Merge branch 'main' into patch-1

.gitattributes

@@ -1 +1,8 @@
 lib/*.js linguist-generated=true
+
+# Reduce incidence of needless merge conflicts on CHANGELOG.md
+# The man page at
+# https://mirrors.edge.kernel.org/pub/software/scm/git/docs/gitattributes.html
+# suggests that this might interleave lines arbitrarily, but empirically
+# it keeps added chunks contiguous
+CHANGELOG.md                merge=union

.github/pull_request_template.md

@@ -1,4 +1,5 @@
 ### Merge / deployment checklist
 
 - [ ] Confirm this change is backwards compatible with existing workflows.
-- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/master/README.md) has been updated if necessary.
+- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) has been updated if necessary.
+- [ ] Confirm the [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) has been updated if necessary.

.github/update-release-branch.py

@@ -4,6 +4,16 @@
 import requests
 import subprocess
 import sys
+import json
+import datetime
+import os
+
+EMPTY_CHANGELOG = """
+# CodeQL Action and CodeQL Runner Changelog
+
+## [UNRELEASED]
+
+"""
 
 # The branch being merged from.
 # This is the one that contains day-to-day development work.
@@ -49,32 +59,40 @@ def open_pr(repo, all_commits, short_main_sha, branch_name):
   commits_without_pull_requests = sorted(commits_without_pull_requests, key=lambda c: c.commit.author.date)
 
   # Start constructing the body text
-  body = 'Merging ' + short_main_sha + ' into ' + LATEST_RELEASE_BRANCH
+  body = []
+  body.append('Merging ' + short_main_sha + ' into ' + LATEST_RELEASE_BRANCH)
 
   conductor = get_conductor(repo, pull_requests, commits_without_pull_requests)
-  body += '\n\nConductor for this PR is @' + conductor
+  body.append('')
+  body.append('Conductor for this PR is @' + conductor)
 
   # List all PRs merged
   if len(pull_requests) > 0:
-    body += '\n\nContains the following pull requests:'
+    body.append('')
+    body.append('Contains the following pull requests:')
     for pr in pull_requests:
       merger = get_merger_of_pr(repo, pr)
-      body += '\n- #' + str(pr.number)
-      body += ' - ' + pr.title
-      body += ' (@' + merger + ')'
+      body.append('- #' + str(pr.number) + ' - ' + pr.title +' (@' + merger + ')')
 
   # List all commits not part of a PR
   if len(commits_without_pull_requests) > 0:
-    body += '\n\nContains the following commits not from a pull request:'
+    body.append('')
+    body.append('Contains the following commits not from a pull request:')
     for commit in commits_without_pull_requests:
-      body += '\n- ' + commit.sha
-      body += ' - ' + get_truncated_commit_message(commit)
-      body += ' (@' + commit.author.login + ')'
+      body.append('- ' + commit.sha + ' - ' + get_truncated_commit_message(commit) + ' (@' + commit.author.login + ')')
+
+  body.append('')
+  body.append('Please review the following:')
+  body.append(' - [ ] The CHANGELOG displays the correct version and date.')
+  body.append(' - [ ] The CHANGELOG includes all relevant, user-facing changes since the last release.')
+  body.append(' - [ ] There are no unexpected commits being merged into the ' + LATEST_RELEASE_BRANCH + ' branch.')
+  body.append(' - [ ] The docs team is aware of any documentation changes that need to be released.')
+  body.append(' - [ ] The mergeback PR is merged back into ' + MAIN_BRANCH + ' after this PR is merged.')
 
   title = 'Merge ' + MAIN_BRANCH + ' into ' + LATEST_RELEASE_BRANCH
 
   # Create the pull request
-  pr = repo.create_pull(title=title, body=body, head=branch_name, base=LATEST_RELEASE_BRANCH)
+  pr = repo.create_pull(title=title, body='\n'.join(body), head=branch_name, base=LATEST_RELEASE_BRANCH)
   print('Created PR #' + str(pr.number))
 
   # Assign the conductor
@@ -95,7 +113,7 @@ def get_conductor(repo, pull_requests, other_commits):
 # This will not include any commits that exist on the release branch
 # that aren't on main.
 def get_commit_difference(repo):
-  commits = run_git('log', '--pretty=format:%H', ORIGIN + '/' + LATEST_RELEASE_BRANCH + '..' + MAIN_BRANCH).strip().split('\n')
+  commits = run_git('log', '--pretty=format:%H', ORIGIN + '/' + LATEST_RELEASE_BRANCH + '..' + ORIGIN + '/' + MAIN_BRANCH).strip().split('\n')
 
   # Convert to full-fledged commit objects
   commits = [repo.get_commit(c) for c in commits]
@@ -135,17 +153,40 @@ def get_pr_for_commit(repo, commit):
 def get_merger_of_pr(repo, pr):
   return repo.get_commit(pr.merge_commit_sha).author.login
 
+def get_current_version():
+  with open('package.json', 'r') as f:
+    return json.load(f)['version']
+
+def get_today_string():
+  today = datetime.datetime.today()
+  return '{:%d %b %Y}'.format(today)
+
+def update_changelog(version):
+  if (os.path.exists('CHANGELOG.md')):
+    content = ''
+    with open('CHANGELOG.md', 'r') as f:
+      content = f.read()
+  else:
+    content = EMPTY_CHANGELOG
+
+  newContent = content.replace('[UNRELEASED]', version + ' - ' + get_today_string(), 1)
+
+  with open('CHANGELOG.md', 'w') as f:
+    f.write(newContent)
+
+
 def main():
   if len(sys.argv) != 3:
     raise Exception('Usage: update-release.branch.py <github token> <repository nwo>')
   github_token = sys.argv[1]
   repository_nwo = sys.argv[2]
 
   repo = Github(github_token).get_repo(repository_nwo)
+  version = get_current_version()
 
   # Print what we intend to go
   print('Considering difference between ' + MAIN_BRANCH + ' and ' + LATEST_RELEASE_BRANCH)
-  short_main_sha = run_git('rev-parse', '--short', MAIN_BRANCH).strip()
+  short_main_sha = run_git('rev-parse', '--short', ORIGIN + '/' + MAIN_BRANCH).strip()
   print('Current head of ' + MAIN_BRANCH + ' is ' + short_main_sha)
 
   # See if there are any commits to merge in
@@ -157,7 +198,7 @@ def main():
   # The branch name is based off of the name of branch being merged into
   # and the SHA of the branch being merged from. Thus if the branch already
   # exists we can assume we don't need to recreate it.
-  new_branch_name = 'update-' + LATEST_RELEASE_BRANCH + '-' + short_main_sha
+  new_branch_name = 'update-v' + version + '-' + short_main_sha
   print('Branch name is ' + new_branch_name)
 
   # Check if the branch already exists. If so we can abort as this script
@@ -168,7 +209,15 @@ def main():
 
   # Create the new branch and push it to the remote
   print('Creating branch ' + new_branch_name)
-  run_git('checkout', '-b', new_branch_name, MAIN_BRANCH)
+  run_git('checkout', '-b', new_branch_name, ORIGIN + '/' + MAIN_BRANCH)
+
+  print('Updating changelog')
+  update_changelog(version)
+
+  # Create a commit that updates the CHANGELOG
+  run_git('add', 'CHANGELOG.md')
+  run_git('commit', '-m', version)
+
   run_git('push', ORIGIN, new_branch_name)
 
   # Open a PR to update the branch

.github/workflows/post-release-mergeback.yml

@@ -0,0 +1,124 @@
+# This workflow runs after a release of the action.
+# It merges any changes from the release back into the
+# main branch. Typically, this is just a single commit
+# that updates the changelog.
+name: Tag release and merge back
+
+on:
+  workflow_dispatch:
+    inputs:
+      baseBranch:
+        description: 'The base branch to merge into'
+        default: main
+        required: false
+
+  push:
+    branches:
+      - v1
+
+  pull_request:
+    paths:
+      - .github/workflows/post-release-mergeback.yml
+
+jobs:
+  merge-back:
+    runs-on: ubuntu-latest
+    if: github.repository == 'github/codeql-action'
+    env:
+      BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
+      HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
+
+    steps:
+      - name: Dump GitHub Event context
+        env:
+          GITHUB_EVENT_CONTEXT: "${{ toJson(github.event) }}"
+        run: echo "$GITHUB_EVENT_CONTEXT"
+
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+
+      - name: Update git config
+        run: |
+          git config --global user.email "github-actions@github.com"
+          git config --global user.name "github-actions[bot]"
+
+      - name: Get version and new branch
+        id: getVersion
+        run: |
+          VERSION="v$(jq '.version' -r 'package.json')"
+          SHORT_SHA="${GITHUB_SHA:0:8}"
+          echo "::set-output name=version::$VERSION"
+          NEW_BRANCH="mergeback/${VERSION}-to-${BASE_BRANCH}-${SHORT_SHA}"
+          echo "::set-output name=newBranch::$NEW_BRANCH"
+
+
+      - name: Dump branches
+        env:
+          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
+        run: |
+          echo "BASE_BRANCH $BASE_BRANCH"
+          echo "HEAD_BRANCH $HEAD_BRANCH"
+          echo "NEW_BRANCH $NEW_BRANCH"
+
+      - name: Create mergeback branch
+        env:
+          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
+        run: |
+          git checkout -b "$NEW_BRANCH"
+
+      - name: Check for tag
+        id: check
+        env:
+          VERSION: "${{ steps.getVersion.outputs.version }}"
+        run: |
+          set +e # don't fail on an errored command
+          git ls-remote --tags origin | grep "$VERSION"
+          EXISTS="$?"
+          if [ "$EXISTS" -ne 0 ]; then
+             echo "::set-output name=exists::true"
+             echo "Tag $TAG exists. Not going to re-release."
+          fi
+
+      # we didn't tag the release during the update-release-branch workflow because the
+      # commit that actually makes it to the release branch is a merge commit,
+      # and not yet known during the first workflow. We tag now because we know the correct commit.
+      - name: Tag release
+        if: steps.check.outputs.exists == 'true'
+        env:
+          VERSION: ${{ steps.getVersion.outputs.version }}
+        run: |
+          git tag -a "$VERSION" -m "$VERSION"
+          git push origin --follow-tags "$VERSION"
+
+      - name: Create mergeback branch
+        if: steps.check.outputs.exists == 'true'
+        env:
+          VERSION: "${{ steps.getVersion.outputs.version }}"
+          NEW_BRANCH: "${{ steps.getVersion.outputs.newBranch }}"
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        run: |
+          set -exu
+          PR_TITLE="Mergeback $VERSION $HEAD_BRANCH into $BASE_BRANCH"
+          PR_BODY="Updates version and changelog."
+
+          # Update the changelog
+          perl -i -pe 's/^/## \[UNRELEASED\]\n\n/ if($.==3)' CHANGELOG.md
+          git add .
+          git commit -m "Update changelog and version after $VERSION"
+          npm version patch
+
+          # when running this workflow on a PR, this is just a test.
+          # so put into draft mode.
+          if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
+            DRAFT="--draft"
+          else
+            DRAFT=""
+          fi
+
+          git push origin "$NEW_BRANCH"
+          gh pr create \
+            --head "$NEW_BRANCH" \
+            --base "$BASE_BRANCH" \
+            --title "$PR_TITLE" \
+            --body "$PR_BODY" \
+            "$DRAFT"

.github/workflows/pr-checks.yml

@@ -59,14 +59,16 @@ jobs:
         mv ../action/tests/multi-language-repo/{*,.github} .
         mv ../action/.github/workflows .github
     - uses: ./../action/init
+      with:
+        db-location: "${{ runner.temp }}/customDbLocation"
     - name: Build code
       shell: bash
       run: ./build.sh
     - uses: ./../action/analyze
       env:
         TEST_MODE: true
     - run: |
-        cd "$RUNNER_TEMP/codeql_databases"
+        cd "$RUNNER_TEMP/customDbLocation"
         # List all directories as there will be precisely one directory per database
         # but there may be other files in this directory such as query suites.
         if [ "$(ls -d */ | wc -l)" != 6 ] || \
@@ -261,6 +263,12 @@ jobs:
     - uses: ./../action/analyze
       env:
         TEST_MODE: true
+    - run: |
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
 
   multi-language-repo_rubocop:
     needs: [check-js, check-node-modules]

.github/workflows/update-release-branch.yml

@@ -22,12 +22,17 @@ jobs:
     - name: Set up Python
       uses: actions/setup-python@v2
       with:
-        python-version: 3.5
+        python-version: 3.8
 
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install PyGithub==1.51 requests
 
+    - name: Update git config
+      run: |
+        git config --global user.email "github-actions@github.com"
+        git config --global user.name "github-actions[bot]"
+
     - name: Update release branch
       run: python .github/update-release-branch.py ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -7,6 +7,7 @@ on:
 jobs:
   update-supported-enterprise-server-versions:
     runs-on: ubuntu-latest
+    if: ${{ github.repository == 'github/codeql-action' }}
 
     steps:
       - name: Setup Python

CHANGELOG.md

@@ -0,0 +1,7 @@
+# CodeQL Action and CodeQL Runner Changelog
+
+## [UNRELEASED]
+
+- Add this changelog file. [#507](https://github.com/github/codeql-action/pull/507)
+- Improve grouping of analysis logs. Add a new log group containing a summary of metrics and diagnostics, if they were produced by CodeQL builtin queries. [#515](https://github.com/github/codeql-action/pull/515)
+- Add metrics and diagnostics summaries from custom query suites to the analysis summary log group. [#532](https://github.com/github/codeql-action/pull/532) 

README.md

@@ -2,6 +2,8 @@
 
 This action runs GitHub's industry-leading semantic code analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/github/codeql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
 
+For a list of recent changes, see the CodeQL Action's [changelog](CHANGELOG.md).
+
 ## License
 
 This project is released under the [MIT License](LICENSE).

init/action.yml

@@ -16,6 +16,9 @@ inputs:
   config-file:
     description: Path of the config file to use
     required: false
+  db-location:
+    description: Path where CodeQL databases should be created. If not specified, a temporary directory will be used.
+    required: false
   queries:
     description: Comma-separated list of additional queries to run. By default, this overrides the same setting in a configuration file; prefix with "+" to use both sets of queries.
     required: false

lib/defaults.json

@@ -1,3 +1,3 @@
 {
-    "bundleVersion": "codeql-bundle-20210503"
+    "bundleVersion": "codeql-bundle-20210517"
 }