Merge pull request #2550 from github/henrymercer/fix-ff-name

Fix name of Python stdlib extraction feature flag

.eslintignore

@@ -1,4 +0,0 @@
-**/webpack.config.js
-lib/**
-src/testdata/**
-tests/**

.github/actions/prepare-test/action.yml

@@ -2,7 +2,7 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
   version:
-    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYY-MM-DD', or 'stable-YYYY-MM-DD'."
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYYMMDD', or 'stable-vX.Y.Z"
     required: true
   use-all-platform-bundle:
     description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
@@ -32,14 +32,28 @@ runs:
       run: |
         set -e # Fail this Action if `gh release list` fails.
 
+        if [[ ${{ inputs.version }} == "linked" ]]; then
+          echo "tools-url=linked" >> "$GITHUB_OUTPUT"
+          exit 0
+        elif [[ ${{ inputs.version }} == "default" ]]; then
+          echo "tools-url=" >> "$GITHUB_OUTPUT"
+          exit 0
+        fi
+
+        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
+          extension="tar.zst"
+        else
+          extension="tar.gz"
+        fi
+
         if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
-          artifact_name="codeql-bundle.tar.gz"
+          artifact_name="codeql-bundle.$extension"
         elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.tar.gz"
+          artifact_name="codeql-bundle-linux64.$extension"
         elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.tar.gz"
+          artifact_name="codeql-bundle-osx64.$extension"
         elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.tar.gz"
+          artifact_name="codeql-bundle-win64.$extension"
         else
           echo "::error::Unrecognized OS $RUNNER_OS"
           exit 1
@@ -50,14 +64,10 @@ runs:
           echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
         elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
           version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version-manual/$artifact_name" >> $GITHUB_OUTPUT
+          echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
         elif [[ ${{ inputs.version }} == *"stable"* ]]; then
           version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
           echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == "linked" ]]; then
-          echo "tools-url=linked" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == "default" ]]; then
-          echo "tools-url=" >> $GITHUB_OUTPUT
         else
           echo "::error::Unrecognized version specified!"
           exit 1

.github/actions/setup-swift/action.yml

@@ -11,7 +11,7 @@ runs:
       id: get_swift_version
       if: runner.os == 'Linux'
       shell: bash
-      env: 
+      env:
         CODEQL_PATH: ${{ inputs.codeql-path }}
       run: |
         SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
@@ -19,7 +19,7 @@ runs:
           VERSION="null"
         else
           VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
-          # Specify 5.x.0, otherwise setup Action will default to latest minor version. 
+          # Specify 5.x.0, otherwise setup Action will default to latest minor version.
           if [ $VERSION = "5.7" ]; then
             VERSION="5.7.0"
           elif [ $VERSION = "5.8" ]; then
@@ -29,11 +29,11 @@ runs:
           # setup-swift does not yet support v5.9.1 Remove this when it does.
           elif [ $VERSION = "5.9.1" ]; then
             VERSION="5.9.0"
-          fi 
+          fi
         fi
         echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
 
-    - uses: redsun82/setup-swift@b2b6f77ab14f6a9b136b520dc53ec8eca27d2b99 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
+    - uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
       if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
       with:
         swift-version: "${{ steps.get_swift_version.outputs.version }}"

.github/dependabot.yml

@@ -16,6 +16,10 @@ updates:
       # v7 requires ESM
       - dependency-name: "del"
         versions: ["^7.0.0"]
+      # This is broken due to the way configuration files have changed. 
+      # This might be fixed when we move to eslint v9.
+      - dependency-name: "eslint-plugin-import"
+        versions: [">=2.30.0"]
     groups:
       npm:
         patterns:

.github/workflows/__all-platform-bundle.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__analyze-ref-input.yml

@@ -42,12 +42,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__autobuild-action.yml

@@ -42,12 +42,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -44,12 +44,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__autobuild-direct-tracing.yml

@@ -44,12 +44,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__build-mode-autobuild.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__build-mode-manual.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__build-mode-none.yml

@@ -40,12 +40,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__build-mode-rollback.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__config-export.yml

@@ -48,12 +48,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__config-input.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__cpp-deptrace-disabled.yml

@@ -42,12 +42,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__cpp-deptrace-enabled.yml

@@ -42,12 +42,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__diagnostics-export.yml

@@ -48,12 +48,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__export-file-baseline-information.yml

@@ -42,12 +42,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__extractor-ram-threads.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__go-custom-queries.yml

@@ -28,53 +28,9 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.13.5
-          - os: windows-latest
-            version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: stable-v2.14.6
-          - os: macos-12
-            version: stable-v2.14.6
-          - os: windows-latest
-            version: stable-v2.14.6
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: windows-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: windows-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: windows-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
             version: linked
           - os: ubuntu-latest
             version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
     name: 'Go: Custom queries'
     permissions:
       contents: read
@@ -84,12 +40,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__go-tracing-autobuilder.yml

@@ -27,10 +27,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.13.5
           - os: ubuntu-latest
             version: stable-v2.14.6
           - os: macos-12
@@ -47,6 +43,10 @@ jobs:
             version: stable-v2.17.6
           - os: macos-latest
             version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -68,12 +68,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository
@@ -87,7 +82,7 @@ jobs:
           setup-kotlin: 'true'
       - uses: actions/setup-go@v5
         with:
-          go-version: ~1.22.0
+          go-version: ~1.23.0
       # to avoid potentially misleading autobuilder results where we expect it to download
       # dependencies successfully, but they actually come from a warm cache
           cache: false

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -27,10 +27,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.13.5
           - os: ubuntu-latest
             version: stable-v2.14.6
           - os: macos-12
@@ -47,6 +43,10 @@ jobs:
             version: stable-v2.17.6
           - os: macos-latest
             version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -68,12 +68,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository
@@ -87,7 +82,7 @@ jobs:
           setup-kotlin: 'true'
       - uses: actions/setup-go@v5
         with:
-          go-version: ~1.22.0
+          go-version: ~1.23.0
       # to avoid potentially misleading autobuilder results where we expect it to download
       # dependencies successfully, but they actually come from a warm cache
           cache: false

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -27,10 +27,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.13.5
           - os: ubuntu-latest
             version: stable-v2.14.6
           - os: macos-12
@@ -47,6 +43,10 @@ jobs:
             version: stable-v2.17.6
           - os: macos-latest
             version: stable-v2.17.6
+          - os: ubuntu-latest
+            version: stable-v2.18.4
+          - os: macos-latest
+            version: stable-v2.18.4
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -68,12 +68,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository
@@ -87,7 +82,7 @@ jobs:
           setup-kotlin: 'true'
       - uses: actions/setup-go@v5
         with:
-          go-version: ~1.22.0
+          go-version: ~1.23.0
       # to avoid potentially misleading autobuilder results where we expect it to download
       # dependencies successfully, but they actually come from a warm cache
           cache: false

.github/workflows/__init-with-registries.yml

@@ -55,12 +55,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__javascript-source-root.yml

@@ -42,12 +42,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__job-run-uuid-sarif.yml

@@ -0,0 +1,79 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Job run UUID added to SARIF
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  job-run-uuid-sarif:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: nightly-latest
+    name: Job run UUID added to SARIF
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - uses: ./../action/init
+        id: init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check results
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/results"
+          actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
+          if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
+            echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
+            exit 1
+          else
+            echo "Found job run UUID '$actual'."
+          fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__language-aliases.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__multi-language-autodetect.yml

@@ -27,10 +27,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: macos-12
-            version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: stable-v2.13.5
           - os: macos-12
             version: stable-v2.14.6
           - os: ubuntu-latest
@@ -47,6 +43,10 @@ jobs:
             version: stable-v2.17.6
           - os: ubuntu-latest
             version: stable-v2.17.6
+          - os: macos-latest
+            version: stable-v2.18.4
+          - os: ubuntu-latest
+            version: stable-v2.18.4
           - os: macos-latest
             version: default
           - os: ubuntu-latest
@@ -68,12 +68,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -54,12 +54,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__packaging-config-inputs-js.yml

@@ -54,12 +54,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__packaging-config-js.yml

@@ -54,12 +54,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__packaging-inputs-js.yml

@@ -54,12 +54,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__remote-config.yml

@@ -28,53 +28,9 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.13.5
-          - os: windows-latest
-            version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: stable-v2.14.6
-          - os: macos-12
-            version: stable-v2.14.6
-          - os: windows-latest
-            version: stable-v2.14.6
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: macos-latest
-            version: stable-v2.15.5
-          - os: windows-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: macos-latest
-            version: stable-v2.16.6
-          - os: windows-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: macos-latest
-            version: stable-v2.17.6
-          - os: windows-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: default
-          - os: macos-latest
-            version: default
-          - os: windows-latest
-            version: default
-          - os: ubuntu-latest
-            version: linked
-          - os: macos-latest
-            version: linked
-          - os: windows-latest
             version: linked
           - os: ubuntu-latest
             version: nightly-latest
-          - os: macos-latest
-            version: nightly-latest
-          - os: windows-latest
-            version: nightly-latest
     name: Remote config file
     permissions:
       contents: read
@@ -84,12 +40,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__resolve-environment-action.yml

@@ -27,12 +27,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: macos-12
-            version: stable-v2.13.5
-          - os: windows-latest
-            version: stable-v2.13.5
           - os: ubuntu-latest
             version: default
           - os: macos-latest
@@ -60,12 +54,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository
@@ -79,8 +68,7 @@ jobs:
           setup-kotlin: 'true'
       - uses: ./../action/init
         with:
-          languages: ${{ matrix.version == 'stable-v2.13.5' && 'go' || 'go,javascript-typescript'
-            }}
+          languages: go,javascript-typescript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
 
       - name: Resolve environment for Go
@@ -94,14 +82,13 @@ jobs:
         run: exit 1
 
       - name: Resolve environment for JavaScript/TypeScript
-        if: matrix.version != 'stable-v2.13.5'
         uses: ./../action/resolve-environment
         id: resolve-environment-js
         with:
           language: javascript-typescript
 
       - name: Fail if JavaScript/TypeScript configuration present
-        if: matrix.version != 'stable-v2.13.5' && 
+        if: 
           fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
         run: exit 1
     env:

.github/workflows/__rubocop-multi-language.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__ruby.yml

@@ -48,12 +48,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__split-workflow.yml

@@ -48,12 +48,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__submit-sarif-failure.yml

@@ -42,12 +42,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository
@@ -63,6 +58,7 @@ jobs:
       - uses: ./init
         with:
           languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
       - name: Fail
     # We want this job to pass if the Action correctly uploads the SARIF file for
     # the failed run.

.github/workflows/__swift-autobuild.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__swift-custom-build.yml

@@ -42,12 +42,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__test-autobuild-working-dir.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__test-local-codeql.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository
@@ -66,7 +61,7 @@ jobs:
         with:
       # Swift is not supported on Ubuntu so we manually exclude it from the list here
           languages: cpp,csharp,go,java,javascript,python,ruby
-          tools: ./codeql-bundle-linux64.tar.gz
+          tools: ./codeql-bundle-linux64.tar.zst
       - name: Build code
         shell: bash
         run: ./build.sh

.github/workflows/__test-proxy.yml

@@ -38,12 +38,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__unset-environment.yml

@@ -27,18 +27,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: stable-v2.14.6
-          - os: ubuntu-latest
-            version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: stable-v2.17.6
-          - os: ubuntu-latest
-            version: default
           - os: ubuntu-latest
             version: linked
           - os: ubuntu-latest
@@ -52,12 +40,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__upload-ref-sha-input.yml

@@ -42,12 +42,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__with-checkout-path.yml

@@ -42,12 +42,7 @@ jobs:
     steps:
       - name: Setup Python on MacOS
         uses: actions/setup-python@v5
-        if: >-
-          runner.os == 'macOS' && (
-
-          matrix.version == 'stable-v2.13.5' ||
-
-          matrix.version == 'stable-v2.14.6')
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
         with:
           python-version: '3.11'
       - name: Check out repository

.github/workflows/__zstd-bundle-fallback.yml

@@ -0,0 +1,123 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Zstandard bundle fallback
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  zstd-bundle-fallback:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+    name: Zstandard bundle fallback
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Remove CodeQL from toolcache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
+            fs.rmdirSync(codeqlPath, { recursive: true });
+      - id: init
+        uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: zstd-bundle.sarif
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check expected diagnostics
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
+            );
+            if (downloadTelemetryNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one reporting descriptor in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+
+            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
+            console.log(`Found tools URL: ${toolsUrl}`);
+
+            if (!toolsUrl.endsWith('.tar.gz')) {
+              core.setFailed(
+                `Expected the tools URL to be a .tar.gz file, but found '${toolsUrl}'.`
+              );
+            }
+
+            const zstdFailureReason = downloadTelemetryNotifications[0].properties.attributes.zstdFailureReason;
+            console.log(`Found zstd failure reason: ${zstdFailureReason}`);
+
+            const expectedZstdFailureReason = 'Failing since CODEQL_ACTION_FORCE_ZSTD_FAILURE is true.';
+            if (zstdFailureReason !== expectedZstdFailureReason) {
+              core.setFailed(
+                `Expected the zstd failure reason to be '${expectedZstdFailureReason}', but found '${zstdFailureReason}'.`
+              );
+            }
+    env:
+      CODEQL_ACTION_ZSTD_BUNDLE: true
+      CODEQL_ACTION_FORCE_ZSTD_FAILURE: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__zstd-bundle-streaming.yml

@@ -0,0 +1,113 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Zstandard bundle (streaming)
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  zstd-bundle-streaming:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+    name: Zstandard bundle (streaming)
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Remove CodeQL from toolcache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
+            fs.rmdirSync(codeqlPath, { recursive: true });
+      - id: init
+        uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: zstd-bundle.sarif
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check diagnostic with expected tools URL appears in SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
+            );
+            if (downloadTelemetryNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one reporting descriptor in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+
+            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
+            console.log(`Found tools URL: ${toolsUrl}`);
+
+            if (!toolsUrl.endsWith('.tar.zst')) {
+              core.setFailed(
+                `Expected the tools URL to be a .tar.zst file, but found ${toolsUrl}.`
+              );
+            }
+    env:
+      CODEQL_ACTION_ZSTD_BUNDLE: true
+      CODEQL_ACTION_ZSTD_BUNDLE_STREAMING_EXTRACTION: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__zstd-bundle.yml

@@ -0,0 +1,116 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Zstandard bundle
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  zstd-bundle:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            version: linked
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+    name: Zstandard bundle
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+          setup-kotlin: 'true'
+      - name: Remove CodeQL from toolcache
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
+            fs.rmdirSync(codeqlPath, { recursive: true });
+      - id: init
+        uses: ./../action/init
+        with:
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - uses: ./../action/analyze
+        with:
+          output: ${{ runner.temp }}/results
+          upload-database: false
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: zstd-bundle.sarif
+          path: ${{ runner.temp }}/results/javascript.sarif
+          retention-days: 7
+      - name: Check diagnostic with expected tools URL appears in SARIF
+        uses: actions/github-script@v7
+        env:
+          SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+        with:
+          script: |
+            const fs = require('fs');
+
+            const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+            const run = sarif.runs[0];
+
+            const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+            const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
+              n.descriptor.id === 'codeql-action/bundle-download-telemetry'
+            );
+            if (downloadTelemetryNotifications.length !== 1) {
+              core.setFailed(
+                'Expected exactly one reporting descriptor in the ' +
+                  `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                  `${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
+                  `${JSON.stringify(toolExecutionNotifications)}.`
+              );
+            }
+
+            const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
+            console.log(`Found tools URL: ${toolsUrl}`);
+
+            const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
+
+            if (!toolsUrl.endsWith(expectedExtension)) {
+              core.setFailed(
+                `Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
+              );
+            }
+    env:
+      CODEQL_ACTION_ZSTD_BUNDLE: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/debug-artifacts-failure.yml

@@ -3,6 +3,7 @@
 name: PR Check - Debug artifacts after failure
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  CODEQL_ACTION_ARTIFACT_V4_UPGRADE: true
 on:
   push:
     branches:
@@ -61,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
       - name: Check expected artifacts exist
         shell: bash
         run: |

.github/workflows/debug-artifacts-legacy.yml

@@ -0,0 +1,99 @@
+# Checks logs, SARIF, and database bundle debug artifacts exist and are accessible
+# with download-artifact@v3 when CODEQL_ACTION_ARTIFACT_V4_UPGRADE is set to false.
+name: PR Check - Debug artifact upload using artifact@v2
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  CODEQL_ACTION_ARTIFACT_V4_UPGRADE: false
+on:
+  push:
+    branches:
+    - main
+    - releases/v*
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  upload-artifacts:
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+        - stable-v2.14.6
+        - stable-v2.15.5
+        - stable-v2.16.6
+        - stable-v2.17.6
+        - stable-v2.18.4
+        - default
+        - linked
+        - nightly-latest
+    name: Upload debug artifacts
+    env:
+      CODEQL_ACTION_TEST_MODE: true
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ^1.13.1
+      - uses: ./../action/init
+        id: init
+        with:
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+          debug: true
+          debug-artifact-name: my-debug-artifacts
+          debug-database-name: my-db
+          # We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
+          languages: cpp,csharp,go,java,javascript,python,ruby 
+      - name: Build code
+        shell: bash
+        run: ./build.sh
+      - uses: ./../action/analyze
+        id: analysis
+  download-and-check-artifacts:
+    name: Download and check debug artifacts
+    needs: upload-artifacts
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+      - name: Check expected artifacts exist
+        shell: bash
+        run: |
+          VERSIONS="stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 default linked nightly-latest"
+          LANGUAGES="cpp csharp go java javascript python"
+          for version in $VERSIONS; do
+            pushd "./my-debug-artifacts-${version//./}"
+            echo "Artifacts from version $version:"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "$language.sarif" ]] ; then
+                echo "Missing a SARIF file for $language"
+                exit 1
+              fi
+              if [[ ! -f "my-db-$language.zip" ]] ; then
+                echo "Missing a database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
+          done
+        env:
+          GO111MODULE: auto

.github/workflows/debug-artifacts.yml

@@ -2,6 +2,7 @@
 name: PR Check - Debug artifact upload
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  CODEQL_ACTION_ARTIFACT_V4_UPGRADE: true
 on:
   push:
     branches:
@@ -22,11 +23,11 @@ jobs:
       fail-fast: false
       matrix:
         version:
-        - stable-v2.13.5
         - stable-v2.14.6
         - stable-v2.15.5
         - stable-v2.16.6
         - stable-v2.17.6
+        - stable-v2.18.4
         - default
         - linked
         - nightly-latest
@@ -67,11 +68,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
       - name: Check expected artifacts exist
         shell: bash
         run: |
-          VERSIONS="stable-v2.13.5 stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 default linked nightly-latest"
+          VERSIONS="stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 default linked nightly-latest"
           LANGUAGES="cpp csharp go java javascript python"
           for version in $VERSIONS; do
             pushd "./my-debug-artifacts-${version//./}"

.github/workflows/post-release-mergeback.yml

@@ -108,6 +108,17 @@ jobs:
           # - `--force` since we're overwriting the `vN` tag
           git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"
 
+      - name: Prepare partial Changelog
+        env:
+          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ steps.getVersion.outputs.version }}"
+        run: |
+          python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
+
+          echo "::group::Partial CHANGELOG"
+          cat $PARTIAL_CHANGELOG
+          echo "::endgroup::"
+
       - name: Create mergeback branch
         if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
         env:
@@ -150,3 +161,16 @@ jobs:
             --body "${pr_body}" \
             --assignee "${GITHUB_ACTOR}" \
             --draft
+
+      - name: Create the GitHub release
+        env:
+          PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
+          VERSION: "${{ steps.getVersion.outputs.version }}"
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Do not mark this release as latest. The most recent CLI release must be marked as latest.
+          gh release create \
+            "$VERSION" \
+            --latest=false \
+            --title "$VERSION" \
+            --notes-file "$PARTIAL_CHANGELOG"

.github/workflows/pr-checks.yml

@@ -24,7 +24,16 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Lint
-        run: npm run-script lint
+        id: lint
+        run: npm run-script lint-ci
+
+      - name: Upload sarif
+        uses: github/codeql-action/upload-sarif@v3
+        # Only upload SARIF for the latest version of Node.js
+        if: "!cancelled() && matrix.node-types-version == 'current' && !startsWith(github.head_ref, 'dependabot/')"
+        with:
+          sarif_file: eslint.sarif
+          category: eslint
 
       - name: Update version of @types/node
         if: matrix.node-types-version != 'current'

.github/workflows/rebuild.yml

@@ -69,7 +69,8 @@ jobs:
           if [ ! -z "$(git status --porcelain)" ]; then
             git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
             git config --global user.name "github-actions[bot]"
-            git commit -am "Rebuild"
+            git add --all
+            git commit -m "Rebuild"
             git push origin "HEAD:$BRANCH"
             echo "Pushed a commit to rebuild the Action." \
               "Please mark the PR as ready for review to trigger PR checks." |

.github/workflows/script/prepare_changelog.py

@@ -0,0 +1,37 @@
+import os
+import sys
+
+EMPTY_CHANGELOG = 'No changes.\n\n'
+
+# Prepare the changelog for the new release
+# This function will extract the part of the changelog that
+# we want to include in the new release.
+def extract_changelog_snippet(changelog_file, version_tag):
+  output = ''
+  if (not os.path.exists(changelog_file)):
+    output = EMPTY_CHANGELOG
+
+  else:
+    with open('CHANGELOG.md', 'r') as f:
+      lines = f.readlines()
+
+      # Include everything up to, but excluding the second heading
+      found_first_section = False
+      for i, line in enumerate(lines):
+        if line.startswith('## '):
+          if found_first_section:
+            break
+          found_first_section = True
+        output += line
+
+  output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
+
+  return output
+
+
+if len(sys.argv) < 3:
+  raise Exception('Expecting argument: changelog_file version_tag')
+changelog_file = sys.argv[1]
+version_tag = sys.argv[2]
+
+print(extract_changelog_snippet(changelog_file, version_tag))

.github/workflows/update-release-branch.yml

@@ -104,6 +104,7 @@ jobs:
   backport:
     timeout-minutes: 45
     runs-on: ubuntu-latest
+    environment: Automation
     needs: [prepare]
     if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
     strategy:
@@ -114,9 +115,18 @@ jobs:
       SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
       TARGET_BRANCH: ${{ matrix.target_branch }}
     steps:
-    - uses: actions/checkout@v4
+    - name: Generate token
+      uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69
+      id: app-token
+      with:
+        app-id: ${{ vars.AUTOMATION_APP_ID }}
+        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+
+    - name: Checkout
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0  # Need full history for calculation of diffs
+        token: ${{ steps.app-token.outputs.token }}
     - uses: ./.github/actions/release-initialise
 
     - name: Update older release branch

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -54,7 +54,8 @@ jobs:
             git push origin update-supported-enterprise-server-versions
 
             body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
-            body+="version is about to be feature frozen, or because an old release has been deprecated.\n\n"
+            body+="version is about to be feature frozen, or because an old release has been deprecated."
+            body+=$'\n\n'
             body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
             body+="deprecate the corresponding version of CodeQL."
 

.gitignore

@@ -5,3 +5,7 @@ node_modules/.cache/
 *.class
 # macOS
 .DS_Store
+# eslint sarif report
+eslint.sarif
+# for local incremental compilation
+tsconfig.tsbuildinfo

CHANGELOG.md

@@ -6,6 +6,68 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the
 
 ## [UNRELEASED]
 
+- Bump the minimum CodeQL bundle version to 2.14.6. [#2549](https://github.com/github/codeql-action/pull/2549)
+
+## 3.26.13 - 14 Oct 2024
+
+No user facing changes.
+
+## 3.26.12 - 07 Oct 2024
+
+- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)
+
+  - If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
+
+  - Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.
+
+## 3.26.11 - 03 Oct 2024
+
+- _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts. 
+
+  Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped to `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
+  
+  This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES. 
+- Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
+
+## 3.26.10 - 30 Sep 2024
+
+- We are rolling out a feature in September/October 2024 that sets up CodeQL using a bundle compressed with [Zstandard](http://facebook.github.io/zstd/). Our aim is to improve the performance of setting up CodeQL. [#2502](https://github.com/github/codeql-action/pull/2502)
+
+## 3.26.9 - 24 Sep 2024
+
+No user facing changes.
+
+## 3.26.8 - 19 Sep 2024
+
+- Update default CodeQL bundle version to 2.19.0. [#2483](https://github.com/github/codeql-action/pull/2483)
+
+## 3.26.7 - 13 Sep 2024
+
+- Update default CodeQL bundle version to 2.18.4. [#2471](https://github.com/github/codeql-action/pull/2471)
+
+## 3.26.6 - 29 Aug 2024
+
+- Update default CodeQL bundle version to 2.18.3. [#2449](https://github.com/github/codeql-action/pull/2449)
+
+## 3.26.5 - 23 Aug 2024
+
+- Fix an issue where the `csrutil` system call used for telemetry would fail on MacOS ARM machines with System Integrity Protection disabled. [#2441](https://github.com/github/codeql-action/pull/2441)
+
+## 3.26.4 - 21 Aug 2024
+
+- _Deprecation:_ The `add-snippets` input on the `analyze` Action is deprecated and will be removed in the first release in August 2025. [#2436](https://github.com/github/codeql-action/pull/2436)
+- Fix an issue where the disk usage system call used for telemetry would fail on MacOS ARM machines with System Integrity Protection disabled, and then surface a warning. The system call is now disabled for these machines. [#2434](https://github.com/github/codeql-action/pull/2434)
+
+## 3.26.3 - 19 Aug 2024
+
+- Fix an issue where the CodeQL Action could not write diagnostic messages on Windows. This issue did not impact analysis quality. [#2430](https://github.com/github/codeql-action/pull/2430)
+
+## 3.26.2 - 14 Aug 2024
+
+- Update default CodeQL bundle version to 2.18.2. [#2417](https://github.com/github/codeql-action/pull/2417)
+
+## 3.26.1 - 13 Aug 2024
+
 No user facing changes.
 
 ## 3.26.0 - 06 Aug 2024

README.md

@@ -16,10 +16,48 @@ We recommend using default setup to configure CodeQL analysis for your repositor
 
 You can also configure advanced setup for a repository to find security vulnerabilities in your code using a highly customizable code scanning configuration. For more information, see "[Configuring advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)" and "[Customizing your advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)."
 
-### Permissions
+### Actions
+
+This repository contains several actions that enable you to analyze code in your repository using CodeQL and upload the analysis to GitHub Code Scanning. Actions in this repository also allow you to upload to GitHub analyses generated by any SARIF-producing SAST tool.
+
+Actions for CodeQL analyses:
+
+- `init`: Sets up CodeQL for analysis. For information about input parameters, see the [init action definition](https://github.com/github/codeql-action/blob/main/init/action.yml).
+- `analyze`: Finalizes the CodeQL database, runs the analysis, and uploads the results to Code Scanning. For information about input parameters, see the [analyze action definition](https://github.com/github/codeql-action/blob/main/analyze/action.yml).
+
+Actions for uploading analyses generated by third-party tools:
+
+- `upload-sarif`: Uploads a SARIF file to Code Scanning. If you are using the `analyze` action, there is no reason to use this action as well. For information about input parameters, see the [upload-sarif action definition](https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml).
+
+Actions with special purposes and unlikely to be used directly:
+
+- `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
+- `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
+- `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).
+
+### Workflow Permissions
 
 All advanced setup code scanning workflows must have the `security-events: write` permission. Workflows in private repositories must additionally have the `contents: read` permission. For more information, see "[Assigning permissions to jobs](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs)."
 
+### Build Modes
+
+The CodeQL Action supports different build modes for analyzing the source code. The available build modes are:
+
+- `none`: The database will be created without building the source code. Available for all interpreted languages and some compiled languages.
+- `autobuild`: The database will be created by attempting to automatically build the source code. Available for all compiled languages.
+- `manual`: The database will be created by building the source code using a manually specified build command. To use this build mode, specify manual build steps in your workflow between the `init` and `analyze` steps. Available for all compiled languages.
+
+#### Which build mode should I use?
+
+Interpreted languages must use `none` for the build mode.
+
+For compiled languages:
+
+- `manual` build mode will typically produce the most precise results, but it is more difficult to set up and will cause the analysis to take slightly more time to run.
+- `autobuild` build mode is simpler to set up, but will only work for projects with generic build steps that can be guessed by the heuristics of the autobuild scripts. If `autobuild` fails, then you must switch to `manual` or `none`. If `autobuild` succeeds, then the results and run time will be the same as `manual` mode.
+- `none` build mode is also simpler to set up and is slightly faster to run, but there is a possibility that some alerts will be missed. This may happen if your repository does any code generation during compilation or if there are any dependencies downloaded from registries that the workflow does not have access to. `none` is not yet supported by C/C++, Swift, Go, or Kotlin.
+
+
 ## Supported versions of the CodeQL Action
 
 The following versions of the CodeQL Action are currently supported:
@@ -33,19 +71,19 @@ To provide the best experience to customers using older versions of GitHub Enter
 
 For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/)."
 
-## Supported versions of the CodeQL CLI and GitHub Enterprise Server
+## Supported versions of the CodeQL Bundle on GitHub Enterprise Server
 
-We typically release new minor versions of the CodeQL Action and CLI when a new minor version of GitHub Enterprise Server (GHES) is released. When a version of GHES is deprecated, the CodeQL Action and CLI releases that shipped with it are deprecated as well.
+We typically release new minor versions of the CodeQL Action and Bundle when a new minor version of GitHub Enterprise Server (GHES) is released. When a version of GHES is deprecated, the CodeQL Action and Bundle releases that shipped with it are deprecated as well.
 
-| Recommended CodeQL Action | Recommended CodeQL CLI Version | GitHub Environment |
-|---------|----------|--------------|
-| `v3` | default (do not pass a `tools` input) | GitHub.com |
-| `v3.24.11` | `v2.16.6` | Enterprise Server 3.13 |
-| `3.22.12` | `2.15.5` | Enterprise Server 3.12 |
-| `2.22.1` | `2.14.6` | Enterprise Server 3.11 |
-| `2.20.3` | `2.13.5` | Enterprise Server 3.10 |
+| Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
+|-----------------------|-------------------------------|--------------------|-------|
+| `v3.26.6` | `2.18.4` | Enterprise Server 3.15 | |
+| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 | |
+| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 | |
+| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 | |
+| `v2.22.1` | `2.14.6` | Enterprise Server 3.11 | Supports CodeQL Action v3, but did not ship with CodeQL Action v3. For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/#users-of-github-enterprise-server-311)." |
 
-CodeQL Action `v2` will stop receiving updates when GHES 3.11 is deprecated.
+CodeQL Action v2 will stop receiving updates when GHES 3.11 is deprecated.
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 

analyze/action.yml

@@ -19,7 +19,7 @@ inputs:
     # If changing this, make sure to update workflow.ts accordingly.
     default: "always"
   cleanup-level:
-    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --mode flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
+    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --cache-cleanup flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
     required: false
     default: "brutal"
   ram:
@@ -34,6 +34,11 @@ inputs:
     description: Specify whether or not to add code snippets to the output sarif file.
     required: false
     default: "false"
+    deprecationMessage: >-
+      The input "add-snippets" is deprecated and will be removed on the first release in August 2025.
+      When this input is set to true it is expected to add code snippets with an alert to the SARIF file.
+      However, since Code Scanning ignores code snippets provided as part of a SARIF file this is currently
+      a no operation. No alternative is available.
   skip-queries:
     description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
     required: false
@@ -69,7 +74,7 @@ inputs:
     required: true
     default: "true"
   token:
-    description: "GitHub token to use for authenticating with this instance of GitHub. The token needs the `security-events: write` permission."
+    description: "GitHub token to use for authenticating with this instance of GitHub. The token must be the built-in GitHub Actions token, and the workflow must have the `security-events: write` permission. Most of the time it is advisable to avoid specifying this input so that the workflow falls back to using the default value."
     required: false
     default: ${{ github.token }}
   matrix:

autobuild/action.yml

@@ -1,5 +1,5 @@
 name: 'CodeQL: Autobuild'
-description: 'Attempt to automatically build code'
+description: 'Attempt to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead.'
 author: 'GitHub'
 inputs:
   token:

lib/actions-util.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getFileType = exports.FileCmdNotFoundError = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getOptionalInput = exports.getRequiredInput = void 0;
+exports.CommandInvocationError = exports.getFileType = exports.FileCmdNotFoundError = exports.determineBaseBranchHeadCommitOid = exports.getCommitOid = exports.getOptionalInput = exports.getRequiredInput = void 0;
 exports.getTemporaryDirectory = getTemporaryDirectory;
 exports.getRef = getRef;
 exports.getActionVersion = getActionVersion;
@@ -37,6 +37,9 @@ exports.getUploadValue = getUploadValue;
 exports.getWorkflowRunID = getWorkflowRunID;
 exports.getWorkflowRunAttempt = getWorkflowRunAttempt;
 exports.isSelfHostedRunner = isSelfHostedRunner;
+exports.prettyPrintInvocation = prettyPrintInvocation;
+exports.ensureEndsInPeriod = ensureEndsInPeriod;
+exports.runTool = runTool;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
@@ -76,6 +79,34 @@ function getTemporaryDirectory() {
         ? value
         : (0, util_1.getRequiredEnvParam)("RUNNER_TEMP");
 }
+async function runGitCommand(checkoutPath, args, customErrorMessage) {
+    let stdout = "";
+    let stderr = "";
+    try {
+        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), args, {
+            silent: true,
+            listeners: {
+                stdout: (data) => {
+                    stdout += data.toString();
+                },
+                stderr: (data) => {
+                    stderr += data.toString();
+                },
+            },
+            cwd: checkoutPath,
+        }).exec();
+        return stdout;
+    }
+    catch (error) {
+        let reason = stderr;
+        if (stderr.includes("not a git repository")) {
+            reason =
+                "The checkout path provided to the action does not appear to be a git repository.";
+        }
+        core.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
+        throw error;
+    }
+}
 /**
  * Gets the SHA of the commit that is currently checked out.
  */
@@ -87,72 +118,45 @@ const getCommitOid = async function (checkoutPath, ref = "HEAD") {
     // the merge commit, which must mean that git is available.
     // Even if this does go wrong, it's not a huge problem for the alerts to
     // reported on the merge commit.
-    let stderr = "";
     try {
-        let commitOid = "";
-        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), ["rev-parse", ref], {
-            silent: true,
-            listeners: {
-                stdout: (data) => {
-                    commitOid += data.toString();
-                },
-                stderr: (data) => {
-                    stderr += data.toString();
-                },
-            },
-            cwd: checkoutPath,
-        }).exec();
-        return commitOid.trim();
+        const stdout = await runGitCommand(checkoutPath, ["rev-parse", ref], "Continuing with commit SHA from user input or environment.");
+        return stdout.trim();
     }
     catch {
-        if (stderr.includes("not a git repository")) {
-            core.info("Could not determine current commit SHA using git. Continuing with data from user input or environment. " +
-                "The checkout path provided to the action does not appear to be a git repository.");
-        }
-        else {
-            core.info(`Could not determine current commit SHA using git. Continuing with data from user input or environment. ${stderr}`);
-        }
         return (0, exports.getOptionalInput)("sha") || (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
     }
 };
 exports.getCommitOid = getCommitOid;
 /**
- * If the action was triggered by a pull request, determine the commit sha of the merge base.
- * Returns undefined if run by other triggers or the merge base cannot be determined.
+ * If the action was triggered by a pull request, determine the commit sha at
+ * the head of the base branch, using the merge commit that this workflow analyzes.
+ * Returns undefined if run by other triggers or the base branch commit cannot be
+ * determined.
  */
-const determineMergeBaseCommitOid = async function (checkoutPathOverride) {
+const determineBaseBranchHeadCommitOid = async function (checkoutPathOverride) {
     if (getWorkflowEventName() !== "pull_request") {
         return undefined;
     }
     const mergeSha = (0, util_1.getRequiredEnvParam)("GITHUB_SHA");
     const checkoutPath = checkoutPathOverride ?? (0, exports.getOptionalInput)("checkout_path");
-    let stderr = "";
     try {
         let commitOid = "";
         let baseOid = "";
         let headOid = "";
-        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), ["show", "-s", "--format=raw", mergeSha], {
-            silent: true,
-            listeners: {
-                stdline: (data) => {
-                    if (data.startsWith("commit ") && commitOid === "") {
-                        commitOid = data.substring(7);
-                    }
-                    else if (data.startsWith("parent ")) {
-                        if (baseOid === "") {
-                            baseOid = data.substring(7);
-                        }
-                        else if (headOid === "") {
-                            headOid = data.substring(7);
-                        }
-                    }
-                },
-                stderr: (data) => {
-                    stderr += data.toString();
-                },
-            },
-            cwd: checkoutPath,
-        }).exec();
+        const stdout = await runGitCommand(checkoutPath, ["show", "-s", "--format=raw", mergeSha], "Will calculate the base branch SHA on the server.");
+        for (const data of stdout.split("\n")) {
+            if (data.startsWith("commit ") && commitOid === "") {
+                commitOid = data.substring(7);
+            }
+            else if (data.startsWith("parent ")) {
+                if (baseOid === "") {
+                    baseOid = data.substring(7);
+                }
+                else if (headOid === "") {
+                    headOid = data.substring(7);
+                }
+            }
+        }
         // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
         if (commitOid === mergeSha &&
             headOid.length === 40 &&
@@ -162,18 +166,10 @@ const determineMergeBaseCommitOid = async function (checkoutPathOverride) {
         return undefined;
     }
     catch {
-        if (stderr.includes("not a git repository")) {
-            core.info("The checkout path provided to the action does not appear to be a git repository. " +
-                "Will calculate the merge base on the server.");
-        }
-        else {
-            core.info(`Failed to call git to determine merge base. Will calculate the merge base on ` +
-                `the server. Reason: ${stderr}`);
-        }
         return undefined;
     }
 };
-exports.determineMergeBaseCommitOid = determineMergeBaseCommitOid;
+exports.determineBaseBranchHeadCommitOid = determineBaseBranchHeadCommitOid;
 /**
  * Get the ref currently being analyzed.
  */
@@ -429,4 +425,79 @@ exports.getFileType = getFileType;
 function isSelfHostedRunner() {
     return process.env.RUNNER_ENVIRONMENT === "self-hosted";
 }
+function prettyPrintInvocation(cmd, args) {
+    return [cmd, ...args].map((x) => (x.includes(" ") ? `'${x}'` : x)).join(" ");
+}
+/**
+ * An error from a tool invocation, with associated exit code, stderr, etc.
+ */
+class CommandInvocationError extends Error {
+    constructor(cmd, args, exitCode, stderr, stdout) {
+        const prettyCommand = prettyPrintInvocation(cmd, args);
+        const lastLine = ensureEndsInPeriod(stderr.trim().split("\n").pop()?.trim() || "n/a");
+        super(`Failed to run "${prettyCommand}". ` +
+            `Exit code was ${exitCode} and last log line was: ${lastLine} See the logs for more details.`);
+        this.cmd = cmd;
+        this.args = args;
+        this.exitCode = exitCode;
+        this.stderr = stderr;
+        this.stdout = stdout;
+    }
+}
+exports.CommandInvocationError = CommandInvocationError;
+function ensureEndsInPeriod(text) {
+    return text[text.length - 1] === "." ? text : `${text}.`;
+}
+/**
+ * A constant defining the maximum number of characters we will keep from
+ * the programs stderr for logging.
+ *
+ * This serves two purposes:
+ * 1. It avoids an OOM if a program fails in a way that results it
+ *    printing many log lines.
+ * 2. It avoids us hitting the limit of how much data we can send in our
+ *    status reports on GitHub.com.
+ */
+const MAX_STDERR_BUFFER_SIZE = 20000;
+/**
+ * Runs a CLI tool.
+ *
+ * @returns Standard output produced by the tool.
+ * @throws A `CommandInvocationError` if the tool exits with a non-zero status code.
+ */
+async function runTool(cmd, args = [], opts = {}) {
+    let stdout = "";
+    let stderr = "";
+    if (!opts.noStreamStdout) {
+        process.stdout.write(`[command]${cmd} ${args.join(" ")}\n`);
+    }
+    const exitCode = await new toolrunner.ToolRunner(cmd, args, {
+        ignoreReturnCode: true,
+        listeners: {
+            stdout: (data) => {
+                stdout += data.toString("utf8");
+                if (!opts.noStreamStdout) {
+                    process.stdout.write(data);
+                }
+            },
+            stderr: (data) => {
+                let readStartIndex = 0;
+                // If the error is too large, then we only take the last MAX_STDERR_BUFFER_SIZE characters
+                if (data.length - MAX_STDERR_BUFFER_SIZE > 0) {
+                    // Eg: if we have MAX_STDERR_BUFFER_SIZE the start index should be 2.
+                    readStartIndex = data.length - MAX_STDERR_BUFFER_SIZE + 1;
+                }
+                stderr += data.toString("utf8", readStartIndex);
+                // Mimic the standard behavior of the toolrunner by writing stderr to stdout
+                process.stdout.write(data);
+            },
+        },
+        silent: true,
+        ...(opts.stdin ? { input: Buffer.from(opts.stdin || "") } : {}),
+    }).exec();
+    if (exitCode !== 0) {
+        throw new CommandInvocationError(cmd, args, exitCode, stderr, stdout);
+    }
+    return stdout;
+}
 //# sourceMappingURL=actions-util.js.map

lib/actions-util.test.js

@@ -214,34 +214,36 @@ const util_1 = require("./util");
         getAdditionalInputStub.restore();
     });
 });
-(0, ava_1.default)("determineMergeBaseCommitOid non-pullrequest", async (t) => {
+(0, ava_1.default)("determineBaseBranchHeadCommitOid non-pullrequest", async (t) => {
     const infoStub = sinon.stub(core, "info");
     process.env["GITHUB_EVENT_NAME"] = "hucairz";
     process.env["GITHUB_SHA"] = "100912429fab4cb230e66ffb11e738ac5194e73a";
-    const result = await actionsUtil.determineMergeBaseCommitOid(__dirname);
+    const result = await actionsUtil.determineBaseBranchHeadCommitOid(__dirname);
     t.deepEqual(result, undefined);
     t.deepEqual(0, infoStub.callCount);
     infoStub.restore();
 });
-(0, ava_1.default)("determineMergeBaseCommitOid no error", async (t) => {
+(0, ava_1.default)("determineBaseBranchHeadCommitOid not git repository", async (t) => {
     const infoStub = sinon.stub(core, "info");
     process.env["GITHUB_EVENT_NAME"] = "pull_request";
     process.env["GITHUB_SHA"] = "100912429fab4cb230e66ffb11e738ac5194e73a";
     await (0, util_1.withTmpDir)(async (tmpDir) => {
-        await actionsUtil.determineMergeBaseCommitOid(tmpDir);
+        await actionsUtil.determineBaseBranchHeadCommitOid(tmpDir);
     });
     t.deepEqual(1, infoStub.callCount);
-    t.assert(infoStub.firstCall.args[0].startsWith("The checkout path provided to the action does not appear to be a git repository."));
+    t.deepEqual(infoStub.firstCall.args[0], "git call failed. Will calculate the base branch SHA on the server. Error: " +
+        "The checkout path provided to the action does not appear to be a git repository.");
     infoStub.restore();
 });
-(0, ava_1.default)("determineMergeBaseCommitOid other error", async (t) => {
+(0, ava_1.default)("determineBaseBranchHeadCommitOid other error", async (t) => {
     const infoStub = sinon.stub(core, "info");
     process.env["GITHUB_EVENT_NAME"] = "pull_request";
     process.env["GITHUB_SHA"] = "100912429fab4cb230e66ffb11e738ac5194e73a";
-    const result = await actionsUtil.determineMergeBaseCommitOid(path.join(__dirname, "../../i-dont-exist"));
+    const result = await actionsUtil.determineBaseBranchHeadCommitOid(path.join(__dirname, "../../i-dont-exist"));
     t.deepEqual(result, undefined);
     t.deepEqual(1, infoStub.callCount);
-    t.assert(infoStub.firstCall.args[0].startsWith("Failed to call git to determine merge base."));
+    t.assert(infoStub.firstCall.args[0].startsWith("git call failed. Will calculate the base branch SHA on the server. Error: "));
+    t.assert(!infoStub.firstCall.args[0].endsWith("The checkout path provided to the action does not appear to be a git repository."));
     infoStub.restore();
 });
 //# sourceMappingURL=actions-util.test.js.map

lib/analyze-action-post-helper.js

@@ -1,44 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.run = run;
-const core = __importStar(require("@actions/core"));
-const actionsUtil = __importStar(require("./actions-util"));
-const config_utils_1 = require("./config-utils");
-const logging_1 = require("./logging");
-async function run(uploadSarifDebugArtifact) {
-    const logger = (0, logging_1.getActionsLogger)();
-    const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
-    if (config === undefined) {
-        throw new Error("Config file could not be found at expected location. Did the 'init' action fail to start?");
-    }
-    // Upload Actions SARIF artifacts for debugging
-    if (config?.debugMode) {
-        core.info("Debug mode is on. Uploading available SARIF files as Actions debugging artifact...");
-        const outputDir = actionsUtil.getRequiredInput("output");
-        await uploadSarifDebugArtifact(config, outputDir);
-    }
-}
-//# sourceMappingURL=analyze-action-post-helper.js.map

lib/analyze-action-post-helper.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"analyze-action-post-helper.js","sourceRoot":"","sources":["../src/analyze-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAMA,kBAuBC;AA7BD,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAAmD;AACnD,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CACvB,wBAGkB;IAElB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;IACJ,CAAC;IAED,+CAA+C;IAC/C,IAAI,MAAM,EAAE,SAAS,EAAE,CAAC;QACtB,IAAI,CAAC,IAAI,CACP,oFAAoF,CACrF,CAAC;QACF,MAAM,SAAS,GAAG,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QACzD,MAAM,wBAAwB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACpD,CAAC;AACH,CAAC"}

lib/analyze-action-post-helper.test.js

@@ -1,73 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const ava_1 = __importDefault(require("ava"));
-const sinon = __importStar(require("sinon"));
-const actionsUtil = __importStar(require("./actions-util"));
-const analyzeActionPostHelper = __importStar(require("./analyze-action-post-helper"));
-const configUtils = __importStar(require("./config-utils"));
-const testing_utils_1 = require("./testing-utils");
-const util = __importStar(require("./util"));
-(0, testing_utils_1.setupTests)(ava_1.default);
-(0, ava_1.default)("post: analyze action with debug mode off", async (t) => {
-    return await util.withTmpDir(async (tmpDir) => {
-        process.env["RUNNER_TEMP"] = tmpDir;
-        const gitHubVersion = {
-            type: util.GitHubVariant.DOTCOM,
-        };
-        sinon.stub(configUtils, "getConfig").resolves({
-            debugMode: false,
-            gitHubVersion,
-            languages: [],
-            packs: [],
-        });
-        const uploadSarifSpy = sinon.spy();
-        await analyzeActionPostHelper.run(uploadSarifSpy);
-        t.assert(uploadSarifSpy.notCalled);
-    });
-});
-(0, ava_1.default)("post: analyze action with debug mode on", async (t) => {
-    return await util.withTmpDir(async (tmpDir) => {
-        process.env["RUNNER_TEMP"] = tmpDir;
-        const gitHubVersion = {
-            type: util.GitHubVariant.DOTCOM,
-        };
-        sinon.stub(configUtils, "getConfig").resolves({
-            debugMode: true,
-            gitHubVersion,
-            languages: [],
-            packs: [],
-        });
-        const requiredInputStub = sinon.stub(actionsUtil, "getRequiredInput");
-        requiredInputStub.withArgs("output").returns("fake-output-dir");
-        const uploadSarifSpy = sinon.spy();
-        await analyzeActionPostHelper.run(uploadSarifSpy);
-        t.assert(uploadSarifSpy.called);
-    });
-});
-//# sourceMappingURL=analyze-action-post-helper.test.js.map

lib/analyze-action-post-helper.test.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"analyze-action-post-helper.test.js","sourceRoot":"","sources":["../src/analyze-action-post-helper.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,sFAAwE;AACxE,4DAA8C;AAC9C,mDAA6C;AAC7C,6CAA+B;AAE/B,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,0CAA0C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC3D,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC;QAEpC,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,SAAS,EAAE,KAAK;YAChB,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QAEpC,MAAM,cAAc,GAAG,KAAK,CAAC,GAAG,EAAE,CAAC;QAEnC,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAElD,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAC5C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC;QAEpC,MAAM,aAAa,GAAuB;YACxC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;SAChC,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC;YAC5C,SAAS,EAAE,IAAI;YACf,aAAa;YACb,SAAS,EAAE,EAAE;YACb,KAAK,EAAE,EAAE;SACuB,CAAC,CAAC;QAEpC,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QACtE,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAEhE,MAAM,cAAc,GAAG,KAAK,CAAC,GAAG,EAAE,CAAC;QAEnC,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAElD,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

lib/analyze-action-post.js

@@ -29,19 +29,33 @@ Object.defineProperty(exports, "__esModule", { value: true });
  * other `post:` hooks.
  */
 const core = __importStar(require("@actions/core"));
-const analyzeActionPostHelper = __importStar(require("./analyze-action-post-helper"));
+const actions_util_1 = require("./actions-util");
+const api_client_1 = require("./api-client");
+const config_utils_1 = require("./config-utils");
 const debugArtifacts = __importStar(require("./debug-artifacts"));
-const uploadSarifActionPostHelper = __importStar(require("./upload-sarif-action-post-helper"));
+const environment_1 = require("./environment");
+const feature_flags_1 = require("./feature-flags");
+const logging_1 = require("./logging");
+const repository_1 = require("./repository");
 const util_1 = require("./util");
 async function runWrapper() {
     try {
-        await analyzeActionPostHelper.run(debugArtifacts.uploadSarifDebugArtifact);
-        // Also run the upload-sarif post action since we're potentially running
-        // the same steps in the analyze action.
-        await uploadSarifActionPostHelper.uploadArtifacts(debugArtifacts.uploadDebugArtifacts);
+        const logger = (0, logging_1.getActionsLogger)();
+        const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
+        (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
+        const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+        const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
+        // Upload SARIF artifacts if we determine that this is a first-party analysis run.
+        // For third-party runs, this artifact will be uploaded in the `upload-sarif-post` step.
+        if (process.env[environment_1.EnvVar.INIT_ACTION_HAS_RUN] === "true") {
+            const config = await (0, config_utils_1.getConfig)((0, actions_util_1.getTemporaryDirectory)(), logger);
+            if (config !== undefined) {
+                await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type, features));
+            }
+        }
     }
     catch (error) {
-        core.setFailed(`analyze post-action step failed: ${(0, util_1.wrapError)(error).message}`);
+        core.setFailed(`analyze post-action step failed: ${(0, util_1.getErrorMessage)(error)}`);
     }
 }
 void runWrapper();

lib/analyze-action-post.js.map

@@ -1 +1 @@
-{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,sFAAwE;AACxE,kEAAoD;AACpD,+FAAiF;AACjF,iCAAmC;AAEnC,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,wBAAwB,CAAC,CAAC;QAE3E,wEAAwE;QACxE,wCAAwC;QACxC,MAAM,2BAA2B,CAAC,eAAe,CAC/C,cAAc,CAAC,oBAAoB,CACpC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAC/D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,iDAAuD;AACvD,6CAAgD;AAChD,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,mDAA2C;AAC3C,uCAAwD;AACxD,6CAAkD;AAClD,iCAIgB;AAEhB,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;YAChE,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,EACzB,QAAQ,CACT,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/analyze-action.js

@@ -50,7 +50,7 @@ const uploadLib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
 async function sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, trapCacheCleanup, logger) {
     const status = (0, status_report_1.getActionsStatus)(error, stats?.analyze_failure_language);
-    const statusReportBase = await (0, status_report_1.createStatusReportBase)(status_report_1.ActionName.Analyze, status, startedAt, config, await util.checkDiskUsage(), logger, error?.message, error?.stack);
+    const statusReportBase = await (0, status_report_1.createStatusReportBase)(status_report_1.ActionName.Analyze, status, startedAt, config, await util.checkDiskUsage(logger), logger, error?.message, error?.stack);
     if (statusReportBase !== undefined) {
         const report = {
             ...statusReportBase,
@@ -163,6 +163,7 @@ async function run() {
         }
         const apiDetails = (0, api_client_1.getApiDetails)();
         const outputDir = actionsUtil.getRequiredInput("output");
+        core.exportVariable(environment_1.EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
         const threads = util.getThreadsFlag(actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"], logger);
         const repositoryNwo = (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY"));
         const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
@@ -244,7 +245,7 @@ async function runWrapper() {
         await exports.runPromise;
     }
     catch (error) {
-        core.setFailed(`analyze action failed: ${util.wrapError(error).message}`);
+        core.setFailed(`analyze action failed: ${util.getErrorMessage(error)}`);
     }
     await util.checkForTimeout();
 }

lib/analyze.js

@@ -186,7 +186,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
         }
         catch (e) {
             statusReport.analyze_failure_language = language;
-            throw new CodeQLAnalysisError(statusReport, `Error running analysis for ${language}: ${util.wrapError(e).message}`, util.wrapError(e));
+            throw new CodeQLAnalysisError(statusReport, `Error running analysis for ${language}: ${util.getErrorMessage(e)}`, util.wrapError(e));
         }
     }
     return statusReport;

lib/api-compatibility.json

@@ -1 +1 @@
-{ "maximumVersion": "3.14", "minimumVersion": "3.10" }
+{ "maximumVersion": "3.15", "minimumVersion": "3.11" }

lib/autobuild-action.js

@@ -96,7 +96,7 @@ async function runWrapper() {
         await run();
     }
     catch (error) {
-        core.setFailed(`autobuild action failed. ${(0, util_1.wrapError)(error).message}`);
+        core.setFailed(`autobuild action failed. ${(0, util_1.getErrorMessage)(error)}`);
     }
 }
 void runWrapper();

lib/autobuild-action.js.map

@@ -1 +1 @@
-{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,2CAAwE;AACxE,qCAAqC;AACrC,iDAAmD;AACnD,+CAAuC;AAEvC,uCAAqD;AACrD,mDAMyB;AACzB,mDAAuD;AACvD,iCAMgB;AAShB,KAAK,UAAU,yBAAyB,CACtC,MAA0B,EAC1B,MAAc,EACd,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,IAAA,+BAAgB,GAAE,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,IAAA,gCAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,SAAS,EACpB,MAAM,EACN,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,KAAK,CACb,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAA0B;YAC1C,GAAG,gBAAgB;YACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;YAC3C,iBAAiB,EAAE,eAAe;SACnC,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,IAAI,MAA0B,CAAC;IAC/B,IAAI,eAAqC,CAAC;IAC1C,IAAI,SAAiC,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,SAAS,EACpB,UAAU,EACV,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;QACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAA,gCAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACjD,IAAA,yBAAkB,EAAC,IAAA,+BAAgB,GAAE,EAAE,aAAa,CAAC,CAAC;QAEtD,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEjD,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QACtE,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE,CAAC;gBACrB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAClC,CAAC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;gBACjC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,+FAA+F;QAC/F,oBAAoB;QACpB,MAAM,IAAA,oCAAoB,EAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IACrD,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CACZ,kIAAkI,KAAK,CAAC,OAAO,EAAE,CAClJ,CAAC;QACF,MAAM,yBAAyB,CAC7B,MAAM,EACN,MAAM,EACN,SAAS,EACT,SAAS,IAAI,EAAE,EACf,eAAe,EACf,KAAK,CACN,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,mCAAmC,EAAE,MAAM,CAAC,CAAC;IAExE,MAAM,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,EAAE,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CAAC,4BAA4B,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,2CAAwE;AACxE,qCAAqC;AACrC,iDAAmD;AACnD,+CAAuC;AAEvC,uCAAqD;AACrD,mDAMyB;AACzB,mDAAuD;AACvD,iCAOgB;AAShB,KAAK,UAAU,yBAAyB,CACtC,MAA0B,EAC1B,MAAc,EACd,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,IAAA,+BAAgB,GAAE,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,IAAA,gCAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,SAAS,EACpB,MAAM,EACN,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,KAAK,CACb,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAA0B;YAC1C,GAAG,gBAAgB;YACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;YAC3C,iBAAiB,EAAE,eAAe;SACnC,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,IAAI,MAA0B,CAAC;IAC/B,IAAI,eAAqC,CAAC;IAC1C,IAAI,SAAiC,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,SAAS,EACpB,UAAU,EACV,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;QACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAA,gCAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACjD,IAAA,yBAAkB,EAAC,IAAA,+BAAgB,GAAE,EAAE,aAAa,CAAC,CAAC;QAEtD,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEjD,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QACtE,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE,CAAC;gBACrB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAClC,CAAC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;gBACjC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,+FAA+F;QAC/F,oBAAoB;QACpB,MAAM,IAAA,oCAAoB,EAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IACrD,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CACZ,kIAAkI,KAAK,CAAC,OAAO,EAAE,CAClJ,CAAC;QACF,MAAM,yBAAyB,CAC7B,MAAM,EACN,MAAM,EACN,SAAS,EACT,SAAS,IAAI,EAAE,EACf,eAAe,EACf,KAAK,CACN,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,mCAAmC,EAAE,MAAM,CAAC,CAAC;IAExE,MAAM,yBAAyB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,EAAE,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CAAC,4BAA4B,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/cli-errors.js

@@ -1,26 +1,24 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.cliErrorsConfig = exports.CliConfigErrorCategory = exports.CommandInvocationError = void 0;
+exports.cliErrorsConfig = exports.CliConfigErrorCategory = exports.CliError = void 0;
 exports.getCliConfigCategoryIfExists = getCliConfigCategoryIfExists;
 exports.wrapCliConfigurationError = wrapCliConfigurationError;
+const actions_util_1 = require("./actions-util");
 const doc_url_1 = require("./doc-url");
 const util_1 = require("./util");
 /**
- * A class of Error that we can classify as an error stemming from a CLI
- * invocation, with associated exit code, stderr,etc.
+ * An error from a CodeQL CLI invocation, with associated exit code, stderr, etc.
  */
-class CommandInvocationError extends Error {
-    constructor(cmd, args, exitCode, stderr, stdout) {
-        const prettyCommand = [cmd, ...args]
-            .map((x) => (x.includes(" ") ? `'${x}'` : x))
-            .join(" ");
+class CliError extends Error {
+    constructor({ cmd, args, exitCode, stderr }) {
+        const prettyCommand = (0, actions_util_1.prettyPrintInvocation)(cmd, args);
         const fatalErrors = extractFatalErrors(stderr);
         const autobuildErrors = extractAutobuildErrors(stderr);
         let message;
         if (fatalErrors) {
             message =
                 `Encountered a fatal error while running "${prettyCommand}". ` +
-                    `Exit code was ${exitCode} and error was: ${ensureEndsInPeriod(fatalErrors.trim())} See the logs for more details.`;
+                    `Exit code was ${exitCode} and error was: ${(0, actions_util_1.ensureEndsInPeriod)(fatalErrors.trim())} See the logs for more details.`;
         }
         else if (autobuildErrors) {
             message =
@@ -29,7 +27,7 @@ class CommandInvocationError extends Error {
                     `Encountered the following error: ${autobuildErrors}`;
         }
         else {
-            const lastLine = ensureEndsInPeriod(stderr.trim().split("\n").pop()?.trim() || "n/a");
+            const lastLine = (0, actions_util_1.ensureEndsInPeriod)(stderr.trim().split("\n").pop()?.trim() || "n/a");
             message =
                 `Encountered a fatal error while running "${prettyCommand}". ` +
                     `Exit code was ${exitCode} and last log line was: ${lastLine} See the logs for more details.`;
@@ -37,10 +35,9 @@ class CommandInvocationError extends Error {
         super(message);
         this.exitCode = exitCode;
         this.stderr = stderr;
-        this.stdout = stdout;
     }
 }
-exports.CommandInvocationError = CommandInvocationError;
+exports.CliError = CliError;
 /**
  * Provide a better error message from the stderr of a CLI invocation that failed with a fatal
  * error.
@@ -89,10 +86,10 @@ function extractFatalErrors(error) {
         }
         const isOneLiner = !fatalErrors.some((e) => e.includes("\n"));
         if (isOneLiner) {
-            fatalErrors = fatalErrors.map(ensureEndsInPeriod);
+            fatalErrors = fatalErrors.map(actions_util_1.ensureEndsInPeriod);
         }
         return [
-            ensureEndsInPeriod(lastError),
+            (0, actions_util_1.ensureEndsInPeriod)(lastError),
             "Context:",
             ...fatalErrors.reverse(),
         ].join(isOneLiner ? " " : "\n");
@@ -109,9 +106,6 @@ function extractAutobuildErrors(error) {
     }
     return errorLines.join("\n") || undefined;
 }
-function ensureEndsInPeriod(text) {
-    return text[text.length - 1] === "." ? text : `${text}.`;
-}
 /** Error messages from the CLI that we consider configuration errors and handle specially. */
 var CliConfigErrorCategory;
 (function (CliConfigErrorCategory) {
@@ -267,9 +261,6 @@ function getCliConfigCategoryIfExists(cliError) {
  * simply returns the original error.
  */
 function wrapCliConfigurationError(cliError) {
-    if (!(cliError instanceof CommandInvocationError)) {
-        return cliError;
-    }
     const cliConfigErrorCategory = getCliConfigCategoryIfExists(cliError);
     if (cliConfigErrorCategory === undefined) {
         return cliError;

lib/codeql.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE = exports.CODEQL_VERSION_ANALYSIS_SUMMARY_V2 = exports.CODEQL_VERSION_LANGUAGE_ALIASING = exports.CODEQL_VERSION_LANGUAGE_BASELINE_CONFIG = void 0;
+exports.CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE = exports.CODEQL_VERSION_ANALYSIS_SUMMARY_V2 = void 0;
 exports.setupCodeQL = setupCodeQL;
 exports.getCodeQL = getCodeQL;
 exports.setCodeQL = setCodeQL;
@@ -63,19 +63,19 @@ let cachedCodeQL = undefined;
  * The version flags below can be used to conditionally enable certain features
  * on versions newer than this.
  */
-const CODEQL_MINIMUM_VERSION = "2.13.5";
+const CODEQL_MINIMUM_VERSION = "2.14.6";
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
  */
-const CODEQL_NEXT_MINIMUM_VERSION = "2.13.5";
+const CODEQL_NEXT_MINIMUM_VERSION = "2.14.6";
 /**
  * This is the version of GHES that was most recently deprecated.
  */
-const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.9";
+const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.10";
 /**
  * This is the deprecation date for the version of GHES that was most recently deprecated.
  */
-const GHES_MOST_RECENT_DEPRECATION_DATE = "2024-07-09";
+const GHES_MOST_RECENT_DEPRECATION_DATE = "2024-09-24";
 /** The CLI verbosity level to use for extraction in debug mode. */
 const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 /*
@@ -85,14 +85,6 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
  * For convenience, please keep these in descending order. Once a version
  * flag is older than the oldest supported version above, it may be removed.
  */
-/**
- * Versions 2.14.2+ of the CodeQL CLI support language-specific baseline configuration.
- */
-exports.CODEQL_VERSION_LANGUAGE_BASELINE_CONFIG = "2.14.2";
-/**
- * Versions 2.14.4+ of the CodeQL CLI support language aliasing.
- */
-exports.CODEQL_VERSION_LANGUAGE_ALIASING = "2.14.4";
 /**
  * Versions 2.15.0+ of the CodeQL CLI support new analysis summaries.
  */
@@ -105,6 +97,10 @@ exports.CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE = "2.15.0";
  * Versions 2.15.2+ of the CodeQL CLI support the `--sarif-include-query-help` option.
  */
 const CODEQL_VERSION_INCLUDE_QUERY_HELP = "2.15.2";
+/**
+ * Versions 2.17.1+ of the CodeQL CLI support the `--cache-cleanup` option.
+ */
+const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
 /**
  * Set up CodeQL CLI access.
  *
@@ -118,9 +114,10 @@ const CODEQL_VERSION_INCLUDE_QUERY_HELP = "2.15.2";
  *        version requirement. Must be set to true outside tests.
  * @returns a { CodeQL, toolsVersion } object.
  */
-async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, checkVersion) {
+async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) {
     try {
-        const { codeqlFolder, toolsDownloadDurationMs, toolsSource, toolsVersion } = await setupCodeql.setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger);
+        const { codeqlFolder, toolsDownloadStatusReport, toolsSource, toolsVersion, zstdAvailability, } = await setupCodeql.setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger);
+        logger.debug(`Bundle download status report: ${JSON.stringify(toolsDownloadStatusReport)}`);
         let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
         if (process.platform === "win32") {
             codeqlCmd += ".exe";
@@ -131,13 +128,14 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
         cachedCodeQL = await getCodeQLForCmd(codeqlCmd, checkVersion);
         return {
             codeql: cachedCodeQL,
-            toolsDownloadDurationMs,
+            toolsDownloadStatusReport,
             toolsSource,
             toolsVersion,
+            zstdAvailability,
         };
     }
     catch (e) {
-        throw new Error(`Unable to download and extract CodeQL CLI: ${(0, util_1.wrapError)(e).message}`);
+        throw new Error(`Unable to download and extract CodeQL CLI: ${(0, util_1.getErrorMessage)(e)}`);
     }
 }
 /**
@@ -182,7 +180,7 @@ function setCodeQL(partialCodeql) {
         extractUsingBuildMode: resolveFunction(partialCodeql, "extractUsingBuildMode"),
         finalizeDatabase: resolveFunction(partialCodeql, "finalizeDatabase"),
         resolveLanguages: resolveFunction(partialCodeql, "resolveLanguages"),
-        betterResolveLanguages: resolveFunction(partialCodeql, "betterResolveLanguages"),
+        betterResolveLanguages: resolveFunction(partialCodeql, "betterResolveLanguages", async () => ({ aliases: {}, extractors: {} })),
         resolveQueries: resolveFunction(partialCodeql, "resolveQueries"),
         resolveBuildEnvironment: resolveFunction(partialCodeql, "resolveBuildEnvironment"),
         packDownload: resolveFunction(partialCodeql, "packDownload"),
@@ -235,7 +233,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
         async getVersion() {
             let result = util.getCachedCodeQlVersion();
             if (result === undefined) {
-                const output = await runTool(cmd, ["version", "--format=json"]);
+                const output = await runCli(cmd, ["version", "--format=json"], {
+                    noStreamStdout: true,
+                });
                 try {
                     result = JSON.parse(output);
                 }
@@ -247,7 +247,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             return result;
         },
         async printVersion() {
-            await runTool(cmd, ["version", "--format=json"]);
+            await runCli(cmd, ["version", "--format=json"]);
         },
         async supportsFeature(feature) {
             return (0, tools_features_1.isSupportedToolsFeature)(await this.getVersion(), feature);
@@ -272,9 +272,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             if (qlconfigFile !== undefined) {
                 extraArgs.push(`--qlconfig-file=${qlconfigFile}`);
             }
-            if (await util.codeQlVersionAtLeast(this, exports.CODEQL_VERSION_LANGUAGE_BASELINE_CONFIG)) {
-                extraArgs.push("--calculate-language-specific-baseline");
-            }
+            extraArgs.push("--calculate-language-specific-baseline");
             if (await isSublanguageFileCoverageEnabled(config, this)) {
                 extraArgs.push("--sublanguage-file-coverage");
             }
@@ -284,14 +282,14 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             const overwriteFlag = (0, tools_features_1.isSupportedToolsFeature)(await this.getVersion(), tools_features_1.ToolsFeature.ForceOverwrite)
                 ? "--force-overwrite"
                 : "--overwrite";
-            await runTool(cmd, [
+            await runCli(cmd, [
                 "database",
                 "init",
                 overwriteFlag,
                 "--db-cluster",
                 config.dbLocation,
                 `--source-root=${sourceRoot}`,
-                ...(await getLanguageAliasingArguments(this)),
+                "--extractor-include-aliases",
                 ...extraArgs,
                 ...getExtraOptionsFromEnv(["database", "init"], {
                     ignoringOptions: ["--overwrite"],
@@ -319,10 +317,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             // When `DYLD_INSERT_LIBRARIES` is set in the environment for a step,
             // the Actions runtime introduces its own workaround for SIP
             // (https://github.com/actions/runner/pull/416).
-            await runTool(autobuildCmd);
+            await runCli(autobuildCmd);
         },
         async extractScannedLanguage(config, language) {
-            await runTool(cmd, [
+            await runCli(cmd, [
                 "database",
                 "trace-command",
                 "--index-traceless-dbs",
@@ -337,7 +335,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 applyAutobuildAzurePipelinesTimeoutFix();
             }
             try {
-                await runTool(cmd, [
+                await runCli(cmd, [
                     "database",
                     "trace-command",
                     "--use-build-mode",
@@ -354,10 +352,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                     const prefix = "We were unable to automatically build your code. " +
                         "Please change the build mode for this language to manual and specify build steps " +
                         `for your project. See ${doc_url_1.DocUrl.AUTOMATIC_BUILD_FAILED} for more information.`;
-                    const ErrorConstructor = e instanceof util.ConfigurationError
-                        ? util.ConfigurationError
-                        : Error;
-                    throw new ErrorConstructor(`${prefix} ${util.wrapError(e).message}`);
+                    throw new util.ConfigurationError(`${prefix} ${(0, util_1.getErrorMessage)(e)}`);
                 }
                 else {
                     throw e;
@@ -375,7 +370,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 ...getExtraOptionsFromEnv(["database", "finalize"]),
                 databasePath,
             ];
-            await runTool(cmd, args);
+            await runCli(cmd, args);
         },
         async resolveLanguages() {
             const codeqlArgs = [
@@ -384,7 +379,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 "--format=json",
                 ...getExtraOptionsFromEnv(["resolve", "languages"]),
             ];
-            const output = await runTool(cmd, codeqlArgs);
+            const output = await runCli(cmd, codeqlArgs);
             try {
                 return JSON.parse(output);
             }
@@ -398,10 +393,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 "languages",
                 "--format=betterjson",
                 "--extractor-options-verbosity=4",
-                ...(await getLanguageAliasingArguments(this)),
+                "--extractor-include-aliases",
                 ...getExtraOptionsFromEnv(["resolve", "languages"]),
             ];
-            const output = await runTool(cmd, codeqlArgs);
+            const output = await runCli(cmd, codeqlArgs);
             try {
                 return JSON.parse(output);
             }
@@ -420,7 +415,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             if (extraSearchPath !== undefined) {
                 codeqlArgs.push("--additional-packs", extraSearchPath);
             }
-            const output = await runTool(cmd, codeqlArgs);
+            const output = await runCli(cmd, codeqlArgs);
             try {
                 return JSON.parse(output);
             }
@@ -433,13 +428,13 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 "resolve",
                 "build-environment",
                 `--language=${language}`,
-                ...(await getLanguageAliasingArguments(this)),
+                "--extractor-include-aliases",
                 ...getExtraOptionsFromEnv(["resolve", "build-environment"]),
             ];
             if (workingDir !== undefined) {
                 codeqlArgs.push("--working-dir", workingDir);
             }
-            const output = await runTool(cmd, codeqlArgs);
+            const output = await runCli(cmd, codeqlArgs);
             try {
                 return JSON.parse(output);
             }
@@ -463,7 +458,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             if (await util.codeQlVersionAtLeast(this, feature_flags_1.CODEQL_VERSION_FINE_GRAINED_PARALLELISM)) {
                 codeqlArgs.push("--intra-layer-parallelism");
             }
-            await runTool(cmd, codeqlArgs);
+            await runCli(cmd, codeqlArgs);
         },
         async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId, config, features) {
             const shouldExportDiagnostics = await features.getValue(feature_flags_1.Feature.ExportDiagnosticsEnabled, this);
@@ -481,6 +476,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 `--sarif-codescanning-config=${getGeneratedCodeScanningConfigPath(config)}`,
                 "--sarif-group-rules-by-pack",
                 ...(await getCodeScanningQueryHelpArguments(this)),
+                ...(await getJobRunUuidSarifOptions(this)),
                 ...getExtraOptionsFromEnv(["database", "interpret-results"]),
             ];
             if (automationDetailsId !== undefined) {
@@ -508,7 +504,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             }
             // Capture the stdout, which contains the analysis summary. Don't stream it to the Actions
             // logs to avoid printing it twice.
-            return await runTool(cmd, codeqlArgs, {
+            return await runCli(cmd, codeqlArgs, {
                 noStreamStdout: true,
             });
         },
@@ -519,7 +515,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 ...getExtraOptionsFromEnv(["database", "print-baseline"]),
                 databasePath,
             ];
-            return await runTool(cmd, codeqlArgs);
+            return await runCli(cmd, codeqlArgs);
         },
         /**
          * Download specified packs into the package cache. If the specified
@@ -547,7 +543,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 ...getExtraOptionsFromEnv(["pack", "download"]),
                 ...packs,
             ];
-            const output = await runTool(cmd, codeqlArgs);
+            const output = await runCli(cmd, codeqlArgs);
             try {
                 const parsedOutput = JSON.parse(output);
                 if (Array.isArray(parsedOutput.packs) &&
@@ -566,14 +562,17 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             }
         },
         async databaseCleanup(databasePath, cleanupLevel) {
+            const cacheCleanupFlag = (await util.codeQlVersionAtLeast(this, CODEQL_VERSION_CACHE_CLEANUP))
+                ? "--cache-cleanup"
+                : "--mode";
             const codeqlArgs = [
                 "database",
                 "cleanup",
                 databasePath,
-                `--mode=${cleanupLevel}`,
+                `${cacheCleanupFlag}=${cleanupLevel}`,
                 ...getExtraOptionsFromEnv(["database", "cleanup"]),
             ];
-            await runTool(cmd, codeqlArgs);
+            await runCli(cmd, codeqlArgs);
         },
         async databaseBundle(databasePath, outputFilePath, databaseName) {
             const args = [
@@ -626,7 +625,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 "extractor",
                 "--format=json",
                 `--language=${language}`,
-                ...(await getLanguageAliasingArguments(this)),
+                "--extractor-include-aliases",
                 ...getExtraOptionsFromEnv(["resolve", "extractor"]),
             ], {
                 silent: true,
@@ -655,7 +654,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             if (mergeRunsFromEqualCategory) {
                 args.push("--sarif-merge-runs-from-equal-category");
             }
-            await runTool(cmd, args);
+            await runCli(cmd, args);
         },
     };
     // To ensure that status reports include the CodeQL CLI version wherever
@@ -735,48 +734,16 @@ function getExtraOptions(options, paths, pathInfo) {
         : getExtraOptions(options?.[paths[0]], paths?.slice(1), pathInfo.concat(paths[0]));
     return all.concat(specific);
 }
-/*
- * A constant defining the maximum number of characters we will keep from
- * the programs stderr for logging. This serves two purposes:
- * (1) It avoids an OOM if a program fails in a way that results it
- *     printing many log lines.
- * (2) It avoids us hitting the limit of how much data we can send in our
- *     status reports on GitHub.com.
- */
-const maxErrorSize = 20_000;
-async function runTool(cmd, args = [], opts = {}) {
-    let stdout = "";
-    let stderr = "";
-    process.stdout.write(`[command]${cmd} ${args.join(" ")}\n`);
-    const exitCode = await new toolrunner.ToolRunner(cmd, args, {
-        ignoreReturnCode: true,
-        listeners: {
-            stdout: (data) => {
-                stdout += data.toString("utf8");
-                if (!opts.noStreamStdout) {
-                    process.stdout.write(data);
-                }
-            },
-            stderr: (data) => {
-                let readStartIndex = 0;
-                // If the error is too large, then we only take the last 20,000 characters
-                if (data.length - maxErrorSize > 0) {
-                    // Eg: if we have 20,000 the start index should be 2.
-                    readStartIndex = data.length - maxErrorSize + 1;
-                }
-                stderr += data.toString("utf8", readStartIndex);
-                // Mimic the standard behavior of the toolrunner by writing stderr to stdout
-                process.stdout.write(data);
-            },
-        },
-        silent: true,
-        ...(opts.stdin ? { input: Buffer.from(opts.stdin || "") } : {}),
-    }).exec();
-    if (exitCode !== 0) {
-        const e = new cli_errors_1.CommandInvocationError(cmd, args, exitCode, stderr, stdout);
-        throw (0, cli_errors_1.wrapCliConfigurationError)(e);
+async function runCli(cmd, args = [], opts = {}) {
+    try {
+        return await (0, actions_util_1.runTool)(cmd, args, opts);
+    }
+    catch (e) {
+        if (e instanceof actions_util_1.CommandInvocationError) {
+            throw (0, cli_errors_1.wrapCliConfigurationError)(new cli_errors_1.CliError(e));
+        }
+        throw e;
     }
-    return stdout;
 }
 /**
  * Generates a code scanning configuration that is to be used for a scan.
@@ -859,12 +826,6 @@ async function getTrapCachingExtractorConfigArgsForLang(config, language) {
 function getGeneratedCodeScanningConfigPath(config) {
     return path.resolve(config.tempDir, "user-config.yaml");
 }
-async function getLanguageAliasingArguments(codeql) {
-    if (await util.codeQlVersionAtLeast(codeql, exports.CODEQL_VERSION_LANGUAGE_ALIASING)) {
-        return ["--extractor-include-aliases"];
-    }
-    return [];
-}
 async function isSublanguageFileCoverageEnabled(config, codeql) {
     return (
     // Sub-language file coverage is first supported in GHES 3.12.
@@ -898,4 +859,11 @@ function applyAutobuildAzurePipelinesTimeoutFix() {
         "-Dmaven.wagon.http.pool=false",
     ].join(" ");
 }
+async function getJobRunUuidSarifOptions(codeql) {
+    const jobRunUuid = process.env[environment_1.EnvVar.JOB_RUN_UUID];
+    return jobRunUuid &&
+        (await codeql.supportsFeature(tools_features_1.ToolsFeature.DatabaseInterpretResultsSupportsSarifRunProperty))
+        ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`]
+        : [];
+}
 //# sourceMappingURL=codeql.js.map

lib/codeql.test.js

@@ -60,7 +60,7 @@ async function installIntoToolcache({ apiDetails = testing_utils_1.SAMPLE_DOTCOM
     const url = (0, testing_utils_1.mockBundleDownloadApi)({ apiDetails, isPinned, tagName });
     await codeql.setupCodeQL(cliVersion !== undefined ? undefined : url, apiDetails, tmpDir, util.GitHubVariant.GHES, cliVersion !== undefined
         ? { cliVersion, tagName }
-        : testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        : testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
 }
 function mockReleaseApi({ apiDetails = testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, assetNames, tagName, }) {
     return (0, nock_1.default)(apiDetails.apiURL)
@@ -97,11 +97,10 @@ function mockApiDetails(apiDetails) {
                 tagName: `codeql-bundle-${version}`,
                 isPinned: false,
             });
-            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
             t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
             t.is(result.toolsVersion, `0.0.0-${version}`);
             t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-            t.assert(Number.isInteger(result.toolsDownloadDurationMs));
         }
         t.is(toolcache.findAllVersions("CodeQL").length, 2);
     });
@@ -110,15 +109,17 @@ function mockApiDetails(apiDetails) {
     await util.withTmpDir(async (tmpDir) => {
         (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
         const url = (0, testing_utils_1.mockBundleDownloadApi)({
-            tagName: `codeql-bundle-v2.14.0`,
+            tagName: `codeql-bundle-v2.15.0`,
             isPinned: false,
         });
-        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
         t.is(toolcache.findAllVersions("CodeQL").length, 1);
-        t.assert(toolcache.find("CodeQL", `2.14.0`));
-        t.is(result.toolsVersion, `2.14.0`);
+        t.assert(toolcache.find("CodeQL", `2.15.0`));
+        t.is(result.toolsVersion, `2.15.0`);
         t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-        t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+        if (result.toolsDownloadStatusReport) {
+            assertDurationsInteger(t, result.toolsDownloadStatusReport);
+        }
     });
 });
 (0, ava_1.default)("downloads an explicitly requested bundle even if a different version is cached", async (t) => {
@@ -132,11 +133,13 @@ function mockApiDetails(apiDetails) {
         const url = (0, testing_utils_1.mockBundleDownloadApi)({
             tagName: "codeql-bundle-20200610",
         });
-        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
         t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
         t.deepEqual(result.toolsVersion, "0.0.0-20200610");
         t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-        t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+        if (result.toolsDownloadStatusReport) {
+            assertDurationsInteger(t, result.toolsDownloadStatusReport);
+        }
     });
 });
 const EXPLICITLY_REQUESTED_BUNDLE_TEST_CASES = [
@@ -158,11 +161,11 @@ for (const { tagName, expectedToolcacheVersion, } of EXPLICITLY_REQUESTED_BUNDLE
             const url = (0, testing_utils_1.mockBundleDownloadApi)({
                 tagName,
             });
-            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(url, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
             t.assert(toolcache.find("CodeQL", expectedToolcacheVersion));
             t.deepEqual(result.toolsVersion, expectedToolcacheVersion);
             t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-            t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+            t.assert(Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs));
         });
     });
 }
@@ -181,10 +184,12 @@ for (const toolcacheVersion of [
                 .withArgs("CodeQL", toolcacheVersion)
                 .returns("path/to/cached/codeql");
             sinon.stub(toolcache, "findAllVersions").returns([toolcacheVersion]);
-            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+            const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
             t.is(result.toolsVersion, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
             t.is(result.toolsSource, setup_codeql_1.ToolsSource.Toolcache);
-            t.is(result.toolsDownloadDurationMs, undefined);
+            t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
+            t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
+            t.is(result.toolsDownloadStatusReport?.extractionDurationMs, undefined);
         });
     });
 }
@@ -199,10 +204,12 @@ for (const toolcacheVersion of [
         const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.GHES, {
             cliVersion: defaults.cliVersion,
             tagName: defaults.bundleVersion,
-        }, (0, logging_1.getRunnerLogger)(true), false);
+        }, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
         t.deepEqual(result.toolsVersion, "0.0.0-20200601");
         t.is(result.toolsSource, setup_codeql_1.ToolsSource.Toolcache);
-        t.is(result.toolsDownloadDurationMs, undefined);
+        t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined);
+        t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
+        t.is(result.toolsDownloadStatusReport?.extractionDurationMs, undefined);
         const cachedVersions = toolcache.findAllVersions("CodeQL");
         t.is(cachedVersions.length, 1);
     });
@@ -221,10 +228,12 @@ for (const toolcacheVersion of [
         const result = await codeql.setupCodeQL(undefined, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.GHES, {
             cliVersion: defaults.cliVersion,
             tagName: defaults.bundleVersion,
-        }, (0, logging_1.getRunnerLogger)(true), false);
+        }, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
         t.deepEqual(result.toolsVersion, defaults.cliVersion);
         t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-        t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+        if (result.toolsDownloadStatusReport) {
+            assertDurationsInteger(t, result.toolsDownloadStatusReport);
+        }
         const cachedVersions = toolcache.findAllVersions("CodeQL");
         t.is(cachedVersions.length, 2);
     });
@@ -240,10 +249,12 @@ for (const toolcacheVersion of [
         (0, testing_utils_1.mockBundleDownloadApi)({
             tagName: defaults.bundleVersion,
         });
-        const result = await codeql.setupCodeQL("latest", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("latest", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
         t.deepEqual(result.toolsVersion, defaults.cliVersion);
         t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-        t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+        if (result.toolsDownloadStatusReport) {
+            assertDurationsInteger(t, result.toolsDownloadStatusReport);
+        }
         const cachedVersions = toolcache.findAllVersions("CodeQL");
         t.is(cachedVersions.length, 2);
     });
@@ -254,7 +265,7 @@ for (const toolcacheVersion of [
         mockApiDetails(testing_utils_1.SAMPLE_DOTCOM_API_DETAILS);
         sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
         const releasesApiMock = mockReleaseApi({
-            assetNames: ["cli-version-2.13.5.txt"],
+            assetNames: ["cli-version-2.14.6.txt"],
             tagName: "codeql-bundle-20230203",
         });
         (0, testing_utils_1.mockBundleDownloadApi)({
@@ -262,16 +273,25 @@ for (const toolcacheVersion of [
             platformSpecific: false,
             tagName: "codeql-bundle-20230203",
         });
-        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, tmpDir, util.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true), false);
         t.is(result.toolsVersion, "0.0.0-20230203");
         t.is(result.toolsSource, setup_codeql_1.ToolsSource.Download);
-        t.true(Number.isInteger(result.toolsDownloadDurationMs));
+        if (result.toolsDownloadStatusReport) {
+            assertDurationsInteger(t, result.toolsDownloadStatusReport);
+        }
         const cachedVersions = toolcache.findAllVersions("CodeQL");
         t.is(cachedVersions.length, 1);
         t.is(cachedVersions[0], "0.0.0-20230203");
         t.false(releasesApiMock.isDone());
     });
 });
+function assertDurationsInteger(t, statusReport) {
+    t.assert(Number.isInteger(statusReport?.combinedDurationMs));
+    if (statusReport.downloadDurationMs !== undefined) {
+        t.assert(Number.isInteger(statusReport?.downloadDurationMs));
+        t.assert(Number.isInteger(statusReport?.extractionDurationMs));
+    }
+}
 (0, ava_1.default)("getExtraOptions works for explicit paths", (t) => {
     t.deepEqual(codeql.getExtraOptions({}, ["foo"], []), []);
     t.deepEqual(codeql.getExtraOptions({ foo: [42] }, ["foo"], []), ["42"]);
@@ -591,7 +611,7 @@ for (const { codeqlVersion, flagPassed, githubVersion, negativeFlagPassed, } of
     // safeWhich throws because of the test CodeQL object.
     sinon.stub(safeWhich, "safeWhich").resolves("");
     await t.throwsAsync(async () => await codeqlObject.databaseRunQueries(stubConfig.dbLocation, []), {
-        instanceOf: cli_errors_1.CommandInvocationError,
+        instanceOf: cli_errors_1.CliError,
         message: `Encountered a fatal error while running "codeql-for-testing database run-queries  --expect-discarded-cache --min-disk-free=1024 -v --intra-layer-parallelism". Exit code was 1 and error was: Oops! A fatal internal error occurred. Details:
     com.semmle.util.exception.CatastrophicError: An error occurred while evaluating ControlFlowGraph::ControlFlow::Root.isRootOf/1#dispred#f610e6ed/2@86282cc8
     Severe disk cache trouble (corruption or out of space) at /home/runner/work/_temp/codeql_databases/go/db-go/default/cache/pages/28/33.pack: Failed to write item to disk. See the logs for more details.`,

lib/config-utils.js

@@ -34,7 +34,6 @@ exports.getNoLanguagesError = getNoLanguagesError;
 exports.getUnknownLanguagesError = getUnknownLanguagesError;
 exports.getLanguagesInRepo = getLanguagesInRepo;
 exports.getLanguages = getLanguages;
-exports.getLanguageAliases = getLanguageAliases;
 exports.getRawLanguages = getRawLanguages;
 exports.getDefaultConfig = getDefaultConfig;
 exports.calculateAugmentation = calculateAugmentation;
@@ -54,7 +53,6 @@ const perf_hooks_1 = require("perf_hooks");
 const yaml = __importStar(require("js-yaml"));
 const semver = __importStar(require("semver"));
 const api = __importStar(require("./api-client"));
-const codeql_1 = require("./codeql");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const trap_caching_1 = require("./trap-caching");
@@ -155,7 +153,7 @@ async function getLanguages(codeQL, languagesInput, repository, logger) {
         logger.info(`Automatically detected languages: ${languages.join(", ")}`);
     }
     else {
-        const aliases = await getLanguageAliases(codeQL);
+        const aliases = (await codeQL.betterResolveLanguages()).aliases;
         if (aliases) {
             languages = languages.map((lang) => aliases[lang] || lang);
         }
@@ -185,16 +183,6 @@ async function getLanguages(codeQL, languagesInput, repository, logger) {
     }
     return parsedLanguages;
 }
-/**
- * Gets the set of languages supported by CodeQL, along with their aliases if supported by the
- * version of the CLI.
- */
-async function getLanguageAliases(codeql) {
-    if (await (0, util_1.codeQlVersionAtLeast)(codeql, codeql_1.CODEQL_VERSION_LANGUAGE_ALIASING)) {
-        return (await codeql.betterResolveLanguages()).aliases;
-    }
-    return undefined;
-}
 /**
  * Gets the set of languages in the current repository without checking to
  * see if these languages are actually supported by CodeQL.

lib/debug-artifacts.js

@@ -26,25 +26,158 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.sanitizeArifactName = sanitizeArifactName;
+exports.sanitizeArtifactName = sanitizeArtifactName;
+exports.uploadCombinedSarifArtifacts = uploadCombinedSarifArtifacts;
+exports.tryUploadAllAvailableDebugArtifacts = tryUploadAllAvailableDebugArtifacts;
 exports.uploadDebugArtifacts = uploadDebugArtifacts;
-exports.uploadSarifDebugArtifact = uploadSarifDebugArtifact;
-exports.uploadLogsDebugArtifact = uploadLogsDebugArtifact;
-exports.uploadDatabaseBundleDebugArtifact = uploadDatabaseBundleDebugArtifact;
+exports.getArtifactUploaderClient = getArtifactUploaderClient;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const artifact = __importStar(require("@actions/artifact"));
+const artifactLegacy = __importStar(require("@actions/artifact-legacy"));
 const core = __importStar(require("@actions/core"));
 const adm_zip_1 = __importDefault(require("adm-zip"));
 const del_1 = __importDefault(require("del"));
 const actions_util_1 = require("./actions-util");
 const analyze_1 = require("./analyze");
 const codeql_1 = require("./codeql");
+const environment_1 = require("./environment");
+const feature_flags_1 = require("./feature-flags");
+const logging_1 = require("./logging");
 const util_1 = require("./util");
-function sanitizeArifactName(name) {
+function sanitizeArtifactName(name) {
     return name.replace(/[^a-zA-Z0-9_\\-]+/g, "");
 }
-async function uploadDebugArtifacts(toUpload, rootDir, artifactName) {
+/**
+ * Upload Actions SARIF artifacts for debugging when CODEQL_ACTION_DEBUG_COMBINED_SARIF
+ * environment variable is set
+ */
+async function uploadCombinedSarifArtifacts(logger, gitHubVariant, features) {
+    const tempDir = (0, actions_util_1.getTemporaryDirectory)();
+    // Upload Actions SARIF artifacts for debugging when environment variable is set
+    if (process.env["CODEQL_ACTION_DEBUG_COMBINED_SARIF"] === "true") {
+        logger.info("Uploading available combined SARIF files as Actions debugging artifact...");
+        const baseTempDir = path.resolve(tempDir, "combined-sarif");
+        const toUpload = [];
+        if (fs.existsSync(baseTempDir)) {
+            const outputDirs = fs.readdirSync(baseTempDir);
+            for (const outputDir of outputDirs) {
+                const sarifFiles = fs
+                    .readdirSync(path.resolve(baseTempDir, outputDir))
+                    .filter((f) => f.endsWith(".sarif"));
+                for (const sarifFile of sarifFiles) {
+                    toUpload.push(path.resolve(baseTempDir, outputDir, sarifFile));
+                }
+            }
+        }
+        try {
+            await uploadDebugArtifacts(logger, toUpload, baseTempDir, "combined-sarif-artifacts", gitHubVariant, features);
+        }
+        catch (e) {
+            logger.warning(`Failed to upload combined SARIF files as Actions debugging artifact. Reason: ${(0, util_1.getErrorMessage)(e)}`);
+        }
+    }
+}
+/**
+ * Try to prepare a SARIF result debug artifact for the given language.
+ *
+ * @return The path to that debug artifact, or undefined if an error occurs.
+ */
+function tryPrepareSarifDebugArtifact(config, language, logger) {
+    try {
+        const analyzeActionOutputDir = process.env[environment_1.EnvVar.SARIF_RESULTS_OUTPUT_DIR];
+        if (analyzeActionOutputDir !== undefined &&
+            fs.existsSync(analyzeActionOutputDir) &&
+            fs.lstatSync(analyzeActionOutputDir).isDirectory()) {
+            const sarifFile = path.resolve(analyzeActionOutputDir, `${language}.sarif`);
+            // Move SARIF to DB location so that they can be uploaded with the same root directory as the other artifacts.
+            if (fs.existsSync(sarifFile)) {
+                const sarifInDbLocation = path.resolve(config.dbLocation, `${language}.sarif`);
+                fs.copyFileSync(sarifFile, sarifInDbLocation);
+                return sarifInDbLocation;
+            }
+        }
+    }
+    catch (e) {
+        logger.warning(`Failed to find SARIF results path for ${language}. Reason: ${(0, util_1.getErrorMessage)(e)}`);
+    }
+    return undefined;
+}
+/**
+ * Try to bundle the database for the given language.
+ *
+ * @return The path to the database bundle, or undefined if an error occurs.
+ */
+async function tryBundleDatabase(config, language, logger) {
+    try {
+        if ((0, analyze_1.dbIsFinalized)(config, language, logger)) {
+            try {
+                return await createDatabaseBundleCli(config, language);
+            }
+            catch (e) {
+                logger.warning(`Failed to bundle database for ${language} using the CLI. ` +
+                    `Falling back to a partial bundle. Reason: ${(0, util_1.getErrorMessage)(e)}`);
+            }
+        }
+        return await createPartialDatabaseBundle(config, language);
+    }
+    catch (e) {
+        logger.warning(`Failed to bundle database for ${language}. Reason: ${(0, util_1.getErrorMessage)(e)}`);
+        return undefined;
+    }
+}
+/**
+ * Attempt to upload all available debug artifacts.
+ *
+ * Logs and suppresses any errors that occur.
+ */
+async function tryUploadAllAvailableDebugArtifacts(config, logger, features) {
+    const filesToUpload = [];
+    try {
+        for (const language of config.languages) {
+            await (0, logging_1.withGroup)(`Uploading debug artifacts for ${language}`, async () => {
+                logger.info("Preparing SARIF result debug artifact...");
+                const sarifResultDebugArtifact = tryPrepareSarifDebugArtifact(config, language, logger);
+                if (sarifResultDebugArtifact) {
+                    filesToUpload.push(sarifResultDebugArtifact);
+                    logger.info("SARIF result debug artifact ready for upload.");
+                }
+                logger.info("Preparing database logs debug artifact...");
+                const databaseDirectory = (0, util_1.getCodeQLDatabasePath)(config, language);
+                const logsDirectory = path.resolve(databaseDirectory, "log");
+                if ((0, util_1.doesDirectoryExist)(logsDirectory)) {
+                    filesToUpload.push(...(0, util_1.listFolder)(logsDirectory));
+                    logger.info("Database logs debug artifact ready for upload.");
+                }
+                // Multilanguage tracing: there are additional logs in the root of the cluster
+                logger.info("Preparing database cluster logs debug artifact...");
+                const multiLanguageTracingLogsDirectory = path.resolve(config.dbLocation, "log");
+                if ((0, util_1.doesDirectoryExist)(multiLanguageTracingLogsDirectory)) {
+                    filesToUpload.push(...(0, util_1.listFolder)(multiLanguageTracingLogsDirectory));
+                    logger.info("Database cluster logs debug artifact ready for upload.");
+                }
+                // Add database bundle
+                logger.info("Preparing database bundle debug artifact...");
+                const databaseBundle = await tryBundleDatabase(config, language, logger);
+                if (databaseBundle) {
+                    filesToUpload.push(databaseBundle);
+                    logger.info("Database bundle debug artifact ready for upload.");
+                }
+            });
+        }
+    }
+    catch (e) {
+        logger.warning(`Failed to prepare debug artifacts. Reason: ${(0, util_1.getErrorMessage)(e)}`);
+        return;
+    }
+    try {
+        await (0, logging_1.withGroup)("Uploading debug artifacts", async () => uploadDebugArtifacts(logger, filesToUpload, config.dbLocation, config.debugArtifactName, config.gitHubVersion.type, features));
+    }
+    catch (e) {
+        logger.warning(`Failed to upload debug artifacts. Reason: ${(0, util_1.getErrorMessage)(e)}`);
+    }
+}
+async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghVariant, features) {
     if (toUpload.length === 0) {
         return;
     }
@@ -59,9 +192,9 @@ async function uploadDebugArtifacts(toUpload, rootDir, artifactName) {
             core.info("Could not parse user-specified `matrix` input into JSON. The debug artifact will not be named with the user's `matrix` input.");
         }
     }
+    const artifactUploader = await getArtifactUploaderClient(logger, ghVariant, features);
     try {
-        await artifact.create().uploadArtifact(sanitizeArifactName(`${artifactName}${suffix}`), toUpload.map((file) => path.normalize(file)), path.normalize(rootDir), {
-            continueOnError: true,
+        await artifactUploader.uploadArtifact(sanitizeArtifactName(`${artifactName}${suffix}`), toUpload.map((file) => path.normalize(file)), path.normalize(rootDir), {
             // ensure we don't keep the debug artifacts around for too long since they can be large.
             retentionDays: 7,
         });
@@ -71,34 +204,23 @@ async function uploadDebugArtifacts(toUpload, rootDir, artifactName) {
         core.warning(`Failed to upload debug artifacts: ${e}`);
     }
 }
-async function uploadSarifDebugArtifact(config, outputDir) {
-    if (!(0, util_1.doesDirectoryExist)(outputDir)) {
-        return;
+// `@actions/artifact@v2` is not yet supported on GHES so the legacy version of the client will be used on GHES
+// until it is supported. We also use the legacy version of the client if the feature flag is disabled.
+// The feature flag is named `ArtifactV4Upgrade` to reduce customer confusion; customers are primarily affected by
+// `actions/download-artifact`, whose upgrade to v4 must be accompanied by the `@actions/artifact@v2` upgrade.
+async function getArtifactUploaderClient(logger, ghVariant, features) {
+    if (ghVariant === util_1.GitHubVariant.GHES) {
+        logger.info("Debug artifacts can be consumed with `actions/download-artifact@v3` because the `v4` version is not yet compatible on GHES.");
+        return artifactLegacy.create();
     }
-    let toUpload = [];
-    for (const lang of config.languages) {
-        const sarifFile = path.resolve(outputDir, `${lang}.sarif`);
-        if (fs.existsSync(sarifFile)) {
-            toUpload = toUpload.concat(sarifFile);
-        }
+    else if (!(await features.getValue(feature_flags_1.Feature.ArtifactV4Upgrade))) {
+        logger.info("Debug artifacts can be consumed with `actions/download-artifact@v3`. To use the `actions/download-artifact@v4`, set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to true.");
+        return artifactLegacy.create();
     }
-    await uploadDebugArtifacts(toUpload, outputDir, config.debugArtifactName);
-}
-async function uploadLogsDebugArtifact(config) {
-    let toUpload = [];
-    for (const language of config.languages) {
-        const databaseDirectory = (0, util_1.getCodeQLDatabasePath)(config, language);
-        const logsDirectory = path.resolve(databaseDirectory, "log");
-        if ((0, util_1.doesDirectoryExist)(logsDirectory)) {
-            toUpload = toUpload.concat((0, util_1.listFolder)(logsDirectory));
-        }
+    else {
+        logger.info("Debug artifacts can be consumed with `actions/download-artifact@v4`.");
+        return new artifact.DefaultArtifactClient();
     }
-    // Multilanguage tracing: there are additional logs in the root of the cluster
-    const multiLanguageTracingLogsDirectory = path.resolve(config.dbLocation, "log");
-    if ((0, util_1.doesDirectoryExist)(multiLanguageTracingLogsDirectory)) {
-        toUpload = toUpload.concat((0, util_1.listFolder)(multiLanguageTracingLogsDirectory));
-    }
-    await uploadDebugArtifacts(toUpload, config.dbLocation, config.debugArtifactName);
 }
 /**
  * If a database has not been finalized, we cannot run the `codeql database bundle`
@@ -122,25 +244,7 @@ async function createPartialDatabaseBundle(config, language) {
  * Runs `codeql database bundle` command and returns the path.
  */
 async function createDatabaseBundleCli(config, language) {
-    // Otherwise run `codeql database bundle` command.
     const databaseBundlePath = await (0, util_1.bundleDb)(config, language, await (0, codeql_1.getCodeQL)(config.codeQLCmd), `${config.debugDatabaseName}-${language}`);
     return databaseBundlePath;
 }
-async function uploadDatabaseBundleDebugArtifact(config, logger) {
-    for (const language of config.languages) {
-        try {
-            let databaseBundlePath;
-            if (!(0, analyze_1.dbIsFinalized)(config, language, logger)) {
-                databaseBundlePath = await createPartialDatabaseBundle(config, language);
-            }
-            else {
-                databaseBundlePath = await createDatabaseBundleCli(config, language);
-            }
-            await uploadDebugArtifacts([databaseBundlePath], config.dbLocation, config.debugArtifactName);
-        }
-        catch (error) {
-            core.info(`Failed to upload database debug bundle for ${config.debugDatabaseName}-${language}: ${error}`);
-        }
-    }
-}
 //# sourceMappingURL=debug-artifacts.js.map

lib/debug-artifacts.test.js

@@ -28,14 +28,20 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const ava_1 = __importDefault(require("ava"));
 const debugArtifacts = __importStar(require("./debug-artifacts"));
-(0, ava_1.default)("sanitizeArifactName", (t) => {
-    t.deepEqual(debugArtifacts.sanitizeArifactName("hello-world_"), "hello-world_");
-    t.deepEqual(debugArtifacts.sanitizeArifactName("hello`world`"), "helloworld");
-    t.deepEqual(debugArtifacts.sanitizeArifactName("hello===123"), "hello123");
-    t.deepEqual(debugArtifacts.sanitizeArifactName("*m)a&n^y%i££n+v!a:l[i]d"), "manyinvalid");
+const feature_flags_1 = require("./feature-flags");
+const logging_1 = require("./logging");
+const testing_utils_1 = require("./testing-utils");
+const util_1 = require("./util");
+(0, ava_1.default)("sanitizeArtifactName", (t) => {
+    t.deepEqual(debugArtifacts.sanitizeArtifactName("hello-world_"), "hello-world_");
+    t.deepEqual(debugArtifacts.sanitizeArtifactName("hello`world`"), "helloworld");
+    t.deepEqual(debugArtifacts.sanitizeArtifactName("hello===123"), "hello123");
+    t.deepEqual(debugArtifacts.sanitizeArtifactName("*m)a&n^y%i££n+v!a:l[i]d"), "manyinvalid");
 });
 (0, ava_1.default)("uploadDebugArtifacts", async (t) => {
     // Test that no error is thrown if artifacts list is empty.
-    await t.notThrowsAsync(debugArtifacts.uploadDebugArtifacts([], "rootDir", "artifactName"));
+    const logger = (0, logging_1.getActionsLogger)();
+    const mockFeature = (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.ArtifactV4Upgrade]);
+    await t.notThrowsAsync(debugArtifacts.uploadDebugArtifacts(logger, [], "rootDir", "artifactName", util_1.GitHubVariant.DOTCOM, mockFeature));
 });
 //# sourceMappingURL=debug-artifacts.test.js.map

lib/debug-artifacts.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AAEpD,IAAA,aAAI,EAAC,qBAAqB,EAAE,CAAC,CAAC,EAAE,EAAE;IAChC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,mBAAmB,CAAC,cAAc,CAAC,EAClD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,mBAAmB,CAAC,cAAc,CAAC,EAAE,YAAY,CAAC,CAAC;IAC9E,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,mBAAmB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC3E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,mBAAmB,CAAC,yBAAyB,CAAC,EAC7D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,2DAA2D;IAC3D,MAAM,CAAC,CAAC,cAAc,CACpB,cAAc,CAAC,oBAAoB,CAAC,EAAE,EAAE,SAAS,EAAE,cAAc,CAAC,CACnE,CAAC;AACJ,CAAC,CAAC,CAAC"}
+{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AACpD,mDAA0C;AAC1C,uCAA6C;AAC7C,mDAAiD;AACjD,iCAAuC;AAEvC,IAAA,aAAI,EAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;IACjC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,YAAY,CACb,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,EAC9D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,2DAA2D;IAC3D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,WAAW,GAAG,IAAA,8BAAc,EAAC,CAAC,uBAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAChE,MAAM,CAAC,CAAC,cAAc,CACpB,cAAc,CAAC,oBAAoB,CACjC,MAAM,EACN,EAAE,EACF,SAAS,EACT,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,WAAW,CACZ,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.18.1",
-    "cliVersion": "2.18.1",
-    "priorBundleVersion": "codeql-bundle-v2.18.0",
-    "priorCliVersion": "2.18.0"
+    "bundleVersion": "codeql-bundle-v2.19.1",
+    "cliVersion": "2.19.1",
+    "priorBundleVersion": "codeql-bundle-v2.19.0",
+    "priorCliVersion": "2.19.0"
 }

lib/diagnostics.js

@@ -38,7 +38,9 @@ function makeDiagnostic(id, name, data = undefined) {
  */
 function addDiagnostic(config, language, diagnostic) {
     const logger = (0, logging_1.getActionsLogger)();
-    const databasePath = (0, util_1.getCodeQLDatabasePath)(config, language);
+    const databasePath = language
+        ? (0, util_1.getCodeQLDatabasePath)(config, language)
+        : config.dbLocation;
     // Check that the database exists before writing to it. If the database does not yet exist,
     // store the diagnostic in memory and write it later.
     if ((0, fs_1.existsSync)(databasePath)) {
@@ -58,11 +60,16 @@ function addDiagnostic(config, language, diagnostic) {
  */
 function writeDiagnostic(config, language, diagnostic) {
     const logger = (0, logging_1.getActionsLogger)();
-    const diagnosticsPath = path_1.default.resolve((0, util_1.getCodeQLDatabasePath)(config, language), "diagnostic", "codeql-action");
+    const databasePath = language
+        ? (0, util_1.getCodeQLDatabasePath)(config, language)
+        : config.dbLocation;
+    const diagnosticsPath = path_1.default.resolve(databasePath, "diagnostic", "codeql-action");
     try {
         // Create the directory if it doesn't exist yet.
         (0, fs_1.mkdirSync)(diagnosticsPath, { recursive: true });
-        const jsonPath = path_1.default.resolve(diagnosticsPath, `codeql-action-${diagnostic.timestamp}.json`);
+        const jsonPath = path_1.default.resolve(diagnosticsPath, 
+        // Remove colons from the timestamp as these are not allowed in Windows filenames.
+        `codeql-action-${diagnostic.timestamp.replaceAll(":", "")}.json`);
         (0, fs_1.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
     }
     catch (err) {