Previously, with the config parsing in the cli feature flag turned on,
the CLI was not able to download packs from other registries. This PR
adds the codeql-action changes required for this. The CLI changes will
be in a separate, internal PR.
This commit does a few related things:
1. Bumps the minimum version for cli config parsing to 2.10.6
2. Ensures that if cli config parsing is enabled, then remove repos
are _not_ downloaded by the action. It happens in the CLI.
3. Passes the `--external-repository-token-stdin` option to the CLI
and passes the appropriate token via stdin if cli config parsing is
enabled.
If a user explicitly includes java in their language inputs, always
make an api call to check for kotlin in the repo.
Also, add some suggestions from code reviews.
This works by moving the logic to check for toolcache bypass out of
creating the codeql instance. The logic now _may_ perform an API request
in order to check what languages are in the repository. This check is
redundant because the same call is being made later in the action when
the actual list of languages is calculated.
This commit centralizes how feature flags are handled. All feature flags
must now add an entry in the `featureFlagConfig` dictionary. This
dictionary associates the flag with an environment variable name and
optionally a minimum version for CodeQL.
The new logic is:
- if the environment variable is set to false: disabled
- if the minimum version requirement specified and met: disabled
- if the environment variable is set to true: enable
- Otherwise check feature flag enablement from the server
This change adds:
- new `registries` block allowed in code scanning config file
- new `registries-auth-tokens` input in init action
- Change the downloadPacks function so that it accepts new parameters:
- registries block
- api auth
- Generate a qlconfig.yml file with the registries block if one is
supplied. Use this file when downloading packs.
- temporarily set the `GITHUB_TOKEN` and `CODEQL_REGISTRIES_AUTH` based
on api auth
TODO:
1. integration test
2. handle pack downloads when the config is generated by the CLI
When someone creates an invalid `queries` entry in the codeql config
file, like this:
```
queries:
- foo.ql
```
THe error message is confusing, looking like this:
```
Error: Cannot use 'in' operator to search for 'uses' in ql/ql/src
TypeError: Cannot use 'in' operator to search for 'uses' in ql/ql/src
at loadConfig (/home/runner/work/_actions/github/codeql-action/71a8b35ff4c80fcfcd05bc1cd932fe3c08f943ca/lib/config-utils.js:577:41)
```
With this change, the error message is more comprehensible:
`queries must be an array, with each entry having a 'uses' property`
