Merge remote-tracking branch 'upstream/main' into next

Author: jketema

.github/actions/check-permissions/action.yml

@@ -0,0 +1,49 @@
+name: Check current actor permissions
+description: |
+  Checks whether the current actor has the specified permssions
+inputs:
+  minimum-permission:
+    description: |
+      The minimum required permission. One of: read, write, admin
+    required: true
+outputs:
+  has-permission:
+    description: "Whether the actor had the minimum required permission"
+    value: ${{ steps.check-permission.outputs.has-permission }}
+
+runs:
+  using: composite
+  steps:
+  - uses: actions/github-script@v7
+    id: check-permission
+    env:
+      INPUT_MINIMUM-PERMISSION: ${{ inputs.minimum-permission }}
+    with:
+      script: |
+        // Valid permissions are none, read, write, admin (legacy base permissions)
+        const permissionsRanking = ["none", "read", "write", "admin"];
+
+        // Note: core.getInput doesn't work by default in a composite action - in this case
+        //       it would try to fetch the input to the github-script instead of the action
+        //       itself. Instead, we set the appropriate magic env var with the actions input.
+        //       See: https://github.com/actions/runner/issues/665
+        const minimumPermission = core.getInput('minimum-permission');
+        if (!permissionsRanking.includes(minimumPermission)) {
+          core.setFailed(`Invalid minimum permission: ${minimumPermission}`);
+          return;
+        }
+
+        const { data : { permission : actorPermission } } = await github.rest.repos.getCollaboratorPermissionLevel({
+          owner: context.repo.owner,
+          repo: context.repo.repo,
+          username: context.actor
+        });
+
+        // Confirm whether the actor permission is at least the selected permission
+        const hasPermission = permissionsRanking.indexOf(minimumPermission) <= permissionsRanking.indexOf(actorPermission) ? "1" : "";
+        core.setOutput('has-permission', hasPermission);
+        if (!hasPermission) {
+          core.info(`Current actor (${context.actor}) does not have the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+        } else {
+          core.info(`Current actor (${context.actor}) has the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+        }

.github/workflows/code-scanning-pack-gen.yml

@@ -106,7 +106,7 @@ jobs:
           zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/schemas
 
       - name: Upload GHAS Query Pack
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: code-scanning-cpp-query-pack.zip
           path: code-scanning-cpp-query-pack.zip

.github/workflows/codeql_unit_tests.yml

@@ -151,7 +151,7 @@ jobs:
               file.close()
 
       - name: Upload test results
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.language }}-test-results-${{ runner.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library_ident }}
           path: |
@@ -160,11 +160,18 @@ jobs:
 
   validate-test-results:
     name: Validate test results
+    if: ${{ always() }}
     needs: run-test-suites
     runs-on: ubuntu-22.04
     steps:
+      - name: Check if run-test-suites job failed to complete, if so fail
+        if: ${{ needs.run-test-suites.result == 'failure' }}
+        uses: actions/github-script@v3
+        with:
+          script: |
+            core.setFailed('Test run job failed')
       - name: Collect test results
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
 
       - name: Validate test results
         run: |

.github/workflows/dispatch-matrix-check.yml

@@ -3,39 +3,45 @@ name: 🤖 Run Matrix Check (On Comment)
 on:
   issue_comment:
     types: [created]
-    branches:
-      - main
-      - "rc/**"
-      - next
 
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
-
-          $actor = "${{github.actor}}"
-
-          $acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill") 
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-          if(-not ($actor -in $acl)){
-            throw "Refusing to run workflow for user not in acl."
-          }
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
-      - name: Dispatch Matrix Testing Job
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
-        uses: peter-evans/repository-dispatch@v2
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
         with:
-          token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
-          repository: github/codeql-coding-standards-release-engineering
-          event-type: matrix-test
-          client-payload: '{"pr": "${{ github.event.issue.number }}"}'
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "codeql-coding-standards-release-engineering"
+
+      - name: Invoke matrix testing job
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
+        env:
+          ISSUE_NR: ${{ github.event.issue.number }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          jq -n \
+          --arg issue_nr "$ISSUE_NR" \
+          '{"issue-nr": $issue_nr}' \
+          | \
+          gh workflow run pr-compiler-validation.yml \
+          --json \
+            -R github/codeql-coding-standards-release-engineering
 
       - uses: actions/github-script@v6
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
             github.rest.issues.createComment({

.github/workflows/dispatch-matrix-test-on-comment.yml

@@ -3,39 +3,45 @@ name: 🏁 Run Release Performance Check
 on:
   issue_comment:
     types: [created]
-    branches:
-      - main
-      - "rc/**"
-      - next
 
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
-
-          $actor = "${{github.actor}}"
-
-          $acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill") 
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-          if(-not ($actor -in $acl)){
-            throw "Refusing to run workflow for user not in acl."
-          }
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
-      - name: Dispatch Performance Testing Job
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
-        uses: peter-evans/repository-dispatch@v2
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
         with:
-          token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
-          repository: github/codeql-coding-standards-release-engineering
-          event-type: performance-test
-          client-payload: '{"pr": "${{ github.event.issue.number }}"}'
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "codeql-coding-standards-release-engineering"
+
+      - name: Invoke performance test
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
+        env:
+          ISSUE_NR: ${{ github.event.issue.number }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          jq -n \
+          --arg issue_nr "$ISSUE_NR" \
+          '{"issue-nr": $issue_nr}' \
+          | \
+          gh workflow run pr-performance-testing.yml \
+          --json \
+          -R github/codeql-coding-standards-release-engineering
 
       - uses: actions/github-script@v6
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
             github.rest.issues.createComment({

.github/workflows/dispatch-release-performance-check.yml

@@ -103,7 +103,7 @@ jobs:
       - name: Generate token
         if: env.HOTFIX_RELEASE == 'false'
         id: generate-token
-        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        uses: actions/create-github-app-token@v1
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

.github/workflows/finalize-release.yml

@@ -35,7 +35,7 @@ jobs:
           python scripts/documentation/generate_iso26262_docs.py coding-standards-html-docs
 
       - name: Upload HTML documentation
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: coding-standards-docs-${{ github.sha }}
           path: coding-standards-html-docs/

.github/workflows/generate-html-docs.yml

@@ -143,7 +143,7 @@ jobs:
 
       - name: Generate token
         id: generate-token
-        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        uses: actions/create-github-app-token@v1
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

.github/workflows/prepare-release.yml

@@ -143,7 +143,7 @@ jobs:
               }, test_summary_file)
 
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-${{runner.os}}-${{matrix.codeql_cli}}-${{matrix.codeql_standard_library_ident}}
           path: |
@@ -162,7 +162,7 @@ jobs:
           python-version: "3.9"
 
       - name: Collect test results
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
 
       - name: Validate test results
         shell: python

.github/workflows/standard_library_upgrade_tests.yml

@@ -43,7 +43,7 @@ jobs:
 
       - name: Generate token
         id: generate-token
-        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        uses: actions/create-github-app-token@v1
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

.github/workflows/update-release.yml

@@ -18,10 +18,20 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+
+      - name: Fetch CodeQL
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          RUNNER_TEMP: ${{ runner.temp }}
+        run: |
+          cd $RUNNER_TEMP
+          gh release download "v${CODEQL_CLI_VERSION}" --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip
+          unzip -q codeql-linux64.zip
+          echo "$RUNNER_TEMP/codeql/" >> $GITHUB_PATH
 
       - name: Install Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.9"
 
@@ -35,27 +45,27 @@ jobs:
         run: |
           python3 scripts/upgrade-codeql-dependencies/upgrade-codeql-dependencies.py --cli-version "$CODEQL_CLI_VERSION"
 
-      - name: Fetch CodeQL
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          RUNNER_TEMP: ${{ runner.temp }}
-        run: |
-          cd $RUNNER_TEMP
-          gh release download "v${CODEQL_CLI_VERSION}" --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip
-          unzip -q codeql-linux64.zip
-
       - name: Update CodeQL formatting based on new CLI version
         env:
           RUNNER_TEMP: ${{ runner.temp }}
         run: |
-          find cpp \( -name '*.ql' -or -name '*.qll' \) -print0 | xargs -0 --max-procs "$XARGS_MAX_PROCS" $RUNNER_TEMP/codeql/codeql query format --in-place
-          find c \( -name '*.ql' -or -name '*.qll' \) -print0 | xargs -0 --max-procs "$XARGS_MAX_PROCS" $RUNNER_TEMP/codeql/codeql query format --in-place
+          find cpp \( -name '*.ql' -or -name '*.qll' \) -print0 | xargs -0 --max-procs "$XARGS_MAX_PROCS" codeql query format --in-place
+          find c \( -name '*.ql' -or -name '*.qll' \) -print0 | xargs -0 --max-procs "$XARGS_MAX_PROCS" codeql query format --in-place
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
-          title: "Upgrading `github/codeql` dependency to ${{ github.event.inputs.codeql_cli_version }}"
-          body: "This PR upgrades the CodeQL CLI version to ${{ github.event.inputs.codeql_cli_version }}."
+          title: "Upgrade `github/codeql` dependency to ${{ github.event.inputs.codeql_cli_version }}"
+          body: |
+            This PR upgrades the CodeQL CLI version to ${{ github.event.inputs.codeql_cli_version }}.
+
+            ## CodeQL dependency upgrade checklist:
+
+            - [ ] Confirm the code has been correctly reformatted according to the new CodeQL CLI.
+            - [ ] Identify any CodeQL compiler warnings and errors, and update queries as required.
+            - [ ] Validate that the `github/codeql` test cases succeed.
+            - [ ] Address any CodeQL test failures in the `github/codeql-coding-standards` repository.
+            - [ ] Validate performance vs pre-upgrade, using /test-performance
           commit-message: "Upgrading `github/codeql` dependency to ${{ github.event.inputs.codeql_cli_version }}"
           delete-branch: true
           branch: "codeql/upgrade-to-${{ github.event.inputs.codeql_cli_version }}"

.github/workflows/upgrade_codeql_dependencies.yml

@@ -56,4 +56,10 @@ jobs:
           find rule_packages/$LANGUAGE -name \*.json -exec basename {} .json \; | xargs python scripts/generate_rules/generate_package_files.py $LANGUAGE
           git diff
           git diff --compact-summary
-          git diff --quiet
+          git diff --quiet
+
+      - name: Validate Amendments
+        env:
+          LANGUAGE: ${{ matrix.language }}
+        run: |
+          python scripts/validate-amendments-csv.py $LANGUAGE