Drive-by linting fix

Previously we were implicitly converting `any` type to `string`; this does so explicitly.

.github/actions/query-filter-test/action.yml

@@ -40,11 +40,11 @@ runs:
       with:
         output: ${{ runner.temp }}/results
         upload-database: false
-        upload: false
+        upload: never
       env:
         CODEQL_ACTION_TEST_MODE: "true"
     - name: Check SARIF
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file:  ${{ inputs.sarif-file }}
         queries-run: ${{ inputs.queries-run}}

.github/actions/setup-swift/action.yml

@@ -26,7 +26,7 @@ runs:
           VERSION="5.7.0"
         fi
         echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
-    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
+    - uses: swift-actions/setup-swift@da0e3e04b5e3e15dbc3861bd835ad9f0afe56296 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
       if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
       with:
         swift-version: "${{steps.get_swift_version.outputs.version}}"

.github/actions/update-bundle/action.yml

@@ -0,0 +1,14 @@
+name: Update default CodeQL bundle
+description: Updates 'src/defaults.json' to point to a new CodeQL bundle release.
+
+runs:
+  using: composite
+  steps:
+    - name: Install ts-node
+      shell: bash
+      run: npm install -g ts-node
+
+    - name: Run update script
+      working-directory: ${{ github.action_path }}
+      shell: bash
+      run: ts-node ./index.ts

.github/actions/update-bundle/index.ts

@@ -0,0 +1,69 @@
+import * as fs from 'fs';
+import * as github from '@actions/github';
+
+interface BundleInfo {
+  bundleVersion: string;
+  cliVersion: string;
+}
+
+interface Defaults {
+  bundleVersion: string;
+  cliVersion: string;
+  priorBundleVersion: string;
+  priorCliVersion: string;
+}
+
+const CODEQL_BUNDLE_PREFIX = 'codeql-bundle-';
+
+function getCodeQLCliVersionForRelease(release): string {
+  // We do not currently tag CodeQL bundles based on the CLI version they contain.
+  // Instead, we use a marker file `cli-version-<version>.txt` to record the CLI version.
+  // This marker file is uploaded as a release asset for all new CodeQL bundles.
+  const cliVersionsFromMarkerFiles = release.assets
+  .map((asset) => asset.name.match(/cli-version-(.*)\.txt/)?.[1])
+  .filter((v) => v)
+  .map((v) => v as string);
+  if (cliVersionsFromMarkerFiles.length > 1) {
+    throw new Error(
+      `Release ${release.tag_name} has multiple CLI version marker files.`
+      );
+    } else if (cliVersionsFromMarkerFiles.length === 0) {
+      throw new Error(
+        `Failed to find the CodeQL CLI version for release ${release.tag_name}.`
+        );
+      }
+      return cliVersionsFromMarkerFiles[0];
+    }
+
+    async function getBundleInfoFromRelease(release): Promise<BundleInfo> {
+      return {
+        bundleVersion: release.tag_name.substring(CODEQL_BUNDLE_PREFIX.length),
+        cliVersion: getCodeQLCliVersionForRelease(release)
+      };
+    }
+
+    async function getNewDefaults(currentDefaults: Defaults): Promise<Defaults> {
+      const release = github.context.payload.release;
+      console.log('Updating default bundle as a result of the following release: ' +
+      `${JSON.stringify(release)}.`)
+
+      const bundleInfo = await getBundleInfoFromRelease(release);
+      return {
+        bundleVersion: bundleInfo.bundleVersion,
+        cliVersion: bundleInfo.cliVersion,
+        priorBundleVersion: currentDefaults.bundleVersion,
+        priorCliVersion: currentDefaults.cliVersion
+      };
+    }
+
+    async function main() {
+      const previousDefaults: Defaults = JSON.parse(fs.readFileSync('../../../src/defaults.json', 'utf8'));
+      const newDefaults = await getNewDefaults(previousDefaults);
+      // Update the source file in the repository. Calling workflows should subsequently rebuild
+      // the Action to update `lib/defaults.json`.
+      fs.writeFileSync('../../../src/defaults.json', JSON.stringify(newDefaults, null, 2) + "\n");
+    }
+
+    // Ideally, we'd await main() here, but that doesn't work well with `ts-node`.
+    // So instead we rely on the fact that Node won't exit until the event loop is empty.
+    main();

.github/codeql/codeql-config.yml

@@ -7,6 +7,7 @@ queries:
   # we include both even though one is a superset of the
   # other, because we're testing the parsing logic and
   # that the suites exist in the codeql bundle.
+  - uses: security-experimental
   - uses: security-extended
   - uses: security-and-quality
 paths-ignore:

.github/dependabot.yml

@@ -15,3 +15,7 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+  - package-ecosystem: github-actions
+    directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    schedule:
+      interval: weekly

.github/workflows/__analyze-ref-input.yml

@@ -69,12 +69,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: ./../action/init
@@ -88,6 +88,7 @@ jobs:
       run: ./build.sh
     - uses: ./../action/analyze
       with:
+        upload-database: false
         ref: refs/heads/main
         sha: 5e235361806c361d4d3f8859e3c897658025a9a2
     env:

.github/workflows/__autobuild-action.yml

@@ -39,7 +39,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
@@ -56,6 +56,8 @@ jobs:
         CORECLR_PROFILER: ''
         CORECLR_PROFILER_PATH_64: ''
     - uses: ./../action/analyze
+      with:
+        upload-database: false
     - name: Check database
       shell: bash
       run: |

.github/workflows/__config-export.yml

@@ -0,0 +1,95 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Config export
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  config-export:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
+    name: Config export
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        queries: security-extended
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+    - name: Check config properties appear in SARIF
+      uses: actions/github-script@v6
+      env:
+        SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+      with:
+        script: |
+          const fs = require('fs');
+
+          const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+          const run = sarif.runs[0];
+          const configSummary = run.properties.codeqlConfigSummary;
+
+          if (configSummary === undefined) {
+            core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
+          }
+          if (configSummary.disableDefaultQueries !== false) {
+            core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' + 
+              `${JSON.stringify(configSummary.disableDefaultQueries)}.`);
+          }
+          const expectedQueries = [{ type: 'builtinSuite', uses: 'security-extended' }];
+          // Use JSON.stringify to deep-equal the arrays.
+          if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
+            core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` + 
+              `${JSON.stringify(configSummary.queries)}.`);
+          }
+          core.info('Finished config export tests.');
+    env:
+      CODEQL_ACTION_EXPORT_CODE_SCANNING_CONFIG: true
+      CODEQL_PASS_CONFIG_TO_CLI: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__diagnostics-export.yml

@@ -0,0 +1,140 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Diagnostic export
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  diagnostics-export:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20230317
+        - os: macos-latest
+          version: stable-20230317
+        - os: windows-latest
+          version: stable-20230317
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
+    name: Diagnostic export
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      id: init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Add test diagnostics
+      shell: bash
+      env:
+        CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
+      run: |
+        for i in {1..2}; do
+          # Use the same location twice to test the workaround for the bug in CodeQL CLI 2.12.5 that
+          # produces an invalid diagnostic with multiple identical location objects.
+          "$CODEQL_PATH" database add-diagnostic \
+            "$RUNNER_TEMP/codeql_databases/javascript" \
+            --file-path /path/to/file \
+            --plaintext-message "Plaintext message $i" \
+            --source-id "lang/diagnostics/example" \
+            --source-name "Diagnostic name" \
+            --ready-for-status-page
+        done
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+    - name: Check diagnostics appear in SARIF
+      uses: actions/github-script@v6
+      env:
+        SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
+      with:
+        script: |
+          const fs = require('fs');
+
+          function checkStatusPageNotification(n) {
+            const expectedMessage = 'Plaintext message 1\n\nCodeQL also found 1 other diagnostic like this. See the workflow log for details.';
+            if (n.message.text !== expectedMessage) {
+              core.setFailed(`Expected the status page diagnostic to have the message '${expectedMessage}', but found '${n.message.text}'.`);
+            }
+            if (n.locations.length !== 1) {
+              core.setFailed(`Expected the status page diagnostic to have exactly 1 location, but found ${n.locations.length}.`);
+            }
+          }
+
+          const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+          const run = sarif.runs[0];
+
+          const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+          const statusPageNotifications = toolExecutionNotifications.filter(n =>
+            n.descriptor.id === 'lang/diagnostics/example' && n.properties?.visibility?.statusPage
+          );
+          if (statusPageNotifications.length !== 1) {
+            core.setFailed(
+              'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
+                `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                `${statusPageNotifications.length}. All notification reporting descriptors: ` + 
+                `${JSON.stringify(toolExecutionNotifications)}.`
+            );
+          }
+          checkStatusPageNotification(statusPageNotifications[0]);
+
+          const notifications = run.tool.driver.notifications;
+          const diagnosticNotification = notifications.filter(n =>
+            n.id === 'lang/diagnostics/example' && n.name === 'lang/diagnostics/example' &&
+              n.fullDescription.text === 'Diagnostic name'
+          );
+          if (diagnosticNotification.length !== 1) {
+            core.setFailed(
+              'Expected exactly one notification for this diagnostic in the ' +
+                `'runs[].tool.driver.notifications[]' SARIF property, but found ` +
+                `${diagnosticNotification.length}. All notifications: ` +
+                `${JSON.stringify(notifications)}.`
+            );
+          }
+
+          core.info('Finished diagnostic export test');
+    env:
+      CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__export-file-baseline-information.yml

@@ -39,7 +39,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
@@ -49,7 +49,7 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
       env:
         CODEQL_FILE_BASELINE_INFORMATION: true
-    - uses: ./../action/.github/setup-swift
+    - uses: ./../action/.github/actions/setup-swift
       with:
         codeql-path: ${{steps.init.outputs.codeql-path}}
     - name: Build code

.github/workflows/__extractor-ram-threads.yml

@@ -35,7 +35,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init

.github/workflows/__go-custom-queries.yml

@@ -69,12 +69,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: ./../action/init
@@ -86,6 +86,8 @@ jobs:
       shell: bash
       run: ./build.sh
     - uses: ./../action/analyze
+      with:
+        upload-database: false
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-tracing-autobuilder.yml

@@ -57,12 +57,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: ./../action/init
@@ -71,6 +71,8 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - uses: ./../action/autobuild
     - uses: ./../action/analyze
+      with:
+        upload-database: false
     - shell: bash
       run: |
         if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -57,12 +57,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: ./../action/init
@@ -73,6 +73,8 @@ jobs:
       shell: bash
       run: go build main.go
     - uses: ./../action/analyze
+      with:
+        upload-database: false
     - shell: bash
       run: |
         # Once we start running Bash 4.2 in all environments, we can replace the

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -57,12 +57,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: ./../action/init
@@ -70,6 +70,8 @@ jobs:
         languages: go
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - uses: ./../action/analyze
+      with:
+        upload-database: false
     - shell: bash
       run: |
         cd "$RUNNER_TEMP/codeql_databases"

.github/workflows/__init-with-registries.yml

@@ -25,6 +25,18 @@ jobs:
     strategy:
       matrix:
         include:
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
@@ -39,7 +51,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Init with registries
@@ -57,8 +69,8 @@ jobs:
     - name: Verify packages installed
       shell: bash
       run: |
-        PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
-        CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
+        PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
+        CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
 
         if [[ -d $PRIVATE_PACK ]]
         then
@@ -75,5 +87,39 @@ jobs:
             echo "::error $CODEQL_PACK1 pack was not installed."
             exit 1
         fi
+
+    - name: Verify qlconfig.yml file was created
+      shell: bash
+      run: |
+        QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
+        echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
+        if [[ -f $QLCONFIG_PATH ]]
+        then
+            echo "qlconfig.yml file was created."
+        else
+            echo "::error qlconfig.yml file was not created."
+            exit 1
+        fi
+
+    - name: Verify contents of qlconfig.yml
+    # yq is not available on windows
+      if: runner.os != 'Windows'
+      shell: bash
+      run: |
+        QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
+        cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
+        if [[ $? -eq 0 ]]
+        then
+            echo "Registry was added to qlconfig.yml file."
+        else
+            echo "::error Registry was not added to qlconfig.yml file."
+            echo "Contents of qlconfig.yml file:"
+            cat $QLCONFIG_PATH
+            exit 1
+        fi
+    permissions:
+      contents: read
+      packages: read
+
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__javascript-source-root.yml

@@ -39,7 +39,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Move codeql-action
@@ -54,8 +54,9 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - uses: ./../action/analyze
       with:
+        upload-database: false
         skip-queries: true
-        upload: false
+        upload: never
     - name: Assert database exists
       shell: bash
       run: |

.github/workflows/__ml-powered-queries.yml

@@ -57,12 +57,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: ./../action/init
@@ -85,7 +85,7 @@ jobs:
         retention-days: 7
 
     - name: Check sarif
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
     # Running on Windows requires CodeQL CLI 2.9.0+.
       if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
       with:

.github/workflows/__multi-language-autodetect.yml

@@ -57,12 +57,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: ./../action/init
@@ -71,7 +71,7 @@ jobs:
         db-location: ${{ runner.temp }}/customDbLocation
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-    - uses: ./../action/.github/setup-swift
+    - uses: ./../action/.github/actions/setup-swift
       with:
         codeql-path: ${{steps.init.outputs.codeql-path}}
 
@@ -81,6 +81,8 @@ jobs:
 
     - uses: ./../action/analyze
       id: analysis
+      with:
+        upload-database: false
 
     - name: Check language autodetect for all languages excluding Ruby, Swift
       shell: bash

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -51,13 +51,13 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging3.yml
-        packs: +dsp-testing/codeql-pack1@1.0.0
+        packs: +codeql-testing/codeql-pack1@1.0.0
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - name: Build code
@@ -66,9 +66,10 @@ jobs:
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
+        upload-database: false
 
     - name: Check results
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

.github/workflows/__packaging-config-inputs-js.yml

@@ -51,13 +51,13 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging3.yml
-        packs: +dsp-testing/codeql-pack1@1.0.0
+        packs: +codeql-testing/codeql-pack1@1.0.0
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - name: Build code
@@ -66,9 +66,10 @@ jobs:
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
+        upload-database: false
 
     - name: Check results
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

.github/workflows/__packaging-config-js.yml

@@ -51,7 +51,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
@@ -65,9 +65,10 @@ jobs:
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
+        upload-database: false
 
     - name: Check results
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

.github/workflows/__packaging-inputs-js.yml

@@ -51,14 +51,14 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging2.yml
         languages: javascript
-        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
+        packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - name: Build code
       shell: bash
@@ -68,7 +68,7 @@ jobs:
         output: ${{ runner.temp }}/results
 
     - name: Check results
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

.github/workflows/__remote-config.yml

@@ -69,12 +69,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: ./../action/init

.github/workflows/__rubocop-multi-language.yml

@@ -35,7 +35,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Ruby

.github/workflows/__ruby.yml

@@ -45,7 +45,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
@@ -54,6 +54,8 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - uses: ./../action/analyze
       id: analysis
+      with:
+        upload-database: false
     - name: Check database
       shell: bash
       run: |

.github/workflows/__split-workflow.yml

@@ -45,13 +45,13 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
       with:
         config-file: .github/codeql/codeql-config-packaging3.yml
-        packs: +dsp-testing/codeql-pack1@1.0.0
+        packs: +codeql-testing/codeql-pack1@1.0.0
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - name: Build code
@@ -61,6 +61,7 @@ jobs:
       with:
         skip-queries: true
         output: ${{ runner.temp }}/results
+        upload-database: false
 
     - name: Assert No Results
       shell: bash

.github/workflows/__submit-sarif-failure.yml

@@ -39,7 +39,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: actions/checkout@v3

.github/workflows/__swift-autobuild.yml

@@ -1,70 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-#     pip install ruamel.yaml && python3 sync.py
-# to regenerate this file.
-
-name: PR Check - Swift analysis using autobuild
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  GO111MODULE: auto
-  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
-on:
-  push:
-    branches:
-    - main
-    - releases/v2
-  pull_request:
-    types:
-    - opened
-    - synchronize
-    - reopened
-    - ready_for_review
-  workflow_dispatch: {}
-jobs:
-  swift-autobuild:
-    strategy:
-      matrix:
-        include:
-        - os: macos-latest
-          version: latest
-        - os: macos-latest
-          version: cached
-        - os: macos-latest
-          version: nightly-latest
-    name: Swift analysis using autobuild
-    timeout-minutes: 45
-    runs-on: ${{ matrix.os }}
-    steps:
-    - name: Check out repository
-      uses: actions/checkout@v3
-    - name: Prepare test
-      id: prepare-test
-      uses: ./.github/prepare-test
-      with:
-        version: ${{ matrix.version }}
-    - uses: ./../action/init
-      id: init
-      with:
-        languages: swift
-        tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/.github/setup-swift
-      with:
-        codeql-path: ${{steps.init.outputs.codeql-path}}
-    - name: Check working directory
-      shell: bash
-      run: pwd
-    - uses: ./../action/autobuild
-      timeout-minutes: 10
-    - uses: ./../action/analyze
-      id: analysis
-    - name: Check database
-      shell: bash
-      run: |
-        SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
-        if [[ ! -d "$SWIFT_DB" ]]; then
-          echo "Did not create a database for Swift."
-          exit 1
-        fi
-    env:
-      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
-      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__swift-custom-build.yml

@@ -45,7 +45,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
@@ -53,7 +53,7 @@ jobs:
       with:
         languages: swift
         tools: ${{ steps.prepare-test.outputs.tools-url }}
-    - uses: ./../action/.github/setup-swift
+    - uses: ./../action/.github/actions/setup-swift
       with:
         codeql-path: ${{steps.init.outputs.codeql-path}}
     - name: Check working directory
@@ -64,6 +64,8 @@ jobs:
       run: ./build.sh
     - uses: ./../action/analyze
       id: analysis
+      with:
+        upload-database: false
     - name: Check database
       shell: bash
       run: |

.github/workflows/__test-autobuild-working-dir.yml

@@ -35,7 +35,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Test setup
@@ -53,6 +53,8 @@ jobs:
       with:
         working-directory: autobuild-dir
     - uses: ./../action/analyze
+      with:
+        upload-database: false
     - name: Check database
       shell: bash
       run: |

.github/workflows/__test-local-codeql.yml

@@ -35,7 +35,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Fetch a CodeQL bundle
@@ -51,5 +51,7 @@ jobs:
       shell: bash
       run: ./build.sh
     - uses: ./../action/analyze
+      with:
+        upload-database: false
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__test-proxy.yml

@@ -35,7 +35,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - uses: ./../action/init
@@ -43,6 +43,8 @@ jobs:
         languages: javascript
         tools: ${{ steps.prepare-test.outputs.tools-url }}
     - uses: ./../action/analyze
+      with:
+        upload-database: false
     env:
       https_proxy: http://squid-proxy:3128
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__unset-environment.yml

@@ -45,12 +45,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: ./../action/init
@@ -65,6 +65,8 @@ jobs:
         ./build.sh
     - uses: ./../action/analyze
       id: analysis
+      with:
+        upload-database: false
     - shell: bash
       run: |
         CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"

.github/workflows/__upload-ref-sha-input.yml

@@ -69,12 +69,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: ./../action/init
@@ -88,9 +88,10 @@ jobs:
       run: ./build.sh
     - uses: ./../action/analyze
       with:
+        upload-database: false
         ref: refs/heads/main
         sha: 5e235361806c361d4d3f8859e3c897658025a9a2
-        upload: false
+        upload: never
     - uses: ./../action/upload-sarif
       with:
         ref: refs/heads/main

.github/workflows/__with-checkout-path.yml

@@ -69,12 +69,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
     - name: Set up Go
       if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: ^1.13.1
     - uses: actions/checkout@v3
@@ -103,7 +103,8 @@ jobs:
         checkout_path: x/y/z/some-path/tests/multi-language-repo
         ref: v1.1.0
         sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-        upload: false
+        upload: never
+        upload-database: false
 
     - uses: ./../action/upload-sarif
       with:

.github/workflows/codescanning-config-cli.yml

@@ -47,12 +47,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: ${{ matrix.version }}
 
     - name: Empty file
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: "{}"
         languages: javascript
@@ -60,31 +60,31 @@ jobs:
 
     - name: Packs from input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
-            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
           }
         languages: javascript
-        packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
+        packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Packs from input with +
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
-            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
           }
         languages: javascript
-        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
+        packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Queries from input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -96,7 +96,7 @@ jobs:
 
     - name: Queries from input with +
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -108,27 +108,27 @@ jobs:
 
     - name: Queries and packs from input with +
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
-            "packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+            "packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
           }
         languages: javascript
         queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
-        packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
+        packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Queries and packs from config
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }],
             "packs": {
-              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
+              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
             }
           }
         languages: javascript
@@ -137,7 +137,7 @@ jobs:
 
     - name: Queries and packs from config overriden by input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -152,7 +152,7 @@ jobs:
 
     - name: Queries and packs from config merging with input
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -161,7 +161,7 @@ jobs:
               { "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
             ],
             "packs": {
-              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2", "codeql/javascript-queries" ]
+              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
             }
           }
         languages: javascript
@@ -172,12 +172,12 @@ jobs:
 
     - name: Multi-language packs from config
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
             "packs": {
-              "javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ],
+              "javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ],
               "ruby": ["codeql/ruby-queries"]
             },
             "queries": [
@@ -190,7 +190,7 @@ jobs:
 
     - name: Other config properties
       if: success() || failure()
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: |
           {
@@ -209,7 +209,7 @@ jobs:
       if: success() || failure()
       env:
         CODEQL_PASS_CONFIG_TO_CLI: false
-      uses: ./../action/.github/check-codescanning-config
+      uses: ./../action/.github/actions/check-codescanning-config
       with:
         expected-config-file-contents: ""
         languages: javascript

.github/workflows/debug-artifacts-failure.yml

@@ -36,10 +36,10 @@ jobs:
         uses: actions/checkout@v3
       - name: Prepare test
         id: prepare-test
-        uses: ./.github/prepare-test
+        uses: ./.github/actions/prepare-test
         with:
           version: latest
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v4
         with:
           go-version: ^1.13.1
       - uses: ./../action/init

.github/workflows/debug-artifacts.yml

@@ -56,10 +56,10 @@ jobs:
         uses: actions/checkout@v3
       - name: Prepare test
         id: prepare-test
-        uses: ./.github/prepare-test
+        uses: ./.github/actions/prepare-test
         with:
           version: ${{ matrix.version }}
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v4
         with:
           go-version: ^1.13.1
       - uses: ./../action/init

.github/workflows/expected-queries-runs.yml

@@ -25,7 +25,7 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: latest
     - uses: ./../action/init
@@ -36,10 +36,10 @@ jobs:
       with:
         output: ${{ runner.temp }}/results
         upload-database: false
-        upload: false
+        upload: never
 
     - name: Check Sarif
-      uses: ./../action/.github/check-sarif
+      uses: ./../action/.github/actions/check-sarif
       with:
         sarif-file: ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/incomplete-hostname-regexp,js/path-injection

.github/workflows/query-filters.yml

@@ -23,12 +23,12 @@ jobs:
       uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
-      uses: ./.github/prepare-test
+      uses: ./.github/actions/prepare-test
       with:
         version: latest
 
     - name: Check SARIF for default queries with Single include, Single exclude
-      uses: ./../action/.github/query-filter-test
+      uses: ./../action/.github/actions/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip
@@ -37,7 +37,7 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Check SARIF for query packs with Single include, Single exclude
-      uses: ./../action/.github/query-filter-test
+      uses: ./../action/.github/actions/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip,javascript/example/empty-or-one-block
@@ -46,7 +46,7 @@ jobs:
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
     - name: Check SARIF for query packs and local queries with Single include, Single exclude
-      uses: ./../action/.github/query-filter-test
+      uses: ./../action/.github/actions/query-filter-test
       with:
         sarif-file:  ${{ runner.temp }}/results/javascript.sarif
         queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs

.github/workflows/script/check-node-modules.sh

@@ -7,13 +7,9 @@ if [ ! -z "$(git status --porcelain)" ]; then
     >&2 echo "Failed: Repo should be clean before testing!"
     exit 1
 fi
-# When updating this, make sure to update the npm version in
-# `.github/workflows/update-dependencies.yml` too.
-sudo npm install --force -g npm@9.2.0
-# Reinstall modules and then clean to remove absolute paths
-# Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
-npm ci
-npm run removeNPMAbsolutePaths
+
+"$(dirname "$0")/update-node-modules.sh" check-only
+
 # Check that repo is still clean
 if [ ! -z "$(git status --porcelain)" ]; then
     # If we get a fail here then the PR needs attention

.github/workflows/script/update-node-modules.sh

@@ -0,0 +1,18 @@
+if [ "$1" != "update" && "$1" != "check-only" ]; then
+    >&2 echo "Failed: Invalid argument. Must be 'update' or 'check-only'"
+    exit 1
+fi
+
+sudo npm install --force -g npm@9.2.0
+
+# clean the npm cache to ensure we don't have any files owned by root
+sudo npm cache clean --force
+
+if [ "$1" = "update" ]; then
+    npm install
+fi
+
+# Reinstall modules and then clean to remove absolute paths
+# Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
+npm ci
+npm run removeNPMAbsolutePaths

.github/workflows/update-bundle.yml

@@ -0,0 +1,82 @@
+name: Update default CodeQL bundle
+
+on:
+  release:
+    types: [prereleased]
+
+jobs:
+  update-bundle:
+    if: startsWith(github.event.release.tag_name, 'codeql-bundle-')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dump environment
+        run: env
+
+      - name: Dump GitHub context
+        env:
+          GITHUB_CONTEXT: '${{ toJson(github) }}'
+        run: echo "$GITHUB_CONTEXT"
+
+      - uses: actions/checkout@v3
+
+      - name: Update git config
+        run: |
+          git config --global user.email "github-actions@github.com"
+          git config --global user.name "github-actions[bot]"
+
+      - name: Update bundle
+        uses: ./.github/actions/update-bundle
+
+      - name: Rebuild Action
+        run: npm run build
+
+      - name: Commit and push changes
+        env:
+          RELEASE_TAG: "${{ github.event.release.tag_name }}"
+        run: |
+          git checkout -b "update-bundle/$RELEASE_TAG"
+          git commit -am "Update default bundle to $RELEASE_TAG"
+          git push --set-upstream origin "update-bundle/$RELEASE_TAG"
+
+      - name: Open pull request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cli_version=$(jq -r '.cliVersion' src/defaults.json)
+          pr_url=$(gh pr create \
+            --title "Update default bundle to $cli_version" \
+            --body "This pull request updates the default CodeQL bundle, as used with \`tools: latest\` and on GHES, to $cli_version." \
+            --assignee "$GITHUB_ACTOR" \
+            --draft \
+          )
+          echo "CLI_VERSION=$cli_version" | tee -a "$GITHUB_ENV"
+          echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"
+
+      - name: Create changelog note
+        shell: python
+        run: |
+          import os
+          import re
+
+          # Get the PR number from the PR URL.
+          pr_number = os.environ['PR_URL'].split('/')[-1]
+          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
+
+          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
+          # Use perl to avoid having to escape the newline character.
+
+          with open('CHANGELOG.md', 'r') as f:
+              changelog = f.read()
+
+          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
+
+          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
+          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
+
+          with open('CHANGELOG.md', 'w') as f:
+              f.write(changelog)
+
+      - name: Push changelog note
+        run: |
+          git commit -am "Add changelog note"
+          git push

.github/workflows/update-dependencies.yml

@@ -27,12 +27,7 @@ jobs:
       run: |
         git fetch origin "$BRANCH" --depth=1
         git checkout "origin/$BRANCH"
-        # When updating this, make sure to update the npm version in
-        # `.github/workflows/script/check-node-modules.sh` too.
-        sudo npm install --force -g npm@9.2.0
-        npm install
-        npm ci
-        npm run removeNPMAbsolutePaths
+        .github/workflows/script/update-node-modules.sh update
         if [ ! -z "$(git status --porcelain)" ]; then
           git config --global user.email "github-actions@github.com"
           git config --global user.name "github-actions[bot]"

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -3,6 +3,7 @@ name: Update Supported Enterprise Server Versions
 on:
   schedule:
     - cron: "0 0 * * *"
+  workflow_dispatch:
 
 jobs:
   update-supported-enterprise-server-versions:
@@ -35,7 +36,7 @@ jobs:
         env:
           ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
       - name: Commit Changes
-        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4.2.3
+        uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
         with:
           commit-message: Update supported GitHub Enterprise Server versions.
           title: Update supported GitHub Enterprise Server versions.

.github/workflows/update-supported-enterprise-server-versions/update.py

@@ -15,6 +15,11 @@ def main():
 	api_compatibility_data = json.loads(_API_COMPATIBILITY_PATH.read_text())
 
 	releases = json.loads(_RELEASE_FILE_PATH.read_text())
+
+	# Remove GHES version using a previous version numbering scheme.
+	if "11.10.340" in releases:
+		del releases["11.10.340"]
+
 	oldest_supported_release = None
 	newest_supported_release = semver.VersionInfo.parse(api_compatibility_data["maximumVersion"] + ".0")
 

CHANGELOG.md

@@ -1,5 +1,43 @@
 # CodeQL Action Changelog
 
+## [UNRELEASED]
+
+No user facing changes.
+
+## 2.2.11 - 06 Apr 2023
+
+No user facing changes.
+
+## 2.2.10 - 05 Apr 2023
+
+- Update default CodeQL bundle version to 2.12.6. [#1629](https://github.com/github/codeql-action/pull/1629)
+
+## 2.2.9 - 27 Mar 2023
+
+- Customers post-processing the SARIF output of the `analyze` Action before uploading it to Code Scanning will benefit from an improved debugging experience. [#1598](https://github.com/github/codeql-action/pull/1598)
+  - The CodeQL Action will now upload a SARIF file with debugging information to Code Scanning on failed runs for customers using `upload: false`. Previously, this was only available for customers using the default value of the `upload` input.
+  - The `upload` input to the `analyze` Action now accepts the following values:
+    - `always` is the default value, which uploads the SARIF file to Code Scanning for successful and failed runs.
+    - `failure-only` is recommended for customers post-processing the SARIF file before uploading it to Code Scanning. This option uploads debugging information to Code Scanning for failed runs to improve the debugging experience.
+    - `never` avoids uploading the SARIF file to Code Scanning even if the code scanning run fails. This is not recommended for external users since it complicates debugging.
+    - The legacy `true` and `false` options will be interpreted as `always` and `failure-only` respectively.
+
+## 2.2.8 - 22 Mar 2023
+
+- Update default CodeQL bundle version to 2.12.5. [#1585](https://github.com/github/codeql-action/pull/1585)
+
+## 2.2.7 - 15 Mar 2023
+
+No user facing changes.
+
+## 2.2.6 - 10 Mar 2023
+
+- Update default CodeQL bundle version to 2.12.4. [#1561](https://github.com/github/codeql-action/pull/1561)
+
+## 2.2.5 - 24 Feb 2023
+
+- Update default CodeQL bundle version to 2.12.3. [#1543](https://github.com/github/codeql-action/pull/1543)
+
 ## 2.2.4 - 10 Feb 2023
 
 No user facing changes.

CONTRIBUTING.md

@@ -67,12 +67,8 @@ Here are a few things you can do that will increase the likelihood of your pull
     This mergeback incorporates the changelog updates into `main`, tags the release using the merge commit of the "Merge main into releases/v2" pull request, and bumps the patch version of the CodeQL Action.
 
     Approve the mergeback PR and automerge it.
-1. When the "Merge main into releases/v2" pull request is merged into the `releases/v2` branch, the "Update release branch" workflow will create a "Merge releases/v2 into releases/v1" pull request to merge the changes since the last release into the `releases/v1` release branch.
-    This ensures we keep both the `releases/v1` and `releases/v2` release branches up to date and fully supported.
 
-    Review the checklist items in the pull request description.
-    Once you've checked off all the items, approve the PR and automerge it.
-1. Once the mergeback has been merged to `main` and the "Merge releases/v2 into releases/v1" PR has been merged to `releases/v1`, the release is complete.
+Once the mergeback has been merged to `main`, the release is complete.
 
 ## Keeping the PR checks up to date (admin access required)
 

analyze/action.yml

@@ -10,10 +10,14 @@ inputs:
     required: false
     default: "../results"
   upload:
-    description: Upload the SARIF file to Code Scanning
+    description: >-
+      Upload the SARIF file to Code Scanning.
+      Defaults to 'always' which uploads the SARIF file to Code Scanning for successful and failed runs.
+      'failure-only' only uploads debugging information to Code Scanning if the workflow run fails, for users post-processing the SARIF file before uploading it to Code Scanning.
+      'never' avoids uploading the SARIF file to Code Scanning, even if the code scanning run fails. This is not recommended for external users since it complicates debugging.
     required: false
     # If changing this, make sure to update workflow.ts accordingly.
-    default: "true"
+    default: "always"
   cleanup-level:
     description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --mode flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
     required: false

lib/actions-util.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.workflowEventName = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionVersion = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
+exports.getUploadValue = exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.workflowEventName = exports.sendStatusReport = exports.createStatusReportBase = exports.getActionVersion = exports.getActionsStatus = exports.getRef = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
@@ -295,6 +295,11 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
     if (workflowRunIDStr) {
         workflowRunID = parseInt(workflowRunIDStr, 10);
     }
+    const workflowRunAttemptStr = process.env["GITHUB_RUN_ATTEMPT"];
+    let workflowRunAttempt = -1;
+    if (workflowRunAttemptStr) {
+        workflowRunAttempt = parseInt(workflowRunAttemptStr, 10);
+    }
     const workflowName = process.env["GITHUB_WORKFLOW"] || "";
     const jobName = process.env["GITHUB_JOB"] || "";
     const analysis_key = await getAnalysisKey();
@@ -314,6 +319,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
     }
     const statusReport = {
         workflow_run_id: workflowRunID,
+        workflow_run_attempt: workflowRunAttempt,
         workflow_name: workflowName,
         job_name: jobName,
         analysis_key,
@@ -478,9 +484,14 @@ function getWorkflowEvent() {
 function removeRefsHeadsPrefix(ref) {
     return ref.startsWith("refs/heads/") ? ref.slice("refs/heads/".length) : ref;
 }
-// Is the version of the repository we are currently analyzing from the default branch,
-// or alternatively from another branch or a pull request.
+// Returns whether we are analyzing the default branch for the repository.
+// For cases where the repository information might not be available (e.g.,
+// dynamic workflows), this can be forced by the environment variable
+// CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH.
 async function isAnalyzingDefaultBranch() {
+    if (process.env.CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH === "true") {
+        return true;
+    }
     // Get the current ref and trim and refs/heads/ prefix
     let currentRef = await getRef();
     currentRef = removeRefsHeadsPrefix(currentRef);
@@ -521,4 +532,22 @@ async function printDebugLogs(config) {
     }
 }
 exports.printDebugLogs = printDebugLogs;
+// Parses the `upload` input into an `UploadKind`, converting unspecified and deprecated upload inputs appropriately.
+function getUploadValue(input) {
+    switch (input) {
+        case undefined:
+        case "true":
+        case "always":
+            return "always";
+        case "false":
+        case "failure-only":
+            return "failure-only";
+        case "never":
+            return "never";
+        default:
+            core.warning(`Unrecognized 'upload' input to 'analyze' Action: ${input}. Defaulting to 'always'.`);
+            return "always";
+    }
+}
+exports.getUploadValue = getUploadValue;
 //# sourceMappingURL=actions-util.js.map

lib/actions-util.test.js

@@ -172,6 +172,9 @@ const util_1 = require("./util");
     t.deepEqual(process.env.CODEQL_ACTION_VERSION, "1.2.3");
 });
 (0, ava_1.default)("isAnalyzingDefaultBranch()", async (t) => {
+    process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "true";
+    t.deepEqual(await actionsutil.isAnalyzingDefaultBranch(), true);
+    process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "false";
     await (0, util_1.withTmpDir)(async (tmpDir) => {
         (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
         const envFile = path.join(tmpDir, "event.json");

lib/analyze-action-post.js

@@ -31,13 +31,13 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
 const analyzeActionPostHelper = __importStar(require("./analyze-action-post-helper"));
 const debugArtifacts = __importStar(require("./debug-artifacts"));
+const util_1 = require("./util");
 async function runWrapper() {
     try {
         await analyzeActionPostHelper.run(debugArtifacts.uploadSarifDebugArtifact);
     }
     catch (error) {
-        core.setFailed(`analyze post-action step failed: ${error}`);
-        console.log(error);
+        core.setFailed(`analyze post-action step failed: ${(0, util_1.wrapError)(error).message}`);
     }
 }
 void runWrapper();

lib/analyze-action-post.js.map

@@ -1 +1 @@
-{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,sFAAwE;AACxE,kEAAoD;AAEpD,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,wBAAwB,CAAC,CAAC;KAC5E;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,oCAAoC,KAAK,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"analyze-action-post.js","sourceRoot":"","sources":["../src/analyze-action-post.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;GAIG;AACH,oDAAsC;AAEtC,sFAAwE;AACxE,kEAAoD;AACpD,iCAAmC;AAEnC,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,uBAAuB,CAAC,GAAG,CAAC,cAAc,CAAC,wBAAwB,CAAC,CAAC;KAC5E;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CACZ,oCAAoC,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAC/D,CAAC;KACH;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/analyze-action.js

@@ -103,7 +103,7 @@ function doesGoExtractionOutputExist(config) {
  * an autobuild step or manual build steps.
  *
  * - We detect whether an autobuild step is present by checking the
- * `util.DID_AUTOBUILD_GO_ENV_VAR_NAME` environment variable, which is set
+ * `CODEQL_ACTION_DID_AUTOBUILD_GOLANG` environment variable, which is set
  * when the autobuilder is invoked.
  * - We detect whether the Go database has already been finalized in case it
  * has been manually set in a prior Action step.
@@ -114,7 +114,7 @@ async function runAutobuildIfLegacyGoWorkflow(config, logger) {
     if (!config.languages.includes(languages_1.Language.go)) {
         return;
     }
-    if (process.env[util.DID_AUTOBUILD_GO_ENV_VAR_NAME] === "true") {
+    if (process.env[shared_environment_1.CODEQL_ACTION_DID_AUTOBUILD_GOLANG] === "true") {
         logger.debug("Won't run Go autobuild since it has already been run.");
         return;
     }
@@ -155,7 +155,7 @@ async function run() {
         if (hasBadExpectErrorInput()) {
             throw new Error("`expect-error` input parameter is for internal use only. It should only be set by codeql-action or a fork.");
         }
-        await util.enrichEnvironment(await (0, codeql_1.getCodeQL)(config.codeQLCmd));
+        await (0, codeql_1.enrichEnvironment)(await (0, codeql_1.getCodeQL)(config.codeQLCmd));
         const apiDetails = (0, api_client_1.getApiDetails)();
         const outputDir = actionsUtil.getRequiredInput("output");
         const threads = util.getThreadsFlag(actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"], logger);
@@ -176,7 +176,8 @@ async function run() {
             dbLocations[language] = util.getCodeQLDatabasePath(config, language);
         }
         core.setOutput("db-locations", dbLocations);
-        if (runStats && actionsUtil.getRequiredInput("upload") === "true") {
+        const uploadInput = actionsUtil.getOptionalInput("upload");
+        if (runStats && actionsUtil.getUploadValue(uploadInput) === "always") {
             uploadResult = await upload_lib.uploadFromActions(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), logger);
             core.setOutput("sarif-id", uploadResult.sarifID);
         }
@@ -204,8 +205,8 @@ async function run() {
         }
         core.exportVariable(shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
     }
-    catch (origError) {
-        const error = origError instanceof Error ? origError : new Error(String(origError));
+    catch (unwrappedError) {
+        const error = (0, util_1.wrapError)(unwrappedError);
         if (actionsUtil.getOptionalInput("expect-error") !== "true" ||
             hasBadExpectErrorInput()) {
             core.setFailed(error.message);
@@ -238,7 +239,7 @@ async function runWrapper() {
         await exports.runPromise;
     }
     catch (error) {
-        core.setFailed(`analyze action failed: ${error}`);
+        core.setFailed(`analyze action failed: ${(0, util_1.wrapError)(error).message}`);
     }
     await (0, util_1.checkForTimeout)();
 }

lib/analyze.js

@@ -123,16 +123,17 @@ async function finalizeDatabaseCreation(config, threadsFlag, memoryFlag, logger)
     };
 }
 // Runs queries and creates sarif files in the given folder
-async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, automationDetailsId, config, logger, featureEnablement) {
+async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag, automationDetailsId, config, logger, features) {
     const statusReport = {};
     const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
-    await util.logCodeScanningConfigInCli(codeql, featureEnablement, logger);
+    const queryFlags = [memoryFlag, threadsFlag];
+    await util.logCodeScanningConfigInCli(codeql, features, logger);
     for (const language of config.languages) {
         const queries = config.queries[language];
         const queryFilters = validateQueryFilters(config.originalUserInput["query-filters"]);
         const packsWithVersion = config.packs[language] || [];
         try {
-            if (await util.useCodeScanningConfigInCli(codeql, featureEnablement)) {
+            if (await util.useCodeScanningConfigInCli(codeql, features)) {
                 // If we are using the code scanning config in the CLI,
                 // much of the work needed to generate the query suites
                 // is done in the CLI. We just need to make a single
@@ -140,7 +141,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                 // another to interpret the results.
                 logger.startGroup(`Running queries for ${language}`);
                 const startTimeBuiltIn = new Date().getTime();
-                await runQueryGroup(language, "all", undefined, undefined);
+                await runQueryGroup(language, "all", undefined, undefined, true);
                 // TODO should not be using `builtin` here. We should be using `all` instead.
                 // The status report does not support `all` yet.
                 statusReport[`analyze_builtin_queries_${language}_duration_ms`] =
@@ -164,24 +165,29 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
                     !hasPackWithCustomQueries) {
                     throw new Error(`Unable to analyze ${language} as no queries were selected for this language`);
                 }
+                const customQueryIndices = [];
+                for (let i = 0; i < queries.custom.length; ++i) {
+                    if (queries.custom[i].queries.length > 0) {
+                        customQueryIndices.push(i);
+                    }
+                }
                 logger.startGroup(`Running queries for ${language}`);
                 const querySuitePaths = [];
-                if (queries["builtin"].length > 0) {
+                if (queries.builtin.length > 0) {
                     const startTimeBuiltIn = new Date().getTime();
-                    querySuitePaths.push((await runQueryGroup(language, "builtin", createQuerySuiteContents(queries["builtin"], queryFilters), undefined)));
+                    querySuitePaths.push((await runQueryGroup(language, "builtin", createQuerySuiteContents(queries.builtin, queryFilters), undefined, customQueryIndices.length === 0 && packsWithVersion.length === 0)));
                     statusReport[`analyze_builtin_queries_${language}_duration_ms`] =
                         new Date().getTime() - startTimeBuiltIn;
                 }
                 const startTimeCustom = new Date().getTime();
                 let ranCustom = false;
-                for (let i = 0; i < queries["custom"].length; ++i) {
-                    if (queries["custom"][i].queries.length > 0) {
-                        querySuitePaths.push((await runQueryGroup(language, `custom-${i}`, createQuerySuiteContents(queries["custom"][i].queries, queryFilters), queries["custom"][i].searchPath)));
-                        ranCustom = true;
-                    }
+                for (const i of customQueryIndices) {
+                    querySuitePaths.push((await runQueryGroup(language, `custom-${i}`, createQuerySuiteContents(queries.custom[i].queries, queryFilters), queries.custom[i].searchPath, i === customQueryIndices[customQueryIndices.length - 1] &&
+                        packsWithVersion.length === 0)));
+                    ranCustom = true;
                 }
                 if (packsWithVersion.length > 0) {
-                    querySuitePaths.push(await runQueryPacks(language, "packs", packsWithVersion, queryFilters));
+                    querySuitePaths.push(await runQueryPacks(language, "packs", packsWithVersion, queryFilters, true));
                     ranCustom = true;
                 }
                 if (ranCustom) {
@@ -212,13 +218,13 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
     return statusReport;
     async function runInterpretResults(language, queries, sarifFile, enableDebugLogging) {
         const databasePath = util.getCodeQLDatabasePath(config, language);
-        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId);
+        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId, config, features, logger);
     }
     async function runPrintLinesOfCode(language) {
         const databasePath = util.getCodeQLDatabasePath(config, language);
         return await codeql.databasePrintBaseline(databasePath);
     }
-    async function runQueryGroup(language, type, querySuiteContents, searchPath) {
+    async function runQueryGroup(language, type, querySuiteContents, searchPath, optimizeForLastQueryRun) {
         const databasePath = util.getCodeQLDatabasePath(config, language);
         // Pass the queries to codeql using a file instead of using the command
         // line to avoid command line length restrictions, particularly on windows.
@@ -229,11 +235,11 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
             fs.writeFileSync(querySuitePath, querySuiteContents);
             logger.debug(`Query suite file for ${language}-${type}...\n${querySuiteContents}`);
         }
-        await codeql.databaseRunQueries(databasePath, searchPath, querySuitePath, memoryFlag, threadsFlag);
+        await codeql.databaseRunQueries(databasePath, searchPath, querySuitePath, queryFlags, optimizeForLastQueryRun);
         logger.debug(`BQRS results produced for ${language} (queries: ${type})"`);
         return querySuitePath;
     }
-    async function runQueryPacks(language, type, packs, queryFilters) {
+    async function runQueryPacks(language, type, packs, queryFilters, optimizeForLastQueryRun) {
         const databasePath = util.getCodeQLDatabasePath(config, language);
         for (const pack of packs) {
             logger.debug(`Running query pack for ${language}-${type}: ${pack}`);
@@ -243,7 +249,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
         const querySuitePath = `${databasePath}-queries-${type}.qls`;
         fs.writeFileSync(querySuitePath, yaml.dump(querySuite));
         logger.debug(`BQRS results produced for ${language} (queries: ${type})"`);
-        await codeql.databaseRunQueries(databasePath, undefined, querySuitePath, memoryFlag, threadsFlag);
+        await codeql.databaseRunQueries(databasePath, undefined, querySuitePath, queryFlags, optimizeForLastQueryRun);
         return querySuitePath;
     }
 }

lib/analyze.test.js

@@ -30,8 +30,10 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const ava_1 = __importDefault(require("ava"));
 const yaml = __importStar(require("js-yaml"));
+const sinon = __importStar(require("sinon"));
 const analyze_1 = require("./analyze");
 const codeql_1 = require("./codeql");
+const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
@@ -188,6 +190,126 @@ const util = __importStar(require("./util"));
         }
     }
 });
+function mockCodeQL() {
+    return {
+        getVersion: async () => "2.12.2",
+        databaseRunQueries: sinon.spy(),
+        databaseInterpretResults: async () => "",
+        databasePrintBaseline: async () => "",
+    };
+}
+function createBaseConfig(tmpDir) {
+    return {
+        languages: [],
+        queries: {},
+        pathsIgnore: [],
+        paths: [],
+        originalUserInput: {},
+        tempDir: "tempDir",
+        codeQLCmd: "",
+        gitHubVersion: {
+            type: util.GitHubVariant.DOTCOM,
+        },
+        dbLocation: path.resolve(tmpDir, "codeql_databases"),
+        packs: {},
+        debugMode: false,
+        debugArtifactName: util.DEFAULT_DEBUG_ARTIFACT_NAME,
+        debugDatabaseName: util.DEFAULT_DEBUG_DATABASE_NAME,
+        augmentationProperties: {
+            injectedMlQueries: false,
+            packsInputCombines: false,
+            queriesInputCombines: false,
+        },
+        trapCaches: {},
+        trapCacheDownloadTime: 0,
+    };
+}
+function createQueryConfig(builtin, custom) {
+    return {
+        builtin,
+        custom: custom.map((c) => ({ searchPath: "/search", queries: [c] })),
+    };
+}
+async function runQueriesWithConfig(config, features) {
+    for (const language of config.languages) {
+        fs.mkdirSync(util.getCodeQLDatabasePath(config, language), {
+            recursive: true,
+        });
+    }
+    return (0, analyze_1.runQueries)("sarif-folder", "--memFlag", "--addSnippetsFlag", "--threadsFlag", undefined, config, (0, logging_1.getRunnerLogger)(true), (0, testing_utils_1.createFeatures)(features));
+}
+function getDatabaseRunQueriesCalls(mock) {
+    return mock.databaseRunQueries.getCalls();
+}
+(0, ava_1.default)("optimizeForLastQueryRun for one language", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp];
+        config.queries.cpp = createQueryConfig(["foo.ql"], []);
+        await runQueriesWithConfig(config, []);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [true]);
+    });
+});
+(0, ava_1.default)("optimizeForLastQueryRun for two languages", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp, languages_1.Language.java];
+        config.queries.cpp = createQueryConfig(["foo.ql"], []);
+        config.queries.java = createQueryConfig(["bar.ql"], []);
+        await runQueriesWithConfig(config, []);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [true, true]);
+    });
+});
+(0, ava_1.default)("optimizeForLastQueryRun for two languages, with custom queries", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp, languages_1.Language.java];
+        config.queries.cpp = createQueryConfig(["foo.ql"], ["c1.ql", "c2.ql"]);
+        config.queries.java = createQueryConfig(["bar.ql"], ["c3.ql"]);
+        await runQueriesWithConfig(config, []);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [false, false, true, false, true]);
+    });
+});
+(0, ava_1.default)("optimizeForLastQueryRun for two languages, with custom queries and packs", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp, languages_1.Language.java];
+        config.queries.cpp = createQueryConfig(["foo.ql"], ["c1.ql", "c2.ql"]);
+        config.queries.java = createQueryConfig(["bar.ql"], ["c3.ql"]);
+        config.packs.cpp = ["a/cpp-pack1@0.1.0"];
+        config.packs.java = ["b/java-pack1@0.2.0", "b/java-pack2@0.3.3"];
+        await runQueriesWithConfig(config, []);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [false, false, false, true, false, false, true]);
+    });
+});
+(0, ava_1.default)("optimizeForLastQueryRun for one language, CliConfigFileEnabled", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp];
+        await runQueriesWithConfig(config, [feature_flags_1.Feature.CliConfigFileEnabled]);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [true]);
+    });
+});
+(0, ava_1.default)("optimizeForLastQueryRun for two languages, CliConfigFileEnabled", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const codeql = mockCodeQL();
+        (0, codeql_1.setCodeQL)(codeql);
+        const config = createBaseConfig(tmpDir);
+        config.languages = [languages_1.Language.cpp, languages_1.Language.java];
+        await runQueriesWithConfig(config, [feature_flags_1.Feature.CliConfigFileEnabled]);
+        t.deepEqual(getDatabaseRunQueriesCalls(codeql).map((c) => c.args[4]), [true, true]);
+    });
+});
 (0, ava_1.default)("validateQueryFilters", (t) => {
     t.notThrows(() => (0, analyze_1.validateQueryFilters)([]));
     t.notThrows(() => (0, analyze_1.validateQueryFilters)(undefined));

lib/api-compatibility.json

@@ -1 +1 @@
-{ "maximumVersion": "3.8", "minimumVersion": "3.4" }
+{ "maximumVersion": "3.9", "minimumVersion": "3.5" }

lib/autobuild-action.js

@@ -30,6 +30,7 @@ const autobuild_1 = require("./autobuild");
 const configUtils = __importStar(require("./config-utils"));
 const languages_1 = require("./languages");
 const logging_1 = require("./logging");
+const shared_environment_1 = require("./shared-environment");
 const util_1 = require("./util");
 async function sendCompletedStatusReport(startedAt, allLanguages, failingLanguage, cause) {
     (0, util_1.initializeEnvironment)((0, actions_util_1.getActionVersion)());
@@ -68,15 +69,15 @@ async function run() {
                 currentLanguage = language;
                 await (0, autobuild_1.runAutobuild)(language, config, logger);
                 if (language === languages_1.Language.go) {
-                    core.exportVariable(util_1.DID_AUTOBUILD_GO_ENV_VAR_NAME, "true");
+                    core.exportVariable(shared_environment_1.CODEQL_ACTION_DID_AUTOBUILD_GOLANG, "true");
                 }
             }
         }
     }
-    catch (error) {
-        core.setFailed(`We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps.  ${error instanceof Error ? error.message : String(error)}`);
-        console.log(error);
-        await sendCompletedStatusReport(startedAt, languages ?? [], currentLanguage, error instanceof Error ? error : new Error(String(error)));
+    catch (unwrappedError) {
+        const error = (0, util_1.wrapError)(unwrappedError);
+        core.setFailed(`We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps. ${error.message}`);
+        await sendCompletedStatusReport(startedAt, languages ?? [], currentLanguage, error);
         return;
     }
     await sendCompletedStatusReport(startedAt, languages ?? []);
@@ -86,8 +87,7 @@ async function runWrapper() {
         await run();
     }
     catch (error) {
-        core.setFailed(`autobuild action failed. ${error}`);
-        console.log(error);
+        core.setFailed(`autobuild action failed. ${(0, util_1.wrapError)(error).message}`);
     }
 }
 void runWrapper();

lib/autobuild-action.js.map

@@ -1 +1 @@
-{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAQwB;AACxB,6CAAgD;AAChD,2CAAwE;AACxE,4DAA8C;AAC9C,2CAAuC;AACvC,uCAA6C;AAC7C,iCAIgB;AAShB,KAAK,UAAU,yBAAyB,CACtC,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,IAAA,+BAAgB,GAAE,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,IAAI,eAAe,GAAyB,SAAS,CAAC;IACtD,IAAI,SAAS,GAA2B,SAAS,CAAC;IAClD,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,+BAAgB,EACtB,MAAM,IAAA,qCAAsB,EAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,CACjE,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QAED,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,IAAI,SAAS,KAAK,SAAS,EAAE;YAC3B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACjC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE;gBAChC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC7C,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE;oBAC5B,IAAI,CAAC,cAAc,CAAC,oCAA6B,EAAE,MAAM,CAAC,CAAC;iBAC5D;aACF;SACF;KACF;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CACZ,mIACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,yBAAyB,CAC7B,SAAS,EACT,SAAS,IAAI,EAAE,EACf,eAAe,EACf,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,SAAS,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAQwB;AACxB,6CAAgD;AAChD,2CAAwE;AACxE,4DAA8C;AAC9C,2CAAuC;AACvC,uCAA6C;AAC7C,6DAA0E;AAC1E,iCAIgB;AAShB,KAAK,UAAU,yBAAyB,CACtC,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,IAAA,+BAAgB,GAAE,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,IAAI,eAAe,GAAyB,SAAS,CAAC;IACtD,IAAI,SAAS,GAA2B,SAAS,CAAC;IAClD,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,+BAAgB,EACtB,MAAM,IAAA,qCAAsB,EAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,CACjE,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QAED,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,IAAI,SAAS,KAAK,SAAS,EAAE;YAC3B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACjC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE;gBAChC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC7C,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE;oBAC5B,IAAI,CAAC,cAAc,CAAC,uDAAkC,EAAE,MAAM,CAAC,CAAC;iBACjE;aACF;SACF;KACF;IAAC,OAAO,cAAc,EAAE;QACvB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CACZ,kIAAkI,KAAK,CAAC,OAAO,EAAE,CAClJ,CAAC;QACF,MAAM,yBAAyB,CAC7B,SAAS,EACT,SAAS,IAAI,EAAE,EACf,eAAe,EACf,KAAK,CACN,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,SAAS,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;KACxE;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/codeql.js

@@ -23,18 +23,23 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
+exports.enrichEnvironment = exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const core = __importStar(require("@actions/core"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const yaml = __importStar(require("js-yaml"));
 const actions_util_1 = require("./actions-util");
+const config_utils_1 = require("./config-utils");
 const error_matcher_1 = require("./error-matcher");
+const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const setupCodeql = __importStar(require("./setup-codeql"));
+const shared_environment_1 = require("./shared-environment");
 const toolrunner_error_catcher_1 = require("./toolrunner-error-catcher");
 const trap_caching_1 = require("./trap-caching");
 const util = __importStar(require("./util"));
+const util_1 = require("./util");
 class CommandInvocationError extends Error {
     constructor(cmd, args, exitCode, error, output) {
         super(`Failure invoking ${cmd} with arguments ${args}.\n
@@ -98,6 +103,10 @@ exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";
  * Versions 2.11.1+ of the CodeQL Bundle include a `security-experimental` built-in query suite for each language.
  */
 exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
+/**
+ * Versions 2.12.4+ of the CodeQL CLI support the `--qlconfig-file` flag in calls to `database init`.
+ */
+exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = "2.12.4";
 /**
  * Set up CodeQL CLI access.
  *
@@ -130,7 +139,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
         };
     }
     catch (e) {
-        logger.error(e instanceof Error ? e : new Error(String(e)));
+        logger.error((0, util_1.wrapError)(e).message);
         throw new Error("Unable to download and extract CodeQL CLI");
     }
 }
@@ -183,6 +192,7 @@ function setCodeQL(partialCodeql) {
         databaseRunQueries: resolveFunction(partialCodeql, "databaseRunQueries"),
         databaseInterpretResults: resolveFunction(partialCodeql, "databaseInterpretResults"),
         databasePrintBaseline: resolveFunction(partialCodeql, "databasePrintBaseline"),
+        databaseExportDiagnostics: resolveFunction(partialCodeql, "databaseExportDiagnostics"),
         diagnosticsExport: resolveFunction(partialCodeql, "diagnosticsExport"),
     };
     return cachedCodeQL;
@@ -302,7 +312,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 ...getExtraOptionsFromEnv(["database", "init"]),
             ]);
         },
-        async databaseInitCluster(config, sourceRoot, processName, featureEnablement, logger) {
+        async databaseInitCluster(config, sourceRoot, processName, features, qlconfigFile, logger) {
             const extraArgs = config.languages.map((language) => `--language=${language}`);
             if (config.languages.filter((l) => (0, languages_1.isTracedLanguage)(l)).length > 0) {
                 extraArgs.push("--begin-tracing");
@@ -320,17 +330,21 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                     extraArgs.push("--no-internal-use-lua-tracing");
                 }
             }
-            // A config file is only generated if the CliConfigFileEnabled feature flag is enabled.
-            const configLocation = await generateCodeScanningConfig(codeql, config, featureEnablement, logger);
+            // A code scanning config file is only generated if the CliConfigFileEnabled feature flag is enabled.
+            const codeScanningConfigFile = await generateCodeScanningConfig(codeql, config, features, logger);
             // Only pass external repository token if a config file is going to be parsed by the CLI.
             let externalRepositoryToken;
-            if (configLocation) {
-                extraArgs.push(`--codescanning-config=${configLocation}`);
+            if (codeScanningConfigFile) {
                 externalRepositoryToken = (0, actions_util_1.getOptionalInput)("external-repository-token");
+                extraArgs.push(`--codescanning-config=${codeScanningConfigFile}`);
                 if (externalRepositoryToken) {
                     extraArgs.push("--external-repository-token-stdin");
                 }
             }
+            if (qlconfigFile !== undefined &&
+                (await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_INIT_WITH_QLCONFIG))) {
+                extraArgs.push(`--qlconfig-file=${qlconfigFile}`);
+            }
             await runTool(cmd, [
                 "database",
                 "init",
@@ -472,17 +486,20 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 throw new Error(`Unexpected output from codeql resolve queries: ${e}`);
             }
         },
-        async databaseRunQueries(databasePath, extraSearchPath, querySuitePath, memoryFlag, threadsFlag) {
+        async databaseRunQueries(databasePath, extraSearchPath, querySuitePath, flags, optimizeForLastQueryRun) {
             const codeqlArgs = [
                 "database",
                 "run-queries",
-                memoryFlag,
-                threadsFlag,
+                ...flags,
                 databasePath,
                 "--min-disk-free=1024",
                 "-v",
                 ...getExtraOptionsFromEnv(["database", "run-queries"]),
             ];
+            if (optimizeForLastQueryRun &&
+                (await util.supportExpectDiscardedCache(this))) {
+                codeqlArgs.push("--expect-discarded-cache");
+            }
             if (extraSearchPath !== undefined) {
                 codeqlArgs.push("--additional-packs", extraSearchPath);
             }
@@ -491,18 +508,25 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             }
             await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, codeqlArgs, error_matcher_1.errorMatchers);
         },
-        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId) {
+        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId, config, features, logger) {
+            const shouldExportDiagnostics = await features.getValue(feature_flags_1.Feature.ExportDiagnosticsEnabled, this);
+            // Update this to take into account the CodeQL version when we have a version with the fix.
+            const shouldWorkaroundInvalidNotifications = shouldExportDiagnostics;
+            const codeqlOutputFile = shouldWorkaroundInvalidNotifications
+                ? path.join(config.tempDir, "codeql-intermediate-results.sarif")
+                : sarifFile;
             const codeqlArgs = [
                 "database",
                 "interpret-results",
                 threadsFlag,
                 "--format=sarif-latest",
                 verbosityFlag,
-                `--output=${sarifFile}`,
+                `--output=${codeqlOutputFile}`,
                 addSnippetsFlag,
                 "--print-diagnostics-summary",
                 "--print-metrics-summary",
                 "--sarif-group-rules-by-pack",
+                ...(await getCodeScanningConfigExportArguments(config, this, features)),
                 ...getExtraOptionsFromEnv(["database", "interpret-results"]),
             ];
             if (await util.codeQlVersionAbove(this, CODEQL_VERSION_CUSTOM_QUERY_HELP))
@@ -513,12 +537,21 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             if (await util.codeQlVersionAbove(this, CODEQL_VERSION_FILE_BASELINE_INFORMATION)) {
                 codeqlArgs.push("--sarif-add-baseline-file-info");
             }
+            if (shouldExportDiagnostics) {
+                codeqlArgs.push("--sarif-include-diagnostics");
+            }
+            else if (await util.codeQlVersionAbove(this, "2.12.4")) {
+                codeqlArgs.push("--no-sarif-include-diagnostics");
+            }
             codeqlArgs.push(databasePath);
             if (querySuitePaths) {
                 codeqlArgs.push(...querySuitePaths);
             }
             // capture stdout, which contains analysis summaries
             const returnState = await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, codeqlArgs, error_matcher_1.errorMatchers);
+            if (shouldWorkaroundInvalidNotifications) {
+                util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
+            }
             return returnState.stdout;
         },
         async databasePrintBaseline(databasePath) {
@@ -595,12 +628,39 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             ];
             await new toolrunner.ToolRunner(cmd, args).exec();
         },
-        async diagnosticsExport(sarifFile, automationDetailsId) {
+        async databaseExportDiagnostics(databasePath, sarifFile, automationDetailsId, tempDir, logger) {
+            // Update this to take into account the CodeQL version when we have a version with the fix.
+            const shouldWorkaroundInvalidNotifications = true;
+            const codeqlOutputFile = shouldWorkaroundInvalidNotifications
+                ? path.join(tempDir, "codeql-intermediate-results.sarif")
+                : sarifFile;
+            const args = [
+                "database",
+                "export-diagnostics",
+                `${databasePath}`,
+                "--db-cluster",
+                "--format=sarif-latest",
+                `--output=${codeqlOutputFile}`,
+                "--sarif-include-diagnostics",
+                "-vvv",
+                ...getExtraOptionsFromEnv(["diagnostics", "export"]),
+            ];
+            if (automationDetailsId !== undefined) {
+                args.push("--sarif-category", automationDetailsId);
+            }
+            await new toolrunner.ToolRunner(cmd, args).exec();
+            if (shouldWorkaroundInvalidNotifications) {
+                // Fix invalid notifications in the SARIF file output by CodeQL.
+                util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
+            }
+        },
+        async diagnosticsExport(sarifFile, automationDetailsId, config, features) {
             const args = [
                 "diagnostics",
                 "export",
                 "--format=sarif-latest",
                 `--output=${sarifFile}`,
+                ...(await getCodeScanningConfigExportArguments(config, this, features)),
                 ...getExtraOptionsFromEnv(["diagnostics", "export"]),
             ];
             if (automationDetailsId !== undefined) {
@@ -711,11 +771,11 @@ async function runTool(cmd, args = [], opts = {}) {
  * @param config The configuration to use.
  * @returns the path to the generated user configuration file.
  */
-async function generateCodeScanningConfig(codeql, config, featureEnablement, logger) {
-    if (!(await util.useCodeScanningConfigInCli(codeql, featureEnablement))) {
+async function generateCodeScanningConfig(codeql, config, features, logger) {
+    if (!(await util.useCodeScanningConfigInCli(codeql, features))) {
         return;
     }
-    const configLocation = path.resolve(config.tempDir, "user-config.yaml");
+    const codeScanningConfigFile = (0, config_utils_1.getGeneratedCodeScanningConfigPath)(config);
     // make a copy so we can modify it
     const augmentedConfig = cloneObject(config.originalUserInput);
     // Inject the queries from the input
@@ -769,14 +829,43 @@ async function generateCodeScanningConfig(codeql, config, featureEnablement, log
             augmentedConfig.packs["javascript"].push(packString);
         }
     }
-    logger.info(`Writing augmented user configuration file to ${configLocation}`);
+    logger.info(`Writing augmented user configuration file to ${codeScanningConfigFile}`);
     logger.startGroup("Augmented user configuration file contents");
     logger.info(yaml.dump(augmentedConfig));
     logger.endGroup();
-    fs.writeFileSync(configLocation, yaml.dump(augmentedConfig));
-    return configLocation;
+    fs.writeFileSync(codeScanningConfigFile, yaml.dump(augmentedConfig));
+    return codeScanningConfigFile;
 }
 function cloneObject(obj) {
     return JSON.parse(JSON.stringify(obj));
 }
+/**
+ * Gets arguments for passing the code scanning configuration file to interpretation commands like
+ * `codeql database interpret-results` and `codeql database export-diagnostics`.
+ *
+ * Returns an empty list if a code scanning configuration file was not generated by the CLI.
+ */
+async function getCodeScanningConfigExportArguments(config, codeql, features) {
+    const codeScanningConfigPath = (0, config_utils_1.getGeneratedCodeScanningConfigPath)(config);
+    if (fs.existsSync(codeScanningConfigPath) &&
+        (await features.getValue(feature_flags_1.Feature.ExportCodeScanningConfigEnabled, codeql))) {
+        return ["--sarif-codescanning-config", codeScanningConfigPath];
+    }
+    return [];
+}
+/**
+ * Enrich the environment variables with further flags that we cannot
+ * know the value of until we know what version of CodeQL we're running.
+ */
+async function enrichEnvironment(codeql) {
+    if (await util.codeQlVersionAbove(codeql, exports.CODEQL_VERSION_NEW_TRACING)) {
+        core.exportVariable(shared_environment_1.EnvVar.FEATURE_MULTI_LANGUAGE, "false");
+        core.exportVariable(shared_environment_1.EnvVar.FEATURE_SANDWICH, "false");
+    }
+    else {
+        core.exportVariable(shared_environment_1.EnvVar.FEATURE_MULTI_LANGUAGE, "true");
+        core.exportVariable(shared_environment_1.EnvVar.FEATURE_SANDWICH, "true");
+    }
+}
+exports.enrichEnvironment = enrichEnvironment;
 //# sourceMappingURL=codeql.js.map

lib/codeql.test.js

@@ -382,11 +382,11 @@ for (const isBundleVersionInUrl of [true, false]) {
             tagName: "codeql-bundle-20230203",
         });
         mockDownloadApi({
-            repo: "dsp-testing/codeql-cli-nightlies",
+            repo: "codeql-testing/codeql-cli-nightlies",
             platformSpecific: false,
             tagName: "codeql-bundle-20230203",
         });
-        const result = await codeql.setupCodeQL("https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
+        const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
         t.is(result.toolsVersion, "0.0.0-20230203");
         t.is(result.toolsSource, init_1.ToolsSource.Download);
         t.true(Number.isInteger(result.toolsDownloadDurationMs));
@@ -424,7 +424,7 @@ for (const isBundleVersionInUrl of [true, false]) {
     sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
     // safeWhich throws because of the test CodeQL object.
     sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", stubConfig, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
     t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be absent, but it is present");
 });
 (0, ava_1.default)("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (t) => {
@@ -433,7 +433,7 @@ for (const isBundleVersionInUrl of [true, false]) {
     sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
     // safeWhich throws because of the test CodeQL object.
     sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", stubConfig, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
     t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be present, but it is absent");
 });
 (0, ava_1.default)("databaseInitCluster() without injected codescanning config", async (t) => {
@@ -452,11 +452,11 @@ for (const isBundleVersionInUrl of [true, false]) {
                 packsInputCombines: false,
             },
         };
-        await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+        await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, (0, testing_utils_1.createFeatures)([]), "/path/to/qlconfig.yml", (0, logging_1.getRunnerLogger)(true));
         const args = runnerConstructorStub.firstCall.args[1];
         // should NOT have used an config file
         const configArg = args.find((arg) => arg.startsWith("--codescanning-config="));
-        t.falsy(configArg, "Should have injected a codescanning config");
+        t.falsy(configArg, "Should NOT have injected a codescanning config");
     });
 });
 // Test macro for ensuring different variants of injected augmented configurations
@@ -474,7 +474,7 @@ const injectedConfigMacro = ava_1.default.macro({
                 tempDir,
                 augmentationProperties,
             };
-            await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.CliConfigFileEnabled]), (0, logging_1.getRunnerLogger)(true));
+            await codeqlObject.databaseInitCluster(thisStubConfig, "", undefined, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.CliConfigFileEnabled]), undefined, (0, logging_1.getRunnerLogger)(true));
             const args = runnerConstructorStub.firstCall.args[1];
             // should have used an config file
             const configArg = args.find((arg) => arg.startsWith("--codescanning-config="));
@@ -665,24 +665,67 @@ const injectedConfigMacro = ava_1.default.macro({
         queries: [],
     },
 }, {});
-(0, ava_1.default)("does not use injected config", async (t) => {
-    const origCODEQL_PASS_CONFIG_TO_CLI = process.env.CODEQL_PASS_CONFIG_TO_CLI;
-    process.env["CODEQL_PASS_CONFIG_TO_CLI"] = "false";
-    try {
+(0, ava_1.default)("does not pass a code scanning config or qlconfig file to the CLI when CLI config passing is disabled", async (t) => {
+    await util.withTmpDir(async (tempDir) => {
+        const runnerConstructorStub = stubToolRunnerConstructor();
+        const codeqlObject = await codeql.getCodeQLForTesting();
+        // stubbed version doesn't matter. It just needs to be valid semver.
+        sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+        await codeqlObject.databaseInitCluster({ ...stubConfig, tempDir }, "", undefined, (0, testing_utils_1.createFeatures)([]), "/path/to/qlconfig.yml", (0, logging_1.getRunnerLogger)(true));
+        const args = runnerConstructorStub.firstCall.args[1];
+        // should not have used a config file
+        const hasConfigArg = args.some((arg) => arg.startsWith("--codescanning-config="));
+        t.false(hasConfigArg, "Should NOT have injected a codescanning config");
+        // should not have passed a qlconfig file
+        const hasQlconfigArg = args.some((arg) => arg.startsWith("--qlconfig-file="));
+        t.false(hasQlconfigArg, "Should NOT have passed a qlconfig file");
+    });
+});
+(0, ava_1.default)("passes a code scanning config AND qlconfig to the CLI when CLI config passing is enabled", async (t) => {
+    await util.withTmpDir(async (tempDir) => {
         const runnerConstructorStub = stubToolRunnerConstructor();
         const codeqlObject = await codeql.getCodeQLForTesting();
         sinon
             .stub(codeqlObject, "getVersion")
-            .resolves(feature_flags_1.featureConfig[feature_flags_1.Feature.CliConfigFileEnabled].minimumVersion);
-        await codeqlObject.databaseInitCluster(stubConfig, "", undefined, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
+            .resolves(codeql.CODEQL_VERSION_INIT_WITH_QLCONFIG);
+        await codeqlObject.databaseInitCluster({ ...stubConfig, tempDir }, "", undefined, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.CliConfigFileEnabled]), "/path/to/qlconfig.yml", (0, logging_1.getRunnerLogger)(true));
         const args = runnerConstructorStub.firstCall.args[1];
-        // should have used an config file
-        const configArg = args.find((arg) => arg.startsWith("--codescanning-config="));
-        t.falsy(configArg, "Should NOT have injected a codescanning config");
-    }
-    finally {
-        process.env["CODEQL_PASS_CONFIG_TO_CLI"] = origCODEQL_PASS_CONFIG_TO_CLI;
-    }
+        // should have used a config file
+        const hasCodeScanningConfigArg = args.some((arg) => arg.startsWith("--codescanning-config="));
+        t.true(hasCodeScanningConfigArg, "Should have injected a qlconfig");
+        // should have passed a qlconfig file
+        const hasQlconfigArg = args.some((arg) => arg.startsWith("--qlconfig-file="));
+        t.truthy(hasQlconfigArg, "Should have injected a codescanning config");
+    });
+});
+(0, ava_1.default)("passes a code scanning config BUT NOT a qlconfig to the CLI when CLI config passing is enabled", async (t) => {
+    await util.withTmpDir(async (tempDir) => {
+        const runnerConstructorStub = stubToolRunnerConstructor();
+        const codeqlObject = await codeql.getCodeQLForTesting();
+        sinon.stub(codeqlObject, "getVersion").resolves("2.12.2");
+        await codeqlObject.databaseInitCluster({ ...stubConfig, tempDir }, "", undefined, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.CliConfigFileEnabled]), "/path/to/qlconfig.yml", (0, logging_1.getRunnerLogger)(true));
+        const args = runnerConstructorStub.firstCall.args[1];
+        // should have used a config file
+        const hasCodeScanningConfigArg = args.some((arg) => arg.startsWith("--codescanning-config="));
+        t.true(hasCodeScanningConfigArg, "Should have injected a codescanning config");
+        // should not have passed a qlconfig file
+        const hasQlconfigArg = args.some((arg) => arg.startsWith("--qlconfig-file="));
+        t.false(hasQlconfigArg, "should NOT have injected a qlconfig");
+    });
+});
+(0, ava_1.default)("does not pass a qlconfig to the CLI when it is undefined", async (t) => {
+    await util.withTmpDir(async (tempDir) => {
+        const runnerConstructorStub = stubToolRunnerConstructor();
+        const codeqlObject = await codeql.getCodeQLForTesting();
+        sinon
+            .stub(codeqlObject, "getVersion")
+            .resolves(codeql.CODEQL_VERSION_INIT_WITH_QLCONFIG);
+        await codeqlObject.databaseInitCluster({ ...stubConfig, tempDir }, "", undefined, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.CliConfigFileEnabled]), undefined, // undefined qlconfigFile
+        (0, logging_1.getRunnerLogger)(true));
+        const args = runnerConstructorStub.firstCall.args[1];
+        const hasQlconfigArg = args.some((arg) => arg.startsWith("--qlconfig-file="));
+        t.false(hasQlconfigArg, "should NOT have injected a qlconfig");
+    });
 });
 (0, ava_1.default)("databaseInterpretResults() sets --sarif-add-baseline-file-info for 2.11.3", async (t) => {
     const runnerConstructorStub = stubToolRunnerConstructor();
@@ -690,7 +733,7 @@ const injectedConfigMacro = ava_1.default.macro({
     sinon.stub(codeqlObject, "getVersion").resolves("2.11.3");
     // safeWhich throws because of the test CodeQL object.
     sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", stubConfig, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
     t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info should be present, but it is absent");
 });
 (0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-baseline-file-info for 2.11.2", async (t) => {
@@ -699,7 +742,7 @@ const injectedConfigMacro = ava_1.default.macro({
     sinon.stub(codeqlObject, "getVersion").resolves("2.11.2");
     // safeWhich throws because of the test CodeQL object.
     sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", stubConfig, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
     t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info must be absent, but it is present");
 });
 function stubToolRunnerConstructor() {

lib/config-utils.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.downloadPacks = exports.getConfig = exports.getPathToParsedConfigFile = exports.initConfig = exports.parsePacks = exports.validatePackSpecification = exports.prettyPrintPack = exports.parsePacksSpecification = exports.parsePacksFromConfig = exports.calculateAugmentation = exports.getDefaultConfig = exports.getRawLanguages = exports.getLanguages = exports.getLanguagesInRepo = exports.getUnknownLanguagesError = exports.getNoLanguagesError = exports.getConfigFileDirectoryGivenMessage = exports.getConfigFileFormatInvalidMessage = exports.getConfigFileRepoFormatInvalidMessage = exports.getConfigFileDoesNotExistErrorMessage = exports.getConfigFileOutsideWorkspaceErrorMessage = exports.getLocalPathDoesNotExist = exports.getLocalPathOutsideOfRepository = exports.getPacksStrInvalid = exports.getPacksInvalid = exports.getPacksInvalidSplit = exports.getPathsInvalid = exports.getPathsIgnoreInvalid = exports.getQueryUsesInvalid = exports.getQueriesMissingUses = exports.getQueriesInvalid = exports.getDisableDefaultQueriesInvalid = exports.getNameInvalid = exports.validateAndSanitisePath = exports.defaultAugmentationProperties = void 0;
+exports.getGeneratedCodeScanningConfigPath = exports.wrapEnvironment = exports.generateRegistries = exports.downloadPacks = exports.getConfig = exports.getPathToParsedConfigFile = exports.initConfig = exports.parsePacks = exports.validatePackSpecification = exports.prettyPrintPack = exports.parsePacksSpecification = exports.parsePacksFromConfig = exports.calculateAugmentation = exports.getDefaultConfig = exports.getRawLanguages = exports.getLanguages = exports.getLanguagesInRepo = exports.getUnknownLanguagesError = exports.getNoLanguagesError = exports.getConfigFileDirectoryGivenMessage = exports.getConfigFileFormatInvalidMessage = exports.getConfigFileRepoFormatInvalidMessage = exports.getConfigFileDoesNotExistErrorMessage = exports.getConfigFileOutsideWorkspaceErrorMessage = exports.getLocalPathDoesNotExist = exports.getLocalPathOutsideOfRepository = exports.getPacksStrInvalid = exports.getPacksInvalid = exports.getPacksInvalidSplit = exports.getPathsInvalid = exports.getPathsIgnoreInvalid = exports.getQueryUsesInvalid = exports.getQueriesMissingUses = exports.getQueriesInvalid = exports.getDisableDefaultQueriesInvalid = exports.getNameInvalid = exports.validateAndSanitisePath = exports.defaultAugmentationProperties = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const perf_hooks_1 = require("perf_hooks");
@@ -141,7 +141,7 @@ const builtinSuites = [
  * Throws an error if suiteName is not a valid builtin suite.
  * May inject ML queries, and the return value will declare if this was done.
  */
-async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suiteName, featureEnablement, configFile) {
+async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suiteName, features, configFile) {
     let injectedMlQueries = false;
     const found = builtinSuites.find((suite) => suite === suiteName);
     if (!found) {
@@ -149,7 +149,7 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
     }
     if (suiteName === "security-experimental" &&
         !(await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE))) {
-        throw new Error(`The 'security-experimental' suite is not supported on CodeQL CLI versions earlier than 
+        throw new Error(`The 'security-experimental' suite is not supported on CodeQL CLI versions earlier than
       ${codeql_1.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE}. Please upgrade to CodeQL CLI version
       ${codeql_1.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE} or later.`);
     }
@@ -165,7 +165,7 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
             found === "security-extended" ||
             found === "security-and-quality") &&
         !packs.javascript?.some(isMlPoweredJsQueriesPack) &&
-        (await featureEnablement.getValue(feature_flags_1.Feature.MlPoweredQueriesEnabled, codeQL))) {
+        (await features.getValue(feature_flags_1.Feature.MlPoweredQueriesEnabled, codeQL))) {
         if (!packs.javascript) {
             packs.javascript = [];
         }
@@ -240,7 +240,7 @@ async function addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetail
  *
  * @returns whether or not we injected ML queries into the packs
  */
-async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, tempDir, workspacePath, apiDetails, featureEnablement, logger, configFile) {
+async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, tempDir, workspacePath, apiDetails, features, logger, configFile) {
     queryUses = queryUses.trim();
     if (queryUses === "") {
         throw new Error(getQueryUsesInvalid(configFile));
@@ -252,12 +252,12 @@ async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, te
     }
     // Check for one of the builtin suites
     if (queryUses.indexOf("/") === -1 && queryUses.indexOf("@") === -1) {
-        return await addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, queryUses, featureEnablement, configFile);
+        return await addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, queryUses, features, configFile);
     }
     // Otherwise, must be a reference to another repo.
     // If config parsing is handled in CLI, then this repo will be downloaded
     // later by the CLI.
-    if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, featureEnablement))) {
+    if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, features))) {
         await addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetails, logger, configFile);
     }
     return false;
@@ -503,13 +503,13 @@ async function getRawLanguages(languagesInput, repository, logger) {
     return { rawLanguages, autodetected };
 }
 exports.getRawLanguages = getRawLanguages;
-async function addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, resultMap, packs, tempDir, workspacePath, apiDetails, featureEnablement, logger) {
+async function addQueriesAndPacksFromWorkflow(codeQL, queriesInput, languages, resultMap, packs, tempDir, workspacePath, apiDetails, features, logger) {
     let injectedMlQueries = false;
     queriesInput = queriesInput.trim();
     // "+" means "don't override config file" - see shouldAddConfigFileQueries
     queriesInput = queriesInput.replace(/^\+/, "");
     for (const query of queriesInput.split(",")) {
-        const didInject = await parseQueryUses(languages, codeQL, resultMap, packs, query, tempDir, workspacePath, apiDetails, featureEnablement, logger);
+        const didInject = await parseQueryUses(languages, codeQL, resultMap, packs, query, tempDir, workspacePath, apiDetails, features, logger);
         injectedMlQueries = injectedMlQueries || didInject;
     }
     return injectedMlQueries;
@@ -527,7 +527,7 @@ function shouldAddConfigFileQueries(queriesInput) {
 /**
  * Get the default config for when the user has not supplied one.
  */
-async function getDefaultConfig(languagesInput, rawQueriesInput, rawPacksInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger) {
+async function getDefaultConfig(languagesInput, rawQueriesInput, rawPacksInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
     const languages = await getLanguages(codeQL, languagesInput, repository, logger);
     const queries = {};
     for (const language of languages) {
@@ -545,7 +545,7 @@ async function getDefaultConfig(languagesInput, rawQueriesInput, rawPacksInput,
         : {};
     if (rawQueriesInput) {
         augmentationProperties.injectedMlQueries =
-            await addQueriesAndPacksFromWorkflow(codeQL, rawQueriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, featureEnablement, logger);
+            await addQueriesAndPacksFromWorkflow(codeQL, rawQueriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, features, logger);
     }
     const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(trapCachingEnabled, codeQL, languages, logger);
     return {
@@ -581,7 +581,7 @@ async function downloadCacheWithTime(trapCachingEnabled, codeQL, languages, logg
 /**
  * Load the config from the given file.
  */
-async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger) {
+async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
     let parsedYAML;
     if (isLocal(configFile)) {
         // Treat the config file as relative to the workspace
@@ -629,7 +629,7 @@ async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, config
     // in the config file.
     if (rawQueriesInput) {
         augmentationProperties.injectedMlQueries =
-            await addQueriesAndPacksFromWorkflow(codeQL, rawQueriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, featureEnablement, logger);
+            await addQueriesAndPacksFromWorkflow(codeQL, rawQueriesInput, languages, queries, packs, tempDir, workspacePath, apiDetails, features, logger);
     }
     if (shouldAddConfigFileQueries(rawQueriesInput) &&
         QUERIES_PROPERTY in parsedYAML) {
@@ -641,7 +641,7 @@ async function loadConfig(languagesInput, rawQueriesInput, rawPacksInput, config
             if (typeof query[QUERIES_USES_PROPERTY] !== "string") {
                 throw new Error(getQueriesMissingUses(configFile));
             }
-            await parseQueryUses(languages, codeQL, queries, packs, query[QUERIES_USES_PROPERTY], tempDir, workspacePath, apiDetails, featureEnablement, logger, configFile);
+            await parseQueryUses(languages, codeQL, queries, packs, query[QUERIES_USES_PROPERTY], tempDir, workspacePath, apiDetails, features, logger, configFile);
         }
     }
     if (PATHS_IGNORE_PROPERTY in parsedYAML) {
@@ -725,7 +725,7 @@ function parseQueriesFromInput(rawQueriesInput, queriesInputCombines) {
     }
     const trimmedInput = queriesInputCombines
         ? rawQueriesInput.trim().slice(1).trim()
-        : rawQueriesInput?.trim();
+        : rawQueriesInput?.trim() ?? "";
     if (queriesInputCombines && trimmedInput.length === 0) {
         throw new Error(getConfigFilePropertyError(undefined, "queries", "A '+' was used in the 'queries' input to specify that you wished to add some packs to your CodeQL analysis. However, no packs were specified. Please either remove the '+' or specify some packs."));
     }
@@ -932,21 +932,21 @@ function dbLocationOrDefault(dbLocation, tempDir) {
  * This will parse the config from the user input if present, or generate
  * a default config. The parsed config is then stored to a known location.
  */
-async function initConfig(languagesInput, queriesInput, packsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger) {
+async function initConfig(languagesInput, queriesInput, packsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
     let config;
     // If no config file was provided create an empty one
     if (!configFile) {
         logger.debug("No configuration file was provided");
-        config = await getDefaultConfig(languagesInput, queriesInput, packsInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger);
+        config = await getDefaultConfig(languagesInput, queriesInput, packsInput, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger);
     }
     else {
-        config = await loadConfig(languagesInput, queriesInput, packsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger);
+        config = await loadConfig(languagesInput, queriesInput, packsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger);
     }
     // When using the codescanning config in the CLI, pack downloads
     // happen in the CLI during the `database init` command, so no need
     // to download them here.
-    await (0, util_1.logCodeScanningConfigInCli)(codeQL, featureEnablement, logger);
-    if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, featureEnablement))) {
+    await (0, util_1.logCodeScanningConfigInCli)(codeQL, features, logger);
+    if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, features))) {
         // The list of queries should not be empty for any language. If it is then
         // it is a user configuration error.
         // This check occurs in the CLI when it parses the config file.
@@ -959,8 +959,7 @@ async function initConfig(languagesInput, queriesInput, packsInput, registriesIn
                     "Please make sure that the default queries are enabled, or you are specifying queries to run.");
             }
         }
-        const registries = parseRegistries(registriesInput);
-        await downloadPacks(codeQL, config.languages, config.packs, registries, apiDetails, config.tempDir, logger);
+        await downloadPacks(codeQL, config.languages, config.packs, apiDetails, registriesInput, config.tempDir, logger);
     }
     // Save the config so we can easily access it again in the future
     await saveConfig(config, logger);
@@ -1056,21 +1055,9 @@ async function getConfig(tempDir, logger) {
     return JSON.parse(configString);
 }
 exports.getConfig = getConfig;
-async function downloadPacks(codeQL, languages, packs, registries, apiDetails, tmpDir, logger) {
-    let qlconfigFile;
-    let registriesAuthTokens;
-    if (registries) {
-        if (!(await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_GHES_PACK_DOWNLOAD))) {
-            throw new Error(`'registries' input is not supported on CodeQL versions less than ${codeql_1.CODEQL_VERSION_GHES_PACK_DOWNLOAD}.`);
-        }
-        // generate a qlconfig.yml file to hold the registry configs.
-        const qlconfig = createRegistriesBlock(registries);
-        qlconfigFile = path.join(tmpDir, "qlconfig.yml");
-        fs.writeFileSync(qlconfigFile, yaml.dump(qlconfig), "utf8");
-        registriesAuthTokens = registries
-            .map((registry) => `${registry.url}=${registry.token}`)
-            .join(",");
-    }
+async function downloadPacks(codeQL, languages, packs, apiDetails, registriesInput, tempDir, logger) {
+    // This code path is only used when config parsing occurs in the Action.
+    const { registriesAuthTokens, qlconfigFile } = await generateRegistries(registriesInput, codeQL, tempDir, logger);
     await wrapEnvironment({
         GITHUB_TOKEN: apiDetails.auth,
         CODEQL_REGISTRIES_AUTH: registriesAuthTokens,
@@ -1098,6 +1085,48 @@ async function downloadPacks(codeQL, languages, packs, registries, apiDetails, t
     });
 }
 exports.downloadPacks = downloadPacks;
+/**
+ * Generate a `qlconfig.yml` file from the `registries` input.
+ * This file is used by the CodeQL CLI to list the registries to use for each
+ * pack.
+ *
+ * @param registriesInput The value of the `registries` input.
+ * @param codeQL a codeQL object, used only for checking the version of CodeQL.
+ * @param tempDir a temporary directory to store the generated qlconfig.yml file.
+ * @param logger a logger object.
+ * @returns The path to the generated `qlconfig.yml` file and the auth tokens to
+ *        use for each registry.
+ */
+async function generateRegistries(registriesInput, codeQL, tempDir, logger) {
+    const registries = parseRegistries(registriesInput);
+    let registriesAuthTokens;
+    let qlconfigFile;
+    if (registries) {
+        if (!(await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_GHES_PACK_DOWNLOAD))) {
+            throw new Error(`The 'registries' input is not supported on CodeQL CLI versions earlier than ${codeql_1.CODEQL_VERSION_GHES_PACK_DOWNLOAD}. Please upgrade to CodeQL CLI version ${codeql_1.CODEQL_VERSION_GHES_PACK_DOWNLOAD} or later.`);
+        }
+        // generate a qlconfig.yml file to hold the registry configs.
+        const qlconfig = createRegistriesBlock(registries);
+        qlconfigFile = path.join(tempDir, "qlconfig.yml");
+        const qlconfigContents = yaml.dump(qlconfig);
+        fs.writeFileSync(qlconfigFile, qlconfigContents, "utf8");
+        logger.debug("Generated qlconfig.yml:");
+        logger.debug(qlconfigContents);
+        registriesAuthTokens = registries
+            .map((registry) => `${registry.url}=${registry.token}`)
+            .join(",");
+    }
+    if (typeof process.env.CODEQL_REGISTRIES_AUTH === "string") {
+        logger.debug("Using CODEQL_REGISTRIES_AUTH environment variable to authenticate with registries.");
+    }
+    return {
+        registriesAuthTokens: 
+        // if the user has explicitly set the CODEQL_REGISTRIES_AUTH env var then use that
+        process.env.CODEQL_REGISTRIES_AUTH ?? registriesAuthTokens,
+        qlconfigFile,
+    };
+}
+exports.generateRegistries = generateRegistries;
 function createRegistriesBlock(registries) {
     if (!Array.isArray(registries) ||
         registries.some((r) => !r.url || !r.packages)) {
@@ -1147,4 +1176,14 @@ async function wrapEnvironment(env, operation) {
         }
     }
 }
+exports.wrapEnvironment = wrapEnvironment;
+/**
+ * Get the path to the code scanning configuration generated by the CLI.
+ *
+ * This will not exist if the configuration is being parsed in the Action.
+ */
+function getGeneratedCodeScanningConfigPath(config) {
+    return path.resolve(config.tempDir, "user-config.yaml");
+}
+exports.getGeneratedCodeScanningConfigPath = getGeneratedCodeScanningConfigPath;
 //# sourceMappingURL=config-utils.js.map

lib/config-utils.test.js

@@ -1114,8 +1114,8 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
             java: ["a", "b"],
             go: ["c", "d"],
             python: ["e", "f"],
-        }, undefined, // registries
-        sampleApiDetails, tmpDir, logger);
+        }, sampleApiDetails, undefined, // registriesAuthTokens
+        tmpDir, logger);
         // Expecting packs to be downloaded once for java and once for python
         t.deepEqual(packDownloadStub.callCount, 2);
         // no config file was created, so pass `undefined` as the config file path
@@ -1128,13 +1128,13 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
     // associated env vars
     return await util.withTmpDir(async (tmpDir) => {
         process.env.GITHUB_TOKEN = "not-a-token";
-        process.env.CODEQL_REGISTRIES_AUTH = "not-a-registries-auth";
+        process.env.CODEQL_REGISTRIES_AUTH = undefined;
         const logger = (0, logging_1.getRunnerLogger)(true);
-        const registries = [
+        const registriesInput = yaml.dump([
             {
                 // no slash
                 url: "http://ghcr.io",
-                packages: ["codeql/*", "dsp-testing/*"],
+                packages: ["codeql/*", "codeql-testing/*"],
                 token: "not-a-token",
             },
             {
@@ -1143,8 +1143,9 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
                 packages: "semmle/*",
                 token: "still-not-a-token",
             },
-        ];
+        ]);
         // append a slash to the first url
+        const registries = yaml.load(registriesInput);
         const expectedRegistries = registries.map((r, i) => ({
             packages: r.packages,
             url: i === 0 ? `${r.url}/` : r.url,
@@ -1173,7 +1174,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
             java: ["a", "b"],
             go: ["c", "d"],
             python: ["e", "f"],
-        }, registries, sampleApiDetails, tmpDir, logger);
+        }, sampleApiDetails, registriesInput, tmpDir, logger);
         // Same packs are downloaded as in previous test
         t.deepEqual(packDownloadStub.callCount, 2);
         t.deepEqual(packDownloadStub.firstCall.args, [
@@ -1186,7 +1187,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
         ]);
         // Verify that the env vars were unset.
         t.deepEqual(process.env.GITHUB_TOKEN, "not-a-token");
-        t.deepEqual(process.env.CODEQL_REGISTRIES_AUTH, "not-a-registries-auth");
+        t.deepEqual(process.env.CODEQL_REGISTRIES_AUTH, undefined);
     });
 });
 (0, ava_1.default)("downloadPacks-with-registries fails on 2.10.3", async (t) => {
@@ -1196,10 +1197,10 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
         process.env.GITHUB_TOKEN = "not-a-token";
         process.env.CODEQL_REGISTRIES_AUTH = "not-a-registries-auth";
         const logger = (0, logging_1.getRunnerLogger)(true);
-        const registries = [
+        const registriesInput = yaml.dump([
             {
                 url: "http://ghcr.io",
-                packages: ["codeql/*", "dsp-testing/*"],
+                packages: ["codeql/*", "codeql-testing/*"],
                 token: "not-a-token",
             },
             {
@@ -1207,12 +1208,12 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
                 packages: "semmle/*",
                 token: "still-not-a-token",
             },
-        ];
+        ]);
         const codeQL = (0, codeql_1.setCodeQL)({
             getVersion: () => Promise.resolve("2.10.3"),
         });
         await t.throwsAsync(async () => {
-            return await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {}, registries, sampleApiDetails, tmpDir, logger);
+            return await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {}, sampleApiDetails, registriesInput, tmpDir, logger);
         }, { instanceOf: Error }, "'registries' input is not supported on CodeQL versions less than 2.10.4.");
     });
 });
@@ -1223,10 +1224,10 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
         process.env.GITHUB_TOKEN = "not-a-token";
         process.env.CODEQL_REGISTRIES_AUTH = "not-a-registries-auth";
         const logger = (0, logging_1.getRunnerLogger)(true);
-        const registries = [
+        const registriesInput = yaml.dump([
             {
                 // missing url property
-                packages: ["codeql/*", "dsp-testing/*"],
+                packages: ["codeql/*", "codeql-testing/*"],
                 token: "not-a-token",
             },
             {
@@ -1234,15 +1235,68 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
                 packages: "semmle/*",
                 token: "still-not-a-token",
             },
-        ];
+        ]);
         const codeQL = (0, codeql_1.setCodeQL)({
             getVersion: () => Promise.resolve("2.10.4"),
         });
         await t.throwsAsync(async () => {
-            return await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {}, registries, sampleApiDetails, tmpDir, logger);
+            return await configUtils.downloadPacks(codeQL, [languages_1.Language.javascript, languages_1.Language.java, languages_1.Language.python], {}, sampleApiDetails, registriesInput, tmpDir, logger);
         }, { instanceOf: Error }, "Invalid 'registries' input. Must be an array of objects with 'url' and 'packages' properties.");
     });
 });
+// the happy path for generateRegistries is already tested in downloadPacks.
+// these following tests are for the error cases and when nothing is generated.
+(0, ava_1.default)("no generateRegistries when CLI is too old", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const registriesInput = yaml.dump([
+            {
+                // no slash
+                url: "http://ghcr.io",
+                packages: ["codeql/*", "codeql-testing/*"],
+                token: "not-a-token",
+            },
+        ]);
+        const codeQL = (0, codeql_1.setCodeQL)({
+            // Accepted CLI versions are 2.10.4 or higher
+            getVersion: () => Promise.resolve("2.10.3"),
+        });
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        await t.throwsAsync(async () => await configUtils.generateRegistries(registriesInput, codeQL, tmpDir, logger), undefined, "'registries' input is not supported on CodeQL versions less than 2.10.4.");
+    });
+});
+(0, ava_1.default)("no generateRegistries when registries is undefined", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        const registriesInput = undefined;
+        const codeQL = (0, codeql_1.setCodeQL)({
+            // Accepted CLI versions are 2.10.4 or higher
+            getVersion: () => Promise.resolve(codeql_1.CODEQL_VERSION_GHES_PACK_DOWNLOAD),
+        });
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        const { registriesAuthTokens, qlconfigFile } = await configUtils.generateRegistries(registriesInput, codeQL, tmpDir, logger);
+        t.is(registriesAuthTokens, undefined);
+        t.is(qlconfigFile, undefined);
+    });
+});
+(0, ava_1.default)("generateRegistries prefers original CODEQL_REGISTRIES_AUTH", async (t) => {
+    return await util.withTmpDir(async (tmpDir) => {
+        process.env.CODEQL_REGISTRIES_AUTH = "original";
+        const registriesInput = yaml.dump([
+            {
+                url: "http://ghcr.io",
+                packages: ["codeql/*", "codeql-testing/*"],
+                token: "not-a-token",
+            },
+        ]);
+        const codeQL = (0, codeql_1.setCodeQL)({
+            // Accepted CLI versions are 2.10.4 or higher
+            getVersion: () => Promise.resolve(codeql_1.CODEQL_VERSION_GHES_PACK_DOWNLOAD),
+        });
+        const logger = (0, logging_1.getRunnerLogger)(true);
+        const { registriesAuthTokens, qlconfigFile } = await configUtils.generateRegistries(registriesInput, codeQL, tmpDir, logger);
+        t.is(registriesAuthTokens, "original");
+        t.is(qlconfigFile, path.join(tmpDir, "qlconfig.yml"));
+    });
+});
 // getLanguages
 const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
 // eslint-disable-next-line github/array-foreach

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-20230207",
-    "cliVersion": "2.12.2",
-    "priorBundleVersion": "codeql-bundle-20230120",
-    "priorCliVersion": "2.12.1"
+    "bundleVersion": "codeql-bundle-20230403",
+    "cliVersion": "2.12.6",
+    "priorBundleVersion": "codeql-bundle-20230317",
+    "priorCliVersion": "2.12.5"
 }

lib/feature-flags.js

@@ -36,30 +36,41 @@ var Feature;
 (function (Feature) {
     Feature["CliConfigFileEnabled"] = "cli_config_file_enabled";
     Feature["DisableKotlinAnalysisEnabled"] = "disable_kotlin_analysis_enabled";
+    Feature["ExportCodeScanningConfigEnabled"] = "export_code_scanning_config_enabled";
+    Feature["ExportDiagnosticsEnabled"] = "export_diagnostics_enabled";
     Feature["MlPoweredQueriesEnabled"] = "ml_powered_queries_enabled";
-    Feature["TrapCachingEnabled"] = "trap_caching_enabled";
     Feature["UploadFailedSarifEnabled"] = "upload_failed_sarif_enabled";
 })(Feature = exports.Feature || (exports.Feature = {}));
 exports.featureConfig = {
     [Feature.DisableKotlinAnalysisEnabled]: {
         envVar: "CODEQL_DISABLE_KOTLIN_ANALYSIS",
         minimumVersion: undefined,
+        defaultValue: false,
     },
     [Feature.CliConfigFileEnabled]: {
         envVar: "CODEQL_PASS_CONFIG_TO_CLI",
         minimumVersion: "2.11.6",
+        defaultValue: true,
+    },
+    [Feature.ExportCodeScanningConfigEnabled]: {
+        envVar: "CODEQL_ACTION_EXPORT_CODE_SCANNING_CONFIG",
+        minimumVersion: "2.12.3",
+        defaultValue: true,
+    },
+    [Feature.ExportDiagnosticsEnabled]: {
+        envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS",
+        minimumVersion: "2.12.4",
+        defaultValue: true,
     },
     [Feature.MlPoweredQueriesEnabled]: {
         envVar: "CODEQL_ML_POWERED_QUERIES",
         minimumVersion: "2.7.5",
-    },
-    [Feature.TrapCachingEnabled]: {
-        envVar: "CODEQL_TRAP_CACHING",
-        minimumVersion: undefined,
+        defaultValue: false,
     },
     [Feature.UploadFailedSarifEnabled]: {
         envVar: "CODEQL_ACTION_UPLOAD_FAILED_SARIF",
         minimumVersion: "2.11.3",
+        defaultValue: true,
     },
 };
 exports.FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
@@ -70,6 +81,7 @@ exports.FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";
  */
 class Features {
     constructor(gitHubVersion, repositoryNwo, tempDir, logger) {
+        this.logger = logger;
         this.gitHubFeatureFlags = new GitHubFeatureFlags(gitHubVersion, repositoryNwo, path.join(tempDir, exports.FEATURE_FLAGS_FILE_NAME), logger);
     }
     async getDefaultCliVersion(variant) {
@@ -94,21 +106,36 @@ class Features {
         const envVar = (process.env[exports.featureConfig[feature].envVar] || "").toLocaleLowerCase();
         // Do not use this feature if user explicitly disables it via an environment variable.
         if (envVar === "false") {
+            this.logger.debug(`Feature ${feature} is disabled via the environment variable ${exports.featureConfig[feature].envVar}.`);
             return false;
         }
         // Never use this feature if the CLI version explicitly can't support it.
         const minimumVersion = exports.featureConfig[feature].minimumVersion;
         if (codeql && minimumVersion) {
             if (!(await util.codeQlVersionAbove(codeql, minimumVersion))) {
+                this.logger.debug(`Feature ${feature} is disabled because the CodeQL CLI version is older than the minimum ` +
+                    `version ${minimumVersion}.`);
                 return false;
             }
+            else {
+                this.logger.debug(`CodeQL CLI version ${await codeql.getVersion()} is newer than the minimum ` +
+                    `version ${minimumVersion} for feature ${feature}.`);
+            }
         }
         // Use this feature if user explicitly enables it via an environment variable.
         if (envVar === "true") {
+            this.logger.debug(`Feature ${feature} is enabled via the environment variable ${exports.featureConfig[feature].envVar}.`);
             return true;
         }
         // Ask the GitHub API if the feature is enabled.
-        return await this.gitHubFeatureFlags.getValue(feature);
+        const apiValue = await this.gitHubFeatureFlags.getValue(feature);
+        if (apiValue !== undefined) {
+            this.logger.debug(`Feature ${feature} is ${apiValue ? "enabled" : "disabled"} via the GitHub API.`);
+            return apiValue;
+        }
+        const defaultValue = exports.featureConfig[feature].defaultValue;
+        this.logger.debug(`Feature ${feature} is ${defaultValue ? "enabled" : "disabled"} due to its default value.`);
+        return defaultValue;
     }
 }
 exports.Features = Features;
@@ -184,15 +211,15 @@ class GitHubFeatureFlags {
     async getValue(feature) {
         const response = await this.getAllFeatures();
         if (response === undefined) {
-            this.logger.debug(`No feature flags API response for ${feature}, considering it disabled.`);
-            return false;
+            this.logger.debug(`No feature flags API response for ${feature}.`);
+            return undefined;
         }
-        const featureEnablement = response[feature];
-        if (featureEnablement === undefined) {
-            this.logger.debug(`Feature '${feature}' undefined in API response, considering it disabled.`);
-            return false;
+        const features = response[feature];
+        if (features === undefined) {
+            this.logger.debug(`Feature '${feature}' undefined in API response.`);
+            return undefined;
         }
-        return !!featureEnablement;
+        return !!features;
     }
     async getAllFeatures() {
         // if we have an in memory cache, use that

lib/feature-flags.test.js

@@ -51,9 +51,9 @@ for (const variant of ALL_FEATURES_DISABLED_VARIANTS) {
     (0, ava_1.default)(`All features are disabled if running against ${variant.description}`, async (t) => {
         await (0, util_1.withTmpDir)(async (tmpDir) => {
             const loggedMessages = [];
-            const featureEnablement = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages), variant.gitHubVersion);
+            const features = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages), variant.gitHubVersion);
             for (const feature of Object.values(feature_flags_1.Feature)) {
-                t.false(await featureEnablement.getValue(feature, includeCodeQlIfRequired(feature)));
+                t.deepEqual(await features.getValue(feature, includeCodeQlIfRequired(feature)), feature_flags_1.featureConfig[feature].defaultValue);
             }
             t.assert(loggedMessages.find((v) => v.type === "debug" &&
                 v.message ===
@@ -61,33 +61,35 @@ for (const variant of ALL_FEATURES_DISABLED_VARIANTS) {
         });
     });
 }
-(0, ava_1.default)("API response missing", async (t) => {
+(0, ava_1.default)("API response missing and features use default value", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
         const loggedMessages = [];
-        const featureEnablement = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        const features = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
         (0, testing_utils_1.mockFeatureFlagApiEndpoint)(403, {});
         for (const feature of Object.values(feature_flags_1.Feature)) {
-            t.assert((await featureEnablement.getValue(feature, includeCodeQlIfRequired(feature))) === false);
+            t.assert((await features.getValue(feature, includeCodeQlIfRequired(feature))) ===
+                feature_flags_1.featureConfig[feature].defaultValue);
         }
         assertAllFeaturesUndefinedInApi(t, loggedMessages);
     });
 });
-(0, ava_1.default)("Features are disabled if they're not returned in API response", async (t) => {
+(0, ava_1.default)("Features use default value if they're not returned in API response", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
         const loggedMessages = [];
-        const featureEnablement = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        const features = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
         (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, {});
         for (const feature of Object.values(feature_flags_1.Feature)) {
-            t.assert((await featureEnablement.getValue(feature, includeCodeQlIfRequired(feature))) === false);
+            t.assert((await features.getValue(feature, includeCodeQlIfRequired(feature))) ===
+                feature_flags_1.featureConfig[feature].defaultValue);
         }
         assertAllFeaturesUndefinedInApi(t, loggedMessages);
     });
 });
 (0, ava_1.default)("Feature flags exception is propagated if the API request errors", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
-        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const features = setUpFeatureFlagTests(tmpDir);
         (0, testing_utils_1.mockFeatureFlagApiEndpoint)(500, {});
-        await t.throwsAsync(async () => featureEnablement.getValue(feature_flags_1.Feature.MlPoweredQueriesEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.MlPoweredQueriesEnabled)), {
+        await t.throwsAsync(async () => features.getValue(feature_flags_1.Feature.MlPoweredQueriesEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.MlPoweredQueriesEnabled)), {
             message: "Encountered an error while trying to determine feature enablement: Error: some error message",
         });
     });
@@ -95,7 +97,7 @@ for (const variant of ALL_FEATURES_DISABLED_VARIANTS) {
 for (const feature of Object.keys(feature_flags_1.featureConfig)) {
     (0, ava_1.default)(`Only feature '${feature}' is enabled if enabled in the API response. Other features disabled`, async (t) => {
         await (0, util_1.withTmpDir)(async (tmpDir) => {
-            const featureEnablement = setUpFeatureFlagTests(tmpDir);
+            const features = setUpFeatureFlagTests(tmpDir);
             // set all features to false except the one we're testing
             const expectedFeatureEnablement = {};
             for (const f of Object.keys(feature_flags_1.featureConfig)) {
@@ -105,7 +107,7 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
             // retrieve the values of the actual features
             const actualFeatureEnablement = {};
             for (const f of Object.keys(feature_flags_1.featureConfig)) {
-                actualFeatureEnablement[f] = await featureEnablement.getValue(f, includeCodeQlIfRequired(f));
+                actualFeatureEnablement[f] = await features.getValue(f, includeCodeQlIfRequired(f));
             }
             // All features should be false except the one we're testing
             t.deepEqual(actualFeatureEnablement, expectedFeatureEnablement);
@@ -113,35 +115,35 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
     });
     (0, ava_1.default)(`Only feature '${feature}' is enabled if the associated environment variable is true. Others disabled.`, async (t) => {
         await (0, util_1.withTmpDir)(async (tmpDir) => {
-            const featureEnablement = setUpFeatureFlagTests(tmpDir);
+            const features = setUpFeatureFlagTests(tmpDir);
             const expectedFeatureEnablement = initializeFeatures(false);
             (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
             // feature should be disabled initially
-            t.assert(!(await featureEnablement.getValue(feature, includeCodeQlIfRequired(feature))));
+            t.assert(!(await features.getValue(feature, includeCodeQlIfRequired(feature))));
             // set env var to true and check that the feature is now enabled
             process.env[feature_flags_1.featureConfig[feature].envVar] = "true";
-            t.assert(await featureEnablement.getValue(feature, includeCodeQlIfRequired(feature)));
+            t.assert(await features.getValue(feature, includeCodeQlIfRequired(feature)));
         });
     });
     (0, ava_1.default)(`Feature '${feature}' is disabled if the associated environment variable is false, even if enabled in API`, async (t) => {
         await (0, util_1.withTmpDir)(async (tmpDir) => {
-            const featureEnablement = setUpFeatureFlagTests(tmpDir);
+            const features = setUpFeatureFlagTests(tmpDir);
             const expectedFeatureEnablement = initializeFeatures(true);
             (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
             // feature should be enabled initially
-            t.assert(await featureEnablement.getValue(feature, includeCodeQlIfRequired(feature)));
+            t.assert(await features.getValue(feature, includeCodeQlIfRequired(feature)));
             // set env var to false and check that the feature is now disabled
             process.env[feature_flags_1.featureConfig[feature].envVar] = "false";
-            t.assert(!(await featureEnablement.getValue(feature, includeCodeQlIfRequired(feature))));
+            t.assert(!(await features.getValue(feature, includeCodeQlIfRequired(feature))));
         });
     });
     if (feature_flags_1.featureConfig[feature].minimumVersion !== undefined) {
         (0, ava_1.default)(`Getting feature '${feature} should throw if no codeql is provided`, async (t) => {
             await (0, util_1.withTmpDir)(async (tmpDir) => {
-                const featureEnablement = setUpFeatureFlagTests(tmpDir);
+                const features = setUpFeatureFlagTests(tmpDir);
                 const expectedFeatureEnablement = initializeFeatures(true);
                 (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
-                await t.throwsAsync(async () => featureEnablement.getValue(feature), {
+                await t.throwsAsync(async () => features.getValue(feature), {
                     message: `Internal error: A minimum version is specified for feature ${feature}, but no instance of CodeQL was provided.`,
                 });
             });
@@ -150,24 +152,24 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
     if (feature_flags_1.featureConfig[feature].minimumVersion !== undefined) {
         (0, ava_1.default)(`Feature '${feature}' is disabled if the minimum CLI version is below ${feature_flags_1.featureConfig[feature].minimumVersion}`, async (t) => {
             await (0, util_1.withTmpDir)(async (tmpDir) => {
-                const featureEnablement = setUpFeatureFlagTests(tmpDir);
+                const features = setUpFeatureFlagTests(tmpDir);
                 const expectedFeatureEnablement = initializeFeatures(true);
                 (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
                 // feature should be disabled when an old CLI version is set
                 let codeql = (0, testing_utils_1.mockCodeQLVersion)("2.0.0");
-                t.assert(!(await featureEnablement.getValue(feature, codeql)));
+                t.assert(!(await features.getValue(feature, codeql)));
                 // even setting the env var to true should not enable the feature if
                 // the minimum CLI version is not met
                 process.env[feature_flags_1.featureConfig[feature].envVar] = "true";
-                t.assert(!(await featureEnablement.getValue(feature, codeql)));
+                t.assert(!(await features.getValue(feature, codeql)));
                 // feature should be enabled when a new CLI version is set
                 // and env var is not set
                 process.env[feature_flags_1.featureConfig[feature].envVar] = "";
                 codeql = (0, testing_utils_1.mockCodeQLVersion)(feature_flags_1.featureConfig[feature].minimumVersion);
-                t.assert(await featureEnablement.getValue(feature, codeql));
+                t.assert(await features.getValue(feature, codeql));
                 // set env var to false and check that the feature is now disabled
                 process.env[feature_flags_1.featureConfig[feature].envVar] = "false";
-                t.assert(!(await featureEnablement.getValue(feature, codeql)));
+                t.assert(!(await features.getValue(feature, codeql)));
             });
         });
     }
@@ -184,12 +186,12 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
 });
 (0, ava_1.default)("Feature flags are saved to disk", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
-        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const features = setUpFeatureFlagTests(tmpDir);
         const expectedFeatureEnablement = initializeFeatures(true);
         (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
         const cachedFeatureFlags = path.join(tmpDir, feature_flags_1.FEATURE_FLAGS_FILE_NAME);
         t.false(fs.existsSync(cachedFeatureFlags), "Feature flag cached file should not exist before getting feature flags");
-        t.true(await featureEnablement.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be enabled initially");
+        t.true(await features.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be enabled initially");
         t.true(fs.existsSync(cachedFeatureFlags), "Feature flag cached file should exist after getting feature flags");
         const actualFeatureEnablement = JSON.parse(fs.readFileSync(cachedFeatureFlags, "utf8"));
         t.deepEqual(actualFeatureEnablement, expectedFeatureEnablement);
@@ -197,20 +199,20 @@ for (const feature of Object.keys(feature_flags_1.featureConfig)) {
         actualFeatureEnablement[feature_flags_1.Feature.CliConfigFileEnabled] = false;
         fs.writeFileSync(cachedFeatureFlags, JSON.stringify(actualFeatureEnablement));
         // delete the in memory cache so that we are forced to use the cached file
-        featureEnablement.gitHubFeatureFlags.cachedApiResponse = undefined;
-        t.false(await featureEnablement.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be enabled after reading from cached file");
+        features.gitHubFeatureFlags.cachedApiResponse = undefined;
+        t.false(await features.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be enabled after reading from cached file");
     });
 });
 (0, ava_1.default)("Environment variable can override feature flag cache", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
-        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const features = setUpFeatureFlagTests(tmpDir);
         const expectedFeatureEnablement = initializeFeatures(true);
         (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
         const cachedFeatureFlags = path.join(tmpDir, feature_flags_1.FEATURE_FLAGS_FILE_NAME);
-        t.true(await featureEnablement.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be enabled initially");
+        t.true(await features.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be enabled initially");
         t.true(fs.existsSync(cachedFeatureFlags), "Feature flag cached file should exist after getting feature flags");
         process.env.CODEQL_PASS_CONFIG_TO_CLI = "false";
-        t.false(await featureEnablement.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be disabled after setting env var");
+        t.false(await features.getValue(feature_flags_1.Feature.CliConfigFileEnabled, includeCodeQlIfRequired(feature_flags_1.Feature.CliConfigFileEnabled)), "Feature flag should be disabled after setting env var");
     });
 });
 for (const variant of [util_1.GitHubVariant.GHAE, util_1.GitHubVariant.GHES]) {
@@ -228,7 +230,7 @@ for (const variant of [util_1.GitHubVariant.GHAE, util_1.GitHubVariant.GHES]) {
 }
 (0, ava_1.default)("selects CLI v2.12.1 on Dotcom when feature flags enable v2.12.0 and v2.12.1", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
-        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const features = setUpFeatureFlagTests(tmpDir);
         const expectedFeatureEnablement = initializeFeatures(true);
         expectedFeatureEnablement["default_codeql_version_2_12_0_enabled"] = true;
         expectedFeatureEnablement["default_codeql_version_2_12_1_enabled"] = true;
@@ -237,7 +239,7 @@ for (const variant of [util_1.GitHubVariant.GHAE, util_1.GitHubVariant.GHES]) {
         expectedFeatureEnablement["default_codeql_version_2_12_4_enabled"] = false;
         expectedFeatureEnablement["default_codeql_version_2_12_5_enabled"] = false;
         (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
-        const defaultCliVersion = await featureEnablement.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM);
+        const defaultCliVersion = await features.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM);
         t.deepEqual(defaultCliVersion, {
             cliVersion: "2.12.1",
             toolsFeatureFlagsValid: true,
@@ -247,10 +249,10 @@ for (const variant of [util_1.GitHubVariant.GHAE, util_1.GitHubVariant.GHES]) {
 });
 (0, ava_1.default)(`selects CLI from defaults.json on Dotcom when no default version feature flags are enabled`, async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
-        const featureEnablement = setUpFeatureFlagTests(tmpDir);
+        const features = setUpFeatureFlagTests(tmpDir);
         const expectedFeatureEnablement = initializeFeatures(true);
         (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
-        const defaultCliVersion = await featureEnablement.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM);
+        const defaultCliVersion = await features.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM);
         t.deepEqual(defaultCliVersion, {
             cliVersion: defaults.cliVersion,
             toolsFeatureFlagsValid: false,
@@ -261,14 +263,14 @@ for (const variant of [util_1.GitHubVariant.GHAE, util_1.GitHubVariant.GHES]) {
 (0, ava_1.default)("ignores invalid version numbers in default version feature flags", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
         const loggedMessages = [];
-        const featureEnablement = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        const features = setUpFeatureFlagTests(tmpDir, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
         const expectedFeatureEnablement = initializeFeatures(true);
         expectedFeatureEnablement["default_codeql_version_2_12_0_enabled"] = true;
         expectedFeatureEnablement["default_codeql_version_2_12_1_enabled"] = true;
         expectedFeatureEnablement["default_codeql_version_2_12_invalid_enabled"] =
             true;
         (0, testing_utils_1.mockFeatureFlagApiEndpoint)(200, expectedFeatureEnablement);
-        const defaultCliVersion = await featureEnablement.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM);
+        const defaultCliVersion = await features.getDefaultCliVersion(util_1.GitHubVariant.DOTCOM);
         t.deepEqual(defaultCliVersion, {
             cliVersion: "2.12.1",
             toolsFeatureFlagsValid: true,
@@ -283,7 +285,7 @@ function assertAllFeaturesUndefinedInApi(t, loggedMessages) {
     for (const feature of Object.keys(feature_flags_1.featureConfig)) {
         t.assert(loggedMessages.find((v) => v.type === "debug" &&
             v.message.includes(feature) &&
-            v.message.includes("considering it disabled")) !== undefined);
+            v.message.includes("undefined in API response")) !== undefined);
     }
 }
 function initializeFeatures(initialValue) {

lib/init-action-post-helper.js

@@ -34,43 +34,54 @@ const uploadLib = __importStar(require("./upload-lib"));
 const util_1 = require("./util");
 const workflow_1 = require("./workflow");
 function createFailedUploadFailedSarifResult(error) {
+    const wrappedError = (0, util_1.wrapError)(error);
     return {
-        upload_failed_run_error: error instanceof Error ? error.message : String(error),
-        upload_failed_run_stack_trace: error instanceof Error ? error.stack : undefined,
+        upload_failed_run_error: wrappedError.message,
+        upload_failed_run_stack_trace: wrappedError.stack,
     };
 }
 /**
  * Upload a failed SARIF file if we can verify that SARIF upload is enabled and determine the SARIF
  * category for the workflow.
  */
-async function maybeUploadFailedSarif(config, repositoryNwo, featureEnablement, logger) {
+async function maybeUploadFailedSarif(config, repositoryNwo, features, logger) {
     if (!config.codeQLCmd) {
         return { upload_failed_run_skipped_because: "CodeQL command not found" };
     }
     const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
-    if (!(await featureEnablement.getValue(feature_flags_1.Feature.UploadFailedSarifEnabled, codeql))) {
+    if (!(await features.getValue(feature_flags_1.Feature.UploadFailedSarifEnabled, codeql))) {
         return { upload_failed_run_skipped_because: "Feature disabled" };
     }
     const workflow = await (0, workflow_1.getWorkflow)();
     const jobName = (0, util_1.getRequiredEnvParam)("GITHUB_JOB");
     const matrix = (0, util_1.parseMatrixInput)(actionsUtil.getRequiredInput("matrix"));
-    if ((0, workflow_1.getUploadInputOrThrow)(workflow, jobName, matrix) !== "true" ||
+    const shouldUpload = (0, workflow_1.getUploadInputOrThrow)(workflow, jobName, matrix);
+    if (!["always", "failure-only"].includes(actionsUtil.getUploadValue(shouldUpload)) ||
         (0, util_1.isInTestMode)()) {
         return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
     }
     const category = (0, workflow_1.getCategoryInputOrThrow)(workflow, jobName, matrix);
     const checkoutPath = (0, workflow_1.getCheckoutPathInputOrThrow)(workflow, jobName, matrix);
+    const databasePath = config.dbLocation;
     const sarifFile = "../codeql-failed-run.sarif";
-    await codeql.diagnosticsExport(sarifFile, category);
+    // If there is no database or the feature flag is off, we run 'export diagnostics'
+    if (databasePath === undefined ||
+        !(await features.getValue(feature_flags_1.Feature.ExportDiagnosticsEnabled, codeql))) {
+        await codeql.diagnosticsExport(sarifFile, category, config, features);
+    }
+    else {
+        // We call 'database export-diagnostics' to find any per-database diagnostics.
+        await codeql.databaseExportDiagnostics(databasePath, sarifFile, category, config.tempDir, logger);
+    }
     core.info(`Uploading failed SARIF file ${sarifFile}`);
     const uploadResult = await uploadLib.uploadFromActions(sarifFile, checkoutPath, category, logger);
     await uploadLib.waitForProcessing(repositoryNwo, uploadResult.sarifID, logger, { isUnsuccessfulExecution: true });
     return uploadResult?.statusReport ?? {};
 }
-async function tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger) {
+async function tryUploadSarifIfRunFailed(config, repositoryNwo, features, logger) {
     if (process.env[shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY] !== "true") {
         try {
-            return await maybeUploadFailedSarif(config, repositoryNwo, featureEnablement, logger);
+            return await maybeUploadFailedSarif(config, repositoryNwo, features, logger);
         }
         catch (e) {
             logger.debug(`Failed to upload a SARIF file for this failed CodeQL code scanning run. ${e}`);
@@ -84,13 +95,13 @@ async function tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablemen
     }
 }
 exports.tryUploadSarifIfRunFailed = tryUploadSarifIfRunFailed;
-async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, printDebugLogs, repositoryNwo, featureEnablement, logger) {
+async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, printDebugLogs, repositoryNwo, features, logger) {
     const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
     if (config === undefined) {
         logger.warning("Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.");
         return;
     }
-    const uploadFailedSarifResult = await tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger);
+    const uploadFailedSarifResult = await tryUploadSarifIfRunFailed(config, repositoryNwo, features, logger);
     if (uploadFailedSarifResult.upload_failed_run_skipped_because) {
         logger.debug("Won't upload a failed SARIF file for this CodeQL code scanning run because: " +
             `${uploadFailedSarifResult.upload_failed_run_skipped_because}.`);

lib/init-action-post-helper.js.map

@@ -1 +1 @@
-{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAAuF;AACvF,wDAA0C;AAC1C,iCAA6E;AAC7E,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,OAAO;QACL,uBAAuB,EACrB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;QACxD,6BAA6B,EAC3B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACnD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IACE,CAAC,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAChC,uBAAO,CAAC,wBAAwB,EAChC,MAAM,CACP,CAAC,EACF;QACA,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,GAAE,CAAC;IACrC,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,IACE,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,MAAM;QAC3D,IAAA,mBAAY,GAAE,EACd;QACA,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAE5E,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAC/C,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,YAAY,EAAE,YAAY,IAAI,EAAE,CAAC;AAC1C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,oEAA+C,CAAC,KAAK,MAAM,EAAE;QAC3E,IAAI;YACF,OAAO,MAAM,sBAAsB,CACjC,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CACV,2EAA2E,CAAC,EAAE,CAC/E,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,OAAO;YACL,iCAAiC,EAC/B,uCAAuC;SAC1C,CAAC;KACH;AACH,CAAC;AA1BD,8DA0BC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,yBAAyB,CAC7D,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,IAAI,uBAAuB,CAAC,iCAAiC,EAAE;QAC7D,MAAM,CAAC,KAAK,CACV,8EAA8E;YAC5E,GAAG,uBAAuB,CAAC,iCAAiC,GAAG,CAClE,CAAC;KACH;IACD,8FAA8F;IAC9F,iCAAiC;IACjC,IACE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM;QAClE,CAAC,uBAAuB,CAAC,qBAAqB,EAC9C;QACA,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,8BAA8B,uBAAuB,GAAG,CAC3D,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AApDD,kBAoDC"}
+{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAAuF;AACvF,wDAA0C;AAC1C,iCAKgB;AAChB,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,MAAM,YAAY,GAAG,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC;IACtC,OAAO;QACL,uBAAuB,EAAE,YAAY,CAAC,OAAO;QAC7C,6BAA6B,EAAE,YAAY,CAAC,KAAK;KAClD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAc,EACd,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,EAAE;QACxE,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,GAAE,CAAC;IACrC,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACtE,IACE,CAAC,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,QAAQ,CAClC,WAAW,CAAC,cAAc,CAAC,YAAY,CAAC,CACzC;QACD,IAAA,mBAAY,GAAE,EACd;QACA,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC;IAEvC,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAE/C,kFAAkF;IAClF,IACE,YAAY,KAAK,SAAS;QAC1B,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,EACpE;QACA,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;KACvE;SAAM;QACL,8EAA8E;QAC9E,MAAM,MAAM,CAAC,yBAAyB,CACpC,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,MAAM,CACP,CAAC;KACH;IAED,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,YAAY,EAAE,YAAY,IAAI,EAAE,CAAC;AAC1C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,oEAA+C,CAAC,KAAK,MAAM,EAAE;QAC3E,IAAI;YACF,OAAO,MAAM,sBAAsB,CACjC,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CACV,2EAA2E,CAAC,EAAE,CAC/E,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,OAAO;YACL,iCAAiC,EAC/B,uCAAuC;SAC1C,CAAC;KACH;AACH,CAAC;AA1BD,8DA0BC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,QAA2B,EAC3B,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,yBAAyB,CAC7D,MAAM,EACN,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;IAEF,IAAI,uBAAuB,CAAC,iCAAiC,EAAE;QAC7D,MAAM,CAAC,KAAK,CACV,8EAA8E;YAC5E,GAAG,uBAAuB,CAAC,iCAAiC,GAAG,CAClE,CAAC;KACH;IACD,8FAA8F;IAC9F,iCAAiC;IACjC,IACE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM;QAClE,CAAC,uBAAuB,CAAC,qBAAqB,EAC9C;QACA,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,8BAA8B,uBAAuB,GAAG,CAC3D,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AArDD,kBAqDC"}

lib/init-action-post-helper.test.js

@@ -84,7 +84,7 @@ const workflow = __importStar(require("./workflow"));
         t.assert(printDebugLogsSpy.called);
     });
 });
-(0, ava_1.default)("uploads failed SARIF run for typical workflow", async (t) => {
+(0, ava_1.default)("uploads failed SARIF run with `diagnostics export` if feature flag is off", async (t) => {
     const actionsWorkflow = createTestWorkflow([
         {
             name: "Checkout repository",
@@ -107,7 +107,7 @@ const workflow = __importStar(require("./workflow"));
     ]);
     await testFailedSarifUpload(t, actionsWorkflow, { category: "my-category" });
 });
-(0, ava_1.default)("doesn't upload failed SARIF for workflow with upload: false", async (t) => {
+(0, ava_1.default)("uploads failed SARIF run with `diagnostics export` if the database doesn't exist", async (t) => {
     const actionsWorkflow = createTestWorkflow([
         {
             name: "Checkout repository",
@@ -125,15 +125,98 @@ const workflow = __importStar(require("./workflow"));
             uses: "github/codeql-action/analyze@v2",
             with: {
                 category: "my-category",
-                upload: false,
             },
         },
     ]);
-    const result = await testFailedSarifUpload(t, actionsWorkflow, {
-        expectUpload: false,
+    await testFailedSarifUpload(t, actionsWorkflow, {
+        category: "my-category",
+        databaseExists: false,
     });
-    t.is(result.upload_failed_run_skipped_because, "SARIF upload is disabled");
 });
+(0, ava_1.default)("uploads failed SARIF run with database export-diagnostics if the database exists and feature flag is on", async (t) => {
+    const actionsWorkflow = createTestWorkflow([
+        {
+            name: "Checkout repository",
+            uses: "actions/checkout@v3",
+        },
+        {
+            name: "Initialize CodeQL",
+            uses: "github/codeql-action/init@v2",
+            with: {
+                languages: "javascript",
+            },
+        },
+        {
+            name: "Perform CodeQL Analysis",
+            uses: "github/codeql-action/analyze@v2",
+            with: {
+                category: "my-category",
+            },
+        },
+    ]);
+    await testFailedSarifUpload(t, actionsWorkflow, {
+        category: "my-category",
+        exportDiagnosticsEnabled: true,
+    });
+});
+const UPLOAD_INPUT_TEST_CASES = [
+    {
+        uploadInput: "true",
+        shouldUpload: true,
+    },
+    {
+        uploadInput: "false",
+        shouldUpload: true,
+    },
+    {
+        uploadInput: "always",
+        shouldUpload: true,
+    },
+    {
+        uploadInput: "failure-only",
+        shouldUpload: true,
+    },
+    {
+        uploadInput: "never",
+        shouldUpload: false,
+    },
+    {
+        uploadInput: "unrecognized-value",
+        shouldUpload: true,
+    },
+];
+for (const { uploadInput, shouldUpload } of UPLOAD_INPUT_TEST_CASES) {
+    (0, ava_1.default)(`does ${shouldUpload ? "" : "not "}upload failed SARIF run for workflow with upload: ${uploadInput}`, async (t) => {
+        const actionsWorkflow = createTestWorkflow([
+            {
+                name: "Checkout repository",
+                uses: "actions/checkout@v3",
+            },
+            {
+                name: "Initialize CodeQL",
+                uses: "github/codeql-action/init@v2",
+                with: {
+                    languages: "javascript",
+                },
+            },
+            {
+                name: "Perform CodeQL Analysis",
+                uses: "github/codeql-action/analyze@v2",
+                with: {
+                    category: "my-category",
+                    upload: uploadInput,
+                },
+            },
+        ]);
+        const result = await testFailedSarifUpload(t, actionsWorkflow, {
+            category: "my-category",
+            expectUpload: shouldUpload,
+        });
+        if (!shouldUpload) {
+            t.is(result.upload_failed_run_skipped_because, "SARIF upload is disabled");
+        }
+    });
+}
 (0, ava_1.default)("uploading failed SARIF run succeeds when workflow uses an input with a matrix var", async (t) => {
     const actionsWorkflow = createTestWorkflow([
         {
@@ -221,13 +304,16 @@ function createTestWorkflow(steps) {
         },
     };
 }
-async function testFailedSarifUpload(t, actionsWorkflow, { category, expectUpload = true, matrix = {}, } = {}) {
+async function testFailedSarifUpload(t, actionsWorkflow, { category, databaseExists = true, expectUpload = true, exportDiagnosticsEnabled = false, matrix = {}, } = {}) {
     const config = {
         codeQLCmd: "codeql",
         debugMode: true,
         languages: [],
         packs: [],
     };
+    if (databaseExists) {
+        config.dbLocation = "path/to/database";
+    }
     process.env["GITHUB_JOB"] = "analyze";
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
     process.env["GITHUB_WORKSPACE"] =
@@ -238,6 +324,7 @@ async function testFailedSarifUpload(t, actionsWorkflow, { category, expectUploa
         .returns(JSON.stringify(matrix));
     const codeqlObject = await codeql.getCodeQLForTesting();
     sinon.stub(codeql, "getCodeQL").resolves(codeqlObject);
+    const databaseExportDiagnosticsStub = sinon.stub(codeqlObject, "databaseExportDiagnostics");
     const diagnosticsExportStub = sinon.stub(codeqlObject, "diagnosticsExport");
     sinon.stub(workflow, "getWorkflow").resolves(actionsWorkflow);
     const uploadFromActions = sinon.stub(uploadLib, "uploadFromActions");
@@ -246,15 +333,22 @@ async function testFailedSarifUpload(t, actionsWorkflow, { category, expectUploa
         statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
     });
     const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");
-    const result = await initActionPostHelper.tryUploadSarifIfRunFailed(config, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.UploadFailedSarifEnabled]), (0, logging_1.getRunnerLogger)(true));
+    const features = [feature_flags_1.Feature.UploadFailedSarifEnabled];
+    if (exportDiagnosticsEnabled) {
+        features.push(feature_flags_1.Feature.ExportDiagnosticsEnabled);
+    }
+    const result = await initActionPostHelper.tryUploadSarifIfRunFailed(config, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)(features), (0, logging_1.getRunnerLogger)(true));
     if (expectUpload) {
         t.deepEqual(result, {
             raw_upload_size_bytes: 20,
             zipped_upload_size_bytes: 10,
         });
-    }
-    if (expectUpload) {
-        t.true(diagnosticsExportStub.calledOnceWith(sinon.match.string, category), `Actual args were: ${diagnosticsExportStub.args}`);
+        if (databaseExists && exportDiagnosticsEnabled) {
+            t.true(databaseExportDiagnosticsStub.calledOnceWith(config.dbLocation, sinon.match.string, category, sinon.match.any, sinon.match.any), `Actual args were: ${databaseExportDiagnosticsStub.args}`);
+        }
+        else {
+            t.true(diagnosticsExportStub.calledOnceWith(sinon.match.string, category, config, sinon.match.any), `Actual args were: ${diagnosticsExportStub.args}`);
+        }
         t.true(uploadFromActions.calledOnceWith(sinon.match.string, sinon.match.string, category, sinon.match.any), `Actual args were: ${uploadFromActions.args}`);
         t.true(waitForProcessing.calledOnceWith(sinon.match.any, "42", sinon.match.any, {
             isUnsuccessfulExecution: true,

lib/init-action-post.js

@@ -48,10 +48,10 @@ async function runWrapper() {
         const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
         uploadFailedSarifResult = await initActionPostHelper.run(debugArtifacts.uploadDatabaseBundleDebugArtifact, debugArtifacts.uploadLogsDebugArtifact, actions_util_1.printDebugLogs, repositoryNwo, features, logger);
     }
-    catch (e) {
-        core.setFailed(e instanceof Error ? e.message : String(e));
-        console.log(e);
-        await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("init-post", (0, actions_util_1.getActionsStatus)(e), startedAt, String(e), e instanceof Error ? e.stack : undefined));
+    catch (unwrappedError) {
+        const error = (0, util_1.wrapError)(unwrappedError);
+        core.setFailed(error.message);
+        await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("init-post", (0, actions_util_1.getActionsStatus)(error), startedAt, error.message, error.stack));
         return;
     }
     const statusReportBase = await (0, actions_util_1.createStatusReportBase)("init-post", "success", startedAt);

lib/init-action-post.js.map

@@ -1 +1 @@
-{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,iDAOwB;AACxB,6CAAgD;AAChD,kEAAoD;AACpD,mDAA2C;AAC3C,gFAAkE;AAClE,uCAA6C;AAC7C,6CAAkD;AAClD,iCAAwE;AAMxE,KAAK,UAAU,UAAU;IACvB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,uBAES,CAAC;IACd,IAAI;QACF,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,uBAAuB,GAAG,MAAM,oBAAoB,CAAC,GAAG,CACtD,cAAc,CAAC,iCAAiC,EAChD,cAAc,CAAC,uBAAuB,EACtC,6BAAc,EACd,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;KACH;IAAC,OAAO,CAAC,EAAE;QACV,IAAI,CAAC,SAAS,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAE3D,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACf,MAAM,IAAA,+BAAgB,EACpB,MAAM,IAAA,qCAAsB,EAC1B,WAAW,EACX,IAAA,+BAAgB,EAAC,CAAC,CAAC,EACnB,SAAS,EACT,MAAM,CAAC,CAAC,CAAC,EACT,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CACzC,CACF,CAAC;QACF,OAAO;KACR;IACD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAAyB;QACzC,GAAG,gBAAgB;QACnB,GAAG,uBAAuB;KAC3B,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"init-action-post.js","sourceRoot":"","sources":["../src/init-action-post.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AAEtC,iDAOwB;AACxB,6CAAgD;AAChD,kEAAoD;AACpD,mDAA2C;AAC3C,gFAAkE;AAClE,uCAA6C;AAC7C,6CAAkD;AAClD,iCAIgB;AAMhB,KAAK,UAAU,UAAU;IACvB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,uBAES,CAAC;IACd,IAAI;QACF,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;QACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QAEF,uBAAuB,GAAG,MAAM,oBAAoB,CAAC,GAAG,CACtD,cAAc,CAAC,iCAAiC,EAChD,cAAc,CAAC,uBAAuB,EACtC,6BAAc,EACd,aAAa,EACb,QAAQ,EACR,MAAM,CACP,CAAC;KACH;IAAC,OAAO,cAAc,EAAE;QACvB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE9B,MAAM,IAAA,+BAAgB,EACpB,MAAM,IAAA,qCAAsB,EAC1B,WAAW,EACX,IAAA,+BAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CACF,CAAC;QACF,OAAO;KACR;IACD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,SAAS,EACT,SAAS,CACV,CAAC;IACF,MAAM,YAAY,GAAyB;QACzC,GAAG,gBAAgB;QACnB,GAAG,uBAAuB;KAC3B,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/init-action.js

@@ -36,8 +36,8 @@ const repository_1 = require("./repository");
 const trap_caching_1 = require("./trap-caching");
 const util_1 = require("./util");
 const workflow_1 = require("./workflow");
-async function sendInitStatusReport(actionStatus, startedAt, config, toolsDownloadDurationMs, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger) {
-    const statusReportBase = await (0, actions_util_1.createStatusReportBase)("init", actionStatus, startedAt);
+async function sendCompletedStatusReport(startedAt, config, toolsDownloadDurationMs, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger, error) {
+    const statusReportBase = await (0, actions_util_1.createStatusReportBase)("init", (0, actions_util_1.getActionsStatus)(error), startedAt, error?.message, error?.stack);
     const workflowLanguages = (0, actions_util_1.getOptionalInput)("languages");
     const initStatusReport = {
         ...statusReportBase,
@@ -46,12 +46,13 @@ async function sendInitStatusReport(actionStatus, startedAt, config, toolsDownlo
         tools_source: toolsSource || init_1.ToolsSource.Unknown,
         workflow_languages: workflowLanguages || "",
     };
-    let initToolsDownloadFields = {};
-    if (toolsSource === init_1.ToolsSource.Download) {
-        initToolsDownloadFields = {
-            tools_download_duration_ms: toolsDownloadDurationMs,
-            tools_feature_flags_valid: toolsFeatureFlagsValid,
-        };
+    const initToolsDownloadFields = {};
+    if (toolsDownloadDurationMs !== undefined) {
+        initToolsDownloadFields.tools_download_duration_ms =
+            toolsDownloadDurationMs;
+    }
+    if (toolsFeatureFlagsValid !== undefined) {
+        initToolsDownloadFields.tools_feature_flags_valid = toolsFeatureFlagsValid;
     }
     if (config !== undefined) {
         const languages = config.languages.join(",");
@@ -112,6 +113,7 @@ async function run() {
     const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
     (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
     const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    const registriesInput = (0, actions_util_1.getOptionalInput)("registries");
     const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, (0, actions_util_1.getTemporaryDirectory)(), logger);
     try {
         const workflowErrors = await (0, workflow_1.validateWorkflow)();
@@ -127,8 +129,8 @@ async function run() {
         toolsDownloadDurationMs = initCodeQLResult.toolsDownloadDurationMs;
         toolsVersion = initCodeQLResult.toolsVersion;
         toolsSource = initCodeQLResult.toolsSource;
-        await (0, util_1.enrichEnvironment)(codeql);
-        config = await (0, init_1.initConfig)((0, actions_util_1.getOptionalInput)("languages"), (0, actions_util_1.getOptionalInput)("queries"), (0, actions_util_1.getOptionalInput)("packs"), (0, actions_util_1.getOptionalInput)("registries"), (0, actions_util_1.getOptionalInput)("config-file"), (0, actions_util_1.getOptionalInput)("db-location"), await getTrapCachingEnabled(features), 
+        await (0, codeql_1.enrichEnvironment)(codeql);
+        config = await (0, init_1.initConfig)((0, actions_util_1.getOptionalInput)("languages"), (0, actions_util_1.getOptionalInput)("queries"), (0, actions_util_1.getOptionalInput)("packs"), registriesInput, (0, actions_util_1.getOptionalInput)("config-file"), (0, actions_util_1.getOptionalInput)("db-location"), getTrapCachingEnabled(), 
         // Debug mode is enabled if:
         // - The `init` Action is passed `debug: true`.
         // - Actions step debugging is enabled (e.g. by [enabling debug logging for a rerun](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow),
@@ -139,17 +141,16 @@ async function run() {
             try {
                 await (0, init_1.installPythonDeps)(codeql, logger);
             }
-            catch (err) {
-                const message = err instanceof Error ? err.message : String(err);
-                logger.warning(`${message} You can call this action with 'setup-python-dependencies: false' to disable this process`);
+            catch (unwrappedError) {
+                const error = (0, util_1.wrapError)(unwrappedError);
+                logger.warning(`${error.message} You can call this action with 'setup-python-dependencies: false' to disable this process`);
             }
         }
     }
-    catch (e) {
-        const message = e instanceof Error ? e.message : String(e);
-        core.setFailed(message);
-        console.log(e);
-        await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("init", "aborted", startedAt, message));
+    catch (unwrappedError) {
+        const error = (0, util_1.wrapError)(unwrappedError);
+        core.setFailed(error.message);
+        await (0, actions_util_1.sendStatusReport)(await (0, actions_util_1.createStatusReportBase)("init", "aborted", startedAt, error.message, error.stack));
         return;
     }
     try {
@@ -172,7 +173,7 @@ async function run() {
             core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true");
         }
         const sourceRoot = path.resolve((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), (0, actions_util_1.getOptionalInput)("source-root") || "");
-        const tracerConfig = await (0, init_1.runInit)(codeql, config, sourceRoot, "Runner.Worker.exe", features, logger);
+        const tracerConfig = await (0, init_1.runInit)(codeql, config, sourceRoot, "Runner.Worker.exe", registriesInput, features, apiDetails, logger);
         if (tracerConfig !== undefined) {
             for (const [key, value] of Object.entries(tracerConfig.env)) {
                 core.exportVariable(key, value);
@@ -184,15 +185,15 @@ async function run() {
         }
         core.setOutput("codeql-path", config.codeQLCmd);
     }
-    catch (error) {
-        core.setFailed(String(error));
-        console.log(error);
-        await sendInitStatusReport((0, actions_util_1.getActionsStatus)(error), startedAt, config, toolsDownloadDurationMs, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger);
+    catch (unwrappedError) {
+        const error = (0, util_1.wrapError)(unwrappedError);
+        core.setFailed(error.message);
+        await sendCompletedStatusReport(startedAt, config, toolsDownloadDurationMs, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger, error);
         return;
     }
-    await sendInitStatusReport("success", startedAt, config, toolsDownloadDurationMs, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger);
+    await sendCompletedStatusReport(startedAt, config, toolsDownloadDurationMs, toolsFeatureFlagsValid, toolsSource, toolsVersion, logger);
 }
-async function getTrapCachingEnabled(featureEnablement) {
+function getTrapCachingEnabled() {
     // If the workflow specified something always respect that
     const trapCaching = (0, actions_util_1.getOptionalInput)("trap-caching");
     if (trapCaching !== undefined)
@@ -200,16 +201,15 @@ async function getTrapCachingEnabled(featureEnablement) {
     // On self-hosted runners which may have slow network access, disable TRAP caching by default
     if (!(0, util_1.isHostedRunner)())
         return false;
-    // On hosted runners, respect the feature flag
-    return await featureEnablement.getValue(feature_flags_1.Feature.TrapCachingEnabled);
+    // On hosted runners, enable TRAP caching by default
+    return true;
 }
 async function runWrapper() {
     try {
         await run();
     }
     catch (error) {
-        core.setFailed(`init action failed: ${error}`);
-        console.log(error);
+        core.setFailed(`init action failed: ${(0, util_1.wrapError)(error).message}`);
     }
     await (0, util_1.checkForTimeout)();
 }

lib/init.js

@@ -49,20 +49,34 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe
     return { codeql, toolsDownloadDurationMs, toolsSource, toolsVersion };
 }
 exports.initCodeQL = initCodeQL;
-async function initConfig(languagesInput, queriesInput, packsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger) {
+async function initConfig(languagesInput, queriesInput, packsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger) {
     logger.startGroup("Load language configuration");
-    const config = await configUtils.initConfig(languagesInput, queriesInput, packsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger);
+    const config = await configUtils.initConfig(languagesInput, queriesInput, packsInput, registriesInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, features, logger);
     analysisPaths.printPathFiltersWarning(config, logger);
     logger.endGroup();
     return config;
 }
 exports.initConfig = initConfig;
-async function runInit(codeql, config, sourceRoot, processName, featureEnablement, logger) {
+async function runInit(codeql, config, sourceRoot, processName, registriesInput, features, apiDetails, logger) {
     fs.mkdirSync(config.dbLocation, { recursive: true });
     try {
         if (await (0, util_1.codeQlVersionAbove)(codeql, codeql_1.CODEQL_VERSION_NEW_TRACING)) {
+            // When parsing the codeql config in the CLI, we have not yet created the qlconfig file.
+            // So, create it now.
+            // If we are parsing the config file in the Action, then the qlconfig file was already created
+            // before the `pack download` command was invoked. It is not required for the init command.
+            let registriesAuthTokens;
+            let qlconfigFile;
+            if (await util.useCodeScanningConfigInCli(codeql, features)) {
+                ({ registriesAuthTokens, qlconfigFile } =
+                    await configUtils.generateRegistries(registriesInput, codeql, config.tempDir, logger));
+            }
+            await configUtils.wrapEnvironment({
+                GITHUB_TOKEN: apiDetails.auth,
+                CODEQL_REGISTRIES_AUTH: registriesAuthTokens,
+            }, 
             // Init a database cluster
-            await codeql.databaseInitCluster(config, sourceRoot, processName, featureEnablement, logger);
+            async () => await codeql.databaseInitCluster(config, sourceRoot, processName, features, qlconfigFile, logger));
         }
         else {
             for (const language of config.languages) {

lib/setup-codeql.js

@@ -139,7 +139,7 @@ async function tryFindCliVersionDotcomOnly(tagName, logger) {
         return tryGetCodeQLCliVersionForRelease(release.data, logger);
     }
     catch (e) {
-        logger.debug(`Failed to find the CLI version for the CodeQL bundle tagged ${tagName}. ${e instanceof Error ? e.message : e}`);
+        logger.debug(`Failed to find the CLI version for the CodeQL bundle tagged ${tagName}. ${(0, util_1.wrapError)(e).message}`);
         return undefined;
     }
 }

lib/setup-codeql.test.js

@@ -57,7 +57,7 @@ ava_1.default.beforeEach(() => {
             t.deepEqual(parsedVersion, expectedVersion);
         }
         catch (e) {
-            t.fail(e instanceof Error ? e.message : String(e));
+            t.fail((0, util_1.wrapError)(e).message);
         }
     }
 });

lib/setup-codeql.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"setup-codeql.test.js","sourceRoot":"","sources":["../src/setup-codeql.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,kDAAoC;AACpC,uCAA4C;AAC5C,4DAA8C;AAC9C,mDAA6C;AAC7C,iCAA+C;AAE/C,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,CAAC,CAAC,SAAS,CACT,WAAW,CAAC,mBAAmB,CAC7B,mDAAmD,CACpD,EACD,UAAU,CACX,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9B,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,gBAAgB;QAC5B,YAAY,EAAE,kBAAkB;QAChC,cAAc,EAAE,cAAc;QAC9B,OAAO,EAAE,OAAO;QAChB,aAAa,EAAE,aAAa;QAC5B,cAAc,EAAE,cAAc;KAC/B,CAAC;IAEF,KAAK,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;QAC9D,IAAI;YACF,MAAM,aAAa,GAAG,WAAW,CAAC,eAAe,CAC/C,OAAO,EACP,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;YACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC;SAC7C;QAAC,OAAO,CAAC,EAAE;YACV,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;SACpD;KACF;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,2BAA2B,EAAE,CAAC,CAAC,EAAE,EAAE;IACtC,MAAM,MAAM,GAAG,IAAA,yBAAe,EAAC,IAAI,CAAC,CAAC;IAErC,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;IAE/B,kCAAkC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACtE,CAAC,CAAC,SAAS,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAAC;IAErD,mCAAmC;IACnC,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC;IACpD,MAAM,OAAO,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yEAAyE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1F,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,CAAC,CAAC,EAAE,CACF,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACD,wBAAwB,CACzB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iFAAiF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClG,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,MAAM,CAAC,CAAC,WAAW,CACjB,KAAK,IAAI,EAAE,CACT,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACH;QACE,OAAO,EACL,+EAA+E;KAClF,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}
+{"version":3,"file":"setup-codeql.test.js","sourceRoot":"","sources":["../src/setup-codeql.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,8CAAuB;AACvB,6CAA+B;AAE/B,4DAA8C;AAC9C,kDAAoC;AACpC,uCAA4C;AAC5C,4DAA8C;AAC9C,mDAA6C;AAC7C,iCAA0D;AAE1D,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,CAAC,CAAC,SAAS,CACT,WAAW,CAAC,mBAAmB,CAC7B,mDAAmD,CACpD,EACD,UAAU,CACX,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9B,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,gBAAgB;QAC5B,YAAY,EAAE,kBAAkB;QAChC,cAAc,EAAE,cAAc;QAC9B,OAAO,EAAE,OAAO;QAChB,aAAa,EAAE,aAAa;QAC5B,cAAc,EAAE,cAAc;KAC/B,CAAC;IAEF,KAAK,MAAM,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;QAC9D,IAAI;YACF,MAAM,aAAa,GAAG,WAAW,CAAC,eAAe,CAC/C,OAAO,EACP,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,CAAC;YACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC;SAC7C;QAAC,OAAO,CAAC,EAAE;YACV,CAAC,CAAC,IAAI,CAAC,IAAA,gBAAS,EAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;SAC9B;KACF;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,2BAA2B,EAAE,CAAC,CAAC,EAAE,EAAE;IACtC,MAAM,MAAM,GAAG,IAAA,yBAAe,EAAC,IAAI,CAAC,CAAC;IAErC,IAAA,4BAAqB,EAAC,OAAO,CAAC,CAAC;IAE/B,kCAAkC;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACtE,CAAC,CAAC,SAAS,CAAC,eAAe,EAAE,sBAAsB,CAAC,CAAC;IAErD,mCAAmC;IACnC,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC;IACpD,MAAM,OAAO,GAAG,WAAW,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAC9D,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAClC,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,yEAAyE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1F,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,CAAC,CAAC,EAAE,CACF,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACD,wBAAwB,CACzB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,iFAAiF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAClG,mDAAmD;IACnD,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3C,KAAK,EAAE;YACL,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC/C;QACD,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;YAC9B;gBACE,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,wBAAwB;qBAC/B;iBACF;gBACD,QAAQ,EAAE,wBAAwB;aACnC;SACF,CAAC;KACH,CAAC,CAAC,CAAC;IACJ,MAAM,CAAC,CAAC,WAAW,CACjB,KAAK,IAAI,EAAE,CACT,MAAM,WAAW,CAAC,6BAA6B,CAC7C,QAAQ,EACR,IAAA,yBAAe,EAAC,IAAI,CAAC,CACtB,EACH;QACE,OAAO,EACL,+EAA+E;KAClF,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}

lib/shared-environment.js

@@ -1,6 +1,43 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ODASA_TRACER_CONFIGURATION = exports.CODEQL_WORKFLOW_STARTED_AT = exports.CODEQL_ACTION_TEST_MODE = exports.CODEQL_ACTION_TESTING_ENVIRONMENT = exports.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY = void 0;
+exports.ODASA_TRACER_CONFIGURATION = exports.CODEQL_WORKFLOW_STARTED_AT = exports.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX = exports.CODEQL_ACTION_TEST_MODE = exports.CODEQL_ACTION_TESTING_ENVIRONMENT = exports.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY = exports.CODEQL_ACTION_DID_AUTOBUILD_GOLANG = exports.EnvVar = void 0;
+/**
+ * Environment variables to be set by codeql-action and used by the
+ * CLI.
+ */
+var EnvVar;
+(function (EnvVar) {
+    /**
+     * Semver of the codeql-action as specified in package.json.
+     */
+    EnvVar["VERSION"] = "CODEQL_ACTION_VERSION";
+    /**
+     * If set to a truthy value, then the codeql-action might combine SARIF
+     * output from several `interpret-results` runs for the same Language.
+     */
+    EnvVar["FEATURE_SARIF_COMBINE"] = "CODEQL_ACTION_FEATURE_SARIF_COMBINE";
+    /**
+     * If set to the "true" string, then the codeql-action will upload SARIF,
+     * not the cli.
+     */
+    EnvVar["FEATURE_WILL_UPLOAD"] = "CODEQL_ACTION_FEATURE_WILL_UPLOAD";
+    /**
+     * If set to the "true" string, then the codeql-action is using its
+     * own deprecated and non-standard way of scanning for multiple
+     * languages.
+     */
+    EnvVar["FEATURE_MULTI_LANGUAGE"] = "CODEQL_ACTION_FEATURE_MULTI_LANGUAGE";
+    /**
+     * If set to the "true" string, then the codeql-action is using its
+     * own sandwiched workflow mechanism
+     */
+    EnvVar["FEATURE_SANDWICH"] = "CODEQL_ACTION_FEATURE_SANDWICH";
+})(EnvVar = exports.EnvVar || (exports.EnvVar = {}));
+/**
+ * Environment variable that is set to true when the CodeQL Action has invoked
+ * the Go autobuilder.
+ */
+exports.CODEQL_ACTION_DID_AUTOBUILD_GOLANG = "CODEQL_ACTION_DID_AUTOBUILD_GOLANG";
 /**
  * This environment variable is set to true when the `analyze` Action
  * completes successfully.
@@ -9,6 +46,11 @@ exports.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY = "CODEQL_ACTION_ANALYZE
 exports.CODEQL_ACTION_TESTING_ENVIRONMENT = "CODEQL_ACTION_TESTING_ENVIRONMENT";
 /** Used to disable uploading SARIF results or status reports to the GitHub API */
 exports.CODEQL_ACTION_TEST_MODE = "CODEQL_ACTION_TEST_MODE";
+/**
+ * Used to disable the SARIF post-processing in the Action that removes duplicate locations from
+ * notifications in the `run[].invocations[].toolExecutionNotifications` SARIF property.
+ */
+exports.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX = "CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX";
 /**
  * The time at which the first action (normally init) started executing.
  * If a workflow invokes a different action without first invoking the init

lib/shared-environment.js.map

@@ -1 +1 @@
-{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACU,QAAA,+CAA+C,GAC1D,iDAAiD,CAAC;AAEvC,QAAA,iCAAiC,GAC5C,mCAAmC,CAAC;AAEtC,kFAAkF;AACrE,QAAA,uBAAuB,GAAG,yBAAyB,CAAC;AAEjE;;;;;;GAMG;AACU,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AAE1D,QAAA,0BAA0B,GAAG,4BAA4B,CAAC"}
+{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACH,IAAY,MA8BX;AA9BD,WAAY,MAAM;IAChB;;OAEG;IACH,2CAAiC,CAAA;IAEjC;;;OAGG;IACH,uEAA6D,CAAA;IAE7D;;;OAGG;IACH,mEAAyD,CAAA;IAEzD;;;;OAIG;IACH,yEAA+D,CAAA;IAE/D;;;OAGG;IACH,6DAAmD,CAAA;AACrD,CAAC,EA9BW,MAAM,GAAN,cAAM,KAAN,cAAM,QA8BjB;AAED;;;GAGG;AACU,QAAA,kCAAkC,GAC7C,oCAAoC,CAAC;AAEvC;;;GAGG;AACU,QAAA,+CAA+C,GAC1D,iDAAiD,CAAC;AAEvC,QAAA,iCAAiC,GAC5C,mCAAmC,CAAC;AAEtC,kFAAkF;AACrE,QAAA,uBAAuB,GAAG,yBAAyB,CAAC;AAEjE;;;GAGG;AACU,QAAA,4CAA4C,GACvD,8CAA8C,CAAC;AAEjD;;;;;;GAMG;AACU,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AAE1D,QAAA,0BAA0B,GAAG,4BAA4B,CAAC"}