undefined &&
-        (await this.supportsFeature(ToolsFeature.BuildModeOption))
-      ) {
+      if (config.buildMode !== undefined) {
        extraArgs.push(`--build-mode=${config.buildMode}`);
      }
      if (qlconfigFile !== undefined) {
--- a/src/init-action.ts
+++ b/src/init-action.ts
@@ -60,7 +60,6 @@ import {
  checkDiskUsage,
  checkForTimeout,
  checkGitHubVersionInRange,
-  checkSipEnablement,
  codeQlVersionAtLeast,
  DEFAULT_DEBUG_ARTIFACT_NAME,
  DEFAULT_DEBUG_DATABASE_NAME,
@@ -340,39 +339,34 @@ async function run() {
    }
    core.endGroup();

-    config = await initConfig(
-      {
-        languagesInput: getOptionalInput("languages"),
-        queriesInput: getOptionalInput("queries"),
-        packsInput: getOptionalInput("packs"),
-        buildModeInput: getOptionalInput("build-mode"),
-        configFile,
-        dbLocation: getOptionalInput("db-location"),
-        configInput: getOptionalInput("config"),
-        trapCachingEnabled: getTrapCachingEnabled(),
-        dependencyCachingEnabled: getDependencyCachingEnabled(),
-        // Debug mode is enabled if:
-        // - The `init` Action is passed `debug: true`.
-        // - Actions step debugging is enabled (e.g. by [enabling debug logging for a rerun](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow),
-        //   or by setting the `ACTIONS_STEP_DEBUG` secret to `true`).
-        debugMode: getOptionalInput("debug") === "true" || core.isDebug(),
-        debugArtifactName:
-          getOptionalInput("debug-artifact-name") ||
-          DEFAULT_DEBUG_ARTIFACT_NAME,
-        debugDatabaseName:
-          getOptionalInput("debug-database-name") ||
-          DEFAULT_DEBUG_DATABASE_NAME,
-        repository: repositoryNwo,
-        tempDir: getTemporaryDirectory(),
-        codeql,
-        workspacePath: getRequiredEnvParam("GITHUB_WORKSPACE"),
-        githubVersion: gitHubVersion,
-        apiDetails,
-        features,
-        logger,
-      },
+    config = await initConfig({
+      languagesInput: getOptionalInput("languages"),
+      queriesInput: getOptionalInput("queries"),
+      packsInput: getOptionalInput("packs"),
+      buildModeInput: getOptionalInput("build-mode"),
+      configFile,
+      dbLocation: getOptionalInput("db-location"),
+      configInput: getOptionalInput("config"),
+      trapCachingEnabled: getTrapCachingEnabled(),
+      dependencyCachingEnabled: getDependencyCachingEnabled(),
+      // Debug mode is enabled if:
+      // - The `init` Action is passed `debug: true`.
+      // - Actions step debugging is enabled (e.g. by [enabling debug logging for a rerun](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow),
+      //   or by setting the `ACTIONS_STEP_DEBUG` secret to `true`).
+      debugMode: getOptionalInput("debug") === "true" || core.isDebug(),
+      debugArtifactName:
+        getOptionalInput("debug-artifact-name") || DEFAULT_DEBUG_ARTIFACT_NAME,
+      debugDatabaseName:
+        getOptionalInput("debug-database-name") || DEFAULT_DEBUG_DATABASE_NAME,
+      repository: repositoryNwo,
+      tempDir: getTemporaryDirectory(),
      codeql,
-    );
+      workspacePath: getRequiredEnvParam("GITHUB_WORKSPACE"),
+      githubVersion: gitHubVersion,
+      apiDetails,
+      features,
+      logger,
+    });

    await checkInstallPython311(config.languages, codeql);
  } catch (unwrappedError) {
@@ -623,32 +617,11 @@ async function run() {
      await downloadDependencyCaches(config.languages, logger);
    }

-    // For CLI versions <2.15.1, build tracing caused errors in macOS ARM machines with
-    // System Integrity Protection (SIP) disabled.
-    if (
-      !(await codeQlVersionAtLeast(codeql, "2.15.1")) &&
-      process.platform === "darwin" &&
-      (process.arch === "arm" || process.arch === "arm64") &&
-      !(await checkSipEnablement(logger))
-    ) {
-      logger.warning(
-        "CodeQL versions 2.15.0 and lower are not supported on macOS ARM machines with System Integrity Protection (SIP) disabled.",
-      );
-    }
-
-    // From 2.16.0 the default for the python extractor is to not perform any
-    // dependency extraction. For versions before that, you needed to set this flag to
-    // enable this behavior.
-
+    // Suppress warnings about disabled Python library extraction.
    if (await codeQlVersionAtLeast(codeql, "2.17.1")) {
      // disabled by default, no warning
-    } else if (await codeQlVersionAtLeast(codeql, "2.16.0")) {
-      // disabled by default, prints warning if environment variable is not set
-      core.exportVariable(
-        "CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION",
-        "true",
-      );
    } else {
+      // disabled by default, prints warning if environment variable is not set
      core.exportVariable(
        "CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION",
        "true",
--- a/src/init.test.ts
+++ b/src/init.test.ts
@@ -3,12 +3,7 @@ import path from "path";

 import test from "ava";

-import { Config } from "./config-utils";
-import {
-  cleanupDatabaseClusterDirectory,
-  printPathFiltersWarning,
-} from "./init";
-import { Language } from "./languages";
+import { cleanupDatabaseClusterDirectory } from "./init";
 import {
  LoggedMessage,
  createTestConfig,
@@ -19,30 +14,6 @@ import { ConfigurationError, withTmpDir } from "./util";

 setupTests(test);

-test("printPathFiltersWarning does not trigger when 'paths' and 'paths-ignore' are undefined", async (t) => {
-  const messages: LoggedMessage[] = [];
-  printPathFiltersWarning(
-    {
-      languages: [Language.cpp],
-      originalUserInput: {},
-    } as Partial<Config> as Config,
-    getRecordingLogger(messages),
-  );
-  t.is(messages.length, 0);
-});
-
-test("printPathFiltersWarning does not trigger when 'paths' and 'paths-ignore' are empty", async (t) => {
-  const messages: LoggedMessage[] = [];
-  printPathFiltersWarning(
-    {
-      languages: [Language.cpp],
-      originalUserInput: { paths: [], "paths-ignore": [] },
-    } as Partial<Config> as Config,
-    getRecordingLogger(messages),
-  );
-  t.is(messages.length, 0);
-});
-
 test("cleanupDatabaseClusterDirectory cleans up where possible", async (t) => {
  await withTmpDir(async (tmpDir: string) => {
    const dbLocation = path.resolve(tmpDir, "dbs");
--- a/src/init.ts
+++ b/src/init.ts
@@ -11,8 +11,8 @@ import { CodeQL, setupCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
 import { CodeQLDefaultVersionInfo, FeatureEnablement } from "./feature-flags";
 import { getGitRoot } from "./git-utils";
-import { Language, isScannedLanguage } from "./languages";
-import { Logger } from "./logging";
+import { Language } from "./languages";
+import { Logger, withGroupAsync } from "./logging";
 import {
  CODEQL_OVERLAY_MINIMUM_VERSION,
  OverlayDatabaseMode,
@@ -20,7 +20,6 @@ import {
 import { ToolsSource } from "./setup-codeql";
 import { ZstdAvailability } from "./tar";
 import { ToolsDownloadStatusReport } from "./tools-download";
-import { ToolsFeature } from "./tools-features";
 import { TracerConfig, getCombinedTracerConfig } from "./tracer-config";
 import * as util from "./util";

@@ -69,20 +68,10 @@ export async function initCodeQL(

 export async function initConfig(
  inputs: configUtils.InitConfigInputs,
-  codeql: CodeQL,
 ): Promise<configUtils.Config> {
-  const logger = inputs.logger;
-  logger.startGroup("Load language configuration");
-  const config = await configUtils.initConfig(inputs);
-  if (
-    !(await codeql.supportsFeature(
-      ToolsFeature.InformsAboutUnsupportedPathFilters,
-    ))
-  ) {
-    printPathFiltersWarning(config, logger);
-  }
-  logger.endGroup();
-  return config;
+  return await withGroupAsync("Load language configuration", async () => {
+    return await configUtils.initConfig(inputs);
+  });
 }

 export async function getOverlayDatabaseMode(
@@ -164,23 +153,6 @@ export async function runInit(
  return await getCombinedTracerConfig(codeql, config);
 }

-export function printPathFiltersWarning(
-  config: configUtils.Config,
-  logger: Logger,
-) {
-  // Index include/exclude/filters only work in javascript/python/ruby.
-  // If any other languages are detected/configured then show a warning.
-  if (
-    (config.originalUserInput.paths?.length ||
-      config.originalUserInput["paths-ignore"]?.length) &&
-    !config.languages.every(isScannedLanguage)
-  ) {
-    logger.warning(
-      'The "paths"/"paths-ignore" fields of the config only have effect for JavaScript, Python, and Ruby',
-    );
-  }
-}
-
 /**
 * If we are running python 3.12+ on windows, we need to switch to python 3.11.
 * This check happens in a powershell script.
--- a/src/tools-features.test.ts
+++ b/src/tools-features.test.ts
@@ -6,33 +6,9 @@ import { ToolsFeature, isSupportedToolsFeature } from "./tools-features";
 test("isSupportedToolsFeature", async (t) => {
  const versionInfo = makeVersionInfo("1.0.0");

-  t.false(
-    isSupportedToolsFeature(
-      versionInfo,
-      ToolsFeature.IndirectTracingSupportsStaticBinaries,
-    ),
-  );
+  t.false(isSupportedToolsFeature(versionInfo, ToolsFeature.ForceOverwrite));

-  versionInfo.features = { indirectTracingSupportsStaticBinaries: true };
+  versionInfo.features = { forceOverwrite: true };

-  t.true(
-    isSupportedToolsFeature(
-      versionInfo,
-      ToolsFeature.IndirectTracingSupportsStaticBinaries,
-    ),
-  );
-});
-
-test("setsCodeqlRunnerEnvVar", async (t) => {
-  const versionInfo = makeVersionInfo("1.0.0");
-
-  t.false(
-    isSupportedToolsFeature(versionInfo, ToolsFeature.SetsCodeqlRunnerEnvVar),
-  );
-
-  versionInfo.features = { setsCodeqlRunnerEnvVar: true };
-
-  t.true(
-    isSupportedToolsFeature(versionInfo, ToolsFeature.SetsCodeqlRunnerEnvVar),
-  );
+  t.true(isSupportedToolsFeature(versionInfo, ToolsFeature.ForceOverwrite));
 });
--- a/src/tools-features.ts
+++ b/src/tools-features.ts
@@ -4,12 +4,8 @@ import type { VersionInfo } from "./codeql";

 export enum ToolsFeature {
  AnalysisSummaryV2IsDefault = "analysisSummaryV2Default",
-  BuildModeOption = "buildModeOption",
  DatabaseInterpretResultsSupportsSarifRunProperty = "databaseInterpretResultsSupportsSarifRunProperty",
  IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
-  InformsAboutUnsupportedPathFilters = "informsAboutUnsupportedPathFilters",
-  SetsCodeqlRunnerEnvVar = "setsCodeqlRunnerEnvVar",
-  TraceCommandUseBuildMode = "traceCommandUseBuildMode",
  SarifMergeRunsFromEqualCategory = "sarifMergeRunsFromEqualCategory",
  ForceOverwrite = "forceOverwrite",
  PythonDefaultIsToNotExtractStdlib = "pythonDefaultIsToNotExtractStdlib",
--- a/src/tracer-config.test.ts
+++ b/src/tracer-config.test.ts
@@ -35,7 +35,7 @@ test("getCombinedTracerConfig - return undefined when no languages are traced la
  });
 });

-test("getCombinedTracerConfig - with start-tracing.json environment file", async (t) => {
+test("getCombinedTracerConfig", async (t) => {
  await util.withTmpDir(async (tmpDir) => {
    const config = getTestConfig(tmpDir);

@@ -70,66 +70,6 @@ test("getCombinedTracerConfig - with start-tracing.json environment file", async
    );
    t.notDeepEqual(result, undefined);

-    const expectedEnv = startTracingEnv;
-
-    if (process.platform === "win32") {
-      expectedEnv["CODEQL_RUNNER"] = path.join(
-        bundlePath,
-        "tools/win64/runner.exe",
-      );
-    } else if (process.platform === "darwin") {
-      expectedEnv["CODEQL_RUNNER"] = path.join(
-        bundlePath,
-        "tools/osx64/runner",
-      );
-    } else {
-      expectedEnv["CODEQL_RUNNER"] = path.join(
-        bundlePath,
-        "tools/linux64/runner",
-      );
-    }
-
-    t.deepEqual(result, {
-      env: expectedEnv,
-    });
-  });
-});
-
-test("getCombinedTracerConfig - with SetsCodeqlRunnerEnvVar feature enabled in CLI", async (t) => {
-  await util.withTmpDir(async (tmpDir) => {
-    const config = getTestConfig(tmpDir);
-
-    const bundlePath = path.join(tmpDir, "bundle");
-    const codeqlPlatform =
-      process.platform === "win32"
-        ? "win64"
-        : process.platform === "darwin"
-          ? "osx64"
-          : "linux64";
-    const startTracingEnv = {
-      foo: "bar",
-      CODEQL_DIST: bundlePath,
-      CODEQL_PLATFORM: codeqlPlatform,
-    };
-
-    const tracingEnvironmentDir = path.join(
-      config.dbLocation,
-      "temp",
-      "tracingEnvironment",
-    );
-    fs.mkdirSync(tracingEnvironmentDir, { recursive: true });
-    const startTracingJson = path.join(
-      tracingEnvironmentDir,
-      "start-tracing.json",
-    );
-    fs.writeFileSync(startTracingJson, JSON.stringify(startTracingEnv));
-
-    const result = await getCombinedTracerConfig(
-      mockCodeQLVersion("1.0.0", { setsCodeqlRunnerEnvVar: true }),
-      config,
-    );
-    t.notDeepEqual(result, undefined);
-
    t.false(Object.prototype.hasOwnProperty.call(result?.env, "CODEQL_RUNNER"));
  });
 });
--- a/src/tracer-config.ts
+++ b/src/tracer-config.ts
@@ -5,7 +5,6 @@ import { type CodeQL } from "./codeql";
 import { type Config } from "./config-utils";
 import { isTracedLanguage } from "./languages";
 import { Logger } from "./logging";
-import { ToolsFeature } from "./tools-features";
 import { BuildMode } from "./util";

 export type TracerConfig = {
@@ -13,7 +12,7 @@ export type TracerConfig = {
 };

 export async function shouldEnableIndirectTracing(
-  codeql: CodeQL,
+  _codeql: CodeQL,
  config: Config,
 ): Promise<boolean> {
  // We don't need to trace build mode none, or languages which unconditionally don't need tracing.
@@ -23,10 +22,7 @@ export async function shouldEnableIndirectTracing(

  // If the CLI supports `trace-command` with a `--build-mode`, we'll use direct tracing instead of
  // indirect tracing.
-  if (
-    config.buildMode === BuildMode.Autobuild &&
-    (await codeql.supportsFeature(ToolsFeature.TraceCommandUseBuildMode))
-  ) {
+  if (config.buildMode === BuildMode.Autobuild) {
    return false;
  }

@@ -106,25 +102,5 @@ export async function getCombinedTracerConfig(
    return undefined;
  }

-  const mainTracerConfig = await getTracerConfigForCluster(config);
-
-  // If the CLI doesn't yet support setting the CODEQL_RUNNER environment variable to
-  // the runner executable path, we set it here in the Action.
-  if (!(await codeql.supportsFeature(ToolsFeature.SetsCodeqlRunnerEnvVar))) {
-    // On macOS when System Integrity Protection is enabled, it's necessary to prefix
-    // the build command with the runner executable for indirect tracing, so we expose
-    // it here via the CODEQL_RUNNER environment variable.
-    // The executable also exists and works for other platforms so we unconditionally
-    // set the environment variable.
-    const runnerExeName =
-      process.platform === "win32" ? "runner.exe" : "runner";
-    mainTracerConfig.env["CODEQL_RUNNER"] = path.join(
-      mainTracerConfig.env["CODEQL_DIST"],
-      "tools",
-      mainTracerConfig.env["CODEQL_PLATFORM"],
-      runnerExeName,
-    );
-  }
-
-  return mainTracerConfig;
+  return await getTracerConfigForCluster(config);
 }