Merge branch 'main' into split-upload-method

.eslintrc.json

@@ -49,8 +49,7 @@
             "@typescript-eslint/prefer-regexp-exec": "off",
             "@typescript-eslint/require-await": "off",
             "@typescript-eslint/restrict-template-expressions": "off",
-            "func-style": "off",
-            "github/no-then": "off"
+            "func-style": "off"
         }
     }]
 }

.github/workflows/check-expected-release-files.yml

@@ -0,0 +1,22 @@
+name: Check Expected Release Files
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/check-expected-release-files.yml
+      - src/defaults.json
+
+jobs:
+  check-expected-release-files:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout CodeQL Action
+        uses: actions/checkout@v2
+      - name: Check Expected Release Files
+        run: |
+          bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
+          set -x
+          for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz" "codeql-runner-linux" "codeql-runner-macos" "codeql-runner-win.exe"; do
+            curl --location --fail --head --request GET "https://github.com/github/codeql-action/releases/download/$bundle_version/$expected_file" > /dev/null
+          done

.github/workflows/codeql.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches: [main, v1]
   pull_request:
+    branches: [main, v1]
 
 jobs:
   build:

.github/workflows/integration-testing.yml

@@ -6,7 +6,27 @@ on:
   pull_request:
 
 jobs:
+  # This job and check-node-modules below dupliacte checks from `pr-checks.yml`.
+  # We run them here as well to gate the more expensive checks which wouldn't
+  # even be executing the correct code if these fail.
+  check-js:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Check generated JavaScript
+      run: .github/workflows/script/check-js.sh
+
+  check-node-modules:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Check node modules up to date
+      run: .github/workflows/script/check-node-modules.sh
+
   multi-language-repo_test-autodetect-languages:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     steps:
@@ -40,6 +60,7 @@ jobs:
         fi
 
   multi-language-repo_test-custom-queries-and-remote-config:
+    needs: [check-js, check-node-modules]
     strategy:
       fail-fast: false
       matrix:
@@ -69,6 +90,7 @@ jobs:
 
   # Currently is not possible to analyze Go in conjunction with other languages in macos
   multi-language-repo_test-go-custom-queries:
+    needs: [check-js, check-node-modules]
     strategy:
       fail-fast: false
       matrix:
@@ -99,6 +121,7 @@ jobs:
         TEST_MODE: true
 
   go-custom-tracing:
+    needs: [check-js, check-node-modules]
     strategy:
       fail-fast: false
       matrix:
@@ -129,7 +152,32 @@ jobs:
       env:
         TEST_MODE: true
 
+  go-custom-tracing-autobuild:
+    needs: [check-js, check-node-modules]
+    # No need to test Go autobuild on multiple OSes since
+    # we're testing Go custom tracing with a manual build on all OSes.
+    runs-on: ubuntu-latest
+    env:
+      CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../action
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
+    - uses: ./../action/init
+      with:
+        languages: go
+    - uses: ./../action/autobuild
+    - uses: ./../action/analyze
+      env:
+        TEST_MODE: true
+
   multi-language-repo_rubocop:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     steps:
@@ -161,6 +209,7 @@ jobs:
         TEST_MODE: true
 
   test-proxy:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
     container:
       image: ubuntu:18.04
@@ -188,6 +237,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-javascript-ubuntu:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     steps:
@@ -214,6 +264,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-javascript-windows:
+    needs: [check-js, check-node-modules]
     runs-on: windows-latest
 
     steps:
@@ -236,6 +287,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-javascript-macos:
+    needs: [check-js, check-node-modules]
     runs-on: macos-latest
 
     steps:
@@ -258,6 +310,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-csharp-ubuntu:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     steps:
@@ -292,6 +345,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-csharp-windows:
+    needs: [check-js, check-node-modules]
     runs-on: windows-latest
 
     steps:
@@ -327,6 +381,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-csharp-macos:
+    needs: [check-js, check-node-modules]
     runs-on: macos-latest
 
     steps:
@@ -363,6 +418,7 @@ jobs:
 
 
   runner-analyze-csharp-autobuild-ubuntu:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     steps:
@@ -396,6 +452,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-csharp-autobuild-windows:
+    needs: [check-js, check-node-modules]
     runs-on: windows-latest
 
     steps:
@@ -430,6 +487,7 @@ jobs:
         TEST_MODE: true
 
   runner-analyze-csharp-autobuild-macos:
+    needs: [check-js, check-node-modules]
     runs-on: macos-latest
 
     steps:
@@ -464,6 +522,7 @@ jobs:
         TEST_MODE: true
 
   runner-upload-sarif:
+    needs: [check-js, check-node-modules]
     runs-on: ubuntu-latest
 
     if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}

.github/workflows/pr-checks.yml

@@ -20,53 +20,18 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Check generated JavaScript
-      run: |
-        # Sanity check that repo is clean to start with
-        if [ ! -z "$(git status --porcelain)" ]; then
-          # If we get a fail here then this workflow needs attention...
-          >&2 echo "Failed: Repo should be clean before testing!"
-          exit 1
-        fi
-        # Wipe the lib directory incase there are extra unnecessary files in there
-        rm -rf lib
-        # Generate the JavaScript files
-        npm run-script build
-        # Check that repo is still clean
-        if [ ! -z "$(git status --porcelain)" ]; then
-          # If we get a fail here then the PR needs attention
-          >&2 echo "Failed: JavaScript files are not up to date. Run 'npm run-script build' to update"
-          git status
-          exit 1
-        fi
-        echo "Success: JavaScript files are up to date"
+      run: .github/workflows/script/check-js.sh
 
   check-node-modules:
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v2
     - name: Check node modules up to date
-      run: |
-        # Sanity check that repo is clean to start with
-        if [ ! -z "$(git status --porcelain)" ]; then
-          # If we get a fail here then this workflow needs attention...
-          >&2 echo "Failed: Repo should be clean before testing!"
-          exit 1
-        fi
-        # Reinstall modules and then clean to remove absolute paths
-        # Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
-        npm ci
-        npm run removeNPMAbsolutePaths
-        # Check that repo is still clean
-        if [ ! -z "$(git status --porcelain)" ]; then
-          # If we get a fail here then the PR needs attention
-          >&2 echo "Failed: node_modules are not up to date. Run 'npm ci' and 'npm run removeNPMAbsolutePaths' to update"
-          git status
-          exit 1
-        fi
-        echo "Success: node_modules are up to date"
+      run: .github/workflows/script/check-node-modules.sh
 
   npm-test:
+    needs: [check-js, check-node-modules]
     strategy:
       matrix:
         os: [ubuntu-latest,macos-latest]

.github/workflows/script/check-js.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -eu
+
+# Sanity check that repo is clean to start with
+if [ ! -z "$(git status --porcelain)" ]; then
+    # If we get a fail here then this workflow needs attention...
+    >&2 echo "Failed: Repo should be clean before testing!"
+    exit 1
+fi
+# Wipe the lib directory incase there are extra unnecessary files in there
+rm -rf lib
+# Generate the JavaScript files
+npm run-script build
+# Check that repo is still clean
+if [ ! -z "$(git status --porcelain)" ]; then
+    # If we get a fail here then the PR needs attention
+    >&2 echo "Failed: JavaScript files are not up to date. Run 'npm run-script build' to update"
+    git status
+    exit 1
+fi
+echo "Success: JavaScript files are up to date"

.github/workflows/script/check-node-modules.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -eu
+
+# Sanity check that repo is clean to start with
+if [ ! -z "$(git status --porcelain)" ]; then
+    # If we get a fail here then this workflow needs attention...
+    >&2 echo "Failed: Repo should be clean before testing!"
+    exit 1
+fi
+# Reinstall modules and then clean to remove absolute paths
+# Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
+npm ci
+npm run removeNPMAbsolutePaths
+# Check that repo is still clean
+if [ ! -z "$(git status --porcelain)" ]; then
+    # If we get a fail here then the PR needs attention
+    >&2 echo "Failed: node_modules are not up to date. Run 'npm ci' and 'npm run removeNPMAbsolutePaths' to update"
+    git status
+    exit 1
+fi
+echo "Success: node_modules are up to date"