Merge pull request #2716 from github/mergeback/v3.28.4-to-main-ee117c90

Mergeback v3.28.4 refs/heads/releases/v3 into main

CHANGELOG.md

@@ -6,6 +6,20 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 No user facing changes.
 
+## 3.28.4 - 23 Jan 2025
+
+No user facing changes.
+
+## 3.28.3 - 22 Jan 2025
+
+- Update default CodeQL bundle version to 2.20.2. [#2707](https://github.com/github/codeql-action/pull/2707)
+- Fix an issue downloading the CodeQL Bundle from a GitHub Enterprise Server instance which occurred when the CodeQL Bundle had been synced to the instance using the [CodeQL Action sync tool](https://github.com/github/codeql-action-sync-tool) and the Actions runner did not have Zstandard installed. [#2710](https://github.com/github/codeql-action/pull/2710)
+- Uploading debug artifacts for CodeQL analysis is temporarily disabled. [#2712](https://github.com/github/codeql-action/pull/2712)
+
+## 3.28.2 - 21 Jan 2025
+
+No user facing changes.
+
 ## 3.28.1 - 10 Jan 2025
 
 - CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see [this changelog post](https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/). [#2677](https://github.com/github/codeql-action/pull/2677)

lib/debug-artifacts.js

@@ -190,6 +190,8 @@ async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghV
     if (toUpload.length === 0) {
         return;
     }
+    logger.info("Uploading debug artifacts is temporarily disabled");
+    return;
     let suffix = "";
     const matrix = (0, actions_util_1.getRequiredInput)("matrix");
     if (matrix) {

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.20.1",
-    "cliVersion": "2.20.1",
-    "priorBundleVersion": "codeql-bundle-v2.20.0",
-    "priorCliVersion": "2.20.0"
+    "bundleVersion": "codeql-bundle-v2.20.2",
+    "cliVersion": "2.20.2",
+    "priorBundleVersion": "codeql-bundle-v2.20.1",
+    "priorCliVersion": "2.20.1"
 }

lib/setup-codeql.js

@@ -70,11 +70,18 @@ var ToolsSource;
 })(ToolsSource || (exports.ToolsSource = ToolsSource = {}));
 exports.CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
 const CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
-function getCodeQLBundleExtension(useZstd) {
-    return useZstd ? ".tar.zst" : ".tar.gz";
+function getCodeQLBundleExtension(compressionMethod) {
+    switch (compressionMethod) {
+        case "gzip":
+            return ".tar.gz";
+        case "zstd":
+            return ".tar.zst";
+        default:
+            util.assertNever(compressionMethod);
+    }
 }
-function getCodeQLBundleName(useZstd) {
-    const extension = getCodeQLBundleExtension(useZstd);
+function getCodeQLBundleName(compressionMethod) {
+    const extension = getCodeQLBundleExtension(compressionMethod);
     let platform;
     if (process.platform === "win32") {
         platform = "win64";
@@ -100,7 +107,7 @@ function getCodeQLActionRepository(logger) {
     }
     return util.getRequiredEnvParam("GITHUB_ACTION_REPOSITORY");
 }
-async function getCodeQLBundleDownloadURL(tagName, apiDetails, useZstd, logger) {
+async function getCodeQLBundleDownloadURL(tagName, apiDetails, compressionMethod, logger) {
     const codeQLActionRepository = getCodeQLActionRepository(logger);
     const potentialDownloadSources = [
         // This GitHub instance, and this Action.
@@ -115,7 +122,7 @@ async function getCodeQLBundleDownloadURL(tagName, apiDetails, useZstd, logger)
     const uniqueDownloadSources = potentialDownloadSources.filter((source, index, self) => {
         return !self.slice(0, index).some((other) => (0, fast_deep_equal_1.default)(source, other));
     });
-    const codeQLBundleName = getCodeQLBundleName(useZstd);
+    const codeQLBundleName = getCodeQLBundleName(compressionMethod);
     for (const downloadSource of uniqueDownloadSources) {
         const [apiURL, repository] = downloadSource;
         // If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
@@ -132,13 +139,13 @@ async function getCodeQLBundleDownloadURL(tagName, apiDetails, useZstd, logger)
             });
             for (const asset of release.data.assets) {
                 if (asset.name === codeQLBundleName) {
-                    logger.info(`Found CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} with URL ${asset.url}.`);
+                    logger.info(`Found CodeQL bundle ${codeQLBundleName} in ${repository} on ${apiURL} with URL ${asset.url}.`);
                     return asset.url;
                 }
             }
         }
         catch (e) {
-            logger.info(`Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`);
+            logger.info(`Looked for CodeQL bundle ${codeQLBundleName} in ${repository} on ${apiURL} but got error ${e}.`);
         }
     }
     return `https://github.com/${exports.CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${tagName}/${codeQLBundleName}`;
@@ -221,8 +228,14 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
         !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) &&
         !toolsInput.startsWith("http")) {
         logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
+        const compressionMethod = tar.inferCompressionMethod(toolsInput);
+        if (compressionMethod === undefined) {
+            throw new util.ConfigurationError(`Could not infer compression method from path ${toolsInput}. Please specify a path ` +
+                "ending in '.tar.gz' or '.tar.zst'.");
+        }
         return {
             codeqlTarPath: toolsInput,
+            compressionMethod,
             sourceType: "local",
             toolsVersion: "local",
         };
@@ -356,9 +369,22 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
             return result;
         }
     }
+    let compressionMethod;
     if (!url) {
-        url = await getCodeQLBundleDownloadURL(tagName, apiDetails, cliVersion !== undefined &&
-            (await useZstdBundle(cliVersion, tarSupportsZstd)), logger);
+        compressionMethod =
+            cliVersion !== undefined &&
+                (await useZstdBundle(cliVersion, tarSupportsZstd))
+                ? "zstd"
+                : "gzip";
+        url = await getCodeQLBundleDownloadURL(tagName, apiDetails, compressionMethod, logger);
+    }
+    else {
+        const method = tar.inferCompressionMethod(url);
+        if (method === undefined) {
+            throw new util.ConfigurationError(`Could not infer compression method from URL ${url}. Please specify a URL ` +
+                "ending in '.tar.gz' or '.tar.zst'.");
+        }
+        compressionMethod = method;
     }
     if (cliVersion) {
         logger.info(`Using CodeQL CLI version ${cliVersion} sourced from ${url} .`);
@@ -370,6 +396,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
         bundleVersion: tagName && tryGetBundleVersionFromTagName(tagName, logger),
         cliVersion,
         codeqlURL: url,
+        compressionMethod,
         sourceType: "download",
         toolsVersion: cliVersion ?? humanReadableVersion,
     };
@@ -390,7 +417,7 @@ async function tryGetFallbackToolcacheVersion(cliVersion, tagName, logger) {
 }
 // Exported using `export const` for testing purposes. Specifically, we want to
 // be able to stub this function and have other functions in this file use that stub.
-const downloadCodeQL = async function (codeqlURL, maybeBundleVersion, maybeCliVersion, apiDetails, tarVersion, tempDir, features, logger) {
+const downloadCodeQL = async function (codeqlURL, compressionMethod, maybeBundleVersion, maybeCliVersion, apiDetails, tarVersion, tempDir, features, logger) {
     const parsedCodeQLURL = new URL(codeqlURL);
     const searchParams = new URLSearchParams(parsedCodeQLURL.search);
     const headers = {
@@ -417,7 +444,7 @@ const downloadCodeQL = async function (codeqlURL, maybeBundleVersion, maybeCliVe
     const extractedBundlePath = extractToToolcache
         ? toolcacheInfo.path
         : getTempExtractionDir(tempDir);
-    let statusReport = await (0, tools_download_1.downloadAndExtract)(codeqlURL, extractedBundlePath, authorization, { "User-Agent": "CodeQL Action", ...headers }, tarVersion, logger);
+    let statusReport = await (0, tools_download_1.downloadAndExtract)(codeqlURL, compressionMethod, extractedBundlePath, authorization, { "User-Agent": "CodeQL Action", ...headers }, tarVersion, logger);
     if (!toolcacheInfo) {
         logger.debug("Could not cache CodeQL tools because we could not determine the bundle version from the " +
             `URL ${codeqlURL}.`);
@@ -509,8 +536,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, featu
     let toolsSource;
     switch (source.sourceType) {
         case "local": {
-            const compressionMethod = tar.inferCompressionMethod(source.codeqlTarPath);
-            codeqlFolder = await tar.extract(source.codeqlTarPath, getTempExtractionDir(tempDir), compressionMethod, zstdAvailability.version, logger);
+            codeqlFolder = await tar.extract(source.codeqlTarPath, getTempExtractionDir(tempDir), source.compressionMethod, zstdAvailability.version, logger);
             toolsSource = ToolsSource.Local;
             break;
         }
@@ -520,7 +546,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, featu
             toolsSource = ToolsSource.Toolcache;
             break;
         case "download": {
-            const result = await (0, exports.downloadCodeQL)(source.codeqlURL, source.bundleVersion, source.cliVersion, apiDetails, zstdAvailability.version, tempDir, features, logger);
+            const result = await (0, exports.downloadCodeQL)(source.codeqlURL, source.compressionMethod, source.bundleVersion, source.cliVersion, apiDetails, zstdAvailability.version, tempDir, features, logger);
             toolsVersion = result.toolsVersion;
             codeqlFolder = result.codeqlFolder;
             toolsDownloadStatusReport = result.statusReport;

lib/tar.js

@@ -43,6 +43,7 @@ const stream = __importStar(require("stream"));
 const toolrunner_1 = require("@actions/exec/lib/toolrunner");
 const io = __importStar(require("@actions/io"));
 const toolcache = __importStar(require("@actions/tool-cache"));
+const semver = __importStar(require("semver"));
 const actions_util_1 = require("./actions-util");
 const util_1 = require("./util");
 const MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
@@ -88,13 +89,18 @@ async function isZstdAvailable(logger) {
         switch (type) {
             case "gnu":
                 return {
-                    available: foundZstdBinary && version >= MIN_REQUIRED_GNU_TAR_VERSION,
+                    available: foundZstdBinary &&
+                        // GNU tar only uses major and minor version numbers
+                        semver.gte(semver.coerce(version), semver.coerce(MIN_REQUIRED_GNU_TAR_VERSION)),
                     foundZstdBinary,
                     version: tarVersion,
                 };
             case "bsd":
                 return {
-                    available: foundZstdBinary && version >= MIN_REQUIRED_BSD_TAR_VERSION,
+                    available: foundZstdBinary &&
+                        // Do a loose comparison since these version numbers don't contain
+                        // a patch version number.
+                        semver.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
                     foundZstdBinary,
                     version: tarVersion,
                 };
@@ -179,10 +185,16 @@ async function extractTarZst(tar, dest, tarVersion, logger) {
         throw e;
     }
 }
+const KNOWN_EXTENSIONS = {
+    "tar.gz": "gzip",
+    "tar.zst": "zstd",
+};
 function inferCompressionMethod(tarPath) {
-    if (tarPath.endsWith(".tar.gz")) {
-        return "gzip";
+    for (const [ext, method] of Object.entries(KNOWN_EXTENSIONS)) {
+        if (tarPath.endsWith(`.${ext}`)) {
+            return method;
+        }
     }
-    return "zstd";
+    return undefined;
 }
 //# sourceMappingURL=tar.js.map

lib/tools-download.js

@@ -73,9 +73,8 @@ function makeStreamedToolsDownloadDurations(combinedDurationMs) {
         streamExtraction: true,
     };
 }
-async function downloadAndExtract(codeqlURL, dest, authorization, headers, tarVersion, logger) {
+async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorization, headers, tarVersion, logger) {
     logger.info(`Downloading CodeQL tools from ${codeqlURL} . This may take a while.`);
-    const compressionMethod = tar.inferCompressionMethod(codeqlURL);
     try {
         if (compressionMethod === "zstd" && process.platform === "linux") {
             logger.info(`Streaming the extraction of the CodeQL bundle.`);

lib/tools-download.js.map

@@ -1 +1 @@
-{"version":3,"file":"tools-download.js","sourceRoot":"","sources":["../src/tools-download.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkFA,gDAmGC;AA8CD,sDAOC;AAED,4DAOC;AAnPD,uCAAyB;AAEzB,uCAAyB;AACzB,2CAA6B;AAC7B,2CAAyC;AAEzC,oDAAsC;AACtC,sDAAkD;AAClD,+DAAiD;AACjD,uDAAyC;AACzC,+CAAiC;AAEjC,uCAAmD;AACnD,2CAA6B;AAC7B,iCAA2E;AAE3E;;GAEG;AACU,QAAA,8BAA8B,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ;AAEvE;;GAEG;AACH,MAAM,mBAAmB,GAAG,QAAQ,CAAC;AAarC,SAAS,uCAAuC,CAC9C,kBAA0B,EAC1B,oBAA4B;IAE5B,OAAO;QACL,kBAAkB,EAAE,kBAAkB,GAAG,oBAAoB;QAC7D,kBAAkB;QAClB,oBAAoB;QACpB,gBAAgB,EAAE,KAAK;KACxB,CAAC;AACJ,CAAC;AAaD,SAAS,kCAAkC,CACzC,kBAA0B;IAE1B,OAAO;QACL,kBAAkB;QAClB,kBAAkB,EAAE,SAAS;QAC7B,oBAAoB,EAAE,SAAS;QAC/B,gBAAgB,EAAE,IAAI;KACvB,CAAC;AACJ,CAAC;AAaM,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,IAAY,EACZ,aAAiC,EACjC,OAA4B,EAC5B,UAAsC,EACtC,MAAc;IAEd,MAAM,CAAC,IAAI,CACT,iCAAiC,SAAS,2BAA2B,CACtE,CAAC;IAEF,MAAM,iBAAiB,GAAG,GAAG,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;IAEhE,IAAI,CAAC;QACH,IAAI,iBAAiB,KAAK,MAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAE9D,MAAM,iBAAiB,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;YAC5C,MAAM,mCAAmC,CACvC,SAAS,EACT,IAAI,EACJ,aAAa,EACb,OAAO,EACP,UAAW,EACX,MAAM,CACP,CAAC;YAEF,MAAM,kBAAkB,GAAG,IAAI,CAAC,KAAK,CACnC,wBAAW,CAAC,GAAG,EAAE,GAAG,iBAAiB,CACtC,CAAC;YACF,MAAM,CAAC,IAAI,CACT,wDAAwD,IAAI,KAAK,IAAA,wBAAc,EAC7E,kBAAkB,CACnB,IAAI,CACN,CAAC;YAEF,OAAO;gBACL,iBAAiB;gBACjB,QAAQ,EAAE,0BAA0B,CAAC,SAAS,CAAC;gBAC/C,GAAG,kCAAkC,CAAC,kBAAkB,CAAC;aAC1D,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,OAAO,CACV,4EAA4E,IAAA,sBAAe,EAAC,CAAC,CAAC,EAAE,CACjG,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,2DAA2D,CAAC,CAAC;QAE1E,gFAAgF;QAChF,uBAAuB;QACvB,MAAM,IAAA,kBAAW,EAAC,IAAI,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,kBAAkB,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;IAC7C,MAAM,kBAAkB,GAAG,MAAM,SAAS,CAAC,YAAY,CACrD,SAAS,EACT,SAAS,EACT,aAAa,EACb,OAAO,CACR,CAAC;IACF,MAAM,kBAAkB,GAAG,IAAI,CAAC,KAAK,CAAC,wBAAW,CAAC,GAAG,EAAE,GAAG,kBAAkB,CAAC,CAAC;IAE9E,MAAM,CAAC,IAAI,CACT,yCAAyC,kBAAkB,KAAK,IAAA,wBAAc,EAC5E,kBAAkB,CACnB,IAAI,CACN,CAAC;IAEF,IAAI,oBAA4B,CAAC;IAEjC,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACzC,MAAM,eAAe,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;QAC1C,MAAM,GAAG,CAAC,OAAO,CACf,kBAAkB,EAClB,IAAI,EACJ,iBAAiB,EACjB,UAAU,EACV,MAAM,CACP,CAAC;QACF,oBAAoB,GAAG,IAAI,CAAC,KAAK,CAAC,wBAAW,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC,CAAC;QACvE,MAAM,CAAC,IAAI,CACT,wCAAwC,IAAI,KAAK,IAAA,wBAAc,EAC7D,oBAAoB,CACrB,IAAI,CACN,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,IAAA,kBAAW,EAAC,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,CAAC,CAAC;IACzE,CAAC;IAED,OAAO;QACL,iBAAiB;QACjB,QAAQ,EAAE,0BAA0B,CAAC,SAAS,CAAC;QAC/C,GAAG,uCAAuC,CACxC,kBAAkB,EAClB,oBAAoB,CACrB;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,mCAAmC,CAChD,SAAiB,EACjB,IAAY,EACZ,aAAiC,EACjC,OAA4B,EAC5B,UAA0B,EAC1B,MAAc;IAEd,4BAA4B;IAC5B,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAExC,mDAAmD;IACnD,MAAM,KAAK,GAAG,IAAI,wBAAU,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEnD,8DAA8D;IAC9D,OAAO,GAAG,MAAM,CAAC,MAAM,CACrB,EAAE,YAAY,EAAE,eAAe,EAAE,EACjC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,EACtC,OAAO,CACR,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,IAAI,OAAO,CAAkB,CAAC,OAAO,EAAE,EAAE,CAC9D,wBAAK,CAAC,GAAG,CACP,SAAS,EACT;QACE,OAAO;QACP,uDAAuD;QACvD,aAAa,EAAE,sCAA8B;QAC7C,2CAA2C;QAC3C,KAAK;KACuB,EAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAClB,CACF,CAAC;IAEF,IAAI,QAAQ,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,yCAAyC,SAAS,uBAAuB,QAAQ,CAAC,UAAU,GAAG,CAChG,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;AAC9D,CAAC;AAED,8FAA8F;AAC9F,SAAgB,qBAAqB,CAAC,OAAe;IACnD,OAAO,IAAI,CAAC,IAAI,CACd,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,EACxC,mBAAmB,EACnB,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,OAAO,EAChC,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,CAChB,CAAC;AACJ,CAAC;AAED,SAAgB,wBAAwB,CACtC,aAAqB,EACrB,MAAc;IAEd,MAAM,cAAc,GAAG,GAAG,aAAa,WAAW,CAAC;IACnD,EAAE,CAAC,aAAa,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,0BAA0B,CAAC,GAAW;IAC7C,OAAO,CAAC,sBAAsB,EAAE,kCAAkC,CAAC,CAAC,IAAI,CACtE,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,sBAAsB,IAAI,qBAAqB,CAAC,CAC1E;QACC,CAAC,CAAC,GAAG;QACL,CAAC,CAAC,iBAAiB,CAAC;AACxB,CAAC"}
+{"version":3,"file":"tools-download.js","sourceRoot":"","sources":["../src/tools-download.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkFA,gDAkGC;AA8CD,sDAOC;AAED,4DAOC;AAlPD,uCAAyB;AAEzB,uCAAyB;AACzB,2CAA6B;AAC7B,2CAAyC;AAEzC,oDAAsC;AACtC,sDAAkD;AAClD,+DAAiD;AACjD,uDAAyC;AACzC,+CAAiC;AAEjC,uCAAmD;AACnD,2CAA6B;AAC7B,iCAA2E;AAE3E;;GAEG;AACU,QAAA,8BAA8B,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ;AAEvE;;GAEG;AACH,MAAM,mBAAmB,GAAG,QAAQ,CAAC;AAarC,SAAS,uCAAuC,CAC9C,kBAA0B,EAC1B,oBAA4B;IAE5B,OAAO;QACL,kBAAkB,EAAE,kBAAkB,GAAG,oBAAoB;QAC7D,kBAAkB;QAClB,oBAAoB;QACpB,gBAAgB,EAAE,KAAK;KACxB,CAAC;AACJ,CAAC;AAaD,SAAS,kCAAkC,CACzC,kBAA0B;IAE1B,OAAO;QACL,kBAAkB;QAClB,kBAAkB,EAAE,SAAS;QAC7B,oBAAoB,EAAE,SAAS;QAC/B,gBAAgB,EAAE,IAAI;KACvB,CAAC;AACJ,CAAC;AAaM,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,iBAAwC,EACxC,IAAY,EACZ,aAAiC,EACjC,OAA4B,EAC5B,UAAsC,EACtC,MAAc;IAEd,MAAM,CAAC,IAAI,CACT,iCAAiC,SAAS,2BAA2B,CACtE,CAAC;IAEF,IAAI,CAAC;QACH,IAAI,iBAAiB,KAAK,MAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAE9D,MAAM,iBAAiB,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;YAC5C,MAAM,mCAAmC,CACvC,SAAS,EACT,IAAI,EACJ,aAAa,EACb,OAAO,EACP,UAAW,EACX,MAAM,CACP,CAAC;YAEF,MAAM,kBAAkB,GAAG,IAAI,CAAC,KAAK,CACnC,wBAAW,CAAC,GAAG,EAAE,GAAG,iBAAiB,CACtC,CAAC;YACF,MAAM,CAAC,IAAI,CACT,wDAAwD,IAAI,KAAK,IAAA,wBAAc,EAC7E,kBAAkB,CACnB,IAAI,CACN,CAAC;YAEF,OAAO;gBACL,iBAAiB;gBACjB,QAAQ,EAAE,0BAA0B,CAAC,SAAS,CAAC;gBAC/C,GAAG,kCAAkC,CAAC,kBAAkB,CAAC;aAC1D,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,OAAO,CACV,4EAA4E,IAAA,sBAAe,EAAC,CAAC,CAAC,EAAE,CACjG,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,2DAA2D,CAAC,CAAC;QAE1E,gFAAgF;QAChF,uBAAuB;QACvB,MAAM,IAAA,kBAAW,EAAC,IAAI,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,kBAAkB,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;IAC7C,MAAM,kBAAkB,GAAG,MAAM,SAAS,CAAC,YAAY,CACrD,SAAS,EACT,SAAS,EACT,aAAa,EACb,OAAO,CACR,CAAC;IACF,MAAM,kBAAkB,GAAG,IAAI,CAAC,KAAK,CAAC,wBAAW,CAAC,GAAG,EAAE,GAAG,kBAAkB,CAAC,CAAC;IAE9E,MAAM,CAAC,IAAI,CACT,yCAAyC,kBAAkB,KAAK,IAAA,wBAAc,EAC5E,kBAAkB,CACnB,IAAI,CACN,CAAC;IAEF,IAAI,oBAA4B,CAAC;IAEjC,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QACzC,MAAM,eAAe,GAAG,wBAAW,CAAC,GAAG,EAAE,CAAC;QAC1C,MAAM,GAAG,CAAC,OAAO,CACf,kBAAkB,EAClB,IAAI,EACJ,iBAAiB,EACjB,UAAU,EACV,MAAM,CACP,CAAC;QACF,oBAAoB,GAAG,IAAI,CAAC,KAAK,CAAC,wBAAW,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC,CAAC;QACvE,MAAM,CAAC,IAAI,CACT,wCAAwC,IAAI,KAAK,IAAA,wBAAc,EAC7D,oBAAoB,CACrB,IAAI,CACN,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,IAAA,kBAAW,EAAC,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,CAAC,CAAC;IACzE,CAAC;IAED,OAAO;QACL,iBAAiB;QACjB,QAAQ,EAAE,0BAA0B,CAAC,SAAS,CAAC;QAC/C,GAAG,uCAAuC,CACxC,kBAAkB,EAClB,oBAAoB,CACrB;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,mCAAmC,CAChD,SAAiB,EACjB,IAAY,EACZ,aAAiC,EACjC,OAA4B,EAC5B,UAA0B,EAC1B,MAAc;IAEd,4BAA4B;IAC5B,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAExC,mDAAmD;IACnD,MAAM,KAAK,GAAG,IAAI,wBAAU,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEnD,8DAA8D;IAC9D,OAAO,GAAG,MAAM,CAAC,MAAM,CACrB,EAAE,YAAY,EAAE,eAAe,EAAE,EACjC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,EACtC,OAAO,CACR,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,IAAI,OAAO,CAAkB,CAAC,OAAO,EAAE,EAAE,CAC9D,wBAAK,CAAC,GAAG,CACP,SAAS,EACT;QACE,OAAO;QACP,uDAAuD;QACvD,aAAa,EAAE,sCAA8B;QAC7C,2CAA2C;QAC3C,KAAK;KACuB,EAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAClB,CACF,CAAC;IAEF,IAAI,QAAQ,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,yCAAyC,SAAS,uBAAuB,QAAQ,CAAC,UAAU,GAAG,CAChG,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;AAC9D,CAAC;AAED,8FAA8F;AAC9F,SAAgB,qBAAqB,CAAC,OAAe;IACnD,OAAO,IAAI,CAAC,IAAI,CACd,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,EACxC,mBAAmB,EACnB,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,OAAO,EAChC,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,CAChB,CAAC;AACJ,CAAC;AAED,SAAgB,wBAAwB,CACtC,aAAqB,EACrB,MAAc;IAEd,MAAM,cAAc,GAAG,GAAG,aAAa,WAAW,CAAC;IACnD,EAAE,CAAC,aAAa,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,0BAA0B,CAAC,GAAW;IAC7C,OAAO,CAAC,sBAAsB,EAAE,kCAAkC,CAAC,CAAC,IAAI,CACtE,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,sBAAsB,IAAI,qBAAqB,CAAC,CAC1E;QACC,CAAC,CAAC,GAAG;QACL,CAAC,CAAC,iBAAiB,CAAC;AACxB,CAAC"}

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.28.2",
+  "version": "3.28.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
@@ -7568,9 +7568,10 @@
       }
     },
     "node_modules/undici": {
-      "version": "5.28.4",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.4.tgz",
-      "integrity": "sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==",
+      "version": "5.28.5",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
+      "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
+      "license": "MIT",
       "dependencies": {
         "@fastify/busboy": "^2.0.0"
       },

node_modules/undici/lib/fetch/body.js

@@ -22,6 +22,14 @@ const { isUint8Array, isArrayBuffer } = require('util/types')
 const { File: UndiciFile } = require('./file')
 const { parseMIMEType, serializeAMimeType } = require('./dataURL')
 
+let random
+try {
+  const crypto = require('node:crypto')
+  random = (max) => crypto.randomInt(0, max)
+} catch {
+  random = (max) => Math.floor(Math.random(max))
+}
+
 let ReadableStream = globalThis.ReadableStream
 
 /** @type {globalThis['File']} */
@@ -107,7 +115,7 @@ function extractBody (object, keepalive = false) {
     // Set source to a copy of the bytes held by object.
     source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength))
   } else if (util.isFormDataLike(object)) {
-    const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}`
+    const boundary = `----formdata-undici-0${`${random(1e11)}`.padStart(11, '0')}`
     const prefix = `--${boundary}\r\nContent-Disposition: form-data`
 
     /*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */

node_modules/undici/package.json

@@ -1,6 +1,6 @@
 {
   "name": "undici",
-  "version": "5.28.4",
+  "version": "5.28.5",
   "description": "An HTTP/1.1 client, written from scratch for Node.js",
   "homepage": "https://undici.nodejs.org",
   "bugs": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "3.28.2",
+  "version": "3.28.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "3.28.2",
+      "version": "3.28.5",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^2.1.9",
@@ -7636,9 +7636,10 @@
       }
     },
     "node_modules/undici": {
-      "version": "5.28.4",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.4.tgz",
-      "integrity": "sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==",
+      "version": "5.28.5",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
+      "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
+      "license": "MIT",
       "dependencies": {
         "@fastify/busboy": "^2.0.0"
       },

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.28.2",
+  "version": "3.28.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

src/debug-artifacts.ts

@@ -242,6 +242,9 @@ export async function uploadDebugArtifacts(
   if (toUpload.length === 0) {
     return;
   }
+  logger.info("Uploading debug artifacts is temporarily disabled");
+  return;
+
   let suffix = "";
   const matrix = getRequiredInput("matrix");
   if (matrix) {

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.20.1",
-  "cliVersion": "2.20.1",
-  "priorBundleVersion": "codeql-bundle-v2.20.0",
-  "priorCliVersion": "2.20.0"
+  "bundleVersion": "codeql-bundle-v2.20.2",
+  "cliVersion": "2.20.2",
+  "priorBundleVersion": "codeql-bundle-v2.20.1",
+  "priorCliVersion": "2.20.1"
 }

src/setup-codeql.ts

@@ -39,12 +39,21 @@ export const CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
 
 const CODEQL_BUNDLE_VERSION_ALIAS: string[] = ["linked", "latest"];
 
-function getCodeQLBundleExtension(useZstd: boolean): string {
-  return useZstd ? ".tar.zst" : ".tar.gz";
+function getCodeQLBundleExtension(
+  compressionMethod: tar.CompressionMethod,
+): string {
+  switch (compressionMethod) {
+    case "gzip":
+      return ".tar.gz";
+    case "zstd":
+      return ".tar.zst";
+    default:
+      util.assertNever(compressionMethod);
+  }
 }
 
-function getCodeQLBundleName(useZstd: boolean): string {
-  const extension = getCodeQLBundleExtension(useZstd);
+function getCodeQLBundleName(compressionMethod: tar.CompressionMethod): string {
+  const extension = getCodeQLBundleExtension(compressionMethod);
 
   let platform: string;
   if (process.platform === "win32") {
@@ -76,7 +85,7 @@ export function getCodeQLActionRepository(logger: Logger): string {
 async function getCodeQLBundleDownloadURL(
   tagName: string,
   apiDetails: api.GitHubApiDetails,
-  useZstd: boolean,
+  compressionMethod: tar.CompressionMethod,
   logger: Logger,
 ): Promise<string> {
   const codeQLActionRepository = getCodeQLActionRepository(logger);
@@ -95,7 +104,7 @@ async function getCodeQLBundleDownloadURL(
       return !self.slice(0, index).some((other) => deepEqual(source, other));
     },
   );
-  const codeQLBundleName = getCodeQLBundleName(useZstd);
+  const codeQLBundleName = getCodeQLBundleName(compressionMethod);
   for (const downloadSource of uniqueDownloadSources) {
     const [apiURL, repository] = downloadSource;
     // If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
@@ -115,14 +124,14 @@ async function getCodeQLBundleDownloadURL(
       for (const asset of release.data.assets) {
         if (asset.name === codeQLBundleName) {
           logger.info(
-            `Found CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} with URL ${asset.url}.`,
+            `Found CodeQL bundle ${codeQLBundleName} in ${repository} on ${apiURL} with URL ${asset.url}.`,
           );
           return asset.url;
         }
       }
     } catch (e) {
       logger.info(
-        `Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`,
+        `Looked for CodeQL bundle ${codeQLBundleName} in ${repository} on ${apiURL} but got error ${e}.`,
       );
     }
   }
@@ -198,6 +207,7 @@ export function convertToSemVer(version: string, logger: Logger): string {
 type CodeQLToolsSource =
   | {
       codeqlTarPath: string;
+      compressionMethod: tar.CompressionMethod;
       sourceType: "local";
       /** Human-readable description of the source of the tools for telemetry purposes. */
       toolsVersion: "local";
@@ -213,6 +223,7 @@ type CodeQLToolsSource =
       bundleVersion?: string;
       /** CLI version of the tools, if known. */
       cliVersion?: string;
+      compressionMethod: tar.CompressionMethod;
       codeqlURL: string;
       sourceType: "download";
       /** Human-readable description of the source of the tools for telemetry purposes. */
@@ -272,8 +283,16 @@ export async function getCodeQLSource(
     !toolsInput.startsWith("http")
   ) {
     logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
+    const compressionMethod = tar.inferCompressionMethod(toolsInput);
+    if (compressionMethod === undefined) {
+      throw new util.ConfigurationError(
+        `Could not infer compression method from path ${toolsInput}. Please specify a path ` +
+          "ending in '.tar.gz' or '.tar.zst'.",
+      );
+    }
     return {
       codeqlTarPath: toolsInput,
+      compressionMethod,
       sourceType: "local",
       toolsVersion: "local",
     };
@@ -455,14 +474,30 @@ export async function getCodeQLSource(
     }
   }
 
+  let compressionMethod: tar.CompressionMethod;
+
   if (!url) {
+    compressionMethod =
+      cliVersion !== undefined &&
+      (await useZstdBundle(cliVersion, tarSupportsZstd))
+        ? "zstd"
+        : "gzip";
+
     url = await getCodeQLBundleDownloadURL(
       tagName!,
       apiDetails,
-      cliVersion !== undefined &&
-        (await useZstdBundle(cliVersion, tarSupportsZstd)),
+      compressionMethod,
       logger,
     );
+  } else {
+    const method = tar.inferCompressionMethod(url);
+    if (method === undefined) {
+      throw new util.ConfigurationError(
+        `Could not infer compression method from URL ${url}. Please specify a URL ` +
+          "ending in '.tar.gz' or '.tar.zst'.",
+      );
+    }
+    compressionMethod = method;
   }
 
   if (cliVersion) {
@@ -474,6 +509,7 @@ export async function getCodeQLSource(
     bundleVersion: tagName && tryGetBundleVersionFromTagName(tagName, logger),
     cliVersion,
     codeqlURL: url,
+    compressionMethod,
     sourceType: "download",
     toolsVersion: cliVersion ?? humanReadableVersion,
   };
@@ -504,6 +540,7 @@ export async function tryGetFallbackToolcacheVersion(
 // be able to stub this function and have other functions in this file use that stub.
 export const downloadCodeQL = async function (
   codeqlURL: string,
+  compressionMethod: tar.CompressionMethod,
   maybeBundleVersion: string | undefined,
   maybeCliVersion: string | undefined,
   apiDetails: api.GitHubApiDetails,
@@ -552,6 +589,7 @@ export const downloadCodeQL = async function (
 
   let statusReport = await downloadAndExtract(
     codeqlURL,
+    compressionMethod,
     extractedBundlePath,
     authorization,
     { "User-Agent": "CodeQL Action", ...headers },
@@ -714,13 +752,10 @@ export async function setupCodeQLBundle(
   let toolsSource: ToolsSource;
   switch (source.sourceType) {
     case "local": {
-      const compressionMethod = tar.inferCompressionMethod(
-        source.codeqlTarPath,
-      );
       codeqlFolder = await tar.extract(
         source.codeqlTarPath,
         getTempExtractionDir(tempDir),
-        compressionMethod,
+        source.compressionMethod,
         zstdAvailability.version,
         logger,
       );
@@ -735,6 +770,7 @@ export async function setupCodeQLBundle(
     case "download": {
       const result = await downloadCodeQL(
         source.codeqlURL,
+        source.compressionMethod,
         source.bundleVersion,
         source.cliVersion,
         apiDetails,

src/tar.ts

@@ -5,6 +5,7 @@ import * as stream from "stream";
 import { ToolRunner } from "@actions/exec/lib/toolrunner";
 import * as io from "@actions/io";
 import * as toolcache from "@actions/tool-cache";
+import * as semver from "semver";
 
 import { CommandInvocationError } from "./actions-util";
 import { Logger } from "./logging";
@@ -68,13 +69,23 @@ export async function isZstdAvailable(
     switch (type) {
       case "gnu":
         return {
-          available: foundZstdBinary && version >= MIN_REQUIRED_GNU_TAR_VERSION,
+          available:
+            foundZstdBinary &&
+            // GNU tar only uses major and minor version numbers
+            semver.gte(
+              semver.coerce(version)!,
+              semver.coerce(MIN_REQUIRED_GNU_TAR_VERSION)!,
+            ),
           foundZstdBinary,
           version: tarVersion,
         };
       case "bsd":
         return {
-          available: foundZstdBinary && version >= MIN_REQUIRED_BSD_TAR_VERSION,
+          available:
+            foundZstdBinary &&
+            // Do a loose comparison since these version numbers don't contain
+            // a patch version number.
+            semver.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
           foundZstdBinary,
           version: tarVersion,
         };
@@ -202,9 +213,18 @@ export async function extractTarZst(
   }
 }
 
-export function inferCompressionMethod(tarPath: string): CompressionMethod {
-  if (tarPath.endsWith(".tar.gz")) {
-    return "gzip";
+const KNOWN_EXTENSIONS: Record<string, CompressionMethod> = {
+  "tar.gz": "gzip",
+  "tar.zst": "zstd",
+};
+
+export function inferCompressionMethod(
+  tarPath: string,
+): CompressionMethod | undefined {
+  for (const [ext, method] of Object.entries(KNOWN_EXTENSIONS)) {
+    if (tarPath.endsWith(`.${ext}`)) {
+      return method;
+    }
   }
-  return "zstd";
+  return undefined;
 }

src/tools-download.ts

@@ -82,6 +82,7 @@ export type ToolsDownloadStatusReport = {
 
 export async function downloadAndExtract(
   codeqlURL: string,
+  compressionMethod: tar.CompressionMethod,
   dest: string,
   authorization: string | undefined,
   headers: OutgoingHttpHeaders,
@@ -92,8 +93,6 @@ export async function downloadAndExtract(
     `Downloading CodeQL tools from ${codeqlURL} . This may take a while.`,
   );
 
-  const compressionMethod = tar.inferCompressionMethod(codeqlURL);
-
   try {
     if (compressionMethod === "zstd" && process.platform === "linux") {
       logger.info(`Streaming the extraction of the CodeQL bundle.`);