Merge pull request #1444 from github/henrymercer/reporting-failed-run-improvements

Improve reporting failed runs via SARIF

.github/setup-swift/action.yml

@@ -0,0 +1,32 @@
+name: "Set up Swift"
+description: Performs necessary steps to set up appropriate Swift version.
+inputs:
+  codeql-path:
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Get Swift version
+      id: get_swift_version
+      # We don't support Swift on Windows or prior versions of CLI.
+      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+      shell: bash
+      env: 
+        CODEQL_PATH: ${{inputs.codeql-path}}
+      run: |
+        if [ $RUNNER_OS = "macOS" ]; then
+          PLATFORM="osx64"
+        else # We do not run this step on Windows.
+          PLATFORM="linux64"
+        fi 
+        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
+        VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/$PLATFORM/extractor" --version | awk '/version/ { print $3 }')"
+        # Specify 5.7.0, otherwise setup Action will default to latest minor version. 
+        if [ $VERSION = "5.7" ]; then
+          VERSION="5.7.0"
+        fi
+        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
+    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
+      if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+      with:
+        swift-version: "${{steps.get_swift_version.outputs.version}}"

.github/workflows/__export-file-baseline-information.yml

@@ -42,18 +42,16 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
-    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
-    # Windows doesn't support Swift, and only macOS latest and nightly-latest support Swift 5.7.1.
-      if: runner.os == 'Linux' || (runner.os == 'macOS' && matrix.version == 'cached')
-      with:
-        swift-version: 5.7.0
     - uses: ./../action/init
+      id: init
       with:
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
       env:
         CODEQL_FILE_BASELINE_INFORMATION: true
-        CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
     - name: Build code
       shell: bash
       run: ./build.sh
@@ -62,7 +60,6 @@ jobs:
         output: ${{ runner.temp }}/results
       env:
         CODEQL_FILE_BASELINE_INFORMATION: true
-        CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
     - name: Upload SARIF
       uses: actions/upload-artifact@v3
       with:
@@ -87,4 +84,5 @@ jobs:
           fi
         done
     env:
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__multi-language-autodetect.yml

@@ -45,6 +45,10 @@ jobs:
           version: latest
         - os: macos-latest
           version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: Multi-language repository
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
@@ -61,17 +65,16 @@ jobs:
       uses: actions/setup-go@v3
       with:
         go-version: ^1.13.1
-    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
-    # Only macOS latest and nightly-latest support Swift 5.7.1
-      if: runner.os == 'Linux' || matrix.version == 'cached'
-      with:
-        swift-version: 5.7.0
-
     - uses: ./../action/init
+      id: init
       with:
         db-location: ${{ runner.temp }}/customDbLocation
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+
     - name: Build code
       shell: bash
       run: ./build.sh
@@ -125,8 +128,8 @@ jobs:
         fi
 
     - name: Check language autodetect for Swift
-      if: "!startsWith(matrix.os, 'windows') && (matrix.version == 'cached' || matrix.version\
+      if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
-        \ == 'latest' || matrix.version == 'nightly-latest')"
+        == 'nightly-latest')
       shell: bash
       run: |
         SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}

.github/workflows/__swift-autobuild.yml

@@ -42,15 +42,17 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
-    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
-    # Only macOS latest and nightly-latest support Swift 5.7.1
-      if: runner.os == 'Linux' || matrix.version == 'cached'
-      with:
-        swift-version: 5.7.0
     - uses: ./../action/init
+      id: init
       with:
         languages: swift
         tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
     - uses: ./../action/autobuild
     - uses: ./../action/analyze
       id: analysis
@@ -63,5 +65,5 @@ jobs:
           exit 1
         fi
     env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true'
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__swift-custom-build.yml

@@ -33,6 +33,10 @@ jobs:
           version: cached
         - os: macos-latest
           version: cached
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
     name: Swift analysis using a custom build command
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
@@ -44,15 +48,17 @@ jobs:
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
-    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
-    # Only macOS latest and nightly-latest support Swift 5.7.1
-      if: runner.os == 'Linux' || matrix.version == 'cached'
-      with:
-        swift-version: 5.7.0
     - uses: ./../action/init
+      id: init
       with:
         languages: swift
         tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/.github/setup-swift
+      with:
+        codeql-path: ${{steps.init.outputs.codeql-path}}
+    - name: Check working directory
+      shell: bash
+      run: pwd
     - name: Build code
       shell: bash
       run: ./build.sh
@@ -67,6 +73,6 @@ jobs:
           exit 1
         fi
     env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true'
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/codeql.yml

@@ -8,6 +8,9 @@ on:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
+  schedule:
+    # Weekly on Sunday.
+    - cron: '30 1 * * 0'
 
 env:
   CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
@@ -54,7 +57,7 @@ jobs:
         # be the same as `tools: null`. This allows us to make the job for each of the bundles a
         # required status check.
         #
-        # If we're running on push, then we can skip running with `tools: latest` when it would be
+        # If we're running on push or schedule, then we can skip running with `tools: latest` when it would be
         # the same as running with `tools: null`.
         if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
           VERSIONS_JSON='[null]'
@@ -78,8 +81,10 @@ jobs:
       security-events: write
 
     steps:
-    - uses: actions/checkout@v3
+    - name: Checkout
-    - uses: ./init
+      uses: actions/checkout@v3
+    - name: Initialize CodeQL
+      uses: ./init
       id: init
       with:
         languages: javascript
@@ -88,4 +93,5 @@ jobs:
     # confirm steps.init.outputs.codeql-path points to the codeql binary
     - name: Print CodeQL Version
       run: ${{steps.init.outputs.codeql-path}} version --format=json
-    - uses: ./analyze
+    - name: Perform CodeQL Analysis
+      uses: ./analyze

.github/workflows/python-deps.yml

@@ -28,17 +28,7 @@ jobs:
         matrix:
           os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
           python_deps_type: [pipenv, poetry, requirements, setup_py]
-          python_version: [2, 3]
+          python_version: [3]
-          exclude:
-            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
-            - python_version: 2
-              python_deps_type: poetry
-            # Python2 and pipenv are not supported since pipenv v2021.11.5
-            - python_version: 2
-              python_deps_type: pipenv
-            # Python2 is not available on ubuntu-22.04 by default -- see https://github.com/github/codeql-action/pull/1257
-            - python_version: 2
-              os: ubuntu-22.04
 
 
     env:
@@ -138,14 +128,7 @@ jobs:
         fail-fast: false
         matrix:
           python_deps_type: [pipenv, poetry, requirements, setup_py]
-          python_version: [2, 3]
+          python_version: [3]
-          exclude:
-            # Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
-            - python_version: 2
-              python_deps_type: poetry
-            # Python2 and pipenv are not supported since pipenv v2021.11.5
-            - python_version: 2
-              python_deps_type: pipenv
 
     env:
       CODEQL_ACTION_TEST_MODE: true

CHANGELOG.md

@@ -1,5 +1,9 @@
 # CodeQL Action Changelog
 
+## [UNRELEASED]
+
+No user facing changes.
+
 ## 2.1.37 - 14 Dec 2022
 
 - Update default CodeQL bundle version to 2.11.6. [#1433](https://github.com/github/codeql-action/pull/1433)

lib/analyze-action.js

@@ -179,7 +179,6 @@ async function run() {
         if (runStats && actionsUtil.getRequiredInput("upload") === "true") {
             uploadResult = await upload_lib.uploadFromActions(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), logger);
             core.setOutput("sarif-id", uploadResult.sarifID);
-            core.exportVariable(shared_environment_1.CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF, "true");
         }
         else {
             logger.info("Not uploading results");
@@ -203,6 +202,7 @@ async function run() {
         if (actionsUtil.getOptionalInput("expect-error") === "true") {
             core.setFailed(`expect-error input was set to true but no error was thrown.`);
         }
+        core.exportVariable(shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
     }
     catch (origError) {
         const error = origError instanceof Error ? origError : new Error(String(origError));

lib/init-action-post-helper.js

@@ -19,7 +19,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.run = exports.uploadSarifIfRunFailed = exports.uploadFailedSarif = void 0;
+exports.run = exports.tryUploadSarifIfRunFailed = void 0;
 const core = __importStar(require("@actions/core"));
 const actionsUtil = __importStar(require("./actions-util"));
 const codeql_1 = require("./codeql");
@@ -35,15 +35,17 @@ function createFailedUploadFailedSarifResult(error) {
         upload_failed_run_stack_trace: error instanceof Error ? error.stack : undefined,
     };
 }
-async function uploadFailedSarif(config, repositoryNwo, featureEnablement, logger) {
+/**
+ * Upload a failed SARIF file if we can verify that SARIF upload is enabled and determine the SARIF
+ * category for the workflow.
+ */
+async function maybeUploadFailedSarif(config, repositoryNwo, featureEnablement, logger) {
     var _a;
     if (!config.codeQLCmd) {
-        logger.warning("CodeQL command not found. Unable to upload failed SARIF file.");
         return { upload_failed_run_skipped_because: "CodeQL command not found" };
     }
     const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
     if (!(await featureEnablement.getValue(feature_flags_1.Feature.UploadFailedSarifEnabled, codeql))) {
-        logger.debug("Uploading failed SARIF is disabled.");
         return { upload_failed_run_skipped_because: "Feature disabled" };
     }
     const workflow = await (0, workflow_1.getWorkflow)();
@@ -51,7 +53,6 @@ async function uploadFailedSarif(config, repositoryNwo, featureEnablement, logge
     const matrix = (0, util_1.parseMatrixInput)(actionsUtil.getRequiredInput("matrix"));
     if ((0, workflow_1.getUploadInputOrThrow)(workflow, jobName, matrix) !== "true" ||
         (0, util_1.isInTestMode)()) {
-        logger.debug("Won't upload a failed SARIF file since SARIF upload is disabled.");
         return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
     }
     const category = (0, workflow_1.getCategoryInputOrThrow)(workflow, jobName, matrix);
@@ -63,40 +64,41 @@ async function uploadFailedSarif(config, repositoryNwo, featureEnablement, logge
     await uploadLib.waitForProcessing(repositoryNwo, uploadResult.sarifID, logger, { isUnsuccessfulExecution: true });
     return (_a = uploadResult === null || uploadResult === void 0 ? void 0 : uploadResult.statusReport) !== null && _a !== void 0 ? _a : {};
 }
-exports.uploadFailedSarif = uploadFailedSarif;
+async function tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger) {
-async function uploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger) {
+    if (process.env[shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY] !== "true") {
-    // Environment variable used to integration test uploading a SARIF file for failed runs
-    const expectFailedSarifUpload = process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true";
-    if (process.env[shared_environment_1.CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF] !== "true") {
         try {
-            return await uploadFailedSarif(config, repositoryNwo, featureEnablement, logger);
+            return await maybeUploadFailedSarif(config, repositoryNwo, featureEnablement, logger);
         }
         catch (e) {
-            if (expectFailedSarifUpload) {
+            logger.debug(`Failed to upload a SARIF file for this failed CodeQL code scanning run. ${e}`);
-                throw new Error("Expected to upload a SARIF file for the failed run, but encountered " +
-                    `the following error: ${e}`);
-            }
-            logger.info(`Failed to upload a SARIF file for the failed run. Error: ${e}`);
             return createFailedUploadFailedSarifResult(e);
         }
     }
-    else if (expectFailedSarifUpload) {
-        throw new Error("Expected to upload a SARIF file for the failed run, but didn't.");
-    }
     else {
         return {
-            upload_failed_run_skipped_because: "SARIF file already uploaded",
+            upload_failed_run_skipped_because: "Analyze Action completed successfully",
         };
     }
 }
-exports.uploadSarifIfRunFailed = uploadSarifIfRunFailed;
+exports.tryUploadSarifIfRunFailed = tryUploadSarifIfRunFailed;
 async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, printDebugLogs, repositoryNwo, featureEnablement, logger) {
     const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
     if (config === undefined) {
         logger.warning("Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.");
         return;
     }
-    const uploadFailedSarifResult = await uploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger);
+    const uploadFailedSarifResult = await tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger);
+    if (uploadFailedSarifResult.upload_failed_run_skipped_because) {
+        logger.debug("Won't upload a failed SARIF file for this CodeQL code scanning run because: " +
+            `${uploadFailedSarifResult.upload_failed_run_skipped_because}.`);
+    }
+    // Throw an error if in integration tests, we expected to upload a SARIF file for a failed run
+    // but we didn't upload anything.
+    if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true" &&
+        !uploadFailedSarifResult.raw_upload_size_bytes) {
+        throw new Error("Expected to upload a failed SARIF file for this CodeQL code scanning run, " +
+            `but the result was instead ${uploadFailedSarifResult}.`);
+    }
     // Upload appropriate Actions artifacts for debugging
     if (config.debugMode) {
         core.info("Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...");

lib/init-action-post-helper.js.map

@@ -1 +1 @@
-{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAA8E;AAC9E,wDAA0C;AAC1C,iCAA6E;AAC7E,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,OAAO;QACL,uBAAuB,EACrB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;QACxD,6BAA6B,EAC3B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACnD,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,iBAAiB,CACrC,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,MAAM,CAAC,OAAO,CACZ,+DAA+D,CAChE,CAAC;QACF,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IACE,CAAC,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAChC,uBAAO,CAAC,wBAAwB,EAChC,MAAM,CACP,CAAC,EACF;QACA,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACpD,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,GAAE,CAAC;IACrC,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,IACE,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,MAAM;QAC3D,IAAA,mBAAY,GAAE,EACd;QACA,MAAM,CAAC,KAAK,CACV,kEAAkE,CACnE,CAAC;QACF,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAE5E,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAC/C,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,MAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,YAAY,mCAAI,EAAE,CAAC;AAC1C,CAAC;AAtDD,8CAsDC;AAEM,KAAK,UAAU,sBAAsB,CAC1C,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,uFAAuF;IACvF,MAAM,uBAAuB,GAC3B,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM,CAAC;IAErE,IAAI,OAAO,CAAC,GAAG,CAAC,2DAAsC,CAAC,KAAK,MAAM,EAAE;QAClE,IAAI;YACF,OAAO,MAAM,iBAAiB,CAC5B,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,IAAI,uBAAuB,EAAE;gBAC3B,MAAM,IAAI,KAAK,CACb,sEAAsE;oBACpE,wBAAwB,CAAC,EAAE,CAC9B,CAAC;aACH;YACD,MAAM,CAAC,IAAI,CACT,4DAA4D,CAAC,EAAE,CAChE,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM,IAAI,uBAAuB,EAAE;QAClC,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;KACH;SAAM;QACL,OAAO;YACL,iCAAiC,EAAE,6BAA6B;SACjE,CAAC;KACH;AACH,CAAC;AAvCD,wDAuCC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,sBAAsB,CAC1D,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;IAEF,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AAnCD,kBAmCC"}
+{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAAuF;AACvF,wDAA0C;AAC1C,iCAA6E;AAC7E,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,OAAO;QACL,uBAAuB,EACrB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;QACxD,6BAA6B,EAC3B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACnD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IACE,CAAC,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAChC,uBAAO,CAAC,wBAAwB,EAChC,MAAM,CACP,CAAC,EACF;QACA,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,GAAE,CAAC;IACrC,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,IACE,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,MAAM;QAC3D,IAAA,mBAAY,GAAE,EACd;QACA,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAE5E,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAC/C,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,MAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,YAAY,mCAAI,EAAE,CAAC;AAC1C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,oEAA+C,CAAC,KAAK,MAAM,EAAE;QAC3E,IAAI;YACF,OAAO,MAAM,sBAAsB,CACjC,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CACV,2EAA2E,CAAC,EAAE,CAC/E,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,OAAO;YACL,iCAAiC,EAC/B,uCAAuC;SAC1C,CAAC;KACH;AACH,CAAC;AA1BD,8DA0BC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,yBAAyB,CAC7D,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,IAAI,uBAAuB,CAAC,iCAAiC,EAAE;QAC7D,MAAM,CAAC,KAAK,CACV,8EAA8E;YAC5E,GAAG,uBAAuB,CAAC,iCAAiC,GAAG,CAClE,CAAC;KACH;IACD,8FAA8F;IAC9F,iCAAiC;IACjC,IACE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM;QAClE,CAAC,uBAAuB,CAAC,qBAAqB,EAC9C;QACA,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,8BAA8B,uBAAuB,GAAG,CAC3D,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AApDD,kBAoDC"}

lib/init-action-post-helper.test.js

@@ -125,15 +125,63 @@ const workflow = __importStar(require("./workflow"));
             },
         },
     ]);
-    await testFailedSarifUpload(t, actionsWorkflow, {
+    const result = await testFailedSarifUpload(t, actionsWorkflow, {
-        expectedLogs: [
-            {
-                message: "Won't upload a failed SARIF file since SARIF upload is disabled.",
-                type: "debug",
-            },
-        ],
         expectUpload: false,
     });
+    t.is(result.upload_failed_run_skipped_because, "SARIF upload is disabled");
+});
+(0, ava_1.default)("uploading failed SARIF run succeeds when workflow uses an input with a matrix var", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                category: "/language:${{ matrix.language }}",
+            },
+        },
+    ]);
+    await testFailedSarifUpload(t, actionsWorkflow, {
+        category: "/language:csharp",
+        matrix: { language: "csharp" },
+    });
+});
+(0, ava_1.default)("uploading failed SARIF run fails when workflow uses a complex upload input", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                upload: "${{ matrix.language != 'csharp' }}",
+            },
+        },
+    ]);
+    const result = await testFailedSarifUpload(t, actionsWorkflow, {
+        expectUpload: false,
+    });
+    t.is(result.upload_failed_run_error, "Could not get upload input to github/codeql-action/analyze since it contained an " +
+        "unrecognized dynamic value.");
 });
 (0, ava_1.default)("uploading failed SARIF run fails when workflow does not reference github/codeql-action", async (t) => {
     const actionsWorkflow = createTestWorkflow([
@@ -142,7 +190,12 @@ const workflow = __importStar(require("./workflow"));
             uses: "actions/checkout@v3",
         },
     ]);
-    await t.throwsAsync(async () => await testFailedSarifUpload(t, actionsWorkflow));
+    const result = await testFailedSarifUpload(t, actionsWorkflow, {
+        expectUpload: false,
+    });
+    t.is(result.upload_failed_run_error, "Could not get upload input to github/codeql-action/analyze since the analyze job does not " +
+        "call github/codeql-action/analyze.");
+    t.truthy(result.upload_failed_run_stack_trace);
 });
 function createTestWorkflow(steps) {
     return {
@@ -164,28 +217,38 @@ function createTestWorkflow(steps) {
         },
     };
 }
-async function testFailedSarifUpload(t, actionsWorkflow, { category, expectedLogs = [], expectUpload = true, } = {}) {
+async function testFailedSarifUpload(t, actionsWorkflow, { category, expectUpload = true, matrix = {}, } = {}) {
     const config = {
         codeQLCmd: "codeql",
         debugMode: true,
         languages: [],
         packs: [],
     };
-    const messages = [];
     process.env["GITHUB_JOB"] = "analyze";
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
     process.env["GITHUB_WORKSPACE"] =
         "/home/runner/work/codeql-action/codeql-action";
-    sinon.stub(actionsUtil, "getRequiredInput").withArgs("matrix").returns("{}");
+    sinon
+        .stub(actionsUtil, "getRequiredInput")
+        .withArgs("matrix")
+        .returns(JSON.stringify(matrix));
     const codeqlObject = await codeql.getCodeQLForTesting();
     sinon.stub(codeql, "getCodeQL").resolves(codeqlObject);
     const diagnosticsExportStub = sinon.stub(codeqlObject, "diagnosticsExport");
     sinon.stub(workflow, "getWorkflow").resolves(actionsWorkflow);
     const uploadFromActions = sinon.stub(uploadLib, "uploadFromActions");
-    uploadFromActions.resolves({ sarifID: "42" });
+    uploadFromActions.resolves({
+        sarifID: "42",
+        statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
+    });
     const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");
-    await initActionPostHelper.uploadFailedSarif(config, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.UploadFailedSarifEnabled]), (0, testing_utils_1.getRecordingLogger)(messages));
+    const result = await initActionPostHelper.tryUploadSarifIfRunFailed(config, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.UploadFailedSarifEnabled]), (0, logging_1.getRunnerLogger)(true));
-    t.deepEqual(messages, expectedLogs);
+    if (expectUpload) {
+        t.deepEqual(result, {
+            raw_upload_size_bytes: 20,
+            zipped_upload_size_bytes: 10,
+        });
+    }
     if (expectUpload) {
         t.true(diagnosticsExportStub.calledOnceWith(sinon.match.string, category), `Actual args were: ${diagnosticsExportStub.args}`);
         t.true(uploadFromActions.calledOnceWith(sinon.match.string, sinon.match.string, category, sinon.match.any), `Actual args were: ${uploadFromActions.args}`);
@@ -198,5 +261,6 @@ async function testFailedSarifUpload(t, actionsWorkflow, { category, expectedLog
         t.true(uploadFromActions.notCalled);
         t.true(waitForProcessing.notCalled);
     }
+    return result;
 }
 //# sourceMappingURL=init-action-post-helper.test.js.map

lib/shared-environment.js

@@ -1,12 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ODASA_TRACER_CONFIGURATION = exports.CODEQL_WORKFLOW_STARTED_AT = exports.CODEQL_ACTION_TEST_MODE = exports.CODEQL_ACTION_TESTING_ENVIRONMENT = exports.CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF = void 0;
+exports.ODASA_TRACER_CONFIGURATION = exports.CODEQL_WORKFLOW_STARTED_AT = exports.CODEQL_ACTION_TEST_MODE = exports.CODEQL_ACTION_TESTING_ENVIRONMENT = exports.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY = void 0;
 /**
  * This environment variable is set to true when the `analyze` Action
- * successfully uploads a SARIF file. It does NOT indicate whether the
+ * completes successfully.
- * SARIF file was processed successfully.
  */
-exports.CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF = "CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF";
+exports.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY = "CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY";
 exports.CODEQL_ACTION_TESTING_ENVIRONMENT = "CODEQL_ACTION_TESTING_ENVIRONMENT";
 /** Used to disable uploading SARIF results or status reports to the GitHub API */
 exports.CODEQL_ACTION_TEST_MODE = "CODEQL_ACTION_TEST_MODE";

lib/shared-environment.js.map

@@ -1 +1 @@
-{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACU,QAAA,sCAAsC,GACjD,wCAAwC,CAAC;AAE9B,QAAA,iCAAiC,GAC5C,mCAAmC,CAAC;AAEtC,kFAAkF;AACrE,QAAA,uBAAuB,GAAG,yBAAyB,CAAC;AAEjE;;;;;;GAMG;AACU,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AAE1D,QAAA,0BAA0B,GAAG,4BAA4B,CAAC"}
+{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACU,QAAA,+CAA+C,GAC1D,iDAAiD,CAAC;AAEvC,QAAA,iCAAiC,GAC5C,mCAAmC,CAAC;AAEtC,kFAAkF;AACrE,QAAA,uBAAuB,GAAG,yBAAyB,CAAC;AAEjE;;;;;;GAMG;AACU,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AAE1D,QAAA,0BAA0B,GAAG,4BAA4B,CAAC"}

lib/workflow.js

@@ -213,7 +213,16 @@ exports.formatWorkflowCause = formatWorkflowCause;
 async function getWorkflow() {
     const relativePath = await getWorkflowPath();
     const absolutePath = path.join((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), relativePath);
+    try {
         return yaml.load(fs.readFileSync(absolutePath, "utf-8"));
+    }
+    catch (e) {
+        if (e instanceof Error && e["code"] === "ENOENT") {
+            throw new Error(`Unable to load code scanning workflow from ${absolutePath}. This can happen if the currently ` +
+                "running workflow checks out a branch that doesn't contain the corresponding workflow file.");
+        }
+        throw e;
+    }
 }
 exports.getWorkflow = getWorkflow;
 /**
@@ -247,6 +256,9 @@ function getWorkflowRunID() {
 }
 exports.getWorkflowRunID = getWorkflowRunID;
 function getStepsCallingAction(job, actionName) {
+    if (job.uses) {
+        throw new Error(`Could not get steps calling ${actionName} since the job calls a reusable workflow.`);
+    }
     const steps = job.steps;
     if (!Array.isArray(steps)) {
         throw new Error(`Could not get steps calling ${actionName} since job.steps was not an array.`);

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.37",
+  "version": "2.1.38",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "2.1.37",
+  "version": "2.1.38",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "2.1.37",
+      "version": "2.1.38",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.1.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.37",
+  "version": "2.1.38",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/export-file-baseline-information.yml

@@ -1,19 +1,19 @@
 name: "Export file baseline information"
 description: "Tests that file baseline information is exported when the feature is enabled"
 versions: ["nightly-latest"]
+env: 
+  CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
 steps:
-  - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
-    # Windows doesn't support Swift, and only macOS latest and nightly-latest support Swift 5.7.1.
-    if: runner.os == 'Linux' || (runner.os == 'macOS' && matrix.version == 'cached')
-    with:
-      swift-version: "5.7.0"
   - uses: ./../action/init
+    id: init
     with:
       languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
     env:
       CODEQL_FILE_BASELINE_INFORMATION: true
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
+  - uses: ./../action/.github/setup-swift
+    with:
+      codeql-path: ${{steps.init.outputs.codeql-path}}
   - name: Build code
     shell: bash
     run: ./build.sh
@@ -22,7 +22,6 @@ steps:
       output: "${{ runner.temp }}/results"
     env:
       CODEQL_FILE_BASELINE_INFORMATION: true
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
   - name: Upload SARIF
     uses: actions/upload-artifact@v3
     with:

pr-checks/checks/multi-language-autodetect.yml

@@ -1,22 +1,19 @@
 name: "Multi-language repository"
 description: "An end-to-end integration test of a multi-language repository using automatic language detection"
-# Temporarily exclude nightly-latest to unblock release
-versions: ["stable-20211005", "stable-20220120", "stable-20220401", "cached", "latest"]
 operatingSystems: ["ubuntu", "macos"]
 env:
   CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
 steps:
-  - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
-    # Only macOS latest and nightly-latest support Swift 5.7.1
-    if: runner.os == 'Linux' || matrix.version == 'cached'
-    with:
-      swift-version: "5.7.0"
-
   - uses: ./../action/init
+    id: init
     with:
       db-location: "${{ runner.temp }}/customDbLocation"
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   
+  - uses: ./../action/.github/setup-swift
+    with:
+      codeql-path: ${{steps.init.outputs.codeql-path}}
+
   - name: Build code
     shell: bash
     run: ./build.sh
@@ -69,7 +66,7 @@ steps:
       fi
 
   - name: Check language autodetect for Swift
-    if: "!startsWith(matrix.os, 'windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+    if: "(matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
     shell: bash
     run: |
       SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}

pr-checks/checks/swift-autobuild.yml

@@ -4,17 +4,19 @@ versions: ["latest", "cached", "nightly-latest"]
 # Swift autobuilder is only supported on MacOS for private beta
 operatingSystems: ["macos"]
 env:
-  CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true"
+  CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
 steps:
-  - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
-    # Only macOS latest and nightly-latest support Swift 5.7.1
-    if: runner.os == 'Linux' || matrix.version == 'cached'
-    with:
-      swift-version: "5.7.0"
   - uses: ./../action/init
+    id: init
     with:
       languages: swift
       tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - uses: ./../action/.github/setup-swift
+    with:
+      codeql-path: ${{steps.init.outputs.codeql-path}}
+  - name: Check working directory
+    shell: bash
+    run: pwd
   - uses: ./../action/autobuild
   - uses: ./../action/analyze
     id: analysis

pr-checks/checks/swift-custom-build.yml

@@ -1,21 +1,22 @@
 name: "Swift analysis using a custom build command"
 description: "Tests creation of a Swift database using custom build"
-# Temporarily exclude nightly-latest to unblock release
+versions: ["latest", "cached", "nightly-latest"]
-versions: ["latest", "cached"]
 operatingSystems: ["ubuntu", "macos"]
 env:
-  CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true"
+  CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
-  - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
-    # Only macOS latest and nightly-latest support Swift 5.7.1
-    if: runner.os == 'Linux' || matrix.version == 'cached'
-    with:
-      swift-version: "5.7.0"
   - uses: ./../action/init
+    id: init
     with:
       languages: swift
       tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - uses: ./../action/.github/setup-swift
+    with:
+      codeql-path: ${{steps.init.outputs.codeql-path}}
+  - name: Check working directory
+    shell: bash
+    run: pwd
   - name: Build code
     shell: bash
     run: ./build.sh

python-setup/tests/pipenv/requests-2/Pipfile

@@ -1,12 +0,0 @@
-[[source]]
-name = "pypi"
-url = "https://pypi.org/simple"
-verify_ssl = true
-
-[dev-packages]
-
-[packages]
-requests = "*"
-
-[requires]
-python_version = "2.7"

python-setup/tests/pipenv/requests-2/Pipfile.lock

@@ -1,60 +0,0 @@
-{
-    "_meta": {
-        "hash": {
-            "sha256": "76839637c628c87a4ac26d62aa559b8a572f4a742c8b6bd2f339f36514692676"
-        },
-        "pipfile-spec": 6,
-        "requires": {
-            "python_version": "2.7"
-        },
-        "sources": [
-            {
-                "name": "pypi",
-                "url": "https://pypi.org/simple",
-                "verify_ssl": true
-            }
-        ]
-    },
-    "default": {
-        "certifi": {
-            "hashes": [
-                "sha256:78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872",
-                "sha256:d62a0163eb4c2344ac042ab2bdf75399a71a2d8c7d47eac2e2ee91b9d6339569"
-            ],
-            "version": "==2021.10.8"
-        },
-        "chardet": {
-            "hashes": [
-                "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
-                "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
-            ],
-            "markers": "python_version < '3'",
-            "version": "==4.0.0"
-        },
-        "idna": {
-            "hashes": [
-                "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
-                "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
-            ],
-            "markers": "python_version < '3'",
-            "version": "==2.10"
-        },
-        "requests": {
-            "hashes": [
-                "sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24",
-                "sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"
-            ],
-            "index": "pypi",
-            "version": "==2.26.0"
-        },
-        "urllib3": {
-            "hashes": [
-                "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece",
-                "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"
-            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'",
-            "version": "==1.26.7"
-        }
-    },
-    "develop": {}
-}

python-setup/tests/poetry/requests-2/poetry.lock

@@ -1,81 +0,0 @@
-[[package]]
-name = "certifi"
-version = "2021.10.8"
-description = "Python package for providing Mozilla's CA Bundle."
-category = "main"
-optional = false
-python-versions = "*"
-
-[[package]]
-name = "chardet"
-version = "4.0.0"
-description = "Universal encoding detector for Python 2 and 3"
-category = "main"
-optional = false
-python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
-
-[[package]]
-name = "idna"
-version = "2.10"
-description = "Internationalized Domain Names in Applications (IDNA)"
-category = "main"
-optional = false
-python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
-
-[[package]]
-name = "requests"
-version = "2.26.0"
-description = "Python HTTP for Humans."
-category = "main"
-optional = false
-python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*"
-
-[package.dependencies]
-certifi = ">=2017.4.17"
-chardet = {version = ">=3.0.2,<5", markers = "python_version < \"3\""}
-idna = {version = ">=2.5,<3", markers = "python_version < \"3\""}
-urllib3 = ">=1.21.1,<1.27"
-
-[package.extras]
-socks = ["PySocks (>=1.5.6,!=1.5.7)", "win-inet-pton"]
-use_chardet_on_py3 = ["chardet (>=3.0.2,<5)"]
-
-[[package]]
-name = "urllib3"
-version = "1.26.7"
-description = "HTTP library with thread-safe connection pooling, file post, and more."
-category = "main"
-optional = false
-python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4"
-
-[package.extras]
-brotli = ["brotlipy (>=0.6.0)"]
-secure = ["pyOpenSSL (>=0.14)", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "certifi", "ipaddress"]
-socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"]
-
-[metadata]
-lock-version = "1.1"
-python-versions = "^2.7"
-content-hash = "c8501f2d45b33db399d74760be224bc771094fccce218ac8fe28f9b0ff85c63d"
-
-[metadata.files]
-certifi = [
-    {file = "certifi-2021.10.8-py2.py3-none-any.whl", hash = "sha256:d62a0163eb4c2344ac042ab2bdf75399a71a2d8c7d47eac2e2ee91b9d6339569"},
-    {file = "certifi-2021.10.8.tar.gz", hash = "sha256:78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872"},
-]
-chardet = [
-    {file = "chardet-4.0.0-py2.py3-none-any.whl", hash = "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"},
-    {file = "chardet-4.0.0.tar.gz", hash = "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa"},
-]
-idna = [
-    {file = "idna-2.10-py2.py3-none-any.whl", hash = "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"},
-    {file = "idna-2.10.tar.gz", hash = "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6"},
-]
-requests = [
-    {file = "requests-2.26.0-py2.py3-none-any.whl", hash = "sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24"},
-    {file = "requests-2.26.0.tar.gz", hash = "sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"},
-]
-urllib3 = [
-    {file = "urllib3-1.26.7-py2.py3-none-any.whl", hash = "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"},
-    {file = "urllib3-1.26.7.tar.gz", hash = "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece"},
-]

python-setup/tests/poetry/requests-2/pyproject.toml

@@ -1,15 +0,0 @@
-[tool.poetry]
-name = "autoinstall-test"
-version = "0.1.0"
-description = ""
-authors = ["Your Name <you@example.com>"]
-
-[tool.poetry.dependencies]
-python = "^2.7"
-requests = "*"
-
-[tool.poetry.dev-dependencies]
-
-[build-system]
-requires = ["poetry>=0.12"]
-build-backend = "poetry.masonry.api"

python-setup/tests/requirements/requests-2/requirements.txt

@@ -1 +0,0 @@
-requests==2.26.0

python-setup/tests/requirements/requests-2/setup.py

@@ -1,3 +0,0 @@
-# fake setup.py with Trove classifier to fool Python extractor to believe this is Python 2 for sure
-
-# Programming Language :: Python :: 2.7

python-setup/tests/setup_py/requests-2/setup.py

@@ -1,12 +0,0 @@
-from setuptools import setup
-
-# has fake Trove classifier to fool Python extractor to believe this is Python 2 for sure
-
-# Programming Language :: Python :: 2.7
-
-
-setup(
-    name="example-setup.py",
-    install_requires=["requests==2.26.0"],
-    python_requires=">=2.7, <3",
-)

src/analyze-action.ts

@@ -24,7 +24,7 @@ import { Features } from "./feature-flags";
 import { Language } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
-import { CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF } from "./shared-environment";
+import { CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY } from "./shared-environment";
 import { getTotalCacheSize, uploadTrapCaches } from "./trap-caching";
 import * as upload_lib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
@@ -279,7 +279,6 @@ async function run() {
         logger
       );
       core.setOutput("sarif-id", uploadResult.sarifID);
-      core.exportVariable(CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF, "true");
     } else {
       logger.info("Not uploading results");
     }
@@ -312,6 +311,10 @@ async function run() {
         `expect-error input was set to true but no error was thrown.`
       );
     }
+    core.exportVariable(
+      CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY,
+      "true"
+    );
   } catch (origError) {
     const error =
       origError instanceof Error ? origError : new Error(String(origError));

src/init-action-post-helper.test.ts

@@ -8,12 +8,7 @@ import { Feature } from "./feature-flags";
 import * as initActionPostHelper from "./init-action-post-helper";
 import { getRunnerLogger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
-import {
+import { createFeatures, setupTests } from "./testing-utils";
-  createFeatures,
-  getRecordingLogger,
-  LoggedMessage,
-  setupTests,
-} from "./testing-utils";
 import * as uploadLib from "./upload-lib";
 import * as util from "./util";
 import * as workflow from "./workflow";
@@ -134,16 +129,68 @@ test("doesn't upload failed SARIF for workflow with upload: false", async (t) =>
       },
     },
   ]);
-  await testFailedSarifUpload(t, actionsWorkflow, {
+  const result = await testFailedSarifUpload(t, actionsWorkflow, {
-    expectedLogs: [
-      {
-        message:
-          "Won't upload a failed SARIF file since SARIF upload is disabled.",
-        type: "debug",
-      },
-    ],
     expectUpload: false,
   });
+  t.is(result.upload_failed_run_skipped_because, "SARIF upload is disabled");
+});
+
+test("uploading failed SARIF run succeeds when workflow uses an input with a matrix var", async (t) => {
+  const actionsWorkflow = createTestWorkflow([
+    {
+      name: "Checkout repository",
+      uses: "actions/checkout@v3",
+    },
+    {
+      name: "Initialize CodeQL",
+      uses: "github/codeql-action/init@v2",
+      with: {
+        languages: "javascript",
+      },
+    },
+    {
+      name: "Perform CodeQL Analysis",
+      uses: "github/codeql-action/analyze@v2",
+      with: {
+        category: "/language:${{ matrix.language }}",
+      },
+    },
+  ]);
+  await testFailedSarifUpload(t, actionsWorkflow, {
+    category: "/language:csharp",
+    matrix: { language: "csharp" },
+  });
+});
+
+test("uploading failed SARIF run fails when workflow uses a complex upload input", async (t) => {
+  const actionsWorkflow = createTestWorkflow([
+    {
+      name: "Checkout repository",
+      uses: "actions/checkout@v3",
+    },
+    {
+      name: "Initialize CodeQL",
+      uses: "github/codeql-action/init@v2",
+      with: {
+        languages: "javascript",
+      },
+    },
+    {
+      name: "Perform CodeQL Analysis",
+      uses: "github/codeql-action/analyze@v2",
+      with: {
+        upload: "${{ matrix.language != 'csharp' }}",
+      },
+    },
+  ]);
+  const result = await testFailedSarifUpload(t, actionsWorkflow, {
+    expectUpload: false,
+  });
+  t.is(
+    result.upload_failed_run_error,
+    "Could not get upload input to github/codeql-action/analyze since it contained an " +
+      "unrecognized dynamic value."
+  );
 });
 
 test("uploading failed SARIF run fails when workflow does not reference github/codeql-action", async (t) => {
@@ -153,9 +200,15 @@ test("uploading failed SARIF run fails when workflow does not reference github/c
       uses: "actions/checkout@v3",
     },
   ]);
-  await t.throwsAsync(
+  const result = await testFailedSarifUpload(t, actionsWorkflow, {
-    async () => await testFailedSarifUpload(t, actionsWorkflow)
+    expectUpload: false,
+  });
+  t.is(
+    result.upload_failed_run_error,
+    "Could not get upload input to github/codeql-action/analyze since the analyze job does not " +
+      "call github/codeql-action/analyze."
   );
+  t.truthy(result.upload_failed_run_stack_trace);
 });
 
 function createTestWorkflow(
@@ -186,26 +239,28 @@ async function testFailedSarifUpload(
   actionsWorkflow: workflow.Workflow,
   {
     category,
-    expectedLogs = [],
     expectUpload = true,
+    matrix = {},
   }: {
     category?: string;
-    expectedLogs?: LoggedMessage[];
     expectUpload?: boolean;
+    matrix?: { [key: string]: string };
   } = {}
-): Promise<void> {
+): Promise<initActionPostHelper.UploadFailedSarifResult> {
   const config = {
     codeQLCmd: "codeql",
     debugMode: true,
     languages: [],
     packs: [],
   } as unknown as configUtils.Config;
-  const messages = [];
   process.env["GITHUB_JOB"] = "analyze";
   process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
   process.env["GITHUB_WORKSPACE"] =
     "/home/runner/work/codeql-action/codeql-action";
-  sinon.stub(actionsUtil, "getRequiredInput").withArgs("matrix").returns("{}");
+  sinon
+    .stub(actionsUtil, "getRequiredInput")
+    .withArgs("matrix")
+    .returns(JSON.stringify(matrix));
 
   const codeqlObject = await codeql.getCodeQLForTesting();
   sinon.stub(codeql, "getCodeQL").resolves(codeqlObject);
@@ -214,16 +269,24 @@ async function testFailedSarifUpload(
   sinon.stub(workflow, "getWorkflow").resolves(actionsWorkflow);
 
   const uploadFromActions = sinon.stub(uploadLib, "uploadFromActions");
-  uploadFromActions.resolves({ sarifID: "42" } as uploadLib.UploadResult);
+  uploadFromActions.resolves({
+    sarifID: "42",
+    statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
+  } as uploadLib.UploadResult);
   const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");
 
-  await initActionPostHelper.uploadFailedSarif(
+  const result = await initActionPostHelper.tryUploadSarifIfRunFailed(
     config,
     parseRepositoryNwo("github/codeql-action"),
     createFeatures([Feature.UploadFailedSarifEnabled]),
-    getRecordingLogger(messages)
+    getRunnerLogger(true)
   );
-  t.deepEqual(messages, expectedLogs);
+  if (expectUpload) {
+    t.deepEqual(result, {
+      raw_upload_size_bytes: 20,
+      zipped_upload_size_bytes: 10,
+    });
+  }
   if (expectUpload) {
     t.true(
       diagnosticsExportStub.calledOnceWith(sinon.match.string, category),
@@ -248,4 +311,5 @@ async function testFailedSarifUpload(
     t.true(uploadFromActions.notCalled);
     t.true(waitForProcessing.notCalled);
   }
+  return result;
 }

src/init-action-post-helper.ts

@@ -6,7 +6,7 @@ import { Config, getConfig } from "./config-utils";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { Logger } from "./logging";
 import { RepositoryNwo } from "./repository";
-import { CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF } from "./shared-environment";
+import { CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY } from "./shared-environment";
 import * as uploadLib from "./upload-lib";
 import { getRequiredEnvParam, isInTestMode, parseMatrixInput } from "./util";
 import {
@@ -36,16 +36,17 @@ function createFailedUploadFailedSarifResult(
   };
 }
 
-export async function uploadFailedSarif(
+/**
+ * Upload a failed SARIF file if we can verify that SARIF upload is enabled and determine the SARIF
+ * category for the workflow.
+ */
+async function maybeUploadFailedSarif(
   config: Config,
   repositoryNwo: RepositoryNwo,
   featureEnablement: FeatureEnablement,
   logger: Logger
 ): Promise<UploadFailedSarifResult> {
   if (!config.codeQLCmd) {
-    logger.warning(
-      "CodeQL command not found. Unable to upload failed SARIF file."
-    );
     return { upload_failed_run_skipped_because: "CodeQL command not found" };
   }
   const codeql = await getCodeQL(config.codeQLCmd);
@@ -55,7 +56,6 @@ export async function uploadFailedSarif(
       codeql
     ))
   ) {
-    logger.debug("Uploading failed SARIF is disabled.");
     return { upload_failed_run_skipped_because: "Feature disabled" };
   }
   const workflow = await getWorkflow();
@@ -65,9 +65,6 @@ export async function uploadFailedSarif(
     getUploadInputOrThrow(workflow, jobName, matrix) !== "true" ||
     isInTestMode()
   ) {
-    logger.debug(
-      "Won't upload a failed SARIF file since SARIF upload is disabled."
-    );
     return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
   }
   const category = getCategoryInputOrThrow(workflow, jobName, matrix);
@@ -92,43 +89,30 @@ export async function uploadFailedSarif(
   return uploadResult?.statusReport ?? {};
 }
 
-export async function uploadSarifIfRunFailed(
+export async function tryUploadSarifIfRunFailed(
   config: Config,
   repositoryNwo: RepositoryNwo,
   featureEnablement: FeatureEnablement,
   logger: Logger
 ): Promise<UploadFailedSarifResult> {
-  // Environment variable used to integration test uploading a SARIF file for failed runs
+  if (process.env[CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY] !== "true") {
-  const expectFailedSarifUpload =
-    process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true";
-
-  if (process.env[CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF] !== "true") {
     try {
-      return await uploadFailedSarif(
+      return await maybeUploadFailedSarif(
         config,
         repositoryNwo,
         featureEnablement,
         logger
       );
     } catch (e) {
-      if (expectFailedSarifUpload) {
+      logger.debug(
-        throw new Error(
+        `Failed to upload a SARIF file for this failed CodeQL code scanning run. ${e}`
-          "Expected to upload a SARIF file for the failed run, but encountered " +
-            `the following error: ${e}`
-        );
-      }
-      logger.info(
-        `Failed to upload a SARIF file for the failed run. Error: ${e}`
       );
       return createFailedUploadFailedSarifResult(e);
     }
-  } else if (expectFailedSarifUpload) {
-    throw new Error(
-      "Expected to upload a SARIF file for the failed run, but didn't."
-    );
   } else {
     return {
-      upload_failed_run_skipped_because: "SARIF file already uploaded",
+      upload_failed_run_skipped_because:
+        "Analyze Action completed successfully",
     };
   }
 }
@@ -149,12 +133,29 @@ export async function run(
     return;
   }
 
-  const uploadFailedSarifResult = await uploadSarifIfRunFailed(
+  const uploadFailedSarifResult = await tryUploadSarifIfRunFailed(
     config,
     repositoryNwo,
     featureEnablement,
     logger
   );
+  if (uploadFailedSarifResult.upload_failed_run_skipped_because) {
+    logger.debug(
+      "Won't upload a failed SARIF file for this CodeQL code scanning run because: " +
+        `${uploadFailedSarifResult.upload_failed_run_skipped_because}.`
+    );
+  }
+  // Throw an error if in integration tests, we expected to upload a SARIF file for a failed run
+  // but we didn't upload anything.
+  if (
+    process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true" &&
+    !uploadFailedSarifResult.raw_upload_size_bytes
+  ) {
+    throw new Error(
+      "Expected to upload a failed SARIF file for this CodeQL code scanning run, " +
+        `but the result was instead ${uploadFailedSarifResult}.`
+    );
+  }
 
   // Upload appropriate Actions artifacts for debugging
   if (config.debugMode) {

src/shared-environment.ts

@@ -1,10 +1,9 @@
 /**
  * This environment variable is set to true when the `analyze` Action
- * successfully uploads a SARIF file. It does NOT indicate whether the
+ * completes successfully.
- * SARIF file was processed successfully.
  */
-export const CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF =
+export const CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY =
-  "CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF";
+  "CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY";
 
 export const CODEQL_ACTION_TESTING_ENVIRONMENT =
   "CODEQL_ACTION_TESTING_ENVIRONMENT";

src/workflow.ts

@@ -18,6 +18,7 @@ interface WorkflowJob {
   name?: string;
   "runs-on"?: string;
   steps?: WorkflowJobStep[];
+  uses?: string;
 }
 
 interface WorkflowTrigger {
@@ -258,7 +259,17 @@ export async function getWorkflow(): Promise<Workflow> {
     relativePath
   );
 
+  try {
     return yaml.load(fs.readFileSync(absolutePath, "utf-8")) as Workflow;
+  } catch (e) {
+    if (e instanceof Error && e["code"] === "ENOENT") {
+      throw new Error(
+        `Unable to load code scanning workflow from ${absolutePath}. This can happen if the currently ` +
+          "running workflow checks out a branch that doesn't contain the corresponding workflow file."
+      );
+    }
+    throw e;
+  }
 }
 
 /**
@@ -301,6 +312,11 @@ function getStepsCallingAction(
   job: WorkflowJob,
   actionName: string
 ): WorkflowJobStep[] {
+  if (job.uses) {
+    throw new Error(
+      `Could not get steps calling ${actionName} since the job calls a reusable workflow.`
+    );
+  }
   const steps = job.steps;
   if (!Array.isArray(steps)) {
     throw new Error(