Merge main into v1

.github/workflows/check-expected-release-files.yml

@@ -20,6 +20,6 @@ jobs:
         run: |
           bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
           set -x
-          for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz" "codeql-runner-linux" "codeql-runner-macos" "codeql-runner-win.exe"; do
+          for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz"; do
             curl --location --fail --head --request GET "https://github.com/github/codeql-action/releases/download/$bundle_version/$expected_file" > /dev/null
           done

.github/workflows/pr-checks.yml

@@ -13,6 +13,7 @@ jobs:
   lint-js:
     name: Lint
     runs-on: ubuntu-latest
+    timeout-minutes: 30
 
     steps:
       - uses: actions/checkout@v2
@@ -21,6 +22,7 @@ jobs:
 
   check-js:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
 
     steps:
       - uses: actions/checkout@v2
@@ -30,6 +32,7 @@ jobs:
   check-node-modules:
     name: Check modules up to date
     runs-on: macos-latest
+    timeout-minutes: 30
 
     steps:
       - uses: actions/checkout@v2
@@ -39,6 +42,7 @@ jobs:
   verify-pr-checks:
     name: Verify PR checks up to date
     runs-on: ubuntu-latest
+    timeout-minutes: 30
 
     steps:
       - uses: actions/checkout@v2
@@ -60,6 +64,7 @@ jobs:
       matrix:
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
+    timeout-minutes: 30
 
     steps:
       - uses: actions/checkout@v2
@@ -69,6 +74,7 @@ jobs:
   runner-analyze-javascript-ubuntu:
     name: Runner ubuntu JS analyze
     needs: [check-js, check-node-modules]
+    timeout-minutes: 30
     runs-on: ubuntu-latest
 
     steps:
@@ -97,6 +103,7 @@ jobs:
   runner-analyze-javascript-windows:
     name: Runner windows JS analyze
     needs: [check-js, check-node-modules]
+    timeout-minutes: 30
     runs-on: windows-latest
 
     steps:
@@ -121,6 +128,7 @@ jobs:
   runner-analyze-javascript-macos:
     name: Runner macos JS analyze
     needs: [check-js, check-node-modules]
+    timeout-minutes: 30
     runs-on: macos-latest
 
     steps:
@@ -145,6 +153,7 @@ jobs:
   runner-analyze-csharp-ubuntu:
     name: Runner ubuntu C# analyze
     needs: [check-js, check-node-modules]
+    timeout-minutes: 30
     runs-on: ubuntu-latest
 
     steps:
@@ -184,6 +193,7 @@ jobs:
     needs: [check-js, check-node-modules]
     # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
     # `windows-latest`.
+    timeout-minutes: 30
     runs-on: windows-2019
 
     steps:
@@ -228,6 +238,7 @@ jobs:
 
   runner-analyze-csharp-macos:
     name: Runner macos C# analyze
+    timeout-minutes: 30
     needs: [check-js, check-node-modules]
     runs-on: macos-latest
 
@@ -266,6 +277,7 @@ jobs:
 
   runner-analyze-csharp-autobuild-ubuntu:
     name: Runner ubuntu autobuild C# analyze
+    timeout-minutes: 30
     needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
@@ -301,6 +313,7 @@ jobs:
           TEST_MODE: true
 
   runner-analyze-csharp-autobuild-windows:
+    timeout-minutes: 30
     name: Runner windows autobuild C# analyze
     needs: [check-js, check-node-modules]
     # Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
@@ -343,6 +356,7 @@ jobs:
     name: Runner macos autobuild C# analyze
     needs: [check-js, check-node-modules]
     runs-on: macos-latest
+    timeout-minutes: 30
 
     steps:
       - uses: actions/checkout@v2
@@ -380,6 +394,7 @@ jobs:
     name: Runner upload sarif
     needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
+    timeout-minutes: 30
 
     if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
 
@@ -402,6 +417,7 @@ jobs:
     name: Runner ubuntu extractor RAM and threads options
     needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
+    timeout-minutes: 30
 
     steps:
       - uses: actions/checkout@v2

.github/workflows/python-deps.yml

@@ -10,6 +10,7 @@ on:
 
 jobs:
   test-setup-python-scripts:
+    timeout-minutes: 30
     runs-on: ${{ matrix.os }}
     strategy:
         fail-fast: false

.github/workflows/release-runner.yml

@@ -9,6 +9,7 @@ on:
 
 jobs:
   release-runner:
+    timeout-minutes: 30
     runs-on: ubuntu-latest
     env:
       RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"

.github/workflows/split.yml

@@ -26,6 +26,7 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     env:
       CLI_RELEASE: "${{ github.event.inputs.cli-release }}"
       RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"

.github/workflows/update-dependencies.yml

@@ -6,6 +6,7 @@ on:
 jobs:
   update:
     name: Update dependencies
+    timeout-minutes: 30
     runs-on: macos-latest
     if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
     steps:

.github/workflows/update-release-branch.yml

@@ -9,6 +9,7 @@ on:
 
 jobs:
   update:
+    timeout-minutes: 30
     runs-on: ubuntu-latest
     if: ${{ github.repository == 'github/codeql-action' }}
     steps:

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -6,6 +6,8 @@ on:
 
 jobs:
   update-supported-enterprise-server-versions:
+    name: Update Supported Enterprise Server Versions
+    timeout-minutes: 30
     runs-on: ubuntu-latest
     if: ${{ github.repository == 'github/codeql-action' }}
 

CHANGELOG.md

@@ -1,4 +1,12 @@
-# CodeQL Action and CodeQL Runner Changelog
+# CodeQL Action Changelog
+
+## 1.1.5 - 15 Mar 2022
+
+- Update default CodeQL bundle version to 2.8.3.
+- The CodeQL runner is now deprecated and no longer being released. For more information, see [CodeQL runner deprecation](https://github.blog/changelog/2021-09-21-codeql-runner-deprecation/).
+- Fix two bugs that cause action failures with GHES 3.3 or earlier. [#978](https://github.com/github/codeql-action/pull/978)
+  - Fix `not a permitted key` invalid requests with GHES 3.1 or earlier
+  - Fix `RUNNER_ARCH environment variable must be set` errors with GHES 3.3 or earlier
 
 ## 1.1.4 - 07 Mar 2022
 

CONTRIBUTING.md

@@ -63,7 +63,7 @@ Here are a few things you can do that will increase the likelihood of your pull
 1. The first step of releasing a new version of the `codeql-action` is running the "Update release branch" workflow.
     This workflow goes through the pull requests that have been merged to `main` since the last release, creates a changelog, then opens a pull request to merge the changes since the last release into the `v1` release branch.
 
-    A release is automatically started every Monday via a scheduled run of this workflow, however you can start a release manually by triggering a run via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml). 
+    A release is automatically started every Monday via a scheduled run of this workflow, however you can start a release manually by triggering a run via [workflow dispatch](https://github.com/github/codeql-action/actions/workflows/update-release-branch.yml).
 1. The workflow run will open a pull request titled "Merge main into v1". Mark the pull request as [ready for review](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review) to trigger the PR checks.
 1. Review the checklist items in the pull request description.
     Once you've checked off all but the last of these, approve the PR and automerge it.
@@ -72,6 +72,25 @@ Here are a few things you can do that will increase the likelihood of your pull
 
     Approve the mergeback PR and automerge it. Once the mergeback has been merged into main, the release is complete.
 
+## Keeping the PR checks up to date (admin access required)
+
+Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred jobs that need to pass in order for a PR to turn green. Managing these PR checks manually is time consuming and complex. Here is a semi-automated approach.
+
+To regenerate the PR jobs for the action:
+
+1. From a terminal, run the following commands (replace `SHA` with the sha of the commit whose checks you want to use, typically this should be the latest from `main`):
+
+    ```sh
+    SHA= ####
+    CHECKS="$(gh api repos/github/codeql-action/commits/${SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or . == "Update dependencies" or . == "Update Supported Enterprise Server Versions" | not)]')"
+    echo "{\"contexts\": ${CHECKS}}" > checks.json
+    gh api -X "PATCH" repos/github/codeql-action/branches/main/protection/required_status_checks --input checks.json
+    gh api -X "PATCH" repos/github/codeql-action/branches/v1/protection/required_status_checks --input checks.json
+    ````
+
+2. Go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules have been updated.
+
+
 ## Resources
 
 - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)