PR checks: stop setting experimental Swift var for new CLI versions (#1718)

Now that `latest` and `cached` are both 2.13.3, which is the version in which we GA'ed Swift, we should stop setting this experimental variable when we test these CLI versions so we can test the case where the variable is unset.

.github/actions/setup-swift/action.yml

@@ -1,5 +1,5 @@
 name: "Set up Swift"
-description: Sets up an appropriate Swift version if Swift is enabled via CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT.
+description: Sets up an appropriate Swift version if supported on this platform.
 inputs:
   codeql-path:
     description: Path to the CodeQL CLI executable.
@@ -9,24 +9,29 @@ runs:
   steps:
     - name: Get Swift version
       id: get_swift_version
-      if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
+      if: runner.os != 'Windows'
       shell: bash
       env: 
         CODEQL_PATH: ${{ inputs.codeql-path }}
       run: |
-        if [ $RUNNER_OS = "macOS" ]; then
+        if [[ $RUNNER_OS = "macOS" ]]; then
           PLATFORM="osx64"
         else # We do not run this step on Windows.
           PLATFORM="linux64"
         fi 
         SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
-        VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/$PLATFORM/extractor" --version | awk '/version/ { print $3 }')"
-        # Specify 5.7.0, otherwise setup Action will default to latest minor version. 
-        if [ $VERSION = "5.7" ]; then
-          VERSION="5.7.0"
+        if [ $SWIFT_EXTRACTOR_DIR = "null" ]; then
+          VERSION="null"
+        else
+          VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/$PLATFORM/extractor" --version | awk '/version/ { print $3 }')"
+          # Specify 5.7.0, otherwise setup Action will default to latest minor version. 
+          if [ $VERSION = "5.7" ]; then
+            VERSION="5.7.0"
+          fi
         fi
         echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
+
     - uses: swift-actions/setup-swift@65540b95f51493d65f5e59e97dcef9629ddf11bf # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
-      if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
+      if: runner.os != 'Windows' && steps.get_swift_version.outputs.version != 'null'
       with:
         swift-version: "${{ steps.get_swift_version.outputs.version }}"

.github/workflows/__analyze-ref-input.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: "Analyze: 'ref' and 'sha' from inputs"
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -82,10 +85,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__autobuild-action.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - autobuild-action
@@ -32,6 +32,9 @@ jobs:
         - os: windows-latest
           version: latest
     name: autobuild-action
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -46,10 +49,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__config-export.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Config export
@@ -38,6 +38,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: Config export
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -52,10 +55,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__diagnostics-export.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Diagnostic export
@@ -44,6 +44,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: Diagnostic export
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -58,10 +61,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__export-file-baseline-information.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Export file baseline information
@@ -32,6 +32,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: Export file baseline information
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -46,10 +49,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__extractor-ram-threads.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Extractor ram and threads options test
@@ -28,6 +28,9 @@ jobs:
         - os: ubuntu-latest
           version: latest
     name: Extractor ram and threads options test
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -42,10 +45,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__go-custom-queries.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: Custom queries'
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Go: Custom queries'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -82,10 +85,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__go-tracing-autobuilder.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: tracing with autobuilder step'
@@ -54,6 +54,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: 'Go: tracing with autobuilder step'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -68,10 +71,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: tracing with custom build steps'
@@ -54,6 +54,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: 'Go: tracing with custom build steps'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -68,10 +71,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: tracing with legacy workflow'
@@ -54,6 +54,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: 'Go: tracing with legacy workflow'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -68,10 +71,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__init-with-registries.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Download using registries'
@@ -44,6 +44,10 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Download using registries'
+    permissions:
+      contents: read
+      packages: read
+
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -58,10 +62,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
@@ -128,9 +129,5 @@ jobs:
             cat $QLCONFIG_PATH
             exit 1
         fi
-    permissions:
-      contents: read
-      packages: read
-
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__javascript-source-root.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Custom source root
@@ -32,6 +32,9 @@ jobs:
         - os: ubuntu-latest
           version: nightly-latest
     name: Custom source root
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -46,10 +49,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__ml-powered-queries.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - ML-powered queries
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: ML-powered queries
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -82,10 +85,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__multi-language-autodetect.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Multi-language repository
@@ -54,6 +54,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: Multi-language repository
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -68,10 +71,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
@@ -94,7 +94,7 @@ jobs:
       with:
         upload-database: false
 
-    - name: Check language autodetect for all languages excluding Ruby, Swift
+    - name: Check language autodetect for all languages excluding Swift
       shell: bash
       run: |
         CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
@@ -127,11 +127,6 @@ jobs:
           echo "Did not create a database for Python, or created it in the wrong location."
           exit 1
         fi
-
-    - name: Check language autodetect for Ruby
-      if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
-      shell: bash
-      run: |
         RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
         if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
           echo "Did not create a database for Ruby, or created it in the wrong location."
@@ -139,7 +134,9 @@ jobs:
         fi
 
     - name: Check language autodetect for Swift
-      if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
+      if: >-
+        env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' || 
+            (runner.os != 'Windows' && matrix.version == 'nightly-latest')
       shell: bash
       run: |
         SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config and input passed to the CLI'
@@ -44,6 +44,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Config and input passed to the CLI'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -58,10 +61,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__packaging-config-inputs-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config and input'
@@ -44,6 +44,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Config and input'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -58,10 +61,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__packaging-config-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config file'
@@ -44,6 +44,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Config file'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -58,10 +61,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__packaging-inputs-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Action input'
@@ -44,6 +44,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Action input'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -58,10 +61,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__remote-config.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Remote config file
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: Remote config file
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -82,10 +85,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__rubocop-multi-language.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - RuboCop multi-language
@@ -28,6 +28,9 @@ jobs:
         - os: ubuntu-latest
           version: cached
     name: RuboCop multi-language
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -42,10 +45,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__ruby.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Ruby analysis
@@ -38,6 +38,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: Ruby analysis
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -52,10 +55,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__split-workflow.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Split workflow
@@ -38,6 +38,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: Split workflow
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -52,10 +55,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__submit-sarif-failure.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Submit SARIF after failure
@@ -32,6 +32,9 @@ jobs:
         - os: ubuntu-latest
           version: nightly-latest
     name: Submit SARIF after failure
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -46,10 +49,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__swift-custom-build.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Swift analysis using a custom build command
@@ -38,6 +38,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: Swift analysis using a custom build command
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -52,10 +55,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__test-autobuild-working-dir.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Autobuild working directory
@@ -28,6 +28,9 @@ jobs:
         - os: ubuntu-latest
           version: latest
     name: Autobuild working directory
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -42,10 +45,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__test-local-codeql.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Local CodeQL bundle
@@ -28,6 +28,9 @@ jobs:
         - os: ubuntu-latest
           version: nightly-latest
     name: Local CodeQL bundle
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -42,10 +45,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__test-proxy.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Proxy test
@@ -28,6 +28,9 @@ jobs:
         - os: ubuntu-latest
           version: latest
     name: Proxy test
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -42,10 +45,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__unset-environment.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Test unsetting environment variables
@@ -40,6 +40,9 @@ jobs:
         - os: ubuntu-latest
           version: nightly-latest
     name: Test unsetting environment variables
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -54,10 +57,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__upload-ref-sha-input.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: "Upload-sarif: 'ref' and 'sha' from inputs"
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -82,10 +85,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__with-checkout-path.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Use a custom `checkout_path`
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: Use a custom `checkout_path`
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -82,10 +85,7 @@ jobs:
       if: >-
         runner.os != 'Windows' && (
             matrix.version == '20220908' ||
-            matrix.version == '20221211' ||
-            matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
-            matrix.version == 'nightly-latest'
+            matrix.version == '20221211'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/debug-artifacts.yml

@@ -49,11 +49,15 @@ jobs:
         with:
           go-version: ^1.13.1
       - uses: ./../action/init
+        id: init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
           debug: true
           debug-artifact-name: my-debug-artifacts
           debug-database-name: my-db
+      - uses: ./../action/.github/actions/setup-swift
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
       - name: Build code
         shell: bash
         run: ./build.sh

.github/workflows/post-release-mergeback.yml

@@ -40,7 +40,7 @@ jobs:
 
       - name: Update git config
         run: |
-          git config --global user.email "github-actions@github.com"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
       - name: Get version and new branch

.github/workflows/python-deps.yml

@@ -72,7 +72,7 @@ jobs:
 
     - name: Verify packages installed
       run: |
-        $GITHUB_WORKSPACE/python-setup/tests/check_requests_2_26_0.sh ${PYTHON_VERSION}
+        $GITHUB_WORKSPACE/python-setup/tests/check_requests.sh ${PYTHON_VERSION} 2.31.0
 
   # This one shouldn't fail, but also won't install packages
   test-setup-python-scripts-non-standard-location:
@@ -170,5 +170,5 @@ jobs:
 
     - name: Verify packages installed
       run: |
-        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\tests\\check_requests_2_26_0.ps1"
-        powershell -File $cmd $Env:PYTHON_VERSION
+        $cmd = $Env:GITHUB_WORKSPACE + "\\python-setup\\tests\\check_requests.ps1"
+        powershell -File $cmd $Env:PYTHON_VERSION 2.31.0

.github/workflows/update-bundle.yml

@@ -30,7 +30,7 @@ jobs:
 
       - name: Update git config
         run: |
-          git config --global user.email "github-actions@github.com"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
       - name: Update bundle

.github/workflows/update-dependencies.yml

@@ -29,7 +29,7 @@ jobs:
         git checkout "origin/$BRANCH"
         .github/workflows/script/update-node-modules.sh update
         if [ ! -z "$(git status --porcelain)" ]; then
-          git config --global user.email "github-actions@github.com"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
           git add node_modules
           git commit -am "Update checked-in dependencies"

.github/workflows/update-release-branch.yml

@@ -35,7 +35,7 @@ jobs:
 
     - name: Update git config
       run: |
-        git config --global user.email "github-actions@github.com"
+        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
         git config --global user.name "github-actions[bot]"
 
     - name: Update release branch

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -35,14 +35,22 @@ jobs:
           npm run build
         env:
           ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
-      - name: Commit Changes
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 # v5.0.1
-        with:
-          commit-message: Update supported GitHub Enterprise Server versions.
-          title: Update supported GitHub Enterprise Server versions.
-          body: ""
-          author: GitHub <noreply@github.com>
-          branch: update-supported-enterprise-server-versions
-          draft: true
+
+      - name: Update git config
+        run: |
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+
+      - name: Commit changes and open PR
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [[ -z $(git status --porcelain) ]]; then
+            echo "No changes to commit"
+          else
+            git checkout -b update-supported-enterprise-server-versions
+            git add .
+            git commit --message "Update supported GitHub Enterprise Server versions"
+            git push origin update-supported-enterprise-server-versions
+            gh pr create --fill --draft
+          fi

.github/workflows/update-supported-enterprise-server-versions/update.py

@@ -35,7 +35,10 @@ def main():
 
 		if oldest_supported_release is None or release_version < oldest_supported_release:
 			end_of_life_date = datetime.date.fromisoformat(release_data["end"])
-			if end_of_life_date > datetime.date.today():
+			# The GHES version is not actually end of life until the end of the day specified by
+			# `end_of_life_date`. Wait an extra week to be safe.
+			is_end_of_life = datetime.date.today() > end_of_life_date + datetime.timedelta(weeks=1)
+			if not is_end_of_life:
 				oldest_supported_release = release_version
 
 	api_compatibility_data = {

CHANGELOG.md

@@ -2,13 +2,31 @@
 
 ## [UNRELEASED]
 
+No user facing changes.
+
+## 2.3.6 - 01 Jun 2023
+
+- Update default CodeQL bundle version to 2.13.3. [#1698](https://github.com/github/codeql-action/pull/1698)
+
+## 2.3.5 - 25 May 2023
+
+- Allow invalid URIs to be used as values to `artifactLocation.uri` properties. This reverses a change from [#1668](https://github.com/github/codeql-action/pull/1668) that inadvertently led to stricter validation of some URI values. [#1705](https://github.com/github/codeql-action/pull/1705)
+- Gracefully handle invalid URIs when fingerprinting. [#1694](https://github.com/github/codeql-action/pull/1694)
+
+## 2.3.4 - 24 May 2023
+
+- Updated the SARIF 2.1.0 JSON schema file to the latest from [oasis-tcs/sarif-spec](https://github.com/oasis-tcs/sarif-spec/blob/123e95847b13fbdd4cbe2120fa5e33355d4a042b/Schemata/sarif-schema-2.1.0.json). [#1668](https://github.com/github/codeql-action/pull/1668)
+- We are rolling out a feature in May 2023 that will disable Python dependency installation for new users of the CodeQL Action. This improves the speed of analysis while having only a very minor impact on results. [#1676](https://github.com/github/codeql-action/pull/1676)
+- We are improving the way that [CodeQL bundles](https://github.com/github/codeql-action/releases) are tagged to make it possible to easily identify bundles by their CodeQL semantic version. [#1682](https://github.com/github/codeql-action/pull/1682)
+  - As of CodeQL CLI 2.13.4, CodeQL bundles will be tagged using semantic versions, for example `codeql-bundle-v2.13.4`, instead of timestamps, like `codeql-bundle-20230615`.
+  - This change does not affect the majority of workflows, and we will not be changing tags for existing bundle releases.
+  - Some workflows with custom logic that depends on the specific format of the CodeQL bundle tag may need to be updated. For example, if your workflow matches CodeQL bundle tag names against a `codeql-bundle-yyyymmdd` pattern, you should update it to also recognize `codeql-bundle-vx.y.z` tags.
 - Remove the requirement for `on.push` and `on.pull_request` to trigger on the same branches. [#1675](https://github.com/github/codeql-action/pull/1675)
 
 ## 2.3.3 - 04 May 2023
 
 - Update default CodeQL bundle version to 2.13.1. [#1664](https://github.com/github/codeql-action/pull/1664)
 - You can now configure CodeQL within your code scanning workflow by passing a `config` input to the `init` Action. See [Using a custom configuration file](https://aka.ms/code-scanning-docs/config-file) for more information about configuring code scanning. [#1590](https://github.com/github/codeql-action/pull/1590)
-- Updated the SARIF 2.1.0 JSON schema file to the latest from [oasis-tcs/sarif-spec](https://github.com/oasis-tcs/sarif-spec/blob/123e95847b13fbdd4cbe2120fa5e33355d4a042b/Schemata/sarif-schema-2.1.0.json). [#1668](https://github.com/github/codeql-action/pull/1668)
 
 ## 2.3.2 - 27 Apr 2023
 

CONTRIBUTING.md

@@ -12,7 +12,7 @@ Please note that this project is released with a [Contributor Code of Conduct][c
 
 ## Development and Testing
 
-Before you start, ensure that you have a recent version of node (14 or higher) installed, along with a recent version of npm (7 or higher). You can see which version of node is used by the action in `init/action.yml`.
+Before you start, ensure that you have a recent version of node (16 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`.
 
 ### Common tasks
 

README.md

@@ -170,3 +170,7 @@ You can use Actions or environment variables to share configuration across multi
 ## Troubleshooting
 
 Read about [troubleshooting code scanning](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning).
+
+## Contributing
+
+This project welcomes contributions. See [CONTRIBUTING.md](CONTRIBUTING.md) for details on how to build, install, and contribute.

lib/actions-util.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getUploadValue = exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.workflowEventName = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionVersion = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
+exports.getUploadValue = exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.getWorkflowEventName = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionVersion = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
@@ -104,7 +104,7 @@ exports.getCommitOid = getCommitOid;
  * Returns undefined if run by other triggers or the merge base cannot be determined.
  */
 const determineMergeBaseCommitOid = async function () {
-    if (workflowEventName() !== "pull_request") {
+    if (getWorkflowEventName() !== "pull_request") {
         return undefined;
     }
     const mergeSha = (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
@@ -155,7 +155,7 @@ exports.determineMergeBaseCommitOid = determineMergeBaseCommitOid;
  *
  * This will combine the workflow path and current job name.
  * Computing this the first time requires making requests to
- * the github API, but after that the result will be cached.
+ * the GitHub API, but after that the result will be cached.
  */
 async function getAnalysisKey() {
     const analysisKeyEnvVar = "CODEQL_ACTION_ANALYSIS_KEY";
@@ -395,7 +395,8 @@ async function sendStatusReport(statusReport) {
         if ((0, util_1.isHTTPError)(e)) {
             switch (e.status) {
                 case 403:
-                    if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
+                    if (getWorkflowEventName() === "push" &&
+                        process.env["GITHUB_ACTOR"] === "dependabot[bot]") {
                         core.setFailed('Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
                             "Uploading Code Scanning results requires write access. " +
                             'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
@@ -428,42 +429,36 @@ async function sendStatusReport(statusReport) {
     }
 }
 exports.sendStatusReport = sendStatusReport;
-function workflowEventName() {
-    // If the original event is dynamic CODESCANNING_EVENT_NAME will contain the right info (push/pull_request)
-    if (process.env["GITHUB_EVENT_NAME"] === "dynamic") {
-        const value = process.env["CODESCANNING_EVENT_NAME"];
-        if (value === undefined || value.length === 0) {
-            return process.env["GITHUB_EVENT_NAME"];
-        }
-        return value;
-    }
-    return process.env["GITHUB_EVENT_NAME"];
+/**
+ * Returns the name of the event that triggered this workflow.
+ *
+ * This will be "dynamic" for default setup workflow runs.
+ */
+function getWorkflowEventName() {
+    return (0, util_1.getRequiredEnvParam)("GITHUB_EVENT_NAME");
 }
-exports.workflowEventName = workflowEventName;
-// Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
-function workflowIsTriggeredByPushEvent() {
-    return workflowEventName() === "push";
-}
-// Is dependabot the actor that triggered the current workflow run.
-function isDependabotActor() {
-    return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
-}
-// Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
-// as opposed to running a remote action (i.e. when another repo references us)
+exports.getWorkflowEventName = getWorkflowEventName;
+/**
+ * Returns whether the current workflow is executing a local copy of the Action, e.g. we're running
+ * a workflow on the codeql-action repo itself.
+ */
 function isRunningLocalAction() {
     const relativeScriptPath = getRelativeScriptPath();
     return (relativeScriptPath.startsWith("..") || path.isAbsolute(relativeScriptPath));
 }
 exports.isRunningLocalAction = isRunningLocalAction;
-// Get the location where the action is running from.
-// This can be used to get the actions name or tell if we're running a local action.
+/**
+ * Get the location where the Action is running from.
+ *
+ * This can be used to get the Action's name or tell if we're running a local Action.
+ */
 function getRelativeScriptPath() {
     const runnerTemp = (0, util_1.getRequiredEnvParam)("RUNNER_TEMP");
     const actionsDirectory = path.join(path.dirname(runnerTemp), "_actions");
     return path.relative(actionsDirectory, __filename);
 }
 exports.getRelativeScriptPath = getRelativeScriptPath;
-// Reads the contents of GITHUB_EVENT_PATH as a JSON object
+/** Returns the contents of `GITHUB_EVENT_PATH` as a JSON object. */
 function getWorkflowEvent() {
     const eventJsonFile = (0, util_1.getRequiredEnvParam)("GITHUB_EVENT_PATH");
     try {
@@ -476,10 +471,13 @@ function getWorkflowEvent() {
 function removeRefsHeadsPrefix(ref) {
     return ref.startsWith("refs/heads/") ? ref.slice("refs/heads/".length) : ref;
 }
-// Returns whether we are analyzing the default branch for the repository.
-// For cases where the repository information might not be available (e.g.,
-// dynamic workflows), this can be forced by the environment variable
-// CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH.
+/**
+ * Returns whether we are analyzing the default branch for the repository.
+ *
+ * This first checks the environment variable `CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH`. This
+ * environment variable can be set in cases where repository information might not be available, for
+ * example dynamic workflows.
+ */
 async function isAnalyzingDefaultBranch() {
     if (process.env.CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH === "true") {
         return true;
@@ -489,8 +487,8 @@ async function isAnalyzingDefaultBranch() {
     currentRef = removeRefsHeadsPrefix(currentRef);
     const event = getWorkflowEvent();
     let defaultBranch = event?.repository?.default_branch;
-    if (process.env.GITHUB_EVENT_NAME === "schedule") {
-        defaultBranch = removeRefsHeadsPrefix((0, util_1.getRequiredEnvParam)("GITHUB_REF"));
+    if (getWorkflowEventName() === "schedule") {
+        defaultBranch = removeRefsHeadsPrefix(getRefFromEnv());
     }
     return currentRef === defaultBranch;
 }
@@ -524,7 +522,10 @@ async function printDebugLogs(config) {
     }
 }
 exports.printDebugLogs = printDebugLogs;
-// Parses the `upload` input into an `UploadKind`, converting unspecified and deprecated upload inputs appropriately.
+/**
+ * Parses the `upload` input into an `UploadKind`, converting unspecified and deprecated upload
+ * inputs appropriately.
+ */
 function getUploadValue(input) {
     switch (input) {
         case undefined:

lib/actions-util.test.js

@@ -172,6 +172,7 @@ const util_1 = require("./util");
     t.deepEqual(process.env.CODEQL_ACTION_VERSION, "1.2.3");
 });
 (0, ava_1.default)("isAnalyzingDefaultBranch()", async (t) => {
+    process.env["GITHUB_EVENT_NAME"] = "push";
     process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "true";
     t.deepEqual(await actionsutil.isAnalyzingDefaultBranch(), true);
     process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "false";
@@ -210,12 +211,4 @@ const util_1 = require("./util");
         getAdditionalInputStub.restore();
     });
 });
-(0, ava_1.default)("workflowEventName()", async (t) => {
-    process.env["GITHUB_EVENT_NAME"] = "push";
-    t.deepEqual(actionsutil.workflowEventName(), "push");
-    process.env["GITHUB_EVENT_NAME"] = "dynamic";
-    t.deepEqual(actionsutil.workflowEventName(), "dynamic");
-    process.env["CODESCANNING_EVENT_NAME"] = "push";
-    t.deepEqual(actionsutil.workflowEventName(), "push");
-});
 //# sourceMappingURL=actions-util.test.js.map

lib/analyze-action.js

@@ -163,7 +163,7 @@ async function run() {
         const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
         const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, actionsUtil.getTemporaryDirectory(), logger);
         await runAutobuildIfLegacyGoWorkflow(config, logger);
-        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, config, logger);
+        dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, config, logger, features);
         if (actionsUtil.getRequiredInput("skip-queries") !== "true") {
             runStats = await (0, analyze_1.runQueries)(outputDir, memory, util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")), threads, actionsUtil.getOptionalInput("category"), config, logger, features);
         }

lib/analyze.js

@@ -36,6 +36,7 @@ const yaml = __importStar(require("js-yaml"));
 const analysisPaths = __importStar(require("./analysis-paths"));
 const codeql_1 = require("./codeql");
 const configUtils = __importStar(require("./config-utils"));
+const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const tracer_config_1 = require("./tracer-config");
 const util = __importStar(require("./util"));
@@ -47,12 +48,17 @@ class CodeQLAnalysisError extends Error {
     }
 }
 exports.CodeQLAnalysisError = CodeQLAnalysisError;
-async function setupPythonExtractor(logger) {
+async function setupPythonExtractor(logger, features, codeql) {
     const codeqlPython = process.env["CODEQL_PYTHON"];
     if (codeqlPython === undefined || codeqlPython.length === 0) {
         // If CODEQL_PYTHON is not set, no dependencies were installed, so we don't need to do anything
         return;
     }
+    if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallation, codeql)) {
+        logger.warning("We recommend that you remove the CODEQL_PYTHON environment variable from your workflow. This environment variable was originally used to specify a Python executable that included the dependencies of your Python code, however Python analysis no longer uses these dependencies." +
+            "\nIf you used CODEQL_PYTHON to force the version of Python to analyze as, please use CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION instead, such as 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=2.7' or 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.11'.");
+        return;
+    }
     const scriptsFolder = path.resolve(__dirname, "../python-setup");
     let output = "";
     const options = {
@@ -70,7 +76,7 @@ async function setupPythonExtractor(logger) {
     logger.info(`Setting LGTM_PYTHON_SETUP_VERSION=${output}`);
     process.env["LGTM_PYTHON_SETUP_VERSION"] = output;
 }
-async function createdDBForScannedLanguages(codeql, config, logger) {
+async function createdDBForScannedLanguages(codeql, config, logger, features) {
     // Insert the LGTM_INDEX_X env vars at this point so they are set when
     // we extract any scanned languages.
     analysisPaths.includeAndExcludeAnalysisPaths(config);
@@ -79,7 +85,7 @@ async function createdDBForScannedLanguages(codeql, config, logger) {
             !dbIsFinalized(config, language, logger)) {
             logger.startGroup(`Extracting ${language}`);
             if (language === languages_1.Language.python) {
-                await setupPythonExtractor(logger);
+                await setupPythonExtractor(logger, features, codeql);
             }
             await codeql.extractScannedLanguage(config, language);
             logger.endGroup();
@@ -99,10 +105,10 @@ function dbIsFinalized(config, language, logger) {
     }
 }
 exports.dbIsFinalized = dbIsFinalized;
-async function finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger) {
+async function finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger, features) {
     const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
     const extractionStart = perf_hooks_1.performance.now();
-    await createdDBForScannedLanguages(codeql, config, logger);
+    await createdDBForScannedLanguages(codeql, config, logger, features);
     const extractionTime = perf_hooks_1.performance.now() - extractionStart;
     const trapImportStart = perf_hooks_1.performance.now();
     for (const language of config.languages) {
@@ -203,7 +209,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                 logger.endGroup();
                 logger.info(analysisSummary);
             }
-            logger.info(await runPrintLinesOfCode(language));
+            await runPrintLinesOfCode(language);
         }
         catch (e) {
             logger.info(String(e));
@@ -271,7 +277,7 @@ function createQuerySuiteContents(queries, queryFilters) {
     return yaml.dump(queries.map((q) => ({ query: q })).concat(queryFilters));
 }
 exports.createQuerySuiteContents = createQuerySuiteContents;
-async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger) {
+async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger, features) {
     try {
         await (0, del_1.default)(outputDir, { force: true });
     }
@@ -281,7 +287,7 @@ async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger) {
         }
     }
     await fs.promises.mkdir(outputDir, { recursive: true });
-    const timings = await finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger);
+    const timings = await finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger, features);
     // WARNING: This does not _really_ end tracing, as the tracer will restore its
     // critical environment variables and it'll still be active for all processes
     // launched from this build step.

lib/codeql.js

@@ -66,7 +66,6 @@ const CODEQL_MINIMUM_VERSION = "2.8.5";
  * For convenience, please keep these in descending order. Once a version
  * flag is older than the oldest supported version above, it may be removed.
  */
-const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
 const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
 const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
 exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
@@ -174,6 +173,7 @@ function setCodeQL(partialCodeql) {
         databasePrintBaseline: resolveFunction(partialCodeql, "databasePrintBaseline"),
         databaseExportDiagnostics: resolveFunction(partialCodeql, "databaseExportDiagnostics"),
         diagnosticsExport: resolveFunction(partialCodeql, "diagnosticsExport"),
+        resolveExtractor: resolveFunction(partialCodeql, "resolveExtractor"),
     };
     return cachedCodeQL;
 }
@@ -269,10 +269,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             ], { stdin: externalRepositoryToken });
         },
         async runAutobuild(language) {
-            const cmdName = process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh";
-            // The autobuilder for Swift is located in the experimental/ directory.
-            const possibleExperimentalDir = language === languages_1.Language.swift ? "experimental" : "";
-            const autobuildCmd = path.join(path.dirname(cmd), possibleExperimentalDir, language, "tools", cmdName);
+            const autobuildCmd = path.join(await this.resolveExtractor(language), "tools", process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh");
             // Update JAVA_TOOL_OPTIONS to contain '-Dhttp.keepAlive=false'
             // This is because of an issue with Azure pipelines timing out connections after 4 minutes
             // and Maven not properly handling closed connections
@@ -301,31 +298,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         },
         async extractScannedLanguage(config, language) {
             const databasePath = util.getCodeQLDatabasePath(config, language);
-            // Get extractor location
-            //
-            // Request it using `format=json` so we don't need to strip the trailing new line generated by
-            // the CLI.
-            let extractorPath = "";
-            await new toolrunner.ToolRunner(cmd, [
-                "resolve",
-                "extractor",
-                "--format=json",
-                `--language=${language}`,
-                ...getExtraOptionsFromEnv(["resolve", "extractor"]),
-            ], {
-                silent: true,
-                listeners: {
-                    stdout: (data) => {
-                        extractorPath += data.toString();
-                    },
-                    stderr: (data) => {
-                        process.stderr.write(data);
-                    },
-                },
-            }).exec();
             // Set trace command
             const ext = process.platform === "win32" ? ".cmd" : ".sh";
-            const traceCommand = path.resolve(JSON.parse(extractorPath), "tools", `autobuild${ext}`);
+            const traceCommand = path.resolve(await this.resolveExtractor(language), "tools", `autobuild${ext}`);
             // Run trace command
             await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, [
                 "database",
@@ -438,12 +413,11 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 addSnippetsFlag,
                 "--print-diagnostics-summary",
                 "--print-metrics-summary",
+                "--sarif-add-query-help",
                 "--sarif-group-rules-by-pack",
                 ...(await getCodeScanningConfigExportArguments(config, this, features)),
                 ...getExtraOptionsFromEnv(["database", "interpret-results"]),
             ];
-            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_CUSTOM_QUERY_HELP))
-                codeqlArgs.push("--sarif-add-query-help");
             if (automationDetailsId !== undefined) {
                 codeqlArgs.push("--sarif-category", automationDetailsId);
             }
@@ -581,6 +555,29 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             }
             await new toolrunner.ToolRunner(cmd, args).exec();
         },
+        async resolveExtractor(language) {
+            // Request it using `format=json` so we don't need to strip the trailing new line generated by
+            // the CLI.
+            let extractorPath = "";
+            await new toolrunner.ToolRunner(cmd, [
+                "resolve",
+                "extractor",
+                "--format=json",
+                `--language=${language}`,
+                ...getExtraOptionsFromEnv(["resolve", "extractor"]),
+            ], {
+                silent: true,
+                listeners: {
+                    stdout: (data) => {
+                        extractorPath += data.toString();
+                    },
+                    stderr: (data) => {
+                        process.stderr.write(data);
+                    },
+                },
+            }).exec();
+            return JSON.parse(extractorPath);
+        },
     };
     // To ensure that status reports include the CodeQL CLI version wherever
     // possible, we want to call getVersion(), which populates the version value

lib/codeql.test.js

@@ -49,20 +49,11 @@ const testing_utils_1 = require("./testing-utils");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
-const sampleApiDetails = {
-    auth: "token",
-    url: "https://github.com",
-    apiURL: "https://api.github.com",
-};
 const sampleGHAEApiDetails = {
     auth: "token",
     url: "https://example.githubenterprise.com",
     apiURL: "https://example.githubenterprise.com/api/v3",
 };
-const SAMPLE_DEFAULT_CLI_VERSION = {
-    cliVersion: "2.0.0",
-    variant: util.GitHubVariant.DOTCOM,
-};
 let stubConfig;
 ava_1.default.beforeEach(() => {
     (0, util_1.initializeEnvironment)("1.2.3");
@@ -91,34 +82,13 @@ ava_1.default.beforeEach(() => {
         trapCacheDownloadTime: 0,
     };
 });
-/**
- * Mocks the API for downloading the bundle tagged `tagName`.
- *
- * @returns the download URL for the bundle. This can be passed to the tools parameter of
- * `codeql.setupCodeQL`.
- */
-function mockDownloadApi({ apiDetails = sampleApiDetails, isPinned, repo = "github/codeql-action", platformSpecific = true, tagName, }) {
-    const platform = process.platform === "win32"
-        ? "win64"
-        : process.platform === "linux"
-            ? "linux64"
-            : "osx64";
-    const baseUrl = apiDetails?.url ?? "https://example.com";
-    const relativeUrl = apiDetails
-        ? `/${repo}/releases/download/${tagName}/codeql-bundle${platformSpecific ? `-${platform}` : ""}.tar.gz`
-        : `/download/${tagName}/codeql-bundle.tar.gz`;
-    (0, nock_1.default)(baseUrl)
-        .get(relativeUrl)
-        .replyWithFile(200, path_1.default.join(__dirname, `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`));
-    return `${baseUrl}${relativeUrl}`;
-}
-async function installIntoToolcache({ apiDetails = sampleApiDetails, cliVersion, isPinned, tagName, tmpDir, }) {
-    const url = mockDownloadApi({ apiDetails, isPinned, tagName });
+async function installIntoToolcache({ apiDetails = testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, cliVersion, isPinned, tagName, tmpDir, }) {
+    const url = (0, testing_utils_1.mockBundleDownloadApi)({ apiDetails, isPinned, tagName });
     await codeql.setupCodeQL(cliVersion !== undefined ? undefined : url, apiDetails, tmpDir, util.GitHubVariant.GHES, cliVersion !== undefined
         ? { cliVersion, tagName, variant: util.GitHubVariant.GHES }
-        : SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        : testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
 }
-function mockReleaseApi({ apiDetails = sampleApiDetails, assetNames, tagName, }) {
+function mockReleaseApi({ apiDetails = testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, assetNames, tagName, }) {
     return (0, nock_1.default)(apiDetails.apiURL)
         .get(`/repos/github/codeql-action/releases/tags/${tagName}`)
         .reply(200, {
@@ -149,11 +119,11 @@ function mockApiDetails(apiDetails) {
         const versions = ["20200601", "20200610"];
         for (let i = 0; i < versions.length; i++) {
             const version = versions[i];
-            const url = mockDownloadApi({
+            const url = (0, testing_utils_1.mockBundleDownloadApi)({
                 tagName: `codeql-bundle-${version}`,
                 isPinned: false,
             });
-            const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
             t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
             t.is(result.toolsVersion, `0.0.0-${version}`);
             t.is(result.toolsSource, init_1.ToolsSource.Download);
@@ -170,10 +140,10 @@ function mockApiDetails(apiDetails) {
             isPinned: true,
             tmpDir,
         });
-        const url = mockDownloadApi({
+        const url = (0, testing_utils_1.mockBundleDownloadApi)({
             tagName: "codeql-bundle-20200610",
         });
-        const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
         t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
         t.deepEqual(result.toolsVersion, "0.0.0-20200610");
         t.is(result.toolsSource, init_1.ToolsSource.Download);
@@ -198,16 +168,16 @@ for (const { cliVersion, expectedToolcacheVersion, } of EXPLICITLY_REQUESTED_BUN
     (0, ava_1.default)(`caches an explicitly requested bundle containing CLI ${cliVersion} as ${expectedToolcacheVersion}`, async (t) => {
         await util.withTmpDir(async (tmpDir) => {
             (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-            mockApiDetails(sampleApiDetails);
+            mockApiDetails(testing_utils_1.SAMPLE_DOTCOM_API_DETAILS);
             sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
             const releaseApiMock = mockReleaseApi({
                 assetNames: [`cli-version-${cliVersion}.txt`],
                 tagName: "codeql-bundle-20200610",
             });
-            const url = mockDownloadApi({
+            const url = (0, testing_utils_1.mockBundleDownloadApi)({
                 tagName: "codeql-bundle-20200610",
             });
-            const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
             t.assert(releaseApiMock.isDone(), "Releases API should have been called");
             t.assert(toolcache.find("CodeQL", expectedToolcacheVersion));
             t.deepEqual(result.toolsVersion, cliVersion);
@@ -220,19 +190,19 @@ for (const { githubReleases, toolcacheVersion } of [
     // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested
     // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache.
     {
-        toolcacheVersion: SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
+        toolcacheVersion: testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion,
     },
     {
         githubReleases: {
-            "codeql-bundle-20230101": `cli-version-${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}.txt`,
+            "codeql-bundle-20230101": `cli-version-${testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion}.txt`,
         },
         toolcacheVersion: "0.0.0-20230101",
     },
     {
-        toolcacheVersion: `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`,
+        toolcacheVersion: `${testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`,
     },
 ]) {
-    (0, ava_1.default)(`uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
+    (0, ava_1.default)(`uses tools from toolcache when ${testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` +
         `${toolcacheVersion} is installed`, async (t) => {
         await util.withTmpDir(async (tmpDir) => {
             (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
@@ -256,8 +226,8 @@ for (const { githubReleases, toolcacheVersion } of [
                     }))),
                 }));
             }
-            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
-            t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
+            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            t.is(result.toolsVersion, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
             t.is(result.toolsSource, init_1.ToolsSource.Toolcache);
             t.is(result.toolsDownloadDurationMs, undefined);
         });
@@ -272,7 +242,7 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
                 isPinned: true,
                 tmpDir,
             });
-            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, {
+            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, variant, {
                 cliVersion: defaults.cliVersion,
                 tagName: defaults.bundleVersion,
                 variant,
@@ -292,10 +262,10 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
                 isPinned: false,
                 tmpDir,
             });
-            mockDownloadApi({
+            (0, testing_utils_1.mockBundleDownloadApi)({
                 tagName: defaults.bundleVersion,
             });
-            const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, variant, {
+            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, variant, {
                 cliVersion: defaults.cliVersion,
                 tagName: defaults.bundleVersion,
                 variant,
@@ -316,10 +286,10 @@ for (const variant of [util.GitHubVariant.GHAE, util.GitHubVariant.GHES]) {
             isPinned: true,
             tmpDir,
         });
-        mockDownloadApi({
+        (0, testing_utils_1.mockBundleDownloadApi)({
             tagName: defaults.bundleVersion,
         });
-        const result = await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("latest", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
         t.deepEqual(result.toolsVersion, defaults.cliVersion);
         t.is(result.toolsSource, init_1.ToolsSource.Download);
         t.assert(Number.isInteger(result.toolsDownloadDurationMs));
@@ -375,18 +345,18 @@ for (const isBundleVersionInUrl of [true, false]) {
 (0, ava_1.default)("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t) => {
     await util.withTmpDir(async (tmpDir) => {
         (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
-        mockApiDetails(sampleApiDetails);
+        mockApiDetails(testing_utils_1.SAMPLE_DOTCOM_API_DETAILS);
         sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
         const releasesApiMock = mockReleaseApi({
             assetNames: ["cli-version-2.12.2.txt"],
             tagName: "codeql-bundle-20230203",
         });
-        mockDownloadApi({
+        (0, testing_utils_1.mockBundleDownloadApi)({
             repo: "codeql-testing/codeql-cli-nightlies",
             platformSpecific: false,
             tagName: "codeql-bundle-20230203",
         });
-        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
         t.is(result.toolsVersion, "0.0.0-20230203");
         t.is(result.toolsSource, init_1.ToolsSource.Download);
         t.true(Number.isInteger(result.toolsDownloadDurationMs));
@@ -418,24 +388,6 @@ for (const isBundleVersionInUrl of [true, false]) {
     t.throws(() => codeql.getExtraOptions({ foo: 87 }, ["foo"], []));
     t.throws(() => codeql.getExtraOptions({ "*": [42], foo: { "*": 87, bar: [99] } }, ["foo", "bar"], []));
 });
-(0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-query-help for 2.7.0", async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
-    // safeWhich throws because of the test CodeQL object.
-    sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", stubConfig, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
-    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be absent, but it is present");
-});
-(0, ava_1.default)("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
-    // safeWhich throws because of the test CodeQL object.
-    sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", stubConfig, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
-    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be present, but it is absent");
-});
 (0, ava_1.default)("databaseInitCluster() without injected codescanning config", async (t) => {
     await util.withTmpDir(async (tempDir) => {
         const runnerConstructorStub = stubToolRunnerConstructor();

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-20230428",
-    "cliVersion": "2.13.1",
-    "priorBundleVersion": "codeql-bundle-20230414",
-    "priorCliVersion": "2.13.0"
+    "bundleVersion": "codeql-bundle-20230524",
+    "cliVersion": "2.13.3",
+    "priorBundleVersion": "codeql-bundle-20230428",
+    "priorCliVersion": "2.13.1"
 }

lib/feature-flags.js

@@ -40,6 +40,7 @@ var Feature;
     Feature["ExportDiagnosticsEnabled"] = "export_diagnostics_enabled";
     Feature["MlPoweredQueriesEnabled"] = "ml_powered_queries_enabled";
     Feature["UploadFailedSarifEnabled"] = "upload_failed_sarif_enabled";
+    Feature["DisablePythonDependencyInstallation"] = "disable_python_dependency_installation";
 })(Feature = exports.Feature || (exports.Feature = {}));
 exports.featureConfig = {
     [Feature.DisableKotlinAnalysisEnabled]: {
@@ -72,6 +73,16 @@ exports.featureConfig = {
         minimumVersion: "2.11.3",
         defaultValue: true,
     },
+    [Feature.DisablePythonDependencyInstallation]: {
+        envVar: "CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION",
+        // Although the python extractor only started supporting not extracting installed
+        // dependencies in 2.13.1, the init-action can still benefit from not installing
+        // dependencies no matter what codeql version we are using, so therefore the
+        // minimumVersion is set to 'undefined'. This means that with an old CodeQL version,
+        // packages available with current python3 installation might get extracted.
+        minimumVersion: undefined,
+        defaultValue: false,
+    },
 };
 exports.FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
 /**

lib/fingerprints.js

@@ -194,7 +194,14 @@ function resolveUriToFile(location, artifacts, sourceRoot, logger) {
         logger.debug(`Ignoring location as URI "${location.uri}" is invalid`);
         return undefined;
     }
-    let uri = decodeURIComponent(location.uri);
+    let uri;
+    try {
+        uri = decodeURIComponent(location.uri);
+    }
+    catch (e) {
+        logger.debug(`Ignoring location as URI "${location.uri}" is invalid`);
+        return undefined;
+    }
     // Remove a file scheme, and abort if the scheme is anything else
     const fileUriPrefix = "file://";
     if (uri.startsWith(fileUriPrefix)) {

lib/init-action-post-helper.js

@@ -110,8 +110,9 @@ async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, p
     // but we didn't upload anything.
     if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true" &&
         !uploadFailedSarifResult.raw_upload_size_bytes) {
+        const error = JSON.stringify(uploadFailedSarifResult);
         throw new Error("Expected to upload a failed SARIF file for this CodeQL code scanning run, " +
-            `but the result was instead ${uploadFailedSarifResult}.`);
+            `but the result was instead ${error}.`);
     }
     // Upload appropriate Actions artifacts for debugging
     if (config.debugMode) {

lib/init-action-post-helper.js.map

@@ -1 +1 @@
-{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAAuF;AACvF,wDAA0C;AAC1C,iCAKgB;AAChB,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,MAAM,YAAY,GAAG,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC;IACtC,OAAO;QACL,uBAAuB,EAAE,YAAY,CAAC,OAAO;QAC7C,6BAA6B,EAAE,YAAY,CAAC,KAAK;KAClD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAc,EACd,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,EAAE;QACxE,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,EAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACtE,IACE,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,QAAQ,CAClC,WAAW,CAAC,cAAc,CAAC,YAAY,CAAC,CACzC;QACD,IAAA,mBAAY,GAAE,EACd;QACA,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC;IAEvC,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAE/C,kFAAkF;IAClF,IACE,YAAY,KAAK,SAAS;QAC1B,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,EACpE;QACA,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;KACvE;SAAM;QACL,8EAA8E;QAC9E,MAAM,MAAM,CAAC,yBAAyB,CACpC,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,MAAM,CACP,CAAC;KACH;IAED,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,YAAY,EAAE,YAAY,IAAI,EAAE,CAAC;AAC1C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,oEAA+C,CAAC,KAAK,MAAM,EAAE;QAC3E,IAAI;YACF,OAAO,MAAM,sBAAsB,CACjC,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CACV,2EAA2E,CAAC,EAAE,CAC/E,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,OAAO;YACL,iCAAiC,EAC/B,uCAAuC;SAC1C,CAAC;KACH;AACH,CAAC;AA1BD,8DA0BC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,yBAAyB,CAC7D,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;IAEF,IAAI,uBAAuB,CAAC,iCAAiC,EAAE;QAC7D,MAAM,CAAC,KAAK,CACV,8EAA8E;YAC5E,GAAG,uBAAuB,CAAC,iCAAiC,GAAG,CAClE,CAAC;KACH;IACD,8FAA8F;IAC9F,iCAAiC;IACjC,IACE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM;QAClE,CAAC,uBAAuB,CAAC,qBAAqB,EAC9C;QACA,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,8BAA8B,uBAAuB,GAAG,CAC3D,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AArDD,kBAqDC"}
+{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAAuF;AACvF,wDAA0C;AAC1C,iCAKgB;AAChB,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,MAAM,YAAY,GAAG,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC;IACtC,OAAO;QACL,uBAAuB,EAAE,YAAY,CAAC,OAAO;QAC7C,6BAA6B,EAAE,YAAY,CAAC,KAAK;KAClD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAc,EACd,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,EAAE;QACxE,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,EAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACtE,IACE,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,QAAQ,CAClC,WAAW,CAAC,cAAc,CAAC,YAAY,CAAC,CACzC;QACD,IAAA,mBAAY,GAAE,EACd;QACA,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC;IAEvC,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAE/C,kFAAkF;IAClF,IACE,YAAY,KAAK,SAAS;QAC1B,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,EACpE;QACA,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;KACvE;SAAM;QACL,8EAA8E;QAC9E,MAAM,MAAM,CAAC,yBAAyB,CACpC,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,MAAM,CACP,CAAC;KACH;IAED,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,YAAY,EAAE,YAAY,IAAI,EAAE,CAAC;AAC1C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,oEAA+C,CAAC,KAAK,MAAM,EAAE;QAC3E,IAAI;YACF,OAAO,MAAM,sBAAsB,CACjC,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CACV,2EAA2E,CAAC,EAAE,CAC/E,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,OAAO;YACL,iCAAiC,EAC/B,uCAAuC;SAC1C,CAAC;KACH;AACH,CAAC;AA1BD,8DA0BC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,yBAAyB,CAC7D,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;IAEF,IAAI,uBAAuB,CAAC,iCAAiC,EAAE;QAC7D,MAAM,CAAC,KAAK,CACV,8EAA8E;YAC5E,GAAG,uBAAuB,CAAC,iCAAiC,GAAG,CAClE,CAAC;KACH;IACD,8FAA8F;IAC9F,iCAAiC;IACjC,IACE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM;QAClE,CAAC,uBAAuB,CAAC,qBAAqB,EAC9C;QACA,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,8BAA8B,KAAK,GAAG,CACzC,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AAtDD,kBAsDC"}

lib/init-action.js

@@ -136,12 +136,17 @@ async function run() {
         (0, actions_util_1.getOptionalInput)("debug") === "true" || core.isDebug(), (0, actions_util_1.getOptionalInput)("debug-artifact-name") || util_1.DEFAULT_DEBUG_ARTIFACT_NAME, (0, actions_util_1.getOptionalInput)("debug-database-name") || util_1.DEFAULT_DEBUG_DATABASE_NAME, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), codeql, (0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), gitHubVersion, apiDetails, features, logger);
         if (config.languages.includes(languages_1.Language.python) &&
             (0, actions_util_1.getRequiredInput)("setup-python-dependencies") === "true") {
-            try {
-                await (0, init_1.installPythonDeps)(codeql, logger);
+            if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallation, codeql)) {
+                logger.info("Skipping python dependency installation");
             }
-            catch (unwrappedError) {
-                const error = (0, util_1.wrapError)(unwrappedError);
-                logger.warning(`${error.message} You can call this action with 'setup-python-dependencies: false' to disable this process`);
+            else {
+                try {
+                    await (0, init_1.installPythonDeps)(codeql, logger);
+                }
+                catch (unwrappedError) {
+                    const error = (0, util_1.wrapError)(unwrappedError);
+                    logger.warning(`${error.message} You can call this action with 'setup-python-dependencies: false' to disable this process`);
+                }
             }
         }
     }
@@ -170,6 +175,10 @@ async function run() {
         if (await features.getValue(feature_flags_1.Feature.DisableKotlinAnalysisEnabled)) {
             core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
         }
+        // Disable Python dependency extraction if feature flag set
+        if (await features.getValue(feature_flags_1.Feature.DisablePythonDependencyInstallation, codeql)) {
+            core.exportVariable("CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION", "true");
+        }
         const sourceRoot = path.resolve((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), (0, actions_util_1.getOptionalInput)("source-root") || "");
         const tracerConfig = await (0, init_1.runInit)(codeql, config, sourceRoot, "Runner.Worker.exe", registriesInput, features, apiDetails, logger);
         if (tracerConfig !== undefined) {

lib/setup-codeql.js

@@ -315,6 +315,13 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
         // If a tools URL was provided, then use that.
         tagName = tryGetTagNameFromUrl(toolsInput, logger);
         url = toolsInput;
+        if (tagName) {
+            const bundleVersion = tryGetBundleVersionFromTagName(tagName, logger);
+            // If the bundle version is a semantic version, it is a CLI version number.
+            if (bundleVersion && semver.valid(bundleVersion)) {
+                cliVersion = convertToSemVer(bundleVersion, logger);
+            }
+        }
     }
     else {
         // Otherwise, use the default CLI version passed in.

lib/setup-codeql.test.js

@@ -117,4 +117,14 @@ ava_1.default.beforeEach(() => {
         message: "Failed to find a release of the CodeQL tools that contains CodeQL CLI 2.12.1.",
     });
 });
+(0, ava_1.default)("getCodeQLSource sets CLI version for a semver tagged bundle", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const tagName = "codeql-bundle-v1.2.3";
+        (0, testing_utils_1.mockBundleDownloadApi)({ tagName });
+        const source = await setupCodeql.getCodeQLSource(`https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, util_1.GitHubVariant.DOTCOM, (0, logging_1.getRunnerLogger)(true));
+        t.is(source.sourceType, "download");
+        t.is(source["cliVersion"], "1.2.3");
+    });
+});
 //# sourceMappingURL=setup-codeql.test.js.map

lib/setup-codeql.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"setup-codeql.test.js","sourceRoot":"","sources":["../src/setup-codeql.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,kDAAoC;AACpC,uCAA4C;AAC5C,4DAA8C;AAC9C,mDAA6C;AAC7C,iCAA0D;AAE1D,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,CAAC,CAAC,SAAS,CACT,WAAW,CAAC,mBAAmB,CAC7B,mDAAmD,CACpD,EACD,UAAU,CACX,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9B,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,gBAAgB;QAC5B,YAAY,EAAE,kBAAkB;QAChC,cAAc,EAAE,cAAc;QAC9B,OAAO,EAAE,OAAO;QAChB,aAAa,EAAE,aAAa;QAC5B,cAAc,EAAE,cAAc;KAC/B,CAAC;IAEF,KAAK,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;QAC9D,IAAI;YACF,MAAM,aAAa,GAAG,WAAW,CAAC,eAAe,CAC/C,OAAO,EACP,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;YACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC;SAC7C;QAAC,OAAO,CAAC,EAAE;YACV,CAAC,CAAC,IAAI,CAAC,IAAA,gBAAS,EAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;SAC9B;KACF;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,2BAA2B,EAAE,CAAC,CAAC,EAAE,EAAE;IACtC,MAAM,MAAM,GAAG,IAAA,yBAAe,EAAC,IAAI,CAAC,CAAC;IAErC,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;IAE/B,kCAAkC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACtE,CAAC,CAAC,SAAS,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAAC;IAErD,mCAAmC;IACnC,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC;IACpD,MAAM,OAAO,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yEAAyE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1F,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,CAAC,CAAC,EAAE,CACF,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACD,wBAAwB,CACzB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iFAAiF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClG,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,MAAM,CAAC,CAAC,WAAW,CACjB,KAAK,IAAI,EAAE,CACT,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACH;QACE,OAAO,EACL,+EAA+E;KAClF,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}
+{"version":3,"file":"setup-codeql.test.js","sourceRoot":"","sources":["../src/setup-codeql.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,kDAAoC;AACpC,uCAA4C;AAC5C,4DAA8C;AAC9C,mDAMyB;AACzB,iCAKgB;AAEhB,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,CAAC,CAAC,SAAS,CACT,WAAW,CAAC,mBAAmB,CAC7B,mDAAmD,CACpD,EACD,UAAU,CACX,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9B,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,gBAAgB;QAC5B,YAAY,EAAE,kBAAkB;QAChC,cAAc,EAAE,cAAc;QAC9B,OAAO,EAAE,OAAO;QAChB,aAAa,EAAE,aAAa;QAC5B,cAAc,EAAE,cAAc;KAC/B,CAAC;IAEF,KAAK,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;QAC9D,IAAI;YACF,MAAM,aAAa,GAAG,WAAW,CAAC,eAAe,CAC/C,OAAO,EACP,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;YACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC;SAC7C;QAAC,OAAO,CAAC,EAAE;YACV,CAAC,CAAC,IAAI,CAAC,IAAA,gBAAS,EAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;SAC9B;KACF;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,2BAA2B,EAAE,CAAC,CAAC,EAAE,EAAE;IACtC,MAAM,MAAM,GAAG,IAAA,yBAAe,EAAC,IAAI,CAAC,CAAC;IAErC,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;IAE/B,kCAAkC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACtE,CAAC,CAAC,SAAS,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAAC;IAErD,mCAAmC;IACnC,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC;IACpD,MAAM,OAAO,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yEAAyE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1F,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,CAAC,CAAC,EAAE,CACF,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACD,wBAAwB,CACzB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iFAAiF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClG,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,MAAM,CAAC,CAAC,WAAW,CACjB,KAAK,IAAI,EAAE,CACT,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACH;QACE,OAAO,EACL,+EAA+E;KAClF,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,6DAA6D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9E,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,IAAA,gCAAgB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,MAAM,OAAO,GAAG,sBAAsB,CAAC;QACvC,IAAA,qCAAqB,EAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,eAAe,CAC9C,6DAA6D,OAAO,+BAA+B,EACnG,0CAA0B,EAC1B,yCAAyB,EACzB,oBAAa,CAAC,MAAM,EACpB,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;QAEF,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QACpC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

lib/testing-utils.js

@@ -22,15 +22,28 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createFeatures = exports.mockCodeQLVersion = exports.mockLanguagesInRepo = exports.mockFeatureFlagApiEndpoint = exports.getRecordingLogger = exports.setupActionsVars = exports.setupTests = void 0;
+exports.mockBundleDownloadApi = exports.createFeatures = exports.mockCodeQLVersion = exports.mockLanguagesInRepo = exports.mockFeatureFlagApiEndpoint = exports.getRecordingLogger = exports.setupActionsVars = exports.setupTests = exports.SAMPLE_DEFAULT_CLI_VERSION = exports.SAMPLE_DOTCOM_API_DETAILS = void 0;
 const node_util_1 = require("node:util");
+const path_1 = __importDefault(require("path"));
 const github = __importStar(require("@actions/github"));
-const nock = __importStar(require("nock"));
+const nock_1 = __importDefault(require("nock"));
 const sinon = __importStar(require("sinon"));
 const apiClient = __importStar(require("./api-client"));
 const CodeQL = __importStar(require("./codeql"));
 const util_1 = require("./util");
+exports.SAMPLE_DOTCOM_API_DETAILS = {
+    auth: "token",
+    url: "https://github.com",
+    apiURL: "https://api.github.com",
+};
+exports.SAMPLE_DEFAULT_CLI_VERSION = {
+    cliVersion: "2.0.0",
+    variant: util_1.GitHubVariant.DOTCOM,
+};
 function wrapOutput(context) {
     // Function signature taken from Socket.write.
     // Note there are two overloads:
@@ -92,7 +105,7 @@ function setupTests(test) {
             process.stdout.write(t.context.testOutput);
         }
         // Undo any modifications made by nock
-        nock.cleanAll();
+        nock_1.default.cleanAll();
         // Undo any modifications made by sinon
         sinon.restore();
         // Undo any modifications to the env
@@ -196,4 +209,26 @@ function createFeatures(enabledFeatures) {
     };
 }
 exports.createFeatures = createFeatures;
+/**
+ * Mocks the API for downloading the bundle tagged `tagName`.
+ *
+ * @returns the download URL for the bundle. This can be passed to the tools parameter of
+ * `codeql.setupCodeQL`.
+ */
+function mockBundleDownloadApi({ apiDetails = exports.SAMPLE_DOTCOM_API_DETAILS, isPinned, repo = "github/codeql-action", platformSpecific = true, tagName, }) {
+    const platform = process.platform === "win32"
+        ? "win64"
+        : process.platform === "linux"
+            ? "linux64"
+            : "osx64";
+    const baseUrl = apiDetails?.url ?? "https://example.com";
+    const relativeUrl = apiDetails
+        ? `/${repo}/releases/download/${tagName}/codeql-bundle${platformSpecific ? `-${platform}` : ""}.tar.gz`
+        : `/download/${tagName}/codeql-bundle.tar.gz`;
+    (0, nock_1.default)(baseUrl)
+        .get(relativeUrl)
+        .replyWithFile(200, path_1.default.join(__dirname, `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`));
+    return `${baseUrl}${relativeUrl}`;
+}
+exports.mockBundleDownloadApi = mockBundleDownloadApi;
 //# sourceMappingURL=testing-utils.js.map

lib/trap-caching.js

@@ -91,7 +91,7 @@ async function downloadTrapCaches(codeql, languages, logger) {
     }
     let baseSha = "unknown";
     const eventPath = process.env.GITHUB_EVENT_PATH;
-    if (actionsUtil.workflowEventName() === "pull_request" &&
+    if (actionsUtil.getWorkflowEventName() === "pull_request" &&
         eventPath !== undefined) {
         const event = JSON.parse(fs.readFileSync(path.resolve(eventPath), "utf-8"));
         baseSha = event.pull_request?.base?.sha || baseSha;

lib/upload-lib.js

@@ -181,16 +181,23 @@ function validateSarifFileSchema(sarifFilePath, logger) {
     const sarif = JSON.parse(fs.readFileSync(sarifFilePath, "utf8"));
     const schema = require("../src/sarif-schema-2.1.0.json");
     const result = new jsonschema.Validator().validate(sarif, schema);
-    if (!result.valid) {
+    // Filter errors related to invalid URIs in the artifactLocation field as this
+    // is a breaking change. See https://github.com/github/codeql-action/issues/1703
+    const errors = (result.errors || []).filter((err) => err.argument !== "uri-reference");
+    const warnings = (result.errors || []).filter((err) => err.argument === "uri-reference");
+    for (const warning of warnings) {
+        logger.info(`Warning: '${warning.instance}' is not a valid URI in '${warning.property}'.`);
+    }
+    if (errors.length) {
         // Output the more verbose error messages in groups as these may be very large.
-        for (const error of result.errors) {
+        for (const error of errors) {
             logger.startGroup(`Error details: ${error.stack}`);
             logger.info(JSON.stringify(error, null, 2));
             logger.endGroup();
         }
         // Set the main error message to the stacks of all the errors.
         // This should be of a manageable size and may even give enough to fix the error.
-        const sarifErrors = result.errors.map((e) => `- ${e.stack}`);
+        const sarifErrors = errors.map((e) => `- ${e.stack}`);
         throw new Error(`Unable to upload "${sarifFilePath}" as it is not valid SARIF:\n${sarifErrors.join("\n")}`);
     }
 }
@@ -213,7 +220,7 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
         base_ref: undefined,
         base_sha: undefined,
     };
-    if (actionsUtil.workflowEventName() === "pull_request") {
+    if (actionsUtil.getWorkflowEventName() === "pull_request") {
         if (commitOid === util.getRequiredEnvParam("GITHUB_SHA") &&
             mergeBaseCommitOid) {
             // We're uploading results for the merge commit

lib/upload-lib.test.js

@@ -233,6 +233,18 @@ ava_1.default.beforeEach(() => {
     t.deepEqual(loggedMessages.length, 1);
     t.assert(loggedMessages[0].includes("Pruned 2 results"));
 });
+(0, ava_1.default)("accept results with invalid artifactLocation.uri value", (t) => {
+    const loggedMessages = [];
+    const mockLogger = {
+        info: (message) => {
+            loggedMessages.push(message);
+        },
+    };
+    const sarifFile = `${__dirname}/../src/testdata/with-invalid-uri.sarif`;
+    uploadLib.validateSarifFileSchema(sarifFile, mockLogger);
+    t.deepEqual(loggedMessages.length, 1);
+    t.deepEqual(loggedMessages[0], "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri'.");
+});
 const affectedCodeQLVersion = {
     driver: {
         name: "CodeQL",

lib/util.js

@@ -673,11 +673,6 @@ function removeDuplicateLocations(locations) {
     });
 }
 function fixInvalidNotifications(sarif, logger) {
-    if (process.env[shared_environment_1.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX] === "true") {
-        logger.info("SARIF notification object duplicate location fix disabled by the " +
-            `${shared_environment_1.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX} environment variable.`);
-        return sarif;
-    }
     if (!Array.isArray(sarif.runs)) {
         return sarif;
     }
@@ -727,10 +722,27 @@ function fixInvalidNotifications(sarif, logger) {
     return newSarif;
 }
 exports.fixInvalidNotifications = fixInvalidNotifications;
+/**
+ * Removes duplicates from the sarif file.
+ *
+ * When `CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX` is set to true, this will
+ * simply rename the input file to the output file. Otherwise, it will parse the
+ * input file as JSON, remove duplicate locations from the SARIF notification
+ * objects, and write the result to the output file.
+ *
+ * For context, see documentation of:
+ * `CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX`. */
 function fixInvalidNotificationsInFile(inputPath, outputPath, logger) {
-    let sarif = JSON.parse(fs.readFileSync(inputPath, "utf8"));
-    sarif = fixInvalidNotifications(sarif, logger);
-    fs.writeFileSync(outputPath, JSON.stringify(sarif));
+    if (process.env[shared_environment_1.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX] === "true") {
+        logger.info("SARIF notification object duplicate location fix disabled by the " +
+            `${shared_environment_1.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX} environment variable.`);
+        fs.renameSync(inputPath, outputPath);
+    }
+    else {
+        let sarif = JSON.parse(fs.readFileSync(inputPath, "utf8"));
+        sarif = fixInvalidNotifications(sarif, logger);
+        fs.writeFileSync(outputPath, JSON.stringify(sarif));
+    }
 }
 exports.fixInvalidNotificationsInFile = fixInvalidNotificationsInFile;
 function wrapError(error) {

lib/workflow.js

@@ -298,7 +298,9 @@ function getInputOrThrow(workflow, jobName, actionName, inputName, matrixVars) {
  * This allows us to test workflow parsing functionality as a CodeQL Action PR check.
  */
 function getAnalyzeActionName() {
-    if ((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY") === "github/codeql-action") {
+    if ((0, util_1.isInTestMode)() ||
+        process.env["CODEQL_ACTION_TESTING_ENVIRONMENT"] ===
+            "codeql-action-pr-checks") {
         return "./analyze";
     }
     else {

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.3.4",
+  "version": "2.3.7",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "2.3.4",
+  "version": "2.3.7",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "2.3.4",
+      "version": "2.3.7",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.1.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.3.4",
+  "version": "2.3.7",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/multi-language-autodetect.yml

@@ -21,7 +21,7 @@ steps:
     with:
       upload-database: false
 
-  - name: Check language autodetect for all languages excluding Ruby, Swift
+  - name: Check language autodetect for all languages excluding Swift
     shell: bash
     run: |
       CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
@@ -54,11 +54,6 @@ steps:
         echo "Did not create a database for Python, or created it in the wrong location."
         exit 1
       fi
-
-  - name: Check language autodetect for Ruby
-    if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
-    shell: bash
-    run: |
       RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
       if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
         echo "Did not create a database for Ruby, or created it in the wrong location."
@@ -66,7 +61,9 @@ steps:
       fi
 
   - name: Check language autodetect for Swift
-    if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
+    if: >- 
+      env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' || 
+          (runner.os != 'Windows' && matrix.version == 'nightly-latest')
     shell: bash
     run: |
       SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}

pr-checks/sync.py

@@ -24,7 +24,7 @@ defaultTestVersions = [
 
 header = """# Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 """
@@ -81,10 +81,7 @@ for file in os.listdir('checks'):
             'if': FoldedScalarString(textwrap.dedent('''
                 runner.os != 'Windows' && (
                     matrix.version == '20220908' ||
-                    matrix.version == '20221211' ||
-                    matrix.version == 'cached' ||
-                    matrix.version == 'latest' ||
-                    matrix.version == 'nightly-latest'
+                    matrix.version == '20221211'
                 )
             ''').strip()),
             'shell': 'bash',
@@ -101,6 +98,10 @@ for file in os.listdir('checks'):
             }
         },
         'name': checkSpecification['name'],
+        'permissions': {
+            'contents': 'read',
+            'security-events': 'write'
+        },
         'timeout-minutes': 45,
         'runs-on': '${{ matrix.os }}',
         'steps': steps,

python-setup/tests/check_requests.ps1

@@ -0,0 +1,27 @@
+#! /usr/bin/pwsh
+
+$EXPECTED_PYTHON_VERSION=$args[0]
+$EXPECTED_REQUESTS_VERSION=$args[1]
+
+$FOUND_PYTHON_VERSION="$Env:LGTM_PYTHON_SETUP_VERSION"
+$FOUND_PYTHONPATH="$Env:LGTM_INDEX_IMPORT_PATH"
+
+write-host "FOUND_PYTHON_VERSION=$FOUND_PYTHON_VERSION FOUND_PYTHONPATH=$FOUND_PYTHONPATH "
+
+if ($FOUND_PYTHON_VERSION -ne $EXPECTED_PYTHON_VERSION) {
+    write-host "Script told us to use Python $FOUND_PYTHON_VERSION, but expected $EXPECTED_PYTHON_VERSION"
+    exit 1
+} else {
+    write-host "Script told us to use Python $FOUND_PYTHON_VERSION, which was expected"
+}
+
+$env:PYTHONPATH=$FOUND_PYTHONPATH
+
+$INSTALLED_REQUESTS_VERSION = (py -3 -c "import requests; print(requests.__version__)")
+
+if ($INSTALLED_REQUESTS_VERSION -ne $EXPECTED_REQUESTS_VERSION) {
+    write-host "Using $FOUND_PYTHONPATH as PYTHONPATH, we found version $INSTALLED_REQUESTS_VERSION of requests, but expected $EXPECTED_REQUESTS_VERSION"
+    exit 1
+} else {
+    write-host "Using $FOUND_PYTHONPATH as PYTHONPATH, we found version $INSTALLED_REQUESTS_VERSION of requests, which was expected"
+}

python-setup/tests/check_requests.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+EXPECTED_PYTHON_VERSION=$1
+EXPECTED_REQUESTS_VERSION=$2
+
+FOUND_PYTHON_VERSION="$LGTM_PYTHON_SETUP_VERSION"
+FOUND_PYTHONPATH="$LGTM_INDEX_IMPORT_PATH"
+
+echo "FOUND_PYTHON_VERSION=${FOUND_PYTHON_VERSION} FOUND_PYTHONPATH=${FOUND_PYTHONPATH} "
+
+if [[ $FOUND_PYTHON_VERSION != $EXPECTED_PYTHON_VERSION ]]; then
+    echo "Script told us to use Python ${FOUND_PYTHON_VERSION}, but expected ${EXPECTED_PYTHON_VERSION}"
+    exit 1
+else
+    echo "Script told us to use Python ${FOUND_PYTHON_VERSION}, which was expected"
+fi
+
+PYTHON_EXE="python${EXPECTED_PYTHON_VERSION}"
+
+INSTALLED_REQUESTS_VERSION=$(PYTHONPATH="${FOUND_PYTHONPATH}" "${PYTHON_EXE}" -c 'import requests; print(requests.__version__)')
+
+if [[ "$INSTALLED_REQUESTS_VERSION" != "$EXPECTED_REQUESTS_VERSION" ]]; then
+    echo "Using ${FOUND_PYTHONPATH} as PYTHONPATH, we found version $INSTALLED_REQUESTS_VERSION of requests, but expected $EXPECTED_REQUESTS_VERSION"
+    exit 1
+else
+    echo "Using ${FOUND_PYTHONPATH} as PYTHONPATH, we found version $INSTALLED_REQUESTS_VERSION of requests, which was expected"
+fi

python-setup/tests/check_requests_2_26_0.ps1

@@ -1,28 +0,0 @@
-#! /usr/bin/pwsh
-
-$EXPECTED_VERSION=$args[0]
-
-$FOUND_VERSION="$Env:LGTM_PYTHON_SETUP_VERSION"
-$FOUND_PYTHONPATH="$Env:LGTM_INDEX_IMPORT_PATH"
-
-write-host "FOUND_VERSION=$FOUND_VERSION FOUND_PYTHONPATH=$FOUND_PYTHONPATH "
-
-if ($FOUND_VERSION -ne $EXPECTED_VERSION) {
-    write-host "Script told us to use Python $FOUND_VERSION, but expected $EXPECTED_VERSION"
-    exit 1
-} else {
-    write-host "Script told us to use Python $FOUND_VERSION, which was expected"
-}
-
-$env:PYTHONPATH=$FOUND_PYTHONPATH
-
-$INSTALLED_REQUESTS_VERSION = (py -3 -c "import requests; print(requests.__version__)")
-
-$EXPECTED_REQUESTS="2.26.0"
-
-if ($INSTALLED_REQUESTS_VERSION -ne $EXPECTED_REQUESTS) {
-    write-host "Using $FOUND_PYTHONPATH as PYTHONPATH, we found version $INSTALLED_REQUESTS_VERSION of requests, but expected $EXPECTED_REQUESTS"
-    exit 1
-} else {
-    write-host "Using $FOUND_PYTHONPATH as PYTHONPATH, we found version $INSTALLED_REQUESTS_VERSION of requests, which was expected"
-}

python-setup/tests/check_requests_2_26_0.sh

@@ -1,32 +0,0 @@
-#!/bin/bash
-
-set -e
-
-SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-
-EXPECTED_VERSION=$1
-
-FOUND_VERSION="$LGTM_PYTHON_SETUP_VERSION"
-FOUND_PYTHONPATH="$LGTM_INDEX_IMPORT_PATH"
-
-echo "FOUND_VERSION=${FOUND_VERSION} FOUND_PYTHONPATH=${FOUND_PYTHONPATH} "
-
-if [[ $FOUND_VERSION != $EXPECTED_VERSION ]]; then
-    echo "Script told us to use Python ${FOUND_VERSION}, but expected ${EXPECTED_VERSION}"
-    exit 1
-else
-    echo "Script told us to use Python ${FOUND_VERSION}, which was expected"
-fi
-
-PYTHON_EXE="python${EXPECTED_VERSION}"
-
-INSTALLED_REQUESTS_VERSION=$(PYTHONPATH="${FOUND_PYTHONPATH}" "${PYTHON_EXE}" -c 'import requests; print(requests.__version__)')
-
-EXPECTED_REQUESTS="2.26.0"
-
-if [[ "$INSTALLED_REQUESTS_VERSION" != "$EXPECTED_REQUESTS" ]]; then
-    echo "Using ${FOUND_PYTHONPATH} as PYTHONPATH, we found version $INSTALLED_REQUESTS_VERSION of requests, but expected $EXPECTED_REQUESTS"
-    exit 1
-else
-    echo "Using ${FOUND_PYTHONPATH} as PYTHONPATH, we found version $INSTALLED_REQUESTS_VERSION of requests, which was expected"
-fi

python-setup/tests/pipenv/python-3.8/Pipfile.lock

@@ -18,43 +18,116 @@
     "default": {
         "certifi": {
             "hashes": [
-                "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3",
-                "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"
+                "sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7",
+                "sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716"
             ],
-            "index": "pypi",
-            "version": "==2022.12.7"
+            "markers": "python_version >= '3.6'",
+            "version": "==2023.5.7"
         },
         "charset-normalizer": {
             "hashes": [
-                "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597",
-                "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df"
+                "sha256:04afa6387e2b282cf78ff3dbce20f0cc071c12dc8f685bd40960cc68644cfea6",
+                "sha256:04eefcee095f58eaabe6dc3cc2262f3bcd776d2c67005880894f447b3f2cb9c1",
+                "sha256:0be65ccf618c1e7ac9b849c315cc2e8a8751d9cfdaa43027d4f6624bd587ab7e",
+                "sha256:0c95f12b74681e9ae127728f7e5409cbbef9cd914d5896ef238cc779b8152373",
+                "sha256:0ca564606d2caafb0abe6d1b5311c2649e8071eb241b2d64e75a0d0065107e62",
+                "sha256:10c93628d7497c81686e8e5e557aafa78f230cd9e77dd0c40032ef90c18f2230",
+                "sha256:11d117e6c63e8f495412d37e7dc2e2fff09c34b2d09dbe2bee3c6229577818be",
+                "sha256:11d3bcb7be35e7b1bba2c23beedac81ee893ac9871d0ba79effc7fc01167db6c",
+                "sha256:12a2b561af122e3d94cdb97fe6fb2bb2b82cef0cdca131646fdb940a1eda04f0",
+                "sha256:12d1a39aa6b8c6f6248bb54550efcc1c38ce0d8096a146638fd4738e42284448",
+                "sha256:1435ae15108b1cb6fffbcea2af3d468683b7afed0169ad718451f8db5d1aff6f",
+                "sha256:1c60b9c202d00052183c9be85e5eaf18a4ada0a47d188a83c8f5c5b23252f649",
+                "sha256:1e8fcdd8f672a1c4fc8d0bd3a2b576b152d2a349782d1eb0f6b8e52e9954731d",
+                "sha256:20064ead0717cf9a73a6d1e779b23d149b53daf971169289ed2ed43a71e8d3b0",
+                "sha256:21fa558996782fc226b529fdd2ed7866c2c6ec91cee82735c98a197fae39f706",
+                "sha256:22908891a380d50738e1f978667536f6c6b526a2064156203d418f4856d6e86a",
+                "sha256:3160a0fd9754aab7d47f95a6b63ab355388d890163eb03b2d2b87ab0a30cfa59",
+                "sha256:322102cdf1ab682ecc7d9b1c5eed4ec59657a65e1c146a0da342b78f4112db23",
+                "sha256:34e0a2f9c370eb95597aae63bf85eb5e96826d81e3dcf88b8886012906f509b5",
+                "sha256:3573d376454d956553c356df45bb824262c397c6e26ce43e8203c4c540ee0acb",
+                "sha256:3747443b6a904001473370d7810aa19c3a180ccd52a7157aacc264a5ac79265e",
+                "sha256:38e812a197bf8e71a59fe55b757a84c1f946d0ac114acafaafaf21667a7e169e",
+                "sha256:3a06f32c9634a8705f4ca9946d667609f52cf130d5548881401f1eb2c39b1e2c",
+                "sha256:3a5fc78f9e3f501a1614a98f7c54d3969f3ad9bba8ba3d9b438c3bc5d047dd28",
+                "sha256:3d9098b479e78c85080c98e1e35ff40b4a31d8953102bb0fd7d1b6f8a2111a3d",
+                "sha256:3dc5b6a8ecfdc5748a7e429782598e4f17ef378e3e272eeb1340ea57c9109f41",
+                "sha256:4155b51ae05ed47199dc5b2a4e62abccb274cee6b01da5b895099b61b1982974",
+                "sha256:49919f8400b5e49e961f320c735388ee686a62327e773fa5b3ce6721f7e785ce",
+                "sha256:53d0a3fa5f8af98a1e261de6a3943ca631c526635eb5817a87a59d9a57ebf48f",
+                "sha256:5f008525e02908b20e04707a4f704cd286d94718f48bb33edddc7d7b584dddc1",
+                "sha256:628c985afb2c7d27a4800bfb609e03985aaecb42f955049957814e0491d4006d",
+                "sha256:65ed923f84a6844de5fd29726b888e58c62820e0769b76565480e1fdc3d062f8",
+                "sha256:6734e606355834f13445b6adc38b53c0fd45f1a56a9ba06c2058f86893ae8017",
+                "sha256:6baf0baf0d5d265fa7944feb9f7451cc316bfe30e8df1a61b1bb08577c554f31",
+                "sha256:6f4f4668e1831850ebcc2fd0b1cd11721947b6dc7c00bf1c6bd3c929ae14f2c7",
+                "sha256:6f5c2e7bc8a4bf7c426599765b1bd33217ec84023033672c1e9a8b35eaeaaaf8",
+                "sha256:6f6c7a8a57e9405cad7485f4c9d3172ae486cfef1344b5ddd8e5239582d7355e",
+                "sha256:7381c66e0561c5757ffe616af869b916c8b4e42b367ab29fedc98481d1e74e14",
+                "sha256:73dc03a6a7e30b7edc5b01b601e53e7fc924b04e1835e8e407c12c037e81adbd",
+                "sha256:74db0052d985cf37fa111828d0dd230776ac99c740e1a758ad99094be4f1803d",
+                "sha256:75f2568b4189dda1c567339b48cba4ac7384accb9c2a7ed655cd86b04055c795",
+                "sha256:78cacd03e79d009d95635e7d6ff12c21eb89b894c354bd2b2ed0b4763373693b",
+                "sha256:80d1543d58bd3d6c271b66abf454d437a438dff01c3e62fdbcd68f2a11310d4b",
+                "sha256:830d2948a5ec37c386d3170c483063798d7879037492540f10a475e3fd6f244b",
+                "sha256:891cf9b48776b5c61c700b55a598621fdb7b1e301a550365571e9624f270c203",
+                "sha256:8f25e17ab3039b05f762b0a55ae0b3632b2e073d9c8fc88e89aca31a6198e88f",
+                "sha256:9a3267620866c9d17b959a84dd0bd2d45719b817245e49371ead79ed4f710d19",
+                "sha256:a04f86f41a8916fe45ac5024ec477f41f886b3c435da2d4e3d2709b22ab02af1",
+                "sha256:aaf53a6cebad0eae578f062c7d462155eada9c172bd8c4d250b8c1d8eb7f916a",
+                "sha256:abc1185d79f47c0a7aaf7e2412a0eb2c03b724581139193d2d82b3ad8cbb00ac",
+                "sha256:ac0aa6cd53ab9a31d397f8303f92c42f534693528fafbdb997c82bae6e477ad9",
+                "sha256:ac3775e3311661d4adace3697a52ac0bab17edd166087d493b52d4f4f553f9f0",
+                "sha256:b06f0d3bf045158d2fb8837c5785fe9ff9b8c93358be64461a1089f5da983137",
+                "sha256:b116502087ce8a6b7a5f1814568ccbd0e9f6cfd99948aa59b0e241dc57cf739f",
+                "sha256:b82fab78e0b1329e183a65260581de4375f619167478dddab510c6c6fb04d9b6",
+                "sha256:bd7163182133c0c7701b25e604cf1611c0d87712e56e88e7ee5d72deab3e76b5",
+                "sha256:c36bcbc0d5174a80d6cccf43a0ecaca44e81d25be4b7f90f0ed7bcfbb5a00909",
+                "sha256:c3af8e0f07399d3176b179f2e2634c3ce9c1301379a6b8c9c9aeecd481da494f",
+                "sha256:c84132a54c750fda57729d1e2599bb598f5fa0344085dbde5003ba429a4798c0",
+                "sha256:cb7b2ab0188829593b9de646545175547a70d9a6e2b63bf2cd87a0a391599324",
+                "sha256:cca4def576f47a09a943666b8f829606bcb17e2bc2d5911a46c8f8da45f56755",
+                "sha256:cf6511efa4801b9b38dc5546d7547d5b5c6ef4b081c60b23e4d941d0eba9cbeb",
+                "sha256:d16fd5252f883eb074ca55cb622bc0bee49b979ae4e8639fff6ca3ff44f9f854",
+                "sha256:d2686f91611f9e17f4548dbf050e75b079bbc2a82be565832bc8ea9047b61c8c",
+                "sha256:d7fc3fca01da18fbabe4625d64bb612b533533ed10045a2ac3dd194bfa656b60",
+                "sha256:dd5653e67b149503c68c4018bf07e42eeed6b4e956b24c00ccdf93ac79cdff84",
+                "sha256:de5695a6f1d8340b12a5d6d4484290ee74d61e467c39ff03b39e30df62cf83a0",
+                "sha256:e0ac8959c929593fee38da1c2b64ee9778733cdf03c482c9ff1d508b6b593b2b",
+                "sha256:e1b25e3ad6c909f398df8921780d6a3d120d8c09466720226fc621605b6f92b1",
+                "sha256:e633940f28c1e913615fd624fcdd72fdba807bf53ea6925d6a588e84e1151531",
+                "sha256:e89df2958e5159b811af9ff0f92614dabf4ff617c03a4c1c6ff53bf1c399e0e1",
+                "sha256:ea9f9c6034ea2d93d9147818f17c2a0860d41b71c38b9ce4d55f21b6f9165a11",
+                "sha256:f645caaf0008bacf349875a974220f1f1da349c5dbe7c4ec93048cdc785a3326",
+                "sha256:f8303414c7b03f794347ad062c0516cee0e15f7a612abd0ce1e25caf6ceb47df",
+                "sha256:fca62a8301b605b954ad2e9c3666f9d97f63872aa4efcae5492baca2056b74ab"
             ],
-            "markers": "python_version >= '3'",
-            "version": "==2.0.12"
+            "markers": "python_full_version >= '3.7.0'",
+            "version": "==3.1.0"
         },
         "idna": {
             "hashes": [
                 "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
                 "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
             ],
-            "markers": "python_version >= '3'",
+            "markers": "python_version >= '3.5'",
             "version": "==3.4"
         },
         "requests": {
             "hashes": [
-                "sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24",
-                "sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"
+                "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f",
+                "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"
             ],
             "index": "pypi",
-            "version": "==2.26.0"
+            "version": "==2.31.0"
         },
         "urllib3": {
             "hashes": [
-                "sha256:47cc05d99aaa09c9e72ed5809b60e7ba354e64b59c9c173ac3018642d8bb41fc",
-                "sha256:c083dd0dce68dbfbe1129d5271cb90f9447dea7d52097c6e0126120c521ddea8"
+                "sha256:61717a1095d7e155cdb737ac7bb2f4324a858a1e2e6466f6d03ff630ca68d3cc",
+                "sha256:d055c2f9d38dc53c808f6fdc8eab7360b6fdbbde02340ed25cfbcd817c62469e"
             ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
-            "version": "==1.26.13"
+            "markers": "python_version >= '3.7'",
+            "version": "==2.0.2"
         }
     },
     "develop": {}

python-setup/tests/pipenv/requests-3/Pipfile.lock

@@ -16,43 +16,116 @@
     "default": {
         "certifi": {
             "hashes": [
-                "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3",
-                "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"
+                "sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7",
+                "sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716"
             ],
-            "index": "pypi",
-            "version": "==2022.12.7"
+            "markers": "python_version >= '3.6'",
+            "version": "==2023.5.7"
         },
         "charset-normalizer": {
             "hashes": [
-                "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597",
-                "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df"
+                "sha256:04afa6387e2b282cf78ff3dbce20f0cc071c12dc8f685bd40960cc68644cfea6",
+                "sha256:04eefcee095f58eaabe6dc3cc2262f3bcd776d2c67005880894f447b3f2cb9c1",
+                "sha256:0be65ccf618c1e7ac9b849c315cc2e8a8751d9cfdaa43027d4f6624bd587ab7e",
+                "sha256:0c95f12b74681e9ae127728f7e5409cbbef9cd914d5896ef238cc779b8152373",
+                "sha256:0ca564606d2caafb0abe6d1b5311c2649e8071eb241b2d64e75a0d0065107e62",
+                "sha256:10c93628d7497c81686e8e5e557aafa78f230cd9e77dd0c40032ef90c18f2230",
+                "sha256:11d117e6c63e8f495412d37e7dc2e2fff09c34b2d09dbe2bee3c6229577818be",
+                "sha256:11d3bcb7be35e7b1bba2c23beedac81ee893ac9871d0ba79effc7fc01167db6c",
+                "sha256:12a2b561af122e3d94cdb97fe6fb2bb2b82cef0cdca131646fdb940a1eda04f0",
+                "sha256:12d1a39aa6b8c6f6248bb54550efcc1c38ce0d8096a146638fd4738e42284448",
+                "sha256:1435ae15108b1cb6fffbcea2af3d468683b7afed0169ad718451f8db5d1aff6f",
+                "sha256:1c60b9c202d00052183c9be85e5eaf18a4ada0a47d188a83c8f5c5b23252f649",
+                "sha256:1e8fcdd8f672a1c4fc8d0bd3a2b576b152d2a349782d1eb0f6b8e52e9954731d",
+                "sha256:20064ead0717cf9a73a6d1e779b23d149b53daf971169289ed2ed43a71e8d3b0",
+                "sha256:21fa558996782fc226b529fdd2ed7866c2c6ec91cee82735c98a197fae39f706",
+                "sha256:22908891a380d50738e1f978667536f6c6b526a2064156203d418f4856d6e86a",
+                "sha256:3160a0fd9754aab7d47f95a6b63ab355388d890163eb03b2d2b87ab0a30cfa59",
+                "sha256:322102cdf1ab682ecc7d9b1c5eed4ec59657a65e1c146a0da342b78f4112db23",
+                "sha256:34e0a2f9c370eb95597aae63bf85eb5e96826d81e3dcf88b8886012906f509b5",
+                "sha256:3573d376454d956553c356df45bb824262c397c6e26ce43e8203c4c540ee0acb",
+                "sha256:3747443b6a904001473370d7810aa19c3a180ccd52a7157aacc264a5ac79265e",
+                "sha256:38e812a197bf8e71a59fe55b757a84c1f946d0ac114acafaafaf21667a7e169e",
+                "sha256:3a06f32c9634a8705f4ca9946d667609f52cf130d5548881401f1eb2c39b1e2c",
+                "sha256:3a5fc78f9e3f501a1614a98f7c54d3969f3ad9bba8ba3d9b438c3bc5d047dd28",
+                "sha256:3d9098b479e78c85080c98e1e35ff40b4a31d8953102bb0fd7d1b6f8a2111a3d",
+                "sha256:3dc5b6a8ecfdc5748a7e429782598e4f17ef378e3e272eeb1340ea57c9109f41",
+                "sha256:4155b51ae05ed47199dc5b2a4e62abccb274cee6b01da5b895099b61b1982974",
+                "sha256:49919f8400b5e49e961f320c735388ee686a62327e773fa5b3ce6721f7e785ce",
+                "sha256:53d0a3fa5f8af98a1e261de6a3943ca631c526635eb5817a87a59d9a57ebf48f",
+                "sha256:5f008525e02908b20e04707a4f704cd286d94718f48bb33edddc7d7b584dddc1",
+                "sha256:628c985afb2c7d27a4800bfb609e03985aaecb42f955049957814e0491d4006d",
+                "sha256:65ed923f84a6844de5fd29726b888e58c62820e0769b76565480e1fdc3d062f8",
+                "sha256:6734e606355834f13445b6adc38b53c0fd45f1a56a9ba06c2058f86893ae8017",
+                "sha256:6baf0baf0d5d265fa7944feb9f7451cc316bfe30e8df1a61b1bb08577c554f31",
+                "sha256:6f4f4668e1831850ebcc2fd0b1cd11721947b6dc7c00bf1c6bd3c929ae14f2c7",
+                "sha256:6f5c2e7bc8a4bf7c426599765b1bd33217ec84023033672c1e9a8b35eaeaaaf8",
+                "sha256:6f6c7a8a57e9405cad7485f4c9d3172ae486cfef1344b5ddd8e5239582d7355e",
+                "sha256:7381c66e0561c5757ffe616af869b916c8b4e42b367ab29fedc98481d1e74e14",
+                "sha256:73dc03a6a7e30b7edc5b01b601e53e7fc924b04e1835e8e407c12c037e81adbd",
+                "sha256:74db0052d985cf37fa111828d0dd230776ac99c740e1a758ad99094be4f1803d",
+                "sha256:75f2568b4189dda1c567339b48cba4ac7384accb9c2a7ed655cd86b04055c795",
+                "sha256:78cacd03e79d009d95635e7d6ff12c21eb89b894c354bd2b2ed0b4763373693b",
+                "sha256:80d1543d58bd3d6c271b66abf454d437a438dff01c3e62fdbcd68f2a11310d4b",
+                "sha256:830d2948a5ec37c386d3170c483063798d7879037492540f10a475e3fd6f244b",
+                "sha256:891cf9b48776b5c61c700b55a598621fdb7b1e301a550365571e9624f270c203",
+                "sha256:8f25e17ab3039b05f762b0a55ae0b3632b2e073d9c8fc88e89aca31a6198e88f",
+                "sha256:9a3267620866c9d17b959a84dd0bd2d45719b817245e49371ead79ed4f710d19",
+                "sha256:a04f86f41a8916fe45ac5024ec477f41f886b3c435da2d4e3d2709b22ab02af1",
+                "sha256:aaf53a6cebad0eae578f062c7d462155eada9c172bd8c4d250b8c1d8eb7f916a",
+                "sha256:abc1185d79f47c0a7aaf7e2412a0eb2c03b724581139193d2d82b3ad8cbb00ac",
+                "sha256:ac0aa6cd53ab9a31d397f8303f92c42f534693528fafbdb997c82bae6e477ad9",
+                "sha256:ac3775e3311661d4adace3697a52ac0bab17edd166087d493b52d4f4f553f9f0",
+                "sha256:b06f0d3bf045158d2fb8837c5785fe9ff9b8c93358be64461a1089f5da983137",
+                "sha256:b116502087ce8a6b7a5f1814568ccbd0e9f6cfd99948aa59b0e241dc57cf739f",
+                "sha256:b82fab78e0b1329e183a65260581de4375f619167478dddab510c6c6fb04d9b6",
+                "sha256:bd7163182133c0c7701b25e604cf1611c0d87712e56e88e7ee5d72deab3e76b5",
+                "sha256:c36bcbc0d5174a80d6cccf43a0ecaca44e81d25be4b7f90f0ed7bcfbb5a00909",
+                "sha256:c3af8e0f07399d3176b179f2e2634c3ce9c1301379a6b8c9c9aeecd481da494f",
+                "sha256:c84132a54c750fda57729d1e2599bb598f5fa0344085dbde5003ba429a4798c0",
+                "sha256:cb7b2ab0188829593b9de646545175547a70d9a6e2b63bf2cd87a0a391599324",
+                "sha256:cca4def576f47a09a943666b8f829606bcb17e2bc2d5911a46c8f8da45f56755",
+                "sha256:cf6511efa4801b9b38dc5546d7547d5b5c6ef4b081c60b23e4d941d0eba9cbeb",
+                "sha256:d16fd5252f883eb074ca55cb622bc0bee49b979ae4e8639fff6ca3ff44f9f854",
+                "sha256:d2686f91611f9e17f4548dbf050e75b079bbc2a82be565832bc8ea9047b61c8c",
+                "sha256:d7fc3fca01da18fbabe4625d64bb612b533533ed10045a2ac3dd194bfa656b60",
+                "sha256:dd5653e67b149503c68c4018bf07e42eeed6b4e956b24c00ccdf93ac79cdff84",
+                "sha256:de5695a6f1d8340b12a5d6d4484290ee74d61e467c39ff03b39e30df62cf83a0",
+                "sha256:e0ac8959c929593fee38da1c2b64ee9778733cdf03c482c9ff1d508b6b593b2b",
+                "sha256:e1b25e3ad6c909f398df8921780d6a3d120d8c09466720226fc621605b6f92b1",
+                "sha256:e633940f28c1e913615fd624fcdd72fdba807bf53ea6925d6a588e84e1151531",
+                "sha256:e89df2958e5159b811af9ff0f92614dabf4ff617c03a4c1c6ff53bf1c399e0e1",
+                "sha256:ea9f9c6034ea2d93d9147818f17c2a0860d41b71c38b9ce4d55f21b6f9165a11",
+                "sha256:f645caaf0008bacf349875a974220f1f1da349c5dbe7c4ec93048cdc785a3326",
+                "sha256:f8303414c7b03f794347ad062c0516cee0e15f7a612abd0ce1e25caf6ceb47df",
+                "sha256:fca62a8301b605b954ad2e9c3666f9d97f63872aa4efcae5492baca2056b74ab"
             ],
-            "markers": "python_version >= '3'",
-            "version": "==2.0.12"
+            "markers": "python_full_version >= '3.7.0'",
+            "version": "==3.1.0"
         },
         "idna": {
             "hashes": [
                 "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
                 "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
             ],
-            "markers": "python_version >= '3'",
+            "markers": "python_version >= '3.5'",
             "version": "==3.4"
         },
         "requests": {
             "hashes": [
-                "sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24",
-                "sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"
+                "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f",
+                "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"
             ],
             "index": "pypi",
-            "version": "==2.26.0"
+            "version": "==2.31.0"
         },
         "urllib3": {
             "hashes": [
-                "sha256:47cc05d99aaa09c9e72ed5809b60e7ba354e64b59c9c173ac3018642d8bb41fc",
-                "sha256:c083dd0dce68dbfbe1129d5271cb90f9447dea7d52097c6e0126120c521ddea8"
+                "sha256:61717a1095d7e155cdb737ac7bb2f4324a858a1e2e6466f6d03ff630ca68d3cc",
+                "sha256:d055c2f9d38dc53c808f6fdc8eab7360b6fdbbde02340ed25cfbcd817c62469e"
             ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
-            "version": "==1.26.13"
+            "markers": "python_version >= '3.7'",
+            "version": "==2.0.2"
         }
     },
     "develop": {}

python-setup/tests/poetry/python-3.8/poetry.lock

@@ -1,3 +1,5 @@
+# This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand.
+
 [[package]]
 name = "certifi"
 version = "2022.12.7"
@@ -5,6 +7,10 @@ description = "Python package for providing Mozilla's CA Bundle."
 category = "main"
 optional = false
 python-versions = ">=3.6"
+files = [
+    {file = "certifi-2022.12.7-py3-none-any.whl", hash = "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"},
+    {file = "certifi-2022.12.7.tar.gz", hash = "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3"},
+]
 
 [[package]]
 name = "charset-normalizer"
@@ -13,6 +19,10 @@ description = "The Real First Universal Charset Detector. Open, modern and activ
 category = "main"
 optional = false
 python-versions = ">=3.5.0"
+files = [
+    {file = "charset-normalizer-2.0.7.tar.gz", hash = "sha256:e019de665e2bcf9c2b64e2e5aa025fa991da8720daa3c1138cadd2fd1856aed0"},
+    {file = "charset_normalizer-2.0.7-py3-none-any.whl", hash = "sha256:f7af805c321bfa1ce6714c51f254e0d5bb5e5834039bc17db7ebe3a4cec9492b"},
+]
 
 [package.extras]
 unicode-backport = ["unicodedata2"]
@@ -24,24 +34,32 @@ description = "Internationalized Domain Names in Applications (IDNA)"
 category = "main"
 optional = false
 python-versions = ">=3.5"
+files = [
+    {file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"},
+    {file = "idna-3.3.tar.gz", hash = "sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d"},
+]
 
 [[package]]
 name = "requests"
-version = "2.26.0"
+version = "2.31.0"
 description = "Python HTTP for Humans."
 category = "main"
 optional = false
-python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*"
+python-versions = ">=3.7"
+files = [
+    {file = "requests-2.31.0-py3-none-any.whl", hash = "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f"},
+    {file = "requests-2.31.0.tar.gz", hash = "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"},
+]
 
 [package.dependencies]
 certifi = ">=2017.4.17"
-charset-normalizer = {version = ">=2.0.0,<2.1.0", markers = "python_version >= \"3\""}
-idna = {version = ">=2.5,<4", markers = "python_version >= \"3\""}
-urllib3 = ">=1.21.1,<1.27"
+charset-normalizer = ">=2,<4"
+idna = ">=2.5,<4"
+urllib3 = ">=1.21.1,<3"
 
 [package.extras]
-socks = ["PySocks (>=1.5.6,!=1.5.7)", "win-inet-pton"]
-use-chardet-on-py3 = ["chardet (>=3.0.2,<5)"]
+socks = ["PySocks (>=1.5.6,!=1.5.7)"]
+use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
 
 [[package]]
 name = "urllib3"
@@ -50,6 +68,10 @@ description = "HTTP library with thread-safe connection pooling, file post, and
 category = "main"
 optional = false
 python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4"
+files = [
+    {file = "urllib3-1.26.7-py2.py3-none-any.whl", hash = "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"},
+    {file = "urllib3-1.26.7.tar.gz", hash = "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece"},
+]
 
 [package.extras]
 brotli = ["brotlipy (>=0.6.0)"]
@@ -57,28 +79,6 @@ secure = ["certifi", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "ipaddress", "p
 socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"]
 
 [metadata]
-lock-version = "1.1"
+lock-version = "2.0"
 python-versions = "^3.8"
 content-hash = "fabc9cabf9f18437e7b9ea3dbd1895a5a118239c17b3d097c465a290707e6bfd"
-
-[metadata.files]
-certifi = [
-    {file = "certifi-2022.12.7-py3-none-any.whl", hash = "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"},
-    {file = "certifi-2022.12.7.tar.gz", hash = "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3"},
-]
-charset-normalizer = [
-    {file = "charset-normalizer-2.0.7.tar.gz", hash = "sha256:e019de665e2bcf9c2b64e2e5aa025fa991da8720daa3c1138cadd2fd1856aed0"},
-    {file = "charset_normalizer-2.0.7-py3-none-any.whl", hash = "sha256:f7af805c321bfa1ce6714c51f254e0d5bb5e5834039bc17db7ebe3a4cec9492b"},
-]
-idna = [
-    {file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"},
-    {file = "idna-3.3.tar.gz", hash = "sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d"},
-]
-requests = [
-    {file = "requests-2.26.0-py2.py3-none-any.whl", hash = "sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24"},
-    {file = "requests-2.26.0.tar.gz", hash = "sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"},
-]
-urllib3 = [
-    {file = "urllib3-1.26.7-py2.py3-none-any.whl", hash = "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"},
-    {file = "urllib3-1.26.7.tar.gz", hash = "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece"},
-]

python-setup/tests/poetry/requests-3/poetry.lock

@@ -1,3 +1,5 @@
+# This file is automatically @generated by Poetry 1.4.2 and should not be changed by hand.
+
 [[package]]
 name = "certifi"
 version = "2022.12.7"
@@ -5,6 +7,10 @@ description = "Python package for providing Mozilla's CA Bundle."
 category = "main"
 optional = false
 python-versions = ">=3.6"
+files = [
+    {file = "certifi-2022.12.7-py3-none-any.whl", hash = "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"},
+    {file = "certifi-2022.12.7.tar.gz", hash = "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3"},
+]
 
 [[package]]
 name = "charset-normalizer"
@@ -13,6 +19,10 @@ description = "The Real First Universal Charset Detector. Open, modern and activ
 category = "main"
 optional = false
 python-versions = ">=3.5.0"
+files = [
+    {file = "charset-normalizer-2.0.7.tar.gz", hash = "sha256:e019de665e2bcf9c2b64e2e5aa025fa991da8720daa3c1138cadd2fd1856aed0"},
+    {file = "charset_normalizer-2.0.7-py3-none-any.whl", hash = "sha256:f7af805c321bfa1ce6714c51f254e0d5bb5e5834039bc17db7ebe3a4cec9492b"},
+]
 
 [package.extras]
 unicode-backport = ["unicodedata2"]
@@ -24,24 +34,32 @@ description = "Internationalized Domain Names in Applications (IDNA)"
 category = "main"
 optional = false
 python-versions = ">=3.5"
+files = [
+    {file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"},
+    {file = "idna-3.3.tar.gz", hash = "sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d"},
+]
 
 [[package]]
 name = "requests"
-version = "2.26.0"
+version = "2.31.0"
 description = "Python HTTP for Humans."
 category = "main"
 optional = false
-python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*"
+python-versions = ">=3.7"
+files = [
+    {file = "requests-2.31.0-py3-none-any.whl", hash = "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f"},
+    {file = "requests-2.31.0.tar.gz", hash = "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"},
+]
 
 [package.dependencies]
 certifi = ">=2017.4.17"
-charset-normalizer = {version = ">=2.0.0,<2.1.0", markers = "python_version >= \"3\""}
-idna = {version = ">=2.5,<4", markers = "python_version >= \"3\""}
-urllib3 = ">=1.21.1,<1.27"
+charset-normalizer = ">=2,<4"
+idna = ">=2.5,<4"
+urllib3 = ">=1.21.1,<3"
 
 [package.extras]
-socks = ["PySocks (>=1.5.6,!=1.5.7)", "win-inet-pton"]
-use-chardet-on-py3 = ["chardet (>=3.0.2,<5)"]
+socks = ["PySocks (>=1.5.6,!=1.5.7)"]
+use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
 
 [[package]]
 name = "urllib3"
@@ -50,6 +68,10 @@ description = "HTTP library with thread-safe connection pooling, file post, and
 category = "main"
 optional = false
 python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4"
+files = [
+    {file = "urllib3-1.26.7-py2.py3-none-any.whl", hash = "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"},
+    {file = "urllib3-1.26.7.tar.gz", hash = "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece"},
+]
 
 [package.extras]
 brotli = ["brotlipy (>=0.6.0)"]
@@ -57,28 +79,6 @@ secure = ["certifi", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "ipaddress", "p
 socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"]
 
 [metadata]
-lock-version = "1.1"
-python-versions = "^3.6"
-content-hash = "3186fede9fea5b617c0bcebda3034f2d889a3c4579d60dd45945772895a28b7d"
-
-[metadata.files]
-certifi = [
-    {file = "certifi-2022.12.7-py3-none-any.whl", hash = "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"},
-    {file = "certifi-2022.12.7.tar.gz", hash = "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3"},
-]
-charset-normalizer = [
-    {file = "charset-normalizer-2.0.7.tar.gz", hash = "sha256:e019de665e2bcf9c2b64e2e5aa025fa991da8720daa3c1138cadd2fd1856aed0"},
-    {file = "charset_normalizer-2.0.7-py3-none-any.whl", hash = "sha256:f7af805c321bfa1ce6714c51f254e0d5bb5e5834039bc17db7ebe3a4cec9492b"},
-]
-idna = [
-    {file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"},
-    {file = "idna-3.3.tar.gz", hash = "sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d"},
-]
-requests = [
-    {file = "requests-2.26.0-py2.py3-none-any.whl", hash = "sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24"},
-    {file = "requests-2.26.0.tar.gz", hash = "sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"},
-]
-urllib3 = [
-    {file = "urllib3-1.26.7-py2.py3-none-any.whl", hash = "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"},
-    {file = "urllib3-1.26.7.tar.gz", hash = "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece"},
-]
+lock-version = "2.0"
+python-versions = "^3.7"
+content-hash = "05ba07023dd383fd84c8e4945f1eae1aac30917ad1e4c10fb03e8235fcf3c248"

python-setup/tests/poetry/requests-3/pyproject.toml

@@ -5,7 +5,7 @@ description = ""
 authors = ["Your Name <you@example.com>"]
 
 [tool.poetry.dependencies]
-python = "^3.6"
+python = "^3.7"
 requests = "*"
 
 [tool.poetry.dev-dependencies]

python-setup/tests/requirements/non-standard-location/non-standard/requirements.txt

@@ -1 +1 @@
-requests==2.26.0
+requests==2.31.0

python-setup/tests/requirements/requests-3/requirements.txt

@@ -1 +1 @@
-requests==2.26.0
+requests==2.31.0

python-setup/tests/setup_py/requests-3/setup.py

@@ -7,6 +7,6 @@ from setuptools import setup
 
 setup(
     name="example-setup.py",
-    install_requires=["requests==2.26.0"],
+    install_requires=["requests==2.31.0"],
     python_requires='>=3.7',
 )

queries/codeql-pack.lock.yml

@@ -0,0 +1,14 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql-javascript:
+    version: 0.6.1
+  codeql/regex:
+    version: 0.0.12
+  codeql/tutorial:
+    version: 0.0.9
+  codeql/util:
+    version: 0.0.9
+  codeql/yaml:
+    version: 0.0.1
+compiled: false

queries/codeql-pack.yml

@@ -1,4 +1,4 @@
 name: codeql-action-custom-queries-javascript
 version: 0.0.0
-libraryPathDependencies: codeql-javascript
-
+dependencies:
+  codeql/javascript-all: 0.6.1

queries/default-setup-environment-variables.ql

@@ -0,0 +1,52 @@
+/**
+ * @name Some environment variables may not exist in default setup workflows
+ * @id javascript/codeql-action/default-setup-env-vars
+ * @kind problem
+ * @severity warning
+ */
+
+import javascript
+
+bindingset[envVar]
+predicate isSafeForDefaultSetup(string envVar) {
+  // Ignore internal Code Scanning environment variables
+  envVar.matches("CODE_SCANNING_%") or
+  envVar.matches("CODEQL_%") or
+  envVar.matches("CODESCANNING_%") or
+  envVar.matches("LGTM_%") or
+  // We flag up usage of potentially unsafe parts of the GitHub event in `default-setup-event-context.ql`.
+  envVar = "GITHUB_EVENT_PATH" or
+  // The following environment variables are known to be safe for use with default setup
+  envVar =
+    [
+      "GITHUB_ACTION_REF", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTOR", "GITHUB_API_URL",
+      "GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",
+      "GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",
+      "GITHUB_WORKSPACE", "GOFLAGS", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH", "RUNNER_NAME", "RUNNER_OS",
+      "RUNNER_TEMP", "RUNNER_TOOL_CACHE"
+    ]
+}
+
+predicate envVarRead(DataFlow::Node node, string envVar) {
+  node =
+    any(DataFlow::PropRead read |
+      read = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead() and
+      envVar = read.getPropertyName()
+    ) or
+  node =
+    any(DataFlow::CallNode call |
+      call.getCalleeName().matches("get%EnvParam") and
+      envVar = call.getArgument(0).getStringValue()
+    )
+}
+
+from DataFlow::Node read, string envVar
+where
+  envVarRead(read, envVar) and
+  not isSafeForDefaultSetup(envVar)
+select read,
+  "The environment variable " + envVar +
+    " may not exist in default setup workflows. If all uses are safe, add it to the list of " +
+    "environment variables that are known to be safe in " +
+    "'queries/default-setup-environment-variables.ql'. If this use is safe but others are not, " +
+    "dismiss this alert as a false positive."

queries/default-setup-event-context.ql

@@ -0,0 +1,58 @@
+/**
+ * @name Some context properties may not exist in default setup workflows
+ * @id javascript/codeql-action/default-setup-context-properties
+ * @kind path-problem
+ * @severity warning
+ */
+
+import javascript
+import DataFlow::PathGraph
+
+class NotParsedLabel extends DataFlow::FlowLabel {
+  NotParsedLabel() { this = "not-parsed" }
+}
+
+class ParsedLabel extends DataFlow::FlowLabel {
+  ParsedLabel() { this = "parsed" }
+}
+
+class EventContextAccessConfiguration extends DataFlow::Configuration {
+  EventContextAccessConfiguration() { this = "EventContextAccessConfiguration" }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
+    source = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead("GITHUB_EVENT_PATH") and
+    lbl instanceof NotParsedLabel
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
+    sink instanceof DataFlow::PropRead and
+    lbl instanceof ParsedLabel and
+    not exists(DataFlow::PropRead n | sink = n.getBase()) and
+    not sink.asExpr().getFile().getBaseName().matches("%.test.ts")
+  }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
+  ) {
+    src = trg.(FileSystemReadAccess).getAPathArgument() and inlbl = outlbl
+    or
+    exists(JsonParserCall c |
+      src = c.getInput() and
+      trg = c.getOutput() and
+      inlbl instanceof NotParsedLabel and
+      outlbl instanceof ParsedLabel
+    )
+    or
+    (
+      TaintTracking::sharedTaintStep(src, trg) or
+      DataFlow::SharedFlowStep::step(src, trg) or
+      DataFlow::SharedFlowStep::step(src, trg, _, _)
+    ) and
+    inlbl = outlbl
+  }
+}
+
+from EventContextAccessConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "This event context property may not exist in default setup workflows."