This will allow feature flags to be shared across steps in the same job,
avoiding an error we saw earlier where the init action had the flag
enabled, but the analyze step had it disabled.
This uses the runner's temp folder to cache the flags file, which will
stick around until the job completes.
This commit centralizes how feature flags are handled. All feature flags
must now add an entry in the `featureFlagConfig` dictionary. This
dictionary associates the flag with an environment variable name and
optionally a minimum version for CodeQL.
The new logic is:
- if the environment variable is set to false: disabled
- if the minimum version requirement specified and met: disabled
- if the environment variable is set to true: enable
- Otherwise check feature flag enablement from the server
This change adds:
- new `registries` block allowed in code scanning config file
- new `registries-auth-tokens` input in init action
- Change the downloadPacks function so that it accepts new parameters:
- registries block
- api auth
- Generate a qlconfig.yml file with the registries block if one is
supplied. Use this file when downloading packs.
- temporarily set the `GITHUB_TOKEN` and `CODEQL_REGISTRIES_AUTH` based
on api auth
TODO:
1. integration test
2. handle pack downloads when the config is generated by the CLI
This decorator enabled us to use the functionality of the Actions
toolcache within the runner too.
Now that we've deleted the runner we no longer need it.
.substr() is deprecated so we replace it with .slice() which works similarily but isn't deprecated
Signed-off-by: Tobias Speicher <rootcommander@gmail.com>
This commit adds a `UserError` class that should be thrown when the
cause of an error is fundamentally from user configuration.
When sending status reports, avoid sending a `failure` for `UserError`s.
This will prevent our diagnostics from pinging us for errors outside of
our control.
The new name `ml_powered_javascript_queries` is more consistent with
status report fields for analysis and interpretation duration metrics.
This isn't a breaking change since the old name never made it into the
GitHub API.
And add a better error message.
By using `void` instead of `await`, any error thrown is not caught
by surrounding try-catch blocks.
I could continue to use `void` and explicitly handle any thrown errors
by using `.catch`, but most likely the time savings is minimal and
this makes the code more complex.
4.4.2 introduces a breaking change that the variable in a catch clause
is now `unknown` type. So, we need to cast the `e`, `err`, or `error`
variables to type `Error`.
In the previous commit, the default value of the input is ${{ github.workspace }}
which means that most uses of this input would probably prefix their paths with
${{ github.workspace }}, especially since actions/checkout's 'path' input
must be under ${{ github.workspace }}. Therefore, it doesn't make much sense for
this to be an absolute file path.
Instead, it's more intuitive to make this relative to the repository.
This input is exposed in the CodeQL CLI as the flag --source-root, allowing
users of the CLI to set --source-root different from --working-dir. However,
in codeql-action, these two paths are conflated and it poses problems for
users with complicated build environments, in which a source root may be
a child of the working directory.
Most users should not notice this, as the default value is
${{ github.workspace }}, as it is implied now (`path.resolve()`).
This input allows users to specify which packs to run. It works in
unison with the packs block of the config file and it is similar to
how `queries` works. They both use `+` in the same way.
Note that the `#TODO` in the pr check is still around, but the CLI
is available. I will remove the TODO in the next commit.
