Merge pull request #1547 from github/update-v2.2.5-237a258d2

Merge main into releases/v2

.eslintrc.json

@@ -33,6 +33,12 @@
             "alphabetize": {"order": "asc"},
             "newlines-between": "always"
         }],
+        "max-len": ["error", {
+            "code": 120,
+            "ignoreUrls": true,
+            "ignoreStrings": true,
+            "ignoreTemplateLiterals": true
+        }],
         "no-async-foreach/no-async-foreach": "error",
         "no-console": "off",
         "no-sequences": "error",

.github/workflows/script/check-node-modules.sh

@@ -10,6 +10,10 @@ fi
 # When updating this, make sure to update the npm version in
 # `.github/workflows/update-dependencies.yml` too.
 sudo npm install --force -g npm@9.2.0
+
+# clean the npm cache to ensure we don't have any files owned by root
+sudo npm cache clean --force
+
 # Reinstall modules and then clean to remove absolute paths
 # Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
 npm ci

CHANGELOG.md

@@ -1,9 +1,21 @@
 # CodeQL Action Changelog
 
-## [UNRELEASED]
+## 2.2.5 - 24 Feb 2023
+
+- Update default CodeQL bundle version to 2.12.3. [#1543](https://github.com/github/codeql-action/pull/1543)
+
+## 2.2.4 - 10 Feb 2023
 
 No user facing changes.
 
+## 2.2.3 - 08 Feb 2023
+
+- Update default CodeQL bundle version to 2.12.2. [#1518](https://github.com/github/codeql-action/pull/1518)
+
+## 2.2.2 - 06 Feb 2023
+
+- Fix an issue where customers using the CodeQL Action with the [CodeQL Action sync tool](https://docs.github.com/en/enterprise-server@3.7/admin/code-security/managing-github-advanced-security-for-your-enterprise/configuring-code-scanning-for-your-appliance#configuring-codeql-analysis-on-a-server-without-internet-access) would not be able to obtain the CodeQL tools. [#1517](https://github.com/github/codeql-action/pull/1517)
+
 ## 2.2.1 - 27 Jan 2023
 
 No user facing changes.

CONTRIBUTING.md

@@ -67,12 +67,8 @@ Here are a few things you can do that will increase the likelihood of your pull
     This mergeback incorporates the changelog updates into `main`, tags the release using the merge commit of the "Merge main into releases/v2" pull request, and bumps the patch version of the CodeQL Action.
 
     Approve the mergeback PR and automerge it.
-1. When the "Merge main into releases/v2" pull request is merged into the `releases/v2` branch, the "Update release branch" workflow will create a "Merge releases/v2 into releases/v1" pull request to merge the changes since the last release into the `releases/v1` release branch.
-    This ensures we keep both the `releases/v1` and `releases/v2` release branches up to date and fully supported.
 
-    Review the checklist items in the pull request description.
-    Once you've checked off all the items, approve the PR and automerge it.
-1. Once the mergeback has been merged to `main` and the "Merge releases/v2 into releases/v1" PR has been merged to `releases/v1`, the release is complete.
+Once the mergeback has been merged to `main`, the release is complete.
 
 ## Keeping the PR checks up to date (admin access required)
 

README.md

@@ -1,6 +1,6 @@
 # CodeQL Action
 
-This action runs GitHub's industry-leading semantic code analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/github/codeql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
+This action runs GitHub's industry-leading semantic code analysis engine, [CodeQL](https://codeql.github.com/), against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/github/codeql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
 
 For a list of recent changes, see the CodeQL Action's [changelog](CHANGELOG.md).
 

lib/analyze.js

@@ -126,6 +126,7 @@ async function finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger)
 async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, automationDetailsId, config, logger, featureEnablement) {
     const statusReport = {};
     const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+    const queryFlags = [memoryFlag, threadsFlag];
     await util.logCodeScanningConfigInCli(codeql, featureEnablement, logger);
     for (const language of config.languages) {
         const queries = config.queries[language];
@@ -140,7 +141,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                 // another to interpret the results.
                 logger.startGroup(`Running queries for ${language}`);
                 const startTimeBuiltIn = new Date().getTime();
-                await runQueryGroup(language, "all", undefined, undefined);
+                await runQueryGroup(language, "all", undefined, undefined, true);
                 // TODO should not be using `builtin` here. We should be using `all` instead.
                 // The status report does not support `all` yet.
                 statusReport[`analyze_builtin_queries_${language}_duration_ms`] =
@@ -164,24 +165,29 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                     !hasPackWithCustomQueries) {
                     throw new Error(`Unable to analyze ${language} as no queries were selected for this language`);
                 }
+                const customQueryIndices = [];
+                for (let i = 0; i < queries.custom.length; ++i) {
+                    if (queries.custom[i].queries.length > 0) {
+                        customQueryIndices.push(i);
+                    }
+                }
                 logger.startGroup(`Running queries for ${language}`);
                 const querySuitePaths = [];
-                if (queries["builtin"].length > 0) {
+                if (queries.builtin.length > 0) {
                     const startTimeBuiltIn = new Date().getTime();
-                    querySuitePaths.push((await runQueryGroup(language, "builtin", createQuerySuiteContents(queries["builtin"], queryFilters), undefined)));
+                    querySuitePaths.push((await runQueryGroup(language, "builtin", createQuerySuiteContents(queries.builtin, queryFilters), undefined, customQueryIndices.length === 0 && packsWithVersion.length === 0)));
                     statusReport[`analyze_builtin_queries_${language}_duration_ms`] =
                         new Date().getTime() - startTimeBuiltIn;
                 }
                 const startTimeCustom = new Date().getTime();
                 let ranCustom = false;
-                for (let i = 0; i < queries["custom"].length; ++i) {
-                    if (queries["custom"][i].queries.length > 0) {
-                        querySuitePaths.push((await runQueryGroup(language, `custom-${i}`, createQuerySuiteContents(queries["custom"][i].queries, queryFilters), queries["custom"][i].searchPath)));
-                        ranCustom = true;
-                    }
+                for (const i of customQueryIndices) {
+                    querySuitePaths.push((await runQueryGroup(language, `custom-${i}`, createQuerySuiteContents(queries.custom[i].queries, queryFilters), queries.custom[i].searchPath, i === customQueryIndices[customQueryIndices.length - 1] &&
+                        packsWithVersion.length === 0)));
+                    ranCustom = true;
                 }
                 if (packsWithVersion.length > 0) {
-                    querySuitePaths.push(await runQueryPacks(language, "packs", packsWithVersion, queryFilters));
+                    querySuitePaths.push(await runQueryPacks(language, "packs", packsWithVersion, queryFilters, true));
                     ranCustom = true;
                 }
                 if (ranCustom) {
@@ -218,7 +224,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
         const databasePath = util.getCodeQLDatabasePath(config, language);
         return await codeql.databasePrintBaseline(databasePath);
     }
-    async function runQueryGroup(language, type, querySuiteContents, searchPath) {
+    async function runQueryGroup(language, type, querySuiteContents, searchPath, optimizeForLastQueryRun) {
         const databasePath = util.getCodeQLDatabasePath(config, language);
         // Pass the queries to codeql using a file instead of using the command
         // line to avoid command line length restrictions, particularly on windows.
@@ -229,11 +235,11 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
             fs.writeFileSync(querySuitePath, querySuiteContents);
             logger.debug(`Query suite file for ${language}-${type}...\n${querySuiteContents}`);
         }
-        await codeql.databaseRunQueries(databasePath, searchPath, querySuitePath, memoryFlag, threadsFlag);
+        await codeql.databaseRunQueries(databasePath, searchPath, querySuitePath, queryFlags, optimizeForLastQueryRun);
         logger.debug(`BQRS results produced for ${language} (queries: ${type})"`);
         return querySuitePath;
     }
-    async function runQueryPacks(language, type, packs, queryFilters) {
+    async function runQueryPacks(language, type, packs, queryFilters, optimizeForLastQueryRun) {
         const databasePath = util.getCodeQLDatabasePath(config, language);
         for (const pack of packs) {
             logger.debug(`Running query pack for ${language}-${type}: ${pack}`);
@@ -243,7 +249,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
         const querySuitePath = `${databasePath}-queries-${type}.qls`;
         fs.writeFileSync(querySuitePath, yaml.dump(querySuite));
         logger.debug(`BQRS results produced for ${language} (queries: ${type})"`);
-        await codeql.databaseRunQueries(databasePath, undefined, querySuitePath, memoryFlag, threadsFlag);
+        await codeql.databaseRunQueries(databasePath, undefined, querySuitePath, queryFlags, optimizeForLastQueryRun);
         return querySuitePath;
     }
 }

lib/analyze.test.js

@@ -30,8 +30,10 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
 const yaml = __importStar(require("js-yaml"));
+const sinon = __importStar(require("sinon"));
 const analyze_1 = require("./analyze");
 const codeql_1 = require("./codeql");
+const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
@@ -188,6 +190,126 @@ const util = __importStar(require("./util"));
         }
     }
 });
+function mockCodeQL() {
+    return {
+        getVersion: async () => "2.12.2",
+        databaseRunQueries: sinon.spy(),
+        databaseInterpretResults: async () => "",
+        databasePrintBaseline: async () => "",
+    };
+}
+function createBaseConfig(tmpDir) {
+    return {
+        languages: [],
+        queries: {},
+        pathsIgnore: [],
+        paths: [],
+        originalUserInput: {},
+        tempDir: "tempDir",
+        codeQLCmd: "",
+        gitHubVersion: {
+            type: util.GitHubVariant.DOTCOM,
+        },
+        dbLocation: path.resolve(tmpDir, "codeql_databases"),
+        packs: {},
+        debugMode: false,
+        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
+        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+        augmentationProperties: {
+            injectedMlQueries: false,
+            packsInputCombines: false,
+            queriesInputCombines: false,
+        },
+        trapCaches: {},
+        trapCacheDownloadTime: 0,
+    };
+}
+function createQueryConfig(builtin, custom) {
+    return {
+        builtin,
+        custom: custom.map((c) => ({ searchPath: "/search", queries: [c] })),
+    };
+}
+async function runQueriesWithConfig(config, features) {
+    for (const language of config.languages) {
+        fs.mkdirSync(util.getCodeQLDatabasePath(config, language), {
+            recursive: true,
+        });
+    }
+    return (0, analyze_1.runQueries)("sarif-folder", "--memFlag", "--addSnippetsFlag", "--threadsFlag", undefined, config, (0, logging_1.getRunnerLogger)(true), (0, testing_utils_1.createFeatures)(features));
+}
+function getDatabaseRunQueriesCalls(mock) {
+    return mock.databaseRunQueries.getCalls();
+}
+(0, ava_1.default)("optimizeForLastQueryRun for one language", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp];
+        config.queries.cpp = createQueryConfig(["foo.ql"], []);
+        await runQueriesWithConfig(config, []);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [true]);
+    });
+});
+(0, ava_1.default)("optimizeForLastQueryRun for two languages", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp, languages_1.Language.java];
+        config.queries.cpp = createQueryConfig(["foo.ql"], []);
+        config.queries.java = createQueryConfig(["bar.ql"], []);
+        await runQueriesWithConfig(config, []);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [true, true]);
+    });
+});
+(0, ava_1.default)("optimizeForLastQueryRun for two languages, with custom queries", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp, languages_1.Language.java];
+        config.queries.cpp = createQueryConfig(["foo.ql"], ["c1.ql", "c2.ql"]);
+        config.queries.java = createQueryConfig(["bar.ql"], ["c3.ql"]);
+        await runQueriesWithConfig(config, []);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [false, false, true, false, true]);
+    });
+});
+(0, ava_1.default)("optimizeForLastQueryRun for two languages, with custom queries and packs", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp, languages_1.Language.java];
+        config.queries.cpp = createQueryConfig(["foo.ql"], ["c1.ql", "c2.ql"]);
+        config.queries.java = createQueryConfig(["bar.ql"], ["c3.ql"]);
+        config.packs.cpp = ["a/cpp-pack1@0.1.0"];
+        config.packs.java = ["b/java-pack1@0.2.0", "b/java-pack2@0.3.3"];
+        await runQueriesWithConfig(config, []);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [false, false, false, true, false, false, true]);
+    });
+});
+(0, ava_1.default)("optimizeForLastQueryRun for one language, CliConfigFileEnabled", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp];
+        await runQueriesWithConfig(config, [feature_flags_1.Feature.CliConfigFileEnabled]);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [true]);
+    });
+});
+(0, ava_1.default)("optimizeForLastQueryRun for two languages, CliConfigFileEnabled", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp, languages_1.Language.java];
+        await runQueriesWithConfig(config, [feature_flags_1.Feature.CliConfigFileEnabled]);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [true, true]);
+    });
+});
 (0, ava_1.default)("validateQueryFilters", (t) => {
     t.notThrows(() => (0, analyze_1.validateQueryFilters)([]));
     t.notThrows(() => (0, analyze_1.validateQueryFilters)(undefined));

lib/codeql.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
+exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
@@ -94,6 +94,10 @@ exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = "2.9.0";
  * --extractor-options-verbosity that we need.
  */
 exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";
+/**
+ * Versions 2.11.1+ of the CodeQL Bundle include a `security-experimental` built-in query suite for each language.
+ */
+exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
 /**
  * Set up CodeQL CLI access.
  *
@@ -101,16 +105,15 @@ exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";
  * @param apiDetails
  * @param tempDir
  * @param variant
- * @param bypassToolcache
  * @param defaultCliVersion
  * @param logger
  * @param checkVersion Whether to check that CodeQL CLI meets the minimum
  *        version requirement. Must be set to true outside tests.
  * @returns a { CodeQL, toolsVersion } object.
  */
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, checkVersion) {
     try {
-        const { codeqlFolder, toolsDownloadDurationMs, toolsSource, toolsVersion } = await setupCodeql.setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger);
+        const { codeqlFolder, toolsDownloadDurationMs, toolsSource, toolsVersion } = await setupCodeql.setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger);
         let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
         if (process.platform === "win32") {
             codeqlCmd += ".exe";
@@ -469,17 +472,20 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 throw new Error(`Unexpected output from codeql resolve queries: ${e}`);
             }
         },
-        async databaseRunQueries(databasePath, extraSearchPath, querySuitePath, memoryFlag, threadsFlag) {
+        async databaseRunQueries(databasePath, extraSearchPath, querySuitePath, flags, optimizeForLastQueryRun) {
             const codeqlArgs = [
                 "database",
                 "run-queries",
-                memoryFlag,
-                threadsFlag,
+                ...flags,
                 databasePath,
                 "--min-disk-free=1024",
                 "-v",
                 ...getExtraOptionsFromEnv(["database", "run-queries"]),
             ];
+            if (optimizeForLastQueryRun &&
+                (await util.supportExpectDiscardedCache(this))) {
+                codeqlArgs.push("--expect-discarded-cache");
+            }
             if (extraSearchPath !== undefined) {
                 codeqlArgs.push("--additional-packs", extraSearchPath);
             }

lib/codeql.test.js

@@ -97,7 +97,7 @@ ava_1.default.beforeEach(() => {
  * @returns the download URL for the bundle. This can be passed to the tools parameter of
  * `codeql.setupCodeQL`.
  */
-function mockDownloadApi({ apiDetails = sampleApiDetails, isPinned, tagName, }) {
+function mockDownloadApi({ apiDetails = sampleApiDetails, isPinned, repo = "github/codeql-action", platformSpecific = true, tagName, }) {
     const platform = process.platform === "win32"
         ? "win64"
         : process.platform === "linux"
@@ -105,7 +105,7 @@ function mockDownloadApi({ apiDetails = sampleApiDetails, isPinned, tagName, })
             : "osx64";
     const baseUrl = apiDetails?.url ?? "https://example.com";
     const relativeUrl = apiDetails
-        ? `/github/codeql-action/releases/download/${tagName}/codeql-bundle-${platform}.tar.gz`
+        ? `/${repo}/releases/download/${tagName}/codeql-bundle${platformSpecific ? `-${platform}` : ""}.tar.gz`
         : `/download/${tagName}/codeql-bundle.tar.gz`;
     (0, nock_1.default)(baseUrl)
         .get(relativeUrl)
@@ -114,7 +114,7 @@ function mockDownloadApi({ apiDetails = sampleApiDetails, isPinned, tagName, })
 }
 async function installIntoToolcache({ apiDetails = sampleApiDetails, cliVersion, isPinned, tagName, tmpDir, }) {
     const url = mockDownloadApi({ apiDetails, isPinned, tagName });
-    await codeql.setupCodeQL(cliVersion !== undefined ? undefined : url, apiDetails, tmpDir, util.GitHubVariant.GHES, false, cliVersion !== undefined
+    await codeql.setupCodeQL(cliVersion !== undefined ? undefined : url, apiDetails, tmpDir, util.GitHubVariant.GHES, cliVersion !== undefined
         ? { cliVersion, tagName, variant: util.GitHubVariant.GHES }
         : SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
 }
@@ -153,7 +153,7 @@ function mockApiDetails(apiDetails) {
                 tagName: `codeql-bundle-${version}`,
                 isPinned: false,
             });
-            const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
             t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
             t.is(result.toolsVersion, `0.0.0-${version}`);
             t.is(result.toolsSource, init_1.ToolsSource.Download);
@@ -173,7 +173,7 @@ function mockApiDetails(apiDetails) {
         const url = mockDownloadApi({
             tagName: "codeql-bundle-20200610",
         });
-        const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
         t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
         t.deepEqual(result.toolsVersion, "0.0.0-20200610");
         t.is(result.toolsSource, init_1.ToolsSource.Download);
@@ -207,7 +207,7 @@ for (const { cliVersion, expectedToolcacheVersion, } of EXPLICITLY_REQUESTED_BUN
             const url = mockDownloadApi({
                 tagName: "codeql-bundle-20200610",
             });
-            const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
             t.assert(releaseApiMock.isDone(), "Releases API should have been called");
             t.assert(toolcache.find("CodeQL", expectedToolcacheVersion));
             t.deepEqual(result.toolsVersion, cliVersion);
@@ -256,7 +256,7 @@ for (const { githubReleases, toolcacheVersion } of [
                     }))),
                 }));
             }
-            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
             t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
             t.is(result.toolsSource, init_1.ToolsSource.Toolcache);
             t.is(result.toolsDownloadDurationMs, undefined);
@@ -272,7 +272,7 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
                 isPinned: true,
                 tmpDir,
             });
-            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, false, {
+            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, {
                 cliVersion: defaults.cliVersion,
                 tagName: defaults.bundleVersion,
                 variant,
@@ -295,7 +295,7 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
             mockDownloadApi({
                 tagName: defaults.bundleVersion,
             });
-            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, false, {
+            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, {
                 cliVersion: defaults.cliVersion,
                 tagName: defaults.bundleVersion,
                 variant,
@@ -319,7 +319,7 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
         mockDownloadApi({
             tagName: defaults.bundleVersion,
         });
-        const result = await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
         t.deepEqual(result.toolsVersion, defaults.cliVersion);
         t.is(result.toolsSource, init_1.ToolsSource.Download);
         t.assert(Number.isInteger(result.toolsDownloadDurationMs));
@@ -327,41 +327,73 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
         t.is(cachedVersions.length, 2);
     });
 });
-(0, ava_1.default)("download codeql bundle from github ae endpoint", async (t) => {
+for (const isBundleVersionInUrl of [true, false]) {
+    const inclusionString = isBundleVersionInUrl
+        ? "includes"
+        : "does not include";
+    (0, ava_1.default)(`download codeql bundle from github ae endpoint (URL ${inclusionString} bundle version)`, async (t) => {
+        await util.withTmpDir(async (tmpDir) => {
+            (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+            const bundleAssetID = 10;
+            const platform = process.platform === "win32"
+                ? "win64"
+                : process.platform === "linux"
+                    ? "linux64"
+                    : "osx64";
+            const codeQLBundleName = `codeql-bundle-${platform}.tar.gz`;
+            const eventualDownloadUrl = isBundleVersionInUrl
+                ? `https://example.githubenterprise.com/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`
+                : `https://example.githubenterprise.com/api/v3/repos/github/codeql-action/releases/assets/${bundleAssetID}`;
+            (0, nock_1.default)("https://example.githubenterprise.com")
+                .get(`/api/v3/enterprise/code-scanning/codeql-bundle/find/${defaults.bundleVersion}`)
+                .reply(200, {
+                assets: { [codeQLBundleName]: bundleAssetID },
+            });
+            (0, nock_1.default)("https://example.githubenterprise.com")
+                .get(`/api/v3/enterprise/code-scanning/codeql-bundle/download/${bundleAssetID}`)
+                .reply(200, {
+                url: eventualDownloadUrl,
+            });
+            (0, nock_1.default)("https://example.githubenterprise.com")
+                .get(eventualDownloadUrl.replace("https://example.githubenterprise.com", ""))
+                .replyWithFile(200, path_1.default.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
+            mockApiDetails(sampleGHAEApiDetails);
+            sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
+            process.env["GITHUB_ACTION_REPOSITORY"] = "github/codeql-action";
+            const result = await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, util.GitHubVariant.GHAE, {
+                cliVersion: defaults.cliVersion,
+                tagName: defaults.bundleVersion,
+                variant: util.GitHubVariant.GHAE,
+            }, (0, logging_1.getRunnerLogger)(true), false);
+            t.is(result.toolsSource, init_1.ToolsSource.Download);
+            t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+            const cachedVersions = toolcache.findAllVersions("CodeQL");
+            t.is(cachedVersions.length, 1);
+        });
+    });
+}
+(0, ava_1.default)("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t) => {
     await util.withTmpDir(async (tmpDir) => {
         (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        const bundleAssetID = 10;
-        const platform = process.platform === "win32"
-            ? "win64"
-            : process.platform === "linux"
-                ? "linux64"
-                : "osx64";
-        const codeQLBundleName = `codeql-bundle-${platform}.tar.gz`;
-        (0, nock_1.default)("https://example.githubenterprise.com")
-            .get(`/api/v3/enterprise/code-scanning/codeql-bundle/find/${defaults.bundleVersion}`)
-            .reply(200, {
-            assets: { [codeQLBundleName]: bundleAssetID },
+        mockApiDetails(sampleApiDetails);
+        sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
+        const releasesApiMock = mockReleaseApi({
+            assetNames: ["cli-version-2.12.2.txt"],
+            tagName: "codeql-bundle-20230203",
         });
-        (0, nock_1.default)("https://example.githubenterprise.com")
-            .get(`/api/v3/enterprise/code-scanning/codeql-bundle/download/${bundleAssetID}`)
-            .reply(200, {
-            url: `https://example.githubenterprise.com/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`,
+        mockDownloadApi({
+            repo: "dsp-testing/codeql-cli-nightlies",
+            platformSpecific: false,
+            tagName: "codeql-bundle-20230203",
         });
-        (0, nock_1.default)("https://example.githubenterprise.com")
-            .get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`)
-            .replyWithFile(200, path_1.default.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
-        mockApiDetails(sampleGHAEApiDetails);
-        sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
-        process.env["GITHUB_ACTION_REPOSITORY"] = "github/codeql-action";
-        const result = await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, util.GitHubVariant.GHAE, false, {
-            cliVersion: defaults.cliVersion,
-            tagName: defaults.bundleVersion,
-            variant: util.GitHubVariant.GHAE,
-        }, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        t.is(result.toolsVersion, "0.0.0-20230203");
         t.is(result.toolsSource, init_1.ToolsSource.Download);
-        t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+        t.true(Number.isInteger(result.toolsDownloadDurationMs));
         const cachedVersions = toolcache.findAllVersions("CodeQL");
         t.is(cachedVersions.length, 1);
+        t.is(cachedVersions[0], "0.0.0-20230203");
+        t.false(releasesApiMock.isDone());
     });
 });
 (0, ava_1.default)("getExtraOptions works for explicit paths", (t) => {

lib/config-utils.js

@@ -131,7 +131,11 @@ async function addDefaultQueries(codeQL, languages, resultMap) {
     await runResolveQueries(codeQL, resultMap, suites, undefined);
 }
 // The set of acceptable values for built-in suites from the codeql bundle
-const builtinSuites = ["security-extended", "security-and-quality"];
+const builtinSuites = [
+    "security-experimental",
+    "security-extended",
+    "security-and-quality",
+];
 /**
  * Determine the set of queries associated with suiteName's suites and add them to resultMap.
  * Throws an error if suiteName is not a valid builtin suite.
@@ -143,6 +147,12 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
     if (!found) {
         throw new Error(getQueryUsesInvalid(configFile, suiteName));
     }
+    if (suiteName === "security-experimental" &&
+        !(await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE))) {
+        throw new Error(`The 'security-experimental' suite is not supported on CodeQL CLI versions earlier than 
+      ${codeql_1.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE}. Please upgrade to CodeQL CLI version
+      ${codeql_1.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE} or later.`);
+    }
     // If we're running the JavaScript security-extended analysis (or a superset of it), the repo is
     // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
     // pack, then add the ML-powered query pack so that we run ML-powered queries.
@@ -151,7 +161,9 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
     (process.platform !== "win32" ||
         (await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS))) &&
         languages.includes("javascript") &&
-        (found === "security-extended" || found === "security-and-quality") &&
+        (found === "security-experimental" ||
+            found === "security-extended" ||
+            found === "security-and-quality") &&
         !packs.javascript?.some(isMlPoweredJsQueriesPack) &&
         (await featureEnablement.getValue(feature_flags_1.Feature.MlPoweredQueriesEnabled, codeQL))) {
         if (!packs.javascript) {
@@ -893,7 +905,8 @@ exports.parsePacks = parsePacks;
  * Without a '+', an input value will override the corresponding value in the config file.
  *
  * @param inputValue The input value to process.
- * @returns true if the input value should replace the corresponding value in the config file, false if it should be appended.
+ * @returns true if the input value should replace the corresponding value in the config file,
+ *          false if it should be appended.
  */
 function shouldCombine(inputValue) {
     return !!inputValue?.trim().startsWith("+");

lib/config-utils.test.js

@@ -1014,7 +1014,7 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
 // Test that the ~0.1.0 version of ML-powered queries is run on v2.8.3 of the CLI.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.8.3", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.1.0");
 // Test that ML-powered queries aren't run when the user hasn't specified that we should run the
-// `security-extended` or `security-and-quality` query suite.
+//  `security-extended`, `security-and-quality`, or `security-experimental` query suite.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
 // Test that ML-powered queries are run on non-Windows platforms running `security-extended` on
 // versions of the CodeQL CLI prior to 2.9.0.
@@ -1042,6 +1042,9 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
 // Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
 // CLI 2.11.3+.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.11.3", true, undefined, "security-and-quality", "~0.4.0");
+// Test that ML-powered queries are run on all platforms running `security-experimental` on CodeQL
+// CLI 2.12.1+.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.12.1", true, undefined, "security-experimental", "~0.4.0");
 const calculateAugmentationMacro = ava_1.default.macro({
     exec: async (t, _title, rawPacksInput, rawQueriesInput, languages, expectedAugmentationProperties) => {
         const actualAugmentationProperties = configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, languages);

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-20230120",
-    "cliVersion": "2.12.1",
-    "priorBundleVersion": "codeql-bundle-20230105",
-    "priorCliVersion": "2.12.0"
+    "bundleVersion": "codeql-bundle-20230217",
+    "cliVersion": "2.12.3",
+    "priorBundleVersion": "codeql-bundle-20230207",
+    "priorCliVersion": "2.12.2"
 }

lib/feature-flags.js

@@ -34,27 +34,12 @@ const DEFAULT_VERSION_FEATURE_FLAG_PREFIX = "default_codeql_version_";
 const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled";
 var Feature;
 (function (Feature) {
-    Feature["BypassToolcacheEnabled"] = "bypass_toolcache_enabled";
-    Feature["BypassToolcacheKotlinSwiftEnabled"] = "bypass_toolcache_kotlin_swift_enabled";
     Feature["CliConfigFileEnabled"] = "cli_config_file_enabled";
     Feature["DisableKotlinAnalysisEnabled"] = "disable_kotlin_analysis_enabled";
     Feature["MlPoweredQueriesEnabled"] = "ml_powered_queries_enabled";
-    Feature["TrapCachingEnabled"] = "trap_caching_enabled";
     Feature["UploadFailedSarifEnabled"] = "upload_failed_sarif_enabled";
 })(Feature = exports.Feature || (exports.Feature = {}));
 exports.featureConfig = {
-    [Feature.BypassToolcacheEnabled]: {
-        envVar: "CODEQL_BYPASS_TOOLCACHE",
-        // Cannot specify a minimum version because this flag is checked before we have
-        // access to the CodeQL instance.
-        minimumVersion: undefined,
-    },
-    [Feature.BypassToolcacheKotlinSwiftEnabled]: {
-        envVar: "CODEQL_BYPASS_TOOLCACHE_KOTLIN_SWIFT",
-        // Cannot specify a minimum version because this flag is checked before we have
-        // access to the CodeQL instance.
-        minimumVersion: undefined,
-    },
     [Feature.DisableKotlinAnalysisEnabled]: {
         envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS",
         minimumVersion: undefined,
@@ -67,10 +52,6 @@ exports.featureConfig = {
         envVar: "CODEQL_ML_POWERED_QUERIES",
         minimumVersion: "2.7.5",
     },
-    [Feature.TrapCachingEnabled]: {
-        envVar: "CODEQL_TRAP_CACHING",
-        minimumVersion: undefined,
-    },
     [Feature.UploadFailedSarifEnabled]: {
         envVar: "CODEQL_ACTION_UPLOAD_FAILED_SARIF",
         minimumVersion: "2.11.3",
@@ -105,10 +86,6 @@ class Features {
         if (!codeql && exports.featureConfig[feature].minimumVersion) {
             throw new Error(`Internal error: A minimum version is specified for feature ${feature}, but no instance of CodeQL was provided.`);
         }
-        // Bypassing the toolcache is disabled in test mode.
-        if (feature === Feature.BypassToolcacheEnabled && util.isInTestMode()) {
-            return false;
-        }
         const envVar = (process.env[exports.featureConfig[feature].envVar] || "").toLocaleLowerCase();
         // Do not use this feature if user explicitly disables it via an environment variable.
         if (envVar === "false") {
@@ -136,7 +113,7 @@ class GitHubFeatureFlags {
         this.repositoryNwo = repositoryNwo;
         this.featureFlagsFile = featureFlagsFile;
         this.logger = logger;
-        /**/
+        this.hasAccessedRemoteFeatureFlags = false; // Not accessed by default.
     }
     getCliVersionFromFeatureFlag(f) {
         if (!f.startsWith(DEFAULT_VERSION_FEATURE_FLAG_PREFIX) ||
@@ -157,7 +134,9 @@ class GitHubFeatureFlags {
             const defaultDotComCliVersion = await this.getDefaultDotcomCliVersion();
             return {
                 cliVersion: defaultDotComCliVersion.version,
-                toolsFeatureFlagsValid: defaultDotComCliVersion.toolsFeatureFlagsValid,
+                toolsFeatureFlagsValid: this.hasAccessedRemoteFeatureFlags
+                    ? defaultDotComCliVersion.toolsFeatureFlagsValid
+                    : undefined,
                 variant,
             };
         }
@@ -188,7 +167,9 @@ class GitHubFeatureFlags {
                 `shipped with the Action. This is ${defaults.cliVersion}.`);
             return {
                 version: defaults.cliVersion,
-                toolsFeatureFlagsValid: false,
+                toolsFeatureFlagsValid: this.hasAccessedRemoteFeatureFlags
+                    ? false
+                    : undefined,
             };
         }
         const maxCliVersion = enabledFeatureFlagCliVersions.reduce((maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, enabledFeatureFlagCliVersions[0]);
@@ -255,6 +236,7 @@ class GitHubFeatureFlags {
         // Do nothing when not running against github.com
         if (this.gitHubVersion.type !== util.GitHubVariant.DOTCOM) {
             this.logger.debug("Not running against github.com. Disabling all toggleable features.");
+            this.hasAccessedRemoteFeatureFlags = false;
             return {};
         }
         try {
@@ -265,6 +247,7 @@ class GitHubFeatureFlags {
             const remoteFlags = response.data;
             this.logger.debug("Loaded the following default values for the feature flags from the Code Scanning API: " +
                 `${JSON.stringify(remoteFlags)}`);
+            this.hasAccessedRemoteFeatureFlags = true;
             return remoteFlags;
         }
         catch (e) {
@@ -273,6 +256,7 @@ class GitHubFeatureFlags {
                     "As a result, it will not be opted into any experimental features. " +
                     "This could be because the Action is running on a pull request from a fork. If not, " +
                     `please ensure the Action has the 'security-events: write' permission. Details: ${e}`);
+                this.hasAccessedRemoteFeatureFlags = false;
                 return {};
             }
             else {
@@ -283,7 +267,6 @@ class GitHubFeatureFlags {
                 throw new Error(`Encountered an error while trying to determine feature enablement: ${e}`);
             }
         }
-        return {};
     }
 }
 //# sourceMappingURL=feature-flags.js.map

lib/init-action.js

@@ -46,12 +46,13 @@ async function sendInitStatusReport(actionStatus, startedAt, config, toolsDownlo
         tools_source: toolsSource || init_1.ToolsSource.Unknown,
         workflow_languages: workflowLanguages || "",
     };
-    let initToolsDownloadFields = {};
-    if (toolsSource === init_1.ToolsSource.Download) {
-        initToolsDownloadFields = {
-            tools_download_duration_ms: toolsDownloadDurationMs,
-            tools_feature_flags_valid: toolsFeatureFlagsValid,
-        };
+    const initToolsDownloadFields = {};
+    if (toolsDownloadDurationMs !== undefined) {
+        initToolsDownloadFields.tools_download_duration_ms =
+            toolsDownloadDurationMs;
+    }
+    if (toolsFeatureFlagsValid !== undefined) {
+        initToolsDownloadFields.tools_feature_flags_valid = toolsFeatureFlagsValid;
     }
     if (config !== undefined) {
         const languages = config.languages.join(",");
@@ -122,13 +123,13 @@ async function run() {
         if (codeQLDefaultVersionInfo.variant === util_1.GitHubVariant.DOTCOM) {
             toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid;
         }
-        const initCodeQLResult = await (0, init_1.initCodeQL)((0, actions_util_1.getOptionalInput)("tools"), apiDetails, (0, actions_util_1.getTemporaryDirectory)(), gitHubVersion.type, await (0, util_1.shouldBypassToolcache)(features, (0, actions_util_1.getOptionalInput)("tools"), (0, actions_util_1.getOptionalInput)("languages"), repositoryNwo, logger), codeQLDefaultVersionInfo, logger);
+        const initCodeQLResult = await (0, init_1.initCodeQL)((0, actions_util_1.getOptionalInput)("tools"), apiDetails, (0, actions_util_1.getTemporaryDirectory)(), gitHubVersion.type, codeQLDefaultVersionInfo, logger);
         codeql = initCodeQLResult.codeql;
         toolsDownloadDurationMs = initCodeQLResult.toolsDownloadDurationMs;
         toolsVersion = initCodeQLResult.toolsVersion;
         toolsSource = initCodeQLResult.toolsSource;
         await (0, util_1.enrichEnvironment)(codeql);
-        config = await (0, init_1.initConfig)((0, actions_util_1.getOptionalInput)("languages"), (0, actions_util_1.getOptionalInput)("queries"), (0, actions_util_1.getOptionalInput)("packs"), (0, actions_util_1.getOptionalInput)("registries"), (0, actions_util_1.getOptionalInput)("config-file"), (0, actions_util_1.getOptionalInput)("db-location"), await getTrapCachingEnabled(features), 
+        config = await (0, init_1.initConfig)((0, actions_util_1.getOptionalInput)("languages"), (0, actions_util_1.getOptionalInput)("queries"), (0, actions_util_1.getOptionalInput)("packs"), (0, actions_util_1.getOptionalInput)("registries"), (0, actions_util_1.getOptionalInput)("config-file"), (0, actions_util_1.getOptionalInput)("db-location"), getTrapCachingEnabled(), 
         // Debug mode is enabled if:
         // - The `init` Action is passed `debug: true`.
         // - Actions step debugging is enabled (e.g. by [enabling debug logging for a rerun](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow),
@@ -192,7 +193,7 @@ async function run() {
     }
     await sendInitStatusReport("success", startedAt, config, toolsDownloadDurationMs, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger);
 }
-async function getTrapCachingEnabled(featureEnablement) {
+function getTrapCachingEnabled() {
     // If the workflow specified something always respect that
     const trapCaching = (0, actions_util_1.getOptionalInput)("trap-caching");
     if (trapCaching !== undefined)
@@ -200,8 +201,8 @@ async function getTrapCachingEnabled(featureEnablement) {
     // On self-hosted runners which may have slow network access, disable TRAP caching by default
     if (!(0, util_1.isHostedRunner)())
         return false;
-    // On hosted runners, respect the feature flag
-    return await featureEnablement.getValue(feature_flags_1.Feature.TrapCachingEnabled);
+    // On hosted runners, enable TRAP caching by default
+    return true;
 }
 async function runWrapper() {
     try {

lib/init.js

@@ -41,9 +41,9 @@ var ToolsSource;
     ToolsSource["Toolcache"] = "TOOLCACHE";
     ToolsSource["Download"] = "DOWNLOAD";
 })(ToolsSource = exports.ToolsSource || (exports.ToolsSource = {}));
-async function initCodeQL(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger) {
+async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
     logger.startGroup("Setup CodeQL tools");
-    const { codeql, toolsDownloadDurationMs, toolsSource, toolsVersion } = await (0, codeql_1.setupCodeQL)(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger, true);
+    const { codeql, toolsDownloadDurationMs, toolsSource, toolsVersion } = await (0, codeql_1.setupCodeQL)(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, true);
     await codeql.printVersion();
     logger.endGroup();
     return { codeql, toolsDownloadDurationMs, toolsSource, toolsVersion };

lib/init.js.map

@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA2E;AAC3E,4DAA8C;AAI9C,mDAAwE;AACxE,6CAA+B;AAC/B,iCAA4C;AAE5C,IAAY,WAKX;AALD,WAAY,WAAW;IACrB,kCAAmB,CAAA;IACnB,8BAAe,CAAA;IACf,sCAAuB,CAAA;IACvB,oCAAqB,CAAA;AACvB,CAAC,EALW,WAAW,GAAX,mBAAW,KAAX,mBAAW,QAKtB;AAEM,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,UAA4B,EAC5B,OAAe,EACf,OAA2B,EAC3B,eAAwB,EACxB,iBAA2C,EAC3C,MAAc;IAOd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,GAClE,MAAM,IAAA,oBAAW,EACf,UAAU,EACV,UAAU,EACV,OAAO,EACP,OAAO,EACP,eAAe,EACf,iBAAiB,EACjB,MAAM,EACN,IAAI,CACL,CAAC;IACJ,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;AACxE,CAAC;AA7BD,gCA6BC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,eAAmC,EACnC,UAA8B,EAC9B,UAA8B,EAC9B,kBAA2B,EAC3B,SAAkB,EAClB,iBAAyB,EACzB,iBAAyB,EACzB,UAAyB,EACzB,OAAe,EACf,MAAc,EACd,aAAqB,EACrB,aAAiC,EACjC,UAAoC,EACpC,iBAAoC,EACpC,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,eAAe,EACf,UAAU,EACV,UAAU,EACV,kBAAkB,EAClB,SAAS,EACT,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,OAAO,EACP,MAAM,EACN,aAAa,EACb,aAAa,EACb,UAAU,EACV,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA5CD,gCA4CC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B,EAC1B,UAAkB,EAClB,WAA+B,EAC/B,iBAAoC,EACpC,MAAc;IAEd,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAErD,IAAI;QACF,IAAI,MAAM,IAAA,yBAAkB,EAAC,MAAM,EAAE,mCAA0B,CAAC,EAAE;YAChE,0BAA0B;YAC1B,MAAM,MAAM,CAAC,mBAAmB,CAC9B,MAAM,EACN,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;aAAM;YACL,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;gBACvC,yBAAyB;gBACzB,MAAM,MAAM,CAAC,YAAY,CACvB,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EAC5C,QAAQ,EACR,UAAU,CACX,CAAC;aACH;SACF;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,CAAC,CAAC,CAAC;KACvB;IACD,OAAO,MAAM,IAAA,uCAAuB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC;AAlCD,0BAkCC;AAED;;;;;;;;GAQG;AACH,SAAS,YAAY,CAAC,CAAM;IAC1B,IAAI,CAAC,CAAC,CAAC,YAAY,KAAK,CAAC,EAAE;QACzB,OAAO,CAAC,CAAC;KACV;IAED;IACE,2BAA2B;IAC3B,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,8BAA8B,CAAC;QACnD,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,uCAAuC,CAAC,EAC5D;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CACvB,sDAAsD,CAAC,CAAC,OAAO,EAAE,CAClE,CAAC;KACH;IAED;IACE,+EAA+E;IAC/E,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,wCAAwC,CAAC;QAC7D,gEAAgE;QAChE,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,qBAAqB,CAAC,EAC1C;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;KACtC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,4EAA4E;AAC5E,6EAA6E;AAC7E,+CAA+C;AACxC,KAAK,UAAU,mBAAmB,CACvC,WAA+B,EAC/B,YAAgC,EAChC,MAA0B,EAC1B,MAAc,EACd,YAA0B;IAE1B,IAAI,MAAc,CAAC;IACnB,IAAI,WAAW,KAAK,SAAS,EAAE;QAC7B,MAAM,GAAG;;;;;;;;;;;;uCAY0B,WAAW;;8BAEpB,WAAW;;;;;;;;gDAQO,CAAC;KAC9C;SAAM;QACL,oEAAoE;QACpE,mFAAmF;QACnF,+EAA+E;QAC/E,kFAAkF;QAClF,6EAA6E;QAC7E,oFAAoF;QACpF,6CAA6C;QAC7C,YAAY,GAAG,YAAY,IAAI,CAAC,CAAC;QACjC,MAAM,GAAG;;;;;;;;4BAQe,YAAY;;;;;;;;;;;;;;;;;;;;;gDAqBQ,CAAC;KAC9C;IAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACxE,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC;QACE,kBAAkB;QAClB,QAAQ;QACR,OAAO;QACP,gBAAgB;QAChB,IAAI,CAAC,OAAO,CACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAC9B,OAAO,EACP,OAAO,EACP,YAAY,CACb;KACF,EACD,EAAE,GAAG,EAAE,EAAE,0BAA0B,EAAE,YAAY,CAAC,IAAI,EAAE,EAAE,CAC3D,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AA5FD,kDA4FC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,IAAI;QACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;gBACvE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC;aAC9C,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;SACV;QACD,MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;gBACpE,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,gFAAgF,CAAC,IAAI;YACnF,qGAAqG;YACrG,oGAAoG;YACpG,iDAAiD,CACpD,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAzCD,8CAyCC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA2E;AAC3E,4DAA8C;AAI9C,mDAAwE;AACxE,6CAA+B;AAC/B,iCAA4C;AAE5C,IAAY,WAKX;AALD,WAAY,WAAW;IACrB,kCAAmB,CAAA;IACnB,8BAAe,CAAA;IACf,sCAAuB,CAAA;IACvB,oCAAqB,CAAA;AACvB,CAAC,EALW,WAAW,GAAX,mBAAW,KAAX,mBAAW,QAKtB;AAEM,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,UAA4B,EAC5B,OAAe,EACf,OAA2B,EAC3B,iBAA2C,EAC3C,MAAc;IAOd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,GAClE,MAAM,IAAA,oBAAW,EACf,UAAU,EACV,UAAU,EACV,OAAO,EACP,OAAO,EACP,iBAAiB,EACjB,MAAM,EACN,IAAI,CACL,CAAC;IACJ,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;AACxE,CAAC;AA3BD,gCA2BC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,eAAmC,EACnC,UAA8B,EAC9B,UAA8B,EAC9B,kBAA2B,EAC3B,SAAkB,EAClB,iBAAyB,EACzB,iBAAyB,EACzB,UAAyB,EACzB,OAAe,EACf,MAAc,EACd,aAAqB,EACrB,aAAiC,EACjC,UAAoC,EACpC,iBAAoC,EACpC,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,eAAe,EACf,UAAU,EACV,UAAU,EACV,kBAAkB,EAClB,SAAS,EACT,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,OAAO,EACP,MAAM,EACN,aAAa,EACb,aAAa,EACb,UAAU,EACV,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA5CD,gCA4CC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B,EAC1B,UAAkB,EAClB,WAA+B,EAC/B,iBAAoC,EACpC,MAAc;IAEd,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAErD,IAAI;QACF,IAAI,MAAM,IAAA,yBAAkB,EAAC,MAAM,EAAE,mCAA0B,CAAC,EAAE;YAChE,0BAA0B;YAC1B,MAAM,MAAM,CAAC,mBAAmB,CAC9B,MAAM,EACN,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;aAAM;YACL,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;gBACvC,yBAAyB;gBACzB,MAAM,MAAM,CAAC,YAAY,CACvB,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EAC5C,QAAQ,EACR,UAAU,CACX,CAAC;aACH;SACF;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,CAAC,CAAC,CAAC;KACvB;IACD,OAAO,MAAM,IAAA,uCAAuB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC;AAlCD,0BAkCC;AAED;;;;;;;;GAQG;AACH,SAAS,YAAY,CAAC,CAAM;IAC1B,IAAI,CAAC,CAAC,CAAC,YAAY,KAAK,CAAC,EAAE;QACzB,OAAO,CAAC,CAAC;KACV;IAED;IACE,2BAA2B;IAC3B,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,8BAA8B,CAAC;QACnD,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,uCAAuC,CAAC,EAC5D;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CACvB,sDAAsD,CAAC,CAAC,OAAO,EAAE,CAClE,CAAC;KACH;IAED;IACE,+EAA+E;IAC/E,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,wCAAwC,CAAC;QAC7D,gEAAgE;QAChE,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,qBAAqB,CAAC,EAC1C;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;KACtC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,4EAA4E;AAC5E,6EAA6E;AAC7E,+CAA+C;AACxC,KAAK,UAAU,mBAAmB,CACvC,WAA+B,EAC/B,YAAgC,EAChC,MAA0B,EAC1B,MAAc,EACd,YAA0B;IAE1B,IAAI,MAAc,CAAC;IACnB,IAAI,WAAW,KAAK,SAAS,EAAE;QAC7B,MAAM,GAAG;;;;;;;;;;;;uCAY0B,WAAW;;8BAEpB,WAAW;;;;;;;;gDAQO,CAAC;KAC9C;SAAM;QACL,oEAAoE;QACpE,mFAAmF;QACnF,+EAA+E;QAC/E,kFAAkF;QAClF,6EAA6E;QAC7E,oFAAoF;QACpF,6CAA6C;QAC7C,YAAY,GAAG,YAAY,IAAI,CAAC,CAAC;QACjC,MAAM,GAAG;;;;;;;;4BAQe,YAAY;;;;;;;;;;;;;;;;;;;;;gDAqBQ,CAAC;KAC9C;IAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACxE,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC;QACE,kBAAkB;QAClB,QAAQ;QACR,OAAO;QACP,gBAAgB;QAChB,IAAI,CAAC,OAAO,CACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAC9B,OAAO,EACP,OAAO,EACP,YAAY,CACb;KACF,EACD,EAAE,GAAG,EAAE,EAAE,0BAA0B,EAAE,YAAY,CAAC,IAAI,EAAE,EAAE,CAC3D,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AA5FD,kDA4FC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,IAAI;QACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;gBACvE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC;aAC9C,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;SACV;QACD,MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;gBACpE,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,gFAAgF,CAAC,IAAI;YACnF,qGAAqG;YACrG,oGAAoG;YACpG,iDAAiD,CACpD,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAzCD,8CAyCC"}

lib/languages.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isScannedLanguage = exports.isTracedLanguage = exports.parseLanguage = exports.resolveAlias = exports.KOTLIN_SWIFT_BYPASS = exports.LANGUAGE_ALIASES = exports.Language = void 0;
+exports.isScannedLanguage = exports.isTracedLanguage = exports.parseLanguage = exports.resolveAlias = exports.LANGUAGE_ALIASES = exports.Language = void 0;
 // All the languages supported by CodeQL
 var Language;
 (function (Language) {
@@ -21,7 +21,6 @@ exports.LANGUAGE_ALIASES = {
     kotlin: Language.java,
     typescript: Language.javascript,
 };
-exports.KOTLIN_SWIFT_BYPASS = ["kotlin", "swift"];
 function resolveAlias(lang) {
     return exports.LANGUAGE_ALIASES[lang] || lang;
 }

lib/languages.js.map

@@ -1 +1 @@
-{"version":3,"file":"languages.js","sourceRoot":"","sources":["../src/languages.ts"],"names":[],"mappings":";;;AAAA,wCAAwC;AACxC,IAAY,QASX;AATD,WAAY,QAAQ;IAClB,6BAAiB,CAAA;IACjB,uBAAW,CAAA;IACX,qBAAS,CAAA;IACT,yBAAa,CAAA;IACb,qCAAyB,CAAA;IACzB,6BAAiB,CAAA;IACjB,yBAAa,CAAA;IACb,2BAAe,CAAA;AACjB,CAAC,EATW,QAAQ,GAAR,gBAAQ,KAAR,gBAAQ,QASnB;AAED,iCAAiC;AACpB,QAAA,gBAAgB,GAAiC;IAC5D,CAAC,EAAE,QAAQ,CAAC,GAAG;IACf,KAAK,EAAE,QAAQ,CAAC,GAAG;IACnB,IAAI,EAAE,QAAQ,CAAC,MAAM;IACrB,MAAM,EAAE,QAAQ,CAAC,IAAI;IACrB,UAAU,EAAE,QAAQ,CAAC,UAAU;CAChC,CAAC;AAIW,QAAA,mBAAmB,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;AAEvD,SAAgB,YAAY,CAAC,IAAqB;IAChD,OAAO,wBAAgB,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;AACxC,CAAC;AAFD,oCAEC;AAED;;;;;;;;;GASG;AACH,SAAgB,aAAa,CAAC,QAAgB;IAC5C,0BAA0B;IAC1B,QAAQ,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAEzC,6BAA6B;IAC7B,IAAI,QAAQ,IAAI,QAAQ,EAAE;QACxB,OAAO,QAAoB,CAAC;KAC7B;IAED,iEAAiE;IACjE,oCAAoC;IACpC,IAAI,QAAQ,IAAI,wBAAgB,EAAE;QAChC,OAAO,QAAQ,CAAC;KACjB;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAhBD,sCAgBC;AAED,SAAgB,gBAAgB,CAAC,QAAkB;IACjD,OAAO;QACL,QAAQ,CAAC,GAAG;QACZ,QAAQ,CAAC,MAAM;QACf,QAAQ,CAAC,EAAE;QACX,QAAQ,CAAC,IAAI;QACb,QAAQ,CAAC,KAAK;KACf,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACvB,CAAC;AARD,4CAQC;AAED,SAAgB,iBAAiB,CAAC,QAAkB;IAClD,OAAO,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAFD,8CAEC"}
+{"version":3,"file":"languages.js","sourceRoot":"","sources":["../src/languages.ts"],"names":[],"mappings":";;;AAAA,wCAAwC;AACxC,IAAY,QASX;AATD,WAAY,QAAQ;IAClB,6BAAiB,CAAA;IACjB,uBAAW,CAAA;IACX,qBAAS,CAAA;IACT,yBAAa,CAAA;IACb,qCAAyB,CAAA;IACzB,6BAAiB,CAAA;IACjB,yBAAa,CAAA;IACb,2BAAe,CAAA;AACjB,CAAC,EATW,QAAQ,GAAR,gBAAQ,KAAR,gBAAQ,QASnB;AAED,iCAAiC;AACpB,QAAA,gBAAgB,GAAiC;IAC5D,CAAC,EAAE,QAAQ,CAAC,GAAG;IACf,KAAK,EAAE,QAAQ,CAAC,GAAG;IACnB,IAAI,EAAE,QAAQ,CAAC,MAAM;IACrB,MAAM,EAAE,QAAQ,CAAC,IAAI;IACrB,UAAU,EAAE,QAAQ,CAAC,UAAU;CAChC,CAAC;AAIF,SAAgB,YAAY,CAAC,IAAqB;IAChD,OAAO,wBAAgB,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;AACxC,CAAC;AAFD,oCAEC;AAED;;;;;;;;;GASG;AACH,SAAgB,aAAa,CAAC,QAAgB;IAC5C,0BAA0B;IAC1B,QAAQ,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAEzC,6BAA6B;IAC7B,IAAI,QAAQ,IAAI,QAAQ,EAAE;QACxB,OAAO,QAAoB,CAAC;KAC7B;IAED,iEAAiE;IACjE,oCAAoC;IACpC,IAAI,QAAQ,IAAI,wBAAgB,EAAE;QAChC,OAAO,QAAQ,CAAC;KACjB;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAhBD,sCAgBC;AAED,SAAgB,gBAAgB,CAAC,QAAkB;IACjD,OAAO;QACL,QAAQ,CAAC,GAAG;QACZ,QAAQ,CAAC,MAAM;QACf,QAAQ,CAAC,EAAE;QACX,QAAQ,CAAC,IAAI;QACb,QAAQ,CAAC,KAAK;KACf,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACvB,CAAC;AARD,4CAQC;AAED,SAAgB,iBAAiB,CAAC,QAAkB;IAClD,OAAO,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAFD,8CAEC"}

lib/setup-codeql.js

@@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.setupCodeQLBundle = exports.getCodeQLURLVersion = exports.downloadCodeQL = exports.getCodeQLSource = exports.convertToSemVer = exports.getBundleVersionFromUrl = exports.tryFindCliVersionDotcomOnly = exports.findCodeQLBundleTagDotcomOnly = exports.getCodeQLActionRepository = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = void 0;
+exports.setupCodeQLBundle = exports.getCodeQLURLVersion = exports.downloadCodeQL = exports.tryGetFallbackToolcacheVersion = exports.getCodeQLSource = exports.convertToSemVer = exports.tryGetBundleVersionFromUrl = exports.tryFindCliVersionDotcomOnly = exports.findCodeQLBundleTagDotcomOnly = exports.getCodeQLActionRepository = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const perf_hooks_1 = require("perf_hooks");
@@ -211,21 +211,30 @@ async function getCodeQLBundleDownloadURL(tagName, apiDetails, variant, logger)
     }
     return `https://github.com/${exports.CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${tagName}/${codeQLBundleName}`;
 }
-function getBundleVersionFromTagName(tagName) {
+function tryGetBundleVersionFromTagName(tagName, logger) {
     const match = tagName.match(/^codeql-bundle-(.*)$/);
     if (match === null || match.length < 2) {
-        throw new Error(`Malformed bundle tag name: ${tagName}. Bundle version could not be inferred`);
+        logger.debug(`Could not determine bundle version from tag ${tagName}.`);
+        return undefined;
     }
     return match[1];
 }
-function getBundleVersionFromUrl(url) {
+function tryGetTagNameFromUrl(url, logger) {
     const match = url.match(/\/(codeql-bundle-.*)\//);
     if (match === null || match.length < 2) {
-        throw new Error(`Malformed tools url: ${url}. Bundle version could not be inferred`);
+        logger.debug(`Could not determine tag name for URL ${url}.`);
+        return undefined;
     }
-    return getBundleVersionFromTagName(match[1]);
+    return match[1];
 }
-exports.getBundleVersionFromUrl = getBundleVersionFromUrl;
+function tryGetBundleVersionFromUrl(url, logger) {
+    const tagName = tryGetTagNameFromUrl(url, logger);
+    if (tagName === undefined) {
+        return undefined;
+    }
+    return tryGetBundleVersionFromTagName(tagName, logger);
+}
+exports.tryGetBundleVersionFromUrl = tryGetBundleVersionFromUrl;
 function convertToSemVer(version, logger) {
     if (!semver.valid(version)) {
         logger.debug(`Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`);
@@ -238,18 +247,10 @@ function convertToSemVer(version, logger) {
     return s;
 }
 exports.convertToSemVer = convertToSemVer;
-async function getOrFindBundleTagName(version, logger) {
-    if (version.variant === util.GitHubVariant.DOTCOM) {
-        return await findCodeQLBundleTagDotcomOnly(version.cliVersion, logger);
-    }
-    else {
-        return version.tagName;
-    }
-}
 /**
  * Look for a version of the CodeQL tools in the cache which could override the requested CLI version.
  */
-async function findOverridingToolsInCache(requestedCliVersion, logger) {
+async function findOverridingToolsInCache(humanReadableVersion, logger) {
     const candidates = toolcache
         .findAllVersions("CodeQL")
         .filter(util_1.isGoodVersion)
@@ -260,7 +261,7 @@ async function findOverridingToolsInCache(requestedCliVersion, logger) {
         .filter(({ folder }) => fs.existsSync(path.join(folder, "pinned-version")));
     if (candidates.length === 1) {
         const candidate = candidates[0];
-        logger.debug(`CodeQL tools version ${candidate.version} in toolcache overriding version ${requestedCliVersion}.`);
+        logger.debug(`CodeQL tools version ${candidate.version} in toolcache overriding version ${humanReadableVersion}.`);
         return {
             codeqlFolder: candidate.folder,
             sourceType: "toolcache",
@@ -276,7 +277,7 @@ async function findOverridingToolsInCache(requestedCliVersion, logger) {
     }
     return undefined;
 }
-async function getCodeQLSource(toolsInput, bypassToolcache, defaultCliVersion, apiDetails, variant, logger) {
+async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, logger) {
     if (toolsInput && toolsInput !== "latest" && !toolsInput.startsWith("http")) {
         return {
             codeqlTarPath: toolsInput,
@@ -284,124 +285,166 @@ async function getCodeQLSource(toolsInput, bypassToolcache, defaultCliVersion, a
             toolsVersion: "local",
         };
     }
-    const forceLatestReason = 
-    // We use the special value of 'latest' to prioritize the version in the
-    // defaults over any pinned cached version.
-    toolsInput === "latest"
-        ? '"tools: latest" was requested'
-        : // If the user hasn't requested a particular CodeQL version, then bypass
-            // the toolcache when the appropriate feature is enabled. This
-            // allows us to quickly rollback a broken bundle that has made its way
-            // into the toolcache.
-            toolsInput === undefined && bypassToolcache
-                ? "a specific version of the CodeQL tools was not requested and the bypass toolcache feature is enabled"
-                : undefined;
-    const forceLatest = forceLatestReason !== undefined;
-    if (forceLatest) {
-        logger.debug(`Forcing the latest version of the CodeQL tools since ${forceLatestReason}.`);
-    }
     /**
-     * The requested version is:
+     * Whether the tools shipped with the Action, i.e. those in `defaults.json`, have been forced.
      *
-     * 1. The one in `defaults.json`, if forceLatest is true.
-     * 2. The version specified by the tools input URL, if one was provided.
-     * 3. The default CLI version, otherwise.
-    
-     * We include a `variant` property to let us verify using the type system that
-     * `tagName` is only undefined when the variant is Dotcom. This lets us ensure
-     * that we can always compute `tagName`, either by using the existing tag name
-     * on enterprise instances, or calling `findCodeQLBundleTagDotcomOnly` on
-     * Dotcom.
+     * We use the special value of 'latest' to prioritize the version in `defaults.json` over the
+     * version specified by the feature flags on Dotcom and over any pinned cached version on
+     * Enterprise Server.
      */
-    const requestedVersion = forceLatest
-        ? // case 1
-            {
-                cliVersion: defaults.cliVersion,
-                syntheticCliVersion: defaults.cliVersion,
-                tagName: defaults.bundleVersion,
-                variant,
-            }
-        : toolsInput !== undefined
-            ? // case 2
-                {
-                    syntheticCliVersion: convertToSemVer(getBundleVersionFromUrl(toolsInput), logger),
-                    tagName: `codeql-bundle-${getBundleVersionFromUrl(toolsInput)}`,
-                    url: toolsInput,
-                    variant,
-                }
-            : // case 3
-                {
-                    ...defaultCliVersion,
-                    syntheticCliVersion: defaultCliVersion.cliVersion,
-                };
-    // If we find the specified version, we always use that.
-    let codeqlFolder = toolcache.find("CodeQL", requestedVersion.syntheticCliVersion);
-    let tagName = requestedVersion["tagName"];
-    if (!codeqlFolder) {
-        logger.debug("Didn't find a version of the CodeQL tools in the toolcache with a version number " +
-            `exactly matching ${requestedVersion.syntheticCliVersion}.`);
-        if (requestedVersion.cliVersion) {
+    const forceShippedTools = toolsInput === "latest";
+    if (forceShippedTools) {
+        logger.info("Overriding the version of the CodeQL tools by the version shipped with the Action since " +
+            `"tools: latest" was requested.`);
+    }
+    /** CLI version number, for example 2.12.1. */
+    let cliVersion;
+    /** Tag name of the CodeQL bundle, for example `codeql-bundle-20230120`. */
+    let tagName;
+    /**
+     * URL of the CodeQL bundle.
+     *
+     * This does not always include a tag name.
+     */
+    let url;
+    if (forceShippedTools) {
+        cliVersion = defaults.cliVersion;
+        tagName = defaults.bundleVersion;
+    }
+    else if (toolsInput !== undefined) {
+        // If a tools URL was provided, then use that.
+        tagName = tryGetTagNameFromUrl(toolsInput, logger);
+        url = toolsInput;
+    }
+    else {
+        // Otherwise, use the default CLI version passed in.
+        cliVersion = defaultCliVersion.cliVersion;
+        tagName = defaultCliVersion["tagName"];
+    }
+    const bundleVersion = tagName && tryGetBundleVersionFromTagName(tagName, logger);
+    const humanReadableVersion = cliVersion ??
+        (bundleVersion && convertToSemVer(bundleVersion, logger)) ??
+        tagName ??
+        url ??
+        "unknown";
+    logger.debug("Attempting to obtain CodeQL tools. " +
+        `CLI version: ${cliVersion ?? "unknown"}, ` +
+        `bundle tag name: ${tagName ?? "unknown"}, ` +
+        `URL: ${url ?? "unspecified"}.`);
+    let codeqlFolder;
+    if (cliVersion) {
+        // If we find the specified CLI version, we always use that.
+        codeqlFolder = toolcache.find("CodeQL", cliVersion);
+        // Fall back to matching `x.y.z-<tagName>`.
+        if (!codeqlFolder) {
+            logger.debug("Didn't find a version of the CodeQL tools in the toolcache with a version number " +
+                `exactly matching ${cliVersion}.`);
             const allVersions = toolcache.findAllVersions("CodeQL");
             logger.debug(`Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(allVersions)}.`);
             // If there is exactly one version of the CodeQL tools in the toolcache, and that version is
             // the form `x.y.z-<tagName>`, then use it.
-            const candidateVersions = allVersions.filter((version) => version.startsWith(`${requestedVersion.cliVersion}-`));
+            const candidateVersions = allVersions.filter((version) => version.startsWith(`${cliVersion}-`));
             if (candidateVersions.length === 1) {
-                logger.debug("Exactly one candidate version found, using that.");
+                logger.debug(`Exactly one version of the CodeQL tools starting with ${cliVersion} found in the ` +
+                    "toolcache, using that.");
                 codeqlFolder = toolcache.find("CodeQL", candidateVersions[0]);
             }
+            else if (candidateVersions.length === 0) {
+                logger.debug(`Didn't find any versions of the CodeQL tools starting with ${cliVersion} ` +
+                    `in the toolcache. Trying next fallback method.`);
+            }
             else {
-                logger.debug("Did not find exactly one version of the CodeQL tools starting with the requested version.");
+                logger.warning(`Found ${candidateVersions.length} versions of the CodeQL tools starting with ` +
+                    `${cliVersion} in the toolcache, but at most one was expected.`);
+                logger.debug("Trying next fallback method.");
             }
         }
     }
-    if (!codeqlFolder && requestedVersion.cliVersion) {
-        // Fall back to accepting a `0.0.0-<bundleVersion>` version if we didn't find the
-        // `x.y.z` version. This is to support old versions of the toolcache.
-        //
-        // If we are on Dotcom, we will make an HTTP request to the Releases API here
-        // to find the tag name for the requested version.
-        tagName =
-            tagName || (await getOrFindBundleTagName(requestedVersion, logger));
-        const fallbackVersion = convertToSemVer(getBundleVersionFromTagName(tagName), logger);
-        logger.debug(`Computed a fallback toolcache version number of ${fallbackVersion} for CodeQL tools version ` +
-            `${requestedVersion.cliVersion}.`);
-        codeqlFolder = toolcache.find("CodeQL", fallbackVersion);
+    // Fall back to matching `0.0.0-<bundleVersion>`.
+    if (!codeqlFolder && (cliVersion || tagName)) {
+        if (cliVersion || tagName) {
+            const fallbackVersion = await tryGetFallbackToolcacheVersion(cliVersion, tagName, variant, logger);
+            if (fallbackVersion) {
+                codeqlFolder = toolcache.find("CodeQL", fallbackVersion);
+            }
+            else {
+                logger.debug("Could not determine a fallback toolcache version number for CodeQL tools version " +
+                    `${humanReadableVersion}.`);
+            }
+        }
+        else {
+            logger.debug("Both the CLI version and the bundle version are unknown, so we will not be able to find " +
+                "the requested version of the CodeQL tools in the toolcache.");
+        }
+    }
+    if (codeqlFolder) {
+        logger.info(`Found CodeQL tools version ${humanReadableVersion} in the toolcache.`);
+    }
+    else {
+        logger.info(`Did not find CodeQL tools version ${humanReadableVersion} in the toolcache.`);
     }
     if (codeqlFolder) {
         return {
             codeqlFolder,
             sourceType: "toolcache",
-            toolsVersion: requestedVersion.syntheticCliVersion,
+            toolsVersion: cliVersion ?? humanReadableVersion,
         };
     }
-    logger.debug(`Did not find CodeQL tools version ${requestedVersion.syntheticCliVersion} in the toolcache.`);
     // If we don't find the requested version on Enterprise, we may allow a
     // different version to save download time if the version hasn't been
     // specified explicitly (in which case we always honor it).
-    if (variant !== util.GitHubVariant.DOTCOM && !forceLatest && !toolsInput) {
-        const result = await findOverridingToolsInCache(requestedVersion.syntheticCliVersion, logger);
+    if (variant !== util.GitHubVariant.DOTCOM &&
+        !forceShippedTools &&
+        !toolsInput) {
+        const result = await findOverridingToolsInCache(humanReadableVersion, logger);
         if (result !== undefined) {
             return result;
         }
     }
+    if (!url) {
+        if (!tagName && cliVersion && variant === util.GitHubVariant.DOTCOM) {
+            tagName = await findCodeQLBundleTagDotcomOnly(cliVersion, logger);
+        }
+        else if (!tagName) {
+            throw new Error(`Could not obtain the requested version (${humanReadableVersion}) of the CodeQL tools ` +
+                "since we could not compute the tag name.");
+        }
+        url = await getCodeQLBundleDownloadURL(tagName, apiDetails, variant, logger);
+    }
     return {
-        cliVersion: requestedVersion.cliVersion || undefined,
-        codeqlURL: requestedVersion["url"] ||
-            (await getCodeQLBundleDownloadURL(tagName ||
-                // The check on `requestedVersion.tagName` is redundant but lets us
-                // use the property that if we don't know `requestedVersion.tagName`,
-                // then we must know `requestedVersion.cliVersion`. This property is
-                // required by the type of `getOrFindBundleTagName`.
-                (requestedVersion.tagName !== undefined
-                    ? requestedVersion.tagName
-                    : await getOrFindBundleTagName(requestedVersion, logger)), apiDetails, variant, logger)),
+        bundleVersion: tagName && tryGetBundleVersionFromTagName(tagName, logger),
+        cliVersion,
+        codeqlURL: url,
         sourceType: "download",
-        toolsVersion: requestedVersion.syntheticCliVersion,
+        toolsVersion: cliVersion ?? humanReadableVersion,
     };
 }
 exports.getCodeQLSource = getCodeQLSource;
-async function downloadCodeQL(codeqlURL, maybeCliVersion, apiDetails, variant, tempDir, logger) {
+/**
+ * Gets a fallback version number to use when looking for CodeQL in the toolcache if we didn't find
+ * the `x.y.z` version. This is to support old versions of the toolcache.
+ */
+async function tryGetFallbackToolcacheVersion(cliVersion, tagName, variant, logger) {
+    //
+    // If we are on Dotcom, we will make an HTTP request to the Releases API here
+    // to find the tag name for the requested version.
+    if (cliVersion && !tagName && variant === util.GitHubVariant.DOTCOM) {
+        tagName = await findCodeQLBundleTagDotcomOnly(cliVersion, logger);
+    }
+    if (!tagName) {
+        return undefined;
+    }
+    const bundleVersion = tryGetBundleVersionFromTagName(tagName, logger);
+    if (!bundleVersion) {
+        return undefined;
+    }
+    const fallbackVersion = convertToSemVer(bundleVersion, logger);
+    logger.debug(`Computed a fallback toolcache version number of ${fallbackVersion} for CodeQL version ` +
+        `${cliVersion ?? tagName}.`);
+    return fallbackVersion;
+}
+exports.tryGetFallbackToolcacheVersion = tryGetFallbackToolcacheVersion;
+async function downloadCodeQL(codeqlURL, maybeBundleVersion, maybeCliVersion, apiDetails, variant, tempDir, logger) {
     const parsedCodeQLURL = new URL(codeqlURL);
     const searchParams = new URLSearchParams(parsedCodeQLURL.search);
     const headers = {
@@ -430,12 +473,22 @@ async function downloadCodeQL(codeqlURL, maybeCliVersion, apiDetails, variant, t
     const toolsDownloadDurationMs = Math.round(perf_hooks_1.performance.now() - toolsDownloadStart);
     logger.debug(`CodeQL bundle download to ${codeqlPath} complete.`);
     const codeqlExtracted = await toolcache.extractTar(codeqlPath);
-    const bundleVersion = getBundleVersionFromUrl(codeqlURL);
+    const bundleVersion = maybeBundleVersion ?? tryGetBundleVersionFromUrl(codeqlURL, logger);
+    if (bundleVersion === undefined) {
+        logger.debug("Could not cache CodeQL tools because we could not determine the bundle version from the " +
+            `URL ${codeqlURL}.`);
+        return {
+            toolsVersion: maybeCliVersion ?? "unknown",
+            codeqlFolder: codeqlExtracted,
+            toolsDownloadDurationMs,
+        };
+    }
     // Try to compute the CLI version for this bundle
-    const cliVersion = maybeCliVersion ||
-        (variant === util.GitHubVariant.DOTCOM &&
-            (await tryFindCliVersionDotcomOnly(`codeql-bundle-${bundleVersion}`, logger))) ||
-        undefined;
+    if (maybeCliVersion === undefined &&
+        variant === util.GitHubVariant.DOTCOM &&
+        codeqlURL.includes(`/${exports.CODEQL_DEFAULT_ACTION_REPOSITORY}/`)) {
+        maybeCliVersion = await tryFindCliVersionDotcomOnly(`codeql-bundle-${bundleVersion}`, logger);
+    }
     // Include both the CLI version and the bundle version in the toolcache version number. That way
     // if the user requests the same URL again, we can get it from the cache without having to call
     // any of the Releases API.
@@ -445,11 +498,11 @@ async function downloadCodeQL(codeqlURL, maybeCliVersion, apiDetails, variant, t
     // CLI release. In principle, it should be enough to just check that the CLI version isn't a
     // pre-release, but the version numbers of CodeQL nightlies have the format `x.y.z+<timestamp>`,
     // and we don't want these nightlies to override stable CLI versions in the toolcache.
-    const toolcacheVersion = cliVersion && cliVersion.match(/^[0-9]+\.[0-9]+\.[0-9]+$/)
-        ? `${cliVersion}-${bundleVersion}`
+    const toolcacheVersion = maybeCliVersion?.match(/^[0-9]+\.[0-9]+\.[0-9]+$/)
+        ? `${maybeCliVersion}-${bundleVersion}`
         : convertToSemVer(bundleVersion, logger);
     return {
-        toolsVersion: cliVersion || toolcacheVersion,
+        toolsVersion: maybeCliVersion ?? toolcacheVersion,
         codeqlFolder: await toolcache.cacheDir(codeqlExtracted, "CodeQL", toolcacheVersion),
         toolsDownloadDurationMs,
     };
@@ -470,15 +523,14 @@ exports.getCodeQLURLVersion = getCodeQLURLVersion;
  * @param apiDetails
  * @param tempDir
  * @param variant
- * @param bypassToolcache
  * @param defaultCliVersion
  * @param logger
  * @param checkVersion Whether to check that CodeQL CLI meets the minimum
  *        version requirement. Must be set to true outside tests.
  * @returns the path to the extracted bundle, and the version of the tools
  */
-async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, bypassToolcache, defaultCliVersion, logger) {
-    const source = await getCodeQLSource(toolsInput, bypassToolcache, defaultCliVersion, apiDetails, variant, logger);
+async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
+    const source = await getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, logger);
     let codeqlFolder;
     let toolsVersion = source.toolsVersion;
     let toolsDownloadDurationMs;
@@ -494,7 +546,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, bypas
             toolsSource = init_1.ToolsSource.Toolcache;
             break;
         case "download": {
-            const result = await downloadCodeQL(source.codeqlURL, source.cliVersion, apiDetails, variant, tempDir, logger);
+            const result = await downloadCodeQL(source.codeqlURL, source.bundleVersion, source.cliVersion, apiDetails, variant, tempDir, logger);
             toolsVersion = result.toolsVersion;
             codeqlFolder = result.codeqlFolder;
             toolsDownloadDurationMs = result.toolsDownloadDurationMs;

lib/upload-lib.js

@@ -293,7 +293,8 @@ async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
             if (Date.now() >
                 statusCheckingStarted + STATUS_CHECK_TIMEOUT_MILLISECONDS) {
                 // If the analysis hasn't finished processing in the allotted time, we continue anyway rather than failing.
-                // It's possible the analysis will eventually finish processing, but it's not worth spending more Actions time waiting.
+                // It's possible the analysis will eventually finish processing, but it's not worth spending more
+                // Actions time waiting.
                 logger.warning("Timed out waiting for analysis to finish processing. Continuing.");
                 break;
             }
@@ -329,7 +330,9 @@ async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
             else {
                 util.assertNever(status);
             }
-            await util.delay(STATUS_CHECK_FREQUENCY_MILLISECONDS);
+            await util.delay(STATUS_CHECK_FREQUENCY_MILLISECONDS, {
+                allowProcessExit: false,
+            });
         }
     }
     finally {

lib/util.js

@@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.parseMatrixInput = exports.shouldBypassToolcache = exports.isHostedRunner = exports.checkForTimeout = exports.withTimeout = exports.tryGetFolderBytes = exports.listFolder = exports.doesDirectoryExist = exports.logCodeScanningConfigInCli = exports.useCodeScanningConfigInCli = exports.isInTestMode = exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.enrichEnvironment = exports.initializeEnvironment = exports.EnvVar = exports.assertNever = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DID_AUTOBUILD_GO_ENV_VAR_NAME = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
+exports.parseMatrixInput = exports.isHostedRunner = exports.checkForTimeout = exports.withTimeout = exports.tryGetFolderBytes = exports.listFolder = exports.doesDirectoryExist = exports.logCodeScanningConfigInCli = exports.useCodeScanningConfigInCli = exports.isInTestMode = exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.supportExpectDiscardedCache = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.enrichEnvironment = exports.initializeEnvironment = exports.EnvVar = exports.assertNever = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DID_AUTOBUILD_GO_ENV_VAR_NAME = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
@@ -40,7 +40,6 @@ const apiCompatibility = __importStar(require("./api-compatibility.json"));
 const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const feature_flags_1 = require("./feature-flags");
-const languages_1 = require("./languages");
 const shared_environment_1 = require("./shared-environment");
 /**
  * Specifies bundle versions that are known to be broken
@@ -456,16 +455,33 @@ async function bundleDb(config, language, codeql, dbName) {
     return databaseBundlePath;
 }
 exports.bundleDb = bundleDb;
-async function delay(milliseconds) {
-    // Immediately `unref` the timer such that it only prevents the process from exiting if the
-    // surrounding promise is being awaited.
-    return new Promise((resolve) => setTimeout(resolve, milliseconds).unref());
+/**
+ * @param milliseconds time to delay
+ * @param opts options
+ * @param opts.allowProcessExit if true, the timer will not prevent the process from exiting
+ */
+async function delay(milliseconds, { allowProcessExit }) {
+    return new Promise((resolve) => {
+        const timer = setTimeout(resolve, milliseconds);
+        if (allowProcessExit) {
+            // Immediately `unref` the timer such that it only prevents the process from exiting if the
+            // surrounding promise is being awaited.
+            timer.unref();
+        }
+    });
 }
 exports.delay = delay;
 function isGoodVersion(versionSpec) {
     return !BROKEN_VERSIONS.includes(versionSpec);
 }
 exports.isGoodVersion = isGoodVersion;
+/**
+ * Checks whether the CodeQL CLI supports the `--expect-discarded-cache` command-line flag.
+ */
+async function supportExpectDiscardedCache(codeQL) {
+    return codeQlVersionAbove(codeQL, "2.12.1");
+}
+exports.supportExpectDiscardedCache = supportExpectDiscardedCache;
 exports.ML_POWERED_JS_QUERIES_PACK_NAME = "codeql/javascript-experimental-atm-queries";
 /**
  * Gets the ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
@@ -637,7 +653,7 @@ async function withTimeout(timeoutMs, promise, onTimeout) {
         return result;
     };
     const timeoutTask = async () => {
-        await delay(timeoutMs);
+        await delay(timeoutMs, { allowProcessExit: true });
         if (!finished) {
             // Workaround: While the promise racing below will allow the main code
             // to continue, the process won't normally exit until the asynchronous
@@ -660,7 +676,7 @@ exports.withTimeout = withTimeout;
 async function checkForTimeout() {
     if (hadTimeout === true) {
         core.info("A timeout occurred, force exiting the process after 30 seconds to prevent hanging.");
-        await delay(30000);
+        await delay(30000, { allowProcessExit: true });
         process.exit();
     }
 }
@@ -685,45 +701,6 @@ function isHostedRunner() {
         process.env["RUNNER_TOOL_CACHE"]?.includes("hostedtoolcache"));
 }
 exports.isHostedRunner = isHostedRunner;
-/**
- *
- * @param featuresEnablement The features enabled for the current run
- * @param languagesInput Languages input from the workflow
- * @param repository The owner/name of the repository
- * @param logger A logger
- * @returns A boolean indicating whether or not the toolcache should be bypassed and the latest codeql should be downloaded.
- */
-async function shouldBypassToolcache(featuresEnablement, codeqlUrl, languagesInput, repository, logger) {
-    // An explicit codeql url is specified, that means the toolcache will not be used.
-    if (codeqlUrl) {
-        return true;
-    }
-    // Check if the toolcache is disabled for all languages
-    if (await featuresEnablement.getValue(feature_flags_1.Feature.BypassToolcacheEnabled)) {
-        return true;
-    }
-    // Check if the toolcache is disabled for kotlin and swift.
-    if (!(await featuresEnablement.getValue(feature_flags_1.Feature.BypassToolcacheKotlinSwiftEnabled))) {
-        return false;
-    }
-    // Now check to see if kotlin or swift is one of the languages being analyzed.
-    const { rawLanguages, autodetected } = await (0, config_utils_1.getRawLanguages)(languagesInput, repository, logger);
-    let bypass = rawLanguages.some((lang) => languages_1.KOTLIN_SWIFT_BYPASS.includes(lang));
-    if (bypass) {
-        logger.info(`Bypassing toolcache for kotlin or swift. Languages: ${rawLanguages}`);
-    }
-    else if (!autodetected && rawLanguages.includes(languages_1.Language.java)) {
-        // special case: java was explicitly specified, but there might be
-        // some kotlin in the repository, so we need to make a request for that.
-        const langsInRepo = await (0, config_utils_1.getLanguagesInRepo)(repository, logger);
-        if (langsInRepo.includes("kotlin")) {
-            logger.info(`Bypassing toolcache for kotlin.`);
-            bypass = true;
-        }
-    }
-    return bypass;
-}
-exports.shouldBypassToolcache = shouldBypassToolcache;
 function parseMatrixInput(matrixInput) {
     if (matrixInput === undefined || matrixInput === "null") {
         return undefined;

lib/util.test.js

@@ -33,9 +33,7 @@ const github = __importStar(require("@actions/github"));
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
 const api = __importStar(require("./api-client"));
-const feature_flags_1 = require("./feature-flags");
 const logging_1 = require("./logging");
-const repository_1 = require("./repository");
 const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
 (0, testing_utils_1.setupTests)(ava_1.default);
@@ -325,117 +323,4 @@ const shortTime = 10;
     t.deepEqual(shortTaskTimedOut, false);
     t.deepEqual(result, 99);
 });
-const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
-// eslint-disable-next-line github/array-foreach
-[
-    {
-        name: "disabled",
-        features: [],
-        hasCustomCodeQL: false,
-        languagesInput: undefined,
-        languagesInRepository: [],
-        expected: false,
-        expectedApiCall: false,
-    },
-    {
-        name: "disabled even though swift kotlin bypassed",
-        features: [feature_flags_1.Feature.BypassToolcacheKotlinSwiftEnabled],
-        hasCustomCodeQL: false,
-        languagesInput: undefined,
-        languagesInRepository: [],
-        expected: false,
-        expectedApiCall: true,
-    },
-    {
-        name: "disabled even though swift kotlin analyzed",
-        features: [],
-        hasCustomCodeQL: false,
-        languagesInput: " sWiFt , KoTlIn ",
-        languagesInRepository: [],
-        expected: false,
-        expectedApiCall: false,
-    },
-    {
-        name: "toolcache bypass all",
-        features: [feature_flags_1.Feature.BypassToolcacheEnabled],
-        hasCustomCodeQL: false,
-        languagesInput: undefined,
-        languagesInRepository: [],
-        expected: true,
-        expectedApiCall: false,
-    },
-    {
-        name: "custom CodeQL",
-        features: [],
-        hasCustomCodeQL: true,
-        languagesInput: undefined,
-        languagesInRepository: [],
-        expected: true,
-        expectedApiCall: false,
-    },
-    {
-        name: "bypass swift",
-        features: [feature_flags_1.Feature.BypassToolcacheKotlinSwiftEnabled],
-        hasCustomCodeQL: false,
-        languagesInput: " sWiFt ,other",
-        languagesInRepository: [],
-        expected: true,
-        expectedApiCall: false,
-    },
-    {
-        name: "bypass kotlin",
-        features: [feature_flags_1.Feature.BypassToolcacheKotlinSwiftEnabled],
-        hasCustomCodeQL: false,
-        languagesInput: "other, KoTlIn ",
-        languagesInRepository: [],
-        expected: true,
-        expectedApiCall: false,
-    },
-    {
-        name: "bypass kotlin language from repository",
-        features: [feature_flags_1.Feature.BypassToolcacheKotlinSwiftEnabled],
-        hasCustomCodeQL: false,
-        languagesInput: "",
-        languagesInRepository: ["KoTlIn", "other"],
-        expected: true,
-        expectedApiCall: true,
-    },
-    {
-        name: "bypass swift language from repository",
-        features: [feature_flags_1.Feature.BypassToolcacheKotlinSwiftEnabled],
-        hasCustomCodeQL: false,
-        languagesInput: "",
-        languagesInRepository: ["SwiFt", "other"],
-        expected: true,
-        expectedApiCall: true,
-    },
-    {
-        name: "bypass java from input if there is kotlin in repository",
-        features: [feature_flags_1.Feature.BypassToolcacheKotlinSwiftEnabled],
-        hasCustomCodeQL: false,
-        languagesInput: "java",
-        languagesInRepository: ["kotlin", "other"],
-        expected: true,
-        expectedApiCall: true,
-    },
-    {
-        name: "don't bypass java from input if there is no kotlin in repository",
-        features: [feature_flags_1.Feature.BypassToolcacheKotlinSwiftEnabled],
-        hasCustomCodeQL: false,
-        languagesInput: "java",
-        languagesInRepository: ["java", "other"],
-        expected: false,
-        expectedApiCall: true,
-    },
-].forEach((args) => {
-    (0, ava_1.default)(`shouldBypassToolcache: ${args.name}`, async (t) => {
-        const mockRequest = (0, testing_utils_1.mockLanguagesInRepo)(args.languagesInRepository);
-        const mockLogger = (0, logging_1.getRunnerLogger)(true);
-        const featureEnablement = (0, testing_utils_1.createFeatures)(args.features);
-        const codeqlUrl = args.hasCustomCodeQL ? "custom-codeql-url" : undefined;
-        const actual = await util.shouldBypassToolcache(featureEnablement, codeqlUrl, args.languagesInput, mockRepositoryNwo, mockLogger);
-        t.deepEqual(actual, args.expected);
-        t.deepEqual(mockRequest.called, args.expectedApiCall);
-    });
-});
 //# sourceMappingURL=util.test.js.map

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.2.2",
+  "version": "2.2.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "2.2.2",
+  "version": "2.2.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "2.2.2",
+      "version": "2.2.5",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.1.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.2.2",
+  "version": "2.2.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

src/analyze.test.ts

@@ -3,15 +3,18 @@ import * as path from "path";
 
 import test, { ExecutionContext } from "ava";
 import * as yaml from "js-yaml";
+import * as sinon from "sinon";
 
 import {
   convertPackToQuerySuiteEntry,
   createQuerySuiteContents,
   runQueries,
   validateQueryFilters,
+  QueriesStatusReport,
 } from "./analyze";
-import { setCodeQL } from "./codeql";
-import { Config } from "./config-utils";
+import { CodeQL, setCodeQL } from "./codeql";
+import { Config, QueriesWithSearchPath } from "./config-utils";
+import { Feature } from "./feature-flags";
 import { Language } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { setupTests, setupActionsVars, createFeatures } from "./testing-utils";
@@ -229,6 +232,175 @@ test("status report fields and search path setting", async (t) => {
   }
 });
 
+function mockCodeQL(): Partial<CodeQL> {
+  return {
+    getVersion: async () => "2.12.2",
+    databaseRunQueries: sinon.spy(),
+    databaseInterpretResults: async () => "",
+    databasePrintBaseline: async () => "",
+  };
+}
+
+function createBaseConfig(tmpDir: string): Config {
+  return {
+    languages: [],
+    queries: {},
+    pathsIgnore: [],
+    paths: [],
+    originalUserInput: {},
+    tempDir: "tempDir",
+    codeQLCmd: "",
+    gitHubVersion: {
+      type: util.GitHubVariant.DOTCOM,
+    } as util.GitHubVersion,
+    dbLocation: path.resolve(tmpDir, "codeql_databases"),
+    packs: {},
+    debugMode: false,
+    debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
+    debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+    augmentationProperties: {
+      injectedMlQueries: false,
+      packsInputCombines: false,
+      queriesInputCombines: false,
+    },
+    trapCaches: {},
+    trapCacheDownloadTime: 0,
+  };
+}
+
+function createQueryConfig(
+  builtin: string[],
+  custom: string[]
+): { builtin: string[]; custom: QueriesWithSearchPath[] } {
+  return {
+    builtin,
+    custom: custom.map((c) => ({ searchPath: "/search", queries: [c] })),
+  };
+}
+
+async function runQueriesWithConfig(
+  config: Config,
+  features: Feature[]
+): Promise<QueriesStatusReport> {
+  for (const language of config.languages) {
+    fs.mkdirSync(util.getCodeQLDatabasePath(config, language), {
+      recursive: true,
+    });
+  }
+  return runQueries(
+    "sarif-folder",
+    "--memFlag",
+    "--addSnippetsFlag",
+    "--threadsFlag",
+    undefined,
+    config,
+    getRunnerLogger(true),
+    createFeatures(features)
+  );
+}
+
+function getDatabaseRunQueriesCalls(mock: Partial<CodeQL>) {
+  return (mock.databaseRunQueries as sinon.SinonSpy).getCalls();
+}
+
+test("optimizeForLastQueryRun for one language", async (t) => {
+  return await util.withTmpDir(async (tmpDir) => {
+    const codeql = mockCodeQL();
+    setCodeQL(codeql);
+    const config: Config = createBaseConfig(tmpDir);
+    config.languages = [Language.cpp];
+    config.queries.cpp = createQueryConfig(["foo.ql"], []);
+
+    await runQueriesWithConfig(config, []);
+    t.deepEqual(
+      getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]),
+      [true]
+    );
+  });
+});
+
+test("optimizeForLastQueryRun for two languages", async (t) => {
+  return await util.withTmpDir(async (tmpDir) => {
+    const codeql = mockCodeQL();
+    setCodeQL(codeql);
+    const config: Config = createBaseConfig(tmpDir);
+    config.languages = [Language.cpp, Language.java];
+    config.queries.cpp = createQueryConfig(["foo.ql"], []);
+    config.queries.java = createQueryConfig(["bar.ql"], []);
+
+    await runQueriesWithConfig(config, []);
+    t.deepEqual(
+      getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]),
+      [true, true]
+    );
+  });
+});
+
+test("optimizeForLastQueryRun for two languages, with custom queries", async (t) => {
+  return await util.withTmpDir(async (tmpDir) => {
+    const codeql = mockCodeQL();
+    setCodeQL(codeql);
+    const config: Config = createBaseConfig(tmpDir);
+    config.languages = [Language.cpp, Language.java];
+    config.queries.cpp = createQueryConfig(["foo.ql"], ["c1.ql", "c2.ql"]);
+    config.queries.java = createQueryConfig(["bar.ql"], ["c3.ql"]);
+
+    await runQueriesWithConfig(config, []);
+    t.deepEqual(
+      getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]),
+      [false, false, true, false, true]
+    );
+  });
+});
+
+test("optimizeForLastQueryRun for two languages, with custom queries and packs", async (t) => {
+  return await util.withTmpDir(async (tmpDir) => {
+    const codeql = mockCodeQL();
+    setCodeQL(codeql);
+    const config: Config = createBaseConfig(tmpDir);
+    config.languages = [Language.cpp, Language.java];
+    config.queries.cpp = createQueryConfig(["foo.ql"], ["c1.ql", "c2.ql"]);
+    config.queries.java = createQueryConfig(["bar.ql"], ["c3.ql"]);
+    config.packs.cpp = ["a/cpp-pack1@0.1.0"];
+    config.packs.java = ["b/java-pack1@0.2.0", "b/java-pack2@0.3.3"];
+    await runQueriesWithConfig(config, []);
+    t.deepEqual(
+      getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]),
+      [false, false, false, true, false, false, true]
+    );
+  });
+});
+
+test("optimizeForLastQueryRun for one language, CliConfigFileEnabled", async (t) => {
+  return await util.withTmpDir(async (tmpDir) => {
+    const codeql = mockCodeQL();
+    setCodeQL(codeql);
+    const config: Config = createBaseConfig(tmpDir);
+    config.languages = [Language.cpp];
+
+    await runQueriesWithConfig(config, [Feature.CliConfigFileEnabled]);
+    t.deepEqual(
+      getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]),
+      [true]
+    );
+  });
+});
+
+test("optimizeForLastQueryRun for two languages, CliConfigFileEnabled", async (t) => {
+  return await util.withTmpDir(async (tmpDir) => {
+    const codeql = mockCodeQL();
+    setCodeQL(codeql);
+    const config: Config = createBaseConfig(tmpDir);
+    config.languages = [Language.cpp, Language.java];
+
+    await runQueriesWithConfig(config, [Feature.CliConfigFileEnabled]);
+    t.deepEqual(
+      getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]),
+      [true, true]
+    );
+  });
+});
+
 test("validateQueryFilters", (t) => {
   t.notThrows(() => validateQueryFilters([]));
   t.notThrows(() => validateQueryFilters(undefined));

src/analyze.ts

@@ -212,6 +212,7 @@ export async function runQueries(
   const statusReport: QueriesStatusReport = {};
 
   const codeql = await getCodeQL(config.codeQLCmd);
+  const queryFlags = [memoryFlag, threadsFlag];
 
   await util.logCodeScanningConfigInCli(codeql, featureEnablement, logger);
 
@@ -231,7 +232,7 @@ export async function runQueries(
         // another to interpret the results.
         logger.startGroup(`Running queries for ${language}`);
         const startTimeBuiltIn = new Date().getTime();
-        await runQueryGroup(language, "all", undefined, undefined);
+        await runQueryGroup(language, "all", undefined, undefined, true);
         // TODO should not be using `builtin` here. We should be using `all` instead.
         // The status report does not support `all` yet.
         statusReport[`analyze_builtin_queries_${language}_duration_ms`] =
@@ -267,16 +268,24 @@ export async function runQueries(
           );
         }
 
+        const customQueryIndices: number[] = [];
+        for (let i = 0; i < queries.custom.length; ++i) {
+          if (queries.custom[i].queries.length > 0) {
+            customQueryIndices.push(i);
+          }
+        }
+
         logger.startGroup(`Running queries for ${language}`);
         const querySuitePaths: string[] = [];
-        if (queries["builtin"].length > 0) {
+        if (queries.builtin.length > 0) {
           const startTimeBuiltIn = new Date().getTime();
           querySuitePaths.push(
             (await runQueryGroup(
               language,
               "builtin",
-              createQuerySuiteContents(queries["builtin"], queryFilters),
-              undefined
+              createQuerySuiteContents(queries.builtin, queryFilters),
+              undefined,
+              customQueryIndices.length === 0 && packsWithVersion.length === 0
             )) as string
           );
           statusReport[`analyze_builtin_queries_${language}_duration_ms`] =
@@ -284,21 +293,18 @@ export async function runQueries(
         }
         const startTimeCustom = new Date().getTime();
         let ranCustom = false;
-        for (let i = 0; i < queries["custom"].length; ++i) {
-          if (queries["custom"][i].queries.length > 0) {
-            querySuitePaths.push(
-              (await runQueryGroup(
-                language,
-                `custom-${i}`,
-                createQuerySuiteContents(
-                  queries["custom"][i].queries,
-                  queryFilters
-                ),
-                queries["custom"][i].searchPath
-              )) as string
-            );
-            ranCustom = true;
-          }
+        for (const i of customQueryIndices) {
+          querySuitePaths.push(
+            (await runQueryGroup(
+              language,
+              `custom-${i}`,
+              createQuerySuiteContents(queries.custom[i].queries, queryFilters),
+              queries.custom[i].searchPath,
+              i === customQueryIndices[customQueryIndices.length - 1] &&
+                packsWithVersion.length === 0
+            )) as string
+          );
+          ranCustom = true;
         }
         if (packsWithVersion.length > 0) {
           querySuitePaths.push(
@@ -306,7 +312,8 @@ export async function runQueries(
               language,
               "packs",
               packsWithVersion,
-              queryFilters
+              queryFilters,
+              true
             )
           );
           ranCustom = true;
@@ -373,7 +380,8 @@ export async function runQueries(
     language: Language,
     type: string,
     querySuiteContents: string | undefined,
-    searchPath: string | undefined
+    searchPath: string | undefined,
+    optimizeForLastQueryRun: boolean
   ): Promise<string | undefined> {
     const databasePath = util.getCodeQLDatabasePath(config, language);
     // Pass the queries to codeql using a file instead of using the command
@@ -391,8 +399,8 @@ export async function runQueries(
       databasePath,
       searchPath,
       querySuitePath,
-      memoryFlag,
-      threadsFlag
+      queryFlags,
+      optimizeForLastQueryRun
     );
 
     logger.debug(`BQRS results produced for ${language} (queries: ${type})"`);
@@ -402,7 +410,8 @@ export async function runQueries(
     language: Language,
     type: string,
     packs: string[],
-    queryFilters: configUtils.QueryFilter[]
+    queryFilters: configUtils.QueryFilter[],
+    optimizeForLastQueryRun: boolean
   ): Promise<string> {
     const databasePath = util.getCodeQLDatabasePath(config, language);
 
@@ -424,8 +433,8 @@ export async function runQueries(
       databasePath,
       undefined,
       querySuitePath,
-      memoryFlag,
-      threadsFlag
+      queryFlags,
+      optimizeForLastQueryRun
     );
 
     return querySuitePath;

src/codeql.test.ts

@@ -87,10 +87,14 @@ test.beforeEach(() => {
 function mockDownloadApi({
   apiDetails = sampleApiDetails,
   isPinned,
+  repo = "github/codeql-action",
+  platformSpecific = true,
   tagName,
 }: {
   apiDetails?: GitHubApiDetails;
   isPinned?: boolean;
+  repo?: string;
+  platformSpecific?: boolean;
   tagName: string;
 }): string {
   const platform =
@@ -102,7 +106,9 @@ function mockDownloadApi({
 
   const baseUrl = apiDetails?.url ?? "https://example.com";
   const relativeUrl = apiDetails
-    ? `/github/codeql-action/releases/download/${tagName}/codeql-bundle-${platform}.tar.gz`
+    ? `/${repo}/releases/download/${tagName}/codeql-bundle${
+        platformSpecific ? `-${platform}` : ""
+      }.tar.gz`
     : `/download/${tagName}/codeql-bundle.tar.gz`;
 
   nock(baseUrl)
@@ -137,7 +143,6 @@ async function installIntoToolcache({
     apiDetails,
     tmpDir,
     util.GitHubVariant.GHES,
-    false,
     cliVersion !== undefined
       ? { cliVersion, tagName, variant: util.GitHubVariant.GHES }
       : SAMPLE_DEFAULT_CLI_VERSION,
@@ -199,7 +204,6 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
         sampleApiDetails,
         tmpDir,
         util.GitHubVariant.DOTCOM,
-        false,
         SAMPLE_DEFAULT_CLI_VERSION,
         getRunnerLogger(true),
         false
@@ -233,7 +237,6 @@ test("downloads an explicitly requested bundle even if a different version is ca
       sampleApiDetails,
       tmpDir,
       util.GitHubVariant.DOTCOM,
-      false,
       SAMPLE_DEFAULT_CLI_VERSION,
       getRunnerLogger(true),
       false
@@ -284,7 +287,6 @@ for (const {
         sampleApiDetails,
         tmpDir,
         util.GitHubVariant.DOTCOM,
-        false,
         SAMPLE_DEFAULT_CLI_VERSION,
         getRunnerLogger(true),
         false
@@ -352,7 +354,6 @@ for (const { githubReleases, toolcacheVersion } of [
           sampleApiDetails,
           tmpDir,
           util.GitHubVariant.DOTCOM,
-          false,
           SAMPLE_DEFAULT_CLI_VERSION,
           getRunnerLogger(true),
           false
@@ -381,7 +382,6 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
         sampleApiDetails,
         tmpDir,
         variant,
-        false,
         {
           cliVersion: defaults.cliVersion,
           tagName: defaults.bundleVersion,
@@ -417,7 +417,6 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
         sampleApiDetails,
         tmpDir,
         variant,
-        false,
         {
           cliVersion: defaults.cliVersion,
           tagName: defaults.bundleVersion,
@@ -454,7 +453,6 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
       sampleApiDetails,
       tmpDir,
       util.GitHubVariant.DOTCOM,
-      false,
       SAMPLE_DEFAULT_CLI_VERSION,
       getRunnerLogger(true),
       false
@@ -468,69 +466,118 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
   });
 });
 
-test("download codeql bundle from github ae endpoint", async (t) => {
+for (const isBundleVersionInUrl of [true, false]) {
+  const inclusionString = isBundleVersionInUrl
+    ? "includes"
+    : "does not include";
+  test(`download codeql bundle from github ae endpoint (URL ${inclusionString} bundle version)`, async (t) => {
+    await util.withTmpDir(async (tmpDir) => {
+      setupActionsVars(tmpDir, tmpDir);
+
+      const bundleAssetID = 10;
+
+      const platform =
+        process.platform === "win32"
+          ? "win64"
+          : process.platform === "linux"
+          ? "linux64"
+          : "osx64";
+      const codeQLBundleName = `codeql-bundle-${platform}.tar.gz`;
+
+      const eventualDownloadUrl = isBundleVersionInUrl
+        ? `https://example.githubenterprise.com/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`
+        : `https://example.githubenterprise.com/api/v3/repos/github/codeql-action/releases/assets/${bundleAssetID}`;
+
+      nock("https://example.githubenterprise.com")
+        .get(
+          `/api/v3/enterprise/code-scanning/codeql-bundle/find/${defaults.bundleVersion}`
+        )
+        .reply(200, {
+          assets: { [codeQLBundleName]: bundleAssetID },
+        });
+
+      nock("https://example.githubenterprise.com")
+        .get(
+          `/api/v3/enterprise/code-scanning/codeql-bundle/download/${bundleAssetID}`
+        )
+        .reply(200, {
+          url: eventualDownloadUrl,
+        });
+
+      nock("https://example.githubenterprise.com")
+        .get(
+          eventualDownloadUrl.replace(
+            "https://example.githubenterprise.com",
+            ""
+          )
+        )
+        .replyWithFile(
+          200,
+          path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`)
+        );
+
+      mockApiDetails(sampleGHAEApiDetails);
+      sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
+      process.env["GITHUB_ACTION_REPOSITORY"] = "github/codeql-action";
+
+      const result = await codeql.setupCodeQL(
+        undefined,
+        sampleGHAEApiDetails,
+        tmpDir,
+        util.GitHubVariant.GHAE,
+        {
+          cliVersion: defaults.cliVersion,
+          tagName: defaults.bundleVersion,
+          variant: util.GitHubVariant.GHAE,
+        },
+        getRunnerLogger(true),
+        false
+      );
+
+      t.is(result.toolsSource, ToolsSource.Download);
+      t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+
+      const cachedVersions = toolcache.findAllVersions("CodeQL");
+      t.is(cachedVersions.length, 1);
+    });
+  });
+}
+
+test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t) => {
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
-    const bundleAssetID = 10;
-
-    const platform =
-      process.platform === "win32"
-        ? "win64"
-        : process.platform === "linux"
-        ? "linux64"
-        : "osx64";
-    const codeQLBundleName = `codeql-bundle-${platform}.tar.gz`;
-
-    nock("https://example.githubenterprise.com")
-      .get(
-        `/api/v3/enterprise/code-scanning/codeql-bundle/find/${defaults.bundleVersion}`
-      )
-      .reply(200, {
-        assets: { [codeQLBundleName]: bundleAssetID },
-      });
-
-    nock("https://example.githubenterprise.com")
-      .get(
-        `/api/v3/enterprise/code-scanning/codeql-bundle/download/${bundleAssetID}`
-      )
-      .reply(200, {
-        url: `https://example.githubenterprise.com/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`,
-      });
-
-    nock("https://example.githubenterprise.com")
-      .get(
-        `/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`
-      )
-      .replyWithFile(
-        200,
-        path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`)
-      );
-
-    mockApiDetails(sampleGHAEApiDetails);
-    sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
-    process.env["GITHUB_ACTION_REPOSITORY"] = "github/codeql-action";
+    mockApiDetails(sampleApiDetails);
+    sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
+    const releasesApiMock = mockReleaseApi({
+      assetNames: ["cli-version-2.12.2.txt"],
+      tagName: "codeql-bundle-20230203",
+    });
+    mockDownloadApi({
+      repo: "dsp-testing/codeql-cli-nightlies",
+      platformSpecific: false,
+      tagName: "codeql-bundle-20230203",
+    });
 
     const result = await codeql.setupCodeQL(
-      undefined,
-      sampleGHAEApiDetails,
+      "https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz",
+      sampleApiDetails,
       tmpDir,
-      util.GitHubVariant.GHAE,
-      false,
-      {
-        cliVersion: defaults.cliVersion,
-        tagName: defaults.bundleVersion,
-        variant: util.GitHubVariant.GHAE,
-      },
+      util.GitHubVariant.DOTCOM,
+      SAMPLE_DEFAULT_CLI_VERSION,
       getRunnerLogger(true),
       false
     );
 
+    t.is(result.toolsVersion, "0.0.0-20230203");
     t.is(result.toolsSource, ToolsSource.Download);
-    t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+    t.true(Number.isInteger(result.toolsDownloadDurationMs));
 
     const cachedVersions = toolcache.findAllVersions("CodeQL");
     t.is(cachedVersions.length, 1);
+    t.is(cachedVersions[0], "0.0.0-20230203");
+
+    t.false(releasesApiMock.isDone());
   });
 });
 

src/codeql.ts

@@ -148,13 +148,19 @@ export interface CodeQL {
   ): Promise<void>;
   /**
    * Run 'codeql database run-queries'.
+   *
+   * @param optimizeForLastQueryRun Whether to apply additional optimization for
+   *                                the last database query run in the action.
+   *                                It is always safe to set it to false.
+   *                                It should be set to true only for the very
+   *                                last databaseRunQueries() call.
    */
   databaseRunQueries(
     databasePath: string,
     extraSearchPath: string | undefined,
     querySuitePath: string | undefined,
-    memoryFlag: string,
-    threadsFlag: string
+    flags: string[],
+    optimizeForLastQueryRun: boolean
   ): Promise<void>;
   /**
    * Run 'codeql database interpret-results'.
@@ -278,6 +284,11 @@ export const CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = "2.9.0";
  */
 export const CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";
 
+/**
+ * Versions 2.11.1+ of the CodeQL Bundle include a `security-experimental` built-in query suite for each language.
+ */
+export const CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
+
 /**
  * Set up CodeQL CLI access.
  *
@@ -285,7 +296,6 @@ export const CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";
  * @param apiDetails
  * @param tempDir
  * @param variant
- * @param bypassToolcache
  * @param defaultCliVersion
  * @param logger
  * @param checkVersion Whether to check that CodeQL CLI meets the minimum
@@ -297,7 +307,6 @@ export async function setupCodeQL(
   apiDetails: api.GitHubApiDetails,
   tempDir: string,
   variant: util.GitHubVariant,
-  bypassToolcache: boolean,
   defaultCliVersion: CodeQLDefaultVersionInfo,
   logger: Logger,
   checkVersion: boolean
@@ -314,7 +323,6 @@ export async function setupCodeQL(
         apiDetails,
         tempDir,
         variant,
-        bypassToolcache,
         defaultCliVersion,
         logger
       );
@@ -787,19 +795,24 @@ export async function getCodeQLForCmd(
       databasePath: string,
       extraSearchPath: string | undefined,
       querySuitePath: string | undefined,
-      memoryFlag: string,
-      threadsFlag: string
+      flags: string[],
+      optimizeForLastQueryRun: boolean
     ): Promise<void> {
       const codeqlArgs = [
         "database",
         "run-queries",
-        memoryFlag,
-        threadsFlag,
+        ...flags,
         databasePath,
         "--min-disk-free=1024", // Try to leave at least 1GB free
         "-v",
         ...getExtraOptionsFromEnv(["database", "run-queries"]),
       ];
+      if (
+        optimizeForLastQueryRun &&
+        (await util.supportExpectDiscardedCache(this))
+      ) {
+        codeqlArgs.push("--expect-discarded-cache");
+      }
       if (extraSearchPath !== undefined) {
         codeqlArgs.push("--additional-packs", extraSearchPath);
       }

src/config-utils.test.ts

@@ -1993,7 +1993,7 @@ test(
   process.platform === "win32" ? undefined : "~0.1.0"
 );
 // Test that ML-powered queries aren't run when the user hasn't specified that we should run the
-// `security-extended` or `security-and-quality` query suite.
+//  `security-extended`, `security-and-quality`, or `security-experimental` query suite.
 test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
 // Test that ML-powered queries are run on non-Windows platforms running `security-extended` on
 // versions of the CodeQL CLI prior to 2.9.0.
@@ -2074,7 +2074,6 @@ test(
   "security-extended",
   "~0.4.0"
 );
-
 // Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
 // CLI 2.11.3+.
 test(
@@ -2085,6 +2084,16 @@ test(
   "security-and-quality",
   "~0.4.0"
 );
+// Test that ML-powered queries are run on all platforms running `security-experimental` on CodeQL
+// CLI 2.12.1+.
+test(
+  mlPoweredQueriesMacro,
+  "2.12.1",
+  true,
+  undefined,
+  "security-experimental",
+  "~0.4.0"
+);
 
 const calculateAugmentationMacro = test.macro({
   exec: async (

src/config-utils.ts

@@ -10,6 +10,7 @@ import {
   CodeQL,
   CODEQL_VERSION_GHES_PACK_DOWNLOAD,
   CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS,
+  CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE,
   ResolveQueriesOutput,
 } from "./codeql";
 import * as externalQueries from "./external-queries";
@@ -380,7 +381,11 @@ async function addDefaultQueries(
 }
 
 // The set of acceptable values for built-in suites from the codeql bundle
-const builtinSuites = ["security-extended", "security-and-quality"] as const;
+const builtinSuites = [
+  "security-experimental",
+  "security-extended",
+  "security-and-quality",
+] as const;
 
 /**
  * Determine the set of queries associated with suiteName's suites and add them to resultMap.
@@ -401,6 +406,19 @@ async function addBuiltinSuiteQueries(
   if (!found) {
     throw new Error(getQueryUsesInvalid(configFile, suiteName));
   }
+  if (
+    suiteName === "security-experimental" &&
+    !(await codeQlVersionAbove(
+      codeQL,
+      CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE
+    ))
+  ) {
+    throw new Error(
+      `The 'security-experimental' suite is not supported on CodeQL CLI versions earlier than 
+      ${CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE}. Please upgrade to CodeQL CLI version
+      ${CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE} or later.`
+    );
+  }
 
   // If we're running the JavaScript security-extended analysis (or a superset of it), the repo is
   // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
@@ -413,7 +431,9 @@ async function addBuiltinSuiteQueries(
         CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS
       ))) &&
     languages.includes("javascript") &&
-    (found === "security-extended" || found === "security-and-quality") &&
+    (found === "security-experimental" ||
+      found === "security-extended" ||
+      found === "security-and-quality") &&
     !packs.javascript?.some(isMlPoweredJsQueriesPack) &&
     (await featureEnablement.getValue(Feature.MlPoweredQueriesEnabled, codeQL))
   ) {
@@ -1630,7 +1650,8 @@ export function parsePacks(
  * Without a '+', an input value will override the corresponding value in the config file.
  *
  * @param inputValue The input value to process.
- * @returns true if the input value should replace the corresponding value in the config file, false if it should be appended.
+ * @returns true if the input value should replace the corresponding value in the config file,
+ *          false if it should be appended.
  */
 function shouldCombine(inputValue?: string): boolean {
   return !!inputValue?.trim().startsWith("+");

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-20230120",
-  "cliVersion": "2.12.1",
-  "priorBundleVersion": "codeql-bundle-20230105",
-  "priorCliVersion": "2.12.0"
+  "bundleVersion": "codeql-bundle-20230217",
+  "cliVersion": "2.12.3",
+  "priorBundleVersion": "codeql-bundle-20230207",
+  "priorCliVersion": "2.12.2"
 }

src/feature-flags.ts

@@ -34,12 +34,9 @@ export interface FeatureEnablement {
 }
 
 export enum Feature {
-  BypassToolcacheEnabled = "bypass_toolcache_enabled",
-  BypassToolcacheKotlinSwiftEnabled = "bypass_toolcache_kotlin_swift_enabled",
   CliConfigFileEnabled = "cli_config_file_enabled",
   DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
   MlPoweredQueriesEnabled = "ml_powered_queries_enabled",
-  TrapCachingEnabled = "trap_caching_enabled",
   UploadFailedSarifEnabled = "upload_failed_sarif_enabled",
 }
 
@@ -47,18 +44,6 @@ export const featureConfig: Record<
   Feature,
   { envVar: string; minimumVersion: string | undefined }
 > = {
-  [Feature.BypassToolcacheEnabled]: {
-    envVar: "CODEQL_BYPASS_TOOLCACHE",
-    // Cannot specify a minimum version because this flag is checked before we have
-    // access to the CodeQL instance.
-    minimumVersion: undefined,
-  },
-  [Feature.BypassToolcacheKotlinSwiftEnabled]: {
-    envVar: "CODEQL_BYPASS_TOOLCACHE_KOTLIN_SWIFT",
-    // Cannot specify a minimum version because this flag is checked before we have
-    // access to the CodeQL instance.
-    minimumVersion: undefined,
-  },
   [Feature.DisableKotlinAnalysisEnabled]: {
     envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS",
     minimumVersion: undefined,
@@ -71,10 +56,6 @@ export const featureConfig: Record<
     envVar: "CODEQL_ML_POWERED_QUERIES",
     minimumVersion: "2.7.5",
   },
-  [Feature.TrapCachingEnabled]: {
-    envVar: "CODEQL_TRAP_CACHING",
-    minimumVersion: undefined,
-  },
   [Feature.UploadFailedSarifEnabled]: {
     envVar: "CODEQL_ACTION_UPLOAD_FAILED_SARIF",
     minimumVersion: "2.11.3",
@@ -138,11 +119,6 @@ export class Features implements FeatureEnablement {
       );
     }
 
-    // Bypassing the toolcache is disabled in test mode.
-    if (feature === Feature.BypassToolcacheEnabled && util.isInTestMode()) {
-      return false;
-    }
-
     const envVar = (
       process.env[featureConfig[feature].envVar] || ""
     ).toLocaleLowerCase();
@@ -172,13 +148,17 @@ export class Features implements FeatureEnablement {
 class GitHubFeatureFlags implements FeatureEnablement {
   private cachedApiResponse: GitHubFeatureFlagsApiResponse | undefined;
 
+  // We cache whether the feature flags were accessed or not in order to accurately report whether flags were
+  // incorrectly configured vs. inaccessible in our telemetry.
+  private hasAccessedRemoteFeatureFlags: boolean;
+
   constructor(
     private readonly gitHubVersion: util.GitHubVersion,
     private readonly repositoryNwo: RepositoryNwo,
     private readonly featureFlagsFile: string,
     private readonly logger: Logger
   ) {
-    /**/
+    this.hasAccessedRemoteFeatureFlags = false; // Not accessed by default.
   }
 
   private getCliVersionFromFeatureFlag(f: string): string | undefined {
@@ -211,7 +191,9 @@ class GitHubFeatureFlags implements FeatureEnablement {
       const defaultDotComCliVersion = await this.getDefaultDotcomCliVersion();
       return {
         cliVersion: defaultDotComCliVersion.version,
-        toolsFeatureFlagsValid: defaultDotComCliVersion.toolsFeatureFlagsValid,
+        toolsFeatureFlagsValid: this.hasAccessedRemoteFeatureFlags
+          ? defaultDotComCliVersion.toolsFeatureFlagsValid
+          : undefined,
         variant,
       };
     }
@@ -224,7 +206,7 @@ class GitHubFeatureFlags implements FeatureEnablement {
 
   async getDefaultDotcomCliVersion(): Promise<{
     version: string;
-    toolsFeatureFlagsValid: boolean;
+    toolsFeatureFlagsValid: boolean | undefined;
   }> {
     const response = await this.getAllFeatures();
 
@@ -252,7 +234,9 @@ class GitHubFeatureFlags implements FeatureEnablement {
       );
       return {
         version: defaults.cliVersion,
-        toolsFeatureFlagsValid: false,
+        toolsFeatureFlagsValid: this.hasAccessedRemoteFeatureFlags
+          ? false
+          : undefined,
       };
     }
 
@@ -350,6 +334,7 @@ class GitHubFeatureFlags implements FeatureEnablement {
       this.logger.debug(
         "Not running against github.com. Disabling all toggleable features."
       );
+      this.hasAccessedRemoteFeatureFlags = false;
       return {};
     }
     try {
@@ -365,6 +350,7 @@ class GitHubFeatureFlags implements FeatureEnablement {
         "Loaded the following default values for the feature flags from the Code Scanning API: " +
           `${JSON.stringify(remoteFlags)}`
       );
+      this.hasAccessedRemoteFeatureFlags = true;
       return remoteFlags;
     } catch (e) {
       if (util.isHTTPError(e) && e.status === 403) {
@@ -374,6 +360,7 @@ class GitHubFeatureFlags implements FeatureEnablement {
             "This could be because the Action is running on a pull request from a fork. If not, " +
             `please ensure the Action has the 'security-events: write' permission. Details: ${e}`
         );
+        this.hasAccessedRemoteFeatureFlags = false;
         return {};
       } else {
         // Some features, such as `ml_powered_queries_enabled` affect the produced alerts.
@@ -385,6 +372,5 @@ class GitHubFeatureFlags implements FeatureEnablement {
         );
       }
     }
-    return {};
   }
 }

src/init-action.ts

@@ -16,7 +16,7 @@ import {
 import { getGitHubVersion } from "./api-client";
 import { CodeQL, CODEQL_VERSION_NEW_TRACING } from "./codeql";
 import * as configUtils from "./config-utils";
-import { Feature, FeatureEnablement, Features } from "./feature-flags";
+import { Feature, Features } from "./feature-flags";
 import {
   initCodeQL,
   initConfig,
@@ -43,7 +43,6 @@ import {
   GitHubVariant,
   initializeEnvironment,
   isHostedRunner,
-  shouldBypassToolcache,
 } from "./util";
 import { validateWorkflow } from "./workflow";
 
@@ -87,7 +86,9 @@ interface InitWithConfigStatusReport extends InitStatusReport {
 interface InitToolsDownloadFields {
   /** Time taken to download the bundle, in milliseconds. */
   tools_download_duration_ms?: number;
-  /** Whether the relevant tools dotcom feature flags have been misconfigured. Only populated if we attempt to determine the default version based on the dotcom feature flags. */
+  /**
+   * Whether the relevant tools dotcom feature flags have been misconfigured.
+   * Only populated if we attempt to determine the default version based on the dotcom feature flags. */
   tools_feature_flags_valid?: boolean;
 }
 
@@ -117,13 +118,14 @@ async function sendInitStatusReport(
     workflow_languages: workflowLanguages || "",
   };
 
-  let initToolsDownloadFields: InitToolsDownloadFields = {};
+  const initToolsDownloadFields: InitToolsDownloadFields = {};
 
-  if (toolsSource === ToolsSource.Download) {
-    initToolsDownloadFields = {
-      tools_download_duration_ms: toolsDownloadDurationMs,
-      tools_feature_flags_valid: toolsFeatureFlagsValid,
-    };
+  if (toolsDownloadDurationMs !== undefined) {
+    initToolsDownloadFields.tools_download_duration_ms =
+      toolsDownloadDurationMs;
+  }
+  if (toolsFeatureFlagsValid !== undefined) {
+    initToolsDownloadFields.tools_feature_flags_valid = toolsFeatureFlagsValid;
   }
 
   if (config !== undefined) {
@@ -236,13 +238,6 @@ async function run() {
       apiDetails,
       getTemporaryDirectory(),
       gitHubVersion.type,
-      await shouldBypassToolcache(
-        features,
-        getOptionalInput("tools"),
-        getOptionalInput("languages"),
-        repositoryNwo,
-        logger
-      ),
       codeQLDefaultVersionInfo,
       logger
     );
@@ -259,7 +254,7 @@ async function run() {
       getOptionalInput("registries"),
       getOptionalInput("config-file"),
       getOptionalInput("db-location"),
-      await getTrapCachingEnabled(features),
+      getTrapCachingEnabled(),
       // Debug mode is enabled if:
       // - The `init` Action is passed `debug: true`.
       // - Actions step debugging is enabled (e.g. by [enabling debug logging for a rerun](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow),
@@ -391,9 +386,7 @@ async function run() {
   );
 }
 
-async function getTrapCachingEnabled(
-  featureEnablement: FeatureEnablement
-): Promise<boolean> {
+function getTrapCachingEnabled(): boolean {
   // If the workflow specified something always respect that
   const trapCaching = getOptionalInput("trap-caching");
   if (trapCaching !== undefined) return trapCaching === "true";
@@ -401,8 +394,8 @@ async function getTrapCachingEnabled(
   // On self-hosted runners which may have slow network access, disable TRAP caching by default
   if (!isHostedRunner()) return false;
 
-  // On hosted runners, respect the feature flag
-  return await featureEnablement.getValue(Feature.TrapCachingEnabled);
+  // On hosted runners, enable TRAP caching by default
+  return true;
 }
 
 async function runWrapper() {

src/init.ts

@@ -27,7 +27,6 @@ export async function initCodeQL(
   apiDetails: GitHubApiDetails,
   tempDir: string,
   variant: util.GitHubVariant,
-  bypassToolcache: boolean,
   defaultCliVersion: CodeQLDefaultVersionInfo,
   logger: Logger
 ): Promise<{
@@ -43,7 +42,6 @@ export async function initCodeQL(
       apiDetails,
       tempDir,
       variant,
-      bypassToolcache,
       defaultCliVersion,
       logger,
       true

src/languages.ts

@@ -21,8 +21,6 @@ export const LANGUAGE_ALIASES: { [lang: string]: Language } = {
 
 export type LanguageOrAlias = Language | keyof typeof LANGUAGE_ALIASES;
 
-export const KOTLIN_SWIFT_BYPASS = ["kotlin", "swift"];
-
 export function resolveAlias(lang: LanguageOrAlias): Language {
   return LANGUAGE_ALIASES[lang] || lang;
 }

src/setup-codeql.ts

@@ -241,24 +241,36 @@ async function getCodeQLBundleDownloadURL(
   return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${tagName}/${codeQLBundleName}`;
 }
 
-function getBundleVersionFromTagName(tagName: string): string {
+function tryGetBundleVersionFromTagName(
+  tagName: string,
+  logger: Logger
+): string | undefined {
   const match = tagName.match(/^codeql-bundle-(.*)$/);
   if (match === null || match.length < 2) {
-    throw new Error(
-      `Malformed bundle tag name: ${tagName}. Bundle version could not be inferred`
-    );
+    logger.debug(`Could not determine bundle version from tag ${tagName}.`);
+    return undefined;
   }
   return match[1];
 }
 
-export function getBundleVersionFromUrl(url: string): string {
+function tryGetTagNameFromUrl(url: string, logger: Logger): string | undefined {
   const match = url.match(/\/(codeql-bundle-.*)\//);
   if (match === null || match.length < 2) {
-    throw new Error(
-      `Malformed tools url: ${url}. Bundle version could not be inferred`
-    );
+    logger.debug(`Could not determine tag name for URL ${url}.`);
+    return undefined;
   }
-  return getBundleVersionFromTagName(match[1]);
+  return match[1];
+}
+
+export function tryGetBundleVersionFromUrl(
+  url: string,
+  logger: Logger
+): string | undefined {
+  const tagName = tryGetTagNameFromUrl(url, logger);
+  if (tagName === undefined) {
+    return undefined;
+  }
+  return tryGetBundleVersionFromTagName(tagName, logger);
 }
 
 export function convertToSemVer(version: string, logger: Logger): string {
@@ -291,6 +303,8 @@ type CodeQLToolsSource =
       toolsVersion: string;
     }
   | {
+      /** Bundle version of the tools, if known. */
+      bundleVersion?: string;
       /** CLI version of the tools, if known. */
       cliVersion?: string;
       codeqlURL: string;
@@ -299,22 +313,11 @@ type CodeQLToolsSource =
       toolsVersion: string;
     };
 
-async function getOrFindBundleTagName(
-  version: CodeQLDefaultVersionInfo,
-  logger: Logger
-): Promise<string> {
-  if (version.variant === util.GitHubVariant.DOTCOM) {
-    return await findCodeQLBundleTagDotcomOnly(version.cliVersion, logger);
-  } else {
-    return version.tagName;
-  }
-}
-
 /**
  * Look for a version of the CodeQL tools in the cache which could override the requested CLI version.
  */
 async function findOverridingToolsInCache(
-  requestedCliVersion: string,
+  humanReadableVersion: string,
   logger: Logger
 ): Promise<CodeQLToolsSource | undefined> {
   const candidates = toolcache
@@ -329,7 +332,7 @@ async function findOverridingToolsInCache(
   if (candidates.length === 1) {
     const candidate = candidates[0];
     logger.debug(
-      `CodeQL tools version ${candidate.version} in toolcache overriding version ${requestedCliVersion}.`
+      `CodeQL tools version ${candidate.version} in toolcache overriding version ${humanReadableVersion}.`
     );
     return {
       codeqlFolder: candidate.folder,
@@ -351,7 +354,6 @@ async function findOverridingToolsInCache(
 
 export async function getCodeQLSource(
   toolsInput: string | undefined,
-  bypassToolcache: boolean,
   defaultCliVersion: CodeQLDefaultVersionInfo,
   apiDetails: api.GitHubApiDetails,
   variant: util.GitHubVariant,
@@ -365,76 +367,73 @@ export async function getCodeQLSource(
     };
   }
 
-  const forceLatestReason =
-    // We use the special value of 'latest' to prioritize the version in the
-    // defaults over any pinned cached version.
-    toolsInput === "latest"
-      ? '"tools: latest" was requested'
-      : // If the user hasn't requested a particular CodeQL version, then bypass
-      // the toolcache when the appropriate feature is enabled. This
-      // allows us to quickly rollback a broken bundle that has made its way
-      // into the toolcache.
-      toolsInput === undefined && bypassToolcache
-      ? "a specific version of the CodeQL tools was not requested and the bypass toolcache feature is enabled"
-      : undefined;
-  const forceLatest = forceLatestReason !== undefined;
-  if (forceLatest) {
-    logger.debug(
-      `Forcing the latest version of the CodeQL tools since ${forceLatestReason}.`
+  /**
+   * Whether the tools shipped with the Action, i.e. those in `defaults.json`, have been forced.
+   *
+   * We use the special value of 'latest' to prioritize the version in `defaults.json` over the
+   * version specified by the feature flags on Dotcom and over any pinned cached version on
+   * Enterprise Server.
+   */
+  const forceShippedTools = toolsInput === "latest";
+  if (forceShippedTools) {
+    logger.info(
+      "Overriding the version of the CodeQL tools by the version shipped with the Action since " +
+        `"tools: latest" was requested.`
     );
   }
 
+  /** CLI version number, for example 2.12.1. */
+  let cliVersion: string | undefined;
+  /** Tag name of the CodeQL bundle, for example `codeql-bundle-20230120`. */
+  let tagName: string | undefined;
   /**
-   * The requested version is:
-   * 
-   * 1. The one in `defaults.json`, if forceLatest is true.
-   * 2. The version specified by the tools input URL, if one was provided.
-   * 3. The default CLI version, otherwise.
-  
-   * We include a `variant` property to let us verify using the type system that
-   * `tagName` is only undefined when the variant is Dotcom. This lets us ensure
-   * that we can always compute `tagName`, either by using the existing tag name
-   * on enterprise instances, or calling `findCodeQLBundleTagDotcomOnly` on
-   * Dotcom.
+   * URL of the CodeQL bundle.
+   *
+   * This does not always include a tag name.
    */
-  const requestedVersion = forceLatest
-    ? // case 1
-      {
-        cliVersion: defaults.cliVersion,
-        syntheticCliVersion: defaults.cliVersion,
-        tagName: defaults.bundleVersion,
-        variant,
-      }
-    : toolsInput !== undefined
-    ? // case 2
-      {
-        syntheticCliVersion: convertToSemVer(
-          getBundleVersionFromUrl(toolsInput),
-          logger
-        ),
-        tagName: `codeql-bundle-${getBundleVersionFromUrl(toolsInput)}`,
-        url: toolsInput,
-        variant,
-      }
-    : // case 3
-      {
-        ...defaultCliVersion,
-        syntheticCliVersion: defaultCliVersion.cliVersion,
-      };
+  let url: string | undefined;
 
-  // If we find the specified version, we always use that.
-  let codeqlFolder = toolcache.find(
-    "CodeQL",
-    requestedVersion.syntheticCliVersion
+  if (forceShippedTools) {
+    cliVersion = defaults.cliVersion;
+    tagName = defaults.bundleVersion;
+  } else if (toolsInput !== undefined) {
+    // If a tools URL was provided, then use that.
+    tagName = tryGetTagNameFromUrl(toolsInput, logger);
+    url = toolsInput;
+  } else {
+    // Otherwise, use the default CLI version passed in.
+    cliVersion = defaultCliVersion.cliVersion;
+    tagName = defaultCliVersion["tagName"];
+  }
+
+  const bundleVersion =
+    tagName && tryGetBundleVersionFromTagName(tagName, logger);
+  const humanReadableVersion =
+    cliVersion ??
+    (bundleVersion && convertToSemVer(bundleVersion, logger)) ??
+    tagName ??
+    url ??
+    "unknown";
+
+  logger.debug(
+    "Attempting to obtain CodeQL tools. " +
+      `CLI version: ${cliVersion ?? "unknown"}, ` +
+      `bundle tag name: ${tagName ?? "unknown"}, ` +
+      `URL: ${url ?? "unspecified"}.`
   );
-  let tagName: string | undefined = requestedVersion["tagName"];
 
-  if (!codeqlFolder) {
-    logger.debug(
-      "Didn't find a version of the CodeQL tools in the toolcache with a version number " +
-        `exactly matching ${requestedVersion.syntheticCliVersion}.`
-    );
-    if (requestedVersion.cliVersion) {
+  let codeqlFolder;
+
+  if (cliVersion) {
+    // If we find the specified CLI version, we always use that.
+    codeqlFolder = toolcache.find("CodeQL", cliVersion);
+
+    // Fall back to matching `x.y.z-<tagName>`.
+    if (!codeqlFolder) {
+      logger.debug(
+        "Didn't find a version of the CodeQL tools in the toolcache with a version number " +
+          `exactly matching ${cliVersion}.`
+      );
       const allVersions = toolcache.findAllVersions("CodeQL");
       logger.debug(
         `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify(
@@ -444,55 +443,82 @@ export async function getCodeQLSource(
       // If there is exactly one version of the CodeQL tools in the toolcache, and that version is
       // the form `x.y.z-<tagName>`, then use it.
       const candidateVersions = allVersions.filter((version) =>
-        version.startsWith(`${requestedVersion.cliVersion}-`)
+        version.startsWith(`${cliVersion}-`)
       );
       if (candidateVersions.length === 1) {
-        logger.debug("Exactly one candidate version found, using that.");
-        codeqlFolder = toolcache.find("CodeQL", candidateVersions[0]);
-      } else {
         logger.debug(
-          "Did not find exactly one version of the CodeQL tools starting with the requested version."
+          `Exactly one version of the CodeQL tools starting with ${cliVersion} found in the ` +
+            "toolcache, using that."
         );
+        codeqlFolder = toolcache.find("CodeQL", candidateVersions[0]);
+      } else if (candidateVersions.length === 0) {
+        logger.debug(
+          `Didn't find any versions of the CodeQL tools starting with ${cliVersion} ` +
+            `in the toolcache. Trying next fallback method.`
+        );
+      } else {
+        logger.warning(
+          `Found ${candidateVersions.length} versions of the CodeQL tools starting with ` +
+            `${cliVersion} in the toolcache, but at most one was expected.`
+        );
+        logger.debug("Trying next fallback method.");
       }
     }
   }
 
-  if (!codeqlFolder && requestedVersion.cliVersion) {
-    // Fall back to accepting a `0.0.0-<bundleVersion>` version if we didn't find the
-    // `x.y.z` version. This is to support old versions of the toolcache.
-    //
-    // If we are on Dotcom, we will make an HTTP request to the Releases API here
-    // to find the tag name for the requested version.
-    tagName =
-      tagName || (await getOrFindBundleTagName(requestedVersion, logger));
-    const fallbackVersion = convertToSemVer(
-      getBundleVersionFromTagName(tagName),
-      logger
+  // Fall back to matching `0.0.0-<bundleVersion>`.
+  if (!codeqlFolder && (cliVersion || tagName)) {
+    if (cliVersion || tagName) {
+      const fallbackVersion = await tryGetFallbackToolcacheVersion(
+        cliVersion,
+        tagName,
+        variant,
+        logger
+      );
+      if (fallbackVersion) {
+        codeqlFolder = toolcache.find("CodeQL", fallbackVersion);
+      } else {
+        logger.debug(
+          "Could not determine a fallback toolcache version number for CodeQL tools version " +
+            `${humanReadableVersion}.`
+        );
+      }
+    } else {
+      logger.debug(
+        "Both the CLI version and the bundle version are unknown, so we will not be able to find " +
+          "the requested version of the CodeQL tools in the toolcache."
+      );
+    }
+  }
+
+  if (codeqlFolder) {
+    logger.info(
+      `Found CodeQL tools version ${humanReadableVersion} in the toolcache.`
     );
-    logger.debug(
-      `Computed a fallback toolcache version number of ${fallbackVersion} for CodeQL tools version ` +
-        `${requestedVersion.cliVersion}.`
+  } else {
+    logger.info(
+      `Did not find CodeQL tools version ${humanReadableVersion} in the toolcache.`
     );
-    codeqlFolder = toolcache.find("CodeQL", fallbackVersion);
   }
 
   if (codeqlFolder) {
     return {
       codeqlFolder,
       sourceType: "toolcache",
-      toolsVersion: requestedVersion.syntheticCliVersion,
+      toolsVersion: cliVersion ?? humanReadableVersion,
     };
   }
-  logger.debug(
-    `Did not find CodeQL tools version ${requestedVersion.syntheticCliVersion} in the toolcache.`
-  );
 
   // If we don't find the requested version on Enterprise, we may allow a
   // different version to save download time if the version hasn't been
   // specified explicitly (in which case we always honor it).
-  if (variant !== util.GitHubVariant.DOTCOM && !forceLatest && !toolsInput) {
+  if (
+    variant !== util.GitHubVariant.DOTCOM &&
+    !forceShippedTools &&
+    !toolsInput
+  ) {
     const result = await findOverridingToolsInCache(
-      requestedVersion.syntheticCliVersion,
+      humanReadableVersion,
       logger
     );
     if (result !== undefined) {
@@ -500,30 +526,66 @@ export async function getCodeQLSource(
     }
   }
 
+  if (!url) {
+    if (!tagName && cliVersion && variant === util.GitHubVariant.DOTCOM) {
+      tagName = await findCodeQLBundleTagDotcomOnly(cliVersion, logger);
+    } else if (!tagName) {
+      throw new Error(
+        `Could not obtain the requested version (${humanReadableVersion}) of the CodeQL tools ` +
+          "since we could not compute the tag name."
+      );
+    }
+    url = await getCodeQLBundleDownloadURL(
+      tagName,
+      apiDetails,
+      variant,
+      logger
+    );
+  }
+
   return {
-    cliVersion: requestedVersion.cliVersion || undefined,
-    codeqlURL:
-      requestedVersion["url"] ||
-      (await getCodeQLBundleDownloadURL(
-        tagName ||
-          // The check on `requestedVersion.tagName` is redundant but lets us
-          // use the property that if we don't know `requestedVersion.tagName`,
-          // then we must know `requestedVersion.cliVersion`. This property is
-          // required by the type of `getOrFindBundleTagName`.
-          (requestedVersion.tagName !== undefined
-            ? requestedVersion.tagName
-            : await getOrFindBundleTagName(requestedVersion, logger)),
-        apiDetails,
-        variant,
-        logger
-      )),
+    bundleVersion: tagName && tryGetBundleVersionFromTagName(tagName, logger),
+    cliVersion,
+    codeqlURL: url,
     sourceType: "download",
-    toolsVersion: requestedVersion.syntheticCliVersion,
+    toolsVersion: cliVersion ?? humanReadableVersion,
   };
 }
 
+/**
+ * Gets a fallback version number to use when looking for CodeQL in the toolcache if we didn't find
+ * the `x.y.z` version. This is to support old versions of the toolcache.
+ */
+export async function tryGetFallbackToolcacheVersion(
+  cliVersion: string | undefined,
+  tagName: string | undefined,
+  variant: util.GitHubVariant,
+  logger: Logger
+): Promise<string | undefined> {
+  //
+  // If we are on Dotcom, we will make an HTTP request to the Releases API here
+  // to find the tag name for the requested version.
+  if (cliVersion && !tagName && variant === util.GitHubVariant.DOTCOM) {
+    tagName = await findCodeQLBundleTagDotcomOnly(cliVersion, logger);
+  }
+  if (!tagName) {
+    return undefined;
+  }
+  const bundleVersion = tryGetBundleVersionFromTagName(tagName, logger);
+  if (!bundleVersion) {
+    return undefined;
+  }
+  const fallbackVersion = convertToSemVer(bundleVersion, logger);
+  logger.debug(
+    `Computed a fallback toolcache version number of ${fallbackVersion} for CodeQL version ` +
+      `${cliVersion ?? tagName}.`
+  );
+  return fallbackVersion;
+}
+
 export async function downloadCodeQL(
   codeqlURL: string,
+  maybeBundleVersion: string | undefined,
   maybeCliVersion: string | undefined,
   apiDetails: api.GitHubApiDetails,
   variant: util.GitHubVariant,
@@ -577,16 +639,33 @@ export async function downloadCodeQL(
 
   const codeqlExtracted = await toolcache.extractTar(codeqlPath);
 
-  const bundleVersion = getBundleVersionFromUrl(codeqlURL);
+  const bundleVersion =
+    maybeBundleVersion ?? tryGetBundleVersionFromUrl(codeqlURL, logger);
+
+  if (bundleVersion === undefined) {
+    logger.debug(
+      "Could not cache CodeQL tools because we could not determine the bundle version from the " +
+        `URL ${codeqlURL}.`
+    );
+    return {
+      toolsVersion: maybeCliVersion ?? "unknown",
+      codeqlFolder: codeqlExtracted,
+      toolsDownloadDurationMs,
+    };
+  }
+
   // Try to compute the CLI version for this bundle
-  const cliVersion: string | undefined =
-    maybeCliVersion ||
-    (variant === util.GitHubVariant.DOTCOM &&
-      (await tryFindCliVersionDotcomOnly(
-        `codeql-bundle-${bundleVersion}`,
-        logger
-      ))) ||
-    undefined;
+  if (
+    maybeCliVersion === undefined &&
+    variant === util.GitHubVariant.DOTCOM &&
+    codeqlURL.includes(`/${CODEQL_DEFAULT_ACTION_REPOSITORY}/`)
+  ) {
+    maybeCliVersion = await tryFindCliVersionDotcomOnly(
+      `codeql-bundle-${bundleVersion}`,
+      logger
+    );
+  }
+
   // Include both the CLI version and the bundle version in the toolcache version number. That way
   // if the user requests the same URL again, we can get it from the cache without having to call
   // any of the Releases API.
@@ -596,12 +675,11 @@ export async function downloadCodeQL(
   // CLI release. In principle, it should be enough to just check that the CLI version isn't a
   // pre-release, but the version numbers of CodeQL nightlies have the format `x.y.z+<timestamp>`,
   // and we don't want these nightlies to override stable CLI versions in the toolcache.
-  const toolcacheVersion =
-    cliVersion && cliVersion.match(/^[0-9]+\.[0-9]+\.[0-9]+$/)
-      ? `${cliVersion}-${bundleVersion}`
-      : convertToSemVer(bundleVersion, logger);
+  const toolcacheVersion = maybeCliVersion?.match(/^[0-9]+\.[0-9]+\.[0-9]+$/)
+    ? `${maybeCliVersion}-${bundleVersion}`
+    : convertToSemVer(bundleVersion, logger);
   return {
-    toolsVersion: cliVersion || toolcacheVersion,
+    toolsVersion: maybeCliVersion ?? toolcacheVersion,
     codeqlFolder: await toolcache.cacheDir(
       codeqlExtracted,
       "CodeQL",
@@ -628,7 +706,6 @@ export function getCodeQLURLVersion(url: string): string {
  * @param apiDetails
  * @param tempDir
  * @param variant
- * @param bypassToolcache
  * @param defaultCliVersion
  * @param logger
  * @param checkVersion Whether to check that CodeQL CLI meets the minimum
@@ -640,7 +717,6 @@ export async function setupCodeQLBundle(
   apiDetails: api.GitHubApiDetails,
   tempDir: string,
   variant: util.GitHubVariant,
-  bypassToolcache: boolean,
   defaultCliVersion: CodeQLDefaultVersionInfo,
   logger: Logger
 ): Promise<{
@@ -651,7 +727,6 @@ export async function setupCodeQLBundle(
 }> {
   const source = await getCodeQLSource(
     toolsInput,
-    bypassToolcache,
     defaultCliVersion,
     apiDetails,
     variant,
@@ -675,6 +750,7 @@ export async function setupCodeQLBundle(
     case "download": {
       const result = await downloadCodeQL(
         source.codeqlURL,
+        source.bundleVersion,
         source.cliVersion,
         apiDetails,
         variant,

src/upload-lib.ts

@@ -416,7 +416,8 @@ export async function waitForProcessing(
         statusCheckingStarted + STATUS_CHECK_TIMEOUT_MILLISECONDS
       ) {
         // If the analysis hasn't finished processing in the allotted time, we continue anyway rather than failing.
-        // It's possible the analysis will eventually finish processing, but it's not worth spending more Actions time waiting.
+        // It's possible the analysis will eventually finish processing, but it's not worth spending more
+        // Actions time waiting.
         logger.warning(
           "Timed out waiting for analysis to finish processing. Continuing."
         );
@@ -462,7 +463,9 @@ export async function waitForProcessing(
         util.assertNever(status);
       }
 
-      await util.delay(STATUS_CHECK_FREQUENCY_MILLISECONDS);
+      await util.delay(STATUS_CHECK_FREQUENCY_MILLISECONDS, {
+        allowProcessExit: false,
+      });
     }
   } finally {
     logger.endGroup();

src/util.test.ts

@@ -8,14 +8,8 @@ import * as sinon from "sinon";
 
 import * as api from "./api-client";
 import { Config } from "./config-utils";
-import { Feature } from "./feature-flags";
 import { getRunnerLogger } from "./logging";
-import { parseRepositoryNwo } from "./repository";
-import {
-  createFeatures,
-  mockLanguagesInRepo,
-  setupTests,
-} from "./testing-utils";
+import { setupTests } from "./testing-utils";
 import * as util from "./util";
 
 setupTests(test);
@@ -398,123 +392,3 @@ test("withTimeout doesn't call callback if promise resolves", async (t) => {
   t.deepEqual(shortTaskTimedOut, false);
   t.deepEqual(result, 99);
 });
-
-const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
-// eslint-disable-next-line github/array-foreach
-[
-  {
-    name: "disabled",
-    features: [],
-    hasCustomCodeQL: false,
-    languagesInput: undefined,
-    languagesInRepository: [],
-    expected: false,
-    expectedApiCall: false,
-  },
-  {
-    name: "disabled even though swift kotlin bypassed",
-    features: [Feature.BypassToolcacheKotlinSwiftEnabled],
-    hasCustomCodeQL: false,
-    languagesInput: undefined,
-    languagesInRepository: [],
-    expected: false,
-    expectedApiCall: true,
-  },
-  {
-    name: "disabled even though swift kotlin analyzed",
-    features: [],
-    hasCustomCodeQL: false,
-    languagesInput: " sWiFt , KoTlIn ",
-    languagesInRepository: [],
-    expected: false,
-    expectedApiCall: false,
-  },
-  {
-    name: "toolcache bypass all",
-    features: [Feature.BypassToolcacheEnabled],
-    hasCustomCodeQL: false,
-    languagesInput: undefined,
-    languagesInRepository: [],
-    expected: true,
-    expectedApiCall: false,
-  },
-  {
-    name: "custom CodeQL",
-    features: [],
-    hasCustomCodeQL: true,
-    languagesInput: undefined,
-    languagesInRepository: [],
-    expected: true,
-    expectedApiCall: false,
-  },
-  {
-    name: "bypass swift",
-    features: [Feature.BypassToolcacheKotlinSwiftEnabled],
-    hasCustomCodeQL: false,
-    languagesInput: " sWiFt ,other",
-    languagesInRepository: [],
-    expected: true,
-    expectedApiCall: false,
-  },
-  {
-    name: "bypass kotlin",
-    features: [Feature.BypassToolcacheKotlinSwiftEnabled],
-    hasCustomCodeQL: false,
-    languagesInput: "other, KoTlIn ",
-    languagesInRepository: [],
-    expected: true,
-    expectedApiCall: false,
-  },
-  {
-    name: "bypass kotlin language from repository",
-    features: [Feature.BypassToolcacheKotlinSwiftEnabled],
-    hasCustomCodeQL: false,
-    languagesInput: "",
-    languagesInRepository: ["KoTlIn", "other"],
-    expected: true,
-    expectedApiCall: true,
-  },
-  {
-    name: "bypass swift language from repository",
-    features: [Feature.BypassToolcacheKotlinSwiftEnabled],
-    hasCustomCodeQL: false,
-    languagesInput: "",
-    languagesInRepository: ["SwiFt", "other"],
-    expected: true,
-    expectedApiCall: true,
-  },
-  {
-    name: "bypass java from input if there is kotlin in repository",
-    features: [Feature.BypassToolcacheKotlinSwiftEnabled],
-    hasCustomCodeQL: false,
-    languagesInput: "java",
-    languagesInRepository: ["kotlin", "other"],
-    expected: true,
-    expectedApiCall: true,
-  },
-  {
-    name: "don't bypass java from input if there is no kotlin in repository",
-    features: [Feature.BypassToolcacheKotlinSwiftEnabled],
-    hasCustomCodeQL: false,
-    languagesInput: "java",
-    languagesInRepository: ["java", "other"],
-    expected: false,
-    expectedApiCall: true,
-  },
-].forEach((args) => {
-  test(`shouldBypassToolcache: ${args.name}`, async (t) => {
-    const mockRequest = mockLanguagesInRepo(args.languagesInRepository);
-    const mockLogger = getRunnerLogger(true);
-    const featureEnablement = createFeatures(args.features);
-    const codeqlUrl = args.hasCustomCodeQL ? "custom-codeql-url" : undefined;
-    const actual = await util.shouldBypassToolcache(
-      featureEnablement,
-      codeqlUrl,
-      args.languagesInput,
-      mockRepositoryNwo,
-      mockLogger
-    );
-    t.deepEqual(actual, args.expected);
-    t.deepEqual(mockRequest.called, args.expectedApiCall);
-  });
-});

src/util.ts

@@ -13,15 +13,12 @@ import * as apiCompatibility from "./api-compatibility.json";
 import { CodeQL, CODEQL_VERSION_NEW_TRACING } from "./codeql";
 import {
   Config,
-  getLanguagesInRepo,
-  getRawLanguages,
   parsePacksSpecification,
   prettyPrintPack,
 } from "./config-utils";
 import { Feature, FeatureEnablement } from "./feature-flags";
-import { KOTLIN_SWIFT_BYPASS, Language } from "./languages";
+import { Language } from "./languages";
 import { Logger } from "./logging";
-import { RepositoryNwo } from "./repository";
 import { CODEQL_ACTION_TEST_MODE } from "./shared-environment";
 
 /**
@@ -551,16 +548,38 @@ export async function bundleDb(
   return databaseBundlePath;
 }
 
-export async function delay(milliseconds: number) {
-  // Immediately `unref` the timer such that it only prevents the process from exiting if the
-  // surrounding promise is being awaited.
-  return new Promise((resolve) => setTimeout(resolve, milliseconds).unref());
+/**
+ * @param milliseconds time to delay
+ * @param opts options
+ * @param opts.allowProcessExit if true, the timer will not prevent the process from exiting
+ */
+export async function delay(
+  milliseconds: number,
+  { allowProcessExit }: { allowProcessExit: boolean }
+) {
+  return new Promise((resolve) => {
+    const timer = setTimeout(resolve, milliseconds);
+    if (allowProcessExit) {
+      // Immediately `unref` the timer such that it only prevents the process from exiting if the
+      // surrounding promise is being awaited.
+      timer.unref();
+    }
+  });
 }
 
 export function isGoodVersion(versionSpec: string) {
   return !BROKEN_VERSIONS.includes(versionSpec);
 }
 
+/**
+ * Checks whether the CodeQL CLI supports the `--expect-discarded-cache` command-line flag.
+ */
+export async function supportExpectDiscardedCache(
+  codeQL: CodeQL
+): Promise<boolean> {
+  return codeQlVersionAbove(codeQL, "2.12.1");
+}
+
 export const ML_POWERED_JS_QUERIES_PACK_NAME =
   "codeql/javascript-experimental-atm-queries";
 
@@ -751,7 +770,7 @@ export async function withTimeout<T>(
     return result;
   };
   const timeoutTask = async () => {
-    await delay(timeoutMs);
+    await delay(timeoutMs, { allowProcessExit: true });
     if (!finished) {
       // Workaround: While the promise racing below will allow the main code
       // to continue, the process won't normally exit until the asynchronous
@@ -776,7 +795,7 @@ export async function checkForTimeout() {
     core.info(
       "A timeout occurred, force exiting the process after 30 seconds to prevent hanging."
     );
-    await delay(30_000);
+    await delay(30_000, { allowProcessExit: true });
     process.exit();
   }
 }
@@ -802,63 +821,6 @@ export function isHostedRunner() {
   );
 }
 
-/**
- *
- * @param featuresEnablement The features enabled for the current run
- * @param languagesInput Languages input from the workflow
- * @param repository The owner/name of the repository
- * @param logger A logger
- * @returns A boolean indicating whether or not the toolcache should be bypassed and the latest codeql should be downloaded.
- */
-export async function shouldBypassToolcache(
-  featuresEnablement: FeatureEnablement,
-  codeqlUrl: string | undefined,
-  languagesInput: string | undefined,
-  repository: RepositoryNwo,
-  logger: Logger
-): Promise<boolean> {
-  // An explicit codeql url is specified, that means the toolcache will not be used.
-  if (codeqlUrl) {
-    return true;
-  }
-
-  // Check if the toolcache is disabled for all languages
-  if (await featuresEnablement.getValue(Feature.BypassToolcacheEnabled)) {
-    return true;
-  }
-
-  // Check if the toolcache is disabled for kotlin and swift.
-  if (
-    !(await featuresEnablement.getValue(
-      Feature.BypassToolcacheKotlinSwiftEnabled
-    ))
-  ) {
-    return false;
-  }
-
-  // Now check to see if kotlin or swift is one of the languages being analyzed.
-  const { rawLanguages, autodetected } = await getRawLanguages(
-    languagesInput,
-    repository,
-    logger
-  );
-  let bypass = rawLanguages.some((lang) => KOTLIN_SWIFT_BYPASS.includes(lang));
-  if (bypass) {
-    logger.info(
-      `Bypassing toolcache for kotlin or swift. Languages: ${rawLanguages}`
-    );
-  } else if (!autodetected && rawLanguages.includes(Language.java)) {
-    // special case: java was explicitly specified, but there might be
-    // some kotlin in the repository, so we need to make a request for that.
-    const langsInRepo = await getLanguagesInRepo(repository, logger);
-    if (langsInRepo.includes("kotlin")) {
-      logger.info(`Bypassing toolcache for kotlin.`);
-      bypass = true;
-    }
-  }
-  return bypass;
-}
-
 export function parseMatrixInput(
   matrixInput: string | undefined
 ): { [key: string]: string } | undefined {