Merge pull request #44 from github/merge-master-v1

Update v1 branch to latest master

.github/codeql/codeql-config.yml

@@ -1,4 +1,6 @@
-me: "CodeQL config"
+name: "CodeQL config"
 queries: 
   - name: Run custom queries
     uses: ./queries
+paths-ignore:
+  - tests

.github/workflows/codeql.yml

@@ -13,5 +13,6 @@ jobs:
     - uses: actions/checkout@v1
     - uses: ./init
       with:
-       config-file: ./.github/codeql/codeql-config.yml
+        languages: javascript
+        config-file: ./.github/codeql/codeql-config.yml
     - uses: ./analyze

.github/workflows/integration-testing.yml

@@ -3,20 +3,118 @@ name: "Integration Testing"
 on: [push]
 
 jobs:
-  dispatch-events:
-    if: github.event.repository.full_name == 'github/codeql-action'
+  multi-language-repo_test-autodetect-languages:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../action
+        shopt -s dotglob
+        mv * ../action/
+        mv ../action/tests/multi-language-repo/* .
+    - uses: ./../action/init
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+
+  multi-language-repo_test-custom-queries:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../action
+        shopt -s dotglob
+        mv * ../action/
+        mv ../action/tests/multi-language-repo/* .
+    - uses: ./../action/init
+      with:
+        languages: cpp,csharp,java,javascript,python
+        config-file: ./.github/codeql/custom-queries.yml
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+
+  # Currently is not possible to analyze Go in conjunction with other languages in macos
+  multi-language-repo_test-go-custom-queries:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/setup-go@v2
+      if: ${{ matrix.os ==  'macos-latest' }}
+      with:
+        go-version: '^1.13.1'
+    - uses: actions/checkout@v2
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../action
+        shopt -s dotglob
+        mv * ../action/
+        mv ../action/tests/multi-language-repo/* .
+    - uses: ./../action/init
+      with:
+        languages: go
+        config-file: ./.github/codeql/custom-queries.yml
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+
+
+  multi-language-repo_rubocop:
     runs-on: ubuntu-latest
+
     steps:
-    - name: Send repository dispatch events
+    - uses: actions/checkout@v2
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../action
+        shopt -s dotglob
+        mv * ../action/
+        mv ../action/tests/multi-language-repo/* .
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+    - name: Install Code Scanning integration
+      run: bundle add code-scanning-rubocop --version 0.2.0 --skip-install
+    - name: Install dependencies
+      run: bundle install
+    - name: Rubocop run
       run: |
-        curl -X POST \
-          -H "Authorization: Bearer ${{ secrets.CODEQL_TESTING_TOKEN }}" \
-          -H "Accept: application/vnd.github.everest-preview+json" \
-          https://api.github.com/repos/Anthophila/amazon-cognito-js-copy/dispatches \
-          -d '{"event_type":"codeql-integration","client_payload": {"sha": "${{ github.sha }}"}}'
-
-        curl -X POST \
-          -H "Authorization: Bearer ${{ secrets.CODEQL_TESTING_TOKEN }}" \
-          -H "Accept: application/vnd.github.everest-preview+json" \
-          https://api.github.com/repos/Anthophila/electron-test-action/dispatches \
-          -d '{"event_type":"codeql-integration","client_payload": {"sha": "${{ github.sha }}"}}'
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+    - uses: ./../action/upload-sarif
+      with:
+        sarif_file: rubocop.sarif
+      env:
+        TEST_MODE: true

.github/workflows/pr-checks.yml

@@ -0,0 +1,71 @@
+name: "PR checks"
+
+on: [push, pull_request]
+
+jobs:
+  tslint:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: tslint
+      run: npm run-script lint
+
+  check-js:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: Check generated JavaScript
+      run: |
+        # Sanity check that repo is clean to start with
+        if [ ! -z "$(git status --porcelain)" ]; then
+          # If we get a fail here then this workflow needs attention...
+          >&2 echo "Failed: Repo should be clean before testing!"
+          exit 1
+        fi
+        # Generate the JavaScript files
+        npm run-script build
+        # Check that repo is still clean
+        if [ ! -z "$(git status --porcelain)" ]; then
+          # If we get a fail here then the PR needs attention
+          >&2 echo "Failed: JavaScript files are not up to date. Run 'npm run-script build' to update"
+          git status
+          exit 1
+        fi
+        echo "Success: JavaScript files are up to date"
+
+  check-node-modules:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: Check node modules up to date
+      run: |
+        # Sanity check that repo is clean to start with
+        if [ ! -z "$(git status --porcelain)" ]; then
+          # If we get a fail here then this workflow needs attention...
+          >&2 echo "Failed: Repo should be clean before testing!"
+          exit 1
+        fi
+
+        # Reinstall modules and then clean to remove absolute paths
+        # Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
+        npm ci
+        npm run removeNPMAbsolutePaths
+        # Check that repo is still clean
+        if [ ! -z "$(git status --porcelain)" ]; then
+          # If we get a fail here then the PR needs attention
+          >&2 echo "Failed: node_modules are not up to date. Run 'npm ci' and 'npm run removeNPMAbsolutePaths' to update"
+          git status
+          exit 1
+        fi
+        echo "Success: node_modules are up to date"
+
+  npm-test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: npm run-script test
+      run: npm run-script test

README.md

@@ -2,6 +2,12 @@
 
 This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/semmle/ql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
 
+## License
+
+This project is released under the [MIT License](LICENSE).
+
+The underlying CodeQL CLI, used in this action, is licensed under the [GitHub CodeQL Terms and Conditions](https://securitylab.github.com/tools/codeql/license). As such, this action may be used on open source projects hosted on GitHub, and on  private repositories that are owned by an organisation with GitHub Advanced Security enabled.
+
 ## Usage
 
 To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template:
@@ -137,7 +143,7 @@ env:
 
 to `github/codeql-action/analyze`.
 
-### If you do not use a vendor directory
+#### If you do not use a vendor directory
 
 Dependencies on public repositories should just work. If you have dependencies on private repositories, one option is to use `git config` and a [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) to authenticate when downloading dependencies. Add a section like
 
@@ -163,6 +169,6 @@ dotnet build /p:UseSharedCompilation=false
 
 Version 3 does not require the additional flag.
 
-## License
+### Analysing Go together with other languages on `macos-latest`
 
-This project is released under the [MIT License](LICENSE).
+When running on macos it is currently not possible to analyze Go in conjunction with any of Java, C/C++, or C#. Each language can still be analyzed separately.

analyze/action.yml

@@ -12,6 +12,9 @@ inputs:
     description: Upload the SARIF file
     required: false
     default: true
+  ram:
+    description: Override the amount of memory in MB to be used by CodeQL. By default, almost all the memory of the machine is used.
+    required: false
   token:
     default: ${{ github.token }}
   matrix: