Merge pull request #2052 from github/update-v3.22.12-40cb08c12

Merge main into releases/v3

.github/actions/release-branches/release-branches.py

@@ -1,12 +1,19 @@
 import argparse
 import json
 import os
-import subprocess
+import configparser
 
 # Name of the remote
 ORIGIN = 'origin'
 
-OLDEST_SUPPORTED_MAJOR_VERSION = 2
+script_dir = os.path.dirname(os.path.realpath(__file__))
+grandparent_dir = os.path.dirname(os.path.dirname(script_dir))
+
+config = configparser.ConfigParser()
+with open(os.path.join(grandparent_dir, 'releases.ini')) as stream:
+    config.read_string('[default]\n' + stream.read())
+
+OLDEST_SUPPORTED_MAJOR_VERSION = int(config['default']['OLDEST_SUPPORTED_MAJOR_VERSION'])
 
 def main():
 

.github/releases.ini

@@ -0,0 +1 @@
+OLDEST_SUPPORTED_MAJOR_VERSION=2

.github/workflows/script/update-required-checks.sh

@@ -2,6 +2,11 @@
 # Update the required checks based on the current branch.
 # Typically, this will be main.
 
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+REPO_DIR="$(dirname "$SCRIPT_DIR")"
+GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
+source "$GRANDPARENT_DIR/releases.ini"
+
 if ! gh auth status 2>/dev/null; then
   gh auth status
   echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
@@ -29,7 +34,22 @@ echo "$CHECKS" | jq
 
 echo "{\"contexts\": ${CHECKS}}" > checks.json
 
-for BRANCH in main releases/v2; do
+echo "Updating main"
+gh api --silent -X "PATCH" "repos/github/codeql-action/branches/main/protection/required_status_checks" --input checks.json
+
+# list all branchs on origin remote matching releases/v*
+BRANCHES="$(git ls-remote --heads origin 'releases/v*' | sed 's?.*refs/heads/??' | sort -V)"
+
+for BRANCH in $BRANCHES; do
+
+  # strip exact 'releases/v' prefix from $BRANCH using count of characters
+  VERSION="${BRANCH:10}"
+
+  if [ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]; then
+    echo "Skipping $BRANCH"
+    continue
+  fi
+
   echo "Updating $BRANCH"
   gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
 done

CHANGELOG.md

@@ -4,9 +4,9 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
 
-## [UNRELEASED]
+## 3.22.12 - 22 Dec 2023
 
-No user facing changes.
+- Update default CodeQL bundle version to 2.15.5. [#2047](https://github.com/github/codeql-action/pull/2047)
 
 ## 3.22.11 - 13 Dec 2023
 

CONTRIBUTING.md

@@ -76,7 +76,9 @@ Since the `codeql-action` runs most of its testing through individual Actions wo
 
 1. By default, this script retrieves the checks from the latest SHA on `main`, so make sure that your `main` branch is up to date.
 2. Run the script. If there's a reason to, you can pass in a different SHA as a CLI argument.
-3. After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v1`, and `v2` have been updated.
+3. After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v2`, and `v3` have been updated.
+
+Note that any updates to checks need to be backported to the `releases/v2` branch, in order to maintain the same set of names for required checks.
 
 ## Deprecating a CodeQL version (write access required)
 
@@ -111,8 +113,8 @@ To deprecate an older version of the Action:
    - Add a changelog note announcing the deprecation.
    - Implement an Actions warning for customers using the deprecated version.
 1. Wait for the deprecation period to pass.
-1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported. 
-1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [release-branches.py](.github/actions/release-branches/release-branches.py).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
+1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported.
+1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [releases.ini](.github/releases.ini).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
 
 ## Resources
 

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.15.4",
-    "cliVersion": "2.15.4",
-    "priorBundleVersion": "codeql-bundle-v2.15.3",
-    "priorCliVersion": "2.15.3"
+    "bundleVersion": "codeql-bundle-v2.15.5",
+    "cliVersion": "2.15.5",
+    "priorBundleVersion": "codeql-bundle-v2.15.4",
+    "priorCliVersion": "2.15.4"
 }

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.15.4",
-  "cliVersion": "2.15.4",
-  "priorBundleVersion": "codeql-bundle-v2.15.3",
-  "priorCliVersion": "2.15.3"
+  "bundleVersion": "codeql-bundle-v2.15.5",
+  "cliVersion": "2.15.5",
+  "priorBundleVersion": "codeql-bundle-v2.15.4",
+  "priorCliVersion": "2.15.4"
 }