Merge pull request #1634 from github/update-v2.2.10-66aeadb4c

Merge main into releases/v2

.github/actions/query-filter-test/action.yml

@@ -44,7 +44,7 @@ runs:
       env:
         CODEQL_ACTION_TEST_MODE: "true"
     - name: Check SARIF
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file:  ${{ inputs.sarif-file }}
         queries-run: ${{ inputs.queries-run}}

.github/actions/update-bundle/action.yml

@@ -0,0 +1,14 @@
+name: Update default CodeQL bundle
+description: Updates 'src/defaults.json' to point to a new CodeQL bundle release.
+
+runs:
+  using: composite
+  steps:
+    - name: Install ts-node
+      shell: bash
+      run: npm install -g ts-node
+
+    - name: Run update script
+      working-directory: ${{ github.action_path }}
+      shell: bash
+      run: ts-node ./index.ts

.github/actions/update-bundle/index.ts

@@ -0,0 +1,69 @@
+import * as fs from 'fs';
+import * as github from '@actions/github';
+
+interface BundleInfo {
+  bundleVersion: string;
+  cliVersion: string;
+}
+
+interface Defaults {
+  bundleVersion: string;
+  cliVersion: string;
+  priorBundleVersion: string;
+  priorCliVersion: string;
+}
+
+const CODEQL_BUNDLE_PREFIX = 'codeql-bundle-';
+
+function getCodeQLCliVersionForRelease(release): string {
+  // We do not currently tag CodeQL bundles based on the CLI version they contain.
+  // Instead, we use a marker file `cli-version-<version>.txt` to record the CLI version.
+  // This marker file is uploaded as a release asset for all new CodeQL bundles.
+  const cliVersionsFromMarkerFiles = release.assets
+  .map((asset) => asset.name.match(/cli-version-(.*)\.txt/)?.[1])
+  .filter((v) => v)
+  .map((v) => v as string);
+  if (cliVersionsFromMarkerFiles.length > 1) {
+    throw new Error(
+      `Release ${release.tag_name} has multiple CLI version marker files.`
+      );
+    } else if (cliVersionsFromMarkerFiles.length === 0) {
+      throw new Error(
+        `Failed to find the CodeQL CLI version for release ${release.tag_name}.`
+        );
+      }
+      return cliVersionsFromMarkerFiles[0];
+    }
+
+    async function getBundleInfoFromRelease(release): Promise<BundleInfo> {
+      return {
+        bundleVersion: release.tag_name.substring(CODEQL_BUNDLE_PREFIX.length),
+        cliVersion: getCodeQLCliVersionForRelease(release)
+      };
+    }
+
+    async function getNewDefaults(currentDefaults: Defaults): Promise<Defaults> {
+      const release = github.context.payload.release;
+      console.log('Updating default bundle as a result of the following release: ' +
+      `${JSON.stringify(release)}.`)
+
+      const bundleInfo = await getBundleInfoFromRelease(release);
+      return {
+        bundleVersion: bundleInfo.bundleVersion,
+        cliVersion: bundleInfo.cliVersion,
+        priorBundleVersion: currentDefaults.bundleVersion,
+        priorCliVersion: currentDefaults.cliVersion
+      };
+    }
+
+    async function main() {
+      const previousDefaults: Defaults = JSON.parse(fs.readFileSync('../../../src/defaults.json', 'utf8'));
+      const newDefaults = await getNewDefaults(previousDefaults);
+      // Update the source file in the repository. Calling workflows should subsequently rebuild
+      // the Action to update `lib/defaults.json`.
+      fs.writeFileSync('../../../src/defaults.json', JSON.stringify(newDefaults, null, 2) + "\n");
+    }
+
+    // Ideally, we'd await main() here, but that doesn't work well with `ts-node`.
+    // So instead we rely on the fact that Node won't exit until the event loop is empty.
+    main();

.github/dependabot.yml

@@ -16,6 +16,6 @@ updates:
     schedule:
       interval: weekly
   - package-ecosystem: github-actions
-    directory: "/.github/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
     schedule:
       interval: weekly

.github/workflows/__analyze-ref-input.yml

@@ -69,7 +69,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go

.github/workflows/__autobuild-action.yml

@@ -39,7 +39,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init

.github/workflows/__config-export.yml

@@ -45,7 +45,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init

.github/workflows/__diagnostics-export.yml

@@ -25,6 +25,12 @@ jobs:
     strategy:
       matrix:
         include:
+        - os: ubuntu-latest
+          version: stable-20230317
+        - os: macos-latest
+          version: stable-20230317
+        - os: windows-latest
+          version: stable-20230317
         - os: ubuntu-latest
           version: latest
         - os: macos-latest
@@ -45,7 +51,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init

.github/workflows/__export-file-baseline-information.yml

@@ -39,7 +39,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
@@ -49,7 +49,7 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
       env:
         CODEQL_FILE_BASELINE_INFORMATION: true
-    - uses: ./../action/.github/setup-swift
+    - uses: ./../action/.github/actions/setup-swift
       with:
         codeql-path: ${{steps.init.outputs.codeql-path}}
     - name: Build code

.github/workflows/__extractor-ram-threads.yml

@@ -35,7 +35,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init

.github/workflows/__go-custom-queries.yml

@@ -69,7 +69,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go

.github/workflows/__go-tracing-autobuilder.yml

@@ -57,7 +57,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -57,7 +57,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -57,7 +57,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go

.github/workflows/__init-with-registries.yml

@@ -51,7 +51,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Init with registries
@@ -69,8 +69,8 @@ jobs:
     - name: Verify packages installed
       shell: bash
       run: |
-        PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
-        CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
+        PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
+        CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
 
         if [[ -d $PRIVATE_PACK ]]
         then
@@ -117,5 +117,9 @@ jobs:
             cat $QLCONFIG_PATH
             exit 1
         fi
+    permissions:
+      contents: read
+      packages: read
+
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__javascript-source-root.yml

@@ -39,7 +39,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Move codeql-action

.github/workflows/__ml-powered-queries.yml

@@ -57,7 +57,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
@@ -85,7 +85,7 @@ jobs:
         retention-days: 7
 
     - name: Check sarif
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
     # Running on Windows requires CodeQL CLI 2.9.0+.
       if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
       with:

.github/workflows/__multi-language-autodetect.yml

@@ -57,7 +57,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
@@ -71,7 +71,7 @@ jobs:
         db-location: ${{ runner.temp }}/customDbLocation
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-    - uses: ./../action/.github/setup-swift
+    - uses: ./../action/.github/actions/setup-swift
       with:
         codeql-path: ${{steps.init.outputs.codeql-path}}
 

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -51,13 +51,13 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging3.yml
-        packs: +dsp-testing/codeql-pack1@1.0.0
+        packs: +codeql-testing/codeql-pack1@1.0.0
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - name: Build code
@@ -69,7 +69,7 @@ jobs:
         upload-database: false
 
     - name: Check results
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

.github/workflows/__packaging-config-inputs-js.yml

@@ -51,13 +51,13 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging3.yml
-        packs: +dsp-testing/codeql-pack1@1.0.0
+        packs: +codeql-testing/codeql-pack1@1.0.0
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - name: Build code
@@ -69,7 +69,7 @@ jobs:
         upload-database: false
 
     - name: Check results
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

.github/workflows/__packaging-config-js.yml

@@ -51,7 +51,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
@@ -68,7 +68,7 @@ jobs:
         upload-database: false
 
     - name: Check results
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

.github/workflows/__packaging-inputs-js.yml

@@ -51,14 +51,14 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging2.yml
         languages: javascript
-        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
+        packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - name: Build code
       shell: bash
@@ -68,7 +68,7 @@ jobs:
         output: ${{ runner.temp }}/results
 
     - name: Check results
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

.github/workflows/__remote-config.yml

@@ -69,7 +69,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go

.github/workflows/__rubocop-multi-language.yml

@@ -35,7 +35,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Ruby

.github/workflows/__ruby.yml

@@ -45,7 +45,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init

.github/workflows/__split-workflow.yml

@@ -45,13 +45,13 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging3.yml
-        packs: +dsp-testing/codeql-pack1@1.0.0
+        packs: +codeql-testing/codeql-pack1@1.0.0
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - name: Build code

.github/workflows/__submit-sarif-failure.yml

@@ -39,7 +39,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: actions/checkout@v3

.github/workflows/__swift-custom-build.yml

@@ -45,7 +45,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
@@ -53,7 +53,7 @@ jobs:
       with:
         languages: swift
         tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/.github/setup-swift
+    - uses: ./../action/.github/actions/setup-swift
       with:
         codeql-path: ${{steps.init.outputs.codeql-path}}
     - name: Check working directory

.github/workflows/__test-autobuild-working-dir.yml

@@ -35,7 +35,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Test setup

.github/workflows/__test-local-codeql.yml

@@ -35,7 +35,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Fetch a CodeQL bundle

.github/workflows/__test-proxy.yml

@@ -35,7 +35,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init

.github/workflows/__unset-environment.yml

@@ -45,7 +45,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go

.github/workflows/__upload-ref-sha-input.yml

@@ -69,7 +69,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go

.github/workflows/__with-checkout-path.yml

@@ -69,7 +69,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go

.github/workflows/codescanning-config-cli.yml

@@ -47,12 +47,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
 
     - name: Empty file
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: "{}"
         languages: javascript
@@ -60,31 +60,31 @@ jobs:
 
     - name: Packs from input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
-            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
           }
         languages: javascript
-        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
+        packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Packs from input with +
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
-            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
           }
         languages: javascript
-        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
+        packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Queries from input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -96,7 +96,7 @@ jobs:
 
     - name: Queries from input with +
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -108,27 +108,27 @@ jobs:
 
     - name: Queries and packs from input with +
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
-            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
           }
         languages: javascript
         queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
-        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
+        packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Queries and packs from config
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }],
             "packs": {
-              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
             }
           }
         languages: javascript
@@ -137,7 +137,7 @@ jobs:
 
     - name: Queries and packs from config overriden by input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -152,7 +152,7 @@ jobs:
 
     - name: Queries and packs from config merging with input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -161,7 +161,7 @@ jobs:
               { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
             ],
             "packs": {
-              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2", "codeql/javascript-queries" ]
+              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
             }
           }
         languages: javascript
@@ -172,12 +172,12 @@ jobs:
 
     - name: Multi-language packs from config
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "packs": {
-              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ],
+              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ],
               "ruby": ["codeql/ruby-queries"]
             },
             "queries": [
@@ -190,7 +190,7 @@ jobs:
 
     - name: Other config properties
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -209,7 +209,7 @@ jobs:
       if: success() || failure()
       env:
         CODEQL_PASS_CONFIG_TO_CLI: false
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: ""
         languages: javascript

.github/workflows/debug-artifacts-failure.yml

@@ -36,7 +36,7 @@ jobs:
         uses: actions/checkout@v3
       - name: Prepare test
         id: prepare-test
-        uses: ./.github/prepare-test
+        uses: ./.github/actions/prepare-test
         with:
           version: latest
       - uses: actions/setup-go@v4

.github/workflows/debug-artifacts.yml

@@ -56,7 +56,7 @@ jobs:
         uses: actions/checkout@v3
       - name: Prepare test
         id: prepare-test
-        uses: ./.github/prepare-test
+        uses: ./.github/actions/prepare-test
         with:
           version: ${{ matrix.version }}
       - uses: actions/setup-go@v4

.github/workflows/expected-queries-runs.yml

@@ -25,7 +25,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: latest
     - uses: ./../action/init
@@ -39,7 +39,7 @@ jobs:
         upload: never
 
     - name: Check Sarif
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/incomplete-hostname-regexp,js/path-injection

.github/workflows/query-filters.yml

@@ -23,12 +23,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: latest
 
     - name: Check SARIF for default queries with Single include, Single exclude
-      uses: ./../action/.github/query-filter-test
+      uses: ./../action/.github/actions/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip
@@ -37,7 +37,7 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Check SARIF for query packs with Single include, Single exclude
-      uses: ./../action/.github/query-filter-test
+      uses: ./../action/.github/actions/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip,javascript/example/empty-or-one-block
@@ -46,7 +46,7 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Check SARIF for query packs and local queries with Single include, Single exclude
-      uses: ./../action/.github/query-filter-test
+      uses: ./../action/.github/actions/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs

.github/workflows/update-bundle.yml

@@ -0,0 +1,82 @@
+name: Update default CodeQL bundle
+
+on:
+  release:
+    types: [prereleased]
+
+jobs:
+  update-bundle:
+    if: startsWith(github.event.release.tag_name, 'codeql-bundle-')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dump environment
+        run: env
+
+      - name: Dump GitHub context
+        env:
+          GITHUB_CONTEXT: '${{ toJson(github) }}'
+        run: echo "$GITHUB_CONTEXT"
+
+      - uses: actions/checkout@v3
+
+      - name: Update git config
+        run: |
+          git config --global user.email "github-actions@github.com"
+          git config --global user.name "github-actions[bot]"
+
+      - name: Update bundle
+        uses: ./.github/actions/update-bundle
+
+      - name: Rebuild Action
+        run: npm run build
+
+      - name: Commit and push changes
+        env:
+          RELEASE_TAG: "${{ github.event.release.tag_name }}"
+        run: |
+          git checkout -b "update-bundle/$RELEASE_TAG"
+          git commit -am "Update default bundle to $RELEASE_TAG"
+          git push --set-upstream origin "update-bundle/$RELEASE_TAG"
+
+      - name: Open pull request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+          pr_url=$(gh pr create \
+            --title "Update default bundle to $cli_version" \
+            --body "This pull request updates the default CodeQL bundle, as used with \`tools: latest\` and on GHES, to $cli_version." \
+            --assignee "$GITHUB_ACTOR" \
+            --draft \
+          )
+          echo "CLI_VERSION=$cli_version" | tee -a "$GITHUB_ENV"
+          echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"
+
+      - name: Create changelog note
+        shell: python
+        run: |
+          import os
+          import re
+
+          # Get the PR number from the PR URL.
+          pr_number = os.environ['PR_URL'].split('/')[-1]
+          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+          # Use perl to avoid having to escape the newline character.
+
+          with open('CHANGELOG.md', 'r') as f:
+              changelog = f.read()
+
+          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
+          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+          with open('CHANGELOG.md', 'w') as f:
+              f.write(changelog)
+
+      - name: Push changelog note
+        run: |
+          git commit -am "Add changelog note"
+          git push

CHANGELOG.md

@@ -1,8 +1,8 @@
 # CodeQL Action Changelog
 
-## [UNRELEASED]
+## 2.2.10 - 05 Apr 2023
 
-No user facing changes.
+- Update default CodeQL bundle version to 2.12.6. [#1629](https://github.com/github/codeql-action/pull/1629)
 
 ## 2.2.9 - 27 Mar 2023
 

lib/codeql.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.enrichEnvironment = exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
+exports.enrichEnvironment = exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED = exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
@@ -106,6 +106,11 @@ exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
  * Versions 2.12.4+ of the CodeQL CLI support the `--qlconfig-file` flag in calls to `database init`.
  */
 exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = "2.12.4";
+/**
+ * Versions 2.12.6+ of the CodeQL CLI fix a bug where duplicate notification objects could be produced,
+ * leading to an invalid SARIF output.
+ */
+exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED = "2.12.6";
 /**
  * Set up CodeQL CLI access.
  *
@@ -509,7 +514,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         },
         async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId, config, features, logger) {
             const shouldExportDiagnostics = await features.getValue(feature_flags_1.Feature.ExportDiagnosticsEnabled, this);
-            const codeqlOutputFile = shouldExportDiagnostics
+            const shouldWorkaroundInvalidNotifications = shouldExportDiagnostics &&
+                !(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED));
+            const codeqlOutputFile = shouldWorkaroundInvalidNotifications
                 ? path.join(config.tempDir, "codeql-intermediate-results.sarif")
                 : sarifFile;
             const codeqlArgs = [
@@ -546,7 +553,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             }
             // capture stdout, which contains analysis summaries
             const returnState = await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, codeqlArgs, error_matcher_1.errorMatchers);
-            if (shouldExportDiagnostics) {
+            if (shouldWorkaroundInvalidNotifications) {
                 util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
             }
             return returnState.stdout;
@@ -626,14 +633,17 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             await new toolrunner.ToolRunner(cmd, args).exec();
         },
         async databaseExportDiagnostics(databasePath, sarifFile, automationDetailsId, tempDir, logger) {
-            const intermediateSarifFile = path.join(tempDir, "codeql-intermediate-results.sarif");
+            const shouldWorkaroundInvalidNotifications = !(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED));
+            const codeqlOutputFile = shouldWorkaroundInvalidNotifications
+                ? path.join(tempDir, "codeql-intermediate-results.sarif")
+                : sarifFile;
             const args = [
                 "database",
                 "export-diagnostics",
                 `${databasePath}`,
                 "--db-cluster",
                 "--format=sarif-latest",
-                `--output=${intermediateSarifFile}`,
+                `--output=${codeqlOutputFile}`,
                 "--sarif-include-diagnostics",
                 "-vvv",
                 ...getExtraOptionsFromEnv(["diagnostics", "export"]),
@@ -642,8 +652,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 args.push("--sarif-category", automationDetailsId);
             }
             await new toolrunner.ToolRunner(cmd, args).exec();
-            // Fix invalid notifications in the SARIF file output by CodeQL.
-            util.fixInvalidNotificationsInFile(intermediateSarifFile, sarifFile, logger);
+            if (shouldWorkaroundInvalidNotifications) {
+                // Fix invalid notifications in the SARIF file output by CodeQL.
+                util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
+            }
         },
         async diagnosticsExport(sarifFile, automationDetailsId, config, features) {
             const args = [

lib/codeql.test.js

@@ -382,11 +382,11 @@ for (const isBundleVersionInUrl of [true, false]) {
             tagName: "codeql-bundle-20230203",
         });
         mockDownloadApi({
-            repo: "dsp-testing/codeql-cli-nightlies",
+            repo: "codeql-testing/codeql-cli-nightlies",
             platformSpecific: false,
             tagName: "codeql-bundle-20230203",
         });
-        const result = await codeql.setupCodeQL("https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
         t.is(result.toolsVersion, "0.0.0-20230203");
         t.is(result.toolsSource, init_1.ToolsSource.Download);
         t.true(Number.isInteger(result.toolsDownloadDurationMs));

lib/config-utils.test.js

@@ -1134,7 +1134,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
             {
                 // no slash
                 url: "http://ghcr.io",
-                packages: ["codeql/*", "dsp-testing/*"],
+                packages: ["codeql/*", "codeql-testing/*"],
                 token: "not-a-token",
             },
             {
@@ -1200,7 +1200,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
         const registriesInput = yaml.dump([
             {
                 url: "http://ghcr.io",
-                packages: ["codeql/*", "dsp-testing/*"],
+                packages: ["codeql/*", "codeql-testing/*"],
                 token: "not-a-token",
             },
             {
@@ -1227,7 +1227,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
         const registriesInput = yaml.dump([
             {
                 // missing url property
-                packages: ["codeql/*", "dsp-testing/*"],
+                packages: ["codeql/*", "codeql-testing/*"],
                 token: "not-a-token",
             },
             {
@@ -1252,7 +1252,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
             {
                 // no slash
                 url: "http://ghcr.io",
-                packages: ["codeql/*", "dsp-testing/*"],
+                packages: ["codeql/*", "codeql-testing/*"],
                 token: "not-a-token",
             },
         ]);
@@ -1283,7 +1283,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
         const registriesInput = yaml.dump([
             {
                 url: "http://ghcr.io",
-                packages: ["codeql/*", "dsp-testing/*"],
+                packages: ["codeql/*", "codeql-testing/*"],
                 token: "not-a-token",
             },
         ]);

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-20230317",
-    "cliVersion": "2.12.5",
-    "priorBundleVersion": "codeql-bundle-20230304",
-    "priorCliVersion": "2.12.4"
+    "bundleVersion": "codeql-bundle-20230403",
+    "cliVersion": "2.12.6",
+    "priorBundleVersion": "codeql-bundle-20230317",
+    "priorCliVersion": "2.12.5"
 }

lib/util.js

@@ -719,6 +719,9 @@ function fixInvalidNotifications(sarif, logger) {
         logger.info(`Removed ${numDuplicateLocationsRemoved} duplicate locations from SARIF notification ` +
             "objects.");
     }
+    else {
+        logger.debug("No duplicate locations found in SARIF notification objects.");
+    }
     return newSarif;
 }
 exports.fixInvalidNotifications = fixInvalidNotifications;

lib/util.test.js

@@ -363,7 +363,11 @@ const stubLocation = {
     const messages = [];
     const result = util.fixInvalidNotifications(createMockSarifWithNotification([stubLocation]), (0, testing_utils_1.getRecordingLogger)(messages));
     t.deepEqual(result, createMockSarifWithNotification([stubLocation]));
-    t.is(messages.length, 0);
+    t.is(messages.length, 1);
+    t.deepEqual(messages[0], {
+        type: "debug",
+        message: "No duplicate locations found in SARIF notification objects.",
+    });
 });
 (0, ava_1.default)("fixInvalidNotifications removes duplicate locations", (t) => {
     const messages = [];

pr-checks/checks/diagnostics-export.yml

@@ -1,6 +1,8 @@
 name: "Diagnostic export"
 description: "Tests that manually added diagnostics are correctly exported to SARIF."
-versions: ["latest", "nightly-latest"]
+# Test on 2.12.5 (which requires a workaround in the Action), the latest release, and the latest
+# nightly.
+versions: ["stable-20230317", "latest", "nightly-latest"]
 env:
   CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
 steps:

pr-checks/checks/export-file-baseline-information.yml

@@ -11,7 +11,7 @@ steps:
       tools: ${{ steps.prepare-test.outputs.tools-url }}
     env:
       CODEQL_FILE_BASELINE_INFORMATION: true
-  - uses: ./../action/.github/setup-swift
+  - uses: ./../action/.github/actions/setup-swift
     with:
       codeql-path: ${{steps.init.outputs.codeql-path}}
   - name: Build code

pr-checks/checks/init-with-registries.yml

@@ -11,6 +11,10 @@ versions: [
     "nightly-latest",
 ]
 
+permissions:
+  contents: read
+  packages: read
+
 steps:
   - name: Init with registries
     uses: ./../action/init
@@ -27,8 +31,8 @@ steps:
   - name: Verify packages installed
     shell: bash
     run: |
-      PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
-      CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
+      PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
+      CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
 
       if [[ -d $PRIVATE_PACK ]]
       then

pr-checks/checks/ml-powered-queries.yml

@@ -28,7 +28,7 @@ steps:
       retention-days: 7
 
   - name: Check sarif
-    uses: ./../action/.github/check-sarif
+    uses: ./../action/.github/actions/check-sarif
     # Running on Windows requires CodeQL CLI 2.9.0+.
     if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
     with:

pr-checks/checks/multi-language-autodetect.yml

@@ -10,7 +10,7 @@ steps:
       db-location: "${{ runner.temp }}/customDbLocation"
       tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-  - uses: ./../action/.github/setup-swift
+  - uses: ./../action/.github/actions/setup-swift
     with:
       codeql-path: ${{steps.init.outputs.codeql-path}}
 

pr-checks/checks/packaging-codescanning-config-inputs-js.yml

@@ -9,7 +9,7 @@ steps:
   - uses: ./../action/init
     with:
       config-file: ".github/codeql/codeql-config-packaging3.yml"
-      packs: +dsp-testing/codeql-pack1@1.0.0
+      packs: +codeql-testing/codeql-pack1@1.0.0
       languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Build code
@@ -21,7 +21,7 @@ steps:
       upload-database: false
 
   - name: Check results
-    uses: ./../action/.github/check-sarif
+    uses: ./../action/.github/actions/check-sarif
     with:
       sarif-file: ${{ runner.temp }}/results/javascript.sarif
       queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

pr-checks/checks/packaging-config-inputs-js.yml

@@ -5,7 +5,7 @@ steps:
   - uses: ./../action/init
     with:
       config-file: ".github/codeql/codeql-config-packaging3.yml"
-      packs: +dsp-testing/codeql-pack1@1.0.0
+      packs: +codeql-testing/codeql-pack1@1.0.0
       languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Build code
@@ -17,7 +17,7 @@ steps:
       upload-database: false
 
   - name: Check results
-    uses: ./../action/.github/check-sarif
+    uses: ./../action/.github/actions/check-sarif
     with:
       sarif-file: ${{ runner.temp }}/results/javascript.sarif
       queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

pr-checks/checks/packaging-config-js.yml

@@ -16,7 +16,7 @@ steps:
       upload-database: false
 
   - name: Check results
-    uses: ./../action/.github/check-sarif
+    uses: ./../action/.github/actions/check-sarif
     with:
       sarif-file: ${{ runner.temp }}/results/javascript.sarif
       queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

pr-checks/checks/packaging-inputs-js.yml

@@ -6,7 +6,7 @@ steps:
     with:
       config-file: ".github/codeql/codeql-config-packaging2.yml"
       languages: javascript
-      packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
+      packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Build code
     shell: bash
@@ -16,7 +16,7 @@ steps:
       output: "${{ runner.temp }}/results"
 
   - name: Check results
-    uses: ./../action/.github/check-sarif
+    uses: ./../action/.github/actions/check-sarif
     with:
       sarif-file: ${{ runner.temp }}/results/javascript.sarif
       queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

pr-checks/checks/split-workflow.yml

@@ -6,7 +6,7 @@ steps:
   - uses: ./../action/init
     with:
       config-file: ".github/codeql/codeql-config-packaging3.yml"
-      packs: +dsp-testing/codeql-pack1@1.0.0
+      packs: +codeql-testing/codeql-pack1@1.0.0
       languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Build code

pr-checks/checks/swift-custom-build.yml

@@ -11,7 +11,7 @@ steps:
     with:
       languages: swift
       tools: ${{ steps.prepare-test.outputs.tools-url }}
-  - uses: ./../action/.github/setup-swift
+  - uses: ./../action/.github/actions/setup-swift
     with:
       codeql-path: ${{steps.init.outputs.codeql-path}}
   - name: Check working directory

pr-checks/sync.py

@@ -79,7 +79,7 @@ for file in os.listdir('checks'):
         {
             'name': 'Prepare test',
             'id': 'prepare-test',
-            'uses': './.github/prepare-test',
+            'uses': './.github/actions/prepare-test',
             'with': {
                 'version': '${{ matrix.version }}'
             }
@@ -107,8 +107,10 @@ for file in os.listdir('checks'):
         'name': checkSpecification['name'],
         'timeout-minutes': 45,
         'runs-on': '${{ matrix.os }}',
-        'steps': steps
+        'steps': steps,
     }
+    if 'permissions' in checkSpecification:
+        checkJob['permissions'] = checkSpecification['permissions']
 
     for key in ["env", "container", "services"]:
         if key in checkSpecification:

src/codeql.test.ts

@@ -554,13 +554,13 @@ test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t)
       tagName: "codeql-bundle-20230203",
     });
     mockDownloadApi({
-      repo: "dsp-testing/codeql-cli-nightlies",
+      repo: "codeql-testing/codeql-cli-nightlies",
       platformSpecific: false,
       tagName: "codeql-bundle-20230203",
     });
 
     const result = await codeql.setupCodeQL(
-      "https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz",
+      "https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz",
       sampleApiDetails,
       tmpDir,
       util.GitHubVariant.DOTCOM,

src/codeql.ts

@@ -319,6 +319,12 @@ export const CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
  */
 export const CODEQL_VERSION_INIT_WITH_QLCONFIG = "2.12.4";
 
+/**
+ * Versions 2.12.6+ of the CodeQL CLI fix a bug where duplicate notification objects could be produced,
+ * leading to an invalid SARIF output.
+ */
+export const CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED = "2.12.6";
+
 /**
  * Set up CodeQL CLI access.
  *
@@ -878,7 +884,13 @@ export async function getCodeQLForCmd(
         Feature.ExportDiagnosticsEnabled,
         this
       );
-      const codeqlOutputFile = shouldExportDiagnostics
+      const shouldWorkaroundInvalidNotifications =
+        shouldExportDiagnostics &&
+        !(await util.codeQlVersionAbove(
+          this,
+          CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED
+        ));
+      const codeqlOutputFile = shouldWorkaroundInvalidNotifications
         ? path.join(config.tempDir, "codeql-intermediate-results.sarif")
         : sarifFile;
       const codeqlArgs = [
@@ -924,7 +936,7 @@ export async function getCodeQLForCmd(
         errorMatchers
       );
 
-      if (shouldExportDiagnostics) {
+      if (shouldWorkaroundInvalidNotifications) {
         util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
       }
 
@@ -1027,17 +1039,21 @@ export async function getCodeQLForCmd(
       tempDir: string,
       logger: Logger
     ): Promise<void> {
-      const intermediateSarifFile = path.join(
-        tempDir,
-        "codeql-intermediate-results.sarif"
-      );
+      const shouldWorkaroundInvalidNotifications =
+        !(await util.codeQlVersionAbove(
+          this,
+          CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED
+        ));
+      const codeqlOutputFile = shouldWorkaroundInvalidNotifications
+        ? path.join(tempDir, "codeql-intermediate-results.sarif")
+        : sarifFile;
       const args = [
         "database",
         "export-diagnostics",
         `${databasePath}`,
         "--db-cluster", // Database is always a cluster for CodeQL versions that support diagnostics.
         "--format=sarif-latest",
-        `--output=${intermediateSarifFile}`,
+        `--output=${codeqlOutputFile}`,
         "--sarif-include-diagnostics", // ExportDiagnosticsEnabled is always true if this command is run.
         "-vvv",
         ...getExtraOptionsFromEnv(["diagnostics", "export"]),
@@ -1047,12 +1063,10 @@ export async function getCodeQLForCmd(
       }
       await new toolrunner.ToolRunner(cmd, args).exec();
 
-      // Fix invalid notifications in the SARIF file output by CodeQL.
-      util.fixInvalidNotificationsInFile(
-        intermediateSarifFile,
-        sarifFile,
-        logger
-      );
+      if (shouldWorkaroundInvalidNotifications) {
+        // Fix invalid notifications in the SARIF file output by CodeQL.
+        util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
+      }
     },
     async diagnosticsExport(
       sarifFile: string,

src/config-utils.test.ts

@@ -2307,7 +2307,7 @@ test("downloadPacks-with-registries", async (t) => {
       {
         // no slash
         url: "http://ghcr.io",
-        packages: ["codeql/*", "dsp-testing/*"],
+        packages: ["codeql/*", "codeql-testing/*"],
         token: "not-a-token",
       },
       {
@@ -2397,7 +2397,7 @@ test("downloadPacks-with-registries fails on 2.10.3", async (t) => {
     const registriesInput = yaml.dump([
       {
         url: "http://ghcr.io",
-        packages: ["codeql/*", "dsp-testing/*"],
+        packages: ["codeql/*", "codeql-testing/*"],
         token: "not-a-token",
       },
       {
@@ -2439,7 +2439,7 @@ test("downloadPacks-with-registries fails with invalid registries block", async
     const registriesInput = yaml.dump([
       {
         // missing url property
-        packages: ["codeql/*", "dsp-testing/*"],
+        packages: ["codeql/*", "codeql-testing/*"],
         token: "not-a-token",
       },
       {
@@ -2478,7 +2478,7 @@ test("no generateRegistries when CLI is too old", async (t) => {
       {
         // no slash
         url: "http://ghcr.io",
-        packages: ["codeql/*", "dsp-testing/*"],
+        packages: ["codeql/*", "codeql-testing/*"],
         token: "not-a-token",
       },
     ]);
@@ -2527,7 +2527,7 @@ test("generateRegistries prefers original CODEQL_REGISTRIES_AUTH", async (t) =>
     const registriesInput = yaml.dump([
       {
         url: "http://ghcr.io",
-        packages: ["codeql/*", "dsp-testing/*"],
+        packages: ["codeql/*", "codeql-testing/*"],
         token: "not-a-token",
       },
     ]);

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-20230317",
-  "cliVersion": "2.12.5",
-  "priorBundleVersion": "codeql-bundle-20230304",
-  "priorCliVersion": "2.12.4"
+  "bundleVersion": "codeql-bundle-20230403",
+  "cliVersion": "2.12.6",
+  "priorBundleVersion": "codeql-bundle-20230317",
+  "priorCliVersion": "2.12.5"
 }

src/util.test.ts

@@ -441,7 +441,11 @@ test("fixInvalidNotifications leaves notifications with unique locations alone",
     getRecordingLogger(messages)
   );
   t.deepEqual(result, createMockSarifWithNotification([stubLocation]));
-  t.is(messages.length, 0);
+  t.is(messages.length, 1);
+  t.deepEqual(messages[0], {
+    type: "debug",
+    message: "No duplicate locations found in SARIF notification objects.",
+  });
 });
 
 test("fixInvalidNotifications removes duplicate locations", (t) => {

src/util.ts

@@ -875,6 +875,8 @@ export function fixInvalidNotifications(
       `Removed ${numDuplicateLocationsRemoved} duplicate locations from SARIF notification ` +
         "objects."
     );
+  } else {
+    logger.debug("No duplicate locations found in SARIF notification objects.");
   }
   return newSarif;
 }

tests/multi-language-repo/.github/codeql/codeql-config-packaging.yml

@@ -3,9 +3,9 @@ name: Pack testing in the CodeQL Action
 disable-default-queries: true
 packs:
   javascript:
-    - dsp-testing/codeql-pack1@1.0.0
-    - dsp-testing/codeql-pack2
-    - dsp-testing/codeql-pack3:other-query.ql
+    - codeql-testing/codeql-pack1@1.0.0
+    - codeql-testing/codeql-pack2
+    - codeql-testing/codeql-pack3:other-query.ql
 
 paths-ignore:
   - tests

tests/multi-language-repo/.github/codeql/codeql-config-packaging3.yml

@@ -3,8 +3,8 @@ name: Pack testing in the CodeQL Action
 disable-default-queries: true
 packs:
   javascript:
-    - dsp-testing/codeql-pack2
-    - dsp-testing/codeql-pack3:other-query.ql
+    - codeql-testing/codeql-pack2
+    - codeql-testing/codeql-pack3:other-query.ql
 paths-ignore:
   - tests
   - lib

tests/multi-language-repo/.github/codeql/codeql-config-query-filters2.yml

@@ -5,7 +5,7 @@ disable-default-queries: true
 packs:
   javascript:
     - codeql/javascript-queries
-    - dsp-testing/codeql-pack1@1.0.0
+    - codeql-testing/codeql-pack1@1.0.0
 
 query-filters:
 # This should run js/path-injection and js/zipslip

tests/multi-language-repo/.github/codeql/codeql-config-query-filters3.yml

@@ -15,7 +15,7 @@ queries:
 packs:
   javascript:
     - codeql/javascript-queries
-    - dsp-testing/codeql-pack1@1.0.0
+    - codeql-testing/codeql-pack1@1.0.0
 
 query-filters:
 # This should run js/path-injection and js/zipslip

tests/multi-language-repo/.github/codeql/codeql-config-registries.yml

@@ -3,5 +3,5 @@ name: Pack testing in the CodeQL Action
 disable-default-queries: true
 packs:
   javascript:
-    - dsp-testing/private-pack
-    - dsp-testing/codeql-pack1
+    - codeql-testing/private-pack
+    - codeql-testing/codeql-pack1

tests/multi-language-repo/.github/codeql/multi-language-packs-config.yml

@@ -1,7 +1,7 @@
 packs:
   javascript:
-    - dsp-testing/codeql-pack1@1.0.0
-    - dsp-testing/codeql-pack2
+    - codeql-testing/codeql-pack1@1.0.0
+    - codeql-testing/codeql-pack2
   ruby:
     - codeql/ruby-queries
 

tests/multi-language-repo/.github/codeql/queries-and-packs-config.yml

@@ -1,7 +1,7 @@
 packs:
   javascript:
-    - dsp-testing/codeql-pack1@1.0.0
-    - dsp-testing/codeql-pack2
+    - codeql-testing/codeql-pack1@1.0.0
+    - codeql-testing/codeql-pack2
 
 queries:
   - uses: ./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql