From 0d16d70d874517fa82d61eb7fbc7f6ccf5ea4c1e Mon Sep 17 00:00:00 2001
From: Aditya Sharad
Date: Wed, 27 Jul 2022 12:31:35 -0700
Subject: [PATCH 1/9] CI: Add path filters to python-deps workflow

No need to run this workflow on all PRs, only those that change the Python dependency installation mechanism.
---
 .github/workflows/python-deps.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/python-deps.yml b/.github/workflows/python-deps.yml
index 28efa81053..ae4f8bc427 100644
--- a/.github/workflows/python-deps.yml
+++ b/.github/workflows/python-deps.yml
@@ -7,6 +7,13 @@ on:
 # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
 # by other workflows.
 types: [opened, synchronize, reopened, ready_for_review]
+ paths:
+ # Changes to this workflow.
+ - '.github/workflows/python-deps.yml'
+ # Changes to the Python package installation scripts and their tests.
+ - 'python-setup/**'
+ # Changes to the default CodeQL bundle version.
+ - '**/defaults.json'
 
 jobs:
 test-setup-python-scripts:

From bf24993f0c23fbdd8dcabc3a8141f3dec5103134 Mon Sep 17 00:00:00 2001
From: Aditya Sharad
Date: Wed, 27 Jul 2022 13:22:10 -0700
Subject: [PATCH 2/9] CI: Add scheduled and manual triggers to python-deps workflow

---
 .github/workflows/python-deps.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/python-deps.yml b/.github/workflows/python-deps.yml
index ae4f8bc427..4a9ecbac0d 100644
--- a/.github/workflows/python-deps.yml
+++ b/.github/workflows/python-deps.yml
@@ -14,6 +14,10 @@ on:
 - 'python-setup/**'
 # Changes to the default CodeQL bundle version.
 - '**/defaults.json'
+ schedule:
+ # Weekly on Monday.
+ - cron: '0 0 * * 1'
+ workflow_dispatch:
 
 jobs:
 test-setup-python-scripts:

From 507d4b7b3181750a270b0130c28e66a4bc6d9402 Mon Sep 17 00:00:00 2001
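Review bot: The `paths:` filter added under `pull_request` in the first hunk means a PR that touches none of the listed paths never produces a run of this workflow at all, so if `test-setup-python-scripts` is configured as a required status check those PRs will wait on a check that never reports; the branch-protection settings are not visible here, so treat this as something to confirm. If the check is required, the usual fix is either to drop the filter and skip the expensive steps with a step-level `if:`, or to keep the filter and add a companion workflow with the same job name and the inverse `paths-ignore:` that always succeeds. The second hunk's weekly `schedule:` trigger only ever runs against the default branch, so it will not exercise the release branches.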
From: "github-actions[bot]"
Date: Thu, 28 Jul 2022 17:47:32 +0000
Subject: [PATCH 3/9] Update changelog and version after v2.1.17

---
 CHANGELOG.md | 4 ++++
 package-lock.json | 4 ++--
 package.json | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e162524bb7..631462b5d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CodeQL Action Changelog
 
+## [UNRELEASED]
+
+No user facing changes.
+
 ## 2.1.17 - 28 Jul 2022
 
 - Update default CodeQL bundle version to 2.10.1. [#1143](https://github.com/github/codeql-action/pull/1143)
diff --git a/package-lock.json b/package-lock.json
index d169a816bb..0ef48a9b02 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "codeql",
- "version": "2.1.17",
+ "version": "2.1.18",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "codeql",
- "version": "2.1.17",
+ "version": "2.1.18",
 "license": "MIT",
 "dependencies": {
 "@actions/artifact": "^1.0.0",
diff --git a/package.json b/package.json
index 80036aad9f..1692493b4c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "codeql",
- "version": "2.1.17",
+ "version": "2.1.18",
 "private": true,
 "description": "CodeQL action",
 "scripts": {

From 351171d4e95d578e03b229f0584e21e938ea130b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 28 Jul 2022 18:39:20 +0000
Subject: [PATCH 4/9] Update checked-in dependencies

---
 node_modules/.package-lock.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json
index eaa33ca13e..0475626e49 100644
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "codeql",
- "version": "2.1.17",
+ "version": "2.1.18",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {

From 992d0116661afe47ed4260002dae42ab05ebe083 Mon Sep 17 00:00:00 2001
From: Aditya Sharad
Date: Thu, 28 Jul 2022 15:36:04 -0700
Subject: [PATCH 5/9] CI: Combine JS lint and JS check jobs

Reduce the number of concurrent jobs. This will require a branch protection rule update, renaming `check-js` to Check JS` and removing `Lint`.
---
 .github/workflows/pr-checks.yml | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index b36fdb8000..a7a754b9e4 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -10,17 +10,8 @@ on:
 workflow_dispatch:
 
 jobs:
- lint-js:
- name: Lint
- runs-on: ubuntu-latest
- timeout-minutes: 45
-
- steps:
- - uses: actions/checkout@v3
- - name: Run Lint
- run: npm run-script lint
-
 check-js:
+ name: Check JS
 runs-on: ubuntu-latest
 timeout-minutes: 45
 
@@ -30,7 +21,11 @@ jobs:
 node-types-version: [12.12, current]
 
 steps:
- - uses: actions/checkout@v3
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Lint
+ run: npm run-script lint
 
 - name: Update version of @types/node
 if: matrix.node-types-version != 'current'

From ceea66834a225250507757c9e09b9716bdac3fb8 Mon Sep 17 00:00:00 2001
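Review bot: The `Lint` step in the second hunk is added inside `check-js`, which is a matrix job (`node-types-version: [12.12, current]` in the context lines), so lint now runs once per matrix leg even though it executes before `Update version of @types/node` and its result cannot depend on the matrix value. Either gate it on a single leg, `if: matrix.node-types-version == 'current'`, or accept the duplicated work knowingly and say so in a comment above the step. The rest of the `check-js` job continues outside the hunk.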
From: Aditya Sharad
Date: Thu, 28 Jul 2022 16:00:41 -0700
Subject: [PATCH 6/9] CI: Move Runner checks into their own workflow

Refactor the PR checks workflow into two workflows: PR checks and Runner checks. This does not change the actual check jobs that are run. It also does not change the expected check names (which rely only on the job name, not the workflow name). This makes it easier to inspect workflow run summaries in the UI and to separately retry subsets of failed jobs in case of flakiness. In future we will clean up the Runner checks, since this is a deprecated component.
---
 .github/workflows/pr-checks.yml | 387 +--------------------------
 .github/workflows/runner-checks.yml | 393 ++++++++++++++++++++++++++++
 2 files changed, 394 insertions(+), 386 deletions(-)
 create mode 100644 .github/workflows/runner-checks.yml

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index a7a754b9e4..fb5b615b1c 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -1,4 +1,4 @@
-name: PR Checks (Basic Checks and Runner)
+name: PR Checks
 
 on:
 push:
@@ -97,388 +97,3 @@ jobs: # we won't be able to find them on Windows. npm config set script-shell bash npm test - - runner-analyze-javascript-ubuntu: - name: Runner ubuntu JS analyze - needs: [check-js, check-node-modules] - timeout-minutes: 45 - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Build runner - run: | - cd runner - npm install - npm run build-runner - - - name: Run init - run: | - # Pass --config-file here, but not for other jobs in this workflow. - # This means we're testing the config file parsing in the runner - # but not slowing down all jobs unnecessarily as it doesn't add much - # testing the parsing on different operating systems and languages. - runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - - - name: Run analyze - run: | - runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - env: - TEST_MODE: true - - runner-analyze-javascript-windows: - name: Runner windows JS analyze - needs: [check-js, check-node-modules] - timeout-minutes: 45 - runs-on: windows-latest - - steps: - - uses: actions/checkout@v3 - - - name: Build runner - run: | - cd runner - npm install - npm run build-runner - - - name: Run init - run: | - runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages javascript --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} - - - name: Run analyze - run: | - runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} - env: - TEST_MODE: true - - runner-analyze-javascript-macos: - name: Runner macos JS analyze - needs: [check-js, check-node-modules] - 
timeout-minutes: 45 - runs-on: macos-latest - - steps: - - uses: actions/checkout@v3 - - - name: Build runner - run: | - cd runner - npm install - npm run build-runner - - - name: Run init - run: | - runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - - - name: Run analyze - run: | - runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - env: - TEST_MODE: true - - runner-analyze-csharp-ubuntu: - name: Runner ubuntu C# analyze - needs: [check-js, check-node-modules] - timeout-minutes: 45 - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Move codeql-action - shell: bash - run: | - mkdir ../action - mv * .github ../action/ - mv ../action/tests/multi-language-repo/{*,.github} . - mv ../action/.github/workflows .github - - - name: Build runner - run: | - cd ../action/runner - npm install - npm run build-runner - - - name: Run init - run: | - ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - - - name: Build code - run: | - . ./codeql-runner/codeql-env.sh - $CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false - - - name: Run analyze - run: | - ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - env: - TEST_MODE: true - - runner-analyze-csharp-windows: - name: Runner windows C# analyze - needs: [check-js, check-node-modules] - # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of - # `windows-latest`. 
- timeout-minutes: 45 - runs-on: windows-2019 - - steps: - - uses: actions/checkout@v3 - - - name: Move codeql-action - shell: bash - run: | - mkdir ../action - mv * .github ../action/ - mv ../action/tests/multi-language-repo/{*,.github} . - mv ../action/.github/workflows .github - - - name: Build runner - run: | - cd ../action/runner - npm install - npm run build-runner - - - name: Run init - run: | - ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} - - - name: Build code - shell: powershell - run: | - cat ./codeql-runner/codeql-env.sh | Invoke-Expression - $Env:CODEQL_EXTRACTOR_CSHARP_ROOT = "" # Unset an environment variable to make sure the tracer resists this - & $Env:CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false - - - name: Upload tracer logs - uses: actions/upload-artifact@v3 - with: - name: tracer-logs - path: ./codeql-runner/compound-build-tracer.log - - - name: Run analyze - run: | - ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} - env: - TEST_MODE: true - - runner-analyze-csharp-macos: - name: Runner macos C# analyze - timeout-minutes: 45 - needs: [check-js, check-node-modules] - runs-on: macos-latest - - steps: - - uses: actions/checkout@v3 - - - name: Move codeql-action - shell: bash - run: | - mkdir ../action - mv * .github ../action/ - mv ../action/tests/multi-language-repo/{*,.github} . - mv ../action/.github/workflows .github - - - name: Build runner - run: | - cd ../action/runner - npm install - npm run build-runner - - - name: Run init - run: | - ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - - - name: Build code - shell: bash - run: | - . 
./codeql-runner/codeql-env.sh - $CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false - - - name: Run analyze - run: | - ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - env: - TEST_MODE: true - - runner-analyze-csharp-autobuild-ubuntu: - name: Runner ubuntu autobuild C# analyze - timeout-minutes: 45 - needs: [check-js, check-node-modules] - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Move codeql-action - shell: bash - run: | - mkdir ../action - mv * .github ../action/ - mv ../action/tests/multi-language-repo/{*,.github} . - mv ../action/.github/workflows .github - - - name: Build runner - run: | - cd ../action/runner - npm install - npm run build-runner - - - name: Run init - run: | - ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - - - name: Build code - run: | - ../action/runner/dist/codeql-runner-linux autobuild - - - name: Run analyze - run: | - ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - env: - TEST_MODE: true - - runner-analyze-csharp-autobuild-windows: - timeout-minutes: 45 - name: Runner windows autobuild C# analyze - needs: [check-js, check-node-modules] - # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of - # `windows-latest`. - runs-on: windows-2019 - - steps: - - uses: actions/checkout@v3 - - - name: Move codeql-action - shell: bash - run: | - mkdir ../action - mv * .github ../action/ - mv ../action/tests/multi-language-repo/{*,.github} . 
- mv ../action/.github/workflows .github - - - name: Build runner - run: | - cd ../action/runner - npm install - npm run build-runner - - - name: Run init - run: | - ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} - - - name: Build code - shell: powershell - run: | - ../action/runner/dist/codeql-runner-win.exe autobuild - - - name: Run analyze - run: | - ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} - env: - TEST_MODE: true - - runner-analyze-csharp-autobuild-macos: - name: Runner macos autobuild C# analyze - needs: [check-js, check-node-modules] - runs-on: macos-latest - timeout-minutes: 45 - - steps: - - uses: actions/checkout@v3 - - - name: Move codeql-action - shell: bash - run: | - mkdir ../action - mv * .github ../action/ - mv ../action/tests/multi-language-repo/{*,.github} . - mv ../action/.github/workflows .github - - - name: Build runner - run: | - cd ../action/runner - npm install - npm run build-runner - - - name: Run init - run: | - ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - - - name: Build code - shell: bash - run: | - . 
codeql-runner/codeql-env.sh - CODEQL_RUNNER="$(cat codeql-runner/codeql-env.json | jq -r '.CODEQL_RUNNER')" - echo "$CODEQL_RUNNER" - $CODEQL_RUNNER ../action/runner/dist/codeql-runner-macos autobuild - - - name: Run analyze - run: | - ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - env: - TEST_MODE: true - - runner-upload-sarif: - name: Runner upload sarif - needs: [check-js, check-node-modules] - runs-on: ubuntu-latest - timeout-minutes: 45 - - if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }} - - steps: - - uses: actions/checkout@v3 - - - name: Build runner - run: | - cd runner - npm install - npm run build-runner - - - name: Upload with runner - run: | - # Deliberately don't use TEST_MODE here. This is specifically testing - # the compatibility with the API. - runner/dist/codeql-runner-linux upload --sarif-file src/testdata/empty-sarif.sarif --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - - runner-extractor-ram-threads-options: - name: Runner ubuntu extractor RAM and threads options - needs: [check-js, check-node-modules] - runs-on: ubuntu-latest - timeout-minutes: 45 - - steps: - - uses: actions/checkout@v3 - - - name: Build runner - run: | - cd runner - npm install - npm run build-runner - - - name: Run init - run: | - runner/dist/codeql-runner-linux init --ram=230 --threads=1 --repository $GITHUB_REPOSITORY --languages java --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} - - - name: Assert Results - shell: bash - run: | - . 
./codeql-runner/codeql-env.sh - if [ "${CODEQL_RAM}" != "230" ]; then - echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230" - exit 1 - fi - if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then - echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230" - exit 1 - fi - if [ "${CODEQL_THREADS}" != "1" ]; then - echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1" - exit 1 - fi - if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then - echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1" - exit 1 - fi diff --git a/.github/workflows/runner-checks.yml b/.github/workflows/runner-checks.yml new file mode 100644 index 0000000000..7fd3cfde8f --- /dev/null +++ b/.github/workflows/runner-checks.yml 
@@ -0,0 +1,393 @@ +name: CodeQL Runner Checks + +on: + push: + branches: [main, releases/v1, releases/v2] + pull_request: + # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened + # by other workflows. + types: [opened, synchronize, reopened, ready_for_review] + workflow_dispatch: + +jobs: + runner-analyze-javascript-ubuntu: + name: Runner ubuntu JS analyze + + timeout-minutes: 45 + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Build runner + run: | + cd runner + npm install + npm run build-runner + + - name: Run init + run: | + # Pass --config-file here, but not for other jobs in this workflow. + # This means we're testing the config file parsing in the runner + # but not slowing down all jobs unnecessarily as it doesn't add much + # testing the parsing on different operating systems and languages. + runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + + - name: Run analyze + run: | + runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + env: + TEST_MODE: true + + runner-analyze-javascript-windows: + name: Runner windows JS analyze + timeout-minutes: 45 + runs-on: windows-latest + + steps: + - uses: actions/checkout@v3 + + - name: Build runner + run: | + cd runner + npm install + npm run build-runner + + - name: Run init + run: | + runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages javascript --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} + + - name: Run analyze + run: | + runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ 
github.token }} + env: + TEST_MODE: true + + runner-analyze-javascript-macos: + name: Runner macos JS analyze + timeout-minutes: 45 + runs-on: macos-latest + + steps: + - uses: actions/checkout@v3 + + - name: Build runner + run: | + cd runner + npm install + npm run build-runner + + - name: Run init + run: | + runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages javascript --config-file ./.github/codeql/codeql-config.yml --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + + - name: Run analyze + run: | + runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + env: + TEST_MODE: true + + runner-analyze-csharp-ubuntu: + name: Runner ubuntu C# analyze + timeout-minutes: 45 + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Move codeql-action + shell: bash + run: | + mkdir ../action + mv * .github ../action/ + mv ../action/tests/multi-language-repo/{*,.github} . + mv ../action/.github/workflows .github + + - name: Build runner + run: | + cd ../action/runner + npm install + npm run build-runner + + - name: Run init + run: | + ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + + - name: Build code + run: | + . ./codeql-runner/codeql-env.sh + $CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false + + - name: Run analyze + run: | + ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + env: + TEST_MODE: true + + runner-analyze-csharp-windows: + name: Runner windows C# analyze + + # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of + # `windows-latest`. 
+ timeout-minutes: 45 + runs-on: windows-2019 + + steps: + - uses: actions/checkout@v3 + + - name: Move codeql-action + shell: bash + run: | + mkdir ../action + mv * .github ../action/ + mv ../action/tests/multi-language-repo/{*,.github} . + mv ../action/.github/workflows .github + + - name: Build runner + run: | + cd ../action/runner + npm install + npm run build-runner + + - name: Run init + run: | + ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} + + - name: Build code + shell: powershell + run: | + cat ./codeql-runner/codeql-env.sh | Invoke-Expression + $Env:CODEQL_EXTRACTOR_CSHARP_ROOT = "" # Unset an environment variable to make sure the tracer resists this + & $Env:CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false + + - name: Upload tracer logs + uses: actions/upload-artifact@v3 + with: + name: tracer-logs + path: ./codeql-runner/compound-build-tracer.log + + - name: Run analyze + run: | + ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} + env: + TEST_MODE: true + + runner-analyze-csharp-macos: + name: Runner macos C# analyze + timeout-minutes: 45 + + runs-on: macos-latest + + steps: + - uses: actions/checkout@v3 + + - name: Move codeql-action + shell: bash + run: | + mkdir ../action + mv * .github ../action/ + mv ../action/tests/multi-language-repo/{*,.github} . + mv ../action/.github/workflows .github + + - name: Build runner + run: | + cd ../action/runner + npm install + npm run build-runner + + - name: Run init + run: | + ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + + - name: Build code + shell: bash + run: | + . 
./codeql-runner/codeql-env.sh + $CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false + + - name: Run analyze + run: | + ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + env: + TEST_MODE: true + + runner-analyze-csharp-autobuild-ubuntu: + name: Runner ubuntu autobuild C# analyze + timeout-minutes: 45 + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Move codeql-action + shell: bash + run: | + mkdir ../action + mv * .github ../action/ + mv ../action/tests/multi-language-repo/{*,.github} . + mv ../action/.github/workflows .github + + - name: Build runner + run: | + cd ../action/runner + npm install + npm run build-runner + + - name: Run init + run: | + ../action/runner/dist/codeql-runner-linux init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + + - name: Build code + run: | + ../action/runner/dist/codeql-runner-linux autobuild + + - name: Run analyze + run: | + ../action/runner/dist/codeql-runner-linux analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + env: + TEST_MODE: true + + runner-analyze-csharp-autobuild-windows: + timeout-minutes: 45 + name: Runner windows autobuild C# analyze + + # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of + # `windows-latest`. + runs-on: windows-2019 + + steps: + - uses: actions/checkout@v3 + + - name: Move codeql-action + shell: bash + run: | + mkdir ../action + mv * .github ../action/ + mv ../action/tests/multi-language-repo/{*,.github} . 
+ mv ../action/.github/workflows .github + + - name: Build runner + run: | + cd ../action/runner + npm install + npm run build-runner + + - name: Run init + run: | + ../action/runner/dist/codeql-runner-win.exe init --repository $Env:GITHUB_REPOSITORY --languages csharp --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} + + - name: Build code + shell: powershell + run: | + ../action/runner/dist/codeql-runner-win.exe autobuild + + - name: Run analyze + run: | + ../action/runner/dist/codeql-runner-win.exe analyze --repository $Env:GITHUB_REPOSITORY --commit $Env:GITHUB_SHA --ref $Env:GITHUB_REF --github-url $Env:GITHUB_SERVER_URL --github-auth ${{ github.token }} + env: + TEST_MODE: true + + runner-analyze-csharp-autobuild-macos: + name: Runner macos autobuild C# analyze + + runs-on: macos-latest + timeout-minutes: 45 + + steps: + - uses: actions/checkout@v3 + + - name: Move codeql-action + shell: bash + run: | + mkdir ../action + mv * .github ../action/ + mv ../action/tests/multi-language-repo/{*,.github} . + mv ../action/.github/workflows .github + + - name: Build runner + run: | + cd ../action/runner + npm install + npm run build-runner + + - name: Run init + run: | + ../action/runner/dist/codeql-runner-macos init --repository $GITHUB_REPOSITORY --languages csharp --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + + - name: Build code + shell: bash + run: | + . 
codeql-runner/codeql-env.sh + CODEQL_RUNNER="$(cat codeql-runner/codeql-env.json | jq -r '.CODEQL_RUNNER')" + echo "$CODEQL_RUNNER" + $CODEQL_RUNNER ../action/runner/dist/codeql-runner-macos autobuild + + - name: Run analyze + run: | + ../action/runner/dist/codeql-runner-macos analyze --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + env: + TEST_MODE: true + + runner-upload-sarif: + name: Runner upload sarif + + runs-on: ubuntu-latest + timeout-minutes: 45 + + if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }} + + steps: + - uses: actions/checkout@v3 + + - name: Build runner + run: | + cd runner + npm install + npm run build-runner + + - name: Upload with runner + run: | + # Deliberately don't use TEST_MODE here. This is specifically testing + # the compatibility with the API. + runner/dist/codeql-runner-linux upload --sarif-file src/testdata/empty-sarif.sarif --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + + runner-extractor-ram-threads-options: + name: Runner ubuntu extractor RAM and threads options + + runs-on: ubuntu-latest + timeout-minutes: 45 + + steps: + - uses: actions/checkout@v3 + + - name: Build runner + run: | + cd runner + npm install + npm run build-runner + + - name: Run init + run: | + runner/dist/codeql-runner-linux init --ram=230 --threads=1 --repository $GITHUB_REPOSITORY --languages java --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }} + + - name: Assert Results + shell: bash + run: | + . 
./codeql-runner/codeql-env.sh + if [ "${CODEQL_RAM}" != "230" ]; then + echo "CODEQL_RAM is '${CODEQL_RAM}' instead of 230" + exit 1 + fi + if [ "${CODEQL_EXTRACTOR_JAVA_RAM}" != "230" ]; then + echo "CODEQL_EXTRACTOR_JAVA_RAM is '${CODEQL_EXTRACTOR_JAVA_RAM}' instead of 230" + exit 1 + fi + if [ "${CODEQL_THREADS}" != "1" ]; then + echo "CODEQL_THREADS is '${CODEQL_THREADS}' instead of 1" + exit 1 + fi + if [ "${CODEQL_EXTRACTOR_JAVA_THREADS}" != "1" ]; then + echo "CODEQL_EXTRACTOR_JAVA_THREADS is '${CODEQL_EXTRACTOR_JAVA_THREADS}' instead of 1" + exit 1 + fi From 2f739fcd04dfc437bd6ebafae18ff748981ac7fc Mon Sep 17 00:00:00 2001 From: Aditya Sharad Date: Thu, 28 Jul 2022 17:02:52 -0700 Subject: [PATCH 7/9] CI: Combine verify-pr-checks and check-for-conflicts jobs Reduce the number of concurrent jobs by 1. Run these checks in succession instead, as the `check-file-contents` job in the PR checks workflow. --- .github/workflows/check-for-conflicts.yml | 31 ----------------------- .github/workflows/pr-checks.yml | 28 +++++++++++++++++--- 2 files changed, 25 insertions(+), 34 deletions(-) delete mode 100644 .github/workflows/check-for-conflicts.yml diff --git a/.github/workflows/check-for-conflicts.yml b/.github/workflows/check-for-conflicts.yml deleted file mode 100644 index fe96d9ac3b..0000000000 --- a/.github/workflows/check-for-conflicts.yml +++ /dev/null 
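Review bot: Every `init`, `analyze` and `upload` step in the new `runner-checks.yml` passes the job token on the command line as `--github-auth ${{ github.token }}`; GitHub masks the value in the job log, but a token in argv is visible to any other process on the runner and to anything that records its own command line, so moving the jobs verbatim carries that weak pattern into the new file. If the runner built from `runner/` still accepts the token on standard input (it had a `--github-auth-stdin` option; worth confirming against the current source), exposing the token to the step through `env:` and piping it into that option is the safer form. Two smaller points: removing the `needs: [check-js, check-node-modules]` lines left a stray empty line between `name:` and `timeout-minutes:` in `runner-analyze-javascript-ubuntu` and the other jobs that had it, and the runner jobs now start without waiting for the basic checks, which the commit message should state since it changes when runner minutes are spent.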
@@ -1,31 +0,0 @@
-# Checks for any conflict markers created by git. This check is primarily intended to validate that
-# any merge conflicts in the v2 -> v1 backport PR are fixed before the PR is merged.
-name: Check for conflicts
-
-on:
- pull_request:
- branches: [main, releases/v1, releases/v2]
- # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
- # by other workflows.
- types: [opened, synchronize, reopened, ready_for_review]
-
-jobs:
- check-for-conflicts:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
-
- - name: Check for conflicts
- run: |
- # Use `|| true` since grep returns exit code 1 if there are no matches, and we don't want
- # this to fail the workflow.
- FILES_WITH_CONFLICTS=$(grep --extended-regexp --ignore-case --line-number --recursive \
- '^(<<<<<<<|>>>>>>>)' . || true)
- if [[ "${FILES_WITH_CONFLICTS}" ]]; then
- echo "Fail: Found merge conflict markers in the following files:"
- echo ""
- echo "${FILES_WITH_CONFLICTS}"
- exit 1
- else
- echo "Success: Found no merge conflict markers."
- fi
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index fb5b615b1c..a97ef1d405 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -62,21 +62,43 @@ jobs:
 - name: Check node modules up to date
 run: .github/workflows/script/check-node-modules.sh
 
- verify-pr-checks:
- name: Verify PR checks up to date
+ check-file-contents:
+ name: Check file contents
 runs-on: ubuntu-latest
 timeout-minutes: 45
 
 steps:
- - uses: actions/checkout@v3
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # Checks for any conflict markers created by git. This check is primarily intended to validate that
+ # any merge conflicts in the v2 -> v1 backport PR are fixed before the PR is merged.
+ - name: Check for merge conflicts
+ run: |
+ # Use `|| true` since grep returns exit code 1 if there are no matches, and we don't want
+ # this to fail the workflow.
+ FILES_WITH_CONFLICTS=$(grep --extended-regexp --ignore-case --line-number --recursive \
+ '^(<<<<<<<|>>>>>>>)' . || true)
+ if [[ "${FILES_WITH_CONFLICTS}" ]]; then
+ echo "Fail: Found merge conflict markers in the following files:"
+ echo ""
+ echo "${FILES_WITH_CONFLICTS}"
+ exit 1
+ else
+ echo "Success: Found no merge conflict markers."
+ fi
+
 - name: Set up Python
 uses: actions/setup-python@v3
 with:
 python-version: 3.8
+
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
 pip install ruamel.yaml
+
+ # Ensure the generated PR check workflows are up to date.
 - name: Verify PR checks up to date
 run: .github/workflows/script/verify-pr-checks.sh
 

From a5def177685b5df2521a294f76bb15184554dc93 Mon Sep 17 00:00:00 2001
From: Chuan-kai Lin
Date: Thu, 28 Jul 2022 13:16:21 -0700
Subject: [PATCH 8/9] Update default CodeQL version to 2.10.2

---
 CHANGELOG.md | 2 +-
 lib/defaults.json | 2 +-
 src/defaults.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 631462b5d8..cfcb703a17 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
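Review bot: Folding `check-for-conflicts` into the renamed `check-file-contents` job changes the set of check names the repository reports: `verify-pr-checks` and `check-for-conflicts` disappear and `Check file contents` appears, so any branch-protection rule that required the old names has to be updated, and unlike patch 5 the commit message does not say so. The scope of the conflict scan also changes: the deleted workflow ran only for `pull_request` on `main`/`releases/v1`/`releases/v2`, whereas `pr-checks.yml` also triggers on `push` (see the `on: push:` context in patch 6), so the grep will now run on push events too, which is probably harmless but worth stating. Because the grep recurses from `.`, it also walks `.git/` and the checked-in `node_modules/`; adding `--exclude-dir=.git` to the `grep` line would keep git internals from producing a false positive should one of them contain a line beginning with `<<<<<<<`.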
@@ -2,7 +2,7 @@
 
 ## [UNRELEASED]
 
-No user facing changes.
+- Update default CodeQL bundle version to 2.10.2. [#1156](https://github.com/github/codeql-action/pull/1156)
 
 ## 2.1.17 - 28 Jul 2022
 
diff --git a/lib/defaults.json b/lib/defaults.json
index 2dd1a86cf7..13c30cf139 100644
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,3 +1,3 @@
 {
- "bundleVersion": "codeql-bundle-20220714"
+ "bundleVersion": "codeql-bundle-20220728"
 }
diff --git a/src/defaults.json b/src/defaults.json
index 69211563e0..b04119e141 100644
--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,3 +1,3 @@
 {
- "bundleVersion": "codeql-bundle-20220714"
+ "bundleVersion": "codeql-bundle-20220728"
 }

From 9dc4e8a2c774fc10b9399511a3c07cff071ef6dd Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 3 Aug 2022 16:37:42 +0000
Subject: [PATCH 9/9] Update changelog for v2.1.18

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cfcb703a17..3e44bf12a2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # CodeQL Action Changelog
 
-## [UNRELEASED]
+## 2.1.18 - 03 Aug 2022
 
 - Update default CodeQL bundle version to 2.10.2. [#1156](https://github.com/github/codeql-action/pull/1156)
 