Merge remote-tracking branch 'origin/main' into dbartol/actions-analysis

.github/workflows/pr-checks.yml

@@ -13,6 +13,9 @@ jobs:
     name: Check JS
     runs-on: ubuntu-latest
     timeout-minutes: 45
+    permissions:
+      contents: read
+      security-events: write
 
     strategy:
       fail-fast: false

.github/workflows/publish-immutable-action.yml

@@ -0,0 +1,35 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Check release name
+        id: check
+        env:
+          RELEASE_NAME: ${{ github.event.release.name }}
+        run: |
+          echo "Release name: ${{ github.event.release.name }}"
+          if [[ $RELEASE_NAME == v* ]]; then
+            echo "This is a CodeQL Action release. Create an Immutable Action"
+            echo "is-action-release=true" >> $GITHUB_OUTPUT
+          else
+            echo "This is a CodeQL Bundle release. Do not create an Immutable Action"
+            echo "is-action-release=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Checking out
+        if: steps.check.outputs.is-action-release == 'true'
+        uses: actions/checkout@v4
+      - name: Publish
+        if: steps.check.outputs.is-action-release == 'true'
+        id: publish
+        uses: actions/publish-immutable-action@0.0.3

.github/workflows/script/update-required-checks.sh

@@ -27,8 +27,8 @@ fi
 
 echo "Getting checks for $GITHUB_SHA"
 
-# Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+# Ignore any checks with "https://", CodeQL, LGTM, Update, and ESLint checks.
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("ESLint") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 

CHANGELOG.md

@@ -6,7 +6,13 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the
 
 ## [UNRELEASED]
 
+No user facing changes.
+
+## 3.27.0 - 22 Oct 2024
+
 - Bump the minimum CodeQL bundle version to 2.14.6. [#2549](https://github.com/github/codeql-action/pull/2549)
+- Fix an issue where the `upload-sarif` Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the `upload-sarif` Action. [#2557](https://github.com/github/codeql-action/pull/2557)
+- Update default CodeQL bundle version to 2.19.2. [#2552](https://github.com/github/codeql-action/pull/2552)
 
 ## 3.26.13 - 14 Oct 2024
 
@@ -22,11 +28,11 @@ No user facing changes.
 
 ## 3.26.11 - 03 Oct 2024
 
-- _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts. 
+- _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.
 
   Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped to `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.
-  
-  This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES. 
+
+  This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
 - Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)
 
 ## 3.26.10 - 30 Sep 2024

action.yml

@@ -0,0 +1,11 @@
+name: 'CodeQL: Stub'
+description: "Stub: Don't use this action directly. Read [the documentation](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) instead."
+author: 'GitHub'
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Stub'
+      run: |
+        echo 'This is a stub. Read [the documentation](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) instead.'
+        exit 1
+      shell: bash

init/action.yml

@@ -136,6 +136,10 @@ inputs:
     description: >-
       Explicitly enable or disable TRAP caching rather than respecting the feature flag for it.
     required: false
+  dependency-caching:
+    description: >-
+      Explicitly enable or disable caching of project build dependencies.
+    required: false
 outputs:
   codeql-path:
     description: The path of the CodeQL binary used for analysis