diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index 66700fd68e..1be5ba9a41 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml @@ -52,8 +52,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} + group: all-platform-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} jobs: all-platform-bundle: strategy: @@ -95,7 +94,7 @@ jobs: - id: init uses: ./../action/init with: - # Swift is not supported on Ubuntu so we manually exclude it from the list here + # Swift is not supported on Ubuntu so we manually exclude it from the list here languages: cpp,csharp,go,java,javascript,python,ruby tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Build code diff --git a/.github/workflows/__analysis-kinds.yml b/.github/workflows/__analysis-kinds.yml index e59c1576b2..94b8877c7f 100644 --- a/.github/workflows/__analysis-kinds.yml +++ b/.github/workflows/__analysis-kinds.yml @@ -87,16 +87,16 @@ jobs: tools: ${{ steps.prepare-test.outputs.tools-url }} - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' upload-database: false - post-processed-sarif-path: ${{ runner.temp }}/post-processed + post-processed-sarif-path: '${{ runner.temp }}/post-processed' - name: Upload SARIF files uses: actions/upload-artifact@v6 with: name: | analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }} - path: ${{ runner.temp }}/results/*.sarif + path: '${{ runner.temp }}/results/*.sarif' retention-days: 7 - name: Upload post-processed SARIF 
@@ -104,7 +104,7 @@ jobs: with: name: | post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }} - path: ${{ runner.temp }}/post-processed + path: '${{ runner.temp }}/post-processed' retention-days: 7 if-no-files-found: error @@ -112,7 +112,7 @@ jobs: if: contains(matrix.analysis-kinds, 'code-scanning') uses: actions/github-script@v8 env: - SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif + SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif' EXPECT_PRESENT: 'false' with: script: ${{ env.CHECK_SCRIPT }} @@ -120,7 +120,7 @@ jobs: if: contains(matrix.analysis-kinds, 'code-quality') uses: actions/github-script@v8 env: - SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif + SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif' EXPECT_PRESENT: 'true' with: script: ${{ env.CHECK_SCRIPT }} diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml index d28bbeb6a3..671e5f57b8 100644 --- a/.github/workflows/__analyze-ref-input.yml +++ b/.github/workflows/__analyze-ref-input.yml @@ -62,8 +62,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} + group: analyze-ref-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} jobs: analyze-ref-input: strategy: 
@@ -107,13 +106,12 @@ jobs: with: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: cpp,csharp,java,javascript,python - config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ - github.sha }} + config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }} - name: Build code run: ./build.sh - uses: ./../action/analyze with: - ref: refs/heads/main - sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml index ce7fe4be75..ed5cf19379 100644 --- a/.github/workflows/__autobuild-action.yml +++ b/.github/workflows/__autobuild-action.yml @@ -82,7 +82,7 @@ jobs: tools: ${{ steps.prepare-test.outputs.tools-url }} - uses: ./../action/autobuild env: - # Explicitly disable the CLR tracer. + # Explicitly disable the CLR tracer. COR_ENABLE_PROFILING: '' COR_PROFILER: '' COR_PROFILER_PATH_64: '' diff --git a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml index 6711dc7271..4a411ad1b6 100644 --- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml +++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml @@ -42,8 +42,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}} + group: autobuild-direct-tracing-with-working-dir-${{github.ref}}-${{inputs.java-version}} jobs: autobuild-direct-tracing-with-working-dir: strategy: diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml index 3d05b39636..2863793fdc 100644 --- a/.github/workflows/__build-mode-autobuild.yml 
+++ b/.github/workflows/__build-mode-autobuild.yml @@ -97,7 +97,7 @@ jobs: id: init with: build-mode: autobuild - db-location: ${{ runner.temp }}/customDbLocation + db-location: '${{ runner.temp }}/customDbLocation' languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} diff --git a/.github/workflows/__build-mode-manual.yml b/.github/workflows/__build-mode-manual.yml index 356c1b1fcf..b2723d64f9 100644 --- a/.github/workflows/__build-mode-manual.yml +++ b/.github/workflows/__build-mode-manual.yml @@ -52,8 +52,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} + group: build-mode-manual-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} jobs: build-mode-manual: strategy: @@ -92,7 +91,7 @@ jobs: id: init with: build-mode: manual - db-location: ${{ runner.temp }}/customDbLocation + db-location: '${{ runner.temp }}/customDbLocation' languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} diff --git a/.github/workflows/__build-mode-none.yml b/.github/workflows/__build-mode-none.yml index a570869baf..5611d23811 100644 --- a/.github/workflows/__build-mode-none.yml +++ b/.github/workflows/__build-mode-none.yml @@ -64,7 +64,7 @@ jobs: id: init with: build-mode: none - db-location: ${{ runner.temp }}/customDbLocation + db-location: '${{ runner.temp }}/customDbLocation' languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} @@ -77,7 +77,7 @@ jobs: exit 1 fi - # The latest nightly supports omitting the autobuild Action when the build mode is specified. + # The latest nightly supports omitting the autobuild Action when the build mode is specified. - uses: ./../action/autobuild if: matrix.version != 'nightly-latest' diff --git a/.github/workflows/__build-mode-rollback.yml b/.github/workflows/__build-mode-rollback.yml index a213bd2674..b4dd4041bb 100644 
--- a/.github/workflows/__build-mode-rollback.yml +++ b/.github/workflows/__build-mode-rollback.yml @@ -68,7 +68,7 @@ jobs: id: init with: build-mode: none - db-location: ${{ runner.temp }}/customDbLocation + db-location: '${{ runner.temp }}/customDbLocation' languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} diff --git a/.github/workflows/__bundle-from-nightly.yml b/.github/workflows/__bundle-from-nightly.yml index c052bff67f..a7dc934a0a 100644 --- a/.github/workflows/__bundle-from-nightly.yml +++ b/.github/workflows/__bundle-from-nightly.yml @@ -66,7 +66,7 @@ jobs: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: javascript - name: Fail if the CodeQL version is not a nightly - if: "!contains(steps.init.outputs.codeql-version, '+')" + if: ${{ !contains(steps.init.outputs.codeql-version, '+') }} run: exit 1 env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__cleanup-db-cluster-dir.yml b/.github/workflows/__cleanup-db-cluster-dir.yml index 6d794e28c1..cc41fea77a 100644 --- a/.github/workflows/__cleanup-db-cluster-dir.yml +++ b/.github/workflows/__cleanup-db-cluster-dir.yml @@ -67,7 +67,7 @@ jobs: id: init with: build-mode: none - db-location: ${{ runner.temp }}/customDbLocation + db-location: '${{ runner.temp }}/customDbLocation' languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml index 72d76b93f0..dce3fc85db 100644 --- a/.github/workflows/__config-export.yml +++ b/.github/workflows/__config-export.yml 
@@ -67,18 +67,18 @@ jobs: tools: ${{ steps.prepare-test.outputs.tools-url }} - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' upload-database: false - name: Upload SARIF uses: actions/upload-artifact@v6 with: name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json - path: ${{ runner.temp }}/results/javascript.sarif + path: '${{ runner.temp }}/results/javascript.sarif' retention-days: 7 - name: Check config properties appear in SARIF uses: actions/github-script@v8 env: - SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif + SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif' with: script: | const fs = require('fs'); diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml index 29c92d9eca..c186416942 100644 --- a/.github/workflows/__diagnostics-export.yml +++ b/.github/workflows/__diagnostics-export.yml @@ -78,18 +78,18 @@ jobs: --ready-for-status-page - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' upload-database: false - name: Upload SARIF uses: actions/upload-artifact@v6 with: name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json - path: ${{ runner.temp }}/results/javascript.sarif + path: '${{ runner.temp }}/results/javascript.sarif' retention-days: 7 - name: Check diagnostics appear in SARIF uses: actions/github-script@v8 env: - SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif + SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif' with: script: | const fs = require('fs'); diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml index 395317ad2b..ef33c6485f 100644 --- a/.github/workflows/__export-file-baseline-information.yml +++ b/.github/workflows/__export-file-baseline-information.yml 
@@ -52,8 +52,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} + group: export-file-baseline-information-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} jobs: export-file-baseline-information: strategy: @@ -101,12 +100,12 @@ jobs: run: ./build.sh - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' - name: Upload SARIF uses: actions/upload-artifact@v6 with: name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json - path: ${{ runner.temp }}/results/javascript.sarif + path: '${{ runner.temp }}/results/javascript.sarif' retention-days: 7 - name: Check results run: | diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml index cc2120e869..f7d5a99f3b 100644 --- a/.github/workflows/__go-custom-queries.yml +++ b/.github/workflows/__go-custom-queries.yml @@ -52,8 +52,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} + group: go-custom-queries-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} jobs: go-custom-queries: strategy: diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml index 9c2f42ec4e..11497389f9 100644 --- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml +++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml @@ -77,7 +77,7 @@ jobs: with: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} - # Deliberately change Go after the `init` step + # Deliberately change Go after the `init` step - uses: actions/setup-go@v6 with: go-version: '1.20' 
@@ -85,12 +85,12 @@ jobs: run: go build main.go - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' upload-database: false - name: Check diagnostic appears in SARIF uses: actions/github-script@v8 env: - SARIF_PATH: ${{ runner.temp }}/results/go.sarif + SARIF_PATH: '${{ runner.temp }}/results/go.sarif' with: script: | const fs = require('fs'); diff --git a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml index 18645dcc3d..7d83904e69 100644 --- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml +++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml @@ -42,8 +42,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}} + group: go-indirect-tracing-workaround-no-file-program-${{github.ref}}-${{inputs.go-version}} jobs: go-indirect-tracing-workaround-no-file-program: strategy: @@ -87,12 +86,12 @@ jobs: run: go build main.go - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' upload-database: false - name: Check diagnostic appears in SARIF uses: actions/github-script@v8 env: - SARIF_PATH: ${{ runner.temp }}/results/go.sarif + SARIF_PATH: '${{ runner.temp }}/results/go.sarif' with: script: | const fs = require('fs'); diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml index 81532e8474..940784361d 100644 --- a/.github/workflows/__init-with-registries.yml +++ b/.github/workflows/__init-with-registries.yml @@ -50,7 +50,6 @@ jobs: permissions: contents: read packages: read - timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: 
@@ -66,7 +65,7 @@ jobs: - name: Init with registries uses: ./../action/init with: - db-location: ${{ runner.temp }}/customDbLocation + db-location: '${{ runner.temp }}/customDbLocation' tools: ${{ steps.prepare-test.outputs.tools-url }} config-file: ./.github/codeql/codeql-config-registries.yml languages: javascript diff --git a/.github/workflows/__job-run-uuid-sarif.yml b/.github/workflows/__job-run-uuid-sarif.yml index da32ec432b..3e48afbb1b 100644 --- a/.github/workflows/__job-run-uuid-sarif.yml +++ b/.github/workflows/__job-run-uuid-sarif.yml @@ -65,12 +65,12 @@ jobs: tools: ${{ steps.prepare-test.outputs.tools-url }} - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' - name: Upload SARIF uses: actions/upload-artifact@v6 with: name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json - path: ${{ runner.temp }}/results/javascript.sarif + path: '${{ runner.temp }}/results/javascript.sarif' retention-days: 7 - name: Check results run: | diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml index afdc089f38..d64abe876d 100644 --- a/.github/workflows/__language-aliases.yml +++ b/.github/workflows/__language-aliases.yml @@ -63,7 +63,7 @@ jobs: languages: C#,java-kotlin,swift,typescript tools: ${{ steps.prepare-test.outputs.tools-url }} - - name: Check languages + - name: 'Check languages' run: | expected_languages="csharp,java,swift,javascript" actual_languages=$(jq -r '.languages | join(",")' "$RUNNER_TEMP"/config) diff --git a/.github/workflows/__local-bundle.yml b/.github/workflows/__local-bundle.yml index bc3ab5ed67..ae77983001 100644 --- a/.github/workflows/__local-bundle.yml +++ b/.github/workflows/__local-bundle.yml 
@@ -62,8 +62,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} + group: local-bundle-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} jobs: local-bundle: strategy: @@ -109,7 +108,7 @@ jobs: - id: init uses: ./../action/init with: - # Swift is not supported on Ubuntu so we manually exclude it from the list here + # Swift is not supported on Ubuntu so we manually exclude it from the list here languages: cpp,csharp,go,java,javascript,python,ruby tools: ./codeql-bundle-linux64.tar.zst - name: Build code diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index c0a573ffc5..9cae8d3622 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -62,8 +62,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} + group: multi-language-autodetect-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} jobs: multi-language-autodetect: strategy: @@ -144,9 +143,8 @@ jobs: - uses: ./../action/init id: init with: - db-location: ${{ runner.temp }}/customDbLocation - languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' - || '' }} + db-location: '${{ runner.temp }}/customDbLocation' + languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' || '' }} tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Build code 
diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml index 43b70163a7..d0304ecd1d 100644 --- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml +++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml @@ -62,8 +62,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} + group: packaging-codescanning-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} jobs: packaging-codescanning-config-inputs-js: strategy: @@ -116,7 +115,7 @@ jobs: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - uses: ./../action/init with: - config-file: .github/codeql/codeql-config-packaging3.yml + config-file: '.github/codeql/codeql-config-packaging3.yml' packs: +codeql-testing/codeql-pack1@1.0.0 languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} @@ -124,15 +123,14 @@ jobs: run: ./build.sh - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' upload-database: false - name: Check results uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif - queries-run: - javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block + queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block queries-not-run: foo,bar - name: Assert Results diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml index 7ea2729c80..f971030093 100644 
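Review bot: Quoting of `${{ runner.temp }}` paths is inconsistent in the last hunk of `__packaging-codescanning-config-inputs-js.yml`: `output: '${{ runner.temp }}/results'` is now quoted, while `sarif-file: ${{ runner.temp }}/results/javascript.sarif` a few lines below stays plain. Both forms parse to the same string, so this is a style point only, but one convention would make the files easier to scan, e.g. `sarif-file: '${{ runner.temp }}/results/javascript.sarif'`. The same mix appears in the `check-sarif` hunks of `__packaging-config-inputs-js.yml`, `__packaging-config-js.yml` and `__packaging-inputs-js.yml`, in `db-location` in `__unset-environment.yml`, and in `output`/`sarif_file` in `__upload-sarif.yml`.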
--- a/.github/workflows/__packaging-config-inputs-js.yml +++ b/.github/workflows/__packaging-config-inputs-js.yml @@ -52,8 +52,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} + group: packaging-config-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} jobs: packaging-config-inputs-js: strategy: @@ -101,7 +100,7 @@ jobs: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - uses: ./../action/init with: - config-file: .github/codeql/codeql-config-packaging3.yml + config-file: '.github/codeql/codeql-config-packaging3.yml' packs: +codeql-testing/codeql-pack1@1.0.0 languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} @@ -109,15 +108,14 @@ jobs: run: ./build.sh - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' upload-database: false - name: Check results uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif - queries-run: - javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block + queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block queries-not-run: foo,bar - name: Assert Results diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml index 7c921cecc3..99bd171f9d 100644 --- a/.github/workflows/__packaging-config-js.yml +++ b/.github/workflows/__packaging-config-js.yml 
@@ -52,8 +52,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} + group: packaging-config-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} jobs: packaging-config-js: strategy: @@ -101,22 +100,21 @@ jobs: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - uses: ./../action/init with: - config-file: .github/codeql/codeql-config-packaging.yml + config-file: '.github/codeql/codeql-config-packaging.yml' languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Build code run: ./build.sh - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' upload-database: false - name: Check results uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif - queries-run: - javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block + queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block queries-not-run: foo,bar - name: Assert Results diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml index 224b06305c..e5cd0182ec 100644 --- a/.github/workflows/__packaging-inputs-js.yml +++ b/.github/workflows/__packaging-inputs-js.yml @@ -52,8 +52,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} + group: packaging-inputs-js-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} jobs: packaging-inputs-js: strategy: 
@@ -101,7 +100,7 @@ jobs: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - uses: ./../action/init with: - config-file: .github/codeql/codeql-config-packaging2.yml + config-file: '.github/codeql/codeql-config-packaging2.yml' languages: javascript packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql tools: ${{ steps.prepare-test.outputs.tools-url }} @@ -109,14 +108,13 @@ jobs: run: ./build.sh - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' - name: Check results uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif - queries-run: - javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block + queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block queries-not-run: foo,bar - name: Assert Results diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml index a026117a7f..abf5cd21e2 100644 --- a/.github/workflows/__remote-config.yml +++ b/.github/workflows/__remote-config.yml @@ -62,8 +62,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} + group: remote-config-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} jobs: remote-config: strategy: 
@@ -109,8 +108,7 @@ jobs: with: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: cpp,csharp,java,javascript,python - config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ - github.sha }} + config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }} - name: Build code run: ./build.sh - uses: ./../action/analyze diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index 3acee8d64b..8b3391064a 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml @@ -84,8 +84,7 @@ jobs: language: javascript-typescript - name: Fail if JavaScript/TypeScript configuration present - if: - fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript + if: fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript run: exit 1 env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml index 9e1cad8e0e..58e547f367 100644 --- a/.github/workflows/__split-workflow.yml +++ b/.github/workflows/__split-workflow.yml @@ -99,7 +99,7 @@ jobs: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - uses: ./../action/init with: - config-file: .github/codeql/codeql-config-packaging3.yml + config-file: '.github/codeql/codeql-config-packaging3.yml' packs: +codeql-testing/codeql-pack1@1.0.0 languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} @@ -108,7 +108,7 @@ jobs: - uses: ./../action/analyze with: skip-queries: true - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' upload-database: false - name: Assert No Results @@ -119,7 +119,7 @@ jobs: fi - uses: ./../action/analyze with: - output: ${{ runner.temp }}/results + output: '${{ runner.temp }}/results' upload-database: false - name: Assert Results run: | 
diff --git a/.github/workflows/__start-proxy.yml b/.github/workflows/__start-proxy.yml index 438a994057..e1a0f833e0 100644 --- a/.github/workflows/__start-proxy.yml +++ b/.github/workflows/__start-proxy.yml @@ -71,8 +71,7 @@ jobs: id: proxy uses: ./../action/start-proxy with: - registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" - }]' + registry_secrets: '[{ "type": "nuget_feed", "url": "https://api.nuget.org/v3/index.json" }]' - name: Print proxy outputs run: | @@ -81,8 +80,7 @@ jobs: echo "${{ steps.proxy.outputs.proxy_urls }}" - name: Fail if proxy outputs are not set - if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) - || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls) + if: (!steps.proxy.outputs.proxy_host) || (!steps.proxy.outputs.proxy_port) || (!steps.proxy.outputs.proxy_ca_certificate) || (!steps.proxy.outputs.proxy_urls) run: exit 1 env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml index 93553d18df..2fdfeddfbf 100644 --- a/.github/workflows/__submit-sarif-failure.yml +++ b/.github/workflows/__submit-sarif-failure.yml @@ -49,8 +49,7 @@ jobs: if: github.triggering_actor != 'dependabot[bot]' permissions: contents: read - security-events: write # needed to upload the SARIF file - + security-events: write timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: 
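Review bot: In `__start-proxy.yml`, the "Print proxy outputs" script still expands `${{ steps.proxy.outputs.proxy_urls }}` directly inside the `run:` text (the `echo` line at the top of the second hunk), so the value is pasted into the shell source before bash parses it. The value appears to derive from the fixed `registry_secrets` input, so the exposure looks low here, but the usual hardening is to pass it through the environment: an `env:` entry `PROXY_URLS: ${{ steps.proxy.outputs.proxy_urls }}` and then `echo "$PROXY_URLS"`. The step begins in the previous hunk and its earlier lines are not visible, so any other outputs printed there would presumably need the same treatment.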
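Review bot: The rewritten `security-events: write` line in `__submit-sarif-failure.yml` loses its trailing `# needed to upload the SARIF file`, which was the only visible justification for the one write scope this job holds; I would keep it as `security-events: write # needed to upload the SARIF file`. The next hunk of the same file (`@@ -69,26 +68,20 @@`) likewise drops the four comments above the `env:` entries, including the one explaining that `CODEQL_ACTION_TEST_MODE: false` is deliberate because the job uploads the failed SARIF as an integration test of the API endpoint. If these workflow files are generated, the comments would need to be preserved by the generator rather than re-added by hand.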
@@ -69,26 +68,20 @@ jobs: languages: javascript tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Fail - # We want this job to pass if the Action correctly uploads the SARIF file for - # the failed run. - # Setting this step to continue on error means that it is marked as completing - # successfully, so will not fail the job. + # We want this job to pass if the Action correctly uploads the SARIF file for + # the failed run. + # Setting this step to continue on error means that it is marked as completing + # successfully, so will not fail the job. continue-on-error: true run: exit 1 - uses: ./analyze - # In a real workflow, this step wouldn't run. Since we used `continue-on-error` - # above, we manually disable it with an `if` condition. + # In a real workflow, this step wouldn't run. Since we used `continue-on-error` + # above, we manually disable it with an `if` condition. if: false with: - category: /test-codeql-version:${{ matrix.version }} + category: '/test-codeql-version:${{ matrix.version }}' env: - # Internal-only environment variable used to indicate that the post-init Action - # should expect to upload a SARIF file for the failed run. CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true - # Make sure the uploading SARIF files feature is enabled. CODEQL_ACTION_UPLOAD_FAILED_SARIF: true - # Upload the failed SARIF file as an integration test of the API endpoint. CODEQL_ACTION_TEST_MODE: false - # Mark telemetry for this workflow so it can be treated separately. CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks - diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index bc3e5d71fe..7749f1b814 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml 
@@ -52,8 +52,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} + group: swift-custom-build-${{github.ref}}-${{inputs.go-version}}-${{inputs.dotnet-version}} jobs: swift-custom-build: strategy: diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml index b1918fe26d..5be68f8102 100644 --- a/.github/workflows/__unset-environment.yml +++ b/.github/workflows/__unset-environment.yml @@ -62,8 +62,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} + group: unset-environment-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} jobs: unset-environment: strategy: @@ -109,7 +108,7 @@ jobs: id: init with: db-location: ${{ runner.temp }}/customDbLocation - # Swift is not supported on Ubuntu so we manually exclude it from the list here + # Swift is not supported on Ubuntu so we manually exclude it from the list here languages: cpp,csharp,go,java,javascript,python,ruby tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Build code diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml index ad242dd7c2..f9a832d7ee 100644 --- a/.github/workflows/__upload-ref-sha-input.yml +++ b/.github/workflows/__upload-ref-sha-input.yml 
@@ -62,8 +62,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} + group: upload-ref-sha-input-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} jobs: upload-ref-sha-input: strategy: @@ -107,19 +106,18 @@ jobs: with: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: cpp,csharp,java,javascript,python - config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ - github.sha }} + config-file: ${{ github.repository }}/tests/multi-language-repo/.github/codeql/custom-queries.yml@${{ github.sha }} - name: Build code run: ./build.sh - # Generate some SARIF we can upload with the upload-sarif step + # Generate some SARIF we can upload with the upload-sarif step - uses: ./../action/analyze with: - ref: refs/heads/main - sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' upload: never - uses: ./../action/upload-sarif with: - ref: refs/heads/main - sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' env: CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__upload-sarif.yml b/.github/workflows/__upload-sarif.yml index 494731fa42..873ba5ca99 100644 --- a/.github/workflows/__upload-sarif.yml +++ b/.github/workflows/__upload-sarif.yml @@ -62,8 +62,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} + group: upload-sarif-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} jobs: upload-sarif: strategy: 
@@ -117,11 +116,11 @@ jobs: analysis-kinds: ${{ matrix.analysis-kinds }} - name: Build code run: ./build.sh - # Generate some SARIF we can upload with the upload-sarif step + # Generate some SARIF we can upload with the upload-sarif step - uses: ./../action/analyze with: - ref: refs/heads/main - sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' upload: never output: ${{ runner.temp }}/results @@ -130,15 +129,15 @@ jobs: uses: ./../action/upload-sarif id: upload-sarif with: - ref: refs/heads/main - sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' sarif_file: ${{ runner.temp }}/results category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/ - - name: Fail for missing output from `upload-sarif` step for `code-scanning` + - name: 'Fail for missing output from `upload-sarif` step for `code-scanning`' if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning) run: exit 1 - - name: Fail for missing output from `upload-sarif` step for `code-quality` + - name: 'Fail for missing output from `upload-sarif` step for `code-quality`' if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality) run: exit 1 
@@ -147,28 +146,26 @@ jobs: id: upload-single-sarif-code-scanning if: contains(matrix.analysis-kinds, 'code-scanning') with: - ref: refs/heads/main - sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' sarif_file: ${{ runner.temp }}/results/javascript.sarif category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/ - - name: Fail for missing output from `upload-single-sarif-code-scanning` step - if: contains(matrix.analysis-kinds, 'code-scanning') && - !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning) + - name: 'Fail for missing output from `upload-single-sarif-code-scanning` step' + if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning) run: exit 1 - name: Upload single SARIF file for Code Quality uses: ./../action/upload-sarif id: upload-single-sarif-code-quality if: contains(matrix.analysis-kinds, 'code-quality') with: - ref: refs/heads/main - sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' sarif_file: ${{ runner.temp }}/results/javascript.quality.sarif category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/ - - name: Fail for missing output from `upload-single-sarif-code-quality` step - if: contains(matrix.analysis-kinds, 'code-quality') && - !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality) + - name: 'Fail for missing output from `upload-single-sarif-code-quality` step' + if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality) run: exit 1 - name: Change SARIF file 
extension @@ -179,12 +176,12 @@ jobs: id: upload-single-non-sarif if: contains(matrix.analysis-kinds, 'code-scanning') with: - ref: refs/heads/main - sha: 5e235361806c361d4d3f8859e3c897658025a9a2 + ref: 'refs/heads/main' + sha: '5e235361806c361d4d3f8859e3c897658025a9a2' sarif_file: ${{ runner.temp }}/results/javascript.sarif.json category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/ - - name: Fail for missing output from `upload-single-non-sarif` step + - name: 'Fail for missing output from `upload-single-non-sarif` step' if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning) run: exit 1 env: diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index c976b4e9b9..11f6e1dbc0 100644 --- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml @@ -62,8 +62,7 @@ defaults: shell: bash concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' || false }} - group: - with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} + group: with-checkout-path-${{github.ref}}-${{inputs.go-version}}-${{inputs.python-version}}-${{inputs.dotnet-version}} jobs: with-checkout-path: strategy: @@ -80,6 +79,7 @@ jobs: timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: + # This ensures we don't accidentally use the original checkout for any part of the test. - name: Check out repository uses: actions/checkout@v6 - name: Prepare test 
@@ -109,8 +109,8 @@ jobs: # Actions does not support deleting the current working directory, so we # delete the contents of the directory instead. rm -rf ./* .github .git - # Check out the actions repo again, but at a different location. - # choose an arbitrary SHA so that we can later test that the commit_oid is not from main + # Check out the actions repo again, but at a different location. + # choose an arbitrary SHA so that we can later test that the commit_oid is not from main - uses: actions/checkout@v6 with: ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6 @@ -119,7 +119,7 @@ jobs: - uses: ./../action/init with: tools: ${{ steps.prepare-test.outputs.tools-url }} - # it's enough to test one compiled language and one interpreted language + # it's enough to test one compiled language and one interpreted language languages: csharp,javascript source-root: x/y/z/some-path/tests/multi-language-repo diff --git a/eslint.config.mjs b/eslint.config.mjs index 3e1ea8a6ae..6ac800276e 100644 --- a/eslint.config.mjs +++ b/eslint.config.mjs @@ -21,6 +21,7 @@ export default [ "build.mjs", "eslint.config.mjs", ".github/**/*", + "pr-checks/**/*", ], }, // eslint recommended config diff --git a/pr-checks/.gitignore b/pr-checks/.gitignore index 979f35ea98..c06afdaf9e 100644 --- a/pr-checks/.gitignore +++ b/pr-checks/.gitignore @@ -1,3 +1,4 @@ env __pycache__/ *.pyc +node_modules/ diff --git a/pr-checks/checks/bundle-from-nightly.yml b/pr-checks/checks/bundle-from-nightly.yml index 4f68b7829a..ac7076cb0c 100644 --- a/pr-checks/checks/bundle-from-nightly.yml +++ b/pr-checks/checks/bundle-from-nightly.yml @@ -11,5 +11,5 @@ steps: tools: ${{ steps.prepare-test.outputs.tools-url }} languages: javascript - name: Fail if the CodeQL version is not a nightly - if: "!contains(steps.init.outputs.codeql-version, '+')" + if: ${{ !contains(steps.init.outputs.codeql-version, '+') }} run: exit 1 
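Review bot: Adding `"pr-checks/**/*"` to what appears to be the ignore list in `eslint.config.mjs` means the new `pr-checks/sync.ts`, which generates every workflow under `.github/workflows`, is never linted. The key that owns this array is outside the hunk, so confirm it really is `ignores`. If the exclusion exists only because the root TypeScript project does not cover `pr-checks`, say so in a comment such as `// pr-checks has its own package.json and is not part of the root lint project`. Preferably give `sync.ts` its own lint entry rather than excluding the whole directory.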
diff --git a/pr-checks/checks/upload-sarif.yml b/pr-checks/checks/upload-sarif.yml index cfe66a3f87..8009225c2e 100644 --- a/pr-checks/checks/upload-sarif.yml +++ b/pr-checks/checks/upload-sarif.yml @@ -32,16 +32,16 @@ steps: category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:all-files/ - name: "Fail for missing output from `upload-sarif` step for `code-scanning`" - if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning)" + if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-scanning) run: exit 1 - name: "Fail for missing output from `upload-sarif` step for `code-quality`" - if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality)" + if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-sarif.outputs.sarif-ids).code-quality) run: exit 1 - name: Upload single SARIF file for Code Scanning uses: ./../action/upload-sarif id: upload-single-sarif-code-scanning - if: "contains(matrix.analysis-kinds, 'code-scanning')" + if: contains(matrix.analysis-kinds, 'code-scanning') with: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' 
@@ -49,12 +49,12 @@ steps: category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-scanning/ - name: "Fail for missing output from `upload-single-sarif-code-scanning` step" - if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning)" + if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-sarif-code-scanning.outputs.sarif-ids).code-scanning) run: exit 1 - name: Upload single SARIF file for Code Quality uses: ./../action/upload-sarif id: upload-single-sarif-code-quality - if: "contains(matrix.analysis-kinds, 'code-quality')" + if: contains(matrix.analysis-kinds, 'code-quality') with: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' @@ -62,16 +62,16 @@ steps: category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:single-code-quality/ - name: "Fail for missing output from `upload-single-sarif-code-quality` step" - if: "contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality)" + if: contains(matrix.analysis-kinds, 'code-quality') && !(fromJSON(steps.upload-single-sarif-code-quality.outputs.sarif-ids).code-quality) run: exit 1 - name: Change SARIF file extension - if: "contains(matrix.analysis-kinds, 'code-scanning')" + if: contains(matrix.analysis-kinds, 'code-scanning') run: mv ${{ runner.temp }}/results/javascript.sarif ${{ runner.temp }}/results/javascript.sarif.json - name: Upload single non-`.sarif` file uses: ./../action/upload-sarif id: upload-single-non-sarif - if: "contains(matrix.analysis-kinds, 'code-scanning')" + if: contains(matrix.analysis-kinds, 'code-scanning') with: ref: 'refs/heads/main' sha: '5e235361806c361d4d3f8859e3c897658025a9a2' 
@@ -79,5 +79,5 @@ steps: category: | ${{ github.workflow }}:upload-sarif/analysis-kinds:${{ matrix.analysis-kinds }}/os:${{ matrix.os }}/version:${{ matrix.version }}/test:non-sarif/ - name: "Fail for missing output from `upload-single-non-sarif` step" - if: "contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning)" + if: contains(matrix.analysis-kinds, 'code-scanning') && !(fromJSON(steps.upload-single-non-sarif.outputs.sarif-ids).code-scanning) run: exit 1 diff --git a/pr-checks/package-lock.json b/pr-checks/package-lock.json new file mode 100644 index 0000000000..2facb73229 --- /dev/null +++ b/pr-checks/package-lock.json 
@@ -0,0 +1,605 @@ +{ + "name": "pr-checks", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "dependencies": { + "yaml": "^2.8.2" + }, + "devDependencies": { + "@types/node": "^20.19.9", + "tsx": "^4.21.0", + "typescript": "^5.9.3" + } + }, + "node_modules/@esbuild/aix-ppc64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz", + "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==", + "cpu": [ + "ppc64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "aix" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/android-arm": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.3.tgz", + "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/android-arm64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz", + "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/android-x64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.3.tgz", + "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/darwin-arm64": { + "version": "0.27.3", + 
"resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz", + "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/darwin-x64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz", + "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/freebsd-arm64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz", + "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "freebsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/freebsd-x64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz", + "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "freebsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-arm": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz", + "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" 
+ } + }, + "node_modules/@esbuild/linux-arm64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz", + "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-ia32": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz", + "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==", + "cpu": [ + "ia32" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-loong64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz", + "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==", + "cpu": [ + "loong64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-mips64el": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz", + "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==", + "cpu": [ + "mips64el" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-ppc64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz", + "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==", + "cpu": [ + "ppc64" + ], + "dev": true, + 
"license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-riscv64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz", + "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==", + "cpu": [ + "riscv64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-s390x": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz", + "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==", + "cpu": [ + "s390x" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-x64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz", + "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/netbsd-arm64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz", + "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "netbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/netbsd-x64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz", + "integrity": 
"sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "netbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/openbsd-arm64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz", + "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/openbsd-x64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz", + "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/openharmony-arm64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz", + "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openharmony" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/sunos-x64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz", + "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "sunos" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/win32-arm64": { + "version": "0.27.3", + 
"resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz", + "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/win32-ia32": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz", + "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==", + "cpu": [ + "ia32" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/win32-x64": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz", + "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@types/node": { + "version": "20.19.35", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.35.tgz", + "integrity": "sha512-Uarfe6J91b9HAUXxjvSOdiO2UPOKLm07Q1oh0JHxoZ1y8HoqxDAu3gVrsrOHeiio0kSsoVBt4wFrKOm0dKxVPQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "undici-types": "~6.21.0" + } + }, + "node_modules/esbuild": { + "version": "0.27.3", + "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz", + "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "bin": { + "esbuild": "bin/esbuild" + }, + "engines": { + "node": ">=18" + }, + "optionalDependencies": { + "@esbuild/aix-ppc64": "0.27.3", + "@esbuild/android-arm": "0.27.3", + 
"@esbuild/android-arm64": "0.27.3", + "@esbuild/android-x64": "0.27.3", + "@esbuild/darwin-arm64": "0.27.3", + "@esbuild/darwin-x64": "0.27.3", + "@esbuild/freebsd-arm64": "0.27.3", + "@esbuild/freebsd-x64": "0.27.3", + "@esbuild/linux-arm": "0.27.3", + "@esbuild/linux-arm64": "0.27.3", + "@esbuild/linux-ia32": "0.27.3", + "@esbuild/linux-loong64": "0.27.3", + "@esbuild/linux-mips64el": "0.27.3", + "@esbuild/linux-ppc64": "0.27.3", + "@esbuild/linux-riscv64": "0.27.3", + "@esbuild/linux-s390x": "0.27.3", + "@esbuild/linux-x64": "0.27.3", + "@esbuild/netbsd-arm64": "0.27.3", + "@esbuild/netbsd-x64": "0.27.3", + "@esbuild/openbsd-arm64": "0.27.3", + "@esbuild/openbsd-x64": "0.27.3", + "@esbuild/openharmony-arm64": "0.27.3", + "@esbuild/sunos-x64": "0.27.3", + "@esbuild/win32-arm64": "0.27.3", + "@esbuild/win32-ia32": "0.27.3", + "@esbuild/win32-x64": "0.27.3" + } + }, + "node_modules/fsevents": { + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", + "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, + "node_modules/get-tsconfig": { + "version": "4.13.6", + "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.6.tgz", + "integrity": "sha512-shZT/QMiSHc/YBLxxOkMtgSid5HFoauqCE3/exfsEcwg1WkeqjG+V40yBbBrsD+jW2HDXcs28xOfcbm2jI8Ddw==", + "dev": true, + "license": "MIT", + "dependencies": { + "resolve-pkg-maps": "^1.0.0" + }, + "funding": { + "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1" + } + }, + "node_modules/resolve-pkg-maps": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz", + "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==", + 
"dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1" + } + }, + "node_modules/tsx": { + "version": "4.21.0", + "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.21.0.tgz", + "integrity": "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==", + "dev": true, + "license": "MIT", + "dependencies": { + "esbuild": "~0.27.0", + "get-tsconfig": "^4.7.5" + }, + "bin": { + "tsx": "dist/cli.mjs" + }, + "engines": { + "node": ">=18.0.0" + }, + "optionalDependencies": { + "fsevents": "~2.3.3" + } + }, + "node_modules/typescript": { + "version": "5.9.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", + "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", + "dev": true, + "license": "Apache-2.0", + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=14.17" + } + }, + "node_modules/undici-types": { + "version": "6.21.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", + "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", + "dev": true, + "license": "MIT" + }, + "node_modules/yaml": { + "version": "2.8.2", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz", + "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==", + "license": "ISC", + "bin": { + "yaml": "bin.mjs" + }, + "engines": { + "node": ">= 14.6" + }, + "funding": { + "url": "https://github.com/sponsors/eemeli" + } + } + } +} diff --git a/pr-checks/package.json b/pr-checks/package.json new file mode 100644 index 0000000000..b323b98b83 --- /dev/null +++ b/pr-checks/package.json 
@@ -0,0 +1,12 @@ +{ + "private": true, + "description": "Dependencies for the sync.ts", + "dependencies": { + "yaml": "^2.8.2" + }, + "devDependencies": { + "@types/node": "^20.19.9", + "tsx": "^4.21.0", + "typescript": "^5.9.3" + } +} diff --git a/pr-checks/sync.sh b/pr-checks/sync.sh index 85df3272ce..3ddbcd4c0b 100755 --- a/pr-checks/sync.sh +++ b/pr-checks/sync.sh @@ -2,8 +2,6 @@ set -e cd "$(dirname "$0")" -python3 -m venv env -source env/*/activate -pip3 install ruamel.yaml==0.17.31 -python3 sync.py +npm install --no-audit --no-fund +npx tsx sync.ts diff --git a/pr-checks/sync.ts b/pr-checks/sync.ts new file mode 100755 index 0000000000..d4e5ea2e0f --- /dev/null +++ b/pr-checks/sync.ts 
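Review bot: `npm install --no-audit --no-fund` in `sync.sh` treats `package-lock.json` as advisory. If the lockfile is missing or out of sync with the caret ranges in `package.json`, npm resolves versions afresh and rewrites the lockfile instead of failing. The script that regenerates every workflow in `.github/workflows` can then run on dependency versions nobody reviewed. The removed line pinned `ruamel.yaml==0.17.31` exactly; the equivalent here is `npm ci --no-audit --no-fund`, which installs only what the lockfile records and errors out on a mismatch. The new lockfile also marks `esbuild` and `fsevents` with `hasInstallScript`, so it is worth testing whether `--ignore-scripts` can be added without breaking `npx tsx sync.ts`.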
@@ -0,0 +1,528 @@ +#!/usr/bin/env npx tsx + +import * as fs from "fs"; +import * as path from "path"; + +import * as yaml from "yaml"; + +/** + * Represents workflow input definitions. + */ +interface WorkflowInput { + type: string; + description: string; + required: boolean; + default: string; +} + +/** + * Represents PR check specifications. + */ +interface Specification { + /** The display name for the check. */ + name: string; + /** The workflow steps specific to this check. */ + steps: any[]; + /** Workflow-level input definitions forwarded to `workflow_dispatch`/`workflow_call`. */ + inputs?: Record; + /** CodeQL bundle versions to test against. Defaults to `DEFAULT_TEST_VERSIONS`. */ + versions?: string[]; + /** Operating system prefixes used to select runner images (e.g. `["ubuntu", "macos"]`). */ + operatingSystems?: string[]; + /** Whether to use the all-platform CodeQL bundle. */ + useAllPlatformBundle?: string; + /** Values for the `analysis-kinds` matrix dimension. */ + analysisKinds?: string[]; + + installNode?: string | boolean; + installGo?: string | boolean; + installJava?: string | boolean; + installPython?: string | boolean; + installDotNet?: string | boolean; + installYq?: string | boolean; + + /** Container image configuration for the job. */ + container?: any; + /** Service containers for the job. */ + services?: any; + + /** Custom permissions override for the job. */ + permissions?: Record; + /** Extra environment variables for the job. */ + env?: Record; + + /** If set, this check is part of a named collection that gets its own caller workflow. */ + collection?: string; +} + +// The default set of CodeQL Bundle versions to use for the PR checks. +const defaultTestVersions = [ + // The oldest supported CodeQL version. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts` + "stable-v2.17.6", + // The last CodeQL release in the 2.18 series. + "stable-v2.18.4", + // The last CodeQL release in the 2.19 series. 
+ "stable-v2.19.4", + // The last CodeQL release in the 2.20 series. + "stable-v2.20.7", + // The last CodeQL release in the 2.21 series. + "stable-v2.21.4", + // The last CodeQL release in the 2.22 series. + "stable-v2.22.4", + // The default version of CodeQL for Dotcom, as determined by feature flags. + "default", + // The version of CodeQL shipped with the Action in `defaults.json`. During the release process + // for a new CodeQL release, there will be a period of time during which this will be newer than + // the default version on Dotcom. + "linked", + // A nightly build directly from the our private repo, built in the last 24 hours. + "nightly-latest", +]; + +const THIS_DIR = __dirname; +const CHECKS_DIR = path.join(THIS_DIR, "checks"); +const OUTPUT_DIR = path.join(THIS_DIR, "..", ".github", "workflows"); + +/** + * Loads and parses a YAML file. + */ +function loadYaml(filePath: string): yaml.Document { + const content = fs.readFileSync(filePath, "utf8"); + return yaml.parseDocument(content); +} + +/** + * Serialize a value to YAML and write it to a file, prepended with the + * standard header comment. + */ +function writeYaml(filePath: string, workflow: any): void { + const header = `# Warning: This file is generated automatically, and should not be modified. +# Instead, please modify the template in the pr-checks directory and run: +# pr-checks/sync.sh +# to regenerate this file. + +`; + const workflowDoc = new yaml.Document(workflow, { + aliasDuplicateObjects: false, + }); + const yamlStr = yaml.stringify(workflowDoc, { + aliasDuplicateObjects: false, + singleQuote: true, + lineWidth: 0, + }); + fs.writeFileSync(filePath, stripTrailingWhitespace(header + yamlStr), "utf8"); +} + +function isTruthy(value: string | boolean | undefined): boolean { + if (typeof value === "string") { + return value.toLowerCase() === "true"; + } + return Boolean(value); +} + +/** + * Strip trailing whitespace from each line. 
+ */ +function stripTrailingWhitespace(content: string): string { + return content + .split("\n") + .map((line) => line.trimEnd()) + .join("\n"); +} + +/** + * Main entry point for the sync script. + */ +function main(): void { + // Ensure the output directory exists. + fs.mkdirSync(OUTPUT_DIR, { recursive: true }); + + // Discover and sort all check specification files. + const checkFiles = fs + .readdirSync(CHECKS_DIR) + .filter((f) => f.endsWith(".yml")) + .sort() + .map((f) => path.join(CHECKS_DIR, f)); + + console.log(`Found ${checkFiles.length} check specification(s).`); + + const collections: Record< + string, + Array<{ + specification: Specification; + checkName: string; + inputs: Record; + }> + > = {}; + + for (const file of checkFiles) { + const checkName = path.basename(file, ".yml"); + const specDocument = loadYaml(file); + const checkSpecification = specDocument.toJS() as Specification; + + console.log(`Processing: ${checkName} — "${checkSpecification.name}"`); + + let workflowInputs: Record = {}; + if (checkSpecification.inputs) { + workflowInputs = checkSpecification.inputs; + } + + let matrix: Array> = []; + + for (const version of checkSpecification.versions ?? defaultTestVersions) { + if (version === "latest") { + throw new Error( + 'Did not recognise "version: latest". Did you mean "version: linked"?', + ); + } + + const runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"]; + const operatingSystems = checkSpecification.operatingSystems ?? 
[ + "ubuntu", + ]; + + for (const operatingSystem of operatingSystems) { + const runnerImagesForOs = runnerImages.filter((image) => + image.startsWith(operatingSystem), + ); + + for (const runnerImage of runnerImagesForOs) { + matrix.push({ + os: runnerImage, + version, + }); + } + } + } + + let useAllPlatformBundle = "false"; // Default to false + if (checkSpecification.useAllPlatformBundle) { + useAllPlatformBundle = checkSpecification.useAllPlatformBundle; + } + + if (checkSpecification.analysisKinds) { + const newMatrix: Array> = []; + for (const matrixInclude of matrix) { + for (const analysisKind of checkSpecification.analysisKinds) { + newMatrix.push({ + ...matrixInclude, + "analysis-kinds": analysisKind, + }); + } + } + matrix = newMatrix; + } + + // Construct the workflow steps needed for this check. + const steps: any[] = [ + { + name: "Check out repository", + uses: "actions/checkout@v6", + }, + ]; + + const installNode = isTruthy(checkSpecification.installNode); + + if (installNode) { + steps.push( + { + name: "Install Node.js", + uses: "actions/setup-node@v6", + with: { + "node-version": "20.x", + cache: "npm", + }, + }, + { + name: "Install dependencies", + run: "npm ci", + }, + ); + } + + steps.push({ + name: "Prepare test", + id: "prepare-test", + uses: "./.github/actions/prepare-test", + with: { + version: "${{ matrix.version }}", + "use-all-platform-bundle": useAllPlatformBundle, + // If the action is being run from a container, then do not setup kotlin. + // This is because the kotlin binaries cannot be downloaded from the container. 
+ "setup-kotlin": String( + !("container" in checkSpecification), + ).toLowerCase(), + }, + }); + + const installGo = isTruthy(checkSpecification.installGo); + + if (installGo) { + const baseGoVersionExpr = ">=1.21.0"; + workflowInputs["go-version"] = { + type: "string", + description: "The version of Go to install", + required: false, + default: baseGoVersionExpr, + }; + + steps.push({ + name: "Install Go", + uses: "actions/setup-go@v6", + with: { + "go-version": + "${{ inputs.go-version || '" + baseGoVersionExpr + "' }}", + // to avoid potentially misleading autobuilder results where we expect it to download + // dependencies successfully, but they actually come from a warm cache + cache: false, + }, + }); + } + + const installJava = isTruthy(checkSpecification.installJava); + + if (installJava) { + const baseJavaVersionExpr = "17"; + workflowInputs["java-version"] = { + type: "string", + description: "The version of Java to install", + required: false, + default: baseJavaVersionExpr, + }; + + steps.push({ + name: "Install Java", + uses: "actions/setup-java@v5", + with: { + "java-version": + "${{ inputs.java-version || '" + baseJavaVersionExpr + "' }}", + distribution: "temurin", + }, + }); + } + + const installPython = isTruthy(checkSpecification.installPython); + + if (installPython) { + const basePythonVersionExpr = "3.13"; + workflowInputs["python-version"] = { + type: "string", + description: "The version of Python to install", + required: false, + default: basePythonVersionExpr, + }; + + steps.push({ + name: "Install Python", + if: "matrix.version != 'nightly-latest'", + uses: "actions/setup-python@v6", + with: { + "python-version": + "${{ inputs.python-version || '" + basePythonVersionExpr + "' }}", + }, + }); + } + + const installDotNet = isTruthy(checkSpecification.installDotNet); + + if (installDotNet) { + const baseDotNetVersionExpr = "9.x"; + workflowInputs["dotnet-version"] = { + type: "string", + description: "The version of .NET to install", + 
required: false, + default: baseDotNetVersionExpr, + }; + + steps.push({ + name: "Install .NET", + uses: "actions/setup-dotnet@v5", + with: { + "dotnet-version": + "${{ inputs.dotnet-version || '" + baseDotNetVersionExpr + "' }}", + }, + }); + } + + const installYq = isTruthy(checkSpecification.installYq); + + if (installYq) { + steps.push({ + name: "Install yq", + if: "runner.os == 'Windows'", + env: { + YQ_PATH: "${{ runner.temp }}/yq", + // This is essentially an arbitrary version of `yq`, which happened to be the one that + // `choco` fetched when we moved away from using that here. + // See https://github.com/github/codeql-action/pull/3423 + YQ_VERSION: "v4.50.1", + }, + run: + 'gh release download --repo mikefarah/yq --pattern "yq_windows_amd64.exe" "$YQ_VERSION" -O "$YQ_PATH/yq.exe"\n' + + 'echo "$YQ_PATH" >> "$GITHUB_PATH"', + }); + } + + // Extract the sequence of steps from the YAML document to persist as much formatting as possible. + const specSteps = specDocument.get("steps") as yaml.YAMLSeq; + + // A handful of workflow specifications use double quotes for values, while we generally use single quotes. + // This replaces double quotes with single quotes for consistency. + yaml.visit(specSteps, { + Scalar(_key, node) { + if (node.type === "QUOTE_DOUBLE") { + node.type = "QUOTE_SINGLE"; + } + } + }); + + // Add the generated steps in front of the ones from the specification. 
+ specSteps.items.unshift(...steps); + + const checkJob: Record = { + strategy: { + "fail-fast": false, + matrix: { + include: matrix, + }, + }, + name: checkSpecification.name, + if: "github.triggering_actor != 'dependabot[bot]'", + permissions: { + contents: "read", + "security-events": "read", + }, + "timeout-minutes": 45, + "runs-on": "${{ matrix.os }}", + steps: specSteps, + }; + + if (checkSpecification.permissions) { + checkJob.permissions = checkSpecification.permissions; + } + + for (const key of ["env", "container", "services"] as const) { + if (checkSpecification[key] !== undefined) { + checkJob[key] = checkSpecification[key]; + } + } + + checkJob.env = checkJob.env ?? {}; + if (!("CODEQL_ACTION_TEST_MODE" in checkJob.env)) { + checkJob.env.CODEQL_ACTION_TEST_MODE = true; + } + + // If this check belongs to a named collection, record it. + if (checkSpecification.collection) { + const collectionName = checkSpecification.collection; + if (!collections[collectionName]) { + collections[collectionName] = []; + } + collections[collectionName].push({ + specification: checkSpecification, + checkName, + inputs: workflowInputs, + }); + } + + let extraGroupName = ""; + for (const inputName of Object.keys(workflowInputs)) { + extraGroupName += "-${{inputs." 
+ inputName + "}}"; + } + + const cron = new yaml.Scalar("0 5 * * *"); + cron.type = yaml.Scalar.QUOTE_SINGLE; + + const workflow = { + name: `PR Check - ${checkSpecification.name}`, + env: { + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}", + GO111MODULE: "auto", + }, + on: { + push: { + branches: ["main", "releases/v*"], + }, + pull_request: { + types: ["opened", "synchronize", "reopened", "ready_for_review"], + }, + merge_group: { + types: ["checks_requested"], + }, + schedule: [{ cron }], + workflow_dispatch: { + inputs: workflowInputs, + }, + workflow_call: { + inputs: workflowInputs, + }, + }, + defaults: { + run: { + shell: "bash", + }, + }, + concurrency: { + "cancel-in-progress": + "${{ github.event_name == 'pull_request' || false }}", + group: checkName + "-${{github.ref}}" + extraGroupName, + }, + jobs: { + [checkName]: checkJob, + }, + }; + + const outputPath = path.join(OUTPUT_DIR, `__${checkName}.yml`); + writeYaml(outputPath, workflow); + } + + // Write workflow files for collections. + for (const collectionName of Object.keys(collections)) { + const jobs: Record = {}; + let combinedInputs: Record = {}; + + for (const check of collections[collectionName]) { + const { checkName, specification, inputs: checkInputs } = check; + const checkWith: Record = {}; + + combinedInputs = { ...combinedInputs, ...checkInputs }; + + for (const inputName of Object.keys(checkInputs)) { + checkWith[inputName] = "${{ inputs." 
+ inputName + " }}"; + } + + jobs[checkName] = { + name: specification.name, + permissions: { + contents: "read", + "security-events": "read", + }, + uses: `./.github/workflows/__${checkName}.yml`, + with: checkWith, + }; + } + + const collectionWorkflow = { + name: `Manual Check - ${collectionName}`, + env: { + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}", + GO111MODULE: "auto", + }, + on: { + workflow_dispatch: { + inputs: combinedInputs, + }, + }, + jobs, + }; + + const outputPath = path.join(OUTPUT_DIR, `__${collectionName}.yml`); + writeYaml(outputPath, collectionWorkflow); + } + + console.log( + `\nDone. Wrote ${checkFiles.length} workflow file(s) to ${OUTPUT_DIR}`, + ); +} + +main(); diff --git a/tsconfig.json b/tsconfig.json index 7676dc322e..6be84577ad 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -28,5 +28,5 @@ "esModuleInterop": true, /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */ "resolveJsonModule": true, }, - "exclude": ["node_modules"] + "exclude": ["node_modules", "pr-checks"] }
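Review bot: The generated "Install yq" step in `main()` downloads `yq_windows_amd64.exe` from the `mikefarah/yq` release named by `YQ_VERSION` and appends its directory to `$GITHUB_PATH` without verifying the file. A release asset behind a tag can be replaced upstream, so the version pin alone does not fix the bytes that later steps execute. Consider adding a pinned digest to the step's `env`, e.g. `YQ_SHA256: "<PLACEHOLDER: sha256 of yq_windows_amd64.exe at v4.50.1>"`, and checking it between the two commands of `run` with `echo "$YQ_SHA256  $YQ_PATH/yq.exe" | sha256sum --check` (assuming `sha256sum` is available in the Windows runner's bash). The same concern applies, to a lesser degree, to the `uses:` references this script emits by mutable tag (`actions/checkout@v6`, `actions/setup-node@v6`, and the other `setup-*` actions) rather than by commit SHA.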