Merge releases/v2 into releases/v1

.github/update-release-branch.py

@@ -292,7 +292,7 @@ def main():
     conflicted_files = run_git('diff', '--name-only', '--diff-filter', 'U').splitlines()
     if len(conflicted_files) > 0:
       run_git('add', '.')
-    run_git('commit', '--no-edit')
+      run_git('commit', '--no-edit')
 
     # Migrate the package version number from a v2 version number to a v1 version number
     print(f'Setting version number to {version}')

.github/workflows/script/update-required-checks.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Update the required checks based on the current branch.
+# Typically, this will be main.
+
+if [ -z "$GITHUB_TOKEN" ]; then
+  echo "Failed: No GitHub token found. This script requires admin access to `github/codeql-action`."
+  exit 1
+fi
+
+if [ "$#" -eq 1 ]; then
+  # If we were passed an argument, pass it as a query to fzf
+  GITHUB_SHA="$@"
+elif [ "$#" -gt 1 ]; then
+  echo "Usage: $0 [SHA]"
+  echo "Update the required checks based on the SHA, or main."
+elif [ -z "$GITHUB_SHA" ]; then
+  # If we don't have a SHA, use main
+  GITHUB_SHA="$(git rev-parse main)"
+fi
+
+echo "Getting checks for $GITHUB_SHA"
+
+# Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
+CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") | not)] | sort')"
+
+echo "$CHECKS" | jq
+
+echo "{\"contexts\": ${CHECKS}}" > checks.json
+
+for BRANCH in main releases/v2 releases/v1; do
+  echo "Updating $BRANCH"
+  gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
+done
+
+rm checks.json

CHANGELOG.md

@@ -1,5 +1,10 @@
 # CodeQL Action Changelog
 
+## 1.1.10 - 10 May 2022
+
+- Update default CodeQL bundle version to 2.9.5. [#1056](https://github.com/github/codeql-action/pull/1056)
+- When `wait-for-processing` is enabled, the workflow will now fail if there were any errors that occurred during processing of the analysis results.
+
 ## 1.1.9 - 27 Apr 2022
 
 - Add `working-directory` input to the `autobuild` action. [#1024](https://github.com/github/codeql-action/pull/1024)

CONTRIBUTING.md

@@ -80,22 +80,23 @@ Here are a few things you can do that will increase the likelihood of your pull
 
 ## Keeping the PR checks up to date (admin access required)
 
-Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred jobs that need to pass in order for a PR to turn green. Managing these PR checks manually is time consuming and complex. Here is a semi-automated approach.
+Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred jobs that need to pass in order for a PR to turn green. You can regenerate the checks automatically by running the [Update required checks](.github/workflows/update-required-checks.yml) workflow.
 
-To regenerate the PR jobs for the action:
+Or you can use this semi-automated approach:
 
-1. From a terminal, run the following commands (replace `SHA` with the sha of the commit whose checks you want to use, typically this should be the latest from `main`):
+1. In a terminal check out the `SHA` whose checks you want to use as the base. Typically, this will be `main`. 
+2. From a terminal, run the following commands:
 
     ```sh
-    SHA= ####
+    SHA="$(git rev-parse HEAD)"
     CHECKS="$(gh api repos/github/codeql-action/commits/${SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or . == "Update dependencies" or . == "Update Supported Enterprise Server Versions" | not)]')"
     echo "{\"contexts\": ${CHECKS}}" > checks.json
     gh api -X "PATCH" repos/github/codeql-action/branches/main/protection/required_status_checks --input checks.json
     gh api -X "PATCH" repos/github/codeql-action/branches/releases/v2/protection/required_status_checks --input checks.json
     gh api -X "PATCH" repos/github/codeql-action/branches/releases/v1/protection/required_status_checks --input checks.json
     ````
 
-2. Go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules have been updated.
+3. Go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules have been updated.
 
 ## Resources