Merge pull request #1687 from github/henrymercer/update-changelog-note

Push back semver CodeQL bundles

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 ## [UNRELEASED]
 
+- We are rolling out a feature in May 2023 that will disable Python dependency installation for new users of the CodeQL Action. This improves the speed of analysis while having only a very minor impact on results. [#1676](https://github.com/github/codeql-action/pull/1676)
+- We are improving the way that [CodeQL bundles](https://github.com/github/codeql-action/releases) are tagged to make it possible to easily identify bundles by their CodeQL semantic version.
+  - As of CodeQL CLI 2.13.4, CodeQL bundles will be tagged using semantic versions, for example `codeql-bundle-v2.13.4`, instead of timestamps, like `codeql-bundle-20230615`.
+  - This change does not affect the majority of workflows, and we will not be changing tags for existing bundle releases.
+  - Some workflows with custom logic that depends on the specific format of the CodeQL bundle tag may need to be updated. For example, if your workflow matches CodeQL bundle tag names against a `codeql-bundle-yyyymmdd` pattern, you should update it to also recognize `codeql-bundle-vx.y.z` tags.
 - Remove the requirement for `on.push` and `on.pull_request` to trigger on the same branches. [#1675](https://github.com/github/codeql-action/pull/1675)
 
 ## 2.3.3 - 04 May 2023

lib/analyze-action.js

@@ -163,7 +163,7 @@ async function run() {
         const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
         const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, actionsUtil.getTemporaryDirectory(), logger);
         await runAutobuildIfLegacyGoWorkflow(config, logger);
-        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, config, logger);
+        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, config, logger, features);
         if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
             runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, actionsUtil.getOptionalInput("category"), config, logger, features);
         }

lib/analyze.js

@@ -36,6 +36,7 @@ const yaml = __importStar(require("js-yaml"));
 const analysisPaths = __importStar(require("./analysis-paths"));
 const codeql_1 = require("./codeql");
 const configUtils = __importStar(require("./config-utils"));
+const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const tracer_config_1 = require("./tracer-config");
 const util = __importStar(require("./util"));
@@ -47,12 +48,17 @@ class CodeQLAnalysisError extends Error {
     }
 }
 exports.CodeQLAnalysisError = CodeQLAnalysisError;
-async function setupPythonExtractor(logger) {
+async function setupPythonExtractor(logger, features, codeql) {
     const codeqlPython = process.env["CODEQL_PYTHON"];
     if (codeqlPython === undefined || codeqlPython.length === 0) {
         // If CODEQL_PYTHON is not set, no dependencies were installed, so we don't need to do anything
         return;
     }
+    if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallation, codeql)) {
+        logger.warning("We recommend that you remove the CODEQL_PYTHON environment variable from your workflow. This environment variable was originally used to specify a Python executable that included the dependencies of your Python code, however Python analysis no longer uses these dependencies." +
+            "\nIf you used CODEQL_PYTHON to force the version of Python to analyze as, please use CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION instead, such as 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=2.7' or 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.11'.");
+        return;
+    }
     const scriptsFolder = path.resolve(__dirname, "../python-setup");
     let output = "";
     const options = {
@@ -70,7 +76,7 @@ async function setupPythonExtractor(logger) {
     logger.info(`Setting LGTM_PYTHON_SETUP_VERSION=${output}`);
     process.env["LGTM_PYTHON_SETUP_VERSION"] = output;
 }
-async function createdDBForScannedLanguages(codeql, config, logger) {
+async function createdDBForScannedLanguages(codeql, config, logger, features) {
     // Insert the LGTM_INDEX_X env vars at this point so they are set when
     // we extract any scanned languages.
     analysisPaths.includeAndExcludeAnalysisPaths(config);
@@ -79,7 +85,7 @@ async function createdDBForScannedLanguages(codeql, config, logger) {
             !dbIsFinalized(config, language, logger)) {
             logger.startGroup(`Extracting ${language}`);
             if (language === languages_1.Language.python) {
-                await setupPythonExtractor(logger);
+                await setupPythonExtractor(logger, features, codeql);
             }
             await codeql.extractScannedLanguage(config, language);
             logger.endGroup();
@@ -99,10 +105,10 @@ function dbIsFinalized(config, language, logger) {
     }
 }
 exports.dbIsFinalized = dbIsFinalized;
-async function finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger) {
+async function finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger, features) {
     const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
     const extractionStart = perf_hooks_1.performance.now();
-    await createdDBForScannedLanguages(codeql, config, logger);
+    await createdDBForScannedLanguages(codeql, config, logger, features);
     const extractionTime = perf_hooks_1.performance.now() - extractionStart;
     const trapImportStart = perf_hooks_1.performance.now();
     for (const language of config.languages) {
@@ -271,7 +277,7 @@ function createQuerySuiteContents(queries, queryFilters) {
     return yaml.dump(queries.map((q) => ({ query: q })).concat(queryFilters));
 }
 exports.createQuerySuiteContents = createQuerySuiteContents;
-async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger) {
+async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger, features) {
     try {
         await (0, del_1.default)(outputDir, { force: true });
     }
@@ -281,7 +287,7 @@ async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger) {
         }
     }
     await fs.promises.mkdir(outputDir, { recursive: true });
-    const timings = await finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger);
+    const timings = await finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger, features);
     // WARNING: This does not _really_ end tracing, as the tracer will restore its
     // critical environment variables and it'll still be active for all processes
     // launched from this build step.

lib/codeql.js

@@ -66,7 +66,6 @@ const CODEQL_MINIMUM_VERSION = "2.8.5";
  * For convenience, please keep these in descending order. Once a version
  * flag is older than the oldest supported version above, it may be removed.
  */
-const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
 const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
 const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
 exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
@@ -174,6 +173,7 @@ function setCodeQL(partialCodeql) {
         databasePrintBaseline: resolveFunction(partialCodeql, "databasePrintBaseline"),
         databaseExportDiagnostics: resolveFunction(partialCodeql, "databaseExportDiagnostics"),
         diagnosticsExport: resolveFunction(partialCodeql, "diagnosticsExport"),
+        resolveExtractor: resolveFunction(partialCodeql, "resolveExtractor"),
     };
     return cachedCodeQL;
 }
@@ -269,10 +269,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             ], { stdin: externalRepositoryToken });
         },
         async runAutobuild(language) {
-            const cmdName = process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh";
+            const autobuildCmd = path.join(await this.resolveExtractor(language), "tools", process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh");
-            // The autobuilder for Swift is located in the experimental/ directory.
-            const possibleExperimentalDir = language === languages_1.Language.swift ? "experimental" : "";
-            const autobuildCmd = path.join(path.dirname(cmd), possibleExperimentalDir, language, "tools", cmdName);
             // Update JAVA_TOOL_OPTIONS to contain '-Dhttp.keepAlive=false'
             // This is because of an issue with Azure pipelines timing out connections after 4 minutes
             // and Maven not properly handling closed connections
@@ -301,31 +298,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         },
         async extractScannedLanguage(config, language) {
             const databasePath = util.getCodeQLDatabasePath(config, language);
-            // Get extractor location
-            //
-            // Request it using `format=json` so we don't need to strip the trailing new line generated by
-            // the CLI.
-            let extractorPath = "";
-            await new toolrunner.ToolRunner(cmd, [
-                "resolve",
-                "extractor",
-                "--format=json",
-                `--language=${language}`,
-                ...getExtraOptionsFromEnv(["resolve", "extractor"]),
-            ], {
-                silent: true,
-                listeners: {
-                    stdout: (data) => {
-                        extractorPath += data.toString();
-                    },
-                    stderr: (data) => {
-                        process.stderr.write(data);
-                    },
-                },
-            }).exec();
             // Set trace command
             const ext = process.platform === "win32" ? ".cmd" : ".sh";
-            const traceCommand = path.resolve(JSON.parse(extractorPath), "tools", `autobuild${ext}`);
+            const traceCommand = path.resolve(await this.resolveExtractor(language), "tools", `autobuild${ext}`);
             // Run trace command
             await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, [
                 "database",
@@ -438,12 +413,11 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 addSnippetsFlag,
                 "--print-diagnostics-summary",
                 "--print-metrics-summary",
+                "--sarif-add-query-help",
                 "--sarif-group-rules-by-pack",
                 ...(await getCodeScanningConfigExportArguments(config, this, features)),
                 ...getExtraOptionsFromEnv(["database", "interpret-results"]),
             ];
-            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_CUSTOM_QUERY_HELP))
-                codeqlArgs.push("--sarif-add-query-help");
             if (automationDetailsId !== undefined) {
                 codeqlArgs.push("--sarif-category", automationDetailsId);
             }
@@ -581,6 +555,29 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             }
             await new toolrunner.ToolRunner(cmd, args).exec();
         },
+        async resolveExtractor(language) {
+            // Request it using `format=json` so we don't need to strip the trailing new line generated by
+            // the CLI.
+            let extractorPath = "";
+            await new toolrunner.ToolRunner(cmd, [
+                "resolve",
+                "extractor",
+                "--format=json",
+                `--language=${language}`,
+                ...getExtraOptionsFromEnv(["resolve", "extractor"]),
+            ], {
+                silent: true,
+                listeners: {
+                    stdout: (data) => {
+                        extractorPath += data.toString();
+                    },
+                    stderr: (data) => {
+                        process.stderr.write(data);
+                    },
+                },
+            }).exec();
+            return JSON.parse(extractorPath);
+        },
     };
     // To ensure that status reports include the CodeQL CLI version wherever
     // possible, we want to call getVersion(), which populates the version value

lib/codeql.test.js

@@ -49,20 +49,11 @@ const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
-const sampleApiDetails = {
-    auth: "token",
-    url: "https://github.com",
-    apiURL: "https://api.github.com",
-};
 const sampleGHAEApiDetails = {
     auth: "token",
     url: "https://example.githubenterprise.com",
     apiURL: "https://example.githubenterprise.com/api/v3",
 };
-const SAMPLE_DEFAULT_CLI_VERSION = {
-    cliVersion: "2.0.0",
-    variant: util.GitHubVariant.DOTCOM,
-};
 let stubConfig;
 ava_1.default.beforeEach(() => {
     (0, util_1.initializeEnvironment)("1.2.3");
@@ -91,34 +82,13 @@ ava_1.default.beforeEach(() => {
         trapCacheDownloadTime: 0,
     };
 });
-/**
+async function installIntoToolcache({ apiDetails = testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, cliVersion, isPinned, tagName, tmpDir, }) {
- * Mocks the API for downloading the bundle tagged `tagName`.
+    const url = (0, testing_utils_1.mockBundleDownloadApi)({ apiDetails, isPinned, tagName });
- *
- * @returns the download URL for the bundle. This can be passed to the tools parameter of
- * `codeql.setupCodeQL`.
- */
-function mockDownloadApi({ apiDetails = sampleApiDetails, isPinned, repo = "github/codeql-action", platformSpecific = true, tagName, }) {
-    const platform = process.platform === "win32"
-        ? "win64"
-        : process.platform === "linux"
-            ? "linux64"
-            : "osx64";
-    const baseUrl = apiDetails?.url ?? "https://example.com";
-    const relativeUrl = apiDetails
-        ? `/${repo}/releases/download/${tagName}/codeql-bundle${platformSpecific ? `-${platform}` : ""}.tar.gz`
-        : `/download/${tagName}/codeql-bundle.tar.gz`;
-    (0, nock_1.default)(baseUrl)
-        .get(relativeUrl)
-        .replyWithFile(200, path_1.default.join(__dirname, `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`));
-    return `${baseUrl}${relativeUrl}`;
-}
-async function installIntoToolcache({ apiDetails = sampleApiDetails, cliVersion, isPinned, tagName, tmpDir, }) {
-    const url = mockDownloadApi({ apiDetails, isPinned, tagName });
     await codeql.setupCodeQL(cliVersion !== undefined ? undefined : url, apiDetails, tmpDir, util.GitHubVariant.GHES, cliVersion !== undefined
         ? { cliVersion, tagName, variant: util.GitHubVariant.GHES }
-        : SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        : testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
 }
-function mockReleaseApi({ apiDetails = sampleApiDetails, assetNames, tagName, }) {
+function mockReleaseApi({ apiDetails = testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, assetNames, tagName, }) {
     return (0, nock_1.default)(apiDetails.apiURL)
         .get(`/repos/github/codeql-action/releases/tags/${tagName}`)
         .reply(200, {
@@ -149,11 +119,11 @@ function mockApiDetails(apiDetails) {
         const versions = ["20200601", "20200610"];
         for (let i = 0; i < versions.length; i++) {
             const version = versions[i];
-            const url = mockDownloadApi({
+            const url = (0, testing_utils_1.mockBundleDownloadApi)({
                 tagName: `codeql-bundle-${version}`,
                 isPinned: false,
             });
-            const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
             t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
             t.is(result.toolsVersion, `0.0.0-${version}`);
             t.is(result.toolsSource, init_1.ToolsSource.Download);
@@ -170,10 +140,10 @@ function mockApiDetails(apiDetails) {
             isPinned: true,
             tmpDir,
         });
-        const url = mockDownloadApi({
+        const url = (0, testing_utils_1.mockBundleDownloadApi)({
             tagName: "codeql-bundle-20200610",
         });
-        const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
         t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
         t.deepEqual(result.toolsVersion, "0.0.0-20200610");
         t.is(result.toolsSource, init_1.ToolsSource.Download);
@@ -198,16 +168,16 @@ for (const { cliVersion, expectedToolcacheVersion, } of EXPLICITLY_REQUESTED_BUN
     (0, ava_1.default)(`caches an explicitly requested bundle containing CLI ${cliVersion} as ${expectedToolcacheVersion}`, async (t) => {
         await util.withTmpDir(async (tmpDir) => {
             (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-            mockApiDetails(sampleApiDetails);
+            mockApiDetails(testing_utils_1.SAMPLE_DOTCOM_API_DETAILS);
             sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
             const releaseApiMock = mockReleaseApi({
                 assetNames: [`cli-version-${cliVersion}.txt`],
                 tagName: "codeql-bundle-20200610",
             });
-            const url = mockDownloadApi({
+            const url = (0, testing_utils_1.mockBundleDownloadApi)({
                 tagName: "codeql-bundle-20200610",
             });
-            const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
             t.assert(releaseApiMock.isDone(), "Releases API should have been called");
             t.assert(toolcache.find("CodeQL", expectedToolcacheVersion));
             t.deepEqual(result.toolsVersion, cliVersion);
@@ -220,19 +190,19 @@ for (const { githubReleases, toolcacheVersion } of [
     // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested
     // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache.
     {
-        toolcacheVersion: SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
+        toolcacheVersion: testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
     },
     {
         githubReleases: {
-            "codeql-bundle-20230101": `cli-version-${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}.txt`,
+            "codeql-bundle-20230101": `cli-version-${testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion}.txt`,
         },
         toolcacheVersion: "0.0.0-20230101",
     },
     {
-        toolcacheVersion: `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`,
+        toolcacheVersion: `${testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`,
     },
 ]) {
-    (0, ava_1.default)(`uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
+    (0, ava_1.default)(`uses tools from toolcache when ${testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
         `${toolcacheVersion} is installed`, async (t) => {
         await util.withTmpDir(async (tmpDir) => {
             (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -256,8 +226,8 @@ for (const { githubReleases, toolcacheVersion } of [
                     }))),
                 }));
             }
-            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
-            t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
+            t.is(result.toolsVersion, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
             t.is(result.toolsSource, init_1.ToolsSource.Toolcache);
             t.is(result.toolsDownloadDurationMs, undefined);
         });
@@ -272,7 +242,7 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
                 isPinned: true,
                 tmpDir,
             });
-            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, {
+            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, variant, {
                 cliVersion: defaults.cliVersion,
                 tagName: defaults.bundleVersion,
                 variant,
@@ -292,10 +262,10 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
                 isPinned: false,
                 tmpDir,
             });
-            mockDownloadApi({
+            (0, testing_utils_1.mockBundleDownloadApi)({
                 tagName: defaults.bundleVersion,
             });
-            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, {
+            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, variant, {
                 cliVersion: defaults.cliVersion,
                 tagName: defaults.bundleVersion,
                 variant,
@@ -316,10 +286,10 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
             isPinned: true,
             tmpDir,
         });
-        mockDownloadApi({
+        (0, testing_utils_1.mockBundleDownloadApi)({
             tagName: defaults.bundleVersion,
         });
-        const result = await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("latest", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
         t.deepEqual(result.toolsVersion, defaults.cliVersion);
         t.is(result.toolsSource, init_1.ToolsSource.Download);
         t.assert(Number.isInteger(result.toolsDownloadDurationMs));
@@ -375,18 +345,18 @@ for (const isBundleVersionInUrl of [true, false]) {
 (0, ava_1.default)("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t) => {
     await util.withTmpDir(async (tmpDir) => {
         (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        mockApiDetails(sampleApiDetails);
+        mockApiDetails(testing_utils_1.SAMPLE_DOTCOM_API_DETAILS);
         sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
         const releasesApiMock = mockReleaseApi({
             assetNames: ["cli-version-2.12.2.txt"],
             tagName: "codeql-bundle-20230203",
         });
-        mockDownloadApi({
+        (0, testing_utils_1.mockBundleDownloadApi)({
             repo: "codeql-testing/codeql-cli-nightlies",
             platformSpecific: false,
             tagName: "codeql-bundle-20230203",
         });
-        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
         t.is(result.toolsVersion, "0.0.0-20230203");
         t.is(result.toolsSource, init_1.ToolsSource.Download);
         t.true(Number.isInteger(result.toolsDownloadDurationMs));
@@ -418,24 +388,6 @@ for (const isBundleVersionInUrl of [true, false]) {
     t.throws(() => codeql.getExtraOptions({ foo: 87 }, ["foo"], []));
     t.throws(() => codeql.getExtraOptions({ "*": [42], foo: { "*": 87, bar: [99] } }, ["foo", "bar"], []));
 });
-(0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-query-help for 2.7.0", async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
-    // safeWhich throws because of the test CodeQL object.
-    sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", stubConfig, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
-    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be absent, but it is present");
-});
-(0, ava_1.default)("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
-    // safeWhich throws because of the test CodeQL object.
-    sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", stubConfig, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
-    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be present, but it is absent");
-});
 (0, ava_1.default)("databaseInitCluster() without injected codescanning config", async (t) => {
     await util.withTmpDir(async (tempDir) => {
         const runnerConstructorStub = stubToolRunnerConstructor();

lib/feature-flags.js

@@ -40,6 +40,7 @@ var Feature;
     Feature["ExportDiagnosticsEnabled"] = "export_diagnostics_enabled";
     Feature["MlPoweredQueriesEnabled"] = "ml_powered_queries_enabled";
     Feature["UploadFailedSarifEnabled"] = "upload_failed_sarif_enabled";
+    Feature["DisablePythonDependencyInstallation"] = "disable_python_dependency_installation";
 })(Feature = exports.Feature || (exports.Feature = {}));
 exports.featureConfig = {
     [Feature.DisableKotlinAnalysisEnabled]: {
@@ -72,6 +73,16 @@ exports.featureConfig = {
         minimumVersion: "2.11.3",
         defaultValue: true,
     },
+    [Feature.DisablePythonDependencyInstallation]: {
+        envVar: "CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION",
+        // Although the python extractor only started supporting not extracting installed
+        // dependencies in 2.13.1, the init-action can still benefit from not installing
+        // dependencies no matter what codeql version we are using, so therefore the
+        // minimumVersion is set to 'undefined'. This means that with an old CodeQL version,
+        // packages available with current python3 installation might get extracted.
+        minimumVersion: undefined,
+        defaultValue: false,
+    },
 };
 exports.FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 /**

lib/init-action.js

@@ -136,6 +136,10 @@ async function run() {
         (0, actions_util_1.getOptionalInput)("debug") === "true" || core.isDebug(), (0, actions_util_1.getOptionalInput)("debug-artifact-name") || util_1.DEFAULT_DEBUG_ARTIFACT_NAME, (0, actions_util_1.getOptionalInput)("debug-database-name") || util_1.DEFAULT_DEBUG_DATABASE_NAME, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), codeql, (0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), gitHubVersion, apiDetails, features, logger);
         if (config.languages.includes(languages_1.Language.python) &&
             (0, actions_util_1.getRequiredInput)("setup-python-dependencies") === "true") {
+            if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallation, codeql)) {
+                logger.info("Skipping python dependency installation");
+            }
+            else {
                 try {
                     await (0, init_1.installPythonDeps)(codeql, logger);
                 }
@@ -145,6 +149,7 @@ async function run() {
                 }
             }
         }
+    }
     catch (unwrappedError) {
         const error = (0, util_1.wrapError)(unwrappedError);
         core.setFailed(error.message);
@@ -170,6 +175,10 @@ async function run() {
         if (await features.getValue(feature_flags_1.Feature.DisableKotlinAnalysisEnabled)) {
             core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
         }
+        // Disable Python dependency extraction if feature flag set
+        if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallation, codeql)) {
+            core.exportVariable("CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION", "true");
+        }
         const sourceRoot = path.resolve((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), (0, actions_util_1.getOptionalInput)("source-root") || "");
         const tracerConfig = await (0, init_1.runInit)(codeql, config, sourceRoot, "Runner.Worker.exe", registriesInput, features, apiDetails, logger);
         if (tracerConfig !== undefined) {

lib/setup-codeql.js

@@ -315,6 +315,13 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
         // If a tools URL was provided, then use that.
         tagName = tryGetTagNameFromUrl(toolsInput, logger);
         url = toolsInput;
+        if (tagName) {
+            const bundleVersion = tryGetBundleVersionFromTagName(tagName, logger);
+            // If the bundle version is a semantic version, it is a CLI version number.
+            if (bundleVersion && semver.valid(bundleVersion)) {
+                cliVersion = convertToSemVer(bundleVersion, logger);
+            }
+        }
     }
     else {
         // Otherwise, use the default CLI version passed in.

lib/setup-codeql.test.js

@@ -117,4 +117,14 @@ ava_1.default.beforeEach(() => {
         message: "Failed to find a release of the CodeQL tools that contains CodeQL CLI 2.12.1.",
     });
 });
+(0, ava_1.default)("getCodeQLSource sets CLI version for a semver tagged bundle", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const tagName = "codeql-bundle-v1.2.3";
+        (0, testing_utils_1.mockBundleDownloadApi)({ tagName });
+        const source = await setupCodeql.getCodeQLSource(`https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, util_1.GitHubVariant.DOTCOM, (0, logging_1.getRunnerLogger)(true));
+        t.is(source.sourceType, "download");
+        t.is(source["cliVersion"], "1.2.3");
+    });
+});
 //# sourceMappingURL=setup-codeql.test.js.map

lib/setup-codeql.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"setup-codeql.test.js","sourceRoot":"","sources":["../src/setup-codeql.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,kDAAoC;AACpC,uCAA4C;AAC5C,4DAA8C;AAC9C,mDAA6C;AAC7C,iCAA0D;AAE1D,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,CAAC,CAAC,SAAS,CACT,WAAW,CAAC,mBAAmB,CAC7B,mDAAmD,CACpD,EACD,UAAU,CACX,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9B,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,gBAAgB;QAC5B,YAAY,EAAE,kBAAkB;QAChC,cAAc,EAAE,cAAc;QAC9B,OAAO,EAAE,OAAO;QAChB,aAAa,EAAE,aAAa;QAC5B,cAAc,EAAE,cAAc;KAC/B,CAAC;IAEF,KAAK,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;QAC9D,IAAI;YACF,MAAM,aAAa,GAAG,WAAW,CAAC,eAAe,CAC/C,OAAO,EACP,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;YACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC;SAC7C;QAAC,OAAO,CAAC,EAAE;YACV,CAAC,CAAC,IAAI,CAAC,IAAA,gBAAS,EAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;SAC9B;KACF;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,2BAA2B,EAAE,CAAC,CAAC,EAAE,EAAE;IACtC,MAAM,MAAM,GAAG,IAAA,yBAAe,EAAC,IAAI,CAAC,CAAC;IAErC,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;IAE/B,kCAAkC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACtE,CAAC,CAAC,SAAS,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAAC;IAErD,mCAAmC;IACnC,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC;IACpD,MAAM,OAAO,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yEAAyE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1F,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,CAAC,CAAC,EAAE,CACF,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACD,wBAAwB,CACzB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iFAAiF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClG,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,MAAM,CAAC,CAAC,WAAW,CACjB,KAAK,IAAI,EAAE,CACT,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACH;QACE,OAAO,EACL,+EAA+E;KAClF,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}
+{"version":3,"file":"setup-codeql.test.js","sourceRoot":"","sources":["../src/setup-codeql.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,kDAAoC;AACpC,uCAA4C;AAC5C,4DAA8C;AAC9C,mDAMyB;AACzB,iCAKgB;AAEhB,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,CAAC,CAAC,SAAS,CACT,WAAW,CAAC,mBAAmB,CAC7B,mDAAmD,CACpD,EACD,UAAU,CACX,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9B,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,gBAAgB;QAC5B,YAAY,EAAE,kBAAkB;QAChC,cAAc,EAAE,cAAc;QAC9B,OAAO,EAAE,OAAO;QAChB,aAAa,EAAE,aAAa;QAC5B,cAAc,EAAE,cAAc;KAC/B,CAAC;IAEF,KAAK,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;QAC9D,IAAI;YACF,MAAM,aAAa,GAAG,WAAW,CAAC,eAAe,CAC/C,OAAO,EACP,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;YACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC;SAC7C;QAAC,OAAO,CAAC,EAAE;YACV,CAAC,CAAC,IAAI,CAAC,IAAA,gBAAS,EAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;SAC9B;KACF;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,2BAA2B,EAAE,CAAC,CAAC,EAAE,EAAE;IACtC,MAAM,MAAM,GAAG,IAAA,yBAAe,EAAC,IAAI,CAAC,CAAC;IAErC,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;IAE/B,kCAAkC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACtE,CAAC,CAAC,SAAS,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAAC;IAErD,mCAAmC;IACnC,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC;IACpD,MAAM,OAAO,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yEAAyE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1F,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,CAAC,CAAC,EAAE,CACF,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACD,wBAAwB,CACzB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iFAAiF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClG,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,MAAM,CAAC,CAAC,WAAW,CACjB,KAAK,IAAI,EAAE,CACT,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACH;QACE,OAAO,EACL,+EAA+E;KAClF,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,6DAA6D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9E,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,MAAM,OAAO,GAAG,sBAAsB,CAAC;QACvC,IAAA,qCAAqB,EAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,eAAe,CAC9C,6DAA6D,OAAO,+BAA+B,EACnG,0CAA0B,EAC1B,yCAAyB,EACzB,oBAAa,CAAC,MAAM,EACpB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;QAEF,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QACpC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

lib/testing-utils.js

@@ -22,15 +22,28 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createFeatures = exports.mockCodeQLVersion = exports.mockLanguagesInRepo = exports.mockFeatureFlagApiEndpoint = exports.getRecordingLogger = exports.setupActionsVars = exports.setupTests = void 0;
+exports.mockBundleDownloadApi = exports.createFeatures = exports.mockCodeQLVersion = exports.mockLanguagesInRepo = exports.mockFeatureFlagApiEndpoint = exports.getRecordingLogger = exports.setupActionsVars = exports.setupTests = exports.SAMPLE_DEFAULT_CLI_VERSION = exports.SAMPLE_DOTCOM_API_DETAILS = void 0;
 const node_util_1 = require("node:util");
+const path_1 = __importDefault(require("path"));
 const github = __importStar(require("@actions/github"));
-const nock = __importStar(require("nock"));
+const nock_1 = __importDefault(require("nock"));
 const sinon = __importStar(require("sinon"));
 const apiClient = __importStar(require("./api-client"));
 const CodeQL = __importStar(require("./codeql"));
 const util_1 = require("./util");
+exports.SAMPLE_DOTCOM_API_DETAILS = {
+    auth: "token",
+    url: "https://github.com",
+    apiURL: "https://api.github.com",
+};
+exports.SAMPLE_DEFAULT_CLI_VERSION = {
+    cliVersion: "2.0.0",
+    variant: util_1.GitHubVariant.DOTCOM,
+};
 function wrapOutput(context) {
     // Function signature taken from Socket.write.
     // Note there are two overloads:
@@ -92,7 +105,7 @@ function setupTests(test) {
             process.stdout.write(t.context.testOutput);
         }
         // Undo any modifications made by nock
-        nock.cleanAll();
+        nock_1.default.cleanAll();
         // Undo any modifications made by sinon
         sinon.restore();
         // Undo any modifications to the env
@@ -196,4 +209,26 @@ function createFeatures(enabledFeatures) {
     };
 }
 exports.createFeatures = createFeatures;
+/**
+ * Mocks the API for downloading the bundle tagged `tagName`.
+ *
+ * @returns the download URL for the bundle. This can be passed to the tools parameter of
+ * `codeql.setupCodeQL`.
+ */
+function mockBundleDownloadApi({ apiDetails = exports.SAMPLE_DOTCOM_API_DETAILS, isPinned, repo = "github/codeql-action", platformSpecific = true, tagName, }) {
+    const platform = process.platform === "win32"
+        ? "win64"
+        : process.platform === "linux"
+            ? "linux64"
+            : "osx64";
+    const baseUrl = apiDetails?.url ?? "https://example.com";
+    const relativeUrl = apiDetails
+        ? `/${repo}/releases/download/${tagName}/codeql-bundle${platformSpecific ? `-${platform}` : ""}.tar.gz`
+        : `/download/${tagName}/codeql-bundle.tar.gz`;
+    (0, nock_1.default)(baseUrl)
+        .get(relativeUrl)
+        .replyWithFile(200, path_1.default.join(__dirname, `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`));
+    return `${baseUrl}${relativeUrl}`;
+}
+exports.mockBundleDownloadApi = mockBundleDownloadApi;
 //# sourceMappingURL=testing-utils.js.map

src/analyze-action.ts

@@ -237,7 +237,8 @@ async function run() {
       threads,
       memory,
       config,
-      logger
+      logger,
+      features
     );
 
     if (actionsUtil.getRequiredInput("skip-queries") !== "true") {

src/analyze.ts

@@ -10,7 +10,7 @@ import { DatabaseCreationTimings } from "./actions-util";
 import * as analysisPaths from "./analysis-paths";
 import { CodeQL, getCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
-import { FeatureEnablement } from "./feature-flags";
+import { FeatureEnablement, Feature } from "./feature-flags";
 import { isScannedLanguage, Language } from "./languages";
 import { Logger } from "./logging";
 import { endTracingForCluster } from "./tracer-config";
@@ -80,13 +80,27 @@ export interface QueriesStatusReport {
   analyze_failure_language?: string;
 }
 
-async function setupPythonExtractor(logger: Logger) {
+async function setupPythonExtractor(
+  logger: Logger,
+  features: FeatureEnablement,
+  codeql: CodeQL
+) {
   const codeqlPython = process.env["CODEQL_PYTHON"];
   if (codeqlPython === undefined || codeqlPython.length === 0) {
     // If CODEQL_PYTHON is not set, no dependencies were installed, so we don't need to do anything
     return;
   }
 
+  if (
+    await features.getValue(Feature.DisablePythonDependencyInstallation, codeql)
+  ) {
+    logger.warning(
+      "We recommend that you remove the CODEQL_PYTHON environment variable from your workflow. This environment variable was originally used to specify a Python executable that included the dependencies of your Python code, however Python analysis no longer uses these dependencies." +
+        "\nIf you used CODEQL_PYTHON to force the version of Python to analyze as, please use CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION instead, such as 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=2.7' or 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.11'."
+    );
+    return;
+  }
+
   const scriptsFolder = path.resolve(__dirname, "../python-setup");
 
   let output = "";
@@ -119,7 +133,8 @@ async function setupPythonExtractor(logger: Logger) {
 export async function createdDBForScannedLanguages(
   codeql: CodeQL,
   config: configUtils.Config,
-  logger: Logger
+  logger: Logger,
+  features: FeatureEnablement
 ) {
   // Insert the LGTM_INDEX_X env vars at this point so they are set when
   // we extract any scanned languages.
@@ -133,7 +148,7 @@ export async function createdDBForScannedLanguages(
       logger.startGroup(`Extracting ${language}`);
 
       if (language === Language.python) {
-        await setupPythonExtractor(logger);
+        await setupPythonExtractor(logger, features, codeql);
       }
 
       await codeql.extractScannedLanguage(config, language);
@@ -165,12 +180,13 @@ async function finalizeDatabaseCreation(
   config: configUtils.Config,
   threadsFlag: string,
   memoryFlag: string,
-  logger: Logger
+  logger: Logger,
+  features: FeatureEnablement
 ): Promise<DatabaseCreationTimings> {
   const codeql = await getCodeQL(config.codeQLCmd);
 
   const extractionStart = performance.now();
-  await createdDBForScannedLanguages(codeql, config, logger);
+  await createdDBForScannedLanguages(codeql, config, logger, features);
   const extractionTime = performance.now() - extractionStart;
 
   const trapImportStart = performance.now();
@@ -474,7 +490,8 @@ export async function runFinalize(
   threadsFlag: string,
   memoryFlag: string,
   config: configUtils.Config,
-  logger: Logger
+  logger: Logger,
+  features: FeatureEnablement
 ): Promise<DatabaseCreationTimings> {
   try {
     await del(outputDir, { force: true });
@@ -489,7 +506,8 @@ export async function runFinalize(
     config,
     threadsFlag,
     memoryFlag,
-    logger
+    logger,
+    features
   );
 
   // WARNING: This does not _really_ end tracing, as the tracer will restore its

src/codeql.test.ts

@@ -16,37 +16,29 @@ import { GitHubApiDetails } from "./api-client";
 import * as codeql from "./codeql";
 import { AugmentationProperties, Config } from "./config-utils";
 import * as defaults from "./defaults.json";
-import {
+import { Feature, featureConfig } from "./feature-flags";
-  CodeQLDefaultVersionInfo,
-  Feature,
-  featureConfig,
-} from "./feature-flags";
 import { ToolsSource } from "./init";
 import { Language } from "./languages";
 import { getRunnerLogger } from "./logging";
-import { setupTests, createFeatures, setupActionsVars } from "./testing-utils";
+import {
+  setupTests,
+  createFeatures,
+  setupActionsVars,
+  SAMPLE_DOTCOM_API_DETAILS,
+  SAMPLE_DEFAULT_CLI_VERSION,
+  mockBundleDownloadApi,
+} from "./testing-utils";
 import * as util from "./util";
 import { initializeEnvironment } from "./util";
 
 setupTests(test);
 
-const sampleApiDetails = {
-  auth: "token",
-  url: "https://github.com",
-  apiURL: "https://api.github.com",
-};
-
 const sampleGHAEApiDetails = {
   auth: "token",
   url: "https://example.githubenterprise.com",
   apiURL: "https://example.githubenterprise.com/api/v3",
 };
 
-const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
-  cliVersion: "2.0.0",
-  variant: util.GitHubVariant.DOTCOM,
-};
-
 let stubConfig: Config;
 
 test.beforeEach(() => {
@@ -78,54 +70,8 @@ test.beforeEach(() => {
   };
 });
 
-/**
- * Mocks the API for downloading the bundle tagged `tagName`.
- *
- * @returns the download URL for the bundle. This can be passed to the tools parameter of
- * `codeql.setupCodeQL`.
- */
-function mockDownloadApi({
-  apiDetails = sampleApiDetails,
-  isPinned,
-  repo = "github/codeql-action",
-  platformSpecific = true,
-  tagName,
-}: {
-  apiDetails?: GitHubApiDetails;
-  isPinned?: boolean;
-  repo?: string;
-  platformSpecific?: boolean;
-  tagName: string;
-}): string {
-  const platform =
-    process.platform === "win32"
-      ? "win64"
-      : process.platform === "linux"
-      ? "linux64"
-      : "osx64";
-
-  const baseUrl = apiDetails?.url ?? "https://example.com";
-  const relativeUrl = apiDetails
-    ? `/${repo}/releases/download/${tagName}/codeql-bundle${
-        platformSpecific ? `-${platform}` : ""
-      }.tar.gz`
-    : `/download/${tagName}/codeql-bundle.tar.gz`;
-
-  nock(baseUrl)
-    .get(relativeUrl)
-    .replyWithFile(
-      200,
-      path.join(
-        __dirname,
-        `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`
-      )
-    );
-
-  return `${baseUrl}${relativeUrl}`;
-}
-
 async function installIntoToolcache({
-  apiDetails = sampleApiDetails,
+  apiDetails = SAMPLE_DOTCOM_API_DETAILS,
   cliVersion,
   isPinned,
   tagName,
@@ -137,7 +83,7 @@ async function installIntoToolcache({
   tagName: string;
   tmpDir: string;
 }) {
-  const url = mockDownloadApi({ apiDetails, isPinned, tagName });
+  const url = mockBundleDownloadApi({ apiDetails, isPinned, tagName });
   await codeql.setupCodeQL(
     cliVersion !== undefined ? undefined : url,
     apiDetails,
@@ -152,7 +98,7 @@ async function installIntoToolcache({
 }
 
 function mockReleaseApi({
-  apiDetails = sampleApiDetails,
+  apiDetails = SAMPLE_DOTCOM_API_DETAILS,
   assetNames,
   tagName,
 }: {
@@ -195,13 +141,13 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
     for (let i = 0; i < versions.length; i++) {
       const version = versions[i];
 
-      const url = mockDownloadApi({
+      const url = mockBundleDownloadApi({
         tagName: `codeql-bundle-${version}`,
         isPinned: false,
       });
       const result = await codeql.setupCodeQL(
         url,
-        sampleApiDetails,
+        SAMPLE_DOTCOM_API_DETAILS,
         tmpDir,
         util.GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
@@ -229,12 +175,12 @@ test("downloads an explicitly requested bundle even if a different version is ca
       tmpDir,
     });
 
-    const url = mockDownloadApi({
+    const url = mockBundleDownloadApi({
       tagName: "codeql-bundle-20200610",
     });
     const result = await codeql.setupCodeQL(
       url,
-      sampleApiDetails,
+      SAMPLE_DOTCOM_API_DETAILS,
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
@@ -271,20 +217,20 @@ for (const {
     await util.withTmpDir(async (tmpDir) => {
       setupActionsVars(tmpDir, tmpDir);
 
-      mockApiDetails(sampleApiDetails);
+      mockApiDetails(SAMPLE_DOTCOM_API_DETAILS);
       sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
 
       const releaseApiMock = mockReleaseApi({
         assetNames: [`cli-version-${cliVersion}.txt`],
         tagName: "codeql-bundle-20200610",
       });
-      const url = mockDownloadApi({
+      const url = mockBundleDownloadApi({
         tagName: "codeql-bundle-20200610",
       });
 
       const result = await codeql.setupCodeQL(
         url,
-        sampleApiDetails,
+        SAMPLE_DOTCOM_API_DETAILS,
         tmpDir,
         util.GitHubVariant.DOTCOM,
         SAMPLE_DEFAULT_CLI_VERSION,
@@ -351,7 +297,7 @@ for (const { githubReleases, toolcacheVersion } of [
 
         const result = await codeql.setupCodeQL(
           undefined,
-          sampleApiDetails,
+          SAMPLE_DOTCOM_API_DETAILS,
           tmpDir,
           util.GitHubVariant.DOTCOM,
           SAMPLE_DEFAULT_CLI_VERSION,
@@ -379,7 +325,7 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
 
       const result = await codeql.setupCodeQL(
         undefined,
-        sampleApiDetails,
+        SAMPLE_DOTCOM_API_DETAILS,
         tmpDir,
         variant,
         {
@@ -409,12 +355,12 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
         tmpDir,
       });
 
-      mockDownloadApi({
+      mockBundleDownloadApi({
         tagName: defaults.bundleVersion,
       });
       const result = await codeql.setupCodeQL(
         undefined,
-        sampleApiDetails,
+        SAMPLE_DOTCOM_API_DETAILS,
         tmpDir,
         variant,
         {
@@ -445,12 +391,12 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
       tmpDir,
     });
 
-    mockDownloadApi({
+    mockBundleDownloadApi({
       tagName: defaults.bundleVersion,
     });
     const result = await codeql.setupCodeQL(
       "latest",
-      sampleApiDetails,
+      SAMPLE_DOTCOM_API_DETAILS,
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
@@ -547,13 +493,13 @@ test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t)
   await util.withTmpDir(async (tmpDir) => {
     setupActionsVars(tmpDir, tmpDir);
 
-    mockApiDetails(sampleApiDetails);
+    mockApiDetails(SAMPLE_DOTCOM_API_DETAILS);
     sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
     const releasesApiMock = mockReleaseApi({
       assetNames: ["cli-version-2.12.2.txt"],
       tagName: "codeql-bundle-20230203",
     });
-    mockDownloadApi({
+    mockBundleDownloadApi({
       repo: "codeql-testing/codeql-cli-nightlies",
       platformSpecific: false,
       tagName: "codeql-bundle-20230203",
@@ -561,7 +507,7 @@ test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t)
 
     const result = await codeql.setupCodeQL(
       "https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz",
-      sampleApiDetails,
+      SAMPLE_DOTCOM_API_DETAILS,
       tmpDir,
       util.GitHubVariant.DOTCOM,
       SAMPLE_DEFAULT_CLI_VERSION,
@@ -622,54 +568,6 @@ test("getExtraOptions throws for bad content", (t) => {
   );
 });
 
-test("databaseInterpretResults() does not set --sarif-add-query-help for 2.7.0", async (t) => {
-  const runnerConstructorStub = stubToolRunnerConstructor();
-  const codeqlObject = await codeql.getCodeQLForTesting();
-  sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
-  // safeWhich throws because of the test CodeQL object.
-  sinon.stub(safeWhich, "safeWhich").resolves("");
-  await codeqlObject.databaseInterpretResults(
-    "",
-    [],
-    "",
-    "",
-    "",
-    "-v",
-    "",
-    stubConfig,
-    createFeatures([]),
-    getRunnerLogger(true)
-  );
-  t.false(
-    runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"),
-    "--sarif-add-query-help should be absent, but it is present"
-  );
-});
-
-test("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (t) => {
-  const runnerConstructorStub = stubToolRunnerConstructor();
-  const codeqlObject = await codeql.getCodeQLForTesting();
-  sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
-  // safeWhich throws because of the test CodeQL object.
-  sinon.stub(safeWhich, "safeWhich").resolves("");
-  await codeqlObject.databaseInterpretResults(
-    "",
-    [],
-    "",
-    "",
-    "",
-    "-v",
-    "",
-    stubConfig,
-    createFeatures([]),
-    getRunnerLogger(true)
-  );
-  t.true(
-    runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"),
-    "--sarif-add-query-help should be present, but it is absent"
-  );
-});
-
 test("databaseInitCluster() without injected codescanning config", async (t) => {
   await util.withTmpDir(async (tempDir) => {
     const runnerConstructorStub = stubToolRunnerConstructor();

src/codeql.ts

@@ -196,6 +196,8 @@ export interface CodeQL {
     config: Config,
     features: FeatureEnablement
   ): Promise<void>;
+  /** Get the location of an extractor for the specified language. */
+  resolveExtractor(language: Language): Promise<string>;
 }
 
 export interface ResolveLanguagesOutput {
@@ -259,7 +261,6 @@ const CODEQL_MINIMUM_VERSION = "2.8.5";
  * For convenience, please keep these in descending order. Once a version
  * flag is older than the oldest supported version above, it may be removed.
  */
-const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
 const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
 const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
 export const CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
@@ -418,6 +419,7 @@ export function setCodeQL(partialCodeql: Partial<CodeQL>): CodeQL {
       "databaseExportDiagnostics"
     ),
     diagnosticsExport: resolveFunction(partialCodeql, "diagnosticsExport"),
+    resolveExtractor: resolveFunction(partialCodeql, "resolveExtractor"),
   };
   return cachedCodeQL;
 }
@@ -547,17 +549,10 @@ export async function getCodeQLForCmd(
       );
     },
     async runAutobuild(language: Language) {
-      const cmdName =
-        process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh";
-      // The autobuilder for Swift is located in the experimental/ directory.
-      const possibleExperimentalDir =
-        language === Language.swift ? "experimental" : "";
       const autobuildCmd = path.join(
-        path.dirname(cmd),
+        await this.resolveExtractor(language),
-        possibleExperimentalDir,
-        language,
         "tools",
-        cmdName
+        process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh"
       );
 
       // Update JAVA_TOOL_OPTIONS to contain '-Dhttp.keepAlive=false'
@@ -590,37 +585,11 @@ export async function getCodeQLForCmd(
     },
     async extractScannedLanguage(config: Config, language: Language) {
       const databasePath = util.getCodeQLDatabasePath(config, language);
-      // Get extractor location
-      //
-      // Request it using `format=json` so we don't need to strip the trailing new line generated by
-      // the CLI.
-      let extractorPath = "";
-      await new toolrunner.ToolRunner(
-        cmd,
-        [
-          "resolve",
-          "extractor",
-          "--format=json",
-          `--language=${language}`,
-          ...getExtraOptionsFromEnv(["resolve", "extractor"]),
-        ],
-        {
-          silent: true,
-          listeners: {
-            stdout: (data) => {
-              extractorPath += data.toString();
-            },
-            stderr: (data) => {
-              process.stderr.write(data);
-            },
-          },
-        }
-      ).exec();
 
       // Set trace command
       const ext = process.platform === "win32" ? ".cmd" : ".sh";
       const traceCommand = path.resolve(
-        JSON.parse(extractorPath) as string,
+        await this.resolveExtractor(language),
         "tools",
         `autobuild${ext}`
       );
@@ -773,12 +742,11 @@ export async function getCodeQLForCmd(
         addSnippetsFlag,
         "--print-diagnostics-summary",
         "--print-metrics-summary",
+        "--sarif-add-query-help",
         "--sarif-group-rules-by-pack",
         ...(await getCodeScanningConfigExportArguments(config, this, features)),
         ...getExtraOptionsFromEnv(["database", "interpret-results"]),
       ];
-      if (await util.codeQlVersionAbove(this, CODEQL_VERSION_CUSTOM_QUERY_HELP))
-        codeqlArgs.push("--sarif-add-query-help");
       if (automationDetailsId !== undefined) {
         codeqlArgs.push("--sarif-category", automationDetailsId);
       }
@@ -954,6 +922,33 @@ export async function getCodeQLForCmd(
       }
       await new toolrunner.ToolRunner(cmd, args).exec();
     },
+    async resolveExtractor(language: Language): Promise<string> {
+      // Request it using `format=json` so we don't need to strip the trailing new line generated by
+      // the CLI.
+      let extractorPath = "";
+      await new toolrunner.ToolRunner(
+        cmd,
+        [
+          "resolve",
+          "extractor",
+          "--format=json",
+          `--language=${language}`,
+          ...getExtraOptionsFromEnv(["resolve", "extractor"]),
+        ],
+        {
+          silent: true,
+          listeners: {
+            stdout: (data) => {
+              extractorPath += data.toString();
+            },
+            stderr: (data) => {
+              process.stderr.write(data);
+            },
+          },
+        }
+      ).exec();
+      return JSON.parse(extractorPath);
+    },
   };
   // To ensure that status reports include the CodeQL CLI version wherever
   // possible, we want to call getVersion(), which populates the version value

src/feature-flags.ts

@@ -43,6 +43,7 @@ export enum Feature {
   ExportDiagnosticsEnabled = "export_diagnostics_enabled",
   MlPoweredQueriesEnabled = "ml_powered_queries_enabled",
   UploadFailedSarifEnabled = "upload_failed_sarif_enabled",
+  DisablePythonDependencyInstallation = "disable_python_dependency_installation",
 }
 
 export const featureConfig: Record<
@@ -80,6 +81,16 @@ export const featureConfig: Record<
     minimumVersion: "2.11.3",
     defaultValue: true,
   },
+  [Feature.DisablePythonDependencyInstallation]: {
+    envVar: "CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION",
+    // Although the python extractor only started supporting not extracting installed
+    // dependencies in 2.13.1, the init-action can still benefit from not installing
+    // dependencies no matter what codeql version we are using, so therefore the
+    // minimumVersion is set to 'undefined'. This means that with an old CodeQL version,
+    // packages available with current python3 installation might get extracted.
+    minimumVersion: undefined,
+    defaultValue: false,
+  },
 };
 
 /**

src/init-action.ts

@@ -277,6 +277,14 @@ async function run() {
       config.languages.includes(Language.python) &&
       getRequiredInput("setup-python-dependencies") === "true"
     ) {
+      if (
+        await features.getValue(
+          Feature.DisablePythonDependencyInstallation,
+          codeql
+        )
+      ) {
+        logger.info("Skipping python dependency installation");
+      } else {
         try {
           await installPythonDeps(codeql, logger);
         } catch (unwrappedError) {
@@ -286,6 +294,7 @@ async function run() {
           );
         }
       }
+    }
   } catch (unwrappedError) {
     const error = wrapError(unwrappedError);
     core.setFailed(error.message);
@@ -331,6 +340,19 @@ async function run() {
       core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
     }
 
+    // Disable Python dependency extraction if feature flag set
+    if (
+      await features.getValue(
+        Feature.DisablePythonDependencyInstallation,
+        codeql
+      )
+    ) {
+      core.exportVariable(
+        "CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION",
+        "true"
+      );
+    }
+
     const sourceRoot = path.resolve(
       getRequiredEnvParam("GITHUB_WORKSPACE"),
       getOptionalInput("source-root") || ""

src/setup-codeql.test.ts

@@ -7,8 +7,19 @@ import * as actionsUtil from "./actions-util";
 import * as api from "./api-client";
 import { getRunnerLogger } from "./logging";
 import * as setupCodeql from "./setup-codeql";
-import { setupTests } from "./testing-utils";
+import {
-import { initializeEnvironment, wrapError } from "./util";
+  SAMPLE_DEFAULT_CLI_VERSION,
+  SAMPLE_DOTCOM_API_DETAILS,
+  mockBundleDownloadApi,
+  setupActionsVars,
+  setupTests,
+} from "./testing-utils";
+import {
+  GitHubVariant,
+  initializeEnvironment,
+  withTmpDir,
+  wrapError,
+} from "./util";
 
 setupTests(test);
 
@@ -123,3 +134,21 @@ test("findCodeQLBundleTagDotcomOnly() errors if no GitHub Release matches marker
     }
   );
 });
+
+test("getCodeQLSource sets CLI version for a semver tagged bundle", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+    const tagName = "codeql-bundle-v1.2.3";
+    mockBundleDownloadApi({ tagName });
+    const source = await setupCodeql.getCodeQLSource(
+      `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`,
+      SAMPLE_DEFAULT_CLI_VERSION,
+      SAMPLE_DOTCOM_API_DETAILS,
+      GitHubVariant.DOTCOM,
+      getRunnerLogger(true)
+    );
+
+    t.is(source.sourceType, "download");
+    t.is(source["cliVersion"], "1.2.3");
+  });
+});

src/setup-codeql.ts

@@ -400,6 +400,14 @@ export async function getCodeQLSource(
     // If a tools URL was provided, then use that.
     tagName = tryGetTagNameFromUrl(toolsInput, logger);
     url = toolsInput;
+
+    if (tagName) {
+      const bundleVersion = tryGetBundleVersionFromTagName(tagName, logger);
+      // If the bundle version is a semantic version, it is a CLI version number.
+      if (bundleVersion && semver.valid(bundleVersion)) {
+        cliVersion = convertToSemVer(bundleVersion, logger);
+      }
+    }
   } else {
     // Otherwise, use the default CLI version passed in.
     cliVersion = defaultCliVersion.cliVersion;

src/testing-utils.ts

@@ -1,15 +1,32 @@
 import { TextDecoder } from "node:util";
+import path from "path";
 
 import * as github from "@actions/github";
 import { TestFn } from "ava";
-import * as nock from "nock";
+import nock from "nock";
 import * as sinon from "sinon";
 
 import * as apiClient from "./api-client";
+import { GitHubApiDetails } from "./api-client";
 import * as CodeQL from "./codeql";
-import { Feature, FeatureEnablement } from "./feature-flags";
+import {
+  CodeQLDefaultVersionInfo,
+  Feature,
+  FeatureEnablement,
+} from "./feature-flags";
 import { Logger } from "./logging";
-import { HTTPError } from "./util";
+import { GitHubVariant, HTTPError } from "./util";
+
+export const SAMPLE_DOTCOM_API_DETAILS = {
+  auth: "token",
+  url: "https://github.com",
+  apiURL: "https://api.github.com",
+};
+
+export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = {
+  cliVersion: "2.0.0",
+  variant: GitHubVariant.DOTCOM,
+};
 
 type TestContext = {
   stdoutWrite: any;
@@ -212,3 +229,49 @@ export function createFeatures(enabledFeatures: Feature[]): FeatureEnablement {
     },
   };
 }
+
+/**
+ * Mocks the API for downloading the bundle tagged `tagName`.
+ *
+ * @returns the download URL for the bundle. This can be passed to the tools parameter of
+ * `codeql.setupCodeQL`.
+ */
+export function mockBundleDownloadApi({
+  apiDetails = SAMPLE_DOTCOM_API_DETAILS,
+  isPinned,
+  repo = "github/codeql-action",
+  platformSpecific = true,
+  tagName,
+}: {
+  apiDetails?: GitHubApiDetails;
+  isPinned?: boolean;
+  repo?: string;
+  platformSpecific?: boolean;
+  tagName: string;
+}): string {
+  const platform =
+    process.platform === "win32"
+      ? "win64"
+      : process.platform === "linux"
+      ? "linux64"
+      : "osx64";
+
+  const baseUrl = apiDetails?.url ?? "https://example.com";
+  const relativeUrl = apiDetails
+    ? `/${repo}/releases/download/${tagName}/codeql-bundle${
+        platformSpecific ? `-${platform}` : ""
+      }.tar.gz`
+    : `/download/${tagName}/codeql-bundle.tar.gz`;
+
+  nock(baseUrl)
+    .get(relativeUrl)
+    .replyWithFile(
+      200,
+      path.join(
+        __dirname,
+        `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`
+      )
+    );
+
+  return `${baseUrl}${relativeUrl}`;
+}