This change adds:
- new `registries` block allowed in code scanning config file
- new `registries-auth-tokens` input in init action
- Change the downloadPacks function so that it accepts new parameters:
- registries block
- api auth
- Generate a qlconfig.yml file with the registries block if one is
supplied. Use this file when downloading packs.
- temporarily set the `GITHUB_TOKEN` and `CODEQL_REGISTRIES_AUTH` based
on api auth
TODO:
1. integration test
2. handle pack downloads when the config is generated by the CLI
This decorator enabled us to use the functionality of the Actions
toolcache within the runner too.
Now that we've deleted the runner we no longer need it.
In theory, a scanned language will not setup the build tracer, and so
shouldn't care about lua versus legacy tracing. However, `go` is a
special case where the autobuilder runs under the build tracer, that
then gets disabled immediately again, unless a special environment
variable is used.
Therefore, we need to thread through the feature flag to this
`database trace-command` invocation. For other scanned languages,
this should be a no-op, as no tracing is ever set up.
4.4.2 introduces a breaking change that the variable in a catch clause
is now `unknown` type. So, we need to cast the `e`, `err`, or `error`
variables to type `Error`.
This input is exposed in the CodeQL CLI as the flag --source-root, allowing
users of the CLI to set --source-root different from --working-dir. However,
in codeql-action, these two paths are conflated and it poses problems for
users with complicated build environments, in which a source root may be
a child of the working directory.
Most users should not notice this, as the default value is
${{ github.workspace }}, as it is implied now (`path.resolve()`).
This input allows users to specify which packs to run. It works in
unison with the packs block of the config file and it is similar to
how `queries` works. They both use `+` in the same way.
Note that the `#TODO` in the pr check is still around, but the CLI
is available. I will remove the TODO in the next commit.
This PR ensures environment variables are set before any invocation of
the CLI. Here is a list of vars that are set:
https://github.com/github/codeql-coreql-team/issues/1124#issuecomment-852463521
This ensures the CLI knows the features and versions of the containing
actions/runner.
Additionally:
- Fix the user agent so that it more closely aligns with user agent
spec
- Refactor environment variable initialization so that it all happens in
one place and call.
- Move Mode, getRequiredEnvParam, setMode, getMode out of actions-util
and into util. actions-util is meant for utils only called by the
action, not the runner.
The `prepareLocalRunEnvironment()` method is most likely deprecated and
should be removed. I originally added it because I had a way of working
where I would run the action from my local machine to test out changes,
but this was always a little flaky. So, I no longer use this way of
working. I will probably remove it soon.
This commit changes the way the action determines if running in action
or runner mode. There is now an environment variable that is set at the
beginning of the process and elsewhere in the process, we can check to
see if the variable is set.
Specifying a token as a cli input leads to a potential for leaking the
token on CI logs. This commit removes the option. Instead, users
should specify a single GitHub token through `--github-auth-stdin` or
by setting the `GITHUB_TOKEN` environment variable. This token should be
created with enough privileges to access the required repository.
This commit adds two new ways of specifying GitHub auth:
1. from the GITHUB_TOKEN environment variable
2. from standard input
This commit does not include any documentation changes and the
descriptions of new command line options will need to be tweaked.
