From 290b34d5dfd896189952af7799c14e04bb6aed67 Mon Sep 17 00:00:00 2001
From: Ana Armas Romero <54946499+anaarmas@users.noreply.github.com>
Date: Mon, 4 May 2020 19:55:51 +0200
Subject: [PATCH 1/4] Note in readme about go analysis in macos-latest

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f61fdee5c..a0fade7a0 100644
--- a/README.md
+++ b/README.md
@@ -137,7 +137,7 @@ env:
 
 to `github/codeql-action/analyze`.
 
-### If you do not use a vendor directory
+#### If you do not use a vendor directory
 
 Dependencies on public repositories should just work. If you have dependencies on private repositories, one option is to use `git config` and a [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) to authenticate when downloading dependencies. Add a section like
 
@@ -163,6 +163,10 @@ dotnet build /p:UseSharedCompilation=false
 
 Version 3 does not require the additional flag.
 
+### Analysing Go together with other languages on `macos-latest`
+
+This is currently not possible for Java, C/C++, or C#.
+
 ## License
 
 This project is released under the [MIT License](LICENSE).

From ab918b676bd014a667688f1500e4e1b86ad8cc99 Mon Sep 17 00:00:00 2001
From: Robert Brignull <robertbrignull@gmail.com>
Date: Tue, 5 May 2020 11:59:05 +0100
Subject: [PATCH 2/4] use tmp dir for external queries test

---
 lib/external-queries.js      |  3 ++-
 lib/util.js                  | 10 ++++++++++
 src/external-queries.test.ts | 12 ++++++++----
 src/external-queries.ts      |  3 ++-
 src/util.ts                  | 10 ++++++++++
 5 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/lib/external-queries.js b/lib/external-queries.js
index 253cf2762..90e028938 100644
--- a/lib/external-queries.js
+++ b/lib/external-queries.js
@@ -11,8 +11,9 @@ const core = __importStar(require("@actions/core"));
 const exec = __importStar(require("@actions/exec"));
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const util = __importStar(require("./util"));
 async function checkoutExternalQueries(config) {
-    const folder = process.env['RUNNER_WORKSPACE'] || '/tmp/codeql-action';
+    const folder = util.getRequiredEnvParam('RUNNER_WORKSPACE');
     for (const externalQuery of config.externalQueries) {
         core.info('Checking out ' + externalQuery.repository);
         const checkoutLocation = path.join(folder, externalQuery.repository);
diff --git a/lib/util.js b/lib/util.js
index d12a91044..a9d79bb41 100644
--- a/lib/util.js
+++ b/lib/util.js
@@ -15,6 +15,8 @@ const http = __importStar(require("@actions/http-client"));
 const auth = __importStar(require("@actions/http-client/auth"));
 const octokit = __importStar(require("@octokit/rest"));
 const console_log_level_1 = __importDefault(require("console-log-level"));
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
 const path = __importStar(require("path"));
 const sharedEnv = __importStar(require("./shared-environment"));
 /**
@@ -280,3 +282,11 @@ function getToolNames(sarifContents) {
     return Object.keys(toolNames);
 }
 exports.getToolNames = getToolNames;
+// Creates a random temporary directory, runs the given body, and then deletes the directory.
+// Mostly intended for use within tests.
+async function withTmpDir(body) {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'codeql-action-'));
+    await body(tmpDir);
+    fs.rmdirSync(tmpDir, { recursive: true });
+}
+exports.withTmpDir = withTmpDir;
diff --git a/src/external-queries.test.ts b/src/external-queries.test.ts
index 088f3a3fe..a79f3f3e5 100644
--- a/src/external-queries.test.ts
+++ b/src/external-queries.test.ts
@@ -3,15 +3,19 @@ import * as path from "path";
 
 import * as configUtils from "./config-utils";
 import * as externalQueries from "./external-queries";
+import * as util from "./util";
 
 test("checkoutExternalQueries", async () => {
     let config = new configUtils.Config();
     config.externalQueries = [
         new configUtils.ExternalQuery("github/codeql-go", "df4c6869212341b601005567381944ed90906b6b"),
     ];
-    await externalQueries.checkoutExternalQueries(config);
 
-    let destination = process.env["RUNNER_WORKSPACE"] || "/tmp/codeql-action/";
-    // COPYRIGHT file existed in df4c6869212341b601005567381944ed90906b6b but not in master
-    expect(fs.existsSync(path.join(destination, "github", "codeql-go", "COPYRIGHT"))).toBeTruthy();
+    await util.withTmpDir(async tmpDir => {
+        process.env["RUNNER_WORKSPACE"] = tmpDir;
+        await externalQueries.checkoutExternalQueries(config);
+
+        // COPYRIGHT file existed in df4c6869212341b601005567381944ed90906b6b but not in master
+        expect(fs.existsSync(path.join(tmpDir, "github", "codeql-go", "COPYRIGHT"))).toBeTruthy();
+    });
 });
diff --git a/src/external-queries.ts b/src/external-queries.ts
index c9724148d..a478f538b 100644
--- a/src/external-queries.ts
+++ b/src/external-queries.ts
@@ -4,9 +4,10 @@ import * as fs from 'fs';
 import * as path from 'path';
 
 import * as configUtils from './config-utils';
+import * as util from './util';
 
 export async function checkoutExternalQueries(config: configUtils.Config) {
-  const folder = process.env['RUNNER_WORKSPACE'] || '/tmp/codeql-action';
+  const folder = util.getRequiredEnvParam('RUNNER_WORKSPACE');
 
   for (const externalQuery of config.externalQueries) {
     core.info('Checking out ' + externalQuery.repository);
diff --git a/src/util.ts b/src/util.ts
index cfdd2419c..d17571d5d 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -3,6 +3,8 @@ import * as http from '@actions/http-client';
 import * as auth from '@actions/http-client/auth';
 import * as octokit from '@octokit/rest';
 import consoleLogLevel from 'console-log-level';
+import * as fs from "fs";
+import * as os from 'os';
 import * as path from 'path';
 
 import * as sharedEnv from './shared-environment';
@@ -313,3 +315,11 @@ export function getToolNames(sarifContents: string): string[] {
 
     return Object.keys(toolNames);
 }
+
+// Creates a random temporary directory, runs the given body, and then deletes the directory.
+// Mostly intended for use within tests.
+export async function withTmpDir(body: (tmpDir: string) => Promise<void>) {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'codeql-action-'));
+    await body(tmpDir);
+    fs.rmdirSync(tmpDir, { recursive: true });
+}

From 4fff14bba4a36c1aee5e81ad2b0a229df30cd4b7 Mon Sep 17 00:00:00 2001
From: Robert <robertbrignull@github.com>
Date: Wed, 6 May 2020 10:55:34 +0100
Subject: [PATCH 3/4] Update README.md

---
 README.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index f61fdee5c..5de83cb3f 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,12 @@
 
 This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/semmle/ql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
 
+## License
+
+This project is released under the [MIT License](LICENSE).
+
+The underlying CodeQL CLI, used in this action, is licensed under the [GitHub CodeQL Terms and Conditions](https://securitylab.github.com/tools/codeql/license). As such, this action may be used on open source projects hosted on GitHub, and on  private repositories that are owned by an organisation with GitHub Advanced Security enabled.
+
 ## Usage
 
 To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template:
@@ -162,7 +168,3 @@ dotnet build /p:UseSharedCompilation=false
 ```
 
 Version 3 does not require the additional flag.
-
-## License
-
-This project is released under the [MIT License](LICENSE).

From 4c11b3d9bf7b4658602568713bef2078aa498e66 Mon Sep 17 00:00:00 2001
From: Ana Armas Romero <54946499+anaarmas@users.noreply.github.com>
Date: Fri, 8 May 2020 20:16:30 +0200
Subject: [PATCH 4/4] rephrase Go support limitations

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a0fade7a0..c94da7b1d 100644
--- a/README.md
+++ b/README.md
@@ -165,7 +165,7 @@ Version 3 does not require the additional flag.
 
 ### Analysing Go together with other languages on `macos-latest`
 
-This is currently not possible for Java, C/C++, or C#.
+When running on macos it is currently not possible to analyze Go in conjunction with any of Java, C/C++, or C#. Each language can still be analyzed separately.
 
 ## License