Merge pull request #2916 from github/dependabot/npm_and_yarn/npm-5cdccdc43f

build(deps): bump the npm group with 5 updates

.github/actions/prepare-test/action.yml

@@ -29,24 +29,27 @@ runs:
     - id: get-url
       name: Determine URL
       shell: bash
+      env:
+        VERSION: ${{ inputs.version }}
+        USE_ALL_PLATFORM_BUNDLE: ${{ inputs.use-all-platform-bundle }}
       run: |
         set -e # Fail this Action if `gh release list` fails.
 
-        if [[ ${{ inputs.version }} == "linked" ]]; then
+        if [[ "$VERSION" == "linked" ]]; then
           echo "tools-url=linked" >> "$GITHUB_OUTPUT"
           exit 0
-        elif [[ ${{ inputs.version }} == "default" ]]; then
+        elif [[ "$VERSION" == "default" ]]; then
           echo "tools-url=" >> "$GITHUB_OUTPUT"
           exit 0
         fi
 
-        if [[ ${{ inputs.version }} == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
+        if [[ "$VERSION" == "nightly-latest" && "$RUNNER_OS" != "Windows" ]]; then
           extension="tar.zst"
         else
           extension="tar.gz"
         fi
 
-        if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
+        if [[ "$USE_ALL_PLATFORM_BUNDLE" == "true" ]]; then
           artifact_name="codeql-bundle.$extension"
         elif [[ "$RUNNER_OS" == "Linux" ]]; then
           artifact_name="codeql-bundle-linux64.$extension"
@@ -59,14 +62,14 @@ runs:
           exit 1
         fi
 
-        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
+        if [[ "$VERSION" == "nightly-latest" ]]; then
           tag=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
           echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$tag/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == *"nightly"* ]]; then
-          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+        elif [[ "$VERSION" == *"nightly"* ]]; then
+          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
           echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == *"stable"* ]]; then
-          version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
+        elif [[ "$VERSION" == *"stable"* ]]; then
+          version=`echo "$VERSION" | sed -e 's/^.*\-//'`
           echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
         else
           echo "::error::Unrecognized version specified!"

.github/actions/release-branches/action.yml

@@ -18,8 +18,11 @@ runs:
   using: "composite"
   steps:
     - id: branches
+      env:
+        MAJOR_VERSION: ${{ inputs.major_version }}
+        LATEST_TAG: ${{ inputs.latest_tag }}
       run: |
         python ${{ github.action_path }}/release-branches.py \
-            --major-version ${{ inputs.major_version }} \
-            --latest-tag ${{ inputs.latest_tag }}
+            --major-version "$MAJOR_VERSION" \
+            --latest-tag "$LATEST_TAG"
       shell: bash

.github/dependabot.yml

@@ -2,8 +2,6 @@ version: 2
 updates:
   - package-ecosystem: npm
     directory: "/"
-    reviewers:
-      - "github/codeql-production-shield"
     schedule:
       interval: weekly
     labels:
@@ -26,8 +24,6 @@ updates:
           - "*"
   - package-ecosystem: github-actions
     directory: "/"
-    reviewers:
-      - "github/codeql-production-shield"
     schedule:
       interval: weekly
     groups:
@@ -36,8 +32,6 @@ updates:
           - "*"
   - package-ecosystem: github-actions
     directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
-    reviewers:
-      - "github/codeql-production-shield"
     schedule:
       interval: weekly
     groups:

.github/workflows/__rubocop-multi-language.yml

@@ -46,7 +46,7 @@ jobs:
           use-all-platform-bundle: 'false'
           setup-kotlin: 'true'
       - name: Set up Ruby
-        uses: ruby/setup-ruby@277ba2a127aba66d45bad0fa2dc56f80dbfedffa # v1.222.0
+        uses: ruby/setup-ruby@13e7a03dc3ac6c3798f4570bfead2aed4d96abfb # v1.244.0
         with:
           ruby-version: 2.6
       - name: Install Code Scanning integration

.github/workflows/codeql.yml

@@ -75,7 +75,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-13,macos-14]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 

.github/workflows/codescanning-config-cli.yml

@@ -3,6 +3,9 @@
 name: Code-Scanning config CLI tests
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  # Diff informed queries add an additional query filter which is not yet
+  # taken into account by these tests.
+  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
 
 on:
   push:

.github/workflows/post-release-mergeback.yml

@@ -168,7 +168,7 @@ jobs:
             --draft
 
       - name: Generate token
-        uses: actions/create-github-app-token@v1.11.6
+        uses: actions/create-github-app-token@v2.0.6
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}

.github/workflows/update-release-branch.yml

@@ -124,7 +124,7 @@ jobs:
       pull-requests: write # needed to create pull request
     steps:
     - name: Generate token
-      uses: actions/create-github-app-token@v1.11.6
+      uses: actions/create-github-app-token@v2.0.6
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}

CHANGELOG.md

@@ -6,6 +6,45 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 No user facing changes.
 
+## 3.28.19 - 03 Jun 2025
+
+- The CodeQL Action no longer includes its own copy of the extractor for the `actions` language, which is currently in public preview.
+  The `actions` extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the `actions` language _and_ you have pinned
+  your `tools:` property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable
+  `actions` analysis.
+- Update default CodeQL bundle version to 2.21.4. [#2910](https://github.com/github/codeql-action/pull/2910)
+
+## 3.28.18 - 16 May 2025
+
+- Update default CodeQL bundle version to 2.21.3. [#2893](https://github.com/github/codeql-action/pull/2893)
+- Skip validating SARIF produced by CodeQL for improved performance. [#2894](https://github.com/github/codeql-action/pull/2894)
+- The number of threads and amount of RAM used by CodeQL can now be set via the `CODEQL_THREADS` and `CODEQL_RAM` runner environment variables. If set, these environment variables override the `threads` and `ram` inputs respectively. [#2891](https://github.com/github/codeql-action/pull/2891)
+
+## 3.28.17 - 02 May 2025
+
+- Update default CodeQL bundle version to 2.21.2. [#2872](https://github.com/github/codeql-action/pull/2872)
+
+## 3.28.16 - 23 Apr 2025
+
+- Update default CodeQL bundle version to 2.21.1. [#2863](https://github.com/github/codeql-action/pull/2863)
+
+## 3.28.15 - 07 Apr 2025
+
+- Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. [#2842](https://github.com/github/codeql-action/pull/2842)
+
+## 3.28.14 - 07 Apr 2025
+
+- Update default CodeQL bundle version to 2.21.0. [#2838](https://github.com/github/codeql-action/pull/2838)
+
+## 3.28.13 - 24 Mar 2025
+
+No user facing changes.
+
+## 3.28.12 - 19 Mar 2025
+
+- Dependency caching should now cache more dependencies for Java `build-mode: none` extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
+- Update default CodeQL bundle version to 2.20.7. [#2810](https://github.com/github/codeql-action/pull/2810)
+
 ## 3.28.11 - 07 Mar 2025
 
 - Update default CodeQL bundle version to 2.20.6. [#2793](https://github.com/github/codeql-action/pull/2793)

README.md

@@ -70,10 +70,11 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 | Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
 |-----------------------|-------------------------------|--------------------|-------|
-| `v3.26.6`  | `2.18.4` | Enterprise Server 3.15 | |
-| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 | |
-| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 | |
-| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 | |
+| `v3.28.12`  | `2.20.7` | Enterprise Server 3.17 | |
+| `v3.28.6`  | `2.20.3` | Enterprise Server 3.16 | |
+| `v3.28.6`  | `2.20.3` | Enterprise Server 3.15 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.14 | |
+| `v3.28.6` | `2.20.3` | Enterprise Server 3.13 | |
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 

actions-extractor/codeql-extractor.yml

@@ -1,44 +0,0 @@
-name: "actions"
-aliases: []
-display_name: "GitHub Actions"
-version: 0.0.1
-column_kind: "utf16"
-unicode_newlines: true
-build_modes:
-  - none
-file_coverage_languages: []
-github_api_languages: []
-scc_languages: []
-file_types:
-  - name: workflow
-    display_name: GitHub Actions workflow files
-    extensions:
-      - .yml
-      - .yaml
-forwarded_extractor_name: javascript
-options:
-  trap:
-    title: TRAP options
-    description: Options about how the extractor handles TRAP files
-    type: object
-    visibility: 3
-    properties:
-      cache:
-        title: TRAP cache options
-        description: Options about how the extractor handles its TRAP cache
-        type: object
-        properties:
-          dir:
-            title: TRAP cache directory
-            description: The directory of the TRAP cache to use
-            type: string
-          bound:
-            title: TRAP cache bound
-            description: A soft limit (in MB) on the size of the TRAP cache
-            type: string
-            pattern: "[0-9]+"
-          write:
-            title: TRAP cache writeable
-            description: Whether to write to the TRAP cache as well as reading it
-            type: string
-            pattern: "(true|TRUE|false|FALSE)"

actions-extractor/tools/autobuild-impl.ps1

@@ -1,40 +0,0 @@
-if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
-    Write-Output 'Path filters set. Passing them through to the JavaScript extractor.' 
-} else {
-    Write-Output 'No path filters set. Using the default filters.'
-    $DefaultPathFilters = @(
-        'exclude:**/*',
-        'include:.github/workflows/**/*.yml',
-        'include:.github/workflows/**/*.yaml',
-        'include:**/action.yml',
-        'include:**/action.yaml'
-    )
-
-    $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
-}
-
-# Find the JavaScript extractor directory via `codeql resolve extractor`.
-$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
-if ($LASTEXITCODE -ne 0) {
-    throw 'Failed to resolve JavaScript extractor.'
-}
-
-Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
-
-# Run the JavaScript autobuilder.
-$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd'
-Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'."
-
-# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
-
-&$JavaScriptAutoBuild
-if ($LASTEXITCODE -ne 0) {
-    throw "JavaScript autobuilder failed."
-}

actions-extractor/tools/autobuild.cmd

@@ -1,3 +0,0 @@
-@echo off
-rem All of the work is done in the PowerShell script
-powershell.exe %~dp0autobuild-impl.ps1

actions-extractor/tools/autobuild.sh

@@ -1,39 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-DEFAULT_PATH_FILTERS=$(cat << END
-exclude:**/*
-include:.github/workflows/**/*.yml
-include:.github/workflows/**/*.yaml
-include:**/action.yml
-include:**/action.yaml
-END
-)
-
-if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
-    echo "Path filters set. Passing them through to the JavaScript extractor."
-else
-    echo "No path filters set. Using the default filters."
-    LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
-    export LGTM_INDEX_FILTERS
-fi
-
-# Find the JavaScript extractor directory via `codeql resolve extractor`.
-CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
-export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
-
-echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
-
-# Run the JavaScript autobuilder
-JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh"
-echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'."
-
-# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
-env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
-    ${JAVASCRIPT_AUTO_BUILD}

justfile

@@ -3,7 +3,7 @@ all: lint sync
 
 # Lint source typescript
 lint:
-    npm run lint -- --fix
+    npm run lint-fix
 
 # Sync generated files (javascript and PR checks)
 sync: build update-pr-checks
@@ -15,3 +15,16 @@ update-pr-checks:
 # Transpile typescript code into javascript
 build:
     npm run build
+
+# Build then run all the tests
+test: build
+    npm run test
+
+# Run the tests for a single file
+test_file filename: build
+    npx ava --verbose {{filename}}
+
+[doc("Refresh the .js build artefacts in the lib directory")]
+[confirm]
+refresh-lib:
+    rm -rf lib && npm run build

lib/analyze-action-post.js

@@ -38,12 +38,14 @@ Object.defineProperty(exports, "__esModule", { value: true });
  * It will run after the all steps in this job, in reverse order in relation to
  * other `post:` hooks.
  */
+const fs = __importStar(require("fs"));
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
 const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const debugArtifacts = __importStar(require("./debug-artifacts"));
+const dependency_caching_1 = require("./dependency-caching");
 const environment_1 = require("./environment");
 const logging_1 = require("./logging");
 const util_1 = require("./util");
@@ -63,6 +65,18 @@ async function runWrapper() {
                 await debugArtifacts.uploadCombinedSarifArtifacts(logger, config.gitHubVersion.type, version.version);
             }
         }
+        // If we analysed Java in build-mode: none, we may have downloaded dependencies
+        // to the temp directory. Clean these up so they don't persist unnecessarily
+        // long on self-hosted runners.
+        const javaTempDependencyDir = (0, dependency_caching_1.getJavaTempDependencyDir)();
+        if (fs.existsSync(javaTempDependencyDir)) {
+            try {
+                fs.rmSync(javaTempDependencyDir, { recursive: true });
+            }
+            catch (error) {
+                logger.info(`Failed to remove temporary Java dependencies directory: ${(0, util_1.getErrorMessage)(error)}`);
+            }
+        }
     }
     catch (error) {
         core.setFailed(`analyze post-action step failed: ${(0, util_1.getErrorMessage)(error)}`);

lib/analyze-action-post.js.map

@@ -1 +1 @@
-{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,qCAAqC;AACrC,iDAA2C;AAC3C,kEAAoD;AACpD,+CAAuC;AACvC,uCAA6C;AAC7C,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC1C,MAAM,cAAc,CAAC,4BAA4B,CAC/C,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,EACzB,OAAO,CAAC,OAAO,CAChB,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,uCAAyB;AAEzB,oDAAsC;AAEtC,4DAA8C;AAC9C,6CAAgD;AAChD,qCAAqC;AACrC,iDAA2C;AAC3C,kEAAoD;AACpD,6DAAgE;AAChE,+CAAuC;AACvC,uCAA6C;AAC7C,iCAAoE;AAEpE,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,WAAW,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAC5B,WAAW,CAAC,qBAAqB,EAAE,EACnC,MAAM,CACP,CAAC;YACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC1C,MAAM,cAAc,CAAC,4BAA4B,CAC/C,MAAM,EACN,MAAM,CAAC,aAAa,CAAC,IAAI,EACzB,OAAO,CAAC,OAAO,CAChB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,4EAA4E;QAC5E,+BAA+B;QAC/B,MAAM,qBAAqB,GAAG,IAAA,6CAAwB,GAAE,CAAC;QACzD,IAAI,EAAE,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,EAAE,CAAC,MAAM,CAAC,qBAAqB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACxD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CACT,2DAA2D,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CACpF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/analyze-action.js

@@ -41,7 +41,6 @@ const fs = __importStar(require("fs"));
 const path_1 = __importDefault(require("path"));
 const perf_hooks_1 = require("perf_hooks");
 const core = __importStar(require("@actions/core"));
-const github = __importStar(require("@actions/github"));
 const actionsUtil = __importStar(require("./actions-util"));
 const analyze_1 = require("./analyze");
 const api_client_1 = require("./api-client");
@@ -51,6 +50,7 @@ const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const database_upload_1 = require("./database-upload");
 const dependency_caching_1 = require("./dependency-caching");
+const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
 const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
@@ -189,14 +189,15 @@ async function run() {
         const outputDir = actionsUtil.getRequiredInput("output");
         core.exportVariable(environment_1.EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
         const threads = util.getThreadsFlag(actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"], logger);
-        const repositoryNwo = (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY"));
+        const repositoryNwo = (0, repository_1.getRepositoryNwo)();
         const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
         util.checkActionVersion(actionsUtil.getActionVersion(), gitHubVersion);
         const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, actionsUtil.getTemporaryDirectory(), logger);
         const memory = util.getMemoryFlag(actionsUtil.getOptionalInput("ram") || process.env["CODEQL_RAM"], logger);
-        const pull_request = github.context.payload.pull_request;
-        const diffRangePackDir = pull_request &&
-            (await (0, analyze_1.setupDiffInformedQueryRun)(pull_request.base.ref, pull_request.head.label, codeql, logger, features));
+        const branches = await (0, diff_informed_analysis_utils_1.getDiffInformedAnalysisBranches)(codeql, features, logger);
+        const diffRangePackDir = branches
+            ? await (0, analyze_1.setupDiffInformedQueryRun)(branches, logger)
+            : undefined;
         await (0, analyze_1.warnIfGoInstalledAfterInit)(config, logger);
         await runAutobuildIfLegacyGoWorkflow(config, logger);
         dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, codeql, config, logger);
@@ -239,7 +240,7 @@ async function run() {
         }
         else if (uploadResult !== undefined &&
             actionsUtil.getRequiredInput("wait-for-processing") === "true") {
-            await uploadLib.waitForProcessing((0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), uploadResult.sarifID, (0, logging_1.getActionsLogger)());
+            await uploadLib.waitForProcessing((0, repository_1.getRepositoryNwo)(), uploadResult.sarifID, (0, logging_1.getActionsLogger)());
         }
         // If we did not throw an error yet here, but we expect one, throw it.
         if (actionsUtil.getOptionalInput("expect-error") === "true") {

lib/analyze.js

@@ -54,15 +54,16 @@ const actionsUtil = __importStar(require("./actions-util"));
 const api_client_1 = require("./api-client");
 const autobuild_1 = require("./autobuild");
 const codeql_1 = require("./codeql");
+const dependency_caching_1 = require("./dependency-caching");
 const diagnostics_1 = require("./diagnostics");
-const diff_filtering_utils_1 = require("./diff-filtering-utils");
+const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
 const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
+const repository_1 = require("./repository");
 const tools_features_1 = require("./tools-features");
 const tracer_config_1 = require("./tracer-config");
-const upload_lib_1 = require("./upload-lib");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
 class CodeQLAnalysisError extends Error {
@@ -102,6 +103,14 @@ async function runExtraction(codeql, config, logger) {
                     config.buildMode === util_1.BuildMode.Autobuild) {
                     await (0, autobuild_1.setupCppAutobuild)(codeql, logger);
                 }
+                // The Java `build-mode: none` extractor places dependencies (.jar files) in the
+                // database scratch directory by default. For dependency caching purposes, we want
+                // a stable path that caches can be restored into and that we can cache at the
+                // end of the workflow (i.e. that does not get removed when the scratch directory is).
+                if (language === languages_1.Language.java && config.buildMode === util_1.BuildMode.None) {
+                    process.env["CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_DEPENDENCY_DIR"] =
+                        (0, dependency_caching_1.getJavaTempDependencyDir)();
+                }
                 await codeql.extractUsingBuildMode(config, language);
             }
             else {
@@ -152,21 +161,13 @@ async function finalizeDatabaseCreation(codeql, config, threadsFlag, memoryFlag,
 /**
  * Set up the diff-informed analysis feature.
  *
- * @param baseRef The base branch name, used for calculating the diff range.
- * @param headLabel The label that uniquely identifies the head branch across
- * repositories, used for calculating the diff range.
- * @param codeql
- * @param logger
- * @param features
  * @returns Absolute path to the directory containing the extension pack for
  * the diff range information, or `undefined` if the feature is disabled.
  */
-async function setupDiffInformedQueryRun(baseRef, headLabel, codeql, logger, features) {
-    if (!(await features.getValue(feature_flags_1.Feature.DiffInformedQueries, codeql))) {
-        return undefined;
-    }
+async function setupDiffInformedQueryRun(branches, logger) {
     return await (0, logging_1.withGroupAsync)("Generating diff range extension pack", async () => {
-        const diffRanges = await getPullRequestEditedDiffRanges(baseRef, headLabel, logger);
+        logger.info(`Calculating diff ranges for ${branches.base}...${branches.head}`);
+        const diffRanges = await getPullRequestEditedDiffRanges(branches, logger);
         const packDir = writeDiffRangeDataExtensionPack(logger, diffRanges);
         if (packDir === undefined) {
             logger.warning("Cannot create diff range extension pack for diff-informed queries; " +
@@ -181,17 +182,15 @@ async function setupDiffInformedQueryRun(baseRef, headLabel, codeql, logger, fea
 /**
  * Return the file line ranges that were added or modified in the pull request.
  *
- * @param baseRef The base branch name, used for calculating the diff range.
- * @param headLabel The label that uniquely identifies the head branch across
- * repositories, used for calculating the diff range.
+ * @param branches The base and head branches of the pull request.
  * @param logger
  * @returns An array of tuples, where each tuple contains the absolute path of a
  * file, the start line and the end line (both 1-based and inclusive) of an
  * added or modified range in that file. Returns `undefined` if the action was
  * not triggered by a pull request or if there was an error.
  */
-async function getPullRequestEditedDiffRanges(baseRef, headLabel, logger) {
-    const fileDiffs = await getFileDiffsWithBasehead(baseRef, headLabel, logger);
+async function getPullRequestEditedDiffRanges(branches, logger) {
+    const fileDiffs = await getFileDiffsWithBasehead(branches, logger);
     if (fileDiffs === undefined) {
         return undefined;
     }
@@ -214,15 +213,15 @@ async function getPullRequestEditedDiffRanges(baseRef, headLabel, logger) {
     }
     return results;
 }
-async function getFileDiffsWithBasehead(baseRef, headLabel, logger) {
-    const ownerRepo = util.getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
-    const owner = ownerRepo[0];
-    const repo = ownerRepo[1];
-    const basehead = `${baseRef}...${headLabel}`;
+async function getFileDiffsWithBasehead(branches, logger) {
+    // Check CODE_SCANNING_REPOSITORY first. If it is empty or not set, fall back
+    // to GITHUB_REPOSITORY.
+    const repositoryNwo = (0, repository_1.getRepositoryNwoFromEnv)("CODE_SCANNING_REPOSITORY", "GITHUB_REPOSITORY");
+    const basehead = `${branches.base}...${branches.head}`;
     try {
         const response = await (0, api_client_1.getApiClient)().rest.repos.compareCommitsWithBasehead({
-            owner,
-            repo,
+            owner: repositoryNwo.owner,
+            repo: repositoryNwo.repo,
             basehead,
             per_page: 1,
         });
@@ -334,8 +333,21 @@ function writeDiffRangeDataExtensionPack(logger, ranges) {
     if (ranges === undefined) {
         return undefined;
     }
+    if (ranges.length === 0) {
+        // An empty diff range means that there are no added or modified lines in
+        // the pull request. But the `restrictAlertsTo` extensible predicate
+        // interprets an empty data extension differently, as an indication that
+        // all alerts should be included. So we need to specifically set the diff
+        // range to a non-empty list that cannot match any alert location.
+        ranges = [{ path: "", startLine: 0, endLine: 0 }];
+    }
     const diffRangeDir = path.join(actionsUtil.getTemporaryDirectory(), "pr-diff-range");
-    fs.mkdirSync(diffRangeDir);
+    // We expect the Actions temporary directory to already exist, so are mainly
+    // using `recursive: true` to avoid errors if the directory already exists,
+    // for example if the analyze Action is run multiple times in the same job.
+    // This is not really something that is supported, but we make use of it in
+    // tests.
+    fs.mkdirSync(diffRangeDir, { recursive: true });
     fs.writeFileSync(path.join(diffRangeDir, "qlpack.yml"), `
 name: codeql-action/pr-diff-range
 version: 0.0.0
@@ -350,6 +362,7 @@ extensions:
   - addsTo:
       pack: codeql/util
       extensible: restrictAlertsTo
+      checkPresence: false
     data:
 `;
     let data = ranges
@@ -371,7 +384,7 @@ extensions:
     logger.debug(`Wrote pr-diff-range extension pack to ${extensionFilePath}:\n${extensionContents}`);
     // Write the diff ranges to a JSON file, for action-side alert filtering by the
     // upload-lib module.
-    (0, diff_filtering_utils_1.writeDiffRangesJsonFile)(logger, ranges);
+    (0, diff_informed_analysis_utils_1.writeDiffRangesJsonFile)(logger, ranges);
     return diffRangeDir;
 }
 // Runs queries and creates sarif files in the given folder
@@ -415,7 +428,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
             logger.endGroup();
             logger.info(analysisSummary);
             if (await features.getValue(feature_flags_1.Feature.QaTelemetryEnabled)) {
-                const perQueryAlertCounts = getPerQueryAlertCounts(sarifFile, logger);
+                const perQueryAlertCounts = getPerQueryAlertCounts(sarifFile);
                 const perQueryAlertCountEventReport = {
                     event: "codeql database interpret-results",
                     started_at: startTimeInterpretResults.toISOString(),
@@ -443,8 +456,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
         return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", sarifRunPropertyFlag, automationDetailsId, config, features);
     }
     /** Get an object with all queries and their counts parsed from a SARIF file path. */
-    function getPerQueryAlertCounts(sarifPath, log) {
-        (0, upload_lib_1.validateSarifFileSchema)(sarifPath, log);
+    function getPerQueryAlertCounts(sarifPath) {
         const sarifObject = JSON.parse(fs.readFileSync(sarifPath, "utf8"));
         // We do not need to compute fingerprints because we are not sending data based off of locations.
         // Generate the query: alert count object

lib/api-client.js

@@ -122,14 +122,12 @@ async function getGitHubVersion() {
  * Get the path of the currently executing workflow relative to the repository root.
  */
 async function getWorkflowRelativePath() {
-    const repo_nwo = (0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY").split("/");
-    const owner = repo_nwo[0];
-    const repo = repo_nwo[1];
+    const repo_nwo = (0, repository_1.getRepositoryNwo)();
     const run_id = Number((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"));
     const apiClient = getApiClient();
     const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true", {
-        owner,
-        repo,
+        owner: repo_nwo.owner,
+        repo: repo_nwo.repo,
         run_id,
     });
     const workflowUrl = runsResponse.data.workflow_url;
@@ -187,7 +185,7 @@ function computeAutomationID(analysis_key, environment) {
 }
 /** List all Actions cache entries matching the provided key and ref. */
 async function listActionsCaches(key, ref) {
-    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    const repositoryNwo = (0, repository_1.getRepositoryNwo)();
     return await getApiClient().paginate("GET /repos/{owner}/{repo}/actions/caches", {
         owner: repositoryNwo.owner,
         repo: repositoryNwo.repo,
@@ -197,7 +195,7 @@ async function listActionsCaches(key, ref) {
 }
 /** Delete an Actions cache item by its ID. */
 async function deleteActionsCache(id) {
-    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    const repositoryNwo = (0, repository_1.getRepositoryNwo)();
     await getApiClient().rest.actions.deleteActionsCacheById({
         owner: repositoryNwo.owner,
         repo: repositoryNwo.repo,
@@ -208,9 +206,14 @@ function wrapApiConfigurationError(e) {
     if ((0, util_1.isHTTPError)(e)) {
         if (e.message.includes("API rate limit exceeded for installation") ||
             e.message.includes("commit not found") ||
-            /^ref .* not found in this repository$/.test(e.message)) {
+            e.message.includes("Resource not accessible by integration") ||
+            /ref .* not found in this repository/.test(e.message)) {
             return new util_1.ConfigurationError(e.message);
         }
+        else if (e.message.includes("Bad credentials") ||
+            e.message.includes("Not Found")) {
+            return new util_1.ConfigurationError("Please check that your token is valid and has the required permissions: contents: read, security-events: write");
+        }
     }
     return e;
 }

lib/api-client.test.js

@@ -120,4 +120,40 @@ function mockGetMetaVersionHeader(versionHeader) {
     });
     t.deepEqual({ type: util.GitHubVariant.GHE_DOTCOM }, gheDotcom);
 });
+(0, ava_1.default)("wrapApiConfigurationError correctly wraps specific configuration errors", (t) => {
+    // We don't reclassify arbitrary errors
+    const arbitraryError = new Error("arbitrary error");
+    let res = api.wrapApiConfigurationError(arbitraryError);
+    t.is(res, arbitraryError);
+    // Same goes for arbitrary errors
+    const configError = new util.ConfigurationError("arbitrary error");
+    res = api.wrapApiConfigurationError(configError);
+    t.is(res, configError);
+    // If an HTTP error doesn't contain a specific error message, we don't
+    // wrap is an an API error.
+    const httpError = new util.HTTPError("arbitrary HTTP error", 456);
+    res = api.wrapApiConfigurationError(httpError);
+    t.is(res, httpError);
+    // For other HTTP errors, we wrap them as Configuration errors if they contain
+    // specific error messages.
+    const httpNotFoundError = new util.HTTPError("commit not found", 404);
+    res = api.wrapApiConfigurationError(httpNotFoundError);
+    t.deepEqual(res, new util.ConfigurationError("commit not found"));
+    const refNotFoundError = new util.HTTPError("ref 'refs/heads/jitsi' not found in this repository - https://docs.github.com/rest", 404);
+    res = api.wrapApiConfigurationError(refNotFoundError);
+    t.deepEqual(res, new util.ConfigurationError("ref 'refs/heads/jitsi' not found in this repository - https://docs.github.com/rest"));
+    const apiRateLimitError = new util.HTTPError("API rate limit exceeded for installation", 403);
+    res = api.wrapApiConfigurationError(apiRateLimitError);
+    t.deepEqual(res, new util.ConfigurationError("API rate limit exceeded for installation"));
+    const tokenSuggestionMessage = "Please check that your token is valid and has the required permissions: contents: read, security-events: write";
+    const badCredentialsError = new util.HTTPError("Bad credentials", 401);
+    res = api.wrapApiConfigurationError(badCredentialsError);
+    t.deepEqual(res, new util.ConfigurationError(tokenSuggestionMessage));
+    const notFoundError = new util.HTTPError("Not Found", 404);
+    res = api.wrapApiConfigurationError(notFoundError);
+    t.deepEqual(res, new util.ConfigurationError(tokenSuggestionMessage));
+    const resourceNotAccessibleError = new util.HTTPError("Resource not accessible by integration", 403);
+    res = api.wrapApiConfigurationError(resourceNotAccessibleError);
+    t.deepEqual(res, new util.ConfigurationError("Resource not accessible by integration"));
+});
 //# sourceMappingURL=api-client.test.js.map

lib/api-compatibility.json

@@ -1 +1 @@
-{ "maximumVersion": "3.17", "minimumVersion": "3.12" }
+{ "maximumVersion": "3.18", "minimumVersion": "3.13" }

lib/autobuild.js

@@ -123,7 +123,7 @@ async function setupCppAutobuild(codeql, logger) {
     const envVar = feature_flags_1.featureConfig[feature_flags_1.Feature.CppDependencyInstallation].envVar;
     const featureName = "C++ automatic installation of dependencies";
     const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
-    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    const repositoryNwo = (0, repository_1.getRepositoryNwo)();
     const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
     if (await features.getValue(feature_flags_1.Feature.CppDependencyInstallation, codeql)) {
         // disable autoinstall on self-hosted runners unless explicitly requested

lib/autobuild.js.map

@@ -1 +1 @@
-{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAeA,kEAkGC;AAED,8CAqCC;AAED,oCAsBC;AAhLD,oDAAsC;AAEtC,iDAA6E;AAC7E,6CAAgD;AAChD,qCAA6C;AAE7C,uCAAmC;AACnC,+CAAuC;AACvC,mDAAmE;AACnE,2CAAyD;AAEzD,6CAAkD;AAClD,qDAAgD;AAChD,iCAAwD;AAEjD,KAAK,UAAU,2BAA2B,CAC/C,MAAc,EACd,MAA0B,EAC1B,MAAc;IAEd,IACE,CAAC,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,IAAI;QAClC,CAAC,MAAM,MAAM,CAAC,eAAe,CAAC,6BAAY,CAAC,wBAAwB,CAAC,CAAC,CAAC;QACxE,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,MAAM,EACrC,CAAC;QACD,MAAM,CAAC,IAAI,CACT,qBAAqB,MAAM,CAAC,SAAS,2BAA2B;YAC9D,OAAO,gBAAM,CAAC,kBAAkB,wBAAwB,CAC3D,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,oBAAQ,CAAC,EAAE,CACzB,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;QACjD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE,CAAC;QACrE,SAAS,CAAC,IAAI,CAAC,oBAAQ,CAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,OAAO,gBAAM,CAAC,4BAA4B,wBAAwB,CACrE,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,6BAAa,CAAC,uBAAO,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC;IACvE,MAAM,WAAW,GAAG,4CAA4C,CAAC;IACjE,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IACF,IAAI,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,EAAE,CAAC;QACvE,yEAAyE;QACzE,IACE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,aAAa;YACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,MAAM,EAC9B,CAAC;YACD,MAAM,CAAC,IAAI,CACT,aAAa,WAAW,sCACtB,IAAA,mCAAoB,GAAE,KAAK,SAAS;gBAClC,CAAC,CAAC,8BAA8B,MAAM,yDAAyD,gBAAM,CAAC,oBAAoB,wBAAwB;gBAClJ,CAAC,CAAC,EACN,EAAE,CACH,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CACT,YAAY,WAAW,yCAAyC,MAAM,yCAAyC,gBAAM,CAAC,oBAAoB,wBAAwB,CACnK,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,aAAa,WAAW,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,YAAY,CAChC,MAA0B,EAC1B,QAAkB,EAClB,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IACE,MAAM,CAAC,SAAS;QAChB,CAAC,MAAM,MAAM,CAAC,eAAe,CAAC,6BAAY,CAAC,wBAAwB,CAAC,CAAC,EACrE,CAAC;QACD,MAAM,MAAM,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvD,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC"}
+{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAeA,kEAkGC;AAED,8CAmCC;AAED,oCAsBC;AA9KD,oDAAsC;AAEtC,iDAA6E;AAC7E,6CAAgD;AAChD,qCAA6C;AAE7C,uCAAmC;AACnC,+CAAuC;AACvC,mDAAmE;AACnE,2CAAyD;AAEzD,6CAAgD;AAChD,qDAAgD;AAChD,iCAAmC;AAE5B,KAAK,UAAU,2BAA2B,CAC/C,MAAc,EACd,MAA0B,EAC1B,MAAc;IAEd,IACE,CAAC,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,IAAI;QAClC,CAAC,MAAM,MAAM,CAAC,eAAe,CAAC,6BAAY,CAAC,wBAAwB,CAAC,CAAC,CAAC;QACxE,MAAM,CAAC,SAAS,KAAK,gBAAS,CAAC,MAAM,EACrC,CAAC;QACD,MAAM,CAAC,IAAI,CACT,qBAAqB,MAAM,CAAC,SAAS,2BAA2B;YAC9D,OAAO,gBAAM,CAAC,kBAAkB,wBAAwB,CAC3D,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,oBAAQ,CAAC,EAAE,CACzB,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;QACjD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE,CAAC;QACrE,SAAS,CAAC,IAAI,CAAC,oBAAQ,CAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,OAAO,gBAAM,CAAC,4BAA4B,wBAAwB,CACrE,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,6BAAa,CAAC,uBAAO,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC;IACvE,MAAM,WAAW,GAAG,4CAA4C,CAAC;IACjE,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAA,6BAAgB,GAAE,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IACF,IAAI,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,EAAE,CAAC;QACvE,yEAAyE;QACzE,IACE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,aAAa;YACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,MAAM,EAC9B,CAAC;YACD,MAAM,CAAC,IAAI,CACT,aAAa,WAAW,sCACtB,IAAA,mCAAoB,GAAE,KAAK,SAAS;gBAClC,CAAC,CAAC,8BAA8B,MAAM,yDAAyD,gBAAM,CAAC,oBAAoB,wBAAwB;gBAClJ,CAAC,CAAC,EACN,EAAE,CACH,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CACT,YAAY,WAAW,yCAAyC,MAAM,yCAAyC,gBAAM,CAAC,oBAAoB,wBAAwB,CACnK,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,aAAa,WAAW,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,YAAY,CAChC,MAA0B,EAC1B,QAAkB,EAClB,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,GAAG,EAAE,CAAC;QAC9B,MAAM,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IACE,MAAM,CAAC,SAAS;QAChB,CAAC,MAAM,MAAM,CAAC,eAAe,CAAC,6BAAY,CAAC,wBAAwB,CAAC,CAAC,EACrE,CAAC;QACD,MAAM,MAAM,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvD,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC"}

lib/codeql.js

@@ -54,7 +54,6 @@ const doc_url_1 = require("./doc-url");
 const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
 const git_utils_1 = require("./git-utils");
-const languages_1 = require("./languages");
 const overlay_database_utils_1 = require("./overlay-database-utils");
 const setupCodeql = __importStar(require("./setup-codeql"));
 const tools_features_1 = require("./tools-features");
@@ -78,15 +77,15 @@ const CODEQL_MINIMUM_VERSION = "2.15.5";
 /**
  * This version will shortly become the oldest version of CodeQL that the Action will run with.
  */
-const CODEQL_NEXT_MINIMUM_VERSION = "2.15.5";
+const CODEQL_NEXT_MINIMUM_VERSION = "2.16.6";
 /**
  * This is the version of GHES that was most recently deprecated.
  */
-const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.11";
+const GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.12";
 /**
  * This is the deprecation date for the version of GHES that was most recently deprecated.
  */
-const GHES_MOST_RECENT_DEPRECATION_DATE = "2024-12-19";
+const GHES_MOST_RECENT_DEPRECATION_DATE = "2025-04-03";
 /** The CLI verbosity level to use for extraction in debug mode. */
 const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
 /*
@@ -262,19 +261,6 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 extraArgs.push(...(await getTrapCachingExtractorConfigArgs(config)));
                 extraArgs.push(`--trace-process-name=${processName}`);
             }
-            if (config.languages.indexOf(languages_1.Language.actions) >= 0) {
-                // We originally added an embedded version of the Actions extractor to the CodeQL Action
-                // itself in order to deploy the extractor between CodeQL releases. When we did add the
-                // extractor to the CLI, though, its autobuild script was missing the execute bit.
-                // 2.20.6 is the first CLI release with the fully-functional extractor in the CLI. For older
-                // versions, we'll keep using the embedded extractor. We can remove the embedded extractor
-                // once 2.20.6 is deployed in the runner images.
-                if (!(await util.codeQlVersionAtLeast(codeql, "2.20.6"))) {
-                    extraArgs.push("--search-path");
-                    const extractorPath = path.resolve(__dirname, "../actions-extractor");
-                    extraArgs.push(extractorPath);
-                }
-            }
             const codeScanningConfigFile = await generateCodeScanningConfig(config, logger);
             const externalRepositoryToken = (0, actions_util_1.getOptionalInput)("external-repository-token");
             extraArgs.push(`--codescanning-config=${codeScanningConfigFile}`);
@@ -292,7 +278,8 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 ? "--force-overwrite"
                 : "--overwrite";
             if (overlayDatabaseMode === overlay_database_utils_1.OverlayDatabaseMode.Overlay) {
-                extraArgs.push("--overlay");
+                const overlayChangesFile = await (0, overlay_database_utils_1.writeOverlayChangesFile)(config, sourceRoot, logger);
+                extraArgs.push(`--overlay-changes=${overlayChangesFile}`);
             }
             else if (overlayDatabaseMode === overlay_database_utils_1.OverlayDatabaseMode.OverlayBase) {
                 extraArgs.push("--overlay-base");
@@ -314,6 +301,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                     ignoringOptions: ["--overwrite"],
                 }),
             ], { stdin: externalRepositoryToken });
+            if (overlayDatabaseMode === overlay_database_utils_1.OverlayDatabaseMode.OverlayBase) {
+                await (0, overlay_database_utils_1.writeBaseDatabaseOidsFile)(config, sourceRoot);
+            }
         },
         async runAutobuild(config, language) {
             applyAutobuildAzurePipelinesTimeoutFix();
@@ -805,6 +795,13 @@ async function generateCodeScanningConfig(config, logger) {
     if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) {
         delete augmentedConfig.packs;
     }
+    augmentedConfig["query-filters"] = [
+        ...(config.augmentationProperties.defaultQueryFilters || []),
+        ...(augmentedConfig["query-filters"] || []),
+    ];
+    if (augmentedConfig["query-filters"]?.length === 0) {
+        delete augmentedConfig["query-filters"];
+    }
     logger.info(`Writing augmented user configuration file to ${codeScanningConfigFile}`);
     logger.startGroup("Augmented user configuration file contents");
     logger.info(yaml.dump(augmentedConfig));

lib/config-utils.js

@@ -64,6 +64,7 @@ const yaml = __importStar(require("js-yaml"));
 const semver = __importStar(require("semver"));
 const api = __importStar(require("./api-client"));
 const caching_utils_1 = require("./caching-utils");
+const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const trap_caching_1 = require("./trap-caching");
@@ -79,6 +80,7 @@ exports.defaultAugmentationProperties = {
     packsInputCombines: false,
     packsInput: undefined,
     queriesInput: undefined,
+    defaultQueryFilters: [],
 };
 function getPacksStrInvalid(packStr, configFile) {
     return configFile
@@ -227,7 +229,7 @@ async function getRawLanguages(languagesInput, repository, logger) {
 async function getDefaultConfig({ languagesInput, queriesInput, packsInput, buildModeInput, dbLocation, trapCachingEnabled, dependencyCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeql, githubVersion, features, logger, }) {
     const languages = await getLanguages(codeql, languagesInput, repository, logger);
     const buildMode = await parseBuildModeInput(buildModeInput, languages, features, logger);
-    const augmentationProperties = calculateAugmentation(packsInput, queriesInput, languages);
+    const augmentationProperties = await calculateAugmentation(codeql, features, packsInput, queriesInput, languages, logger);
     const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(trapCachingEnabled, codeql, languages, logger);
     return {
         languages,
@@ -277,7 +279,7 @@ async function loadConfig({ languagesInput, queriesInput, packsInput, buildModeI
     }
     const languages = await getLanguages(codeql, languagesInput, repository, logger);
     const buildMode = await parseBuildModeInput(buildModeInput, languages, features, logger);
-    const augmentationProperties = calculateAugmentation(packsInput, queriesInput, languages);
+    const augmentationProperties = await calculateAugmentation(codeql, features, packsInput, queriesInput, languages, logger);
     const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(trapCachingEnabled, codeql, languages, logger);
     return {
         languages,
@@ -303,11 +305,14 @@ async function loadConfig({ languagesInput, queriesInput, packsInput, buildModeI
  * and the CLI does not know about these inputs so we need to inject them into
  * the config file sent to the CLI.
  *
+ * @param codeql The CodeQL object.
+ * @param features The feature enablement object.
  * @param rawPacksInput The packs input from the action configuration.
  * @param rawQueriesInput The queries input from the action configuration.
  * @param languages The languages that the config file is for. If the packs input
  *    is non-empty, then there must be exactly one language. Otherwise, an
  *    error is thrown.
+ * @param logger The logger to use for logging.
  *
  * @returns The properties that need to be augmented in the config file.
  *
@@ -315,16 +320,21 @@ async function loadConfig({ languagesInput, queriesInput, packsInput, buildModeI
  *     not have exactly one language.
  */
 // exported for testing.
-function calculateAugmentation(rawPacksInput, rawQueriesInput, languages) {
+async function calculateAugmentation(codeql, features, rawPacksInput, rawQueriesInput, languages, logger) {
     const packsInputCombines = shouldCombine(rawPacksInput);
     const packsInput = parsePacksFromInput(rawPacksInput, languages, packsInputCombines);
     const queriesInputCombines = shouldCombine(rawQueriesInput);
     const queriesInput = parseQueriesFromInput(rawQueriesInput, queriesInputCombines);
+    const defaultQueryFilters = [];
+    if (await (0, diff_informed_analysis_utils_1.shouldPerformDiffInformedAnalysis)(codeql, features, logger)) {
+        defaultQueryFilters.push({ exclude: { tags: "exclude-from-incremental" } });
+    }
     return {
         packsInputCombines,
         packsInput: packsInput?.[languages[0]],
         queriesInput,
         queriesInputCombines,
+        defaultQueryFilters,
     };
 }
 function parseQueriesFromInput(rawQueriesInput, queriesInputCombines) {

lib/config-utils.test.js

@@ -624,7 +624,7 @@ const packSpecPrettyPrintingMacro = ava_1.default.macro({
 const mockLogger = (0, logging_1.getRunnerLogger)(true);
 const calculateAugmentationMacro = ava_1.default.macro({
     exec: async (t, _title, rawPacksInput, rawQueriesInput, languages, expectedAugmentationProperties) => {
-        const actualAugmentationProperties = configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, languages);
+        const actualAugmentationProperties = await configUtils.calculateAugmentation((0, codeql_1.getCachedCodeQL)(), (0, testing_utils_1.createFeatures)([]), rawPacksInput, rawQueriesInput, languages, mockLogger);
         t.deepEqual(actualAugmentationProperties, expectedAugmentationProperties);
     },
     title: (_, title) => `Calculate Augmentation: ${title}`,
@@ -634,34 +634,39 @@ const calculateAugmentationMacro = ava_1.default.macro({
     queriesInput: undefined,
     packsInputCombines: false,
     packsInput: undefined,
+    defaultQueryFilters: [],
 });
 (0, ava_1.default)(calculateAugmentationMacro, "With queries", undefined, " a, b , c, d", [languages_1.Language.javascript], {
     queriesInputCombines: false,
     queriesInput: [{ uses: "a" }, { uses: "b" }, { uses: "c" }, { uses: "d" }],
     packsInputCombines: false,
     packsInput: undefined,
+    defaultQueryFilters: [],
 });
 (0, ava_1.default)(calculateAugmentationMacro, "With queries combining", undefined, "   +   a, b , c, d ", [languages_1.Language.javascript], {
     queriesInputCombines: true,
     queriesInput: [{ uses: "a" }, { uses: "b" }, { uses: "c" }, { uses: "d" }],
     packsInputCombines: false,
     packsInput: undefined,
+    defaultQueryFilters: [],
 });
 (0, ava_1.default)(calculateAugmentationMacro, "With packs", "   codeql/a , codeql/b   , codeql/c  , codeql/d  ", undefined, [languages_1.Language.javascript], {
     queriesInputCombines: false,
     queriesInput: undefined,
     packsInputCombines: false,
     packsInput: ["codeql/a", "codeql/b", "codeql/c", "codeql/d"],
+    defaultQueryFilters: [],
 });
 (0, ava_1.default)(calculateAugmentationMacro, "With packs combining", "   +   codeql/a, codeql/b, codeql/c, codeql/d", undefined, [languages_1.Language.javascript], {
     queriesInputCombines: false,
     queriesInput: undefined,
     packsInputCombines: true,
     packsInput: ["codeql/a", "codeql/b", "codeql/c", "codeql/d"],
+    defaultQueryFilters: [],
 });
 const calculateAugmentationErrorMacro = ava_1.default.macro({
     exec: async (t, _title, rawPacksInput, rawQueriesInput, languages, expectedError) => {
-        t.throws(() => configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, languages), { message: expectedError });
+        await t.throwsAsync(() => configUtils.calculateAugmentation((0, codeql_1.getCachedCodeQL)(), (0, testing_utils_1.createFeatures)([]), rawPacksInput, rawQueriesInput, languages, mockLogger), { message: expectedError });
     },
     title: (_, title) => `Calculate Augmentation Error: ${title}`,
 });

lib/debug-artifacts.js

@@ -46,7 +46,7 @@ const path = __importStar(require("path"));
 const artifact = __importStar(require("@actions/artifact"));
 const artifactLegacy = __importStar(require("@actions/artifact-legacy"));
 const core = __importStar(require("@actions/core"));
-const adm_zip_1 = __importDefault(require("adm-zip"));
+const archiver_1 = __importDefault(require("archiver"));
 const del_1 = __importDefault(require("del"));
 const actions_util_1 = require("./actions-util");
 const analyze_1 = require("./analyze");
@@ -56,7 +56,7 @@ const logging_1 = require("./logging");
 const tools_features_1 = require("./tools-features");
 const util_1 = require("./util");
 function sanitizeArtifactName(name) {
-    return name.replace(/[^a-zA-Z0-9_\\-]+/g, "");
+    return name.replace(/[^a-zA-Z0-9_-]+/g, "");
 }
 /**
  * Upload Actions SARIF artifacts for debugging when CODEQL_ACTION_DEBUG_COMBINED_SARIF
@@ -250,9 +250,20 @@ async function createPartialDatabaseBundle(config, language) {
     if (fs.existsSync(databaseBundlePath)) {
         await (0, del_1.default)(databaseBundlePath, { force: true });
     }
-    const zip = new adm_zip_1.default();
-    zip.addLocalFolder(databasePath);
-    zip.writeZip(databaseBundlePath);
+    const output = fs.createWriteStream(databaseBundlePath);
+    const zip = (0, archiver_1.default)("zip");
+    zip.on("error", (err) => {
+        throw err;
+    });
+    zip.on("warning", (err) => {
+        // Ignore ENOENT warnings. There's nothing anyone can do about it.
+        if (err.code !== "ENOENT") {
+            throw err;
+        }
+    });
+    zip.pipe(output);
+    zip.directory(databasePath, false);
+    await zip.finalize();
     return databaseBundlePath;
 }
 /**

lib/debug-artifacts.test.js

@@ -45,6 +45,7 @@ const util_1 = require("./util");
     t.deepEqual(debugArtifacts.sanitizeArtifactName("hello`world`"), "helloworld");
     t.deepEqual(debugArtifacts.sanitizeArtifactName("hello===123"), "hello123");
     t.deepEqual(debugArtifacts.sanitizeArtifactName("*m)a&n^y%i££n+v!a:l[i]d"), "manyinvalid");
+    t.deepEqual(debugArtifacts.sanitizeArtifactName("\\foo\\bar//baz"), "foobarbaz");
 });
 // These next tests check the correctness of the logic to determine whether or not
 // artifacts are uploaded in debug mode. Since it's not easy to mock the actual

lib/debug-artifacts.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AACpD,uCAA6C;AAC7C,iCAAuC;AAEvC,IAAA,aAAI,EAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;IACjC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,YAAY,CACb,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,EAC9D,aAAa,CACd,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,kFAAkF;AAClF,+EAA+E;AAC/E,mFAAmF;AACnF,8CAA8C;AAC9C,EAAE;AACF,oFAAoF;AACpF,8BAA8B;AAE9B,IAAA,aAAI,EAAC,gFAAgF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACjG,2DAA2D;IAC3D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,EAAE,EACF,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,SAAS,CACV,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,wBAAwB,EACxB,wCAAwC,CACzC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mFAAmF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpG,sCAAsC;IACtC,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,SAAS,CACV,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ;QACR,8FAA8F;QAC9F,eAAe,EACf,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oFAAoF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrG,sCAAsC;IACtC,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,QAAQ,CACT,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ;QACR,8FAA8F;QAC9F,eAAe,EACf,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sFAAsF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvG,0CAA0C;IAC1C,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,QAAQ,CACT,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,sBAAsB,EACtB,sEAAsE,CACvE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"debug-artifacts.test.js","sourceRoot":"","sources":["../src/debug-artifacts.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8CAAuB;AAEvB,kEAAoD;AACpD,uCAA6C;AAC7C,iCAAuC;AAEvC,IAAA,aAAI,EAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE;IACjC,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,cAAc,CACf,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,cAAc,CAAC,EACnD,YAAY,CACb,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,oBAAoB,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC,CAAC;IAC5E,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,yBAAyB,CAAC,EAC9D,aAAa,CACd,CAAC;IACF,CAAC,CAAC,SAAS,CACT,cAAc,CAAC,oBAAoB,CAAC,iBAAiB,CAAC,EACtD,WAAW,CACZ,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,kFAAkF;AAClF,+EAA+E;AAC/E,mFAAmF;AACnF,8CAA8C;AAC9C,EAAE;AACF,oFAAoF;AACpF,8BAA8B;AAE9B,IAAA,aAAI,EAAC,gFAAgF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACjG,2DAA2D;IAC3D,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,EAAE,EACF,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,SAAS,CACV,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,wBAAwB,EACxB,wCAAwC,CACzC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mFAAmF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACpG,sCAAsC;IACtC,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,SAAS,CACV,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ;QACR,8FAA8F;QAC9F,eAAe,EACf,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oFAAoF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrG,sCAAsC;IACtC,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,QAAQ,CACT,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ;QACR,8FAA8F;QAC9F,eAAe,EACf,kEAAkE,CACnE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,sFAAsF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACvG,0CAA0C;IAC1C,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,CAAC,CAAC,cAAc,CAAC,KAAK,IAAI,EAAE;QAChC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,oBAAoB,CACxD,MAAM,EACN,CAAC,SAAS,CAAC,EACX,cAAc,EACd,cAAc,EACd,oBAAa,CAAC,MAAM,EACpB,QAAQ,CACT,CAAC;QACF,CAAC,CAAC,EAAE,CACF,QAAQ,EACR,sBAAsB,EACtB,sEAAsE,CACvE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.20.6",
-    "cliVersion": "2.20.6",
-    "priorBundleVersion": "codeql-bundle-v2.20.5",
-    "priorCliVersion": "2.20.5"
+    "bundleVersion": "codeql-bundle-v2.21.4",
+    "cliVersion": "2.21.4",
+    "priorBundleVersion": "codeql-bundle-v2.21.3",
+    "priorCliVersion": "2.21.3"
 }

lib/dependency-caching.js

@@ -33,54 +33,68 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.getJavaTempDependencyDir = getJavaTempDependencyDir;
 exports.downloadDependencyCaches = downloadDependencyCaches;
 exports.uploadDependencyCaches = uploadDependencyCaches;
 const os = __importStar(require("os"));
 const path_1 = require("path");
 const actionsCache = __importStar(require("@actions/cache"));
 const glob = __importStar(require("@actions/glob"));
+const actions_util_1 = require("./actions-util");
 const caching_utils_1 = require("./caching-utils");
 const environment_1 = require("./environment");
 const util_1 = require("./util");
 const CODEQL_DEPENDENCY_CACHE_PREFIX = "codeql-dependencies";
 const CODEQL_DEPENDENCY_CACHE_VERSION = 1;
+/**
+ * Returns a path to a directory intended to be used to store .jar files
+ * for the Java `build-mode: none` extractor.
+ * @returns The path to the directory that should be used by the `build-mode: none` extractor.
+ */
+function getJavaTempDependencyDir() {
+    return (0, path_1.join)((0, actions_util_1.getTemporaryDirectory)(), "codeql_java", "repository");
+}
 /**
  * Default caching configurations per language.
  */
-const CODEQL_DEFAULT_CACHE_CONFIG = {
-    java: {
-        paths: [
-            // Maven
-            (0, path_1.join)(os.homedir(), ".m2", "repository"),
-            // Gradle
-            (0, path_1.join)(os.homedir(), ".gradle", "caches"),
-        ],
-        hash: [
-            // Maven
-            "**/pom.xml",
-            // Gradle
-            "**/*.gradle*",
-            "**/gradle-wrapper.properties",
-            "buildSrc/**/Versions.kt",
-            "buildSrc/**/Dependencies.kt",
-            "gradle/*.versions.toml",
-            "**/versions.properties",
-        ],
-    },
-    csharp: {
-        paths: [(0, path_1.join)(os.homedir(), ".nuget", "packages")],
-        hash: [
-            // NuGet
-            "**/packages.lock.json",
-            // Paket
-            "**/paket.lock",
-        ],
-    },
-    go: {
-        paths: [(0, path_1.join)(os.homedir(), "go", "pkg", "mod")],
-        hash: ["**/go.sum"],
-    },
-};
+function getDefaultCacheConfig() {
+    return {
+        java: {
+            paths: [
+                // Maven
+                (0, path_1.join)(os.homedir(), ".m2", "repository"),
+                // Gradle
+                (0, path_1.join)(os.homedir(), ".gradle", "caches"),
+                // CodeQL Java build-mode: none
+                getJavaTempDependencyDir(),
+            ],
+            hash: [
+                // Maven
+                "**/pom.xml",
+                // Gradle
+                "**/*.gradle*",
+                "**/gradle-wrapper.properties",
+                "buildSrc/**/Versions.kt",
+                "buildSrc/**/Dependencies.kt",
+                "gradle/*.versions.toml",
+                "**/versions.properties",
+            ],
+        },
+        csharp: {
+            paths: [(0, path_1.join)(os.homedir(), ".nuget", "packages")],
+            hash: [
+                // NuGet
+                "**/packages.lock.json",
+                // Paket
+                "**/paket.lock",
+            ],
+        },
+        go: {
+            paths: [(0, path_1.join)(os.homedir(), "go", "pkg", "mod")],
+            hash: ["**/go.sum"],
+        },
+    };
+}
 async function makeGlobber(patterns) {
     return glob.create(patterns.join("\n"));
 }
@@ -94,7 +108,7 @@ async function makeGlobber(patterns) {
 async function downloadDependencyCaches(languages, logger) {
     const restoredCaches = [];
     for (const language of languages) {
-        const cacheConfig = CODEQL_DEFAULT_CACHE_CONFIG[language];
+        const cacheConfig = getDefaultCacheConfig()[language];
         if (cacheConfig === undefined) {
             logger.info(`Skipping download of dependency cache for ${language} as we have no caching configuration for it.`);
             continue;
@@ -128,7 +142,7 @@ async function downloadDependencyCaches(languages, logger) {
  */
 async function uploadDependencyCaches(config, logger) {
     for (const language of config.languages) {
-        const cacheConfig = CODEQL_DEFAULT_CACHE_CONFIG[language];
+        const cacheConfig = getDefaultCacheConfig()[language];
         if (cacheConfig === undefined) {
             logger.info(`Skipping upload of dependency cache for ${language} as we have no caching configuration for it.`);
             continue;

lib/dependency-caching.js.map

@@ -1 +1 @@
-{"version":3,"file":"dependency-caching.js","sourceRoot":"","sources":["../src/dependency-caching.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+EA,4DAmDC;AAQD,wDAiEC;AA3MD,uCAAyB;AACzB,+BAA4B;AAE5B,6DAA+C;AAC/C,oDAAsC;AAEtC,mDAAoD;AAEpD,+CAAuC;AAGvC,iCAA6C;AAgB7C,MAAM,8BAA8B,GAAG,qBAAqB,CAAC;AAC7D,MAAM,+BAA+B,GAAG,CAAC,CAAC;AAE1C;;GAEG;AACH,MAAM,2BAA2B,GAAwC;IACvE,IAAI,EAAE;QACJ,KAAK,EAAE;YACL,QAAQ;YACR,IAAA,WAAI,EAAC,EAAE,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,YAAY,CAAC;YACvC,SAAS;YACT,IAAA,WAAI,EAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC;SACxC;QACD,IAAI,EAAE;YACJ,QAAQ;YACR,YAAY;YACZ,SAAS;YACT,cAAc;YACd,8BAA8B;YAC9B,yBAAyB;YACzB,6BAA6B;YAC7B,wBAAwB;YACxB,wBAAwB;SACzB;KACF;IACD,MAAM,EAAE;QACN,KAAK,EAAE,CAAC,IAAA,WAAI,EAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjD,IAAI,EAAE;YACJ,QAAQ;YACR,uBAAuB;YACvB,QAAQ;YACR,eAAe;SAChB;KACF;IACD,EAAE,EAAE;QACF,KAAK,EAAE,CAAC,IAAA,WAAI,EAAC,EAAE,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;QAC/C,IAAI,EAAE,CAAC,WAAW,CAAC;KACpB;CACF,CAAC;AAEF,KAAK,UAAU,WAAW,CAAC,QAAkB;IAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,wBAAwB,CAC5C,SAAqB,EACrB,MAAc;IAEd,MAAM,cAAc,GAAe,EAAE,CAAC;IAEtC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,WAAW,GAAG,2BAA2B,CAAC,QAAQ,CAAC,CAAC;QAE1D,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CACT,6CAA6C,QAAQ,8CAA8C,CACpG,CAAC;YACF,SAAS;QACX,CAAC;QAED,gGAAgG;QAChG,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAEpD,IAAI,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,CAAC,IAAI,CACT,6CAA6C,QAAQ,mDAAmD,CACzG,CAAC;YACF,SAAS;QACX,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QACzD,MAAM,WAAW,GAAa,CAAC,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC;QAE5D,MAAM,CAAC,IAAI,CACT,yBAAyB,QAAQ,aAAa,UAAU,qBAAqB,WAAW,CAAC,IAAI,CAC3F,IAAI,CACL,EAAE,CACJ,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,YAAY,CAC5C,WAAW,CAAC,KAAK,EACjB,UAAU,EACV,WAAW,CACZ,CAAC;QAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,oBAAoB,MAAM,QAAQ,QAAQ,GAAG,CAAC,CAAC;YAC3D,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,+BAA+B,QAAQ,GAAG,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,sBAAsB,CAAC,MAAc,EAAE,MAAc;IACzE,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,2BAA2B,CAAC,QAAQ,CAAC,CAAC;QAE1D,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CACT,2CAA2C,QAAQ,8CAA8C,CAClG,CAAC;YACF,SAAS;QACX,CAAC;QAED,gGAAgG;QAChG,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAEpD,IAAI,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,CAAC,IAAI,CACT,2CAA2C,QAAQ,mDAAmD,CACvG,CAAC;YACF,SAAS;QACX,CAAC;QAED,yGAAyG;QACzG,uGAAuG;QACvG,uCAAuC;QACvC,uGAAuG;QACvG,uGAAuG;QACvG,sCAAsC;QACtC,uGAAuG;QACvG,sGAAsG;QACtG,sGAAsG;QACtG,4CAA4C;QAC5C,MAAM,IAAI,GAAG,MAAM,IAAA,iCAAiB,EAAC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QAEtE,iCAAiC;QACjC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CACT,2CAA2C,QAAQ,qBAAqB,CACzE,CAAC;YACF,SAAS;QACX,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QAElD,MAAM,CAAC,IAAI,CACT,2BAA2B,IAAI,QAAQ,QAAQ,aAAa,GAAG,KAAK,CACrE,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,YAAY,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,yFAAyF;YACzF,uFAAuF;YACvF,gCAAgC;YAChC,IAAI,KAAK,YAAY,YAAY,CAAC,iBAAiB,EAAE,CAAC;gBACpD,MAAM,CAAC,IAAI,CACT,2BAA2B,QAAQ,aAAa,GAAG,qBAAqB,CACzE,CAAC;gBACF,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC9B,CAAC;iBAAM,CAAC;gBACN,kCAAkC;gBAClC,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,QAAQ,CACrB,QAAkB,EAClB,WAAwB;IAExB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/D,OAAO,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,CAAC;AACjD,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,WAAW,CAAC,QAAkB;IAC3C,MAAM,QAAQ,GAAG,IAAA,0BAAmB,EAAC,WAAW,CAAC,CAAC;IAClD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,yBAAyB,CAAC,CAAC;IACnE,IAAI,MAAM,GAAG,8BAA8B,CAAC;IAE5C,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,MAAM,GAAG,GAAG,MAAM,IAAI,YAAY,EAAE,CAAC;IACvC,CAAC;IAED,OAAO,GAAG,MAAM,IAAI,+BAA+B,IAAI,QAAQ,IAAI,QAAQ,GAAG,CAAC;AACjF,CAAC"}
+{"version":3,"file":"dependency-caching.js","sourceRoot":"","sources":["../src/dependency-caching.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoCA,4DAEC;AAuDD,4DAmDC;AAQD,wDAiEC;AAzND,uCAAyB;AACzB,+BAA4B;AAE5B,6DAA+C;AAC/C,oDAAsC;AAEtC,iDAAuD;AACvD,mDAAoD;AAEpD,+CAAuC;AAGvC,iCAA6C;AAgB7C,MAAM,8BAA8B,GAAG,qBAAqB,CAAC;AAC7D,MAAM,+BAA+B,GAAG,CAAC,CAAC;AAE1C;;;;GAIG;AACH,SAAgB,wBAAwB;IACtC,OAAO,IAAA,WAAI,EAAC,IAAA,oCAAqB,GAAE,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;AACpE,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB;IAC5B,OAAO;QACL,IAAI,EAAE;YACJ,KAAK,EAAE;gBACL,QAAQ;gBACR,IAAA,WAAI,EAAC,EAAE,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,YAAY,CAAC;gBACvC,SAAS;gBACT,IAAA,WAAI,EAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC;gBACvC,+BAA+B;gBAC/B,wBAAwB,EAAE;aAC3B;YACD,IAAI,EAAE;gBACJ,QAAQ;gBACR,YAAY;gBACZ,SAAS;gBACT,cAAc;gBACd,8BAA8B;gBAC9B,yBAAyB;gBACzB,6BAA6B;gBAC7B,wBAAwB;gBACxB,wBAAwB;aACzB;SACF;QACD,MAAM,EAAE;YACN,KAAK,EAAE,CAAC,IAAA,WAAI,EAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;YACjD,IAAI,EAAE;gBACJ,QAAQ;gBACR,uBAAuB;gBACvB,QAAQ;gBACR,eAAe;aAChB;SACF;QACD,EAAE,EAAE;YACF,KAAK,EAAE,CAAC,IAAA,WAAI,EAAC,EAAE,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;YAC/C,IAAI,EAAE,CAAC,WAAW,CAAC;SACpB;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,QAAkB;IAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,wBAAwB,CAC5C,SAAqB,EACrB,MAAc;IAEd,MAAM,cAAc,GAAe,EAAE,CAAC;IAEtC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,WAAW,GAAG,qBAAqB,EAAE,CAAC,QAAQ,CAAC,CAAC;QAEtD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CACT,6CAA6C,QAAQ,8CAA8C,CACpG,CAAC;YACF,SAAS;QACX,CAAC;QAED,gGAAgG;QAChG,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAEpD,IAAI,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,CAAC,IAAI,CACT,6CAA6C,QAAQ,mDAAmD,CACzG,CAAC;YACF,SAAS;QACX,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QACzD,MAAM,WAAW,GAAa,CAAC,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC;QAE5D,MAAM,CAAC,IAAI,CACT,yBAAyB,QAAQ,aAAa,UAAU,qBAAqB,WAAW,CAAC,IAAI,CAC3F,IAAI,CACL,EAAE,CACJ,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,YAAY,CAC5C,WAAW,CAAC,KAAK,EACjB,UAAU,EACV,WAAW,CACZ,CAAC;QAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC,oBAAoB,MAAM,QAAQ,QAAQ,GAAG,CAAC,CAAC;YAC3D,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,+BAA+B,QAAQ,GAAG,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,sBAAsB,CAAC,MAAc,EAAE,MAAc;IACzE,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,qBAAqB,EAAE,CAAC,QAAQ,CAAC,CAAC;QAEtD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CACT,2CAA2C,QAAQ,8CAA8C,CAClG,CAAC;YACF,SAAS;QACX,CAAC;QAED,gGAAgG;QAChG,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAEpD,IAAI,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,CAAC,IAAI,CACT,2CAA2C,QAAQ,mDAAmD,CACvG,CAAC;YACF,SAAS;QACX,CAAC;QAED,yGAAyG;QACzG,uGAAuG;QACvG,uCAAuC;QACvC,uGAAuG;QACvG,uGAAuG;QACvG,sCAAsC;QACtC,uGAAuG;QACvG,sGAAsG;QACtG,sGAAsG;QACtG,4CAA4C;QAC5C,MAAM,IAAI,GAAG,MAAM,IAAA,iCAAiB,EAAC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QAEtE,iCAAiC;QACjC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CACT,2CAA2C,QAAQ,qBAAqB,CACzE,CAAC;YACF,SAAS;QACX,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QAElD,MAAM,CAAC,IAAI,CACT,2BAA2B,IAAI,QAAQ,QAAQ,aAAa,GAAG,KAAK,CACrE,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,YAAY,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,yFAAyF;YACzF,uFAAuF;YACvF,gCAAgC;YAChC,IAAI,KAAK,YAAY,YAAY,CAAC,iBAAiB,EAAE,CAAC;gBACpD,MAAM,CAAC,IAAI,CACT,2BAA2B,QAAQ,aAAa,GAAG,qBAAqB,CACzE,CAAC;gBACF,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC9B,CAAC;iBAAM,CAAC;gBACN,kCAAkC;gBAClC,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,QAAQ,CACrB,QAAkB,EAClB,WAAwB;IAExB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/D,OAAO,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,CAAC;AACjD,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,WAAW,CAAC,QAAkB;IAC3C,MAAM,QAAQ,GAAG,IAAA,0BAAmB,EAAC,WAAW,CAAC,CAAC;IAClD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAM,CAAC,yBAAyB,CAAC,CAAC;IACnE,IAAI,MAAM,GAAG,8BAA8B,CAAC;IAE5C,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,MAAM,GAAG,GAAG,MAAM,IAAI,YAAY,EAAE,CAAC;IACvC,CAAC;IAED,OAAO,GAAG,MAAM,IAAI,+BAA+B,IAAI,QAAQ,IAAI,QAAQ,GAAG,CAAC;AACjF,CAAC"}

lib/diff-filtering-utils.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"diff-filtering-utils.js","sourceRoot":"","sources":["../src/diff-filtering-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgBA,0DAUC;AAED,wDAaC;AAzCD,uCAAyB;AACzB,2CAA6B;AAE7B,4DAA8C;AAS9C,SAAS,yBAAyB;IAChC,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,oBAAoB,CAAC,CAAC;AAC9E,CAAC;AAED,SAAgB,uBAAuB,CACrC,MAAc,EACd,MAAwB;IAExB,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,YAAY,GAAG,yBAAyB,EAAE,CAAC;IACjD,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IAC7C,MAAM,CAAC,KAAK,CACV,oCAAoC,YAAY,MAAM,YAAY,EAAE,CACrE,CAAC;AACJ,CAAC;AAED,SAAgB,sBAAsB,CACpC,MAAc;IAEd,MAAM,YAAY,GAAG,yBAAyB,EAAE,CAAC;IACjD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,MAAM,CAAC,KAAK,CAAC,2CAA2C,YAAY,EAAE,CAAC,CAAC;QACxE,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,YAAY,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAC3D,MAAM,CAAC,KAAK,CACV,qCAAqC,YAAY,MAAM,YAAY,EAAE,CACtE,CAAC;IACF,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAqB,CAAC;AACtD,CAAC"}

lib/diff-informed-analysis-utils.js

@@ -0,0 +1,114 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.shouldPerformDiffInformedAnalysis = shouldPerformDiffInformedAnalysis;
+exports.getDiffInformedAnalysisBranches = getDiffInformedAnalysisBranches;
+exports.writeDiffRangesJsonFile = writeDiffRangesJsonFile;
+exports.readDiffRangesJsonFile = readDiffRangesJsonFile;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const github = __importStar(require("@actions/github"));
+const actionsUtil = __importStar(require("./actions-util"));
+const feature_flags_1 = require("./feature-flags");
+function getPullRequestBranches() {
+    const pullRequest = github.context.payload.pull_request;
+    if (pullRequest) {
+        return {
+            base: pullRequest.base.ref,
+            // We use the head label instead of the head ref here, because the head
+            // ref lacks owner information and by itself does not uniquely identify
+            // the head branch (which may be in a forked repository).
+            head: pullRequest.head.label,
+        };
+    }
+    // PR analysis under Default Setup does not have the pull_request context,
+    // but it should set CODE_SCANNING_REF and CODE_SCANNING_BASE_BRANCH.
+    const codeScanningRef = process.env.CODE_SCANNING_REF;
+    const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH;
+    if (codeScanningRef && codeScanningBaseBranch) {
+        return {
+            base: codeScanningBaseBranch,
+            // PR analysis under Default Setup analyzes the PR head commit instead of
+            // the merge commit, so we can use the provided ref directly.
+            head: codeScanningRef,
+        };
+    }
+    return undefined;
+}
+/**
+ * Check if the action should perform diff-informed analysis.
+ */
+async function shouldPerformDiffInformedAnalysis(codeql, features, logger) {
+    return ((await getDiffInformedAnalysisBranches(codeql, features, logger)) !==
+        undefined);
+}
+/**
+ * Get the branches to use for diff-informed analysis.
+ *
+ * @returns If the action should perform diff-informed analysis, return
+ * the base and head branches that should be used to compute the diff ranges.
+ * Otherwise return `undefined`.
+ */
+async function getDiffInformedAnalysisBranches(codeql, features, logger) {
+    if (!(await features.getValue(feature_flags_1.Feature.DiffInformedQueries, codeql))) {
+        return undefined;
+    }
+    const branches = getPullRequestBranches();
+    if (!branches) {
+        logger.info("Not performing diff-informed analysis " +
+            "because we are not analyzing a pull request.");
+    }
+    return branches;
+}
+function getDiffRangesJsonFilePath() {
+    return path.join(actionsUtil.getTemporaryDirectory(), "pr-diff-range.json");
+}
+function writeDiffRangesJsonFile(logger, ranges) {
+    const jsonContents = JSON.stringify(ranges, null, 2);
+    const jsonFilePath = getDiffRangesJsonFilePath();
+    fs.writeFileSync(jsonFilePath, jsonContents);
+    logger.debug(`Wrote pr-diff-range JSON file to ${jsonFilePath}:\n${jsonContents}`);
+}
+function readDiffRangesJsonFile(logger) {
+    const jsonFilePath = getDiffRangesJsonFilePath();
+    if (!fs.existsSync(jsonFilePath)) {
+        logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`);
+        return undefined;
+    }
+    const jsonContents = fs.readFileSync(jsonFilePath, "utf8");
+    logger.debug(`Read pr-diff-range JSON file from ${jsonFilePath}:\n${jsonContents}`);
+    return JSON.parse(jsonContents);
+}
+//# sourceMappingURL=diff-informed-analysis-utils.js.map

lib/diff-informed-analysis-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diff-informed-analysis-utils.js","sourceRoot":"","sources":["../src/diff-informed-analysis-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6CA,8EASC;AASD,0EAiBC;AAYD,0DAUC;AAED,wDAaC;AArHD,uCAAyB;AACzB,2CAA6B;AAE7B,wDAA0C;AAE1C,4DAA8C;AAE9C,mDAA6D;AAQ7D,SAAS,sBAAsB;IAC7B,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC;IACxD,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO;YACL,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,GAAG;YAC1B,uEAAuE;YACvE,uEAAuE;YACvE,yDAAyD;YACzD,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,KAAK;SAC7B,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,qEAAqE;IACrE,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IACtD,MAAM,sBAAsB,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;IACrE,IAAI,eAAe,IAAI,sBAAsB,EAAE,CAAC;QAC9C,OAAO;YACL,IAAI,EAAE,sBAAsB;YAC5B,yEAAyE;YACzE,6DAA6D;YAC7D,IAAI,EAAE,eAAe;SACtB,CAAC;IACJ,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,iCAAiC,CACrD,MAAc,EACd,QAA2B,EAC3B,MAAc;IAEd,OAAO,CACL,CAAC,MAAM,+BAA+B,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjE,SAAS,CACV,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,+BAA+B,CACnD,MAAc,EACd,QAA2B,EAC3B,MAAc;IAEd,IAAI,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;QACpE,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,QAAQ,GAAG,sBAAsB,EAAE,CAAC;IAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,CAAC,IAAI,CACT,wCAAwC;YACtC,8CAA8C,CACjD,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAQD,SAAS,yBAAyB;IAChC,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,oBAAoB,CAAC,CAAC;AAC9E,CAAC;AAED,SAAgB,uBAAuB,CACrC,MAAc,EACd,MAAwB;IAExB,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,YAAY,GAAG,yBAAyB,EAAE,CAAC;IACjD,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;IAC7C,MAAM,CAAC,KAAK,CACV,oCAAoC,YAAY,MAAM,YAAY,EAAE,CACrE,CAAC;AACJ,CAAC;AAED,SAAgB,sBAAsB,CACpC,MAAc;IAEd,MAAM,YAAY,GAAG,yBAAyB,EAAE,CAAC;IACjD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,MAAM,CAAC,KAAK,CAAC,2CAA2C,YAAY,EAAE,CAAC,CAAC;QACxE,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,YAAY,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAC3D,MAAM,CAAC,KAAK,CACV,qCAAqC,YAAY,MAAM,YAAY,EAAE,CACtE,CAAC;IACF,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAqB,CAAC;AACtD,CAAC"}

lib/feature-flags.js

@@ -96,8 +96,7 @@ exports.featureConfig = {
     [Feature.DiffInformedQueries]: {
         defaultValue: false,
         envVar: "CODEQL_ACTION_DIFF_INFORMED_QUERIES",
-        minimumVersion: undefined,
-        toolsFeature: tools_features_1.ToolsFeature.DatabaseInterpretResultsSupportsSarifRunProperty,
+        minimumVersion: "2.21.0",
     },
     [Feature.DisableCsharpBuildless]: {
         defaultValue: false,

lib/git-utils.js

@@ -33,7 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getGitRoot = exports.decodeGitFilePath = exports.gitRepack = exports.gitFetch = exports.deepenGitHistory = exports.determineBaseBranchHeadCommitOid = exports.getCommitOid = void 0;
+exports.getFileOidsUnderPath = exports.getGitRoot = exports.decodeGitFilePath = exports.gitRepack = exports.gitFetch = exports.deepenGitHistory = exports.determineBaseBranchHeadCommitOid = exports.getCommitOid = exports.runGitCommand = void 0;
 exports.getRef = getRef;
 exports.isAnalyzingDefaultBranch = isAnalyzingDefaultBranch;
 const core = __importStar(require("@actions/core"));
@@ -41,7 +41,7 @@ const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const io = __importStar(require("@actions/io"));
 const actions_util_1 = require("./actions-util");
 const util_1 = require("./util");
-async function runGitCommand(checkoutPath, args, customErrorMessage) {
+const runGitCommand = async function (workingDirectory, args, customErrorMessage) {
     let stdout = "";
     let stderr = "";
     core.debug(`Running git command: git ${args.join(" ")}`);
@@ -56,7 +56,7 @@ async function runGitCommand(checkoutPath, args, customErrorMessage) {
                     stderr += data.toString();
                 },
             },
-            cwd: checkoutPath,
+            cwd: workingDirectory,
         }).exec();
         return stdout;
     }
@@ -69,7 +69,8 @@ async function runGitCommand(checkoutPath, args, customErrorMessage) {
         core.info(`git call failed. ${customErrorMessage} Error: ${reason}`);
         throw error;
     }
-}
+};
+exports.runGitCommand = runGitCommand;
 /**
  * Gets the SHA of the commit that is currently checked out.
  */
@@ -82,7 +83,7 @@ const getCommitOid = async function (checkoutPath, ref = "HEAD") {
     // Even if this does go wrong, it's not a huge problem for the alerts to
     // reported on the merge commit.
     try {
-        const stdout = await runGitCommand(checkoutPath, ["rev-parse", ref], "Continuing with commit SHA from user input or environment.");
+        const stdout = await (0, exports.runGitCommand)(checkoutPath, ["rev-parse", ref], "Continuing with commit SHA from user input or environment.");
         return stdout.trim();
     }
     catch {
@@ -106,7 +107,7 @@ const determineBaseBranchHeadCommitOid = async function (checkoutPathOverride) {
         let commitOid = "";
         let baseOid = "";
         let headOid = "";
-        const stdout = await runGitCommand(checkoutPath, ["show", "-s", "--format=raw", mergeSha], "Will calculate the base branch SHA on the server.");
+        const stdout = await (0, exports.runGitCommand)(checkoutPath, ["show", "-s", "--format=raw", mergeSha], "Will calculate the base branch SHA on the server.");
         for (const data of stdout.split("\n")) {
             if (data.startsWith("commit ") && commitOid === "") {
                 commitOid = data.substring(7);
@@ -141,7 +142,7 @@ exports.determineBaseBranchHeadCommitOid = determineBaseBranchHeadCommitOid;
  */
 const deepenGitHistory = async function () {
     try {
-        await runGitCommand((0, actions_util_1.getOptionalInput)("checkout_path"), [
+        await (0, exports.runGitCommand)((0, actions_util_1.getOptionalInput)("checkout_path"), [
             "fetch",
             "origin",
             "HEAD",
@@ -163,7 +164,7 @@ exports.deepenGitHistory = deepenGitHistory;
  */
 const gitFetch = async function (branch, extraFlags) {
     try {
-        await runGitCommand((0, actions_util_1.getOptionalInput)("checkout_path"), ["fetch", "--no-tags", ...extraFlags, "origin", `${branch}:${branch}`], `Cannot fetch ${branch}.`);
+        await (0, exports.runGitCommand)((0, actions_util_1.getOptionalInput)("checkout_path"), ["fetch", "--no-tags", ...extraFlags, "origin", `${branch}:${branch}`], `Cannot fetch ${branch}.`);
     }
     catch {
         // Errors are already logged by runGitCommand()
@@ -178,7 +179,7 @@ exports.gitFetch = gitFetch;
  */
 const gitRepack = async function (flags) {
     try {
-        await runGitCommand((0, actions_util_1.getOptionalInput)("checkout_path"), ["repack", ...flags], "Cannot repack the repository.");
+        await (0, exports.runGitCommand)((0, actions_util_1.getOptionalInput)("checkout_path"), ["repack", ...flags], "Cannot repack the repository.");
     }
     catch {
         // Errors are already logged by runGitCommand()
@@ -238,7 +239,7 @@ exports.decodeGitFilePath = decodeGitFilePath;
  */
 const getGitRoot = async function (sourceRoot) {
     try {
-        const stdout = await runGitCommand(sourceRoot, ["rev-parse", "--show-toplevel"], `Cannot find Git repository root from the source root ${sourceRoot}.`);
+        const stdout = await (0, exports.runGitCommand)(sourceRoot, ["rev-parse", "--show-toplevel"], `Cannot find Git repository root from the source root ${sourceRoot}.`);
         return stdout.trim();
     }
     catch {
@@ -247,6 +248,41 @@ const getGitRoot = async function (sourceRoot) {
     }
 };
 exports.getGitRoot = getGitRoot;
+/**
+ * Returns the Git OIDs of all tracked files (in the index and in the working
+ * tree) that are under the given base path, including files in active
+ * submodules. Untracked files and files not under the given base path are
+ * ignored.
+ *
+ * @param basePath A path into the Git repository.
+ * @returns a map from file paths (relative to `basePath`) to Git OIDs.
+ * @throws {Error} if "git ls-tree" produces unexpected output.
+ */
+const getFileOidsUnderPath = async function (basePath) {
+    // Without the --full-name flag, the path is relative to the current working
+    // directory of the git command, which is basePath.
+    const stdout = await (0, exports.runGitCommand)(basePath, ["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"], "Cannot list Git OIDs of tracked files.");
+    const fileOidMap = {};
+    // With --format=%(objectname)_%(path), the output is a list of lines like:
+    // 30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js
+    // d89514599a9a99f22b4085766d40af7b99974827_lib/git-utils.js.map
+    const regex = /^([0-9a-f]{40})_(.+)$/;
+    for (const line of stdout.split("\n")) {
+        if (line) {
+            const match = line.match(regex);
+            if (match) {
+                const oid = match[1];
+                const path = (0, exports.decodeGitFilePath)(match[2]);
+                fileOidMap[path] = oid;
+            }
+            else {
+                throw new Error(`Unexpected "git ls-files" output: ${line}`);
+            }
+        }
+    }
+    return fileOidMap;
+};
+exports.getFileOidsUnderPath = getFileOidsUnderPath;
 function getRefFromEnv() {
     // To workaround a limitation of Actions dynamic workflows not setting
     // the GITHUB_REF in some cases, we accept also the ref within the

lib/git-utils.test.js

@@ -265,4 +265,75 @@ const util_1 = require("./util");
     t.deepEqual(gitUtils.decodeGitFilePath('"foo\\vbar"'), "foo\vbar");
     t.deepEqual(gitUtils.decodeGitFilePath('"\\a\\b\\f\\n\\r\\t\\v"'), "\x07\b\f\n\r\t\v");
 });
+(0, ava_1.default)("getFileOidsUnderPath returns correct file mapping", async (t) => {
+    const runGitCommandStub = sinon
+        .stub(gitUtils, "runGitCommand")
+        .resolves("30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
+        "d89514599a9a99f22b4085766d40af7b99974827_lib/git-utils.js.map\n" +
+        "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts");
+    try {
+        const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+        t.deepEqual(result, {
+            "lib/git-utils.js": "30d998ded095371488be3a729eb61d86ed721a18",
+            "lib/git-utils.js.map": "d89514599a9a99f22b4085766d40af7b99974827",
+            "src/git-utils.ts": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
+        });
+        t.deepEqual(runGitCommandStub.firstCall.args, [
+            "/fake/path",
+            ["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
+            "Cannot list Git OIDs of tracked files.",
+        ]);
+    }
+    finally {
+        runGitCommandStub.restore();
+    }
+});
+(0, ava_1.default)("getFileOidsUnderPath handles quoted paths", async (t) => {
+    const runGitCommandStub = sinon
+        .stub(gitUtils, "runGitCommand")
+        .resolves("30d998ded095371488be3a729eb61d86ed721a18_lib/normal-file.js\n" +
+        'd89514599a9a99f22b4085766d40af7b99974827_"lib/file with spaces.js"\n' +
+        'a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_"lib/file\\twith\\ttabs.js"');
+    try {
+        const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+        t.deepEqual(result, {
+            "lib/normal-file.js": "30d998ded095371488be3a729eb61d86ed721a18",
+            "lib/file with spaces.js": "d89514599a9a99f22b4085766d40af7b99974827",
+            "lib/file\twith\ttabs.js": "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96",
+        });
+    }
+    finally {
+        runGitCommandStub.restore();
+    }
+});
+(0, ava_1.default)("getFileOidsUnderPath handles empty output", async (t) => {
+    const runGitCommandStub = sinon
+        .stub(gitUtils, "runGitCommand")
+        .resolves("");
+    try {
+        const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+        t.deepEqual(result, {});
+    }
+    finally {
+        runGitCommandStub.restore();
+    }
+});
+(0, ava_1.default)("getFileOidsUnderPath throws on unexpected output format", async (t) => {
+    const runGitCommandStub = sinon
+        .stub(gitUtils, "runGitCommand")
+        .resolves("30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
+        "invalid-line-format\n" +
+        "a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts");
+    try {
+        await t.throwsAsync(async () => {
+            await gitUtils.getFileOidsUnderPath("/fake/path");
+        }, {
+            instanceOf: Error,
+            message: 'Unexpected "git ls-files" output: invalid-line-format',
+        });
+    }
+    finally {
+        runGitCommandStub.restore();
+    }
+});
 //# sourceMappingURL=git-utils.test.js.map

lib/init-action-post-helper.js

@@ -173,7 +173,7 @@ async function removeUploadedSarif(uploadFailedSarifResult, logger) {
         logger.info(`In test mode, therefore deleting the failed analysis to avoid impacting tool status for the Action repository. SARIF ID to delete: ${sarifID}.`);
         const client = (0, api_client_1.getApiClient)();
         try {
-            const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+            const repositoryNwo = (0, repository_1.getRepositoryNwo)();
             // Wait to make sure the analysis is ready for download before requesting it.
             await (0, util_1.delay)(5000);
             // Get the analysis associated with the uploaded sarif

lib/init-action-post.js

@@ -59,7 +59,7 @@ async function runWrapper() {
         (0, actions_util_1.restoreInputs)();
         const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
         (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
-        const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+        const repositoryNwo = (0, repository_1.getRepositoryNwo)();
         const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
         config = await (0, config_utils_1.getConfig)((0, actions_util_1.getTemporaryDirectory)(), logger);
         if (config === undefined) {
@@ -87,7 +87,9 @@ async function runWrapper() {
             ...uploadFailedSarifResult,
             job_status: initActionPostHelper.getFinalJobStatus(),
         };
+        logger.info("Sending status report for init-post step.");
         await (0, status_report_1.sendStatusReport)(statusReport);
+        logger.info("Status report sent for init-post step.");
     }
 }
 void runWrapper();

lib/init-action-post.js.map

@@ -1 +1 @@
-{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,iDAAmD;AACnD,kEAAoD;AACpD,mDAA2C;AAC3C,gFAAkE;AAClE,uCAA6C;AAC7C,6CAAkD;AAClD,mDAOyB;AACzB,iCAKgB;AAOhB,KAAK,UAAU,UAAU;IACvB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,MAA0B,CAAC;IAC/B,IAAI,uBAES,CAAC;IACd,IAAI,CAAC;QACH,qCAAqC;QACrC,IAAA,4BAAa,GAAE,CAAC;QAEhB,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,uBAAuB,GAAG,MAAM,oBAAoB,CAAC,GAAG,CACtD,cAAc,CAAC,mCAAmC,EAClD,6BAAc,EACd,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE9B,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,IAAA,gCAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CAAC;QACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAA,gCAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO;IACT,CAAC;IACD,MAAM,SAAS,GAAG,oBAAoB,CAAC,iBAAiB,EAAE,CAAC;IAC3D,MAAM,CAAC,IAAI,CAAC,yBAAyB,IAAA,uCAAuB,EAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAE5E,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,SAAS,EACT,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAAyB;YACzC,GAAG,gBAAgB;YACnB,GAAG,uBAAuB;YAC1B,UAAU,EAAE,oBAAoB,CAAC,iBAAiB,EAAE;SACrD,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,iDAAmD;AACnD,kEAAoD;AACpD,mDAA2C;AAC3C,gFAAkE;AAClE,uCAA6C;AAC7C,6CAAgD;AAChD,mDAOyB;AACzB,iCAA8E;AAO9E,KAAK,UAAU,UAAU;IACvB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,MAA0B,CAAC;IAC/B,IAAI,uBAES,CAAC;IACd,IAAI,CAAC;QACH,qCAAqC;QACrC,IAAA,4BAAa,GAAE,CAAC;QAEhB,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,aAAa,GAAG,IAAA,6BAAgB,GAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,uBAAuB,GAAG,MAAM,oBAAoB,CAAC,GAAG,CACtD,cAAc,CAAC,mCAAmC,EAClD,6BAAc,EACd,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE9B,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,IAAA,gCAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CAAC;QACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAA,gCAAgB,EAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO;IACT,CAAC;IACD,MAAM,SAAS,GAAG,oBAAoB,CAAC,iBAAiB,EAAE,CAAC;IAC3D,MAAM,CAAC,IAAI,CAAC,yBAAyB,IAAA,uCAAuB,EAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAE5E,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,QAAQ,EACnB,SAAS,EACT,SAAS,EACT,MAAM,EACN,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAAyB;YACzC,GAAG,gBAAgB;YACnB,GAAG,uBAAuB;YAC1B,UAAU,EAAE,oBAAoB,CAAC,iBAAiB,EAAE;SACrD,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QACzD,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IACxD,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/init-action.js

@@ -160,7 +160,7 @@ async function run() {
     const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
     (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
     (0, util_1.checkActionVersion)((0, actions_util_1.getActionVersion)(), gitHubVersion);
-    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    const repositoryNwo = (0, repository_1.getRepositoryNwo)();
     const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
     const jobRunUuid = (0, uuid_1.v4)();
     logger.info(`Job run UUID is ${jobRunUuid}.`);
@@ -319,7 +319,8 @@ async function run() {
         // for details.
         core.exportVariable("CODEQL_RAM", process.env["CODEQL_RAM"] ||
             (0, util_1.getMemoryFlagValue)((0, actions_util_1.getOptionalInput)("ram"), logger).toString());
-        core.exportVariable("CODEQL_THREADS", (0, util_1.getThreadsFlagValue)((0, actions_util_1.getOptionalInput)("threads"), logger).toString());
+        core.exportVariable("CODEQL_THREADS", process.env["CODEQL_THREADS"] ||
+            (0, util_1.getThreadsFlagValue)((0, actions_util_1.getOptionalInput)("threads"), logger).toString());
         // Disable Kotlin extractor if feature flag set
         if (await features.getValue(feature_flags_1.Feature.DisableKotlinAnalysisEnabled)) {
             core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");

lib/overlay-database-utils.js

@@ -1,6 +1,45 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CODEQL_OVERLAY_MINIMUM_VERSION = exports.OverlayDatabaseMode = void 0;
+exports.writeBaseDatabaseOidsFile = writeBaseDatabaseOidsFile;
+exports.writeOverlayChangesFile = writeOverlayChangesFile;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const actions_util_1 = require("./actions-util");
+const git_utils_1 = require("./git-utils");
 var OverlayDatabaseMode;
 (function (OverlayDatabaseMode) {
     OverlayDatabaseMode["Overlay"] = "overlay";
@@ -8,4 +47,83 @@ var OverlayDatabaseMode;
     OverlayDatabaseMode["None"] = "none";
 })(OverlayDatabaseMode || (exports.OverlayDatabaseMode = OverlayDatabaseMode = {}));
 exports.CODEQL_OVERLAY_MINIMUM_VERSION = "2.20.5";
+/**
+ * Writes a JSON file containing Git OIDs for all tracked files (represented
+ * by path relative to the source root) under the source root. The file is
+ * written into the database location specified in the config.
+ *
+ * @param config The configuration object containing the database location
+ * @param sourceRoot The root directory containing the source files to process
+ * @throws {Error} If the Git repository root cannot be determined
+ */
+async function writeBaseDatabaseOidsFile(config, sourceRoot) {
+    const gitFileOids = await (0, git_utils_1.getFileOidsUnderPath)(sourceRoot);
+    const gitFileOidsJson = JSON.stringify(gitFileOids);
+    const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config);
+    await fs.promises.writeFile(baseDatabaseOidsFilePath, gitFileOidsJson);
+}
+/**
+ * Reads and parses the JSON file containing the base database Git OIDs.
+ * This file contains the mapping of file paths to their corresponding Git OIDs
+ * that was previously written by writeBaseDatabaseOidsFile().
+ *
+ * @param config The configuration object containing the database location
+ * @param logger The logger instance to use for error reporting
+ * @returns An object mapping file paths (relative to source root) to their Git OIDs
+ * @throws {Error} If the file cannot be read or parsed
+ */
+async function readBaseDatabaseOidsFile(config, logger) {
+    const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config);
+    try {
+        const contents = await fs.promises.readFile(baseDatabaseOidsFilePath, "utf-8");
+        return JSON.parse(contents);
+    }
+    catch (e) {
+        logger.error("Failed to read overlay-base file OIDs from " +
+            `${baseDatabaseOidsFilePath}: ${e.message || e}`);
+        throw e;
+    }
+}
+function getBaseDatabaseOidsFilePath(config) {
+    return path.join(config.dbLocation, "base-database-oids.json");
+}
+/**
+ * Writes a JSON file containing the source-root-relative paths of files under
+ * `sourceRoot` that have changed (added, removed, or modified) from the overlay
+ * base database.
+ *
+ * This function uses the Git index to determine which files have changed, so it
+ * requires the following preconditions, both when this function is called and
+ * when the overlay-base database was initialized:
+ *
+ * - It requires that `sourceRoot` is inside a Git repository.
+ * - It assumes that all changes in the working tree are staged in the index.
+ * - It assumes that all files of interest are tracked by Git, e.g. not covered
+ *   by `.gitignore`.
+ */
+async function writeOverlayChangesFile(config, sourceRoot, logger) {
+    const baseFileOids = await readBaseDatabaseOidsFile(config, logger);
+    const overlayFileOids = await (0, git_utils_1.getFileOidsUnderPath)(sourceRoot);
+    const changedFiles = computeChangedFiles(baseFileOids, overlayFileOids);
+    logger.info(`Found ${changedFiles.length} changed file(s) under ${sourceRoot}.`);
+    const changedFilesJson = JSON.stringify({ changes: changedFiles });
+    const overlayChangesFile = path.join((0, actions_util_1.getTemporaryDirectory)(), "overlay-changes.json");
+    logger.debug(`Writing overlay changed files to ${overlayChangesFile}: ${changedFilesJson}`);
+    await fs.promises.writeFile(overlayChangesFile, changedFilesJson);
+    return overlayChangesFile;
+}
+function computeChangedFiles(baseFileOids, overlayFileOids) {
+    const changes = [];
+    for (const [file, oid] of Object.entries(overlayFileOids)) {
+        if (!(file in baseFileOids) || baseFileOids[file] !== oid) {
+            changes.push(file);
+        }
+    }
+    for (const file of Object.keys(baseFileOids)) {
+        if (!(file in overlayFileOids)) {
+            changes.push(file);
+        }
+    }
+    return changes;
+}
 //# sourceMappingURL=overlay-database-utils.js.map

lib/overlay-database-utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"overlay-database-utils.js","sourceRoot":"","sources":["../src/overlay-database-utils.ts"],"names":[],"mappings":";;;AAAA,IAAY,mBAIX;AAJD,WAAY,mBAAmB;IAC7B,0CAAmB,CAAA;IACnB,mDAA4B,CAAA;IAC5B,oCAAa,CAAA;AACf,CAAC,EAJW,mBAAmB,mCAAnB,mBAAmB,QAI9B;AAEY,QAAA,8BAA8B,GAAG,QAAQ,CAAC"}
+{"version":3,"file":"overlay-database-utils.js","sourceRoot":"","sources":["../src/overlay-database-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyBA,8DAQC;AAkDD,0DAsBC;AAzGD,uCAAyB;AACzB,2CAA6B;AAE7B,iDAAuD;AAEvD,2CAAmD;AAGnD,IAAY,mBAIX;AAJD,WAAY,mBAAmB;IAC7B,0CAAmB,CAAA;IACnB,mDAA4B,CAAA;IAC5B,oCAAa,CAAA;AACf,CAAC,EAJW,mBAAmB,mCAAnB,mBAAmB,QAI9B;AAEY,QAAA,8BAA8B,GAAG,QAAQ,CAAC;AAEvD;;;;;;;;GAQG;AACI,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,UAAkB;IAElB,MAAM,WAAW,GAAG,MAAM,IAAA,gCAAoB,EAAC,UAAU,CAAC,CAAC;IAC3D,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,wBAAwB,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC;IACrE,MAAM,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,wBAAwB,EAAE,eAAe,CAAC,CAAC;AACzE,CAAC;AAED;;;;;;;;;GASG;AACH,KAAK,UAAU,wBAAwB,CACrC,MAAc,EACd,MAAc;IAEd,MAAM,wBAAwB,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC;IACrE,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CACzC,wBAAwB,EACxB,OAAO,CACR,CAAC;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAA8B,CAAC;IAC3D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,CAAC,KAAK,CACV,6CAA6C;YAC3C,GAAG,wBAAwB,KAAM,CAAS,CAAC,OAAO,IAAI,CAAC,EAAE,CAC5D,CAAC;QACF,MAAM,CAAC,CAAC;IACV,CAAC;AACH,CAAC;AAED,SAAS,2BAA2B,CAAC,MAAc;IACjD,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,yBAAyB,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;;;;;;GAaG;AACI,KAAK,UAAU,uBAAuB,CAC3C,MAAc,EACd,UAAkB,EAClB,MAAc;IAEd,MAAM,YAAY,GAAG,MAAM,wBAAwB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,eAAe,GAAG,MAAM,IAAA,gCAAoB,EAAC,UAAU,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAG,mBAAmB,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;IACxE,MAAM,CAAC,IAAI,CACT,SAAS,YAAY,CAAC,MAAM,0BAA0B,UAAU,GAAG,CACpE,CAAC;IAEF,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;IACnE,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAClC,IAAA,oCAAqB,GAAE,EACvB,sBAAsB,CACvB,CAAC;IACF,MAAM,CAAC,KAAK,CACV,oCAAoC,kBAAkB,KAAK,gBAAgB,EAAE,CAC9E,CAAC;IACF,MAAM,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC;IAClE,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,SAAS,mBAAmB,CAC1B,YAAuC,EACvC,eAA0C;IAE1C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,CAAC,IAAI,IAAI,YAAY,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YAC1D,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;QAC7C,IAAI,CAAC,CAAC,IAAI,IAAI,eAAe,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}

lib/overlay-database-utils.test.js

@@ -0,0 +1,94 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const ava_1 = __importDefault(require("ava"));
+const sinon = __importStar(require("sinon"));
+const actionsUtil = __importStar(require("./actions-util"));
+const gitUtils = __importStar(require("./git-utils"));
+const logging_1 = require("./logging");
+const overlay_database_utils_1 = require("./overlay-database-utils");
+const testing_utils_1 = require("./testing-utils");
+const util_1 = require("./util");
+(0, testing_utils_1.setupTests)(ava_1.default);
+(0, ava_1.default)("writeOverlayChangesFile generates correct changes file", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        const dbLocation = path.join(tmpDir, "db");
+        await fs.promises.mkdir(dbLocation, { recursive: true });
+        const sourceRoot = path.join(tmpDir, "src");
+        await fs.promises.mkdir(sourceRoot, { recursive: true });
+        const tempDir = path.join(tmpDir, "temp");
+        await fs.promises.mkdir(tempDir, { recursive: true });
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        const config = (0, testing_utils_1.createTestConfig)({ dbLocation });
+        // Mock the getFileOidsUnderPath function to return base OIDs
+        const baseOids = {
+            "unchanged.js": "aaa111",
+            "modified.js": "bbb222",
+            "deleted.js": "ccc333",
+        };
+        const getFileOidsStubForBase = sinon
+            .stub(gitUtils, "getFileOidsUnderPath")
+            .resolves(baseOids);
+        // Write the base database OIDs file
+        await (0, overlay_database_utils_1.writeBaseDatabaseOidsFile)(config, sourceRoot);
+        getFileOidsStubForBase.restore();
+        // Mock the getFileOidsUnderPath function to return overlay OIDs
+        const currentOids = {
+            "unchanged.js": "aaa111",
+            "modified.js": "ddd444", // Changed OID
+            "added.js": "eee555", // New file
+        };
+        const getFileOidsStubForOverlay = sinon
+            .stub(gitUtils, "getFileOidsUnderPath")
+            .resolves(currentOids);
+        // Write the overlay changes file, which uses the mocked overlay OIDs
+        // and the base database OIDs file
+        const getTempDirStub = sinon
+            .stub(actionsUtil, "getTemporaryDirectory")
+            .returns(tempDir);
+        const changesFilePath = await (0, overlay_database_utils_1.writeOverlayChangesFile)(config, sourceRoot, logger);
+        getFileOidsStubForOverlay.restore();
+        getTempDirStub.restore();
+        const fileContent = await fs.promises.readFile(changesFilePath, "utf-8");
+        const parsedContent = JSON.parse(fileContent);
+        t.deepEqual(parsedContent.changes.sort(), ["added.js", "deleted.js", "modified.js"], "Should identify added, deleted, and modified files");
+    });
+});
+//# sourceMappingURL=overlay-database-utils.test.js.map

lib/overlay-database-utils.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"overlay-database-utils.test.js","sourceRoot":"","sources":["../src/overlay-database-utils.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,sDAAwC;AACxC,uCAA4C;AAC5C,qEAGkC;AAClC,mDAA+D;AAC/D,iCAAoC;AAEpC,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,wDAAwD,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACzE,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC5C,MAAM,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC1C,MAAM,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEtD,MAAM,MAAM,GAAG,IAAA,yBAAe,EAAC,IAAI,CAAC,CAAC;QACrC,MAAM,MAAM,GAAG,IAAA,gCAAgB,EAAC,EAAE,UAAU,EAAE,CAAC,CAAC;QAEhD,6DAA6D;QAC7D,MAAM,QAAQ,GAAG;YACf,cAAc,EAAE,QAAQ;YACxB,aAAa,EAAE,QAAQ;YACvB,YAAY,EAAE,QAAQ;SACvB,CAAC;QACF,MAAM,sBAAsB,GAAG,KAAK;aACjC,IAAI,CAAC,QAAQ,EAAE,sBAAsB,CAAC;aACtC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAEtB,oCAAoC;QACpC,MAAM,IAAA,kDAAyB,EAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACpD,sBAAsB,CAAC,OAAO,EAAE,CAAC;QAEjC,gEAAgE;QAChE,MAAM,WAAW,GAAG;YAClB,cAAc,EAAE,QAAQ;YACxB,aAAa,EAAE,QAAQ,EAAE,cAAc;YACvC,UAAU,EAAE,QAAQ,EAAE,WAAW;SAClC,CAAC;QACF,MAAM,yBAAyB,GAAG,KAAK;aACpC,IAAI,CAAC,QAAQ,EAAE,sBAAsB,CAAC;aACtC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAEzB,qEAAqE;QACrE,kCAAkC;QAClC,MAAM,cAAc,GAAG,KAAK;aACzB,IAAI,CAAC,WAAW,EAAE,uBAAuB,CAAC;aAC1C,OAAO,CAAC,OAAO,CAAC,CAAC;QACpB,MAAM,eAAe,GAAG,MAAM,IAAA,gDAAuB,EACnD,MAAM,EACN,UAAU,EACV,MAAM,CACP,CAAC;QACF,yBAAyB,CAAC,OAAO,EAAE,CAAC;QACpC,cAAc,CAAC,OAAO,EAAE,CAAC;QAEzB,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QACzE,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAA0B,CAAC;QAEvE,CAAC,CAAC,SAAS,CACT,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,EAC5B,CAAC,UAAU,EAAE,YAAY,EAAE,aAAa,CAAC,EACzC,oDAAoD,CACrD,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

lib/repository.js

@@ -1,7 +1,33 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRepositoryNwo = getRepositoryNwo;
+exports.getRepositoryNwoFromEnv = getRepositoryNwoFromEnv;
 exports.parseRepositoryNwo = parseRepositoryNwo;
 const util_1 = require("./util");
+/**
+ * Get the repository name with owner from the environment variable
+ * `GITHUB_REPOSITORY`.
+ *
+ * @returns The repository name with owner.
+ */
+function getRepositoryNwo() {
+    return getRepositoryNwoFromEnv("GITHUB_REPOSITORY");
+}
+/**
+ * Get the repository name with owner from the first environment variable that
+ * is set and non-empty.
+ *
+ * @param envVarNames The names of the environment variables to check.
+ * @returns The repository name with owner.
+ * @throws ConfigurationError if none of the environment variables are set.
+ */
+function getRepositoryNwoFromEnv(...envVarNames) {
+    const envVarName = envVarNames.find((name) => process.env[name]);
+    if (!envVarName) {
+        throw new util_1.ConfigurationError(`None of the env vars ${envVarNames.join(", ")} are set`);
+    }
+    return parseRepositoryNwo((0, util_1.getRequiredEnvParam)(envVarName));
+}
 function parseRepositoryNwo(input) {
     const parts = input.split("/");
     if (parts.length !== 2) {

lib/repository.js.map

@@ -1 +1 @@
-{"version":3,"file":"repository.js","sourceRoot":"","sources":["../src/repository.ts"],"names":[],"mappings":";;AAQA,gDASC;AAjBD,iCAA4C;AAQ5C,SAAgB,kBAAkB,CAAC,KAAa;IAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,yBAAkB,CAAC,IAAI,KAAK,kCAAkC,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO;QACL,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;QACf,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;KACf,CAAC;AACJ,CAAC"}
+{"version":3,"file":"repository.js","sourceRoot":"","sources":["../src/repository.ts"],"names":[],"mappings":";;AAcA,4CAEC;AAUD,0DAUC;AAED,gDASC;AA/CD,iCAAiE;AAQjE;;;;;GAKG;AACH,SAAgB,gBAAgB;IAC9B,OAAO,uBAAuB,CAAC,mBAAmB,CAAC,CAAC;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,uBAAuB,CACrC,GAAG,WAAqB;IAExB,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IACjE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,yBAAkB,CAC1B,wBAAwB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CACzD,CAAC;IACJ,CAAC;IACD,OAAO,kBAAkB,CAAC,IAAA,0BAAmB,EAAC,UAAU,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,SAAgB,kBAAkB,CAAC,KAAa;IAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,yBAAkB,CAAC,IAAI,KAAK,kCAAkC,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO;QACL,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;QACf,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;KACf,CAAC;AACJ,CAAC"}

lib/start-proxy-action.js

@@ -43,8 +43,8 @@ const logging_1 = require("./logging");
 const start_proxy_1 = require("./start-proxy");
 const util = __importStar(require("./util"));
 const UPDATEJOB_PROXY = "update-job-proxy";
-const UPDATEJOB_PROXY_VERSION = "v2.0.20241023203727";
-const UPDATEJOB_PROXY_URL_PREFIX = "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.18.1/";
+const UPDATEJOB_PROXY_VERSION = "v2.0.20250424171100";
+const UPDATEJOB_PROXY_URL_PREFIX = "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.21.1/";
 const KEY_SIZE = 2048;
 const KEY_EXPIRY_YEARS = 2;
 const CERT_SUBJECT = [

lib/start-proxy.js

@@ -10,10 +10,10 @@ const LANGUAGE_TO_REGISTRY_TYPE = {
     python: "python_index",
     ruby: "rubygems_server",
     rust: "cargo_registry",
+    go: "goproxy_server",
     // We do not have an established proxy type for these languages, thus leaving empty.
     actions: "",
     cpp: "",
-    go: "",
     swift: "",
 };
 // getCredentials returns registry credentials from action inputs.

lib/start-proxy.js.map

@@ -1 +1 @@
-{"version":3,"file":"start-proxy.js","sourceRoot":"","sources":["../src/start-proxy.ts"],"names":[],"mappings":";;AA8BA,wCA2EC;AAzGD,2CAAsD;AAEtD,iCAA4C;AAW5C,MAAM,yBAAyB,GAA6B;IAC1D,IAAI,EAAE,kBAAkB;IACxB,MAAM,EAAE,YAAY;IACpB,UAAU,EAAE,cAAc;IAC1B,MAAM,EAAE,cAAc;IACtB,IAAI,EAAE,iBAAiB;IACvB,IAAI,EAAE,gBAAgB;IACtB,oFAAoF;IACpF,OAAO,EAAE,EAAE;IACX,GAAG,EAAE,EAAE;IACP,EAAE,EAAE,EAAE;IACN,KAAK,EAAE,EAAE;CACD,CAAC;AAEX,kEAAkE;AAClE,+DAA+D;AAC/D,gDAAgD;AAChD,SAAgB,cAAc,CAC5B,MAAc,EACd,eAAmC,EACnC,qBAAyC,EACzC,cAAkC;IAElC,MAAM,QAAQ,GAAG,cAAc,CAAC,CAAC,CAAC,IAAA,yBAAa,EAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5E,MAAM,uBAAuB,GAAG,QAAQ;QACtC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;QACrC,CAAC,CAAC,SAAS,CAAC;IAEd,IAAI,cAAsB,CAAC;IAC3B,IAAI,qBAAqB,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACnD,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,qBAAqB,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC3E,CAAC;SAAM,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAC7C,cAAc,GAAG,eAAe,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACvC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,qCAAqC;IACrC,IAAI,MAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAiB,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,oEAAoE;QACpE,MAAM,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACtD,MAAM,IAAI,yBAAkB,CAAC,6BAA6B,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,GAAG,GAAiB,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChD,yFAAyF;YACzF,MAAM,IAAI,yBAAkB,CAC1B,gDAAgD,CACjD,CAAC;QACJ,CAAC;QAED,kFAAkF;QAClF,iEAAiE;QACjE,IAAI,uBAAuB,IAAI,CAAC,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;YAClE,SAAS;QACX,CAAC;QAED,MAAM,WAAW,GAAG,CAAC,GAAuB,EAAW,EAAE;YACvD,OAAO,GAAG,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACjD,CAAC,CAAC;QAEF,IACE,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC;YACnB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxB,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,EACrB,CAAC;YACD,MAAM,IAAI,yBAAkB,CAC1B,qEAAqE,CACtE,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
+{"version":3,"file":"start-proxy.js","sourceRoot":"","sources":["../src/start-proxy.ts"],"names":[],"mappings":";;AA8BA,wCA2EC;AAzGD,2CAAsD;AAEtD,iCAA4C;AAW5C,MAAM,yBAAyB,GAA6B;IAC1D,IAAI,EAAE,kBAAkB;IACxB,MAAM,EAAE,YAAY;IACpB,UAAU,EAAE,cAAc;IAC1B,MAAM,EAAE,cAAc;IACtB,IAAI,EAAE,iBAAiB;IACvB,IAAI,EAAE,gBAAgB;IACtB,EAAE,EAAE,gBAAgB;IACpB,oFAAoF;IACpF,OAAO,EAAE,EAAE;IACX,GAAG,EAAE,EAAE;IACP,KAAK,EAAE,EAAE;CACD,CAAC;AAEX,kEAAkE;AAClE,+DAA+D;AAC/D,gDAAgD;AAChD,SAAgB,cAAc,CAC5B,MAAc,EACd,eAAmC,EACnC,qBAAyC,EACzC,cAAkC;IAElC,MAAM,QAAQ,GAAG,cAAc,CAAC,CAAC,CAAC,IAAA,yBAAa,EAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5E,MAAM,uBAAuB,GAAG,QAAQ;QACtC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC;QACrC,CAAC,CAAC,SAAS,CAAC;IAEd,IAAI,cAAsB,CAAC;IAC3B,IAAI,qBAAqB,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACnD,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,qBAAqB,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC3E,CAAC;SAAM,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAC7C,cAAc,GAAG,eAAe,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACvC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,qCAAqC;IACrC,IAAI,MAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAAiB,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,oEAAoE;QACpE,MAAM,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACtD,MAAM,IAAI,yBAAkB,CAAC,6BAA6B,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,GAAG,GAAiB,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAChD,yFAAyF;YACzF,MAAM,IAAI,yBAAkB,CAC1B,gDAAgD,CACjD,CAAC;QACJ,CAAC;QAED,kFAAkF;QAClF,iEAAiE;QACjE,IAAI,uBAAuB,IAAI,CAAC,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;YAClE,SAAS;QACX,CAAC;QAED,MAAM,WAAW,GAAG,CAAC,GAAuB,EAAW,EAAE;YACvD,OAAO,GAAG,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACjD,CAAC,CAAC;QAEF,IACE,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC;YACnB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;YACxB,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,EACrB,CAAC;YACD,MAAM,IAAI,yBAAkB,CAC1B,qEAAqE,CACtE,CAAC;QACJ,CAAC;QAED,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

lib/status-report.js

@@ -35,6 +35,7 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.JobStatus = exports.ActionName = void 0;
 exports.isFirstPartyAnalysis = isFirstPartyAnalysis;
+exports.isThirdPartyAnalysis = isThirdPartyAnalysis;
 exports.getActionsStatus = getActionsStatus;
 exports.getJobStatusDisplayName = getJobStatusDisplayName;
 exports.createStatusReportBase = createStatusReportBase;
@@ -46,6 +47,7 @@ const api_client_1 = require("./api-client");
 const doc_url_1 = require("./doc-url");
 const environment_1 = require("./environment");
 const git_utils_1 = require("./git-utils");
+const repository_1 = require("./repository");
 const util_1 = require("./util");
 var ActionName;
 (function (ActionName) {
@@ -70,6 +72,12 @@ function isFirstPartyAnalysis(actionName) {
     }
     return process.env[environment_1.EnvVar.INIT_ACTION_HAS_RUN] === "true";
 }
+/**
+ * @returns true if the analysis is considered to be third party.
+ */
+function isThirdPartyAnalysis(actionName) {
+    return !isFirstPartyAnalysis(actionName);
+}
 /** Overall status of the entire job. String values match the Hydro schema. */
 var JobStatus;
 (function (JobStatus) {
@@ -141,10 +149,10 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
         const runnerOs = (0, util_1.getRequiredEnvParam)("RUNNER_OS");
         const codeQlCliVersion = (0, util_1.getCachedCodeQlVersion)();
         const actionRef = process.env["GITHUB_ACTION_REF"] || "";
-        const testingEnvironment = process.env[environment_1.EnvVar.TESTING_ENVIRONMENT] || "";
+        const testingEnvironment = (0, util_1.getTestingEnvironment)();
         // re-export the testing environment variable so that it is available to subsequent steps,
         // even if it was only set for this step
-        if (testingEnvironment !== "") {
+        if (testingEnvironment) {
             core.exportVariable(environment_1.EnvVar.TESTING_ENVIRONMENT, testingEnvironment);
         }
         const isSteadyStateDefaultSetupRun = process.env["CODE_SCANNING_IS_STEADY_STATE_DEFAULT_SETUP"] === "true";
@@ -165,7 +173,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
             started_at: workflowStartedAt,
             status,
             steady_state_default_setup: isSteadyStateDefaultSetupRun,
-            testing_environment: testingEnvironment,
+            testing_environment: testingEnvironment || "",
             workflow_name: workflowName,
             workflow_run_attempt: workflowRunAttempt,
             workflow_run_id: workflowRunID,
@@ -248,13 +256,12 @@ async function sendStatusReport(statusReport) {
         core.debug("In test mode. Status reports are not uploaded.");
         return;
     }
-    const nwo = (0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY");
-    const [owner, repo] = nwo.split("/");
+    const nwo = (0, repository_1.getRepositoryNwo)();
     const client = (0, api_client_1.getApiClient)();
     try {
         await client.request("PUT /repos/:owner/:repo/code-scanning/analysis/status", {
-            owner,
-            repo,
+            owner: nwo.owner,
+            repo: nwo.repo,
             data: statusReportJSON,
         });
     }

lib/status-report.test.js

@@ -109,4 +109,14 @@ function setupEnvironmentAndStub(tmpDir) {
         t.is((await (0, status_report_1.createStatusReportBase)(status_report_1.ActionName.Analyze, "failure", new Date("May 19, 2023 05:19:00"), (0, testing_utils_1.createTestConfig)({}), { numAvailableBytes: 100, numTotalBytes: 500 }, (0, logging_1.getRunnerLogger)(false), "failure cause", "exception stack trace"))?.first_party_analysis, true);
     });
 });
+(0, ava_1.default)("getActionStatus handling correctly various types of errors", (t) => {
+    t.is((0, status_report_1.getActionsStatus)(new Error("arbitrary error")), "failure", "We categorise an arbitrary error as a failure");
+    t.is((0, status_report_1.getActionsStatus)(new util_1.ConfigurationError("arbitrary error")), "user-error", "We categorise a ConfigurationError as a user error");
+    t.is((0, status_report_1.getActionsStatus)(new Error("exit code 1"), "multiple things went wrong"), "failure", "getActionsStatus should return failure if passed an arbitrary error and an additional failure cause");
+    t.is((0, status_report_1.getActionsStatus)(new util_1.ConfigurationError("exit code 1"), "multiple things went wrong"), "user-error", "getActionsStatus should return user-error if passed a configuration error and an additional failure cause");
+    t.is((0, status_report_1.getActionsStatus)(), "success", "getActionsStatus should return success if no error is passed");
+    t.is((0, status_report_1.getActionsStatus)(new Object()), "failure", "getActionsStatus should return failure if passed an arbitrary object");
+    t.is((0, status_report_1.getActionsStatus)(null, "an error occurred"), "failure", "getActionsStatus should return failure if passed null and an additional failure cause");
+    t.is((0, status_report_1.getActionsStatus)((0, util_1.wrapError)(new util_1.ConfigurationError("arbitrary error"))), "user-error", "We still recognise a wrapped ConfigurationError as a user error");
+});
 //# sourceMappingURL=status-report.test.js.map

lib/upload-lib.js

@@ -40,10 +40,13 @@ exports.InvalidSarifUploadError = void 0;
 exports.shouldShowCombineSarifFilesDeprecationWarning = shouldShowCombineSarifFilesDeprecationWarning;
 exports.populateRunAutomationDetails = populateRunAutomationDetails;
 exports.findSarifFilesInDir = findSarifFilesInDir;
+exports.readSarifFile = readSarifFile;
 exports.validateSarifFileSchema = validateSarifFileSchema;
 exports.buildPayload = buildPayload;
 exports.uploadFiles = uploadFiles;
 exports.waitForProcessing = waitForProcessing;
+exports.shouldConsiderConfigurationError = shouldConsiderConfigurationError;
+exports.shouldConsiderInvalidRequest = shouldConsiderInvalidRequest;
 exports.validateUniqueCategory = validateUniqueCategory;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
@@ -58,7 +61,7 @@ const api = __importStar(require("./api-client"));
 const api_client_1 = require("./api-client");
 const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
-const diff_filtering_utils_1 = require("./diff-filtering-utils");
+const diff_informed_analysis_utils_1 = require("./diff-informed-analysis-utils");
 const environment_1 = require("./environment");
 const fingerprints = __importStar(require("./fingerprints"));
 const gitUtils = __importStar(require("./git-utils"));
@@ -322,17 +325,24 @@ function countResultsInSarif(sarif) {
     }
     return numResults;
 }
-// Validates that the given file path refers to a valid SARIF file.
-// Throws an error if the file is invalid.
-function validateSarifFileSchema(sarifFilePath, logger) {
-    logger.info(`Validating ${sarifFilePath}`);
-    let sarif;
+function readSarifFile(sarifFilePath) {
     try {
-        sarif = JSON.parse(fs.readFileSync(sarifFilePath, "utf8"));
+        return JSON.parse(fs.readFileSync(sarifFilePath, "utf8"));
     }
     catch (e) {
         throw new InvalidSarifUploadError(`Invalid SARIF. JSON syntax error: ${(0, util_1.getErrorMessage)(e)}`);
     }
+}
+// Validates the given SARIF object and throws an error if the SARIF object is invalid.
+// The file path is only used in error messages to improve clarity.
+function validateSarifFileSchema(sarif, sarifFilePath, logger) {
+    if (areAllRunsProducedByCodeQL([sarif]) &&
+        // We want to validate CodeQL SARIF in testing environments.
+        !util.getTestingEnvironment()) {
+        logger.debug(`Skipping SARIF schema validation for ${sarifFilePath} as all runs are produced by CodeQL.`);
+        return;
+    }
+    logger.info(`Validating ${sarifFilePath}`);
     // eslint-disable-next-line @typescript-eslint/no-require-imports
     const schema = require("../src/sarif-schema-2.1.0.json");
     const result = new jsonschema.Validator().validate(sarif, schema);
@@ -400,19 +410,28 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
     return payloadObj;
 }
 /**
- * Uploads a single SARIF file or a directory of SARIF files depending on what `sarifPath` refers
+ * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
  * to.
  */
-async function uploadFiles(sarifPath, checkoutPath, category, features, logger) {
-    const sarifFiles = getSarifFilePaths(sarifPath);
+async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger) {
+    const sarifPaths = getSarifFilePaths(inputSarifPath);
     logger.startGroup("Uploading results");
-    logger.info(`Processing sarif files: ${JSON.stringify(sarifFiles)}`);
+    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
     const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
-    // Validate that the files we were asked to upload are all valid SARIF files
-    for (const file of sarifFiles) {
-        validateSarifFileSchema(file, logger);
+    let sarif;
+    if (sarifPaths.length > 1) {
+        // Validate that the files we were asked to upload are all valid SARIF files
+        for (const sarifPath of sarifPaths) {
+            const parsedSarif = readSarifFile(sarifPath);
+            validateSarifFileSchema(parsedSarif, sarifPath, logger);
+        }
+        sarif = await combineSarifFilesUsingCLI(sarifPaths, gitHubVersion, features, logger);
+    }
+    else {
+        const sarifPath = sarifPaths[0];
+        sarif = readSarifFile(sarifPath);
+        validateSarifFileSchema(sarif, sarifPath, logger);
     }
-    let sarif = await combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, logger);
     sarif = filterAlertsByDiffRange(logger, sarif);
     sarif = await fingerprints.addFingerprints(sarif, checkoutPath, logger);
     const analysisKey = await api.getAnalysisKey();
@@ -435,7 +454,7 @@ async function uploadFiles(sarifPath, checkoutPath, category, features, logger)
     const numResultInSarif = countResultsInSarif(sarifPayload);
     logger.debug(`Number of results in upload: ${numResultInSarif}`);
     // Make the upload
-    const sarifID = await uploadPayload(payload, (0, repository_1.parseRepositoryNwo)(util.getRequiredEnvParam("GITHUB_REPOSITORY")), logger);
+    const sarifID = await uploadPayload(payload, (0, repository_1.getRepositoryNwo)(), logger);
     logger.endGroup();
     return {
         statusReport: {
@@ -524,9 +543,12 @@ async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
  * Returns whether the provided processing errors are a configuration error.
  */
 function shouldConsiderConfigurationError(processingErrors) {
+    const expectedConfigErrors = [
+        "CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled",
+        "rejecting delivery as the repository has too many logical alerts",
+    ];
     return (processingErrors.length === 1 &&
-        processingErrors[0] ===
-            "CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled");
+        expectedConfigErrors.some((msg) => processingErrors[0].includes(msg)));
 }
 /**
  * Returns whether the provided processing errors are the result of an invalid SARIF upload request.
@@ -610,7 +632,7 @@ class InvalidSarifUploadError extends Error {
 }
 exports.InvalidSarifUploadError = InvalidSarifUploadError;
 function filterAlertsByDiffRange(logger, sarif) {
-    const diffRanges = (0, diff_filtering_utils_1.readDiffRangesJsonFile)(logger);
+    const diffRanges = (0, diff_informed_analysis_utils_1.readDiffRangesJsonFile)(logger);
     if (!diffRanges?.length) {
         return sarif;
     }

lib/upload-lib.test.js

@@ -49,11 +49,11 @@ ava_1.default.beforeEach(() => {
 });
 (0, ava_1.default)("validateSarifFileSchema - valid", (t) => {
     const inputFile = `${__dirname}/../src/testdata/valid-sarif.sarif`;
-    t.notThrows(() => uploadLib.validateSarifFileSchema(inputFile, (0, logging_1.getRunnerLogger)(true)));
+    t.notThrows(() => uploadLib.validateSarifFileSchema(uploadLib.readSarifFile(inputFile), inputFile, (0, logging_1.getRunnerLogger)(true)));
 });
 (0, ava_1.default)("validateSarifFileSchema - invalid", (t) => {
     const inputFile = `${__dirname}/../src/testdata/invalid-sarif.sarif`;
-    t.throws(() => uploadLib.validateSarifFileSchema(inputFile, (0, logging_1.getRunnerLogger)(true)));
+    t.throws(() => uploadLib.validateSarifFileSchema(uploadLib.readSarifFile(inputFile), inputFile, (0, logging_1.getRunnerLogger)(true)));
 });
 (0, ava_1.default)("validate correct payload used for push, PR merge commit, and PR head", async (t) => {
     process.env["GITHUB_EVENT_NAME"] = "push";
@@ -202,7 +202,7 @@ ava_1.default.beforeEach(() => {
         },
     };
     const sarifFile = `${__dirname}/../src/testdata/with-invalid-uri.sarif`;
-    uploadLib.validateSarifFileSchema(sarifFile, mockLogger);
+    uploadLib.validateSarifFileSchema(uploadLib.readSarifFile(sarifFile), sarifFile, mockLogger);
     t.deepEqual(loggedMessages.length, 3);
     t.deepEqual(loggedMessages[1], "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].tool.driver.rules[0].helpUri'.", "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri'.");
 });
@@ -244,6 +244,41 @@ ava_1.default.beforeEach(() => {
         type: util_1.GitHubVariant.DOTCOM,
     }));
 });
+(0, ava_1.default)("shouldConsiderConfigurationError correctly detects configuration errors", (t) => {
+    const error1 = [
+        "CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled",
+    ];
+    t.true(uploadLib.shouldConsiderConfigurationError(error1));
+    const error2 = [
+        "rejecting delivery as the repository has too many logical alerts",
+    ];
+    t.true(uploadLib.shouldConsiderConfigurationError(error2));
+    // We fail cases where we get > 1 error messages back
+    const error3 = [
+        "rejecting delivery as the repository has too many alerts",
+        "extra error message",
+    ];
+    t.false(uploadLib.shouldConsiderConfigurationError(error3));
+});
+(0, ava_1.default)("shouldConsiderInvalidRequest returns correct recognises processing errors", (t) => {
+    const error1 = [
+        "rejecting SARIF",
+        "an invalid URI was provided as a SARIF location",
+    ];
+    t.true(uploadLib.shouldConsiderInvalidRequest(error1));
+    const error2 = [
+        "locationFromSarifResult: expected artifact location",
+        "an invalid URI was provided as a SARIF location",
+    ];
+    t.true(uploadLib.shouldConsiderInvalidRequest(error2));
+    // We expect ALL errors to be of processing errors, for the outcome to be classified as
+    // an invalid SARIF upload error.
+    const error3 = [
+        "could not convert rules: invalid security severity value, is not a number",
+        "an unknown error occurred",
+    ];
+    t.false(uploadLib.shouldConsiderInvalidRequest(error3));
+});
 function createMockSarif(id, tool) {
     return {
         runs: [

lib/upload-sarif-action.js

@@ -61,7 +61,7 @@ async function run() {
     (0, util_1.checkActionVersion)((0, actions_util_1.getActionVersion)(), gitHubVersion);
     // Make inputs accessible in the `post` step.
     actionsUtil.persistInputs();
-    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    const repositoryNwo = (0, repository_1.getRepositoryNwo)();
     const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
     const startingStatusReportBase = await (0, status_report_1.createStatusReportBase)(status_report_1.ActionName.UploadSarif, "starting", startedAt, undefined, await (0, util_1.checkDiskUsage)(logger), logger);
     if (startingStatusReportBase !== undefined) {
@@ -75,12 +75,12 @@ async function run() {
             core.debug("In test mode. Waiting for processing is disabled.");
         }
         else if (actionsUtil.getRequiredInput("wait-for-processing") === "true") {
-            await upload_lib.waitForProcessing((0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY")), uploadResult.sarifID, logger);
+            await upload_lib.waitForProcessing((0, repository_1.getRepositoryNwo)(), uploadResult.sarifID, logger);
         }
         await sendSuccessStatusReport(startedAt, uploadResult.statusReport, logger);
     }
     catch (unwrappedError) {
-        const error = !(0, status_report_1.isFirstPartyAnalysis)(status_report_1.ActionName.UploadSarif) &&
+        const error = (0, status_report_1.isThirdPartyAnalysis)(status_report_1.ActionName.UploadSarif) &&
             unwrappedError instanceof upload_lib.InvalidSarifUploadError
             ? new util_1.ConfigurationError(unwrappedError.message)
             : (0, util_1.wrapError)(unwrappedError);

lib/upload-sarif-action.js.map

@@ -1 +1 @@
-{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAAyE;AACzE,6CAAgD;AAChD,mDAA2C;AAC3C,uCAAqD;AACrD,6CAAkD;AAClD,mDAOyB;AACzB,yDAA2C;AAC3C,iCASgB;AAMhB,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C,EAC1C,MAAc;IAEd,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,WAAW,EACtB,SAAS,EACT,SAAS,EACT,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAA4B;YAC5C,GAAG,gBAAgB;YACnB,GAAG,WAAW;SACf,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,IAAA,4BAAqB,EAAC,IAAA,+BAAgB,GAAE,CAAC,CAAC;IAE1C,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,IAAA,yBAAkB,EAAC,IAAA,+BAAgB,GAAE,EAAE,aAAa,CAAC,CAAC;IAEtD,6CAA6C;IAC7C,WAAW,CAAC,aAAa,EAAE,CAAC;IAE5B,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IAEF,MAAM,wBAAwB,GAAG,MAAM,IAAA,sCAAsB,EAC3D,0BAAU,CAAC,WAAW,EACtB,UAAU,EACV,SAAS,EACT,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;IACF,IAAI,wBAAwB,KAAK,SAAS,EAAE,CAAC;QAC3C,MAAM,IAAA,gCAAgB,EAAC,wBAAwB,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,WAAW,CAC/C,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,WAAW,CAAC,gBAAgB,CAAC,eAAe,CAAC,EAC7C,WAAW,CAAC,gBAAgB,CAAC,UAAU,CAAC,EACxC,QAAQ,EACR,MAAM,CACP,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QAEjD,qEAAqE;QACrE,IAAI,IAAA,mBAAY,GAAE,EAAE,CAAC;YACnB,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;QAClE,CAAC;aAAM,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE,CAAC;YAC1E,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,+BAAkB,EAAC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,EAC5D,YAAY,CAAC,OAAO,EACpB,MAAM,CACP,CAAC;QACJ,CAAC;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAC9E,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GACT,CAAC,IAAA,oCAAoB,EAAC,0BAAU,CAAC,WAAW,CAAC;YAC7C,cAAc,YAAY,UAAU,CAAC,uBAAuB;YAC1D,CAAC,CAAC,IAAI,yBAAkB,CAAC,cAAc,CAAC,OAAO,CAAC;YAChD,CAAC,CAAC,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QAChC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAExB,MAAM,qBAAqB,GAAG,MAAM,IAAA,sCAAsB,EACxD,0BAAU,CAAC,WAAW,EACtB,IAAA,gCAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,OAAO,EACP,KAAK,CAAC,KAAK,CACZ,CAAC;QACF,IAAI,qBAAqB,KAAK,SAAS,EAAE,CAAC;YACxC,MAAM,IAAA,gCAAgB,EAAC,qBAAqB,CAAC,CAAC;QAChD,CAAC;QACD,OAAO;IACT,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,EAAE,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,sCAAsC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC/D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"upload-sarif-action.js","sourceRoot":"","sources":["../src/upload-sarif-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAAyE;AACzE,6CAAgD;AAChD,mDAA2C;AAC3C,uCAAqD;AACrD,6CAAgD;AAChD,mDAOyB;AACzB,yDAA2C;AAC3C,iCAQgB;AAMhB,KAAK,UAAU,uBAAuB,CACpC,SAAe,EACf,WAA0C,EAC1C,MAAc;IAEd,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,0BAAU,CAAC,WAAW,EACtB,SAAS,EACT,SAAS,EACT,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;IACF,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,GAA4B;YAC5C,GAAG,gBAAgB;YACnB,GAAG,WAAW;SACf,CAAC;QACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,IAAA,4BAAqB,EAAC,IAAA,+BAAgB,GAAE,CAAC,CAAC;IAE1C,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,IAAA,yBAAkB,EAAC,IAAA,+BAAgB,GAAE,EAAE,aAAa,CAAC,CAAC;IAEtD,6CAA6C;IAC7C,WAAW,CAAC,aAAa,EAAE,CAAC;IAE5B,MAAM,aAAa,GAAG,IAAA,6BAAgB,GAAE,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IAEF,MAAM,wBAAwB,GAAG,MAAM,IAAA,sCAAsB,EAC3D,0BAAU,CAAC,WAAW,EACtB,UAAU,EACV,SAAS,EACT,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,CACP,CAAC;IACF,IAAI,wBAAwB,KAAK,SAAS,EAAE,CAAC;QAC3C,MAAM,IAAA,gCAAgB,EAAC,wBAAwB,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,WAAW,CAC/C,WAAW,CAAC,gBAAgB,CAAC,YAAY,CAAC,EAC1C,WAAW,CAAC,gBAAgB,CAAC,eAAe,CAAC,EAC7C,WAAW,CAAC,gBAAgB,CAAC,UAAU,CAAC,EACxC,QAAQ,EACR,MAAM,CACP,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;QAEjD,qEAAqE;QACrE,IAAI,IAAA,mBAAY,GAAE,EAAE,CAAC;YACnB,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;QAClE,CAAC;aAAM,IAAI,WAAW,CAAC,gBAAgB,CAAC,qBAAqB,CAAC,KAAK,MAAM,EAAE,CAAC;YAC1E,MAAM,UAAU,CAAC,iBAAiB,CAChC,IAAA,6BAAgB,GAAE,EAClB,YAAY,CAAC,OAAO,EACpB,MAAM,CACP,CAAC;QACJ,CAAC;QACD,MAAM,uBAAuB,CAAC,SAAS,EAAE,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAC9E,CAAC;IAAC,OAAO,cAAc,EAAE,CAAC;QACxB,MAAM,KAAK,GACT,IAAA,oCAAoB,EAAC,0BAAU,CAAC,WAAW,CAAC;YAC5C,cAAc,YAAY,UAAU,CAAC,uBAAuB;YAC1D,CAAC,CAAC,IAAI,yBAAkB,CAAC,cAAc,CAAC,OAAO,CAAC;YAChD,CAAC,CAAC,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QAChC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAExB,MAAM,qBAAqB,GAAG,MAAM,IAAA,sCAAsB,EACxD,0BAAU,CAAC,WAAW,EACtB,IAAA,gCAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,MAAM,EACN,OAAO,EACP,KAAK,CAAC,KAAK,CACZ,CAAC;QACF,IAAI,qBAAqB,KAAK,SAAS,EAAE,CAAC;YACxC,MAAM,IAAA,gCAAgB,EAAC,qBAAqB,CAAC,CAAC;QAChD,CAAC;QACD,OAAO;IACT,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,EAAE,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,SAAS,CACZ,sCAAsC,IAAA,sBAAe,EAAC,KAAK,CAAC,EAAE,CAC/D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/util.js

@@ -62,6 +62,7 @@ exports.bundleDb = bundleDb;
 exports.delay = delay;
 exports.isGoodVersion = isGoodVersion;
 exports.isInTestMode = isInTestMode;
+exports.getTestingEnvironment = getTestingEnvironment;
 exports.doesDirectoryExist = doesDirectoryExist;
 exports.listFolder = listFolder;
 exports.tryGetFolderBytes = tryGetFolderBytes;
@@ -577,15 +578,27 @@ async function delay(milliseconds, opts) {
 function isGoodVersion(versionSpec) {
     return !BROKEN_VERSIONS.includes(versionSpec);
 }
-/*
- * Returns whether we are in test mode.
+/**
+ * Returns whether we are in test mode. This is used by CodeQL Action PR checks.
  *
  * In test mode, we don't upload SARIF results or status reports to the GitHub API.
  */
 function isInTestMode() {
     return process.env[environment_1.EnvVar.TEST_MODE] === "true";
 }
-/*
+/**
+ * Get the testing environment.
+ *
+ * This is set if the CodeQL Action is running in a non-production environment.
+ */
+function getTestingEnvironment() {
+    const testingEnvironment = process.env[environment_1.EnvVar.TESTING_ENVIRONMENT] || "";
+    if (testingEnvironment === "") {
+        return undefined;
+    }
+    return testingEnvironment;
+}
+/**
  * Returns whether the path in the argument represents an existing directory.
  */
 function doesDirectoryExist(dirPath) {

lib/workflow.js

@@ -51,7 +51,6 @@ const zlib_1 = __importDefault(require("zlib"));
 const core = __importStar(require("@actions/core"));
 const yaml = __importStar(require("js-yaml"));
 const api = __importStar(require("./api-client"));
-const environment_1 = require("./environment");
 const util_1 = require("./util");
 function toCodedErrors(errors) {
     return Object.entries(errors).reduce((acc, [code, message]) => {
@@ -274,8 +273,7 @@ function getInputOrThrow(workflow, jobName, actionName, inputName, matrixVars) {
  * This allows us to test workflow parsing functionality as a CodeQL Action PR check.
  */
 function getAnalyzeActionName() {
-    if ((0, util_1.isInTestMode)() ||
-        process.env[environment_1.EnvVar.TESTING_ENVIRONMENT] === "codeql-action-pr-checks") {
+    if ((0, util_1.isInTestMode)() || (0, util_1.getTestingEnvironment)() === "codeql-action-pr-checks") {
         return "./analyze";
     }
     else {

node_modules/@actions/artifact/node_modules/@octokit/types/LICENSE

@@ -0,0 +1,7 @@
+MIT License Copyright (c) 2019 Octokit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

node_modules/@actions/artifact/node_modules/@octokit/types/README.md

@@ -0,0 +1,65 @@
+# types.ts
+
+> Shared TypeScript definitions for Octokit projects
+
+[![@latest](https://img.shields.io/npm/v/@octokit/types.svg)](https://www.npmjs.com/package/@octokit/types)
+[![Build Status](https://github.com/octokit/types.ts/workflows/Test/badge.svg)](https://github.com/octokit/types.ts/actions?workflow=Test)
+
+<!-- toc -->
+
+- [Usage](#usage)
+- [Examples](#examples)
+  - [Get parameter and response data types for a REST API endpoint](#get-parameter-and-response-data-types-for-a-rest-api-endpoint)
+  - [Get response types from endpoint methods](#get-response-types-from-endpoint-methods)
+- [Contributing](#contributing)
+- [License](#license)
+
+<!-- tocstop -->
+
+## Usage
+
+See all exported types at https://octokit.github.io/types.ts
+
+## Examples
+
+### Get parameter and response data types for a REST API endpoint
+
+```ts
+import { Endpoints } from "@octokit/types";
+
+type listUserReposParameters =
+  Endpoints["GET /repos/{owner}/{repo}"]["parameters"];
+type listUserReposResponse = Endpoints["GET /repos/{owner}/{repo}"]["response"];
+
+async function listRepos(
+  options: listUserReposParameters,
+): listUserReposResponse["data"] {
+  // ...
+}
+```
+
+### Get response types from endpoint methods
+
+```ts
+import {
+  GetResponseTypeFromEndpointMethod,
+  GetResponseDataTypeFromEndpointMethod,
+} from "@octokit/types";
+import { Octokit } from "@octokit/rest";
+
+const octokit = new Octokit();
+type CreateLabelResponseType = GetResponseTypeFromEndpointMethod<
+  typeof octokit.issues.createLabel
+>;
+type CreateLabelResponseDataType = GetResponseDataTypeFromEndpointMethod<
+  typeof octokit.issues.createLabel
+>;
+```
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md)
+
+## License
+
+[MIT](LICENSE)

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/AuthInterface.d.ts

@@ -0,0 +1,31 @@
+import type { EndpointOptions } from "./EndpointOptions.js";
+import type { OctokitResponse } from "./OctokitResponse.js";
+import type { RequestInterface } from "./RequestInterface.js";
+import type { RequestParameters } from "./RequestParameters.js";
+import type { Route } from "./Route.js";
+/**
+ * Interface to implement complex authentication strategies for Octokit.
+ * An object Implementing the AuthInterface can directly be passed as the
+ * `auth` option in the Octokit constructor.
+ *
+ * For the official implementations of the most common authentication
+ * strategies, see https://github.com/octokit/auth.js
+ */
+export interface AuthInterface<AuthOptions extends any[], Authentication extends any> {
+    (...args: AuthOptions): Promise<Authentication>;
+    hook: {
+        /**
+         * Sends a request using the passed `request` instance
+         *
+         * @param {object} endpoint Must set `method` and `url`. Plus URL, query or body parameters, as well as `headers`, `mediaType.{format|previews}`, `request`, or `baseUrl`.
+         */
+        <T = any>(request: RequestInterface, options: EndpointOptions): Promise<OctokitResponse<T>>;
+        /**
+         * Sends a request using the passed `request` instance
+         *
+         * @param {string} route Request method + URL. Example: `'GET /orgs/{org}'`
+         * @param {object} [parameters] URL, query or body parameters, as well as `headers`, `mediaType.{format|previews}`, `request`, or `baseUrl`.
+         */
+        <T = any>(request: RequestInterface, route: Route, parameters?: RequestParameters): Promise<OctokitResponse<T>>;
+    };
+}

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/EndpointDefaults.d.ts

@@ -0,0 +1,21 @@
+import type { RequestHeaders } from "./RequestHeaders.js";
+import type { RequestMethod } from "./RequestMethod.js";
+import type { RequestParameters } from "./RequestParameters.js";
+import type { Url } from "./Url.js";
+/**
+ * The `.endpoint()` method is guaranteed to set all keys defined by RequestParameters
+ * as well as the method property.
+ */
+export type EndpointDefaults = RequestParameters & {
+    baseUrl: Url;
+    method: RequestMethod;
+    url?: Url;
+    headers: RequestHeaders & {
+        accept: string;
+        "user-agent": string;
+    };
+    mediaType: {
+        format: string;
+        previews?: string[];
+    };
+};

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/EndpointInterface.d.ts

@@ -0,0 +1,65 @@
+import type { EndpointDefaults } from "./EndpointDefaults.js";
+import type { RequestOptions } from "./RequestOptions.js";
+import type { RequestParameters } from "./RequestParameters.js";
+import type { Route } from "./Route.js";
+import type { Endpoints } from "./generated/Endpoints.js";
+export interface EndpointInterface<D extends object = object> {
+    /**
+     * Transforms a GitHub REST API endpoint into generic request options
+     *
+     * @param {object} endpoint Must set `url` unless it's set defaults. Plus URL, query or body parameters, as well as `headers`, `mediaType.{format|previews}`, `request`, or `baseUrl`.
+     */
+    <O extends RequestParameters = RequestParameters>(options: O & {
+        method?: string;
+    } & ("url" extends keyof D ? {
+        url?: string;
+    } : {
+        url: string;
+    })): RequestOptions & Pick<D & O, keyof RequestOptions>;
+    /**
+     * Transforms a GitHub REST API endpoint into generic request options
+     *
+     * @param {string} route Request method + URL. Example: `'GET /orgs/{org}'`
+     * @param {object} [parameters] URL, query or body parameters, as well as `headers`, `mediaType.{format|previews}`, `request`, or `baseUrl`.
+     */
+    <R extends Route, P extends RequestParameters = R extends keyof Endpoints ? Endpoints[R]["parameters"] & RequestParameters : RequestParameters>(route: keyof Endpoints | R, parameters?: P): (R extends keyof Endpoints ? Endpoints[R]["request"] : RequestOptions) & Pick<P, keyof RequestOptions>;
+    /**
+     * Object with current default route and parameters
+     */
+    DEFAULTS: D & EndpointDefaults;
+    /**
+     * Returns a new `endpoint` interface with new defaults
+     */
+    defaults: <O extends RequestParameters = RequestParameters>(newDefaults: O) => EndpointInterface<D & O>;
+    merge: {
+        /**
+         * Merges current endpoint defaults with passed route and parameters,
+         * without transforming them into request options.
+         *
+         * @param {string} route Request method + URL. Example: `'GET /orgs/{org}'`
+         * @param {object} [parameters] URL, query or body parameters, as well as `headers`, `mediaType.{format|previews}`, `request`, or `baseUrl`.
+         *
+         */
+        <R extends Route, P extends RequestParameters = R extends keyof Endpoints ? Endpoints[R]["parameters"] & RequestParameters : RequestParameters>(route: keyof Endpoints | R, parameters?: P): D & (R extends keyof Endpoints ? Endpoints[R]["request"] & Endpoints[R]["parameters"] : EndpointDefaults) & P;
+        /**
+         * Merges current endpoint defaults with passed route and parameters,
+         * without transforming them into request options.
+         *
+         * @param {object} endpoint Must set `method` and `url`. Plus URL, query or body parameters, as well as `headers`, `mediaType.{format|previews}`, `request`, or `baseUrl`.
+         */
+        <P extends RequestParameters = RequestParameters>(options: P): EndpointDefaults & D & P;
+        /**
+         * Returns current default options.
+         *
+         * @deprecated use endpoint.DEFAULTS instead
+         */
+        (): D & EndpointDefaults;
+    };
+    /**
+     * Stateless method to turn endpoint options into request options.
+     * Calling `endpoint(options)` is the same as calling `endpoint.parse(endpoint.merge(options))`.
+     *
+     * @param {object} options `method`, `url`. Plus URL, query or body parameters, as well as `headers`, `mediaType.{format|previews}`, `request`, or `baseUrl`.
+     */
+    parse: <O extends EndpointDefaults = EndpointDefaults>(options: O) => RequestOptions & Pick<O, keyof RequestOptions>;
+}

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/EndpointOptions.d.ts

@@ -0,0 +1,7 @@
+import type { RequestMethod } from "./RequestMethod.js";
+import type { Url } from "./Url.js";
+import type { RequestParameters } from "./RequestParameters.js";
+export type EndpointOptions = RequestParameters & {
+    method: RequestMethod;
+    url: Url;
+};

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/Fetch.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Browser's fetch method (or compatible such as fetch-mock)
+ */
+export type Fetch = any;

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/GetResponseTypeFromEndpointMethod.d.ts

@@ -0,0 +1,5 @@
+type Unwrap<T> = T extends Promise<infer U> ? U : T;
+type AnyFunction = (...args: any[]) => any;
+export type GetResponseTypeFromEndpointMethod<T extends AnyFunction> = Unwrap<ReturnType<T>>;
+export type GetResponseDataTypeFromEndpointMethod<T extends AnyFunction> = Unwrap<ReturnType<T>>["data"];
+export {};

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/OctokitResponse.d.ts

@@ -0,0 +1,17 @@
+import type { ResponseHeaders } from "./ResponseHeaders.js";
+import type { Url } from "./Url.js";
+export interface OctokitResponse<T, S extends number = number> {
+    headers: ResponseHeaders;
+    /**
+     * http response code
+     */
+    status: S;
+    /**
+     * URL of response after all redirects
+     */
+    url: Url;
+    /**
+     * Response data as documented in the REST API reference documentation at https://docs.github.com/rest/reference
+     */
+    data: T;
+}

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/RequestError.d.ts

@@ -0,0 +1,11 @@
+export type RequestError = {
+    name: string;
+    status: number;
+    documentation_url: string;
+    errors?: Array<{
+        resource: string;
+        code: string;
+        field: string;
+        message?: string;
+    }>;
+};

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/RequestHeaders.d.ts

@@ -0,0 +1,15 @@
+export type RequestHeaders = {
+    /**
+     * Avoid setting `headers.accept`, use `mediaType.{format|previews}` option instead.
+     */
+    accept?: string;
+    /**
+     * Use `authorization` to send authenticated request, remember `token ` / `bearer ` prefixes. Example: `token 1234567890abcdef1234567890abcdef12345678`
+     */
+    authorization?: string;
+    /**
+     * `user-agent` is set do a default and can be overwritten as needed.
+     */
+    "user-agent"?: string;
+    [header: string]: string | number | undefined;
+};

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/RequestInterface.d.ts

@@ -0,0 +1,34 @@
+import type { EndpointInterface } from "./EndpointInterface.js";
+import type { OctokitResponse } from "./OctokitResponse.js";
+import type { RequestParameters } from "./RequestParameters.js";
+import type { Route } from "./Route.js";
+import type { Endpoints } from "./generated/Endpoints.js";
+export interface RequestInterface<D extends object = object> {
+    /**
+     * Sends a request based on endpoint options
+     *
+     * @param {object} endpoint Must set `method` and `url`. Plus URL, query or body parameters, as well as `headers`, `mediaType.{format|previews}`, `request`, or `baseUrl`.
+     */
+    <T = any, O extends RequestParameters = RequestParameters>(options: O & {
+        method?: string;
+    } & ("url" extends keyof D ? {
+        url?: string;
+    } : {
+        url: string;
+    })): Promise<OctokitResponse<T>>;
+    /**
+     * Sends a request based on endpoint options
+     *
+     * @param {string} route Request method + URL. Example: `'GET /orgs/{org}'`
+     * @param {object} [parameters] URL, query or body parameters, as well as `headers`, `mediaType.{format|previews}`, `request`, or `baseUrl`.
+     */
+    <R extends Route>(route: keyof Endpoints | R, options?: R extends keyof Endpoints ? Endpoints[R]["parameters"] & RequestParameters : RequestParameters): R extends keyof Endpoints ? Promise<Endpoints[R]["response"]> : Promise<OctokitResponse<any>>;
+    /**
+     * Returns a new `request` with updated route and parameters
+     */
+    defaults: <O extends RequestParameters = RequestParameters>(newDefaults: O) => RequestInterface<D & O>;
+    /**
+     * Octokit endpoint API, see {@link https://github.com/octokit/endpoint.js|@octokit/endpoint}
+     */
+    endpoint: EndpointInterface<D>;
+}

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/RequestMethod.d.ts

@@ -0,0 +1,4 @@
+/**
+ * HTTP Verb supported by GitHub's REST API
+ */
+export type RequestMethod = "DELETE" | "GET" | "HEAD" | "PATCH" | "POST" | "PUT";

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/RequestOptions.d.ts

@@ -0,0 +1,14 @@
+import type { RequestHeaders } from "./RequestHeaders.js";
+import type { RequestMethod } from "./RequestMethod.js";
+import type { RequestRequestOptions } from "./RequestRequestOptions.js";
+import type { Url } from "./Url.js";
+/**
+ * Generic request options as they are returned by the `endpoint()` method
+ */
+export type RequestOptions = {
+    method: RequestMethod;
+    url: Url;
+    headers: RequestHeaders;
+    body?: any;
+    request?: RequestRequestOptions;
+};

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/RequestParameters.d.ts

@@ -0,0 +1,55 @@
+import type { RequestRequestOptions } from "./RequestRequestOptions.js";
+import type { RequestHeaders } from "./RequestHeaders.js";
+import type { Url } from "./Url.js";
+/**
+ * Parameters that can be passed into `request(route, parameters)` or `endpoint(route, parameters)` methods
+ */
+export type RequestParameters = {
+    /**
+     * Base URL to be used when a relative URL is passed, such as `/orgs/{org}`.
+     * If `baseUrl` is `https://enterprise.acme-inc.com/api/v3`, then the request
+     * will be sent to `https://enterprise.acme-inc.com/api/v3/orgs/{org}`.
+     */
+    baseUrl?: Url;
+    /**
+     * HTTP headers. Use lowercase keys.
+     */
+    headers?: RequestHeaders;
+    /**
+     * Media type options, see {@link https://developer.github.com/v3/media/|GitHub Developer Guide}
+     */
+    mediaType?: {
+        /**
+         * `json` by default. Can be `raw`, `text`, `html`, `full`, `diff`, `patch`, `sha`, `base64`. Depending on endpoint
+         */
+        format?: string;
+        /**
+         * Custom media type names of {@link https://docs.github.com/en/graphql/overview/schema-previews|GraphQL API Previews} without the `-preview` suffix.
+         * Example for single preview: `['squirrel-girl']`.
+         * Example for multiple previews: `['squirrel-girl', 'mister-fantastic']`.
+         */
+        previews?: string[];
+    };
+    /**
+     * The name of the operation to execute.
+     * Required only if multiple operations are present in the query document.
+     */
+    operationName?: string;
+    /**
+     * The GraphQL query string to be sent in the request.
+     * This is required and must contain a valid GraphQL document.
+     */
+    query?: string;
+    /**
+     * Pass custom meta information for the request. The `request` object will be returned as is.
+     */
+    request?: RequestRequestOptions;
+    /**
+     * Any additional parameter will be passed as follows
+     * 1. URL parameter if `':parameter'` or `{parameter}` is part of `url`
+     * 2. Query parameter if `method` is `'GET'` or `'HEAD'`
+     * 3. Request body if `parameter` is `'data'`
+     * 4. JSON in the request body in the form of `body[parameter]` unless `parameter` key is `'data'`
+     */
+    [parameter: string]: unknown;
+};

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/RequestRequestOptions.d.ts

@@ -0,0 +1,20 @@
+import type { Fetch } from "./Fetch.js";
+/**
+ * Octokit-specific request options which are ignored for the actual request, but can be used by Octokit or plugins to manipulate how the request is sent or how a response is handled
+ */
+export type RequestRequestOptions = {
+    /**
+     * Custom replacement for built-in fetch method. Useful for testing or request hooks.
+     */
+    fetch?: Fetch;
+    /**
+     * Use an `AbortController` instance to cancel a request. In node you can only cancel streamed requests.
+     */
+    signal?: AbortSignal;
+    /**
+     * If set to `false`, the response body will not be parsed and will be returned as a stream.
+     */
+    parseSuccessResponseBody?: boolean;
+    redirect?: "follow" | "error" | "manual";
+    [option: string]: any;
+};

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/ResponseHeaders.d.ts

@@ -0,0 +1,21 @@
+export type ResponseHeaders = {
+    "cache-control"?: string;
+    "content-length"?: number;
+    "content-type"?: string;
+    date?: string;
+    etag?: string;
+    "last-modified"?: string;
+    link?: string;
+    location?: string;
+    server?: string;
+    status?: string;
+    vary?: string;
+    "x-accepted-github-permissions"?: string;
+    "x-github-mediatype"?: string;
+    "x-github-request-id"?: string;
+    "x-oauth-scopes"?: string;
+    "x-ratelimit-limit"?: string;
+    "x-ratelimit-remaining"?: string;
+    "x-ratelimit-reset"?: string;
+    [header: string]: string | number | undefined;
+};

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/Route.d.ts

@@ -0,0 +1,4 @@
+/**
+ * String consisting of an optional HTTP method and relative path or absolute URL. Examples: `'/orgs/{org}'`, `'PUT /orgs/{org}'`, `GET https://example.com/foo/bar`
+ */
+export type Route = string;

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/StrategyInterface.d.ts

@@ -0,0 +1,4 @@
+import type { AuthInterface } from "./AuthInterface.js";
+export interface StrategyInterface<StrategyOptions extends any[], AuthOptions extends any[], Authentication extends object> {
+    (...args: StrategyOptions): AuthInterface<AuthOptions, Authentication>;
+}

node_modules/@actions/artifact/node_modules/@octokit/types/dist-types/Url.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Relative or absolute URL. Examples: `'/orgs/{org}'`, `https://example.com/foo/bar`
+ */
+export type Url = string;