Merge branch 'main' into mbg/ci/no-more-draft-prs

Author: mbg

.github/workflows/__multi-language-autodetect.yml

@@ -36,7 +36,7 @@
     "follow-redirects": "^1.16.0",
     "get-folder-size": "^5.0.0",
     "https-proxy-agent": "^7.0.6",
-    "js-yaml": "^4.2.0",
+    "js-yaml": "^5.0.0",
     "jsonschema": "1.5.0",
     "long": "^5.3.2",
     "node-forge": "^1.4.0",

.github/workflows/__swift-custom-build.yml

@@ -4,6 +4,16 @@ operatingSystems:
   - ubuntu
   - os: macos
     runner-image: macos-latest-xlarge
+  # Older CodeQL CLI versions only support Swift up to 6.1, which requires Xcode 16. That is
+  # not available on macOS 26, so run these versions on macOS 15 where we select Xcode 16
+  # below. See https://github.com/actions/runner-images/issues/14167.
+  - os: macos
+    runner-image: macos-15-xlarge
+    codeql-versions:
+      - stable-v2.19.4
+      - stable-v2.20.7
+      - stable-v2.21.4
+      - stable-v2.22.4
 env:
   CODEQL_ACTION_RESOLVE_SUPPORTED_LANGUAGES_USING_CLI: true
 installGo: true
@@ -18,7 +28,8 @@ steps:
       python-version: "3.13"
 
   - name: Use Xcode 16
-    if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
+    # Only the older CodeQL CLI versions need Xcode 16, and these run on macOS 15.
+    if: matrix.os == 'macos-15-xlarge'
     run: sudo xcode-select -s "/Applications/Xcode_16.app"
 
   - uses: ./../action/init

lib/entry-points.js

@@ -11,9 +11,6 @@ installDotNet: true
 env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
-  - name: Use Xcode 16
-    if: runner.os == 'macOS' && matrix.version != 'nightly-latest'
-    run: sudo xcode-select -s "/Applications/Xcode_16.app"
   - uses: ./../action/init
     id: init
     with:

package-lock.json

@@ -54,6 +54,13 @@ type OperatingSystem =
       os: OperatingSystemIdentifier;
       /** Optional runner image label. */
       "runner-image"?: string;
+      /**
+       * Optional CodeQL versions to run on this entry. If specified, this entry runs only these
+       * versions. A sibling entry for the same OS that omits `codeql-versions` runs all versions
+       * not claimed by any sibling entry. This allows pinning specific CodeQL versions to a
+       * particular runner image while letting the remaining versions default to another.
+       */
+      "codeql-versions"?: string[];
     };
 
 /**
@@ -352,6 +359,28 @@ function generateJobMatrix(
 ): Array<Record<string, any>> {
   let matrix: Array<Record<string, any>> = [];
 
+  const operatingSystems = checkSpecification.operatingSystems ?? ["ubuntu"];
+
+  // For each OS, collect the CodeQL versions explicitly claimed by entries that specify
+  // `codeql-versions`. A sibling entry for the same OS that omits `codeql-versions` runs all
+  // versions not in this set.
+  const claimedVersionsByOs = new Map<string, Set<string>>();
+  for (const operatingSystemConfig of operatingSystems) {
+    if (typeof operatingSystemConfig === "string") {
+      continue;
+    }
+    const entryVersions = operatingSystemConfig["codeql-versions"];
+    if (!entryVersions) {
+      continue;
+    }
+    const claimed =
+      claimedVersionsByOs.get(operatingSystemConfig.os) ?? new Set<string>();
+    for (const entryVersion of entryVersions) {
+      claimed.add(entryVersion);
+    }
+    claimedVersionsByOs.set(operatingSystemConfig.os, claimed);
+  }
+
   for (const version of checkSpecification.versions ?? defaultTestVersions) {
     if (version === "latest") {
       throw new Error(
@@ -364,7 +393,6 @@ function generateJobMatrix(
       "macos-latest",
       "windows-latest",
     ];
-    const operatingSystems = checkSpecification.operatingSystems ?? ["ubuntu"];
 
     for (const operatingSystemConfig of operatingSystems) {
       const operatingSystem =
@@ -379,6 +407,19 @@ function generateJobMatrix(
         continue;
       }
 
+      // An entry that specifies `codeql-versions` runs only those versions. A sibling entry for
+      // the same OS that omits `codeql-versions` runs all versions not claimed by its siblings.
+      const entryVersions =
+        typeof operatingSystemConfig === "string"
+          ? undefined
+          : operatingSystemConfig["codeql-versions"];
+      const runsThisVersion = entryVersions
+        ? entryVersions.includes(version)
+        : !claimedVersionsByOs.get(operatingSystem)?.has(version);
+      if (!runsThisVersion) {
+        continue;
+      }
+
       const runnerImagesForOs =
         typeof operatingSystemConfig === "string" ||
         operatingSystemConfig["runner-image"] === undefined

package.json

@@ -281,11 +281,11 @@ extensions:
         .join(checkoutPath, range.path)
         .replaceAll(path.sep, "/");
 
-      // Using yaml.dump() with `forceQuotes: true` ensures that all special
+      // Using yaml.dump() with `quoteStyle: "double"` ensures that all special
       // characters are escaped, and that the path is always rendered as a
       // quoted string on a single line.
       return (
-        `      - [${yaml.dump(filename, { forceQuotes: true }).trim()}, ` +
+        `      - [${yaml.dump(filename, { quoteStyle: "single" }).trim()}, ` +
         `${range.startLine}, ${range.endLine}]\n`
       );
     })