Merge pull request #2339 from github/backport-v2.25.10-23acc5c18

Merge releases/v3 into releases/v2

.github/actions/check-codescanning-config/action.yml

@@ -29,7 +29,16 @@ inputs:
   tools:
     required: true
     description: |
-      The url of codeql to use.
+      The version of CodeQL passed to the `tools` input of the init action.
+      This can be any of the following:
+
+      - A local path to a tarball containing the CodeQL tools, or
+      - A URL to a GitHub release assets containing the CodeQL tools, or
+      - A special value `linked` which is forcing the use of the CodeQL tools
+        that the action has been bundled with.
+
+      If not specified, the Action will check in several places until it finds
+      the CodeQL tools.
 
 runs:
   using: composite

.github/actions/prepare-test/action.yml

@@ -2,7 +2,7 @@ name: "Prepare test"
 description: Performs some preparation to run tests
 inputs:
   version:
-    description: "The version of the CodeQL CLI to use. Can be 'latest', 'default', 'nightly-latest', 'nightly-YYYY-MM-DD', or 'stable-YYYY-MM-DD'."
+    description: "The version of the CodeQL CLI to use. Can be 'linked', 'default', 'nightly-latest', 'nightly-YYYY-MM-DD', or 'stable-YYYY-MM-DD'."
     required: true
   use-all-platform-bundle:
     description: "If true, we output a tools URL with codeql-bundle.tar.gz file rather than platform-specific URL"
@@ -50,8 +50,8 @@ runs:
         elif [[ ${{ inputs.version }} == *"stable"* ]]; then
           version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
           echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
-        elif [[ ${{ inputs.version }} == "latest" ]]; then
-          echo "tools-url=latest" >> $GITHUB_OUTPUT
+        elif [[ ${{ inputs.version }} == "linked" ]]; then
+          echo "tools-url=linked" >> $GITHUB_OUTPUT
         elif [[ ${{ inputs.version }} == "default" ]]; then
           echo "tools-url=" >> $GITHUB_OUTPUT
         else

.github/actions/query-filter-test/action.yml

@@ -23,7 +23,16 @@ inputs:
   tools:
     required: true
     description: |
-      The url of codeql to use.
+      The version of CodeQL passed to the `tools` input of the init action.
+      This can be any of the following:
+
+      - A local path to a tarball containing the CodeQL tools, or
+      - A URL to a GitHub release assets containing the CodeQL tools, or
+      - A special value `linked` which is forcing the use of the CodeQL tools
+        that the action has been bundled with.
+
+      If not specified, the Action will check in several places until it finds
+      the CodeQL tools.
 
 runs:
   using: composite
@@ -39,7 +48,6 @@ runs:
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
-        upload-database: false
         upload: never
       env:
         CODEQL_ACTION_TEST_MODE: "true"

.github/workflows/__all-platform-bundle.yml

@@ -68,7 +68,5 @@ jobs:
         shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
-        with:
-          upload-database: false
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__analyze-ref-input.yml

@@ -72,7 +72,6 @@ jobs:
         run: ./build.sh
       - uses: ./../action/analyze
         with:
-          upload-database: false
           ref: refs/heads/main
           sha: 5e235361806c361d4d3f8859e3c897658025a9a2
     env:

.github/workflows/__autobuild-action.yml

@@ -29,11 +29,11 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
     name: autobuild-action
     permissions:
       contents: read
@@ -75,8 +75,6 @@ jobs:
           CORECLR_PROFILER: ''
           CORECLR_PROFILER_PATH_64: ''
       - uses: ./../action/analyze
-        with:
-          upload-database: false
       - name: Check database
         shell: bash
         run: |

.github/workflows/__autobuild-direct-tracing-with-working-dir.yml

@@ -0,0 +1,92 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Autobuild direct tracing (custom working directory)
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  autobuild-direct-tracing-with-working-dir:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+          - os: windows-latest
+            version: linked
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: windows-latest
+            version: nightly-latest
+    name: Autobuild direct tracing (custom working directory)
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-20230403' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+      - name: Test setup
+        shell: bash
+        run: |
+          # Make sure that Gradle build succeeds in autobuild-dir ...
+          cp -a ../action/tests/java-repo autobuild-dir
+          # ... and fails if attempted in the current directory
+          echo > build.gradle
+      - uses: ./../action/init
+        with:
+          build-mode: autobuild
+          languages: java
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+      - name: Check that indirect tracing is disabled
+        shell: bash
+        run: |
+          if [[ ! -z "${CODEQL_RUNNER}" ]]; then
+            echo "Expected indirect tracing to be disabled, but the" \
+              "CODEQL_RUNNER environment variable is set."
+            exit 1
+          fi
+      - uses: ./../action/autobuild
+        with:
+          working-directory: autobuild-dir
+      - uses: ./../action/analyze
+    env:
+      CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__autobuild-direct-tracing.yml

@@ -29,9 +29,9 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
           - os: windows-latest

.github/workflows/__build-mode-none.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
     name: Build mode none

.github/workflows/__cleanup-db-cluster-dir.yml

@@ -0,0 +1,81 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: PR Check - Clean up database cluster directory
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+      - main
+      - releases/v*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  schedule:
+    - cron: '0 5 * * *'
+  workflow_dispatch: {}
+jobs:
+  cleanup-db-cluster-dir:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            version: linked
+    name: Clean up database cluster directory
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Setup Python on MacOS
+        uses: actions/setup-python@v5
+        if: >-
+          runner.os == 'macOS' && (
+
+          matrix.version == 'stable-20230403' ||
+
+          matrix.version == 'stable-v2.13.5' ||
+
+          matrix.version == 'stable-v2.14.6')
+        with:
+          python-version: '3.11'
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Prepare test
+        id: prepare-test
+        uses: ./.github/actions/prepare-test
+        with:
+          version: ${{ matrix.version }}
+          use-all-platform-bundle: 'false'
+      - name: Add a file to the database cluster directory
+        run: |
+          mkdir -p "${{ runner.temp }}/customDbLocation/javascript"
+          touch "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt"
+
+      - uses: ./../action/init
+        id: init
+        with:
+          build-mode: none
+          db-location: ${{ runner.temp }}/customDbLocation
+          languages: javascript
+          tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+      - name: Validate file cleaned up
+        run: |
+          if [[ -f "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt" ]]; then
+            echo "File was not cleaned up"
+            exit 1
+          fi
+          echo "File was cleaned up"
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__config-export.yml

@@ -29,11 +29,11 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
           - os: macos-latest

.github/workflows/__config-input.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
     name: Config input
     permissions:
       contents: read

.github/workflows/__cpp-deptrace-disabled.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: default
           - os: ubuntu-latest

.github/workflows/__cpp-deptrace-enabled.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: default
           - os: ubuntu-latest

.github/workflows/__diagnostics-export.yml

@@ -35,11 +35,11 @@ jobs:
           - os: windows-latest
             version: stable-20230403
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
           - os: macos-latest

.github/workflows/__extractor-ram-threads.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
     name: Extractor ram and threads options test
     permissions:
       contents: read

.github/workflows/__go-custom-queries.yml

@@ -65,11 +65,11 @@ jobs:
           - os: windows-latest
             version: default
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
           - os: macos-latest
@@ -115,8 +115,6 @@ jobs:
         shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
-        with:
-          upload-database: false
     env:
       DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -69,8 +69,6 @@ jobs:
         shell: bash
         run: go build main.go
       - uses: ./../action/analyze
-        with:
-          upload-database: false
       - shell: bash
         run: |
           if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then

.github/workflows/__go-tracing-autobuilder.yml

@@ -53,9 +53,9 @@ jobs:
           - os: macos-latest
             version: default
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
           - os: macos-latest
@@ -99,8 +99,6 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/autobuild
       - uses: ./../action/analyze
-        with:
-          upload-database: false
       - shell: bash
         run: |
           if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -53,9 +53,9 @@ jobs:
           - os: macos-latest
             version: default
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
           - os: macos-latest
@@ -101,8 +101,6 @@ jobs:
         shell: bash
         run: go build main.go
       - uses: ./../action/analyze
-        with:
-          upload-database: false
       - shell: bash
         run: |
           # Once we start running Bash 4.2 in all environments, we can replace the

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -53,9 +53,9 @@ jobs:
           - os: macos-latest
             version: default
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
           - os: macos-latest
@@ -98,8 +98,6 @@ jobs:
           languages: go
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/analyze
-        with:
-          upload-database: false
       - shell: bash
         run: |
           cd "$RUNNER_TEMP/codeql_databases"

.github/workflows/__init-with-registries.yml

@@ -35,11 +35,11 @@ jobs:
           - os: windows-latest
             version: default
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
           - os: macos-latest

.github/workflows/__javascript-source-root.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: default
           - os: ubuntu-latest
@@ -73,9 +73,7 @@ jobs:
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/analyze
         with:
-          upload-database: false
           skip-queries: true
-          upload: never
       - name: Assert database exists
         shell: bash
         run: |

.github/workflows/__language-aliases.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
     name: Language aliases
     permissions:
       contents: read

.github/workflows/__multi-language-autodetect.yml

@@ -28,36 +28,20 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-20230403
           - os: macos-12
             version: stable-20230403
-          - os: ubuntu-latest
-            version: stable-v2.13.5
           - os: macos-12
             version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: stable-v2.14.6
           - os: macos-12
             version: stable-v2.14.6
-          - os: ubuntu-latest
-            version: stable-v2.15.5
           - os: macos-latest
             version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
           - os: macos-latest
             version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: default
           - os: macos-latest
             version: default
-          - os: ubuntu-latest
-            version: latest
           - os: macos-latest
-            version: latest
-          - os: ubuntu-latest
-            version: nightly-latest
+            version: linked
           - os: macos-latest
             version: nightly-latest
     name: Multi-language repository

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -29,11 +29,11 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__packaging-config-inputs-js.yml

@@ -29,11 +29,11 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__packaging-config-js.yml

@@ -29,11 +29,11 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__packaging-inputs-js.yml

@@ -29,11 +29,11 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__remote-config.yml

@@ -65,11 +65,11 @@ jobs:
           - os: windows-latest
             version: default
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
           - os: macos-latest

.github/workflows/__resolve-environment-action.yml

@@ -41,11 +41,11 @@ jobs:
           - os: windows-latest
             version: default
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: nightly-latest
           - os: macos-latest

.github/workflows/__ruby.yml

@@ -29,9 +29,9 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__scaling-reserved-ram.yml

@@ -28,36 +28,20 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-20230403
           - os: macos-12
             version: stable-20230403
-          - os: ubuntu-latest
-            version: stable-v2.13.5
           - os: macos-12
             version: stable-v2.13.5
-          - os: ubuntu-latest
-            version: stable-v2.14.6
           - os: macos-12
             version: stable-v2.14.6
-          - os: ubuntu-latest
-            version: stable-v2.15.5
           - os: macos-latest
             version: stable-v2.15.5
-          - os: ubuntu-latest
-            version: stable-v2.16.6
           - os: macos-latest
             version: stable-v2.16.6
-          - os: ubuntu-latest
-            version: default
           - os: macos-latest
             version: default
-          - os: ubuntu-latest
-            version: latest
           - os: macos-latest
-            version: latest
-          - os: ubuntu-latest
-            version: nightly-latest
+            version: linked
           - os: macos-latest
             version: nightly-latest
     name: Scaling reserved RAM

.github/workflows/__split-workflow.yml

@@ -29,9 +29,9 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: default
           - os: macos-latest

.github/workflows/__submit-sarif-failure.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: ubuntu-latest
             version: default
           - os: ubuntu-latest

.github/workflows/__swift-custom-build.yml

@@ -28,16 +28,10 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: latest
           - os: macos-latest
-            version: latest
-          - os: ubuntu-latest
-            version: default
+            version: linked
           - os: macos-latest
             version: default
-          - os: ubuntu-latest
-            version: nightly-latest
           - os: macos-latest
             version: nightly-latest
     name: Swift analysis using a custom build command

.github/workflows/__test-autobuild-working-dir.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
     name: Autobuild working directory
     permissions:
       contents: read
@@ -72,8 +72,6 @@ jobs:
         with:
           working-directory: autobuild-dir
       - uses: ./../action/analyze
-        with:
-          upload-database: false
       - name: Check database
         shell: bash
         run: |

.github/workflows/__test-local-codeql.yml

@@ -74,7 +74,5 @@ jobs:
         shell: bash
         run: ./build.sh
       - uses: ./../action/analyze
-        with:
-          upload-database: false
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__test-proxy.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
     name: Proxy test
     permissions:
       contents: read
@@ -62,8 +62,6 @@ jobs:
           languages: javascript
           tools: ${{ steps.prepare-test.outputs.tools-url }}
       - uses: ./../action/analyze
-        with:
-          upload-database: false
     env:
       https_proxy: http://squid-proxy:3128
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/__unset-environment.yml

@@ -28,21 +28,17 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
-            version: stable-20230403
-          - os: ubuntu-latest
-            version: stable-v2.13.5
-          - os: ubuntu-latest
+          - os: macos-12
             version: stable-v2.14.6
-          - os: ubuntu-latest
+          - os: macos-latest
             version: stable-v2.15.5
-          - os: ubuntu-latest
+          - os: macos-latest
             version: stable-v2.16.6
-          - os: ubuntu-latest
+          - os: macos-latest
+            version: linked
+          - os: macos-latest
             version: default
-          - os: ubuntu-latest
-            version: latest
-          - os: ubuntu-latest
+          - os: macos-latest
             version: nightly-latest
     name: Test unsetting environment variables
     permissions:
@@ -79,6 +75,9 @@ jobs:
       - uses: ./../action/.github/actions/setup-swift
         with:
           codeql-path: ${{ steps.init.outputs.codeql-path }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '>=1.21.0'
       - name: Build code
         shell: bash
     # Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a

.github/workflows/__upload-ref-sha-input.yml

@@ -70,9 +70,9 @@ jobs:
       - name: Build code
         shell: bash
         run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
       - uses: ./../action/analyze
         with:
-          upload-database: false
           ref: refs/heads/main
           sha: 5e235361806c361d4d3f8859e3c897658025a9a2
           upload: never

.github/workflows/__with-checkout-path.yml

@@ -29,11 +29,11 @@ jobs:
       matrix:
         include:
           - os: ubuntu-latest
-            version: latest
+            version: linked
           - os: macos-latest
-            version: latest
+            version: linked
           - os: windows-latest
-            version: latest
+            version: linked
     name: Use a custom `checkout_path`
     permissions:
       contents: read
@@ -93,14 +93,6 @@ jobs:
           checkout_path: x/y/z/some-path/tests/multi-language-repo
           ref: v1.1.0
           sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-          upload: never
-          upload-database: false
-
-      - uses: ./../action/upload-sarif
-        with:
-          ref: v1.1.0
-          sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-          checkout_path: x/y/z/some-path/tests/multi-language-repo
 
       - name: Verify SARIF after upload
         shell: bash

.github/workflows/codeql.yml

@@ -41,7 +41,7 @@ jobs:
       id: init-latest
       uses: ./init
       with:
-        tools: latest
+        tools: linked
         languages: javascript
     - name: Compare default and latest CodeQL bundle versions
       id: compare
@@ -54,16 +54,16 @@ jobs:
         echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
         echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
 
-        # If we're running on a pull request, run with both bundles, even if `tools: latest` would
+        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
         # be the same as `tools: null`. This allows us to make the job for each of the bundles a
         # required status check.
         #
-        # If we're running on push or schedule, then we can skip running with `tools: latest` when it would be
+        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
         # the same as running with `tools: null`.
         if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
           VERSIONS_JSON='[null]'
         else
-          VERSIONS_JSON='[null, "latest"]'
+          VERSIONS_JSON='[null, "linked"]'
         fi
 
         # Output a JSON-encoded list with the distinct versions to test against.

.github/workflows/codescanning-config-cli.yml

@@ -28,9 +28,9 @@ jobs:
       matrix:
         include:
         - os: ubuntu-latest
-          version: latest
+          version: linked
         - os: macos-latest
-          version: latest
+          version: linked
         - os: ubuntu-latest
           version: default
         - os: macos-latest

.github/workflows/debug-artifacts-failure.yml

@@ -37,7 +37,7 @@ jobs:
         id: prepare-test
         uses: ./.github/actions/prepare-test
         with:
-          version: latest
+          version: linked
       - uses: actions/setup-go@v5
         with:
           go-version: ^1.13.1

.github/workflows/debug-artifacts.yml

@@ -25,19 +25,20 @@ jobs:
       fail-fast: false
       matrix:
         version:
-        - stable-20230403
-        - stable-v2.13.5
-        - stable-v2.14.6
+        # TODO: Once CLI v2.17.4 is available and the platform is switched back to ubuntu,
+        #       stable-20230403, stable-v2.13.5, and stable-v2.14.6 can be added back to this matrix,
+        #       and the VERSIONS variable in the bash script below. 
+        #       Prior to CLI v2.15.1, ARM runners were not supported by the build tracer.
         - stable-v2.15.5
         - stable-v2.16.6
         - default
-        - latest
+        - linked
         - nightly-latest
     name: Upload debug artifacts
     env:
       CODEQL_ACTION_TEST_MODE: true
     timeout-minutes: 45
-    runs-on: ubuntu-latest
+    runs-on: macos-latest # TODO: Switch back to ubuntu for `nightly-latest` and `linked` once CLI v2.17.4 is available.
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
@@ -75,7 +76,7 @@ jobs:
       - name: Check expected artifacts exist
         shell: bash
         run: |
-          VERSIONS="stable-20230403 stable-v2.13.5 stable-v2.14.6 stable-v2.15.5 stable-v2.16.6 default latest nightly-latest"
+          VERSIONS="stable-v2.15.5 stable-v2.16.6 default linked nightly-latest"
           LANGUAGES="cpp csharp go java javascript python"
           for version in $VERSIONS; do
             pushd "./my-debug-artifacts-${version//./}"

.github/workflows/expected-queries-runs.yml

@@ -29,7 +29,7 @@ jobs:
       id: prepare-test
       uses: ./.github/actions/prepare-test
       with:
-        version: latest
+        version: linked
     - uses: ./../action/init
       with:
         languages: javascript
@@ -37,8 +37,6 @@ jobs:
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
-        upload-database: false
-        upload: never
 
     - name: Check Sarif
       uses: ./../action/.github/actions/check-sarif

.github/workflows/python312-windows.yml

@@ -14,6 +14,8 @@ on:
 
 jobs:
   test-setup-python-scripts:
+    env:
+      CODEQL_ACTION_TEST_MODE: true
     timeout-minutes: 45
     runs-on: windows-latest
 
@@ -32,11 +34,8 @@ jobs:
     - name: Initialize CodeQL
       uses: ./../action/init
       with:
-        tools: latest
+        tools: linked
         languages: python
 
     - name: Analyze
       uses: ./../action/analyze
-      with:
-        upload: false
-        upload-database: false

.github/workflows/query-filters.yml

@@ -27,7 +27,7 @@ jobs:
       id: prepare-test
       uses: ./.github/actions/prepare-test
       with:
-        version: latest
+        version: linked
 
     - name: Check SARIF for default queries with Single include, Single exclude
       uses: ./../action/.github/actions/query-filter-test

.github/workflows/script/update-node-modules.sh

@@ -1,9 +1,12 @@
-if [ "$1" != "update" && "$1" != "check-only" ]; then
+#!/bin/bash
+set -eu
+
+if [ "$1" != "update" ] && [ "$1" != "check-only" ]; then
     >&2 echo "Failed: Invalid argument. Must be 'update' or 'check-only'"
     exit 1
 fi
 
-sudo npm install --force -g npm@9.2.0
+npm install --force -g npm@9.2.0
 
 # clean the npm cache to ensure we don't have any files owned by root
 sudo npm cache clean --force

.github/workflows/test-codeql-bundle-all.yml

@@ -53,7 +53,5 @@ jobs:
       shell: bash
       run: ./build.sh
     - uses: ./../action/analyze
-      with:
-        upload-database: false
     env:
       CODEQL_ACTION_TEST_MODE: true

.github/workflows/update-bundle.yml

@@ -54,7 +54,7 @@ jobs:
           cli_version=$(jq -r '.cliVersion' src/defaults.json)
           pr_url=$(gh pr create \
             --title "Update default bundle to $cli_version" \
-            --body "This pull request updates the default CodeQL bundle, as used with \`tools: latest\` and on GHES, to $cli_version." \
+            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
             --assignee "$GITHUB_ACTOR" \
             --draft \
           )

CHANGELOG.md

@@ -4,10 +4,32 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
 
+## 2.25.10 - 13 Jun 2024
+
+- Update default CodeQL bundle version to 2.17.5. [#2327](https://github.com/github/codeql-action/pull/2327)
+
+## 2.25.9 - 12 Jun 2024
+
+- Avoid failing database creation if the database folder already exists and contains some unexpected files. Requires CodeQL 2.18.0 or higher. [#2330](https://github.com/github/codeql-action/pull/2330)
+- The init Action will attempt to clean up the database cluster directory before creating a new database and at the end of the job. This will help to avoid issues where the database cluster directory is left in an inconsistent state. [#2332](https://github.com/github/codeql-action/pull/2332)
+
+## 2.25.8 - 04 Jun 2024
+
+- Update default CodeQL bundle version to 2.17.4. [#2321](https://github.com/github/codeql-action/pull/2321)
+
+## 2.25.7 - 31 May 2024
+
+- We are rolling out a feature in May/June 2024 that will reduce the Actions cache usage of the Action by keeping only the newest TRAP cache for each language. [#2306](https://github.com/github/codeql-action/pull/2306)
+
+## 2.25.6 - 20 May 2024
+
+- Update default CodeQL bundle version to 2.17.3. [#2295](https://github.com/github/codeql-action/pull/2295)
+
 ## 2.25.5 - 13 May 2024
 
 - Add a compatibility matrix of supported CodeQL Action, CodeQL CLI, and GitHub Enterprise Server versions to the [README.md](README.md). [#2273](https://github.com/github/codeql-action/pull/2273)
 - Avoid printing out a warning for a missing `on.push` trigger when the CodeQL Action is triggered via a `workflow_call` event. [#2274](https://github.com/github/codeql-action/pull/2274)
+- The `tools: latest` input to the `init` Action has been renamed to `tools: linked`. This option specifies that the Action should use the tools shipped at the same time as the Action. The old name will continue to work for backwards compatibility, but we recommend that new workflows use the new name. [#2281](https://github.com/github/codeql-action/pull/2281)
 
 ## 2.25.4 - 08 May 2024
 

init/action.yml

@@ -3,9 +3,19 @@ description: 'Set up CodeQL'
 author: 'GitHub'
 inputs:
   tools:
-    description: URL of CodeQL tools
+    description: >-
+      By default, the Action will use the recommended version of the CodeQL
+      Bundle to analyze your project. You can override this choice using this
+      input. One of:
+
+      - A local path to a CodeQL Bundle tarball, or
+      - The URL of a CodeQL Bundle tarball GitHub release asset, or
+      - A special value `linked` which uses the version of the CodeQL tools
+        that the Action has been bundled with.
+
+      If not specified, the Action will check in several places until it finds
+      the CodeQL tools.
     required: false
-    # If not specified the Action will check in several places until it finds the CodeQL tools.
   languages:
     description: >-
       A comma-separated list of CodeQL languages to analyze.
@@ -26,10 +36,7 @@ inputs:
       - `none`:      The database will be created without building the source code.
                      Available for all interpreted languages and some compiled languages.
       - `autobuild`: The database will be created by attempting to automatically build the source
-                     code.
-                     To use this build mode, ensure that your workflow calls the `autobuild` action
-                     between the `init` and `analyze` steps.
-                     Available for all compiled languages.
+                     code. Available for all compiled languages.
       - `manual`:   The database will be created by building the source code using a manually
                      specified build command. To use this build mode, specify manual build steps in
                      your workflow between the `init` and `analyze` steps. Available for all

lib/actions-util.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getFileType = exports.FileCmdNotFoundError = exports.getWorkflowRunAttempt = exports.getWorkflowRunID = exports.getUploadValue = exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.getWorkflowEventName = exports.getActionVersion = exports.getRef = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
+exports.isSelfHostedRunner = exports.getFileType = exports.FileCmdNotFoundError = exports.getWorkflowRunAttempt = exports.getWorkflowRunID = exports.getUploadValue = exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getWorkflowEvent = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.getWorkflowEventName = exports.getActionVersion = exports.getRef = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
@@ -275,6 +275,7 @@ function getWorkflowEvent() {
         throw new Error(`Unable to read workflow event JSON from ${eventJsonFile}: ${e}`);
     }
 }
+exports.getWorkflowEvent = getWorkflowEvent;
 function removeRefsHeadsPrefix(ref) {
     return ref.startsWith("refs/heads/") ? ref.slice("refs/heads/".length) : ref;
 }
@@ -424,4 +425,8 @@ const getFileType = async (filePath) => {
     }
 };
 exports.getFileType = getFileType;
+function isSelfHostedRunner() {
+    return process.env.RUNNER_ENVIRONMENT === "self-hosted";
+}
+exports.isSelfHostedRunner = isSelfHostedRunner;
 //# sourceMappingURL=actions-util.js.map

lib/analyze-action.js

@@ -48,7 +48,7 @@ const status_report_1 = require("./status-report");
 const trap_caching_1 = require("./trap-caching");
 const uploadLib = __importStar(require("./upload-lib"));
 const util = __importStar(require("./util"));
-async function sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger) {
+async function sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, trapCacheCleanup, logger) {
     const status = (0, status_report_1.getActionsStatus)(error, stats?.analyze_failure_language);
     const statusReportBase = await (0, status_report_1.createStatusReportBase)(status_report_1.ActionName.Analyze, status, startedAt, config, await util.checkDiskUsage(), logger, error?.message, error?.stack);
     if (statusReportBase !== undefined) {
@@ -56,6 +56,7 @@ async function sendStatusReport(startedAt, config, stats, error, trapCacheUpload
             ...statusReportBase,
             ...(stats || {}),
             ...(dbCreationTimings || {}),
+            ...(trapCacheCleanup || {}),
         };
         if (config && didUploadTrapCaches) {
             const trapCacheUploadStatusReport = {
@@ -141,6 +142,7 @@ async function run() {
     let uploadResult = undefined;
     let runStats = undefined;
     let config = undefined;
+    let trapCacheCleanupTelemetry = undefined;
     let trapCacheUploadTime = undefined;
     let dbCreationTimings = undefined;
     let didUploadTrapCaches = false;
@@ -196,6 +198,8 @@ async function run() {
         const trapCacheUploadStartTime = perf_hooks_1.performance.now();
         didUploadTrapCaches = await (0, trap_caching_1.uploadTrapCaches)(codeql, config, logger);
         trapCacheUploadTime = perf_hooks_1.performance.now() - trapCacheUploadStartTime;
+        // Clean up TRAP caches
+        trapCacheCleanupTelemetry = await (0, trap_caching_1.cleanupTrapCaches)(config, features, logger);
         // We don't upload results in test mode, so don't wait for processing
         if (util.isInTestMode()) {
             logger.debug("In test mode. Waiting for processing is disabled.");
@@ -218,10 +222,10 @@ async function run() {
         }
         if (error instanceof analyze_1.CodeQLAnalysisError) {
             const stats = { ...error.queriesStatusReport };
-            await sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
+            await sendStatusReport(startedAt, config, stats, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, trapCacheCleanupTelemetry, logger);
         }
         else {
-            await sendStatusReport(startedAt, config, undefined, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
+            await sendStatusReport(startedAt, config, undefined, error, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, trapCacheCleanupTelemetry, logger);
         }
         return;
     }
@@ -229,13 +233,13 @@ async function run() {
         await sendStatusReport(startedAt, config, {
             ...runStats,
             ...uploadResult.statusReport,
-        }, undefined, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
+        }, undefined, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, trapCacheCleanupTelemetry, logger);
     }
     else if (runStats) {
-        await sendStatusReport(startedAt, config, { ...runStats }, undefined, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
+        await sendStatusReport(startedAt, config, { ...runStats }, undefined, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, trapCacheCleanupTelemetry, logger);
     }
     else {
-        await sendStatusReport(startedAt, config, undefined, undefined, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, logger);
+        await sendStatusReport(startedAt, config, undefined, undefined, trapCacheUploadTime, dbCreationTimings, didUploadTrapCaches, trapCacheCleanupTelemetry, logger);
     }
 }
 exports.runPromise = run();

lib/api-client.js

@@ -26,12 +26,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.wrapApiConfigurationError = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.getWorkflowRelativePath = exports.getGitHubVersion = exports.getGitHubVersionFromApi = exports.getApiClientWithExternalAuth = exports.getApiClient = exports.getApiDetails = exports.DisallowedAPIVersionReason = void 0;
+exports.wrapApiConfigurationError = exports.deleteActionsCache = exports.listActionsCaches = exports.computeAutomationID = exports.getAutomationID = exports.getAnalysisKey = exports.getWorkflowRelativePath = exports.getGitHubVersion = exports.getGitHubVersionFromApi = exports.getApiClientWithExternalAuth = exports.getApiClient = exports.getApiDetails = exports.DisallowedAPIVersionReason = void 0;
 const core = __importStar(require("@actions/core"));
 const githubUtils = __importStar(require("@actions/github/lib/utils"));
 const retry = __importStar(require("@octokit/plugin-retry"));
 const console_log_level_1 = __importDefault(require("console-log-level"));
 const actions_util_1 = require("./actions-util");
+const repository_1 = require("./repository");
 const util_1 = require("./util");
 const GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
 var DisallowedAPIVersionReason;
@@ -163,6 +164,27 @@ function computeAutomationID(analysis_key, environment) {
     return automationID;
 }
 exports.computeAutomationID = computeAutomationID;
+/** List all Actions cache entries matching the provided key and ref. */
+async function listActionsCaches(key, ref) {
+    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    return await getApiClient().paginate("GET /repos/{owner}/{repo}/actions/caches", {
+        owner: repositoryNwo.owner,
+        repo: repositoryNwo.repo,
+        key,
+        ref,
+    });
+}
+exports.listActionsCaches = listActionsCaches;
+/** Delete an Actions cache item by its ID. */
+async function deleteActionsCache(id) {
+    const repositoryNwo = (0, repository_1.parseRepositoryNwo)((0, util_1.getRequiredEnvParam)("GITHUB_REPOSITORY"));
+    await getApiClient().rest.actions.deleteActionsCacheById({
+        owner: repositoryNwo.owner,
+        repo: repositoryNwo.repo,
+        cache_id: id,
+    });
+}
+exports.deleteActionsCache = deleteActionsCache;
 function wrapApiConfigurationError(e) {
     if ((0, util_1.isHTTPError)(e)) {
         if (e.message.includes("API rate limit exceeded for site ID installation") ||

lib/api-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AACtC,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAoE;AACpE,iCASgB;AAEhB,MAAM,gCAAgC,GAAG,6BAA6B,CAAC;AAEvE,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,0CAA1B,0BAA0B,QAGrC;AAiBD,SAAS,0BAA0B,CACjC,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,UAAU,CAAC,MAAM;QAC1B,SAAS,EAAE,iBAAiB,IAAA,+BAAgB,GAAE,EAAE;QAChD,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,SAAgB,aAAa;IAC3B,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;QAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAND,sCAMC;AAED,SAAgB,YAAY;IAC1B,OAAO,0BAA0B,CAAC,aAAa,EAAE,CAAC,CAAC;AACrD,CAAC;AAFD,oCAEC;AAED,SAAgB,4BAA4B,CAC1C,UAAoC;IAEpC,OAAO,0BAA0B,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;AACzE,CAAC;AAJD,oEAIC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAExD,KAAK,UAAU,uBAAuB,CAC3C,SAAc,EACd,UAA4B;IAE5B,iEAAiE;IACjE,IAAI,IAAA,qBAAc,EAAC,UAAU,CAAC,GAAG,CAAC,KAAK,wBAAiB,EAAE,CAAC;QACzD,OAAO,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,CAAC;IACxC,CAAC;IAED,8DAA8D;IAC9D,mEAAmE;IACnE,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;IAEjD,8EAA8E;IAC9E,wEAAwE;IACxE,IAAI,QAAQ,CAAC,OAAO,CAAC,gCAAgC,CAAC,KAAK,SAAS,EAAE,CAAC;QACrE,OAAO,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,CAAC;IACxC,CAAC;IAED,IAAI,QAAQ,CAAC,OAAO,CAAC,gCAAgC,CAAC,KAAK,SAAS,EAAE,CAAC;QACrE,OAAO,EAAE,IAAI,EAAE,oBAAa,CAAC,UAAU,EAAE,CAAC;IAC5C,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,gCAAgC,CAAW,CAAC;IAC7E,OAAO,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/C,CAAC;AAzBD,0DAyBC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,gBAAgB;IACpC,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;QACtC,mBAAmB,GAAG,MAAM,uBAAuB,CACjD,YAAY,EAAE,EACd,aAAa,EAAE,CAChB,CAAC;IACJ,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,4CAQC;AAED;;GAEG;AACI,KAAK,UAAU,uBAAuB;IAC3C,MAAM,QAAQ,GAAG,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACrE,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IACzB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAA,0BAAmB,EAAC,eAAe,CAAC,CAAC,CAAC;IAE5D,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,OAAO,CAC1C,yEAAyE,EACzE;QACE,KAAK;QACL,IAAI;QACJ,MAAM;KACP,CACF,CAAC;IACF,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC;IAEnD,MAAM,gBAAgB,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,OAAO,WAAW,EAAE,CAAC,CAAC;IAEvE,OAAO,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;AACpC,CAAC;AApBD,0DAoBC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,cAAc;IAClC,MAAM,iBAAiB,GAAG,4BAA4B,CAAC;IAEvD,IAAI,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACjD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,uBAAuB,EAAE,CAAC;IACrD,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAElD,WAAW,GAAG,GAAG,YAAY,IAAI,OAAO,EAAE,CAAC;IAC3C,IAAI,CAAC,cAAc,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;IACpD,OAAO,WAAW,CAAC;AACrB,CAAC;AAdD,wCAcC;AAEM,KAAK,UAAU,eAAe;IACnC,MAAM,YAAY,GAAG,MAAM,cAAc,EAAE,CAAC;IAC5C,MAAM,WAAW,GAAG,IAAA,+BAAgB,EAAC,QAAQ,CAAC,CAAC;IAE/C,OAAO,mBAAmB,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;AACxD,CAAC;AALD,0CAKC;AAED,SAAgB,mBAAmB,CACjC,YAAoB,EACpB,WAA+B;IAE/B,IAAI,YAAY,GAAG,GAAG,YAAY,GAAG,CAAC;IAEtC,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,uDAAuD;QACvD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YAClD,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACjC,YAAY,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACN,qDAAqD;gBACrD,6CAA6C;gBAC7C,YAAY,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AArBD,kDAqBC;AAED,SAAgB,yBAAyB,CAAC,CAAU;IAClD,IAAI,IAAA,kBAAW,EAAC,CAAC,CAAC,EAAE,CAAC;QACnB,IACE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,kDAAkD,CAAC;YACtE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;YACtC,uCAAuC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EACvD,CAAC;YACD,OAAO,IAAI,yBAAkB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAXD,8DAWC"}
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AACtC,uEAAyD;AACzD,6DAA+C;AAC/C,0EAAgD;AAEhD,iDAAoE;AACpE,6CAAkD;AAClD,iCASgB;AAEhB,MAAM,gCAAgC,GAAG,6BAA6B,CAAC;AAEvE,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,0CAA1B,0BAA0B,QAGrC;AAiBD,SAAS,0BAA0B,CACjC,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAE9B,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,OAAO,IAAI,eAAe,CACxB,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,UAAU,CAAC,MAAM;QAC1B,SAAS,EAAE,iBAAiB,IAAA,+BAAgB,GAAE,EAAE;QAChD,GAAG,EAAE,IAAA,2BAAe,EAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,SAAgB,aAAa;IAC3B,OAAO;QACL,IAAI,EAAE,IAAA,+BAAgB,EAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,IAAA,0BAAmB,EAAC,mBAAmB,CAAC;QAC7C,MAAM,EAAE,IAAA,0BAAmB,EAAC,gBAAgB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAND,sCAMC;AAED,SAAgB,YAAY;IAC1B,OAAO,0BAA0B,CAAC,aAAa,EAAE,CAAC,CAAC;AACrD,CAAC;AAFD,oCAEC;AAED,SAAgB,4BAA4B,CAC1C,UAAoC;IAEpC,OAAO,0BAA0B,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;AACzE,CAAC;AAJD,oEAIC;AAED,IAAI,mBAAmB,GAA8B,SAAS,CAAC;AAExD,KAAK,UAAU,uBAAuB,CAC3C,SAAc,EACd,UAA4B;IAE5B,iEAAiE;IACjE,IAAI,IAAA,qBAAc,EAAC,UAAU,CAAC,GAAG,CAAC,KAAK,wBAAiB,EAAE,CAAC;QACzD,OAAO,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,CAAC;IACxC,CAAC;IAED,8DAA8D;IAC9D,mEAAmE;IACnE,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;IAEjD,8EAA8E;IAC9E,wEAAwE;IACxE,IAAI,QAAQ,CAAC,OAAO,CAAC,gCAAgC,CAAC,KAAK,SAAS,EAAE,CAAC;QACrE,OAAO,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE,CAAC;IACxC,CAAC;IAED,IAAI,QAAQ,CAAC,OAAO,CAAC,gCAAgC,CAAC,KAAK,SAAS,EAAE,CAAC;QACrE,OAAO,EAAE,IAAI,EAAE,oBAAa,CAAC,UAAU,EAAE,CAAC;IAC5C,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,gCAAgC,CAAW,CAAC;IAC7E,OAAO,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/C,CAAC;AAzBD,0DAyBC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,gBAAgB;IACpC,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;QACtC,mBAAmB,GAAG,MAAM,uBAAuB,CACjD,YAAY,EAAE,EACd,aAAa,EAAE,CAChB,CAAC;IACJ,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AARD,4CAQC;AAED;;GAEG;AACI,KAAK,UAAU,uBAAuB;IAC3C,MAAM,QAAQ,GAAG,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACrE,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IACzB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAA,0BAAmB,EAAC,eAAe,CAAC,CAAC,CAAC;IAE5D,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,OAAO,CAC1C,yEAAyE,EACzE;QACE,KAAK;QACL,IAAI;QACJ,MAAM;KACP,CACF,CAAC;IACF,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC;IAEnD,MAAM,gBAAgB,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,OAAO,WAAW,EAAE,CAAC,CAAC;IAEvE,OAAO,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;AACpC,CAAC;AApBD,0DAoBC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,cAAc;IAClC,MAAM,iBAAiB,GAAG,4BAA4B,CAAC;IAEvD,IAAI,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACjD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,uBAAuB,EAAE,CAAC;IACrD,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAElD,WAAW,GAAG,GAAG,YAAY,IAAI,OAAO,EAAE,CAAC;IAC3C,IAAI,CAAC,cAAc,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;IACpD,OAAO,WAAW,CAAC;AACrB,CAAC;AAdD,wCAcC;AAEM,KAAK,UAAU,eAAe;IACnC,MAAM,YAAY,GAAG,MAAM,cAAc,EAAE,CAAC;IAC5C,MAAM,WAAW,GAAG,IAAA,+BAAgB,EAAC,QAAQ,CAAC,CAAC;IAE/C,OAAO,mBAAmB,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;AACxD,CAAC;AALD,0CAKC;AAED,SAAgB,mBAAmB,CACjC,YAAoB,EACpB,WAA+B;IAE/B,IAAI,YAAY,GAAG,GAAG,YAAY,GAAG,CAAC;IAEtC,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,uDAAuD;QACvD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YAClD,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACjC,YAAY,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACN,qDAAqD;gBACrD,6CAA6C;gBAC7C,YAAY,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AArBD,kDAqBC;AASD,wEAAwE;AACjE,KAAK,UAAU,iBAAiB,CACrC,GAAW,EACX,GAAW;IAEX,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;IAEF,OAAO,MAAM,YAAY,EAAE,CAAC,QAAQ,CAClC,0CAA0C,EAC1C;QACE,KAAK,EAAE,aAAa,CAAC,KAAK;QAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;QACxB,GAAG;QACH,GAAG;KACJ,CACF,CAAC;AACJ,CAAC;AAjBD,8CAiBC;AAED,8CAA8C;AACvC,KAAK,UAAU,kBAAkB,CAAC,EAAU;IACjD,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;IAEF,MAAM,YAAY,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,sBAAsB,CAAC;QACvD,KAAK,EAAE,aAAa,CAAC,KAAK;QAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;QACxB,QAAQ,EAAE,EAAE;KACb,CAAC,CAAC;AACL,CAAC;AAVD,gDAUC;AAED,SAAgB,yBAAyB,CAAC,CAAU;IAClD,IAAI,IAAA,kBAAW,EAAC,CAAC,CAAC,EAAE,CAAC;QACnB,IACE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,kDAAkD,CAAC;YACtE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;YACtC,uCAAuC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EACvD,CAAC;YACD,OAAO,IAAI,yBAAkB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAXD,8DAWC"}

lib/api-compatibility.json

@@ -1 +1 @@
-{ "maximumVersion": "3.13", "minimumVersion": "3.9" }
+{ "maximumVersion": "3.14", "minimumVersion": "3.9" }

lib/cli-errors.js

@@ -117,10 +117,10 @@ function ensureEndsInPeriod(text) {
 var CliConfigErrorCategory;
 (function (CliConfigErrorCategory) {
     CliConfigErrorCategory["ExternalRepositoryCloneFailed"] = "ExternalRepositoryCloneFailed";
-    CliConfigErrorCategory["GracefulOutOfMemory"] = "GracefulOutOfMemory";
     CliConfigErrorCategory["GradleBuildFailed"] = "GradleBuildFailed";
     CliConfigErrorCategory["IncompatibleWithActionVersion"] = "IncompatibleWithActionVersion";
     CliConfigErrorCategory["InitCalledTwice"] = "InitCalledTwice";
+    CliConfigErrorCategory["InvalidConfigFile"] = "InvalidConfigFile";
     CliConfigErrorCategory["InvalidSourceRoot"] = "InvalidSourceRoot";
     CliConfigErrorCategory["MavenBuildFailed"] = "MavenBuildFailed";
     CliConfigErrorCategory["NoBuildCommandAutodetected"] = "NoBuildCommandAutodetected";
@@ -128,7 +128,9 @@ var CliConfigErrorCategory;
     CliConfigErrorCategory["NoSourceCodeSeen"] = "NoSourceCodeSeen";
     CliConfigErrorCategory["NoSupportedBuildCommandSucceeded"] = "NoSupportedBuildCommandSucceeded";
     CliConfigErrorCategory["NoSupportedBuildSystemDetected"] = "NoSupportedBuildSystemDetected";
+    CliConfigErrorCategory["OutOfMemoryOrDisk"] = "OutOfMemoryOrDisk";
     CliConfigErrorCategory["PackCannotBeFound"] = "PackCannotBeFound";
+    CliConfigErrorCategory["PackMissingAuth"] = "PackMissingAuth";
     CliConfigErrorCategory["SwiftBuildFailed"] = "SwiftBuildFailed";
     CliConfigErrorCategory["UnsupportedBuildMode"] = "UnsupportedBuildMode";
 })(CliConfigErrorCategory || (exports.CliConfigErrorCategory = CliConfigErrorCategory = {}));
@@ -142,9 +144,6 @@ exports.cliErrorsConfig = {
             new RegExp("Failed to clone external Git repository"),
         ],
     },
-    [CliConfigErrorCategory.GracefulOutOfMemory]: {
-        cliErrorMessageCandidates: [new RegExp("CodeQL is out of memory.")],
-    },
     [CliConfigErrorCategory.GradleBuildFailed]: {
         cliErrorMessageCandidates: [
             new RegExp("[autobuild] FAILURE: Build failed with an exception."),
@@ -162,6 +161,12 @@ exports.cliErrorsConfig = {
         ],
         additionalErrorMessageToAppend: `Is the "init" action called twice in the same job?`,
     },
+    [CliConfigErrorCategory.InvalidConfigFile]: {
+        cliErrorMessageCandidates: [
+            new RegExp("Config file .* is not valid"),
+            new RegExp("The supplied config file is empty"),
+        ],
+    },
     // Expected source location for database creation does not exist
     [CliConfigErrorCategory.InvalidSourceRoot]: {
         cliErrorMessageCandidates: [new RegExp("Invalid source root")],
@@ -200,11 +205,25 @@ exports.cliErrorsConfig = {
             new RegExp("No supported build system detected"),
         ],
     },
+    [CliConfigErrorCategory.OutOfMemoryOrDisk]: {
+        cliErrorMessageCandidates: [
+            new RegExp("CodeQL is out of memory."),
+            new RegExp("out of disk"),
+            new RegExp("No space left on device"),
+        ],
+        additionalErrorMessageToAppend: "For more information, see https://gh.io/troubleshooting-code-scanning/out-of-disk-or-memory",
+    },
     [CliConfigErrorCategory.PackCannotBeFound]: {
         cliErrorMessageCandidates: [
             new RegExp("Query pack .* cannot be found\\. Check the spelling of the pack\\."),
         ],
     },
+    [CliConfigErrorCategory.PackMissingAuth]: {
+        cliErrorMessageCandidates: [
+            new RegExp("GitHub Container registry .* 403 Forbidden"),
+            new RegExp("Do you need to specify a token to authenticate to the registry?"),
+        ],
+    },
     [CliConfigErrorCategory.SwiftBuildFailed]: {
         cliErrorMessageCandidates: [
             new RegExp("\\[autobuilder/build\\] \\[build-command-failed\\] `autobuild` failed to run the build command"),

lib/codeql.js

@@ -283,10 +283,13 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             else if (await util.codeQlVersionAtLeast(this, exports.CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE)) {
                 extraArgs.push("--no-sublanguage-file-coverage");
             }
+            const overwriteFlag = (0, tools_features_1.isSupportedToolsFeature)(await this.getVersion(), tools_features_1.ToolsFeature.ForceOverwrite)
+                ? "--force-overwrite"
+                : "--overwrite";
             await runTool(cmd, [
                 "database",
                 "init",
-                "--overwrite",
+                overwriteFlag,
                 "--db-cluster",
                 config.dbLocation,
                 `--source-root=${sourceRoot}`,
@@ -340,6 +343,8 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                     "database",
                     "trace-command",
                     "--use-build-mode",
+                    "--working-dir",
+                    process.cwd(),
                     ...(await getTrapCachingExtractorConfigArgsForLang(config, language)),
                     ...getExtractionVerbosityArguments(config.debugMode),
                     ...getExtraOptionsFromEnv(["database", "trace-command"]),

lib/config-utils.js

@@ -674,6 +674,11 @@ async function parseBuildModeInput(input, languages, features, logger) {
     if (!Object.values(util_1.BuildMode).includes(input)) {
         throw new util_1.ConfigurationError(`Invalid build mode: '${input}'. Supported build modes are: ${Object.values(util_1.BuildMode).join(", ")}.`);
     }
+    if (languages.includes(languages_1.Language.csharp) &&
+        (await features.getValue(feature_flags_1.Feature.DisableCsharpBuildless))) {
+        logger.warning("Scanning C# code without a build is temporarily unavailable. Falling back to 'autobuild' build mode.");
+        return util_1.BuildMode.Autobuild;
+    }
     if (languages.includes(languages_1.Language.java) &&
         (await features.getValue(feature_flags_1.Feature.DisableJavaBuildlessEnabled))) {
         logger.warning("Scanning Java code without a build is temporarily unavailable. Falling back to 'autobuild' build mode.");

lib/config-utils.test.js

@@ -764,27 +764,40 @@ const mockRepositoryNwo = (0, repository_1.parseRepositoryNwo)("owner/repo");
         t.deepEqual(mockRequest.called, args.expectedApiCall);
     });
 });
-(0, ava_1.default)("Build mode not overridden when disable Java buildless feature flag disabled", async (t) => {
-    const messages = [];
-    const buildMode = await configUtils.parseBuildModeInput("none", [languages_1.Language.java], (0, testing_utils_1.createFeatures)([]), (0, testing_utils_1.getRecordingLogger)(messages));
-    t.is(buildMode, util_1.BuildMode.None);
-    t.deepEqual(messages, []);
-});
-(0, ava_1.default)("Build mode not overridden for other languages", async (t) => {
-    const messages = [];
-    const buildMode = await configUtils.parseBuildModeInput("none", [languages_1.Language.python], (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.DisableJavaBuildlessEnabled]), (0, testing_utils_1.getRecordingLogger)(messages));
-    t.is(buildMode, util_1.BuildMode.None);
-    t.deepEqual(messages, []);
-});
-(0, ava_1.default)("Build mode overridden when analyzing Java and disable Java buildless feature flag enabled", async (t) => {
-    const messages = [];
-    const buildMode = await configUtils.parseBuildModeInput("none", [languages_1.Language.java], (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.DisableJavaBuildlessEnabled]), (0, testing_utils_1.getRecordingLogger)(messages));
-    t.is(buildMode, util_1.BuildMode.Autobuild);
-    t.deepEqual(messages, [
-        {
-            message: "Scanning Java code without a build is temporarily unavailable. Falling back to 'autobuild' build mode.",
-            type: "warning",
-        },
-    ]);
-});
+for (const { displayName, language, feature } of [
+    {
+        displayName: "Java",
+        language: languages_1.Language.java,
+        feature: feature_flags_1.Feature.DisableJavaBuildlessEnabled,
+    },
+    {
+        displayName: "C#",
+        language: languages_1.Language.csharp,
+        feature: feature_flags_1.Feature.DisableCsharpBuildless,
+    },
+]) {
+    (0, ava_1.default)(`Build mode not overridden when disable ${displayName} buildless feature flag disabled`, async (t) => {
+        const messages = [];
+        const buildMode = await configUtils.parseBuildModeInput("none", [language], (0, testing_utils_1.createFeatures)([]), (0, testing_utils_1.getRecordingLogger)(messages));
+        t.is(buildMode, util_1.BuildMode.None);
+        t.deepEqual(messages, []);
+    });
+    (0, ava_1.default)(`Build mode not overridden for other languages when disable ${displayName} buildless feature flag enabled`, async (t) => {
+        const messages = [];
+        const buildMode = await configUtils.parseBuildModeInput("none", [languages_1.Language.python], (0, testing_utils_1.createFeatures)([feature]), (0, testing_utils_1.getRecordingLogger)(messages));
+        t.is(buildMode, util_1.BuildMode.None);
+        t.deepEqual(messages, []);
+    });
+    (0, ava_1.default)(`Build mode overridden when analyzing ${displayName} and disable ${displayName} buildless feature flag enabled`, async (t) => {
+        const messages = [];
+        const buildMode = await configUtils.parseBuildModeInput("none", [language], (0, testing_utils_1.createFeatures)([feature]), (0, testing_utils_1.getRecordingLogger)(messages));
+        t.is(buildMode, util_1.BuildMode.Autobuild);
+        t.deepEqual(messages, [
+            {
+                message: `Scanning ${displayName} code without a build is temporarily unavailable. Falling back to 'autobuild' build mode.`,
+                type: "warning",
+            },
+        ]);
+    });
+}
 //# sourceMappingURL=config-utils.test.js.map

lib/database-upload.js

@@ -35,9 +35,14 @@ async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
         logger.debug("Database upload disabled in workflow. Skipping upload.");
         return;
     }
+    if (util.isInTestMode()) {
+        logger.debug("In test mode. Skipping database upload.");
+        return;
+    }
     // Do nothing when not running against github.com
-    if (config.gitHubVersion.type !== util.GitHubVariant.DOTCOM) {
-        logger.debug("Not running against github.com. Skipping upload.");
+    if (config.gitHubVersion.type !== util.GitHubVariant.DOTCOM &&
+        config.gitHubVersion.type !== util.GitHubVariant.GHE_DOTCOM) {
+        logger.debug("Not running against github.com or GHEC-DR. Skipping upload.");
         return;
     }
     if (!(await actionsUtil.isAnalyzingDefaultBranch())) {
@@ -47,6 +52,14 @@ async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
     }
     const client = (0, api_client_1.getApiClient)();
     const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
+    const uploadsUrl = new URL((0, util_1.parseGitHubUrl)(apiDetails.url));
+    uploadsUrl.hostname = `uploads.${uploadsUrl.hostname}`;
+    // Octokit expects the baseUrl to not have a trailing slash,
+    // but it is included by default in a URL.
+    let uploadsBaseUrl = uploadsUrl.toString();
+    if (uploadsBaseUrl.endsWith("/")) {
+        uploadsBaseUrl = uploadsBaseUrl.slice(0, -1);
+    }
     for (const language of config.languages) {
         try {
             // Upload the database bundle.
@@ -58,7 +71,8 @@ async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
             const bundledDbReadStream = fs.createReadStream(bundledDb);
             const commitOid = await actionsUtil.getCommitOid(actionsUtil.getRequiredInput("checkout_path"));
             try {
-                await client.request(`POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name&commit_oid=:commit_oid`, {
+                await client.request(`POST /repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name&commit_oid=:commit_oid`, {
+                    baseUrl: uploadsBaseUrl,
                     owner: repositoryNwo.owner,
                     repo: repositoryNwo.repo,
                     language,

lib/database-upload.js.map

@@ -1 +1 @@
-{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE,CAAC;QAC/D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,CAAC;QAC5D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;IACT,CAAC;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE,CAAC;QACpD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,GAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,8BAA8B;YAC9B,2EAA2E;YAC3E,8EAA8E;YAC9E,wEAAwE;YACxE,MAAM,SAAS,GAAG,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YACrE,MAAM,aAAa,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;YAClD,MAAM,mBAAmB,GAAG,EAAE,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YAC3D,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,YAAY,CAC9C,WAAW,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAC9C,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,OAAO,CAClB,+HAA+H,EAC/H;oBACE,KAAK,EAAE,aAAa,CAAC,KAAK;oBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,QAAQ;oBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;oBAC5B,UAAU,EAAE,SAAS;oBACrB,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;wBACzC,cAAc,EAAE,iBAAiB;wBACjC,gBAAgB,EAAE,aAAa;qBAChC;iBACF,CACF,CAAC;gBACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;YACjE,CAAC;oBAAS,CAAC;gBACT,mBAAmB,CAAC,KAAK,EAAE,CAAC;YAC9B,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;AACH,CAAC;AAjED,0CAiEC"}
+{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkD;AAE3C,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE,CAAC;QAC/D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,IAAI,IAAI,CAAC,YAAY,EAAE,EAAE,CAAC;QACxB,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,iDAAiD;IACjD,IACE,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM;QACvD,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,UAAU,EAC3D,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;QAC5E,OAAO;IACT,CAAC;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE,CAAC;QACpD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,GAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAA,qBAAc,EAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3D,UAAU,CAAC,QAAQ,GAAG,WAAW,UAAU,CAAC,QAAQ,EAAE,CAAC;IAEvD,4DAA4D;IAC5D,0CAA0C;IAC1C,IAAI,cAAc,GAAG,UAAU,CAAC,QAAQ,EAAE,CAAC;IAC3C,IAAI,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACjC,cAAc,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,8BAA8B;YAC9B,2EAA2E;YAC3E,8EAA8E;YAC9E,wEAAwE;YACxE,MAAM,SAAS,GAAG,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YACrE,MAAM,aAAa,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;YAClD,MAAM,mBAAmB,GAAG,EAAE,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YAC3D,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,YAAY,CAC9C,WAAW,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAC9C,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,OAAO,CAClB,qGAAqG,EACrG;oBACE,OAAO,EAAE,cAAc;oBACvB,KAAK,EAAE,aAAa,CAAC,KAAK;oBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,QAAQ;oBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;oBAC5B,UAAU,EAAE,SAAS;oBACrB,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;wBACzC,cAAc,EAAE,iBAAiB;wBACjC,gBAAgB,EAAE,aAAa;qBAChC;iBACF,CACF,CAAC;gBACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;YACjE,CAAC;oBAAS,CAAC;gBACT,mBAAmB,CAAC,KAAK,EAAE,CAAC;YAC9B,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;AACH,CAAC;AApFD,0CAoFC"}

lib/database-upload.test.js

@@ -57,7 +57,7 @@ async function mockHttpRequests(databaseUploadStatusCode) {
     // Passing an auth token is required, so we just use a dummy value
     const client = github.getOctokit("123");
     const requestSpy = sinon.stub(client, "request");
-    const url = "POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name&commit_oid=:commit_oid";
+    const url = "POST /repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name&commit_oid=:commit_oid";
     const databaseUploadSpy = requestSpy.withArgs(url);
     if (databaseUploadStatusCode < 300) {
         databaseUploadSpy.resolves(undefined);
@@ -66,6 +66,7 @@ async function mockHttpRequests(databaseUploadStatusCode) {
         databaseUploadSpy.throws(new util_1.HTTPError("some error message", databaseUploadStatusCode));
     }
     sinon.stub(apiClient, "getApiClient").value(() => client);
+    return databaseUploadSpy;
 }
 (0, ava_1.default)("Abort database upload if 'upload-database' input set to false", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
@@ -95,7 +96,8 @@ async function mockHttpRequests(databaseUploadStatusCode) {
         const loggedMessages = [];
         await (0, database_upload_1.uploadDatabases)(testRepoName, config, testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
         t.assert(loggedMessages.find((v) => v.type === "debug" &&
-            v.message === "Not running against github.com. Skipping upload.") !== undefined);
+            v.message ===
+                "Not running against github.com or GHEC-DR. Skipping upload.") !== undefined);
     });
 });
 (0, ava_1.default)("Abort database upload if not analyzing default branch", async (t) => {
@@ -133,7 +135,7 @@ async function mockHttpRequests(databaseUploadStatusCode) {
                 "Failed to upload database for javascript: Error: some error message") !== undefined);
     });
 });
-(0, ava_1.default)("Successfully uploading a database to api.github.com", async (t) => {
+(0, ava_1.default)("Successfully uploading a database to github.com", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
         (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
         sinon
@@ -153,7 +155,7 @@ async function mockHttpRequests(databaseUploadStatusCode) {
             v.message === "Successfully uploaded database for javascript") !== undefined);
     });
 });
-(0, ava_1.default)("Successfully uploading a database to uploads.github.com", async (t) => {
+(0, ava_1.default)("Successfully uploading a database to GHEC-DR", async (t) => {
     await (0, util_1.withTmpDir)(async (tmpDir) => {
         (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
         sinon
@@ -161,16 +163,21 @@ async function mockHttpRequests(databaseUploadStatusCode) {
             .withArgs("upload-database")
             .returns("true");
         sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
-        await mockHttpRequests(201);
+        const databaseUploadSpy = await mockHttpRequests(201);
         (0, codeql_1.setCodeQL)({
             async databaseBundle(_, outputFilePath) {
                 fs.writeFileSync(outputFilePath, "");
             },
         });
         const loggedMessages = [];
-        await (0, database_upload_1.uploadDatabases)(testRepoName, getTestConfig(tmpDir), testApiDetails, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
+        await (0, database_upload_1.uploadDatabases)(testRepoName, getTestConfig(tmpDir), {
+            auth: "1234",
+            url: "https://tenant.ghe.com",
+            apiURL: undefined,
+        }, (0, testing_utils_1.getRecordingLogger)(loggedMessages));
         t.assert(loggedMessages.find((v) => v.type === "debug" &&
             v.message === "Successfully uploaded database for javascript") !== undefined);
+        t.assert(databaseUploadSpy.calledOnceWith(sinon.match.string, sinon.match.has("baseUrl", "https://uploads.tenant.ghe.com")));
     });
 });
 //# sourceMappingURL=database-upload.test.js.map

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.17.2",
-    "cliVersion": "2.17.2",
-    "priorBundleVersion": "codeql-bundle-v2.17.1",
-    "priorCliVersion": "2.17.1"
+    "bundleVersion": "codeql-bundle-v2.17.5",
+    "cliVersion": "2.17.5",
+    "priorBundleVersion": "codeql-bundle-v2.17.4",
+    "priorCliVersion": "2.17.4"
 }

lib/feature-flags.js

@@ -49,10 +49,11 @@ exports.CODEQL_VERSION_FINE_GRAINED_PARALLELISM = "2.15.1";
  */
 var Feature;
 (function (Feature) {
-    Feature["AutobuildDirectTracing"] = "autobuild_direct_tracing";
-    Feature["CombineSarifFilesDeprecationWarning"] = "combine_sarif_files_deprecation_warning_enabled";
+    Feature["AutobuildDirectTracing"] = "autobuild_direct_tracing_v2";
+    Feature["CleanupTrapCaches"] = "cleanup_trap_caches";
     Feature["CppDependencyInstallation"] = "cpp_dependency_installation_enabled";
     Feature["CppTrapCachingEnabled"] = "cpp_trap_caching_enabled";
+    Feature["DisableCsharpBuildless"] = "disable_csharp_buildless";
     Feature["DisableJavaBuildlessEnabled"] = "disable_java_buildless_enabled";
     Feature["DisableKotlinAnalysisEnabled"] = "disable_kotlin_analysis_enabled";
     Feature["ExportDiagnosticsEnabled"] = "export_diagnostics_enabled";
@@ -65,11 +66,9 @@ exports.featureConfig = {
         minimumVersion: undefined,
         toolsFeature: tools_features_1.ToolsFeature.TraceCommandUseBuildMode,
     },
-    [Feature.CombineSarifFilesDeprecationWarning]: {
+    [Feature.CleanupTrapCaches]: {
         defaultValue: false,
-        envVar: "CODEQL_ACTION_COMBINE_SARIF_FILES_DEPRECATION_WARNING",
-        legacyApi: true,
-        // Independent of the CLI version.
+        envVar: "CODEQL_ACTION_CLEANUP_TRAP_CACHES",
         minimumVersion: undefined,
     },
     [Feature.CppDependencyInstallation]: {
@@ -84,6 +83,11 @@ exports.featureConfig = {
         legacyApi: true,
         minimumVersion: "2.16.1",
     },
+    [Feature.DisableCsharpBuildless]: {
+        defaultValue: false,
+        envVar: "CODEQL_ACTION_DISABLE_CSHARP_BUILDLESS",
+        minimumVersion: undefined,
+    },
     [Feature.DisableJavaBuildlessEnabled]: {
         defaultValue: false,
         envVar: "CODEQL_ACTION_DISABLE_JAVA_BUILDLESS",

lib/init-action-post-helper.js

@@ -24,6 +24,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getFinalJobStatus = exports.run = exports.tryUploadSarifIfRunFailed = void 0;
+const fs = __importStar(require("fs"));
 const core = __importStar(require("@actions/core"));
 const github = __importStar(require("@actions/github"));
 const actionsUtil = __importStar(require("./actions-util"));
@@ -134,6 +135,23 @@ async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, p
         await uploadLogsDebugArtifact(config);
         await printDebugLogs(config);
     }
+    if (actionsUtil.isSelfHostedRunner()) {
+        try {
+            fs.rmSync(config.dbLocation, {
+                recursive: true,
+                force: true,
+                maxRetries: 3,
+            });
+            logger.info(`Cleaned up database cluster directory ${config.dbLocation}.`);
+        }
+        catch (e) {
+            logger.warning(`Failed to clean up database cluster directory ${config.dbLocation}. Details: ${e}`);
+        }
+    }
+    else {
+        logger.debug("Skipping cleanup of database cluster directory since we are running on a GitHub-hosted " +
+            "runner which will be automatically cleaned up.");
+    }
     return uploadFailedSarifResult;
 }
 exports.run = run;

lib/init-action.js

@@ -181,6 +181,7 @@ async function run() {
         return;
     }
     try {
+        (0, init_1.cleanupDatabaseClusterDirectory)(config, logger);
         // Forward Go flags
         const goFlags = process.env["GOFLAGS"];
         if (goFlags) {

lib/init.js

@@ -23,17 +23,19 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isSipEnabled = exports.checkInstallPython311 = exports.printPathFiltersWarning = exports.runInit = exports.initConfig = exports.initCodeQL = void 0;
+exports.cleanupDatabaseClusterDirectory = exports.isSipEnabled = exports.checkInstallPython311 = exports.printPathFiltersWarning = exports.runInit = exports.initConfig = exports.initCodeQL = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const exec = __importStar(require("@actions/exec/lib/exec"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const safeWhich = __importStar(require("@chrisgavin/safe-which"));
+const actions_util_1 = require("./actions-util");
 const codeql_1 = require("./codeql");
 const configUtils = __importStar(require("./config-utils"));
 const languages_1 = require("./languages");
 const tools_features_1 = require("./tools-features");
 const tracer_config_1 = require("./tracer-config");
+const util = __importStar(require("./util"));
 async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger) {
     logger.startGroup("Setup CodeQL tools");
     const { codeql, toolsDownloadDurationMs, toolsSource, toolsVersion } = await (0, codeql_1.setupCodeQL)(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, logger, true);
@@ -111,4 +113,39 @@ async function isSipEnabled(logger) {
     }
 }
 exports.isSipEnabled = isSipEnabled;
+function cleanupDatabaseClusterDirectory(config, logger, 
+// We can't stub the fs module in tests, so we allow the caller to override the rmSync function
+// for testing.
+rmSync = fs.rmSync) {
+    if (fs.existsSync(config.dbLocation) &&
+        (fs.statSync(config.dbLocation).isFile() ||
+            fs.readdirSync(config.dbLocation).length)) {
+        logger.warning(`The database cluster directory ${config.dbLocation} must be empty. Attempting to clean it up.`);
+        try {
+            rmSync(config.dbLocation, {
+                force: true,
+                maxRetries: 3,
+                recursive: true,
+            });
+            logger.info(`Cleaned up database cluster directory ${config.dbLocation}.`);
+        }
+        catch (e) {
+            const blurb = `The CodeQL Action requires an empty database cluster directory. ${(0, actions_util_1.getOptionalInput)("db-location")
+                ? `This is currently configured to be ${config.dbLocation}. `
+                : `By default, this is located at ${config.dbLocation}. ` +
+                    "You can customize it using the 'db-location' input to the init Action. "}An attempt was made to clean up the directory, but this failed.`;
+            // Hosted runners are automatically cleaned up, so this error should not occur for hosted runners.
+            if ((0, actions_util_1.isSelfHostedRunner)()) {
+                throw new util.ConfigurationError(`${blurb} This can happen if another process is using the directory or the directory is owned by a different user. ` +
+                    `Please clean up the directory manually and rerun the job. Details: ${util.wrapError(e).message}`);
+            }
+            else {
+                throw new Error(`${blurb} This shouldn't typically happen on hosted runners. ` +
+                    "If you are using an advanced setup, please check your workflow, otherwise we " +
+                    `recommend rerunning the job. Details: ${util.wrapError(e).message}`);
+            }
+        }
+    }
+}
+exports.cleanupDatabaseClusterDirectory = cleanupDatabaseClusterDirectory;
 //# sourceMappingURL=init.js.map

lib/init.js.map

@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,6DAA+C;AAC/C,yEAA2D;AAC3D,kEAAoD;AAGpD,qCAA+C;AAC/C,4DAA8C;AAE9C,2CAA0D;AAG1D,qDAAgD;AAChD,mDAAwE;AAGjE,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,UAA4B,EAC5B,OAAe,EACf,OAA2B,EAC3B,iBAA2C,EAC3C,MAAc;IAOd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,GAClE,MAAM,IAAA,oBAAW,EACf,UAAU,EACV,UAAU,EACV,OAAO,EACP,OAAO,EACP,iBAAiB,EACjB,MAAM,EACN,IAAI,CACL,CAAC;IACJ,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;AACxE,CAAC;AA3BD,gCA2BC;AAEM,KAAK,UAAU,UAAU,CAC9B,MAAoC,EACpC,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAC7B,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACpD,IACE,CAAC,CAAC,MAAM,MAAM,CAAC,eAAe,CAC5B,6BAAY,CAAC,kCAAkC,CAChD,CAAC,EACF,CAAC;QACD,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AAhBD,gCAgBC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B,EAC1B,UAAkB,EAClB,WAA+B,EAC/B,eAAmC,EACnC,UAAoC,EACpC,QAA2B,EAC3B,MAAc;IAEd,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAErD,MAAM,EAAE,oBAAoB,EAAE,YAAY,EAAE,GAC1C,MAAM,WAAW,CAAC,kBAAkB,CAClC,eAAe,EACf,MAAM,CAAC,OAAO,EACd,MAAM,CACP,CAAC;IACJ,MAAM,WAAW,CAAC,eAAe,CAC/B;QACE,YAAY,EAAE,UAAU,CAAC,IAAI;QAC7B,sBAAsB,EAAE,oBAAoB;KAC7C;IAED,0BAA0B;IAC1B,KAAK,IAAI,EAAE,CACT,MAAM,MAAM,CAAC,mBAAmB,CAC9B,MAAM,EACN,UAAU,EACV,WAAW,EACX,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CACJ,CAAC;IACF,OAAO,MAAM,IAAA,uCAAuB,EAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;AACjE,CAAC;AApCD,0BAoCC;AAED,SAAgB,uBAAuB,CACrC,MAA0B,EAC1B,MAAc;IAEd,qEAAqE;IACrE,sEAAsE;IACtE,IACE,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAM;QACrC,MAAM,CAAC,iBAAiB,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;QACnD,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,6BAAiB,CAAC,EAC1C,CAAC;QACD,MAAM,CAAC,OAAO,CACZ,mGAAmG,CACpG,CAAC;IACJ,CAAC;AACH,CAAC;AAfD,0DAeC;AAED;;;GAGG;AACI,KAAK,UAAU,qBAAqB,CACzC,SAAqB,EACrB,MAAc;IAEd,IACE,SAAS,CAAC,QAAQ,CAAC,oBAAQ,CAAC,MAAM,CAAC;QACnC,OAAO,CAAC,QAAQ,KAAK,OAAO;QAC5B,CAAC,CAAC,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,EAAE,iBAAiB,EACxD,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CACzB,SAAS,EACT,iBAAiB,EACjB,oBAAoB,CACrB,CAAC;QACF,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;YACvE,MAAM;SACP,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAlBD,sDAkBC;AAED,uEAAuE;AACvE,mCAAmC;AAC5B,KAAK,UAAU,YAAY,CAAC,MAAM;IACvC,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;QACnE,IAAI,eAAe,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YACnC,IACE,eAAe,CAAC,MAAM,CAAC,QAAQ,CAC7B,8CAA8C,CAC/C,EACD,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IACE,eAAe,CAAC,MAAM,CAAC,QAAQ,CAC7B,+CAA+C,CAChD,EACD,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,CAAC,OAAO,CACZ,mEAAmE,CAAC,EAAE,CACvE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AA1BD,oCA0BC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,6DAA+C;AAC/C,yEAA2D;AAC3D,kEAAoD;AAEpD,iDAAsE;AAEtE,qCAA+C;AAC/C,4DAA8C;AAE9C,2CAA0D;AAG1D,qDAAgD;AAChD,mDAAwE;AACxE,6CAA+B;AAExB,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,UAA4B,EAC5B,OAAe,EACf,OAA2B,EAC3B,iBAA2C,EAC3C,MAAc;IAOd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,GAClE,MAAM,IAAA,oBAAW,EACf,UAAU,EACV,UAAU,EACV,OAAO,EACP,OAAO,EACP,iBAAiB,EACjB,MAAM,EACN,IAAI,CACL,CAAC;IACJ,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;AACxE,CAAC;AA3BD,gCA2BC;AAEM,KAAK,UAAU,UAAU,CAC9B,MAAoC,EACpC,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAC7B,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACpD,IACE,CAAC,CAAC,MAAM,MAAM,CAAC,eAAe,CAC5B,6BAAY,CAAC,kCAAkC,CAChD,CAAC,EACF,CAAC;QACD,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AAhBD,gCAgBC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B,EAC1B,UAAkB,EAClB,WAA+B,EAC/B,eAAmC,EACnC,UAAoC,EACpC,QAA2B,EAC3B,MAAc;IAEd,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAErD,MAAM,EAAE,oBAAoB,EAAE,YAAY,EAAE,GAC1C,MAAM,WAAW,CAAC,kBAAkB,CAClC,eAAe,EACf,MAAM,CAAC,OAAO,EACd,MAAM,CACP,CAAC;IACJ,MAAM,WAAW,CAAC,eAAe,CAC/B;QACE,YAAY,EAAE,UAAU,CAAC,IAAI;QAC7B,sBAAsB,EAAE,oBAAoB;KAC7C;IAED,0BAA0B;IAC1B,KAAK,IAAI,EAAE,CACT,MAAM,MAAM,CAAC,mBAAmB,CAC9B,MAAM,EACN,UAAU,EACV,WAAW,EACX,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CACJ,CAAC;IACF,OAAO,MAAM,IAAA,uCAAuB,EAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;AACjE,CAAC;AApCD,0BAoCC;AAED,SAAgB,uBAAuB,CACrC,MAA0B,EAC1B,MAAc;IAEd,qEAAqE;IACrE,sEAAsE;IACtE,IACE,CAAC,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAM;QACrC,MAAM,CAAC,iBAAiB,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;QACnD,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,6BAAiB,CAAC,EAC1C,CAAC;QACD,MAAM,CAAC,OAAO,CACZ,mGAAmG,CACpG,CAAC;IACJ,CAAC;AACH,CAAC;AAfD,0DAeC;AAED;;;GAGG;AACI,KAAK,UAAU,qBAAqB,CACzC,SAAqB,EACrB,MAAc;IAEd,IACE,SAAS,CAAC,QAAQ,CAAC,oBAAQ,CAAC,MAAM,CAAC;QACnC,OAAO,CAAC,QAAQ,KAAK,OAAO;QAC5B,CAAC,CAAC,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,EAAE,iBAAiB,EACxD,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CACzB,SAAS,EACT,iBAAiB,EACjB,oBAAoB,CACrB,CAAC;QACF,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;YACvE,MAAM;SACP,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAlBD,sDAkBC;AAED,uEAAuE;AACvE,mCAAmC;AAC5B,KAAK,UAAU,YAAY,CAAC,MAAM;IACvC,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;QACnE,IAAI,eAAe,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YACnC,IACE,eAAe,CAAC,MAAM,CAAC,QAAQ,CAC7B,8CAA8C,CAC/C,EACD,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IACE,eAAe,CAAC,MAAM,CAAC,QAAQ,CAC7B,+CAA+C,CAChD,EACD,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,CAAC,OAAO,CACZ,mEAAmE,CAAC,EAAE,CACvE,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AA1BD,oCA0BC;AAED,SAAgB,+BAA+B,CAC7C,MAA0B,EAC1B,MAAc;AACd,+FAA+F;AAC/F,eAAe;AACf,MAAM,GAAG,EAAE,CAAC,MAAM;IAElB,IACE,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC;QAChC,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE;YACtC,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,EAC3C,CAAC;QACD,MAAM,CAAC,OAAO,CACZ,kCAAkC,MAAM,CAAC,UAAU,4CAA4C,CAChG,CAAC;QACF,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE;gBACxB,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,CAAC;gBACb,SAAS,EAAE,IAAI;aAChB,CAAC,CAAC;YAEH,MAAM,CAAC,IAAI,CACT,yCAAyC,MAAM,CAAC,UAAU,GAAG,CAC9D,CAAC;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,KAAK,GAAG,mEACZ,IAAA,+BAAgB,EAAC,aAAa,CAAC;gBAC7B,CAAC,CAAC,sCAAsC,MAAM,CAAC,UAAU,IAAI;gBAC7D,CAAC,CAAC,kCAAkC,MAAM,CAAC,UAAU,IAAI;oBACvD,yEACN,iEAAiE,CAAC;YAElE,kGAAkG;YAClG,IAAI,IAAA,iCAAkB,GAAE,EAAE,CAAC;gBACzB,MAAM,IAAI,IAAI,CAAC,kBAAkB,CAC/B,GAAG,KAAK,4GAA4G;oBAClH,sEACE,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OACpB,EAAE,CACL,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,KAAK,CACb,GAAG,KAAK,sDAAsD;oBAC5D,+EAA+E;oBAC/E,yCACE,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OACpB,EAAE,CACL,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AApDD,0EAoDC"}

lib/init.test.js

@@ -1,12 +1,38 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
+const path_1 = __importDefault(require("path"));
 const ava_1 = __importDefault(require("ava"));
 const init_1 = require("./init");
 const languages_1 = require("./languages");
 const testing_utils_1 = require("./testing-utils");
+const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
 (0, ava_1.default)("printPathFiltersWarning does not trigger when 'paths' and 'paths-ignore' are undefined", async (t) => {
     const messages = [];
@@ -24,4 +50,61 @@ const testing_utils_1 = require("./testing-utils");
     }, (0, testing_utils_1.getRecordingLogger)(messages));
     t.is(messages.length, 0);
 });
+(0, ava_1.default)("cleanupDatabaseClusterDirectory cleans up where possible", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        const dbLocation = path_1.default.resolve(tmpDir, "dbs");
+        fs.mkdirSync(dbLocation, { recursive: true });
+        const fileToCleanUp = path_1.default.resolve(dbLocation, "something-to-cleanup.txt");
+        fs.writeFileSync(fileToCleanUp, "");
+        const messages = [];
+        (0, init_1.cleanupDatabaseClusterDirectory)((0, testing_utils_1.createTestConfig)({ dbLocation }), (0, testing_utils_1.getRecordingLogger)(messages));
+        t.is(messages.length, 2);
+        t.is(messages[0].type, "warning");
+        t.is(messages[0].message, `The database cluster directory ${dbLocation} must be empty. Attempting to clean it up.`);
+        t.is(messages[1].type, "info");
+        t.is(messages[1].message, `Cleaned up database cluster directory ${dbLocation}.`);
+        t.false(fs.existsSync(fileToCleanUp));
+    });
+});
+for (const { runnerEnv, ErrorConstructor, message } of [
+    {
+        runnerEnv: "self-hosted",
+        ErrorConstructor: util_1.ConfigurationError,
+        message: (dbLocation) => "The CodeQL Action requires an empty database cluster directory. By default, this is located " +
+            `at ${dbLocation}. You can customize it using the 'db-location' input to the init Action. An ` +
+            "attempt was made to clean up the directory, but this failed. This can happen if another " +
+            "process is using the directory or the directory is owned by a different user. Please clean " +
+            "up the directory manually and rerun the job.",
+    },
+    {
+        runnerEnv: "github-hosted",
+        ErrorConstructor: Error,
+        message: (dbLocation) => "The CodeQL Action requires an empty database cluster directory. By default, this is located " +
+            `at ${dbLocation}. You can customize it using the 'db-location' input to the init Action. An ` +
+            "attempt was made to clean up the directory, but this failed. This shouldn't typically " +
+            "happen on hosted runners. If you are using an advanced setup, please check your workflow, " +
+            "otherwise we recommend rerunning the job.",
+    },
+]) {
+    (0, ava_1.default)(`cleanupDatabaseClusterDirectory throws a ${ErrorConstructor.name} when cleanup fails on ${runnerEnv} runner`, async (t) => {
+        await (0, util_1.withTmpDir)(async (tmpDir) => {
+            process.env["RUNNER_ENVIRONMENT"] = runnerEnv;
+            const dbLocation = path_1.default.resolve(tmpDir, "dbs");
+            fs.mkdirSync(dbLocation, { recursive: true });
+            const fileToCleanUp = path_1.default.resolve(dbLocation, "something-to-cleanup.txt");
+            fs.writeFileSync(fileToCleanUp, "");
+            const rmSyncError = `Failed to clean up file ${fileToCleanUp}`;
+            const messages = [];
+            t.throws(() => (0, init_1.cleanupDatabaseClusterDirectory)((0, testing_utils_1.createTestConfig)({ dbLocation }), (0, testing_utils_1.getRecordingLogger)(messages), () => {
+                throw new Error(rmSyncError);
+            }), {
+                instanceOf: ErrorConstructor,
+                message: `${message(dbLocation)} Details: ${rmSyncError}`,
+            });
+            t.is(messages.length, 1);
+            t.is(messages[0].type, "warning");
+            t.is(messages[0].message, `The database cluster directory ${dbLocation} must be empty. Attempting to clean it up.`);
+        });
+    });
+}
 //# sourceMappingURL=init.test.js.map

lib/init.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"init.test.js","sourceRoot":"","sources":["../src/init.test.ts"],"names":[],"mappings":";;;;;AAAA,8CAAuB;AAGvB,iCAAiD;AACjD,2CAAuC;AACvC,mDAAgF;AAEhF,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,wFAAwF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACzG,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,IAAA,8BAAuB,EACrB;QACE,SAAS,EAAE,CAAC,oBAAQ,CAAC,GAAG,CAAC;QACzB,iBAAiB,EAAE,EAAE;KACO,EAC9B,IAAA,kCAAkB,EAAC,QAAQ,CAAC,CAC7B,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oFAAoF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrG,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,IAAA,8BAAuB,EACrB;QACE,SAAS,EAAE,CAAC,oBAAQ,CAAC,GAAG,CAAC;QACzB,iBAAiB,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE;KACxB,EAC9B,IAAA,kCAAkB,EAAC,QAAQ,CAAC,CAC7B,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC"}
+{"version":3,"file":"init.test.js","sourceRoot":"","sources":["../src/init.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,gDAAwB;AAExB,8CAAuB;AAGvB,iCAGgB;AAChB,2CAAuC;AACvC,mDAKyB;AACzB,iCAAwD;AAExD,IAAA,0BAAU,EAAC,aAAI,CAAC,CAAC;AAEjB,IAAA,aAAI,EAAC,wFAAwF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACzG,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,IAAA,8BAAuB,EACrB;QACE,SAAS,EAAE,CAAC,oBAAQ,CAAC,GAAG,CAAC;QACzB,iBAAiB,EAAE,EAAE;KACO,EAC9B,IAAA,kCAAkB,EAAC,QAAQ,CAAC,CAC7B,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,oFAAoF,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrG,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,IAAA,8BAAuB,EACrB;QACE,SAAS,EAAE,CAAC,oBAAQ,CAAC,GAAG,CAAC;QACzB,iBAAiB,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE;KACxB,EAC9B,IAAA,kCAAkB,EAAC,QAAQ,CAAC,CAC7B,CAAC;IACF,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEH,IAAA,aAAI,EAAC,0DAA0D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC3E,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAc,EAAE,EAAE;QACxC,MAAM,UAAU,GAAG,cAAI,CAAC,OAAO,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC/C,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE9C,MAAM,aAAa,GAAG,cAAI,CAAC,OAAO,CAAC,UAAU,EAAE,0BAA0B,CAAC,CAAC;QAC3E,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAEpC,MAAM,QAAQ,GAAoB,EAAE,CAAC;QACrC,IAAA,sCAA+B,EAC7B,IAAA,gCAAgB,EAAC,EAAE,UAAU,EAAE,CAAC,EAChC,IAAA,kCAAkB,EAAC,QAAQ,CAAC,CAC7B,CAAC;QAEF,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACzB,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAClC,CAAC,CAAC,EAAE,CACF,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,EACnB,kCAAkC,UAAU,4CAA4C,CACzF,CAAC;QACF,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC/B,CAAC,CAAC,EAAE,CACF,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,EACnB,yCAAyC,UAAU,GAAG,CACvD,CAAC;QAEF,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,KAAK,MAAM,EAAE,SAAS,EAAE,gBAAgB,EAAE,OAAO,EAAE,IAAI;IACrD;QACE,SAAS,EAAE,aAAa;QACxB,gBAAgB,EAAE,yBAAkB;QACpC,OAAO,EAAE,CAAC,UAAU,EAAE,EAAE,CACtB,8FAA8F;YAC9F,MAAM,UAAU,8EAA8E;YAC9F,0FAA0F;YAC1F,6FAA6F;YAC7F,8CAA8C;KACjD;IACD;QACE,SAAS,EAAE,eAAe;QAC1B,gBAAgB,EAAE,KAAK;QACvB,OAAO,EAAE,CAAC,UAAU,EAAE,EAAE,CACtB,8FAA8F;YAC9F,MAAM,UAAU,8EAA8E;YAC9F,wFAAwF;YACxF,4FAA4F;YAC5F,2CAA2C;KAC9C;CACF,EAAE,CAAC;IACF,IAAA,aAAI,EAAC,4CAA4C,gBAAgB,CAAC,IAAI,0BAA0B,SAAS,SAAS,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC9H,MAAM,IAAA,iBAAU,EAAC,KAAK,EAAE,MAAc,EAAE,EAAE;YACxC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,GAAG,SAAS,CAAC;YAE9C,MAAM,UAAU,GAAG,cAAI,CAAC,OAAO,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YAC/C,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAE9C,MAAM,aAAa,GAAG,cAAI,CAAC,OAAO,CAChC,UAAU,EACV,0BAA0B,CAC3B,CAAC;YACF,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YAEpC,MAAM,WAAW,GAAG,2BAA2B,aAAa,EAAE,CAAC;YAE/D,MAAM,QAAQ,GAAoB,EAAE,CAAC;YACrC,CAAC,CAAC,MAAM,CACN,GAAG,EAAE,CACH,IAAA,sCAA+B,EAC7B,IAAA,gCAAgB,EAAC,EAAE,UAAU,EAAE,CAAC,EAChC,IAAA,kCAAkB,EAAC,QAAQ,CAAC,EAC5B,GAAG,EAAE;gBACH,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;YAC/B,CAAC,CACF,EACH;gBACE,UAAU,EAAE,gBAAgB;gBAC5B,OAAO,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,aAAa,WAAW,EAAE;aAC1D,CACF,CAAC;YAEF,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACzB,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;YAClC,CAAC,CAAC,EAAE,CACF,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,EACnB,kCAAkC,UAAU,4CAA4C,CACzF,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

lib/setup-codeql.js

@@ -52,6 +52,7 @@ var ToolsSource;
     ToolsSource["Download"] = "DOWNLOAD";
 })(ToolsSource || (exports.ToolsSource = ToolsSource = {}));
 exports.CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
+const CODEQL_BUNDLE_VERSION_ALIAS = ["linked", "latest"];
 function getCodeQLBundleName() {
     let platform;
     if (process.platform === "win32") {
@@ -222,7 +223,10 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
     return undefined;
 }
 async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, logger) {
-    if (toolsInput && toolsInput !== "latest" && !toolsInput.startsWith("http")) {
+    if (toolsInput &&
+        !CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput) &&
+        !toolsInput.startsWith("http")) {
+        logger.info(`Using CodeQL CLI from local path ${toolsInput}`);
         return {
             codeqlTarPath: toolsInput,
             sourceType: "local",
@@ -232,14 +236,21 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
     /**
      * Whether the tools shipped with the Action, i.e. those in `defaults.json`, have been forced.
      *
-     * We use the special value of 'latest' to prioritize the version in `defaults.json` over the
+     * We use the special value of 'linked' to prioritize the version in `defaults.json` over the
      * version specified by the feature flags on Dotcom and over any pinned cached version on
      * Enterprise Server.
+     *
+     * Previously we have been using 'latest' to force the shipped tools, but this was not clear
+     * enough for the users, so it has been changed to `linked`. We're keeping around `latest` for
+     * backwards compatibility.
      */
-    const forceShippedTools = toolsInput === "latest";
+    const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);
     if (forceShippedTools) {
-        logger.info("Overriding the version of the CodeQL tools by the version shipped with the Action since " +
-            `"tools: latest" was requested.`);
+        logger.info(`Overriding the version of the CodeQL tools by ${defaultCliVersion.cliVersion}, the version shipped with the Action since ` +
+            `tools: ${toolsInput} was requested.`);
+        if (toolsInput === "latest") {
+            logger.warning("`tools: latest` has been renamed to `tools: linked`, but the old name is still supported for now. No action is required.");
+        }
     }
     /** CLI version number, for example 2.12.6. */
     let cliVersion;
@@ -329,6 +340,12 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
         logger.info(`Did not find CodeQL tools version ${humanReadableVersion} in the toolcache.`);
     }
     if (codeqlFolder) {
+        if (cliVersion) {
+            logger.info(`Using CodeQL CLI version ${cliVersion} from toolcache at ${codeqlFolder}`);
+        }
+        else {
+            logger.info(`Using CodeQL CLI from toolcache at ${codeqlFolder}`);
+        }
         return {
             codeqlFolder,
             sourceType: "toolcache",
@@ -349,6 +366,12 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
     if (!url) {
         url = await getCodeQLBundleDownloadURL(tagName, apiDetails, logger);
     }
+    if (cliVersion) {
+        logger.info(`Using CodeQL CLI version ${cliVersion} sourced from ${url}.`);
+    }
+    else {
+        logger.info(`Using CodeQL CLI sourced from ${url}.`);
+    }
     return {
         bundleVersion: tagName && tryGetBundleVersionFromTagName(tagName, logger),
         cliVersion,
@@ -373,7 +396,9 @@ async function tryGetFallbackToolcacheVersion(cliVersion, tagName, logger) {
     return fallbackVersion;
 }
 exports.tryGetFallbackToolcacheVersion = tryGetFallbackToolcacheVersion;
-async function downloadCodeQL(codeqlURL, maybeBundleVersion, maybeCliVersion, apiDetails, variant, tempDir, logger) {
+// Exported using `export const` for testing purposes. Specifically, we want to
+// be able to stub this function and have other functions in this file use that stub.
+const downloadCodeQL = async function (codeqlURL, maybeBundleVersion, maybeCliVersion, apiDetails, variant, tempDir, logger) {
     const parsedCodeQLURL = new URL(codeqlURL);
     const searchParams = new URLSearchParams(parsedCodeQLURL.search);
     const headers = {
@@ -436,7 +461,7 @@ async function downloadCodeQL(codeqlURL, maybeBundleVersion, maybeCliVersion, ap
         codeqlFolder: toolcachedBundlePath,
         toolsDownloadDurationMs,
     };
-}
+};
 exports.downloadCodeQL = downloadCodeQL;
 function getCodeQLURLVersion(url) {
     const match = url.match(/\/codeql-bundle-(.*)\//);
@@ -503,7 +528,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
             toolsSource = ToolsSource.Toolcache;
             break;
         case "download": {
-            const result = await downloadCodeQL(source.codeqlURL, source.bundleVersion, source.cliVersion, apiDetails, variant, tempDir, logger);
+            const result = await (0, exports.downloadCodeQL)(source.codeqlURL, source.bundleVersion, source.cliVersion, apiDetails, variant, tempDir, logger);
             toolsVersion = result.toolsVersion;
             codeqlFolder = result.codeqlFolder;
             toolsDownloadDurationMs = result.toolsDownloadDurationMs;

lib/setup-codeql.test.js

@@ -84,4 +84,74 @@ ava_1.default.beforeEach(() => {
         t.is(source["cliVersion"], "1.2.3");
     });
 });
+(0, ava_1.default)("getCodeQLSource correctly returns bundled CLI version when tools == linked", async (t) => {
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const source = await setupCodeql.getCodeQLSource("linked", testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, util_1.GitHubVariant.DOTCOM, (0, logging_1.getRunnerLogger)(true));
+        t.is(source.toolsVersion, testing_utils_1.LINKED_CLI_VERSION.cliVersion);
+        t.is(source.sourceType, "download");
+    });
+});
+(0, ava_1.default)("getCodeQLSource correctly returns bundled CLI version when tools == latest", async (t) => {
+    const loggedMessages = [];
+    const logger = (0, testing_utils_1.getRecordingLogger)(loggedMessages);
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const source = await setupCodeql.getCodeQLSource("latest", testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, util_1.GitHubVariant.DOTCOM, logger);
+        // First, ensure that the CLI version is the linked version, so that backwards
+        // compatibility is maintained.
+        t.is(source.toolsVersion, testing_utils_1.LINKED_CLI_VERSION.cliVersion);
+        t.is(source.sourceType, "download");
+        // Afterwards, ensure that we see the deprecation message in the log.
+        const expected_message = "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported for now. No action is required.";
+        t.assert(loggedMessages.some((msg) => typeof msg.message === "string" &&
+            msg.message.includes(expected_message)));
+    });
+});
+(0, ava_1.default)("setupCodeQLBundle logs the CodeQL CLI version being used when asked to use linked tools", async (t) => {
+    const loggedMessages = [];
+    const logger = (0, testing_utils_1.getRecordingLogger)(loggedMessages);
+    // Stub the downloadCodeQL function to prevent downloading artefacts
+    // during testing from being called.
+    sinon.stub(setupCodeql, "downloadCodeQL").resolves({
+        toolsVersion: testing_utils_1.LINKED_CLI_VERSION.cliVersion,
+        codeqlFolder: "codeql",
+        toolsDownloadDurationMs: 200,
+    });
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const result = await setupCodeql.setupCodeQLBundle("linked", testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, "tmp/codeql_action_test/", util_1.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, logger);
+        // Basic sanity check that the version we got back is indeed
+        // the linked (default) CLI version.
+        t.is(result.toolsVersion, testing_utils_1.LINKED_CLI_VERSION.cliVersion);
+        // Ensure message logging CodeQL CLI version was present in user logs.
+        const expected_message = `Using CodeQL CLI version ${testing_utils_1.LINKED_CLI_VERSION.cliVersion}`;
+        t.assert(loggedMessages.some((msg) => typeof msg.message === "string" &&
+            msg.message.includes(expected_message)));
+    });
+});
+(0, ava_1.default)("setupCodeQLBundle logs the CodeQL CLI version being used when asked to download a non-default bundle", async (t) => {
+    const loggedMessages = [];
+    const logger = (0, testing_utils_1.getRecordingLogger)(loggedMessages);
+    const bundleUrl = "https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.16.0/codeql-bundle-linux64.tar.gz";
+    const expectedVersion = "2.16.0";
+    // Stub the downloadCodeQL function to prevent downloading artefacts
+    // during testing from being called.
+    sinon.stub(setupCodeql, "downloadCodeQL").resolves({
+        toolsVersion: expectedVersion,
+        codeqlFolder: "codeql",
+        toolsDownloadDurationMs: 200,
+    });
+    await (0, util_1.withTmpDir)(async (tmpDir) => {
+        (0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
+        const result = await setupCodeql.setupCodeQLBundle(bundleUrl, testing_utils_1.SAMPLE_DOTCOM_API_DETAILS, "tmp/codeql_action_test/", util_1.GitHubVariant.DOTCOM, testing_utils_1.SAMPLE_DEFAULT_CLI_VERSION, logger);
+        // Basic sanity check that the version we got back is indeed the version that the
+        // bundle contains..
+        t.is(result.toolsVersion, expectedVersion);
+        // Ensure message logging CodeQL CLI version was present in user logs.
+        const expected_message = `Using CodeQL CLI version 2.16.0 sourced from ${bundleUrl}.`;
+        t.assert(loggedMessages.some((msg) => typeof msg.message === "string" &&
+            msg.message.includes(expected_message)));
+    });
+});
 //# sourceMappingURL=setup-codeql.test.js.map

lib/status-report.js

@@ -133,6 +133,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
         if (testingEnvironment !== "") {
             core.exportVariable(environment_1.EnvVar.TESTING_ENVIRONMENT, testingEnvironment);
         }
+        const isSteadyStateDefaultSetupRun = process.env["CODE_SCANNING_IS_STEADY_STATE_DEFAULT_SETUP"] === "true";
         const statusReport = {
             action_name: actionName,
             action_oid: "unknown", // TODO decide if it's possible to fill this in
@@ -149,6 +150,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
             runner_os: runnerOs,
             started_at: workflowStartedAt,
             status,
+            steady_state_default_setup: isSteadyStateDefaultSetupRun,
             testing_environment: testingEnvironment,
             workflow_name: workflowName,
             workflow_run_attempt: workflowRunAttempt,

lib/status-report.test.js

@@ -79,6 +79,7 @@ function setupEnvironmentAndStub(tmpDir) {
             t.is(statusReport.runner_os, process.env["RUNNER_OS"]);
             t.is(statusReport.started_at, process.env[environment_1.EnvVar.WORKFLOW_STARTED_AT]);
             t.is(statusReport.status, "failure");
+            t.is(statusReport.steady_state_default_setup, false);
             t.is(statusReport.workflow_name, process.env["GITHUB_WORKFLOW"] || "");
             t.is(statusReport.workflow_run_attempt, 2);
             t.is(statusReport.workflow_run_id, 100);

lib/testing-utils.js

@@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createTestConfig = exports.mockBundleDownloadApi = exports.createFeatures = exports.mockCodeQLVersion = exports.makeVersionInfo = exports.mockLanguagesInRepo = exports.mockFeatureFlagApiEndpoint = exports.getRecordingLogger = exports.setupActionsVars = exports.setupTests = exports.SAMPLE_DEFAULT_CLI_VERSION = exports.SAMPLE_DOTCOM_API_DETAILS = void 0;
+exports.createTestConfig = exports.mockBundleDownloadApi = exports.createFeatures = exports.mockCodeQLVersion = exports.makeVersionInfo = exports.mockLanguagesInRepo = exports.mockFeatureFlagApiEndpoint = exports.getRecordingLogger = exports.setupActionsVars = exports.setupTests = exports.LINKED_CLI_VERSION = exports.SAMPLE_DEFAULT_CLI_VERSION = exports.SAMPLE_DOTCOM_API_DETAILS = void 0;
 const node_util_1 = require("node:util");
 const path_1 = __importDefault(require("path"));
 const github = __importStar(require("@actions/github"));
@@ -34,6 +34,7 @@ const nock_1 = __importDefault(require("nock"));
 const sinon = __importStar(require("sinon"));
 const apiClient = __importStar(require("./api-client"));
 const codeql = __importStar(require("./codeql"));
+const defaults = __importStar(require("./defaults.json"));
 const util_1 = require("./util");
 exports.SAMPLE_DOTCOM_API_DETAILS = {
     auth: "token",
@@ -44,6 +45,10 @@ exports.SAMPLE_DEFAULT_CLI_VERSION = {
     cliVersion: "2.20.0",
     tagName: "codeql-bundle-v2.20.0",
 };
+exports.LINKED_CLI_VERSION = {
+    cliVersion: defaults.cliVersion,
+    tagName: defaults.bundleVersion,
+};
 function wrapOutput(context) {
     // Function signature taken from Socket.write.
     // Note there are two overloads:

lib/tools-features.js

@@ -10,6 +10,7 @@ var ToolsFeature;
     ToolsFeature["SetsCodeqlRunnerEnvVar"] = "setsCodeqlRunnerEnvVar";
     ToolsFeature["TraceCommandUseBuildMode"] = "traceCommandUseBuildMode";
     ToolsFeature["SarifMergeRunsFromEqualCategory"] = "sarifMergeRunsFromEqualCategory";
+    ToolsFeature["ForceOverwrite"] = "forceOverwrite";
 })(ToolsFeature || (exports.ToolsFeature = ToolsFeature = {}));
 /**
  * Determines if the given feature is supported by the CLI.

lib/tools-features.js.map

@@ -1 +1 @@
-{"version":3,"file":"tools-features.js","sourceRoot":"","sources":["../src/tools-features.ts"],"names":[],"mappings":";;;AAEA,IAAY,YAQX;AARD,WAAY,YAAY;IACtB,uEAAuD,CAAA;IACvD,mDAAmC,CAAA;IACnC,+FAA+E,CAAA;IAC/E,yFAAyE,CAAA;IACzE,iEAAiD,CAAA;IACjD,qEAAqD,CAAA;IACrD,mFAAmE,CAAA;AACrE,CAAC,EARW,YAAY,4BAAZ,YAAY,QAQvB;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,WAAwB,EACxB,OAAqB;IAErB,OAAO,CAAC,CAAC,WAAW,CAAC,QAAQ,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjE,CAAC;AALD,0DAKC"}
+{"version":3,"file":"tools-features.js","sourceRoot":"","sources":["../src/tools-features.ts"],"names":[],"mappings":";;;AAEA,IAAY,YASX;AATD,WAAY,YAAY;IACtB,uEAAuD,CAAA;IACvD,mDAAmC,CAAA;IACnC,+FAA+E,CAAA;IAC/E,yFAAyE,CAAA;IACzE,iEAAiD,CAAA;IACjD,qEAAqD,CAAA;IACrD,mFAAmE,CAAA;IACnE,iDAAiC,CAAA;AACnC,CAAC,EATW,YAAY,4BAAZ,YAAY,QASvB;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,WAAwB,EACxB,OAAqB;IAErB,OAAO,CAAC,CAAC,WAAW,CAAC,QAAQ,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjE,CAAC;AALD,0DAKC"}

lib/trap-caching.js

@@ -23,11 +23,13 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getTotalCacheSize = exports.getLanguagesSupportingCaching = exports.uploadTrapCaches = exports.downloadTrapCaches = void 0;
+exports.getTotalCacheSize = exports.getLanguagesSupportingCaching = exports.cleanupTrapCaches = exports.uploadTrapCaches = exports.downloadTrapCaches = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
-const cache = __importStar(require("@actions/cache"));
+const actionsCache = __importStar(require("@actions/cache"));
 const actionsUtil = __importStar(require("./actions-util"));
+const apiClient = __importStar(require("./api-client"));
+const feature_flags_1 = require("./feature-flags");
 const util_1 = require("./util");
 // This constant should be bumped if we make a breaking change
 // to how the CodeQL Action stores or retrieves the TRAP cache,
@@ -35,6 +37,7 @@ const util_1 = require("./util");
 // this for CLI/extractor changes, since the CLI version also
 // goes into the cache key.
 const CACHE_VERSION = 1;
+const CODEQL_TRAP_CACHE_PREFIX = "codeql-trap";
 // This constant sets the minimum size in megabytes of a TRAP
 // cache for us to consider it worth uploading.
 const MINIMUM_CACHE_MB_TO_UPLOAD = 10;
@@ -81,7 +84,7 @@ async function downloadTrapCaches(codeql, languages, logger) {
         // The SHA from the base of the PR is the most similar commit we might have a cache for
         const preferredKey = await cacheKey(codeql, language, baseSha);
         logger.info(`Looking in Actions cache for TRAP cache with key ${preferredKey}`);
-        const found = await (0, util_1.withTimeout)(MAX_CACHE_OPERATION_MS, cache.restoreCache([cacheDir], preferredKey, [
+        const found = await (0, util_1.withTimeout)(MAX_CACHE_OPERATION_MS, actionsCache.restoreCache([cacheDir], preferredKey, [
             // Fall back to any cache with the right key prefix
             await cachePrefix(codeql, language),
         ]), () => {
@@ -123,13 +126,76 @@ async function uploadTrapCaches(codeql, config, logger) {
         }
         const key = await cacheKey(codeql, language, process.env.GITHUB_SHA || "unknown");
         logger.info(`Uploading TRAP cache to Actions cache with key ${key}`);
-        await (0, util_1.withTimeout)(MAX_CACHE_OPERATION_MS, cache.saveCache([cacheDir], key), () => {
+        await (0, util_1.withTimeout)(MAX_CACHE_OPERATION_MS, actionsCache.saveCache([cacheDir], key), () => {
             logger.info(`Timed out waiting for TRAP cache for ${language} to upload, will continue without uploading`);
         });
     }
     return true;
 }
 exports.uploadTrapCaches = uploadTrapCaches;
+async function cleanupTrapCaches(config, features, logger) {
+    if (!(await features.getValue(feature_flags_1.Feature.CleanupTrapCaches))) {
+        return {
+            trap_cache_cleanup_skipped_because: "feature disabled",
+        };
+    }
+    if (!(await actionsUtil.isAnalyzingDefaultBranch())) {
+        return {
+            trap_cache_cleanup_skipped_because: "not analyzing default branch",
+        };
+    }
+    try {
+        let totalBytesCleanedUp = 0;
+        const allCaches = await apiClient.listActionsCaches(CODEQL_TRAP_CACHE_PREFIX, await actionsUtil.getRef());
+        for (const language of config.languages) {
+            if (config.trapCaches[language]) {
+                const cachesToRemove = await getTrapCachesForLanguage(allCaches, language, logger);
+                // Dates returned by the API are in ISO 8601 format, so we can sort them lexicographically
+                cachesToRemove.sort((a, b) => a.created_at.localeCompare(b.created_at));
+                // Keep the most recent cache
+                const mostRecentCache = cachesToRemove.pop();
+                logger.debug(`Keeping most recent TRAP cache (${JSON.stringify(mostRecentCache)})`);
+                if (cachesToRemove.length === 0) {
+                    logger.info(`No TRAP caches to clean up for ${language}.`);
+                    continue;
+                }
+                for (const cache of cachesToRemove) {
+                    logger.debug(`Cleaning up TRAP cache (${JSON.stringify(cache)})`);
+                    await apiClient.deleteActionsCache(cache.id);
+                }
+                const bytesCleanedUp = cachesToRemove.reduce((acc, item) => acc + item.size_in_bytes, 0);
+                totalBytesCleanedUp += bytesCleanedUp;
+                const megabytesCleanedUp = (bytesCleanedUp / (1024 * 1024)).toFixed(2);
+                logger.info(`Cleaned up ${megabytesCleanedUp} MiB of old TRAP caches for ${language}.`);
+            }
+        }
+        return { trap_cache_cleanup_size_bytes: totalBytesCleanedUp };
+    }
+    catch (e) {
+        if ((0, util_1.isHTTPError)(e) && e.status === 403) {
+            logger.warning("Could not cleanup TRAP caches as the token did not have the required permissions. " +
+                'To clean up TRAP caches, ensure the token has the "actions:write" permission. ' +
+                "For more information, see https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs");
+        }
+        else {
+            logger.info(`Failed to cleanup TRAP caches, continuing. Details: ${e}`);
+        }
+        return { trap_cache_cleanup_error: (0, util_1.wrapError)(e).message };
+    }
+}
+exports.cleanupTrapCaches = cleanupTrapCaches;
+async function getTrapCachesForLanguage(allCaches, language, logger) {
+    logger.debug(`Listing TRAP caches for ${language}`);
+    for (const cache of allCaches) {
+        if (!cache.created_at || !cache.id || !cache.key || !cache.size_in_bytes) {
+            throw new Error("An unexpected cache item was returned from the API that was missing one or " +
+                `more required fields: ${JSON.stringify(cache)}`);
+        }
+    }
+    return allCaches.filter((cache) => {
+        return cache.key?.includes(`-${language}-`);
+    });
+}
 async function getLanguagesSupportingCaching(codeql, languages, logger) {
     const result = [];
     const resolveResult = await codeql.betterResolveLanguages();
@@ -169,6 +235,6 @@ async function cacheKey(codeql, language, baseSha) {
     return `${await cachePrefix(codeql, language)}${baseSha}`;
 }
 async function cachePrefix(codeql, language) {
-    return `codeql-trap-${CACHE_VERSION}-${(await codeql.getVersion()).version}-${language}-`;
+    return `${CODEQL_TRAP_CACHE_PREFIX}-${CACHE_VERSION}-${(await codeql.getVersion()).version}-${language}-`;
 }
 //# sourceMappingURL=trap-caching.js.map

lib/trap-caching.test.js

@@ -32,8 +32,11 @@ const cache = __importStar(require("@actions/cache"));
 const ava_1 = __importDefault(require("ava"));
 const sinon = __importStar(require("sinon"));
 const actionsUtil = __importStar(require("./actions-util"));
+const apiClient = __importStar(require("./api-client"));
 const codeql_1 = require("./codeql");
+const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
+const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
 const trap_caching_1 = require("./trap-caching");
 const util = __importStar(require("./util"));
@@ -168,4 +171,74 @@ function getTestConfigWithTempDir(tempDir) {
         t.assert(fs.existsSync(path.resolve(tmpDir, "trapCaches", "javascript")));
     });
 });
+(0, ava_1.default)("cleanup removes only old CodeQL TRAP caches", async (t) => {
+    await util.withTmpDir(async (tmpDir) => {
+        // This config specifies that we are analyzing JavaScript and Ruby, but not Swift.
+        const config = getTestConfigWithTempDir(tmpDir);
+        sinon.stub(actionsUtil, "getRef").resolves("refs/heads/main");
+        sinon.stub(actionsUtil, "isAnalyzingDefaultBranch").resolves(true);
+        const listStub = sinon.stub(apiClient, "listActionsCaches").resolves([
+            // Should be kept, since it's not relevant to CodeQL. In reality, the API shouldn't return
+            // this in the first place, but this is a defensive check.
+            {
+                id: 1,
+                key: "some-other-key",
+                created_at: "2024-05-23T14:25:00Z",
+                size_in_bytes: 100 * 1024 * 1024,
+            },
+            // Should be kept, since it's the newest TRAP cache for JavaScript
+            {
+                id: 2,
+                key: "codeql-trap-1-2.0.0-javascript-newest",
+                created_at: "2024-04-23T14:25:00Z",
+                size_in_bytes: 50 * 1024 * 1024,
+            },
+            // Should be cleaned up
+            {
+                id: 3,
+                key: "codeql-trap-1-2.0.0-javascript-older",
+                created_at: "2024-03-22T14:25:00Z",
+                size_in_bytes: 200 * 1024 * 1024,
+            },
+            // Should be cleaned up
+            {
+                id: 4,
+                key: "codeql-trap-1-2.0.0-javascript-oldest",
+                created_at: "2024-02-21T14:25:00Z",
+                size_in_bytes: 300 * 1024 * 1024,
+            },
+            // Should be kept, since it's the newest TRAP cache for Ruby
+            {
+                id: 5,
+                key: "codeql-trap-1-2.0.0-ruby-newest",
+                created_at: "2024-02-20T14:25:00Z",
+                size_in_bytes: 300 * 1024 * 1024,
+            },
+            // Should be kept, since we aren't analyzing Swift
+            {
+                id: 6,
+                key: "codeql-trap-1-2.0.0-swift-newest",
+                created_at: "2024-02-22T14:25:00Z",
+                size_in_bytes: 300 * 1024 * 1024,
+            },
+            // Should be kept, since we aren't analyzing Swift
+            {
+                id: 7,
+                key: "codeql-trap-1-2.0.0-swift-older",
+                created_at: "2024-02-21T14:25:00Z",
+                size_in_bytes: 300 * 1024 * 1024,
+            },
+        ]);
+        const deleteStub = sinon.stub(apiClient, "deleteActionsCache").resolves();
+        const statusReport = await (0, trap_caching_1.cleanupTrapCaches)(config, (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.CleanupTrapCaches]), (0, logging_1.getRunnerLogger)(true));
+        t.is(listStub.callCount, 1);
+        t.assert(listStub.calledWithExactly("codeql-trap", "refs/heads/main"));
+        t.deepEqual(statusReport, {
+            trap_cache_cleanup_size_bytes: 500 * 1024 * 1024,
+        });
+        t.is(deleteStub.callCount, 2);
+        t.assert(deleteStub.calledWithExactly(3));
+        t.assert(deleteStub.calledWithExactly(4));
+    });
+});
 //# sourceMappingURL=trap-caching.test.js.map