Merge pull request #1706 from github/update-v2.3.5-d3314cca2

Merge main into releases/v2

.github/actions/setup-swift/action.yml

@@ -1,5 +1,5 @@
 name: "Set up Swift"
-description: Sets up an appropriate Swift version if Swift is enabled via CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT.
+description: Sets up an appropriate Swift version if supported on this platform.
 inputs:
   codeql-path:
     description: Path to the CodeQL CLI executable.
@@ -9,24 +9,29 @@ runs:
   steps:
     - name: Get Swift version
       id: get_swift_version
-      if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
+      if: runner.os != 'Windows'
       shell: bash
       env: 
         CODEQL_PATH: ${{ inputs.codeql-path }}
       run: |
-        if [ $RUNNER_OS = "macOS" ]; then
+        if [[ $RUNNER_OS = "macOS" ]]; then
           PLATFORM="osx64"
         else # We do not run this step on Windows.
           PLATFORM="linux64"
         fi 
         SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
+        if [ $SWIFT_EXTRACTOR_DIR = "null" ]; then
+          VERSION="null"
+        else
           VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/$PLATFORM/extractor" --version | awk '/version/ { print $3 }')"
           # Specify 5.7.0, otherwise setup Action will default to latest minor version. 
           if [ $VERSION = "5.7" ]; then
             VERSION="5.7.0"
           fi
+        fi
         echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
+
     - uses: swift-actions/setup-swift@65540b95f51493d65f5e59e97dcef9629ddf11bf # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
-      if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
+      if: runner.os != 'Windows' && steps.get_swift_version.outputs.version != 'null'
       with:
         swift-version: "${{ steps.get_swift_version.outputs.version }}"

.github/workflows/__analyze-ref-input.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: "Analyze: 'ref' and 'sha' from inputs"
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -84,8 +87,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__autobuild-action.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - autobuild-action
@@ -32,6 +32,9 @@ jobs:
         - os: windows-latest
           version: latest
     name: autobuild-action
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -48,8 +51,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__config-export.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Config export
@@ -38,6 +38,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: Config export
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -54,8 +57,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__diagnostics-export.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Diagnostic export
@@ -44,6 +44,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: Diagnostic export
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -60,8 +63,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__export-file-baseline-information.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Export file baseline information
@@ -32,6 +32,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: Export file baseline information
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -48,8 +51,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__extractor-ram-threads.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Extractor ram and threads options test
@@ -28,6 +28,9 @@ jobs:
         - os: ubuntu-latest
           version: latest
     name: Extractor ram and threads options test
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -44,8 +47,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__go-custom-queries.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: Custom queries'
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Go: Custom queries'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -84,8 +87,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__go-tracing-autobuilder.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: tracing with autobuilder step'
@@ -54,6 +54,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: 'Go: tracing with autobuilder step'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -70,8 +73,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: tracing with custom build steps'
@@ -54,6 +54,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: 'Go: tracing with custom build steps'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -70,8 +73,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Go: tracing with legacy workflow'
@@ -54,6 +54,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: 'Go: tracing with legacy workflow'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -70,8 +73,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__init-with-registries.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Download using registries'
@@ -44,6 +44,10 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Download using registries'
+    permissions:
+      contents: read
+      packages: read
+
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -60,8 +64,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
@@ -128,9 +131,5 @@ jobs:
             cat $QLCONFIG_PATH
             exit 1
         fi
-    permissions:
-      contents: read
-      packages: read
-
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__javascript-source-root.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Custom source root
@@ -32,6 +32,9 @@ jobs:
         - os: ubuntu-latest
           version: nightly-latest
     name: Custom source root
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -48,8 +51,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__ml-powered-queries.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - ML-powered queries
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: ML-powered queries
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -84,8 +87,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__multi-language-autodetect.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Multi-language repository
@@ -54,6 +54,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: Multi-language repository
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -70,8 +73,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
@@ -94,7 +96,7 @@ jobs:
       with:
         upload-database: false
 
-    - name: Check language autodetect for all languages excluding Ruby, Swift
+    - name: Check language autodetect for all languages excluding Swift
       shell: bash
       run: |
         CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
@@ -127,11 +129,6 @@ jobs:
           echo "Did not create a database for Python, or created it in the wrong location."
           exit 1
         fi
-
-    - name: Check language autodetect for Ruby
-      if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
-      shell: bash
-      run: |
         RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
         if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
           echo "Did not create a database for Ruby, or created it in the wrong location."
@@ -139,7 +136,9 @@ jobs:
         fi
 
     - name: Check language autodetect for Swift
-      if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
+      if: >-
+        env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' || 
+            (runner.os != 'Windows' && matrix.version == 'nightly-latest')
       shell: bash
       run: |
         SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config and input passed to the CLI'
@@ -44,6 +44,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Config and input passed to the CLI'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -60,8 +63,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__packaging-config-inputs-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config and input'
@@ -44,6 +44,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Config and input'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -60,8 +63,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__packaging-config-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Config file'
@@ -44,6 +44,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Config file'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -60,8 +63,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__packaging-inputs-js.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: 'PR Check - Packaging: Action input'
@@ -44,6 +44,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Action input'
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -60,8 +63,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__remote-config.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Remote config file
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: Remote config file
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -84,8 +87,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__rubocop-multi-language.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - RuboCop multi-language
@@ -28,6 +28,9 @@ jobs:
         - os: ubuntu-latest
           version: cached
     name: RuboCop multi-language
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -44,8 +47,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__ruby.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Ruby analysis
@@ -38,6 +38,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: Ruby analysis
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -54,8 +57,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__split-workflow.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Split workflow
@@ -38,6 +38,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: Split workflow
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -54,8 +57,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__submit-sarif-failure.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Submit SARIF after failure
@@ -32,6 +32,9 @@ jobs:
         - os: ubuntu-latest
           version: nightly-latest
     name: Submit SARIF after failure
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -48,8 +51,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__swift-custom-build.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Swift analysis using a custom build command
@@ -38,6 +38,9 @@ jobs:
         - os: macos-latest
           version: nightly-latest
     name: Swift analysis using a custom build command
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -54,8 +57,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__test-autobuild-working-dir.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Autobuild working directory
@@ -28,6 +28,9 @@ jobs:
         - os: ubuntu-latest
           version: latest
     name: Autobuild working directory
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -44,8 +47,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__test-local-codeql.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Local CodeQL bundle
@@ -28,6 +28,9 @@ jobs:
         - os: ubuntu-latest
           version: nightly-latest
     name: Local CodeQL bundle
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -44,8 +47,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__test-proxy.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Proxy test
@@ -28,6 +28,9 @@ jobs:
         - os: ubuntu-latest
           version: latest
     name: Proxy test
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -44,8 +47,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__unset-environment.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Test unsetting environment variables
@@ -40,6 +40,9 @@ jobs:
         - os: ubuntu-latest
           version: nightly-latest
     name: Test unsetting environment variables
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -56,8 +59,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__upload-ref-sha-input.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: "Upload-sarif: 'ref' and 'sha' from inputs"
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -84,8 +87,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/__with-checkout-path.yml

@@ -1,6 +1,6 @@
 # Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 name: PR Check - Use a custom `checkout_path`
@@ -68,6 +68,9 @@ jobs:
         - os: windows-latest
           version: nightly-latest
     name: Use a custom `checkout_path`
+    permissions:
+      contents: read
+      security-events: write
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -84,8 +87,7 @@ jobs:
             matrix.version == '20220908' ||
             matrix.version == '20221211' ||
             matrix.version == 'cached' ||
-            matrix.version == 'latest' ||
+            matrix.version == 'latest'
-            matrix.version == 'nightly-latest'
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV

.github/workflows/debug-artifacts.yml

@@ -49,11 +49,16 @@ jobs:
         with:
           go-version: ^1.13.1
       - uses: ./../action/init
+        id: init
         with:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
           debug: true
           debug-artifact-name: my-debug-artifacts
           debug-database-name: my-db
+      - uses: ./../action/.github/actions/setup-swift
+        if: matrix.version == 'nightly-latest'
+        with:
+          codeql-path: ${{ steps.init.outputs.codeql-path }}
       - name: Build code
         shell: bash
         run: ./build.sh

.github/workflows/post-release-mergeback.yml

@@ -40,7 +40,7 @@ jobs:
 
       - name: Update git config
         run: |
-          git config --global user.email "github-actions@github.com"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
       - name: Get version and new branch

.github/workflows/update-bundle.yml

@@ -30,7 +30,7 @@ jobs:
 
       - name: Update git config
         run: |
-          git config --global user.email "github-actions@github.com"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
 
       - name: Update bundle

.github/workflows/update-dependencies.yml

@@ -29,7 +29,7 @@ jobs:
         git checkout "origin/$BRANCH"
         .github/workflows/script/update-node-modules.sh update
         if [ ! -z "$(git status --porcelain)" ]; then
-          git config --global user.email "github-actions@github.com"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
           git add node_modules
           git commit -am "Update checked-in dependencies"

.github/workflows/update-release-branch.yml

@@ -35,7 +35,7 @@ jobs:
 
     - name: Update git config
       run: |
-        git config --global user.email "github-actions@github.com"
+        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
         git config --global user.name "github-actions[bot]"
 
     - name: Update release branch

CHANGELOG.md

@@ -1,9 +1,15 @@
 # CodeQL Action Changelog
 
-## [UNRELEASED]
+## 2.3.5 - 25 May 2023
 
+- Allow invalid URIs to be used as values to `artifactLocation.uri` properties. This reverses a change from [#1668](https://github.com/github/codeql-action/pull/1668) that inadvertently led to stricter validation of some URI values. [#1705](https://github.com/github/codeql-action/pull/1705)
+- Gracefully handle invalid URIs when fingerprinting. [#1694](https://github.com/github/codeql-action/pull/1694)
+
+## 2.3.4 - 24 May 2023
+
+- Updated the SARIF 2.1.0 JSON schema file to the latest from [oasis-tcs/sarif-spec](https://github.com/oasis-tcs/sarif-spec/blob/123e95847b13fbdd4cbe2120fa5e33355d4a042b/Schemata/sarif-schema-2.1.0.json). [#1668](https://github.com/github/codeql-action/pull/1668)
 - We are rolling out a feature in May 2023 that will disable Python dependency installation for new users of the CodeQL Action. This improves the speed of analysis while having only a very minor impact on results. [#1676](https://github.com/github/codeql-action/pull/1676)
-- We are improving the way that [CodeQL bundles](https://github.com/github/codeql-action/releases) are tagged to make it possible to easily identify bundles by their CodeQL semantic version.
+- We are improving the way that [CodeQL bundles](https://github.com/github/codeql-action/releases) are tagged to make it possible to easily identify bundles by their CodeQL semantic version. [#1682](https://github.com/github/codeql-action/pull/1682)
   - As of CodeQL CLI 2.13.4, CodeQL bundles will be tagged using semantic versions, for example `codeql-bundle-v2.13.4`, instead of timestamps, like `codeql-bundle-20230615`.
   - This change does not affect the majority of workflows, and we will not be changing tags for existing bundle releases.
   - Some workflows with custom logic that depends on the specific format of the CodeQL bundle tag may need to be updated. For example, if your workflow matches CodeQL bundle tag names against a `codeql-bundle-yyyymmdd` pattern, you should update it to also recognize `codeql-bundle-vx.y.z` tags.
@@ -13,7 +19,6 @@
 
 - Update default CodeQL bundle version to 2.13.1. [#1664](https://github.com/github/codeql-action/pull/1664)
 - You can now configure CodeQL within your code scanning workflow by passing a `config` input to the `init` Action. See [Using a custom configuration file](https://aka.ms/code-scanning-docs/config-file) for more information about configuring code scanning. [#1590](https://github.com/github/codeql-action/pull/1590)
-- Updated the SARIF 2.1.0 JSON schema file to the latest from [oasis-tcs/sarif-spec](https://github.com/oasis-tcs/sarif-spec/blob/123e95847b13fbdd4cbe2120fa5e33355d4a042b/Schemata/sarif-schema-2.1.0.json). [#1668](https://github.com/github/codeql-action/pull/1668)
 
 ## 2.3.2 - 27 Apr 2023
 

CONTRIBUTING.md

@@ -12,7 +12,7 @@ Please note that this project is released with a [Contributor Code of Conduct][c
 
 ## Development and Testing
 
-Before you start, ensure that you have a recent version of node (14 or higher) installed, along with a recent version of npm (7 or higher). You can see which version of node is used by the action in `init/action.yml`.
+Before you start, ensure that you have a recent version of node (16 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in `init/action.yml`.
 
 ### Common tasks
 

README.md

@@ -170,3 +170,7 @@ You can use Actions or environment variables to share configuration across multi
 ## Troubleshooting
 
 Read about [troubleshooting code scanning](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning).
+
+## Contributing
+
+This project welcomes contributions. See [CONTRIBUTING.md](CONTRIBUTING.md) for details on how to build, install, and contribute.

lib/fingerprints.js

@@ -194,7 +194,14 @@ function resolveUriToFile(location, artifacts, sourceRoot, logger) {
         logger.debug(`Ignoring location as URI "${location.uri}" is invalid`);
         return undefined;
     }
-    let uri = decodeURIComponent(location.uri);
+    let uri;
+    try {
+        uri = decodeURIComponent(location.uri);
+    }
+    catch (e) {
+        logger.debug(`Ignoring location as URI "${location.uri}" is invalid`);
+        return undefined;
+    }
     // Remove a file scheme, and abort if the scheme is anything else
     const fileUriPrefix = "file://";
     if (uri.startsWith(fileUriPrefix)) {

lib/init-action-post-helper.js

@@ -110,8 +110,9 @@ async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, p
     // but we didn't upload anything.
     if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true" &&
         !uploadFailedSarifResult.raw_upload_size_bytes) {
+        const error = JSON.stringify(uploadFailedSarifResult);
         throw new Error("Expected to upload a failed SARIF file for this CodeQL code scanning run, " +
-            `but the result was instead ${uploadFailedSarifResult}.`);
+            `but the result was instead ${error}.`);
     }
     // Upload appropriate Actions artifacts for debugging
     if (config.debugMode) {

lib/init-action-post-helper.js.map

@@ -1 +1 @@
-{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAAuF;AACvF,wDAA0C;AAC1C,iCAKgB;AAChB,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,MAAM,YAAY,GAAG,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC;IACtC,OAAO;QACL,uBAAuB,EAAE,YAAY,CAAC,OAAO;QAC7C,6BAA6B,EAAE,YAAY,CAAC,KAAK;KAClD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAc,EACd,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,EAAE;QACxE,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,EAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACtE,IACE,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,QAAQ,CAClC,WAAW,CAAC,cAAc,CAAC,YAAY,CAAC,CACzC;QACD,IAAA,mBAAY,GAAE,EACd;QACA,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC;IAEvC,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAE/C,kFAAkF;IAClF,IACE,YAAY,KAAK,SAAS;QAC1B,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,EACpE;QACA,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;KACvE;SAAM;QACL,8EAA8E;QAC9E,MAAM,MAAM,CAAC,yBAAyB,CACpC,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,MAAM,CACP,CAAC;KACH;IAED,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,YAAY,EAAE,YAAY,IAAI,EAAE,CAAC;AAC1C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,oEAA+C,CAAC,KAAK,MAAM,EAAE;QAC3E,IAAI;YACF,OAAO,MAAM,sBAAsB,CACjC,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CACV,2EAA2E,CAAC,EAAE,CAC/E,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,OAAO;YACL,iCAAiC,EAC/B,uCAAuC;SAC1C,CAAC;KACH;AACH,CAAC;AA1BD,8DA0BC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,yBAAyB,CAC7D,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;IAEF,IAAI,uBAAuB,CAAC,iCAAiC,EAAE;QAC7D,MAAM,CAAC,KAAK,CACV,8EAA8E;YAC5E,GAAG,uBAAuB,CAAC,iCAAiC,GAAG,CAClE,CAAC;KACH;IACD,8FAA8F;IAC9F,iCAAiC;IACjC,IACE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM;QAClE,CAAC,uBAAuB,CAAC,qBAAqB,EAC9C;QACA,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,8BAA8B,uBAAuB,GAAG,CAC3D,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AArDD,kBAqDC"}
+{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAAuF;AACvF,wDAA0C;AAC1C,iCAKgB;AAChB,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,MAAM,YAAY,GAAG,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC;IACtC,OAAO;QACL,uBAAuB,EAAE,YAAY,CAAC,OAAO;QAC7C,6BAA6B,EAAE,YAAY,CAAC,KAAK;KAClD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAc,EACd,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,EAAE;QACxE,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,EAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACtE,IACE,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,QAAQ,CAClC,WAAW,CAAC,cAAc,CAAC,YAAY,CAAC,CACzC;QACD,IAAA,mBAAY,GAAE,EACd;QACA,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC;IAEvC,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAE/C,kFAAkF;IAClF,IACE,YAAY,KAAK,SAAS;QAC1B,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,EACpE;QACA,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;KACvE;SAAM;QACL,8EAA8E;QAC9E,MAAM,MAAM,CAAC,yBAAyB,CACpC,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,MAAM,CACP,CAAC;KACH;IAED,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,YAAY,EAAE,YAAY,IAAI,EAAE,CAAC;AAC1C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,oEAA+C,CAAC,KAAK,MAAM,EAAE;QAC3E,IAAI;YACF,OAAO,MAAM,sBAAsB,CACjC,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CACV,2EAA2E,CAAC,EAAE,CAC/E,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,OAAO;YACL,iCAAiC,EAC/B,uCAAuC;SAC1C,CAAC;KACH;AACH,CAAC;AA1BD,8DA0BC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,yBAAyB,CAC7D,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;IAEF,IAAI,uBAAuB,CAAC,iCAAiC,EAAE;QAC7D,MAAM,CAAC,KAAK,CACV,8EAA8E;YAC5E,GAAG,uBAAuB,CAAC,iCAAiC,GAAG,CAClE,CAAC;KACH;IACD,8FAA8F;IAC9F,iCAAiC;IACjC,IACE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM;QAClE,CAAC,uBAAuB,CAAC,qBAAqB,EAC9C;QACA,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,8BAA8B,KAAK,GAAG,CACzC,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AAtDD,kBAsDC"}

lib/upload-lib.js

@@ -181,16 +181,23 @@ function validateSarifFileSchema(sarifFilePath, logger) {
     const sarif = JSON.parse(fs.readFileSync(sarifFilePath, "utf8"));
     const schema = require("../src/sarif-schema-2.1.0.json");
     const result = new jsonschema.Validator().validate(sarif, schema);
-    if (!result.valid) {
+    // Filter errors related to invalid URIs in the artifactLocation field as this
+    // is a breaking change. See https://github.com/github/codeql-action/issues/1703
+    const errors = (result.errors || []).filter((err) => err.argument !== "uri-reference");
+    const warnings = (result.errors || []).filter((err) => err.argument === "uri-reference");
+    for (const warning of warnings) {
+        logger.info(`Warning: '${warning.instance}' is not a valid URI in '${warning.property}'.`);
+    }
+    if (errors.length) {
         // Output the more verbose error messages in groups as these may be very large.
-        for (const error of result.errors) {
+        for (const error of errors) {
             logger.startGroup(`Error details: ${error.stack}`);
             logger.info(JSON.stringify(error, null, 2));
             logger.endGroup();
         }
         // Set the main error message to the stacks of all the errors.
         // This should be of a manageable size and may even give enough to fix the error.
-        const sarifErrors = result.errors.map((e) => `- ${e.stack}`);
+        const sarifErrors = errors.map((e) => `- ${e.stack}`);
         throw new Error(`Unable to upload "${sarifFilePath}" as it is not valid SARIF:\n${sarifErrors.join("\n")}`);
     }
 }

lib/upload-lib.test.js

@@ -233,6 +233,18 @@ ava_1.default.beforeEach(() => {
     t.deepEqual(loggedMessages.length, 1);
     t.assert(loggedMessages[0].includes("Pruned 2 results"));
 });
+(0, ava_1.default)("accept results with invalid artifactLocation.uri value", (t) => {
+    const loggedMessages = [];
+    const mockLogger = {
+        info: (message) => {
+            loggedMessages.push(message);
+        },
+    };
+    const sarifFile = `${__dirname}/../src/testdata/with-invalid-uri.sarif`;
+    uploadLib.validateSarifFileSchema(sarifFile, mockLogger);
+    t.deepEqual(loggedMessages.length, 1);
+    t.deepEqual(loggedMessages[0], "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri'.");
+});
 const affectedCodeQLVersion = {
     driver: {
         name: "CodeQL",

lib/util.js

@@ -673,11 +673,6 @@ function removeDuplicateLocations(locations) {
     });
 }
 function fixInvalidNotifications(sarif, logger) {
-    if (process.env[shared_environment_1.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX] === "true") {
-        logger.info("SARIF notification object duplicate location fix disabled by the " +
-            `${shared_environment_1.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX} environment variable.`);
-        return sarif;
-    }
     if (!Array.isArray(sarif.runs)) {
         return sarif;
     }
@@ -727,11 +722,28 @@ function fixInvalidNotifications(sarif, logger) {
     return newSarif;
 }
 exports.fixInvalidNotifications = fixInvalidNotifications;
+/**
+ * Removes duplicates from the sarif file.
+ *
+ * When `CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX` is set to true, this will
+ * simply rename the input file to the output file. Otherwise, it will parse the
+ * input file as JSON, remove duplicate locations from the SARIF notification
+ * objects, and write the result to the output file.
+ *
+ * For context, see documentation of:
+ * `CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX`. */
 function fixInvalidNotificationsInFile(inputPath, outputPath, logger) {
+    if (process.env[shared_environment_1.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX] === "true") {
+        logger.info("SARIF notification object duplicate location fix disabled by the " +
+            `${shared_environment_1.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX} environment variable.`);
+        fs.renameSync(inputPath, outputPath);
+    }
+    else {
         let sarif = JSON.parse(fs.readFileSync(inputPath, "utf8"));
         sarif = fixInvalidNotifications(sarif, logger);
         fs.writeFileSync(outputPath, JSON.stringify(sarif));
     }
+}
 exports.fixInvalidNotificationsInFile = fixInvalidNotificationsInFile;
 function wrapError(error) {
     return error instanceof Error ? error : new Error(String(error));

lib/workflow.js

@@ -298,7 +298,9 @@ function getInputOrThrow(workflow, jobName, actionName, inputName, matrixVars) {
  * This allows us to test workflow parsing functionality as a CodeQL Action PR check.
  */
 function getAnalyzeActionName() {
-    if ((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY") === "github/codeql-action") {
+    if ((0, util_1.isInTestMode)() ||
+        process.env["CODEQL_ACTION_TESTING_ENVIRONMENT"] ===
+            "codeql-action-pr-checks") {
         return "./analyze";
     }
     else {

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.3.4",
+  "version": "2.3.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "2.3.4",
+  "version": "2.3.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "2.3.4",
+      "version": "2.3.5",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.1.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.3.4",
+  "version": "2.3.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/multi-language-autodetect.yml

@@ -21,7 +21,7 @@ steps:
     with:
       upload-database: false
 
-  - name: Check language autodetect for all languages excluding Ruby, Swift
+  - name: Check language autodetect for all languages excluding Swift
     shell: bash
     run: |
       CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
@@ -54,11 +54,6 @@ steps:
         echo "Did not create a database for Python, or created it in the wrong location."
         exit 1
       fi
-
-  - name: Check language autodetect for Ruby
-    if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
-    shell: bash
-    run: |
       RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
       if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
         echo "Did not create a database for Ruby, or created it in the wrong location."
@@ -66,7 +61,9 @@ steps:
       fi
 
   - name: Check language autodetect for Swift
-    if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
+    if: >- 
+      env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' || 
+          (runner.os != 'Windows' && matrix.version == 'nightly-latest')
     shell: bash
     run: |
       SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}

pr-checks/sync.py

@@ -24,7 +24,7 @@ defaultTestVersions = [
 
 header = """# Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
+#     (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
 # to regenerate this file.
 
 """
@@ -83,8 +83,7 @@ for file in os.listdir('checks'):
                     matrix.version == '20220908' ||
                     matrix.version == '20221211' ||
                     matrix.version == 'cached' ||
-                    matrix.version == 'latest' ||
+                    matrix.version == 'latest'
-                    matrix.version == 'nightly-latest'
                 )
             ''').strip()),
             'shell': 'bash',
@@ -101,6 +100,10 @@ for file in os.listdir('checks'):
             }
         },
         'name': checkSpecification['name'],
+        'permissions': {
+            'contents': 'read',
+            'security-events': 'write'
+        },
         'timeout-minutes': 45,
         'runs-on': '${{ matrix.os }}',
         'steps': steps,

src/fingerprints.ts

@@ -201,7 +201,14 @@ export function resolveUriToFile(
     logger.debug(`Ignoring location as URI "${location.uri}" is invalid`);
     return undefined;
   }
-  let uri = decodeURIComponent(location.uri as string);
+
+  let uri: string;
+  try {
+    uri = decodeURIComponent(location.uri as string);
+  } catch (e: any) {
+    logger.debug(`Ignoring location as URI "${location.uri}" is invalid`);
+    return undefined;
+  }
 
   // Remove a file scheme, and abort if the scheme is anything else
   const fileUriPrefix = "file://";

src/init-action-post-helper.ts

@@ -171,9 +171,10 @@ export async function run(
     process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true" &&
     !uploadFailedSarifResult.raw_upload_size_bytes
   ) {
+    const error = JSON.stringify(uploadFailedSarifResult);
     throw new Error(
       "Expected to upload a failed SARIF file for this CodeQL code scanning run, " +
-        `but the result was instead ${uploadFailedSarifResult}.`
+        `but the result was instead ${error}.`
     );
   }
 

src/testdata/with-invalid-uri.sarif

@@ -0,0 +1,42 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "LGTM.com",
+          "organization": "Semmle",
+          "version": "1.24.0-SNAPSHOT",
+          "rules": []
+        }
+      },
+      "results" : [ {
+        "ruleId" : "js/unused-local-variable",
+        "ruleIndex" : 0,
+        "message" : {
+          "text" : "Unused variable foo."
+        },
+        "locations" : [ {
+          "physicalLocation" : {
+            "artifactLocation" : {
+              "uri" : "not a valid URI",
+              "uriBaseId" : "%SRCROOT%",
+              "index" : 0
+            },
+            "region" : {
+              "startLine" : 2,
+              "startColumn" : 7,
+              "endColumn" : 10
+            }
+          }
+        } ]
+      } ],
+      "columnKind": "utf16CodeUnits",
+      "properties": {
+        "semmle.formatSpecifier": "2.1.0",
+        "semmle.sourceLanguage": "java"
+      }
+    }
+  ]
+}

src/upload-lib.test.ts

@@ -360,6 +360,23 @@ test("pruneInvalidResults", (t) => {
   t.assert(loggedMessages[0].includes("Pruned 2 results"));
 });
 
+test("accept results with invalid artifactLocation.uri value", (t) => {
+  const loggedMessages: string[] = [];
+  const mockLogger = {
+    info: (message: string) => {
+      loggedMessages.push(message);
+    },
+  } as Logger;
+
+  const sarifFile = `${__dirname}/../src/testdata/with-invalid-uri.sarif`;
+  uploadLib.validateSarifFileSchema(sarifFile, mockLogger);
+
+  t.deepEqual(loggedMessages.length, 1);
+  t.deepEqual(
+    loggedMessages[0],
+    "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri'."
+  );
+});
 const affectedCodeQLVersion = {
   driver: {
     name: "CodeQL",

src/upload-lib.ts

@@ -228,9 +228,24 @@ export function validateSarifFileSchema(sarifFilePath: string, logger: Logger) {
   const schema = require("../src/sarif-schema-2.1.0.json") as jsonschema.Schema;
 
   const result = new jsonschema.Validator().validate(sarif, schema);
-  if (!result.valid) {
+  // Filter errors related to invalid URIs in the artifactLocation field as this
+  // is a breaking change. See https://github.com/github/codeql-action/issues/1703
+  const errors = (result.errors || []).filter(
+    (err) => err.argument !== "uri-reference"
+  );
+  const warnings = (result.errors || []).filter(
+    (err) => err.argument === "uri-reference"
+  );
+
+  for (const warning of warnings) {
+    logger.info(
+      `Warning: '${warning.instance}' is not a valid URI in '${warning.property}'.`
+    );
+  }
+
+  if (errors.length) {
     // Output the more verbose error messages in groups as these may be very large.
-    for (const error of result.errors) {
+    for (const error of errors) {
       logger.startGroup(`Error details: ${error.stack}`);
       logger.info(JSON.stringify(error, null, 2));
       logger.endGroup();
@@ -238,7 +253,7 @@ export function validateSarifFileSchema(sarifFilePath: string, logger: Logger) {
 
     // Set the main error message to the stacks of all the errors.
     // This should be of a manageable size and may even give enough to fix the error.
-    const sarifErrors = result.errors.map((e) => `- ${e.stack}`);
+    const sarifErrors = errors.map((e) => `- ${e.stack}`);
     throw new Error(
       `Unable to upload "${sarifFilePath}" as it is not valid SARIF:\n${sarifErrors.join(
         "\n"

src/util.ts

@@ -818,13 +818,6 @@ export function fixInvalidNotifications(
   sarif: SarifFile,
   logger: Logger
 ): SarifFile {
-  if (process.env[CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX] === "true") {
-    logger.info(
-      "SARIF notification object duplicate location fix disabled by the " +
-        `${CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX} environment variable.`
-    );
-    return sarif;
-  }
   if (!Array.isArray(sarif.runs)) {
     return sarif;
   }
@@ -883,15 +876,33 @@ export function fixInvalidNotifications(
   return newSarif;
 }
 
+/**
+ * Removes duplicates from the sarif file.
+ *
+ * When `CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX` is set to true, this will
+ * simply rename the input file to the output file. Otherwise, it will parse the
+ * input file as JSON, remove duplicate locations from the SARIF notification
+ * objects, and write the result to the output file.
+ *
+ * For context, see documentation of:
+ * `CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX`. */
 export function fixInvalidNotificationsInFile(
   inputPath: string,
   outputPath: string,
   logger: Logger
 ): void {
+  if (process.env[CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX] === "true") {
+    logger.info(
+      "SARIF notification object duplicate location fix disabled by the " +
+        `${CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX} environment variable.`
+    );
+    fs.renameSync(inputPath, outputPath);
+  } else {
     let sarif = JSON.parse(fs.readFileSync(inputPath, "utf8")) as SarifFile;
     sarif = fixInvalidNotifications(sarif, logger);
     fs.writeFileSync(outputPath, JSON.stringify(sarif));
   }
+}
 
 export function wrapError(error: unknown): Error {
   return error instanceof Error ? error : new Error(String(error));

src/workflow.ts

@@ -7,7 +7,7 @@ import * as yaml from "js-yaml";
 
 import * as api from "./api-client";
 import { Logger } from "./logging";
-import { getRequiredEnvParam } from "./util";
+import { getRequiredEnvParam, isInTestMode } from "./util";
 
 export interface WorkflowJobStep {
   name?: string;
@@ -389,7 +389,11 @@ function getInputOrThrow(
  * This allows us to test workflow parsing functionality as a CodeQL Action PR check.
  */
 function getAnalyzeActionName() {
-  if (getRequiredEnvParam("GITHUB_REPOSITORY") === "github/codeql-action") {
+  if (
+    isInTestMode() ||
+    process.env["CODEQL_ACTION_TESTING_ENVIRONMENT"] ===
+      "codeql-action-pr-checks"
+  ) {
     return "./analyze";
   } else {
     return "github/codeql-action/analyze";