Merge branch 'main' into query-overriding

.github/workflows/cli.yml

@@ -0,0 +1,18 @@
+name: "CodeScanning CLI"
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+
+    # Build the CLI
+    - name: Build CLI
+      run: npm run build-cli
+
+    # Upload an empty SARIF file
+    - name: Upload with CLI
+      run: node cli/code-scanning-cli.js upload --sarif-file src/testdata/empty-sarif.sarif --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_API_URL --github-auth ${{ github.token }}

.github/workflows/integration-testing.yml

@@ -22,7 +22,7 @@ jobs:
       env:
         TEST_MODE: true
     - run: |
-        cd "$CODEQL_ACTION_DATABASE_DIR"
+        cd "$RUNNER_TEMP/codeql_databases"
         # List all directories as there will be precisely one directory per database
         # but there may be other files in this directory such as query suites.
         if [ "$(ls -d */ | wc -l)" != 6 ] || \

.gitignore

@@ -0,0 +1,2 @@
+/cli/
+

CONTRIBUTING.md

@@ -26,6 +26,25 @@ This project also includes configuration to run tests from VSCode (with support
 
 To see the effect of your changes and to test them, push your changes in a branch and then look at the [Actions output](https://github.com/github/codeql-action/actions) for that branch.  You can also exercise the code locally by running the automated tests.
 
+### Running the action locally
+
+It is possible to run this action locally via [act](https://github.com/nektos/act) via the following steps:
+
+1. Create a GitHub [Personal Access Token](https://github.com/settings/tokens) (PAT).
+1. Install [act](https://github.com/nektos/act) v0.2.10 or greater.
+1. Add a `.env` file in the root of the project you are running:
+
+  ```bash
+  CODEQL_LOCAL_RUN=true
+
+  # Optional, for better logging
+  GITHUB_JOB=<ANY_JOB_NAME>
+  ```
+
+1. Run `act -j codeql -s GITHUB_TOKEN=<PAT>`
+
+Running locally will generate the CodeQL database and run all the queries, but it will avoid uploading and reporting results to GitHub. Note that this must be done on a repository that _consumes_ this action, not this repository. The use case is to debug failures of this action on specific repositories.
+
 ### Integration tests
 
 As well as the unit tests (see _Common tasks_ above), there are integration tests, defined in `.github/workflows/integration-testing.yml`.  These are run by a CI check.  Depending on the change you’re making, you may want to add a test to this file or extend an existing one.

analyze/action.yml

@@ -19,7 +19,6 @@ inputs:
   threads:
     description: The number of threads to be used by CodeQL.
     required: false
-    default: "1"
   checkout_path:
     description: "The path at which the analyzed repository was checked out. Used to relativeize any absolute paths in the uploaded SARIF file."
     required: false

init/action.yml

@@ -5,7 +5,7 @@ inputs:
   tools:
     description: URL of CodeQL tools
     required: false
-    default: https://github.com/github/codeql-action/releases/download/codeql-bundle-20200630/codeql-bundle.tar.gz
+    # If not specified the Action will check in several places until it finds the CodeQL tools.
   languages:
     description: The languages to be analysed
     required: false