diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b0d604e36..9c32d5ee76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- Added an experimental change which, when analyzing a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis when the latest version does not yet have a cached overlay-base database. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880) ## 4.35.3 - 01 May 2026 diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index fe47faa574..9402aa203a 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -26352,11 +26352,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse2(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse2(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); 
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; 
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs9 = __importStar2(require("fs")); var path9 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants7(); var versionSalt = "1.0"; 
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -75455,7 +75455,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var path9 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); 
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; 
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path9 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs9.existsSync(cachePath) && fs9.existsSync(`${cachePath}.complete`)) { 
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); @@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs9.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -89825,7 +89825,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -89835,9 +89835,9 @@ var require_stream_writable = __commonJS({ if (er) { stream.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; @@ -127883,6 +127883,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", 
@@ -128044,20 +128054,26 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/tracer-config.ts @@ -128654,7 +128670,7 @@ var core12 = __toESM(require_core()); // src/dependency-caching.ts var import_path = require("path"); -var actionsCache3 = __toESM(require_cache4()); +var actionsCache4 = __toESM(require_cache4()); var glob = __toESM(require_glob()); function getJavaTempDependencyDir() { return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository"); diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 5d1779110f..6d2b9f7a5e 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js 
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare2 = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; 
@@ -88952,6 +88952,32 @@ var persistInputs = function() { ); core4.saveState(persistedInputsKey, JSON.stringify(inputEnvironmentVariables)); }; +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -89048,7 +89074,7 @@ var SarifScanOrder = [ ]; // src/analyze.ts -var fs13 = __toESM(require("fs")); +var fs14 = __toESM(require("fs")); var path12 = __toESM(require("path")); var import_perf_hooks2 = require("perf_hooks"); var io5 = __toESM(require_io()); @@ -89332,7 +89358,7 @@ function wrapApiConfigurationError(e) { } // src/codeql.ts -var fs12 = __toESM(require("fs")); +var fs13 = __toESM(require("fs")); var path11 = __toESM(require("path")); var core11 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); 
@@ -89729,6 +89755,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs6 = __toESM(require("fs")); @@ -90240,6 +90276,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -90300,10 +90346,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -90408,11 +90458,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -90471,34 +90521,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
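Review bot: `.sort(semver5.rcompare)` throws a TypeError on any element that is not a valid semver string, whereas the removed `reduce` compared with `>` and never threw (it was also wrong for 2.10.0 vs 2.9.0, which the semver sort fixes). If getCliVersionFromFeatureFlag, whose body starts before this hunk, can return a non-semver string from a mis-named `default_codeql_version_*_enabled` flag, one bad flag now aborts setup instead of being ignored. Guarding before the sort, `.filter((f) => f !== void 0 && semver5.valid(f) !== null)`, keeps the documented fallback to `defaults.json` reachable. This file is generated output, so the change belongs in src/feature-flags.ts.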
@@ -90673,6 +90730,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache4()); @@ -90885,11 +90953,11 @@ function getPrimaryAnalysisConfig(config) { } // src/setup-codeql.ts -var fs10 = __toESM(require("fs")); +var fs11 = __toESM(require("fs")); var path9 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; 
@@ -90935,14 +91003,203 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var fs8 = __toESM(require("fs")); +var actionsCache3 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION2 = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +var MAX_CACHE_OPERATION_MS2 = 6e5; +async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { + const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); + if (!fs8.existsSync(baseDatabaseOidsFilePath)) { + logger.warning( + `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` + ); + return false; + } + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.debug( + `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } + return true; +} +async function cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger) { + const overlayDatabaseMode = config.overlayDatabaseMode; + if (overlayDatabaseMode !== "overlay-base" /* OverlayBase */) { + logger.debug( + `Overlay database mode is ${overlayDatabaseMode}. Skip uploading overlay-base database to cache.` + ); + return false; + } + if (!config.useOverlayDatabaseCaching) { + logger.debug( + "Overlay database caching is disabled. Skip uploading overlay-base database to cache." 
+ ); + return false; + } + if (isInTestMode()) { + logger.debug( + "In test mode. Skip uploading overlay-base database to cache." + ); + return false; + } + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, + config, + logger, + "Abort uploading overlay-base database to cache" + ); + if (!databaseIsValid) { + return false; + } + await withGroupAsync("Cleaning up databases", async () => { + await codeql.databaseCleanupCluster(config, "overlay" /* Overlay */); + }); + const dbLocation = config.dbLocation; + const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); + if (databaseSizeBytes === void 0) { + logger.warning( + "Failed to determine database size. Skip uploading overlay-base database to cache." + ); + return false; + } + if (databaseSizeBytes > OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES) { + const databaseSizeMB = Math.round(databaseSizeBytes / 1e6); + logger.warning( + `Database size (${databaseSizeMB} MB) exceeds maximum upload size (${OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB} MB). Skip uploading overlay-base database to cache.` + ); + return false; + } + const codeQlVersion = (await codeql.getVersion()).version; + const checkoutPath = getRequiredInput("checkout_path"); + const cacheSaveKey = await getCacheSaveKey( + config, + codeQlVersion, + checkoutPath, + logger + ); + logger.info( + `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}` + ); + try { + const cacheId = await waitForResultWithTimeLimit( + MAX_CACHE_OPERATION_MS2, + actionsCache3.saveCache([dbLocation], cacheSaveKey), + () => { + } + ); + if (cacheId === void 0) { + logger.warning("Timed out while uploading overlay-base database"); + return false; + } + } catch (error3) { + logger.warning( + `Failed to upload overlay-base database to cache: ${error3 instanceof Error ? 
error3.message : String(error3)}` + ); + return false; + } + logger.info(`Successfully uploaded overlay-base database from ${dbLocation}`); + return true; +} +async function getCacheSaveKey(config, codeQlVersion, checkoutPath, logger) { + let runId = 1; + let attemptId = 1; + try { + runId = getWorkflowRunID(); + attemptId = getWorkflowRunAttempt(); + } catch (e) { + logger.warning( + `Failed to get workflow run ID or attempt ID. Reason: ${getErrorMessage(e)}` + ); + } + const sha = await getCommitOid(checkoutPath); + const restoreKeyPrefix = await getCacheRestoreKeyPrefix( + config, + codeQlVersion + ); + return `${restoreKeyPrefix}${sha}-${runId}-${attemptId}`; +} +async function getCacheRestoreKeyPrefix(config, codeQlVersion) { + return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; +} +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." 
+ ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); -var fs8 = __toESM(require("fs")); +var fs9 = __toESM(require("fs")); var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { 
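Review bot: In getCodeQlVersionsForOverlayBaseDatabases, `cache.key.substring(cacheKeyPrefix.length)` assumes every entry returned by listActionsCaches starts with `cacheKeyPrefix`; a key that merely contains it, or a server-side match looser than a strict prefix, yields a substring whose leading digits can still pass `semver6.valid`. A cheap guard, `if (!cache.key || !cache.key.startsWith(cacheKeyPrefix)) continue;`, makes the parse independent of the listing API's matching rules. The versions returned here feed CLI version selection for the run, and since the listing is keyed only by prefix rather than by this run's restorable ref scope, a base database cached on an unrelated branch appears able to steer the choice toward an older enabled CLI whose database is not actually restorable here; passing the PR base or current ref to the listing, if listActionsCaches supports it, would narrow that. This file is generated from src/overlay/caching.ts, where the fix should land.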
@@ -90984,9 +91241,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -90995,7 +91252,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -91010,7 +91267,7 @@ async function isZstdAvailable(logger) { } } async function extract(tarPath, dest, compressionMethod, tarVersion, logger) { - fs8.mkdirSync(dest, { recursive: true }); + fs9.mkdirSync(dest, { recursive: true }); switch (compressionMethod) { case "gzip": return await toolcache.extractTar(tarPath, dest); @@ -91094,7 +91351,7 @@ function inferCompressionMethod(tarPath) { } // src/tools-download.ts -var fs9 = __toESM(require("fs")); +var fs10 = __toESM(require("fs")); var os2 = __toESM(require("os")); var path8 = __toESM(require("path")); var import_perf_hooks = require("perf_hooks"); @@ -91102,7 +91359,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { 
@@ -91201,7 +91458,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat }; } async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) { - fs9.mkdirSync(dest, { recursive: true }); + fs10.mkdirSync(dest, { recursive: true }); const agent = new import_http_client.HttpClient().getAgent(codeqlURL); headers = Object.assign( { "User-Agent": "CodeQL Action" }, @@ -91232,13 +91489,13 @@ function getToolcacheDirectory(version) { return path8.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os2.arch() || "" ); } function writeToolcacheMarkerFile(extractedPath, logger) { const markerFilePath = `${extractedPath}.complete`; - fs9.writeFileSync(markerFilePath, ""); + fs10.writeFileSync(markerFilePath, ""); logger.info(`Created toolcache marker file ${markerFilePath}`); } function sanitizeUrlForStatusReport(url2) { @@ -91357,13 +91614,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } @@ -91373,7 +91630,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({ folder: toolcache3.find("CodeQL", version), version - })).filter(({ folder }) => fs10.existsSync(path9.join(folder, "pinned-version"))); + })).filter(({ folder }) => fs11.existsSync(path9.join(folder, "pinned-version"))); if (candidates.length === 1) { const candidate = candidates[0]; logger.debug( 
@@ -91395,7 +91652,84 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + const overlayVersions = defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. 
Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); 
@@ -91489,21 +91823,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -91700,7 +92046,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -91710,6 +92056,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, 
@@ -91768,7 +92115,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -91800,7 +92147,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -91820,7 +92167,7 @@ function isReservedToolsValue(tools) { } // src/tracer-config.ts -var fs11 = __toESM(require("fs")); +var fs12 = __toESM(require("fs")); var path10 = __toESM(require("path")); async function shouldEnableIndirectTracing(codeql, config) { if (config.buildMode === "none" /* None */) { @@ -91840,14 +92187,14 @@ async function endTracingForCluster(codeql, config, logger) { config.dbLocation, "temp/tracingEnvironment/end-tracing.json" ); - if (!fs11.existsSync(envVariablesFile)) { + if (!fs12.existsSync(envVariablesFile)) { throw new Error( `Environment file for ending tracing not found: ${envVariablesFile}` ); } try { const endTracingEnvVariables = JSON.parse( - fs11.readFileSync(envVariablesFile, "utf8") + fs12.readFileSync(envVariablesFile, "utf8") ); for (const [key, value] of Object.entries(endTracingEnvVariables)) { if (value !== null) { 
@@ -91870,7 +92217,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -91884,6 +92231,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -91959,7 +92307,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { "tools", "tracing-config.lua" ); - return fs12.existsSync(tracingConfigPath); + return fs13.existsSync(tracingConfigPath); }, async isScannedLanguage(language) { return !await this.isTracedLanguage(language); @@ -92435,7 +92783,7 @@ async function writeCodeScanningConfigFile(config, logger) { logger.startGroup("Augmented user configuration file contents"); logger.info(dump(augmentedConfig)); logger.endGroup(); - fs12.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); + fs13.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; @@ -92527,7 +92875,7 @@ async function runAutobuild(config, language, logger) { // src/dependency-caching.ts var os3 = __toESM(require("os")); var import_path2 = require("path"); -var actionsCache3 = __toESM(require_cache4()); +var actionsCache4 = __toESM(require_cache4()); var glob = __toESM(require_glob()); var CODEQL_DEPENDENCY_CACHE_PREFIX = "codeql-dependencies"; var CODEQL_DEPENDENCY_CACHE_VERSION = 1; 
@@ -92665,7 +93013,7 @@ async function uploadDependencyCaches(codeql, features, config, logger) { ); try { const start = performance.now(); - await actionsCache3.saveCache( + await actionsCache4.saveCache( await cacheConfig.getDependencyPaths(codeql, features), key ); @@ -92677,7 +93025,7 @@ async function uploadDependencyCaches(codeql, features, config, logger) { upload_duration_ms }); } catch (error3) { - if (error3 instanceof actionsCache3.ReserveCacheError) { + if (error3 instanceof actionsCache4.ReserveCacheError) { logger.info( `Not uploading cache for ${language}, because ${key} is already in use.` ); @@ -92785,7 +93133,7 @@ function dbIsFinalized(config, language, logger) { const dbPath = getCodeQLDatabasePath(config, language); try { const dbInfo = load( - fs13.readFileSync(path12.resolve(dbPath, "codeql-database.yml"), "utf8") + fs14.readFileSync(path12.resolve(dbPath, "codeql-database.yml"), "utf8") ); return !("inProgress" in dbInfo); } catch { @@ -92870,8 +93218,8 @@ function writeDiffRangeDataExtensionPack(logger, ranges, checkoutPath) { ranges = [{ path: "", startLine: 0, endLine: 0 }]; } const diffRangeDir = path12.join(getTemporaryDirectory(), "pr-diff-range"); - fs13.mkdirSync(diffRangeDir, { recursive: true }); - fs13.writeFileSync( + fs14.mkdirSync(diffRangeDir, { recursive: true }); + fs14.writeFileSync( path12.join(diffRangeDir, "qlpack.yml"), ` name: codeql-action/pr-diff-range @@ -92888,7 +93236,7 @@ dataExtensions: checkoutPath ); const extensionFilePath = path12.join(diffRangeDir, "pr-diff-range.yml"); - fs13.writeFileSync(extensionFilePath, extensionContents); + fs14.writeFileSync(extensionFilePath, extensionContents); logger.debug( `Wrote pr-diff-range extension pack to ${extensionFilePath}: ${extensionContents}` 
@@ -93040,7 +93388,7 @@ async function runQueries(sarifFolder, memoryFlag, threadsFlag, diffRangePackDir } function getPerQueryAlertCounts(sarifPath) { const sarifObject = JSON.parse( - fs13.readFileSync(sarifPath, "utf8") + fs14.readFileSync(sarifPath, "utf8") ); const perQueryAlertCounts = {}; for (const sarifRun of sarifObject.runs) { @@ -93058,13 +93406,13 @@ async function runQueries(sarifFolder, memoryFlag, threadsFlag, diffRangePackDir } async function runFinalize(features, outputDir, threadsFlag, memoryFlag, codeql, config, logger) { try { - await fs13.promises.rm(outputDir, { force: true, recursive: true }); + await fs14.promises.rm(outputDir, { force: true, recursive: true }); } catch (error3) { if (error3?.code !== "ENOENT") { throw error3; } } - await fs13.promises.mkdir(outputDir, { recursive: true }); + await fs14.promises.mkdir(outputDir, { recursive: true }); const timings = await finalizeDatabaseCreation( codeql, features, @@ -93108,7 +93456,7 @@ async function warnIfGoInstalledAfterInit(config, logger) { } // src/database-upload.ts -var fs14 = __toESM(require("fs")); +var fs15 = __toESM(require("fs")); async function cleanupAndUploadDatabases(repositoryNwo, codeql, config, apiDetails, features, logger) { if (getRequiredInput("upload-database") !== "true") { logger.debug("Database upload disabled in workflow. Skipping upload."); @@ -93144,7 +93492,7 @@ async function cleanupAndUploadDatabases(repositoryNwo, codeql, config, apiDetai const bundledDb = await bundleDb(config, language, codeql, language, { includeDiagnostics: false }); - bundledDbSize = fs14.statSync(bundledDb).size; + bundledDbSize = fs15.statSync(bundledDb).size; const commitOid = await getCommitOid( getRequiredInput("checkout_path") ); 
@@ -93207,7 +93555,7 @@ async function uploadBundledDatabase(repositoryNwo, language, commitOid, bundled if (uploadsBaseUrl.endsWith("/")) { uploadsBaseUrl = uploadsBaseUrl.slice(0, -1); } - const bundledDbReadStream = fs14.createReadStream(bundledDb); + const bundledDbReadStream = fs15.createReadStream(bundledDb); try { const startTime = performance.now(); await client.request( 
@@ -93237,151 +93585,6 @@ async function uploadBundledDatabase(repositoryNwo, language, commitOid, bundled } } -// src/overlay/caching.ts -var fs15 = __toESM(require("fs")); -var actionsCache4 = __toESM(require_cache4()); -var semver9 = __toESM(require_semver2()); -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; -var CACHE_VERSION2 = 1; -var CACHE_PREFIX = "codeql-overlay-base-database"; -var MAX_CACHE_OPERATION_MS2 = 6e5; -async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { - const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); - if (!fs15.existsSync(baseDatabaseOidsFilePath)) { - logger.warning( - `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` - ); - return false; - } - for (const language of config.languages) { - const dbPath = getCodeQLDatabasePath(config, language); - try { - const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); - if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { - logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); - return false; - } else { - logger.debug( - `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` - ); - } - } catch (e) { - logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); - return false; - } - } - return true; -} -async function cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger) { - const overlayDatabaseMode = config.overlayDatabaseMode; - if (overlayDatabaseMode !== "overlay-base" /* OverlayBase */) { - logger.debug( - `Overlay database mode is ${overlayDatabaseMode}. Skip uploading overlay-base database to cache.` - ); - return false; - } - if (!config.useOverlayDatabaseCaching) { - logger.debug( - "Overlay database caching is disabled. Skip uploading overlay-base database to cache." 
- ); - return false; - } - if (isInTestMode()) { - logger.debug( - "In test mode. Skip uploading overlay-base database to cache." - ); - return false; - } - const databaseIsValid = await checkOverlayBaseDatabase( - codeql, - config, - logger, - "Abort uploading overlay-base database to cache" - ); - if (!databaseIsValid) { - return false; - } - await withGroupAsync("Cleaning up databases", async () => { - await codeql.databaseCleanupCluster(config, "overlay" /* Overlay */); - }); - const dbLocation = config.dbLocation; - const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); - if (databaseSizeBytes === void 0) { - logger.warning( - "Failed to determine database size. Skip uploading overlay-base database to cache." - ); - return false; - } - if (databaseSizeBytes > OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES) { - const databaseSizeMB = Math.round(databaseSizeBytes / 1e6); - logger.warning( - `Database size (${databaseSizeMB} MB) exceeds maximum upload size (${OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB} MB). Skip uploading overlay-base database to cache.` - ); - return false; - } - const codeQlVersion = (await codeql.getVersion()).version; - const checkoutPath = getRequiredInput("checkout_path"); - const cacheSaveKey = await getCacheSaveKey( - config, - codeQlVersion, - checkoutPath, - logger - ); - logger.info( - `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}` - ); - try { - const cacheId = await waitForResultWithTimeLimit( - MAX_CACHE_OPERATION_MS2, - actionsCache4.saveCache([dbLocation], cacheSaveKey), - () => { - } - ); - if (cacheId === void 0) { - logger.warning("Timed out while uploading overlay-base database"); - return false; - } - } catch (error3) { - logger.warning( - `Failed to upload overlay-base database to cache: ${error3 instanceof Error ? 
error3.message : String(error3)}` - ); - return false; - } - logger.info(`Successfully uploaded overlay-base database from ${dbLocation}`); - return true; -} -async function getCacheSaveKey(config, codeQlVersion, checkoutPath, logger) { - let runId = 1; - let attemptId = 1; - try { - runId = getWorkflowRunID(); - attemptId = getWorkflowRunAttempt(); - } catch (e) { - logger.warning( - `Failed to get workflow run ID or attempt ID. Reason: ${getErrorMessage(e)}` - ); - } - const sha = await getCommitOid(checkoutPath); - const restoreKeyPrefix = await getCacheRestoreKeyPrefix( - config, - codeQlVersion - ); - return `${restoreKeyPrefix}${sha}-${runId}-${attemptId}`; -} -async function getCacheRestoreKeyPrefix(config, codeQlVersion) { - return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; -} -async function getCacheKeyPrefixBase(parsedLanguages) { - const languagesComponent = [...parsedLanguages].sort().join("_"); - const cacheKeyComponents = { - automationID: await getAutomationID() - // Add more components here as needed in the future - }; - const componentsHash = createCacheKeyHash(cacheKeyComponents); - return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; -} - // src/status-report.ts var os4 = __toESM(require("os")); var core13 = __toESM(require_core()); @@ -94724,7 +94927,7 @@ var core14 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io6 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -94738,6 +94941,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true 
@@ -94886,9 +95090,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action @@ -94896,6 +95098,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 17c427eda4..7dae64086c 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -26352,11 +26352,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse2(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse2(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); 
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; 
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs8 = __importStar2(require("fs")); var path9 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants7(); var versionSalt = "1.0"; 
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -75455,7 +75455,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var path9 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); 
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; 
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path9 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs8.existsSync(cachePath) && fs8.existsSync(`${cachePath}.complete`)) { 
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io5.rmRF(folderPath); @@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs8.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -86692,6 +86692,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -86752,10 +86762,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -86860,11 +86874,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -86923,34 +86937,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
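Review bot: `.sort(semver5.rcompare)` throws `TypeError: Invalid Version` if any string coming out of `getCliVersionFromFeatureFlag` is not parseable semver, whereas the lexicographic `>` reduce it replaces never threw; only that helper's `return version;` tail is in view, so whether it already rejects malformed flag names cannot be confirmed here. A cheap guard that keeps one bad flag from the API from taking down the whole default-version lookup is `.filter((v) => v !== void 0 && semver5.valid(v) !== null).sort(semver5.rcompare)`. The new doc comment should also state the contract the caller now depends on: `enabledVersions` is sorted descending, so `enabledVersions[0]` is the previous single default and any later entry is a deliberate, older CLI that the overlay-matching feature (and its dry-run flag) may choose, which is a downgrade path worth keeping visible. This is compiled output of src/feature-flags.ts and the identical hunk appears again in lib/init-action-post.js, so the change belongs in the source with the bundles regenerated.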
@@ -87180,20 +87201,26 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/tracer-config.ts diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 2794b130e2..ed46f610b9 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var os4 = __importStar2(require("os")); var utils_1 = require_utils(); 
@@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4287,11 +4287,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -4564,7 +4564,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4579,7 +4579,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); 
@@ -5643,8 +5643,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17052,13 +17052,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17071,7 +17071,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17143,9 +17143,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { 
@@ -17165,7 +17165,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17195,7 +17195,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -26352,11 +26352,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse2(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse2(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); 
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; 
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -32371,7 +32371,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles2; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core19 = __importStar2(require_core()); var fs21 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -32384,7 +32384,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core19.info : core19.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { 
@@ -32400,7 +32400,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash2 = crypto2.createHash("sha256"); + const hash2 = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs21.createReadStream(file), hash2); result.write(hash2.digest()); @@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -33776,10 +33776,10 @@ var require_cacheUtils = __commonJS({ var exec3 = __importStar2(require_exec()); var glob2 = __importStar2(require_glob()); var io7 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var path19 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants7(); var versionSalt = "1.0"; @@ -33800,7 +33800,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path19.join(baseLocation, "actions", "temp"); } - const dest = path19.join(tempDirectory, crypto2.randomUUID()); + const dest = path19.join(tempDirectory, crypto3.randomUUID()); yield io7.mkdirP(dest); return dest; }); 
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core19.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -33908,7 +33908,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; @@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core19 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -75455,7 +75455,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { 
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core19 = __importStar2(require_core()); var path19 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core19.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core19.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os4 = require("os"); var cp = require("child_process"); 
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -81671,13 +81671,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core19 = __importStar2(require_core()); var io7 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os4 = __importStar2(require("os")); var path19 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); 
@@ -81696,7 +81696,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url2, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path19.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path19.join(_getTempDirectory(), crypto3.randomUUID()); yield io7.mkdirP(path19.dirname(dest)); core19.debug(`Downloading ${url2}`); core19.debug(`Destination ${dest}`); @@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os4.arch(); core19.debug(`Caching tool ${tool} ${version} ${arch2}`); core19.debug(`source dir: ${sourceDir}`); @@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os4.arch(); core19.debug(`Caching tool ${tool} ${version} ${arch2}`); core19.debug(`source file: ${sourceFile}`); @@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path19.join(_getCacheDirectory(), toolName, versionSpec, arch2); core19.debug(`checking cache: ${cachePath}`); if (fs21.existsSync(cachePath) && fs21.existsSync(`${cachePath}.complete`)) { 
@@ -82070,7 +82070,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path19.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path19.join(_getTempDirectory(), crypto3.randomUUID()); } yield io7.mkdirP(dest); return dest; @@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path19.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path19.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core19.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io7.rmRF(folderPath); 
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path19.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path19.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs21.writeFileSync(markerPath, ""); core19.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core19.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core19.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core19.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core19.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -85551,7 +85551,7 @@ var require_blob_upload = __commonJS({ var storage_blob_1 = require_commonjs15(); var config_1 = require_config2(); var core19 = __importStar2(require_core()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var stream2 = __importStar2(require("stream")); var errors_1 = require_errors3(); function uploadZipToBlobStorage(authenticatedUploadURL, zipUploadStream) { 
@@ -85589,7 +85589,7 @@ var require_blob_upload = __commonJS({ }; let sha256Hash = void 0; const uploadStream = new stream2.PassThrough(); - const hashStream = crypto2.createHash("sha256"); + const hashStream = crypto3.createHash("sha256"); zipUploadStream.pipe(uploadStream); zipUploadStream.pipe(hashStream).setEncoding("hex"); core19.info("Beginning upload of artifact content to blob storage"); @@ -89825,7 +89825,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream2, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -89835,9 +89835,9 @@ var require_stream_writable = __commonJS({ if (er) { stream2.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; @@ -117858,7 +117858,7 @@ var require_download_artifact = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.downloadArtifactInternal = exports2.downloadArtifactPublic = exports2.streamExtractExternal = void 0; var promises_1 = __importDefault2(require("fs/promises")); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var stream2 = __importStar2(require("stream")); var github4 = __importStar2(require_github2()); var core19 = __importStar2(require_core()); @@ -117919,7 +117919,7 @@ var require_download_artifact = __commonJS({ reject(timeoutError); }; const timer = setTimeout(timerFn, opts.timeout); - const hashStream = crypto2.createHash("sha256").setEncoding("hex"); + const hashStream = crypto3.createHash("sha256").setEncoding("hex"); const passThrough = new stream2.PassThrough(); response.message.pipe(passThrough); passThrough.pipe(hashStream); 
@@ -118948,7 +118948,7 @@ var require_file_command2 = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.prepareKeyValueMessage = exports2.issueFileCommand = void 0; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var os4 = __importStar2(require("os")); var utils_1 = require_utils10(); @@ -118966,7 +118966,7 @@ var require_file_command2 = __commonJS({ } exports2.issueFileCommand = issueFileCommand; function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -121723,7 +121723,7 @@ var require_tmp = __commonJS({ var fs21 = require("fs"); var os4 = require("os"); var path19 = require("path"); - var crypto2 = require("crypto"); + var crypto3 = require("crypto"); var _c = { fs: fs21.constants, os: os4.constants }; var RANDOM_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; var TEMPLATE_PATTERN = /XXXXXX/; @@ -121903,9 +121903,9 @@ var require_tmp = __commonJS({ function _randomChars(howMany) { let value = [], rnd = null; try { - rnd = crypto2.randomBytes(howMany); + rnd = crypto3.randomBytes(howMany); } catch (e) { - rnd = crypto2.pseudoRandomBytes(howMany); + rnd = crypto3.pseudoRandomBytes(howMany); } for (let i = 0; i < howMany; i++) { value.push(RANDOM_CHARS[rnd[i] % RANDOM_CHARS.length]); 
@@ -130167,6 +130167,32 @@ var restoreInputs = function() { } } }; +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -130390,6 +130416,11 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} function computeAutomationID(analysis_key, environment) { let automationID = `${analysis_key}/`; const matrix = parseMatrixInput(environment); 
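Review bot: In `getPullRequestBranches` the Default Setup fallback returns `undefined` when only one of `CODE_SCANNING_REF` / `CODE_SCANNING_BASE_BRANCH` is set, so a partially configured environment silently drops PR mode and everything keyed off `isAnalyzingPullRequest()` with nothing in the log. A one-line warning in that branch, `if ((codeScanningRef === void 0) !== (codeScanningBaseBranch === void 0)) core5.warning("Only one of CODE_SCANNING_REF and CODE_SCANNING_BASE_BRANCH is set; not treating this run as a pull request analysis.");`, would make that failure mode visible (`core5` is the logger used elsewhere in this hunk's module). The payload branch dereferences `pullRequest.base.ref` and `pullRequest.head.label` without a guard; a `pull_request` payload is presumably always complete, but since `head.label` is `owner:branch` and owner-controlled for fork PRs, any later consumer that embeds it unhashed into a path or cache key must treat it as untrusted input. This is bundled output, so the change belongs in the corresponding src/ module.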
@@ -130455,7 +130486,13 @@ function wrapApiConfigurationError(e) { } // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core6 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/codeql.ts var fs12 = __toESM(require("fs")); @@ -130891,6 +130928,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs6 = __toESM(require("fs")); @@ -131406,6 +131453,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -131466,10 +131523,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** 
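Review bot: `createCacheKeyHash` hashes `JSON.stringify(components)`, so the resulting key depends on property insertion order and on `undefined`-valued properties being dropped; two callers building the same logical components in a different order get different cache keys, and `JSON.stringify(undefined)` yields `undefined`, which makes `update()` throw. Either sort keys before stringifying or pin the contract in a doc comment on the function: `/** SHA-256 of the JSON form of components, truncated to 64 bits. Callers must pass a stable, JSON-serialisable value (object key order is significant). Long enough to namespace a cache key, not an integrity check. */`. Hashing rather than concatenating is the right call if, as the new `getPullRequestBranches` suggests, branch labels from fork PRs end up in these components, because it prevents them from injecting key separators; that reasoning is worth a sentence in the comment. This is bundled output of src/caching-utils.ts, so make the change there.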
@@ -131574,11 +131635,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -131637,34 +131698,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
@@ -131839,6 +131907,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var fs7 = __toESM(require("fs")); @@ -131977,7 +132056,7 @@ var fs11 = __toESM(require("fs")); var path10 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; 
@@ -132023,6 +132102,67 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? 
"database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); var fs9 = __toESM(require("fs")); @@ -132030,7 +132170,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -132072,9 +132212,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -132083,7 +132223,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; 
@@ -132190,7 +132330,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -132320,7 +132460,7 @@ function getToolcacheDirectory(version) { return path9.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os.arch() || "" ); } @@ -132445,13 +132585,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -132483,7 +132623,84 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + const overlayVersions = defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. 
Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); 
@@ -132577,21 +132794,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -132788,7 +133017,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -132798,6 +133027,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, 
@@ -132856,7 +133086,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -132888,7 +133118,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -132925,7 +133155,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -132939,6 +133169,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -133550,7 +133781,7 @@ var io5 = __toESM(require_io()); var core12 = __toESM(require_core()); // src/dependency-caching.ts -var actionsCache3 = __toESM(require_cache4()); +var actionsCache4 = __toESM(require_cache4()); var glob = __toESM(require_glob()); var CODEQL_DEPENDENCY_CACHE_PREFIX = "codeql-dependencies"; async function getDependencyCacheUsage(logger) { 
@@ -135195,7 +135426,7 @@ var core14 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io6 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -135209,6 +135440,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -135357,9 +135589,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action @@ -135367,6 +135597,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); @@ -135382,7 +135614,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo return readSarifFile(outputFile); } function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) { - const automationID = getAutomationID(category, analysis_key, environment); + const automationID = getAutomationID2(category, analysis_key, environment); if (automationID !== void 0) { for (const run2 of sarifFile.runs || []) { if (run2.automationDetails === void 0) { 
@@ -135395,7 +135627,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ } return sarifFile; } -function getAutomationID(category, analysis_key, environment) { +function getAutomationID2(category, analysis_key, environment) { if (category !== void 0) { let automationID = category; if (!automationID.endsWith("/")) { diff --git a/lib/init-action.js b/lib/init-action.js index 3769eab060..8424fffe0e 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -33101,8 +33101,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; 
@@ -86638,6 +86638,18 @@ function computeAutomationID(analysis_key, environment) { } return automationID; } +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} async function getRepositoryProperties(repositoryNwo) { return getApiClient().request("GET /repos/:owner/:repo/properties/values", { owner: repositoryNwo.owner, @@ -87797,6 +87809,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -87857,10 +87879,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** 
@@ -87965,11 +87991,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -88028,34 +88054,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
@@ -88361,6 +88394,17 @@ var BuiltInLanguage = /* @__PURE__ */ ((BuiltInLanguage2) => { return BuiltInLanguage2; })(BuiltInLanguage || {}); var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/diagnostics.ts async function addOverlayDisablementDiagnostics(config, codeql, overlayDisabledReason) { @@ -89608,7 +89652,7 @@ var internal = { }; // src/init.ts -var fs15 = __toESM(require("fs")); +var fs16 = __toESM(require("fs")); var path15 = __toESM(require("path")); var core12 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); @@ -89616,7 +89660,7 @@ var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); // src/codeql.ts -var fs14 = __toESM(require("fs")); +var fs15 = __toESM(require("fs")); var path14 = __toESM(require("path")); var core11 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); 
@@ -89870,20 +89914,221 @@ function wrapCliConfigurationError(cliError) { } // src/setup-codeql.ts -var fs12 = __toESM(require("fs")); +var fs13 = __toESM(require("fs")); var path12 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var fs10 = __toESM(require("fs")); +var actionsCache4 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION2 = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +var MAX_CACHE_OPERATION_MS3 = 6e5; +async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { + const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); + if (!fs10.existsSync(baseDatabaseOidsFilePath)) { + logger.warning( + `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` + ); + return false; + } + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.debug( + `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } + return true; +} +async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) { + const overlayDatabaseMode = config.overlayDatabaseMode; + if (overlayDatabaseMode !== "overlay" /* Overlay */) { + logger.debug( 
+ `Overlay database mode is ${overlayDatabaseMode}. Skip downloading overlay-base database from cache.` + ); + return void 0; + } + if (!config.useOverlayDatabaseCaching) { + logger.debug( + "Overlay database caching is disabled. Skip downloading overlay-base database from cache." + ); + return void 0; + } + if (isInTestMode()) { + logger.debug( + "In test mode. Skip downloading overlay-base database from cache." + ); + return void 0; + } + const dbLocation = config.dbLocation; + const codeQlVersion = (await codeql.getVersion()).version; + const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix( + config, + codeQlVersion + ); + logger.info( + `Looking in Actions cache for overlay-base database with restore key ${cacheRestoreKeyPrefix}` + ); + let databaseDownloadDurationMs = 0; + try { + const databaseDownloadStart = performance.now(); + const foundKey = await waitForResultWithTimeLimit( + // This ten-minute limit for the cache restore operation is mainly to + // guard against the possibility that the cache service is unresponsive + // and hangs outside the data download. + // + // Data download (which is normally the most time-consuming part of the + // restore operation) should not run long enough to hit this limit. Even + // for an extremely large 10GB database, at a download speed of 40MB/s + // (see below), the download should complete within five minutes. If we + // do hit this limit, there are likely more serious problems other than + // mere slow download speed. + // + // This is important because we don't want any ongoing file operations + // on the database directory when we do hit this limit. Hitting this + // time limit takes us to a fallback path where we re-initialize the + // database from scratch at dbLocation, and having the cache restore + // operation continue to write into dbLocation in the background would + // really mess things up. We want to hit this limit only in the case + // of a hung cache service, not just slow download speed. 
+ MAX_CACHE_OPERATION_MS3, + actionsCache4.restoreCache( + [dbLocation], + cacheRestoreKeyPrefix, + void 0, + { + // Azure SDK download (which is the default) uses 128MB segments; see + // https://github.com/actions/toolkit/blob/main/packages/cache/README.md. + // Setting segmentTimeoutInMs to 3000 translates to segment download + // speed of about 40 MB/s, which should be achievable unless the + // download is unreliable (in which case we do want to abort). + segmentTimeoutInMs: 3e3 + } + ), + () => { + logger.info("Timed out downloading overlay-base database from cache"); + } + ); + databaseDownloadDurationMs = Math.round( + performance.now() - databaseDownloadStart + ); + if (foundKey === void 0) { + logger.info("No overlay-base database found in Actions cache"); + return void 0; + } + logger.info( + `Downloaded overlay-base database in cache with key ${foundKey}` + ); + } catch (error3) { + logger.warning( + `Failed to download overlay-base database from cache: ${error3 instanceof Error ? 
error3.message : String(error3)}` + ); + return void 0; + } + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, + config, + logger, + "Downloaded overlay-base database is invalid" + ); + if (!databaseIsValid) { + logger.warning("Downloaded overlay-base database failed validation"); + return void 0; + } + const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); + if (databaseSizeBytes === void 0) { + logger.info( + "Filesystem error while accessing downloaded overlay-base database" + ); + return void 0; + } + logger.info(`Successfully downloaded overlay-base database to ${dbLocation}`); + return { + databaseSizeBytes: Math.round(databaseSizeBytes), + databaseDownloadDurationMs + }; +} +async function getCacheRestoreKeyPrefix(config, codeQlVersion) { + return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; +} +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." 
+ ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} // src/tar.ts var import_child_process = require("child_process"); -var fs10 = __toESM(require("fs")); +var fs11 = __toESM(require("fs")); var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { 
@@ -89925,9 +90170,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -89936,7 +90181,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -89951,7 +90196,7 @@ async function isZstdAvailable(logger) { } } async function extract(tarPath, dest, compressionMethod, tarVersion, logger) { - fs10.mkdirSync(dest, { recursive: true }); + fs11.mkdirSync(dest, { recursive: true }); switch (compressionMethod) { case "gzip": return await toolcache.extractTar(tarPath, dest); @@ -90035,7 +90280,7 @@ function inferCompressionMethod(tarPath) { } // src/tools-download.ts -var fs11 = __toESM(require("fs")); +var fs12 = __toESM(require("fs")); var os4 = __toESM(require("os")); var path11 = __toESM(require("path")); var import_perf_hooks2 = require("perf_hooks"); @@ -90043,7 +90288,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { 
@@ -90142,7 +90387,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat }; } async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) { - fs11.mkdirSync(dest, { recursive: true }); + fs12.mkdirSync(dest, { recursive: true }); const agent = new import_http_client.HttpClient().getAgent(codeqlURL); headers = Object.assign( { "User-Agent": "CodeQL Action" }, @@ -90173,13 +90418,13 @@ function getToolcacheDirectory(version) { return path11.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os4.arch() || "" ); } function writeToolcacheMarkerFile(extractedPath, logger) { const markerFilePath = `${extractedPath}.complete`; - fs11.writeFileSync(markerFilePath, ""); + fs12.writeFileSync(markerFilePath, ""); logger.info(`Created toolcache marker file ${markerFilePath}`); } function sanitizeUrlForStatusReport(url) { @@ -90298,13 +90543,13 @@ function tryGetTagNameFromUrl(url, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } @@ -90314,7 +90559,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({ folder: toolcache3.find("CodeQL", version), version - })).filter(({ folder }) => fs12.existsSync(path12.join(folder, "pinned-version"))); + })).filter(({ folder }) => fs13.existsSync(path12.join(folder, "pinned-version"))); if (candidates.length === 1) { const candidate = candidates[0]; logger.debug( 
@@ -90336,7 +90581,84 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + const overlayVersions = defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. 
Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); 
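Review bot: The CLI version chosen in `getEnabledVersionsWithOverlayBaseDatabases` is driven by whatever keys are present in the Actions cache, and the only thing bounding that choice is the `cachedVersionsSet.has(v.cliVersion)` filter over `defaultCliVersion.enabledVersions`, so a stale or attacker-written cache entry can at worst steer analysis to an older but still-enabled CLI, never an arbitrary one; that boundary is the security-relevant invariant here and deserves a comment on the filter, e.g. `// Cache keys are untrusted input: only versions already in enabledVersions may be selected.` The log line in `resolveDefaultCliVersion` claiming the "highest enabled version that has a cached overlay-base database" presumes `enabledVersions` is ordered newest-first, because `overlayVersions[0]` inherits that order rather than the semver-sorted `cachedVersions`; if `getEnabledDefaultCliVersions` does not guarantee that ordering, sort `overlayVersions` by `cliVersion` with semver's `rcompare` before taking index 0. Note also that this runs before the config is built, so unlike `downloadOverlayBaseDatabaseFromCache` it cannot check `overlayDatabaseMode` or `useOverlayDatabaseCaching`, and a PR run that ends up not using overlay analysis may still be moved to the older CLI. This file is a compiled bundle; the change belongs in src/setup-codeql.ts with lib/ regenerated.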
@@ -90430,21 +90752,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown"; @@ -90641,7 +90975,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -90651,6 +90985,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, 
@@ -90709,7 +91044,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -90741,7 +91076,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -90761,7 +91096,7 @@ function isReservedToolsValue(tools) { } // src/tracer-config.ts -var fs13 = __toESM(require("fs")); +var fs14 = __toESM(require("fs")); var path13 = __toESM(require("path")); async function shouldEnableIndirectTracing(codeql, config) { if (config.buildMode === "none" /* None */) { @@ -90774,7 +91109,7 @@ async function shouldEnableIndirectTracing(codeql, config) { } async function getTracerConfigForCluster(config) { const tracingEnvVariables = JSON.parse( - fs13.readFileSync( + fs14.readFileSync( path13.resolve( config.dbLocation, "temp/tracingEnvironment/start-tracing.json" 
@@ -90800,7 +91135,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -90814,6 +91149,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -90883,7 +91219,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { "tools", "tracing-config.lua" ); - return fs14.existsSync(tracingConfigPath); + return fs15.existsSync(tracingConfigPath); }, async isScannedLanguage(language) { return !await this.isTracedLanguage(language); @@ -91359,7 +91695,7 @@ async function writeCodeScanningConfigFile(config, logger) { logger.startGroup("Augmented user configuration file contents"); logger.info(dump(augmentedConfig)); logger.endGroup(); - fs14.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); + fs15.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; @@ -91403,7 +91739,7 @@ async function getJobRunUuidSarifOptions(codeql) { } // src/init.ts -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -91417,6 +91753,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true 
@@ -91437,7 +91774,7 @@ async function initConfig2(features, inputs) { }); } async function runDatabaseInitCluster(databaseInitEnvironment, codeql, config, sourceRoot, processName, qlconfigFile, logger) { - fs15.mkdirSync(config.dbLocation, { recursive: true }); + fs16.mkdirSync(config.dbLocation, { recursive: true }); await wrapEnvironment( databaseInitEnvironment, async () => await codeql.databaseInitCluster( @@ -91473,24 +91810,24 @@ async function checkPacksForOverlayCompatibility(codeql, config, logger) { function checkPackForOverlayCompatibility(packDir, codeQlOverlayVersion, logger) { try { let qlpackPath = path15.join(packDir, "qlpack.yml"); - if (!fs15.existsSync(qlpackPath)) { + if (!fs16.existsSync(qlpackPath)) { qlpackPath = path15.join(packDir, "codeql-pack.yml"); } const qlpackContents = load( - fs15.readFileSync(qlpackPath, "utf8") + fs16.readFileSync(qlpackPath, "utf8") ); if (!qlpackContents.buildMetadata) { return true; } const packInfoPath = path15.join(packDir, ".packinfo"); - if (!fs15.existsSync(packInfoPath)) { + if (!fs16.existsSync(packInfoPath)) { logger.warning( `The query pack at ${packDir} does not have a .packinfo file, so it cannot support overlay analysis. Recompiling the query pack with the latest CodeQL CLI should solve this problem.` ); return false; } const packInfoFileContents = JSON.parse( - fs15.readFileSync(packInfoPath, "utf8") + fs16.readFileSync(packInfoPath, "utf8") ); const packOverlayVersion = packInfoFileContents.overlayVersion; if (typeof packOverlayVersion !== "number") { 
@@ -91525,8 +91862,8 @@ async function checkInstallPython311(languages, codeql) { ]).exec(); } } -function cleanupDatabaseClusterDirectory(config, logger, options = {}, rmSync2 = fs15.rmSync) { - if (fs15.existsSync(config.dbLocation) && (fs15.statSync(config.dbLocation).isFile() || fs15.readdirSync(config.dbLocation).length > 0)) { +function cleanupDatabaseClusterDirectory(config, logger, options = {}, rmSync2 = fs16.rmSync) { + if (fs16.existsSync(config.dbLocation) && (fs16.statSync(config.dbLocation).isFile() || fs16.readdirSync(config.dbLocation).length > 0)) { if (!options.disableExistingDirectoryWarning) { logger.warning( `The database cluster directory ${config.dbLocation} must be empty. Attempting to clean it up.` 
@@ -91630,163 +91967,6 @@ To opt out of this change, ${envVarOptOut}`; core12.exportVariable("CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION" /* DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION */, "true"); } -// src/overlay/caching.ts -var fs16 = __toESM(require("fs")); -var actionsCache4 = __toESM(require_cache4()); -var semver9 = __toESM(require_semver2()); -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; -var CACHE_VERSION2 = 1; -var CACHE_PREFIX = "codeql-overlay-base-database"; -var MAX_CACHE_OPERATION_MS3 = 6e5; -async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { - const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); - if (!fs16.existsSync(baseDatabaseOidsFilePath)) { - logger.warning( - `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` - ); - return false; - } - for (const language of config.languages) { - const dbPath = getCodeQLDatabasePath(config, language); - try { - const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); - if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { - logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); - return false; - } else { - logger.debug( - `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` - ); - } - } catch (e) { - logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); - return false; - } - } - return true; -} -async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) { - const overlayDatabaseMode = config.overlayDatabaseMode; - if (overlayDatabaseMode !== "overlay" /* Overlay */) { - logger.debug( - `Overlay database mode is ${overlayDatabaseMode}. 
Skip downloading overlay-base database from cache.` - ); - return void 0; - } - if (!config.useOverlayDatabaseCaching) { - logger.debug( - "Overlay database caching is disabled. Skip downloading overlay-base database from cache." - ); - return void 0; - } - if (isInTestMode()) { - logger.debug( - "In test mode. Skip downloading overlay-base database from cache." - ); - return void 0; - } - const dbLocation = config.dbLocation; - const codeQlVersion = (await codeql.getVersion()).version; - const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix( - config, - codeQlVersion - ); - logger.info( - `Looking in Actions cache for overlay-base database with restore key ${cacheRestoreKeyPrefix}` - ); - let databaseDownloadDurationMs = 0; - try { - const databaseDownloadStart = performance.now(); - const foundKey = await waitForResultWithTimeLimit( - // This ten-minute limit for the cache restore operation is mainly to - // guard against the possibility that the cache service is unresponsive - // and hangs outside the data download. - // - // Data download (which is normally the most time-consuming part of the - // restore operation) should not run long enough to hit this limit. Even - // for an extremely large 10GB database, at a download speed of 40MB/s - // (see below), the download should complete within five minutes. If we - // do hit this limit, there are likely more serious problems other than - // mere slow download speed. - // - // This is important because we don't want any ongoing file operations - // on the database directory when we do hit this limit. Hitting this - // time limit takes us to a fallback path where we re-initialize the - // database from scratch at dbLocation, and having the cache restore - // operation continue to write into dbLocation in the background would - // really mess things up. We want to hit this limit only in the case - // of a hung cache service, not just slow download speed. 
- MAX_CACHE_OPERATION_MS3, - actionsCache4.restoreCache( - [dbLocation], - cacheRestoreKeyPrefix, - void 0, - { - // Azure SDK download (which is the default) uses 128MB segments; see - // https://github.com/actions/toolkit/blob/main/packages/cache/README.md. - // Setting segmentTimeoutInMs to 3000 translates to segment download - // speed of about 40 MB/s, which should be achievable unless the - // download is unreliable (in which case we do want to abort). - segmentTimeoutInMs: 3e3 - } - ), - () => { - logger.info("Timed out downloading overlay-base database from cache"); - } - ); - databaseDownloadDurationMs = Math.round( - performance.now() - databaseDownloadStart - ); - if (foundKey === void 0) { - logger.info("No overlay-base database found in Actions cache"); - return void 0; - } - logger.info( - `Downloaded overlay-base database in cache with key ${foundKey}` - ); - } catch (error3) { - logger.warning( - `Failed to download overlay-base database from cache: ${error3 instanceof Error ? 
error3.message : String(error3)}` - ); - return void 0; - } - const databaseIsValid = await checkOverlayBaseDatabase( - codeql, - config, - logger, - "Downloaded overlay-base database is invalid" - ); - if (!databaseIsValid) { - logger.warning("Downloaded overlay-base database failed validation"); - return void 0; - } - const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); - if (databaseSizeBytes === void 0) { - logger.info( - "Filesystem error while accessing downloaded overlay-base database" - ); - return void 0; - } - logger.info(`Successfully downloaded overlay-base database to ${dbLocation}`); - return { - databaseSizeBytes: Math.round(databaseSizeBytes), - databaseDownloadDurationMs - }; -} -async function getCacheRestoreKeyPrefix(config, codeQlVersion) { - return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; -} -async function getCacheKeyPrefixBase(parsedLanguages) { - const languagesComponent = [...parsedLanguages].sort().join("_"); - const cacheKeyComponents = { - automationID: await getAutomationID() - // Add more components here as needed in the future - }; - const componentsHash = createCacheKeyHash(cacheKeyComponents); - return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; -} - // src/status-report.ts var os5 = __toESM(require("os")); var core13 = __toESM(require_core()); 
@@ -92354,16 +92534,18 @@ async function run(startedAt) { `The 'init' action should not be run in the same workflow as 'setup-codeql'.` ); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; + const rawLanguages = getRawLanguagesNoAutodetect( + getOptionalInput("languages") + ); const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + rawLanguages, features, logger ); diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index c103fb1be4..3c8d0d7941 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -26352,11 +26352,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse2(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse2(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); 
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; 
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs6 = __importStar2(require("fs")); var path7 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants7(); var versionSalt = "1.0"; 
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core14.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -75455,7 +75455,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var path7 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); 
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; 
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -81677,7 +81677,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path7 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch}`); core14.debug(`source dir: ${sourceDir}`); @@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch}`); core14.debug(`source file: ${sourceFile}`); @@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path7.join(_getCacheDirectory(), toolName, versionSpec, arch); core14.debug(`checking cache: ${cachePath}`); if (fs6.existsSync(cachePath) && fs6.existsSync(`${cachePath}.complete`)) { 
@@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core14.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io5.rmRF(folderPath); @@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs6.writeFileSync(markerPath, ""); core14.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core14.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core14.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core14.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core14.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -86683,6 +86683,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -86850,20 +86860,26 @@ var toolrunner3 = __toESM(require_toolrunner()); // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/tracer-config.ts 
diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 72a24cede7..f63f90a7e1 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs10 = __importStar2(require("fs")); var os3 = __importStar2(require("os")); var utils_1 = require_utils(); @@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4287,11 +4287,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); + supportedHashes = crypto3.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4564,7 +4564,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); 
@@ -4579,7 +4579,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -5643,8 +5643,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17052,13 +17052,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17071,7 +17071,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } 
@@ -17143,9 +17143,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url, protocols, client, ws, onEstablish, options) { @@ -17165,7 +17165,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17195,7 +17195,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -26352,11 +26352,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse2(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); 
@@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse2(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare3, compareLoose, compareBuild, sort, 
@@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, 
@@ -32371,7 +32371,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core15 = __importStar2(require_core()); var fs10 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -32384,7 +32384,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core15.info : core15.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { @@ -32400,7 +32400,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash = crypto2.createHash("sha256"); + const hash = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs10.createReadStream(file), hash); result.write(hash.digest()); @@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; 
@@ -33776,10 +33776,10 @@ var require_cacheUtils = __commonJS({ var exec = __importStar2(require_exec()); var glob = __importStar2(require_glob()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs10 = __importStar2(require("fs")); var path10 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants7(); var versionSalt = "1.0"; @@ -33800,7 +33800,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path10.join(baseLocation, "actions", "temp"); } - const dest = path10.join(tempDirectory, crypto2.randomUUID()); + const dest = path10.join(tempDirectory, crypto3.randomUUID()); yield io6.mkdirP(dest); return dest; }); @@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -33908,7 +33908,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; 
@@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -75455,7 +75455,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var path10 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); 
@@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os3 = require("os"); var cp = require("child_process"); @@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; 
@@ -81671,13 +81671,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core15 = __importStar2(require_core()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs10 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os3 = __importStar2(require("os")); var path10 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -81696,7 +81696,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path10.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path10.join(_getTempDirectory(), crypto3.randomUUID()); yield io6.mkdirP(path10.dirname(dest)); core15.debug(`Downloading ${url}`); core15.debug(`Destination ${dest}`); @@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch2}`); core15.debug(`source dir: ${sourceDir}`); 
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch2}`); core15.debug(`source file: ${sourceFile}`); @@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path10.join(_getCacheDirectory(), toolName, versionSpec, arch2); core15.debug(`checking cache: ${cachePath}`); if (fs10.existsSync(cachePath) && fs10.existsSync(`${cachePath}.complete`)) { @@ -82070,7 +82070,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path10.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path10.join(_getTempDirectory(), crypto3.randomUUID()); } yield io6.mkdirP(dest); return dest; @@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path10.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path10.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); 
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path10.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path10.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs10.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -85605,6 +85605,12 @@ async function checkForTimeout() { process.exit(); } } +function parseMatrixInput(matrixInput) { + if (matrixInput === void 0 || matrixInput === "null") { + return void 0; + } + return JSON.parse(matrixInput); +} function wrapError(error3) { return error3 instanceof Error ? error3 : new Error(String(error3)); } 
@@ -85824,6 +85830,32 @@ async function runTool(cmd, args = [], opts = {}) { } return stdout; } +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} // src/api-client.ts var core5 = __toESM(require_core()); 
@@ -86023,6 +86055,37 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} +function computeAutomationID(analysis_key, environment) { + let automationID = `${analysis_key}/`; + const matrix = parseMatrixInput(environment); + if (matrix !== void 0) { + for (const entry of Object.entries(matrix).sort()) { + if (typeof entry[1] === "string") { + automationID += `${entry[0]}:${entry[1]}/`; + } else { + automationID += `${entry[0]}:/`; + } + } + } + return automationID; +} +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} function isEnablementError(msg) { return [ /Code Security must be enabled/i, @@ -86534,6 +86597,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", 
@@ -86594,10 +86667,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -86702,11 +86779,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -86765,34 +86842,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver4.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
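Review bot: `.sort(semver4.rcompare)` in `getEnabledDefaultCliVersionsFromFlags` will throw a TypeError if `getCliVersionFromFeatureFlag` ever returns a string that is not valid semver, whereas the removed `reduce` only compared strings and could not fail; whether that helper guarantees a well-formed version is not visible in this hunk. If it does not, inserting `.filter((v) => semver4.valid(v) !== null)` ahead of the sort keeps a single malformed flag name from breaking default-version selection for everyone. Otherwise the move to semver ordering is the right fix, since the old string comparison ranked `2.10.0` below `2.9.0`. This file is bundled output, so the change belongs in the TypeScript source it is generated from.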
@@ -87189,7 +87273,13 @@ var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core7 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/config/db-config.ts var jsonschema = __toESM(require_lib2()); @@ -87304,6 +87394,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/languages/builtin.json var builtin_default = { @@ -87334,6 +87434,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache4()); 
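Review bot: `createCacheKeyHash` hashes `JSON.stringify(components)`, so the key depends on the insertion order of the object's properties and not only on their values; two callers that assemble the same components in a different order would end up in different cache namespaces. If more components are added later, serialising with a sorted key list, `JSON.stringify(components, Object.keys(components).sort())`, makes the hash order-independent. A doc comment saying that the 16-hex-character SHA-256 prefix is a namespacing token for Actions cache keys, not an integrity check, would also help the next reader. Both belong in the TypeScript source this `// src/caching-utils.ts` section is bundled from.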
@@ -87389,7 +87500,68 @@ var fs8 = __toESM(require("fs")); var path8 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? 
"database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} // src/tar.ts var import_child_process = require("child_process"); @@ -87398,7 +87570,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -87440,9 +87612,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -87451,7 +87623,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; 
@@ -87558,7 +87730,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -87688,7 +87860,7 @@ function getToolcacheDirectory(version) { return path7.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os.arch() || "" ); } @@ -87813,13 +87985,13 @@ function tryGetTagNameFromUrl(url, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -87851,7 +88023,84 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + const overlayVersions = defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. 
Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); 
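Review bot: resolveDefaultCliVersion and getEnabledVersionsWithOverlayBaseDatabases carry no doc comment, and the invariant that keeps Actions-cache contents from steering the CLI download — overlayVersions is the intersection of cachedVersions with defaultCliVersion.enabledVersions, so a cache key can only select among versions already enabled by feature flags — is only implicit in the `filter((v) => cachedVersionsSet.has(v.cliVersion))`. Add a JSDoc on resolveDefaultCliVersion stating that on a pull request it returns the highest enabled version that has a cached overlay-base database for rawLanguages, otherwise `enabledVersions[0]`, and that the result is always an element of enabledVersions. It should also say that this can deliberately keep a PR analysis on an older enabled CLI for as long as that overlay-base cache entry exists; the info log says so, the code should too. The `catch (e)` that downgrades a listing failure to a warning is a reasonable best-effort choice, but `${e}` prints `[object Object]` for non-Error rejections, so format the message explicitly if the file has a helper for that. These functions are compiled from src/setup-codeql.ts, which is where the change belongs.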
@@ -87945,21 +88194,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown"; @@ -88156,7 +88417,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -88166,6 +88427,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, 
@@ -88224,7 +88486,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -88256,7 +88518,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -88293,7 +88555,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -88307,6 +88569,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -88896,7 +89159,7 @@ async function getJobRunUuidSarifOptions(codeql) { } // src/init.ts -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, 
@@ -88910,6 +89173,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -89202,9 +89466,7 @@ async function run(startedAt) { if (statusReportBase !== void 0) { await sendStatusReport(statusReportBase); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), @@ -89212,6 +89474,8 @@ async function run(startedAt) { getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: currently, setup-codeql is not language aware features, logger ); diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 9c40cb5e66..2e59c565a5 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -26352,11 +26352,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse2(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); 
@@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse2(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; 
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -33779,7 +33779,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs3 = __importStar2(require("fs")); var path4 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants7(); var versionSalt = "1.0"; 
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -75455,7 +75455,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var path4 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); 
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -88437,7 +88437,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -88447,9 +88447,9 @@ var require_stream_writable = __commonJS({ if (er) { stream.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; @@ -122745,7 +122745,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); 
@@ -122759,7 +122759,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -122768,7 +122768,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -123028,7 +123028,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path4 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -123301,7 +123301,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); 
@@ -123319,7 +123319,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -123349,7 +123349,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path4.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) { @@ -123429,7 +123429,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); 
@@ -123439,30 +123439,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs3.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -127203,6 +127203,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", 
@@ -127505,24 +127515,30 @@ var cliErrorsConfig = { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/dependency-caching.ts -var actionsCache3 = __toESM(require_cache4()); +var actionsCache4 = __toESM(require_cache4()); var glob = __toESM(require_glob()); // src/artifact-scanner.ts diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index 256c358c0c..56a24f63b6 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare = require_compare(); - var rcompare = (a, b, loose) => compare(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare(b, a, loose); + module2.exports = rcompare2; } }); 
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -33772,8 +33772,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare(b, a, loose); } exports2.sort = sort; @@ -103331,6 +103331,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -103391,10 +103401,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** 
@@ -103499,11 +103513,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -103562,34 +103576,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver4.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
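Review bot: `.sort(semver4.rcompare)` will throw a TypeError if any string returned by getCliVersionFromFeatureFlag for an enabled flag is not valid semver, whereas the replaced string-comparison reduce tolerated any input; getCliVersionFromFeatureFlag ends inside this hunk but its body is above it, so whether it already validates is not visible here. If it does not, filter before sorting, `.filter((f) => f !== void 0 && semver4.valid(f) !== null).sort(semver4.rcompare)`, or route the failure through the same warning-and-fallback path used when no flags are enabled rather than letting a malformed flag name break setup. Replacing the lexicographic `>` reduce with semver ordering is the right fix, since string comparison orders `2.9.0` above `2.10.0`. The GitHubFeatureFlags class continues outside the hunk; this is compiled from src/feature-flags.ts.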
@@ -104469,7 +104490,7 @@ async function getReleaseByVersion(version) { } async function getCliVersionFromFeatures(features) { const gitHubVersion = await getGitHubVersion(); - return await features.getDefaultCliVersion(gitHubVersion.type); + return await features.getEnabledDefaultCliVersions(gitHubVersion.type); } async function getDownloadUrl(logger, features) { const proxyPackage = getProxyPackage(); @@ -104477,7 +104498,7 @@ async function getDownloadUrl(logger, features) { const useFeaturesToDetermineCLI = await features.getValue( "start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */ ); - const versionInfo = useFeaturesToDetermineCLI ? await getCliVersionFromFeatures(features) : { + const versionInfo = useFeaturesToDetermineCLI ? (await getCliVersionFromFeatures(features)).enabledVersions[0] : { cliVersion, tagName: bundleVersion }; diff --git a/lib/upload-lib.js b/lib/upload-lib.js index c0a9964c16..5b9dd54b7f 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs14 = __importStar2(require("fs")); var os2 = __importStar2(require("os")); var utils_1 = require_utils(); @@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); 
@@ -4287,11 +4287,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -4564,7 +4564,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4579,7 +4579,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -5643,8 +5643,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } 
@@ -17052,13 +17052,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17071,7 +17071,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17143,9 +17143,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { @@ -17165,7 +17165,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { 
@@ -17195,7 +17195,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -21993,16 +21993,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -22291,8 +22291,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, 
@@ -22305,8 +22305,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -27657,11 +27657,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse2(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -27804,8 +27804,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -29021,7 +29021,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse2(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -29030,7 +29030,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); 
@@ -29059,7 +29059,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -29068,7 +29068,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -32371,7 +32371,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core14 = __importStar2(require_core()); var fs14 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -32384,7 +32384,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core14.info : core14.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { @@ -32400,7 +32400,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash2 = crypto2.createHash("sha256"); + const hash2 = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs14.createReadStream(file), hash2); result.write(hash2.digest()); @@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } 
@@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -33776,10 +33776,10 @@ var require_cacheUtils = __commonJS({ var exec = __importStar2(require_exec()); var glob = __importStar2(require_glob()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs14 = __importStar2(require("fs")); var path12 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants7(); var versionSalt = "1.0"; @@ -33800,7 +33800,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path12.join(baseLocation, "actions", "temp"); } - const dest = path12.join(tempDirectory, crypto2.randomUUID()); + const dest = path12.join(tempDirectory, crypto3.randomUUID()); yield io6.mkdirP(dest); return dest; }); @@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core14.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; 
@@ -33908,7 +33908,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; @@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -75455,7 +75455,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var path12 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); 
@@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; 
@@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -81671,13 +81671,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core14 = __importStar2(require_core()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs14 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os2 = __importStar2(require("os")); var path12 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -81696,7 +81696,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url2, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path12.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path12.join(_getTempDirectory(), crypto3.randomUUID()); yield io6.mkdirP(path12.dirname(dest)); core14.debug(`Downloading ${url2}`); core14.debug(`Destination ${dest}`); @@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch2}`); core14.debug(`source dir: ${sourceDir}`); 
@@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch2}`); core14.debug(`source file: ${sourceFile}`); @@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path12.join(_getCacheDirectory(), toolName, versionSpec, arch2); core14.debug(`checking cache: ${cachePath}`); if (fs14.existsSync(cachePath) && fs14.existsSync(`${cachePath}.complete`)) { @@ -82070,7 +82070,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path12.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path12.join(_getTempDirectory(), crypto3.randomUUID()); } yield io6.mkdirP(dest); return dest; @@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path12.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core14.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); 
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path12.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs14.writeFileSync(markerPath, ""); core14.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core14.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core14.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core14.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core14.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -88630,6 +88630,32 @@ async function runTool(cmd, args = [], opts = {}) { } return stdout; } +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -88912,6 +88938,11 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} function computeAutomationID(analysis_key, environment) { let automationID = `${analysis_key}/`; const matrix = parseMatrixInput(environment); 
@@ -88926,6 +88957,18 @@ function computeAutomationID(analysis_key, environment) { } return automationID; } +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} function isEnablementError(msg) { return [ /Code Security must be enabled/i, @@ -89224,7 +89267,13 @@ var path6 = __toESM(require("path")); var core9 = __toESM(require_core()); // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core6 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/config/db-config.ts var jsonschema = __toESM(require_lib2()); @@ -89339,6 +89388,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs5 = __toESM(require("fs")); 
@@ -89846,6 +89905,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -89952,6 +90021,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache4()); @@ -90031,7 +90111,7 @@ var fs9 = __toESM(require("fs")); var path8 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; 
@@ -90077,6 +90157,67 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? 
"database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); var fs7 = __toESM(require("fs")); @@ -90084,7 +90225,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -90126,9 +90267,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -90137,7 +90278,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; 
@@ -90244,7 +90385,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -90374,7 +90515,7 @@ function getToolcacheDirectory(version) { return path7.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os.arch() || "" ); } @@ -90499,13 +90640,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -90537,7 +90678,84 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + const overlayVersions = defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. 
Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); 
@@ -90631,21 +90849,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -90842,7 +91072,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -90852,6 +91082,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, 
@@ -90910,7 +91141,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -90942,7 +91173,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -90979,7 +91210,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -90993,6 +91224,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); 
@@ -92714,7 +92946,7 @@ var core12 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -92728,6 +92960,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -92876,9 +93109,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action @@ -92886,6 +93117,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); @@ -92901,7 +93134,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo return readSarifFile(outputFile); } function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) { - const automationID = getAutomationID(category, analysis_key, environment); + const automationID = getAutomationID2(category, analysis_key, environment); if (automationID !== void 0) { for (const run of sarifFile.runs || []) { if (run.automationDetails === void 0) { 
@@ -92914,7 +93147,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ } return sarifFile; } -function getAutomationID(category, analysis_key, environment) { +function getAutomationID2(category, analysis_key, environment) { if (category !== void 0) { let automationID = category; if (!automationID.endsWith("/")) { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 12d1b216c3..884524e2bf 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -26352,11 +26352,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse2(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse2(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); 
@@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -80613,7 +80613,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -80623,9 +80623,9 @@ var require_stream_writable = __commonJS({ if (er) { stream.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; @@ -115281,16 +115281,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; 
@@ -115579,8 +115579,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -115593,8 +115593,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -118322,8 +118322,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -118623,8 +118623,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -119452,7 +119452,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs3 = __importStar2(require("fs")); var path3 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants14(); var versionSalt = "1.0"; 
@@ -119545,7 +119545,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -120855,7 +120855,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -121032,7 +121032,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -122306,8 +122306,8 @@ var require_cache4 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var path3 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); 
@@ -122364,7 +122364,7 @@ var require_cache4 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -122508,7 +122508,7 @@ var require_cache4 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -122745,7 +122745,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -122759,7 +122759,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; 
@@ -122768,7 +122768,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -123028,7 +123028,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path3 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -123301,7 +123301,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -123319,7 +123319,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -123349,7 +123349,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path3.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) { 
@@ -123429,7 +123429,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); @@ -123439,30 +123439,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs3.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -127373,6 +127373,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", 
@@ -127492,24 +127502,30 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/dependency-caching.ts -var actionsCache3 = __toESM(require_cache4()); +var actionsCache4 = __toESM(require_cache4()); var glob = __toESM(require_glob2()); // src/artifact-scanner.ts diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 83c55ee866..eca5b7f007 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs15 = __importStar2(require("fs")); var os3 = __importStar2(require("os")); var utils_1 = require_utils(); 
@@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4287,11 +4287,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -4564,7 +4564,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4579,7 +4579,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); 
@@ -5643,8 +5643,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17052,13 +17052,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17071,7 +17071,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17143,9 +17143,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { 
@@ -17165,7 +17165,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17195,7 +17195,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -26352,11 +26352,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse2(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -26499,8 +26499,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -27716,7 +27716,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse2(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); 
@@ -27725,7 +27725,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -27754,7 +27754,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -27763,7 +27763,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -29553,16 +29553,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; 
@@ -29851,8 +29851,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -29865,8 +29865,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -32371,7 +32371,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core16 = __importStar2(require_core()); var fs15 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -32384,7 +32384,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core16.info : core16.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { 
@@ -32400,7 +32400,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash2 = crypto2.createHash("sha256"); + const hash2 = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs15.createReadStream(file), hash2); result.write(hash2.digest()); @@ -32649,8 +32649,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -32950,8 +32950,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -33776,10 +33776,10 @@ var require_cacheUtils = __commonJS({ var exec = __importStar2(require_exec()); var glob = __importStar2(require_glob()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs15 = __importStar2(require("fs")); var path13 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants7(); var versionSalt = "1.0"; @@ -33800,7 +33800,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path13.join(baseLocation, "actions", "temp"); } - const dest = path13.join(tempDirectory, crypto2.randomUUID()); + const dest = path13.join(tempDirectory, crypto3.randomUUID()); yield io6.mkdirP(dest); return dest; }); 
@@ -33872,7 +33872,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core16.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -33908,7 +33908,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; @@ -75278,7 +75278,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core16 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -75455,7 +75455,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { 
@@ -80955,8 +80955,8 @@ var require_cache4 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core16 = __importStar2(require_core()); var path13 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -81013,7 +81013,7 @@ var require_cache4 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core16.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81157,7 +81157,7 @@ var require_cache4 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core16.debug(`Cache service version: ${cacheServiceVersion}`); @@ -81394,7 +81394,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os3 = require("os"); var cp = require("child_process"); 
@@ -81408,7 +81408,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -81417,7 +81417,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -81671,13 +81671,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core16 = __importStar2(require_core()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs15 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os3 = __importStar2(require("os")); var path13 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); 
@@ -81696,7 +81696,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url2, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path13.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path13.join(_getTempDirectory(), crypto3.randomUUID()); yield io6.mkdirP(path13.dirname(dest)); core16.debug(`Downloading ${url2}`); core16.debug(`Destination ${dest}`); @@ -81950,7 +81950,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core16.debug(`Caching tool ${tool} ${version} ${arch2}`); core16.debug(`source dir: ${sourceDir}`); @@ -81968,7 +81968,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core16.debug(`Caching tool ${tool} ${version} ${arch2}`); core16.debug(`source file: ${sourceFile}`); @@ -81998,7 +81998,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path13.join(_getCacheDirectory(), toolName, versionSpec, arch2); core16.debug(`checking cache: ${cachePath}`); if (fs15.existsSync(cachePath) && fs15.existsSync(`${cachePath}.complete`)) { 
@@ -82070,7 +82070,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path13.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path13.join(_getTempDirectory(), crypto3.randomUUID()); } yield io6.mkdirP(dest); return dest; @@ -82078,7 +82078,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path13.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path13.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core16.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); 
@@ -82088,30 +82088,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path13.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path13.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs15.writeFileSync(markerPath, ""); core16.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core16.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core16.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core16.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core16.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; 
@@ -88668,6 +88668,32 @@ var persistInputs = function() { ); core4.saveState(persistedInputsKey, JSON.stringify(inputEnvironmentVariables)); }; +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -88960,6 +88986,11 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} function computeAutomationID(analysis_key, environment) { let automationID = `${analysis_key}/`; const matrix = parseMatrixInput(environment); 
@@ -88974,6 +89005,18 @@ function computeAutomationID(analysis_key, environment) { } return automationID; } +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} function isEnablementError(msg) { return [ /Code Security must be enabled/i, @@ -89519,6 +89562,16 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -89579,10 +89632,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -89687,11 +89744,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * 
@@ -89750,34 +89807,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver4.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } 
@@ -90007,7 +90071,13 @@ var path7 = __toESM(require("path")); var core9 = __toESM(require_core()); // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core8 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/config/db-config.ts var jsonschema = __toESM(require_lib2()); @@ -90095,6 +90165,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs7 = __toESM(require("fs")); @@ -90148,6 +90228,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache4()); @@ -90697,7 +90788,7 @@ var fs11 = __toESM(require("fs")); var path9 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; 
@@ -90743,6 +90834,67 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache4()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? 
"database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); var fs9 = __toESM(require("fs")); @@ -90750,7 +90902,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -90792,9 +90944,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -90803,7 +90955,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; 
@@ -90910,7 +91062,7 @@ var core11 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -91040,7 +91192,7 @@ function getToolcacheDirectory(version) { return path8.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os2.arch() || "" ); } @@ -91165,13 +91317,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -91203,7 +91355,84 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + const overlayVersions = defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. 
Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); 
@@ -91297,21 +91526,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -91508,7 +91749,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -91518,6 +91759,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, 
@@ -91576,7 +91818,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -91608,7 +91850,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -91645,7 +91887,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -91659,6 +91901,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); 
@@ -93380,7 +93623,7 @@ var core13 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -93394,6 +93637,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -93471,9 +93715,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action @@ -93481,6 +93723,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); @@ -93496,7 +93740,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo return readSarifFile(outputFile); } function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) { - const automationID = getAutomationID(category, analysis_key, environment); + const automationID = getAutomationID2(category, analysis_key, environment); if (automationID !== void 0) { for (const run2 of sarifFile.runs || []) { if (run2.automationDetails === void 0) { 
@@ -93509,7 +93753,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ } return sarifFile; } -function getAutomationID(category, analysis_key, environment) { +function getAutomationID2(category, analysis_key, environment) { if (category !== void 0) { let automationID = category; if (!automationID.endsWith("/")) { diff --git a/src/codeql.test.ts b/src/codeql.test.ts index eccad6895b..60756101fd 100644 --- a/src/codeql.test.ts +++ b/src/codeql.test.ts @@ -70,8 +70,9 @@ async function installIntoToolcache({ tmpDir, util.GitHubVariant.GHES, cliVersion !== undefined - ? { cliVersion, tagName } + ? { enabledVersions: [{ cliVersion, tagName }] } : SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages createFeatures([]), getRunnerLogger(true), false, @@ -143,6 +144,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -175,6 +177,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -214,6 +217,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -264,6 +268,7 @@ for (const { tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, 
@@ -284,11 +289,11 @@ for (const { for (const toolcacheVersion of [ // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache. - SAMPLE_DEFAULT_CLI_VERSION.cliVersion, - `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`, + SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion, + `${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion}-20230101`, ]) { test.serial( - `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` + + `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion} is requested and ` + `${toolcacheVersion} is installed`, async (t) => { const features = createFeatures([]); @@ -308,11 +313,15 @@ for (const toolcacheVersion of [ tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, ); - t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion); + t.is( + result.toolsVersion, + SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion, + ); t.is(result.toolsSource, ToolsSource.Toolcache); t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined); t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined); @@ -342,9 +351,14 @@ test.serial( tmpDir, util.GitHubVariant.GHES, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -384,9 +398,14 @@ test.serial( tmpDir, util.GitHubVariant.GHES, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }, + undefined, // rawLanguages features, getRunnerLogger(true), false, 
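Review bot: Every updated call in these hunks passes `undefined, // rawLanguages`, so `setupCodeQL` is only exercised with overlay-aware version selection disabled, and the new PR-time branch in `resolveDefaultCliVersion` (visible in the bundled code in this diff, where `enabledVersions` is intersected with the versions parsed from cache keys) gets no coverage from this file. Unless that path is covered in another test file, a case that sets a pull-request context, supplies two `enabledVersions`, stubs the cache listing to return a key for `enabledVersions[1].cliVersion`, and asserts `result.toolsVersion` equals that lower version would pin the behaviour the changelog promises. The `installIntoToolcache` helper and the enclosing `for` loop start before these hunks.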
@@ -426,6 +445,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -467,6 +487,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, diff --git a/src/codeql.ts b/src/codeql.ts index ecad2ea199..046d3e7192 100644 --- a/src/codeql.ts +++ b/src/codeql.ts @@ -305,6 +305,7 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; * @param tempDir * @param variant * @param defaultCliVersion + * @param rawLanguages Raw set of languages. * @param features Information about the features that are enabled. * @param logger * @param checkVersion Whether to check that CodeQL CLI meets the minimum @@ -317,6 +318,7 @@ export async function setupCodeQL( tempDir: string, variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, features: FeatureEnablement, logger: Logger, checkVersion: boolean, @@ -340,6 +342,7 @@ export async function setupCodeQL( tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, ); diff --git a/src/feature-flags.test.ts b/src/feature-flags.test.ts index 85007df139..d8b5eea04d 100644 --- a/src/feature-flags.test.ts +++ b/src/feature-flags.test.ts @@ -451,12 +451,16 @@ test.serial(`selects CLI from defaults.json on GHES`, async (t) => { await withTmpDir(async (tmpDir) => { const features = setUpFeatureFlagTests(tmpDir); - const defaultCliVersion = await features.getDefaultCliVersion( + const defaultCliVersion = await features.getEnabledDefaultCliVersions( GitHubVariant.GHES, ); t.deepEqual(defaultCliVersion, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }); }); }); 
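Review bot: The new `@param rawLanguages Raw set of languages.` line in the `setupCodeQL` doc block restates the type without saying what "raw" means or what `undefined` does; from the bundled `getEnabledVersionsWithOverlayBaseDatabases` in this diff, `undefined` or an empty array disables overlay-aware CLI version selection, and the upload action passes `undefined` for exactly that reason. I'd write `@param rawLanguages Unparsed language names from the workflow input (aliases and case appear to be normalised by parseBuiltInLanguage later). Pass undefined to disable overlay-aware CLI version selection, e.g. when no analysis is run.` Inserting a nullable positional parameter in the middle of a nine-argument list also forces every caller to thread `undefined, // rawLanguages`, as the test updates show; a trailing optional parameter or an options object would be less error-prone. The `setupCodeQL` signature and body continue outside the hunk.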
@@ -482,10 +486,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) { false; mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement); - const defaultCliVersion = await features.getDefaultCliVersion(variant); + const defaultCliVersion = + await features.getEnabledDefaultCliVersions(variant); t.deepEqual(defaultCliVersion, { - cliVersion: "2.20.1", - tagName: "codeql-bundle-v2.20.1", + enabledVersions: [ + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ], toolsFeatureFlagsValid: true, }); }); @@ -500,10 +507,15 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) { const expectedFeatureEnablement = initializeFeatures(true); mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement); - const defaultCliVersion = await features.getDefaultCliVersion(variant); + const defaultCliVersion = + await features.getEnabledDefaultCliVersions(variant); t.deepEqual(defaultCliVersion, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], toolsFeatureFlagsValid: false, }); }); @@ -529,10 +541,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) { ] = true; mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement); - const defaultCliVersion = await features.getDefaultCliVersion(variant); + const defaultCliVersion = + await features.getEnabledDefaultCliVersions(variant); t.deepEqual(defaultCliVersion, { - cliVersion: "2.20.1", - tagName: "codeql-bundle-v2.20.1", + enabledVersions: [ + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ], toolsFeatureFlagsValid: true, }); diff --git a/src/feature-flags.ts b/src/feature-flags.ts index 80adce550a..ae3d242672 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts 
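Review bot: The new expectations in the `@@ -482` and `@@ -529` hunks pin the order `2.20.1, 2.20.0`, which a plain string comparison would also produce, so they do not distinguish the new `semver.rcompare` sort from the removed `currentVersion > maxVersion` string comparison (both visible in the bundled `getEnabledDefaultCliVersionsFromFlags` in this diff). Adding a case where lexicographic and semver order disagree, e.g. enabling `2.9.0` and `2.10.0` and expecting `{ cliVersion: "2.10.0", ... }` first, would lock in that fix. The test setup that populates `expectedFeatureEnablement` starts before the hunk.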
@@ -29,9 +29,27 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; */ export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; -export interface CodeQLDefaultVersionInfo { +export interface CodeQLVersionInfo { + /** The version number of the CodeQL CLI, e.g. `2.19.0`. */ cliVersion: string; + /** + * The tag name of the CodeQL Bundle associated with this version, e.g. `codeql-bundle-v2.19.0`. + */ tagName: string; +} + +export interface CodeQLDefaultVersionInfo { + /** + * CodeQL CLI versions that are enabled as defaults, sorted from highest to lowest. + * + * Guaranteed to be non-empty. When feature flags are unavailable, this falls back to a single + * entry containing the version pinned in `defaults.json`. + */ + enabledVersions: CodeQLVersionInfo[]; + /** + * If accessed, whether the tools feature flags are valid, i.e. contain at least one enabled + * version. + */ toolsFeatureFlagsValid?: boolean; } 
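Review bot: The doc on `enabledVersions` promises "Guaranteed to be non-empty", but the type `CodeQLVersionInfo[]` does not carry that guarantee, so consumers such as the bundled `resolveDefaultCliVersion` in this diff index `enabledVersions[0]` on trust, and under `noUncheckedIndexedAccess` that expression is `CodeQLVersionInfo | undefined`. Encoding the invariant as a non-empty tuple, `enabledVersions: [CodeQLVersionInfo, ...CodeQLVersionInfo[]];`, makes the compiler enforce it at every producer (the `OfflineFeatures` literal and the `.map` in `getEnabledDefaultCliVersionsFromFlags`, which would need a small `[first, ...rest]` adjustment) instead of relying on prose. The `toolsFeatureFlagsValid` comment "If accessed" is also ambiguous; from the bundled code it is set only when remote flags were queried, so I'd say `Set only when remote feature flags were queried: false if they contained no enabled CLI version, true otherwise.`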
@@ -72,6 +90,19 @@ export enum Feature { OverlayAnalysisGo = "overlay_analysis_go", OverlayAnalysisJava = "overlay_analysis_java", OverlayAnalysisJavascript = "overlay_analysis_javascript", + /** + * When set, chooses the default CodeQL CLI version as the highest version that is both enabled by + * feature flags and present as an overlay-base database in the Actions cache for the configured + * languages. Falls back to the highest feature flagged version if no intersecting overlay-base + * database exists in the cache. + */ + OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version", + /** + * Like `OverlayAnalysisMatchCodeqlVersion`, but only logs a diagnostic with the version that + * would have been chosen instead of actually changing the default CodeQL CLI version. + * `OverlayAnalysisMatchCodeqlVersion` overrides this flag. + */ + OverlayAnalysisMatchCodeqlVersionDryRun = "overlay_analysis_match_codeql_version_dry_run", OverlayAnalysisPython = "overlay_analysis_python", /** * Controls whether lower disk space requirements are used for overlay hardware checks. @@ -277,6 +308,16 @@ export const featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: undefined, }, + [Feature.OverlayAnalysisMatchCodeqlVersion]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: undefined, + }, + [Feature.OverlayAnalysisMatchCodeqlVersionDryRun]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: undefined, + }, [Feature.OverlayAnalysisResourceChecksV2]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", 
@@ -346,8 +387,12 @@ export type FeatureWithoutCLI = { }[keyof typeof featureConfig]; export interface FeatureEnablement { - /** Gets the default version of the CodeQL tools. */ - getDefaultCliVersion( + /** + * Returns the set of default CodeQL CLI versions to consider, sorted from + * highest to lowest. The first entry is the version that the CodeQL Action + * will use by default. The list is always non-empty. + */ + getEnabledDefaultCliVersions( variant: util.GitHubVariant, ): Promise; getValue(feature: FeatureWithoutCLI): Promise; @@ -371,12 +416,16 @@ export const FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json"; class OfflineFeatures implements FeatureEnablement { constructor(protected readonly logger: Logger) {} - async getDefaultCliVersion( + async getEnabledDefaultCliVersions( _variant: util.GitHubVariant, ): Promise { return { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }; } @@ -518,13 +567,13 @@ class Features extends OfflineFeatures { ); } - async getDefaultCliVersion( + async getEnabledDefaultCliVersions( variant: util.GitHubVariant, ): Promise { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** 
@@ -600,16 +649,22 @@ class GitHubFeatureFlags { return version; } - async getDefaultCliVersionFromFlags(): Promise { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags(): Promise { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response) + const sortedCliVersions = Object.entries(response) .map(([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined, ) - .filter((f): f is string => f !== undefined); + .filter((f): f is string => f !== undefined) + .sort(semver.rcompare); - if (enabledFeatureFlagCliVersions.length === 0) { + if (sortedCliVersions.length === 0) { // We expect at least one default CLI version to be enabled on Dotcom at any time. However if // the feature flags are misconfigured, rather than crashing, we fall back to the CLI version // shipped with the Action in defaults.json. This has the effect of immediately rolling out @@ -625,8 +680,12 @@ class GitHubFeatureFlags { `shipped with the Action. This is ${defaults.cliVersion}.`, ); const result: CodeQLDefaultVersionInfo = { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; 
@@ -634,17 +693,14 @@ class GitHubFeatureFlags { return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => - currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0], - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.`, + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`, ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion) => ({ + cliVersion, + tagName: `codeql-bundle-v${cliVersion}`, + })), toolsFeatureFlagsValid: true, }; } diff --git a/src/init-action.ts b/src/init-action.ts index 859dcefa2c..96745e2034 100644 --- a/src/init-action.ts +++ b/src/init-action.ts @@ -298,16 +298,19 @@ async function run(startedAt: Date) { ); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type, - ); + const codeQLDefaultVersionInfo = + await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; + const rawLanguages = configUtils.getRawLanguagesNoAutodetect( + getOptionalInput("languages"), + ); const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + rawLanguages, features, logger, ); diff --git a/src/init.ts b/src/init.ts index 8ed6f64005..ef1f426d02 100644 --- a/src/init.ts +++ b/src/init.ts @@ -39,6 +39,7 @@ export async function initCodeQL( tempDir: string, variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, features: FeatureEnablement, logger: Logger, ): Promise<{ @@ -61,6 +62,7 @@ export async function initCodeQL( tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true, 
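Review bot: `.sort(semver.rcompare)` in `getEnabledDefaultCliVersionsFromFlags` throws a TypeError on any element that is not valid semver, whereas the string comparison it replaces could never throw, and these strings are derived from flag names in the remote feature-flag response. The sort is therefore only safe if `getCliVersionFromFeatureFlag` (its body is outside this hunk; only its `return version;` is visible) already rejects values that do not parse as semver; if it does not, one malformed flag name would bypass the careful `defaults.json` fallback below and abort setup instead. Either confirm that guarantee and record it on the sort, `// rcompare throws on non-semver input; getCliVersionFromFeatureFlag filters those out`, or make the pipeline self-sufficient with `.filter((f): f is string => f !== undefined && semver.valid(f) !== null)` before sorting. The fallback branch in the second hunk (`sortedCliVersions[0]`) is fine since the length is checked first.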
diff --git a/src/setup-codeql-action.ts b/src/setup-codeql-action.ts index bd504f3fd3..5e6c82442c 100644 --- a/src/setup-codeql-action.ts +++ b/src/setup-codeql-action.ts @@ -136,9 +136,8 @@ async function run(startedAt: Date): Promise { if (statusReportBase !== undefined) { await sendStatusReport(statusReportBase); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type, - ); + const codeQLDefaultVersionInfo = + await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), @@ -146,6 +145,7 @@ async function run(startedAt: Date): Promise { getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + undefined, // rawLanguages: currently, setup-codeql is not language aware features, logger, ); diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index 555352bd21..39f2422bda 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -107,6 +107,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -130,6 +131,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "linked", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -155,6 +157,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "latest", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -211,6 +214,7 @@ test.serial( "tmp/codeql_action_test/", GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, logger, ); 
@@ -266,6 +270,7 @@ test.serial( "tmp/codeql_action_test/", GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, logger, ); @@ -317,6 +322,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "nightly", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -378,6 +384,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( undefined, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -432,6 +439,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "toolcache", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -499,6 +507,7 @@ const toolcacheInputFallbackMacro = test.macro({ const source = await setupCodeql.getCodeQLSource( "toolcache", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -514,7 +523,10 @@ const toolcacheInputFallbackMacro = test.macro({ // Check that `sourceType` and `toolsVersion` match expectations. t.is(source.sourceType, "download"); - t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion); + t.is( + source.toolsVersion, + SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion, + ); // Check that key messages we would expect to find in the log are present. for (const expectedMessage of expectedMessages) { 
@@ -598,3 +610,212 @@ test.serial( t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1"); }, ); + +function makeOverlayMatchFeatures(opts: { + matchFlagEnabled?: boolean; + dryRunFlagEnabled?: boolean; +}): FeatureEnablement { + return { + getEnabledDefaultCliVersions: async () => { + throw new Error("not implemented"); + }, + getValue: async (feature) => { + if (feature === Feature.OverlayAnalysisMatchCodeqlVersion) { + return opts.matchFlagEnabled ?? false; + } + if (feature === Feature.OverlayAnalysisMatchCodeqlVersionDryRun) { + return opts.dryRunFlagEnabled ?? false; + } + return false; + }, + }; +} + +const overlayMatchEnabledVersions = { + enabledVersions: [ + { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" }, + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ], + toolsFeatureFlagsValid: true, +}; + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases returns flag-enabled versions present in cache, sorted desc", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + // Newer than any flag-enabled version: should be filtered out. + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.21.0-abc-1-1", + }, + // Flag-enabled versions present in the cache. 
+ { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-def-2-1", + }, + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.0-ghi-3-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({ matchFlagEnabled: true }), + getRunnerLogger(true), + ); + t.deepEqual(result, [ + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ]); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases returns empty when no cached version is flag-enabled", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.19.0-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({ matchFlagEnabled: true }), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is empty", + async (t) => { + const listStub = sinon.stub(api, "listActionsCaches").resolves([]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + undefined, + makeOverlayMatchFeatures({ matchFlagEnabled: true }), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + t.assert( + listStub.notCalled, + "Should not list Actions caches without rawLanguages.", + ); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed")); + + const result = await 
setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({ matchFlagEnabled: true }), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases includes the highest version when it is cached", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.2-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({ matchFlagEnabled: true }), + getRunnerLogger(true), + ); + t.deepEqual(result, [ + { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" }, + ]); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases does not list caches when both gates are off", + async (t) => { + const listStub = sinon.stub(api, "listActionsCaches").resolves([]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({}), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + t.assert( + listStub.notCalled, + "Should not list Actions caches when both gating feature flags are off.", + ); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases dry-run returns empty but lists caches", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + const listStub = sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({ dryRunFlagEnabled: true }), + getRunnerLogger(true), + ); + t.deepEqual( + result, 
+ [], + "Dry-run should return an empty list so the caller falls back.", + ); + t.assert( + listStub.calledOnce, + "Dry-run should still list Actions caches to populate the diagnostic.", + ); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases match flag wins over dry-run", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({ + matchFlagEnabled: true, + dryRunFlagEnabled: true, + }), + getRunnerLogger(true), + ); + t.deepEqual(result, [ + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + ]); + }, +); diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 4ca3302f95..1082147352 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -7,17 +7,27 @@ import { default as deepEqual } from "fast-deep-equal"; import * as semver from "semver"; import { v4 as uuidV4 } from "uuid"; -import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util"; +import { + isAnalyzingPullRequest, + isDynamicWorkflow, + isRunningLocalAction, +} from "./actions-util"; import * as api from "./api-client"; import * as defaults from "./defaults.json"; -import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics"; +import { + addNoLanguageDiagnostic, + makeDiagnostic, + makeTelemetryDiagnostic, +} from "./diagnostics"; import { CODEQL_VERSION_ZSTD_BUNDLE, CodeQLDefaultVersionInfo, + CodeQLVersionInfo, Feature, FeatureEnablement, } from "./feature-flags"; import { Logger } from "./logging"; +import { getCodeQlVersionsForOverlayBaseDatabases } from "./overlay/caching"; import * as tar from "./tar"; import { downloadAndExtract, 
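Review bot: The case titled "does not list caches when rawLanguages is empty" passes `undefined`, so the `rawLanguages.length === 0` half of the guard in `getEnabledVersionsWithOverlayBaseDatabases` is never exercised; either rename it to say "undefined" or add a sibling case that passes `[]` and makes the same `listStub.notCalled` assertion. `makeOverlayMatchFeatures` also appears to duplicate `createFeatures` from testing-utils (its signature is visible later in this diff), so `createFeatures([Feature.OverlayAnalysisMatchCodeqlVersion])` could likely replace `makeOverlayMatchFeatures({ matchFlagEnabled: true })` if the two helpers behave the same for unknown flags. Each stubbed cache key here is constructed for the test, which is worth saying in the fixture comment so nobody treats `aaaaaaaaaaaaaaaa` as the real key layout.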
@@ -264,12 +274,128 @@ async function findOverridingToolsInCache(
 return undefined;
 }
 
+/**
+ * Returns the sorted set of enabled versions that have cached overlay-base databases for the
+ * given languages, or an empty list if neither the `OverlayAnalysisMatchCodeqlVersion` nor the
+ * `OverlayAnalysisMatchCodeqlVersionDryRun` feature flag is enabled. When only the dry-run flag
+ * is enabled, this performs the lookup and emits a telemetry diagnostic with the version that
+ * would have been chosen, but still returns an empty list so the caller falls back.
+ */
+export async function getEnabledVersionsWithOverlayBaseDatabases(
+ defaultCliVersion: CodeQLDefaultVersionInfo,
+ rawLanguages: string[] | undefined,
+ features: FeatureEnablement,
+ logger: Logger,
+): Promise {
+ if (rawLanguages === undefined || rawLanguages.length === 0) {
+ return [];
+ }
+ const isEnabled = await features.getValue(
+ Feature.OverlayAnalysisMatchCodeqlVersion,
+ );
+ const isDryRun =
+ !isEnabled &&
+ (await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersionDryRun));
+ if (!isEnabled && !isDryRun) {
+ return [];
+ }
+
+ let cachedVersions: string[] | undefined;
+ try {
+ cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases(
+ rawLanguages,
+ logger,
+ );
+ } catch (e) {
+ logger.warning(
+ `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. 
Details: ${e}`,
+ );
+ return [];
+ }
+
+ if (cachedVersions === undefined || cachedVersions.length === 0) {
+ return [];
+ }
+
+ const cachedVersionsSet = new Set(cachedVersions);
+ const overlayVersions = defaultCliVersion.enabledVersions.filter((v) =>
+ cachedVersionsSet.has(v.cliVersion),
+ );
+
+ if (overlayVersions.length === 0) {
+ return [];
+ }
+
+ const isCachedVersionDifferent =
+ overlayVersions[0].cliVersion !==
+ defaultCliVersion.enabledVersions[0].cliVersion;
+
+ if (isCachedVersionDifferent) {
+ addNoLanguageDiagnostic(
+ undefined,
+ makeTelemetryDiagnostic(
+ "codeql-action/overlay-aware-default-codeql-version",
+ "Overlay-aware default CodeQL version selection",
+ {
+ cachedVersions,
+ enabledVersions: defaultCliVersion.enabledVersions.map(
+ (v) => v.cliVersion,
+ ),
+ isDryRun,
+ overlayAwareVersion: overlayVersions[0].cliVersion,
+ },
+ ),
+ );
+ }
+
+ if (isDryRun) {
+ logger.debug(
+ `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`,
+ );
+ return [];
+ }
+
+ return overlayVersions;
+}
+
+/**
+ * Resolves the newest enabled default CLI version that has a cached overlay-base database for the
+ * relevant languages, if analyzing a pull request and one exists. Otherwise, falls back to the
+ * newest enabled default CLI version.
+ */
+async function resolveDefaultCliVersion(
+ defaultCliVersion: CodeQLDefaultVersionInfo,
+ rawLanguages: string[] | undefined,
+ features: FeatureEnablement,
+ logger: Logger,
+): Promise {
+ if (!isAnalyzingPullRequest()) {
+ return defaultCliVersion.enabledVersions[0];
+ }
+
+ const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases(
+ defaultCliVersion,
+ rawLanguages,
+ features,
+ logger,
+ );
+ if (overlayVersions.length > 0) {
+ logger.info(
+ `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the ` +
+ `highest enabled version that has a cached overlay-base database.`,
+ );
+ return overlayVersions[0];
+ }
+ return defaultCliVersion.enabledVersions[0];
+}
+
 /**
 * Determines where the CodeQL CLI we want to use comes from. This can be from a local file,
 * the Actions toolcache, or a download.
 *
 * @param toolsInput The argument provided for the `tools` input, if any.
 * @param defaultCliVersion The default CLI version that's linked to the CodeQL Action.
+ * @param rawLanguages Raw set of languages.
 * @param apiDetails Information about the GitHub API.
 * @param variant The GitHub variant we are running on.
 * @param tarSupportsZstd Whether zstd is supported by `tar`.
@@ -281,6 +407,7 @@ async function findOverridingToolsInCache(
 export async function getCodeQLSource(
 toolsInput: string | undefined,
 defaultCliVersion: CodeQLDefaultVersionInfo,
+ rawLanguages: string[] | undefined,
 apiDetails: api.GitHubApiDetails,
 variant: util.GitHubVariant,
 tarSupportsZstd: boolean,
@@ -438,8 +565,14 @@ export async function getCodeQLSource(
 }
 }
 
- cliVersion = defaultCliVersion.cliVersion;
- tagName = defaultCliVersion.tagName;
+ const version = await resolveDefaultCliVersion(
+ defaultCliVersion,
+ rawLanguages,
+ features,
+ logger,
+ );
+ cliVersion = version.cliVersion;
+ tagName = version.tagName;
 }
 } else if (toolsInput !== undefined) {
 // If a tools URL was provided, then use that.
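Review bot: `cachedVersions` in `getEnabledVersionsWithOverlayBaseDatabases` is derived from Actions cache key names (via `getCodeQlVersionsForOverlayBaseDatabases`, outside this hunk), and cache entries in a repository are written by other workflow runs, so these strings are observations rather than a trusted source; the only thing keeping the choice inside the feature-flag-enabled set is the `filter` against `defaultCliVersion.enabledVersions`, which bounds the worst case to picking a lower enabled version. That invariant deserves a comment on the filter so a later refactor does not weaken it: `// Intersect with the flag-enabled list: cache key names are not a trusted source, so a cached version that is not also enabled must never be selected.` The telemetry diagnostic forwards the whole `cachedVersions` array, which is unbounded in size and entirely cache-derived; consider sending only the intersection or a capped slice. `resolveDefaultCliVersion` indexes `enabledVersions[0]` without a check, which is correct only because of the non-empty guarantee documented on `CodeQLDefaultVersionInfo`; a one-line comment pointing at that contract would make the unchecked index intentional.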
@@ -454,9 +587,14 @@ export async function getCodeQLSource( } } } else { - // Otherwise, use the default CLI version passed in. - cliVersion = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger, + ); + cliVersion = version.cliVersion; + tagName = version.tagName; } const bundleVersion = @@ -791,6 +929,7 @@ export async function setupCodeQLBundle( tempDir: string, variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, features: FeatureEnablement, logger: Logger, ): Promise { @@ -804,6 +943,7 @@ export async function setupCodeQLBundle( const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, diff --git a/src/start-proxy.test.ts b/src/start-proxy.test.ts index 621b8d499e..a9d8be8943 100644 --- a/src/start-proxy.test.ts +++ b/src/start-proxy.test.ts @@ -1019,8 +1019,10 @@ test.serial( return true; }); const getDefaultCliVersion = sinon - .stub(features, "getDefaultCliVersion") - .resolves({ cliVersion: "2.20.1", tagName: expectedTag }); + .stub(features, "getEnabledDefaultCliVersions") + .resolves({ + enabledVersions: [{ cliVersion: "2.20.1", tagName: expectedTag }], + }); const path = await startProxyExports.getProxyBinaryPath(logger, features); t.assert(getDefaultCliVersion.calledOnce); diff --git a/src/start-proxy.ts b/src/start-proxy.ts index 1013ae3868..d6111510f6 100644 --- a/src/start-proxy.ts +++ b/src/start-proxy.ts @@ -415,7 +415,7 @@ async function getCliVersionFromFeatures( features: FeatureEnablement, ): Promise { const gitHubVersion = await getGitHubVersion(); - return await features.getDefaultCliVersion(gitHubVersion.type); + return await features.getEnabledDefaultCliVersions(gitHubVersion.type); } /** 
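Review bot: This hunk and the `@@ -438,8 +565,14 @@` hunk in `getCodeQLSource` introduce the same eight-line `resolveDefaultCliVersion(...)` call followed by the two assignments, and this one also drops the explanatory comment "Otherwise, use the default CLI version passed in." without replacing it. A tiny local helper that returns the resolved `{ cliVersion, tagName }` pair, or restoring a one-line comment such as `// No tools input: pick the default version, preferring a cached overlay-base database on PRs.`, would keep both call sites readable and make it obvious they are meant to stay in sync. The enclosing `getCodeQLSource` body starts and ends outside these hunks.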
@@ -440,7 +440,7 @@ export async function getDownloadUrl( // Retrieve information about the CLI version we should use. This will be either the linked // version, or the one enabled by FFs. const versionInfo = useFeaturesToDetermineCLI - ? await getCliVersionFromFeatures(features) + ? (await getCliVersionFromFeatures(features)).enabledVersions[0] : { cliVersion: defaults.cliVersion, tagName: defaults.bundleVersion, diff --git a/src/testing-utils.ts b/src/testing-utils.ts index fcb7149b56..29966c1adc 100644 --- a/src/testing-utils.ts +++ b/src/testing-utils.ts @@ -36,16 +36,20 @@ export const SAMPLE_DOTCOM_API_DETAILS = { apiURL: "https://api.github.com", }; -export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = { - cliVersion: "2.20.0", - tagName: "codeql-bundle-v2.20.0", -}; - export const LINKED_CLI_VERSION = { cliVersion: defaults.cliVersion, tagName: defaults.bundleVersion, }; +export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = { + enabledVersions: [ + { + cliVersion: "2.20.0", + tagName: "codeql-bundle-v2.20.0", + }, + ], +}; + type TestContext = { stdoutWrite: any; stderrWrite: any; @@ -442,7 +446,7 @@ export function mockCodeQLVersion( */ export function createFeatures(enabledFeatures: Feature[]): FeatureEnablement { return { - getDefaultCliVersion: async () => { + getEnabledDefaultCliVersions: async () => { throw new Error("not implemented"); }, getValue: async (feature) => { diff --git a/src/upload-lib.ts b/src/upload-lib.ts index 2464fe5eaa..5db40f26de 100644 --- a/src/upload-lib.ts +++ b/src/upload-lib.ts @@ -156,9 +156,8 @@ async function combineSarifFilesUsingCLI( apiURL: getRequiredEnvParam("GITHUB_API_URL"), }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type, - ); + const codeQLDefaultVersionInfo = + await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( undefined, // There is no tools input on the upload action 
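Review bot: `getCliVersionFromFeatures` (changed in the `@@ -415,7 +415,7 @@` hunk of start-proxy.ts) now returns the full `CodeQLDefaultVersionInfo` while its singular name still promises one version, and this hunk does the `.enabledVersions[0]` selection at the call site. Moving the index into the helper keeps the name honest and the call site symmetric with the `defaults.json` branch: `return (await features.getEnabledDefaultCliVersions(gitHubVersion.type)).enabledVersions[0];` with its declared return type narrowed to the single-version type. The unchecked `[0]` relies on the non-empty guarantee documented on the interface, which is worth a short comment wherever the index lands.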
@@ -166,6 +165,7 @@ async function combineSarifFilesUsingCLI( tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + undefined, // rawLanguages: upload-lib does not run analysis features, logger, );