From a796e3e4ed79ee0f1517ab0535d1fb7196eb5ac9 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 6 May 2026 15:14:04 +0100 Subject: [PATCH 1/5] Add OverlayAnalysisMatchCodeqlVersion feature flag --- lib/analyze-action-post.js | 5 +++++ lib/analyze-action.js | 5 +++++ lib/autobuild-action.js | 5 +++++ lib/init-action-post.js | 5 +++++ lib/init-action.js | 5 +++++ lib/resolve-environment-action.js | 5 +++++ lib/setup-codeql-action.js | 5 +++++ lib/start-proxy-action-post.js | 5 +++++ lib/start-proxy-action.js | 5 +++++ lib/upload-lib.js | 5 +++++ lib/upload-sarif-action-post.js | 5 +++++ lib/upload-sarif-action.js | 5 +++++ src/feature-flags.ts | 12 ++++++++++++ 13 files changed, 72 insertions(+) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 7c1046ab3a..0ecdbe3fe4 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -162803,6 +162803,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 163a41c7e8..558ad51478 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -108403,6 +108403,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 8fdbf5fa64..3ba5265792 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -104855,6 +104855,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/init-action-post.js b/lib/init-action-post.js index e4fa85efbe..f589829b3b 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -166326,6 +166326,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/init-action.js b/lib/init-action.js index 60fb14071c..2dbf6b3d0e 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -105960,6 +105960,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index efa88bd40f..c819d2eda5 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -104846,6 +104846,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 1d25f46c20..86a1340f44 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -104697,6 +104697,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 9cc3c099a9..d65876fc25 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -162123,6 +162123,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index ad8b42d02e..d3dbfcc989 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -121494,6 +121494,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/upload-lib.js b/lib/upload-lib.js index a0e9fc0c5f..9ab80fc08a 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -108009,6 +108009,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 7415e2ba97..1913fac84b 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -162293,6 +162293,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 088eef3937..00df3fef8b 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -107682,6 +107682,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", diff --git a/src/feature-flags.ts b/src/feature-flags.ts index 80adce550a..b9afbb8499 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts @@ -72,6 +72,13 @@ export enum Feature { OverlayAnalysisGo = "overlay_analysis_go", OverlayAnalysisJava = "overlay_analysis_java", OverlayAnalysisJavascript = "overlay_analysis_javascript", + /** + * When set, chooses the default CodeQL CLI version as the highest version that is both enabled by + * feature flags and present as an overlay-base database in the Actions cache for the configured + * languages. Falls back to the highest feature flagged version if no intersecting overlay-base + * database exists in the cache. + */ + OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version", OverlayAnalysisPython = "overlay_analysis_python", /** * Controls whether lower disk space requirements are used for overlay hardware checks. @@ -277,6 +284,11 @@ export const featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: undefined, }, + [Feature.OverlayAnalysisMatchCodeqlVersion]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: undefined, + }, [Feature.OverlayAnalysisResourceChecksV2]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", From b0942116d7fb70909c0153ccfe7e4a54dd932def Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 6 May 2026 15:53:38 +0100 Subject: [PATCH 2/5] Expose all enabled default CLI versions --- lib/analyze-action-post.js | 22 ++++---- lib/analyze-action.js | 83 +++++++++++++++++-------------- lib/autobuild-action.js | 71 +++++++++++++++----------- lib/init-action-post.js | 83 +++++++++++++++++-------------- lib/init-action.js | 83 +++++++++++++++++-------------- lib/resolve-environment-action.js | 22 ++++---- lib/setup-codeql-action.js | 83 +++++++++++++++++-------------- lib/start-proxy-action-post.js | 22 ++++---- lib/start-proxy-action.js | 75 ++++++++++++++++------------ lib/upload-lib.js | 34 ++++++------- lib/upload-sarif-action-post.js | 22 ++++---- lib/upload-sarif-action.js | 83 +++++++++++++++++-------------- src/codeql.test.ts | 29 +++++++---- src/feature-flags.test.ts | 39 ++++++++++----- src/feature-flags.ts | 79 ++++++++++++++++++++--------- src/init-action.ts | 5 +- src/setup-codeql-action.ts | 5 +- src/setup-codeql.test.ts | 5 +- src/setup-codeql.ts | 8 +-- src/start-proxy.test.ts | 6 ++- src/start-proxy.ts | 4 +- src/testing-utils.ts | 16 +++--- src/upload-lib.ts | 5 +- 23 files changed, 507 insertions(+), 377 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 0ecdbe3fe4..fe1995a459 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -162803,11 +162803,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -162824,6 +162819,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 558ad51478..5801253939 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare2 = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -108403,11 +108403,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -108424,6 +108419,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -108484,10 +108484,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -108592,11 +108596,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * @@ -108655,34 +108659,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } @@ -109673,8 +109684,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -109686,8 +109697,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -113070,9 +113081,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 3ba5265792..bff71e9b74 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -104855,11 +104855,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -104876,6 +104871,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -104936,10 +104936,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -105044,11 +105048,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * @@ -105107,34 +105111,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } diff --git a/lib/init-action-post.js b/lib/init-action-post.js index f589829b3b..ca42109527 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -166326,11 +166326,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -166347,6 +166342,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -166407,10 +166407,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -166515,11 +166519,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * @@ -166578,34 +166582,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } @@ -167518,8 +167529,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -167531,8 +167542,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -170298,9 +170309,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action diff --git a/lib/init-action.js b/lib/init-action.js index 2dbf6b3d0e..03ad45b9a4 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -51280,8 +51280,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -105960,11 +105960,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -105981,6 +105976,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -106041,10 +106041,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -106149,11 +106153,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * @@ -106212,34 +106216,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver5.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } @@ -108614,8 +108625,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -108627,8 +108638,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown"; @@ -110538,9 +110549,7 @@ async function run(startedAt) { `The 'init' action should not be run in the same workflow as 'setup-codeql'.` ); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index c819d2eda5..6d9b50f18a 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -104846,11 +104846,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -104867,6 +104862,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index 86a1340f44..e647efada1 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -104697,11 +104697,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -104718,6 +104713,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -104778,10 +104778,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -104886,11 +104890,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * @@ -104949,34 +104953,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver4.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } @@ -106129,8 +106140,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -106142,8 +106153,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown"; @@ -107386,9 +107397,7 @@ async function run(startedAt) { if (statusReportBase !== void 0) { await sendStatusReport(statusReportBase); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index d65876fc25..86f78ffdac 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -162123,11 +162123,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -162144,6 +162139,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index d3dbfcc989..bd1e56c2b9 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare = require_compare(); - var rcompare = (a, b, loose) => compare(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51951,8 +51951,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare(b, a, loose); } exports2.sort = sort; @@ -121494,11 +121494,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -121515,6 +121510,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -121575,10 +121575,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -121683,11 +121687,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * @@ -121746,34 +121750,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver4.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } @@ -122653,7 +122664,7 @@ async function getReleaseByVersion(version) { } async function getCliVersionFromFeatures(features) { const gitHubVersion = await getGitHubVersion(); - return await features.getDefaultCliVersion(gitHubVersion.type); + return await features.getEnabledDefaultCliVersions(gitHubVersion.type); } async function getDownloadUrl(logger, features) { const proxyPackage = getProxyPackage(); @@ -122661,7 +122672,7 @@ async function getDownloadUrl(logger, features) { const useFeaturesToDetermineCLI = await features.getValue( "start_proxy_use_features_release" /* StartProxyUseFeaturesRelease */ ); - const versionInfo = useFeaturesToDetermineCLI ? await getCliVersionFromFeatures(features) : { + const versionInfo = useFeaturesToDetermineCLI ? (await getCliVersionFromFeatures(features)).enabledVersions[0] : { cliVersion, tagName: bundleVersion }; diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 9ab80fc08a..17dbf166e5 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -45983,8 +45983,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare2; } }); @@ -47209,7 +47209,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -47247,7 +47247,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -108009,11 +108009,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -108030,6 +108025,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -108815,8 +108815,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -108828,8 +108828,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -111060,9 +111060,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 1913fac84b..d0733a4718 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -153559,8 +153559,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -162293,11 +162293,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -162314,6 +162309,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 00df3fef8b..1ba53990b3 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare; + var rcompare2 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare2; } }); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare = require_rcompare(); + var rcompare2 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare, + rcompare: rcompare2, compareLoose, compareBuild, sort, @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare; - function rcompare(a, b, loose) { + exports2.rcompare = rcompare2; + function rcompare2(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -107682,11 +107682,6 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVASCRIPT", minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_JAVASCRIPT }, - ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { - defaultValue: false, - envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", - minimumVersion: void 0 - }, ["overlay_analysis_python" /* OverlayAnalysisPython */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON", @@ -107703,6 +107698,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -107763,10 +107763,14 @@ var OfflineFeatures = class { this.logger = logger; } logger; - async getDefaultCliVersion(_variant) { + async getEnabledDefaultCliVersions(_variant) { return { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; } /** @@ -107871,11 +107875,11 @@ var Features = class extends OfflineFeatures { logger ); } - async getDefaultCliVersion(variant) { + async getEnabledDefaultCliVersions(variant) { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** * @@ -107934,34 +107938,41 @@ var GitHubFeatureFlags = class { } return version; } - async getDefaultCliVersionFromFlags() { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags() { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response).map( + const sortedCliVersions = Object.entries(response).map( ([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : void 0 - ).filter((f) => f !== void 0); - if (enabledFeatureFlagCliVersions.length === 0) { + ).filter((f) => f !== void 0).sort(semver4.rcompare); + if (sortedCliVersions.length === 0) { this.logger.warning( `Feature flags do not specify a default CLI version. Falling back to the CLI version shipped with the Action. This is ${cliVersion}.` ); const result = { - cliVersion, - tagName: bundleVersion + enabledVersions: [ + { + cliVersion, + tagName: bundleVersion + } + ] }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; } return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0] - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.` + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.` ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion2) => ({ + cliVersion: cliVersion2, + tagName: `codeql-bundle-v${cliVersion2}` + })), toolsFeatureFlagsValid: true }; } @@ -109481,8 +109492,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); @@ -109494,8 +109505,8 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian } } } else { - cliVersion2 = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -111655,9 +111666,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo url: getRequiredEnvParam("GITHUB_SERVER_URL"), apiURL: getRequiredEnvParam("GITHUB_API_URL") }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type - ); + const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( void 0, // There is no tools input on the upload action diff --git a/src/codeql.test.ts b/src/codeql.test.ts index eccad6895b..de7c400960 100644 --- a/src/codeql.test.ts +++ b/src/codeql.test.ts @@ -70,7 +70,7 @@ async function installIntoToolcache({ tmpDir, util.GitHubVariant.GHES, cliVersion !== undefined - ? { cliVersion, tagName } + ? { enabledVersions: [{ cliVersion, tagName }] } : SAMPLE_DEFAULT_CLI_VERSION, createFeatures([]), getRunnerLogger(true), @@ -284,11 +284,11 @@ for (const { for (const toolcacheVersion of [ // Test that we use the tools from the toolcache when `SAMPLE_DEFAULT_CLI_VERSION` is requested // and `SAMPLE_DEFAULT_CLI_VERSION-` is in the toolcache. - SAMPLE_DEFAULT_CLI_VERSION.cliVersion, - `${SAMPLE_DEFAULT_CLI_VERSION.cliVersion}-20230101`, + SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion, + `${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion}-20230101`, ]) { test.serial( - `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.cliVersion} is requested and ` + + `uses tools from toolcache when ${SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion} is requested and ` + `${toolcacheVersion} is installed`, async (t) => { const features = createFeatures([]); @@ -312,7 +312,10 @@ for (const toolcacheVersion of [ getRunnerLogger(true), false, ); - t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion); + t.is( + result.toolsVersion, + SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion, + ); t.is(result.toolsSource, ToolsSource.Toolcache); t.is(result.toolsDownloadStatusReport?.combinedDurationMs, undefined); t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined); @@ -342,8 +345,12 @@ test.serial( tmpDir, util.GitHubVariant.GHES, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }, features, getRunnerLogger(true), @@ -384,8 +391,12 @@ test.serial( tmpDir, util.GitHubVariant.GHES, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }, features, getRunnerLogger(true), diff --git a/src/feature-flags.test.ts b/src/feature-flags.test.ts index 85007df139..d8b5eea04d 100644 --- a/src/feature-flags.test.ts +++ b/src/feature-flags.test.ts @@ -451,12 +451,16 @@ test.serial(`selects CLI from defaults.json on GHES`, async (t) => { await withTmpDir(async (tmpDir) => { const features = setUpFeatureFlagTests(tmpDir); - const defaultCliVersion = await features.getDefaultCliVersion( + const defaultCliVersion = await features.getEnabledDefaultCliVersions( GitHubVariant.GHES, ); t.deepEqual(defaultCliVersion, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }); }); }); @@ -482,10 +486,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) { false; mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement); - const defaultCliVersion = await features.getDefaultCliVersion(variant); + const defaultCliVersion = + await features.getEnabledDefaultCliVersions(variant); t.deepEqual(defaultCliVersion, { - cliVersion: "2.20.1", - tagName: "codeql-bundle-v2.20.1", + enabledVersions: [ + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ], toolsFeatureFlagsValid: true, }); }); @@ -500,10 +507,15 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) { const expectedFeatureEnablement = initializeFeatures(true); mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement); - const defaultCliVersion = await features.getDefaultCliVersion(variant); + const defaultCliVersion = + await features.getEnabledDefaultCliVersions(variant); t.deepEqual(defaultCliVersion, { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], toolsFeatureFlagsValid: false, }); }); @@ -529,10 +541,13 @@ for (const variant of [GitHubVariant.DOTCOM, GitHubVariant.GHEC_DR]) { ] = true; mockFeatureFlagApiEndpoint(200, expectedFeatureEnablement); - const defaultCliVersion = await features.getDefaultCliVersion(variant); + const defaultCliVersion = + await features.getEnabledDefaultCliVersions(variant); t.deepEqual(defaultCliVersion, { - cliVersion: "2.20.1", - tagName: "codeql-bundle-v2.20.1", + enabledVersions: [ + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ], toolsFeatureFlagsValid: true, }); diff --git a/src/feature-flags.ts b/src/feature-flags.ts index b9afbb8499..d6a6ba7bb4 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts @@ -29,9 +29,27 @@ const DEFAULT_VERSION_FEATURE_FLAG_SUFFIX = "_enabled"; */ export const CODEQL_VERSION_ZSTD_BUNDLE = "2.19.0"; -export interface CodeQLDefaultVersionInfo { +export interface CodeQLVersionInfo { + /** The version number of the CodeQL CLI, e.g. `2.19.0`. */ cliVersion: string; + /** + * The tag name of the CodeQL Bundle associated with this version, e.g. `codeql-bundle-v2.19.0`. + */ tagName: string; +} + +export interface CodeQLDefaultVersionInfo { + /** + * CodeQL CLI versions that are enabled as defaults, sorted from highest to lowest. + * + * Guaranteed to be non-empty. When feature flags are unavailable, this falls back to a single + * entry containing the version pinned in `defaults.json`. + */ + enabledVersions: CodeQLVersionInfo[]; + /** + * If accessed, whether the tools feature flags are valid, i.e. contain at least one enabled + * version. + */ toolsFeatureFlagsValid?: boolean; } @@ -358,8 +376,12 @@ export type FeatureWithoutCLI = { }[keyof typeof featureConfig]; export interface FeatureEnablement { - /** Gets the default version of the CodeQL tools. */ - getDefaultCliVersion( + /** + * Returns the set of default CodeQL CLI versions to consider, sorted from + * highest to lowest. The first entry is the version that the CodeQL Action + * will use by default. The list is always non-empty. + */ + getEnabledDefaultCliVersions( variant: util.GitHubVariant, ): Promise; getValue(feature: FeatureWithoutCLI): Promise; @@ -383,12 +405,16 @@ export const FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json"; class OfflineFeatures implements FeatureEnablement { constructor(protected readonly logger: Logger) {} - async getDefaultCliVersion( + async getEnabledDefaultCliVersions( _variant: util.GitHubVariant, ): Promise { return { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }; } @@ -530,13 +556,13 @@ class Features extends OfflineFeatures { ); } - async getDefaultCliVersion( + async getEnabledDefaultCliVersions( variant: util.GitHubVariant, ): Promise { if (supportsFeatureFlags(variant)) { - return await this.gitHubFeatureFlags.getDefaultCliVersionFromFlags(); + return await this.gitHubFeatureFlags.getEnabledDefaultCliVersionsFromFlags(); } - return super.getDefaultCliVersion(variant); + return super.getEnabledDefaultCliVersions(variant); } /** @@ -612,16 +638,22 @@ class GitHubFeatureFlags { return version; } - async getDefaultCliVersionFromFlags(): Promise { + /** + * Returns CLI versions enabled by `default_codeql_version_*_enabled` feature + * flags, sorted from highest to lowest. Falls back to the version pinned in + * `defaults.json` if no such flags are enabled. + */ + async getEnabledDefaultCliVersionsFromFlags(): Promise { const response = await this.getAllFeatures(); - const enabledFeatureFlagCliVersions = Object.entries(response) + const sortedCliVersions = Object.entries(response) .map(([f, isEnabled]) => isEnabled ? this.getCliVersionFromFeatureFlag(f) : undefined, ) - .filter((f): f is string => f !== undefined); + .filter((f): f is string => f !== undefined) + .sort(semver.rcompare); - if (enabledFeatureFlagCliVersions.length === 0) { + if (sortedCliVersions.length === 0) { // We expect at least one default CLI version to be enabled on Dotcom at any time. However if // the feature flags are misconfigured, rather than crashing, we fall back to the CLI version // shipped with the Action in defaults.json. This has the effect of immediately rolling out @@ -637,8 +669,12 @@ class GitHubFeatureFlags { `shipped with the Action. This is ${defaults.cliVersion}.`, ); const result: CodeQLDefaultVersionInfo = { - cliVersion: defaults.cliVersion, - tagName: defaults.bundleVersion, + enabledVersions: [ + { + cliVersion: defaults.cliVersion, + tagName: defaults.bundleVersion, + }, + ], }; if (this.hasAccessedRemoteFeatureFlags) { result.toolsFeatureFlagsValid = false; @@ -646,17 +682,14 @@ class GitHubFeatureFlags { return result; } - const maxCliVersion = enabledFeatureFlagCliVersions.reduce( - (maxVersion, currentVersion) => - currentVersion > maxVersion ? currentVersion : maxVersion, - enabledFeatureFlagCliVersions[0], - ); this.logger.debug( - `Derived default CLI version of ${maxCliVersion} from feature flags.`, + `Derived default CLI version of ${sortedCliVersions[0]} from feature flags.`, ); return { - cliVersion: maxCliVersion, - tagName: `codeql-bundle-v${maxCliVersion}`, + enabledVersions: sortedCliVersions.map((cliVersion) => ({ + cliVersion, + tagName: `codeql-bundle-v${cliVersion}`, + })), toolsFeatureFlagsValid: true, }; } diff --git a/src/init-action.ts b/src/init-action.ts index 859dcefa2c..3d599d5452 100644 --- a/src/init-action.ts +++ b/src/init-action.ts @@ -298,9 +298,8 @@ async function run(startedAt: Date) { ); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type, - ); + const codeQLDefaultVersionInfo = + await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), diff --git a/src/setup-codeql-action.ts b/src/setup-codeql-action.ts index bd504f3fd3..34d5d76aa8 100644 --- a/src/setup-codeql-action.ts +++ b/src/setup-codeql-action.ts @@ -136,9 +136,8 @@ async function run(startedAt: Date): Promise { if (statusReportBase !== undefined) { await sendStatusReport(statusReportBase); } - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type, - ); + const codeQLDefaultVersionInfo = + await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index 555352bd21..c35bd1d9d9 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -514,7 +514,10 @@ const toolcacheInputFallbackMacro = test.macro({ // Check that `sourceType` and `toolsVersion` match expectations. t.is(source.sourceType, "download"); - t.is(source.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion); + t.is( + source.toolsVersion, + SAMPLE_DEFAULT_CLI_VERSION.enabledVersions[0].cliVersion, + ); // Check that key messages we would expect to find in the log are present. for (const expectedMessage of expectedMessages) { diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 4ca3302f95..41eb7f1e46 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -438,8 +438,8 @@ export async function getCodeQLSource( } } - cliVersion = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } } else if (toolsInput !== undefined) { // If a tools URL was provided, then use that. @@ -455,8 +455,8 @@ export async function getCodeQLSource( } } else { // Otherwise, use the default CLI version passed in. - cliVersion = defaultCliVersion.cliVersion; - tagName = defaultCliVersion.tagName; + cliVersion = defaultCliVersion.enabledVersions[0].cliVersion; + tagName = defaultCliVersion.enabledVersions[0].tagName; } const bundleVersion = diff --git a/src/start-proxy.test.ts b/src/start-proxy.test.ts index 621b8d499e..a9d8be8943 100644 --- a/src/start-proxy.test.ts +++ b/src/start-proxy.test.ts @@ -1019,8 +1019,10 @@ test.serial( return true; }); const getDefaultCliVersion = sinon - .stub(features, "getDefaultCliVersion") - .resolves({ cliVersion: "2.20.1", tagName: expectedTag }); + .stub(features, "getEnabledDefaultCliVersions") + .resolves({ + enabledVersions: [{ cliVersion: "2.20.1", tagName: expectedTag }], + }); const path = await startProxyExports.getProxyBinaryPath(logger, features); t.assert(getDefaultCliVersion.calledOnce); diff --git a/src/start-proxy.ts b/src/start-proxy.ts index 1013ae3868..d6111510f6 100644 --- a/src/start-proxy.ts +++ b/src/start-proxy.ts @@ -415,7 +415,7 @@ async function getCliVersionFromFeatures( features: FeatureEnablement, ): Promise { const gitHubVersion = await getGitHubVersion(); - return await features.getDefaultCliVersion(gitHubVersion.type); + return await features.getEnabledDefaultCliVersions(gitHubVersion.type); } /** @@ -440,7 +440,7 @@ export async function getDownloadUrl( // Retrieve information about the CLI version we should use. This will be either the linked // version, or the one enabled by FFs. const versionInfo = useFeaturesToDetermineCLI - ? await getCliVersionFromFeatures(features) + ? (await getCliVersionFromFeatures(features)).enabledVersions[0] : { cliVersion: defaults.cliVersion, tagName: defaults.bundleVersion, diff --git a/src/testing-utils.ts b/src/testing-utils.ts index fcb7149b56..29966c1adc 100644 --- a/src/testing-utils.ts +++ b/src/testing-utils.ts @@ -36,16 +36,20 @@ export const SAMPLE_DOTCOM_API_DETAILS = { apiURL: "https://api.github.com", }; -export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = { - cliVersion: "2.20.0", - tagName: "codeql-bundle-v2.20.0", -}; - export const LINKED_CLI_VERSION = { cliVersion: defaults.cliVersion, tagName: defaults.bundleVersion, }; +export const SAMPLE_DEFAULT_CLI_VERSION: CodeQLDefaultVersionInfo = { + enabledVersions: [ + { + cliVersion: "2.20.0", + tagName: "codeql-bundle-v2.20.0", + }, + ], +}; + type TestContext = { stdoutWrite: any; stderrWrite: any; @@ -442,7 +446,7 @@ export function mockCodeQLVersion( */ export function createFeatures(enabledFeatures: Feature[]): FeatureEnablement { return { - getDefaultCliVersion: async () => { + getEnabledDefaultCliVersions: async () => { throw new Error("not implemented"); }, getValue: async (feature) => { diff --git a/src/upload-lib.ts b/src/upload-lib.ts index 2464fe5eaa..e4230b6f9a 100644 --- a/src/upload-lib.ts +++ b/src/upload-lib.ts @@ -156,9 +156,8 @@ async function combineSarifFilesUsingCLI( apiURL: getRequiredEnvParam("GITHUB_API_URL"), }; - const codeQLDefaultVersionInfo = await features.getDefaultCliVersion( - gitHubVersion.type, - ); + const codeQLDefaultVersionInfo = + await features.getEnabledDefaultCliVersions(gitHubVersion.type); const initCodeQLResult = await initCodeQL( undefined, // There is no tools input on the upload action From 55d6319f962eaad44a2f20b6bacf0ed4cac7d20a Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 6 May 2026 17:42:31 +0100 Subject: [PATCH 3/5] Match CLI version to cached overlay-base database --- lib/analyze-action-post.js | 108 +++--- lib/analyze-action.js | 532 +++++++++++++++++++----------- lib/autobuild-action.js | 100 +++--- lib/init-action-post.js | 444 +++++++++++++++++-------- lib/init-action.js | 530 ++++++++++++++++++----------- lib/resolve-environment-action.js | 100 +++--- lib/setup-codeql-action.js | 418 +++++++++++++++++------ lib/start-proxy-action-post.js | 108 +++--- lib/upload-lib.js | 402 ++++++++++++++++------ lib/upload-sarif-action-post.js | 108 +++--- lib/upload-sarif-action.js | 402 ++++++++++++++++------ src/codeql.test.ts | 10 + src/codeql.ts | 3 + src/init-action.ts | 4 + src/init.ts | 2 + src/setup-codeql-action.ts | 1 + src/setup-codeql.test.ts | 161 +++++++++ src/setup-codeql.ts | 104 +++++- src/upload-lib.ts | 1 + 19 files changed, 2437 insertions(+), 1101 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index fe1995a459..95609b3a24 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -51958,7 +51958,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs9 = __importStar2(require("fs")); var path9 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var path9 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -99856,7 +99856,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path9 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs9.existsSync(cachePath) && fs9.existsSync(`${cachePath}.complete`)) { @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); @@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs9.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -108004,7 +108004,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -108014,9 +108014,9 @@ var require_stream_writable = __commonJS({ if (er) { stream.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; @@ -162985,20 +162985,26 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/tracer-config.ts @@ -163595,7 +163601,7 @@ var core12 = __toESM(require_core()); // src/dependency-caching.ts var import_path = require("path"); -var actionsCache3 = __toESM(require_cache5()); +var actionsCache4 = __toESM(require_cache5()); var glob = __toESM(require_glob()); function getJavaTempDependencyDir() { return (0, import_path.join)(getTemporaryDirectory(), "codeql_java", "repository"); diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 5801253939..f94d5a0dc7 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -107131,6 +107131,32 @@ var persistInputs = function() { ); core4.saveState(persistedInputsKey, JSON.stringify(inputEnvironmentVariables)); }; +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -107227,7 +107253,7 @@ var SarifScanOrder = [ ]; // src/analyze.ts -var fs13 = __toESM(require("fs")); +var fs14 = __toESM(require("fs")); var path12 = __toESM(require("path")); var import_perf_hooks2 = require("perf_hooks"); var io5 = __toESM(require_io()); @@ -107511,7 +107537,7 @@ function wrapApiConfigurationError(e) { } // src/codeql.ts -var fs12 = __toESM(require("fs")); +var fs13 = __toESM(require("fs")); var path11 = __toESM(require("path")); var core11 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); @@ -108868,6 +108894,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache5()); @@ -109080,11 +109117,11 @@ function getPrimaryAnalysisConfig(config) { } // src/setup-codeql.ts -var fs10 = __toESM(require("fs")); +var fs11 = __toESM(require("fs")); var path9 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; @@ -109130,14 +109167,203 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var fs8 = __toESM(require("fs")); +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION2 = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +var MAX_CACHE_OPERATION_MS2 = 6e5; +async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { + const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); + if (!fs8.existsSync(baseDatabaseOidsFilePath)) { + logger.warning( + `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` + ); + return false; + } + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.debug( + `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } + return true; +} +async function cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger) { + const overlayDatabaseMode = config.overlayDatabaseMode; + if (overlayDatabaseMode !== "overlay-base" /* OverlayBase */) { + logger.debug( + `Overlay database mode is ${overlayDatabaseMode}. Skip uploading overlay-base database to cache.` + ); + return false; + } + if (!config.useOverlayDatabaseCaching) { + logger.debug( + "Overlay database caching is disabled. Skip uploading overlay-base database to cache." + ); + return false; + } + if (isInTestMode()) { + logger.debug( + "In test mode. Skip uploading overlay-base database to cache." + ); + return false; + } + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, + config, + logger, + "Abort uploading overlay-base database to cache" + ); + if (!databaseIsValid) { + return false; + } + await withGroupAsync("Cleaning up databases", async () => { + await codeql.databaseCleanupCluster(config, "overlay" /* Overlay */); + }); + const dbLocation = config.dbLocation; + const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); + if (databaseSizeBytes === void 0) { + logger.warning( + "Failed to determine database size. Skip uploading overlay-base database to cache." + ); + return false; + } + if (databaseSizeBytes > OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES) { + const databaseSizeMB = Math.round(databaseSizeBytes / 1e6); + logger.warning( + `Database size (${databaseSizeMB} MB) exceeds maximum upload size (${OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB} MB). Skip uploading overlay-base database to cache.` + ); + return false; + } + const codeQlVersion = (await codeql.getVersion()).version; + const checkoutPath = getRequiredInput("checkout_path"); + const cacheSaveKey = await getCacheSaveKey( + config, + codeQlVersion, + checkoutPath, + logger + ); + logger.info( + `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}` + ); + try { + const cacheId = await waitForResultWithTimeLimit( + MAX_CACHE_OPERATION_MS2, + actionsCache3.saveCache([dbLocation], cacheSaveKey), + () => { + } + ); + if (cacheId === void 0) { + logger.warning("Timed out while uploading overlay-base database"); + return false; + } + } catch (error3) { + logger.warning( + `Failed to upload overlay-base database to cache: ${error3 instanceof Error ? error3.message : String(error3)}` + ); + return false; + } + logger.info(`Successfully uploaded overlay-base database from ${dbLocation}`); + return true; +} +async function getCacheSaveKey(config, codeQlVersion, checkoutPath, logger) { + let runId = 1; + let attemptId = 1; + try { + runId = getWorkflowRunID(); + attemptId = getWorkflowRunAttempt(); + } catch (e) { + logger.warning( + `Failed to get workflow run ID or attempt ID. Reason: ${getErrorMessage(e)}` + ); + } + const sha = await getCommitOid(checkoutPath); + const restoreKeyPrefix = await getCacheRestoreKeyPrefix( + config, + codeQlVersion + ); + return `${restoreKeyPrefix}${sha}-${runId}-${attemptId}`; +} +async function getCacheRestoreKeyPrefix(config, codeQlVersion) { + return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; +} +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); -var fs8 = __toESM(require("fs")); +var fs9 = __toESM(require("fs")); var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -109179,9 +109405,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -109190,7 +109416,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -109205,7 +109431,7 @@ async function isZstdAvailable(logger) { } } async function extract(tarPath, dest, compressionMethod, tarVersion, logger) { - fs8.mkdirSync(dest, { recursive: true }); + fs9.mkdirSync(dest, { recursive: true }); switch (compressionMethod) { case "gzip": return await toolcache.extractTar(tarPath, dest); @@ -109289,7 +109515,7 @@ function inferCompressionMethod(tarPath) { } // src/tools-download.ts -var fs9 = __toESM(require("fs")); +var fs10 = __toESM(require("fs")); var os2 = __toESM(require("os")); var path8 = __toESM(require("path")); var import_perf_hooks = require("perf_hooks"); @@ -109297,7 +109523,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -109396,7 +109622,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat }; } async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) { - fs9.mkdirSync(dest, { recursive: true }); + fs10.mkdirSync(dest, { recursive: true }); const agent = new import_http_client.HttpClient().getAgent(codeqlURL); headers = Object.assign( { "User-Agent": "CodeQL Action" }, @@ -109427,13 +109653,13 @@ function getToolcacheDirectory(version) { return path8.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os2.arch() || "" ); } function writeToolcacheMarkerFile(extractedPath, logger) { const markerFilePath = `${extractedPath}.complete`; - fs9.writeFileSync(markerFilePath, ""); + fs10.writeFileSync(markerFilePath, ""); logger.info(`Created toolcache marker file ${markerFilePath}`); } function sanitizeUrlForStatusReport(url2) { @@ -109552,13 +109778,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } @@ -109568,7 +109794,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({ folder: toolcache3.find("CodeQL", version), version - })).filter(({ folder }) => fs10.existsSync(path9.join(folder, "pinned-version"))); + })).filter(({ folder }) => fs11.existsSync(path9.join(folder, "pinned-version"))); if (candidates.length === 1) { const candidate = candidates[0]; logger.debug( @@ -109590,7 +109816,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -109684,21 +109958,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -109895,7 +110181,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -109905,6 +110191,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -109963,7 +110250,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -109995,7 +110282,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -110015,7 +110302,7 @@ function isReservedToolsValue(tools) { } // src/tracer-config.ts -var fs11 = __toESM(require("fs")); +var fs12 = __toESM(require("fs")); var path10 = __toESM(require("path")); async function shouldEnableIndirectTracing(codeql, config) { if (config.buildMode === "none" /* None */) { @@ -110035,14 +110322,14 @@ async function endTracingForCluster(codeql, config, logger) { config.dbLocation, "temp/tracingEnvironment/end-tracing.json" ); - if (!fs11.existsSync(envVariablesFile)) { + if (!fs12.existsSync(envVariablesFile)) { throw new Error( `Environment file for ending tracing not found: ${envVariablesFile}` ); } try { const endTracingEnvVariables = JSON.parse( - fs11.readFileSync(envVariablesFile, "utf8") + fs12.readFileSync(envVariablesFile, "utf8") ); for (const [key, value] of Object.entries(endTracingEnvVariables)) { if (value !== null) { @@ -110065,7 +110352,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -110079,6 +110366,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -110154,7 +110442,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { "tools", "tracing-config.lua" ); - return fs12.existsSync(tracingConfigPath); + return fs13.existsSync(tracingConfigPath); }, async isScannedLanguage(language) { return !await this.isTracedLanguage(language); @@ -110630,7 +110918,7 @@ async function writeCodeScanningConfigFile(config, logger) { logger.startGroup("Augmented user configuration file contents"); logger.info(dump(augmentedConfig)); logger.endGroup(); - fs12.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); + fs13.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; @@ -110722,7 +111010,7 @@ async function runAutobuild(config, language, logger) { // src/dependency-caching.ts var os3 = __toESM(require("os")); var import_path2 = require("path"); -var actionsCache3 = __toESM(require_cache5()); +var actionsCache4 = __toESM(require_cache5()); var glob = __toESM(require_glob()); var CODEQL_DEPENDENCY_CACHE_PREFIX = "codeql-dependencies"; var CODEQL_DEPENDENCY_CACHE_VERSION = 1; @@ -110860,7 +111148,7 @@ async function uploadDependencyCaches(codeql, features, config, logger) { ); try { const start = performance.now(); - await actionsCache3.saveCache( + await actionsCache4.saveCache( await cacheConfig.getDependencyPaths(codeql, features), key ); @@ -110872,7 +111160,7 @@ async function uploadDependencyCaches(codeql, features, config, logger) { upload_duration_ms }); } catch (error3) { - if (error3 instanceof actionsCache3.ReserveCacheError) { + if (error3 instanceof actionsCache4.ReserveCacheError) { logger.info( `Not uploading cache for ${language}, because ${key} is already in use.` ); @@ -110980,7 +111268,7 @@ function dbIsFinalized(config, language, logger) { const dbPath = getCodeQLDatabasePath(config, language); try { const dbInfo = load( - fs13.readFileSync(path12.resolve(dbPath, "codeql-database.yml"), "utf8") + fs14.readFileSync(path12.resolve(dbPath, "codeql-database.yml"), "utf8") ); return !("inProgress" in dbInfo); } catch { @@ -111065,8 +111353,8 @@ function writeDiffRangeDataExtensionPack(logger, ranges, checkoutPath) { ranges = [{ path: "", startLine: 0, endLine: 0 }]; } const diffRangeDir = path12.join(getTemporaryDirectory(), "pr-diff-range"); - fs13.mkdirSync(diffRangeDir, { recursive: true }); - fs13.writeFileSync( + fs14.mkdirSync(diffRangeDir, { recursive: true }); + fs14.writeFileSync( path12.join(diffRangeDir, "qlpack.yml"), ` name: codeql-action/pr-diff-range @@ -111083,7 +111371,7 @@ dataExtensions: checkoutPath ); const extensionFilePath = path12.join(diffRangeDir, "pr-diff-range.yml"); - fs13.writeFileSync(extensionFilePath, extensionContents); + fs14.writeFileSync(extensionFilePath, extensionContents); logger.debug( `Wrote pr-diff-range extension pack to ${extensionFilePath}: ${extensionContents}` @@ -111235,7 +111523,7 @@ async function runQueries(sarifFolder, memoryFlag, threadsFlag, diffRangePackDir } function getPerQueryAlertCounts(sarifPath) { const sarifObject = JSON.parse( - fs13.readFileSync(sarifPath, "utf8") + fs14.readFileSync(sarifPath, "utf8") ); const perQueryAlertCounts = {}; for (const sarifRun of sarifObject.runs) { @@ -111253,13 +111541,13 @@ async function runQueries(sarifFolder, memoryFlag, threadsFlag, diffRangePackDir } async function runFinalize(features, outputDir, threadsFlag, memoryFlag, codeql, config, logger) { try { - await fs13.promises.rm(outputDir, { force: true, recursive: true }); + await fs14.promises.rm(outputDir, { force: true, recursive: true }); } catch (error3) { if (error3?.code !== "ENOENT") { throw error3; } } - await fs13.promises.mkdir(outputDir, { recursive: true }); + await fs14.promises.mkdir(outputDir, { recursive: true }); const timings = await finalizeDatabaseCreation( codeql, features, @@ -111303,7 +111591,7 @@ async function warnIfGoInstalledAfterInit(config, logger) { } // src/database-upload.ts -var fs14 = __toESM(require("fs")); +var fs15 = __toESM(require("fs")); async function cleanupAndUploadDatabases(repositoryNwo, codeql, config, apiDetails, features, logger) { if (getRequiredInput("upload-database") !== "true") { logger.debug("Database upload disabled in workflow. Skipping upload."); @@ -111339,7 +111627,7 @@ async function cleanupAndUploadDatabases(repositoryNwo, codeql, config, apiDetai const bundledDb = await bundleDb(config, language, codeql, language, { includeDiagnostics: false }); - bundledDbSize = fs14.statSync(bundledDb).size; + bundledDbSize = fs15.statSync(bundledDb).size; const commitOid = await getCommitOid( getRequiredInput("checkout_path") ); @@ -111402,7 +111690,7 @@ async function uploadBundledDatabase(repositoryNwo, language, commitOid, bundled if (uploadsBaseUrl.endsWith("/")) { uploadsBaseUrl = uploadsBaseUrl.slice(0, -1); } - const bundledDbReadStream = fs14.createReadStream(bundledDb); + const bundledDbReadStream = fs15.createReadStream(bundledDb); try { const startTime = performance.now(); await client.request( @@ -111432,151 +111720,6 @@ async function uploadBundledDatabase(repositoryNwo, language, commitOid, bundled } } -// src/overlay/caching.ts -var fs15 = __toESM(require("fs")); -var actionsCache4 = __toESM(require_cache5()); -var semver9 = __toESM(require_semver2()); -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; -var CACHE_VERSION2 = 1; -var CACHE_PREFIX = "codeql-overlay-base-database"; -var MAX_CACHE_OPERATION_MS2 = 6e5; -async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { - const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); - if (!fs15.existsSync(baseDatabaseOidsFilePath)) { - logger.warning( - `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` - ); - return false; - } - for (const language of config.languages) { - const dbPath = getCodeQLDatabasePath(config, language); - try { - const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); - if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { - logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); - return false; - } else { - logger.debug( - `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` - ); - } - } catch (e) { - logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); - return false; - } - } - return true; -} -async function cleanupAndUploadOverlayBaseDatabaseToCache(codeql, config, logger) { - const overlayDatabaseMode = config.overlayDatabaseMode; - if (overlayDatabaseMode !== "overlay-base" /* OverlayBase */) { - logger.debug( - `Overlay database mode is ${overlayDatabaseMode}. Skip uploading overlay-base database to cache.` - ); - return false; - } - if (!config.useOverlayDatabaseCaching) { - logger.debug( - "Overlay database caching is disabled. Skip uploading overlay-base database to cache." - ); - return false; - } - if (isInTestMode()) { - logger.debug( - "In test mode. Skip uploading overlay-base database to cache." - ); - return false; - } - const databaseIsValid = await checkOverlayBaseDatabase( - codeql, - config, - logger, - "Abort uploading overlay-base database to cache" - ); - if (!databaseIsValid) { - return false; - } - await withGroupAsync("Cleaning up databases", async () => { - await codeql.databaseCleanupCluster(config, "overlay" /* Overlay */); - }); - const dbLocation = config.dbLocation; - const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); - if (databaseSizeBytes === void 0) { - logger.warning( - "Failed to determine database size. Skip uploading overlay-base database to cache." - ); - return false; - } - if (databaseSizeBytes > OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES) { - const databaseSizeMB = Math.round(databaseSizeBytes / 1e6); - logger.warning( - `Database size (${databaseSizeMB} MB) exceeds maximum upload size (${OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB} MB). Skip uploading overlay-base database to cache.` - ); - return false; - } - const codeQlVersion = (await codeql.getVersion()).version; - const checkoutPath = getRequiredInput("checkout_path"); - const cacheSaveKey = await getCacheSaveKey( - config, - codeQlVersion, - checkoutPath, - logger - ); - logger.info( - `Uploading overlay-base database to Actions cache with key ${cacheSaveKey}` - ); - try { - const cacheId = await waitForResultWithTimeLimit( - MAX_CACHE_OPERATION_MS2, - actionsCache4.saveCache([dbLocation], cacheSaveKey), - () => { - } - ); - if (cacheId === void 0) { - logger.warning("Timed out while uploading overlay-base database"); - return false; - } - } catch (error3) { - logger.warning( - `Failed to upload overlay-base database to cache: ${error3 instanceof Error ? error3.message : String(error3)}` - ); - return false; - } - logger.info(`Successfully uploaded overlay-base database from ${dbLocation}`); - return true; -} -async function getCacheSaveKey(config, codeQlVersion, checkoutPath, logger) { - let runId = 1; - let attemptId = 1; - try { - runId = getWorkflowRunID(); - attemptId = getWorkflowRunAttempt(); - } catch (e) { - logger.warning( - `Failed to get workflow run ID or attempt ID. Reason: ${getErrorMessage(e)}` - ); - } - const sha = await getCommitOid(checkoutPath); - const restoreKeyPrefix = await getCacheRestoreKeyPrefix( - config, - codeQlVersion - ); - return `${restoreKeyPrefix}${sha}-${runId}-${attemptId}`; -} -async function getCacheRestoreKeyPrefix(config, codeQlVersion) { - return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; -} -async function getCacheKeyPrefixBase(parsedLanguages) { - const languagesComponent = [...parsedLanguages].sort().join("_"); - const cacheKeyComponents = { - automationID: await getAutomationID() - // Add more components here as needed in the future - }; - const componentsHash = createCacheKeyHash(cacheKeyComponents); - return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; -} - // src/status-report.ts var os4 = __toESM(require("os")); var core13 = __toESM(require_core()); @@ -112919,7 +113062,7 @@ var core14 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io6 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -112933,6 +113076,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -113089,6 +113233,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index bff71e9b74..4e1a75aac4 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -51958,7 +51958,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs8 = __importStar2(require("fs")); var path9 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var path9 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -99856,7 +99856,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path9 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path9.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs8.existsSync(cachePath) && fs8.existsSync(`${cachePath}.complete`)) { @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io5.rmRF(folderPath); @@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path9.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path9.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs8.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -105375,20 +105375,26 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/tracer-config.ts diff --git a/lib/init-action-post.js b/lib/init-action-post.js index ca42109527..4ed2d691b0 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var os4 = __importStar2(require("os")); var utils_1 = require_utils(); @@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4262,11 +4262,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -4539,7 +4539,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4554,7 +4554,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -5618,8 +5618,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17023,13 +17023,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17042,7 +17042,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17114,9 +17114,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { @@ -17136,7 +17136,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17166,7 +17166,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -25260,11 +25260,11 @@ var require_util10 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl2(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -25537,7 +25537,7 @@ var require_util10 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -25552,7 +25552,7 @@ var require_util10 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -26616,8 +26616,8 @@ var require_body2 = __commonJS({ var { multipartFormDataParser } = require_formdata_parser2(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -38021,13 +38021,13 @@ var require_frame2 = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants10(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -38040,7 +38040,7 @@ var require_frame2 = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -38112,9 +38112,9 @@ var require_connection2 = __commonJS({ var { Headers, getHeadersList } = require_headers2(); var { getDecodeSplit } = require_util10(); var { WebsocketFrameSend } = require_frame2(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { @@ -38134,7 +38134,7 @@ var require_connection2 = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -38164,7 +38164,7 @@ var require_connection2 = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare2 = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -50550,7 +50550,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles2; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core19 = __importStar2(require_core()); var fs21 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -50563,7 +50563,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core19.info : core19.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { @@ -50579,7 +50579,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash2 = crypto2.createHash("sha256"); + const hash2 = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs21.createReadStream(file), hash2); result.write(hash2.digest()); @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -51955,10 +51955,10 @@ var require_cacheUtils = __commonJS({ var exec3 = __importStar2(require_exec()); var glob2 = __importStar2(require_glob()); var io7 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var path19 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -51979,7 +51979,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path19.join(baseLocation, "actions", "temp"); } - const dest = path19.join(tempDirectory, crypto2.randomUUID()); + const dest = path19.join(tempDirectory, crypto3.randomUUID()); yield io7.mkdirP(dest); return dest; }); @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core19.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -52087,7 +52087,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core19 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core19 = __importStar2(require_core()); var path19 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core19.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core19.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os4 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -99850,13 +99850,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core19 = __importStar2(require_core()); var io7 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os4 = __importStar2(require("os")); var path19 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -99875,7 +99875,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url2, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path19.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path19.join(_getTempDirectory(), crypto3.randomUUID()); yield io7.mkdirP(path19.dirname(dest)); core19.debug(`Downloading ${url2}`); core19.debug(`Destination ${dest}`); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os4.arch(); core19.debug(`Caching tool ${tool} ${version} ${arch2}`); core19.debug(`source dir: ${sourceDir}`); @@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os4.arch(); core19.debug(`Caching tool ${tool} ${version} ${arch2}`); core19.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path19.join(_getCacheDirectory(), toolName, versionSpec, arch2); core19.debug(`checking cache: ${cachePath}`); if (fs21.existsSync(cachePath) && fs21.existsSync(`${cachePath}.complete`)) { @@ -100249,7 +100249,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path19.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path19.join(_getTempDirectory(), crypto3.randomUUID()); } yield io7.mkdirP(dest); return dest; @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path19.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path19.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core19.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io7.rmRF(folderPath); @@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path19.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path19.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs21.writeFileSync(markerPath, ""); core19.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core19.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core19.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core19.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core19.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -103730,7 +103730,7 @@ var require_blob_upload = __commonJS({ var storage_blob_1 = require_commonjs15(); var config_1 = require_config2(); var core19 = __importStar2(require_core()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var stream2 = __importStar2(require("stream")); var errors_1 = require_errors4(); function uploadZipToBlobStorage(authenticatedUploadURL, zipUploadStream) { @@ -103768,7 +103768,7 @@ var require_blob_upload = __commonJS({ }; let sha256Hash = void 0; const uploadStream = new stream2.PassThrough(); - const hashStream = crypto2.createHash("sha256"); + const hashStream = crypto3.createHash("sha256"); zipUploadStream.pipe(uploadStream); zipUploadStream.pipe(hashStream).setEncoding("hex"); core19.info("Beginning upload of artifact content to blob storage"); @@ -108004,7 +108004,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream2, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -108014,9 +108014,9 @@ var require_stream_writable = __commonJS({ if (er) { stream2.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; @@ -132571,11 +132571,11 @@ var require_util25 = __commonJS({ var assert = require("assert"); var { isUint8Array } = require("util/types"); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("crypto"); + crypto3 = require("crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -132852,7 +132852,7 @@ var require_util25 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -132867,7 +132867,7 @@ var require_util25 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -134213,8 +134213,8 @@ var require_body3 = __commonJS({ var { parseMIMEType, serializeAMimeType } = require_dataURL(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -145264,9 +145264,9 @@ var require_connection3 = __commonJS({ channels.open = diagnosticsChannel.channel("undici:websocket:open"); channels.close = diagnosticsChannel.channel("undici:websocket:close"); channels.socketError = diagnosticsChannel.channel("undici:websocket:socket_error"); - var crypto2; + var crypto3; try { - crypto2 = require("crypto"); + crypto3 = require("crypto"); } catch { } function establishWebSocketConnection(url2, protocols, ws, onEstablish, options) { @@ -145285,7 +145285,7 @@ var require_connection3 = __commonJS({ const headersList = new Headers(options.headers)[kHeadersList]; request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -145314,7 +145314,7 @@ var require_connection3 = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -145394,9 +145394,9 @@ var require_frame3 = __commonJS({ "node_modules/undici/lib/websocket/frame.js"(exports2, module2) { "use strict"; var { maxUnsigned16Bit } = require_constants24(); - var crypto2; + var crypto3; try { - crypto2 = require("crypto"); + crypto3 = require("crypto"); } catch { } var WebsocketFrameSend = class { @@ -145405,7 +145405,7 @@ var require_frame3 = __commonJS({ */ constructor(data) { this.frameData = data; - this.maskKey = crypto2.randomBytes(4); + this.maskKey = crypto3.randomBytes(4); } createFrame(opcode) { const bodyLength = this.frameData?.byteLength ?? 0; @@ -152794,7 +152794,7 @@ var require_download_artifact = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.downloadArtifactInternal = exports2.downloadArtifactPublic = exports2.streamExtractExternal = void 0; var promises_1 = __importDefault2(require("fs/promises")); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var stream2 = __importStar2(require("stream")); var github4 = __importStar2(require_github2()); var core19 = __importStar2(require_core()); @@ -152855,7 +152855,7 @@ var require_download_artifact = __commonJS({ reject(timeoutError); }; const timer = setTimeout(timerFn, opts.timeout); - const hashStream = crypto2.createHash("sha256").setEncoding("hex"); + const hashStream = crypto3.createHash("sha256").setEncoding("hex"); const passThrough = new stream2.PassThrough(); response.message.pipe(passThrough); passThrough.pipe(hashStream); @@ -153884,7 +153884,7 @@ var require_file_command2 = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.prepareKeyValueMessage = exports2.issueFileCommand = void 0; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs21 = __importStar2(require("fs")); var os4 = __importStar2(require("os")); var utils_1 = require_utils12(); @@ -153902,7 +153902,7 @@ var require_file_command2 = __commonJS({ } exports2.issueFileCommand = issueFileCommand; function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -156659,7 +156659,7 @@ var require_tmp = __commonJS({ var fs21 = require("fs"); var os4 = require("os"); var path19 = require("path"); - var crypto2 = require("crypto"); + var crypto3 = require("crypto"); var _c = { fs: fs21.constants, os: os4.constants }; var RANDOM_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; var TEMPLATE_PATTERN = /XXXXXX/; @@ -156839,9 +156839,9 @@ var require_tmp = __commonJS({ function _randomChars(howMany) { let value = [], rnd = null; try { - rnd = crypto2.randomBytes(howMany); + rnd = crypto3.randomBytes(howMany); } catch (e) { - rnd = crypto2.pseudoRandomBytes(howMany); + rnd = crypto3.pseudoRandomBytes(howMany); } for (let i = 0; i < howMany; i++) { value.push(RANDOM_CHARS[rnd[i] % RANDOM_CHARS.length]); @@ -165103,6 +165103,32 @@ var restoreInputs = function() { } } }; +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -165326,6 +165352,11 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} function computeAutomationID(analysis_key, environment) { let automationID = `${analysis_key}/`; const matrix = parseMatrixInput(environment); @@ -165391,7 +165422,13 @@ function wrapApiConfigurationError(e) { } // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core6 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/codeql.ts var fs12 = __toESM(require("fs")); @@ -166791,6 +166828,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var fs7 = __toESM(require("fs")); @@ -166929,7 +166977,7 @@ var fs11 = __toESM(require("fs")); var path10 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; @@ -166975,6 +167023,67 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); var fs9 = __toESM(require("fs")); @@ -166982,7 +167091,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -167024,9 +167133,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -167035,7 +167144,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -167142,7 +167251,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -167272,7 +167381,7 @@ function getToolcacheDirectory(version) { return path9.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os.arch() || "" ); } @@ -167397,13 +167506,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } @@ -167435,7 +167544,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -167529,21 +167686,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -167740,7 +167909,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -167750,6 +167919,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -167808,7 +167978,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -167840,7 +168010,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -167877,7 +168047,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -167891,6 +168061,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -168502,7 +168673,7 @@ var io5 = __toESM(require_io()); var core12 = __toESM(require_core()); // src/dependency-caching.ts -var actionsCache3 = __toESM(require_cache5()); +var actionsCache4 = __toESM(require_cache5()); var glob = __toESM(require_glob()); var CODEQL_DEPENDENCY_CACHE_PREFIX = "codeql-dependencies"; async function getDependencyCacheUsage(logger) { @@ -170147,7 +170318,7 @@ var core14 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io6 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -170161,6 +170332,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -170317,6 +170489,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); @@ -170332,7 +170506,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo return readSarifFile(outputFile); } function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) { - const automationID = getAutomationID(category, analysis_key, environment); + const automationID = getAutomationID2(category, analysis_key, environment); if (automationID !== void 0) { for (const run2 of sarifFile.runs || []) { if (run2.automationDetails === void 0) { @@ -170345,7 +170519,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ } return sarifFile; } -function getAutomationID(category, analysis_key, environment) { +function getAutomationID2(category, analysis_key, environment) { if (category !== void 0) { let automationID = category; if (!automationID.endsWith("/")) { diff --git a/lib/init-action.js b/lib/init-action.js index 03ad45b9a4..c4310c848c 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -104817,6 +104817,18 @@ function computeAutomationID(analysis_key, environment) { } return automationID; } +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} async function getRepositoryProperties(repositoryNwo) { return getApiClient().request("GET /repos/:owner/:repo/properties/values", { owner: repositoryNwo.owner, @@ -106556,6 +106568,17 @@ var BuiltInLanguage = /* @__PURE__ */ ((BuiltInLanguage2) => { return BuiltInLanguage2; })(BuiltInLanguage || {}); var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/diagnostics.ts async function addOverlayDisablementDiagnostics(config, codeql, overlayDisabledReason) { @@ -107803,7 +107826,7 @@ var internal = { }; // src/init.ts -var fs15 = __toESM(require("fs")); +var fs16 = __toESM(require("fs")); var path15 = __toESM(require("path")); var core12 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); @@ -107811,7 +107834,7 @@ var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); // src/codeql.ts -var fs14 = __toESM(require("fs")); +var fs15 = __toESM(require("fs")); var path14 = __toESM(require("path")); var core11 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); @@ -108065,20 +108088,221 @@ function wrapCliConfigurationError(cliError) { } // src/setup-codeql.ts -var fs12 = __toESM(require("fs")); +var fs13 = __toESM(require("fs")); var path12 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var fs10 = __toESM(require("fs")); +var actionsCache4 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION2 = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +var MAX_CACHE_OPERATION_MS3 = 6e5; +async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { + const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); + if (!fs10.existsSync(baseDatabaseOidsFilePath)) { + logger.warning( + `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` + ); + return false; + } + for (const language of config.languages) { + const dbPath = getCodeQLDatabasePath(config, language); + try { + const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); + if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { + logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); + return false; + } else { + logger.debug( + `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` + ); + } + } catch (e) { + logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); + return false; + } + } + return true; +} +async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) { + const overlayDatabaseMode = config.overlayDatabaseMode; + if (overlayDatabaseMode !== "overlay" /* Overlay */) { + logger.debug( + `Overlay database mode is ${overlayDatabaseMode}. Skip downloading overlay-base database from cache.` + ); + return void 0; + } + if (!config.useOverlayDatabaseCaching) { + logger.debug( + "Overlay database caching is disabled. Skip downloading overlay-base database from cache." + ); + return void 0; + } + if (isInTestMode()) { + logger.debug( + "In test mode. Skip downloading overlay-base database from cache." + ); + return void 0; + } + const dbLocation = config.dbLocation; + const codeQlVersion = (await codeql.getVersion()).version; + const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix( + config, + codeQlVersion + ); + logger.info( + `Looking in Actions cache for overlay-base database with restore key ${cacheRestoreKeyPrefix}` + ); + let databaseDownloadDurationMs = 0; + try { + const databaseDownloadStart = performance.now(); + const foundKey = await waitForResultWithTimeLimit( + // This ten-minute limit for the cache restore operation is mainly to + // guard against the possibility that the cache service is unresponsive + // and hangs outside the data download. + // + // Data download (which is normally the most time-consuming part of the + // restore operation) should not run long enough to hit this limit. Even + // for an extremely large 10GB database, at a download speed of 40MB/s + // (see below), the download should complete within five minutes. If we + // do hit this limit, there are likely more serious problems other than + // mere slow download speed. + // + // This is important because we don't want any ongoing file operations + // on the database directory when we do hit this limit. Hitting this + // time limit takes us to a fallback path where we re-initialize the + // database from scratch at dbLocation, and having the cache restore + // operation continue to write into dbLocation in the background would + // really mess things up. We want to hit this limit only in the case + // of a hung cache service, not just slow download speed. + MAX_CACHE_OPERATION_MS3, + actionsCache4.restoreCache( + [dbLocation], + cacheRestoreKeyPrefix, + void 0, + { + // Azure SDK download (which is the default) uses 128MB segments; see + // https://github.com/actions/toolkit/blob/main/packages/cache/README.md. + // Setting segmentTimeoutInMs to 3000 translates to segment download + // speed of about 40 MB/s, which should be achievable unless the + // download is unreliable (in which case we do want to abort). + segmentTimeoutInMs: 3e3 + } + ), + () => { + logger.info("Timed out downloading overlay-base database from cache"); + } + ); + databaseDownloadDurationMs = Math.round( + performance.now() - databaseDownloadStart + ); + if (foundKey === void 0) { + logger.info("No overlay-base database found in Actions cache"); + return void 0; + } + logger.info( + `Downloaded overlay-base database in cache with key ${foundKey}` + ); + } catch (error3) { + logger.warning( + `Failed to download overlay-base database from cache: ${error3 instanceof Error ? error3.message : String(error3)}` + ); + return void 0; + } + const databaseIsValid = await checkOverlayBaseDatabase( + codeql, + config, + logger, + "Downloaded overlay-base database is invalid" + ); + if (!databaseIsValid) { + logger.warning("Downloaded overlay-base database failed validation"); + return void 0; + } + const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); + if (databaseSizeBytes === void 0) { + logger.info( + "Filesystem error while accessing downloaded overlay-base database" + ); + return void 0; + } + logger.info(`Successfully downloaded overlay-base database to ${dbLocation}`); + return { + databaseSizeBytes: Math.round(databaseSizeBytes), + databaseDownloadDurationMs + }; +} +async function getCacheRestoreKeyPrefix(config, codeQlVersion) { + return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; +} +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} // src/tar.ts var import_child_process = require("child_process"); -var fs10 = __toESM(require("fs")); +var fs11 = __toESM(require("fs")); var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -108120,9 +108344,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -108131,7 +108355,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -108146,7 +108370,7 @@ async function isZstdAvailable(logger) { } } async function extract(tarPath, dest, compressionMethod, tarVersion, logger) { - fs10.mkdirSync(dest, { recursive: true }); + fs11.mkdirSync(dest, { recursive: true }); switch (compressionMethod) { case "gzip": return await toolcache.extractTar(tarPath, dest); @@ -108230,7 +108454,7 @@ function inferCompressionMethod(tarPath) { } // src/tools-download.ts -var fs11 = __toESM(require("fs")); +var fs12 = __toESM(require("fs")); var os4 = __toESM(require("os")); var path11 = __toESM(require("path")); var import_perf_hooks2 = require("perf_hooks"); @@ -108238,7 +108462,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -108337,7 +108561,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat }; } async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) { - fs11.mkdirSync(dest, { recursive: true }); + fs12.mkdirSync(dest, { recursive: true }); const agent = new import_http_client.HttpClient().getAgent(codeqlURL); headers = Object.assign( { "User-Agent": "CodeQL Action" }, @@ -108368,13 +108592,13 @@ function getToolcacheDirectory(version) { return path11.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os4.arch() || "" ); } function writeToolcacheMarkerFile(extractedPath, logger) { const markerFilePath = `${extractedPath}.complete`; - fs11.writeFileSync(markerFilePath, ""); + fs12.writeFileSync(markerFilePath, ""); logger.info(`Created toolcache marker file ${markerFilePath}`); } function sanitizeUrlForStatusReport(url) { @@ -108493,13 +108717,13 @@ function tryGetTagNameFromUrl(url, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } @@ -108509,7 +108733,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({ folder: toolcache3.find("CodeQL", version), version - })).filter(({ folder }) => fs12.existsSync(path12.join(folder, "pinned-version"))); + })).filter(({ folder }) => fs13.existsSync(path12.join(folder, "pinned-version"))); if (candidates.length === 1) { const candidate = candidates[0]; logger.debug( @@ -108531,7 +108755,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -108625,21 +108897,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown"; @@ -108836,7 +109120,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -108846,6 +109130,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -108904,7 +109189,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -108936,7 +109221,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -108956,7 +109241,7 @@ function isReservedToolsValue(tools) { } // src/tracer-config.ts -var fs13 = __toESM(require("fs")); +var fs14 = __toESM(require("fs")); var path13 = __toESM(require("path")); async function shouldEnableIndirectTracing(codeql, config) { if (config.buildMode === "none" /* None */) { @@ -108969,7 +109254,7 @@ async function shouldEnableIndirectTracing(codeql, config) { } async function getTracerConfigForCluster(config) { const tracingEnvVariables = JSON.parse( - fs13.readFileSync( + fs14.readFileSync( path13.resolve( config.dbLocation, "temp/tracingEnvironment/start-tracing.json" @@ -108995,7 +109280,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -109009,6 +109294,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -109078,7 +109364,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { "tools", "tracing-config.lua" ); - return fs14.existsSync(tracingConfigPath); + return fs15.existsSync(tracingConfigPath); }, async isScannedLanguage(language) { return !await this.isTracedLanguage(language); @@ -109554,7 +109840,7 @@ async function writeCodeScanningConfigFile(config, logger) { logger.startGroup("Augmented user configuration file contents"); logger.info(dump(augmentedConfig)); logger.endGroup(); - fs14.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); + fs15.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; @@ -109598,7 +109884,7 @@ async function getJobRunUuidSarifOptions(codeql) { } // src/init.ts -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -109612,6 +109898,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -109632,7 +109919,7 @@ async function initConfig2(features, inputs) { }); } async function runDatabaseInitCluster(databaseInitEnvironment, codeql, config, sourceRoot, processName, qlconfigFile, logger) { - fs15.mkdirSync(config.dbLocation, { recursive: true }); + fs16.mkdirSync(config.dbLocation, { recursive: true }); await wrapEnvironment( databaseInitEnvironment, async () => await codeql.databaseInitCluster( @@ -109668,24 +109955,24 @@ async function checkPacksForOverlayCompatibility(codeql, config, logger) { function checkPackForOverlayCompatibility(packDir, codeQlOverlayVersion, logger) { try { let qlpackPath = path15.join(packDir, "qlpack.yml"); - if (!fs15.existsSync(qlpackPath)) { + if (!fs16.existsSync(qlpackPath)) { qlpackPath = path15.join(packDir, "codeql-pack.yml"); } const qlpackContents = load( - fs15.readFileSync(qlpackPath, "utf8") + fs16.readFileSync(qlpackPath, "utf8") ); if (!qlpackContents.buildMetadata) { return true; } const packInfoPath = path15.join(packDir, ".packinfo"); - if (!fs15.existsSync(packInfoPath)) { + if (!fs16.existsSync(packInfoPath)) { logger.warning( `The query pack at ${packDir} does not have a .packinfo file, so it cannot support overlay analysis. Recompiling the query pack with the latest CodeQL CLI should solve this problem.` ); return false; } const packInfoFileContents = JSON.parse( - fs15.readFileSync(packInfoPath, "utf8") + fs16.readFileSync(packInfoPath, "utf8") ); const packOverlayVersion = packInfoFileContents.overlayVersion; if (typeof packOverlayVersion !== "number") { @@ -109720,8 +110007,8 @@ async function checkInstallPython311(languages, codeql) { ]).exec(); } } -function cleanupDatabaseClusterDirectory(config, logger, options = {}, rmSync2 = fs15.rmSync) { - if (fs15.existsSync(config.dbLocation) && (fs15.statSync(config.dbLocation).isFile() || fs15.readdirSync(config.dbLocation).length > 0)) { +function cleanupDatabaseClusterDirectory(config, logger, options = {}, rmSync2 = fs16.rmSync) { + if (fs16.existsSync(config.dbLocation) && (fs16.statSync(config.dbLocation).isFile() || fs16.readdirSync(config.dbLocation).length > 0)) { if (!options.disableExistingDirectoryWarning) { logger.warning( `The database cluster directory ${config.dbLocation} must be empty. Attempting to clean it up.` @@ -109825,163 +110112,6 @@ To opt out of this change, ${envVarOptOut}`; core12.exportVariable("CODEQL_ACTION_DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION" /* DID_LOG_FILE_COVERAGE_ON_PRS_DEPRECATION */, "true"); } -// src/overlay/caching.ts -var fs16 = __toESM(require("fs")); -var actionsCache4 = __toESM(require_cache5()); -var semver9 = __toESM(require_semver2()); -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; -var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; -var CACHE_VERSION2 = 1; -var CACHE_PREFIX = "codeql-overlay-base-database"; -var MAX_CACHE_OPERATION_MS3 = 6e5; -async function checkOverlayBaseDatabase(codeql, config, logger, warningPrefix) { - const baseDatabaseOidsFilePath = getBaseDatabaseOidsFilePath(config); - if (!fs16.existsSync(baseDatabaseOidsFilePath)) { - logger.warning( - `${warningPrefix}: ${baseDatabaseOidsFilePath} does not exist` - ); - return false; - } - for (const language of config.languages) { - const dbPath = getCodeQLDatabasePath(config, language); - try { - const resolveDatabaseOutput = await codeql.resolveDatabase(dbPath); - if (resolveDatabaseOutput === void 0 || !("overlayBaseSpecifier" in resolveDatabaseOutput)) { - logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`); - return false; - } else { - logger.debug( - `Overlay base specifier for ${language} overlay-base database found: ${resolveDatabaseOutput.overlayBaseSpecifier}` - ); - } - } catch (e) { - logger.warning(`${warningPrefix}: failed to resolve database: ${e}`); - return false; - } - } - return true; -} -async function downloadOverlayBaseDatabaseFromCache(codeql, config, logger) { - const overlayDatabaseMode = config.overlayDatabaseMode; - if (overlayDatabaseMode !== "overlay" /* Overlay */) { - logger.debug( - `Overlay database mode is ${overlayDatabaseMode}. Skip downloading overlay-base database from cache.` - ); - return void 0; - } - if (!config.useOverlayDatabaseCaching) { - logger.debug( - "Overlay database caching is disabled. Skip downloading overlay-base database from cache." - ); - return void 0; - } - if (isInTestMode()) { - logger.debug( - "In test mode. Skip downloading overlay-base database from cache." - ); - return void 0; - } - const dbLocation = config.dbLocation; - const codeQlVersion = (await codeql.getVersion()).version; - const cacheRestoreKeyPrefix = await getCacheRestoreKeyPrefix( - config, - codeQlVersion - ); - logger.info( - `Looking in Actions cache for overlay-base database with restore key ${cacheRestoreKeyPrefix}` - ); - let databaseDownloadDurationMs = 0; - try { - const databaseDownloadStart = performance.now(); - const foundKey = await waitForResultWithTimeLimit( - // This ten-minute limit for the cache restore operation is mainly to - // guard against the possibility that the cache service is unresponsive - // and hangs outside the data download. - // - // Data download (which is normally the most time-consuming part of the - // restore operation) should not run long enough to hit this limit. Even - // for an extremely large 10GB database, at a download speed of 40MB/s - // (see below), the download should complete within five minutes. If we - // do hit this limit, there are likely more serious problems other than - // mere slow download speed. - // - // This is important because we don't want any ongoing file operations - // on the database directory when we do hit this limit. Hitting this - // time limit takes us to a fallback path where we re-initialize the - // database from scratch at dbLocation, and having the cache restore - // operation continue to write into dbLocation in the background would - // really mess things up. We want to hit this limit only in the case - // of a hung cache service, not just slow download speed. - MAX_CACHE_OPERATION_MS3, - actionsCache4.restoreCache( - [dbLocation], - cacheRestoreKeyPrefix, - void 0, - { - // Azure SDK download (which is the default) uses 128MB segments; see - // https://github.com/actions/toolkit/blob/main/packages/cache/README.md. - // Setting segmentTimeoutInMs to 3000 translates to segment download - // speed of about 40 MB/s, which should be achievable unless the - // download is unreliable (in which case we do want to abort). - segmentTimeoutInMs: 3e3 - } - ), - () => { - logger.info("Timed out downloading overlay-base database from cache"); - } - ); - databaseDownloadDurationMs = Math.round( - performance.now() - databaseDownloadStart - ); - if (foundKey === void 0) { - logger.info("No overlay-base database found in Actions cache"); - return void 0; - } - logger.info( - `Downloaded overlay-base database in cache with key ${foundKey}` - ); - } catch (error3) { - logger.warning( - `Failed to download overlay-base database from cache: ${error3 instanceof Error ? error3.message : String(error3)}` - ); - return void 0; - } - const databaseIsValid = await checkOverlayBaseDatabase( - codeql, - config, - logger, - "Downloaded overlay-base database is invalid" - ); - if (!databaseIsValid) { - logger.warning("Downloaded overlay-base database failed validation"); - return void 0; - } - const databaseSizeBytes = await tryGetFolderBytes(dbLocation, logger); - if (databaseSizeBytes === void 0) { - logger.info( - "Filesystem error while accessing downloaded overlay-base database" - ); - return void 0; - } - logger.info(`Successfully downloaded overlay-base database to ${dbLocation}`); - return { - databaseSizeBytes: Math.round(databaseSizeBytes), - databaseDownloadDurationMs - }; -} -async function getCacheRestoreKeyPrefix(config, codeQlVersion) { - return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`; -} -async function getCacheKeyPrefixBase(parsedLanguages) { - const languagesComponent = [...parsedLanguages].sort().join("_"); - const cacheKeyComponents = { - automationID: await getAutomationID() - // Add more components here as needed in the future - }; - const componentsHash = createCacheKeyHash(cacheKeyComponents); - return `${CACHE_PREFIX}-${CACHE_VERSION2}-${componentsHash}-${languagesComponent}-`; -} - // src/status-report.ts var os5 = __toESM(require("os")); var core13 = __toESM(require_core()); @@ -110551,12 +110681,16 @@ async function run(startedAt) { } const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; + const rawLanguages = getRawLanguagesNoAutodetect( + getOptionalInput("languages") + ); const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + rawLanguages, features, logger ); diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 6d9b50f18a..2d03ee8081 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -51958,7 +51958,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs6 = __importStar2(require("fs")); var path7 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core14.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var path7 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -99856,7 +99856,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path7 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch}`); core14.debug(`source dir: ${sourceDir}`); @@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch}`); core14.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path7.join(_getCacheDirectory(), toolName, versionSpec, arch); core14.debug(`checking cache: ${cachePath}`); if (fs6.existsSync(cachePath) && fs6.existsSync(`${cachePath}.complete`)) { @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core14.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io5.rmRF(folderPath); @@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path7.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path7.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs6.writeFileSync(markerPath, ""); core14.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core14.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core14.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core14.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core14.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -105034,20 +105034,26 @@ var toolrunner3 = __toESM(require_toolrunner()); // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/tracer-config.ts diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index e647efada1..fd4f84a37b 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs10 = __importStar2(require("fs")); var os3 = __importStar2(require("os")); var utils_1 = require_utils(); @@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4262,11 +4262,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); + supportedHashes = crypto3.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -4539,7 +4539,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4554,7 +4554,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -5618,8 +5618,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17023,13 +17023,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17042,7 +17042,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17114,9 +17114,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url, protocols, client, ws, onEstablish, options) { @@ -17136,7 +17136,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17166,7 +17166,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -25260,11 +25260,11 @@ var require_util10 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl2(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); + supportedHashes = crypto3.getHashes().filter((hash) => possibleRelevantHashes.includes(hash)); } catch { } function responseURL(response) { @@ -25537,7 +25537,7 @@ var require_util10 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -25552,7 +25552,7 @@ var require_util10 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -26616,8 +26616,8 @@ var require_body2 = __commonJS({ var { multipartFormDataParser } = require_formdata_parser2(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -38021,13 +38021,13 @@ var require_frame2 = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants10(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -38040,7 +38040,7 @@ var require_frame2 = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -38112,9 +38112,9 @@ var require_connection2 = __commonJS({ var { Headers, getHeadersList } = require_headers2(); var { getDecodeSplit } = require_util10(); var { WebsocketFrameSend } = require_frame2(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url, protocols, client, ws, onEstablish, options) { @@ -38134,7 +38134,7 @@ var require_connection2 = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -38164,7 +38164,7 @@ var require_connection2 = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -50550,7 +50550,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core15 = __importStar2(require_core()); var fs10 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -50563,7 +50563,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core15.info : core15.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { @@ -50579,7 +50579,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash = crypto2.createHash("sha256"); + const hash = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs10.createReadStream(file), hash); result.write(hash.digest()); @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -51955,10 +51955,10 @@ var require_cacheUtils = __commonJS({ var exec = __importStar2(require_exec()); var glob = __importStar2(require_glob()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs10 = __importStar2(require("fs")); var path10 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -51979,7 +51979,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path10.join(baseLocation, "actions", "temp"); } - const dest = path10.join(tempDirectory, crypto2.randomUUID()); + const dest = path10.join(tempDirectory, crypto3.randomUUID()); yield io6.mkdirP(dest); return dest; }); @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -52087,7 +52087,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core15 = __importStar2(require_core()); var path10 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os3 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -99850,13 +99850,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core15 = __importStar2(require_core()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs10 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os3 = __importStar2(require("os")); var path10 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -99875,7 +99875,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path10.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path10.join(_getTempDirectory(), crypto3.randomUUID()); yield io6.mkdirP(path10.dirname(dest)); core15.debug(`Downloading ${url}`); core15.debug(`Destination ${dest}`); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch2}`); core15.debug(`source dir: ${sourceDir}`); @@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch2}`); core15.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path10.join(_getCacheDirectory(), toolName, versionSpec, arch2); core15.debug(`checking cache: ${cachePath}`); if (fs10.existsSync(cachePath) && fs10.existsSync(`${cachePath}.complete`)) { @@ -100249,7 +100249,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path10.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path10.join(_getTempDirectory(), crypto3.randomUUID()); } yield io6.mkdirP(dest); return dest; @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path10.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path10.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); @@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path10.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path10.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs10.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -103784,6 +103784,12 @@ async function checkForTimeout() { process.exit(); } } +function parseMatrixInput(matrixInput) { + if (matrixInput === void 0 || matrixInput === "null") { + return void 0; + } + return JSON.parse(matrixInput); +} function wrapError(error3) { return error3 instanceof Error ? error3 : new Error(String(error3)); } @@ -104003,6 +104009,32 @@ async function runTool(cmd, args = [], opts = {}) { } return stdout; } +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} // src/api-client.ts var core5 = __toESM(require_core()); @@ -104202,6 +104234,37 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} +function computeAutomationID(analysis_key, environment) { + let automationID = `${analysis_key}/`; + const matrix = parseMatrixInput(environment); + if (matrix !== void 0) { + for (const entry of Object.entries(matrix).sort()) { + if (typeof entry[1] === "string") { + automationID += `${entry[0]}:${entry[1]}/`; + } else { + automationID += `${entry[0]}:/`; + } + } + } + return automationID; +} +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} function isEnablementError(msg) { return [ /Code Security must be enabled/i, @@ -105384,7 +105447,13 @@ var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core7 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/config/db-config.ts var jsonschema = __toESM(require_lib2()); @@ -105529,6 +105598,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache5()); @@ -105584,7 +105664,68 @@ var fs8 = __toESM(require("fs")); var path8 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} // src/tar.ts var import_child_process = require("child_process"); @@ -105593,7 +105734,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -105635,9 +105776,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -105646,7 +105787,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -105753,7 +105894,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -105883,7 +106024,7 @@ function getToolcacheDirectory(version) { return path7.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os.arch() || "" ); } @@ -106008,13 +106149,13 @@ function tryGetTagNameFromUrl(url, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } @@ -106046,7 +106187,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -106140,21 +106329,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url ?? "unknown"; @@ -106351,7 +106552,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -106361,6 +106562,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -106419,7 +106621,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -106451,7 +106653,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -106488,7 +106690,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -106502,6 +106704,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -107091,7 +107294,7 @@ async function getJobRunUuidSarifOptions(codeql) { } // src/init.ts -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -107105,6 +107308,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -107405,6 +107609,8 @@ async function run(startedAt) { getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: currently, setup-codeql is not language aware features, logger ); diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 86f78ffdac..60fa054a65 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -51958,7 +51958,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs3 = __importStar2(require("fs")); var path4 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var path4 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -106616,7 +106616,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -106626,9 +106626,9 @@ var require_stream_writable = __commonJS({ if (er) { stream.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; @@ -157681,7 +157681,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -157695,7 +157695,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -157704,7 +157704,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -157964,7 +157964,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path4 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -158237,7 +158237,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -158255,7 +158255,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -158285,7 +158285,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path4.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) { @@ -158365,7 +158365,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); @@ -158375,30 +158375,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path4.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path4.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs3.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -162446,24 +162446,30 @@ var cliErrorsConfig = { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/dependency-caching.ts -var actionsCache3 = __toESM(require_cache5()); +var actionsCache4 = __toESM(require_cache5()); var glob = __toESM(require_glob()); // src/artifact-scanner.ts diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 17dbf166e5..0dfb131c1c 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs14 = __importStar2(require("fs")); var os2 = __importStar2(require("os")); var utils_1 = require_utils(); @@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4262,11 +4262,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -4539,7 +4539,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4554,7 +4554,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -5618,8 +5618,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17023,13 +17023,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17042,7 +17042,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17114,9 +17114,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { @@ -17136,7 +17136,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17166,7 +17166,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -21922,16 +21922,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -22220,8 +22220,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -22234,8 +22234,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -26565,11 +26565,11 @@ var require_util10 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl2(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -26842,7 +26842,7 @@ var require_util10 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -26857,7 +26857,7 @@ var require_util10 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -27921,8 +27921,8 @@ var require_body2 = __commonJS({ var { multipartFormDataParser } = require_formdata_parser2(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -39326,13 +39326,13 @@ var require_frame2 = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants10(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -39345,7 +39345,7 @@ var require_frame2 = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -39417,9 +39417,9 @@ var require_connection2 = __commonJS({ var { Headers, getHeadersList } = require_headers2(); var { getDecodeSplit } = require_util10(); var { WebsocketFrameSend } = require_frame2(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { @@ -39439,7 +39439,7 @@ var require_connection2 = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -39469,7 +39469,7 @@ var require_connection2 = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -45836,11 +45836,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -45983,8 +45983,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare2 = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -47200,7 +47200,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -47209,7 +47209,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -47238,7 +47238,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -47247,7 +47247,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -50550,7 +50550,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core14 = __importStar2(require_core()); var fs14 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -50563,7 +50563,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core14.info : core14.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { @@ -50579,7 +50579,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash2 = crypto2.createHash("sha256"); + const hash2 = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs14.createReadStream(file), hash2); result.write(hash2.digest()); @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -51955,10 +51955,10 @@ var require_cacheUtils = __commonJS({ var exec = __importStar2(require_exec()); var glob = __importStar2(require_glob()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs14 = __importStar2(require("fs")); var path12 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -51979,7 +51979,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path12.join(baseLocation, "actions", "temp"); } - const dest = path12.join(tempDirectory, crypto2.randomUUID()); + const dest = path12.join(tempDirectory, crypto3.randomUUID()); yield io6.mkdirP(dest); return dest; }); @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core14.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -52087,7 +52087,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core14 = __importStar2(require_core()); var path12 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core14.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -99850,13 +99850,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core14 = __importStar2(require_core()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs14 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os2 = __importStar2(require("os")); var path12 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -99875,7 +99875,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url2, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path12.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path12.join(_getTempDirectory(), crypto3.randomUUID()); yield io6.mkdirP(path12.dirname(dest)); core14.debug(`Downloading ${url2}`); core14.debug(`Destination ${dest}`); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch2}`); core14.debug(`source dir: ${sourceDir}`); @@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os2.arch(); core14.debug(`Caching tool ${tool} ${version} ${arch2}`); core14.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path12.join(_getCacheDirectory(), toolName, versionSpec, arch2); core14.debug(`checking cache: ${cachePath}`); if (fs14.existsSync(cachePath) && fs14.existsSync(`${cachePath}.complete`)) { @@ -100249,7 +100249,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path12.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path12.join(_getTempDirectory(), crypto3.randomUUID()); } yield io6.mkdirP(dest); return dest; @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path12.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core14.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); @@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path12.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path12.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs14.writeFileSync(markerPath, ""); core14.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core14.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core14.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core14.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core14.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -106809,6 +106809,32 @@ async function runTool(cmd, args = [], opts = {}) { } return stdout; } +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -107091,6 +107117,11 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} function computeAutomationID(analysis_key, environment) { let automationID = `${analysis_key}/`; const matrix = parseMatrixInput(environment); @@ -107105,6 +107136,18 @@ function computeAutomationID(analysis_key, environment) { } return automationID; } +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} function isEnablementError(msg) { return [ /Code Security must be enabled/i, @@ -107403,7 +107446,13 @@ var path6 = __toESM(require("path")); var core9 = __toESM(require_core()); // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core6 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/config/db-config.ts var jsonschema = __toESM(require_lib2()); @@ -108136,6 +108185,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache5()); @@ -108215,7 +108275,7 @@ var fs9 = __toESM(require("fs")); var path8 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; @@ -108261,6 +108321,67 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); var fs7 = __toESM(require("fs")); @@ -108268,7 +108389,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -108310,9 +108431,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -108321,7 +108442,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -108428,7 +108549,7 @@ var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -108558,7 +108679,7 @@ function getToolcacheDirectory(version) { return path7.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os.arch() || "" ); } @@ -108683,13 +108804,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } @@ -108721,7 +108842,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -108815,21 +108984,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -109026,7 +109207,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -109036,6 +109217,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -109094,7 +109276,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -109126,7 +109308,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -109163,7 +109345,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -109177,6 +109359,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -110898,7 +111081,7 @@ var core12 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -110912,6 +111095,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -111068,6 +111252,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); @@ -111083,7 +111269,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo return readSarifFile(outputFile); } function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) { - const automationID = getAutomationID(category, analysis_key, environment); + const automationID = getAutomationID2(category, analysis_key, environment); if (automationID !== void 0) { for (const run of sarifFile.runs || []) { if (run.automationDetails === void 0) { @@ -111096,7 +111282,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ } return sarifFile; } -function getAutomationID(category, analysis_key, environment) { +function getAutomationID2(category, analysis_key, environment) { if (category !== void 0) { let automationID = category; if (!automationID.endsWith("/")) { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index d0733a4718..4824e45956 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare2 = require_compare(); - var rcompare2 = (a, b, loose) => compare2(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare2(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare2 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare2, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -98792,7 +98792,7 @@ var require_stream_writable = __commonJS({ pna.nextTick(cb, er); } function validChunk(stream, state, chunk, cb) { - var valid3 = true; + var valid4 = true; var er = false; if (chunk === null) { er = new TypeError("May not write null values to stream"); @@ -98802,9 +98802,9 @@ var require_stream_writable = __commonJS({ if (er) { stream.emit("error", er); pna.nextTick(cb, er); - valid3 = false; + valid4 = false; } - return valid3; + return valid4; } Writable.prototype.write = function(chunk, encoding, cb) { var state = this._writableState; @@ -150217,16 +150217,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -150515,8 +150515,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -150529,8 +150529,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -153258,8 +153258,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -153559,8 +153559,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare2(b, a, loose); } exports2.sort = sort; @@ -154388,7 +154388,7 @@ var require_cacheUtils = __commonJS({ var crypto2 = __importStar2(require("crypto")); var fs3 = __importStar2(require("fs")); var path3 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants24(); var versionSalt = "1.0"; @@ -154481,7 +154481,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core15.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -155791,7 +155791,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache4; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -155968,7 +155968,7 @@ Other caches with similar key:`); })); }); } - function saveCache4(cacheId, archivePath, signedUploadURL, options) { + function saveCache5(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -157242,8 +157242,8 @@ var require_cache6 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache4; - exports2.saveCache = saveCache4; + exports2.restoreCache = restoreCache5; + exports2.saveCache = saveCache5; var core15 = __importStar2(require_core()); var path3 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -157300,7 +157300,7 @@ var require_cache6 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache5(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -157444,7 +157444,7 @@ var require_cache6 = __commonJS({ return void 0; }); } - function saveCache4(paths_1, key_1, options_1) { + function saveCache5(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core15.debug(`Cache service version: ${cacheServiceVersion}`); @@ -157681,7 +157681,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os2 = require("os"); var cp = require("child_process"); @@ -157695,7 +157695,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -157704,7 +157704,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -157964,7 +157964,7 @@ var require_tool_cache = __commonJS({ var os2 = __importStar2(require("os")); var path3 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -158237,7 +158237,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source dir: ${sourceDir}`); @@ -158255,7 +158255,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch = arch || os2.arch(); core15.debug(`Caching tool ${tool} ${version} ${arch}`); core15.debug(`source file: ${sourceFile}`); @@ -158285,7 +158285,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path3.join(_getCacheDirectory(), toolName, versionSpec, arch); core15.debug(`checking cache: ${cachePath}`); if (fs3.existsSync(cachePath) && fs3.existsSync(`${cachePath}.complete`)) { @@ -158365,7 +158365,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); core15.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); @@ -158375,30 +158375,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch) { - const folderPath = path3.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch || ""); + const folderPath = path3.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch || ""); const markerPath = `${folderPath}.complete`; fs3.writeFileSync(markerPath, ""); core15.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core15.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core15.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core15.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core15.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -162433,24 +162433,30 @@ var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); + +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache6()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tools-download.ts var core10 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/dependency-caching.ts -var actionsCache3 = __toESM(require_cache6()); +var actionsCache4 = __toESM(require_cache6()); var glob = __toESM(require_glob2()); // src/artifact-scanner.ts diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 1ba53990b3..520b5270cb 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -203,7 +203,7 @@ var require_file_command = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.issueFileCommand = issueFileCommand; exports2.prepareKeyValueMessage = prepareKeyValueMessage; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs15 = __importStar2(require("fs")); var os3 = __importStar2(require("os")); var utils_1 = require_utils(); @@ -220,7 +220,7 @@ var require_file_command = __commonJS({ }); } function prepareKeyValueMessage(key, value) { - const delimiter = `ghadelimiter_${crypto2.randomUUID()}`; + const delimiter = `ghadelimiter_${crypto3.randomUUID()}`; const convertedValue = (0, utils_1.toCommandValue)(value); if (key.includes(delimiter)) { throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`); @@ -4262,11 +4262,11 @@ var require_util2 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -4539,7 +4539,7 @@ var require_util2 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -4554,7 +4554,7 @@ var require_util2 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -5618,8 +5618,8 @@ var require_body = __commonJS({ var { multipartFormDataParser } = require_formdata_parser(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -17023,13 +17023,13 @@ var require_frame = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants5(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -17042,7 +17042,7 @@ var require_frame = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -17114,9 +17114,9 @@ var require_connection = __commonJS({ var { Headers, getHeadersList } = require_headers(); var { getDecodeSplit } = require_util2(); var { WebsocketFrameSend } = require_frame(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { @@ -17136,7 +17136,7 @@ var require_connection = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -17166,7 +17166,7 @@ var require_connection = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -25260,11 +25260,11 @@ var require_util10 = __commonJS({ var { isUint8Array } = require("node:util/types"); var { webidl } = require_webidl2(); var supportedHashes = []; - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); const possibleRelevantHashes = ["sha256", "sha384", "sha512"]; - supportedHashes = crypto2.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); + supportedHashes = crypto3.getHashes().filter((hash2) => possibleRelevantHashes.includes(hash2)); } catch { } function responseURL(response) { @@ -25537,7 +25537,7 @@ var require_util10 = __commonJS({ } } function bytesMatch(bytes, metadataList) { - if (crypto2 === void 0) { + if (crypto3 === void 0) { return true; } const parsedMetadata = parseMetadata(metadataList); @@ -25552,7 +25552,7 @@ var require_util10 = __commonJS({ for (const item of metadata) { const algorithm = item.algo; const expectedValue = item.hash; - let actualValue = crypto2.createHash(algorithm).update(bytes).digest("base64"); + let actualValue = crypto3.createHash(algorithm).update(bytes).digest("base64"); if (actualValue[actualValue.length - 1] === "=") { if (actualValue[actualValue.length - 2] === "=") { actualValue = actualValue.slice(0, -2); @@ -26616,8 +26616,8 @@ var require_body2 = __commonJS({ var { multipartFormDataParser } = require_formdata_parser2(); var random; try { - const crypto2 = require("node:crypto"); - random = (max) => crypto2.randomInt(0, max); + const crypto3 = require("node:crypto"); + random = (max) => crypto3.randomInt(0, max); } catch { random = (max) => Math.floor(Math.random(max)); } @@ -38021,13 +38021,13 @@ var require_frame2 = __commonJS({ "use strict"; var { maxUnsigned16Bit } = require_constants10(); var BUFFER_SIZE = 16386; - var crypto2; + var crypto3; var buffer = null; var bufIdx = BUFFER_SIZE; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { - crypto2 = { + crypto3 = { // not full compatibility, but minimum. randomFillSync: function randomFillSync(buffer2, _offset, _size) { for (let i = 0; i < buffer2.length; ++i) { @@ -38040,7 +38040,7 @@ var require_frame2 = __commonJS({ function generateMask() { if (bufIdx === BUFFER_SIZE) { bufIdx = 0; - crypto2.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); + crypto3.randomFillSync(buffer ??= Buffer.allocUnsafe(BUFFER_SIZE), 0, BUFFER_SIZE); } return [buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++], buffer[bufIdx++]]; } @@ -38112,9 +38112,9 @@ var require_connection2 = __commonJS({ var { Headers, getHeadersList } = require_headers2(); var { getDecodeSplit } = require_util10(); var { WebsocketFrameSend } = require_frame2(); - var crypto2; + var crypto3; try { - crypto2 = require("node:crypto"); + crypto3 = require("node:crypto"); } catch { } function establishWebSocketConnection(url2, protocols, client, ws, onEstablish, options) { @@ -38134,7 +38134,7 @@ var require_connection2 = __commonJS({ const headersList = getHeadersList(new Headers(options.headers)); request2.headersList = headersList; } - const keyValue = crypto2.randomBytes(16).toString("base64"); + const keyValue = crypto3.randomBytes(16).toString("base64"); request2.headersList.append("sec-websocket-key", keyValue); request2.headersList.append("sec-websocket-version", "13"); for (const protocol of protocols) { @@ -38164,7 +38164,7 @@ var require_connection2 = __commonJS({ return; } const secWSAccept = response.headersList.get("Sec-WebSocket-Accept"); - const digest = crypto2.createHash("sha1").update(keyValue + uid).digest("base64"); + const digest = crypto3.createHash("sha1").update(keyValue + uid).digest("base64"); if (secWSAccept !== digest) { failWebsocketConnection(ws, "Incorrect hash received in Sec-WebSocket-Accept header."); return; @@ -44531,11 +44531,11 @@ var require_valid = __commonJS({ "node_modules/semver/functions/valid.js"(exports2, module2) { "use strict"; var parse2 = require_parse3(); - var valid3 = (version, options) => { + var valid4 = (version, options) => { const v = parse2(version, options); return v ? v.version : null; }; - module2.exports = valid3; + module2.exports = valid4; } }); @@ -44678,8 +44678,8 @@ var require_rcompare = __commonJS({ "node_modules/semver/functions/rcompare.js"(exports2, module2) { "use strict"; var compare3 = require_compare(); - var rcompare2 = (a, b, loose) => compare3(b, a, loose); - module2.exports = rcompare2; + var rcompare3 = (a, b, loose) => compare3(b, a, loose); + module2.exports = rcompare3; } }); @@ -45895,7 +45895,7 @@ var require_semver2 = __commonJS({ var SemVer = require_semver(); var identifiers = require_identifiers(); var parse2 = require_parse3(); - var valid3 = require_valid(); + var valid4 = require_valid(); var clean3 = require_clean(); var inc = require_inc(); var diff = require_diff(); @@ -45904,7 +45904,7 @@ var require_semver2 = __commonJS({ var patch = require_patch(); var prerelease = require_prerelease(); var compare3 = require_compare(); - var rcompare2 = require_rcompare(); + var rcompare3 = require_rcompare(); var compareLoose = require_compare_loose(); var compareBuild = require_compare_build(); var sort = require_sort(); @@ -45933,7 +45933,7 @@ var require_semver2 = __commonJS({ var subset = require_subset(); module2.exports = { parse: parse2, - valid: valid3, + valid: valid4, clean: clean3, inc, diff, @@ -45942,7 +45942,7 @@ var require_semver2 = __commonJS({ patch, prerelease, compare: compare3, - rcompare: rcompare2, + rcompare: rcompare3, compareLoose, compareBuild, sort, @@ -47732,16 +47732,16 @@ var require_attribute = __commonJS({ var result = new ValidatorResult(instance, schema2, options, ctx); var self2 = this; schema2.allOf.forEach(function(v, i) { - var valid3 = self2.validateSchema(instance, v, options, ctx); - if (!valid3.valid) { + var valid4 = self2.validateSchema(instance, v, options, ctx); + if (!valid4.valid) { var id = v.$id || v.id; var msg = id || v.title && JSON.stringify(v.title) || v["$ref"] && "<" + v["$ref"] + ">" || "[subschema " + i + "]"; result.addError({ name: "allOf", - argument: { id: msg, length: valid3.errors.length, valid: valid3 }, - message: "does not match allOf schema " + msg + " with " + valid3.errors.length + " error[s]:" + argument: { id: msg, length: valid4.errors.length, valid: valid4 }, + message: "does not match allOf schema " + msg + " with " + valid4.errors.length + " error[s]:" }); - result.importErrors(valid3); + result.importErrors(valid4); } }); return result; @@ -48030,8 +48030,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMinimum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance > schema2.exclusiveMinimum; - if (!valid3) { + var valid4 = instance > schema2.exclusiveMinimum; + if (!valid4) { result.addError({ name: "exclusiveMinimum", argument: schema2.exclusiveMinimum, @@ -48044,8 +48044,8 @@ var require_attribute = __commonJS({ if (typeof schema2.exclusiveMaximum === "boolean") return; if (!this.types.number(instance)) return; var result = new ValidatorResult(instance, schema2, options, ctx); - var valid3 = instance < schema2.exclusiveMaximum; - if (!valid3) { + var valid4 = instance < schema2.exclusiveMaximum; + if (!valid4) { result.addError({ name: "exclusiveMaximum", argument: schema2.exclusiveMaximum, @@ -50550,7 +50550,7 @@ var require_internal_hash_files = __commonJS({ }; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.hashFiles = hashFiles; - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var core16 = __importStar2(require_core()); var fs15 = __importStar2(require("fs")); var stream2 = __importStar2(require("stream")); @@ -50563,7 +50563,7 @@ var require_internal_hash_files = __commonJS({ const writeDelegate = verbose ? core16.info : core16.debug; let hasMatch = false; const githubWorkspace = currentWorkspace ? currentWorkspace : (_d = process.env["GITHUB_WORKSPACE"]) !== null && _d !== void 0 ? _d : process.cwd(); - const result = crypto2.createHash("sha256"); + const result = crypto3.createHash("sha256"); let count = 0; try { for (var _e = true, _f = __asyncValues2(globber.globGenerator()), _g; _g = yield _f.next(), _a = _g.done, !_a; _e = true) { @@ -50579,7 +50579,7 @@ var require_internal_hash_files = __commonJS({ writeDelegate(`Skip directory '${file}'.`); continue; } - const hash2 = crypto2.createHash("sha256"); + const hash2 = crypto3.createHash("sha256"); const pipeline = util.promisify(stream2.pipeline); yield pipeline(fs15.createReadStream(file), hash2); result.write(hash2.digest()); @@ -50828,8 +50828,8 @@ var require_semver3 = __commonJS({ return null; } } - exports2.valid = valid3; - function valid3(version, options) { + exports2.valid = valid4; + function valid4(version, options) { var v = parse2(version, options); return v ? v.version : null; } @@ -51129,8 +51129,8 @@ var require_semver3 = __commonJS({ var versionB = new SemVer(b, loose); return versionA.compare(versionB) || versionA.compareBuild(versionB); } - exports2.rcompare = rcompare2; - function rcompare2(a, b, loose) { + exports2.rcompare = rcompare3; + function rcompare3(a, b, loose) { return compare3(b, a, loose); } exports2.sort = sort; @@ -51955,10 +51955,10 @@ var require_cacheUtils = __commonJS({ var exec = __importStar2(require_exec()); var glob = __importStar2(require_glob()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs15 = __importStar2(require("fs")); var path13 = __importStar2(require("path")); - var semver9 = __importStar2(require_semver3()); + var semver10 = __importStar2(require_semver3()); var util = __importStar2(require("util")); var constants_1 = require_constants12(); var versionSalt = "1.0"; @@ -51979,7 +51979,7 @@ var require_cacheUtils = __commonJS({ } tempDirectory = path13.join(baseLocation, "actions", "temp"); } - const dest = path13.join(tempDirectory, crypto2.randomUUID()); + const dest = path13.join(tempDirectory, crypto3.randomUUID()); yield io6.mkdirP(dest); return dest; }); @@ -52051,7 +52051,7 @@ var require_cacheUtils = __commonJS({ function getCompressionMethod() { return __awaiter2(this, void 0, void 0, function* () { const versionOutput = yield getVersion("zstd", ["--quiet"]); - const version = semver9.clean(versionOutput); + const version = semver10.clean(versionOutput); core16.debug(`zstd version: ${version}`); if (versionOutput === "") { return constants_1.CompressionMethod.Gzip; @@ -52087,7 +52087,7 @@ var require_cacheUtils = __commonJS({ components.push("windows-only"); } components.push(versionSalt); - return crypto2.createHash("sha256").update(components.join("|")).digest("hex"); + return crypto3.createHash("sha256").update(components.join("|")).digest("hex"); } function getRuntimeToken() { const token = process.env["ACTIONS_RUNTIME_TOKEN"]; @@ -93457,7 +93457,7 @@ var require_cacheHttpClient = __commonJS({ exports2.getCacheEntry = getCacheEntry; exports2.downloadCache = downloadCache; exports2.reserveCache = reserveCache; - exports2.saveCache = saveCache3; + exports2.saveCache = saveCache4; var core16 = __importStar2(require_core()); var http_client_1 = require_lib(); var auth_1 = require_auth(); @@ -93634,7 +93634,7 @@ Other caches with similar key:`); })); }); } - function saveCache3(cacheId, archivePath, signedUploadURL, options) { + function saveCache4(cacheId, archivePath, signedUploadURL, options) { return __awaiter2(this, void 0, void 0, function* () { const uploadOptions = (0, options_1.getUploadOptions)(options); if (uploadOptions.useAzureSdk) { @@ -99134,8 +99134,8 @@ var require_cache5 = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.FinalizeCacheError = exports2.ReserveCacheError = exports2.ValidationError = void 0; exports2.isFeatureAvailable = isFeatureAvailable; - exports2.restoreCache = restoreCache3; - exports2.saveCache = saveCache3; + exports2.restoreCache = restoreCache4; + exports2.saveCache = saveCache4; var core16 = __importStar2(require_core()); var path13 = __importStar2(require("path")); var utils = __importStar2(require_cacheUtils()); @@ -99192,7 +99192,7 @@ var require_cache5 = __commonJS({ return !!process.env["ACTIONS_CACHE_URL"]; } } - function restoreCache3(paths_1, primaryKey_1, restoreKeys_1, options_1) { + function restoreCache4(paths_1, primaryKey_1, restoreKeys_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, primaryKey, restoreKeys, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core16.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99336,7 +99336,7 @@ var require_cache5 = __commonJS({ return void 0; }); } - function saveCache3(paths_1, key_1, options_1) { + function saveCache4(paths_1, key_1, options_1) { return __awaiter2(this, arguments, void 0, function* (paths, key, options, enableCrossOsArchive = false) { const cacheServiceVersion = (0, config_1.getCacheServiceVersion)(); core16.debug(`Cache service version: ${cacheServiceVersion}`); @@ -99573,7 +99573,7 @@ var require_manifest = __commonJS({ exports2._findMatch = _findMatch; exports2._getOsVersion = _getOsVersion; exports2._readLinuxVersionFile = _readLinuxVersionFile; - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var core_1 = require_core(); var os3 = require("os"); var cp = require("child_process"); @@ -99587,7 +99587,7 @@ var require_manifest = __commonJS({ for (const candidate of candidates) { const version = candidate.version; (0, core_1.debug)(`check ${version} satisfies ${versionSpec}`); - if (semver9.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { + if (semver10.satisfies(version, versionSpec) && (!stable || candidate.stable === stable)) { file = candidate.files.find((item) => { (0, core_1.debug)(`${item.arch}===${archFilter} && ${item.platform}===${platFilter}`); let chk = item.arch === archFilter && item.platform === platFilter; @@ -99596,7 +99596,7 @@ var require_manifest = __commonJS({ if (osVersion === item.platform_version) { chk = true; } else { - chk = semver9.satisfies(osVersion, item.platform_version); + chk = semver10.satisfies(osVersion, item.platform_version); } } return chk; @@ -99850,13 +99850,13 @@ var require_tool_cache = __commonJS({ exports2.evaluateVersions = evaluateVersions; var core16 = __importStar2(require_core()); var io6 = __importStar2(require_io()); - var crypto2 = __importStar2(require("crypto")); + var crypto3 = __importStar2(require("crypto")); var fs15 = __importStar2(require("fs")); var mm = __importStar2(require_manifest()); var os3 = __importStar2(require("os")); var path13 = __importStar2(require("path")); var httpm = __importStar2(require_lib()); - var semver9 = __importStar2(require_semver2()); + var semver10 = __importStar2(require_semver2()); var stream2 = __importStar2(require("stream")); var util = __importStar2(require("util")); var assert_1 = require("assert"); @@ -99875,7 +99875,7 @@ var require_tool_cache = __commonJS({ var userAgent2 = "actions/tool-cache"; function downloadTool2(url2, dest, auth2, headers) { return __awaiter2(this, void 0, void 0, function* () { - dest = dest || path13.join(_getTempDirectory(), crypto2.randomUUID()); + dest = dest || path13.join(_getTempDirectory(), crypto3.randomUUID()); yield io6.mkdirP(path13.dirname(dest)); core16.debug(`Downloading ${url2}`); core16.debug(`Destination ${dest}`); @@ -100129,7 +100129,7 @@ var require_tool_cache = __commonJS({ } function cacheDir(sourceDir, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core16.debug(`Caching tool ${tool} ${version} ${arch2}`); core16.debug(`source dir: ${sourceDir}`); @@ -100147,7 +100147,7 @@ var require_tool_cache = __commonJS({ } function cacheFile(sourceFile, targetFile, tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - version = semver9.clean(version) || version; + version = semver10.clean(version) || version; arch2 = arch2 || os3.arch(); core16.debug(`Caching tool ${tool} ${version} ${arch2}`); core16.debug(`source file: ${sourceFile}`); @@ -100177,7 +100177,7 @@ var require_tool_cache = __commonJS({ } let toolPath = ""; if (versionSpec) { - versionSpec = semver9.clean(versionSpec) || ""; + versionSpec = semver10.clean(versionSpec) || ""; const cachePath = path13.join(_getCacheDirectory(), toolName, versionSpec, arch2); core16.debug(`checking cache: ${cachePath}`); if (fs15.existsSync(cachePath) && fs15.existsSync(`${cachePath}.complete`)) { @@ -100249,7 +100249,7 @@ var require_tool_cache = __commonJS({ function _createExtractFolder(dest) { return __awaiter2(this, void 0, void 0, function* () { if (!dest) { - dest = path13.join(_getTempDirectory(), crypto2.randomUUID()); + dest = path13.join(_getTempDirectory(), crypto3.randomUUID()); } yield io6.mkdirP(dest); return dest; @@ -100257,7 +100257,7 @@ var require_tool_cache = __commonJS({ } function _createToolPath(tool, version, arch2) { return __awaiter2(this, void 0, void 0, function* () { - const folderPath = path13.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path13.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); core16.debug(`destination ${folderPath}`); const markerPath = `${folderPath}.complete`; yield io6.rmRF(folderPath); @@ -100267,30 +100267,30 @@ var require_tool_cache = __commonJS({ }); } function _completeToolPath(tool, version, arch2) { - const folderPath = path13.join(_getCacheDirectory(), tool, semver9.clean(version) || version, arch2 || ""); + const folderPath = path13.join(_getCacheDirectory(), tool, semver10.clean(version) || version, arch2 || ""); const markerPath = `${folderPath}.complete`; fs15.writeFileSync(markerPath, ""); core16.debug("finished caching tool"); } function isExplicitVersion(versionSpec) { - const c = semver9.clean(versionSpec) || ""; + const c = semver10.clean(versionSpec) || ""; core16.debug(`isExplicit: ${c}`); - const valid3 = semver9.valid(c) != null; - core16.debug(`explicit? ${valid3}`); - return valid3; + const valid4 = semver10.valid(c) != null; + core16.debug(`explicit? ${valid4}`); + return valid4; } function evaluateVersions(versions, versionSpec) { let version = ""; core16.debug(`evaluating ${versions.length} versions`); versions = versions.sort((a, b) => { - if (semver9.gt(a, b)) { + if (semver10.gt(a, b)) { return 1; } return -1; }); for (let i = versions.length - 1; i >= 0; i--) { const potential = versions[i]; - const satisfied = semver9.satisfies(potential, versionSpec); + const satisfied = semver10.satisfies(potential, versionSpec); if (satisfied) { version = potential; break; @@ -106847,6 +106847,32 @@ var persistInputs = function() { ); core4.saveState(persistedInputsKey, JSON.stringify(inputEnvironmentVariables)); }; +function getPullRequestBranches() { + const pullRequest = github.context.payload.pull_request; + if (pullRequest) { + return { + base: pullRequest.base.ref, + // We use the head label instead of the head ref here, because the head + // ref lacks owner information and by itself does not uniquely identify + // the head branch (which may be in a forked repository). + head: pullRequest.head.label + }; + } + const codeScanningRef = process.env.CODE_SCANNING_REF; + const codeScanningBaseBranch = process.env.CODE_SCANNING_BASE_BRANCH; + if (codeScanningRef && codeScanningBaseBranch) { + return { + base: codeScanningBaseBranch, + // PR analysis under Default Setup analyzes the PR head commit instead of + // the merge commit, so we can use the provided ref directly. + head: codeScanningRef + }; + } + return void 0; +} +function isAnalyzingPullRequest() { + return getPullRequestBranches() !== void 0; +} var qualityCategoryMapping = { "c#": "csharp", cpp: "c-cpp", @@ -107139,6 +107165,11 @@ async function getAnalysisKey() { core5.exportVariable("CODEQL_ACTION_ANALYSIS_KEY" /* ANALYSIS_KEY */, analysisKey); return analysisKey; } +async function getAutomationID() { + const analysis_key = await getAnalysisKey(); + const environment = getRequiredInput("matrix"); + return computeAutomationID(analysis_key, environment); +} function computeAutomationID(analysis_key, environment) { let automationID = `${analysis_key}/`; const matrix = parseMatrixInput(environment); @@ -107153,6 +107184,18 @@ function computeAutomationID(analysis_key, environment) { } return automationID; } +async function listActionsCaches(keyPrefix, ref) { + const repositoryNwo = getRepositoryNwo(); + return await getApiClient().paginate( + "GET /repos/{owner}/{repo}/actions/caches", + { + owner: repositoryNwo.owner, + repo: repositoryNwo.repo, + key: keyPrefix, + ref + } + ); +} function isEnablementError(msg) { return [ /Code Security must be enabled/i, @@ -108202,7 +108245,13 @@ var path7 = __toESM(require("path")); var core9 = __toESM(require_core()); // src/caching-utils.ts +var crypto2 = __toESM(require("crypto")); var core8 = __toESM(require_core()); +var cacheKeyHashLength = 16; +function createCacheKeyHash(components) { + const componentsJson = JSON.stringify(components); + return crypto2.createHash("sha256").update(componentsJson).digest("hex").substring(0, cacheKeyHashLength); +} // src/config/db-config.ts var jsonschema = __toESM(require_lib2()); @@ -108343,6 +108392,17 @@ var builtin_default = { // src/languages/index.ts var builtInLanguageSet = new Set(builtin_default.languages); +function isBuiltInLanguage(language) { + return builtInLanguageSet.has(language); +} +function parseBuiltInLanguage(language) { + language = language.trim().toLowerCase(); + language = builtin_default.aliases[language] ?? language; + if (isBuiltInLanguage(language)) { + return language; + } + return void 0; +} // src/overlay/status.ts var actionsCache = __toESM(require_cache5()); @@ -108892,7 +108952,7 @@ var fs11 = __toESM(require("fs")); var path9 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver8 = __toESM(require_semver2()); +var semver9 = __toESM(require_semver2()); // node_modules/uuid/dist-node/stringify.js var byteToHex = []; @@ -108938,6 +108998,67 @@ function _v4(options, buf, offset) { } var v4_default = v4; +// src/overlay/caching.ts +var actionsCache3 = __toESM(require_cache5()); +var semver6 = __toESM(require_semver2()); +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB = 7500; +var OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_BYTES = OVERLAY_BASE_DATABASE_MAX_UPLOAD_SIZE_MB * 1e6; +var CACHE_VERSION = 1; +var CACHE_PREFIX = "codeql-overlay-base-database"; +async function getCacheKeyPrefixBase(parsedLanguages) { + const languagesComponent = [...parsedLanguages].sort().join("_"); + const cacheKeyComponents = { + automationID: await getAutomationID() + // Add more components here as needed in the future + }; + const componentsHash = createCacheKeyHash(cacheKeyComponents); + return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`; +} +async function getCodeQlVersionsForOverlayBaseDatabases(rawLanguages, logger) { + const languages = rawLanguages.map(parseBuiltInLanguage); + if (languages.includes(void 0)) { + logger.warning( + "One or more provided languages are not recognized as built-in languages. Skipping searching for overlay-base databases in cache." + ); + return void 0; + } + const cacheKeyPrefix = await getCacheKeyPrefixBase( + languages.filter((l) => l !== void 0) + ); + logger.debug( + `Searching for overlay-base databases in Actions cache with prefix ${cacheKeyPrefix}` + ); + const caches = await listActionsCaches(cacheKeyPrefix); + if (caches.length === 0) { + logger.info("No overlay-base databases found in Actions cache."); + return []; + } + logger.info( + `Found ${caches.length} overlay-base ${caches.length === 1 ? "database" : "databases"} in the Actions cache.` + ); + const versionRegex = /^([\d.]+)-/; + const versionSet = /* @__PURE__ */ new Set(); + for (const cache of caches) { + if (!cache.key) continue; + const suffix = cache.key.substring(cacheKeyPrefix.length); + const match = suffix.match(versionRegex); + if (match && semver6.valid(match[1])) { + versionSet.add(match[1]); + } + } + if (versionSet.size === 0) { + logger.info( + "Could not parse any CodeQL versions from overlay-base database cache keys." + ); + return []; + } + const versions = [...versionSet].sort(semver6.rcompare); + logger.info( + `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}` + ); + return versions; +} + // src/tar.ts var import_child_process = require("child_process"); var fs9 = __toESM(require("fs")); @@ -108945,7 +109066,7 @@ var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -108987,9 +109108,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver6.gte( - semver6.coerce(version), - semver6.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver7.gte( + semver7.coerce(version), + semver7.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -108998,7 +109119,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver6.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver7.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -109105,7 +109226,7 @@ var core11 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver7 = __toESM(require_semver2()); +var semver8 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -109235,7 +109356,7 @@ function getToolcacheDirectory(version) { return path8.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver7.clean(version) || version, + semver8.clean(version) || version, os2.arch() || "" ); } @@ -109360,13 +109481,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver8.valid(version)) { + if (!semver9.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver8.clean(version); + const s = semver9.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } @@ -109398,7 +109519,55 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { } return void 0; } -async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, variant, tarSupportsZstd, features, logger) { +async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, rawLanguages, features, logger) { + if (rawLanguages === void 0 || rawLanguages.length === 0) { + return []; + } + if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + return []; + } + let cachedVersions; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}` + ); + return []; + } + if (cachedVersions === void 0 || cachedVersions.length === 0) { + return []; + } + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter( + (v) => cachedVersionsSet.has(v.cliVersion) + ); +} +async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the highest enabled version that has a cached overlay-base database.` + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` + ); + return defaultCliVersion.enabledVersions[0]; +} +async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { if (toolsInput && !isReservedToolsValue(toolsInput) && !toolsInput.startsWith("http")) { logger.info(`Using CodeQL CLI from local path ${toolsInput}`); const compressionMethod2 = inferCompressionMethod(toolsInput); @@ -109492,21 +109661,33 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian ); } } - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== void 0) { tagName = tryGetTagNameFromUrl(toolsInput, logger); url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver8.valid(bundleVersion3)) { + if (bundleVersion3 && semver9.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } } else { - cliVersion2 = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger + ); + cliVersion2 = version.cliVersion; + tagName = version.tagName; } const bundleVersion2 = tagName && tryGetBundleVersionFromTagName(tagName, logger); const humanReadableVersion = cliVersion2 ?? (bundleVersion2 && convertToSemVer(bundleVersion2, logger)) ?? tagName ?? url2 ?? "unknown"; @@ -109703,7 +109884,7 @@ function getCanonicalToolcacheVersion(cliVersion2, bundleVersion2, logger) { } return cliVersion2; } -async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { if (!await isBinaryAccessible("tar", logger)) { throw new ConfigurationError( "Could not find tar in PATH, so unable to extract CodeQL bundle." @@ -109713,6 +109894,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, @@ -109771,7 +109953,7 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver8.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver9.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { @@ -109803,7 +109985,7 @@ async function getNightlyToolsUrl(logger) { } } function getLatestToolcacheVersion(logger) { - const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver8.compare(b, a)); + const allVersions = toolcache3.findAllVersions("CodeQL").sort((a, b) => semver9.compare(b, a)); logger.debug( `Found the following versions of the CodeQL tools in the toolcache: ${JSON.stringify( allVersions @@ -109840,7 +110022,7 @@ var CODEQL_NEXT_MINIMUM_VERSION = "2.19.4"; var GHES_VERSION_MOST_RECENTLY_DEPRECATED = "3.15"; var GHES_MOST_RECENT_DEPRECATION_DATE = "2026-04-09"; var EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; -async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger, checkVersion) { +async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger, checkVersion) { try { const { codeqlFolder, @@ -109854,6 +110036,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV tempDir, variant, defaultCliVersion, + rawLanguages, features, logger ); @@ -111575,7 +111758,7 @@ var core13 = __toESM(require_core()); var toolrunner4 = __toESM(require_toolrunner()); var github2 = __toESM(require_github()); var io5 = __toESM(require_io()); -async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, features, logger) { +async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVersion, rawLanguages, features, logger) { logger.startGroup("Setup CodeQL tools"); const { codeql, @@ -111589,6 +111772,7 @@ async function initCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliVe tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true @@ -111674,6 +111858,8 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + void 0, + // rawLanguages: upload-lib does not run analysis features, logger ); @@ -111689,7 +111875,7 @@ async function combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, lo return readSarifFile(outputFile); } function populateRunAutomationDetails(sarifFile, category, analysis_key, environment) { - const automationID = getAutomationID(category, analysis_key, environment); + const automationID = getAutomationID2(category, analysis_key, environment); if (automationID !== void 0) { for (const run2 of sarifFile.runs || []) { if (run2.automationDetails === void 0) { @@ -111702,7 +111888,7 @@ function populateRunAutomationDetails(sarifFile, category, analysis_key, environ } return sarifFile; } -function getAutomationID(category, analysis_key, environment) { +function getAutomationID2(category, analysis_key, environment) { if (category !== void 0) { let automationID = category; if (!automationID.endsWith("/")) { diff --git a/src/codeql.test.ts b/src/codeql.test.ts index de7c400960..60756101fd 100644 --- a/src/codeql.test.ts +++ b/src/codeql.test.ts @@ -72,6 +72,7 @@ async function installIntoToolcache({ cliVersion !== undefined ? { enabledVersions: [{ cliVersion, tagName }] } : SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages createFeatures([]), getRunnerLogger(true), false, @@ -143,6 +144,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -175,6 +177,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -214,6 +217,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -264,6 +268,7 @@ for (const { tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -308,6 +313,7 @@ for (const toolcacheVersion of [ tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -352,6 +358,7 @@ test.serial( }, ], }, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -398,6 +405,7 @@ test.serial( }, ], }, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -437,6 +445,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, @@ -478,6 +487,7 @@ test.serial( tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, getRunnerLogger(true), false, diff --git a/src/codeql.ts b/src/codeql.ts index ecad2ea199..046d3e7192 100644 --- a/src/codeql.ts +++ b/src/codeql.ts @@ -305,6 +305,7 @@ const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++"; * @param tempDir * @param variant * @param defaultCliVersion + * @param rawLanguages Raw set of languages. * @param features Information about the features that are enabled. * @param logger * @param checkVersion Whether to check that CodeQL CLI meets the minimum @@ -317,6 +318,7 @@ export async function setupCodeQL( tempDir: string, variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, features: FeatureEnablement, logger: Logger, checkVersion: boolean, @@ -340,6 +342,7 @@ export async function setupCodeQL( tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, ); diff --git a/src/init-action.ts b/src/init-action.ts index 3d599d5452..96745e2034 100644 --- a/src/init-action.ts +++ b/src/init-action.ts @@ -301,12 +301,16 @@ async function run(startedAt: Date) { const codeQLDefaultVersionInfo = await features.getEnabledDefaultCliVersions(gitHubVersion.type); toolsFeatureFlagsValid = codeQLDefaultVersionInfo.toolsFeatureFlagsValid; + const rawLanguages = configUtils.getRawLanguagesNoAutodetect( + getOptionalInput("languages"), + ); const initCodeQLResult = await initCodeQL( getOptionalInput("tools"), apiDetails, getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + rawLanguages, features, logger, ); diff --git a/src/init.ts b/src/init.ts index 8ed6f64005..ef1f426d02 100644 --- a/src/init.ts +++ b/src/init.ts @@ -39,6 +39,7 @@ export async function initCodeQL( tempDir: string, variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, features: FeatureEnablement, logger: Logger, ): Promise<{ @@ -61,6 +62,7 @@ export async function initCodeQL( tempDir, variant, defaultCliVersion, + rawLanguages, features, logger, true, diff --git a/src/setup-codeql-action.ts b/src/setup-codeql-action.ts index 34d5d76aa8..5e6c82442c 100644 --- a/src/setup-codeql-action.ts +++ b/src/setup-codeql-action.ts @@ -145,6 +145,7 @@ async function run(startedAt: Date): Promise { getTemporaryDirectory(), gitHubVersion.type, codeQLDefaultVersionInfo, + undefined, // rawLanguages: currently, setup-codeql is not language aware features, logger, ); diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index c35bd1d9d9..820e6acd4e 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -107,6 +107,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( `https://github.com/github/codeql-action/releases/download/${tagName}/codeql-bundle-linux64.tar.gz`, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -130,6 +131,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "linked", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -155,6 +157,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "latest", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -211,6 +214,7 @@ test.serial( "tmp/codeql_action_test/", GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, logger, ); @@ -266,6 +270,7 @@ test.serial( "tmp/codeql_action_test/", GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages features, logger, ); @@ -317,6 +322,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "nightly", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -378,6 +384,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( undefined, SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -432,6 +439,7 @@ test.serial( const source = await setupCodeql.getCodeQLSource( "toolcache", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -499,6 +507,7 @@ const toolcacheInputFallbackMacro = test.macro({ const source = await setupCodeql.getCodeQLSource( "toolcache", SAMPLE_DEFAULT_CLI_VERSION, + undefined, // rawLanguages SAMPLE_DOTCOM_API_DETAILS, GitHubVariant.DOTCOM, false, @@ -601,3 +610,155 @@ test.serial( t.is(setupCodeql.getLatestToolcacheVersion(getRunnerLogger(true)), "3.2.1"); }, ); + +function makeOverlayMatchFeatures( + matchFlagEnabled: boolean, +): FeatureEnablement { + return { + getEnabledDefaultCliVersions: async () => { + throw new Error("not implemented"); + }, + getValue: async (feature) => { + if (feature === Feature.OverlayAnalysisMatchCodeqlVersion) { + return matchFlagEnabled; + } + return false; + }, + }; +} + +const overlayMatchEnabledVersions = { + enabledVersions: [ + { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" }, + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ], + toolsFeatureFlagsValid: true, +}; + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases returns flag-enabled versions present in cache, sorted desc", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + // Newer than any flag-enabled version: should be filtered out. + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.21.0-abc-1-1", + }, + // Flag-enabled versions present in the cache. + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-def-2-1", + }, + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.0-ghi-3-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures(true), + getRunnerLogger(true), + ); + t.deepEqual(result, [ + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, + { cliVersion: "2.20.0", tagName: "codeql-bundle-v2.20.0" }, + ]); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases returns empty when no cached version is flag-enabled", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.19.0-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures(true), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases does not list caches when gate is off", + async (t) => { + const listStub = sinon.stub(api, "listActionsCaches").resolves([]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures(false), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + t.assert( + listStub.notCalled, + "Should not list Actions caches when the gating feature flag is off.", + ); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is empty", + async (t) => { + const listStub = sinon.stub(api, "listActionsCaches").resolves([]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + undefined, + makeOverlayMatchFeatures(true), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + t.assert( + listStub.notCalled, + "Should not list Actions caches without rawLanguages.", + ); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed")); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures(true), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases includes the highest version when it is cached", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.2-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures(true), + getRunnerLogger(true), + ); + t.deepEqual(result, [ + { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" }, + ]); + }, +); diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 41eb7f1e46..6a0071eb16 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -7,17 +7,23 @@ import { default as deepEqual } from "fast-deep-equal"; import * as semver from "semver"; import { v4 as uuidV4 } from "uuid"; -import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util"; +import { + isAnalyzingPullRequest, + isDynamicWorkflow, + isRunningLocalAction, +} from "./actions-util"; import * as api from "./api-client"; import * as defaults from "./defaults.json"; import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics"; import { CODEQL_VERSION_ZSTD_BUNDLE, CodeQLDefaultVersionInfo, + CodeQLVersionInfo, Feature, FeatureEnablement, } from "./feature-flags"; import { Logger } from "./logging"; +import { getCodeQlVersionsForOverlayBaseDatabases } from "./overlay/caching"; import * as tar from "./tar"; import { downloadAndExtract, @@ -264,12 +270,84 @@ async function findOverridingToolsInCache( return undefined; } +/** Returns the sorted set of enabled versions that have cached overlay-base databases. */ +export async function getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, + features: FeatureEnablement, + logger: Logger, +): Promise { + if (rawLanguages === undefined || rawLanguages.length === 0) { + return []; + } + if (!(await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersion))) { + return []; + } + + let cachedVersions: string[] | undefined; + try { + cachedVersions = await getCodeQlVersionsForOverlayBaseDatabases( + rawLanguages, + logger, + ); + } catch (e) { + logger.warning( + `While setting up CodeQL, was unable to list overlay-base databases in the Actions cache. Details: ${e}`, + ); + return []; + } + if (cachedVersions === undefined || cachedVersions.length === 0) { + return []; + } + + const cachedVersionsSet = new Set(cachedVersions); + return defaultCliVersion.enabledVersions.filter((v) => + cachedVersionsSet.has(v.cliVersion), + ); +} + +/** + * Resolves the newest enabled default CLI version that has a cached overlay-base database for the + * relevant languages, if analyzing a pull request and one exists. Otherwise, falls back to the + * newest enabled default CLI version. + */ +async function resolveDefaultCliVersion( + defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, + features: FeatureEnablement, + logger: Logger, +): Promise { + if (!isAnalyzingPullRequest()) { + return defaultCliVersion.enabledVersions[0]; + } + + const overlayVersions = await getEnabledVersionsWithOverlayBaseDatabases( + defaultCliVersion, + rawLanguages, + features, + logger, + ); + if (overlayVersions.length > 0) { + logger.info( + `Using CodeQL version ${overlayVersions[0].cliVersion} since this is the ` + + `highest enabled version that has a cached overlay-base database.`, + ); + return overlayVersions[0]; + } + logger.info( + `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled ` + + `versions with cached overlay-base databases were found.`, + ); + return defaultCliVersion.enabledVersions[0]; +} + /** * Determines where the CodeQL CLI we want to use comes from. This can be from a local file, * the Actions toolcache, or a download. * * @param toolsInput The argument provided for the `tools` input, if any. * @param defaultCliVersion The default CLI version that's linked to the CodeQL Action. + * @param rawLanguages Raw set of languages. * @param apiDetails Information about the GitHub API. * @param variant The GitHub variant we are running on. * @param tarSupportsZstd Whether zstd is supported by `tar`. @@ -281,6 +359,7 @@ async function findOverridingToolsInCache( export async function getCodeQLSource( toolsInput: string | undefined, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, apiDetails: api.GitHubApiDetails, variant: util.GitHubVariant, tarSupportsZstd: boolean, @@ -438,8 +517,14 @@ export async function getCodeQLSource( } } - cliVersion = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger, + ); + cliVersion = version.cliVersion; + tagName = version.tagName; } } else if (toolsInput !== undefined) { // If a tools URL was provided, then use that. @@ -454,9 +539,14 @@ export async function getCodeQLSource( } } } else { - // Otherwise, use the default CLI version passed in. - cliVersion = defaultCliVersion.enabledVersions[0].cliVersion; - tagName = defaultCliVersion.enabledVersions[0].tagName; + const version = await resolveDefaultCliVersion( + defaultCliVersion, + rawLanguages, + features, + logger, + ); + cliVersion = version.cliVersion; + tagName = version.tagName; } const bundleVersion = @@ -791,6 +881,7 @@ export async function setupCodeQLBundle( tempDir: string, variant: util.GitHubVariant, defaultCliVersion: CodeQLDefaultVersionInfo, + rawLanguages: string[] | undefined, features: FeatureEnablement, logger: Logger, ): Promise { @@ -804,6 +895,7 @@ export async function setupCodeQLBundle( const source = await getCodeQLSource( toolsInput, defaultCliVersion, + rawLanguages, apiDetails, variant, zstdAvailability.available, diff --git a/src/upload-lib.ts b/src/upload-lib.ts index e4230b6f9a..5db40f26de 100644 --- a/src/upload-lib.ts +++ b/src/upload-lib.ts @@ -165,6 +165,7 @@ async function combineSarifFilesUsingCLI( tempDir, gitHubVersion.type, codeQLDefaultVersionInfo, + undefined, // rawLanguages: upload-lib does not run analysis features, logger, ); From b967fdfbdcb34cdf41bdd304aec7e2c548eff473 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 6 May 2026 18:30:24 +0100 Subject: [PATCH 4/5] Add dry run mode so we can dark ship --- lib/analyze-action-post.js | 5 ++ lib/analyze-action.js | 54 ++++++++++++++-- lib/autobuild-action.js | 5 ++ lib/init-action-post.js | 54 ++++++++++++++-- lib/init-action.js | 44 +++++++++++-- lib/resolve-environment-action.js | 5 ++ lib/setup-codeql-action.js | 54 ++++++++++++++-- lib/start-proxy-action-post.js | 5 ++ lib/start-proxy-action.js | 5 ++ lib/upload-lib.js | 54 ++++++++++++++-- lib/upload-sarif-action-post.js | 5 ++ lib/upload-sarif-action.js | 54 ++++++++++++++-- src/feature-flags.ts | 11 ++++ src/setup-codeql.test.ts | 101 +++++++++++++++++++++++------- src/setup-codeql.ts | 64 ++++++++++++++++--- 15 files changed, 460 insertions(+), 60 deletions(-) diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 95609b3a24..45ab0ffb44 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -162824,6 +162824,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/analyze-action.js b/lib/analyze-action.js index f94d5a0dc7..06d7e6c907 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -107934,6 +107934,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs6 = __toESM(require("fs")); @@ -108450,6 +108460,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -109820,7 +109835,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; @@ -109839,9 +109858,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { @@ -109859,9 +109906,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index 4e1a75aac4..a080b6928b 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js @@ -104876,6 +104876,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 4ed2d691b0..a406b54d1a 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -165864,6 +165864,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs6 = __toESM(require("fs")); @@ -166384,6 +166394,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -167548,7 +167563,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; @@ -167567,9 +167586,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { @@ -167587,9 +167634,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/lib/init-action.js b/lib/init-action.js index c4310c848c..60b2aa4bc0 100644 --- a/lib/init-action.js +++ b/lib/init-action.js @@ -105993,6 +105993,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -108759,7 +108764,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; @@ -108778,9 +108787,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { @@ -108798,9 +108835,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 2d03ee8081..0fe58bb3d7 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -104867,6 +104867,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/setup-codeql-action.js b/lib/setup-codeql-action.js index fd4f84a37b..59458a705c 100644 --- a/lib/setup-codeql-action.js +++ b/lib/setup-codeql-action.js @@ -104781,6 +104781,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -105568,6 +105573,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/languages/builtin.json var builtin_default = { @@ -106191,7 +106206,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; @@ -106210,9 +106229,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { @@ -106230,9 +106277,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js index 60fa054a65..8767a0138b 100644 --- a/lib/start-proxy-action-post.js +++ b/lib/start-proxy-action-post.js @@ -162144,6 +162144,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js index bd1e56c2b9..0d4c0e7331 100644 --- a/lib/start-proxy-action.js +++ b/lib/start-proxy-action.js @@ -121515,6 +121515,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 0dfb131c1c..cab779a62b 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -107567,6 +107567,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs5 = __toESM(require("fs")); @@ -108079,6 +108089,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -108846,7 +108861,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; @@ -108865,9 +108884,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { @@ -108885,9 +108932,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js index 4824e45956..cb645d0082 100644 --- a/lib/upload-sarif-action-post.js +++ b/lib/upload-sarif-action-post.js @@ -162314,6 +162314,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index 520b5270cb..fec1bf2245 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -107746,6 +107746,11 @@ var featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: void 0 }, + ["overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: void 0 + }, ["overlay_analysis_resource_checks_v2" /* OverlayAnalysisResourceChecksV2 */]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", @@ -108339,6 +108344,16 @@ function writeDiagnostic(config, language, diagnostic) { logger.debug(JSON.stringify(diagnostic)); } } +function makeTelemetryDiagnostic(id, name, attributes) { + return makeDiagnostic(id, name, { + attributes, + visibility: { + cliSummaryTable: false, + statusPage: false, + telemetry: true + } + }); +} // src/diff-informed-analysis-utils.ts var fs7 = __toESM(require("fs")); @@ -109523,7 +109538,11 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw if (rawLanguages === void 0 || rawLanguages.length === 0) { return []; } - if (!await features.getValue("overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */)) { + const isEnabled = await features.getValue( + "overlay_analysis_match_codeql_version" /* OverlayAnalysisMatchCodeqlVersion */ + ); + const isDryRun = !isEnabled && await features.getValue("overlay_analysis_match_codeql_version_dry_run" /* OverlayAnalysisMatchCodeqlVersionDryRun */); + if (!isEnabled && !isDryRun) { return []; } let cachedVersions; @@ -109542,9 +109561,37 @@ async function getEnabledVersionsWithOverlayBaseDatabases(defaultCliVersion, raw return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter( + const overlayVersions = defaultCliVersion.enabledVersions.filter( (v) => cachedVersionsSet.has(v.cliVersion) ); + if (overlayVersions.length === 0) { + return []; + } + const isCachedVersionDifferent = overlayVersions[0].cliVersion !== defaultCliVersion.enabledVersions[0].cliVersion; + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + void 0, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion + } + ) + ); + } + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.` + ); + return []; + } + return overlayVersions; } async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, features, logger) { if (!isAnalyzingPullRequest()) { @@ -109562,9 +109609,6 @@ async function resolveDefaultCliVersion(defaultCliVersion, rawLanguages, feature ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled versions with cached overlay-base databases were found.` - ); return defaultCliVersion.enabledVersions[0]; } async function getCodeQLSource(toolsInput, defaultCliVersion, rawLanguages, apiDetails, variant, tarSupportsZstd, features, logger) { diff --git a/src/feature-flags.ts b/src/feature-flags.ts index d6a6ba7bb4..ae3d242672 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts @@ -97,6 +97,12 @@ export enum Feature { * database exists in the cache. */ OverlayAnalysisMatchCodeqlVersion = "overlay_analysis_match_codeql_version", + /** + * Like `OverlayAnalysisMatchCodeqlVersion`, but only logs a diagnostic with the version that + * would have been chosen instead of actually changing the default CodeQL CLI version. + * `OverlayAnalysisMatchCodeqlVersion` overrides this flag. + */ + OverlayAnalysisMatchCodeqlVersionDryRun = "overlay_analysis_match_codeql_version_dry_run", OverlayAnalysisPython = "overlay_analysis_python", /** * Controls whether lower disk space requirements are used for overlay hardware checks. @@ -307,6 +313,11 @@ export const featureConfig = { envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION", minimumVersion: undefined, }, + [Feature.OverlayAnalysisMatchCodeqlVersionDryRun]: { + defaultValue: false, + envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_MATCH_CODEQL_VERSION_DRY_RUN", + minimumVersion: undefined, + }, [Feature.OverlayAnalysisResourceChecksV2]: { defaultValue: false, envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2", diff --git a/src/setup-codeql.test.ts b/src/setup-codeql.test.ts index 820e6acd4e..39f2422bda 100644 --- a/src/setup-codeql.test.ts +++ b/src/setup-codeql.test.ts @@ -611,16 +611,20 @@ test.serial( }, ); -function makeOverlayMatchFeatures( - matchFlagEnabled: boolean, -): FeatureEnablement { +function makeOverlayMatchFeatures(opts: { + matchFlagEnabled?: boolean; + dryRunFlagEnabled?: boolean; +}): FeatureEnablement { return { getEnabledDefaultCliVersions: async () => { throw new Error("not implemented"); }, getValue: async (feature) => { if (feature === Feature.OverlayAnalysisMatchCodeqlVersion) { - return matchFlagEnabled; + return opts.matchFlagEnabled ?? false; + } + if (feature === Feature.OverlayAnalysisMatchCodeqlVersionDryRun) { + return opts.dryRunFlagEnabled ?? false; } return false; }, @@ -657,7 +661,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures(true), + makeOverlayMatchFeatures({ matchFlagEnabled: true }), getRunnerLogger(true), ); t.deepEqual(result, [ @@ -680,7 +684,7 @@ test.serial( const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures(true), + makeOverlayMatchFeatures({ matchFlagEnabled: true }), getRunnerLogger(true), ); t.deepEqual(result, []); @@ -688,77 +692,130 @@ test.serial( ); test.serial( - "getEnabledVersionsWithOverlayBaseDatabases does not list caches when gate is off", + "getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is empty", async (t) => { const listStub = sinon.stub(api, "listActionsCaches").resolves([]); const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, - ["javascript"], - makeOverlayMatchFeatures(false), + undefined, + makeOverlayMatchFeatures({ matchFlagEnabled: true }), getRunnerLogger(true), ); t.deepEqual(result, []); t.assert( listStub.notCalled, - "Should not list Actions caches when the gating feature flag is off.", + "Should not list Actions caches without rawLanguages.", ); }, ); test.serial( - "getEnabledVersionsWithOverlayBaseDatabases does not list caches when rawLanguages is empty", + "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed")); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({ matchFlagEnabled: true }), + getRunnerLogger(true), + ); + t.deepEqual(result, []); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases includes the highest version when it is cached", + async (t) => { + sinon.stub(api, "getAutomationID").resolves("test/"); + sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.2-abc-1-1", + }, + ]); + + const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( + overlayMatchEnabledVersions, + ["javascript"], + makeOverlayMatchFeatures({ matchFlagEnabled: true }), + getRunnerLogger(true), + ); + t.deepEqual(result, [ + { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" }, + ]); + }, +); + +test.serial( + "getEnabledVersionsWithOverlayBaseDatabases does not list caches when both gates are off", async (t) => { const listStub = sinon.stub(api, "listActionsCaches").resolves([]); const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, - undefined, - makeOverlayMatchFeatures(true), + ["javascript"], + makeOverlayMatchFeatures({}), getRunnerLogger(true), ); t.deepEqual(result, []); t.assert( listStub.notCalled, - "Should not list Actions caches without rawLanguages.", + "Should not list Actions caches when both gating feature flags are off.", ); }, ); test.serial( - "getEnabledVersionsWithOverlayBaseDatabases returns empty when listing caches throws", + "getEnabledVersionsWithOverlayBaseDatabases dry-run returns empty but lists caches", async (t) => { sinon.stub(api, "getAutomationID").resolves("test/"); - sinon.stub(api, "listActionsCaches").rejects(new Error("listing failed")); + const listStub = sinon.stub(api, "listActionsCaches").resolves([ + { + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", + }, + ]); const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures(true), + makeOverlayMatchFeatures({ dryRunFlagEnabled: true }), getRunnerLogger(true), ); - t.deepEqual(result, []); + t.deepEqual( + result, + [], + "Dry-run should return an empty list so the caller falls back.", + ); + t.assert( + listStub.calledOnce, + "Dry-run should still list Actions caches to populate the diagnostic.", + ); }, ); test.serial( - "getEnabledVersionsWithOverlayBaseDatabases includes the highest version when it is cached", + "getEnabledVersionsWithOverlayBaseDatabases match flag wins over dry-run", async (t) => { sinon.stub(api, "getAutomationID").resolves("test/"); sinon.stub(api, "listActionsCaches").resolves([ { - key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.2-abc-1-1", + key: "codeql-overlay-base-database-1-aaaaaaaaaaaaaaaa-javascript-2.20.1-abc-1-1", }, ]); const result = await setupCodeql.getEnabledVersionsWithOverlayBaseDatabases( overlayMatchEnabledVersions, ["javascript"], - makeOverlayMatchFeatures(true), + makeOverlayMatchFeatures({ + matchFlagEnabled: true, + dryRunFlagEnabled: true, + }), getRunnerLogger(true), ); t.deepEqual(result, [ - { cliVersion: "2.20.2", tagName: "codeql-bundle-v2.20.2" }, + { cliVersion: "2.20.1", tagName: "codeql-bundle-v2.20.1" }, ]); }, ); diff --git a/src/setup-codeql.ts b/src/setup-codeql.ts index 6a0071eb16..1082147352 100644 --- a/src/setup-codeql.ts +++ b/src/setup-codeql.ts @@ -14,7 +14,11 @@ import { } from "./actions-util"; import * as api from "./api-client"; import * as defaults from "./defaults.json"; -import { addNoLanguageDiagnostic, makeDiagnostic } from "./diagnostics"; +import { + addNoLanguageDiagnostic, + makeDiagnostic, + makeTelemetryDiagnostic, +} from "./diagnostics"; import { CODEQL_VERSION_ZSTD_BUNDLE, CodeQLDefaultVersionInfo, @@ -270,7 +274,13 @@ async function findOverridingToolsInCache( return undefined; } -/** Returns the sorted set of enabled versions that have cached overlay-base databases. */ +/** + * Returns the sorted set of enabled versions that have cached overlay-base databases for the + * given languages, or an empty list if neither the `OverlayAnalysisMatchCodeqlVersion` nor the + * `OverlayAnalysisMatchCodeqlVersionDryRun` feature flag is enabled. When only the dry-run flag + * is enabled, this performs the lookup and emits a telemetry diagnostic with the version that + * would have been chosen, but still returns an empty list so the caller falls back. + */ export async function getEnabledVersionsWithOverlayBaseDatabases( defaultCliVersion: CodeQLDefaultVersionInfo, rawLanguages: string[] | undefined, @@ -280,7 +290,13 @@ export async function getEnabledVersionsWithOverlayBaseDatabases( if (rawLanguages === undefined || rawLanguages.length === 0) { return []; } - if (!(await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersion))) { + const isEnabled = await features.getValue( + Feature.OverlayAnalysisMatchCodeqlVersion, + ); + const isDryRun = + !isEnabled && + (await features.getValue(Feature.OverlayAnalysisMatchCodeqlVersionDryRun)); + if (!isEnabled && !isDryRun) { return []; } @@ -296,14 +312,50 @@ export async function getEnabledVersionsWithOverlayBaseDatabases( ); return []; } + if (cachedVersions === undefined || cachedVersions.length === 0) { return []; } const cachedVersionsSet = new Set(cachedVersions); - return defaultCliVersion.enabledVersions.filter((v) => + const overlayVersions = defaultCliVersion.enabledVersions.filter((v) => cachedVersionsSet.has(v.cliVersion), ); + + if (overlayVersions.length === 0) { + return []; + } + + const isCachedVersionDifferent = + overlayVersions[0].cliVersion !== + defaultCliVersion.enabledVersions[0].cliVersion; + + if (isCachedVersionDifferent) { + addNoLanguageDiagnostic( + undefined, + makeTelemetryDiagnostic( + "codeql-action/overlay-aware-default-codeql-version", + "Overlay-aware default CodeQL version selection", + { + cachedVersions, + enabledVersions: defaultCliVersion.enabledVersions.map( + (v) => v.cliVersion, + ), + isDryRun, + overlayAwareVersion: overlayVersions[0].cliVersion, + }, + ), + ); + } + + if (isDryRun) { + logger.debug( + `Overlay-aware default CodeQL version selection is running in dry-run mode. Would have used version ${overlayVersions[0].cliVersion}.`, + ); + return []; + } + + return overlayVersions; } /** @@ -334,10 +386,6 @@ async function resolveDefaultCliVersion( ); return overlayVersions[0]; } - logger.info( - `Using CodeQL version ${defaultCliVersion.enabledVersions[0].cliVersion} since no enabled ` + - `versions with cached overlay-base databases were found.`, - ); return defaultCliVersion.enabledVersions[0]; } From 1b5632783cc2c3a7cbe006c984f5584851ab9484 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 6 May 2026 18:32:28 +0100 Subject: [PATCH 5/5] Add changelog note --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b0d604e36..9c32d5ee76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- Added an experimental change which, when analyzing a PR with [improved incremental analysis](https://github.com/github/roadmap/issues/1158) enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis when the latest version does not yet have a cached overlay-base database. We expect to roll this change out to everyone in May. [#3880](https://github.com/github/codeql-action/pull/3880) ## 4.35.3 - 01 May 2026