Fix spelling errors

spelling: executable
spelling: github
spelling: javascript
spelling: latest
spelling: occurred
spelling: parameter

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

lib/actions-util.js

@@ -328,7 +328,7 @@ function getWorkflowRunID() {
 }
 exports.getWorkflowRunID = getWorkflowRunID;
 /**
- * Get the analysis key paramter for the current job.
+ * Get the analysis key parameter for the current job.
  *
  * This will combine the workflow path and current job name.
  * Computing this the first time requires making requests to
@@ -434,6 +434,10 @@ function isHTTPError(arg) {
     var _a;
     return ((_a = arg) === null || _a === void 0 ? void 0 : _a.status) !== undefined && Number.isInteger(arg.status);
 }
+const GENERIC_403_MSG = "The repo on which this action is running is not opted-in to CodeQL code scanning.";
+const GENERIC_404_MSG = "Not authorized to used the CodeQL code scanning feature on this repo.";
+const OUT_OF_DATE_MSG = "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+const INCOMPATIBLE_MSG = "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
 /**
  * Send a status report to the code_scanning/analysis/status endpoint.
  *
@@ -462,30 +466,31 @@ async function sendStatusReport(statusReport) {
         return true;
     }
     catch (e) {
+        console.log(e);
         if (isHTTPError(e)) {
             switch (e.status) {
                 case 403:
-                    core.setFailed("The repo on which this action is running is not opted-in to CodeQL code scanning.");
+                    core.setFailed(e.message || GENERIC_403_MSG);
                     return false;
                 case 404:
-                    core.setFailed("Not authorized to used the CodeQL code scanning feature on this repo.");
+                    core.setFailed(GENERIC_404_MSG);
                     return false;
                 case 422:
                     // schema incompatibility when reporting status
                     // this means that this action version is no longer compatible with the API
                     // we still want to continue as it is likely the analysis endpoint will work
                     if (getRequiredEnvParam("GITHUB_SERVER_URL") !== util_1.GITHUB_DOTCOM_URL) {
-                        core.debug("CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.");
+                        core.debug(INCOMPATIBLE_MSG);
                     }
                     else {
-                        core.debug("CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.");
+                        core.debug(OUT_OF_DATE_MSG);
                     }
                     return true;
             }
         }
         // something else has gone wrong and the request/response will be logged by octokit
         // it's possible this is a transient error and we should continue scanning
-        core.error("An unexpected error occured when sending code scanning status report.");
+        core.error("An unexpected error occurred when sending code scanning status report.");
         return true;
     }
 }

lib/analysis-paths.js

@@ -28,7 +28,7 @@ function printPathFiltersWarning(config, logger) {
     // If any other languages are detected/configured then show a warning.
     if ((config.paths.length !== 0 || config.pathsIgnore.length !== 0) &&
         !config.languages.every(isInterpretedLanguage)) {
-        logger.warning('The "paths"/"paths-ignore" fields of the config only have effect for Javascript and Python');
+        logger.warning('The "paths"/"paths-ignore" fields of the config only have effect for JavaScript and Python');
     }
 }
 exports.printPathFiltersWarning = printPathFiltersWarning;

lib/codeql.js

@@ -54,6 +54,11 @@ function getCodeQLActionRepository(mode, logger) {
     if (mode !== "actions") {
         return CODEQL_DEFAULT_ACTION_REPOSITORY;
     }
+    else {
+        return getActionsCodeQLActionRepository(logger);
+    }
+}
+function getActionsCodeQLActionRepository(logger) {
     if (process.env["GITHUB_ACTION_REPOSITORY"] !== undefined) {
         return process.env["GITHUB_ACTION_REPOSITORY"];
     }
@@ -69,7 +74,7 @@ function getCodeQLActionRepository(mode, logger) {
     const relativeScriptPathParts = actions_util_1.getRelativeScriptPath().split(path.sep);
     return `${relativeScriptPathParts[0]}/${relativeScriptPathParts[1]}`;
 }
-async function getCodeQLBundleDownloadURL(apiDetails, mode, logger) {
+async function getCodeQLBundleDownloadURL(apiDetails, mode, variant, logger) {
     const codeQLActionRepository = getCodeQLActionRepository(mode, logger);
     const potentialDownloadSources = [
         // This GitHub instance, and this Action.
@@ -85,6 +90,30 @@ async function getCodeQLBundleDownloadURL(apiDetails, mode, logger) {
         return !self.slice(0, index).some((other) => fast_deep_equal_1.default(source, other));
     });
     const codeQLBundleName = getCodeQLBundleName();
+    if (variant === util.GitHubVariant.GHAE) {
+        try {
+            const release = await api
+                .getApiClient(apiDetails)
+                .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
+                tag: CODEQL_BUNDLE_VERSION,
+            });
+            const assetID = release.data.assets[codeQLBundleName];
+            if (assetID !== undefined) {
+                const download = await api
+                    .getApiClient(apiDetails)
+                    .request("GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}", { asset_id: assetID });
+                const downloadURL = download.data.url;
+                logger.info(`Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`);
+                return downloadURL;
+            }
+            else {
+                logger.info(`Attempted to fetch bundle from GitHub AE endpoint but the bundle ${codeQLBundleName} was not found in the assets ${JSON.stringify(release.data.assets)}.`);
+            }
+        }
+        catch (e) {
+            logger.info(`Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`);
+        }
+    }
     for (const downloadSource of uniqueDownloadSources) {
         const [apiURL, repository] = downloadSource;
         // If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
@@ -110,25 +139,6 @@ async function getCodeQLBundleDownloadURL(apiDetails, mode, logger) {
             logger.info(`Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`);
         }
     }
-    try {
-        const release = await api
-            .getApiClient(apiDetails)
-            .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
-            tag: CODEQL_BUNDLE_VERSION,
-        });
-        const assetID = release.data.assets[codeQLBundleName];
-        if (assetID !== undefined) {
-            const download = await api
-                .getApiClient(apiDetails)
-                .request("GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}", { asset_id: assetID });
-            const downloadURL = download.data.url;
-            logger.info(`Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`);
-            return downloadURL;
-        }
-    }
-    catch (e) {
-        logger.info(`Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`);
-    }
     return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
 }
 // We have to download CodeQL manually because the toolcache doesn't support Accept headers.
@@ -146,12 +156,7 @@ async function toolcacheDownloadTool(url, headers, tempDir, logger) {
     await pipeline(response.message, fs.createWriteStream(dest));
     return dest;
 }
-async function setupCodeQL(codeqlURL, apiDetails, tempDir, toolsDir, mode, logger) {
-    // Setting these two env vars makes the toolcache code safe to use outside,
-    // of actions but this is obviously not a great thing we're doing and it would
-    // be better to write our own implementation to use outside of actions.
-    process.env["RUNNER_TEMP"] = tempDir;
-    process.env["RUNNER_TOOL_CACHE"] = toolsDir;
+async function setupCodeQL(codeqlURL, apiDetails, tempDir, mode, variant, logger) {
     try {
         // We use the special value of 'latest' to prioritize the version in the
         // defaults over any pinned cached version.
@@ -181,7 +186,7 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, toolsDir, mode, logge
         }
         else {
             if (!codeqlURL) {
-                codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, mode, logger);
+                codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, mode, variant, logger);
             }
             const parsedCodeQLURL = new URL(codeqlURL);
             const parsedQueryString = query_string_1.default.parse(parsedCodeQLURL.search);

lib/codeql.test.js

@@ -24,15 +24,20 @@ const sampleApiDetails = {
     auth: "token",
     url: "https://github.com",
 };
+const sampleGHAEApiDetails = {
+    auth: "token",
+    url: "https://example.githubenterprise.com",
+};
 ava_1.default("download codeql bundle cache", async (t) => {
     await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
         const versions = ["20200601", "20200610"];
         for (let i = 0; i < versions.length; i++) {
             const version = versions[i];
             nock_1.default("https://example.com")
                 .get(`/download/codeql-bundle-${version}/codeql-bundle.tar.gz`)
                 .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle.tar.gz`));
-            await codeql.setupCodeQL(`https://example.com/download/codeql-bundle-${version}/codeql-bundle.tar.gz`, sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+            await codeql.setupCodeQL(`https://example.com/download/codeql-bundle-${version}/codeql-bundle.tar.gz`, sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
             t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
         }
         const cachedVersions = toolcache.findAllVersions("CodeQL");
@@ -41,36 +46,39 @@ ava_1.default("download codeql bundle cache", async (t) => {
 });
 ava_1.default("download codeql bundle cache explicitly requested with pinned different version cached", async (t) => {
     await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
         nock_1.default("https://example.com")
             .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
             .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
-        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
         t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
         nock_1.default("https://example.com")
             .get(`/download/codeql-bundle-20200610/codeql-bundle.tar.gz`)
             .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle.tar.gz`));
-        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200610/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200610/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
         t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
     });
 });
 ava_1.default("don't download codeql bundle cache with pinned different version cached", async (t) => {
     await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
         nock_1.default("https://example.com")
             .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
             .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
-        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
         t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
-        await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
         const cachedVersions = toolcache.findAllVersions("CodeQL");
         t.is(cachedVersions.length, 1);
     });
 });
 ava_1.default("download codeql bundle cache with different version cached (not pinned)", async (t) => {
     await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
         nock_1.default("https://example.com")
             .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
             .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle.tar.gz`));
-        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
         t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
         const platform = process.platform === "win32"
             ? "win64"
@@ -80,17 +88,18 @@ ava_1.default("download codeql bundle cache with different version cached (not p
         nock_1.default("https://github.com")
             .get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/codeql-bundle-${platform}.tar.gz`)
             .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle.tar.gz`));
-        await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
         const cachedVersions = toolcache.findAllVersions("CodeQL");
         t.is(cachedVersions.length, 2);
     });
 });
-ava_1.default('download codeql bundle cache with pinned different version cached if "latests" tools specified', async (t) => {
+ava_1.default('download codeql bundle cache with pinned different version cached if "latest" tools specified', async (t) => {
     await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
         nock_1.default("https://example.com")
             .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
             .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
-        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
         t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
         const platform = process.platform === "win32"
             ? "win64"
@@ -100,11 +109,39 @@ ava_1.default('download codeql bundle cache with pinned different version cached
         nock_1.default("https://github.com")
             .get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/codeql-bundle-${platform}.tar.gz`)
             .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle.tar.gz`));
-        await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, tmpDir, "runner", logging_1.getRunnerLogger(true));
+        await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, "runner", util.GitHubVariant.DOTCOM, logging_1.getRunnerLogger(true));
         const cachedVersions = toolcache.findAllVersions("CodeQL");
         t.is(cachedVersions.length, 2);
     });
 });
+ava_1.default("download codeql bundle from github ae endpoint", async (t) => {
+    await util.withTmpDir(async (tmpDir) => {
+        util.setupActionsVars(tmpDir, tmpDir);
+        const bundleAssetID = 10;
+        const platform = process.platform === "win32"
+            ? "win64"
+            : process.platform === "linux"
+                ? "linux64"
+                : "osx64";
+        const codeQLBundleName = `codeql-bundle-${platform}.tar.gz`;
+        nock_1.default("https://example.githubenterprise.com")
+            .get(`/api/v3/enterprise/code-scanning/codeql-bundle/find/${defaults.bundleVersion}`)
+            .reply(200, {
+            assets: { [codeQLBundleName]: bundleAssetID },
+        });
+        nock_1.default("https://example.githubenterprise.com")
+            .get(`/api/v3/enterprise/code-scanning/codeql-bundle/download/${bundleAssetID}`)
+            .reply(200, {
+            url: `https://example.githubenterprise.com/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`,
+        });
+        nock_1.default("https://example.githubenterprise.com")
+            .get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`)
+            .replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
+        await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, "runner", util.GitHubVariant.GHAE, logging_1.getRunnerLogger(true));
+        const cachedVersions = toolcache.findAllVersions("CodeQL");
+        t.is(cachedVersions.length, 1);
+    });
+});
 ava_1.default("parse codeql bundle url version", (t) => {
     t.deepEqual(codeql.getCodeQLURLVersion("https://github.com/.../codeql-bundle-20200601/..."), "20200601");
 });

lib/defaults.json

@@ -1,3 +1,3 @@
 {
-    "bundleVersion": "codeql-bundle-20210304"
+    "bundleVersion": "codeql-bundle-20210308"
 }

lib/init-action.js

@@ -60,16 +60,14 @@ async function run() {
         url: actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
     };
     const gitHubVersion = await util_1.getGitHubVersion(apiDetails);
-    if (gitHubVersion !== undefined) {
-        util_1.checkGitHubVersionInRange(gitHubVersion, "actions", logger);
-    }
+    util_1.checkGitHubVersionInRange(gitHubVersion, "actions", logger);
     try {
         actionsUtil.prepareLocalRunEnvironment();
         const workflowErrors = await actionsUtil.validateWorkflow();
         if (!(await actionsUtil.sendStatusReport(await actionsUtil.createStatusReportBase("init", "starting", startedAt, workflowErrors)))) {
             return;
         }
-        const initCodeQLResult = await init_1.initCodeQL(actionsUtil.getOptionalInput("tools"), apiDetails, actionsUtil.getTemporaryDirectory(), actionsUtil.getRequiredEnvParam("RUNNER_TOOL_CACHE"), "actions", logger);
+        const initCodeQLResult = await init_1.initCodeQL(actionsUtil.getOptionalInput("tools"), apiDetails, actionsUtil.getTemporaryDirectory(), "actions", gitHubVersion.type, logger);
         codeql = initCodeQLResult.codeql;
         toolsVersion = initCodeQLResult.toolsVersion;
         config = await init_1.initConfig(actionsUtil.getOptionalInput("languages"), actionsUtil.getOptionalInput("queries"), actionsUtil.getOptionalInput("config-file"), repository_1.parseRepositoryNwo(actionsUtil.getRequiredEnvParam("GITHUB_REPOSITORY")), actionsUtil.getTemporaryDirectory(), actionsUtil.getRequiredEnvParam("RUNNER_TOOL_CACHE"), codeql, actionsUtil.getRequiredEnvParam("GITHUB_WORKSPACE"), gitHubVersion, apiDetails, logger);

lib/init-action.js.map

@@ -1 +1 @@
-{"version":3,"file":"init-action.js","sourceRoot":"","sources":["../src/init-action.ts"],"names":[],"mappings":";;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAG9C,iCAMgB;AAChB,2CAAuC;AACvC,uCAA6C;AAC7C,6CAAkD;AAClD,iCAAqE;AAsBrE,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,MAA0B,EAC1B,YAAoB;;IAEpB,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,MAAM,EACN,SAAS,EACT,SAAS,CACV,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,iBAAiB,GAAG,WAAW,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACpE,MAAM,KAAK,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CACvE,GAAG,CACJ,CAAC;IACF,MAAM,qBAAqB,GAAG,MAAM,CAAC,iBAAiB,CACpD,yBAAyB,CAC1B;QACC,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,YAAY,SAAG,WAAW,CAAC,gBAAgB,CAAC,SAAS,CAAC,0CAAE,IAAI,EAAE,CAAC;IACnE,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;QAC9D,OAAO,CAAC,IAAI,CACV,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAC/D,CAAC;KACH;IACD,IAAI,YAAY,KAAK,SAAS,EAAE;QAC9B,YAAY,GAAG,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACzC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;YACxB,CAAC,CAAC,YAAY,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;KAC1C;IAED,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,SAAS;QACT,kBAAkB,EAAE,iBAAiB,IAAI,EAAE;QAC3C,KAAK;QACL,YAAY,EAAE,WAAW;QACzB,uBAAuB,EAAE,qBAAqB;QAC9C,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;QAC1B,WAAW,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE;QACxD,sBAAsB,EAAE,YAAY;KACrC,CAAC;IAEF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,0BAAgB,EAAE,CAAC;IAClC,IAAI,MAA0B,CAAC;IAC/B,IAAI,MAAc,CAAC;IACnB,IAAI,YAAoB,CAAC;IAEzB,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;QAC3C,gBAAgB,EAAE,WAAW,CAAC,gBAAgB,CAAC,2BAA2B,CAAC;QAC3E,GAAG,EAAE,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC;KAC1D,CAAC;IAEF,MAAM,aAAa,GAAG,MAAM,uBAAgB,CAAC,UAAU,CAAC,CAAC;IACzD,IAAI,aAAa,KAAK,SAAS,EAAE;QAC/B,gCAAyB,CAAC,aAAa,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;KAC7D;IAED,IAAI;QACF,WAAW,CAAC,0BAA0B,EAAE,CAAC;QAEzC,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,gBAAgB,EAAE,CAAC;QAE5D,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,UAAU,EACV,SAAS,EACT,cAAc,CACf,CACF,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,gBAAgB,GAAG,MAAM,iBAAU,CACvC,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC,EACrC,UAAU,EACV,WAAW,CAAC,qBAAqB,EAAE,EACnC,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,EACpD,SAAS,EACT,MAAM,CACP,CAAC;QACF,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;QACjC,YAAY,GAAG,gBAAgB,CAAC,YAAY,CAAC;QAE7C,MAAM,GAAG,MAAM,iBAAU,CACvB,WAAW,CAAC,gBAAgB,CAAC,WAAW,CAAC,EACzC,WAAW,CAAC,gBAAgB,CAAC,SAAS,CAAC,EACvC,WAAW,CAAC,gBAAgB,CAAC,aAAa,CAAC,EAC3C,+BAAkB,CAAC,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,CAAC,EACxE,WAAW,CAAC,qBAAqB,EAAE,EACnC,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,EACpD,MAAM,EACN,WAAW,CAAC,mBAAmB,CAAC,kBAAkB,CAAC,EACnD,aAAa,EACb,UAAU,EACV,MAAM,CACP,CAAC;QAEF,IACE,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,oBAAQ,CAAC,MAAM,CAAC;YAC1C,WAAW,CAAC,gBAAgB,CAAC,2BAA2B,CAAC,KAAK,MAAM,EACpE;YACA,IAAI;gBACF,MAAM,wBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;aACzC;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,CAAC,OAAO,CACZ,GAAG,GAAG,CAAC,OAAO,2FAA2F,CAC1G,CAAC;aACH;SACF;KACF;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACf,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,SAAS,EACT,SAAS,EACT,CAAC,CAAC,OAAO,CACV,CACF,CAAC;QACF,OAAO;KACR;IAED,IAAI;QACF,mBAAmB;QACnB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,OAAO,EAAE;YACX,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACxC,IAAI,CAAC,OAAO,CACV,6GAA6G,CAC9G,CAAC;SACH;QAED,mGAAmG;QACnG,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,MAAM,CAAC;QACtD,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAE7C,MAAM,YAAY,GAAG,MAAM,cAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACnD,IAAI,YAAY,KAAK,SAAS,EAAE;YAC9B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE;gBAC3D,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;aACjC;YAED,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;gBAChC,MAAM,0BAAmB,CACvB,mBAAmB,EACnB,SAAS,EACT,MAAM,EACN,MAAM,EACN,YAAY,CACb,CAAC;aACH;SACF;QAED,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;KACjD;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,SAAS,EACT,SAAS,EACT,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CACF,CAAC;QACF,OAAO;KACR;IACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;AACjE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,uBAAuB,KAAK,EAAE,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"init-action.js","sourceRoot":"","sources":["../src/init-action.ts"],"names":[],"mappings":";;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAG9C,iCAMgB;AAChB,2CAAuC;AACvC,uCAA6C;AAC7C,6CAAkD;AAClD,iCAAqE;AAsBrE,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,MAA0B,EAC1B,YAAoB;;IAEpB,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,sBAAsB,CAC/D,MAAM,EACN,SAAS,EACT,SAAS,CACV,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,iBAAiB,GAAG,WAAW,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACpE,MAAM,KAAK,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CACvE,GAAG,CACJ,CAAC;IACF,MAAM,qBAAqB,GAAG,MAAM,CAAC,iBAAiB,CACpD,yBAAyB,CAC1B;QACC,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,YAAY,SAAG,WAAW,CAAC,gBAAgB,CAAC,SAAS,CAAC,0CAAE,IAAI,EAAE,CAAC;IACnE,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;QAC9D,OAAO,CAAC,IAAI,CACV,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAC/D,CAAC;KACH;IACD,IAAI,YAAY,KAAK,SAAS,EAAE;QAC9B,YAAY,GAAG,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC;YACzC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;YACxB,CAAC,CAAC,YAAY,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;KAC1C;IAED,MAAM,YAAY,GAA4B;QAC5C,GAAG,gBAAgB;QACnB,SAAS;QACT,kBAAkB,EAAE,iBAAiB,IAAI,EAAE;QAC3C,KAAK;QACL,YAAY,EAAE,WAAW;QACzB,uBAAuB,EAAE,qBAAqB;QAC9C,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;QAC1B,WAAW,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE;QACxD,sBAAsB,EAAE,YAAY;KACrC,CAAC;IAEF,MAAM,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,0BAAgB,EAAE,CAAC;IAClC,IAAI,MAA0B,CAAC;IAC/B,IAAI,MAAc,CAAC;IACnB,IAAI,YAAoB,CAAC;IAEzB,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC;QAC3C,gBAAgB,EAAE,WAAW,CAAC,gBAAgB,CAAC,2BAA2B,CAAC;QAC3E,GAAG,EAAE,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC;KAC1D,CAAC;IAEF,MAAM,aAAa,GAAG,MAAM,uBAAgB,CAAC,UAAU,CAAC,CAAC;IACzD,gCAAyB,CAAC,aAAa,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAE5D,IAAI;QACF,WAAW,CAAC,0BAA0B,EAAE,CAAC;QAEzC,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,gBAAgB,EAAE,CAAC;QAE5D,IACE,CAAC,CAAC,MAAM,WAAW,CAAC,gBAAgB,CAClC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,UAAU,EACV,SAAS,EACT,cAAc,CACf,CACF,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,gBAAgB,GAAG,MAAM,iBAAU,CACvC,WAAW,CAAC,gBAAgB,CAAC,OAAO,CAAC,EACrC,UAAU,EACV,WAAW,CAAC,qBAAqB,EAAE,EACnC,SAAS,EACT,aAAa,CAAC,IAAI,EAClB,MAAM,CACP,CAAC;QACF,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC;QACjC,YAAY,GAAG,gBAAgB,CAAC,YAAY,CAAC;QAE7C,MAAM,GAAG,MAAM,iBAAU,CACvB,WAAW,CAAC,gBAAgB,CAAC,WAAW,CAAC,EACzC,WAAW,CAAC,gBAAgB,CAAC,SAAS,CAAC,EACvC,WAAW,CAAC,gBAAgB,CAAC,aAAa,CAAC,EAC3C,+BAAkB,CAAC,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,CAAC,EACxE,WAAW,CAAC,qBAAqB,EAAE,EACnC,WAAW,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,EACpD,MAAM,EACN,WAAW,CAAC,mBAAmB,CAAC,kBAAkB,CAAC,EACnD,aAAa,EACb,UAAU,EACV,MAAM,CACP,CAAC;QAEF,IACE,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,oBAAQ,CAAC,MAAM,CAAC;YAC1C,WAAW,CAAC,gBAAgB,CAAC,2BAA2B,CAAC,KAAK,MAAM,EACpE;YACA,IAAI;gBACF,MAAM,wBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;aACzC;YAAC,OAAO,GAAG,EAAE;gBACZ,MAAM,CAAC,OAAO,CACZ,GAAG,GAAG,CAAC,OAAO,2FAA2F,CAC1G,CAAC;aACH;SACF;KACF;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACf,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,SAAS,EACT,SAAS,EACT,CAAC,CAAC,OAAO,CACV,CACF,CAAC;QACF,OAAO;KACR;IAED,IAAI;QACF,mBAAmB;QACnB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,OAAO,EAAE;YACX,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACxC,IAAI,CAAC,OAAO,CACV,6GAA6G,CAC9G,CAAC;SACH;QAED,mGAAmG;QACnG,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,MAAM,CAAC;QACtD,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAE7C,MAAM,YAAY,GAAG,MAAM,cAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACnD,IAAI,YAAY,KAAK,SAAS,EAAE;YAC9B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE;gBAC3D,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;aACjC;YAED,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;gBAChC,MAAM,0BAAmB,CACvB,mBAAmB,EACnB,SAAS,EACT,MAAM,EACN,MAAM,EACN,YAAY,CACb,CAAC;aACH;SACF;QAED,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;KACjD;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,WAAW,CAAC,gBAAgB,CAChC,MAAM,WAAW,CAAC,sBAAsB,CACtC,MAAM,EACN,SAAS,EACT,SAAS,EACT,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CACF,CAAC;QACF,OAAO;KACR;IACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;AACjE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,uBAAuB,KAAK,EAAE,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/init.js

@@ -16,9 +16,9 @@ const codeql_1 = require("./codeql");
 const configUtils = __importStar(require("./config-utils"));
 const tracer_config_1 = require("./tracer-config");
 const util = __importStar(require("./util"));
-async function initCodeQL(codeqlURL, apiDetails, tempDir, toolsDir, mode, logger) {
+async function initCodeQL(codeqlURL, apiDetails, tempDir, mode, variant, logger) {
     logger.startGroup("Setup CodeQL tools");
-    const { codeql, toolsVersion } = await codeql_1.setupCodeQL(codeqlURL, apiDetails, tempDir, toolsDir, mode, logger);
+    const { codeql, toolsVersion } = await codeql_1.setupCodeQL(codeqlURL, apiDetails, tempDir, mode, variant, logger);
     await codeql.printVersion();
     logger.endGroup();
     return { codeql, toolsVersion };
@@ -129,7 +129,7 @@ exports.injectWindowsTracer = injectWindowsTracer;
 async function installPythonDeps(codeql, logger) {
     logger.startGroup("Setup Python dependencies");
     const scriptsFolder = path.resolve(__dirname, "../python-setup");
-    // Setup tools on the Github hosted runners
+    // Setup tools on the GitHub hosted runners
     if (process.env["ImageOS"] !== undefined) {
         try {
             if (process.platform === "win32") {

lib/init.js.map

@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA+C;AAC/C,4DAA8C;AAG9C,mDAAwE;AACxE,6CAA+B;AAExB,KAAK,UAAU,UAAU,CAC9B,SAA6B,EAC7B,UAA4B,EAC5B,OAAe,EACf,QAAgB,EAChB,IAAe,EACf,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,oBAAW,CAChD,SAAS,EACT,UAAU,EACV,OAAO,EACP,QAAQ,EACR,IAAI,EACJ,MAAM,CACP,CAAC;IACF,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAClC,CAAC;AApBD,gCAoBC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,UAAyB,EACzB,OAAe,EACf,YAAoB,EACpB,MAAc,EACd,YAAoB,EACpB,aAAiC,EACjC,UAAoC,EACpC,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,UAAU,EACV,OAAO,EACP,YAAY,EACZ,MAAM,EACN,YAAY,EACZ,aAAa,EACb,UAAU,EACV,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA9BD,gCA8BC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B;IAE1B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAElC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE9E,sEAAsE;IACtE,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,yBAAyB;QACzB,MAAM,MAAM,CAAC,YAAY,CACvB,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,EACpD,QAAQ,EACR,UAAU,CACX,CAAC;KACH;IAED,OAAO,MAAM,uCAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC;AAnBD,0BAmBC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,4EAA4E;AAC5E,6EAA6E;AAC7E,+CAA+C;AACxC,KAAK,UAAU,mBAAmB,CACvC,WAA+B,EAC/B,YAAgC,EAChC,MAA0B,EAC1B,MAAc,EACd,YAA0B;IAE1B,IAAI,MAAc,CAAC;IACnB,IAAI,WAAW,KAAK,SAAS,EAAE;QAC7B,MAAM,GAAG;;;;;;;;;;;;uCAY0B,WAAW;;8BAEpB,WAAW;;;;;;;;gDAQO,CAAC;KAC9C;SAAM;QACL,oEAAoE;QACpE,mFAAmF;QACnF,+EAA+E;QAC/E,kFAAkF;QAClF,6EAA6E;QAC7E,oFAAoF;QACpF,6CAA6C;QAC7C,YAAY,GAAG,YAAY,IAAI,CAAC,CAAC;QACjC,MAAM,GAAG;;;;;;;;4BAQe,YAAY;;;;;;;;;;;;;;;;;;;;;gDAqBQ,CAAC;KAC9C;IAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACxE,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC;QACE,kBAAkB;QAClB,QAAQ;QACR,OAAO;QACP,gBAAgB;QAChB,IAAI,CAAC,OAAO,CACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAC9B,OAAO,EACP,OAAO,EACP,YAAY,CACb;KACF,EACD,EAAE,GAAG,EAAE,EAAE,0BAA0B,EAAE,YAAY,CAAC,IAAI,EAAE,EAAE,CAC3D,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AA5FD,kDA4FC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,2CAA2C;IAC3C,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,SAAS,EAAE;QACxC,IAAI;YACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;gBAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC,CAChD,CAAC,IAAI,EAAE,CAAC;aACV;iBAAM;gBACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;aACV;SACF;QAAC,OAAO,CAAC,EAAE;YACV,mGAAmG;YACnG,uDAAuD;YACvD,MAAM,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,OAAO,CACZ,mLAAmL,CACpL,CAAC;YACF,OAAO;SACR;KACF;IAED,uBAAuB;IACvB,IAAI;QACF,MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,EAAE;gBAChE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,+IAA+I,CAChJ,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAnDD,8CAmDC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA+C;AAC/C,4DAA8C;AAG9C,mDAAwE;AACxE,6CAA+B;AAExB,KAAK,UAAU,UAAU,CAC9B,SAA6B,EAC7B,UAA4B,EAC5B,OAAe,EACf,IAAe,EACf,OAA2B,EAC3B,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,oBAAW,CAChD,SAAS,EACT,UAAU,EACV,OAAO,EACP,IAAI,EACJ,OAAO,EACP,MAAM,CACP,CAAC;IACF,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAClC,CAAC;AApBD,gCAoBC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,UAAyB,EACzB,OAAe,EACf,YAAoB,EACpB,MAAc,EACd,YAAoB,EACpB,aAAiC,EACjC,UAAoC,EACpC,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,UAAU,EACV,OAAO,EACP,YAAY,EACZ,MAAM,EACN,YAAY,EACZ,aAAa,EACb,UAAU,EACV,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA9BD,gCA8BC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B;IAE1B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAElC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE9E,sEAAsE;IACtE,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,yBAAyB;QACzB,MAAM,MAAM,CAAC,YAAY,CACvB,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,EACpD,QAAQ,EACR,UAAU,CACX,CAAC;KACH;IAED,OAAO,MAAM,uCAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC;AAnBD,0BAmBC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,4EAA4E;AAC5E,6EAA6E;AAC7E,+CAA+C;AACxC,KAAK,UAAU,mBAAmB,CACvC,WAA+B,EAC/B,YAAgC,EAChC,MAA0B,EAC1B,MAAc,EACd,YAA0B;IAE1B,IAAI,MAAc,CAAC;IACnB,IAAI,WAAW,KAAK,SAAS,EAAE;QAC7B,MAAM,GAAG;;;;;;;;;;;;uCAY0B,WAAW;;8BAEpB,WAAW;;;;;;;;gDAQO,CAAC;KAC9C;SAAM;QACL,oEAAoE;QACpE,mFAAmF;QACnF,+EAA+E;QAC/E,kFAAkF;QAClF,6EAA6E;QAC7E,oFAAoF;QACpF,6CAA6C;QAC7C,YAAY,GAAG,YAAY,IAAI,CAAC,CAAC;QACjC,MAAM,GAAG;;;;;;;;4BAQe,YAAY;;;;;;;;;;;;;;;;;;;;;gDAqBQ,CAAC;KAC9C;IAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACxE,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC;QACE,kBAAkB;QAClB,QAAQ;QACR,OAAO;QACP,gBAAgB;QAChB,IAAI,CAAC,OAAO,CACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAC9B,OAAO,EACP,OAAO,EACP,YAAY,CACb;KACF,EACD,EAAE,GAAG,EAAE,EAAE,0BAA0B,EAAE,YAAY,CAAC,IAAI,EAAE,EAAE,CAC3D,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AA5FD,kDA4FC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,2CAA2C;IAC3C,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,SAAS,EAAE;QACxC,IAAI;YACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;gBAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC,CAChD,CAAC,IAAI,EAAE,CAAC;aACV;iBAAM;gBACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;aACV;SACF;QAAC,OAAO,CAAC,EAAE;YACV,mGAAmG;YACnG,uDAAuD;YACvD,MAAM,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,OAAO,CACZ,mLAAmL,CACpL,CAAC;YACF,OAAO;SACR;KACF;IAED,uBAAuB;IACvB,IAAI;QACF,MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,EAAE;gBAChE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,+IAA+I,CAChJ,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAnDD,8CAmDC"}

lib/runner.js

@@ -100,6 +100,7 @@ program
     try {
         const tempDir = getTempDir(cmd.tempDir);
         const toolsDir = getToolsDir(cmd.toolsDir);
+        util_1.setupActionsVars(tempDir, toolsDir);
         // Wipe the temp dir
         logger.info(`Cleaning temp directory ${tempDir}`);
         fs.rmdirSync(tempDir, { recursive: true });
@@ -108,18 +109,16 @@ program
         const apiDetails = {
             auth,
             externalRepoAuth: auth,
-            url: util_1.parseGithubUrl(cmd.githubUrl),
+            url: util_1.parseGitHubUrl(cmd.githubUrl),
         };
         const gitHubVersion = await util_1.getGitHubVersion(apiDetails);
-        if (gitHubVersion !== undefined) {
-            util_1.checkGitHubVersionInRange(gitHubVersion, "runner", logger);
-        }
+        util_1.checkGitHubVersionInRange(gitHubVersion, "runner", logger);
         let codeql;
         if (cmd.codeqlPath !== undefined) {
             codeql = codeql_1.getCodeQL(cmd.codeqlPath);
         }
         else {
-            codeql = (await init_1.initCodeQL(undefined, apiDetails, tempDir, toolsDir, "runner", logger)).codeql;
+            codeql = (await init_1.initCodeQL(undefined, apiDetails, tempDir, "runner", gitHubVersion.type, logger)).codeql;
         }
         const config = await init_1.initConfig(cmd.languages, cmd.queries, cmd.configFile, repository_1.parseRepositoryNwo(cmd.repository), tempDir, toolsDir, codeql, cmd.checkoutPath || process.cwd(), gitHubVersion, apiDetails, logger);
         const tracerConfig = await init_1.runInit(codeql, config);
@@ -181,6 +180,7 @@ program
             throw new Error("Config file could not be found at expected location. " +
                 "Was the 'init' command run with the same '--temp-dir' argument as this command.");
         }
+        util_1.setupActionsVars(config.tempDir, config.toolCacheDir);
         importTracerEnvironment(config);
         let language = undefined;
         if (cmd.language !== undefined) {
@@ -224,18 +224,18 @@ program
     .action(async (cmd) => {
     const logger = logging_1.getRunnerLogger(cmd.debug);
     try {
-        const tempDir = getTempDir(cmd.tempDir);
-        const outputDir = cmd.outputDir || path.join(tempDir, "codeql-sarif");
         const config = await config_utils_1.getConfig(getTempDir(cmd.tempDir), logger);
         if (config === undefined) {
             throw new Error("Config file could not be found at expected location. " +
                 "Was the 'init' command run with the same '--temp-dir' argument as this command.");
         }
+        util_1.setupActionsVars(config.tempDir, config.toolCacheDir);
         const auth = await util_1.getGitHubAuth(logger, cmd.githubAuth, cmd.githubAuthStdin);
         const apiDetails = {
             auth,
-            url: util_1.parseGithubUrl(cmd.githubUrl),
+            url: util_1.parseGitHubUrl(cmd.githubUrl),
         };
+        const outputDir = cmd.outputDir || path.join(config.tempDir, "codeql-sarif");
         await analyze_1.runAnalyze(outputDir, util_1.getMemoryFlag(cmd.ram), util_1.getAddSnippetsFlag(cmd.addSnippets), util_1.getThreadsFlag(cmd.threads, logger), config, logger);
         if (!cmd.upload) {
             logger.info("Not uploading results");
@@ -266,7 +266,7 @@ program
     const auth = await util_1.getGitHubAuth(logger, cmd.githubAuth, cmd.githubAuthStdin);
     const apiDetails = {
         auth,
-        url: util_1.parseGithubUrl(cmd.githubUrl),
+        url: util_1.parseGitHubUrl(cmd.githubUrl),
     };
     try {
         const gitHubVersion = await util_1.getGitHubVersion(apiDetails);

lib/tracer-config.js

@@ -141,9 +141,9 @@ async function getCombinedTracerConfig(config, codeql) {
     else if (process.platform !== "win32") {
         mainTracerConfig.env["LD_PRELOAD"] = path.join(codeQLDir, "tools", "linux64", "${LIB}trace.so");
     }
-    // On macos it's necessary to prefix the build command with the runner exectuable
+    // On macos it's necessary to prefix the build command with the runner executable
     // on order to trace when System Integrity Protection is enabled.
-    // The exectuable also exists and works for other platforms so we output this env
+    // The executable also exists and works for other platforms so we output this env
     // var with a path to the runner regardless so it's always available.
     const runnerExeName = process.platform === "win32" ? "runner.exe" : "runner";
     mainTracerConfig.env["CODEQL_RUNNER"] = path.join(mainTracerConfig.env["CODEQL_DIST"], "tools", mainTracerConfig.env["CODEQL_PLATFORM"], runnerExeName);

lib/upload-lib.js

@@ -117,7 +117,20 @@ function getSarifFilePaths(sarifPath) {
 // Counts the number of results in the given SARIF file
 function countResultsInSarif(sarif) {
     let numResults = 0;
-    for (const run of JSON.parse(sarif).runs) {
+    let parsedSarif;
+    try {
+        parsedSarif = JSON.parse(sarif);
+    }
+    catch (e) {
+        throw new Error(`Invalid SARIF. JSON syntax error: ${e.message}`);
+    }
+    if (!Array.isArray(parsedSarif.runs)) {
+        throw new Error("Invalid SARIF. Missing 'runs' array.");
+    }
+    for (const run of parsedSarif.runs) {
+        if (!Array.isArray(run.results)) {
+            throw new Error("Invalid SARIF. Missing 'results' array in run.");
+        }
         numResults += run.results.length;
     }
     return numResults;

lib/util.js

@@ -171,7 +171,7 @@ exports.getCodeQLDatabasePath = getCodeQLDatabasePath;
  * Parses user input of a github.com or GHES URL to a canonical form.
  * Removes any API prefix or suffix if one is present.
  */
-function parseGithubUrl(inputUrl) {
+function parseGitHubUrl(inputUrl) {
     const originalUrl = inputUrl;
     if (inputUrl.indexOf("://") === -1) {
         inputUrl = `https://${inputUrl}`;
@@ -205,7 +205,7 @@ function parseGithubUrl(inputUrl) {
     }
     return url.toString();
 }
-exports.parseGithubUrl = parseGithubUrl;
+exports.parseGitHubUrl = parseGitHubUrl;
 const GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
 const CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR = "CODEQL_ACTION_WARNED_ABOUT_VERSION";
 let hasBeenWarnedAboutVersion = false;
@@ -217,7 +217,7 @@ var GitHubVariant;
 })(GitHubVariant = exports.GitHubVariant || (exports.GitHubVariant = {}));
 async function getGitHubVersion(apiDetails) {
     // We can avoid making an API request in the standard dotcom case
-    if (parseGithubUrl(apiDetails.url) === exports.GITHUB_DOTCOM_URL) {
+    if (parseGitHubUrl(apiDetails.url) === exports.GITHUB_DOTCOM_URL) {
         return { type: GitHubVariant.DOTCOM };
     }
     // Doesn't strictly have to be the meta endpoint as we're only
@@ -320,4 +320,20 @@ async function getGitHubAuth(logger, githubAuth, fromStdIn, readable = process.s
     throw new Error("No GitHub authentication token was specified. Please provide a token via the GITHUB_TOKEN environment variable, or by adding the `--github-auth-stdin` flag and passing the token via standard input.");
 }
 exports.getGitHubAuth = getGitHubAuth;
+// Sets environment variables that make using some libraries designed for
+// use only on actions safe to use outside of actions.
+//
+// Obviously this is not a tremendously great thing we're doing and it
+// would be better to write our own implementation of libraries to use
+// outside of actions. For now this works well enough.
+//
+// Currently this list of libraries that is deemed to now be safe includes:
+// - @actions/tool-cache
+//
+// Also see "queries/unguarded-action-lib.ql".
+function setupActionsVars(tempDir, toolsDir) {
+    process.env["RUNNER_TEMP"] = tempDir;
+    process.env["RUNNER_TOOL_CACHE"] = toolsDir;
+}
+exports.setupActionsVars = setupActionsVars;
 //# sourceMappingURL=util.js.map

lib/util.test.js

@@ -102,27 +102,27 @@ ava_1.default("getExtraOptionsEnvParam() fails on invalid JSON", (t) => {
     t.throws(util.getExtraOptionsEnvParam);
     process.env.CODEQL_ACTION_EXTRA_OPTIONS = origExtraOptions;
 });
-ava_1.default("parseGithubUrl", (t) => {
-    t.deepEqual(util.parseGithubUrl("github.com"), "https://github.com");
-    t.deepEqual(util.parseGithubUrl("https://github.com"), "https://github.com");
-    t.deepEqual(util.parseGithubUrl("https://api.github.com"), "https://github.com");
-    t.deepEqual(util.parseGithubUrl("https://github.com/foo/bar"), "https://github.com");
-    t.deepEqual(util.parseGithubUrl("github.example.com"), "https://github.example.com/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com"), "https://github.example.com/");
-    t.deepEqual(util.parseGithubUrl("https://api.github.example.com"), "https://github.example.com/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com/api/v3"), "https://github.example.com/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com:1234"), "https://github.example.com:1234/");
-    t.deepEqual(util.parseGithubUrl("https://api.github.example.com:1234"), "https://github.example.com:1234/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com:1234/api/v3"), "https://github.example.com:1234/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com/base/path"), "https://github.example.com/base/path/");
-    t.deepEqual(util.parseGithubUrl("https://github.example.com/base/path/api/v3"), "https://github.example.com/base/path/");
-    t.throws(() => util.parseGithubUrl(""), {
+ava_1.default("parseGitHubUrl", (t) => {
+    t.deepEqual(util.parseGitHubUrl("github.com"), "https://github.com");
+    t.deepEqual(util.parseGitHubUrl("https://github.com"), "https://github.com");
+    t.deepEqual(util.parseGitHubUrl("https://api.github.com"), "https://github.com");
+    t.deepEqual(util.parseGitHubUrl("https://github.com/foo/bar"), "https://github.com");
+    t.deepEqual(util.parseGitHubUrl("github.example.com"), "https://github.example.com/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com"), "https://github.example.com/");
+    t.deepEqual(util.parseGitHubUrl("https://api.github.example.com"), "https://github.example.com/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com/api/v3"), "https://github.example.com/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com:1234"), "https://github.example.com:1234/");
+    t.deepEqual(util.parseGitHubUrl("https://api.github.example.com:1234"), "https://github.example.com:1234/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com:1234/api/v3"), "https://github.example.com:1234/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com/base/path"), "https://github.example.com/base/path/");
+    t.deepEqual(util.parseGitHubUrl("https://github.example.com/base/path/api/v3"), "https://github.example.com/base/path/");
+    t.throws(() => util.parseGitHubUrl(""), {
         message: '"" is not a valid URL',
     });
-    t.throws(() => util.parseGithubUrl("ssh://github.com"), {
+    t.throws(() => util.parseGitHubUrl("ssh://github.com"), {
         message: '"ssh://github.com" is not a http or https URL',
     });
-    t.throws(() => util.parseGithubUrl("http:///::::433"), {
+    t.throws(() => util.parseGitHubUrl("http:///::::433"), {
         message: '"http:///::::433" is not a valid URL',
     });
 });

queries/unguarded-action-lib.ql

@@ -19,6 +19,21 @@ predicate isSafeActionLib(string lib) {
   lib.matches("@actions/exec/%")
 }
 
+/**
+ * Matches libraries that are not always safe to use outside of actions
+ * but can be made so by setting certain environment variables.
+ */
+predicate isSafeActionLibWithActionsEnvVars(string lib) {
+    lib = "@actions/tool-cache"
+}
+
+/**
+ * Matches the names of runner commands that set action env vars
+ */
+predicate commandSetsActionsEnvVars(string commandName) {
+    commandName = "init" or commandName = "autobuild" or commandName = "analyze"
+}
+
 /**
  * An import from a library that is meant for GitHub Actions and
  * we do not want to be using outside of actions.
@@ -45,6 +60,32 @@ class RunnerEntrypoint extends Function {
   RunnerEntrypoint() {
     getFile().getAbsolutePath().matches("%/runner.ts")
   }
+
+  /**
+   * Does this runner entry point set the RUNNER_TEMP and
+   * RUNNER_TOOL_CACHE env vars which make some actions libraries
+   * safe to use outside of actions.
+   * See "setupActionsVars" in "util.ts".
+   */
+  predicate setsActionsEnvVars() {
+    // This is matching code of the following format, where "this"
+    // is the function being passed to the "action" method.
+    //
+    // program
+    //   .command("init")
+    //   ...
+    //   .action(async (cmd: InitArgs) => {
+    //     ...
+    //   })
+    exists(MethodCallExpr actionCall,
+        MethodCallExpr commandCall |
+        commandCall.getMethodName() = "command" and
+        commandCall.getReceiver().(VarAccess).getVariable().getName() = "program" and
+        commandSetsActionsEnvVars(commandCall.getArgument(0).(StringLiteral).getValue()) and
+        actionCall.getMethodName() = "action" and
+        actionCall.getReceiver().getAChildExpr*() = commandCall and
+        actionCall.getArgument(0).getAChildExpr*() = this)
+  }
 }
 
 /**
@@ -114,6 +155,7 @@ Function calledBy(Function f) {
 from VarAccess v, ActionsLibImport actionsLib, RunnerEntrypoint runnerEntry 
 where actionsLib.getAProvidedVariable() = v.getVariable()
   and getAFunctionChildExpr(calledBy*(runnerEntry)) = v
+  and not (isSafeActionLibWithActionsEnvVars(actionsLib.getName()) and runnerEntry.setsActionsEnvVars())
 select v, "$@ is imported from $@ and this code can be called from $@",
   v, v.getName(),
   actionsLib, actionsLib.getName(),

runner/package-lock.json

@@ -1194,24 +1194,24 @@
       }
     },
     "elliptic": {
-      "version": "6.5.3",
-      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz",
-      "integrity": "sha512-IMqzv5wNQf+E6aHeIqATs0tOLeOTwj1QKbRcS3jBbYkl5oLAserA8yJTT7/VyHUYG91PRmPyeQDObKLPpeS4dw==",
+      "version": "6.5.4",
+      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz",
+      "integrity": "sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==",
       "dev": true,
       "requires": {
-        "bn.js": "^4.4.0",
-        "brorand": "^1.0.1",
+        "bn.js": "^4.11.9",
+        "brorand": "^1.1.0",
         "hash.js": "^1.0.0",
-        "hmac-drbg": "^1.0.0",
-        "inherits": "^2.0.1",
-        "minimalistic-assert": "^1.0.0",
-        "minimalistic-crypto-utils": "^1.0.0"
+        "hmac-drbg": "^1.0.1",
+        "inherits": "^2.0.4",
+        "minimalistic-assert": "^1.0.1",
+        "minimalistic-crypto-utils": "^1.0.1"
       },
       "dependencies": {
         "bn.js": {
-          "version": "4.11.9",
-          "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.11.9.tgz",
-          "integrity": "sha512-E6QoYqCKZfgatHTdHzs1RRKP7ip4vvm+EyRUeE2RF0NblwVvb0p6jSVeNTOFxPn26QXN2o6SMfNxKp6kU8zQaw==",
+          "version": "4.12.0",
+          "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz",
+          "integrity": "sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==",
           "dev": true
         }
       }

src/actions-util.ts

@@ -396,7 +396,7 @@ export function getWorkflowRunID(): number {
 }
 
 /**
- * Get the analysis key paramter for the current job.
+ * Get the analysis key parameter for the current job.
  *
  * This will combine the workflow path and current job name.
  * Computing this the first time requires making requests to
@@ -556,12 +556,22 @@ export async function createStatusReportBase(
 
 interface HTTPError {
   status: number;
+  message?: string;
 }
 
 function isHTTPError(arg: any): arg is HTTPError {
   return arg?.status !== undefined && Number.isInteger(arg.status);
 }
 
+const GENERIC_403_MSG =
+  "The repo on which this action is running is not opted-in to CodeQL code scanning.";
+const GENERIC_404_MSG =
+  "Not authorized to used the CodeQL code scanning feature on this repo.";
+const OUT_OF_DATE_MSG =
+  "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action.";
+const INCOMPATIBLE_MSG =
+  "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action.";
+
 /**
  * Send a status report to the code_scanning/analysis/status endpoint.
  *
@@ -598,32 +608,24 @@ export async function sendStatusReport<S extends StatusReportBase>(
 
     return true;
   } catch (e) {
+    console.log(e);
     if (isHTTPError(e)) {
       switch (e.status) {
         case 403:
-          core.setFailed(
-            "The repo on which this action is running is not opted-in to CodeQL code scanning."
-          );
+          core.setFailed(e.message || GENERIC_403_MSG);
           return false;
         case 404:
-          core.setFailed(
-            "Not authorized to used the CodeQL code scanning feature on this repo."
-          );
+          core.setFailed(GENERIC_404_MSG);
           return false;
         case 422:
           // schema incompatibility when reporting status
           // this means that this action version is no longer compatible with the API
           // we still want to continue as it is likely the analysis endpoint will work
           if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
-            core.debug(
-              "CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."
-            );
+            core.debug(INCOMPATIBLE_MSG);
           } else {
-            core.debug(
-              "CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."
-            );
+            core.debug(OUT_OF_DATE_MSG);
           }
-
           return true;
       }
     }
@@ -631,7 +633,7 @@ export async function sendStatusReport<S extends StatusReportBase>(
     // something else has gone wrong and the request/response will be logged by octokit
     // it's possible this is a transient error and we should continue scanning
     core.error(
-      "An unexpected error occured when sending code scanning status report."
+      "An unexpected error occurred when sending code scanning status report."
     );
     return true;
   }

src/analysis-paths.ts

@@ -34,7 +34,7 @@ export function printPathFiltersWarning(
     !config.languages.every(isInterpretedLanguage)
   ) {
     logger.warning(
-      'The "paths"/"paths-ignore" fields of the config only have effect for Javascript and Python'
+      'The "paths"/"paths-ignore" fields of the config only have effect for JavaScript and Python'
     );
   }
 }

src/codeql.test.ts

@@ -17,8 +17,15 @@ const sampleApiDetails = {
   url: "https://github.com",
 };
 
+const sampleGHAEApiDetails = {
+  auth: "token",
+  url: "https://example.githubenterprise.com",
+};
+
 test("download codeql bundle cache", async (t) => {
   await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
     const versions = ["20200601", "20200610"];
 
     for (let i = 0; i < versions.length; i++) {
@@ -35,8 +42,8 @@ test("download codeql bundle cache", async (t) => {
         `https://example.com/download/codeql-bundle-${version}/codeql-bundle.tar.gz`,
         sampleApiDetails,
         tmpDir,
-        tmpDir,
         "runner",
+        util.GitHubVariant.DOTCOM,
         getRunnerLogger(true)
       );
 
@@ -51,6 +58,8 @@ test("download codeql bundle cache", async (t) => {
 
 test("download codeql bundle cache explicitly requested with pinned different version cached", async (t) => {
   await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
     nock("https://example.com")
       .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
       .replyWithFile(
@@ -62,8 +71,8 @@ test("download codeql bundle cache explicitly requested with pinned different ve
       "https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz",
       sampleApiDetails,
       tmpDir,
-      tmpDir,
       "runner",
+      util.GitHubVariant.DOTCOM,
       getRunnerLogger(true)
     );
 
@@ -80,8 +89,8 @@ test("download codeql bundle cache explicitly requested with pinned different ve
       "https://example.com/download/codeql-bundle-20200610/codeql-bundle.tar.gz",
       sampleApiDetails,
       tmpDir,
-      tmpDir,
       "runner",
+      util.GitHubVariant.DOTCOM,
       getRunnerLogger(true)
     );
 
@@ -91,6 +100,8 @@ test("download codeql bundle cache explicitly requested with pinned different ve
 
 test("don't download codeql bundle cache with pinned different version cached", async (t) => {
   await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
     nock("https://example.com")
       .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
       .replyWithFile(
@@ -102,8 +113,8 @@ test("don't download codeql bundle cache with pinned different version cached",
       "https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz",
       sampleApiDetails,
       tmpDir,
-      tmpDir,
       "runner",
+      util.GitHubVariant.DOTCOM,
       getRunnerLogger(true)
     );
 
@@ -113,8 +124,8 @@ test("don't download codeql bundle cache with pinned different version cached",
       undefined,
       sampleApiDetails,
       tmpDir,
-      tmpDir,
       "runner",
+      util.GitHubVariant.DOTCOM,
       getRunnerLogger(true)
     );
 
@@ -126,6 +137,8 @@ test("don't download codeql bundle cache with pinned different version cached",
 
 test("download codeql bundle cache with different version cached (not pinned)", async (t) => {
   await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
     nock("https://example.com")
       .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
       .replyWithFile(
@@ -137,8 +150,8 @@ test("download codeql bundle cache with different version cached (not pinned)",
       "https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz",
       sampleApiDetails,
       tmpDir,
-      tmpDir,
       "runner",
+      util.GitHubVariant.DOTCOM,
       getRunnerLogger(true)
     );
 
@@ -163,8 +176,8 @@ test("download codeql bundle cache with different version cached (not pinned)",
       undefined,
       sampleApiDetails,
       tmpDir,
-      tmpDir,
       "runner",
+      util.GitHubVariant.DOTCOM,
       getRunnerLogger(true)
     );
 
@@ -174,8 +187,10 @@ test("download codeql bundle cache with different version cached (not pinned)",
   });
 });
 
-test('download codeql bundle cache with pinned different version cached if "latests" tools specified', async (t) => {
+test('download codeql bundle cache with pinned different version cached if "latest" tools specified', async (t) => {
   await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
     nock("https://example.com")
       .get(`/download/codeql-bundle-20200601/codeql-bundle.tar.gz`)
       .replyWithFile(
@@ -187,8 +202,8 @@ test('download codeql bundle cache with pinned different version cached if "late
       "https://example.com/download/codeql-bundle-20200601/codeql-bundle.tar.gz",
       sampleApiDetails,
       tmpDir,
-      tmpDir,
       "runner",
+      util.GitHubVariant.DOTCOM,
       getRunnerLogger(true)
     );
 
@@ -214,8 +229,8 @@ test('download codeql bundle cache with pinned different version cached if "late
       "latest",
       sampleApiDetails,
       tmpDir,
-      tmpDir,
       "runner",
+      util.GitHubVariant.DOTCOM,
       getRunnerLogger(true)
     );
 
@@ -225,6 +240,59 @@ test('download codeql bundle cache with pinned different version cached if "late
   });
 });
 
+test("download codeql bundle from github ae endpoint", async (t) => {
+  await util.withTmpDir(async (tmpDir) => {
+    util.setupActionsVars(tmpDir, tmpDir);
+
+    const bundleAssetID = 10;
+
+    const platform =
+      process.platform === "win32"
+        ? "win64"
+        : process.platform === "linux"
+        ? "linux64"
+        : "osx64";
+    const codeQLBundleName = `codeql-bundle-${platform}.tar.gz`;
+
+    nock("https://example.githubenterprise.com")
+      .get(
+        `/api/v3/enterprise/code-scanning/codeql-bundle/find/${defaults.bundleVersion}`
+      )
+      .reply(200, {
+        assets: { [codeQLBundleName]: bundleAssetID },
+      });
+
+    nock("https://example.githubenterprise.com")
+      .get(
+        `/api/v3/enterprise/code-scanning/codeql-bundle/download/${bundleAssetID}`
+      )
+      .reply(200, {
+        url: `https://example.githubenterprise.com/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`,
+      });
+
+    nock("https://example.githubenterprise.com")
+      .get(
+        `/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`
+      )
+      .replyWithFile(
+        200,
+        path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`)
+      );
+
+    await codeql.setupCodeQL(
+      undefined,
+      sampleGHAEApiDetails,
+      tmpDir,
+      "runner",
+      util.GitHubVariant.GHAE,
+      getRunnerLogger(true)
+    );
+
+    const cachedVersions = toolcache.findAllVersions("CodeQL");
+    t.is(cachedVersions.length, 1);
+  });
+});
+
 test("parse codeql bundle url version", (t) => {
   t.deepEqual(
     codeql.getCodeQLURLVersion(

src/codeql.ts

@@ -137,8 +137,12 @@ function getCodeQLBundleName(): string {
 function getCodeQLActionRepository(mode: util.Mode, logger: Logger): string {
   if (mode !== "actions") {
     return CODEQL_DEFAULT_ACTION_REPOSITORY;
+  } else {
+    return getActionsCodeQLActionRepository(logger);
   }
+}
 
+function getActionsCodeQLActionRepository(logger: Logger): string {
   if (process.env["GITHUB_ACTION_REPOSITORY"] !== undefined) {
     return process.env["GITHUB_ACTION_REPOSITORY"];
   }
@@ -164,6 +168,7 @@ function getCodeQLActionRepository(mode: util.Mode, logger: Logger): string {
 async function getCodeQLBundleDownloadURL(
   apiDetails: api.GitHubApiDetails,
   mode: util.Mode,
+  variant: util.GitHubVariant,
   logger: Logger
 ): Promise<string> {
   const codeQLActionRepository = getCodeQLActionRepository(mode, logger);
@@ -183,6 +188,39 @@ async function getCodeQLBundleDownloadURL(
     }
   );
   const codeQLBundleName = getCodeQLBundleName();
+  if (variant === util.GitHubVariant.GHAE) {
+    try {
+      const release = await api
+        .getApiClient(apiDetails)
+        .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
+          tag: CODEQL_BUNDLE_VERSION,
+        });
+      const assetID = release.data.assets[codeQLBundleName];
+      if (assetID !== undefined) {
+        const download = await api
+          .getApiClient(apiDetails)
+          .request(
+            "GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}",
+            { asset_id: assetID }
+          );
+        const downloadURL = download.data.url;
+        logger.info(
+          `Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`
+        );
+        return downloadURL;
+      } else {
+        logger.info(
+          `Attempted to fetch bundle from GitHub AE endpoint but the bundle ${codeQLBundleName} was not found in the assets ${JSON.stringify(
+            release.data.assets
+          )}.`
+        );
+      }
+    } catch (e) {
+      logger.info(
+        `Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`
+      );
+    }
+  }
   for (const downloadSource of uniqueDownloadSources) {
     const [apiURL, repository] = downloadSource;
     // If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
@@ -213,31 +251,6 @@ async function getCodeQLBundleDownloadURL(
       );
     }
   }
-  try {
-    const release = await api
-      .getApiClient(apiDetails)
-      .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
-        tag: CODEQL_BUNDLE_VERSION,
-      });
-    const assetID = release.data.assets[codeQLBundleName];
-    if (assetID !== undefined) {
-      const download = await api
-        .getApiClient(apiDetails)
-        .request(
-          "GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}",
-          { asset_id: assetID }
-        );
-      const downloadURL = download.data.url;
-      logger.info(
-        `Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`
-      );
-      return downloadURL;
-    }
-  } catch (e) {
-    logger.info(
-      `Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`
-    );
-  }
   return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
 }
 
@@ -268,16 +281,10 @@ export async function setupCodeQL(
   codeqlURL: string | undefined,
   apiDetails: api.GitHubApiDetails,
   tempDir: string,
-  toolsDir: string,
   mode: util.Mode,
+  variant: util.GitHubVariant,
   logger: Logger
 ): Promise<{ codeql: CodeQL; toolsVersion: string }> {
-  // Setting these two env vars makes the toolcache code safe to use outside,
-  // of actions but this is obviously not a great thing we're doing and it would
-  // be better to write our own implementation to use outside of actions.
-  process.env["RUNNER_TEMP"] = tempDir;
-  process.env["RUNNER_TOOL_CACHE"] = toolsDir;
-
   try {
     // We use the special value of 'latest' to prioritize the version in the
     // defaults over any pinned cached version.
@@ -314,7 +321,12 @@ export async function setupCodeQL(
       logger.debug(`CodeQL found in cache ${codeqlFolder}`);
     } else {
       if (!codeqlURL) {
-        codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, mode, logger);
+        codeqlURL = await getCodeQLBundleDownloadURL(
+          apiDetails,
+          mode,
+          variant,
+          logger
+        );
       }
 
       const parsedCodeQLURL = new URL(codeqlURL);

src/defaults.json

@@ -1,3 +1,3 @@
 {
-	"bundleVersion": "codeql-bundle-20210304"
+	"bundleVersion": "codeql-bundle-20210308"
 }

src/init-action.ts

@@ -101,9 +101,7 @@ async function run() {
   };
 
   const gitHubVersion = await getGitHubVersion(apiDetails);
-  if (gitHubVersion !== undefined) {
-    checkGitHubVersionInRange(gitHubVersion, "actions", logger);
-  }
+  checkGitHubVersionInRange(gitHubVersion, "actions", logger);
 
   try {
     actionsUtil.prepareLocalRunEnvironment();
@@ -127,8 +125,8 @@ async function run() {
       actionsUtil.getOptionalInput("tools"),
       apiDetails,
       actionsUtil.getTemporaryDirectory(),
-      actionsUtil.getRequiredEnvParam("RUNNER_TOOL_CACHE"),
       "actions",
+      gitHubVersion.type,
       logger
     );
     codeql = initCodeQLResult.codeql;

src/init.ts

@@ -17,8 +17,8 @@ export async function initCodeQL(
   codeqlURL: string | undefined,
   apiDetails: GitHubApiDetails,
   tempDir: string,
-  toolsDir: string,
   mode: util.Mode,
+  variant: util.GitHubVariant,
   logger: Logger
 ): Promise<{ codeql: CodeQL; toolsVersion: string }> {
   logger.startGroup("Setup CodeQL tools");
@@ -26,8 +26,8 @@ export async function initCodeQL(
     codeqlURL,
     apiDetails,
     tempDir,
-    toolsDir,
     mode,
+    variant,
     logger
   );
   await codeql.printVersion();
@@ -192,7 +192,7 @@ export async function installPythonDeps(codeql: CodeQL, logger: Logger) {
 
   const scriptsFolder = path.resolve(__dirname, "../python-setup");
 
-  // Setup tools on the Github hosted runners
+  // Setup tools on the GitHub hosted runners
   if (process.env["ImageOS"] !== undefined) {
     try {
       if (process.platform === "win32") {

src/runner.ts

@@ -19,8 +19,9 @@ import {
   getGitHubVersion,
   getMemoryFlag,
   getThreadsFlag,
-  parseGithubUrl,
+  parseGitHubUrl,
   getGitHubAuth,
+  setupActionsVars,
 } from "./util";
 
 const program = new Command();
@@ -149,6 +150,8 @@ program
       const tempDir = getTempDir(cmd.tempDir);
       const toolsDir = getToolsDir(cmd.toolsDir);
 
+      setupActionsVars(tempDir, toolsDir);
+
       // Wipe the temp dir
       logger.info(`Cleaning temp directory ${tempDir}`);
       fs.rmdirSync(tempDir, { recursive: true });
@@ -163,13 +166,11 @@ program
       const apiDetails = {
         auth,
         externalRepoAuth: auth,
-        url: parseGithubUrl(cmd.githubUrl),
+        url: parseGitHubUrl(cmd.githubUrl),
       };
 
       const gitHubVersion = await getGitHubVersion(apiDetails);
-      if (gitHubVersion !== undefined) {
-        checkGitHubVersionInRange(gitHubVersion, "runner", logger);
-      }
+      checkGitHubVersionInRange(gitHubVersion, "runner", logger);
 
       let codeql: CodeQL;
       if (cmd.codeqlPath !== undefined) {
@@ -180,8 +181,8 @@ program
             undefined,
             apiDetails,
             tempDir,
-            toolsDir,
             "runner",
+            gitHubVersion.type,
             logger
           )
         ).codeql;
@@ -291,6 +292,7 @@ program
             "Was the 'init' command run with the same '--temp-dir' argument as this command."
         );
       }
+      setupActionsVars(config.tempDir, config.toolCacheDir);
       importTracerEnvironment(config);
       let language: Language | undefined = undefined;
       if (cmd.language !== undefined) {
@@ -381,8 +383,6 @@ program
   .action(async (cmd: AnalyzeArgs) => {
     const logger = getRunnerLogger(cmd.debug);
     try {
-      const tempDir = getTempDir(cmd.tempDir);
-      const outputDir = cmd.outputDir || path.join(tempDir, "codeql-sarif");
       const config = await getConfig(getTempDir(cmd.tempDir), logger);
       if (config === undefined) {
         throw new Error(
@@ -390,6 +390,7 @@ program
             "Was the 'init' command run with the same '--temp-dir' argument as this command."
         );
       }
+      setupActionsVars(config.tempDir, config.toolCacheDir);
 
       const auth = await getGitHubAuth(
         logger,
@@ -399,9 +400,11 @@ program
 
       const apiDetails = {
         auth,
-        url: parseGithubUrl(cmd.githubUrl),
+        url: parseGitHubUrl(cmd.githubUrl),
       };
 
+      const outputDir =
+        cmd.outputDir || path.join(config.tempDir, "codeql-sarif");
       await runAnalyze(
         outputDir,
         getMemoryFlag(cmd.ram),
@@ -483,7 +486,7 @@ program
     );
     const apiDetails = {
       auth,
-      url: parseGithubUrl(cmd.githubUrl),
+      url: parseGitHubUrl(cmd.githubUrl),
     };
     try {
       const gitHubVersion = await getGitHubVersion(apiDetails);

src/tracer-config.ts

@@ -185,9 +185,9 @@ export async function getCombinedTracerConfig(
     );
   }
 
-  // On macos it's necessary to prefix the build command with the runner exectuable
+  // On macos it's necessary to prefix the build command with the runner executable
   // on order to trace when System Integrity Protection is enabled.
-  // The exectuable also exists and works for other platforms so we output this env
+  // The executable also exists and works for other platforms so we output this env
   // var with a path to the runner regardless so it's always available.
   const runnerExeName = process.platform === "win32" ? "runner.exe" : "runner";
   mainTracerConfig.env["CODEQL_RUNNER"] = path.join(

src/upload-lib.ts

@@ -176,7 +176,20 @@ function getSarifFilePaths(sarifPath: string) {
 // Counts the number of results in the given SARIF file
 export function countResultsInSarif(sarif: string): number {
   let numResults = 0;
-  for (const run of JSON.parse(sarif).runs) {
+  let parsedSarif;
+  try {
+    parsedSarif = JSON.parse(sarif);
+  } catch (e) {
+    throw new Error(`Invalid SARIF. JSON syntax error: ${e.message}`);
+  }
+  if (!Array.isArray(parsedSarif.runs)) {
+    throw new Error("Invalid SARIF. Missing 'runs' array.");
+  }
+
+  for (const run of parsedSarif.runs) {
+    if (!Array.isArray(run.results)) {
+      throw new Error("Invalid SARIF. Missing 'results' array in run.");
+    }
     numResults += run.results.length;
   }
   return numResults;

src/util.test.ts

@@ -125,62 +125,62 @@ test("getExtraOptionsEnvParam() fails on invalid JSON", (t) => {
   process.env.CODEQL_ACTION_EXTRA_OPTIONS = origExtraOptions;
 });
 
-test("parseGithubUrl", (t) => {
-  t.deepEqual(util.parseGithubUrl("github.com"), "https://github.com");
-  t.deepEqual(util.parseGithubUrl("https://github.com"), "https://github.com");
+test("parseGitHubUrl", (t) => {
+  t.deepEqual(util.parseGitHubUrl("github.com"), "https://github.com");
+  t.deepEqual(util.parseGitHubUrl("https://github.com"), "https://github.com");
   t.deepEqual(
-    util.parseGithubUrl("https://api.github.com"),
+    util.parseGitHubUrl("https://api.github.com"),
     "https://github.com"
   );
   t.deepEqual(
-    util.parseGithubUrl("https://github.com/foo/bar"),
+    util.parseGitHubUrl("https://github.com/foo/bar"),
     "https://github.com"
   );
 
   t.deepEqual(
-    util.parseGithubUrl("github.example.com"),
+    util.parseGitHubUrl("github.example.com"),
     "https://github.example.com/"
   );
   t.deepEqual(
-    util.parseGithubUrl("https://github.example.com"),
+    util.parseGitHubUrl("https://github.example.com"),
     "https://github.example.com/"
   );
   t.deepEqual(
-    util.parseGithubUrl("https://api.github.example.com"),
+    util.parseGitHubUrl("https://api.github.example.com"),
     "https://github.example.com/"
   );
   t.deepEqual(
-    util.parseGithubUrl("https://github.example.com/api/v3"),
+    util.parseGitHubUrl("https://github.example.com/api/v3"),
     "https://github.example.com/"
   );
   t.deepEqual(
-    util.parseGithubUrl("https://github.example.com:1234"),
+    util.parseGitHubUrl("https://github.example.com:1234"),
     "https://github.example.com:1234/"
   );
   t.deepEqual(
-    util.parseGithubUrl("https://api.github.example.com:1234"),
+    util.parseGitHubUrl("https://api.github.example.com:1234"),
     "https://github.example.com:1234/"
   );
   t.deepEqual(
-    util.parseGithubUrl("https://github.example.com:1234/api/v3"),
+    util.parseGitHubUrl("https://github.example.com:1234/api/v3"),
     "https://github.example.com:1234/"
   );
   t.deepEqual(
-    util.parseGithubUrl("https://github.example.com/base/path"),
+    util.parseGitHubUrl("https://github.example.com/base/path"),
     "https://github.example.com/base/path/"
   );
   t.deepEqual(
-    util.parseGithubUrl("https://github.example.com/base/path/api/v3"),
+    util.parseGitHubUrl("https://github.example.com/base/path/api/v3"),
     "https://github.example.com/base/path/"
   );
 
-  t.throws(() => util.parseGithubUrl(""), {
+  t.throws(() => util.parseGitHubUrl(""), {
     message: '"" is not a valid URL',
   });
-  t.throws(() => util.parseGithubUrl("ssh://github.com"), {
+  t.throws(() => util.parseGitHubUrl("ssh://github.com"), {
     message: '"ssh://github.com" is not a http or https URL',
   });
-  t.throws(() => util.parseGithubUrl("http:///::::433"), {
+  t.throws(() => util.parseGitHubUrl("http:///::::433"), {
     message: '"http:///::::433" is not a valid URL',
   });
 });

src/util.ts

@@ -189,7 +189,7 @@ export function getCodeQLDatabasePath(tempDir: string, language: Language) {
  * Parses user input of a github.com or GHES URL to a canonical form.
  * Removes any API prefix or suffix if one is present.
  */
-export function parseGithubUrl(inputUrl: string): string {
+export function parseGitHubUrl(inputUrl: string): string {
   const originalUrl = inputUrl;
   if (inputUrl.indexOf("://") === -1) {
     inputUrl = `https://${inputUrl}`;
@@ -247,7 +247,7 @@ export async function getGitHubVersion(
   apiDetails: GitHubApiDetails
 ): Promise<GitHubVersion> {
   // We can avoid making an API request in the standard dotcom case
-  if (parseGithubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) {
+  if (parseGitHubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) {
     return { type: GitHubVariant.DOTCOM };
   }
 
@@ -390,3 +390,19 @@ export async function getGitHubAuth(
     "No GitHub authentication token was specified. Please provide a token via the GITHUB_TOKEN environment variable, or by adding the `--github-auth-stdin` flag and passing the token via standard input."
   );
 }
+
+// Sets environment variables that make using some libraries designed for
+// use only on actions safe to use outside of actions.
+//
+// Obviously this is not a tremendously great thing we're doing and it
+// would be better to write our own implementation of libraries to use
+// outside of actions. For now this works well enough.
+//
+// Currently this list of libraries that is deemed to now be safe includes:
+// - @actions/tool-cache
+//
+// Also see "queries/unguarded-action-lib.ql".
+export function setupActionsVars(tempDir: string, toolsDir: string) {
+  process.env["RUNNER_TEMP"] = tempDir;
+  process.env["RUNNER_TOOL_CACHE"] = toolsDir;
+}

tests/multi-language-repo/.github/codeql/custom-queries.yml

@@ -23,7 +23,7 @@ queries:
     uses: Anthophila/go-querypack@master
   - name: Cpp queries 
     uses: Anthophila/cpp-querypack@second-branch
-  - name: Javascript queries 
+  - name: JavaScript queries 
     uses: Anthophila/javascript-querypack/show_ifs2.ql@master
   - name: Python queries 
     uses: Anthophila/python-querypack/show_ifs2.ql@second-branch 

tests/multi-language-repo/codeql-qlpacks/javascript-qlpack/show_ifs.ql

@@ -1,6 +1,6 @@
 /**
- * @name Show Javascript Ifs
- * @description Show Javascript Ifs
+ * @name Show JavaScript Ifs
+ * @description Show JavaScript Ifs
  * @kind problem
  * @id inrepo-javascript-querypack/show-ifs
  */