Fix toolcache behavior when downloading bundle from another repo #1523
Suppose a user requests a specific version of CodeQL by passing a `tools: https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz` input to the `init` Action. Previously the Action did not take note of the fact the bundle came from `dsp-testing/codeql-cli-nightlies`, not `github/codeql-action`. Most of the time, this would mean it wouldn't find a release with the requested tag, and the bundle would be correctly cached as `0.0.0-<bundleVersion>` so as to avoid a clash with a stable CodeQL release. However if a release with the same tag existed on the CodeQL Action repository, then the Action would incorrectly associate the CLI version number from that stable bundle with the other bundle, and go on to cache the bundle as `<cliVersion>-<bundleVersion>`. This led to bundles being cached with the wrong CLI version, for example `https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz` was cached as 2.12.2, since it matched this release on the `github/codeql-action` repo.

To resolve this, before we try to look up the CLI version number associated with a particular bundle tag, we check that that bundle originates from `github/codeql-action`, either the original repository on Dotcom or a synced repository on Enterprise Server.

Merge / deployment checklist
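The origin check described in this PR, as an added example that is not the CodeQL Action's own code: it parses the `tools` release-asset URL, extracts the owner/repo and tag, and consults the CLI-version lookup only when the bundle comes from `github/codeql-action` (on github.com or on the configured Enterprise Server host). The `KNOWN_RELEASES` table, the `parseBundleUrl`, `isFromCodeqlActionRepo` and `cacheVersionFor` names, the `legacyCacheVersionFor` function reproducing the pre-fix behaviour, and the derivation of `<bundleVersion>` from the tag are all assumptions made for this example.

```typescript
// Added example, not code from github/codeql-action. Decides how a CodeQL
// bundle requested via a `tools:` URL is cached, with and without the origin check.

const CODEQL_ACTION_REPO = "github/codeql-action";
// Placeholder CLI version used when a bundle's CLI version is unknown.
const UNKNOWN_CLI_VERSION = "0.0.0";

export interface BundleOrigin {
  host: string; // e.g. "github.com" or a GHES hostname
  repo: string; // "<owner>/<repo>"
  tag: string;  // release tag, e.g. "codeql-bundle-20230203"
}

// Parse a GitHub release-asset URL of the form
// https://<host>/<owner>/<repo>/releases/download/<tag>/<asset>.
// Returns undefined for anything that does not match that shape.
export function parseBundleUrl(url: string): BundleOrigin | undefined {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    return undefined;
  }
  const m = parsed.pathname.match(
    /^\/([^/]+)\/([^/]+)\/releases\/download\/([^/]+)\/[^/]+$/,
  );
  if (!m) return undefined;
  return { host: parsed.hostname, repo: `${m[1]}/${m[2]}`, tag: m[3] };
}

// The check this PR adds: the bundle must come from github/codeql-action,
// either on Dotcom or on the Enterprise Server host the Action is running
// against (assumption: the synced repo keeps the same owner/repo name).
export function isFromCodeqlActionRepo(
  origin: BundleOrigin,
  enterpriseHost?: string,
): boolean {
  if (origin.repo.toLowerCase() !== CODEQL_ACTION_REPO) return false;
  return origin.host === "github.com" || origin.host === enterpriseHost;
}

// Constructed stand-in for looking up which CLI version a release tag on
// github/codeql-action shipped with (hypothetical data, not real release metadata).
const KNOWN_RELEASES: Record<string, string> = {
  "codeql-bundle-20230203": "2.12.2",
};

// Assumption: the bundle version is the tag with the "codeql-bundle-" prefix removed.
function bundleVersionFromTag(tag: string): string {
  return tag.replace(/^codeql-bundle-/, "");
}

// Pre-fix behaviour: the tag alone selects the CLI version, regardless of origin.
export function legacyCacheVersionFor(url: string): string {
  const origin = parseBundleUrl(url);
  if (!origin) throw new Error(`not a release asset URL: ${url}`);
  const cli = KNOWN_RELEASES[origin.tag] ?? UNKNOWN_CLI_VERSION;
  return `${cli}-${bundleVersionFromTag(origin.tag)}`;
}

// Fixed behaviour: only consult the release lookup for bundles that really
// originate from github/codeql-action; everything else is cached under 0.0.0.
export function cacheVersionFor(url: string, enterpriseHost?: string): string {
  const origin = parseBundleUrl(url);
  if (!origin) throw new Error(`not a release asset URL: ${url}`);
  const cli = isFromCodeqlActionRepo(origin, enterpriseHost)
    ? (KNOWN_RELEASES[origin.tag] ?? UNKNOWN_CLI_VERSION)
    : UNKNOWN_CLI_VERSION;
  return `${cli}-${bundleVersionFromTag(origin.tag)}`;
}
```

With the nightly URL from the description, `legacyCacheVersionFor` yields `2.12.2-20230203` (the wrong association the PR describes) while `cacheVersionFor` yields `0.0.0-20230203`; the same tag on `github/codeql-action`, on github.com or on the configured Enterprise Server host, still resolves to `2.12.2-20230203`.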