From 3df807292ad75b40f30540b1126508b01bfb9504 Mon Sep 17 00:00:00 2001 
From: Henry Mercer Date: Tue, 23 Sep 2025 14:38:33 +0200 Subject: [PATCH 01/26] Only run PR checks on Ubuntu by default --- .github/workflows/__analyze-ref-input.yml | 4 --- .github/workflows/__config-export.yml | 8 ----- .github/workflows/__diagnostics-export.yml | 8 ----- .github/workflows/__init-with-registries.yml | 14 -------- ...ackaging-codescanning-config-inputs-js.yml | 12 ------- .../__packaging-config-inputs-js.yml | 12 ------- .github/workflows/__packaging-config-js.yml | 12 ------- .github/workflows/__packaging-inputs-js.yml | 12 ------- .github/workflows/__quality-queries.yml | 36 ------------------- .../__resolve-environment-action.yml | 12 ------- .github/workflows/__upload-quality-sarif.yml | 4 --- .github/workflows/__upload-ref-sha-input.yml | 4 --- .github/workflows/__with-checkout-path.yml | 4 --- pr-checks/checks/all-platform-bundle.yml | 1 - pr-checks/checks/autobuild-action.yml | 1 + pr-checks/checks/build-mode-autobuild.yml | 1 - pr-checks/checks/build-mode-manual.yml | 1 - pr-checks/checks/build-mode-none.yml | 1 - pr-checks/checks/build-mode-rollback.yml | 1 - pr-checks/checks/cleanup-db-cluster-dir.yml | 1 - pr-checks/checks/config-input.yml | 1 - pr-checks/checks/cpp-deptrace-disabled.yml | 1 - pr-checks/checks/cpp-deptrace-enabled.yml | 1 - .../export-file-baseline-information.yml | 1 + pr-checks/checks/extractor-ram-threads.yml | 1 - ...indirect-tracing-workaround-diagnostic.yml | 1 - ...ect-tracing-workaround-no-file-program.yml | 1 - .../checks/go-indirect-tracing-workaround.yml | 1 - pr-checks/checks/init-with-registries.yml | 2 -- pr-checks/checks/javascript-source-root.yml | 1 - pr-checks/checks/job-run-uuid-sarif.yml | 1 - pr-checks/checks/language-aliases.yml | 1 - pr-checks/checks/overlay-init-fallback.yml | 1 - pr-checks/checks/rubocop-multi-language.yml | 1 - pr-checks/checks/rust.yml | 1 - pr-checks/checks/submit-sarif-failure.yml | 1 - .../checks/test-autobuild-working-dir.yml | 1 - pr-checks/checks/test-local-codeql.yml | 
1 - pr-checks/checks/test-proxy.yml | 1 - pr-checks/sync.py | 13 +------ 40 files changed, 3 insertions(+), 179 deletions(-) diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml index f2f9f45a58..90571df094 100644 --- a/.github/workflows/__analyze-ref-input.yml +++ b/.github/workflows/__analyze-ref-input.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: "Analyze: 'ref' and 'sha' from inputs" permissions: contents: read diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml index 85118c3fad..17677c5e61 100644 --- a/.github/workflows/__config-export.yml +++ b/.github/workflows/__config-export.yml @@ -38,16 +38,8 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Config export permissions: contents: read diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml index 1b8618798c..8260646e97 100644 --- a/.github/workflows/__diagnostics-export.yml +++ b/.github/workflows/__diagnostics-export.yml @@ -38,16 +38,8 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Diagnostic export permissions: contents: read diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml index f570a05e0f..3a883b95a3 100644 --- a/.github/workflows/__init-with-registries.yml +++ b/.github/workflows/__init-with-registries.yml 
@@ -38,22 +38,10 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Download using registries' permissions: contents: read @@ -117,8 +105,6 @@ jobs: fi - name: Verify contents of qlconfig.yml - # yq is not available on windows - if: runner.os != 'Windows' run: | QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")' diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml index 0d7d4cf9ed..8fb5150f6a 100644 --- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml +++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml @@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config and input passed to the CLI' permissions: contents: read diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml index 7067a4d734..b66365abd6 100644 --- a/.github/workflows/__packaging-config-inputs-js.yml +++ b/.github/workflows/__packaging-config-inputs-js.yml 
@@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config and input' permissions: contents: read diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml index d6bd2cf7d4..542d67e707 100644 --- a/.github/workflows/__packaging-config-js.yml +++ b/.github/workflows/__packaging-config-js.yml @@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config file' permissions: contents: read diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml index 03a81db686..b0f90bfe40 100644 --- a/.github/workflows/__packaging-inputs-js.yml +++ b/.github/workflows/__packaging-inputs-js.yml @@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Action input' permissions: contents: read 
diff --git a/.github/workflows/__quality-queries.yml b/.github/workflows/__quality-queries.yml index 50f24c61ef..281aedf47e 100644 --- a/.github/workflows/__quality-queries.yml +++ b/.github/workflows/__quality-queries.yml @@ -45,24 +45,6 @@ jobs: - os: ubuntu-latest version: linked analysis-kinds: code-scanning,code-quality - - os: macos-latest - version: linked - analysis-kinds: code-scanning - - os: macos-latest - version: linked - analysis-kinds: code-quality - - os: macos-latest - version: linked - analysis-kinds: code-scanning,code-quality - - os: windows-latest - version: linked - analysis-kinds: code-scanning - - os: windows-latest - version: linked - analysis-kinds: code-quality - - os: windows-latest - version: linked - analysis-kinds: code-scanning,code-quality - os: ubuntu-latest version: nightly-latest analysis-kinds: code-scanning @@ -72,24 +54,6 @@ jobs: - os: ubuntu-latest version: nightly-latest analysis-kinds: code-scanning,code-quality - - os: macos-latest - version: nightly-latest - analysis-kinds: code-scanning - - os: macos-latest - version: nightly-latest - analysis-kinds: code-quality - - os: macos-latest - version: nightly-latest - analysis-kinds: code-scanning,code-quality - - os: windows-latest - version: nightly-latest - analysis-kinds: code-scanning - - os: windows-latest - version: nightly-latest - analysis-kinds: code-quality - - os: windows-latest - version: nightly-latest - analysis-kinds: code-scanning,code-quality name: Quality queries input permissions: contents: read diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index f7ca252762..da2d3c0f92 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml 
@@ -38,22 +38,10 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Resolve environment permissions: contents: read diff --git a/.github/workflows/__upload-quality-sarif.yml b/.github/workflows/__upload-quality-sarif.yml index 90a1c9ef12..50637c31ba 100644 --- a/.github/workflows/__upload-quality-sarif.yml +++ b/.github/workflows/__upload-quality-sarif.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: 'Upload-sarif: code quality endpoint' permissions: contents: read diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml index 41036c61a2..a527d7b983 100644 --- a/.github/workflows/__upload-ref-sha-input.yml +++ b/.github/workflows/__upload-ref-sha-input.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: "Upload-sarif: 'ref' and 'sha' from inputs" permissions: contents: read diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index ea694d7c6f..9296f11946 100644 --- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked name: Use a custom `checkout_path` permissions: contents: read diff --git a/pr-checks/checks/all-platform-bundle.yml b/pr-checks/checks/all-platform-bundle.yml index 332f129308..75c75c8b5e 100644 
--- a/pr-checks/checks/all-platform-bundle.yml +++ b/pr-checks/checks/all-platform-bundle.yml @@ -1,7 +1,6 @@ name: "All-platform bundle" description: "Tests using an all-platform CodeQL Bundle" versions: ["nightly-latest"] -operatingSystems: ["ubuntu"] useAllPlatformBundle: "true" installGo: true steps: diff --git a/pr-checks/checks/autobuild-action.yml b/pr-checks/checks/autobuild-action.yml index ac67a81fef..91ae7834cc 100644 --- a/pr-checks/checks/autobuild-action.yml +++ b/pr-checks/checks/autobuild-action.yml @@ -1,5 +1,6 @@ name: "autobuild-action" description: "Tests that the C# autobuild action works" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["linked"] steps: - uses: ./../action/init diff --git a/pr-checks/checks/build-mode-autobuild.yml b/pr-checks/checks/build-mode-autobuild.yml index 7e840d15a2..5a51477882 100644 --- a/pr-checks/checks/build-mode-autobuild.yml +++ b/pr-checks/checks/build-mode-autobuild.yml @@ -1,6 +1,5 @@ name: "Build mode autobuild" description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'" -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] steps: - name: Set up Java test repo configuration diff --git a/pr-checks/checks/build-mode-manual.yml b/pr-checks/checks/build-mode-manual.yml index 64009c2eeb..f1815b7ff0 100644 --- a/pr-checks/checks/build-mode-manual.yml +++ b/pr-checks/checks/build-mode-manual.yml @@ -1,6 +1,5 @@ name: "Build mode manual" description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'" -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] installGo: true steps: diff --git a/pr-checks/checks/build-mode-none.yml b/pr-checks/checks/build-mode-none.yml index 4d23614a90..669ea7915e 100644 --- a/pr-checks/checks/build-mode-none.yml +++ b/pr-checks/checks/build-mode-none.yml 
@@ -1,6 +1,5 @@ name: "Build mode none" description: "An end-to-end integration test of a Java repository built using 'build-mode: none'" -operatingSystems: ["ubuntu"] versions: ["linked", "nightly-latest"] steps: - uses: ./../action/init diff --git a/pr-checks/checks/build-mode-rollback.yml b/pr-checks/checks/build-mode-rollback.yml index 1d935314e2..49bcfdd1f0 100644 --- a/pr-checks/checks/build-mode-rollback.yml +++ b/pr-checks/checks/build-mode-rollback.yml @@ -1,6 +1,5 @@ name: "Build mode rollback" description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled." -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] env: CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true diff --git a/pr-checks/checks/cleanup-db-cluster-dir.yml b/pr-checks/checks/cleanup-db-cluster-dir.yml index 1c181a57e6..d2cacf47eb 100644 --- a/pr-checks/checks/cleanup-db-cluster-dir.yml +++ b/pr-checks/checks/cleanup-db-cluster-dir.yml @@ -1,6 +1,5 @@ name: "Clean up database cluster directory" description: "The database cluster directory is cleaned up if it is not empty." -operatingSystems: ["ubuntu"] versions: ["linked"] steps: - name: Add a file to the database cluster directory diff --git a/pr-checks/checks/config-input.yml b/pr-checks/checks/config-input.yml index 5807e85946..f139ff90e6 100644 --- a/pr-checks/checks/config-input.yml +++ b/pr-checks/checks/config-input.yml @@ -1,7 +1,6 @@ name: "Config input" description: "Tests specifying configuration using the config input" installNode: true -operatingSystems: ["ubuntu"] versions: ["linked"] steps: - name: Copy queries into workspace diff --git a/pr-checks/checks/cpp-deptrace-disabled.yml b/pr-checks/checks/cpp-deptrace-disabled.yml index 1073d0194a..5b6e82726a 100644 --- a/pr-checks/checks/cpp-deptrace-disabled.yml +++ b/pr-checks/checks/cpp-deptrace-disabled.yml 
@@ -1,6 +1,5 @@ name: "C/C++: disabling autoinstalling dependencies (Linux)" description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works" -operatingSystems: ["ubuntu"] versions: ["linked", "default", "nightly-latest"] env: DOTNET_GENERATE_ASPNET_CERTIFICATE: "false" diff --git a/pr-checks/checks/cpp-deptrace-enabled.yml b/pr-checks/checks/cpp-deptrace-enabled.yml index f92f29d212..e35910a756 100644 --- a/pr-checks/checks/cpp-deptrace-enabled.yml +++ b/pr-checks/checks/cpp-deptrace-enabled.yml @@ -1,6 +1,5 @@ name: "C/C++: autoinstalling dependencies (Linux)" description: "Checks that running C/C++ autobuild with autoinstalling dependencies works" -operatingSystems: ["ubuntu"] versions: ["linked", "default", "nightly-latest"] env: DOTNET_GENERATE_ASPNET_CERTIFICATE: "false" diff --git a/pr-checks/checks/export-file-baseline-information.yml b/pr-checks/checks/export-file-baseline-information.yml index 2eb0e6d525..f7698f885e 100644 --- a/pr-checks/checks/export-file-baseline-information.yml +++ b/pr-checks/checks/export-file-baseline-information.yml @@ -1,5 +1,6 @@ name: "Export file baseline information" description: "Tests that file baseline information is exported when the feature is enabled" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["nightly-latest"] installGo: true env: diff --git a/pr-checks/checks/extractor-ram-threads.yml b/pr-checks/checks/extractor-ram-threads.yml index 435c9f41e6..43638af180 100644 --- a/pr-checks/checks/extractor-ram-threads.yml +++ b/pr-checks/checks/extractor-ram-threads.yml @@ -1,7 +1,6 @@ name: "Extractor ram and threads options test" description: "Tests passing RAM and threads limits to extractors" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml index e7cd79185a..6709401245 100644 
--- a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml @@ -1,7 +1,6 @@ name: "Go: diagnostic when Go is changed after init step" description: "Checks that we emit a diagnostic if Go is changed after the init step" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true diff --git a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml index 3f2fa90b9f..85e21356c4 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml @@ -1,7 +1,6 @@ name: "Go: diagnostic when `file` is not installed" description: "Checks that we emit a diagnostic if the `file` program is not installed" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true diff --git a/pr-checks/checks/go-indirect-tracing-workaround.yml b/pr-checks/checks/go-indirect-tracing-workaround.yml index 5c6690128f..222b964c78 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround.yml @@ -1,7 +1,6 @@ name: "Go: workaround for indirect tracing" description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true diff --git a/pr-checks/checks/init-with-registries.yml b/pr-checks/checks/init-with-registries.yml index bc45d255aa..cedc62aab0 100644 --- a/pr-checks/checks/init-with-registries.yml +++ b/pr-checks/checks/init-with-registries.yml 
@@ -62,8 +62,6 @@ steps: fi - name: Verify contents of qlconfig.yml - # yq is not available on windows - if: runner.os != 'Windows' run: | QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")' diff --git a/pr-checks/checks/javascript-source-root.yml b/pr-checks/checks/javascript-source-root.yml index 9c933576e1..b06dc7bfa2 100644 --- a/pr-checks/checks/javascript-source-root.yml +++ b/pr-checks/checks/javascript-source-root.yml @@ -1,7 +1,6 @@ name: "Custom source root" description: "Checks that the argument specifying a non-default source root works" versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs -operatingSystems: ["ubuntu"] steps: - name: Move codeql-action run: | diff --git a/pr-checks/checks/job-run-uuid-sarif.yml b/pr-checks/checks/job-run-uuid-sarif.yml index 196e321780..9c0f843d40 100644 --- a/pr-checks/checks/job-run-uuid-sarif.yml +++ b/pr-checks/checks/job-run-uuid-sarif.yml @@ -1,6 +1,5 @@ name: "Job run UUID added to SARIF" description: "Tests that the job run UUID is added to the SARIF output" -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] steps: - uses: ./../action/init diff --git a/pr-checks/checks/language-aliases.yml b/pr-checks/checks/language-aliases.yml index 16f5f044f9..b0db1288a3 100644 --- a/pr-checks/checks/language-aliases.yml +++ b/pr-checks/checks/language-aliases.yml @@ -1,7 +1,6 @@ name: "Language aliases" description: "Tests that language aliases are resolved correctly" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/overlay-init-fallback.yml b/pr-checks/checks/overlay-init-fallback.yml index 44d19d79c3..bfcfd27e79 100644 --- a/pr-checks/checks/overlay-init-fallback.yml +++ b/pr-checks/checks/overlay-init-fallback.yml 
@@ -1,7 +1,6 @@ name: "Overlay database init fallback" description: "Tests that overlay init action succeeds with non-overlay packs" versions: ["linked", "nightly-latest"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/rubocop-multi-language.yml b/pr-checks/checks/rubocop-multi-language.yml index b4439a2d39..10819a4619 100644 --- a/pr-checks/checks/rubocop-multi-language.yml +++ b/pr-checks/checks/rubocop-multi-language.yml @@ -1,6 +1,5 @@ name: "RuboCop multi-language" description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF" -operatingSystems: ["ubuntu"] # This check doesn't use CodeQL, so the `version` matrix variable is unused. versions: ["default"] steps: diff --git a/pr-checks/checks/rust.yml b/pr-checks/checks/rust.yml index 67920538d7..c19fc986da 100644 --- a/pr-checks/checks/rust.yml +++ b/pr-checks/checks/rust.yml @@ -8,7 +8,6 @@ versions: - linked - default - nightly-latest -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml index ba67db39f0..97332e4c94 100644 --- a/pr-checks/checks/submit-sarif-failure.yml +++ b/pr-checks/checks/submit-sarif-failure.yml @@ -1,7 +1,6 @@ name: Submit SARIF after failure description: Check that a SARIF file is submitted for the workflow run if it fails versions: ["linked", "default", "nightly-latest"] -operatingSystems: ["ubuntu"] env: # Internal-only environment variable used to indicate that the post-init Action diff --git a/pr-checks/checks/test-autobuild-working-dir.yml b/pr-checks/checks/test-autobuild-working-dir.yml index eda3677f67..77c1f73c84 100644 --- a/pr-checks/checks/test-autobuild-working-dir.yml +++ b/pr-checks/checks/test-autobuild-working-dir.yml 
@@ -1,7 +1,6 @@ name: "Autobuild working directory" description: "Tests working-directory input of autobuild action" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - name: Test setup run: | diff --git a/pr-checks/checks/test-local-codeql.yml b/pr-checks/checks/test-local-codeql.yml index 1e41e5dd3d..c16c2bf503 100644 --- a/pr-checks/checks/test-local-codeql.yml +++ b/pr-checks/checks/test-local-codeql.yml @@ -1,7 +1,6 @@ name: "Local CodeQL bundle" description: "Tests using a CodeQL bundle from a local file rather than a URL" versions: ["linked"] -operatingSystems: ["ubuntu"] installGo: true steps: - name: Fetch latest CodeQL bundle diff --git a/pr-checks/checks/test-proxy.yml b/pr-checks/checks/test-proxy.yml index 39efb214e1..1d64125748 100644 --- a/pr-checks/checks/test-proxy.yml +++ b/pr-checks/checks/test-proxy.yml @@ -1,7 +1,6 @@ name: "Proxy test" description: "Tests using a proxy specified by the https_proxy environment variable" versions: ["linked", "nightly-latest"] -operatingSystems: ["ubuntu"] container: image: ubuntu:22.04 container-init-steps: diff --git a/pr-checks/sync.py b/pr-checks/sync.py index 206519cc46..fc756c7883 100755 --- a/pr-checks/sync.py +++ b/pr-checks/sync.py @@ -29,12 +29,6 @@ "nightly-latest" ] -def is_os_and_version_excluded(os, version, exclude_params): - for exclude_param in exclude_params: - if exclude_param[0] == os and exclude_param[1] == version: - return True - return False - # When updating the ruamel.yaml version here, update the PR check in # `.github/workflows/pr-checks.yml` too. header = """# Warning: This file is generated automatically, and should not be modified. 
@@ -78,22 +72,17 @@ def writeHeader(checkStream): if 'inputs' in checkSpecification: workflowInputs = checkSpecification['inputs'] - excludedOsesAndVersions = checkSpecification.get('excludeOsAndVersionCombination', []) for version in checkSpecification.get('versions', defaultTestVersions): if version == "latest": raise ValueError('Did not recognize "version: latest". Did you mean "version: linked"?') runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"] - operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu", "macos", "windows"]) + operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu"]) for operatingSystem in operatingSystems: runnerImagesForOs = [image for image in runnerImages if image.startswith(operatingSystem)] for runnerImage in runnerImagesForOs: - # Skip appending this combination to the matrix if it is explicitly excluded. - if is_os_and_version_excluded(operatingSystem, version, excludedOsesAndVersions): - continue - matrix.append({ 'os': runnerImage, 'version': version From 29a4b8731d5be5fe16b29b85e89d351c547b84d0 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 23 Sep 2025 14:40:02 +0200 Subject: [PATCH 02/26] Run code scanning config tests on Linux only --- .github/workflows/codescanning-config-cli.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml index 316cb7d13c..eca3902c2c 100644 --- a/.github/workflows/codescanning-config-cli.yml +++ b/.github/workflows/codescanning-config-cli.yml @@ -41,16 +41,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest # Code-Scanning config not created because environment variable is not set name: Code Scanning Configuration tests 
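Review bot: In the pr-checks/sync.py hunk `@@ -78,22 +72,17 @@`, a check specification that still sets `excludeOsAndVersionCombination` is now ignored without any error, because the key is no longer read; whether any spec still carries it is not visible in this patch. Rejecting it explicitly would surface stale specs at generation time, for example `if 'excludeOsAndVersionCombination' in checkSpecification:` followed by `raise ValueError('excludeOsAndVersionCombination is no longer supported; set operatingSystems instead.')`, which matches the existing `ValueError` for `version: latest`. The new `["ubuntu"]` default also makes platform constraints depend implicitly on this one line. The Go indirect-tracing specs keep their `# only Linux is affected` comment with no `operatingSystems` key left under it, and init-with-registries.yml drops its `yq is not available on windows` guard. A comment beside the default would help, such as `# Checks run on Ubuntu only unless a spec opts in via operatingSystems; some specs rely on this default.` The enclosing loop starts and ends outside the hunk.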
From 50fc7e92364bd020436526d367fe64dc7f3eaf3e Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 23 Sep 2025 14:53:29 +0200 Subject: [PATCH 03/26] Fix `tools: linked` log message --- lib/analyze-action.js | 20 +++++++--------- lib/init-action-post.js | 20 +++++++--------- lib/init-action.js | 20 +++++++--------- lib/upload-lib.js | 20 +++++++--------- lib/upload-sarif-action.js | 20 +++++++--------- src/setup-codeql.ts | 49 +++++++++++++++++++------------------- 6 files changed, 69 insertions(+), 80 deletions(-) diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 9ec4e5c9a9..129f5cd894 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -92219,17 +92219,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian toolsVersion: "local" }; } - const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.` - ); - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." - ); - } - } let cliVersion2; let tagName; let url2; 
@@ -92239,9 +92228,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); toolsInput = await getNightlyToolsUrl(logger); } + const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.` + ); + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." + ); + } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 9f5ee320db..5bbbca2029 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -130162,17 +130162,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian toolsVersion: "local" }; } - const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.` - ); - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." - ); - } - } let cliVersion2; let tagName; let url2; 
@@ -130182,9 +130171,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); toolsInput = await getNightlyToolsUrl(logger); } + const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.` + ); + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." + ); + } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; diff --git a/lib/init-action.js b/lib/init-action.js index 0794a537d3..54629c8d8d 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -88991,17 +88991,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian toolsVersion: "local" }; } - const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.` - ); - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." - ); - } - } let cliVersion2; let tagName; let url; 
@@ -89011,9 +89000,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); toolsInput = await getNightlyToolsUrl(logger); } + const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.` + ); + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." + ); + } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url = toolsInput; diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 712684630f..ef4ae60b62 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -89990,17 +89990,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian toolsVersion: "local" }; } - const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.` - ); - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." - ); - } - } let cliVersion2; let tagName; let url2; 
@@ -90010,9 +89999,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); toolsInput = await getNightlyToolsUrl(logger); } + const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.` + ); + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." + ); + } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 6e83644638..f179541d5e 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -90691,17 +90691,6 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian toolsVersion: "local" }; } - const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.` - ); - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." - ); - } - } let cliVersion2; let tagName; let url2; 
@@ -90711,9 +90700,18 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); toolsInput = await getNightlyToolsUrl(logger); } + const forceShippedTools = toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); if (forceShippedTools) { cliVersion2 = cliVersion; tagName = bundleVersion; + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion2}, the version shipped with the Action.` + ); + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required." + ); + } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 5a0f671fa5..a387a8b7ea 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts 
@@ -298,31 +298,6 @@ export async function getCodeQLSource( }; } - /** - * Whether the tools shipped with the Action, i.e. those in `defaults.json`, have been forced. - * - * We use the special value of 'linked' to prioritize the version in `defaults.json` over the - * version specified by the feature flags on Dotcom and over any pinned cached version on - * Enterprise Server. - * - * Previously we have been using 'latest' to force the shipped tools, but this was not clear - * enough for the users, so it has been changed to `linked`. We're keeping around `latest` for - * backwards compatibility. - */ - const forceShippedTools = - toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); - if (forceShippedTools) { - logger.info( - `'tools: ${toolsInput}' was requested, so using CodeQL version ${defaultCliVersion.cliVersion}, the version shipped with the Action.`, - ); - - if (toolsInput === "latest") { - logger.warning( - "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required.", - ); - } - } - /** CLI version number, for example 2.12.6. */ let cliVersion: string | undefined; /** Tag name of the CodeQL bundle, for example `codeql-bundle-20230120`. */ 
@@ -344,9 +319,33 @@ export async function getCodeQLSource( toolsInput = await getNightlyToolsUrl(logger); } + /** + * Whether the tools shipped with the Action, i.e. those in `defaults.json`, have been forced. + * + * We use the special value of 'linked' to prioritize the version in `defaults.json` over the + * version specified by the feature flags on Dotcom and over any pinned cached version on + * Enterprise Server. + * + * Previously we have been using 'latest' to force the shipped tools, but this was not clear + * enough for the users, so it has been changed to `linked`. We're keeping around `latest` for + * backwards compatibility. + */ + const forceShippedTools = + toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput); + if (forceShippedTools) { cliVersion = defaults.cliVersion; tagName = defaults.bundleVersion; + + logger.info( + `'tools: ${toolsInput}' was requested, so using CodeQL version ${cliVersion}, the version shipped with the Action.`, + ); + + if (toolsInput === "latest") { + logger.warning( + "`tools: latest` has been renamed to `tools: linked`, but the old name is still supported. No action is required.", + ); + } } else if (toolsInput !== undefined) { // If a tools URL was provided, then use that. tagName = tryGetTagNameFromUrl(toolsInput, logger); From 1b12ed7ea89162bf793ecab8dff3911b47ae8878 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 23 Sep 2025 15:15:15 +0200 Subject: [PATCH 04/26] Run resolve environment PR checks cross-platform --- .github/workflows/__resolve-environment-action.yml | 12 ++++++++++++ pr-checks/checks/resolve-environment-action.yml | 1 + 2 files changed, 13 insertions(+) diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index da2d3c0f92..f7ca252762 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml 
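Review bot: `forceShippedTools` is assigned `toolsInput && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput)`, so its type is `string | boolean | undefined` rather than a plain boolean, even though it is only used as a condition. `const forceShippedTools = toolsInput !== undefined && CODEQL_BUNDLE_VERSION_ALIAS.includes(toolsInput);` says the same thing with a boolean result and matches the `toolsInput !== undefined` test in the following `else if`. Because the declaration now sits below the nightly handling that reassigns `toolsInput`, the doc comment could add one sentence saying the alias check runs on the value after that reassignment. `getCodeQLSource` starts and ends outside the hunk, so the callers and the nightly branch condition are not visible here.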
@@ -38,10 +38,22 @@ jobs: include: - os: ubuntu-latest version: default + - os: macos-latest + version: default + - os: windows-latest + version: default - os: ubuntu-latest version: linked + - os: macos-latest + version: linked + - os: windows-latest + version: linked - os: ubuntu-latest version: nightly-latest + - os: macos-latest + version: nightly-latest + - os: windows-latest + version: nightly-latest name: Resolve environment permissions: contents: read diff --git a/pr-checks/checks/resolve-environment-action.yml b/pr-checks/checks/resolve-environment-action.yml index 9722b72285..ed78e0bdb4 100644 --- a/pr-checks/checks/resolve-environment-action.yml +++ b/pr-checks/checks/resolve-environment-action.yml @@ -1,5 +1,6 @@ name: "Resolve environment" description: "Tests that the resolve-environment action works for Go and JavaScript/TypeScript" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["default", "linked", "nightly-latest"] steps: - uses: ./../action/init From 67a00809333bd1a0e6f33b9185ba2b6dee33600e Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 24 Sep 2025 12:36:35 +0200 Subject: [PATCH 05/26] Test all-platform bundle on all platforms --- .github/workflows/__all-platform-bundle.yml | 4 ++++ pr-checks/checks/all-platform-bundle.yml | 1 + 2 files changed, 5 insertions(+) diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index 40d6d81c98..d6762100e8 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml @@ -48,6 +48,10 @@ jobs: include: - os: ubuntu-latest version: nightly-latest + - os: macos-latest + version: nightly-latest + - os: windows-latest + version: nightly-latest name: All-platform bundle permissions: contents: read diff --git a/pr-checks/checks/all-platform-bundle.yml b/pr-checks/checks/all-platform-bundle.yml index 75c75c8b5e..3396be22a7 100644 --- a/pr-checks/checks/all-platform-bundle.yml 
+++ b/pr-checks/checks/all-platform-bundle.yml @@ -1,5 +1,6 @@ name: "All-platform bundle" description: "Tests using an all-platform CodeQL Bundle" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["nightly-latest"] useAllPlatformBundle: "true" installGo: true From 79bbb1744e64f7d47524ad3ea64f8cdda0087b5c Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 24 Sep 2025 12:40:19 +0200 Subject: [PATCH 06/26] Remove PR checks that are now duplicated Direct tracing is now enabled by default. --- .../workflows/__autobuild-direct-tracing.yml | 103 ------------------ .github/workflows/__build-mode-autobuild.yml | 33 +++++- pr-checks/checks/autobuild-direct-tracing.yml | 31 ------ pr-checks/checks/build-mode-autobuild.yml | 12 +- 4 files changed, 42 insertions(+), 137 deletions(-) delete mode 100644 .github/workflows/__autobuild-direct-tracing.yml delete mode 100644 pr-checks/checks/autobuild-direct-tracing.yml diff --git a/.github/workflows/__autobuild-direct-tracing.yml b/.github/workflows/__autobuild-direct-tracing.yml deleted file mode 100644 index aed873e573..0000000000 --- a/.github/workflows/__autobuild-direct-tracing.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -# Warning: This file is generated automatically, and should not be modified. -# Instead, please modify the template in the pr-checks directory and run: -# pr-checks/sync.sh -# to regenerate this file. - -name: PR Check - Autobuild direct tracing -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GO111MODULE: auto -on: - push: - branches: - - main - - releases/v* - pull_request: - types: - - opened - - synchronize - - reopened - - ready_for_review - schedule: - - cron: '0 5 * * *' - workflow_dispatch: - inputs: - java-version: - type: string - description: The version of Java to install - required: false - default: '17' - workflow_call: - inputs: - java-version: - type: string - description: The version of Java to install - required: false - default: '17' -defaults: - run: - shell: bash -concurrency: - cancel-in-progress: ${{ github.event_name == 'pull_request' }} - group: ${{ github.workflow }}-${{ github.ref }} -jobs: - autobuild-direct-tracing: - strategy: - fail-fast: false - matrix: - include: - - os: ubuntu-latest - version: linked - - os: windows-latest - version: linked - - os: ubuntu-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest - name: Autobuild direct tracing - permissions: - contents: read - security-events: read - timeout-minutes: 45 - runs-on: ${{ matrix.os }} - steps: - - name: Check out repository - uses: actions/checkout@v5 - - name: Prepare test - id: prepare-test - uses: ./.github/actions/prepare-test - with: - version: ${{ matrix.version }} - use-all-platform-bundle: 'false' - setup-kotlin: 'true' - - name: Install Java - uses: actions/setup-java@v5 - with: - java-version: ${{ inputs.java-version || '17' }} - distribution: temurin - - name: Set up Java test repo configuration - run: | - mv * .github ../action/tests/multi-language-repo/ - mv ../action/tests/multi-language-repo/.github/workflows .github - mv ../action/tests/java-repo/* . 
- - - uses: ./../action/init - id: init - with: - build-mode: autobuild - db-location: ${{ runner.temp }}/customDbLocation - languages: java - tools: ${{ steps.prepare-test.outputs.tools-url }} - - - name: Check that indirect tracing is disabled - run: | - if [[ ! -z "${CODEQL_RUNNER}" ]]; then - echo "Expected indirect tracing to be disabled, but the" \ - "CODEQL_RUNNER environment variable is set." - exit 1 - fi - - - uses: ./../action/analyze - env: - CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true - CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml index e24c170cfa..07e73d1b6d 100644 --- a/.github/workflows/__build-mode-autobuild.yml +++ b/.github/workflows/__build-mode-autobuild.yml @@ -21,9 +21,19 @@ on: schedule: - cron: '0 5 * * *' workflow_dispatch: - inputs: {} + inputs: + java-version: + type: string + description: The version of Java to install + required: false + default: '17' workflow_call: - inputs: {} + inputs: + java-version: + type: string + description: The version of Java to install + required: false + default: '17' defaults: run: shell: bash @@ -37,6 +47,12 @@ jobs: matrix: include: - os: ubuntu-latest + version: linked + - os: windows-latest + version: linked + - os: ubuntu-latest + version: nightly-latest + - os: windows-latest version: nightly-latest name: Build mode autobuild permissions: @@ -54,6 +70,11 @@ jobs: version: ${{ matrix.version }} use-all-platform-bundle: 'false' setup-kotlin: 'true' + - name: Install Java + uses: actions/setup-java@v5 + with: + java-version: ${{ inputs.java-version || '17' }} + distribution: temurin - name: Set up Java test repo configuration run: | mv * .github ../action/tests/multi-language-repo/ 
@@ -77,6 +98,14 @@ jobs: exit 1 fi + - name: Check that indirect tracing is disabled + run: | + if [[ ! -z "${CODEQL_RUNNER}" ]]; then + echo "Expected indirect tracing to be disabled, but the" \ + "CODEQL_RUNNER environment variable is set." + exit 1 + fi + - uses: ./../action/analyze env: CODEQL_ACTION_TEST_MODE: true diff --git a/pr-checks/checks/autobuild-direct-tracing.yml b/pr-checks/checks/autobuild-direct-tracing.yml deleted file mode 100644 index 1e9d2d9002..0000000000 --- a/pr-checks/checks/autobuild-direct-tracing.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: "Autobuild direct tracing" -description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild', with direct tracing enabled" -operatingSystems: ["ubuntu", "windows"] -versions: ["linked", "nightly-latest"] -installJava: "true" -env: - CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true -steps: - - name: Set up Java test repo configuration - run: | - mv * .github ../action/tests/multi-language-repo/ - mv ../action/tests/multi-language-repo/.github/workflows .github - mv ../action/tests/java-repo/* . - - - uses: ./../action/init - id: init - with: - build-mode: autobuild - db-location: "${{ runner.temp }}/customDbLocation" - languages: java - tools: ${{ steps.prepare-test.outputs.tools-url }} - - - name: Check that indirect tracing is disabled - run: | - if [[ ! -z "${CODEQL_RUNNER}" ]]; then - echo "Expected indirect tracing to be disabled, but the" \ - "CODEQL_RUNNER environment variable is set." - exit 1 - fi - - - uses: ./../action/analyze diff --git a/pr-checks/checks/build-mode-autobuild.yml b/pr-checks/checks/build-mode-autobuild.yml index 5a51477882..668621490e 100644 --- a/pr-checks/checks/build-mode-autobuild.yml +++ b/pr-checks/checks/build-mode-autobuild.yml 
@@ -1,6 +1,8 @@ name: "Build mode autobuild" description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'" -versions: ["nightly-latest"] +operatingSystems: ["ubuntu", "windows"] +versions: ["linked", "nightly-latest"] +installJava: "true" steps: - name: Set up Java test repo configuration run: | @@ -25,4 +27,12 @@ steps: exit 1 fi + - name: Check that indirect tracing is disabled + run: | + if [[ ! -z "${CODEQL_RUNNER}" ]]; then + echo "Expected indirect tracing to be disabled, but the" \ + "CODEQL_RUNNER environment variable is set." + exit 1 + fi + - uses: ./../action/analyze From 8633a151d578ff89ce2a5cc58e0c2c2dfdfc172c Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 24 Sep 2025 12:45:10 +0200 Subject: [PATCH 07/26] Remove unnecessary "test" prefix from check names --- ...st-autobuild-working-dir.yml => __autobuild-working-dir.yml} | 2 +- .github/workflows/{__test-proxy.yml => __global-proxy.yml} | 2 +- .../workflows/{__test-local-codeql.yml => __local-bundle.yml} | 2 +- ...test-autobuild-working-dir.yml => autobuild-working-dir.yml} | 0 pr-checks/checks/{test-proxy.yml => global-proxy.yml} | 0 pr-checks/checks/{test-local-codeql.yml => local-bundle.yml} | 0 6 files changed, 3 insertions(+), 3 deletions(-) rename .github/workflows/{__test-autobuild-working-dir.yml => __autobuild-working-dir.yml} (98%) rename .github/workflows/{__test-proxy.yml => __global-proxy.yml} (99%) rename .github/workflows/{__test-local-codeql.yml => __local-bundle.yml} (99%) rename pr-checks/checks/{test-autobuild-working-dir.yml => autobuild-working-dir.yml} (100%) rename pr-checks/checks/{test-proxy.yml => global-proxy.yml} (100%) rename pr-checks/checks/{test-local-codeql.yml => local-bundle.yml} (100%) 
diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__autobuild-working-dir.yml similarity index 98% rename from .github/workflows/__test-autobuild-working-dir.yml rename to .github/workflows/__autobuild-working-dir.yml index 853836cbe9..5b1423d0f7 100644 --- a/.github/workflows/__test-autobuild-working-dir.yml +++ b/.github/workflows/__autobuild-working-dir.yml @@ -31,7 +31,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-autobuild-working-dir: + autobuild-working-dir: strategy: fail-fast: false matrix: diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__global-proxy.yml similarity index 99% rename from .github/workflows/__test-proxy.yml rename to .github/workflows/__global-proxy.yml index 92f3330591..575b84385c 100644 --- a/.github/workflows/__test-proxy.yml +++ b/.github/workflows/__global-proxy.yml @@ -31,7 +31,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-proxy: + global-proxy: strategy: fail-fast: false matrix: diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__local-bundle.yml similarity index 99% rename from .github/workflows/__test-local-codeql.yml rename to .github/workflows/__local-bundle.yml index 09e47d922e..00b509f54c 100644 --- a/.github/workflows/__test-local-codeql.yml +++ b/.github/workflows/__local-bundle.yml @@ -41,7 +41,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-local-codeql: + local-bundle: strategy: fail-fast: false matrix: diff --git a/pr-checks/checks/test-autobuild-working-dir.yml b/pr-checks/checks/autobuild-working-dir.yml similarity index 100% rename from pr-checks/checks/test-autobuild-working-dir.yml rename to pr-checks/checks/autobuild-working-dir.yml 
diff --git a/pr-checks/checks/test-proxy.yml b/pr-checks/checks/global-proxy.yml similarity index 100% rename from pr-checks/checks/test-proxy.yml rename to pr-checks/checks/global-proxy.yml diff --git a/pr-checks/checks/test-local-codeql.yml b/pr-checks/checks/local-bundle.yml similarity index 100% rename from pr-checks/checks/test-local-codeql.yml rename to pr-checks/checks/local-bundle.yml From ba58de7d6180a03bc7550e8149bbc9746327c10e Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 24 Sep 2025 12:51:03 +0200 Subject: [PATCH 08/26] Run resolve environment test against Ubuntu only There isn't really anything platform-specific at the moment. --- .github/workflows/__resolve-environment-action.yml | 12 ------------ pr-checks/checks/resolve-environment-action.yml | 1 - 2 files changed, 13 deletions(-) diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index f7ca252762..da2d3c0f92 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml @@ -38,22 +38,10 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Resolve environment permissions: contents: read diff --git a/pr-checks/checks/resolve-environment-action.yml b/pr-checks/checks/resolve-environment-action.yml index ed78e0bdb4..9722b72285 100644 --- a/pr-checks/checks/resolve-environment-action.yml +++ b/pr-checks/checks/resolve-environment-action.yml 
@@ -1,6 +1,5 @@ name: "Resolve environment" description: "Tests that the resolve-environment action works for Go and JavaScript/TypeScript" -operatingSystems: ["ubuntu", "macos", "windows"] versions: ["default", "linked", "nightly-latest"] steps: - uses: ./../action/init From 4082f8c39f733490d46a4f6effa3e7caa9d565c2 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 24 Sep 2025 13:24:00 +0200 Subject: [PATCH 09/26] Install yq --- .github/workflows/__build-mode-autobuild.yml | 5 +++++ pr-checks/checks/build-mode-autobuild.yml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml index 07e73d1b6d..9f0997106d 100644 --- a/.github/workflows/__build-mode-autobuild.yml +++ b/.github/workflows/__build-mode-autobuild.yml @@ -89,6 +89,11 @@ jobs: languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} + - name: Install yq + if: runner.os == 'Windows' + run: | + choco install yq -y + - name: Validate database build mode run: | metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml" diff --git a/pr-checks/checks/build-mode-autobuild.yml b/pr-checks/checks/build-mode-autobuild.yml index 668621490e..26b8626f22 100644 --- a/pr-checks/checks/build-mode-autobuild.yml +++ b/pr-checks/checks/build-mode-autobuild.yml @@ -18,6 +18,11 @@ steps: languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} + - name: Install yq + if: runner.os == 'Windows' + run: | + choco install yq -y + - name: Validate database build mode run: | metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml" From 0a3e31778d645861be7b47588d40429f308bcf3b Mon Sep 17 00:00:00 2001 
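Review bot: The added `Install yq` step runs `choco install yq -y` with no version, so each Windows run of this check installs whatever the Chocolatey feed serves at that moment. Pinning it, for example `choco install yq --version <PINNED_VERSION> -y`, keeps the check reproducible and means a broken or tampered upstream release cannot change what executes in the job without a reviewed edit. The line appears both in the template `pr-checks/checks/build-mode-autobuild.yml` and in the generated `.github/workflows/__build-mode-autobuild.yml`; the pin belongs in the template so that regeneration keeps it. A one-line comment on the step saying which later step needs yq (presumably `Validate database build mode`, whose body is mostly outside the hunk) would help the next reader.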
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:19:26 +0000 Subject: [PATCH 10/26] Update changelog and version after v3.30.4 --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c9e4e8a184..d2e5bd94af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## [UNRELEASED] + +No user facing changes. + ## 3.30.4 - 25 Sep 2025 - We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. [#3099](https://github.com/github/codeql-action/pull/3099) and [#3100](https://github.com/github/codeql-action/pull/3100) diff --git a/package-lock.json b/package-lock.json index 2974494647..b6da79aac6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "3.30.4", + "version": "3.30.5", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "3.30.4", + "version": "3.30.5", "license": "MIT", "dependencies": { "@actions/artifact": "^2.3.1", diff --git a/package.json b/package.json index 96fe4d3aa1..8920aacd17 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@ { "name": "codeql", - "version": "3.30.4", + "version": "3.30.5", "private": true, "description": "CodeQL action", "scripts": { From 4d32274da69afda36c1c37b0343e38fa77cb0ece Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:50:17 +0000 Subject: [PATCH 11/26] Rebuild --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 4a01511046..4c38451e83 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { diff --git a/lib/analyze-action.js b/lib/analyze-action.js index c7e6b7b1a1..4b25ff4434 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index f6a3cdd902..0ec50725c2 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { 
diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 65dadeb7de..27a7a1682d 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { diff --git a/lib/init-action.js b/lib/init-action.js index e8cd76dc98..5bd9f385a9 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index f63ac24681..41d3e68bb1 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 8507bab0e0..484ceb79e6 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 32691c1cca..21508de07e 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -44966,7 +44966,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { 
diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 78ccf503c9..934d9c7e58 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -33584,7 +33584,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 95ddd53074..0e1dd29920 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -26438,7 +26438,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 88e26e3ca8..5cc12ec1bf 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -32287,7 +32287,7 @@ var require_package = __commonJS({ "package.json"(exports2, module2) { module2.exports = { name: "codeql", - version: "3.30.4", + version: "3.30.5", private: true, description: "CodeQL action", scripts: { From c5ce5e5d1c11324097adc5a2c65c9d8cf97755be Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 12:12:42 +0100 Subject: [PATCH 12/26] Don't dry-run `rollback-release` workflow on release branches --- .github/workflows/rollback-release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/rollback-release.yml b/.github/workflows/rollback-release.yml index 937c413f90..8d8e872fa7 100644 --- a/.github/workflows/rollback-release.yml +++ b/.github/workflows/rollback-release.yml 
@@ -10,6 +10,10 @@ on: required: true # Only for dry-runs of changes to the workflow. push: + # Don't run dry-run on release branches, to avoid an issue where the + # "new" tag determined by the "Prepare release" job already exists. + branches-ignore: + - releases/v* paths: - .github/workflows/rollback-release.yml - .github/actions/prepare-mergeback-branch/** From 6a72568b19e19de80199f03a61072469476cfac7 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 13:00:48 +0100 Subject: [PATCH 13/26] Run more checks in `unit-tests` job, even when previous checks failed --- .github/workflows/pr-checks.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index fa80525f90..2fd737de86 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -55,17 +55,20 @@ jobs: run: .github/workflows/script/check-js.sh - name: Verify PR checks up to date + if: always() run: .github/workflows/script/verify-pr-checks.sh - name: Run unit tests + if: always() run: npm test - name: Run pr-checks tests + if: always() working-directory: pr-checks run: python -m unittest discover - name: Lint - if: matrix.os != 'windows-latest' + if: always() && matrix.os != 'windows-latest' run: npm run lint-ci - name: Upload sarif From 9cf3a96f631b621a1c5c6182316dad71c651eb70 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 13:06:14 +0100 Subject: [PATCH 14/26] Add transpiled JS to job summary if changed --- .github/workflows/script/check-js.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/script/check-js.sh b/.github/workflows/script/check-js.sh index f8f5d19d08..34d58f68b0 100755 --- a/.github/workflows/script/check-js.sh +++ b/.github/workflows/script/check-js.sh 
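Review bot: `if: always()` on the `Verify PR checks up to date`, `Run unit tests`, `Run pr-checks tests` and `Lint` steps in `.github/workflows/pr-checks.yml` makes them run after a failed check, which is the intent, but also after the job has been cancelled and after a failed setup step. `if: ${{ !cancelled() }}` keeps the run-despite-earlier-failure behaviour while letting a cancelled run stop promptly; for the lint step that becomes `if: ${{ !cancelled() && matrix.os != 'windows-latest' }}`. The earlier steps of the job are outside the hunk, so whether a failed checkout or dependency install would leave these steps running against a half-prepared workspace needs checking there.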
@@ -16,6 +16,13 @@ if [ ! -z "$(git status --porcelain)" ]; then # If we get a fail here then the PR needs attention >&2 echo "Failed: JavaScript files are not up to date. Run 'rm -rf lib && npm run-script build' to update" git status + + echo "### Transpiled JS diff" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo '```diff' >> $GITHUB_STEP_SUMMARY + git diff --output="$RUNNER_TEMP/js.diff" + cat "$RUNNER_TEMP/js.diff" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY exit 1 fi echo "Success: JavaScript files are up to date" From b4db1860cd5c764a128deefd38d53e7521cd0417 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 13:16:03 +0100 Subject: [PATCH 15/26] Reset working directory before failing in `check-js.sh` --- .github/workflows/script/check-js.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/script/check-js.sh b/.github/workflows/script/check-js.sh index 34d58f68b0..57638dcf25 100755 --- a/.github/workflows/script/check-js.sh +++ b/.github/workflows/script/check-js.sh @@ -23,6 +23,11 @@ if [ ! -z "$(git status --porcelain)" ]; then git diff --output="$RUNNER_TEMP/js.diff" cat "$RUNNER_TEMP/js.diff" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY + + # Reset bundled files to allow other checks to test for changes + git checkout lib + + # Fail this check exit 1 fi echo "Success: JavaScript files are up to date" From 4e65cda8c2d89fa176f6f3cbd94dbcd238bd7ec7 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 13:30:00 +0100 Subject: [PATCH 16/26] Add generated workflow diff to job summary if changed --- .github/workflows/script/verify-pr-checks.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/script/verify-pr-checks.sh b/.github/workflows/script/verify-pr-checks.sh index cf9e79bada..6aa1381e2c 100755 --- a/.github/workflows/script/verify-pr-checks.sh +++ b/.github/workflows/script/verify-pr-checks.sh 
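Review bot: The full `git diff` of the rebuilt bundles is appended to `$GITHUB_STEP_SUMMARY` in `check-js.sh`, and a step summary is limited to 1 MiB, so a diff of the large `lib/*.js` files is likely to be rejected instead of shown. Bounding the write, e.g. `head -c 900000 "$RUNNER_TEMP/js.diff" >> "$GITHUB_STEP_SUMMARY"`, keeps the summary usable, and quoting `"$GITHUB_STEP_SUMMARY"` in each redirect avoids word splitting on the path. The diff text comes from the pull request's own files, so a line containing a code-fence marker would close the `diff` fence early and the rest would render as Markdown; that is a further reason to keep the summary short or to use `git diff --stat`. The `verify-pr-checks.sh` hunk in the later "Add generated workflow diff to job summary" patch has the same unquoted, unbounded pattern.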
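Review bot: `git checkout lib` restores tracked files only, so a file that the build newly created under `lib/` stays untracked and still appears in `git status --porcelain`, which is the same test `verify-pr-checks.sh` uses in the following step. Writing the reset as `git checkout -- lib` followed by `git clean -fd lib` removes those leftovers and also stops `lib` from being read as a branch name. The comment above it could then read `# Reset and clean bundled files so later checks see an unmodified tree`.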
@@ -20,6 +20,14 @@ if [ ! -z "$(git status --porcelain)" ]; then git diff git status >&2 echo "Failed: PR checks are not up to date. Run 'cd pr-checks && python3 sync.py' to update" + + echo "### Generated workflows diff" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo '```diff' >> $GITHUB_STEP_SUMMARY + git diff --output="$RUNNER_TEMP/workflows.diff" + cat "$RUNNER_TEMP/workflows.diff" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + exit 1 fi -echo "Success: PR checks are up to date" \ No newline at end of file +echo "Success: PR checks are up to date" From a645d167d6cc46378b74f2e63dda29f94dd7c2b5 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 12:27:43 +0100 Subject: [PATCH 17/26] Add `npm run ava` command (for `ava` without a specific path) --- lib/analyze-action-post.js | 3 ++- lib/analyze-action.js | 3 ++- lib/autobuild-action.js | 3 ++- lib/init-action-post.js | 3 ++- lib/init-action.js | 3 ++- lib/resolve-environment-action.js | 3 ++- lib/start-proxy-action-post.js | 3 ++- lib/start-proxy-action.js | 3 ++- lib/upload-lib.js | 3 ++- lib/upload-sarif-action-post.js | 3 ++- lib/upload-sarif-action.js | 3 ++- package.json | 3 ++- 12 files changed, 24 insertions(+), 12 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 4c38451e83..10b5ba3f7c 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js 
@@ -26447,7 +26447,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 4b25ff4434..54e1c30da6 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -32296,7 +32296,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 0ec50725c2..ca3d71e98e 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js 
@@ -26447,7 +26447,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 27a7a1682d..26412f352c 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -32296,7 +32296,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/init-action.js b/lib/init-action.js index 5bd9f385a9..08298bc816 100644 --- a/lib/init-action.js +++ b/lib/init-action.js 
@@ -32296,7 +32296,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 41d3e68bb1..0eaf2183eb 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -26447,7 +26447,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 484ceb79e6..25d1e2d1aa 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js 
@@ -26447,7 +26447,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 21508de07e..8a94566569 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -44975,7 +44975,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 934d9c7e58..8dfb2a1e22 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js 
@@ -33593,7 +33593,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 0e1dd29920..216b905035 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -26447,7 +26447,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 5cc12ec1bf..828d74c212 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js 
@@ -32296,7 +32296,8 @@ var require_package = __commonJS({ lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - test: "npm run transpile && ava src/ --serial --verbose", + ava: "npm run transpile && ava --serial --verbose", + test: "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", transpile: "tsc --build --verbose" }, diff --git a/package.json b/package.json index 8920aacd17..178ee04344 100644 --- a/package.json +++ b/package.json @@ -9,7 +9,8 @@ "lint": "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", - "test": "npm run transpile && ava src/ --serial --verbose", + "ava": "npm run transpile && ava --serial --verbose", + "test": "npm run ava -- src/", "test-debug": "npm run test -- --timeout=20m", "transpile": "tsc --build --verbose" }, From e2e1db3e4e0d1c9bd8d7fdac3ea940623f37c41f Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 12:28:27 +0100 Subject: [PATCH 18/26] Update `CONTRIBUTING.md` with `npm run ava` --- CONTRIBUTING.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 83fff23936..493ae847cf 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -20,6 +20,7 @@ Before you start, ensure that you have a recent version of node (16 or higher) i * Transpile the TypeScript to JavaScript: `npm run build`. Note that the JavaScript files are committed to git. * Run tests: `npm run test`. You’ll need to ensure that the JavaScript files are up-to-date first by running the command above. * Run the linter: `npm run lint`. +* Run tests for a specific path: `npm run ava -- ./src/filename.test.ts` or `npm run ava -- ./src/feature-flags/` This project also includes configuration to run tests from VSCode (with support for breakpoints) - open the test file you wish to run and choose "Debug AVA test file" from the Run menu in the Run panel. From 77a92597617510db41350515489014b0b8067d26 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 12:32:31 +0100 Subject: [PATCH 19/26] Exclude transpiled code and dependencies from VSCode search --- .vscode/settings.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.vscode/settings.json b/.vscode/settings.json index 629fb7b542..f417dd2a6e 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -8,6 +8,11 @@ "build": true, "lib": true, }, + "search.exclude": { + "**/node_modules": true, + "build": true, + "lib": true, + }, // Installing a new Node package often triggers VS Code's git limit warnings as there is typically // an intermediate stage where many files are modified. This setting suppresses these warnings. "git.ignoreLimitWarning": true, From 48be21c31e49b7f7e9eff3faeb80181955f64cbb Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 12:37:18 +0100 Subject: [PATCH 20/26] Use `npm run ava` in `justfile` --- justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/justfile b/justfile index c951b4b063..ed9d9eb1db 100644 --- a/justfile +++ b/justfile 
@@ -22,7 +22,7 @@ test: build # Run the tests for a single file test_file filename: build - npx ava --serial --verbose {{filename}} + npm run ava {{filename}} [doc("Refresh the .js build artefacts in the lib directory")] [confirm] From 455038c8a7196eb98da2e14af7ee12f16afb042b Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 14:20:30 +0100 Subject: [PATCH 21/26] Add script to check whether `npm i` needs to be run and add it to the `build` command --- lib/analyze-action-post.js | 2 +- lib/analyze-action.js | 2 +- lib/autobuild-action.js | 2 +- lib/init-action-post.js | 2 +- lib/init-action.js | 2 +- lib/resolve-environment-action.js | 2 +- lib/start-proxy-action-post.js | 2 +- lib/start-proxy-action.js | 2 +- lib/upload-lib.js | 2 +- lib/upload-sarif-action-post.js | 2 +- lib/upload-sarif-action.js | 2 +- package.json | 2 +- scripts/check-node-modules.sh | 7 +++++++ 13 files changed, 19 insertions(+), 12 deletions(-) create mode 100755 scripts/check-node-modules.sh diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 10b5ba3f7c..4466b39598 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -26443,7 +26443,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 54e1c30da6..7129a18960 100644 --- a/lib/analyze-action.js 
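Review bot: The `test_file` recipe passes `{{filename}}` to `npm run ava` without the `--` separator that the CONTRIBUTING.md hunk in this series documents, so a value beginning with `-` would be read as an npm option rather than forwarded to ava. `npm run ava -- {{filename}}` keeps the two invocations consistent. The recipe's `build` dependency presumably transpiles already, while the new `ava` script runs `npm run transpile` again, so the TypeScript compile step is likely invoked twice per run.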
+++ b/lib/analyze-action.js @@ -32292,7 +32292,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index ca3d71e98e..cf4e82a6bb 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -26443,7 +26443,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 26412f352c..73fb6e86c8 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -32292,7 +32292,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/lib/init-action.js b/lib/init-action.js index 08298bc816..a4ecce9a33 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -32292,7 +32292,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 0eaf2183eb..816fa8eed2 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js 
@@ -26443,7 +26443,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 25d1e2d1aa..98cff4159e 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -26443,7 +26443,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 8a94566569..56006078a3 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js 
@@ -44971,7 +44971,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 8dfb2a1e22..eebca8831c 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -33589,7 +33589,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 216b905035..2bad6677a0 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js 
@@ -26443,7 +26443,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 828d74c212..103783ec0c 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -32292,7 +32292,7 @@ var require_package = __commonJS({ description: "CodeQL action", scripts: { _build_comment: "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - build: "npm run transpile && node build.mjs", + build: "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", lint: "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/package.json b/package.json index 178ee04344..89183893e8 100644 --- a/package.json +++ b/package.json 
@@ -5,7 +5,7 @@ "description": "CodeQL action", "scripts": { "_build_comment": "echo 'Run the full build so we typecheck the project and can reuse the transpiled files in npm test'", - "build": "npm run transpile && node build.mjs", + "build": "./scripts/check-node-modules.sh && npm run transpile && node build.mjs", "lint": "eslint --report-unused-disable-directives --max-warnings=0 .", "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif", "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix", diff --git a/scripts/check-node-modules.sh b/scripts/check-node-modules.sh new file mode 100755 index 0000000000..a777406d31 --- /dev/null +++ b/scripts/check-node-modules.sh @@ -0,0 +1,7 @@ +#!/bin/bash +set -e + +# Check if npm install is likely needed before proceeding +if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then + npm install +fi From b27a8ef21f72b5c541232d50400874a3f0a374b9 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 25 Sep 2025 20:22:47 +0100 Subject: [PATCH 22/26] Exit if running in an Actions workflow --- scripts/check-node-modules.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/check-node-modules.sh b/scripts/check-node-modules.sh index a777406d31..28ffc38de9 100755 --- a/scripts/check-node-modules.sh +++ b/scripts/check-node-modules.sh @@ -1,6 +1,12 @@ #!/bin/bash + set -e +# Check if running in GitHub Actions +if [ "$GITHUB_ACTIONS" = "true" ]; then + exit 0 +fi + # Check if npm install is likely needed before proceeding if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then npm install From a0ae9ba2026911d58db9df06e6b074d8ef6c24c9 Mon Sep 17 00:00:00 2001 
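Review bot: The `build` script now starts with `./scripts/check-node-modules.sh`, which assumes npm runs scripts through a POSIX shell. On Windows npm uses cmd.exe by default, where this path form is likely not runnable, so `npm run build` may fail for contributors there unless `script-shell` is configured. If Windows development is supported, a small Node script (`node scripts/<check-script>.mjs`, name to be chosen) would keep the check portable.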
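Review bot: The new scripts/check-node-modules.sh runs `npm install` as a side effect of `npm run build`, which can rewrite `package-lock.json` when it disagrees with `package.json` and runs dependency lifecycle scripts without the developer having asked for an install. Since the trigger is "the lockfile is newer than the installed tree", `npm ci` is the closer match: it installs exactly what the lockfile pins and fails instead of editing it. The condition also uses paths relative to the current directory, which holds when npm invokes the script from the package root but not when it is run directly from elsewhere.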
From: "Michael B. Gale" Date: Thu, 25 Sep 2025 20:24:58 +0100 Subject: [PATCH 23/26] Log what the script is doing --- scripts/check-node-modules.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/check-node-modules.sh b/scripts/check-node-modules.sh index 28ffc38de9..3fc2c74374 100755 --- a/scripts/check-node-modules.sh +++ b/scripts/check-node-modules.sh @@ -4,10 +4,14 @@ set -e # Check if running in GitHub Actions if [ "$GITHUB_ACTIONS" = "true" ]; then + echo "Running in a GitHub Actions workflow; not running 'npm install'" exit 0 fi # Check if npm install is likely needed before proceeding if [ ! -d node_modules ] || [ package-lock.json -nt node_modules/.package-lock.json ]; then + echo "Running 'npm install' because 'node_modules/.package-lock.json' appears to be outdated..." npm install +else + echo "Skipping 'npm install' because 'node_modules/.package-lock.json' appears to be up-to-date." fi From 0b7fc5664842c1a6bb23c4ef64b85438afcb76c5 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 26 Sep 2025 17:47:38 +0100 Subject: [PATCH 24/26] Fix `upload-sarif` not uploading non-`.sarif` files --- lib/upload-sarif-action.js | 2 +- src/upload-sarif-action.ts | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 341b173e0d..59c660b275 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -93424,7 +93424,7 @@ async function findAndUpload(logger, features, sarifPath, pathStats, checkoutPat sarifPath, analysis.sarifPredicate ); - } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) { + } else if (pathStats.isFile() && (analysis.sarifPredicate(sarifPath) || analysis.kind === "code-scanning" /* CodeScanning */ && !CodeQuality.sarifPredicate(sarifPath))) { sarifFiles = [sarifPath]; } else { return void 0; diff --git a/src/upload-sarif-action.ts b/src/upload-sarif-action.ts index aa1a5a4443..4da0427490 100644 
--- a/src/upload-sarif-action.ts +++ b/src/upload-sarif-action.ts @@ -61,7 +61,12 @@ async function findAndUpload( sarifPath, analysis.sarifPredicate, ); - } else if (pathStats.isFile() && analysis.sarifPredicate(sarifPath)) { + } else if ( + pathStats.isFile() && + (analysis.sarifPredicate(sarifPath) || + (analysis.kind === analyses.AnalysisKind.CodeScanning && + !analyses.CodeQuality.sarifPredicate(sarifPath))) + ) { sarifFiles = [sarifPath]; } else { return undefined; From 8e34f2f3bf0f3f0b192913b0e0f234372329699b Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Fri, 26 Sep 2025 17:52:17 +0100 Subject: [PATCH 25/26] Add changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d2e5bd94af..6e2575a489 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- We fixed a bug that was introduced in `3.30.4` with `upload-sarif` which resulted in files without a `.sarif` extension not getting uploaded. [#3160](https://github.com/github/codeql-action/pull/3160) ## 3.30.4 - 25 Sep 2025 From 2ca0085e584affd600efbd3930bc90e48dbacb46 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 26 Sep 2025 17:09:07 +0000 Subject: [PATCH 26/26] Update changelog for v3.30.5 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e2575a489..ab3bbca6b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
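Review bot: The new `else if` condition has no comment explaining the fallback, and it encodes "anything that is not a Code Quality file" by naming `analyses.CodeQuality` directly. If a further analysis kind with its own `sarifPredicate` is added later, a single file meant for it would also be uploaded as Code Scanning. I would add `// A single file is uploaded to Code Scanning even without a .sarif extension, unless its name matches the Code Quality predicate.` above the branch, and longer term derive the exclusion from the set of other analyses rather than one hard-coded name. `findAndUpload` begins and ends outside the hunk, and no regression test for the fixed case is visible in this patch.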
@@ -2,7 +2,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## [UNRELEASED] +## 3.30.5 - 26 Sep 2025 - We fixed a bug that was introduced in `3.30.4` with `upload-sarif` which resulted in files without a `.sarif` extension not getting uploaded. [#3160](https://github.com/github/codeql-action/pull/3160)