infrastructure/actions
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial commit of actions

Browse source
This commit is contained in:
Dominik Polakovics Polakovics 2026-01-31 18:56:04 +01:00
commit 949ece5785
44660 changed files with 12034344 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

64
github/codeql-action-v2/.github/workflows/__all-platform-bundle.yml generated vendored Normal file
View file

@ -0,0 +1,64 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - All-platform bundle
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
all-platform-bundle:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: nightly-latest
name: All-platform bundle
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'true'
setup-kotlin: 'true'
- id: init
uses: ./../action/init
with:
# Swift is not supported on Ubuntu so we manually exclude it from the list here
languages: cpp,csharp,go,java,javascript,python,ruby
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:
CODEQL_ACTION_TEST_MODE: true

71
github/codeql-action-v2/.github/workflows/__analyze-ref-input.yml generated vendored Normal file
View file

@ -0,0 +1,71 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
analyze-ref-input:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: windows-latest
version: default
name: "Analyze: 'ref' and 'sha' from inputs"
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
languages: cpp,csharp,java,javascript,python
config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
github.sha }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
ref: refs/heads/main
sha: 5e235361806c361d4d3f8859e3c897658025a9a2
env:
CODEQL_ACTION_TEST_MODE: true

80
github/codeql-action-v2/.github/workflows/__autobuild-action.yml generated vendored Normal file
View file

@ -0,0 +1,80 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - autobuild-action
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
autobuild-action:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
name: autobuild-action
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
languages: csharp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
env:
# Explicitly disable the CLR tracer.
COR_ENABLE_PROFILING: ''
COR_PROFILER: ''
COR_PROFILER_PATH_64: ''
CORECLR_ENABLE_PROFILING: ''
CORECLR_PROFILER: ''
CORECLR_PROFILER_PATH_64: ''
- uses: ./../action/analyze
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d csharp ]]; then
echo "Did not find a C# database"
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

85
github/codeql-action-v2/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml generated vendored Normal file
View file

@ -0,0 +1,85 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Autobuild direct tracing (custom working directory)
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
autobuild-direct-tracing-with-working-dir:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: windows-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: Autobuild direct tracing (custom working directory)
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Test setup
shell: bash
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...
cp -a ../action/tests/java-repo autobuild-dir
# ... and fails if attempted in the current directory
echo > build.gradle
- uses: ./../action/init
with:
build-mode: autobuild
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check that indirect tracing is disabled
shell: bash
run: |
if [[ ! -z "${CODEQL_RUNNER}" ]]; then
echo "Expected indirect tracing to be disabled, but the" \
"CODEQL_RUNNER environment variable is set."
exit 1
fi
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
- uses: ./../action/analyze
env:
CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
CODEQL_ACTION_TEST_MODE: true

86
github/codeql-action-v2/.github/workflows/__autobuild-direct-tracing.yml generated vendored Normal file
View file

@ -0,0 +1,86 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Autobuild direct tracing
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
autobuild-direct-tracing:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: windows-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: Autobuild direct tracing
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Set up Java test repo configuration
shell: bash
run: |
mv * .github ../action/tests/multi-language-repo/
mv ../action/tests/multi-language-repo/.github/workflows .github
mv ../action/tests/java-repo/* .
- uses: ./../action/init
id: init
with:
build-mode: autobuild
db-location: ${{ runner.temp }}/customDbLocation
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check that indirect tracing is disabled
shell: bash
run: |
if [[ ! -z "${CODEQL_RUNNER}" ]]; then
echo "Expected indirect tracing to be disabled, but the" \
"CODEQL_RUNNER environment variable is set."
exit 1
fi
- uses: ./../action/analyze
env:
CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
CODEQL_ACTION_TEST_MODE: true

78
github/codeql-action-v2/.github/workflows/__build-mode-autobuild.yml generated vendored Normal file
View file

@ -0,0 +1,78 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Build mode autobuild
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
build-mode-autobuild:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: nightly-latest
name: Build mode autobuild
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Set up Java test repo configuration
run: |
mv * .github ../action/tests/multi-language-repo/
mv ../action/tests/multi-language-repo/.github/workflows .github
mv ../action/tests/java-repo/* .
- uses: ./../action/init
id: init
with:
build-mode: autobuild
db-location: ${{ runner.temp }}/customDbLocation
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "autobuild" ]]; then
echo "Expected build mode to be 'autobuild' but was $build_mode"
exit 1
fi
- uses: ./../action/analyze
env:
CODEQL_ACTION_TEST_MODE: true

76
github/codeql-action-v2/.github/workflows/__build-mode-manual.yml generated vendored Normal file
View file

@ -0,0 +1,76 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Build mode manual
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
build-mode-manual:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: nightly-latest
name: Build mode manual
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
id: init
with:
build-mode: manual
db-location: ${{ runner.temp }}/customDbLocation
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "manual" ]]; then
echo "Expected build mode to be 'manual' but was $build_mode"
exit 1
fi
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:
CODEQL_ACTION_TEST_MODE: true

78
github/codeql-action-v2/.github/workflows/__build-mode-none.yml generated vendored Normal file
View file

@ -0,0 +1,78 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Build mode none
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
build-mode-none:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
name: Build mode none
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
id: init
with:
build-mode: none
db-location: ${{ runner.temp }}/customDbLocation
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "none" ]]; then
echo "Expected build mode to be 'none' but was $build_mode"
exit 1
fi
# The latest nightly supports omitting the autobuild Action when the build mode is specified.
- uses: ./../action/autobuild
if: matrix.version != 'nightly-latest'
- uses: ./../action/analyze
env:
CODEQL_ACTION_TEST_MODE: true

79
github/codeql-action-v2/.github/workflows/__build-mode-rollback.yml generated vendored Normal file
View file

@ -0,0 +1,79 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Build mode rollback
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
build-mode-rollback:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: nightly-latest
name: Build mode rollback
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Set up Java test repo configuration
run: |
mv * .github ../action/tests/multi-language-repo/
mv ../action/tests/multi-language-repo/.github/workflows .github
mv ../action/tests/java-repo/* .
- uses: ./../action/init
id: init
with:
build-mode: none
db-location: ${{ runner.temp }}/customDbLocation
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "autobuild" ]]; then
echo "Expected build mode to be 'autobuild' but was $build_mode"
exit 1
fi
- uses: ./../action/analyze
env:
CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
CODEQL_ACTION_TEST_MODE: true

74
github/codeql-action-v2/.github/workflows/__cleanup-db-cluster-dir.yml generated vendored Normal file
View file

@ -0,0 +1,74 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Clean up database cluster directory
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
cleanup-db-cluster-dir:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
name: Clean up database cluster directory
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Add a file to the database cluster directory
run: |
mkdir -p "${{ runner.temp }}/customDbLocation/javascript"
touch "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt"
- uses: ./../action/init
id: init
with:
build-mode: none
db-location: ${{ runner.temp }}/customDbLocation
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate file cleaned up
run: |
if [[ -f "${{ runner.temp }}/customDbLocation/javascript/a-file-to-clean-up.txt" ]]; then
echo "File was not cleaned up"
exit 1
fi
echo "File was cleaned up"
env:
CODEQL_ACTION_TEST_MODE: true

105
github/codeql-action-v2/.github/workflows/__config-export.yml generated vendored Normal file
View file

@ -0,0 +1,105 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Config export
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
config-export:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: Config export
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
languages: javascript
queries: security-extended
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Upload SARIF
uses: actions/upload-artifact@v4
with:
name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check config properties appear in SARIF
uses: actions/github-script@v7
env:
SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
with:
script: |
const fs = require('fs');
const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
const run = sarif.runs[0];
const configSummary = run.properties.codeqlConfigSummary;
if (configSummary === undefined) {
core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
}
if (configSummary.disableDefaultQueries !== false) {
core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
`${JSON.stringify(configSummary.disableDefaultQueries)}.`);
}
const expectedQueries = [{ type: 'builtinSuite', uses: 'security-extended' }];
// Use JSON.stringify to deep-equal the arrays.
if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
`${JSON.stringify(configSummary.queries)}.`);
}
core.info('Finished config export tests.');
env:
CODEQL_ACTION_TEST_MODE: true

82
github/codeql-action-v2/.github/workflows/__config-input.yml generated vendored Normal file
View file

@ -0,0 +1,82 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Config input
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
config-input:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
name: Config input
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Copy queries into workspace
run: |
cp -a ../action/queries .
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
languages: javascript
build-mode: none
config: |
disable-default-queries: true
queries:
- name: Run custom query
uses: ./queries/default-setup-environment-variables.ql
paths-ignore:
- tests
- lib
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
- name: Check SARIF
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/codeql-action/default-setup-env-vars
queries-not-run: javascript/codeql-action/default-setup-context-properties
env:
CODEQL_ACTION_TEST_MODE: true

78
github/codeql-action-v2/.github/workflows/__cpp-deptrace-disabled.yml generated vendored Normal file
View file

@ -0,0 +1,78 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - C/C++: disabling autoinstalling dependencies (Linux)'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
cpp-deptrace-disabled:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: ubuntu-latest
version: default
- os: ubuntu-latest
version: nightly-latest
name: 'C/C++: disabling autoinstalling dependencies (Linux)'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
with:
languages: cpp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
- shell: bash
run: |
if ls /usr/bin/errno; then
echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
exit 1
fi
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
CODEQL_ACTION_TEST_MODE: true

76
github/codeql-action-v2/.github/workflows/__cpp-deptrace-enabled-on-macos.yml generated vendored Normal file
View file

@ -0,0 +1,76 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - C/C++: autoinstalling dependencies is skipped (macOS)'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
cpp-deptrace-enabled-on-macos:
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
version: nightly-latest
name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
with:
languages: cpp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
- shell: bash
run: |
if ! ls /usr/bin/errno; then
echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
else
echo "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES should not have had any effect on macOS"
exit 1
fi
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
CODEQL_ACTION_TEST_MODE: true

78
github/codeql-action-v2/.github/workflows/__cpp-deptrace-enabled.yml generated vendored Normal file
View file

@ -0,0 +1,78 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - C/C++: autoinstalling dependencies (Linux)'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
cpp-deptrace-enabled:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: ubuntu-latest
version: default
- os: ubuntu-latest
version: nightly-latest
name: 'C/C++: autoinstalling dependencies (Linux)'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
with:
languages: cpp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
- shell: bash
run: |
if ! ls /usr/bin/errno; then
echo "Did not autoinstall errno"
exit 1
fi
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
CODEQL_ACTION_TEST_MODE: true

142
github/codeql-action-v2/.github/workflows/__diagnostics-export.yml generated vendored Normal file
View file

@ -0,0 +1,142 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Diagnostic export
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
diagnostics-export:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: Diagnostic export
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
id: init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Add test diagnostics
shell: bash
env:
CODEQL_PATH: ${{ steps.init.outputs.codeql-path }}
run: |
"$CODEQL_PATH" database add-diagnostic \
"$RUNNER_TEMP/codeql_databases/javascript" \
--file-path /path/to/file \
--plaintext-message "Plaintext message" \
--source-id "lang/diagnostics/example" \
--source-name "Diagnostic name" \
--ready-for-status-page
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Upload SARIF
uses: actions/upload-artifact@v4
with:
name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check diagnostics appear in SARIF
uses: actions/github-script@v7
env:
SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
with:
script: |
const fs = require('fs');
function checkStatusPageNotification(n) {
const expectedMessage = 'Plaintext message';
if (n.message.text !== expectedMessage) {
core.setFailed(`Expected the status page diagnostic to have the message '${expectedMessage}', but found '${n.message.text}'.`);
}
if (n.locations.length !== 1) {
core.setFailed(`Expected the status page diagnostic to have exactly 1 location, but found ${n.locations.length}.`);
}
}
const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
const run = sarif.runs[0];
const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
const statusPageNotifications = toolExecutionNotifications.filter(n =>
n.descriptor.id === 'lang/diagnostics/example' && n.properties?.visibility?.statusPage
);
if (statusPageNotifications.length !== 1) {
core.setFailed(
'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
`'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
`${statusPageNotifications.length}. All notification reporting descriptors: ` +
`${JSON.stringify(toolExecutionNotifications)}.`
);
}
checkStatusPageNotification(statusPageNotifications[0]);
const notifications = run.tool.driver.notifications;
const diagnosticNotification = notifications.filter(n =>
n.id === 'lang/diagnostics/example' && n.name === 'lang/diagnostics/example' &&
n.fullDescription.text === 'Diagnostic name'
);
if (diagnosticNotification.length !== 1) {
core.setFailed(
'Expected exactly one notification for this diagnostic in the ' +
`'runs[].tool.driver.notifications[]' SARIF property, but found ` +
`${diagnosticNotification.length}. All notifications: ` +
`${JSON.stringify(notifications)}.`
);
}
core.info('Finished diagnostic export test');
env:
CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
CODEQL_ACTION_TEST_MODE: true

100
github/codeql-action-v2/.github/workflows/__export-file-baseline-information.yml generated vendored Normal file
View file

@ -0,0 +1,100 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Export file baseline information
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
export-file-baseline-information:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: Export file baseline information
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
id: init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/actions/setup-swift
if: runner.os == 'macOS'
with:
codeql-path: ${{ steps.init.outputs.codeql-path }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
- name: Upload SARIF
uses: actions/upload-artifact@v4
with:
name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
expected_baseline_languages="c csharp go java kotlin javascript python ruby"
if [[ $RUNNER_OS == "macOS" ]]; then
expected_baseline_languages+=" swift"
fi
for lang in ${expected_baseline_languages}; do
rule_name="cli/expected-extracted-files/${lang}"
found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
if [[ "${found_notification}" != "true" ]]; then
echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
exit 1
else
echo "Found notification '${rule_name}'."
fi
done
env:
CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
CODEQL_ACTION_TEST_MODE: true

101
github/codeql-action-v2/.github/workflows/__extract-direct-to-toolcache.yml generated vendored Normal file
View file

@ -0,0 +1,101 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Extract directly to toolcache
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
extract-direct-to-toolcache:
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
version: linked
- os: ubuntu-latest
version: linked
- os: windows-latest
version: linked
name: Extract directly to toolcache
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Remove CodeQL from toolcache
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const path = require('path');
const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
fs.rmdirSync(codeqlPath, { recursive: true });
- name: Install @actions/tool-cache
run: npm install @actions/tool-cache
- name: Check toolcache does not contain CodeQL
uses: actions/github-script@v7
with:
script: |
const toolcache = require('@actions/tool-cache');
const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
if (allCodeqlVersions.length !== 0) {
throw new Error(`CodeQL should not be found in the toolcache, but found ${allCodeqlVersions}`);
}
console.log('No versions of CodeQL found in the toolcache');
- id: init
uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Check CodeQL is installed within the toolcache
uses: actions/github-script@v7
with:
script: |
const toolcache = require('@actions/tool-cache');
const allCodeqlVersions = toolcache.findAllVersions('CodeQL');
console.log(`Found CodeQL versions: ${allCodeqlVersions}`);
if (allCodeqlVersions.length === 0) {
throw new Error('CodeQL not found in toolcache');
}
if (allCodeqlVersions.length > 1) {
throw new Error('Multiple CodeQL versions found in toolcache');
}
env:
CODEQL_ACTION_EXTRACT_TOOLCACHE: true
CODEQL_ACTION_TEST_MODE: true

78
github/codeql-action-v2/.github/workflows/__extractor-ram-threads.yml generated vendored Normal file
View file

@ -0,0 +1,78 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Extractor ram and threads options test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
extractor-ram-threads:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
name: Extractor ram and threads options test
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
languages: java
ram: 230
threads: 1
- name: Assert Results
shell: bash
run: |
if [ "${CODEQL_RAM}" != "230" ]; then
echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230"
exit 1
fi
if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then
echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230"
exit 1
fi
if [ "${CODEQL_THREADS}" != "1" ]; then
echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1"
exit 1
fi
if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then
echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1"
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

69
github/codeql-action-v2/.github/workflows/__go-custom-queries.yml generated vendored Normal file
View file

@ -0,0 +1,69 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Go: Custom queries'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
go-custom-queries:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
name: 'Go: Custom queries'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
- uses: ./../action/init
with:
languages: go
config-file: ./.github/codeql/custom-queries.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
CODEQL_ACTION_TEST_MODE: true

96
github/codeql-action-v2/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml generated vendored Normal file
View file

@ -0,0 +1,96 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Go: diagnostic when Go is changed after init step'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
go-indirect-tracing-workaround-diagnostic:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: default
name: 'Go: diagnostic when Go is changed after init step'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: actions/setup-go@v5
with:
# We need a Go version that ships with statically linked binaries on Linux
go-version: '>=1.21.0'
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
# Deliberately change Go after the `init` step
- uses: actions/setup-go@v5
with:
go-version: '1.20'
- name: Build code
shell: bash
run: go build main.go
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Check diagnostic appears in SARIF
uses: actions/github-script@v7
env:
SARIF_PATH: ${{ runner.temp }}/results/go.sarif
with:
script: |
const fs = require('fs');
const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
const run = sarif.runs[0];
const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
const statusPageNotifications = toolExecutionNotifications.filter(n =>
n.descriptor.id === 'go/workflow/go-installed-after-codeql-init' && n.properties?.visibility?.statusPage
);
if (statusPageNotifications.length !== 1) {
core.setFailed(
'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
`'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
`${statusPageNotifications.length}. All notification reporting descriptors: ` +
`${JSON.stringify(toolExecutionNotifications)}.`
);
}
env:
CODEQL_ACTION_TEST_MODE: true

97
github/codeql-action-v2/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml generated vendored Normal file
View file

@ -0,0 +1,97 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Go: diagnostic when `file` is not installed'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
go-indirect-tracing-workaround-no-file-program:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: default
name: 'Go: diagnostic when `file` is not installed'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: actions/setup-go@v5
with:
# We need a Go version that ships with statically linked binaries on Linux
go-version: '>=1.21.0'
- name: Remove `file` program
run: |
echo $(which file)
sudo rm -rf $(which file)
echo $(which file)
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: go build main.go
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Check diagnostic appears in SARIF
uses: actions/github-script@v7
env:
SARIF_PATH: ${{ runner.temp }}/results/go.sarif
with:
script: |
const fs = require('fs');
const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
const run = sarif.runs[0];
const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
const statusPageNotifications = toolExecutionNotifications.filter(n =>
n.descriptor.id === 'go/workflow/file-program-unavailable' && n.properties?.visibility?.statusPage
);
if (statusPageNotifications.length !== 1) {
core.setFailed(
'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
`'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
`${statusPageNotifications.length}. All notification reporting descriptors: ` +
`${JSON.stringify(toolExecutionNotifications)}.`
);
}
env:
CODEQL_ACTION_TEST_MODE: true

92
github/codeql-action-v2/.github/workflows/__go-indirect-tracing-workaround.yml generated vendored Normal file
View file

@ -0,0 +1,92 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Go: workaround for indirect tracing'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
go-indirect-tracing-workaround:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: default
name: 'Go: workaround for indirect tracing'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: actions/setup-go@v5
with:
# We need a Go version that ships with statically linked binaries on Linux
go-version: '>=1.21.0'
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: go build main.go
- uses: ./../action/analyze
- shell: bash
run: |
if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
"CODEQL_ACTION_GO_BINARY environment variable is not set."
exit 1
fi
if [[ ! -f "${CODEQL_ACTION_GO_BINARY}" ]]; then
echo "CODEQL_ACTION_GO_BINARY is set, but the corresponding script does not exist."
exit 1
fi
# Once we start running Bash 4.2 in all environments, we can replace the
# `! -z` flag with the more elegant `-v` which confirms that the variable
# is actually unset and not potentially set to a blank value.
if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
echo "Expected the Go autobuilder not to be run, but the" \
"CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
exit 1
fi
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d go ]]; then
echo "Did not find a Go database"
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

109
github/codeql-action-v2/.github/workflows/__go-tracing-autobuilder.yml generated vendored Normal file
View file

@ -0,0 +1,109 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Go: tracing with autobuilder step'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
go-tracing-autobuilder:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: stable-v2.15.5
- os: macos-latest
version: stable-v2.15.5
- os: ubuntu-latest
version: stable-v2.16.6
- os: macos-latest
version: stable-v2.16.6
- os: ubuntu-latest
version: stable-v2.17.6
- os: macos-latest
version: stable-v2.17.6
- os: ubuntu-latest
version: stable-v2.18.4
- os: macos-latest
version: stable-v2.18.4
- os: ubuntu-latest
version: stable-v2.19.4
- os: macos-latest
version: stable-v2.19.4
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
name: 'Go: tracing with autobuilder step'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: actions/setup-go@v5
with:
go-version: ~1.23.0
# to avoid potentially misleading autobuilder results where we expect it to download
# dependencies successfully, but they actually come from a warm cache
cache: false
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
- uses: ./../action/analyze
- shell: bash
run: |
if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then
echo "Expected the Go autobuilder to be run, but the" \
"CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was not true."
exit 1
fi
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d go ]]; then
echo "Did not find a Go database"
exit 1
fi
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
CODEQL_ACTION_TEST_MODE: true

113
github/codeql-action-v2/.github/workflows/__go-tracing-custom-build-steps.yml generated vendored Normal file
View file

@ -0,0 +1,113 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Go: tracing with custom build steps'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
go-tracing-custom-build-steps:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: stable-v2.15.5
- os: macos-latest
version: stable-v2.15.5
- os: ubuntu-latest
version: stable-v2.16.6
- os: macos-latest
version: stable-v2.16.6
- os: ubuntu-latest
version: stable-v2.17.6
- os: macos-latest
version: stable-v2.17.6
- os: ubuntu-latest
version: stable-v2.18.4
- os: macos-latest
version: stable-v2.18.4
- os: ubuntu-latest
version: stable-v2.19.4
- os: macos-latest
version: stable-v2.19.4
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
name: 'Go: tracing with custom build steps'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: actions/setup-go@v5
with:
go-version: ~1.23.0
# to avoid potentially misleading autobuilder results where we expect it to download
# dependencies successfully, but they actually come from a warm cache
cache: false
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: go build main.go
- uses: ./../action/analyze
- shell: bash
run: |
# Once we start running Bash 4.2 in all environments, we can replace the
# `! -z` flag with the more elegant `-v` which confirms that the variable
# is actually unset and not potentially set to a blank value.
if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
echo "Expected the Go autobuilder not to be run, but the" \
"CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
exit 1
fi
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d go ]]; then
echo "Did not find a Go database"
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

103
github/codeql-action-v2/.github/workflows/__go-tracing-legacy-workflow.yml generated vendored Normal file
View file

@ -0,0 +1,103 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Go: tracing with legacy workflow'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
go-tracing-legacy-workflow:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: stable-v2.15.5
- os: macos-latest
version: stable-v2.15.5
- os: ubuntu-latest
version: stable-v2.16.6
- os: macos-latest
version: stable-v2.16.6
- os: ubuntu-latest
version: stable-v2.17.6
- os: macos-latest
version: stable-v2.17.6
- os: ubuntu-latest
version: stable-v2.18.4
- os: macos-latest
version: stable-v2.18.4
- os: ubuntu-latest
version: stable-v2.19.4
- os: macos-latest
version: stable-v2.19.4
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
name: 'Go: tracing with legacy workflow'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: actions/setup-go@v5
with:
go-version: ~1.23.0
# to avoid potentially misleading autobuilder results where we expect it to download
# dependencies successfully, but they actually come from a warm cache
cache: false
- uses: ./../action/init
with:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
- shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d go ]]; then
echo "Did not find a Go database"
exit 1
fi
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
CODEQL_ACTION_TEST_MODE: true

134
github/codeql-action-v2/.github/workflows/__init-with-registries.yml generated vendored Normal file
View file

@ -0,0 +1,134 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Packaging: Download using registries'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
init-with-registries:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: windows-latest
version: default
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: 'Packaging: Download using registries'
permissions:
contents: read
packages: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Init with registries
uses: ./../action/init
with:
db-location: ${{ runner.temp }}/customDbLocation
tools: ${{ steps.prepare-test.outputs.tools-url }}
config-file: ./.github/codeql/codeql-config-registries.yml
languages: javascript
registries: |
- url: "https://ghcr.io/v2/"
packages: "*/*"
token: "${{ secrets.GITHUB_TOKEN }}"
- name: Verify packages installed
shell: bash
run: |
PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
if [[ -d $PRIVATE_PACK ]]
then
echo "$PRIVATE_PACK was installed."
else
echo "::error $PRIVATE_PACK pack was not installed."
exit 1
fi
if [[ -d $CODEQL_PACK1 ]]
then
echo "$CODEQL_PACK1 was installed."
else
echo "::error $CODEQL_PACK1 pack was not installed."
exit 1
fi
- name: Verify qlconfig.yml file was created
shell: bash
run: |
QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
echo "Expected qlconfig.yml file to be created at $QLCONFIG_PATH"
if [[ -f $QLCONFIG_PATH ]]
then
echo "qlconfig.yml file was created."
else
echo "::error qlconfig.yml file was not created."
exit 1
fi
- name: Verify contents of qlconfig.yml
# yq is not available on windows
if: runner.os != 'Windows'
shell: bash
run: |
QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml
cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")'
if [[ $? -eq 0 ]]
then
echo "Registry was added to qlconfig.yml file."
else
echo "::error Registry was not added to qlconfig.yml file."
echo "Contents of qlconfig.yml file:"
cat $QLCONFIG_PATH
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

79
github/codeql-action-v2/.github/workflows/__javascript-source-root.yml generated vendored Normal file
View file

@ -0,0 +1,79 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Custom source root
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
javascript-source-root:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: ubuntu-latest
version: default
- os: ubuntu-latest
version: nightly-latest
name: Custom source root
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Move codeql-action
shell: bash
run: |
mkdir ../new-source-root
mv * ../new-source-root
- uses: ./../action/init
with:
languages: javascript
source-root: ../new-source-root
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
skip-queries: true
- name: Assert database exists
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d javascript ]]; then
echo "Did not find a JavaScript database"
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

79
github/codeql-action-v2/.github/workflows/__job-run-uuid-sarif.yml generated vendored Normal file
View file

@ -0,0 +1,79 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Job run UUID added to SARIF
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
job-run-uuid-sarif:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: nightly-latest
name: Job run UUID added to SARIF
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
id: init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
- name: Upload SARIF
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
exit 1
else
echo "Found job run UUID '$actual'."
fi
env:
CODEQL_ACTION_TEST_MODE: true

69
github/codeql-action-v2/.github/workflows/__language-aliases.yml generated vendored Normal file
View file

@ -0,0 +1,69 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Language aliases
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
language-aliases:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
name: Language aliases
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
languages: C#,java-kotlin,swift,typescript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check languages
run: |
expected_languages="csharp,java,swift,javascript"
actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config)
if [ "$expected_languages" != "$actual_languages" ]; then
echo "Resolved languages did not match expected list. " \
"Expected languages: $expected_languages. Actual languages: $actual_languages."
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

158
github/codeql-action-v2/.github/workflows/__multi-language-autodetect.yml generated vendored Normal file
View file

@ -0,0 +1,158 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Multi-language repository
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
multi-language-autodetect:
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
version: stable-v2.15.5
- os: ubuntu-latest
version: stable-v2.15.5
- os: macos-latest
version: stable-v2.16.6
- os: ubuntu-latest
version: stable-v2.16.6
- os: macos-latest
version: stable-v2.17.6
- os: ubuntu-latest
version: stable-v2.17.6
- os: macos-latest
version: stable-v2.18.4
- os: ubuntu-latest
version: stable-v2.18.4
- os: macos-latest
version: stable-v2.19.4
- os: ubuntu-latest
version: stable-v2.19.4
- os: macos-latest
version: default
- os: ubuntu-latest
version: default
- os: macos-latest
version: linked
- os: ubuntu-latest
version: linked
- os: macos-latest
version: nightly-latest
- os: ubuntu-latest
version: nightly-latest
name: Multi-language repository
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
- uses: ./../action/init
id: init
with:
db-location: ${{ runner.temp }}/customDbLocation
languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby'
|| '' }}
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/actions/setup-swift
if: runner.os == 'macOS'
with:
codeql-path: ${{ steps.init.outputs.codeql-path }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
id: analysis
with:
upload-database: false
- name: Check language autodetect for all languages excluding Swift
shell: bash
run: |
CPP_DB=${{ fromJson(steps.analysis.outputs.db-locations).cpp }}
if [[ ! -d $CPP_DB ]] || [[ ! $CPP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for CPP, or created it in the wrong location."
exit 1
fi
CSHARP_DB=${{ fromJson(steps.analysis.outputs.db-locations).csharp }}
if [[ ! -d $CSHARP_DB ]] || [[ ! $CSHARP_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for C Sharp, or created it in the wrong location."
exit 1
fi
GO_DB=${{ fromJson(steps.analysis.outputs.db-locations).go }}
if [[ ! -d $GO_DB ]] || [[ ! $GO_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Go, or created it in the wrong location."
exit 1
fi
JAVA_DB=${{ fromJson(steps.analysis.outputs.db-locations).java }}
if [[ ! -d $JAVA_DB ]] || [[ ! $JAVA_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Java, or created it in the wrong location."
exit 1
fi
JAVASCRIPT_DB=${{ fromJson(steps.analysis.outputs.db-locations).javascript }}
if [[ ! -d $JAVASCRIPT_DB ]] || [[ ! $JAVASCRIPT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Javascript, or created it in the wrong location."
exit 1
fi
PYTHON_DB=${{ fromJson(steps.analysis.outputs.db-locations).python }}
if [[ ! -d $PYTHON_DB ]] || [[ ! $PYTHON_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Python, or created it in the wrong location."
exit 1
fi
RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
if [[ ! -d $RUBY_DB ]] || [[ ! $RUBY_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Ruby, or created it in the wrong location."
exit 1
fi
- name: Check language autodetect for Swift on macOS
if: runner.os == 'macOS'
shell: bash
run: |
SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
if [[ ! -d $SWIFT_DB ]] || [[ ! $SWIFT_DB == ${{ runner.temp }}/customDbLocation/* ]]; then
echo "Did not create a database for Swift, or created it in the wrong location."
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

106
github/codeql-action-v2/.github/workflows/__packaging-codescanning-config-inputs-js.yml generated vendored Normal file
View file

@ -0,0 +1,106 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Packaging: Config and input passed to the CLI'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
packaging-codescanning-config-inputs-js:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: windows-latest
version: default
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: 'Packaging: Config and input passed to the CLI'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging3.yml
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Check results
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run:
javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

106
github/codeql-action-v2/.github/workflows/__packaging-config-inputs-js.yml generated vendored Normal file
View file

@ -0,0 +1,106 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Packaging: Config and input'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
packaging-config-inputs-js:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: windows-latest
version: default
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: 'Packaging: Config and input'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging3.yml
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Check results
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run:
javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

105
github/codeql-action-v2/.github/workflows/__packaging-config-js.yml generated vendored Normal file
View file

@ -0,0 +1,105 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Packaging: Config file'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
packaging-config-js:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: windows-latest
version: default
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: 'Packaging: Config file'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging.yml
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Check results
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run:
javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

105
github/codeql-action-v2/.github/workflows/__packaging-inputs-js.yml generated vendored Normal file
View file

@ -0,0 +1,105 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: 'PR Check - Packaging: Action input'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
packaging-inputs-js:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: windows-latest
version: default
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: 'Packaging: Action input'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging2.yml
languages: javascript
packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
- name: Check results
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run:
javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

66
github/codeql-action-v2/.github/workflows/__remote-config.yml generated vendored Normal file
View file

@ -0,0 +1,66 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Remote config file
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
remote-config:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
name: Remote config file
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
languages: cpp,csharp,java,javascript,python
config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
github.sha }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:
CODEQL_ACTION_TEST_MODE: true

95
github/codeql-action-v2/.github/workflows/__resolve-environment-action.yml generated vendored Normal file
View file

@ -0,0 +1,95 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Resolve environment
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
resolve-environment-action:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: windows-latest
version: default
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: Resolve environment
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
languages: go,javascript-typescript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Resolve environment for Go
uses: ./../action/resolve-environment
id: resolve-environment-go
with:
language: go
- name: Fail if Go configuration missing
if: (!fromJSON(steps.resolve-environment-go.outputs.environment).configuration.go)
run: exit 1
- name: Resolve environment for JavaScript/TypeScript
uses: ./../action/resolve-environment
id: resolve-environment-js
with:
language: javascript-typescript
- name: Fail if JavaScript/TypeScript configuration present
if:
fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
run: exit 1
env:
CODEQL_ACTION_TEST_MODE: true

74
github/codeql-action-v2/.github/workflows/__rubocop-multi-language.yml generated vendored Normal file
View file

@ -0,0 +1,74 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - RuboCop multi-language
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
rubocop-multi-language:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: default
name: RuboCop multi-language
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.6
- name: Install Code Scanning integration
shell: bash
run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
- name: Install dependencies
shell: bash
run: bundle install
- name: RuboCop run
shell: bash
run: |
bash -c "
bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
[[ $? -ne 2 ]]
"
- uses: ./../action/upload-sarif
with:
sarif_file: rubocop.sarif
env:
CODEQL_ACTION_TEST_MODE: true

80
github/codeql-action-v2/.github/workflows/__ruby.yml generated vendored Normal file
View file

@ -0,0 +1,80 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Ruby analysis
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
ruby:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
name: Ruby analysis
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
languages: ruby
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
id: analysis
with:
upload-database: false
- name: Check database
shell: bash
run: |
RUBY_DB="${{ fromJson(steps.analysis.outputs.db-locations).ruby }}"
if [[ ! -d "$RUBY_DB" ]]; then
echo "Did not create a database for Ruby."
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

104
github/codeql-action-v2/.github/workflows/__split-workflow.yml generated vendored Normal file
View file

@ -0,0 +1,104 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Split workflow
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
split-workflow:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
name: Split workflow
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging3.yml
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
skip-queries: true
output: ${{ runner.temp }}/results
upload-database: false
- name: Assert No Results
shell: bash
run: |
if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
echo "Expected results directory to be empty after skipping query execution!"
exit 1
fi
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

80
github/codeql-action-v2/.github/workflows/__start-proxy.yml generated vendored Normal file
View file

@ -0,0 +1,80 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Start proxy
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
start-proxy:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
name: Start proxy
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
languages: csharp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Setup proxy for registries
id: proxy
uses: ./../action/start-proxy
with:
registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json"
}]'
- name: Print proxy outputs
run: |
echo "${{ steps.proxy.outputs.proxy_host }}"
echo "${{ steps.proxy.outputs.proxy_port }}"
echo "${{ steps.proxy.outputs.proxy_urls }}"
- name: Fail if proxy outputs are not set
if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port)
|| (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls)
run: exit 1
env:
CODEQL_ACTION_TEST_MODE: true

85
github/codeql-action-v2/.github/workflows/__submit-sarif-failure.yml generated vendored Normal file
View file

@ -0,0 +1,85 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Submit SARIF after failure
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
submit-sarif-failure:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: ubuntu-latest
version: default
- os: ubuntu-latest
version: nightly-latest
name: Submit SARIF after failure
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: actions/checkout@v4
- uses: ./init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Fail
# We want this job to pass if the Action correctly uploads the SARIF file for
# the failed run.
# Setting this step to continue on error means that it is marked as completing
# successfully, so will not fail the job.
continue-on-error: true
run: exit 1
- uses: ./analyze
# In a real workflow, this step wouldn't run. Since we used `continue-on-error`
# above, we manually disable it with an `if` condition.
if: false
with:
category: /test-codeql-version:${{ matrix.version }}
env:
# Internal-only environment variable used to indicate that the post-init Action
# should expect to upload a SARIF file for the failed run.
CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
# Make sure the uploading SARIF files feature is enabled.
CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
# Upload the failed SARIF file as an integration test of the API endpoint.
CODEQL_ACTION_TEST_MODE: false
# Mark telemetry for this workflow so it can be treated separately.
CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks

80
github/codeql-action-v2/.github/workflows/__swift-autobuild.yml generated vendored Normal file
View file

@ -0,0 +1,80 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Swift analysis using autobuild
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
swift-autobuild:
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
version: nightly-latest
name: Swift analysis using autobuild
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
id: init
with:
languages: swift
build-mode: autobuild
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd
- uses: ./../action/autobuild
timeout-minutes: 30
- uses: ./../action/analyze
id: analysis
with:
upload-database: false
- name: Check database
shell: bash
run: |
SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
if [[ ! -d "$SWIFT_DB" ]]; then
echo "Did not create a database for Swift."
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

85
github/codeql-action-v2/.github/workflows/__swift-custom-build.yml generated vendored Normal file
View file

@ -0,0 +1,85 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Swift analysis using a custom build command
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
swift-custom-build:
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
version: linked
- os: macos-latest
version: default
- os: macos-latest
version: nightly-latest
name: Swift analysis using a custom build command
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
id: init
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
id: analysis
with:
upload-database: false
- name: Check database
shell: bash
run: |
SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
if [[ ! -d "$SWIFT_DB" ]]; then
echo "Did not create a database for Swift."
exit 1
fi
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
CODEQL_ACTION_TEST_MODE: true

77
github/codeql-action-v2/.github/workflows/__test-autobuild-working-dir.yml generated vendored Normal file
View file

@ -0,0 +1,77 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Autobuild working directory
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
test-autobuild-working-dir:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
name: Autobuild working directory
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Test setup
shell: bash
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...
cp -a ../action/tests/java-repo autobuild-dir
# ... and fails if attempted in the current directory
echo > build.gradle
- uses: ./../action/init
with:
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
- uses: ./../action/analyze
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d java ]]; then
echo "Did not find a Java database"
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

70
github/codeql-action-v2/.github/workflows/__test-local-codeql.yml generated vendored Normal file
View file

@ -0,0 +1,70 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Local CodeQL bundle
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
test-local-codeql:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: nightly-latest
name: Local CodeQL bundle
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Fetch a CodeQL bundle
shell: bash
env:
CODEQL_URL: ${{ steps.prepare-test.outputs.tools-url }}
run: |
wget "$CODEQL_URL"
- id: init
uses: ./../action/init
with:
# Swift is not supported on Ubuntu so we manually exclude it from the list here
languages: cpp,csharp,go,java,javascript,python,ruby
tools: ./codeql-bundle-linux64.tar.zst
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:
CODEQL_ACTION_TEST_MODE: true

81
github/codeql-action-v2/.github/workflows/__test-proxy.yml generated vendored Normal file
View file

@ -0,0 +1,81 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Proxy test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
test-proxy:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
name: Proxy test
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
# These steps are required to initialise the `gh` cli in a container that doesn't
# come pre-installed with it. The reason for that is that this is later
# needed by the `prepare-test` workflow to find the latest release of CodeQL.
- name: Set up GitHub CLI
run: |
apt update
apt install -y curl libreadline8 gnupg2 software-properties-common zstd
curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
apt-key add /usr/share/keyrings/githubcli-archive-keyring.gpg
apt-add-repository https://cli.github.com/packages
apt install -y gh
env: {}
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'false'
- uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
env:
https_proxy: http://squid-proxy:3128
CODEQL_ACTION_TEST_MODE: true
container:
image: ubuntu:22.04
services:
squid-proxy:
image: ubuntu/squid:latest
ports:
- 3128:3128

111
github/codeql-action-v2/.github/workflows/__unset-environment.yml generated vendored Normal file
View file

@ -0,0 +1,111 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Test unsetting environment variables
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
unset-environment:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: ubuntu-latest
version: nightly-latest
name: Test unsetting environment variables
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
id: init
with:
db-location: ${{ runner.temp }}/customDbLocation
# Swift is not supported on Ubuntu so we manually exclude it from the list here
languages: cpp,csharp,go,java,javascript,python,ruby
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: actions/setup-go@v5
with:
go-version: '>=1.21.0'
- name: Build code
shell: bash
run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
- uses: ./../action/analyze
id: analysis
with:
upload-database: false
- shell: bash
run: |
CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}"
if [[ ! -d "$CPP_DB" ]] || [[ ! "$CPP_DB" == "${RUNNER_TEMP}/customDbLocation/cpp" ]]; then
echo "::error::Did not create a database for CPP, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/cpp' but actual was '${CPP_DB}'"
exit 1
fi
CSHARP_DB="${{ fromJson(steps.analysis.outputs.db-locations).csharp }}"
if [[ ! -d "$CSHARP_DB" ]] || [[ ! "$CSHARP_DB" == "${RUNNER_TEMP}/customDbLocation/csharp" ]]; then
echo "::error::Did not create a database for C Sharp, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/csharp' but actual was '${CSHARP_DB}'"
exit 1
fi
GO_DB="${{ fromJson(steps.analysis.outputs.db-locations).go }}"
if [[ ! -d "$GO_DB" ]] || [[ ! "$GO_DB" == "${RUNNER_TEMP}/customDbLocation/go" ]]; then
echo "::error::Did not create a database for Go, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/go' but actual was '${GO_DB}'"
exit 1
fi
JAVA_DB="${{ fromJson(steps.analysis.outputs.db-locations).java }}"
if [[ ! -d "$JAVA_DB" ]] || [[ ! "$JAVA_DB" == "${RUNNER_TEMP}/customDbLocation/java" ]]; then
echo "::error::Did not create a database for Java, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/java' but actual was '${JAVA_DB}'"
exit 1
fi
JAVASCRIPT_DB="${{ fromJson(steps.analysis.outputs.db-locations).javascript }}"
if [[ ! -d "$JAVASCRIPT_DB" ]] || [[ ! "$JAVASCRIPT_DB" == "${RUNNER_TEMP}/customDbLocation/javascript" ]]; then
echo "::error::Did not create a database for Javascript, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/javascript' but actual was '${JAVASCRIPT_DB}'"
exit 1
fi
PYTHON_DB="${{ fromJson(steps.analysis.outputs.db-locations).python }}"
if [[ ! -d "$PYTHON_DB" ]] || [[ ! "$PYTHON_DB" == "${RUNNER_TEMP}/customDbLocation/python" ]]; then
echo "::error::Did not create a database for Python, or created it in the wrong location." \
"Expected location was '${RUNNER_TEMP}/customDbLocation/python' but actual was '${PYTHON_DB}'"
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

77
github/codeql-action-v2/.github/workflows/__upload-ref-sha-input.yml generated vendored Normal file
View file

@ -0,0 +1,77 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
upload-ref-sha-input:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: windows-latest
version: default
name: "Upload-sarif: 'ref' and 'sha' from inputs"
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
languages: cpp,csharp,java,javascript,python
config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{
github.sha }}
- name: Build code
shell: bash
run: ./build.sh
# Generate some SARIF we can upload with the upload-sarif step
- uses: ./../action/analyze
with:
ref: refs/heads/main
sha: 5e235361806c361d4d3f8859e3c897658025a9a2
upload: never
- uses: ./../action/upload-sarif
with:
ref: refs/heads/main
sha: 5e235361806c361d4d3f8859e3c897658025a9a2
env:
CODEQL_ACTION_TEST_MODE: true

119
github/codeql-action-v2/.github/workflows/__with-checkout-path.yml generated vendored Normal file
View file

@ -0,0 +1,119 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Use a custom `checkout_path`
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
with-checkout-path:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: windows-latest
version: linked
name: Use a custom `checkout_path`
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Delete original checkout
shell: bash
run: |
# delete the original checkout so we don't accidentally use it.
# Actions does not support deleting the current working directory, so we
# delete the contents of the directory instead.
rm -rf ./* .github .git
# Check out the actions repo again, but at a different location.
# choose an arbitrary SHA so that we can later test that the commit_oid is not from main
- uses: actions/checkout@v4
with:
ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
path: x/y/z/some-path
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
# it's enough to test one compiled language and one interpreted language
languages: csharp,javascript
source-root: x/y/z/some-path/tests/multi-language-repo
- name: Build code
shell: bash
working-directory: x/y/z/some-path/tests/multi-language-repo
run: |
./build.sh
- uses: ./../action/analyze
with:
checkout_path: x/y/z/some-path/tests/multi-language-repo
ref: v1.1.0
sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
- name: Verify SARIF after upload
shell: bash
run: |
EXPECTED_COMMIT_OID="474bbf07f9247ffe1856c6a0f94aeeb10e7afee6"
EXPECTED_REF="v1.1.0"
EXPECTED_CHECKOUT_URI_SUFFIX="/x/y/z/some-path/tests/multi-language-repo"
ACTUAL_COMMIT_OID="$(cat "$RUNNER_TEMP/payload.json" | jq -r .commit_oid)"
ACTUAL_REF="$(cat "$RUNNER_TEMP/payload.json" | jq -r .ref)"
ACTUAL_CHECKOUT_URI="$(cat "$RUNNER_TEMP/payload.json" | jq -r .checkout_uri)"
if [[ "$EXPECTED_COMMIT_OID" != "$ACTUAL_COMMIT_OID" ]]; then
echo "::error Invalid commit oid. Expected: $EXPECTED_COMMIT_OID Actual: $ACTUAL_COMMIT_OID"
echo "$RUNNER_TEMP/payload.json"
exit 1
fi
if [[ "$EXPECTED_REF" != "$ACTUAL_REF" ]]; then
echo "::error Invalid ref. Expected: '$EXPECTED_REF' Actual: '$ACTUAL_REF'"
echo "$RUNNER_TEMP/payload.json"
exit 1
fi
if [[ "$ACTUAL_CHECKOUT_URI" != *$EXPECTED_CHECKOUT_URI_SUFFIX ]]; then
echo "::error Invalid checkout URI suffix. Expected suffix: $EXPECTED_CHECKOUT_URI_SUFFIX Actual uri: $ACTUAL_CHECKOUT_URI"
echo "$RUNNER_TEMP/payload.json"
exit 1
fi
env:
CODEQL_ACTION_TEST_MODE: true

115
github/codeql-action-v2/.github/workflows/__zstd-bundle-streaming.yml generated vendored Normal file
View file

@ -0,0 +1,115 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Zstandard bundle (streaming)
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
zstd-bundle-streaming:
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
version: linked
- os: ubuntu-latest
version: linked
name: Zstandard bundle (streaming)
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Remove CodeQL from toolcache
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const path = require('path');
const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
if (codeqlPath !== undefined) {
fs.rmdirSync(codeqlPath, { recursive: true });
}
- id: init
uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Upload SARIF
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.os }}-zstd-bundle.sarif
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check diagnostic with expected tools URL appears in SARIF
uses: actions/github-script@v7
env:
SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
with:
script: |
const fs = require('fs');
const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
const run = sarif.runs[0];
const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
n.descriptor.id === 'codeql-action/bundle-download-telemetry'
);
if (downloadTelemetryNotifications.length !== 1) {
core.setFailed(
'Expected exactly one reporting descriptor in the ' +
`'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
`${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
`${JSON.stringify(toolExecutionNotifications)}.`
);
}
const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
console.log(`Found tools URL: ${toolsUrl}`);
if (!toolsUrl.endsWith('.tar.zst')) {
core.setFailed(
`Expected the tools URL to be a .tar.zst file, but found ${toolsUrl}.`
);
}
env:
CODEQL_ACTION_ZSTD_BUNDLE: true
CODEQL_ACTION_ZSTD_BUNDLE_STREAMING_EXTRACTION: true
CODEQL_ACTION_TEST_MODE: true

118
github/codeql-action-v2/.github/workflows/__zstd-bundle.yml generated vendored Normal file
View file

@ -0,0 +1,118 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
name: PR Check - Zstandard bundle
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
zstd-bundle:
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
version: linked
- os: ubuntu-latest
version: linked
- os: windows-latest
version: linked
name: Zstandard bundle
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Setup Python on macOS
uses: actions/setup-python@v5
if: runner.os == 'macOS' && matrix.version == 'stable-v2.14.6'
with:
python-version: '3.11'
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: 'false'
setup-kotlin: 'true'
- name: Remove CodeQL from toolcache
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const path = require('path');
const codeqlPath = path.join(process.env['RUNNER_TOOL_CACHE'], 'CodeQL');
if (codeqlPath !== undefined) {
fs.rmdirSync(codeqlPath, { recursive: true });
}
- id: init
uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
- name: Upload SARIF
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.os }}-zstd-bundle.sarif
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check diagnostic with expected tools URL appears in SARIF
uses: actions/github-script@v7
env:
SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
with:
script: |
const fs = require('fs');
const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
const run = sarif.runs[0];
const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
const downloadTelemetryNotifications = toolExecutionNotifications.filter(n =>
n.descriptor.id === 'codeql-action/bundle-download-telemetry'
);
if (downloadTelemetryNotifications.length !== 1) {
core.setFailed(
'Expected exactly one reporting descriptor in the ' +
`'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
`${downloadTelemetryNotifications.length}. All notification reporting descriptors: ` +
`${JSON.stringify(toolExecutionNotifications)}.`
);
}
const toolsUrl = downloadTelemetryNotifications[0].properties.attributes.toolsUrl;
console.log(`Found tools URL: ${toolsUrl}`);
const expectedExtension = process.env['RUNNER_OS'] === 'Windows' ? '.tar.gz' : '.tar.zst';
if (!toolsUrl.endsWith(expectedExtension)) {
core.setFailed(
`Expected the tools URL to be a ${expectedExtension} file, but found ${toolsUrl}.`
);
}
env:
CODEQL_ACTION_ZSTD_BUNDLE: true
CODEQL_ACTION_TEST_MODE: true

25
github/codeql-action-v2/.github/workflows/check-expected-release-files.yml vendored Normal file
View file

@ -0,0 +1,25 @@
name: Check Expected Release Files
on:
pull_request:
paths:
- .github/workflows/check-expected-release-files.yml
- src/defaults.json
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows.
types: [opened, synchronize, reopened, ready_for_review]
jobs:
check-expected-release-files:
runs-on: ubuntu-latest
steps:
- name: Checkout CodeQL Action
uses: actions/checkout@v4
- name: Check Expected Release Files
run: |
bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
set -x
for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz"; do
curl --location --fail --head --request GET "https://github.com/github/codeql-action/releases/download/$bundle_version/$expected_file" > /dev/null
done

101
github/codeql-action-v2/.github/workflows/codeql.yml vendored Normal file
View file

@ -0,0 +1,101 @@
name: "CodeQL action"
on:
push:
branches: [main, releases/v*]
pull_request:
branches: [main, releases/v*]
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows.
types: [opened, synchronize, reopened, ready_for_review]
schedule:
# Weekly on Sunday.
- cron: '30 1 * * 0'
workflow_dispatch:
env:
CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
jobs:
# Identify the CodeQL tool versions to use in the analysis job.
check-codeql-versions:
runs-on: ubuntu-latest
outputs:
versions: ${{ steps.compare.outputs.versions }}
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- name: Init with default CodeQL bundle from the VM image
id: init-default
uses: ./init
with:
languages: javascript
- name: Remove empty database
# allows us to run init a second time
run: |
rm -rf "$RUNNER_TEMP/codeql_databases"
- name: Init with latest CodeQL bundle
id: init-latest
uses: ./init
with:
tools: linked
languages: javascript
- name: Compare default and latest CodeQL bundle versions
id: compare
env:
CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
run: |
CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
# If we're running on a pull request, run with both bundles, even if `tools: linked` would
# be the same as `tools: null`. This allows us to make the job for each of the bundles a
# required status check.
#
# If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
# the same as running with `tools: null`.
if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
VERSIONS_JSON='[null]'
else
VERSIONS_JSON='[null, "linked"]'
fi
# Output a JSON-encoded list with the distinct versions to test against.
echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT
build:
needs: [check-codeql-versions]
strategy:
fail-fast: false
matrix:
os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-13,macos-14]
tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
runs-on: ${{ matrix.os }}
permissions:
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: ./init
id: init
with:
languages: javascript
config-file: ./.github/codeql/codeql-config.yml
tools: ${{ matrix.tools }}
# confirm steps.init.outputs.codeql-path points to the codeql binary
- name: Print CodeQL Version
run: ${{steps.init.outputs.codeql-path}} version --format=json
- name: Perform CodeQL Analysis
uses: ./analyze
with:
category: "/language:javascript"

208
github/codeql-action-v2/.github/workflows/codescanning-config-cli.yml vendored Normal file
View file

@ -0,0 +1,208 @@
# Tests that the generated code scanning config file contains the expected contents
name: Code-Scanning config CLI tests
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
code-scanning-config-tests:
continue-on-error: true
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: linked
- os: macos-latest
version: linked
- os: ubuntu-latest
version: default
- os: macos-latest
version: default
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
# Code-Scanning config not created because environment variable is not set
name: Code Scanning Configuration tests
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Empty file
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: "{}"
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Packs from input
if: success() || failure()
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
languages: javascript
packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Packs from input with +
if: success() || failure()
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
languages: javascript
packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries from input
if: success() || failure()
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }]
}
languages: javascript
queries: ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries from input with +
if: success() || failure()
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }]
}
languages: javascript
queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries and packs from input with +
if: success() || failure()
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
"packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
languages: javascript
queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries and packs from config
if: success() || failure()
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }],
"packs": {
"javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
}
languages: javascript
config-file-test: .github/codeql/queries-and-packs-config.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries and packs from config overriden by input
if: success() || failure()
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
"packs": ["codeql/javascript-queries"]
}
languages: javascript
queries: ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
packs: codeql/javascript-queries
config-file-test: .github/codeql/queries-and-packs-config.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries and packs from config merging with input
if: success() || failure()
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [
{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" },
{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
],
"packs": {
"javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
}
}
languages: javascript
queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
packs: + codeql/javascript-queries
config-file-test: .github/codeql/queries-and-packs-config.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Multi-language packs from config
if: success() || failure()
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": {
"javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ],
"ruby": ["codeql/ruby-queries"]
},
"queries": [
{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }
]
}
languages: javascript,ruby
config-file-test: .github/codeql/multi-language-packs-config.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Other config properties
if: success() || failure()
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"name": "Config using all properties",
"packs": ["codeql/javascript-queries" ],
"disable-default-queries": true,
"paths-ignore": ["xxx"],
"paths": ["yyy"]
}
languages: javascript
packs: + codeql/javascript-queries
config-file-test: .github/codeql/other-config-properties.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}

87
github/codeql-action-v2/.github/workflows/debug-artifacts-failure.yml vendored Normal file
View file

@ -0,0 +1,87 @@
# Checks logs, SARIF, and database bundle debug artifacts exist
# when the analyze step fails.
name: PR Check - Debug artifacts after failure
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
upload-artifacts:
name: Upload debug artifacts after failure in analyze
continue-on-error: true
env:
CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Dump GitHub event
run: cat "${GITHUB_EVENT_PATH}"
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: linked
- uses: actions/setup-go@v5
with:
go-version: ^1.13.1
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
debug: true
debug-artifact-name: my-debug-artifacts
debug-database-name: my-db
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
id: analysis
env:
# Forces a failure in this step.
CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
with:
expect-error: true
download-and-check-artifacts:
name: Download and check debug artifacts after failure in analyze
needs: upload-artifacts
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Download all artifacts
uses: actions/download-artifact@v4
- name: Check expected artifacts exist
shell: bash
run: |
LANGUAGES="cpp csharp go java javascript python"
cd "./my-debug-artifacts"
echo "Artifacts from run:"
for language in $LANGUAGES; do
echo "- Checking $language"
if [[ ! -f "my-db-$language-partial.zip" ]] ; then
echo "Missing a partial database bundle for $language"
exit 1
fi
if [[ ! -d "log" ]] ; then
echo "Missing database initialization logs"
exit 1
fi
if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
echo "Missing logs for $language"
exit 1
fi
done
env:
GO111MODULE: auto

97
github/codeql-action-v2/.github/workflows/debug-artifacts.yml vendored Normal file
View file

@ -0,0 +1,97 @@
# Checks logs, SARIF, and database bundle debug artifacts exist.
name: PR Check - Debug artifact upload
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
upload-artifacts:
strategy:
fail-fast: false
matrix:
version:
- stable-v2.15.5
- stable-v2.16.6
- stable-v2.17.6
- stable-v2.18.4
- stable-v2.19.4
- default
- linked
- nightly-latest
name: Upload debug artifacts
env:
CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: actions/setup-go@v5
with:
go-version: ^1.13.1
- uses: ./../action/init
id: init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
debug: true
debug-artifact-name: my-debug-artifacts
debug-database-name: my-db
# We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
languages: cpp,csharp,go,java,javascript,python,ruby
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
id: analysis
download-and-check-artifacts:
name: Download and check debug artifacts
needs: upload-artifacts
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Download all artifacts
uses: actions/download-artifact@v4
- name: Check expected artifacts exist
shell: bash
run: |
VERSIONS="stable-v2.15.5 stable-v2.16.6 stable-v2.17.6 stable-v2.18.4 stable-v2.19.4 default linked nightly-latest"
LANGUAGES="cpp csharp go java javascript python"
for version in $VERSIONS; do
pushd "./my-debug-artifacts-${version//./}"
echo "Artifacts from version $version:"
for language in $LANGUAGES; do
echo "- Checking $language"
if [[ ! -f "$language.sarif" ]] ; then
echo "Missing a SARIF file for $language"
exit 1
fi
if [[ ! -f "my-db-$language.zip" ]] ; then
echo "Missing a database bundle for $language"
exit 1
fi
if [[ ! -d "$language/log" ]] ; then
echo "Missing logs for $language"
exit 1
fi
done
popd
done
env:
GO111MODULE: auto

49
github/codeql-action-v2/.github/workflows/expected-queries-runs.yml vendored Normal file
View file

@ -0,0 +1,49 @@
name: Check queries that ran
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
expected-queries:
name: Expected Queries Tests
env:
CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: linked
- uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
- name: Check Sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/incomplete-hostname-regexp,js/path-injection
queries-not-run: foo,bar

184
github/codeql-action-v2/.github/workflows/post-release-mergeback.yml vendored Normal file
View file

@ -0,0 +1,184 @@
# This workflow runs after a merge to any release branch of the action. It:
# 1. Tags the merge commit on the release branch that represents the new release with an `vN.x.y`
# tag
# 2. Updates the `vN` tag to refer to this merge commit.
# 3. Iff vN == vLatest, merges any changes from the release back into the main branch.
# Typically, this is two commits one to update the version number and one to update dependencies.
name: Tag release and merge back
on:
workflow_dispatch:
inputs:
baseBranch:
description: 'The base branch to merge into'
default: main
required: false
push:
branches:
- releases/v*
jobs:
merge-back:
runs-on: ubuntu-latest
environment: Automation
if: github.repository == 'github/codeql-action'
env:
BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
steps:
- name: Dump environment
run: env
- name: Dump GitHub context
env:
GITHUB_CONTEXT: '${{ toJson(github) }}'
run: echo "${GITHUB_CONTEXT}"
- uses: actions/checkout@v4
with:
fetch-depth: 0 # ensure we have all tags and can push commits
- uses: actions/setup-node@v4
- name: Update git config
run: |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
- name: Get version and new branch
id: getVersion
run: |
VERSION="v$(jq '.version' -r 'package.json')"
echo "version=${VERSION}" >> $GITHUB_OUTPUT
short_sha="${GITHUB_SHA:0:8}"
NEW_BRANCH="mergeback/${VERSION}-to-${BASE_BRANCH}-${short_sha}"
echo "newBranch=${NEW_BRANCH}" >> $GITHUB_OUTPUT
LATEST_RELEASE_BRANCH=$(git branch -r | grep -E "origin/releases/v[0-9]+$" | sed 's/origin\///g' | sort -V | tail -1 | xargs)
echo "latest_release_branch=${LATEST_RELEASE_BRANCH}" >> $GITHUB_OUTPUT
- name: Dump branches
env:
NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
run: |
echo "BASE_BRANCH ${BASE_BRANCH}"
echo "HEAD_BRANCH ${HEAD_BRANCH}"
echo "NEW_BRANCH ${NEW_BRANCH}"
echo "LATEST_RELEASE_BRANCH ${LATEST_RELEASE_BRANCH}"
echo "GITHUB_REF ${GITHUB_REF}"
- name: Create mergeback branch
env:
NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
run: |
git checkout -b "${NEW_BRANCH}"
- name: Check for tag
id: check
env:
VERSION: "${{ steps.getVersion.outputs.version }}"
run: |
set +e # don't fail on an errored command
git ls-remote --tags origin | grep "${VERSION}"
exists="$?"
if [ "${exists}" -eq 0 ]; then
echo "Tag ${VERSION} exists. Not going to re-release."
echo "exists=true" >> $GITHUB_OUTPUT
else
echo "Tag ${VERSION} does not exist yet."
fi
# we didn't tag the release during the update-release-branch workflow because the
# commit that actually makes it to the release branch is a merge commit,
# and not yet known during the first workflow. We tag now because we know the correct commit.
- name: Tag release
if: steps.check.outputs.exists != 'true'
env:
VERSION: ${{ steps.getVersion.outputs.version }}
run: |
# Create the `vx.y.z` tag
git tag --annotate "${VERSION}" --message "${VERSION}"
# Update the `vx` tag
major_version_tag=$(cut -d '.' -f1 <<< "${VERSION}")
# Use `--force` to overwrite the major version tag
git tag --annotate "${major_version_tag}" --message "${major_version_tag}" --force
# Push the tags, using:
# - `--atomic` to make sure we either update both tags or neither (an intermediate state,
# e.g. where we update the vN.x.y tag on the remote but not the vN tag, could result in
# unwanted Dependabot updates, e.g. from vN to vN.x.y)
# - `--force` since we're overwriting the `vN` tag
git push origin --atomic --force refs/tags/"${VERSION}" refs/tags/"${major_version_tag}"
- name: Prepare partial Changelog
env:
PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
VERSION: "${{ steps.getVersion.outputs.version }}"
run: |
python .github/workflows/script/prepare_changelog.py CHANGELOG.md "$VERSION" > $PARTIAL_CHANGELOG
echo "::group::Partial CHANGELOG"
cat $PARTIAL_CHANGELOG
echo "::endgroup::"
- name: Create mergeback branch
if: ${{ steps.check.outputs.exists != 'true' && endsWith(github.ref_name, steps.getVersion.outputs.latest_release_branch) }}
env:
VERSION: "${{ steps.getVersion.outputs.version }}"
NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
run: |
set -exu
pr_title="Mergeback ${VERSION} ${HEAD_BRANCH} into ${BASE_BRANCH}"
pr_body=$(cat << EOF
This PR bumps the version number and updates the changelog after the ${VERSION} release.
Please do the following:
- [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.
- [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.
- [ ] Mark the PR as ready for review to trigger the full set of PR checks.
- [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
selected rather than "Squash and merge" or "Rebase and merge".
EOF
)
# Update the version number ready for the next release
npm version patch --no-git-tag-version
# Update the changelog, adding a new version heading directly above the most recent existing one
awk '!f && /##/{print "'"## [UNRELEASED]\n\nNo user facing changes.\n"'"; f=1}1' CHANGELOG.md > temp && mv temp CHANGELOG.md
git add .
git commit -m "Update changelog and version after ${VERSION}"
git push origin "${NEW_BRANCH}"
# PR checks won't be triggered on PRs created by Actions. Therefore mark the PR as draft
# so that a maintainer can take the PR out of draft, thereby triggering the PR checks.
gh pr create \
--head "${NEW_BRANCH}" \
--base "${BASE_BRANCH}" \
--title "${pr_title}" \
--label "Update dependencies" \
--body "${pr_body}" \
--assignee "${GITHUB_ACTOR}" \
--draft
- name: Generate token
uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
id: app-token
with:
app-id: ${{ vars.AUTOMATION_APP_ID }}
private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
- name: Create the GitHub release
env:
PARTIAL_CHANGELOG: "${{ runner.temp }}/partial_changelog.md"
VERSION: "${{ steps.getVersion.outputs.version }}"
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
# Do not mark this release as latest. The most recent CLI release must be marked as latest.
gh release create \
"$VERSION" \
--latest=false \
--title "$VERSION" \
--notes-file "$PARTIAL_CHANGELOG"

162
github/codeql-action-v2/.github/workflows/pr-checks.yml vendored Normal file
View file

@ -0,0 +1,162 @@
name: PR Checks
on:
push:
pull_request:
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows.
types: [opened, synchronize, reopened, ready_for_review]
workflow_dispatch:
jobs:
check-js:
name: Check JS
runs-on: ubuntu-latest
timeout-minutes: 45
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
node-types-version: [16.11, current] # we backport this matrix job in order to maintain the same check names
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Lint
id: lint
run: npm run-script lint-ci
- name: Upload sarif
uses: github/codeql-action/upload-sarif@v3
# Only upload SARIF for the latest version of Node.js
if: "!cancelled() && matrix.node-types-version == 'current' && !startsWith(github.head_ref, 'dependabot/')"
with:
sarif_file: eslint.sarif
category: eslint
- name: Update version of @types/node
if: matrix.node-types-version != 'current'
env:
NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
run: |
# Export `NODE_TYPES_VERSION` so it's available to jq
export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
echo "${contents}" > package.json
# Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
# However we're not checking in the updated lockfile here, so it's fine to run
# `npm install` on Linux.
npm install
if [ ! -z "$(git status --porcelain)" ]; then
git config --global user.email "github-actions@github.com"
git config --global user.name "github-actions[bot]"
# The period in `git add --all .` ensures that we stage deleted files too.
git add --all .
git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
fi
- name: Check generated JS
if: matrix.node-types-version != 'current' # we do not need to test the newer node on the v2 branch
run: .github/workflows/script/check-js.sh
check-node-modules:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check modules up to date
runs-on: macos-latest
timeout-minutes: 45
steps:
- uses: actions/checkout@v4
- name: Check node modules up to date
run: .github/workflows/script/check-node-modules.sh
check-file-contents:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check file contents
runs-on: ubuntu-latest
timeout-minutes: 45
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: 3.11
- name: Install dependencies
run: |
python -m pip install --upgrade pip
# When updating this, update the autogenerated code header in `sync.py` too.
pip install ruamel.yaml==0.17.31
# Ensure the generated PR check workflows are up to date.
- name: Verify PR checks up to date
run: .github/workflows/script/verify-pr-checks.sh
npm-test:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Unit Test
needs: [check-js, check-node-modules]
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
timeout-minutes: 45
steps:
- uses: actions/checkout@v4
- name: npm test
run: |
# Run any commands referenced in package.json using Bash, otherwise
# we won't be able to find them on Windows.
npm config set script-shell bash
npm test
check-node-version:
if: github.event.pull_request
name: Check Action Node versions
runs-on: ubuntu-latest
timeout-minutes: 45
env:
BASE_REF: ${{ github.base_ref }}
steps:
- uses: actions/checkout@v4
- id: head-version
name: Verify all Actions use the same Node version
run: |
NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
echo "NODE_VERSION: ${NODE_VERSION}"
if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
echo "::error::More than one node version used in 'action.yml' files."
exit 1
fi
echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
- id: checkout-base
name: 'Backport: Check out base ref'
if: ${{ startsWith(github.head_ref, 'backport-') }}
uses: actions/checkout@v4
with:
ref: ${{ env.BASE_REF }}
- name: 'Backport: Verify Node versions unchanged'
if: steps.checkout-base.outcome == 'success'
env:
HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
run: |
BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
echo "HEAD_VERSION: ${HEAD_VERSION}"
echo "BASE_VERSION: ${BASE_VERSION}"
if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
echo "::error::Cannot change the Node version of an Action in a backport PR."
exit 1
fi

35
github/codeql-action-v2/.github/workflows/publish-immutable-action.yml vendored Normal file
View file

@ -0,0 +1,35 @@
name: 'Publish Immutable Action Version'
on:
release:
types: [published]
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Check release name
id: check
env:
RELEASE_NAME: ${{ github.event.release.name }}
run: |
echo "Release name: ${{ github.event.release.name }}"
if [[ $RELEASE_NAME == v* ]]; then
echo "This is a CodeQL Action release. Create an Immutable Action"
echo "is-action-release=true" >> $GITHUB_OUTPUT
else
echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
echo "is-action-release=false" >> $GITHUB_OUTPUT
fi
- name: Checking out
if: steps.check.outputs.is-action-release == 'true'
uses: actions/checkout@v4
- name: Publish
if: steps.check.outputs.is-action-release == 'true'
id: publish
uses: actions/publish-immutable-action@v0.0.4

41
github/codeql-action-v2/.github/workflows/python312-windows.yml vendored Normal file
View file

@ -0,0 +1,41 @@
name: Test that the workaround for python 3.12 on windows works
on:
push:
branches: [main, releases/v*]
pull_request:
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows.
types: [opened, synchronize, reopened, ready_for_review]
schedule:
# Weekly on Monday.
- cron: '0 0 * * 1'
workflow_dispatch:
jobs:
test-setup-python-scripts:
env:
CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45
runs-on: windows-latest
steps:
- uses: actions/setup-python@v5
with:
python-version: 3.12
- uses: actions/checkout@v4
- name: Prepare test
uses: ./.github/actions/prepare-test
with:
version: default
- name: Initialize CodeQL
uses: ./../action/init
with:
tools: linked
languages: python
- name: Analyze
uses: ./../action/analyze

57
github/codeql-action-v2/.github/workflows/query-filters.yml vendored Normal file
View file

@ -0,0 +1,57 @@
name: Query filters tests
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
query-filters:
name: Query Filters Tests
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: linked
- name: Check SARIF for default queries with Single include, Single exclude
uses: ./../action/.github/actions/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip
queries-not-run: js/path-injection
config-file: ./.github/codeql/codeql-config-query-filters1.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check SARIF for query packs with Single include, Single exclude
uses: ./../action/.github/actions/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block
queries-not-run: js/path-injection
config-file: ./.github/codeql/codeql-config-query-filters2.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check SARIF for query packs and local queries with Single include, Single exclude
uses: ./../action/.github/actions/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs
queries-not-run: js/path-injection,complex-python-querypack/show-ifs,complex-python-querypack/foo/bar/show-ifs
config-file: ./.github/codeql/codeql-config-query-filters3.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}

79
github/codeql-action-v2/.github/workflows/rebuild.yml vendored Normal file
View file

@ -0,0 +1,79 @@
name: Rebuild Action
on:
pull_request:
types: [labeled]
workflow_dispatch:
jobs:
rebuild:
name: Rebuild Action
runs-on: ubuntu-latest
if: github.event.label.name == 'Rebuild'
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Remove label
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
gh pr edit --repo github/codeql-action "$PR_NUMBER" \
--remove-label "Rebuild"
- name: Merge in changes from base branch
env:
BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
run: |
git fetch origin "$BASE_BRANCH"
# Allow merge conflicts in `lib`, since rebuilding should resolve them.
git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected"
# Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
# since `node_modules/@types/semver/README.md` fails it.
if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
echo "Merge conflicts detected outside of lib/ directory. Please resolve them manually."
git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
exit 1
fi
- name: Compile TypeScript
run: |
npm install
npm run lint -- --fix
npm run build
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: 3.11
- name: Generate workflows
run: |
cd pr-checks
python -m pip install --upgrade pip
pip install ruamel.yaml==0.17.31
python3 sync.py
- name: Check for changes and push
env:
BRANCH: ${{ github.event.pull_request.head.ref }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
if [ ! -z "$(git status --porcelain)" ]; then
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
git add --all
git commit -m "Rebuild"
git push origin "HEAD:$BRANCH"
echo "Pushed a commit to rebuild the Action." \
"Please mark the PR as ready for review to trigger PR checks." |
gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
fi

21
github/codeql-action-v2/.github/workflows/script/check-js.sh vendored Executable file
View file

@ -0,0 +1,21 @@
#!/bin/bash
set -eu
# Sanity check that repo is clean to start with
if [ ! -z "$(git status --porcelain)" ]; then
# If we get a fail here then this workflow needs attention...
>&2 echo "Failed: Repo should be clean before testing!"
exit 1
fi
# Wipe the lib directory in case there are extra unnecessary files in there
rm -rf lib
# Generate the JavaScript files
npm run-script build
# Check that repo is still clean
if [ ! -z "$(git status --porcelain)" ]; then
# If we get a fail here then the PR needs attention
>&2 echo "Failed: JavaScript files are not up to date. Run 'rm -rf lib && npm run-script build' to update"
git status
exit 1
fi
echo "Success: JavaScript files are up to date"

20
github/codeql-action-v2/.github/workflows/script/check-node-modules.sh vendored Executable file
View file

@ -0,0 +1,20 @@
#!/bin/bash
set -eu
# Sanity check that repo is clean to start with
if [ ! -z "$(git status --porcelain)" ]; then
# If we get a fail here then this workflow needs attention...
>&2 echo "Failed: Repo should be clean before testing!"
exit 1
fi
"$(dirname "$0")/update-node-modules.sh" check-only
# Check that repo is still clean
if [ ! -z "$(git status --porcelain)" ]; then
# If we get a fail here then the PR needs attention
>&2 echo "Failed: node_modules are not up to date. Add the 'Update dependencies' label to your PR to update them. Note it is important that node modules are updated on macOS and not any other operating system as there is one dependency (fsevents) that is needed for macOS and may not be installed if dependencies are updated on a Windows or Linux machine."
git status
exit 1
fi
echo "Success: node_modules are up to date"

37
github/codeql-action-v2/.github/workflows/script/prepare_changelog.py vendored Normal file
View file

@ -0,0 +1,37 @@
import os
import sys
EMPTY_CHANGELOG = 'No changes.\n\n'
# Prepare the changelog for the new release
# This function will extract the part of the changelog that
# we want to include in the new release.
def extract_changelog_snippet(changelog_file, version_tag):
output = ''
if (not os.path.exists(changelog_file)):
output = EMPTY_CHANGELOG
else:
with open('CHANGELOG.md', 'r') as f:
lines = f.readlines()
# Include everything up to, but excluding the second heading
found_first_section = False
for i, line in enumerate(lines):
if line.startswith('## '):
if found_first_section:
break
found_first_section = True
output += line
output += f"See the full [CHANGELOG.md](https://github.com/github/codeql-action/blob/{version_tag}/CHANGELOG.md) for more information."
return output
if len(sys.argv) < 3:
raise Exception('Expecting argument: changelog_file version_tag')
changelog_file = sys.argv[1]
version_tag = sys.argv[2]
print(extract_changelog_snippet(changelog_file, version_tag))

21
github/codeql-action-v2/.github/workflows/script/update-node-modules.sh vendored Executable file
View file

@ -0,0 +1,21 @@
#!/bin/bash
set -eu
if [ "$1" != "update" ] && [ "$1" != "check-only" ]; then
>&2 echo "Failed: Invalid argument. Must be 'update' or 'check-only'"
exit 1
fi
npm install --force -g npm@9.2.0
# clean the npm cache to ensure we don't have any files owned by root
sudo npm cache clean --force
if [ "$1" = "update" ]; then
npm install
fi
# Reinstall modules and then clean to remove absolute paths
# Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
npm ci
npm run removeNPMAbsolutePaths

57
github/codeql-action-v2/.github/workflows/script/update-required-checks.sh vendored Executable file
View file

@ -0,0 +1,57 @@
#!/usr/bin/env bash
# Update the required checks based on the current branch.
# Typically, this will be main.
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
REPO_DIR="$(dirname "$SCRIPT_DIR")"
GRANDPARENT_DIR="$(dirname "$REPO_DIR")"
source "$GRANDPARENT_DIR/releases.ini"
if ! gh auth status 2>/dev/null; then
gh auth status
echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
exit 1
fi
if [ "$#" -eq 1 ]; then
# If we were passed an argument, use that as the SHA
GITHUB_SHA="$1"
elif [ "$#" -gt 1 ]; then
echo "Usage: $0 [SHA]"
echo "Update the required checks based on the SHA, or main."
exit 1
elif [ -z "$GITHUB_SHA" ]; then
# If we don't have a SHA, use main
GITHUB_SHA="$(git rev-parse main)"
fi
echo "Getting checks for $GITHUB_SHA"
# Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
echo "$CHECKS" | jq
echo "{\"contexts\": ${CHECKS}}" > checks.json
echo "Updating main"
gh api --silent -X "PATCH" "repos/github/codeql-action/branches/main/protection/required_status_checks" --input checks.json
# list all branchs on origin remote matching releases/v*
BRANCHES="$(git ls-remote --heads origin 'releases/v*' | sed 's?.*refs/heads/??' | sort -V)"
for BRANCH in $BRANCHES; do
# strip exact 'releases/v' prefix from $BRANCH using count of characters
VERSION="${BRANCH:10}"
if [ "$VERSION" -lt "$OLDEST_SUPPORTED_MAJOR_VERSION" ]; then
echo "Skipping $BRANCH"
continue
fi
echo "Updating $BRANCH"
gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
done
rm checks.json

25
github/codeql-action-v2/.github/workflows/script/verify-pr-checks.sh vendored Executable file
View file

@ -0,0 +1,25 @@
#!/bin/bash
set -eu
# Sanity check that repo is clean to start with
if [ ! -z "$(git status --porcelain)" ]; then
# If we get a fail here then this workflow needs attention...
>&2 echo "Failed: Repo should be clean before testing!"
exit 1
fi
# Wipe the generated PR checks in case there are extra unnecessary files in there
rm -rf .github/workflows/__*
# Generate the PR checks
cd pr-checks && python3 sync.py
# Check that repo is still clean
if [ ! -z "$(git status --porcelain)" ]; then
# If we get a fail here then the PR needs attention
git diff
git status
>&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update"
exit 1
fi
echo "Success: PR checks are up to date"

53
github/codeql-action-v2/.github/workflows/test-codeql-bundle-all.yml vendored Normal file
View file

@ -0,0 +1,53 @@
name: 'PR Check - CodeQL Bundle All'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v*
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
schedule:
- cron: '0 5 * * *'
workflow_dispatch: {}
jobs:
test-codeql-bundle-all:
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
version: nightly-latest
name: 'CodeQL Bundle All'
permissions:
contents: read
security-events: write
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v4
- name: Prepare test
id: prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
use-all-platform-bundle: true
- id: init
uses: ./../action/init
with:
# We manually exclude Swift from the languages list here, as it is not supported on Ubuntu
languages: cpp,csharp,go,java,javascript,python,ruby
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
env:
CODEQL_ACTION_TEST_MODE: true

91
github/codeql-action-v2/.github/workflows/update-bundle.yml vendored Normal file
View file

@ -0,0 +1,91 @@
name: Update default CodeQL bundle
on:
release:
# From https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release
# Note: The prereleased type will not trigger for pre-releases published
# from draft releases, but the published type will trigger. If you want a
# workflow to run when stable and pre-releases publish, subscribe to
# published instead of released and prereleased.
#
# From https://github.com/orgs/community/discussions/26281
# As a work around, in published type workflow, you could add if condition
# to filter pre-release attribute.
types: [published]
jobs:
update-bundle:
if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
runs-on: ubuntu-latest
steps:
- name: Dump environment
run: env
- name: Dump GitHub context
env:
GITHUB_CONTEXT: '${{ toJson(github) }}'
run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v4
- name: Update git config
run: |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
- name: Update bundle
uses: ./.github/actions/update-bundle
- name: Rebuild Action
run: npm run build
- name: Commit and push changes
env:
RELEASE_TAG: "${{ github.event.release.tag_name }}"
run: |
git checkout -b "update-bundle/$RELEASE_TAG"
git commit -am "Update default bundle to $RELEASE_TAG"
git push --set-upstream origin "update-bundle/$RELEASE_TAG"
- name: Open pull request
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cli_version=$(jq -r '.cliVersion' src/defaults.json)
pr_url=$(gh pr create \
--title "Update default bundle to $cli_version" \
--body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
--assignee "$GITHUB_ACTOR" \
--draft \
)
echo "CLI_VERSION=$cli_version" | tee -a "$GITHUB_ENV"
echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"
- name: Create changelog note
shell: python
run: |
import os
import re
# Get the PR number from the PR URL.
pr_number = os.environ['PR_URL'].split('/')[-1]
changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
# Use perl to avoid having to escape the newline character.
with open('CHANGELOG.md', 'r') as f:
changelog = f.read()
changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
# Add the changelog note to the bottom of the "[UNRELEASED]" section.
changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
with open('CHANGELOG.md', 'w') as f:
f.write(changelog)
- name: Push changelog note
run: |
git commit -am "Add changelog note"
git push

42
github/codeql-action-v2/.github/workflows/update-dependencies.yml vendored Normal file
View file

@ -0,0 +1,42 @@
name: Update dependencies
on:
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review, labeled]
jobs:
update:
name: Update dependencies
timeout-minutes: 45
runs-on: macos-latest
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Remove PR label
env:
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
REPOSITORY: '${{ github.repository }}'
PR_NUMBER: '${{ github.event.pull_request.number }}'
run: |
gh api "repos/$REPOSITORY/issues/$PR_NUMBER/labels/Update%20dependencies" -X DELETE
- name: Push updated dependencies
env:
BRANCH: '${{ github.head_ref }}'
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
run: |
git fetch origin "$BRANCH" --depth=1
git checkout "origin/$BRANCH"
.github/workflows/script/update-node-modules.sh update
if [ ! -z "$(git status --porcelain)" ]; then
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
git add node_modules
git commit -am "Update checked-in dependencies"
git push origin "HEAD:$BRANCH"
echo "Pushed a commit to update the checked-in dependencies." \
"Please mark the PR as ready for review to trigger PR checks." |
gh pr comment --body-file - --repo github/codeql-action "${{ github.event.pull_request.number }}"
gh pr ready --undo --repo github/codeql-action "${{ github.event.pull_request.number }}"
fi

141
github/codeql-action-v2/.github/workflows/update-release-branch.yml vendored Normal file
View file

@ -0,0 +1,141 @@
name: Update release branch
on:
# You can trigger this workflow via workflow dispatch to start a release.
# This will open a PR to update the latest release branch.
workflow_dispatch:
# When a release is complete this workflow will open up backport PRs to older release branches.
# NB while it will trigger on any release branch update, the backport job will not proceed for
# anything other than than releases/v{latest}
push:
branches:
- releases/*
jobs:
prepare:
runs-on: ubuntu-latest
if: github.repository == 'github/codeql-action'
outputs:
version: ${{ steps.versions.outputs.version }}
major_version: ${{ steps.versions.outputs.major_version }}
latest_tag: ${{ steps.versions.outputs.latest_tag }}
backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Need full history for calculation of diffs
- uses: ./.github/actions/release-initialise
- name: Get version tags
id: versions
run: |
VERSION="v$(jq '.version' -r 'package.json')"
echo "version=${VERSION}" >> $GITHUB_OUTPUT
MAJOR_VERSION=$(cut -d '.' -f1 <<< "${VERSION}")
echo "major_version=${MAJOR_VERSION}" >> $GITHUB_OUTPUT
LATEST_TAG=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
echo "latest_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
- id: branches
name: Determine older release branches
uses: ./.github/actions/release-branches
with:
major_version: ${{ steps.versions.outputs.major_version }}
latest_tag: ${{ steps.versions.outputs.latest_tag }}
- name: debug logging
run: |
echo 'version: ${{ steps.versions.outputs.version }}'
echo 'major_version: ${{ steps.versions.outputs.major_version }}'
echo 'latest_tag: ${{ steps.versions.outputs.latest_tag }}'
echo 'backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}'
echo 'backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}'
update:
timeout-minutes: 45
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch'
needs: [prepare]
env:
REF_NAME: "${{ github.ref_name }}"
REPOSITORY: "${{ github.repository }}"
MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Need full history for calculation of diffs
- uses: ./.github/actions/release-initialise
# when the workflow has been manually triggered on main,
# we know that we definitely want the release branch to exist
- name: Ensure release branch exists
run: |
echo "MAJOR_VERSION ${MAJOR_VERSION}"
RELEASE_BRANCH=releases/${MAJOR_VERSION}
if git checkout $RELEASE_BRANCH > /dev/null 2>&1; then
echo "Branch $RELEASE_BRANCH already exists"
echo ""
else
echo "Creating $RELEASE_BRANCH branch"
git checkout -b ${RELEASE_BRANCH} ${LATEST_TAG}
git push --set-upstream origin ${RELEASE_BRANCH}
git branch --show-current
echo ""
fi
echo "Returning to branch: ${REF_NAME}"
git checkout ${REF_NAME}
- name: Update current release branch
if: github.event_name == 'workflow_dispatch'
run: |
echo SOURCE_BRANCH=${REF_NAME}
echo TARGET_BRANCH=releases/${MAJOR_VERSION}
python .github/update-release-branch.py \
--github-token ${{ secrets.GITHUB_TOKEN }} \
--repository-nwo ${{ github.repository }} \
--source-branch '${{ env.REF_NAME }}' \
--target-branch 'releases/${{ env.MAJOR_VERSION }}' \
--is-primary-release \
--conductor ${GITHUB_ACTOR}
backport:
timeout-minutes: 45
runs-on: ubuntu-latest
environment: Automation
needs: [prepare]
if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
strategy:
fail-fast: false
matrix:
target_branch: ${{ fromJson(needs.prepare.outputs.backport_target_branches) }}
env:
SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
TARGET_BRANCH: ${{ matrix.target_branch }}
steps:
- name: Generate token
uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
id: app-token
with:
app-id: ${{ vars.AUTOMATION_APP_ID }}
private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # Need full history for calculation of diffs
token: ${{ steps.app-token.outputs.token }}
- uses: ./.github/actions/release-initialise
- name: Update older release branch
run: |
echo SOURCE_BRANCH=${SOURCE_BRANCH}
echo TARGET_BRANCH=${TARGET_BRANCH}
python .github/update-release-branch.py \
--github-token ${{ secrets.GITHUB_TOKEN }} \
--repository-nwo ${{ github.repository }} \
--source-branch ${SOURCE_BRANCH} \
--target-branch ${TARGET_BRANCH} \
--conductor ${GITHUB_ACTOR}

65
github/codeql-action-v2/.github/workflows/update-supported-enterprise-server-versions.yml vendored Normal file
View file

@ -0,0 +1,65 @@
name: Update Supported Enterprise Server Versions
on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
jobs:
update-supported-enterprise-server-versions:
name: Update Supported Enterprise Server Versions
timeout-minutes: 45
runs-on: ubuntu-latest
if: ${{ github.repository == 'github/codeql-action' }}
steps:
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.7"
- name: Checkout CodeQL Action
uses: actions/checkout@v4
- name: Checkout Enterprise Releases
uses: actions/checkout@v4
with:
repository: github/enterprise-releases
ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}
path: ${{ github.workspace }}/enterprise-releases/
- name: Update Supported Enterprise Server Versions
run: |
cd ./.github/workflows/update-supported-enterprise-server-versions/
python3 -m pip install pipenv
pipenv install
pipenv run ./update.py
rm --recursive "$ENTERPRISE_RELEASES_PATH"
npm run build
env:
ENTERPRISE_RELEASES_PATH: ${{ github.workspace }}/enterprise-releases/
- name: Update git config
run: |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
- name: Commit changes and open PR
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
if [[ -z $(git status --porcelain) ]]; then
echo "No changes to commit"
else
git checkout -b update-supported-enterprise-server-versions
git add .
git commit --message "Update supported GitHub Enterprise Server versions"
git push origin update-supported-enterprise-server-versions
body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
body+="version is about to be feature frozen, or because an old release has been deprecated."
body+=$'\n\n'
body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
body+="deprecate the corresponding version of CodeQL."
gh pr create --draft \
--title "Update supported GitHub Enterprise Server versions" \
--body "$body"
fi

9
github/codeql-action-v2/.github/workflows/update-supported-enterprise-server-versions/Pipfile vendored Normal file
View file

@ -0,0 +1,9 @@
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true
[dev-packages]
[packages]
semver = "*"

27
github/codeql-action-v2/.github/workflows/update-supported-enterprise-server-versions/Pipfile.lock generated vendored Normal file
View file

@ -0,0 +1,27 @@
{
"_meta": {
"hash": {
"sha256": "e3ba923dcb4888e05de5448c18a732bf40197e80fabfa051a61c01b22c504879"
},
"pipfile-spec": 6,
"requires": {},
"sources": [
{
"name": "pypi",
"url": "https://pypi.org/simple",
"verify_ssl": true
}
]
},
"default": {
"semver": {
"hashes": [
"sha256:ced8b23dceb22134307c1b8abfa523da14198793d9787ac838e70e29e77458d4",
"sha256:fa0fe2722ee1c3f57eac478820c3a5ae2f624af8264cbdf9000c980ff7f75e3f"
],
"index": "pypi",
"version": "==2.13.0"
}
},
"develop": {}
}

51
github/codeql-action-v2/.github/workflows/update-supported-enterprise-server-versions/update.py vendored Executable file
View file

@ -0,0 +1,51 @@
#!/usr/bin/env python3
import datetime
import json
import os
import pathlib
import semver
_API_COMPATIBILITY_PATH = pathlib.Path(__file__).absolute().parents[3] / "src" / "api-compatibility.json"
_ENTERPRISE_RELEASES_PATH = pathlib.Path(os.environ["ENTERPRISE_RELEASES_PATH"])
_RELEASE_FILE_PATH = _ENTERPRISE_RELEASES_PATH / "releases.json"
_FIRST_SUPPORTED_RELEASE = semver.VersionInfo.parse("2.22.0") # Versions older than this did not include Code Scanning.
def main():
api_compatibility_data = json.loads(_API_COMPATIBILITY_PATH.read_text())
releases = json.loads(_RELEASE_FILE_PATH.read_text())
# Remove GHES version using a previous version numbering scheme.
if "11.10" in releases:
del releases["11.10"]
oldest_supported_release = None
newest_supported_release = semver.VersionInfo.parse(api_compatibility_data["maximumVersion"] + ".0")
for release_version_string, release_data in releases.items():
release_version = semver.VersionInfo.parse(release_version_string + ".0")
if release_version < _FIRST_SUPPORTED_RELEASE:
continue
if release_version > newest_supported_release:
feature_freeze_date = datetime.date.fromisoformat(release_data["feature_freeze"])
if feature_freeze_date < datetime.date.today() + datetime.timedelta(weeks=2):
newest_supported_release = release_version
if oldest_supported_release is None or release_version < oldest_supported_release:
end_of_life_date = datetime.date.fromisoformat(release_data["end"])
# The GHES version is not actually end of life until the end of the day specified by
# `end_of_life_date`. Wait an extra week to be safe.
is_end_of_life = datetime.date.today() > end_of_life_date + datetime.timedelta(weeks=1)
if not is_end_of_life:
oldest_supported_release = release_version
api_compatibility_data = {
"minimumVersion": f"{oldest_supported_release.major}.{oldest_supported_release.minor}",
"maximumVersion": f"{newest_supported_release.major}.{newest_supported_release.minor}",
}
_API_COMPATIBILITY_PATH.write_text(json.dumps(api_compatibility_data, sort_keys=True) + "\n")
if __name__ == "__main__":
main()