From 865e471831225a3ac9568ebd5c2220b45dc50433 Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 31 Jan 2024 15:51:49 -0500 Subject: [PATCH] Allow custom codeql token --- .github/workflows/__all-platform-bundle.yml | 2 ++ .github/workflows/__analyze-ref-input.yml | 2 ++ .github/workflows/__autobuild-action.yml | 4 ++++ .github/workflows/__config-export.yml | 2 ++ .github/workflows/__cpp-deptrace-disabled.yml | 2 ++ .github/workflows/__cpp-deptrace-enabled-on-macos.yml | 2 ++ .github/workflows/__cpp-deptrace-enabled.yml | 2 ++ .github/workflows/__diagnostics-export.yml | 2 ++ .github/workflows/__export-file-baseline-information.yml | 2 ++ .github/workflows/__go-custom-queries.yml | 2 ++ .../__go-indirect-tracing-workaround-diagnostic.yml | 2 ++ .github/workflows/__go-indirect-tracing-workaround.yml | 2 ++ .github/workflows/__go-tracing-autobuilder.yml | 4 ++++ .github/workflows/__go-tracing-custom-build-steps.yml | 2 ++ .github/workflows/__go-tracing-legacy-workflow.yml | 2 ++ .github/workflows/__init-with-registries.yml | 1 + .github/workflows/__javascript-source-root.yml | 1 + .github/workflows/__language-aliases.yml | 1 + .github/workflows/__multi-language-autodetect.yml | 2 ++ .../workflows/__packaging-codescanning-config-inputs-js.yml | 2 ++ .github/workflows/__packaging-config-inputs-js.yml | 2 ++ .github/workflows/__packaging-config-js.yml | 2 ++ .github/workflows/__packaging-inputs-js.yml | 1 + .github/workflows/__remote-config.yml | 3 +++ .github/workflows/__resolve-environment-action.yml | 1 + .github/workflows/__ruby.yml | 2 ++ .github/workflows/__scaling-reserved-ram.yml | 2 ++ .github/workflows/__split-workflow.yml | 3 +++ .github/workflows/__submit-sarif-failure.yml | 2 ++ .github/workflows/__swift-custom-build.yml | 2 ++ .github/workflows/__test-autobuild-working-dir.yml | 3 +++ .github/workflows/__test-local-codeql.yml | 2 ++ .github/workflows/__test-proxy.yml | 2 ++ .github/workflows/__unset-environment.yml | 2 ++ .github/workflows/__upload-ref-sha-input.yml | 1 + 
.github/workflows/__with-checkout-path.yml | 2 ++ .github/workflows/codeql.yml | 5 +++++ .github/workflows/debug-artifacts-failure.yml | 2 ++ .github/workflows/debug-artifacts.yml | 3 +++ .github/workflows/expected-queries-runs.yml | 1 + .github/workflows/python-deps.yml | 3 +++ .github/workflows/python312-windows.yml | 1 + .github/workflows/test-codeql-bundle-all.yml | 2 ++ pr-checks/checks/all-platform-bundle.yml | 1 + pr-checks/checks/analyze-ref-input.yml | 1 + pr-checks/checks/autobuild-action.yml | 2 ++ pr-checks/checks/config-export.yml | 1 + pr-checks/checks/cpp-deptrace-disabled.yml | 2 ++ pr-checks/checks/cpp-deptrace-enabled-on-macos.yml | 2 ++ pr-checks/checks/cpp-deptrace-enabled.yml | 2 ++ pr-checks/checks/diagnostics-export.yml | 2 ++ pr-checks/checks/export-file-baseline-information.yml | 2 ++ pr-checks/checks/extractor-ram-threads.yml | 1 + pr-checks/checks/go-custom-queries.yml | 2 ++ .../checks/go-indirect-tracing-workaround-diagnostic.yml | 2 ++ pr-checks/checks/go-indirect-tracing-workaround.yml | 2 ++ pr-checks/checks/go-tracing-autobuilder.yml | 4 ++++ pr-checks/checks/go-tracing-custom-build-steps.yml | 2 ++ pr-checks/checks/go-tracing-legacy-workflow.yml | 2 ++ pr-checks/checks/init-with-registries.yml | 2 +- pr-checks/checks/javascript-source-root.yml | 1 + pr-checks/checks/language-aliases.yml | 1 + pr-checks/checks/multi-language-autodetect.yml | 2 ++ pr-checks/checks/packaging-codescanning-config-inputs-js.yml | 2 ++ pr-checks/checks/packaging-config-inputs-js.yml | 2 ++ pr-checks/checks/packaging-config-js.yml | 2 ++ pr-checks/checks/packaging-inputs-js.yml | 2 ++ pr-checks/checks/remote-config.yml | 3 +++ pr-checks/checks/resolve-environment-action.yml | 1 + pr-checks/checks/rubocop-multi-language.yml | 1 + pr-checks/checks/ruby.yml | 2 ++ pr-checks/checks/scaling-reserved-ram.yml | 2 ++ pr-checks/checks/split-workflow.yml | 3 +++ pr-checks/checks/submit-sarif-failure.yml | 2 ++ pr-checks/checks/swift-custom-build.yml | 2 ++ 
pr-checks/checks/test-autobuild-working-dir.yml | 3 +++ pr-checks/checks/test-local-codeql.yml | 2 ++ pr-checks/checks/test-proxy.yml | 2 ++ pr-checks/checks/unset-environment.yml | 2 ++ pr-checks/checks/upload-ref-sha-input.yml | 2 ++ pr-checks/checks/with-checkout-path.yml | 2 ++ 81 files changed, 162 insertions(+), 1 deletion(-) diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index 384d2dca48..808e6b6adb 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml @@ -64,6 +64,7 @@ jobs: uses: ./../action/init with: tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{ steps.init.outputs.codeql-path }} @@ -73,5 +74,6 @@ jobs: - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml index 6850a63ab1..6ca76ca630 100644 --- a/.github/workflows/__analyze-ref-input.yml +++ b/.github/workflows/__analyze-ref-input.yml @@ -70,6 +70,7 @@ jobs: languages: cpp,csharp,java,javascript,python config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh @@ -78,5 +79,6 @@ jobs: upload-database: false ref: refs/heads/main sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml index 84a0d95055..f1b81401e7 100644 --- a/.github/workflows/__autobuild-action.yml +++ b/.github/workflows/__autobuild-action.yml 
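Review bot: `token: ${{ secrets.CODEQL_TOKEN }}` on the `./../action/init` step evaluates to an empty string whenever the `CODEQL_TOKEN` secret is not defined or not exposed to the run (pull requests from forks, for example), and an explicitly passed empty input will probably replace the action's own default instead of falling back to it. Since the commit title says the custom token is allowed rather than required, a fallback such as `token: ${{ secrets.CODEQL_TOKEN || github.token }}` keeps these workflows working where the secret is absent. The same line is repeated in every hunk of this patch, so the change applies to all of them. It would also help to add a comment at one of the uses stating which permissions `CODEQL_TOKEN` is expected to carry, so that it is provisioned no more broadly than the token it replaces.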
@@ -68,7 +68,10 @@ jobs: with: languages: csharp tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild + with: + token: ${{ secrets.CODEQL_TOKEN }} env: # Explicitly disable the CLR tracer. COR_ENABLE_PROFILING: '' @@ -80,6 +83,7 @@ jobs: - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check database shell: bash run: | diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml index eeac29f05b..c9702710e7 100644 --- a/.github/workflows/__config-export.yml +++ b/.github/workflows/__config-export.yml @@ -75,10 +75,12 @@ jobs: languages: javascript queries: security-extended tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: output: ${{ runner.temp }}/results upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Upload SARIF uses: actions/upload-artifact@v3 with: diff --git a/.github/workflows/__cpp-deptrace-disabled.yml b/.github/workflows/__cpp-deptrace-disabled.yml index d68c72101a..93bde3ebbf 100644 --- a/.github/workflows/__cpp-deptrace-disabled.yml +++ b/.github/workflows/__cpp-deptrace-disabled.yml @@ -72,9 +72,11 @@ jobs: with: languages: cpp tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild with: working-directory: autobuild-dir + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false - shell: bash diff --git a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml index 1f86c061aa..5e173978df 100644 --- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml +++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml 
@@ -68,9 +68,11 @@ jobs: with: languages: cpp tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild with: working-directory: autobuild-dir + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true - shell: bash diff --git a/.github/workflows/__cpp-deptrace-enabled.yml b/.github/workflows/__cpp-deptrace-enabled.yml index ba99f61f1d..e5e6bf4ef6 100644 --- a/.github/workflows/__cpp-deptrace-enabled.yml +++ b/.github/workflows/__cpp-deptrace-enabled.yml @@ -72,9 +72,11 @@ jobs: with: languages: cpp tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild with: working-directory: autobuild-dir + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true - shell: bash diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml index 47983a3081..5ec971559f 100644 --- a/.github/workflows/__diagnostics-export.yml +++ b/.github/workflows/__diagnostics-export.yml @@ -81,6 +81,7 @@ jobs: with: languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Add test diagnostics shell: bash env: @@ -101,6 +102,7 @@ jobs: with: output: ${{ runner.temp }}/results upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Upload SARIF uses: actions/upload-artifact@v3 with: diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml index c395a5655d..1c9423b168 100644 --- a/.github/workflows/__export-file-baseline-information.yml +++ b/.github/workflows/__export-file-baseline-information.yml 
@@ -69,6 +69,7 @@ jobs: with: languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{ steps.init.outputs.codeql-path }} @@ -78,6 +79,7 @@ jobs: - uses: ./../action/analyze with: output: ${{ runner.temp }}/results + token: ${{ secrets.CODEQL_TOKEN }} - name: Upload SARIF uses: actions/upload-artifact@v3 with: diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml index d8db274075..f3933980be 100644 --- a/.github/workflows/__go-custom-queries.yml +++ b/.github/workflows/__go-custom-queries.yml @@ -105,12 +105,14 @@ jobs: languages: go config-file: ./.github/codeql/custom-queries.yml tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} env: DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false' CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml index 19b5744110..0d1f22059d 100644 --- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml +++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml @@ -68,6 +68,7 @@ jobs: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} # Deliberately change Go after the `init` step - uses: actions/setup-go@v5 with: @@ -79,6 +80,7 @@ jobs: with: output: ${{ runner.temp }}/results upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check diagnostic appears in SARIF uses: actions/github-script@v7 env: diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml index 11c164fa59..61b0aa088a 100644 
--- a/.github/workflows/__go-indirect-tracing-workaround.yml +++ b/.github/workflows/__go-indirect-tracing-workaround.yml @@ -68,12 +68,14 @@ jobs: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: go build main.go - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - shell: bash run: | if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml index 6e0cbae406..764251c283 100644 --- a/.github/workflows/__go-tracing-autobuilder.yml +++ b/.github/workflows/__go-tracing-autobuilder.yml @@ -93,10 +93,14 @@ jobs: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild + with: + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - shell: bash run: | if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml index 97db9e5c68..aedd1b0e97 100644 --- a/.github/workflows/__go-tracing-custom-build-steps.yml +++ b/.github/workflows/__go-tracing-custom-build-steps.yml @@ -93,12 +93,14 @@ jobs: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: go build main.go - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - shell: bash run: | # Once we start running Bash 4.2 in all environments, we can replace the diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml index 2ed8d2adee..a2bd9f77fe 100644 --- a/.github/workflows/__go-tracing-legacy-workflow.yml 
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml @@ -93,9 +93,11 @@ jobs: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - shell: bash run: | cd "$RUNNER_TEMP/codeql_databases" diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml index 6e41cf0a00..6f64a8fe26 100644 --- a/.github/workflows/__init-with-registries.yml +++ b/.github/workflows/__init-with-registries.yml @@ -88,6 +88,7 @@ jobs: - url: "https://ghcr.io/v2/" packages: "*/*" token: "${{ secrets.GITHUB_TOKEN }}" + token: ${{ secrets.CODEQL_TOKEN }} - name: Verify packages installed shell: bash diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml index f87d5f9d2b..de821fa342 100644 --- a/.github/workflows/__javascript-source-root.yml +++ b/.github/workflows/__javascript-source-root.yml @@ -74,6 +74,7 @@ jobs: languages: javascript source-root: ../new-source-root tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: upload-database: false diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml index c796fdc72f..ecca8ed130 100644 --- a/.github/workflows/__language-aliases.yml +++ b/.github/workflows/__language-aliases.yml @@ -64,6 +64,7 @@ jobs: with: languages: C#,java-kotlin,swift,typescript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Check languages run: | diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index 0385d67f02..3db61f733f 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml 
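Review bot: In `__init-with-registries.yml` the added `token: ${{ secrets.CODEQL_TOKEN }}` follows directly after the registry entry's `token: "${{ secrets.GITHUB_TOKEN }}"`, so its indentation decides whether it is a new input of the step or a second `token` key inside the registries entry. The indentation is not recoverable from this view, so please confirm it sits at the `with:` level. A duplicate key inside the entry would be silently resolved to the last value by most YAML parsers and would change the credential sent to `https://ghcr.io/v2/`. The diffstat also lists `pr-checks/checks/init-with-registries.yml` as `2 +-`, a modified line rather than an added one, which suggests the two files do not receive the same change. The step's `with:` block starts outside the hunk.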
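Review bot: In `__javascript-source-root.yml` the token is passed to the init step only; the `./../action/analyze` step visible in the context lines just below keeps `upload-database: false` as its sole input. `expected-queries-runs.yml` and `python312-windows.yml` have the same shape, with one added line on init and an untouched analyze step after it, and the diffstat gives `__upload-ref-sha-input.yml` a single added line as well. If the custom token is meant to replace the default one for the whole job, add `token: ${{ secrets.CODEQL_TOKEN }}` to those later steps too. If init-only is intended, a short comment saying why would stop it from being "corrected" later.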
@@ -91,6 +91,7 @@ jobs: with: db-location: ${{ runner.temp }}/customDbLocation tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: @@ -104,6 +105,7 @@ jobs: id: analysis with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check language autodetect for all languages excluding Swift shell: bash diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml index cc6d6893e9..9dc0a62ade 100644 --- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml +++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml @@ -82,6 +82,7 @@ jobs: packs: +codeql-testing/codeql-pack1@1.0.0 languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh @@ -89,6 +90,7 @@ jobs: with: output: ${{ runner.temp }}/results upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check results uses: ./../action/.github/actions/check-sarif diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml index 4694180c7d..78e52c2022 100644 --- a/.github/workflows/__packaging-config-inputs-js.yml +++ b/.github/workflows/__packaging-config-inputs-js.yml @@ -82,6 +82,7 @@ jobs: packs: +codeql-testing/codeql-pack1@1.0.0 languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh @@ -89,6 +90,7 @@ jobs: with: output: ${{ runner.temp }}/results upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check results uses: ./../action/.github/actions/check-sarif diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml index 24a6145b18..e14dfc253c 100644 
--- a/.github/workflows/__packaging-config-js.yml +++ b/.github/workflows/__packaging-config-js.yml @@ -81,6 +81,7 @@ jobs: config-file: .github/codeql/codeql-config-packaging.yml languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh @@ -88,6 +89,7 @@ jobs: with: output: ${{ runner.temp }}/results upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check results uses: ./../action/.github/actions/check-sarif diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml index 5808dafc8d..af00b60400 100644 --- a/.github/workflows/__packaging-inputs-js.yml +++ b/.github/workflows/__packaging-inputs-js.yml @@ -88,6 +88,7 @@ jobs: - uses: ./../action/analyze with: output: ${{ runner.temp }}/results + token: ${{ secrets.CODEQL_TOKEN }} - name: Check results uses: ./../action/.github/actions/check-sarif diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml index d0f0e0d83a..29420d643d 100644 --- a/.github/workflows/__remote-config.yml +++ b/.github/workflows/__remote-config.yml @@ -106,9 +106,12 @@ jobs: languages: cpp,csharp,java,javascript,python config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh - uses: ./../action/analyze + with: + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index ab7cb02e37..b17ecabecb 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml 
@@ -87,6 +87,7 @@ jobs: languages: ${{ matrix.version == 'stable-v2.13.4' && 'go' || 'go,javascript-typescript' }} tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Resolve environment for Go uses: ./../action/resolve-environment diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml index 2e48a2847d..7d816da56c 100644 --- a/.github/workflows/__ruby.yml +++ b/.github/workflows/__ruby.yml @@ -74,10 +74,12 @@ jobs: with: languages: ruby tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze id: analysis with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check database shell: bash run: | diff --git a/.github/workflows/__scaling-reserved-ram.yml b/.github/workflows/__scaling-reserved-ram.yml index 5ca51822fb..b91bb9acbe 100644 --- a/.github/workflows/__scaling-reserved-ram.yml +++ b/.github/workflows/__scaling-reserved-ram.yml @@ -91,6 +91,7 @@ jobs: with: db-location: ${{ runner.temp }}/customDbLocation tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: @@ -104,6 +105,7 @@ jobs: id: analysis with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_ACTION_SCALING_RESERVED_RAM: true CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml index 11820f6ddb..4f023c8b5f 100644 --- a/.github/workflows/__split-workflow.yml +++ b/.github/workflows/__split-workflow.yml @@ -76,6 +76,7 @@ jobs: packs: +codeql-testing/codeql-pack1@1.0.0 languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh 
@@ -84,6 +85,7 @@ jobs: skip-queries: true output: ${{ runner.temp }}/results upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Assert No Results shell: bash @@ -96,6 +98,7 @@ jobs: with: output: ${{ runner.temp }}/results upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Assert Results shell: bash run: | diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml index a50dc1aa92..5e3cdbffd9 100644 --- a/.github/workflows/__submit-sarif-failure.yml +++ b/.github/workflows/__submit-sarif-failure.yml @@ -68,6 +68,7 @@ jobs: - uses: ./init with: languages: javascript + token: ${{ secrets.CODEQL_TOKEN }} - name: Fail # We want this job to pass if the Action correctly uploads the SARIF file for # the failed run. @@ -81,6 +82,7 @@ jobs: if: false with: category: /test-codeql-version:${{ matrix.version }} + token: ${{ secrets.CODEQL_TOKEN }} env: # Internal-only environment variable used to indicate that the post-init Action # should expect to upload a SARIF file for the failed run. diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index 1643444139..79198d3579 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -75,6 +75,7 @@ jobs: with: languages: swift tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{steps.init.outputs.codeql-path}} @@ -88,6 +89,7 @@ jobs: id: analysis with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check database shell: bash run: | diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__test-autobuild-working-dir.yml index 658f93e95a..b170ee914c 100644 --- a/.github/workflows/__test-autobuild-working-dir.yml +++ b/.github/workflows/__test-autobuild-working-dir.yml 
@@ -71,12 +71,15 @@ jobs: with: languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild with: working-directory: autobuild-dir + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check database shell: bash run: | diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml index c4e85c2b5c..7e80b3eb5a 100644 --- a/.github/workflows/__test-local-codeql.yml +++ b/.github/workflows/__test-local-codeql.yml @@ -70,6 +70,7 @@ jobs: uses: ./../action/init with: tools: ./codeql-bundle-linux64.tar.gz + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{ steps.init.outputs.codeql-path }} @@ -79,5 +80,6 @@ jobs: - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__test-proxy.yml index b393677071..69c62bde1c 100644 --- a/.github/workflows/__test-proxy.yml +++ b/.github/workflows/__test-proxy.yml @@ -64,9 +64,11 @@ jobs: with: languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} env: https_proxy: http://squid-proxy:3128 CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml index f8dd0defe6..f978e07839 100644 --- a/.github/workflows/__unset-environment.yml +++ b/.github/workflows/__unset-environment.yml 
@@ -77,6 +77,7 @@ jobs: with: db-location: ${{ runner.temp }}/customDbLocation tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{ steps.init.outputs.codeql-path }} @@ -90,6 +91,7 @@ jobs: id: analysis with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - shell: bash run: | CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}" diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml index 37f0e6a16b..713e7dc5ba 100644 --- a/.github/workflows/__upload-ref-sha-input.yml +++ b/.github/workflows/__upload-ref-sha-input.yml @@ -70,6 +70,7 @@ jobs: languages: cpp,csharp,java,javascript,python config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index 9443a176d9..0984fab048 100644 --- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml @@ -121,6 +121,7 @@ jobs: languages: csharp,javascript source-root: x/y/z/some-path/tests/multi-language-repo debug: true + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash @@ -141,6 +142,7 @@ jobs: ref: v1.1.0 sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6 checkout_path: x/y/z/some-path/tests/multi-language-repo + token: ${{ secrets.CODEQL_TOKEN }} - name: Verify SARIF after upload shell: bash diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 378aa9f305..271acb24a6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -33,6 +33,7 @@ jobs: uses: ./init with: languages: javascript + token: ${{ secrets.CODEQL_TOKEN }} - name: Remove empty database # allows us to run init a second time run: | 
@@ -43,6 +44,7 @@ jobs: with: tools: latest languages: javascript + token: ${{ secrets.CODEQL_TOKEN }} - name: Compare default and latest CodeQL bundle versions id: compare env: @@ -91,8 +93,11 @@ jobs: languages: javascript config-file: ./.github/codeql/codeql-config.yml tools: ${{ matrix.tools }} + token: ${{ secrets.CODEQL_TOKEN }} # confirm steps.init.outputs.codeql-path points to the codeql binary - name: Print CodeQL Version run: ${{steps.init.outputs.codeql-path}} version --format=json - name: Perform CodeQL Analysis uses: ./analyze + with: + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/.github/workflows/debug-artifacts-failure.yml b/.github/workflows/debug-artifacts-failure.yml index 50c84f6f1e..1fa8c21820 100644 --- a/.github/workflows/debug-artifacts-failure.yml +++ b/.github/workflows/debug-artifacts-failure.yml @@ -48,6 +48,7 @@ jobs: debug: true debug-artifact-name: my-debug-artifacts debug-database-name: my-db + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh @@ -56,6 +57,7 @@ jobs: with: expect-error: true ram: 1 + token: ${{ secrets.CODEQL_TOKEN }} download-and-check-artifacts: name: Download and check debug artifacts after failure in analyze needs: upload-artifacts diff --git a/.github/workflows/debug-artifacts.yml b/.github/workflows/debug-artifacts.yml index 53d53ed608..724c32fff2 100644 --- a/.github/workflows/debug-artifacts.yml +++ b/.github/workflows/debug-artifacts.yml @@ -65,6 +65,7 @@ jobs: debug: true debug-artifact-name: my-debug-artifacts debug-database-name: my-db + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{ steps.init.outputs.codeql-path }} @@ -73,6 +74,8 @@ jobs: run: ./build.sh - uses: ./../action/analyze id: analysis + with: + token: ${{ secrets.CODEQL_TOKEN }} download-and-check-artifacts: name: Download and check debug artifacts needs: upload-artifacts 
diff --git a/.github/workflows/expected-queries-runs.yml b/.github/workflows/expected-queries-runs.yml index 59c36b7dad..7db061426c 100644 --- a/.github/workflows/expected-queries-runs.yml +++ b/.github/workflows/expected-queries-runs.yml @@ -32,6 +32,7 @@ jobs: with: languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: output: ${{ runner.temp }}/results diff --git a/.github/workflows/python-deps.yml b/.github/workflows/python-deps.yml index 79910225da..388efb5ed5 100644 --- a/.github/workflows/python-deps.yml +++ b/.github/workflows/python-deps.yml @@ -46,6 +46,7 @@ jobs: tools: latest languages: python setup-python-dependencies: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Test Auto Package Installation run: | @@ -93,6 +94,7 @@ jobs: tools: latest languages: python setup-python-dependencies: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Test Auto Package Installation run: | @@ -150,6 +152,7 @@ jobs: tools: latest languages: python setup-python-dependencies: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Test Auto Package Installation env: diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml index 31326de96a..d286e03112 100644 --- a/.github/workflows/python312-windows.yml +++ b/.github/workflows/python312-windows.yml @@ -34,6 +34,7 @@ jobs: with: tools: latest languages: python + token: ${{ secrets.CODEQL_TOKEN }} - name: Analyze uses: ./../action/analyze diff --git a/.github/workflows/test-codeql-bundle-all.yml b/.github/workflows/test-codeql-bundle-all.yml index 0ea140261b..ae5fc2c641 100644 --- a/.github/workflows/test-codeql-bundle-all.yml +++ b/.github/workflows/test-codeql-bundle-all.yml 
@@ -43,6 +43,7 @@ jobs: uses: ./../action/init with: tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{ steps.init.outputs.codeql-path }} @@ -52,5 +53,6 @@ jobs: - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_ACTION_TEST_MODE: true diff --git a/pr-checks/checks/all-platform-bundle.yml b/pr-checks/checks/all-platform-bundle.yml index b681ad6165..0f89932a5e 100644 --- a/pr-checks/checks/all-platform-bundle.yml +++ b/pr-checks/checks/all-platform-bundle.yml @@ -17,3 +17,4 @@ steps: - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/pr-checks/checks/analyze-ref-input.yml b/pr-checks/checks/analyze-ref-input.yml index 7bd309ef11..d41e0f0556 100644 --- a/pr-checks/checks/analyze-ref-input.yml +++ b/pr-checks/checks/analyze-ref-input.yml @@ -15,3 +15,4 @@ steps: upload-database: false ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/pr-checks/checks/autobuild-action.yml b/pr-checks/checks/autobuild-action.yml index aa3cbdcca6..a346edd19a 100644 --- a/pr-checks/checks/autobuild-action.yml +++ b/pr-checks/checks/autobuild-action.yml @@ -6,6 +6,7 @@ steps: with: languages: csharp tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild env: # Explicitly disable the CLR tracer. @@ -18,6 +19,7 @@ steps: - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check database shell: bash run: | diff --git a/pr-checks/checks/config-export.yml b/pr-checks/checks/config-export.yml index 7a86701756..dcf2eb2cc7 100644 --- a/pr-checks/checks/config-export.yml +++ b/pr-checks/checks/config-export.yml 
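Review bot: `pr-checks/checks/all-platform-bundle.yml` gains the token on the analyze step only, while `.github/workflows/__all-platform-bundle.yml` gains it on both init and analyze (diffstat `1 +` against `2 ++`). `pr-checks/checks/autobuild-action.yml` likewise leaves `- uses: ./../action/autobuild` without the `with:` / `token:` pair that `__autobuild-action.yml` receives, and `config-export.yml` shows the same `1 +` against `2 ++` mismatch. If the `__`-prefixed workflows are generated from these files, as the paired names suggest, the next regeneration would drop the lines that exist only in the workflows. Adding `token: ${{ secrets.CODEQL_TOKEN }}` to the corresponding steps here keeps the two sets consistent.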
@@ -11,6 +11,7 @@ steps: with: output: "${{ runner.temp }}/results" upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Upload SARIF uses: actions/upload-artifact@v3 with: diff --git a/pr-checks/checks/cpp-deptrace-disabled.yml b/pr-checks/checks/cpp-deptrace-disabled.yml index 118d01ae1c..2fadc76ae8 100644 --- a/pr-checks/checks/cpp-deptrace-disabled.yml +++ b/pr-checks/checks/cpp-deptrace-disabled.yml @@ -13,9 +13,11 @@ steps: with: languages: cpp tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild with: working-directory: autobuild-dir + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false - shell: bash diff --git a/pr-checks/checks/cpp-deptrace-enabled-on-macos.yml b/pr-checks/checks/cpp-deptrace-enabled-on-macos.yml index 8a70f82fa5..dddd2613d3 100644 --- a/pr-checks/checks/cpp-deptrace-enabled-on-macos.yml +++ b/pr-checks/checks/cpp-deptrace-enabled-on-macos.yml @@ -13,9 +13,11 @@ steps: with: languages: cpp tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild with: working-directory: autobuild-dir + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true - shell: bash diff --git a/pr-checks/checks/cpp-deptrace-enabled.yml b/pr-checks/checks/cpp-deptrace-enabled.yml index b3f7b1b733..258401c077 100644 --- a/pr-checks/checks/cpp-deptrace-enabled.yml +++ b/pr-checks/checks/cpp-deptrace-enabled.yml @@ -13,9 +13,11 @@ steps: with: languages: cpp tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild with: working-directory: autobuild-dir + token: ${{ secrets.CODEQL_TOKEN }} env: CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true - shell: bash diff --git a/pr-checks/checks/diagnostics-export.yml b/pr-checks/checks/diagnostics-export.yml index a13580322d..4af18cd7b6 100644 
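Review bot: The `./../action/autobuild` steps in cpp-deptrace-disabled.yml, cpp-deptrace-enabled-on-macos.yml and cpp-deptrace-enabled.yml now receive the custom secret too, and autobuild is the step that runs the checked-out project's build. A user-supplied token is not limited by the workflow's `permissions:` block and normally outlives the job, so confirm that autobuild needs it at all; what the action does with the input is not visible in this patch. If it is needed, a comment beside the input would document the expectation, e.g. `# CODEQL_TOKEN must carry only the scopes this step needs: <required scopes>`.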
--- a/pr-checks/checks/diagnostics-export.yml +++ b/pr-checks/checks/diagnostics-export.yml @@ -11,6 +11,7 @@ steps: with: languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Add test diagnostics shell: bash env: @@ -31,6 +32,7 @@ steps: with: output: "${{ runner.temp }}/results" upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Upload SARIF uses: actions/upload-artifact@v3 with: diff --git a/pr-checks/checks/export-file-baseline-information.yml b/pr-checks/checks/export-file-baseline-information.yml index f0a8a5d853..4e8e5023e5 100644 --- a/pr-checks/checks/export-file-baseline-information.yml +++ b/pr-checks/checks/export-file-baseline-information.yml @@ -9,6 +9,7 @@ steps: with: languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{ steps.init.outputs.codeql-path }} @@ -18,6 +19,7 @@ steps: - uses: ./../action/analyze with: output: "${{ runner.temp }}/results" + token: ${{ secrets.CODEQL_TOKEN }} - name: Upload SARIF uses: actions/upload-artifact@v3 with: diff --git a/pr-checks/checks/extractor-ram-threads.yml b/pr-checks/checks/extractor-ram-threads.yml index 996d8b4bde..4456939f2e 100644 --- a/pr-checks/checks/extractor-ram-threads.yml +++ b/pr-checks/checks/extractor-ram-threads.yml @@ -8,6 +8,7 @@ steps: languages: java ram: 230 threads: 1 + token: ${{ secrets.CODEQL_TOKEN }} - name: Assert Results shell: bash run: | diff --git a/pr-checks/checks/go-custom-queries.yml b/pr-checks/checks/go-custom-queries.yml index 4d15805971..87d7c00935 100644 --- a/pr-checks/checks/go-custom-queries.yml +++ b/pr-checks/checks/go-custom-queries.yml 
@@ -8,9 +8,11 @@ steps: languages: go config-file: ./.github/codeql/custom-queries.yml tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml index 39966b52cd..b74dc32888 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml @@ -13,6 +13,7 @@ steps: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} # Deliberately change Go after the `init` step - uses: actions/setup-go@v5 with: @@ -24,6 +25,7 @@ steps: with: output: "${{ runner.temp }}/results" upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check diagnostic appears in SARIF uses: actions/github-script@v7 env: diff --git a/pr-checks/checks/go-indirect-tracing-workaround.yml b/pr-checks/checks/go-indirect-tracing-workaround.yml index a7b105788b..ff4a505619 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround.yml @@ -13,12 +13,14 @@ steps: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: go build main.go - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - shell: bash run: | if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then diff --git a/pr-checks/checks/go-tracing-autobuilder.yml b/pr-checks/checks/go-tracing-autobuilder.yml index 8a1c757821..f9e9a2733d 100644 --- a/pr-checks/checks/go-tracing-autobuilder.yml +++ b/pr-checks/checks/go-tracing-autobuilder.yml 
@@ -11,10 +11,14 @@ steps: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild + with: + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - shell: bash run: | if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then diff --git a/pr-checks/checks/go-tracing-custom-build-steps.yml b/pr-checks/checks/go-tracing-custom-build-steps.yml index 46d0f07d8c..db27e52f3f 100644 --- a/pr-checks/checks/go-tracing-custom-build-steps.yml +++ b/pr-checks/checks/go-tracing-custom-build-steps.yml @@ -9,12 +9,14 @@ steps: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: go build main.go - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - shell: bash run: | # Once we start running Bash 4.2 in all environments, we can replace the diff --git a/pr-checks/checks/go-tracing-legacy-workflow.yml b/pr-checks/checks/go-tracing-legacy-workflow.yml index bdcedf0408..7dc234d0f9 100644 --- a/pr-checks/checks/go-tracing-legacy-workflow.yml +++ b/pr-checks/checks/go-tracing-legacy-workflow.yml @@ -11,9 +11,11 @@ steps: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - shell: bash run: | cd "$RUNNER_TEMP/codeql_databases" diff --git a/pr-checks/checks/init-with-registries.yml b/pr-checks/checks/init-with-registries.yml index f0ef501cbe..755e40769a 100644 --- a/pr-checks/checks/init-with-registries.yml +++ b/pr-checks/checks/init-with-registries.yml 
@@ -26,7 +26,7 @@ steps: registries: | - url: "https://ghcr.io/v2/" packages: "*/*" - token: "${{ secrets.GITHUB_TOKEN }}" + token: ${{ secrets.CODEQL_TOKEN }} - name: Verify packages installed shell: bash diff --git a/pr-checks/checks/javascript-source-root.yml b/pr-checks/checks/javascript-source-root.yml index 9869f0a425..215cd3b7d3 100644 --- a/pr-checks/checks/javascript-source-root.yml +++ b/pr-checks/checks/javascript-source-root.yml @@ -13,6 +13,7 @@ steps: languages: javascript source-root: ../new-source-root tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: upload-database: false diff --git a/pr-checks/checks/language-aliases.yml b/pr-checks/checks/language-aliases.yml index c4441923dd..829768441f 100644 --- a/pr-checks/checks/language-aliases.yml +++ b/pr-checks/checks/language-aliases.yml @@ -7,6 +7,7 @@ steps: with: languages: C#,java-kotlin,swift,typescript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: "Check languages" run: | diff --git a/pr-checks/checks/multi-language-autodetect.yml b/pr-checks/checks/multi-language-autodetect.yml index 9ed1e85b8d..f396ebc3da 100644 --- a/pr-checks/checks/multi-language-autodetect.yml +++ b/pr-checks/checks/multi-language-autodetect.yml @@ -7,6 +7,7 @@ steps: with: db-location: "${{ runner.temp }}/customDbLocation" tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: @@ -20,6 +21,7 @@ steps: id: analysis with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check language autodetect for all languages excluding Swift shell: bash diff --git a/pr-checks/checks/packaging-codescanning-config-inputs-js.yml b/pr-checks/checks/packaging-codescanning-config-inputs-js.yml index 039108cd8a..44a4f93d34 100644 --- a/pr-checks/checks/packaging-codescanning-config-inputs-js.yml 
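Review bot: In init-with-registries.yml the commit does not add an input but replaces the quoted `token: "${{ secrets.GITHUB_TOKEN }}"` line that followed the ghcr.io `url`/`packages` entry under `registries: |`. Indentation is lost in this rendering, so it is unclear whether the new line is still the registry credential or now sits at the `with:` level; in the first case the registry login depends on an optional secret, in the second the registry entry has no token at all. If the registry credential is meant to stay, keep the original line and add the action input separately. If the replacement is intended, keep the quotes and a fallback, `token: "${{ secrets.CODEQL_TOKEN || github.token }}"`, so an unset secret does not leave a bare `token:` in the embedded YAML.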
+++ b/pr-checks/checks/packaging-codescanning-config-inputs-js.yml @@ -8,6 +8,7 @@ steps: packs: +codeql-testing/codeql-pack1@1.0.0 languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh @@ -15,6 +16,7 @@ steps: with: output: "${{ runner.temp }}/results" upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check results uses: ./../action/.github/actions/check-sarif diff --git a/pr-checks/checks/packaging-config-inputs-js.yml b/pr-checks/checks/packaging-config-inputs-js.yml index a20c5d44dc..058581deca 100644 --- a/pr-checks/checks/packaging-config-inputs-js.yml +++ b/pr-checks/checks/packaging-config-inputs-js.yml @@ -8,6 +8,7 @@ steps: packs: +codeql-testing/codeql-pack1@1.0.0 languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh @@ -15,6 +16,7 @@ steps: with: output: "${{ runner.temp }}/results" upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check results uses: ./../action/.github/actions/check-sarif diff --git a/pr-checks/checks/packaging-config-js.yml b/pr-checks/checks/packaging-config-js.yml index 084a8ad72d..e010f8d409 100644 --- a/pr-checks/checks/packaging-config-js.yml +++ b/pr-checks/checks/packaging-config-js.yml @@ -7,6 +7,7 @@ steps: config-file: ".github/codeql/codeql-config-packaging.yml" languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh @@ -14,6 +15,7 @@ steps: with: output: "${{ runner.temp }}/results" upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check results uses: ./../action/.github/actions/check-sarif diff --git a/pr-checks/checks/packaging-inputs-js.yml b/pr-checks/checks/packaging-inputs-js.yml index ff1e35a366..674ada17b1 100644 --- a/pr-checks/checks/packaging-inputs-js.yml 
+++ b/pr-checks/checks/packaging-inputs-js.yml @@ -8,12 +8,14 @@ steps: languages: javascript packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh - uses: ./../action/analyze with: output: "${{ runner.temp }}/results" + token: ${{ secrets.CODEQL_TOKEN }} - name: Check results uses: ./../action/.github/actions/check-sarif diff --git a/pr-checks/checks/remote-config.yml b/pr-checks/checks/remote-config.yml index 918c1cd0da..8ba0ac1025 100644 --- a/pr-checks/checks/remote-config.yml +++ b/pr-checks/checks/remote-config.yml @@ -6,7 +6,10 @@ steps: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: cpp,csharp,java,javascript,python config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh - uses: ./../action/analyze + with: + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/pr-checks/checks/resolve-environment-action.yml b/pr-checks/checks/resolve-environment-action.yml index 5c57647049..7221a5fa5b 100644 --- a/pr-checks/checks/resolve-environment-action.yml +++ b/pr-checks/checks/resolve-environment-action.yml @@ -6,6 +6,7 @@ steps: with: languages: ${{ matrix.version == 'stable-v2.13.4' && 'go' || 'go,javascript-typescript' }} tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Resolve environment for Go uses: ./../action/resolve-environment diff --git a/pr-checks/checks/rubocop-multi-language.yml b/pr-checks/checks/rubocop-multi-language.yml index 90b41b6fa7..ec55d2be81 100644 --- a/pr-checks/checks/rubocop-multi-language.yml +++ b/pr-checks/checks/rubocop-multi-language.yml 
@@ -24,3 +24,4 @@ steps: - uses: ./../action/upload-sarif with: sarif_file: rubocop.sarif + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/pr-checks/checks/ruby.yml b/pr-checks/checks/ruby.yml index a857fd3409..4048d87ea5 100644 --- a/pr-checks/checks/ruby.yml +++ b/pr-checks/checks/ruby.yml @@ -7,10 +7,12 @@ steps: with: languages: ruby tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze id: analysis with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check database shell: bash run: | diff --git a/pr-checks/checks/scaling-reserved-ram.yml b/pr-checks/checks/scaling-reserved-ram.yml index fe2366ed7d..6770dac404 100644 --- a/pr-checks/checks/scaling-reserved-ram.yml +++ b/pr-checks/checks/scaling-reserved-ram.yml @@ -9,6 +9,7 @@ steps: with: db-location: "${{ runner.temp }}/customDbLocation" tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: @@ -22,3 +23,4 @@ steps: id: analysis with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/pr-checks/checks/split-workflow.yml b/pr-checks/checks/split-workflow.yml index c752eca67c..984c6e7279 100644 --- a/pr-checks/checks/split-workflow.yml +++ b/pr-checks/checks/split-workflow.yml @@ -9,6 +9,7 @@ steps: packs: +codeql-testing/codeql-pack1@1.0.0 languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh @@ -17,6 +18,7 @@ steps: skip-queries: true output: "${{ runner.temp }}/results" upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Assert No Results shell: bash @@ -29,6 +31,7 @@ steps: with: output: "${{ runner.temp }}/results" upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Assert Results shell: bash run: | 
diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml index eba3b2220f..5694eee46a 100644 --- a/pr-checks/checks/submit-sarif-failure.yml +++ b/pr-checks/checks/submit-sarif-failure.yml @@ -19,6 +19,7 @@ steps: - uses: ./init with: languages: javascript + token: ${{ secrets.CODEQL_TOKEN }} - name: Fail # We want this job to pass if the Action correctly uploads the SARIF file for # the failed run. @@ -32,3 +33,4 @@ steps: if: false with: category: "/test-codeql-version:${{ matrix.version }}" + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/pr-checks/checks/swift-custom-build.yml b/pr-checks/checks/swift-custom-build.yml index a5da41f568..432c62fcdc 100644 --- a/pr-checks/checks/swift-custom-build.yml +++ b/pr-checks/checks/swift-custom-build.yml @@ -10,6 +10,7 @@ steps: with: languages: swift tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{steps.init.outputs.codeql-path}} @@ -23,6 +24,7 @@ steps: id: analysis with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check database shell: bash run: | diff --git a/pr-checks/checks/test-autobuild-working-dir.yml b/pr-checks/checks/test-autobuild-working-dir.yml index 56338ee325..6ae104936d 100644 --- a/pr-checks/checks/test-autobuild-working-dir.yml +++ b/pr-checks/checks/test-autobuild-working-dir.yml @@ -14,12 +14,15 @@ steps: with: languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/autobuild with: working-directory: autobuild-dir + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - name: Check database shell: bash run: | diff --git a/pr-checks/checks/test-local-codeql.yml b/pr-checks/checks/test-local-codeql.yml index 417c717dd2..e2648e8b11 100644 --- a/pr-checks/checks/test-local-codeql.yml 
+++ b/pr-checks/checks/test-local-codeql.yml @@ -13,6 +13,7 @@ steps: uses: ./../action/init with: tools: ./codeql-bundle-linux64.tar.gz + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{ steps.init.outputs.codeql-path }} @@ -22,3 +23,4 @@ steps: - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/pr-checks/checks/test-proxy.yml b/pr-checks/checks/test-proxy.yml index 33955004e7..ad3bb7d4d8 100644 --- a/pr-checks/checks/test-proxy.yml +++ b/pr-checks/checks/test-proxy.yml @@ -17,6 +17,8 @@ steps: with: languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/analyze with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/pr-checks/checks/unset-environment.yml b/pr-checks/checks/unset-environment.yml index 2161bfc9dd..db3bc3cd46 100644 --- a/pr-checks/checks/unset-environment.yml +++ b/pr-checks/checks/unset-environment.yml @@ -7,6 +7,7 @@ steps: with: db-location: ${{ runner.temp }}/customDbLocation tools: ${{ steps.prepare-test.outputs.tools-url }} + token: ${{ secrets.CODEQL_TOKEN }} - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{ steps.init.outputs.codeql-path }} @@ -19,6 +20,7 @@ steps: id: analysis with: upload-database: false + token: ${{ secrets.CODEQL_TOKEN }} - shell: bash run: | CPP_DB="${{ fromJson(steps.analysis.outputs.db-locations).cpp }}" diff --git a/pr-checks/checks/upload-ref-sha-input.yml b/pr-checks/checks/upload-ref-sha-input.yml index ffd339b598..7447167d67 100644 --- a/pr-checks/checks/upload-ref-sha-input.yml +++ b/pr-checks/checks/upload-ref-sha-input.yml 
@@ -7,6 +7,7 @@ steps: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: cpp,csharp,java,javascript,python config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }} + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash run: ./build.sh @@ -20,3 +21,4 @@ steps: with: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' + token: ${{ secrets.CODEQL_TOKEN }} diff --git a/pr-checks/checks/with-checkout-path.yml b/pr-checks/checks/with-checkout-path.yml index ccc8fa1a3b..75a3573356 100644 --- a/pr-checks/checks/with-checkout-path.yml +++ b/pr-checks/checks/with-checkout-path.yml @@ -23,6 +23,7 @@ steps: languages: csharp,javascript source-root: x/y/z/some-path/tests/multi-language-repo debug: true + token: ${{ secrets.CODEQL_TOKEN }} - name: Build code shell: bash @@ -43,6 +44,7 @@ steps: ref: v1.1.0 sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6 checkout_path: x/y/z/some-path/tests/multi-language-repo + token: ${{ secrets.CODEQL_TOKEN }} - name: Verify SARIF after upload shell: bash