Merge pull request #2751 from github/henrymercer/fix-init-post-without-config

Send `init-post` status report in absence of config

.github/codeql/codeql-actions-config.yml

@@ -0,0 +1,4 @@
+# Configuration for the CodeQL Actions Queries
+name: "CodeQL Actions Queries config"
+queries:
+  - uses: security-and-quality

.github/workflows/__all-platform-bundle.yml

@@ -32,7 +32,7 @@ jobs:
     name: All-platform bundle
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__analyze-ref-input.yml

@@ -36,7 +36,7 @@ jobs:
     name: "Analyze: 'ref' and 'sha' from inputs"
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__autobuild-action.yml

@@ -36,7 +36,7 @@ jobs:
     name: autobuild-action
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -38,7 +38,7 @@ jobs:
     name: Autobuild direct tracing (custom working directory)
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__autobuild-direct-tracing.yml

@@ -38,7 +38,7 @@ jobs:
     name: Autobuild direct tracing
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__build-mode-autobuild.yml

@@ -32,7 +32,7 @@ jobs:
     name: Build mode autobuild
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__build-mode-manual.yml

@@ -32,7 +32,7 @@ jobs:
     name: Build mode manual
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__build-mode-none.yml

@@ -34,7 +34,7 @@ jobs:
     name: Build mode none
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__build-mode-rollback.yml

@@ -32,7 +32,7 @@ jobs:
     name: Build mode rollback
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -32,7 +32,7 @@ jobs:
     name: Clean up database cluster directory
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__config-export.yml

@@ -42,7 +42,7 @@ jobs:
     name: Config export
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__config-input.yml

@@ -32,7 +32,7 @@ jobs:
     name: Config input
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__cpp-deptrace-disabled.yml

@@ -36,7 +36,7 @@ jobs:
     name: 'C/C++: disabling autoinstalling dependencies (Linux)'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__cpp-deptrace-enabled-on-macos.yml

@@ -32,7 +32,7 @@ jobs:
     name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__cpp-deptrace-enabled.yml

@@ -36,7 +36,7 @@ jobs:
     name: 'C/C++: autoinstalling dependencies (Linux)'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__diagnostics-export.yml

@@ -42,7 +42,7 @@ jobs:
     name: Diagnostic export
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__export-file-baseline-information.yml

@@ -36,7 +36,7 @@ jobs:
     name: Export file baseline information
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__extract-direct-to-toolcache.yml

@@ -36,7 +36,7 @@ jobs:
     name: Extract directly to toolcache
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__extractor-ram-threads.yml

@@ -32,7 +32,7 @@ jobs:
     name: Extractor ram and threads options test
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__go-custom-queries.yml

@@ -34,7 +34,7 @@ jobs:
     name: 'Go: Custom queries'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -32,7 +32,7 @@ jobs:
     name: 'Go: diagnostic when Go is changed after init step'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml

@@ -32,7 +32,7 @@ jobs:
     name: 'Go: diagnostic when `file` is not installed'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -32,7 +32,7 @@ jobs:
     name: 'Go: workaround for indirect tracing'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__go-tracing-autobuilder.yml

@@ -62,7 +62,7 @@ jobs:
     name: 'Go: tracing with autobuilder step'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -62,7 +62,7 @@ jobs:
     name: 'Go: tracing with custom build steps'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -62,7 +62,7 @@ jobs:
     name: 'Go: tracing with legacy workflow'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__javascript-source-root.yml

@@ -36,7 +36,7 @@ jobs:
     name: Custom source root
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__job-run-uuid-sarif.yml

@@ -32,7 +32,7 @@ jobs:
     name: Job run UUID added to SARIF
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__language-aliases.yml

@@ -32,7 +32,7 @@ jobs:
     name: Language aliases
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__multi-language-autodetect.yml

@@ -62,7 +62,7 @@ jobs:
     name: Multi-language repository
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -48,7 +48,7 @@ jobs:
     name: 'Packaging: Config and input passed to the CLI'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__packaging-config-inputs-js.yml

@@ -48,7 +48,7 @@ jobs:
     name: 'Packaging: Config and input'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__packaging-config-js.yml

@@ -48,7 +48,7 @@ jobs:
     name: 'Packaging: Config file'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__packaging-inputs-js.yml

@@ -48,7 +48,7 @@ jobs:
     name: 'Packaging: Action input'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__remote-config.yml

@@ -34,7 +34,7 @@ jobs:
     name: Remote config file
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__resolve-environment-action.yml

@@ -48,7 +48,7 @@ jobs:
     name: Resolve environment
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__rubocop-multi-language.yml

@@ -32,7 +32,7 @@ jobs:
     name: RuboCop multi-language
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:
@@ -46,7 +46,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/__ruby.yml

@@ -42,7 +42,7 @@ jobs:
     name: Ruby analysis
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__split-workflow.yml

@@ -42,7 +42,7 @@ jobs:
     name: Split workflow
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__start-proxy.yml

@@ -36,7 +36,7 @@ jobs:
     name: Start proxy
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__submit-sarif-failure.yml

@@ -36,7 +36,8 @@ jobs:
     name: Submit SARIF after failure
     permissions:
       contents: read
-      security-events: write
+      security-events: write # needed to upload the SARIF file
+
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__swift-autobuild.yml

@@ -32,7 +32,7 @@ jobs:
     name: Swift analysis using autobuild
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__swift-custom-build.yml

@@ -36,7 +36,7 @@ jobs:
     name: Swift analysis using a custom build command
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__test-autobuild-working-dir.yml

@@ -32,7 +32,7 @@ jobs:
     name: Autobuild working directory
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__test-local-codeql.yml

@@ -32,7 +32,7 @@ jobs:
     name: Local CodeQL bundle
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__test-proxy.yml

@@ -34,7 +34,7 @@ jobs:
     name: Proxy test
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__unset-environment.yml

@@ -34,7 +34,7 @@ jobs:
     name: Test unsetting environment variables
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__upload-ref-sha-input.yml

@@ -36,7 +36,7 @@ jobs:
     name: "Upload-sarif: 'ref' and 'sha' from inputs"
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__with-checkout-path.yml

@@ -36,7 +36,7 @@ jobs:
     name: Use a custom `checkout_path`
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__zstd-bundle-streaming.yml

@@ -34,7 +34,7 @@ jobs:
     name: Zstandard bundle (streaming)
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/__zstd-bundle.yml

@@ -36,7 +36,7 @@ jobs:
     name: Zstandard bundle
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/check-expected-release-files.yml

@@ -13,6 +13,9 @@ jobs:
   check-expected-release-files:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout CodeQL Action
         uses: actions/checkout@v4

.github/workflows/codeql.yml

@@ -24,7 +24,7 @@ jobs:
       versions: ${{ steps.compare.outputs.versions }}
 
     permissions:
-      security-events: write
+      contents: read
 
     steps:
     - uses: actions/checkout@v4
@@ -70,7 +70,7 @@ jobs:
         echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
         echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT
 
-  build:
+  analyze-javascript:
     needs: [check-codeql-versions]
     strategy:
       fail-fast: false
@@ -80,6 +80,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     permissions:
+      contents: read
       security-events: write
 
     steps:
@@ -99,3 +100,27 @@ jobs:
       uses: ./analyze
       with:
         category: "/language:javascript"
+
+
+  analyze-actions:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Initialize CodeQL
+      uses: ./init
+      with:
+        languages: actions
+        config-file: ./.github/codeql/codeql-actions-config.yml
+    - name: Perform CodeQL Analysis
+      uses: ./analyze
+      with:
+        category: "/language:actions"

.github/workflows/codescanning-config-cli.yml

@@ -23,6 +23,11 @@ jobs:
   code-scanning-config-tests:
     continue-on-error: true
 
+    permissions:
+      contents: read
+      packages: read
+      security-events: read
+
     strategy:
       fail-fast: false
       matrix:

.github/workflows/debug-artifacts-failure-safe.yml

@@ -19,10 +19,20 @@ on:
   workflow_dispatch: {}
 jobs:
   upload-artifacts:
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+        - stable-v2.20.3
+        - default
+        - linked
+        - nightly-latest
     name: Upload debug artifacts after failure in analyze
     continue-on-error: true
     env:
       CODEQL_ACTION_TEST_MODE: true
+    permissions:
+      contents: read
     timeout-minutes: 45
     runs-on: ubuntu-latest
     steps:
@@ -34,7 +44,7 @@ jobs:
         id: prepare-test
         uses: ./.github/actions/prepare-test
         with:
-          version: linked
+          version: ${{ matrix.version }}
       - uses: actions/setup-go@v5
         with:
           go-version: ^1.13.1
@@ -58,6 +68,8 @@ jobs:
     name: Download and check debug artifacts after failure in analyze
     needs: upload-artifacts
     timeout-minutes: 45
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
@@ -66,22 +78,25 @@ jobs:
         shell: bash
         run: |
           LANGUAGES="cpp csharp go java javascript python"
-          cd "./my-debug-artifacts"
-          echo "Artifacts from run:"
-          for language in $LANGUAGES; do
-            echo "- Checking $language"
-            if [[ ! -f "my-db-$language-partial.zip" ]] ; then
-              echo "Missing a partial database bundle for $language"
-              exit 1
-            fi
-            if [[ ! -d "log" ]] ; then
-              echo "Missing database initialization logs"
-              exit 1
-            fi
-            if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
-              echo "Missing logs for $language"
-              exit 1
-            fi
+          for version in $VERSIONS; do
+            echo "Artifacts from version $version:"
+            pushd "./my-debug-artifacts-${version//./}"
+            for language in $LANGUAGES; do
+              echo "- Checking $language"
+              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
+                echo "Missing a partial database bundle for $language"
+                exit 1
+              fi
+              if [[ ! -d "log" ]] ; then
+                echo "Missing database initialization logs"
+                exit 1
+              fi
+              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
+                echo "Missing logs for $language"
+                exit 1
+              fi
+            done
+            popd
           done
         env:
           GO111MODULE: auto

.github/workflows/debug-artifacts-safe.yml

@@ -22,11 +22,7 @@ jobs:
       fail-fast: false
       matrix:
         version:
-        - stable-v2.15.5
-        - stable-v2.16.6
-        - stable-v2.17.6
-        - stable-v2.18.4
-        - stable-v2.19.4
+        - stable-v2.20.3
         - default
         - linked
         - nightly-latest
@@ -34,6 +30,8 @@ jobs:
     env:
       CODEQL_ACTION_TEST_MODE: true
     timeout-minutes: 45
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
@@ -64,6 +62,8 @@ jobs:
     name: Download and check debug artifacts
     needs: upload-artifacts
     timeout-minutes: 45
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Download all artifacts
@@ -71,7 +71,7 @@ jobs:
       - name: Check expected artifacts exist
         shell: bash
         run: |
-          VERSIONS="stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 stable-v2.19.4 default linked nightly-latest"
+          VERSIONS="stable-v2.20.3 default linked nightly-latest"
           LANGUAGES="cpp csharp go java javascript python"
           for version in $VERSIONS; do
             pushd "./my-debug-artifacts-${version//./}"

.github/workflows/expected-queries-runs.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     steps:
     - name: Check out repository
       uses: actions/checkout@v4

.github/workflows/post-release-mergeback.yml

@@ -27,6 +27,10 @@ jobs:
       BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
       HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
 
+    permissions:
+      contents: write # needed to create tags and push commits
+      pull-requests: write
+
     steps:
       - name: Dump environment
         run: env
@@ -164,7 +168,7 @@ jobs:
             --draft
 
       - name: Generate token
-        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
+        uses: actions/create-github-app-token@136412a57a7081aa63c935a2cc2918f76c34f514
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/pr-checks.yml

@@ -15,7 +15,7 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
-      security-events: write
+      security-events: write # needed to upload ESLint results
 
     strategy:
       fail-fast: false
@@ -40,6 +40,8 @@ jobs:
   check-node-modules:
     if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Check modules up to date
+    permissions:
+      contents: read
     runs-on: macos-latest
     timeout-minutes: 45
 
@@ -51,6 +53,8 @@ jobs:
   check-file-contents:
     if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
     name: Check file contents
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 45
 
@@ -81,6 +85,8 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
 
@@ -101,6 +107,9 @@ jobs:
     env:
       BASE_REF: ${{ github.base_ref }}
 
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@v4
       - id: head-version

.github/workflows/python312-windows.yml

@@ -17,6 +17,8 @@ jobs:
     env:
       CODEQL_ACTION_TEST_MODE: true
     timeout-minutes: 45
+    permissions:
+      contents: read
     runs-on: windows-latest
 
     steps:

.github/workflows/query-filters.yml

@@ -20,6 +20,8 @@ jobs:
     name: Query Filters Tests
     timeout-minutes: 45
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository.
     steps:
     - name: Check out repository
       uses: actions/checkout@v4

.github/workflows/rebuild.yml

@@ -11,6 +11,9 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.label.name == 'Rebuild'
 
+    permissions:
+      contents: write # needed to push rebuilt commit
+      pull-requests: write # needed to comment on the PR
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/test-codeql-bundle-all.yml

@@ -27,7 +27,7 @@ jobs:
     name: 'CodeQL Bundle All'
     permissions:
       contents: read
-      security-events: write
+      security-events: read
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/update-bundle.yml

@@ -17,6 +17,9 @@ jobs:
   update-bundle:
     if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull requests
     steps:
       - name: Dump environment
         run: env

.github/workflows/update-dependencies.yml

@@ -9,6 +9,9 @@ jobs:
     timeout-minutes: 45
     runs-on: macos-latest
     if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
+    permissions:
+      contents: write # needed to push the updated dependencies
+      pull-requests: write # needed to comment on the PR
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4

.github/workflows/update-release-branch.yml

@@ -22,6 +22,8 @@ jobs:
       latest_tag: ${{ steps.versions.outputs.latest_tag }}
       backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
       backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v4
       with:
@@ -63,6 +65,9 @@ jobs:
       REPOSITORY: "${{ github.repository }}"
       MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
       LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull request
     steps:
     - uses: actions/checkout@v4
       with:
@@ -114,9 +119,12 @@ jobs:
     env:
       SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
       TARGET_BRANCH: ${{ matrix.target_branch }}
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
+      uses: actions/create-github-app-token@136412a57a7081aa63c935a2cc2918f76c34f514
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -10,20 +10,23 @@ jobs:
     name: Update Supported Enterprise Server Versions
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    if: ${{ github.repository == 'github/codeql-action' }}
+    if: github.repository == 'github/codeql-action'
+    permissions:
+      contents: write # needed to push commits
+      pull-requests: write # needed to create pull request
 
     steps:
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.7"
+          python-version: "3.13"
       - name: Checkout CodeQL Action
         uses: actions/checkout@v4
       - name: Checkout Enterprise Releases
         uses: actions/checkout@v4
         with:
           repository: github/enterprise-releases
-          ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
+          token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }}
           path: ${{ github.workspace }}/enterprise-releases/
       - name: Update Supported Enterprise Server Versions
         run: |

CHANGELOG.md

@@ -6,6 +6,22 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 No user facing changes.
 
+## 3.28.8 - 29 Jan 2025
+
+- Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. [#2744](https://github.com/github/codeql-action/pull/2744)
+
+## 3.28.7 - 29 Jan 2025
+
+No user facing changes.
+
+## 3.28.6 - 27 Jan 2025
+
+- Re-enable debug artifact upload for CLI versions 2.20.3 or greater. [#2726](https://github.com/github/codeql-action/pull/2726)
+
+## 3.28.5 - 24 Jan 2025
+
+- Update default CodeQL bundle version to 2.20.3. [#2717](https://github.com/github/codeql-action/pull/2717)
+
 ## 3.28.4 - 23 Jan 2025
 
 No user facing changes.

lib/analyze-action-post.js

@@ -41,6 +41,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
+const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const debugArtifacts = __importStar(require("./debug-artifacts"));
 const environment_1 = require("./environment");
@@ -57,7 +58,9 @@ async function runWrapper() {
         if (process.env[environment_1.EnvVar.INIT_ACTION_HAS_RUN] === "true") {
             const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
             if (config !== undefined) {
-                await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type));
+                const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+                const version = await codeql.getVersion();
+                await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type, version.version));
             }
         }
     }

lib/analyze-action-post.js.map

@@ -1 +1 @@
-{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,CAC1B,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,qCAAqC;AACrC,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC1C,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,EACzB,OAAO,CAAC,OAAO,CAChB,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/analyze-action.js

@@ -160,6 +160,14 @@ async function run() {
     let dbCreationTimings = undefined;
     let didUploadTrapCaches = false;
     util.initializeEnvironment(actionsUtil.getActionVersion());
+    // Unset the CODEQL_PROXY_* environment variables, as they are not needed
+    // and can cause issues with the CodeQL CLI
+    // Check for CODEQL_PROXY_HOST: and if it is empty but set, unset it
+    if (process.env.CODEQL_PROXY_HOST === "") {
+        delete process.env.CODEQL_PROXY_HOST;
+        delete process.env.CODEQL_PROXY_PORT;
+        delete process.env.CODEQL_PROXY_CA_CERTIFICATE;
+    }
     // Make inputs accessible in the `post` step, details at
     // https://github.com/github/codeql-action/issues/2553
     actionsUtil.persistInputs();

lib/debug-artifacts.js

@@ -53,6 +53,7 @@ const analyze_1 = require("./analyze");
 const codeql_1 = require("./codeql");
 const environment_1 = require("./environment");
 const logging_1 = require("./logging");
+const tools_features_1 = require("./tools-features");
 const util_1 = require("./util");
 function sanitizeArtifactName(name) {
     return name.replace(/[^a-zA-Z0-9_\\-]+/g, "");
@@ -61,7 +62,7 @@ function sanitizeArtifactName(name) {
  * Upload Actions SARIF artifacts for debugging when CODEQL_ACTION_DEBUG_COMBINED_SARIF
  * environment variable is set
  */
-async function uploadCombinedSarifArtifacts(logger, gitHubVariant) {
+async function uploadCombinedSarifArtifacts(logger, gitHubVariant, codeQlVersion) {
     const tempDir = (0, actions_util_1.getTemporaryDirectory)();
     // Upload Actions SARIF artifacts for debugging when environment variable is set
     if (process.env["CODEQL_ACTION_DEBUG_COMBINED_SARIF"] === "true") {
@@ -80,7 +81,7 @@ async function uploadCombinedSarifArtifacts(logger, gitHubVariant) {
             }
         }
         try {
-            await uploadDebugArtifacts(logger, toUpload, baseTempDir, "combined-sarif-artifacts", gitHubVariant);
+            await uploadDebugArtifacts(logger, toUpload, baseTempDir, "combined-sarif-artifacts", gitHubVariant, codeQlVersion);
         }
         catch (e) {
             logger.warning(`Failed to upload combined SARIF files as Actions debugging artifact. Reason: ${(0, util_1.getErrorMessage)(e)}`);
@@ -140,7 +141,7 @@ async function tryBundleDatabase(config, language, logger) {
  *
  * Logs and suppresses any errors that occur.
  */
-async function tryUploadAllAvailableDebugArtifacts(config, logger) {
+async function tryUploadAllAvailableDebugArtifacts(config, logger, codeQlVersion) {
     const filesToUpload = [];
     try {
         for (const language of config.languages) {
@@ -180,20 +181,23 @@ async function tryUploadAllAvailableDebugArtifacts(config, logger) {
         return;
     }
     try {
-        await (0, logging_1.withGroup)("Uploading debug artifacts", async () => uploadDebugArtifacts(logger, filesToUpload, config.dbLocation, config.debugArtifactName, config.gitHubVersion.type));
+        await (0, logging_1.withGroup)("Uploading debug artifacts", async () => uploadDebugArtifacts(logger, filesToUpload, config.dbLocation, config.debugArtifactName, config.gitHubVersion.type, codeQlVersion));
     }
     catch (e) {
         logger.warning(`Failed to upload debug artifacts. Reason: ${(0, util_1.getErrorMessage)(e)}`);
     }
 }
-async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghVariant) {
+async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghVariant, codeQlVersion) {
     if (toUpload.length === 0) {
-        return;
+        return "no-artifacts-to-upload";
+    }
+    const uploadSupported = (0, tools_features_1.isSafeArtifactUpload)(codeQlVersion);
+    if (!uploadSupported) {
+        core.info(`Skipping debug artifact upload because the current CLI does not support safe upload. Please upgrade to CLI v${tools_features_1.SafeArtifactUploadVersion} or later.`);
+        return "upload-not-supported";
     }
-    logger.info("Uploading debug artifacts is temporarily disabled");
-    return;
     let suffix = "";
-    const matrix = (0, actions_util_1.getRequiredInput)("matrix");
+    const matrix = (0, actions_util_1.getOptionalInput)("matrix");
     if (matrix) {
         try {
             for (const [, matrixVal] of Object.entries(JSON.parse(matrix)).sort())
@@ -209,10 +213,12 @@ async function uploadDebugArtifacts(logger, toUpload, rootDir, artifactName, ghV
             // ensure we don't keep the debug artifacts around for too long since they can be large.
             retentionDays: 7,
         });
+        return "upload-successful";
     }
     catch (e) {
         // A failure to upload debug artifacts should not fail the entire action.
         core.warning(`Failed to upload debug artifacts: ${e}`);
+        return "upload-failed";
     }
 }
 // `@actions/artifact@v2` is not yet supported on GHES so the legacy version of the client will be used on GHES

lib/debug-artifacts.test.js

@@ -46,9 +46,47 @@ const util_1 = require("./util");
     t.deepEqual(debugArtifacts.sanitizeArtifactName("hello===123"), "hello123");
     t.deepEqual(debugArtifacts.sanitizeArtifactName("*m)a&n^y%i££n+v!a:l[i]d"), "manyinvalid");
 });
-(0, ava_1.default)("uploadDebugArtifacts", async (t) => {
+// These next tests check the correctness of the logic to determine whether or not
+// artifacts are uploaded in debug mode. Since it's not easy to mock the actual
+// call to upload an artifact, we just check that we get an "upload-failed" result,
+// instead of actually uploading the artifact.
+//
+// For tests where we expect artifact upload to be blocked, we check for a different
+// response from the function.
+(0, ava_1.default)("uploadDebugArtifacts when artifacts empty should emit 'no-artifacts-to-upload'", async (t) => {
     // Test that no error is thrown if artifacts list is empty.
     const logger = (0, logging_1.getActionsLogger)();
-    await t.notThrowsAsync(debugArtifacts.uploadDebugArtifacts(logger, [], "rootDir", "artifactName", util_1.GitHubVariant.DOTCOM));
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, [], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, undefined);
+        t.is(uploaded, "no-artifacts-to-upload", "Should not have uploaded any artifacts");
+    });
+});
+(0, ava_1.default)("uploadDebugArtifacts when no codeql version is used should invoke artifact upload", async (t) => {
+    // Test that the artifact is uploaded.
+    const logger = (0, logging_1.getActionsLogger)();
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, undefined);
+        t.is(uploaded, 
+        // The failure is expected since we don't want to actually upload any artifacts in unit tests.
+        "upload-failed", "Expect failure to upload artifacts since root dir does not exist");
+    });
+});
+(0, ava_1.default)("uploadDebugArtifacts when new codeql version is used should invoke artifact upload", async (t) => {
+    // Test that the artifact is uploaded.
+    const logger = (0, logging_1.getActionsLogger)();
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, "2.20.3");
+        t.is(uploaded, 
+        // The failure is expected since we don't want to actually upload any artifacts in unit tests.
+        "upload-failed", "Expect failure to upload artifacts since root dir does not exist");
+    });
+});
+(0, ava_1.default)("uploadDebugArtifacts when old codeql is used should avoid trying to upload artifacts", async (t) => {
+    // Test that the artifact is not uploaded.
+    const logger = (0, logging_1.getActionsLogger)();
+    await t.notThrowsAsync(async () => {
+        const uploaded = await debugArtifacts.uploadDebugArtifacts(logger, ["hucairz"], "i-dont-exist", "artifactName", util_1.GitHubVariant.DOTCOM, "2.20.2");
+        t.is(uploaded, "upload-not-supported", "Expected artifact upload to be blocked because of old CodeQL version");
+    });
 });
 //# sourceMappingURL=debug-artifacts.test.js.map

lib/debug-artifacts.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AACpD,uCAA6C;AAC7C,iCAAuC;AAEvC,IAAA,aAAI,EAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;IACjC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,YAAY,CACb,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,EAC9D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sBAAsB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvC,2DAA2D;IAC3D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CACpB,cAAc,CAAC,oBAAoB,CACjC,MAAM,EACN,EAAE,EACF,SAAS,EACT,cAAc,EACd,oBAAa,CAAC,MAAM,CACrB,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}
+{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AACpD,uCAA6C;AAC7C,iCAAuC;AAEvC,IAAA,aAAI,EAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;IACjC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,YAAY,CACb,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,EAC9D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,kFAAkF;AAClF,+EAA+E;AAC/E,mFAAmF;AACnF,8CAA8C;AAC9C,EAAE;AACF,oFAAoF;AACpF,8BAA8B;AAE9B,IAAA,aAAI,EAAC,gFAAgF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACjG,2DAA2D;IAC3D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,EAAE,EACF,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,SAAS,CACV,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,wBAAwB,EACxB,wCAAwC,CACzC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mFAAmF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpG,sCAAsC;IACtC,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,SAAS,CACV,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ;QACR,8FAA8F;QAC9F,eAAe,EACf,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oFAAoF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrG,sCAAsC;IACtC,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,QAAQ,CACT,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ;QACR,8FAA8F;QAC9F,eAAe,EACf,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sFAAsF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvG,0CAA0C;IAC1C,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,QAAQ,CACT,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,sBAAsB,EACtB,sEAAsE,CACvE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.20.2",
-    "cliVersion": "2.20.2",
-    "priorBundleVersion": "codeql-bundle-v2.20.1",
-    "priorCliVersion": "2.20.1"
+    "bundleVersion": "codeql-bundle-v2.20.3",
+    "cliVersion": "2.20.3",
+    "priorBundleVersion": "codeql-bundle-v2.20.2",
+    "priorCliVersion": "2.20.2"
 }

lib/init-action-post-helper.js

@@ -142,7 +142,9 @@ async function run(uploadAllAvailableDebugArtifacts, printDebugLogs, config, rep
     // Upload appropriate Actions artifacts for debugging
     if (config.debugMode) {
         logger.info("Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...");
-        await uploadAllAvailableDebugArtifacts(config, logger, features);
+        const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+        const version = await codeql.getVersion();
+        await uploadAllAvailableDebugArtifacts(config, logger, version.version);
         await printDebugLogs(config);
     }
     if (actionsUtil.isSelfHostedRunner()) {

lib/init-action-post.js

@@ -64,9 +64,10 @@ async function runWrapper() {
         config = await (0, config_utils_1.getConfig)((0, actions_util_1.getTemporaryDirectory)(), logger);
         if (config === undefined) {
             logger.warning("Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.");
-            return;
         }
-        uploadFailedSarifResult = await initActionPostHelper.run(debugArtifacts.tryUploadAllAvailableDebugArtifacts, actions_util_1.printDebugLogs, config, repositoryNwo, features, logger);
+        else {
+            uploadFailedSarifResult = await initActionPostHelper.run(debugArtifacts.tryUploadAllAvailableDebugArtifacts, actions_util_1.printDebugLogs, config, repositoryNwo, features, logger);
+        }
     }
     catch (unwrappedError) {
         const error = (0, util_1.wrapError)(unwrappedError);

lib/init-action-post.js.map

@@ -1 +1 @@
-{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,iDAAmD;AACnD,kEAAoD;AACpD,mDAA2C;AAC3C,gFAAkE;AAClE,uCAA6C;AAC7C,6CAAkD;AAClD,mDAOyB;AACzB,iCAKgB;AAOhB,KAAK,UAAU,UAAU;IACvB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,MAA0B,CAAC;IAC/B,IAAI,uBAES,CAAC;IACd,IAAI,CAAC;QACH,qCAAqC;QACrC,IAAA,4BAAa,GAAE,CAAC;QAEhB,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;YACF,OAAO;QACT,CAAC;QAED,uBAAuB,GAAG,MAAM,oBAAoB,CAAC,GAAG,CACtD,cAAc,CAAC,mCAAmC,EAClD,6BAAc,EACd,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;IACJ,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE9B,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,IAAA,gCAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CAAC;QACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAA,gCAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO;IACT,CAAC;IACD,MAAM,SAAS,GAAG,oBAAoB,CAAC,iBAAiB,EAAE,CAAC;IAC3D,MAAM,CAAC,IAAI,CAAC,yBAAyB,IAAA,uCAAuB,EAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAE5E,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,SAAS,EACT,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAAyB;YACzC,GAAG,gBAAgB;YACnB,GAAG,uBAAuB;YAC1B,UAAU,EAAE,oBAAoB,CAAC,iBAAiB,EAAE;SACrD,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,iDAAmD;AACnD,kEAAoD;AACpD,mDAA2C;AAC3C,gFAAkE;AAClE,uCAA6C;AAC7C,6CAAkD;AAClD,mDAOyB;AACzB,iCAKgB;AAOhB,KAAK,UAAU,UAAU;IACvB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,MAA0B,CAAC;IAC/B,IAAI,uBAES,CAAC;IACd,IAAI,CAAC;QACH,qCAAqC;QACrC,IAAA,4BAAa,GAAE,CAAC;QAEhB,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,uBAAuB,GAAG,MAAM,oBAAoB,CAAC,GAAG,CACtD,cAAc,CAAC,mCAAmC,EAClD,6BAAc,EACd,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE9B,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,IAAA,gCAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CAAC;QACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAA,gCAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO;IACT,CAAC;IACD,MAAM,SAAS,GAAG,oBAAoB,CAAC,iBAAiB,EAAE,CAAC;IAC3D,MAAM,CAAC,IAAI,CAAC,yBAAyB,IAAA,uCAAuB,EAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAE5E,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,SAAS,EACT,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAAyB;YACzC,GAAG,gBAAgB;YACnB,GAAG,uBAAuB;YAC1B,UAAU,EAAE,oBAAoB,CAAC,iBAAiB,EAAE;SACrD,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/init-action.js

@@ -317,6 +317,11 @@ async function run() {
         if (await features.getValue(feature_flags_1.Feature.DisableKotlinAnalysisEnabled)) {
             core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
         }
+        const kotlinLimitVar = "CODEQL_EXTRACTOR_KOTLIN_OVERRIDE_MAXIMUM_VERSION_LIMIT";
+        if ((await (0, util_1.codeQlVersionAtLeast)(codeql, "2.20.3")) &&
+            !(await (0, util_1.codeQlVersionAtLeast)(codeql, "2.20.4"))) {
+            core.exportVariable(kotlinLimitVar, "2.1.20");
+        }
         if (config.languages.includes(languages_1.Language.cpp)) {
             const envVar = "CODEQL_EXTRACTOR_CPP_TRAP_CACHING";
             if (process.env[envVar]) {

lib/start-proxy-action.js

@@ -39,28 +39,14 @@ const core = __importStar(require("@actions/core"));
 const toolcache = __importStar(require("@actions/tool-cache"));
 const node_forge_1 = require("node-forge");
 const actionsUtil = __importStar(require("./actions-util"));
-const languages_1 = require("./languages");
 const logging_1 = require("./logging");
+const start_proxy_1 = require("./start-proxy");
 const util = __importStar(require("./util"));
 const UPDATEJOB_PROXY = "update-job-proxy";
 const UPDATEJOB_PROXY_VERSION = "v2.0.20241023203727";
 const UPDATEJOB_PROXY_URL_PREFIX = "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.18.1/";
-const PROXY_USER = "proxy_user";
 const KEY_SIZE = 2048;
 const KEY_EXPIRY_YEARS = 2;
-const LANGUAGE_TO_REGISTRY_TYPE = {
-    java: "maven_repository",
-    csharp: "nuget_feed",
-    javascript: "npm_registry",
-    python: "python_index",
-    ruby: "rubygems_server",
-    rust: "cargo_registry",
-    // We do not have an established proxy type for these languages, thus leaving empty.
-    actions: "",
-    cpp: "",
-    go: "",
-    swift: "",
-};
 const CERT_SUBJECT = [
     {
         name: "commonName",
@@ -112,16 +98,18 @@ async function runWrapper() {
     const proxyLogFilePath = path.resolve(tempDir, "proxy.log");
     core.saveState("proxy-log-file", proxyLogFilePath);
     // Get the configuration options
-    const credentials = getCredentials(logger);
+    const credentials = (0, start_proxy_1.getCredentials)(logger, actionsUtil.getOptionalInput("registry_secrets"), actionsUtil.getOptionalInput("registries_credentials"), actionsUtil.getOptionalInput("language"));
+    if (credentials.length === 0) {
+        logger.info("No credentials found, skipping proxy setup.");
+        return;
+    }
     logger.info(`Credentials loaded for the following registries:\n ${credentials
         .map((c) => credentialToStr(c))
         .join("\n")}`);
     const ca = generateCertificateAuthority();
-    const proxyAuth = getProxyAuth();
     const proxyConfig = {
         all_credentials: credentials,
         ca,
-        proxy_auth: proxyAuth,
     };
     // Start the Proxy
     const proxyBin = await getProxyBinaryPath();
@@ -178,64 +166,6 @@ async function startProxy(binPath, config, logFilePath, logger) {
         core.setFailed(`start-proxy action failed: ${util.getErrorMessage(error)}`);
     }
 }
-// getCredentials returns registry credentials from action inputs.
-// It prefers `registries_credentials` over `registry_secrets`.
-// If neither is set, it returns an empty array.
-function getCredentials(logger) {
-    const registriesCredentials = actionsUtil.getOptionalInput("registries_credentials");
-    const registrySecrets = actionsUtil.getOptionalInput("registry_secrets");
-    const languageString = actionsUtil.getOptionalInput("language");
-    const language = languageString ? (0, languages_1.parseLanguage)(languageString) : undefined;
-    const registryTypeForLanguage = language
-        ? LANGUAGE_TO_REGISTRY_TYPE[language]
-        : undefined;
-    let credentialsStr;
-    if (registriesCredentials !== undefined) {
-        logger.info(`Using registries_credentials input.`);
-        credentialsStr = Buffer.from(registriesCredentials, "base64").toString();
-    }
-    else if (registrySecrets !== undefined) {
-        logger.info(`Using registry_secrets input.`);
-        credentialsStr = registrySecrets;
-    }
-    else {
-        logger.info(`No credentials defined.`);
-        return [];
-    }
-    // Parse and validate the credentials
-    const parsed = JSON.parse(credentialsStr);
-    const out = [];
-    for (const e of parsed) {
-        if (e.url === undefined && e.host === undefined) {
-            throw new Error("Invalid credentials - must specify host or url");
-        }
-        // Filter credentials based on language if specified. `type` is the registry type.
-        // E.g., "maven_feed" for Java/Kotlin, "nuget_repository" for C#.
-        if (e.type !== registryTypeForLanguage) {
-            continue;
-        }
-        out.push({
-            type: e.type,
-            host: e.host,
-            url: e.url,
-            username: e.username,
-            password: e.password,
-            token: e.token,
-        });
-    }
-    return out;
-}
-// getProxyAuth returns the authentication information for the proxy itself.
-function getProxyAuth() {
-    const proxy_password = actionsUtil.getOptionalInput("proxy_password");
-    if (proxy_password) {
-        return {
-            username: PROXY_USER,
-            password: proxy_password,
-        };
-    }
-    return;
-}
 async function getProxyBinaryPath() {
     const proxyFileName = process.platform === "win32" ? `${UPDATEJOB_PROXY}.exe` : UPDATEJOB_PROXY;
     const platform = process.platform === "win32"

lib/start-proxy.js

@@ -0,0 +1,83 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCredentials = getCredentials;
+const languages_1 = require("./languages");
+const util_1 = require("./util");
+const LANGUAGE_TO_REGISTRY_TYPE = {
+    java: "maven_repository",
+    csharp: "nuget_feed",
+    javascript: "npm_registry",
+    python: "python_index",
+    ruby: "rubygems_server",
+    rust: "cargo_registry",
+    // We do not have an established proxy type for these languages, thus leaving empty.
+    actions: "",
+    cpp: "",
+    go: "",
+    swift: "",
+};
+// getCredentials returns registry credentials from action inputs.
+// It prefers `registries_credentials` over `registry_secrets`.
+// If neither is set, it returns an empty array.
+function getCredentials(logger, registrySecrets, registriesCredentials, languageString) {
+    const language = languageString ? (0, languages_1.parseLanguage)(languageString) : undefined;
+    const registryTypeForLanguage = language
+        ? LANGUAGE_TO_REGISTRY_TYPE[language]
+        : undefined;
+    let credentialsStr;
+    if (registriesCredentials !== undefined) {
+        logger.info(`Using registries_credentials input.`);
+        credentialsStr = Buffer.from(registriesCredentials, "base64").toString();
+    }
+    else if (registrySecrets !== undefined) {
+        logger.info(`Using registry_secrets input.`);
+        credentialsStr = registrySecrets;
+    }
+    else {
+        logger.info(`No credentials defined.`);
+        return [];
+    }
+    // Parse and validate the credentials
+    let parsed;
+    try {
+        parsed = JSON.parse(credentialsStr);
+    }
+    catch {
+        // Don't log the error since it might contain sensitive information.
+        logger.error("Failed to parse the credentials data.");
+        throw new util_1.ConfigurationError("Invalid credentials format.");
+    }
+    const out = [];
+    for (const e of parsed) {
+        if (e.url === undefined && e.host === undefined) {
+            // The proxy needs one of these to work. If both are defined, the url has the precedence.
+            throw new util_1.ConfigurationError("Invalid credentials - must specify host or url");
+        }
+        // Filter credentials based on language if specified. `type` is the registry type.
+        // E.g., "maven_feed" for Java/Kotlin, "nuget_repository" for C#.
+        if (registryTypeForLanguage && e.type !== registryTypeForLanguage) {
+            continue;
+        }
+        const isPrintable = (str) => {
+            return str ? /^[\x20-\x7E]*$/.test(str) : true;
+        };
+        if (!isPrintable(e.type) ||
+            !isPrintable(e.host) ||
+            !isPrintable(e.url) ||
+            !isPrintable(e.username) ||
+            !isPrintable(e.password) ||
+            !isPrintable(e.token)) {
+            throw new util_1.ConfigurationError("Invalid credentials - fields must contain only printable characters");
+        }
+        out.push({
+            type: e.type,
+            host: e.host,
+            url: e.url,
+            username: e.username,
+            password: e.password,
+            token: e.token,
+        });
+    }
+    return out;
+}
+//# sourceMappingURL=start-proxy.js.map

lib/start-proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"start-proxy.js","sourceRoot":"","sources":["../src/start-proxy.ts"],"names":[],"mappings":";;AA8BA,wCA2EC;AAzGD,2CAAsD;AAEtD,iCAA4C;AAW5C,MAAM,yBAAyB,GAA6B;IAC1D,IAAI,EAAE,kBAAkB;IACxB,MAAM,EAAE,YAAY;IACpB,UAAU,EAAE,cAAc;IAC1B,MAAM,EAAE,cAAc;IACtB,IAAI,EAAE,iBAAiB;IACvB,IAAI,EAAE,gBAAgB;IACtB,oFAAoF;IACpF,OAAO,EAAE,EAAE;IACX,GAAG,EAAE,EAAE;IACP,EAAE,EAAE,EAAE;IACN,KAAK,EAAE,EAAE;CACD,CAAC;AAEX,kEAAkE;AAClE,+DAA+D;AAC/D,gDAAgD;AAChD,SAAgB,cAAc,CAC5B,MAAc,EACd,eAAmC,EACnC,qBAAyC,EACzC,cAAkC;IAElC,MAAM,QAAQ,GAAG,cAAc,CAAC,CAAC,CAAC,IAAA,yBAAa,EAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5E,MAAM,uBAAuB,GAAG,QAAQ;QACtC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;QACrC,CAAC,CAAC,SAAS,CAAC;IAEd,IAAI,cAAsB,CAAC;IAC3B,IAAI,qBAAqB,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACnD,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,qBAAqB,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC3E,CAAC;SAAM,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAC7C,cAAc,GAAG,eAAe,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACvC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,qCAAqC;IACrC,IAAI,MAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAiB,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,oEAAoE;QACpE,MAAM,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACtD,MAAM,IAAI,yBAAkB,CAAC,6BAA6B,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,GAAG,GAAiB,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChD,yFAAyF;YACzF,MAAM,IAAI,yBAAkB,CAC1B,gDAAgD,CACjD,CAAC;QACJ,CAAC;QAED,kFAAkF;QAClF,iEAAiE;QACjE,IAAI,uBAAuB,IAAI,CAAC,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;YAClE,SAAS;QACX,CAAC;QAED,MAAM,WAAW,GAAG,CAAC,GAAuB,EAAW,EAAE;YACvD,OAAO,GAAG,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACjD,CAAC,CAAC;QAEF,IACE,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC;YACnB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxB,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,EACrB,CAAC;YACD,MAAM,IAAI,yBAAkB,CAC1B,qEAAqE,CACtE,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

lib/start-proxy.test.js

@@ -0,0 +1,99 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const ava_1 = __importDefault(require("ava"));
+const logging_1 = require("./logging");
+const startProxyExports = __importStar(require("./start-proxy"));
+const testing_utils_1 = require("./testing-utils");
+(0, testing_utils_1.setupTests)(ava_1.default);
+(0, ava_1.default)("getCredentials prefers registriesCredentials over registrySecrets", async (t) => {
+    const registryCredentials = Buffer.from(JSON.stringify([
+        { type: "npm_registry", host: "npm.pkg.github.com", token: "abc" },
+    ])).toString("base64");
+    const registrySecrets = JSON.stringify([
+        { type: "npm_registry", host: "registry.npmjs.org", token: "def" },
+    ]);
+    const credentials = startProxyExports.getCredentials((0, logging_1.getRunnerLogger)(true), registrySecrets, registryCredentials, undefined);
+    t.is(credentials.length, 1);
+    t.is(credentials[0].host, "npm.pkg.github.com");
+});
+(0, ava_1.default)("getCredentials throws error when credential missing host and url", async (t) => {
+    const registryCredentials = Buffer.from(JSON.stringify([{ type: "npm_registry", token: "abc" }])).toString("base64");
+    t.throws(() => startProxyExports.getCredentials((0, logging_1.getRunnerLogger)(true), undefined, registryCredentials, undefined), {
+        message: "Invalid credentials - must specify host or url",
+    });
+});
+(0, ava_1.default)("getCredentials filters by language when specified", async (t) => {
+    const mixedCredentials = [
+        { type: "npm_registry", host: "npm.pkg.github.com", token: "abc" },
+        { type: "maven_repository", host: "maven.pkg.github.com", token: "def" },
+        { type: "nuget_feed", host: "nuget.pkg.github.com", token: "ghi" },
+    ];
+    const credentials = startProxyExports.getCredentials((0, logging_1.getRunnerLogger)(true), undefined, Buffer.from(JSON.stringify(mixedCredentials)).toString("base64"), "java");
+    t.is(credentials.length, 1);
+    t.is(credentials[0].type, "maven_repository");
+});
+(0, ava_1.default)("getCredentials returns all credentials when no language specified", async (t) => {
+    const mixedCredentials = [
+        { type: "npm_registry", host: "npm.pkg.github.com", token: "abc" },
+        { type: "maven_repository", host: "maven.pkg.github.com", token: "def" },
+        { type: "nuget_feed", host: "nuget.pkg.github.com", token: "ghi" },
+    ];
+    const credentialsInput = Buffer.from(JSON.stringify(mixedCredentials)).toString("base64");
+    const credentials = startProxyExports.getCredentials((0, logging_1.getRunnerLogger)(true), undefined, credentialsInput, undefined);
+    t.is(credentials.length, 3);
+});
+(0, ava_1.default)("getCredentials throws an error when non-printable characters are used", async (t) => {
+    const invalidCredentials = [
+        { type: "nuget_feed", host: "1nuget.pkg.github.com", token: "abc\u0000" }, // Non-printable character in token
+        { type: "nuget_feed", host: "2nuget.pkg.github.com\u0001" }, // Non-printable character in host
+        {
+            type: "nuget_feed",
+            host: "3nuget.pkg.github.com",
+            password: "ghi\u0002",
+        }, // Non-printable character in password
+        { type: "nuget_feed", host: "4nuget.pkg.github.com", password: "ghi\x00" }, // Non-printable character in password
+    ];
+    for (const invalidCredential of invalidCredentials) {
+        const credentialsInput = Buffer.from(JSON.stringify([invalidCredential])).toString("base64");
+        t.throws(() => startProxyExports.getCredentials((0, logging_1.getRunnerLogger)(true), undefined, credentialsInput, undefined), {
+            message: "Invalid credentials - fields must contain only printable characters",
+        });
+    }
+});
+//# sourceMappingURL=start-proxy.test.js.map

lib/start-proxy.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"start-proxy.test.js","sourceRoot":"","sources":["../src/start-proxy.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,uCAA4C;AAC5C,iEAAmD;AACnD,mDAA6C;AAE7C,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,mEAAmE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpF,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CACrC,IAAI,CAAC,SAAS,CAAC;QACb,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC,CACH,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrB,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC;QACrC,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAClD,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,eAAe,EACf,mBAAmB,EACnB,SAAS,CACV,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,oBAAoB,CAAC,CAAC;AAClD,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,kEAAkE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACnF,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CACrC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CACzD,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErB,CAAC,CAAC,MAAM,CACN,GAAG,EAAE,CACH,iBAAiB,CAAC,cAAc,CAC9B,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,mBAAmB,EACnB,SAAS,CACV,EACH;QACE,OAAO,EAAE,gDAAgD;KAC1D,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mDAAmD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpE,MAAM,gBAAgB,GAAG;QACvB,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;QAClE,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;QACxE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC;IAEF,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAClD,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAChE,MAAM,CACP,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;AAChD,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mEAAmE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpF,MAAM,gBAAgB,GAAG;QACvB,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,KAAK,EAAE;QAClE,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;QACxE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,EAAE;KACnE,CAAC;IACF,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAClC,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CACjC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErB,MAAM,WAAW,GAAG,iBAAiB,CAAC,cAAc,CAClD,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,gBAAgB,EAChB,SAAS,CACV,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC9B,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,uEAAuE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACxF,MAAM,kBAAkB,GAAG;QACzB,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,uBAAuB,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,mCAAmC;QAC9G,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,6BAA6B,EAAE,EAAE,kCAAkC;QAC/F;YACE,IAAI,EAAE,YAAY;YAClB,IAAI,EAAE,uBAAuB;YAC7B,QAAQ,EAAE,WAAW;SACtB,EAAE,sCAAsC;QACzC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,sCAAsC;KACnH,CAAC;IAEF,KAAK,MAAM,iBAAiB,IAAI,kBAAkB,EAAE,CAAC;QACnD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAClC,IAAI,CAAC,SAAS,CAAC,CAAC,iBAAiB,CAAC,CAAC,CACpC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAErB,CAAC,CAAC,MAAM,CACN,GAAG,EAAE,CACH,iBAAiB,CAAC,cAAc,CAC9B,IAAA,yBAAe,EAAC,IAAI,CAAC,EACrB,SAAS,EACT,gBAAgB,EAChB,SAAS,CACV,EACH;YACE,OAAO,EACL,qEAAqE;SACxE,CACF,CAAC;IACJ,CAAC;AACH,CAAC,CAAC,CAAC"}

lib/tools-features.js

@@ -1,7 +1,42 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ToolsFeature = void 0;
+exports.SafeArtifactUploadVersion = exports.ToolsFeature = void 0;
 exports.isSupportedToolsFeature = isSupportedToolsFeature;
+exports.isSafeArtifactUpload = isSafeArtifactUpload;
+const semver = __importStar(require("semver"));
 var ToolsFeature;
 (function (ToolsFeature) {
     ToolsFeature["AnalysisSummaryV2IsDefault"] = "analysisSummaryV2Default";
@@ -25,4 +60,20 @@ var ToolsFeature;
 function isSupportedToolsFeature(versionInfo, feature) {
     return !!versionInfo.features && versionInfo.features[feature];
 }
+exports.SafeArtifactUploadVersion = "2.20.3";
+/**
+ * The first version of the CodeQL CLI where artifact upload is safe to use
+ * for failed runs. This is not really a feature flag, but it is easiest to
+ * model the behavior as a feature flag.
+ *
+ * This was not captured in a tools feature, so we need to use semver.
+ *
+ * @param codeQlVersion The version of the CodeQL CLI to check. If not provided, it is assumed to be safe.
+ * @returns True if artifact upload is safe to use for failed runs or false otherwise.
+ */
+function isSafeArtifactUpload(codeQlVersion) {
+    return !codeQlVersion
+        ? true
+        : semver.gte(codeQlVersion, exports.SafeArtifactUploadVersion);
+}
 //# sourceMappingURL=tools-features.js.map

lib/tools-features.js.map

@@ -1 +1 @@
-{"version":3,"file":"tools-features.js","sourceRoot":"","sources":["../src/tools-features.ts"],"names":[],"mappings":";;;AAsBA,0DAKC;AAzBD,IAAY,YAWX;AAXD,WAAY,YAAY;IACtB,uEAAuD,CAAA;IACvD,mDAAmC,CAAA;IACnC,qHAAqG,CAAA;IACrG,+FAA+E,CAAA;IAC/E,yFAAyE,CAAA;IACzE,iEAAiD,CAAA;IACjD,qEAAqD,CAAA;IACrD,mFAAmE,CAAA;IACnE,iDAAiC,CAAA;IACjC,uFAAuE,CAAA;AACzE,CAAC,EAXW,YAAY,4BAAZ,YAAY,QAWvB;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,WAAwB,EACxB,OAAqB;IAErB,OAAO,CAAC,CAAC,WAAW,CAAC,QAAQ,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjE,CAAC"}
+{"version":3,"file":"tools-features.js","sourceRoot":"","sources":["../src/tools-features.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,0DAKC;AAcD,oDAIC;AA/CD,+CAAiC;AAIjC,IAAY,YAWX;AAXD,WAAY,YAAY;IACtB,uEAAuD,CAAA;IACvD,mDAAmC,CAAA;IACnC,qHAAqG,CAAA;IACrG,+FAA+E,CAAA;IAC/E,yFAAyE,CAAA;IACzE,iEAAiD,CAAA;IACjD,qEAAqD,CAAA;IACrD,mFAAmE,CAAA;IACnE,iDAAiC,CAAA;IACjC,uFAAuE,CAAA;AACzE,CAAC,EAXW,YAAY,4BAAZ,YAAY,QAWvB;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,WAAwB,EACxB,OAAqB;IAErB,OAAO,CAAC,CAAC,WAAW,CAAC,QAAQ,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjE,CAAC;AAEY,QAAA,yBAAyB,GAAG,QAAQ,CAAC;AAElD;;;;;;;;;GASG;AACH,SAAgB,oBAAoB,CAAC,aAAsB;IACzD,OAAO,CAAC,aAAa;QACnB,CAAC,CAAC,IAAI;QACN,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,iCAAyB,CAAC,CAAC;AAC3D,CAAC"}

lib/upload-sarif-action-post.js

@@ -59,7 +59,10 @@ async function runWrapper() {
                 core.warning(`Did not upload debug artifacts because cannot determine the GitHub variant running.`);
                 return;
             }
-            await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, gitHubVersion.type));
+            await (0, logging_1.withGroup)("Uploading combined SARIF debug artifact", () => debugArtifacts.uploadCombinedSarifArtifacts(logger, gitHubVersion.type, 
+            // The codeqlVersion is not applicable for uploading non-codeql sarif.
+            // We can assume all versions are safe to upload.
+            undefined));
         }
     }
     catch (error) {

lib/upload-sarif-action-post.js.map

@@ -1 +1 @@
-{"version":3,"file":"upload-sarif-action-post.js","sourceRoot":"","sources":["../src/upload-sarif-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,6CAA6C;QAC7C,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,mFAAmF;QACnF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,IAAI,aAAa,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACrC,IAAI,CAAC,OAAO,CACV,qFAAqF,CACtF,CAAC;gBACF,OAAO;YACT,CAAC;YACD,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CACxE,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,yCAAyC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAClE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"upload-sarif-action-post.js","sourceRoot":"","sources":["../src/upload-sarif-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,kEAAoD;AACpD,+CAAuC;AACvC,uCAAwD;AACxD,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,6CAA6C;QAC7C,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,mFAAmF;QACnF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,IAAI,aAAa,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACrC,IAAI,CAAC,OAAO,CACV,qFAAqF,CACtF,CAAC;gBACF,OAAO;YACT,CAAC;YACD,MAAM,IAAA,mBAAS,EAAC,yCAAyC,EAAE,GAAG,EAAE,CAC9D,cAAc,CAAC,4BAA4B,CACzC,MAAM,EACN,aAAa,CAAC,IAAI;YAClB,sEAAsE;YACtE,iDAAiD;YACjD,SAAS,CACV,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,yCAAyC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAClE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

node_modules/@babel/runtime/README.md

@@ -1,19 +0,0 @@
-# @babel/runtime
-
-> babel's modular runtime helpers
-
-See our website [@babel/runtime](https://babeljs.io/docs/en/babel-runtime) for more information.
-
-## Install
-
-Using npm:
-
-```sh
-npm install --save @babel/runtime
-```
-
-or using yarn:
-
-```sh
-yarn add @babel/runtime
-```

node_modules/@babel/runtime/helpers/AsyncGenerator.js

@@ -1,64 +0,0 @@
-var OverloadYield = require("./OverloadYield.js");
-function AsyncGenerator(gen) {
-  var front, back;
-  function resume(key, arg) {
-    try {
-      var result = gen[key](arg),
-        value = result.value,
-        overloaded = value instanceof OverloadYield;
-      Promise.resolve(overloaded ? value.v : value).then(function (arg) {
-        if (overloaded) {
-          var nextKey = "return" === key ? "return" : "next";
-          if (!value.k || arg.done) return resume(nextKey, arg);
-          arg = gen[nextKey](arg).value;
-        }
-        settle(result.done ? "return" : "normal", arg);
-      }, function (err) {
-        resume("throw", err);
-      });
-    } catch (err) {
-      settle("throw", err);
-    }
-  }
-  function settle(type, value) {
-    switch (type) {
-      case "return":
-        front.resolve({
-          value: value,
-          done: !0
-        });
-        break;
-      case "throw":
-        front.reject(value);
-        break;
-      default:
-        front.resolve({
-          value: value,
-          done: !1
-        });
-    }
-    (front = front.next) ? resume(front.key, front.arg) : back = null;
-  }
-  this._invoke = function (key, arg) {
-    return new Promise(function (resolve, reject) {
-      var request = {
-        key: key,
-        arg: arg,
-        resolve: resolve,
-        reject: reject,
-        next: null
-      };
-      back ? back = back.next = request : (front = back = request, resume(key, arg));
-    });
-  }, "function" != typeof gen["return"] && (this["return"] = void 0);
-}
-AsyncGenerator.prototype["function" == typeof Symbol && Symbol.asyncIterator || "@@asyncIterator"] = function () {
-  return this;
-}, AsyncGenerator.prototype.next = function (arg) {
-  return this._invoke("next", arg);
-}, AsyncGenerator.prototype["throw"] = function (arg) {
-  return this._invoke("throw", arg);
-}, AsyncGenerator.prototype["return"] = function (arg) {
-  return this._invoke("return", arg);
-};
-module.exports = AsyncGenerator, module.exports.__esModule = true, module.exports["default"] = module.exports;

node_modules/@babel/runtime/helpers/AwaitValue.js

@@ -1,4 +0,0 @@
-function _AwaitValue(value) {
-  this.wrapped = value;
-}
-module.exports = _AwaitValue, module.exports.__esModule = true, module.exports["default"] = module.exports;

node_modules/@babel/runtime/helpers/OverloadYield.js

@@ -1,4 +0,0 @@
-function _OverloadYield(value, kind) {
-  this.v = value, this.k = kind;
-}
-module.exports = _OverloadYield, module.exports.__esModule = true, module.exports["default"] = module.exports;

node_modules/@babel/runtime/helpers/applyDecoratedDescriptor.js

@@ -1,24 +0,0 @@
-function _applyDecoratedDescriptor(target, property, decorators, descriptor, context) {
-  var desc = {};
-  Object.keys(descriptor).forEach(function (key) {
-    desc[key] = descriptor[key];
-  });
-  desc.enumerable = !!desc.enumerable;
-  desc.configurable = !!desc.configurable;
-  if ('value' in desc || desc.initializer) {
-    desc.writable = true;
-  }
-  desc = decorators.slice().reverse().reduce(function (desc, decorator) {
-    return decorator(target, property, desc) || desc;
-  }, desc);
-  if (context && desc.initializer !== void 0) {
-    desc.value = desc.initializer ? desc.initializer.call(context) : void 0;
-    desc.initializer = undefined;
-  }
-  if (desc.initializer === void 0) {
-    Object.defineProperty(target, property, desc);
-    desc = null;
-  }
-  return desc;
-}
-module.exports = _applyDecoratedDescriptor, module.exports.__esModule = true, module.exports["default"] = module.exports;