From dfc14113e3d0fc976e3cdeac8dbeac65f5394a51 Mon Sep 17 00:00:00 2001 From: Robert Date: Thu, 28 May 2026 10:42:23 +0100 Subject: [PATCH 01/17] Change waitForProcessing to use exponential backoff --- lib/entry-points.js | 28 +++++++++++++++------------- src/upload-lib.ts | 44 +++++++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 32 deletions(-) diff --git a/lib/entry-points.js b/lib/entry-points.js index 78a5f058af..3ee58bebb7 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -157473,22 +157473,18 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) { logger.info(`Writing processed SARIF file to ${outputFile}`); fs21.writeFileSync(outputFile, sarifPayload); } -var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3; -var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3; +var STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS = 5 * 1e3; +var STATUS_CHECK_BACKOFF_MULTIPLIER = 2; +var STATUS_CHECK_MAX_TRIES = 5; async function waitForProcessing(repositoryNwo, sarifID, logger, options = { isUnsuccessfulExecution: false }) { logger.startGroup("Waiting for processing to finish"); try { const client = getApiClient(); - const statusCheckingStarted = Date.now(); - while (true) { - if (Date.now() > statusCheckingStarted + STATUS_CHECK_TIMEOUT_MILLISECONDS) { - logger.warning( - "Timed out waiting for analysis to finish processing. Continuing." - ); - break; - } + let statusCheckBackoff = STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS; + await delay(statusCheckBackoff, { allowProcessExit: false }); + for (let statusCheckCount = 1; statusCheckCount <= STATUS_CHECK_MAX_TRIES; statusCheckCount++) { let response = void 0; try { response = await client.request( 
@@ -157526,9 +157522,15 @@ ${response.data.errors}`; } else { assertNever(status); } - await delay(STATUS_CHECK_FREQUENCY_MILLISECONDS, { - allowProcessExit: false - }); + if (statusCheckCount === STATUS_CHECK_MAX_TRIES) { + logger.warning( + "Timed out waiting for analysis to finish processing. Continuing." + ); + break; + } else { + statusCheckBackoff *= STATUS_CHECK_BACKOFF_MULTIPLIER; + await delay(statusCheckBackoff, { allowProcessExit: false }); + } } } finally { logger.endGroup(); diff --git a/src/upload-lib.ts b/src/upload-lib.ts index 83331aeed9..005227ea78 100644 --- a/src/upload-lib.ts +++ b/src/upload-lib.ts @@ -829,8 +829,10 @@ function dumpSarifFile( fs.writeFileSync(outputFile, sarifPayload); } -const STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1000; -const STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1000; +// Should lead to status checks after 5s, 15s, 35s, 75s, and 155s. +const STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS = 5 * 1000; +const STATUS_CHECK_BACKOFF_MULTIPLIER = 2; +const STATUS_CHECK_MAX_TRIES = 5; type ProcessingStatus = "pending" | "complete" | "failed"; 
@@ -854,20 +856,15 @@ export async function waitForProcessing( try { const client = api.getApiClient(); - const statusCheckingStarted = Date.now(); - while (true) { - if ( - Date.now() > - statusCheckingStarted + STATUS_CHECK_TIMEOUT_MILLISECONDS - ) { - // If the analysis hasn't finished processing in the allotted time, we continue anyway rather than failing. - // It's possible the analysis will eventually finish processing, but it's not worth spending more - // Actions time waiting. - logger.warning( - "Timed out waiting for analysis to finish processing. Continuing.", - ); - break; - } + // Do an initial wait because processing will always take a minimum of 2-3 seconds + let statusCheckBackoff = STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS; + await util.delay(statusCheckBackoff, { allowProcessExit: false }); + + for ( + let statusCheckCount = 1; + statusCheckCount <= STATUS_CHECK_MAX_TRIES; + statusCheckCount++ + ) { let response: OctokitResponse | undefined = undefined; try { response = await client.request( @@ -912,9 +909,18 @@ export async function waitForProcessing( util.assertNever(status); } - await util.delay(STATUS_CHECK_FREQUENCY_MILLISECONDS, { - allowProcessExit: false, - }); + if (statusCheckCount === STATUS_CHECK_MAX_TRIES) { + // If the analysis hasn't finished processing in the allotted time, we continue anyway rather than failing. + // It's possible the analysis will eventually finish processing, but it's not worth spending more + // Actions time waiting. + logger.warning( + "Timed out waiting for analysis to finish processing. Continuing.", + ); + break; + } else { + statusCheckBackoff *= STATUS_CHECK_BACKOFF_MULTIPLIER; + await util.delay(statusCheckBackoff, { allowProcessExit: false }); + } } } finally { logger.endGroup(); From 948a63aed1cfd5c69e66d4c5c9b60ad2b5b23d64 Mon Sep 17 00:00:00 2001 
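Review bot: The retry limit in `waitForProcessing` (src/upload-lib.ts) is now encoded twice, once in the `for` condition `statusCheckCount <= STATUS_CHECK_MAX_TRIES` and again in the trailing `if (statusCheckCount === STATUS_CHECK_MAX_TRIES)` that logs the timeout. If the two ever drift apart, the loop ends without the warning and the log gives no sign that processing was never confirmed. Because that branch ends in `break`, the `else` is redundant; `statusCheckBackoff *= STATUS_CHECK_BACKOFF_MULTIPLIER;` and the following `await util.delay(...)` can sit at loop level. The middle of the loop body lies outside these hunks, so it is worth checking that no `continue` there can skip both the backoff and the warning.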
From: Henry Mercer Date: Mon, 1 Jun 2026 15:20:13 +0100 Subject: [PATCH 02/17] Add FF to force JGit-based Git backend --- lib/entry-points.js | 8 ++++++++ src/feature-flags.ts | 10 ++++++++++ src/init-action.ts | 5 +++++ 3 files changed, 23 insertions(+) diff --git a/lib/entry-points.js b/lib/entry-points.js index 0e7010b990..12666b8f4b 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -149396,6 +149396,11 @@ var featureConfig = { legacyApi: true, minimumVersion: void 0 }, + ["force_jgit" /* ForceJGit */]: { + defaultValue: false, + envVar: "CODEQL_ACTION_FORCE_JGIT", + minimumVersion: void 0 + }, ["force_nightly" /* ForceNightly */]: { defaultValue: false, envVar: "CODEQL_ACTION_FORCE_NIGHTLY", @@ -159348,6 +159353,9 @@ exec ${goBinaryPath} "$@"` if (await features.getValue("disable_kotlin_analysis_enabled" /* DisableKotlinAnalysisEnabled */)) { core21.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true"); } + if (await features.getValue("force_jgit" /* ForceJGit */)) { + core21.exportVariable("CODEQL_GIT_BACKEND", "jgit"); + } const kotlinLimitVar = "CODEQL_EXTRACTOR_KOTLIN_OVERRIDE_MAXIMUM_VERSION_LIMIT"; if (await codeQlVersionAtLeast(codeql, "2.20.3") && !await codeQlVersionAtLeast(codeql, "2.20.4")) { core21.exportVariable(kotlinLimitVar, "2.1.20"); diff --git a/src/feature-flags.ts b/src/feature-flags.ts index 6b40d04dab..05a2611426 100644 --- a/src/feature-flags.ts +++ b/src/feature-flags.ts @@ -82,6 +82,11 @@ export enum Feature { DisableJavaBuildlessEnabled = "disable_java_buildless_enabled", DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled", ExportDiagnosticsEnabled = "export_diagnostics_enabled", + /** + * Emergency override that forces the CodeQL CLI to use the JGit-based Git backend instead of its + * default backend selection. + */ + ForceJGit = "force_jgit", ForceNightly = "force_nightly", IgnoreGeneratedFiles = "ignore_generated_files", JavaNetworkDebugging = "java_network_debugging", 
@@ -224,6 +229,11 @@ export const featureConfig = { legacyApi: true, minimumVersion: undefined, }, + [Feature.ForceJGit]: { + defaultValue: false, + envVar: "CODEQL_ACTION_FORCE_JGIT", + minimumVersion: undefined, + }, [Feature.ForceNightly]: { defaultValue: false, envVar: "CODEQL_ACTION_FORCE_NIGHTLY", diff --git a/src/init-action.ts b/src/init-action.ts index 9d2619b1d1..b7593a51cc 100644 --- a/src/init-action.ts +++ b/src/init-action.ts @@ -614,6 +614,11 @@ async function run(startedAt: Date) { core.exportVariable("CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN", "true"); } + // Emergency override to force the CodeQL CLI back to the JGit-based Git backend. + if (await features.getValue(Feature.ForceJGit)) { + core.exportVariable("CODEQL_GIT_BACKEND", "jgit"); + } + const kotlinLimitVar = "CODEQL_EXTRACTOR_KOTLIN_OVERRIDE_MAXIMUM_VERSION_LIMIT"; if ( From d40e417f3c43e66dec164393f3b2b94722865c6f Mon Sep 17 00:00:00 2001 From: Robert Date: Mon, 1 Jun 2026 16:43:42 +0100 Subject: [PATCH 03/17] Only do initial wait when not running tests --- lib/entry-points.js | 4 +++- src/upload-lib.ts | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/entry-points.js b/lib/entry-points.js index 3ee58bebb7..1a19e2a491 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -157483,7 +157483,9 @@ async function waitForProcessing(repositoryNwo, sarifID, logger, options = { try { const client = getApiClient(); let statusCheckBackoff = STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS; - await delay(statusCheckBackoff, { allowProcessExit: false }); + if (process.env["NODE_ENV"] !== "test") { + await delay(statusCheckBackoff, { allowProcessExit: false }); + } for (let statusCheckCount = 1; statusCheckCount <= STATUS_CHECK_MAX_TRIES; statusCheckCount++) { let response = void 0; try { diff --git a/src/upload-lib.ts b/src/upload-lib.ts index 005227ea78..83d1eaffb0 100644 --- a/src/upload-lib.ts +++ b/src/upload-lib.ts 
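Review bot: Nothing is logged when the `Feature.ForceJGit` branch in `run()` of src/init-action.ts fires, so a run with the emergency override active looks the same in the log as a normal one. `core.exportVariable("CODEQL_GIT_BACKEND", "jgit")` also replaces any `CODEQL_GIT_BACKEND` value the workflow set itself, and the exported value stays in effect for the later steps of the job. A line such as `core.info("Forcing the JGit-based Git backend because force_jgit is enabled.");` before the export would make the override visible when a run is triaged. `run()` starts and ends outside the hunk.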
@@ -858,7 +858,9 @@ export async function waitForProcessing( // Do an initial wait because processing will always take a minimum of 2-3 seconds let statusCheckBackoff = STATUS_CHECK_INITIAL_BACKOFF_MILLISECONDS; - await util.delay(statusCheckBackoff, { allowProcessExit: false }); + if (process.env["NODE_ENV"] !== "test") { + await util.delay(statusCheckBackoff, { allowProcessExit: false }); + } for ( let statusCheckCount = 1; From 25c25b5e09a2b7b21407dae4d901fa0e4778858a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 2 Jun 2026 10:09:22 +0000 Subject: [PATCH 04/17] Update changelog and version after v4.36.1 --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba30ae7290..1d7b131449 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. +## [UNRELEASED] + +No user facing changes. + ## 4.36.1 - 02 Jun 2026 No user facing changes. diff --git a/package-lock.json b/package-lock.json index 648cefad07..2b0679b5b2 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "codeql", - "version": "4.36.1", + "version": "4.36.2", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "codeql", - "version": "4.36.1", + "version": "4.36.2", "license": "MIT", "workspaces": [ "pr-checks" diff --git a/package.json b/package.json index f8b937a0bf..18a8f3911d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "codeql", - "version": "4.36.1", + "version": "4.36.2", "private": true, "description": "CodeQL action", "scripts": { From 0ad7c1f95ec5c574792a6371d0ac313f2c260188 Mon Sep 17 00:00:00 2001 
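Review bot: The new guard `process.env["NODE_ENV"] !== "test"` in `waitForProcessing` (src/upload-lib.ts) makes shipped behaviour depend on a general-purpose variable that workflows often set for their own test jobs. With `NODE_ENV=test` in the job environment the initial wait is skipped on a real run, and the schedule documented on the constants (first check after 5s) no longer holds. An action-specific switch, or a delay function passed in so tests can stub it, would keep the test concern out of the production path. The comment above the guard still explains only the wait itself; it should add the reason for the condition, e.g. `// Skipped under unit tests so they do not sleep for the initial backoff.`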
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 2 Jun 2026 10:09:37 +0000 Subject: [PATCH 05/17] Rebuild --- lib/entry-points.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/entry-points.js b/lib/entry-points.js index b33d56b17a..3052ae2013 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -148366,7 +148366,7 @@ function getDiffRangesJsonFilePath() { return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME); } function getActionVersion() { - return "4.36.1"; + return "4.36.2"; } function getWorkflowEventName() { return getRequiredEnvParam("GITHUB_EVENT_NAME"); From bab673d0e076c181a206e9adeace53d359f9df0e Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 2 Jun 2026 14:55:09 +0100 Subject: [PATCH 06/17] Cache CLI version information across Actions steps --- lib/entry-points.js | 258 ++++++++++++++++++++++++-------------------- src/codeql.ts | 7 +- src/environment.ts | 6 ++ src/util.test.ts | 23 ++++ src/util.ts | 42 +++++++- 5 files changed, 211 insertions(+), 125 deletions(-) diff --git a/lib/entry-points.js b/lib/entry-points.js index 3052ae2013..03ee3761a1 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -19179,12 +19179,12 @@ var require_lib = __commonJS({ throw new Error("Client has already been disposed."); } const parsedUrl = new URL(requestUrl); - let info7 = this._prepareRequest(verb, parsedUrl, headers); + let info8 = this._prepareRequest(verb, parsedUrl, headers); const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) ? this._maxRetries + 1 : 1; let numTries = 0; let response; do { - response = yield this.requestRaw(info7, data); + response = yield this.requestRaw(info8, data); if (response && response.message && response.message.statusCode === HttpCodes.Unauthorized) { let authenticationHandler; for (const handler2 of this.handlers) { 
@@ -19194,7 +19194,7 @@ var require_lib = __commonJS({ } } if (authenticationHandler) { - return authenticationHandler.handleAuthentication(this, info7, data); + return authenticationHandler.handleAuthentication(this, info8, data); } else { return response; } @@ -19217,8 +19217,8 @@ var require_lib = __commonJS({ } } } - info7 = this._prepareRequest(verb, parsedRedirectUrl, headers); - response = yield this.requestRaw(info7, data); + info8 = this._prepareRequest(verb, parsedRedirectUrl, headers); + response = yield this.requestRaw(info8, data); redirectsRemaining--; } if (!response.message.statusCode || !HttpResponseRetryCodes.includes(response.message.statusCode)) { @@ -19247,7 +19247,7 @@ var require_lib = __commonJS({ * @param info * @param data */ - requestRaw(info7, data) { + requestRaw(info8, data) { return __awaiter2(this, void 0, void 0, function* () { return new Promise((resolve13, reject) => { function callbackForResult(err, res) { @@ -19259,7 +19259,7 @@ var require_lib = __commonJS({ resolve13(res); } } - this.requestRawWithCallback(info7, data, callbackForResult); + this.requestRawWithCallback(info8, data, callbackForResult); }); }); } @@ -19269,12 +19269,12 @@ var require_lib = __commonJS({ * @param data * @param onResult */ - requestRawWithCallback(info7, data, onResult) { + requestRawWithCallback(info8, data, onResult) { if (typeof data === "string") { - if (!info7.options.headers) { - info7.options.headers = {}; + if (!info8.options.headers) { + info8.options.headers = {}; } - info7.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8"); + info8.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8"); } let callbackCalled = false; function handleResult(err, res) { 
@@ -19283,7 +19283,7 @@ var require_lib = __commonJS({ onResult(err, res); } } - const req = info7.httpModule.request(info7.options, (msg) => { + const req = info8.httpModule.request(info8.options, (msg) => { const res = new HttpClientResponse(msg); handleResult(void 0, res); }); @@ -19295,7 +19295,7 @@ var require_lib = __commonJS({ if (socket) { socket.end(); } - handleResult(new Error(`Request timeout: ${info7.options.path}`)); + handleResult(new Error(`Request timeout: ${info8.options.path}`)); }); req.on("error", function(err) { handleResult(err); 
@@ -19331,27 +19331,27 @@ var require_lib = __commonJS({ return this._getProxyAgentDispatcher(parsedUrl, proxyUrl); } _prepareRequest(method, requestUrl, headers) { - const info7 = {}; - info7.parsedUrl = requestUrl; - const usingSsl = info7.parsedUrl.protocol === "https:"; - info7.httpModule = usingSsl ? https3 : http; + const info8 = {}; + info8.parsedUrl = requestUrl; + const usingSsl = info8.parsedUrl.protocol === "https:"; + info8.httpModule = usingSsl ? https3 : http; const defaultPort = usingSsl ? 443 : 80; - info7.options = {}; - info7.options.host = info7.parsedUrl.hostname; - info7.options.port = info7.parsedUrl.port ? parseInt(info7.parsedUrl.port) : defaultPort; - info7.options.path = (info7.parsedUrl.pathname || "") + (info7.parsedUrl.search || ""); - info7.options.method = method; - info7.options.headers = this._mergeHeaders(headers); + info8.options = {}; + info8.options.host = info8.parsedUrl.hostname; + info8.options.port = info8.parsedUrl.port ? parseInt(info8.parsedUrl.port) : defaultPort; + info8.options.path = (info8.parsedUrl.pathname || "") + (info8.parsedUrl.search || ""); + info8.options.method = method; + info8.options.headers = this._mergeHeaders(headers); if (this.userAgent != null) { - info7.options.headers["user-agent"] = this.userAgent; + info8.options.headers["user-agent"] = this.userAgent; } - info7.options.agent = this._getAgent(info7.parsedUrl); + info8.options.agent = this._getAgent(info8.parsedUrl); if (this.handlers) { for (const handler2 of this.handlers) { - handler2.prepareRequest(info7.options); + handler2.prepareRequest(info8.options); } } - return info7; + return info8; } _mergeHeaders(headers) { if (this.requestOptions && this.requestOptions.headers) { 
@@ -21406,7 +21406,7 @@ var require_core = __commonJS({ exports2.error = error3; exports2.warning = warning14; exports2.notice = notice; - exports2.info = info7; + exports2.info = info8; exports2.startGroup = startGroup4; exports2.endGroup = endGroup4; exports2.group = group; @@ -21503,7 +21503,7 @@ Support boolean input list: \`true | True | TRUE | false | False | FALSE\``); function notice(message, properties = {}) { (0, command_1.issueCommand)("notice", (0, utils_1.toCommandProperties)(properties), message instanceof Error ? message.toString() : message); } - function info7(message) { + function info8(message) { process.stdout.write(message + os7.EOL); } function startGroup4(name) { @@ -42402,12 +42402,12 @@ var require_operationHelpers = __commonJS({ if (hasOriginalRequest(request3)) { return getOperationRequestInfo(request3[originalRequestSymbol]); } - let info7 = state_js_1.state.operationRequestMap.get(request3); - if (!info7) { - info7 = {}; - state_js_1.state.operationRequestMap.set(request3, info7); + let info8 = state_js_1.state.operationRequestMap.get(request3); + if (!info8) { + info8 = {}; + state_js_1.state.operationRequestMap.set(request3, info8); } - return info7; + return info8; } } }); @@ -76954,9 +76954,9 @@ var require_reflection_type_check = __commonJS({ var reflection_info_1 = require_reflection_info(); var oneof_1 = require_oneof(); var ReflectionTypeCheck = class { - constructor(info7) { + constructor(info8) { var _a; - this.fields = (_a = info7.fields) !== null && _a !== void 0 ? _a : []; + this.fields = (_a = info8.fields) !== null && _a !== void 0 ? _a : []; } prepare() { if (this.data) @@ -77202,8 +77202,8 @@ var require_reflection_json_reader = __commonJS({ var assert_1 = require_assert(); var reflection_long_convert_1 = require_reflection_long_convert(); var ReflectionJsonReader = class { - constructor(info7) { - this.info = info7; + constructor(info8) { + this.info = info8; } prepare() { var _a; 
@@ -77499,9 +77499,9 @@ var require_reflection_json_writer = __commonJS({ var reflection_info_1 = require_reflection_info(); var assert_1 = require_assert(); var ReflectionJsonWriter = class { - constructor(info7) { + constructor(info8) { var _a; - this.fields = (_a = info7.fields) !== null && _a !== void 0 ? _a : []; + this.fields = (_a = info8.fields) !== null && _a !== void 0 ? _a : []; } /** * Converts the message to a JSON object, based on the field descriptors. @@ -77754,8 +77754,8 @@ var require_reflection_binary_reader = __commonJS({ var reflection_long_convert_1 = require_reflection_long_convert(); var reflection_scalar_default_1 = require_reflection_scalar_default(); var ReflectionBinaryReader = class { - constructor(info7) { - this.info = info7; + constructor(info8) { + this.info = info8; } prepare() { var _a; @@ -77928,8 +77928,8 @@ var require_reflection_binary_writer = __commonJS({ var assert_1 = require_assert(); var pb_long_1 = require_pb_long(); var ReflectionBinaryWriter = class { - constructor(info7) { - this.info = info7; + constructor(info8) { + this.info = info8; } prepare() { if (!this.fields) { @@ -78179,9 +78179,9 @@ var require_reflection_merge_partial = __commonJS({ "use strict"; Object.defineProperty(exports2, "__esModule", { value: true }); exports2.reflectionMergePartial = void 0; - function reflectionMergePartial(info7, target, source) { + function reflectionMergePartial(info8, target, source) { let fieldValue, input = source, output; - for (let field of info7.fields) { + for (let field of info8.fields) { let name = field.localName; if (field.oneof) { const group = input[field.oneof]; 
@@ -78250,12 +78250,12 @@ var require_reflection_equals = __commonJS({ Object.defineProperty(exports2, "__esModule", { value: true }); exports2.reflectionEquals = void 0; var reflection_info_1 = require_reflection_info(); - function reflectionEquals(info7, a, b) { + function reflectionEquals(info8, a, b) { if (a === b) return true; if (!a || !b) return false; - for (let field of info7.fields) { + for (let field of info8.fields) { let localName = field.localName; let val_a = field.oneof ? a[field.oneof][localName] : a[localName]; let val_b = field.oneof ? b[field.oneof][localName] : b[localName]; @@ -91275,7 +91275,7 @@ var require_async = __commonJS({ } } var sortBy$1 = awaitify(sortBy, 3); - function timeout(asyncFn, milliseconds, info7) { + function timeout(asyncFn, milliseconds, info8) { var fn = wrapAsync(asyncFn); return initialParams((args, callback) => { var timedOut = false; @@ -91284,8 +91284,8 @@ var require_async = __commonJS({ var name = asyncFn.name || "anonymous"; var error3 = new Error('Callback function "' + name + '" timed out.'); error3.code = "ETIMEDOUT"; - if (info7) { - error3.info = info7; + if (info8) { + error3.info = info8; } timedOut = true; callback(error3); @@ -114681,12 +114681,12 @@ var require_lib4 = __commonJS({ throw new Error("Client has already been disposed."); } const parsedUrl = new URL(requestUrl); - let info7 = this._prepareRequest(verb, parsedUrl, headers); + let info8 = this._prepareRequest(verb, parsedUrl, headers); const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) ? this._maxRetries + 1 : 1; let numTries = 0; let response; do { - response = yield this.requestRaw(info7, data); + response = yield this.requestRaw(info8, data); if (response && response.message && response.message.statusCode === HttpCodes.Unauthorized) { let authenticationHandler; for (const handler2 of this.handlers) { 
@@ -114696,7 +114696,7 @@ var require_lib4 = __commonJS({ } } if (authenticationHandler) { - return authenticationHandler.handleAuthentication(this, info7, data); + return authenticationHandler.handleAuthentication(this, info8, data); } else { return response; } @@ -114719,8 +114719,8 @@ var require_lib4 = __commonJS({ } } } - info7 = this._prepareRequest(verb, parsedRedirectUrl, headers); - response = yield this.requestRaw(info7, data); + info8 = this._prepareRequest(verb, parsedRedirectUrl, headers); + response = yield this.requestRaw(info8, data); redirectsRemaining--; } if (!response.message.statusCode || !HttpResponseRetryCodes.includes(response.message.statusCode)) { @@ -114749,7 +114749,7 @@ var require_lib4 = __commonJS({ * @param info * @param data */ - requestRaw(info7, data) { + requestRaw(info8, data) { return __awaiter2(this, void 0, void 0, function* () { return new Promise((resolve13, reject) => { function callbackForResult(err, res) { @@ -114761,7 +114761,7 @@ var require_lib4 = __commonJS({ resolve13(res); } } - this.requestRawWithCallback(info7, data, callbackForResult); + this.requestRawWithCallback(info8, data, callbackForResult); }); }); } @@ -114771,12 +114771,12 @@ var require_lib4 = __commonJS({ * @param data * @param onResult */ - requestRawWithCallback(info7, data, onResult) { + requestRawWithCallback(info8, data, onResult) { if (typeof data === "string") { - if (!info7.options.headers) { - info7.options.headers = {}; + if (!info8.options.headers) { + info8.options.headers = {}; } - info7.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8"); + info8.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8"); } let callbackCalled = false; function handleResult(err, res) { 
@@ -114785,7 +114785,7 @@ var require_lib4 = __commonJS({ onResult(err, res); } } - const req = info7.httpModule.request(info7.options, (msg) => { + const req = info8.httpModule.request(info8.options, (msg) => { const res = new HttpClientResponse(msg); handleResult(void 0, res); }); @@ -114797,7 +114797,7 @@ var require_lib4 = __commonJS({ if (socket) { socket.end(); } - handleResult(new Error(`Request timeout: ${info7.options.path}`)); + handleResult(new Error(`Request timeout: ${info8.options.path}`)); }); req.on("error", function(err) { handleResult(err); 
@@ -114833,27 +114833,27 @@ var require_lib4 = __commonJS({ return this._getProxyAgentDispatcher(parsedUrl, proxyUrl); } _prepareRequest(method, requestUrl, headers) { - const info7 = {}; - info7.parsedUrl = requestUrl; - const usingSsl = info7.parsedUrl.protocol === "https:"; - info7.httpModule = usingSsl ? https3 : http; + const info8 = {}; + info8.parsedUrl = requestUrl; + const usingSsl = info8.parsedUrl.protocol === "https:"; + info8.httpModule = usingSsl ? https3 : http; const defaultPort = usingSsl ? 443 : 80; - info7.options = {}; - info7.options.host = info7.parsedUrl.hostname; - info7.options.port = info7.parsedUrl.port ? parseInt(info7.parsedUrl.port) : defaultPort; - info7.options.path = (info7.parsedUrl.pathname || "") + (info7.parsedUrl.search || ""); - info7.options.method = method; - info7.options.headers = this._mergeHeaders(headers); + info8.options = {}; + info8.options.host = info8.parsedUrl.hostname; + info8.options.port = info8.parsedUrl.port ? parseInt(info8.parsedUrl.port) : defaultPort; + info8.options.path = (info8.parsedUrl.pathname || "") + (info8.parsedUrl.search || ""); + info8.options.method = method; + info8.options.headers = this._mergeHeaders(headers); if (this.userAgent != null) { - info7.options.headers["user-agent"] = this.userAgent; + info8.options.headers["user-agent"] = this.userAgent; } - info7.options.agent = this._getAgent(info7.parsedUrl); + info8.options.agent = this._getAgent(info8.parsedUrl); if (this.handlers) { for (const handler2 of this.handlers) { - handler2.prepareRequest(info7.options); + handler2.prepareRequest(info8.options); } } - return info7; + return info8; } _mergeHeaders(headers) { if (this.requestOptions && this.requestOptions.headers) { 
@@ -121241,11 +121241,11 @@ var require_dist_node12 = __commonJS({ } async function wrapRequest2(state, request3, options) { const limiter = new Bottleneck2(); - limiter.on("failed", function(error3, info7) { + limiter.on("failed", function(error3, info8) { const maxRetries = ~~error3.request.request.retries; const after = ~~error3.request.request.retryAfter; - options.request.retryCount = info7.retryCount + 1; - if (maxRetries > info7.retryCount) { + options.request.retryCount = info8.retryCount + 1; + if (maxRetries > info8.retryCount) { return after * state.retryAfterBaseValue; } }); @@ -122453,12 +122453,12 @@ var require_lib5 = __commonJS({ throw new Error("Client has already been disposed."); } const parsedUrl = new URL(requestUrl); - let info7 = this._prepareRequest(verb, parsedUrl, headers); + let info8 = this._prepareRequest(verb, parsedUrl, headers); const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) ? this._maxRetries + 1 : 1; let numTries = 0; let response; do { - response = yield this.requestRaw(info7, data); + response = yield this.requestRaw(info8, data); if (response && response.message && response.message.statusCode === HttpCodes.Unauthorized) { let authenticationHandler; for (const handler2 of this.handlers) { @@ -122468,7 +122468,7 @@ var require_lib5 = __commonJS({ } } if (authenticationHandler) { - return authenticationHandler.handleAuthentication(this, info7, data); + return authenticationHandler.handleAuthentication(this, info8, data); } else { return response; } @@ -122491,8 +122491,8 @@ var require_lib5 = __commonJS({ } } } - info7 = this._prepareRequest(verb, parsedRedirectUrl, headers); - response = yield this.requestRaw(info7, data); + info8 = this._prepareRequest(verb, parsedRedirectUrl, headers); + response = yield this.requestRaw(info8, data); redirectsRemaining--; } if (!response.message.statusCode || !HttpResponseRetryCodes.includes(response.message.statusCode)) { 
@@ -122521,7 +122521,7 @@ var require_lib5 = __commonJS({ * @param info * @param data */ - requestRaw(info7, data) { + requestRaw(info8, data) { return __awaiter2(this, void 0, void 0, function* () { return new Promise((resolve13, reject) => { function callbackForResult(err, res) { @@ -122533,7 +122533,7 @@ var require_lib5 = __commonJS({ resolve13(res); } } - this.requestRawWithCallback(info7, data, callbackForResult); + this.requestRawWithCallback(info8, data, callbackForResult); }); }); } @@ -122543,12 +122543,12 @@ var require_lib5 = __commonJS({ * @param data * @param onResult */ - requestRawWithCallback(info7, data, onResult) { + requestRawWithCallback(info8, data, onResult) { if (typeof data === "string") { - if (!info7.options.headers) { - info7.options.headers = {}; + if (!info8.options.headers) { + info8.options.headers = {}; } - info7.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8"); + info8.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8"); } let callbackCalled = false; function handleResult(err, res) { @@ -122557,7 +122557,7 @@ var require_lib5 = __commonJS({ onResult(err, res); } } - const req = info7.httpModule.request(info7.options, (msg) => { + const req = info8.httpModule.request(info8.options, (msg) => { const res = new HttpClientResponse(msg); handleResult(void 0, res); }); @@ -122569,7 +122569,7 @@ var require_lib5 = __commonJS({ if (socket) { socket.end(); } - handleResult(new Error(`Request timeout: ${info7.options.path}`)); + handleResult(new Error(`Request timeout: ${info8.options.path}`)); }); req.on("error", function(err) { handleResult(err); 
@@ -122605,27 +122605,27 @@ var require_lib5 = __commonJS({ return this._getProxyAgentDispatcher(parsedUrl, proxyUrl); } _prepareRequest(method, requestUrl, headers) { - const info7 = {}; - info7.parsedUrl = requestUrl; - const usingSsl = info7.parsedUrl.protocol === "https:"; - info7.httpModule = usingSsl ? https3 : http; + const info8 = {}; + info8.parsedUrl = requestUrl; + const usingSsl = info8.parsedUrl.protocol === "https:"; + info8.httpModule = usingSsl ? https3 : http; const defaultPort = usingSsl ? 443 : 80; - info7.options = {}; - info7.options.host = info7.parsedUrl.hostname; - info7.options.port = info7.parsedUrl.port ? parseInt(info7.parsedUrl.port) : defaultPort; - info7.options.path = (info7.parsedUrl.pathname || "") + (info7.parsedUrl.search || ""); - info7.options.method = method; - info7.options.headers = this._mergeHeaders(headers); + info8.options = {}; + info8.options.host = info8.parsedUrl.hostname; + info8.options.port = info8.parsedUrl.port ? parseInt(info8.parsedUrl.port) : defaultPort; + info8.options.path = (info8.parsedUrl.pathname || "") + (info8.parsedUrl.search || ""); + info8.options.method = method; + info8.options.headers = this._mergeHeaders(headers); if (this.userAgent != null) { - info7.options.headers["user-agent"] = this.userAgent; + info8.options.headers["user-agent"] = this.userAgent; } - info7.options.agent = this._getAgent(info7.parsedUrl); + info8.options.agent = this._getAgent(info8.parsedUrl); if (this.handlers) { for (const handler2 of this.handlers) { - handler2.prepareRequest(info7.options); + handler2.prepareRequest(info8.options); } } - return info7; + return info8; } _mergeHeaders(headers) { if (this.requestOptions && this.requestOptions.headers) { 
@@ -124615,10 +124615,10 @@ Support boolean input list: \`true | True | TRUE | false | False | FALSE\``); (0, command_1.issueCommand)("notice", (0, utils_1.toCommandProperties)(properties), message instanceof Error ? message.toString() : message); } exports2.notice = notice; - function info7(message) { + function info8(message) { process.stdout.write(message + os7.EOL); } - exports2.info = info7; + exports2.info = info8; function startGroup4(name) { (0, command_1.issue)("group", name); } @@ -148062,14 +148062,34 @@ function asHTTPError(arg) { return void 0; } var cachedCodeQlVersion = void 0; -function cacheCodeQlVersion(version) { +function cacheCodeQlVersion(cmd, version) { if (cachedCodeQlVersion !== void 0) { throw new Error("cacheCodeQlVersion() should be called only once"); } cachedCodeQlVersion = version; + core3.exportVariable( + "CODEQL_ACTION_CLI_VERSION_INFO" /* CODEQL_VERSION_INFO */, + JSON.stringify({ cmd, version }) + ); } -function getCachedCodeQlVersion() { - return cachedCodeQlVersion; +function getCachedCodeQlVersion(cmd) { + if (cachedCodeQlVersion !== void 0) { + return cachedCodeQlVersion; + } + const serialized = process.env["CODEQL_ACTION_CLI_VERSION_INFO" /* CODEQL_VERSION_INFO */]; + if (!serialized) { + return void 0; + } + let persisted; + try { + persisted = JSON.parse(serialized); + } catch { + return void 0; + } + if (typeof persisted?.version?.version !== "string" || cmd !== void 0 && persisted.cmd !== cmd) { + return void 0; + } + return persisted.version; } async function codeQlVersionAtLeast(codeql, requiredVersion) { return semver.gte((await codeql.getVersion()).version, requiredVersion); 
@@ -148669,11 +148689,11 @@ async function errorRequest(state, octokit, error3, options) { } async function wrapRequest(state, octokit, request3, options) { const limiter = new import_light.default(); - limiter.on("failed", function(error3, info7) { + limiter.on("failed", function(error3, info8) { const maxRetries = ~~error3.request.request?.retries; const after = ~~error3.request.request?.retryAfter; - options.request.retryCount = info7.retryCount + 1; - if (maxRetries > info7.retryCount) { + options.request.retryCount = info8.retryCount + 1; + if (maxRetries > info8.retryCount) { return after * state.retryAfterBaseValue; } }); @@ -153873,7 +153893,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { return cmd; }, async getVersion() { - let result = getCachedCodeQlVersion(); + let result = getCachedCodeQlVersion(cmd); if (result === void 0) { const output = await runCli(cmd, ["version", "--format=json"], { noStreamStdout: true @@ -153885,12 +153905,12 @@ async function getCodeQLForCmd(cmd, checkVersion) { `Invalid JSON output from \`version --format=json\`: ${output}` ); } - cacheCodeQlVersion(result); + cacheCodeQlVersion(cmd, result); } return result; }, async printVersion() { - await runCli(cmd, ["version", "--format=json"]); + core11.info(JSON.stringify(await this.getVersion(), null, 2)); }, async supportsFeature(feature) { return isSupportedToolsFeature(await this.getVersion(), feature); diff --git a/src/codeql.ts b/src/codeql.ts index 19f933c39a..afae491a4a 100644 --- a/src/codeql.ts +++ b/src/codeql.ts @@ -523,7 +523,7 @@ async function getCodeQLForCmd( return cmd; }, async getVersion() { - let result = util.getCachedCodeQlVersion(); + let result = util.getCachedCodeQlVersion(cmd); if (result === undefined) { const output = await runCli(cmd, ["version", "--format=json"], { noStreamStdout: true, 
@@ -535,12 +535,13 @@ async function getCodeQLForCmd( `Invalid JSON output from \`version --format=json\`: ${output}`, ); } - util.cacheCodeQlVersion(result); + util.cacheCodeQlVersion(cmd, result); } return result; }, async printVersion() { - await runCli(cmd, ["version", "--format=json"]); + // Reuse the cached version information rather than invoking the CLI again. + core.info(JSON.stringify(await this.getVersion(), null, 2)); }, async supportsFeature(feature: ToolsFeature) { return isSupportedToolsFeature(await this.getVersion(), feature); diff --git a/src/environment.ts b/src/environment.ts index ed44ddcff2..c3f54ebd27 100644 --- a/src/environment.ts +++ b/src/environment.ts @@ -17,6 +17,12 @@ export enum EnvVar { */ CLI_VERBOSITY = "CODEQL_VERBOSITY", + /** + * `PersistedVersionInfo` for the CodeQL CLI, so later Actions steps can reuse it instead of + * invoking `codeql version` again. + */ + CODEQL_VERSION_INFO = "CODEQL_ACTION_CLI_VERSION_INFO", + /** Whether the CodeQL Action has invoked the Go autobuilder. */ DID_AUTOBUILD_GOLANG = "CODEQL_ACTION_DID_AUTOBUILD_GOLANG", diff --git a/src/util.test.ts b/src/util.test.ts index cca457cbe6..8760b77e21 100644 --- a/src/util.test.ts +++ b/src/util.test.ts 
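Review bot: `printVersion()` in the `@@ -535,12 +535,13 @@` hunk of `src/codeql.ts` used to stream what the binary at `cmd` reported, but now logs whatever `getVersion()` returns. That can be a value persisted by an earlier step, re-serialised by `JSON.stringify`. The log therefore no longer shows on its own which CLI is actually on disk, which matters if the bundle at the same path was replaced between steps (not something the hunk rules out). I would at least extend the comment to say so, e.g. `// May print a version persisted by an earlier step rather than fresh CLI output.`, or log whether the value came from the environment. `getCodeQLForCmd` starts and ends outside the hunk.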
@@ -532,3 +532,26 @@ test("Failure.orElse returns the default value for a failure result", (t) => { const result = new util.Failure(new Error("test error")); t.is(result.orElse("default value"), "default value"); }); + +test("getCachedCodeQlVersion reuses a version persisted by an earlier step", (t) => { + process.env[EnvVar.CODEQL_VERSION_INFO] = JSON.stringify({ + cmd: "/path/to/codeql", + version: { version: "2.20.0" }, + }); + t.deepEqual(util.getCachedCodeQlVersion("/path/to/codeql"), { + version: "2.20.0", + }); +}); + +test("getCachedCodeQlVersion ignores a persisted version from a different CLI", (t) => { + process.env[EnvVar.CODEQL_VERSION_INFO] = JSON.stringify({ + cmd: "/path/to/other-codeql", + version: { version: "2.20.0" }, + }); + t.is(util.getCachedCodeQlVersion("/path/to/codeql"), undefined); +}); + +test("getCachedCodeQlVersion ignores a malformed persisted value", (t) => { + process.env[EnvVar.CODEQL_VERSION_INFO] = "not valid json"; + t.is(util.getCachedCodeQlVersion("/path/to/codeql"), undefined); +}); diff --git a/src/util.ts b/src/util.ts index e2331461bd..c9a20b467d 100644 --- a/src/util.ts +++ b/src/util.ts 
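Review bot: All three new tests assign `process.env[EnvVar.CODEQL_VERSION_INFO]` and never restore it, so the value leaks into whichever test runs next in this file. They also depend on the module-level `cachedCodeQlVersion` being unset, which would break silently if another test here ever called `cacheCodeQlVersion`. Adding `t.teardown(() => { delete process.env[EnvVar.CODEQL_VERSION_INFO]; });` to each test would keep them isolated. The branch that guards the cast to `VersionInfo` is also untested for valid JSON of the wrong shape; a case such as `process.env[EnvVar.CODEQL_VERSION_INFO] = JSON.stringify({ cmd: "/path/to/codeql", version: {} });` expecting `undefined` would cover it.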
@@ -619,15 +619,51 @@ export function asHTTPError(arg: any): HTTPError | undefined { let cachedCodeQlVersion: undefined | VersionInfo = undefined; -export function cacheCodeQlVersion(version: VersionInfo): void { +/** The persisted version together with the CLI path it was obtained from. */ +interface PersistedVersionInfo { + cmd: string; + version: VersionInfo; +} + +export function cacheCodeQlVersion(cmd: string, version: VersionInfo): void { if (cachedCodeQlVersion !== undefined) { throw new Error("cacheCodeQlVersion() should be called only once"); } cachedCodeQlVersion = version; + // Persist the version so that subsequent Actions steps, which run in separate + // processes, can reuse it rather than invoking `codeql version` again. We + // record the CLI path so that a different step using a different CodeQL bundle + // doesn't pick up a stale version. + core.exportVariable( + EnvVar.CODEQL_VERSION_INFO, + JSON.stringify({ cmd, version }), + ); } -export function getCachedCodeQlVersion(): undefined | VersionInfo { - return cachedCodeQlVersion; +export function getCachedCodeQlVersion(cmd?: string): undefined | VersionInfo { + if (cachedCodeQlVersion !== undefined) { + return cachedCodeQlVersion; + } + // Fall back to the value persisted by an earlier Actions step, if any. This is + // best-effort: any malformed or mismatched value is ignored so that the caller + // invokes `codeql version` instead. + const serialized = process.env[EnvVar.CODEQL_VERSION_INFO]; + if (!serialized) { + return undefined; + } + let persisted: PersistedVersionInfo; + try { + persisted = JSON.parse(serialized) as PersistedVersionInfo; + } catch { + return undefined; + } + if ( + typeof persisted?.version?.version !== "string" || + (cmd !== undefined && persisted.cmd !== cmd) + ) { + return undefined; + } + return persisted.version; } export async function codeQlVersionAtLeast( From 87f4948cb05b8fc27fbcaa1c7da28c28bb2ca1ec Mon Sep 17 00:00:00 2001 
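Review bot: `getCachedCodeQlVersion` returns the object found in `CODEQL_ACTION_CLI_VERSION_INFO` once `version.version` is a string and `cmd` matches, and the rest of that object is cast to `VersionInfo` unchecked. A job-level environment variable can be overwritten by any step that runs between the one that exported it and the one that reads it, so this value is untrusted input to the version and feature checks that consume `getVersion()`. I would reject anything that is not a valid semver string or whose optional fields have the wrong type. I would also skip the persisted value when no `cmd` is given, since the path is the only thing tying it to a particular CLI. The sketch below assumes `semver` is imported in this file and that `features` is the only other field consulted, neither of which is visible in the hunk.

```typescript
// … unchanged: in-memory cache check, env lookup, JSON.parse in try/catch …
  const candidate = persisted?.version;
  if (
    cmd === undefined ||
    persisted?.cmd !== cmd ||
    typeof candidate?.version !== "string" ||
    semver.valid(candidate.version) === null ||
    (candidate.features !== undefined &&
      (typeof candidate.features !== "object" || candidate.features === null))
  ) {
    return undefined;
  }
  return candidate;
```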
From: Henry Mercer Date: Wed, 3 Jun 2026 17:19:36 +0100 Subject: [PATCH 07/17] Pin first-party Actions --- .github/actions/release-initialise/action.yml | 4 +- .github/workflows/__all-platform-bundle.yml | 6 +-- .github/workflows/__analysis-kinds.yml | 10 ++-- .github/workflows/__analyze-ref-input.yml | 6 +-- .github/workflows/__autobuild-action.yml | 4 +- ...obuild-direct-tracing-with-working-dir.yml | 4 +- .github/workflows/__autobuild-working-dir.yml | 2 +- .github/workflows/__build-mode-autobuild.yml | 4 +- .github/workflows/__build-mode-manual.yml | 6 +-- .github/workflows/__build-mode-none.yml | 2 +- .github/workflows/__build-mode-rollback.yml | 2 +- .github/workflows/__bundle-from-nightly.yml | 2 +- .github/workflows/__bundle-from-toolcache.yml | 6 +-- .github/workflows/__bundle-toolcache.yml | 8 ++-- .github/workflows/__bundle-zstd.yml | 8 ++-- .../workflows/__cleanup-db-cluster-dir.yml | 2 +- .github/workflows/__config-export.yml | 6 +-- .github/workflows/__config-input.yml | 4 +- .github/workflows/__cpp-deptrace-disabled.yml | 2 +- .../__cpp-deptrace-enabled-on-macos.yml | 2 +- .github/workflows/__cpp-deptrace-enabled.yml | 2 +- .github/workflows/__diagnostics-export.yml | 6 +-- .../__export-file-baseline-information.yml | 8 ++-- .github/workflows/__extractor-ram-threads.yml | 2 +- .github/workflows/__global-proxy.yml | 2 +- .github/workflows/__go-custom-queries.yml | 6 +-- ...indirect-tracing-workaround-diagnostic.yml | 8 ++-- ...ect-tracing-workaround-no-file-program.yml | 6 +-- .../__go-indirect-tracing-workaround.yml | 4 +- .../workflows/__go-tracing-autobuilder.yml | 4 +- .../__go-tracing-custom-build-steps.yml | 4 +- .../__go-tracing-legacy-workflow.yml | 4 +- .github/workflows/__init-with-registries.yml | 2 +- .../workflows/__javascript-source-root.yml | 2 +- .github/workflows/__job-run-uuid-sarif.yml | 4 +- .github/workflows/__language-aliases.yml | 2 +- .github/workflows/__local-bundle.yml | 6 +-- .../workflows/__multi-language-autodetect.yml | 8 
++-- .github/workflows/__overlay-init-fallback.yml | 2 +- ...ackaging-codescanning-config-inputs-js.yml | 8 ++-- .../__packaging-config-inputs-js.yml | 8 ++-- .github/workflows/__packaging-config-js.yml | 8 ++-- .github/workflows/__packaging-inputs-js.yml | 8 ++-- .github/workflows/__remote-config.yml | 6 +-- .../__resolve-environment-action.yml | 2 +- .../workflows/__rubocop-multi-language.yml | 2 +- .github/workflows/__ruby.yml | 2 +- .github/workflows/__rust.yml | 2 +- .github/workflows/__split-workflow.yml | 6 +-- .github/workflows/__start-proxy.yml | 2 +- .github/workflows/__submit-sarif-failure.yml | 4 +- .github/workflows/__swift-autobuild.yml | 2 +- .github/workflows/__swift-custom-build.yml | 6 +-- .github/workflows/__unset-environment.yml | 6 +-- .github/workflows/__upload-ref-sha-input.yml | 6 +-- .github/workflows/__upload-sarif.yml | 6 +-- .github/workflows/__with-checkout-path.yml | 8 ++-- .../check-expected-release-files.yml | 2 +- .github/workflows/codeql.yml | 6 +-- .github/workflows/codescanning-config-cli.yml | 4 +- .../debug-artifacts-failure-safe.yml | 8 ++-- .github/workflows/debug-artifacts-safe.yml | 8 ++-- .github/workflows/post-release-mergeback.yml | 8 ++-- .github/workflows/pr-checks.yml | 14 +++--- .github/workflows/prepare-release.yml | 2 +- .../workflows/publish-immutable-action.yml | 4 +- .github/workflows/python312-windows.yml | 4 +- .github/workflows/query-filters.yml | 4 +- .github/workflows/rebuild.yml | 4 +- .github/workflows/rollback-release.yml | 4 +- .github/workflows/test-codeql-bundle-all.yml | 4 +- .github/workflows/update-bundle.yml | 6 +-- .github/workflows/update-release-branch.yml | 6 +-- ...e-supported-enterprise-server-versions.yml | 6 +-- pr-checks/checks/analysis-kinds.yml | 8 ++-- pr-checks/checks/bundle-from-toolcache.yml | 4 +- pr-checks/checks/bundle-toolcache.yml | 6 +-- pr-checks/checks/bundle-zstd.yml | 6 +-- pr-checks/checks/config-export.yml | 4 +- pr-checks/checks/diagnostics-export.yml | 4 +- 
.../export-file-baseline-information.yml | 2 +- ...indirect-tracing-workaround-diagnostic.yml | 4 +- ...ect-tracing-workaround-no-file-program.yml | 2 +- pr-checks/checks/job-run-uuid-sarif.yml | 2 +- .../checks/multi-language-autodetect.yml | 2 +- pr-checks/checks/submit-sarif-failure.yml | 2 +- pr-checks/checks/with-checkout-path.yml | 2 +- pr-checks/sync.ts | 46 ++++++++++++++++--- 88 files changed, 243 insertions(+), 209 deletions(-) diff --git a/.github/actions/release-initialise/action.yml b/.github/actions/release-initialise/action.yml index b3eda48f6b..057d5a5b6d 100644 --- a/.github/actions/release-initialise/action.yml +++ b/.github/actions/release-initialise/action.yml @@ -16,13 +16,13 @@ runs: shell: bash - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index 1be1d63758..648679b7bf 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml @@ -74,13 +74,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__analysis-kinds.yml b/.github/workflows/__analysis-kinds.yml index 1e43775fff..504c1fcc6e 100644 
--- a/.github/workflows/__analysis-kinds.yml +++ b/.github/workflows/__analysis-kinds.yml @@ -72,7 +72,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -92,7 +92,7 @@ jobs: post-processed-sarif-path: '${{ runner.temp }}/post-processed' - name: Upload SARIF files - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: | analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }} @@ -100,7 +100,7 @@ jobs: retention-days: 7 - name: Upload post-processed SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: | post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }} @@ -110,7 +110,7 @@ jobs: - name: Check quality query does not appear in security SARIF if: contains(matrix.analysis-kinds, 'code-scanning') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif' EXPECT_PRESENT: 'false' @@ -118,7 +118,7 @@ jobs: script: ${{ env.CHECK_SCRIPT }} - name: Check quality query appears in quality SARIF if: contains(matrix.analysis-kinds, 'code-quality') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/javascript.quality.sarif' EXPECT_PRESENT: 'true' diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml index 9ad6c3ec7c..5f4bb4d04a 100644 --- a/.github/workflows/__analyze-ref-input.yml +++ b/.github/workflows/__analyze-ref-input.yml 
@@ -70,13 +70,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml index 7521614f2c..f8cd1275d7 100644 --- a/.github/workflows/__autobuild-action.yml +++ b/.github/workflows/__autobuild-action.yml @@ -64,9 +64,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Prepare test diff --git a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml index 8acd90253f..d0a4e7d783 100644 --- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml +++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml @@ -66,9 +66,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: ${{ inputs.java-version || '17' }} distribution: temurin 
diff --git a/.github/workflows/__autobuild-working-dir.yml b/.github/workflows/__autobuild-working-dir.yml index c9fb1e9e9c..f9718baf7b 100644 --- a/.github/workflows/__autobuild-working-dir.yml +++ b/.github/workflows/__autobuild-working-dir.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml index 7619d45936..f22f642e6b 100644 --- a/.github/workflows/__build-mode-autobuild.yml +++ b/.github/workflows/__build-mode-autobuild.yml @@ -66,9 +66,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: ${{ inputs.java-version || '17' }} distribution: temurin diff --git a/.github/workflows/__build-mode-manual.yml b/.github/workflows/__build-mode-manual.yml index 93010fe636..515e28223c 100644 --- a/.github/workflows/__build-mode-manual.yml +++ b/.github/workflows/__build-mode-manual.yml @@ -70,13 +70,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false 
diff --git a/.github/workflows/__build-mode-none.yml b/.github/workflows/__build-mode-none.yml index 5611d23811..4aff835887 100644 --- a/.github/workflows/__build-mode-none.yml +++ b/.github/workflows/__build-mode-none.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__build-mode-rollback.yml b/.github/workflows/__build-mode-rollback.yml index b4dd4041bb..f7c4d090e6 100644 --- a/.github/workflows/__build-mode-rollback.yml +++ b/.github/workflows/__build-mode-rollback.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__bundle-from-nightly.yml b/.github/workflows/__bundle-from-nightly.yml index a7dc934a0a..5499696453 100644 --- a/.github/workflows/__bundle-from-nightly.yml +++ b/.github/workflows/__bundle-from-nightly.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__bundle-from-toolcache.yml b/.github/workflows/__bundle-from-toolcache.yml index 4c7f21a32b..389981985c 100644 --- a/.github/workflows/__bundle-from-toolcache.yml +++ b/.github/workflows/__bundle-from-toolcache.yml 
@@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -62,7 +62,7 @@ jobs: run: npm install @actions/tool-cache@3 - name: Check toolcache contains CodeQL continue-on-error: true - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); @@ -75,7 +75,7 @@ jobs: with: tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Check CodeQL is installed within the toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); diff --git a/.github/workflows/__bundle-toolcache.yml b/.github/workflows/__bundle-toolcache.yml index 7606475875..7e83829d6a 100644 --- a/.github/workflows/__bundle-toolcache.yml +++ b/.github/workflows/__bundle-toolcache.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -63,7 +63,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Remove CodeQL from toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const fs = require('fs'); @@ -73,7 +73,7 @@ jobs: - name: Install @actions/tool-cache run: npm install @actions/tool-cache@3 - name: Check toolcache does not contain CodeQL - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); 
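Review bot: In the `@@ -62,7 +62,7 @@` hunk of `__bundle-from-toolcache.yml`, the step just above the newly pinned `actions/github-script` still runs `npm install @actions/tool-cache@3`, and the script then loads it with `require('@actions/tool-cache')`. The code run by the pinned action is therefore still resolved from a floating major-version range at run time. The same context line appears in the `@@ -73,7 +73,7 @@` hunk of `__bundle-toolcache.yml`. Pinning to an exact version, `run: npm install @actions/tool-cache@<exact-version>`, would match the intent of this commit. The diffstat also lists `pr-checks/checks/bundle-from-toolcache.yml` and `pr-checks/sync.ts`, so if the `__` workflows are generated, the edit presumably belongs in that source file. The job body continues outside both hunks.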
@@ -92,7 +92,7 @@ jobs: output: ${{ runner.temp }}/results upload-database: false - name: Check CodeQL is installed within the toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); diff --git a/.github/workflows/__bundle-zstd.yml b/.github/workflows/__bundle-zstd.yml index 85e0695268..45cf73a0ed 100644 --- a/.github/workflows/__bundle-zstd.yml +++ b/.github/workflows/__bundle-zstd.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -63,7 +63,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Remove CodeQL from toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const fs = require('fs'); @@ -82,13 +82,13 @@ jobs: output: ${{ runner.temp }}/results upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.os }}-zstd-bundle.sarif path: ${{ runner.temp }}/results/javascript.sarif retention-days: 7 - name: Check diagnostic with expected tools URL appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif with: diff --git a/.github/workflows/__cleanup-db-cluster-dir.yml b/.github/workflows/__cleanup-db-cluster-dir.yml index cc41fea77a..249a1f81b6 100644 --- a/.github/workflows/__cleanup-db-cluster-dir.yml +++ b/.github/workflows/__cleanup-db-cluster-dir.yml 
@@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml index 24549dd186..e359764bdd 100644 --- a/.github/workflows/__config-export.yml +++ b/.github/workflows/__config-export.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -70,13 +70,13 @@ jobs: output: '${{ runner.temp }}/results' upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: '${{ runner.temp }}/results/javascript.sarif' retention-days: 7 - name: Check config properties appear in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif' with: diff --git a/.github/workflows/__config-input.yml b/.github/workflows/__config-input.yml index a2e4dba2c3..2a82e9aa5c 100644 --- a/.github/workflows/__config-input.yml +++ b/.github/workflows/__config-input.yml @@ -50,9 +50,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.x cache: npm 
diff --git a/.github/workflows/__cpp-deptrace-disabled.yml b/.github/workflows/__cpp-deptrace-disabled.yml index c73161cd8a..9e44285198 100644 --- a/.github/workflows/__cpp-deptrace-disabled.yml +++ b/.github/workflows/__cpp-deptrace-disabled.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml index d2cce49369..825d4acd99 100644 --- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml +++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__cpp-deptrace-enabled.yml b/.github/workflows/__cpp-deptrace-enabled.yml index 0539d4ce60..c4ac54f3db 100644 --- a/.github/workflows/__cpp-deptrace-enabled.yml +++ b/.github/workflows/__cpp-deptrace-enabled.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml index bdf6b0aee1..418517a159 100644 --- a/.github/workflows/__diagnostics-export.yml +++ b/.github/workflows/__diagnostics-export.yml 
@@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -81,13 +81,13 @@ jobs: output: '${{ runner.temp }}/results' upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: '${{ runner.temp }}/results/javascript.sarif' retention-days: 7 - name: Check diagnostics appear in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/javascript.sarif' with: diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml index 359461007d..18fcfafe08 100644 --- a/.github/workflows/__export-file-baseline-information.yml +++ b/.github/workflows/__export-file-baseline-information.yml @@ -74,13 +74,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false 
@@ -102,7 +102,7 @@ jobs: with: output: '${{ runner.temp }}/results' - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: '${{ runner.temp }}/results/javascript.sarif' diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml index eee08de580..a647124bcc 100644 --- a/.github/workflows/__extractor-ram-threads.yml +++ b/.github/workflows/__extractor-ram-threads.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__global-proxy.yml b/.github/workflows/__global-proxy.yml index 08c4ad64af..df544fb68a 100644 --- a/.github/workflows/__global-proxy.yml +++ b/.github/workflows/__global-proxy.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml index cc11dc941d..a595300652 100644 --- a/.github/workflows/__go-custom-queries.yml +++ b/.github/workflows/__go-custom-queries.yml 
@@ -72,13 +72,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml index e474e1b6f5..2415c7ff8e 100644 --- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml +++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml @@ -60,9 +60,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false @@ -78,7 +78,7 @@ jobs: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} # Deliberately change Go after the `init` step - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: '1.20' - name: Build code @@ -88,7 +88,7 @@ jobs: output: '${{ runner.temp }}/results' upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/go.sarif' with: 
diff --git a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml index cc94d3bb8a..38718fba2c 100644 --- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml +++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml @@ -60,9 +60,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false @@ -89,7 +89,7 @@ jobs: output: '${{ runner.temp }}/results' upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: '${{ runner.temp }}/results/go.sarif' with: diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml index 6c8a24e0c9..754299d3ed 100644 --- a/.github/workflows/__go-indirect-tracing-workaround.yml +++ b/.github/workflows/__go-indirect-tracing-workaround.yml @@ -60,9 +60,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml index f44a512f85..5c96e28f11 100644 --- a/.github/workflows/__go-tracing-autobuilder.yml +++ b/.github/workflows/__go-tracing-autobuilder.yml 
@@ -80,9 +80,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml index aae22d8c01..7d3ea3aea0 100644 --- a/.github/workflows/__go-tracing-custom-build-steps.yml +++ b/.github/workflows/__go-tracing-custom-build-steps.yml @@ -80,9 +80,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml index cce0102575..68012f0d4d 100644 --- a/.github/workflows/__go-tracing-legacy-workflow.yml +++ b/.github/workflows/__go-tracing-legacy-workflow.yml @@ -80,9 +80,9 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml index 940784361d..2c55e14e4a 100644 --- a/.github/workflows/__init-with-registries.yml +++ b/.github/workflows/__init-with-registries.yml 
@@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml index dc1a395ce9..31662fc166 100644 --- a/.github/workflows/__javascript-source-root.yml +++ b/.github/workflows/__javascript-source-root.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__job-run-uuid-sarif.yml b/.github/workflows/__job-run-uuid-sarif.yml index a10ccd1d1d..c0fa820e52 100644 --- a/.github/workflows/__job-run-uuid-sarif.yml +++ b/.github/workflows/__job-run-uuid-sarif.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -67,7 +67,7 @@ jobs: with: output: '${{ runner.temp }}/results' - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json path: '${{ runner.temp }}/results/javascript.sarif' diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml index a4cdb034bf..fe9ebef9c3 100644 --- a/.github/workflows/__language-aliases.yml +++ b/.github/workflows/__language-aliases.yml 
@@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__local-bundle.yml b/.github/workflows/__local-bundle.yml index 50eb333492..a6ab9f523f 100644 --- a/.github/workflows/__local-bundle.yml +++ b/.github/workflows/__local-bundle.yml @@ -70,13 +70,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index 8115b66ee2..f4849b9903 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -104,13 +104,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false 
@@ -125,7 +125,7 @@ jobs: # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer. # See https://github.com/github/codeql-action/pull/3212 if: matrix.version != 'nightly-latest' && matrix.version != 'linked' - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' diff --git a/.github/workflows/__overlay-init-fallback.yml b/.github/workflows/__overlay-init-fallback.yml index 0871e6b44b..554e9defcc 100644 --- a/.github/workflows/__overlay-init-fallback.yml +++ b/.github/workflows/__overlay-init-fallback.yml @@ -52,7 +52,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml index 94280eeedb..9c7d842293 100644 --- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml +++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml @@ -74,18 +74,18 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.x cache: npm 
diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml index 146bc43552..c446c7ff36 100644 --- a/.github/workflows/__packaging-config-inputs-js.yml +++ b/.github/workflows/__packaging-config-inputs-js.yml @@ -74,18 +74,18 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.x cache: npm diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml index fddd971f39..e550e493d5 100644 --- a/.github/workflows/__packaging-config-js.yml +++ b/.github/workflows/__packaging-config-js.yml @@ -74,18 +74,18 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.x cache: npm 
diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml index 64bd575d55..7d3450d04b 100644 --- a/.github/workflows/__packaging-inputs-js.yml +++ b/.github/workflows/__packaging-inputs-js.yml @@ -74,18 +74,18 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 20.x cache: npm diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml index 4302583d73..277f9293e9 100644 --- a/.github/workflows/__remote-config.yml +++ b/.github/workflows/__remote-config.yml @@ -72,13 +72,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index 982e4e7152..05125ca107 100644 --- a/.github/workflows/__resolve-environment-action.yml 
+++ b/.github/workflows/__resolve-environment-action.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml index 5d11093bbd..e2bd040d51 100644 --- a/.github/workflows/__rubocop-multi-language.yml +++ b/.github/workflows/__rubocop-multi-language.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml index 6d326ee887..b8d556e534 100644 --- a/.github/workflows/__ruby.yml +++ b/.github/workflows/__ruby.yml @@ -60,7 +60,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__rust.yml b/.github/workflows/__rust.yml index 1c3d18d16e..91c3d6618e 100644 --- a/.github/workflows/__rust.yml +++ b/.github/workflows/__rust.yml @@ -58,7 +58,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml index 7dfa812499..64efae65f2 100644 --- a/.github/workflows/__split-workflow.yml +++ b/.github/workflows/__split-workflow.yml 
@@ -80,13 +80,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__start-proxy.yml b/.github/workflows/__start-proxy.yml index 70ec13c96b..7a318b0233 100644 --- a/.github/workflows/__start-proxy.yml +++ b/.github/workflows/__start-proxy.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml index 2fdfeddfbf..03ea2de232 100644 --- a/.github/workflows/__submit-sarif-failure.yml +++ b/.github/workflows/__submit-sarif-failure.yml @@ -54,7 +54,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -62,7 +62,7 @@ jobs: version: ${{ matrix.version }} use-all-platform-bundle: 'false' setup-kotlin: 'true' - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: ./init with: languages: javascript diff --git a/.github/workflows/__swift-autobuild.yml b/.github/workflows/__swift-autobuild.yml index cd26309f4e..4962547032 100644 --- a/.github/workflows/__swift-autobuild.yml 
+++ b/.github/workflows/__swift-autobuild.yml @@ -50,7 +50,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index efdbde7215..83c06ffd09 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -74,13 +74,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml index 535362e836..b519e01dd6 100644 --- a/.github/workflows/__unset-environment.yml +++ b/.github/workflows/__unset-environment.yml @@ -72,13 +72,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false 
diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml index 4e95021495..9a1c91dea9 100644 --- a/.github/workflows/__upload-ref-sha-input.yml +++ b/.github/workflows/__upload-ref-sha-input.yml @@ -70,13 +70,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__upload-sarif.yml b/.github/workflows/__upload-sarif.yml index 547828d072..182adbfdea 100644 --- a/.github/workflows/__upload-sarif.yml +++ b/.github/workflows/__upload-sarif.yml @@ -77,13 +77,13 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index 0d97287577..3d6380462b 100644 --- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml 
@@ -71,13 +71,13 @@ jobs: steps: # This ensures we don't accidentally use the original checkout for any part of the test. - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: ${{ inputs.dotnet-version || '9.x' }} - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ inputs.go-version || '>=1.21.0' }} cache: false @@ -96,7 +96,7 @@ jobs: rm -rf ./* .github .git # Check out the actions repo again, but at a different location. # choose an arbitrary SHA so that we can later test that the commit_oid is not from main - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6 path: x/y/z/some-path diff --git a/.github/workflows/check-expected-release-files.yml b/.github/workflows/check-expected-release-files.yml index 79ce600711..ee6ad120bc 100644 --- a/.github/workflows/check-expected-release-files.yml +++ b/.github/workflows/check-expected-release-files.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Checkout CodeQL Action - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Check Expected Release Files run: | bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9f14b05bf3..d604bbd80e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -35,7 +35,7 @@ jobs: security-events: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up default CodeQL bundle id: setup-default uses: ./setup-codeql 
@@ -87,7 +87,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Initialize CodeQL uses: ./init id: init @@ -124,7 +124,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Initialize CodeQL uses: ./init with: diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml index 0da0f4d38f..3a62bd78d3 100644 --- a/.github/workflows/codescanning-config-cli.yml +++ b/.github/workflows/codescanning-config-cli.yml @@ -59,10 +59,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' diff --git a/.github/workflows/debug-artifacts-failure-safe.yml b/.github/workflows/debug-artifacts-failure-safe.yml index 5bb53ecbd6..d044d8420a 100644 --- a/.github/workflows/debug-artifacts-failure-safe.yml +++ b/.github/workflows/debug-artifacts-failure-safe.yml @@ -53,17 +53,17 @@ jobs: - name: Dump GitHub event run: cat "${GITHUB_EVENT_PATH}" - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ^1.13.1 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: '9.x' - name: Assert best-effort artifact scan completed 
@@ -94,7 +94,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Download all artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - name: Check expected artifacts exist run: | LANGUAGES="cpp csharp go java javascript python" diff --git a/.github/workflows/debug-artifacts-safe.yml b/.github/workflows/debug-artifacts-safe.yml index 85b037cba6..4699436a11 100644 --- a/.github/workflows/debug-artifacts-safe.yml +++ b/.github/workflows/debug-artifacts-safe.yml @@ -49,17 +49,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ^1.13.1 - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: '9.x' - name: Assert best-effort artifact scan completed @@ -87,7 +87,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Download all artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - name: Check expected artifacts exist run: | VERSIONS="stable-v2.20.3 default linked nightly-latest" diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml index 7ba78e2295..313a1e3558 100644 --- a/.github/workflows/post-release-mergeback.yml +++ b/.github/workflows/post-release-mergeback.yml 
@@ -44,14 +44,14 @@ jobs: GITHUB_CONTEXT: '${{ toJson(github) }}' run: echo "${GITHUB_CONTEXT}" - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # ensure we have all tags and can push commits - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' @@ -134,7 +134,7 @@ jobs: echo "::endgroup::" - name: Generate token - uses: actions/create-github-app-token@v3.2.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 6b7656150d..195494c185 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -42,10 +42,10 @@ jobs: if: runner.os == 'Windows' run: git config --global core.autocrlf false - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ matrix.node-version }} cache: 'npm' @@ -91,10 +91,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' 
@@ -155,7 +155,7 @@ jobs: - name: Upload repo size comment if: steps.fetch-base.outcome == 'success' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: repo-size-comment path: ${{ runner.temp }}/repo-size/ @@ -164,7 +164,7 @@ jobs: - name: 'Backport: Check out base ref' id: checkout-base if: ${{ startsWith(github.head_ref, 'backport-') }} - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.base_ref }} @@ -203,7 +203,7 @@ jobs: steps: - name: Download repo size comment - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: repo-size-comment path: repo-size-comment diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index fbddee3d52..915148e277 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -44,7 +44,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # Need full history for calculation of diffs diff --git a/.github/workflows/publish-immutable-action.yml b/.github/workflows/publish-immutable-action.yml index e14bc30bc4..3944a81e6d 100644 --- a/.github/workflows/publish-immutable-action.yml +++ b/.github/workflows/publish-immutable-action.yml @@ -20,8 +20,8 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Publish immutable release id: publish - uses: actions/publish-immutable-action@v0.0.4 + uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4 diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml index 85901bff81..76a9c4ff26 100644 
--- a/.github/workflows/python312-windows.yml +++ b/.github/workflows/python312-windows.yml @@ -35,11 +35,11 @@ jobs: runs-on: windows-latest steps: - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.12 - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test uses: ./.github/actions/prepare-test diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml index b55ff8af27..3d1f4275cf 100644 --- a/.github/workflows/query-filters.yml +++ b/.github/workflows/query-filters.yml @@ -35,10 +35,10 @@ jobs: contents: read # This permission is needed to allow the GitHub Actions workflow to read the contents of the repository. steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: npm diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml index cafc432d98..f1d74dc8f4 100644 --- a/.github/workflows/rebuild.yml +++ b/.github/workflows/rebuild.yml @@ -24,13 +24,13 @@ jobs: pull-requests: write # needed to comment on the PR steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 ref: ${{ env.HEAD_REF }} - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' diff --git a/.github/workflows/rollback-release.yml b/.github/workflows/rollback-release.yml index ba10430f7d..e6a9da61f9 100644 --- a/.github/workflows/rollback-release.yml +++ b/.github/workflows/rollback-release.yml 
@@ -52,7 +52,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # Need full history for calculation of diffs @@ -136,7 +136,7 @@ jobs: - name: Generate token if: github.event_name == 'workflow_dispatch' - uses: actions/create-github-app-token@v3.2.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} diff --git a/.github/workflows/test-codeql-bundle-all.yml b/.github/workflows/test-codeql-bundle-all.yml index 03ab6c37b3..c44dafc590 100644 --- a/.github/workflows/test-codeql-bundle-all.yml +++ b/.github/workflows/test-codeql-bundle-all.yml @@ -43,7 +43,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Prepare test id: prepare-test uses: ./.github/actions/prepare-test @@ -51,7 +51,7 @@ jobs: version: ${{ matrix.version }} use-all-platform-bundle: true - name: Install .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0 with: dotnet-version: '9.x' - id: init diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml index 837079481a..94c79bc56e 100644 --- a/.github/workflows/update-bundle.yml +++ b/.github/workflows/update-bundle.yml @@ -33,7 +33,7 @@ jobs: GITHUB_CONTEXT: '${{ toJson(github) }}' run: echo "$GITHUB_CONTEXT" - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Update git config run: | 
@@ -41,12 +41,12 @@ jobs: git config --global user.name "github-actions[bot]" - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24 cache: 'npm' diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml index 40d25e2163..bef7965742 100644 --- a/.github/workflows/update-release-branch.yml +++ b/.github/workflows/update-release-branch.yml @@ -38,7 +38,7 @@ jobs: contents: write # needed to push commits pull-requests: write # needed to create pull request steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # Need full history for calculation of diffs - uses: ./.github/actions/release-initialise @@ -94,14 +94,14 @@ jobs: pull-requests: write # needed to create pull request steps: - name: Generate token - uses: actions/create-github-app-token@v3.2.0 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 id: app-token with: app-id: ${{ vars.AUTOMATION_APP_ID }} private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }} - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # Need full history for calculation of diffs token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/update-supported-enterprise-server-versions.yml b/.github/workflows/update-supported-enterprise-server-versions.yml index 4cead58f4f..16f6f528c5 100644 --- a/.github/workflows/update-supported-enterprise-server-versions.yml +++ b/.github/workflows/update-supported-enterprise-server-versions.yml 
@@ -23,13 +23,13 @@ jobs: steps: - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.13" - name: Checkout CodeQL Action - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Checkout Enterprise Releases - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: github/enterprise-releases token: ${{ secrets.ENTERPRISE_RELEASE_TOKEN }} diff --git a/pr-checks/checks/analysis-kinds.yml b/pr-checks/checks/analysis-kinds.yml index 7b10f8d792..5b2aaf4aad 100644 --- a/pr-checks/checks/analysis-kinds.yml +++ b/pr-checks/checks/analysis-kinds.yml @@ -46,7 +46,7 @@ steps: post-processed-sarif-path: "${{ runner.temp }}/post-processed" - name: Upload SARIF files - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: | analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }} @@ -54,7 +54,7 @@ steps: retention-days: 7 - name: Upload post-processed SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: | post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }} @@ -64,7 +64,7 @@ steps: - name: Check quality query does not appear in security SARIF if: contains(matrix.analysis-kinds, 'code-scanning') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif" EXPECT_PRESENT: "false" 
@@ -72,7 +72,7 @@ steps: script: ${{ env.CHECK_SCRIPT }} - name: Check quality query appears in quality SARIF if: contains(matrix.analysis-kinds, 'code-quality') - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.quality.sarif" EXPECT_PRESENT: "true" diff --git a/pr-checks/checks/bundle-from-toolcache.yml b/pr-checks/checks/bundle-from-toolcache.yml index 2719ccfb00..0e51e2e12b 100644 --- a/pr-checks/checks/bundle-from-toolcache.yml +++ b/pr-checks/checks/bundle-from-toolcache.yml @@ -7,7 +7,7 @@ steps: run: npm install @actions/tool-cache@3 - name: Check toolcache contains CodeQL continue-on-error: true - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); @@ -20,7 +20,7 @@ steps: with: tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Check CodeQL is installed within the toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); diff --git a/pr-checks/checks/bundle-toolcache.yml b/pr-checks/checks/bundle-toolcache.yml index f5315d285a..83d1d7d0b5 100644 --- a/pr-checks/checks/bundle-toolcache.yml +++ b/pr-checks/checks/bundle-toolcache.yml @@ -8,7 +8,7 @@ operatingSystems: - windows steps: - name: Remove CodeQL from toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const fs = require('fs'); 
@@ -18,7 +18,7 @@ steps: - name: Install @actions/tool-cache run: npm install @actions/tool-cache@3 - name: Check toolcache does not contain CodeQL - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); @@ -37,7 +37,7 @@ steps: output: ${{ runner.temp }}/results upload-database: false - name: Check CodeQL is installed within the toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const toolcache = require('@actions/tool-cache'); diff --git a/pr-checks/checks/bundle-zstd.yml b/pr-checks/checks/bundle-zstd.yml index 810f0b0c12..a961af3c36 100644 --- a/pr-checks/checks/bundle-zstd.yml +++ b/pr-checks/checks/bundle-zstd.yml @@ -8,7 +8,7 @@ operatingSystems: - windows steps: - name: Remove CodeQL from toolcache - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const fs = require('fs'); @@ -27,13 +27,13 @@ steps: output: ${{ runner.temp }}/results upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.os }}-zstd-bundle.sarif path: ${{ runner.temp }}/results/javascript.sarif retention-days: 7 - name: Check diagnostic with expected tools URL appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif with: diff --git a/pr-checks/checks/config-export.yml b/pr-checks/checks/config-export.yml index 17dd758453..93c6407355 100644 --- a/pr-checks/checks/config-export.yml +++ b/pr-checks/checks/config-export.yml 
@@ -14,13 +14,13 @@ steps: output: "${{ runner.temp }}/results" upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: config-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: "${{ runner.temp }}/results/javascript.sarif" retention-days: 7 - name: Check config properties appear in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif" with: diff --git a/pr-checks/checks/diagnostics-export.yml b/pr-checks/checks/diagnostics-export.yml index 811335a7c7..61b9ae5efc 100644 --- a/pr-checks/checks/diagnostics-export.yml +++ b/pr-checks/checks/diagnostics-export.yml @@ -27,13 +27,13 @@ steps: output: "${{ runner.temp }}/results" upload-database: false - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: diagnostics-export-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: "${{ runner.temp }}/results/javascript.sarif" retention-days: 7 - name: Check diagnostics appear in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif" with: diff --git a/pr-checks/checks/export-file-baseline-information.yml b/pr-checks/checks/export-file-baseline-information.yml index 8f882ef598..c5d5d12dda 100644 --- a/pr-checks/checks/export-file-baseline-information.yml +++ b/pr-checks/checks/export-file-baseline-information.yml 
@@ -23,7 +23,7 @@ steps: with: output: "${{ runner.temp }}/results" - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json path: "${{ runner.temp }}/results/javascript.sarif" diff --git a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml index bd48f1a12c..69f9b47621 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml @@ -12,7 +12,7 @@ steps: languages: go tools: ${{ steps.prepare-test.outputs.tools-url }} # Deliberately change Go after the `init` step - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: "1.20" - name: Build code @@ -22,7 +22,7 @@ steps: output: "${{ runner.temp }}/results" upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/go.sarif" with: diff --git a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml index 8e3f4234b5..5068df622b 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml @@ -23,7 +23,7 @@ steps: output: "${{ runner.temp }}/results" upload-database: false - name: Check diagnostic appears in SARIF - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SARIF_PATH: "${{ runner.temp }}/results/go.sarif" with: 
diff --git a/pr-checks/checks/job-run-uuid-sarif.yml b/pr-checks/checks/job-run-uuid-sarif.yml index b37821d5a1..dc1dd02d43 100644 --- a/pr-checks/checks/job-run-uuid-sarif.yml +++ b/pr-checks/checks/job-run-uuid-sarif.yml @@ -12,7 +12,7 @@ steps: with: output: "${{ runner.temp }}/results" - name: Upload SARIF - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json path: "${{ runner.temp }}/results/javascript.sarif" diff --git a/pr-checks/checks/multi-language-autodetect.yml b/pr-checks/checks/multi-language-autodetect.yml index c52dcf9401..fcafe5fb35 100644 --- a/pr-checks/checks/multi-language-autodetect.yml +++ b/pr-checks/checks/multi-language-autodetect.yml @@ -13,7 +13,7 @@ steps: # We need Python 3.13 for older CLI versions because they are not compatible with Python 3.14 or newer. # See https://github.com/github/codeql-action/pull/3212 if: matrix.version != 'nightly-latest' && matrix.version != 'linked' - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.13" diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml index e776e23c24..2bba971d72 100644 --- a/pr-checks/checks/submit-sarif-failure.yml +++ b/pr-checks/checks/submit-sarif-failure.yml @@ -21,7 +21,7 @@ permissions: security-events: write # needed to upload the SARIF file steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: ./init with: languages: javascript diff --git a/pr-checks/checks/with-checkout-path.yml b/pr-checks/checks/with-checkout-path.yml index c53e3b4153..e91066e18e 100644 --- a/pr-checks/checks/with-checkout-path.yml +++ b/pr-checks/checks/with-checkout-path.yml 
@@ -14,7 +14,7 @@ steps: rm -rf ./* .github .git # Check out the actions repo again, but at a different location. # choose an arbitrary SHA so that we can later test that the commit_oid is not from main - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6 path: x/y/z/some-path diff --git a/pr-checks/sync.ts b/pr-checks/sync.ts index 27b1d92645..4d7ae200a4 100755 --- a/pr-checks/sync.ts +++ b/pr-checks/sync.ts @@ -7,6 +7,16 @@ import * as yaml from "yaml"; import { BuiltInLanguage } from "../src/languages"; +/** + * Returns a `uses` value for `action` pinned to a commit SHA, with the + * human-readable version recorded in a trailing comment. + */ +function pinnedUses(action: string, sha: string, version: string): yaml.Scalar { + const node = new yaml.Scalar(`${action}@${sha}`); + node.comment = ` ${version}`; + return node; +} + /** Known workflow input names. */ enum KnownInputName { GoVersion = "go-version", @@ -192,7 +202,11 @@ const languageSetups: LanguageSetups = { steps: [ { name: "Install Node.js", - uses: "actions/setup-node@v6", + uses: pinnedUses( + "actions/setup-node", + "48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e", + "v6.4.0", + ), with: { "node-version": defaultLanguageVersions.javascript, cache: "npm", @@ -210,7 +224,11 @@ const languageSetups: LanguageSetups = { steps: [ { name: "Install Go", - uses: "actions/setup-go@v6", + uses: pinnedUses( + "actions/setup-go", + "4a3601121dd01d1626a1e23e37211e3254c1c06c", + "v6.4.0", + ), with: { "go-version": `\${{ inputs.go-version || '${defaultLanguageVersions.go}' }}`, // to avoid potentially misleading autobuilder results where we expect it to download 
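Review bot: `pinnedUses` in pr-checks/sync.ts (hunk `@@ -7,6 +7,16 @@`) accepts any string as `sha`, so a tag or branch name passed by mistake produces a mutable `uses` reference that still carries a version comment and reads as pinned. A guard as the first statement would make the generator fail instead: `if (!/^[0-9a-f]{40}$/.test(sha)) throw new Error(action + ": expected a 40-character commit SHA");`. The `version` argument only becomes a YAML comment and nothing in the helper ties it to the SHA, so the docstring should say that whoever edits a call site has to verify the pair. The later hunks in this file repeat the same SHA literals at each call site.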
@@ -226,7 +244,11 @@ const languageSetups: LanguageSetups = { steps: [ { name: "Install Java", - uses: "actions/setup-java@v5", + uses: pinnedUses( + "actions/setup-java", + "be666c2fcd27ec809703dec50e508c2fdc7f6654", + "v5.2.0", + ), with: { "java-version": `\${{ inputs.java-version || '${defaultLanguageVersions.java}' }}`, distribution: "temurin", @@ -240,7 +262,11 @@ const languageSetups: LanguageSetups = { steps: [ { name: "Install Python", - uses: "actions/setup-python@v6", + uses: pinnedUses( + "actions/setup-python", + "a309ff8b426b58ec0e2a45f0f869d46889d02405", + "v6.2.0", + ), with: { "python-version": `\${{ inputs.python-version || '${defaultLanguageVersions.python}' }}`, }, @@ -253,7 +279,11 @@ const languageSetups: LanguageSetups = { steps: [ { name: "Install .NET", - uses: "actions/setup-dotnet@v5", + uses: pinnedUses( + "actions/setup-dotnet", + "9a946fdbd5fb07b82b2f5a4466058b876ab72bb2", + "v5.3.0", + ), with: { "dotnet-version": `\${{ inputs.dotnet-version || '${defaultLanguageVersions.csharp}' }}`, }, @@ -456,7 +486,11 @@ function generateJob( const steps: Step[] = [ { name: "Check out repository", - uses: "actions/checkout@v6", + uses: pinnedUses( + "actions/checkout", + "df4cb1c069e1874edd31b4311f1884172cec0e10", + "v6.0.3", + ), }, ...setupInfo.steps, { From fd3f10809d17ee45d1526bbf47fed6d1d87602bb Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 3 Jun 2026 17:21:10 +0100 Subject: [PATCH 08/17] Update sync-back script This is intended as a workaround until https://github.com/github/codeql-action/pull/3556 is merged. --- pr-checks/sync-back.test.ts | 35 +++++++++++++++++++++++++++++++++++ pr-checks/sync-back.ts | 32 +++++++++++++++++++++++++++----- 2 files changed, 62 insertions(+), 5 deletions(-) diff --git a/pr-checks/sync-back.test.ts b/pr-checks/sync-back.test.ts index 8b46217492..52d4c98f3f 100755 --- a/pr-checks/sync-back.test.ts +++ b/pr-checks/sync-back.test.ts 
@@ -188,6 +188,41 @@ const steps = [ const result = updateSyncTs(syncTsPath, actionVersions); assert.equal(result, false); }); + + await it("updates SHA-pinned pinnedUses references", () => { + /** Test updating `pinnedUses(...)` references with new SHA and version */ + const syncTsContent = ` +const steps = [ + { + uses: pinnedUses( + "actions/setup-node", + "0000000000000000000000000000000000000000", + "v6.0.0", + ), + }, +]; +`; + + fs.writeFileSync(syncTsPath, syncTsContent); + + const actionVersions = { + "actions/setup-node": "48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0", + }; + + const result = updateSyncTs(syncTsPath, actionVersions); + assert.equal(result, true); + + const updatedContent = fs.readFileSync(syncTsPath, "utf8"); + + assert.ok( + updatedContent.includes('"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e"'), + ); + assert.ok(updatedContent.includes('"v6.4.0"')); + assert.ok( + !updatedContent.includes("0000000000000000000000000000000000000000"), + ); + assert.ok(!updatedContent.includes('"v6.0.0"')); + }); }); describe("updateTemplateFiles", async () => { diff --git a/pr-checks/sync-back.ts b/pr-checks/sync-back.ts index 5d7275e812..bb442b2fe1 100755 --- a/pr-checks/sync-back.ts +++ b/pr-checks/sync-back.ts @@ -68,6 +68,10 @@ export function scanGeneratedWorkflows( /** * Update hardcoded action versions in pr-checks/sync.ts * + * Handles both inline `uses: "owner/action@ref"` strings and SHA-pinned + * references expressed via the `pinnedUses("owner/action", "", "version")` + * helper. + * * @param syncTsPath - Path to sync.ts file * @param actionVersions - Map of action names to versions (may include comments) * @returns True if the file was modified, false otherwise 
@@ -87,18 +91,36 @@ export function updateSyncTs( for (const [actionName, versionWithComment] of Object.entries( actionVersions, )) { - // Extract just the version part (before any comment) for sync.ts - const version = versionWithComment.includes("#") + // Split the scanned value into the ref (e.g. a commit SHA) and the optional + // trailing version comment (e.g. `v6.0.3`). + const ref = versionWithComment.includes("#") ? versionWithComment.split("#")[0].trim() : versionWithComment.trim(); + const versionComment = versionWithComment.includes("#") + ? versionWithComment.split("#")[1].trim() + : ""; + + const escaped = actionName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // Look for patterns like uses: "actions/setup-node@v4" // Note that this will break if we store an Action uses reference in a // variable - that's a risk we're happy to take since in that case the // PR checks will just fail. - const escaped = actionName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); - const pattern = new RegExp(`(uses:\\s*")${escaped}@(?:[^"]+)(")`, "g"); - content = content.replace(pattern, `$1${actionName}@${version}$2`); + const usesPattern = new RegExp(`(uses:\\s*")${escaped}@(?:[^"]+)(")`, "g"); + content = content.replace(usesPattern, `$1${actionName}@${ref}$2`); + + // Look for SHA-pinned references expressed via the `pinnedUses` helper, e.g. + // `pinnedUses("actions/checkout", "", "v6.0.3")`, updating both the + // pinned ref and the version comment. + const pinnedPattern = new RegExp( + `(pinnedUses\\(\\s*")${escaped}("\\s*,\\s*")[^"]*("\\s*,\\s*")([^"]*)(")`, + "g", + ); + content = content.replace( + pinnedPattern, + (_match, p1, p2, p3, oldVersion, p5) => + `${p1}${actionName}${p2}${ref}${p3}${versionComment || oldVersion}${p5}`, + ); } if (content !== originalContent) { From 5ccef822447dad3d567a5d4908ba25494ca08714 Mon Sep 17 00:00:00 2001 
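Review bot: The `pinnedPattern` replacement writes `ref` into the SHA argument of `pinnedUses(...)` whatever it contains, so a scanned workflow entry such as `owner/action@v6` with no trailing comment would rewrite the call to hold a mutable tag, and `versionComment || oldVersion` would keep the previous version string next to it. Skipping the rewrite unless the ref is a full commit SHA stops sync-back from undoing a pin: `if (!/^[0-9a-f]{40}$/.test(ref)) continue;` placed just before the `pinnedPattern` replacement, or a thrown error if a non-SHA ref should fail the run. The new test in sync-back.test.ts covers only the SHA-plus-comment input; a case for a ref without a comment and one for a tag ref would pin this behaviour down. `updateSyncTs` starts and ends outside the hunk.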
From: Henry Mercer Date: Wed, 3 Jun 2026 18:31:11 +0100 Subject: [PATCH 09/17] Address review comments --- lib/entry-points.js | 13 ++++++-- src/testing-utils.ts | 5 +++ src/util.test.ts | 72 ++++++++++++++++++++++++++++++++------------ src/util.ts | 43 +++++++++++++++++++++++--- 4 files changed, 107 insertions(+), 26 deletions(-) diff --git a/lib/entry-points.js b/lib/entry-points.js index 03ee3761a1..29a829a23b 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -148062,6 +148062,14 @@ function asHTTPError(arg) { return void 0; } var cachedCodeQlVersion = void 0; +function isVersionInfo(x) { + const candidate = x; + return typeof candidate === "object" && candidate !== null && typeof candidate.version === "string" && (candidate.features === void 0 || typeof candidate.features === "object" && candidate.features !== null) && (candidate.overlayVersion === void 0 || typeof candidate.overlayVersion === "number"); +} +function isPersistedVersionInfo(x) { + const candidate = x; + return typeof candidate === "object" && candidate !== null && typeof candidate.cmd === "string" && isVersionInfo(candidate.version); +} function cacheCodeQlVersion(cmd, version) { if (cachedCodeQlVersion !== void 0) { throw new Error("cacheCodeQlVersion() should be called only once"); @@ -148086,10 +148094,11 @@ function getCachedCodeQlVersion(cmd) { } catch { return void 0; } - if (typeof persisted?.version?.version !== "string" || cmd !== void 0 && persisted.cmd !== cmd) { + if (!isPersistedVersionInfo(persisted) || cmd !== void 0 && persisted.cmd !== cmd) { return void 0; } - return persisted.version; + cachedCodeQlVersion = persisted.version; + return cachedCodeQlVersion; } async function codeQlVersionAtLeast(codeql, requiredVersion) { return semver.gte((await codeql.getVersion()).version, requiredVersion); diff --git a/src/testing-utils.ts b/src/testing-utils.ts index c3e1d51428..1702d6835a 100644 --- a/src/testing-utils.ts +++ b/src/testing-utils.ts 
@@ -32,6 +32,7 @@ import { GitHubVariant, GitHubVersion, HTTPError, + resetCachedCodeQlVersion, } from "./util"; export const SAMPLE_DOTCOM_API_DETAILS = { @@ -101,6 +102,10 @@ export function setupTests(testFn: TestFn) { // unless the test explicitly sets one up. codeql.setCodeQL({}); + // Reset the in-process CodeQL version cache so that it doesn't leak between + // tests, which each represent a separate Actions step in production. + resetCachedCodeQlVersion(); + // Replace stdout and stderr so we can record output during tests t.context.testOutput = ""; const processStdoutWrite = process.stdout.write.bind(process.stdout); diff --git a/src/util.test.ts b/src/util.test.ts index 8760b77e21..3d27e952af 100644 --- a/src/util.test.ts +++ b/src/util.test.ts 
@@ -533,25 +533,57 @@ test("Failure.orElse returns the default value for a failure result", (t) => { t.is(result.orElse("default value"), "default value"); }); -test("getCachedCodeQlVersion reuses a version persisted by an earlier step", (t) => { - process.env[EnvVar.CODEQL_VERSION_INFO] = JSON.stringify({ - cmd: "/path/to/codeql", - version: { version: "2.20.0" }, - }); - t.deepEqual(util.getCachedCodeQlVersion("/path/to/codeql"), { - version: "2.20.0", - }); -}); +test.serial( + "getCachedCodeQlVersion reuses a version persisted by an earlier step", + (t) => { + process.env[EnvVar.CODEQL_VERSION_INFO] = JSON.stringify({ + cmd: "/path/to/codeql", + version: { version: "2.20.0" }, + }); + t.deepEqual(util.getCachedCodeQlVersion("/path/to/codeql"), { + version: "2.20.0", + }); + }, +); -test("getCachedCodeQlVersion ignores a persisted version from a different CLI", (t) => { - process.env[EnvVar.CODEQL_VERSION_INFO] = JSON.stringify({ - cmd: "/path/to/other-codeql", - version: { version: "2.20.0" }, - }); - t.is(util.getCachedCodeQlVersion("/path/to/codeql"), undefined); -}); +test.serial( + "getCachedCodeQlVersion ignores a persisted version from a different CLI", + (t) => { + process.env[EnvVar.CODEQL_VERSION_INFO] = JSON.stringify({ + cmd: "/path/to/other-codeql", + version: { version: "2.20.0" }, + }); + t.is(util.getCachedCodeQlVersion("/path/to/codeql"), undefined); + }, +); -test("getCachedCodeQlVersion ignores a malformed persisted value", (t) => { - process.env[EnvVar.CODEQL_VERSION_INFO] = "not valid json"; - t.is(util.getCachedCodeQlVersion("/path/to/codeql"), undefined); -}); +test.serial( + "getCachedCodeQlVersion ignores a malformed persisted value", + (t) => { + process.env[EnvVar.CODEQL_VERSION_INFO] = "not valid json"; + t.is(util.getCachedCodeQlVersion("/path/to/codeql"), undefined); + }, +); + +test.serial( + "getCachedCodeQlVersion ignores a persisted value with the wrong structure", + (t) => { + for (const value of [ + JSON.stringify({ cmd: 
"/path/to/codeql" }), + JSON.stringify({ cmd: "/path/to/codeql", version: {} }), + JSON.stringify({ cmd: "/path/to/codeql", version: { version: 2 } }), + JSON.stringify({ version: { version: "2.20.0" } }), + JSON.stringify({ + cmd: "/path/to/codeql", + version: { version: "2.20.0", overlayVersion: "1" }, + }), + JSON.stringify({ + cmd: "/path/to/codeql", + version: { version: "2.20.0", features: "nope" }, + }), + ]) { + process.env[EnvVar.CODEQL_VERSION_INFO] = value; + t.is(util.getCachedCodeQlVersion("/path/to/codeql"), undefined, value); + } + }, +); diff --git a/src/util.ts b/src/util.ts index c9a20b467d..200d68d2c2 100644 --- a/src/util.ts +++ b/src/util.ts 
@@ -619,12 +619,44 @@ export function asHTTPError(arg: any): HTTPError | undefined { let cachedCodeQlVersion: undefined | VersionInfo = undefined; +/** + * Resets the in-process cache of the CodeQL CLI version. Only for use in tests, + * which exercise multiple "steps" within a single process. + */ +export function resetCachedCodeQlVersion(): void { + cachedCodeQlVersion = undefined; +} + /** The persisted version together with the CLI path it was obtained from. */ interface PersistedVersionInfo { cmd: string; version: VersionInfo; } +function isVersionInfo(x: unknown): x is VersionInfo { + const candidate = x as Partial | null; + return ( + typeof candidate === "object" && + candidate !== null && + typeof candidate.version === "string" && + (candidate.features === undefined || + (typeof candidate.features === "object" && + candidate.features !== null)) && + (candidate.overlayVersion === undefined || + typeof candidate.overlayVersion === "number") + ); +} + +function isPersistedVersionInfo(x: unknown): x is PersistedVersionInfo { + const candidate = x as Partial | null; + return ( + typeof candidate === "object" && + candidate !== null && + typeof candidate.cmd === "string" && + isVersionInfo(candidate.version) + ); +} + export function cacheCodeQlVersion(cmd: string, version: VersionInfo): void { if (cachedCodeQlVersion !== undefined) { throw new Error("cacheCodeQlVersion() should be called only once"); 
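Review bot: `isVersionInfo` accepts any string as `version`, including an empty one, and the value it guards is read from an environment variable that earlier steps in the same job can set. `codeQlVersionAtLeast` later passes that string to `semver.gte` (visible in the lib/entry-points.js context of this patch), which throws on a string that is not a valid version, so a bad persisted value fails at comparison time rather than being ignored here. Adding `semver.valid(candidate.version) !== null` to the conjunction would make such a value fall through to the uncached path, assuming `semver` is imported in util.ts as the bundled output suggests. The `features` check also passes for an array because `typeof [] === "object"`; `!Array.isArray(candidate.features)` would close that. Neither guard has a doc comment saying it validates shape only, not where the value came from.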
@@ -651,19 +683,22 @@ export function getCachedCodeQlVersion(cmd?: string): undefined | VersionInfo {
 if (!serialized) {
 return undefined;
 }
- let persisted: PersistedVersionInfo;
+ let persisted: unknown;
 try {
- persisted = JSON.parse(serialized) as PersistedVersionInfo;
+ persisted = JSON.parse(serialized);
 } catch {
 return undefined;
 }
 if (
- typeof persisted?.version?.version !== "string" ||
+ !isPersistedVersionInfo(persisted) ||
 (cmd !== undefined && persisted.cmd !== cmd)
 ) {
 return undefined;
 }
- return persisted.version;
+ // Memoize the parsed value so that subsequent calls in this process don't
+ // re-parse the environment variable.
+ cachedCodeQlVersion = persisted.version;
+ return cachedCodeQlVersion;
 }
 export async function codeQlVersionAtLeast(
From dd9e36c0d3a4bfa29e64add03d67961ec3c36c1a Mon Sep 17 00:00:00 2001
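Review bot: The memoized `cachedCodeQlVersion` keeps only `persisted.version` and drops the `cmd` it was validated against, so once it is populated the `persisted.cmd !== cmd` comparison in this hunk no longer guards later reads. Whether that matters depends on the start of `getCachedCodeQlVersion`, which is outside the hunk: if it returns the in-process value without looking at `cmd`, version information recorded for one CLI path could be served for another. Caching the validated `{ cmd, version }` pair and comparing `cmd` on every read would keep the binding; at minimum I would add `// NOTE: the in-process cache is not keyed by cmd; callers must always pass the same CLI path.` above the assignment. Separately, `cacheCodeQlVersion()` throws when `cachedCodeQlVersion` is already set, so a successful read followed by a write in the same process now fails where it previously did not, which deserves a line in that function's doc comment.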
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 02:38:09 +0000 Subject: [PATCH 10/17] Bump the npm-minor group across 1 directory with 2 updates Bumps the npm-minor group with 2 updates in the / directory: [semver](https://github.com/npm/node-semver) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `semver` from 7.8.0 to 7.8.1 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](https://github.com/npm/node-semver/compare/v7.8.0...v7.8.1) Updates `typescript-eslint` from 8.59.4 to 8.60.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.0/packages/typescript-eslint) --- updated-dependencies: - dependency-name: semver dependency-version: 7.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-minor - dependency-name: typescript-eslint dependency-version: 8.60.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor ... Signed-off-by: dependabot[bot] --- package-lock.json | 132 +++++++++++++++++++++++----------------------- package.json | 4 +- 2 files changed, 68 insertions(+), 68 deletions(-) diff --git a/package-lock.json b/package-lock.json index 2b0679b5b2..18253b6b9d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -32,7 +32,7 @@ "jsonschema": "1.5.0", "long": "^5.3.2", "node-forge": "^1.4.0", - "semver": "^7.8.0", + "semver": "^7.8.1", "uuid": "^14.0.0" }, "devDependencies": { 
@@ -61,7 +61,7 @@ "nock": "^14.0.15", "sinon": "^22.0.0", "typescript": "^6.0.3", - "typescript-eslint": "^8.59.4" + "typescript-eslint": "^8.60.0" } }, "node_modules/@aashutoshrathi/word-wrap": { @@ -2528,17 +2528,17 @@ "license": "MIT" }, "node_modules/@typescript-eslint/eslint-plugin": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.4.tgz", - "integrity": "sha512-PegsU+XfyJJNjd4+u/k6f9yTyp0lEXXiPopUNobZcIAUJFGICFLN+sP0Rb3JehVmiij1Ph0dFGYqODoRo/2+6A==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.60.0.tgz", + "integrity": "sha512-QYb/sa74/s7OKMbACMjrYnGspj9Hs5YI5aaffSL65UfeBUzVzBJfVo3oWSpbzPurvm7yaCCo2Lk7lVj610HqKw==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/regexpp": "^4.12.2", - "@typescript-eslint/scope-manager": "8.59.4", - "@typescript-eslint/type-utils": "8.59.4", - "@typescript-eslint/utils": "8.59.4", - "@typescript-eslint/visitor-keys": "8.59.4", + "@typescript-eslint/scope-manager": "8.60.0", + "@typescript-eslint/type-utils": "8.60.0", + "@typescript-eslint/utils": "8.60.0", + "@typescript-eslint/visitor-keys": "8.60.0", "ignore": "^7.0.5", "natural-compare": "^1.4.0", "ts-api-utils": "^2.5.0" @@ -2551,7 +2551,7 @@ "url": "https://opencollective.com/typescript-eslint" }, "peerDependencies": { - "@typescript-eslint/parser": "^8.59.4", + "@typescript-eslint/parser": "^8.60.0", "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0", "typescript": ">=4.8.4 <6.1.0" } 
@@ -2567,16 +2567,16 @@ } }, "node_modules/@typescript-eslint/parser": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.4.tgz", - "integrity": "sha512-zORHqO/tuhxY1zWuTvMUqddRxpiFJ72xVfcNoWpqdLjs6lfPbuQBJuW4pk+49/uBMy7Ssr4bzgjiKmmDB1UbZQ==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.60.0.tgz", + "integrity": "sha512-fcqpj/MyK4sxDPcbe7STNPbpQL4RLZOPWuaTmwZYuc+hJKzRf58yRxfhqGpc6PIq9ZyfSBpfHgmUHmHs0KwHwg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/scope-manager": "8.59.4", - "@typescript-eslint/types": "8.59.4", - "@typescript-eslint/typescript-estree": "8.59.4", - "@typescript-eslint/visitor-keys": "8.59.4", + "@typescript-eslint/scope-manager": "8.60.0", + "@typescript-eslint/types": "8.60.0", + "@typescript-eslint/typescript-estree": "8.60.0", + "@typescript-eslint/visitor-keys": "8.60.0", "debug": "^4.4.3" }, "engines": { @@ -2610,14 +2610,14 @@ } }, "node_modules/@typescript-eslint/project-service": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.4.tgz", - "integrity": "sha512-Ly00Vu4oAacfDeHp2Zg85ioNG6l8HG+tN1D7J+xTHSxu9y0awYKJ2zH1rFBn8ZSfuGK+7FxK3Cgl3uAz0aZZLg==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.60.0.tgz", + "integrity": "sha512-aZu74NNKJeUWqCjDddzdiKaS82dgYgV/vmf+Ui3ZdZejmgfXR/q+pRumgobnQ2cCJTgGTWp4ypiwsuofFubavg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/tsconfig-utils": "^8.59.4", - "@typescript-eslint/types": "^8.59.4", + "@typescript-eslint/tsconfig-utils": "^8.60.0", + "@typescript-eslint/types": "^8.60.0", "debug": "^4.4.3" }, "engines": { 
@@ -2650,14 +2650,14 @@ } }, "node_modules/@typescript-eslint/scope-manager": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.4.tgz", - "integrity": "sha512-mUeR/3H1WrTAddJrwut8OoPjfauaztMQmRwV5fQTUyNVJCLiUXXe4lGEyYIL2oFDpP7UtgbGJXCt72wT0z2S3Q==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.60.0.tgz", + "integrity": "sha512-pFzqhllJMs+jghLQWzV00ds39xLzuyqPSev5pd8f4Ir0rtKR3ZLUB4/4dhjOFighWb9larvtfJvqL+4yKDI3Xw==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.59.4", - "@typescript-eslint/visitor-keys": "8.59.4" + "@typescript-eslint/types": "8.60.0", + "@typescript-eslint/visitor-keys": "8.60.0" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -2668,9 +2668,9 @@ } }, "node_modules/@typescript-eslint/tsconfig-utils": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.4.tgz", - "integrity": "sha512-DLCpnKgD4alVxTBSKulK+gU1KCqOgUXfDRDXh2mZgzokQKa/70ax93I2uVO3m/LLvIAtWZIFoiifudmIqAxpMA==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.60.0.tgz", + "integrity": "sha512-BZPR3RGYlAXnly6ymAxfkVn5rCbZzQNou0rxv3GfWZ8cTQp+hhVd73khbGLAd8k1TlAPLISH337M+tAgAnaJDQ==", "dev": true, "license": "MIT", "engines": { 
@@ -2685,15 +2685,15 @@ } }, "node_modules/@typescript-eslint/type-utils": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.4.tgz", - "integrity": "sha512-uonTuPAAKr9XaBGqJ3LjYTh72zy5DyGesljO9gtmk/eFW0W1fRHjnwVYKB35Lm8d5Q5CluEW3gPHjTvZTmgrfA==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.60.0.tgz", + "integrity": "sha512-SX46wEUtitCpq7AN38HkUU/+zvUpdKf7ephtWAFgckH8O7PQIyL5gvrhQgBLuEYgLfuKWOVvWVskMbuFHAz5xg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.59.4", - "@typescript-eslint/typescript-estree": "8.59.4", - "@typescript-eslint/utils": "8.59.4", + "@typescript-eslint/types": "8.60.0", + "@typescript-eslint/typescript-estree": "8.60.0", + "@typescript-eslint/utils": "8.60.0", "debug": "^4.4.3", "ts-api-utils": "^2.5.0" }, @@ -2728,9 +2728,9 @@ } }, "node_modules/@typescript-eslint/types": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.4.tgz", - "integrity": "sha512-F1o7WJcCq+bc8dwcO/YsSEOudAH8RDtaOhM6wcAQhcUsFhnWQl81JKy48q1hoxAU0qrzM89+31GYh1515Zde3Q==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.0.tgz", + "integrity": "sha512-AsE7x2XaAK+CVbeih0Fvbn+r1qHxtpLDJ3XUuFcIinT318T90yHMJC+Zgv+jUuDjQQd06HKwxnDu6sz1IcTilA==", "dev": true, "license": "MIT", "engines": { 
@@ -2742,16 +2742,16 @@ } }, "node_modules/@typescript-eslint/typescript-estree": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.4.tgz", - "integrity": "sha512-F+RuOmcDXo4+TPdfd/TCLS3m2nw8gE9XXyZLrA3JBfaA5tz9TtdkyD3YJFmPxulyc2cKbEok/CvFE3MgSLWnag==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.60.0.tgz", + "integrity": "sha512-3AcZNBGMClm6CXDyo8kYvVGT/sx29sS0oBsIb9oZI2gunA4Vm2M3YHzRLPvsUBBsl+yB5FPtltq7gGH0iTlp9g==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/project-service": "8.59.4", - "@typescript-eslint/tsconfig-utils": "8.59.4", - "@typescript-eslint/types": "8.59.4", - "@typescript-eslint/visitor-keys": "8.59.4", + "@typescript-eslint/project-service": "8.60.0", + "@typescript-eslint/tsconfig-utils": "8.60.0", + "@typescript-eslint/types": "8.60.0", + "@typescript-eslint/visitor-keys": "8.60.0", "debug": "^4.4.3", "minimatch": "^10.2.2", "semver": "^7.7.3", 
@@ -2827,16 +2827,16 @@ } }, "node_modules/@typescript-eslint/utils": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.4.tgz", - "integrity": "sha512-cYXeNAUsG4lJo5dbc1FcKm+JwIWrj1/UpTORsC6tGMjEZ81DYcvIr9/ueikhMa/Y/gDQYGp+YX9/xQrXje5BJw==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.60.0.tgz", + "integrity": "sha512-HtXuPfrHTyBDkameWpl+vJb1Uevu2tznAyahM1Oc4AENidCLTPiZDWIo4GfcxNdC/RcfGcadzzkqbRG87dUrQA==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.9.1", - "@typescript-eslint/scope-manager": "8.59.4", - "@typescript-eslint/types": "8.59.4", - "@typescript-eslint/typescript-estree": "8.59.4" + "@typescript-eslint/scope-manager": "8.60.0", + "@typescript-eslint/types": "8.60.0", + "@typescript-eslint/typescript-estree": "8.60.0" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -2851,13 +2851,13 @@ } }, "node_modules/@typescript-eslint/visitor-keys": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.4.tgz", - "integrity": "sha512-U3gxVaDVnuZKhSspW/MzMxE1kq7zOdc072FcSNoqA1I9p8HyKbBFfEHoWckBAMgNMph4MamwS5iTVzFmrnt8TQ==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.0.tgz", + "integrity": "sha512-9WI52t8ZGLVGrPMBet25yAftqY/n95+zmoUUtJBBQTKDSKUu7OsPTroT2op7U9JatkoRccL0YkWDNMFfC4Sjxg==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.59.4", + "@typescript-eslint/types": "8.60.0", "eslint-visitor-keys": "^5.0.0" }, "engines": { 
@@ -8311,9 +8311,9 @@ } }, "node_modules/semver": { - "version": "7.8.0", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz", - "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA==", + "version": "7.8.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.1.tgz", + "integrity": "sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==", "license": "ISC", "bin": { "semver": "bin/semver.js" @@ -9292,16 +9292,16 @@ } }, "node_modules/typescript-eslint": { - "version": "8.59.4", - "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.59.4.tgz", - "integrity": "sha512-Rw6+44QNFaXtgHSjPy+Kw8hrJniMYzR85E9yLmOLcfZ91/rz+JXQbDTCmc6ccxMPY6K6PgAq26f0JCBfR7LIPQ==", + "version": "8.60.0", + "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.60.0.tgz", + "integrity": "sha512-9f65qWLZdAW9m1JaxBDUHcqRUfL8bkxxXL7XxEfI+F09q56PkBvIfCjLF3yInsDM/BBmwkqmCQdCZe/RYlIWEw==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/eslint-plugin": "8.59.4", - "@typescript-eslint/parser": "8.59.4", - "@typescript-eslint/typescript-estree": "8.59.4", - "@typescript-eslint/utils": "8.59.4" + "@typescript-eslint/eslint-plugin": "8.60.0", + "@typescript-eslint/parser": "8.60.0", + "@typescript-eslint/typescript-estree": "8.60.0", + "@typescript-eslint/utils": "8.60.0" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" diff --git a/package.json b/package.json index 18a8f3911d..ec33e335b0 100644 --- a/package.json +++ b/package.json @@ -40,7 +40,7 @@ "jsonschema": "1.5.0", "long": "^5.3.2", "node-forge": "^1.4.0", - "semver": "^7.8.0", + "semver": "^7.8.1", "uuid": "^14.0.0" }, "devDependencies": { @@ -69,7 +69,7 @@ "nock": "^14.0.15", "sinon": "^22.0.0", "typescript": "^6.0.3", - "typescript-eslint": "^8.59.4" + "typescript-eslint": "^8.60.0" }, "overrides": { "@actions/tool-cache": { 
From acb38f72652acef3e808cdfb107649fbb883828e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 02:40:00 +0000 Subject: [PATCH 11/17] Rebuild --- lib/entry-points.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/entry-points.js b/lib/entry-points.js index 3052ae2013..0a95ccd4a6 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -26853,6 +26853,7 @@ var require_range = __commonJS({ return this.range; } parseRange(range) { + range = range.replace(BUILDSTRIPRE, ""); const memoOpts = (this.options.includePrerelease && FLAG_INCLUDE_PRERELEASE) | (this.options.loose && FLAG_LOOSE); const memoKey = memoOpts + ":" + range; const cached = cache.get(memoKey); @@ -26935,12 +26936,14 @@ var require_range = __commonJS({ var SemVer = require_semver(); var { safeRe: re, + src, t, comparatorTrimReplace, tildeTrimReplace, caretTrimReplace } = require_re(); var { FLAG_INCLUDE_PRERELEASE, FLAG_LOOSE } = require_constants6(); + var BUILDSTRIPRE = new RegExp(src[t.BUILD], "g"); var isNullSet = (c) => c.value === "<0.0.0-0"; var isAny = (c) => c.value === ""; var isSatisfiable = (comparators, options) => { @@ -27696,7 +27699,7 @@ var require_subset = __commonJS({ if (higher === c && higher !== gt) { return false; } - } else if (gt.operator === ">=" && !satisfies2(gt.semver, String(c), options)) { + } else if (gt.operator === ">=" && !c.test(gt.semver)) { return false; } } @@ -27711,7 +27714,7 @@ var require_subset = __commonJS({ if (lower === c && lower !== lt2) { return false; } - } else if (lt2.operator === "<=" && !satisfies2(lt2.semver, String(c), options)) { + } else if (lt2.operator === "<=" && !c.test(lt2.semver)) { return false; } } From 3569f75599df6e63d2b0060a3f9e0eb840b8bc70 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 02:42:04 +0000 Subject: [PATCH 12/17] Bump ruby/setup-ruby Bumps the actions-minor group with 1 update in the /.github/workflows directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.307.0 to 1.310.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](https://github.com/ruby/setup-ruby/compare/6aaa311d81eba98ae12eaffbcb63296ace0efcde...afeafc3d1ab54a631816aba4c914a0081c12ff2f) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.310.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/__rubocop-multi-language.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml index e2bd040d51..055aae50bc 100644 --- a/.github/workflows/__rubocop-multi-language.yml +++ b/.github/workflows/__rubocop-multi-language.yml @@ -59,7 +59,7 @@ jobs: use-all-platform-bundle: 'false' setup-kotlin: 'true' - name: Set up Ruby - uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 with: ruby-version: 2.6 - name: Install Code Scanning integration From af7b8f37eab968d30b728d79bf51102393b7012a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 02:43:57 +0000 Subject: [PATCH 13/17] Rebuild --- pr-checks/checks/rubocop-multi-language.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pr-checks/checks/rubocop-multi-language.yml b/pr-checks/checks/rubocop-multi-language.yml index fe67c6e360..35135a545b 100644 
--- a/pr-checks/checks/rubocop-multi-language.yml +++ b/pr-checks/checks/rubocop-multi-language.yml @@ -5,7 +5,7 @@ versions: - default steps: - name: Set up Ruby - uses: ruby/setup-ruby@6aaa311d81eba98ae12eaffbcb63296ace0efcde # v1.307.0 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 with: ruby-version: 2.6 - name: Install Code Scanning integration From 62953c18b35f59e28351d2f1e806925aef8b1e3c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 10:42:59 +0000 Subject: [PATCH 14/17] Update default bundle to codeql-bundle-v2.25.6 --- lib/defaults.json | 8 ++++---- lib/entry-points.js | 4 ++-- src/defaults.json | 8 ++++---- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/lib/defaults.json b/lib/defaults.json index a57ede64b9..7c82ff2a6e 100644 --- a/lib/defaults.json +++ b/lib/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.25.5", - "cliVersion": "2.25.5", - "priorBundleVersion": "codeql-bundle-v2.25.4", - "priorCliVersion": "2.25.4" + "bundleVersion": "codeql-bundle-v2.25.6", + "cliVersion": "2.25.6", + "priorBundleVersion": "codeql-bundle-v2.25.5", + "priorCliVersion": "2.25.5" } diff --git a/lib/entry-points.js b/lib/entry-points.js index c7edf0c1ec..c34a09bd3f 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -148959,8 +148959,8 @@ function wrapApiConfigurationError(e) { } // src/defaults.json -var bundleVersion = "codeql-bundle-v2.25.5"; -var cliVersion = "2.25.5"; +var bundleVersion = "codeql-bundle-v2.25.6"; +var cliVersion = "2.25.6"; // src/overlay/index.ts var fs4 = __toESM(require("fs")); diff --git a/src/defaults.json b/src/defaults.json index a57ede64b9..7c82ff2a6e 100644 --- a/src/defaults.json +++ b/src/defaults.json 
@@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-v2.25.5", - "cliVersion": "2.25.5", - "priorBundleVersion": "codeql-bundle-v2.25.4", - "priorCliVersion": "2.25.4" + "bundleVersion": "codeql-bundle-v2.25.6", + "cliVersion": "2.25.6", + "priorBundleVersion": "codeql-bundle-v2.25.5", + "priorCliVersion": "2.25.5" } From c251bcefa178f7780f62f150002acffe3d07fde9 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 10:43:06 +0000 Subject: [PATCH 15/17] Add changelog note --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d7b131449..345ff4963b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## [UNRELEASED] -No user facing changes. +- Update default CodeQL bundle version to [2.25.6](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6). [#3948](https://github.com/github/codeql-action/pull/3948) ## 4.36.1 - 02 Jun 2026 From 8aeff0ffb7b78582ee0d0e6eebb8140684400d08 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 11:17:27 +0000 Subject: [PATCH 16/17] Update changelog for v4.36.2 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 345ff4963b..8a28d83b1f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. -## [UNRELEASED] +## 4.36.2 - 04 Jun 2026 - Update default CodeQL bundle version to [2.25.6](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6). [#3948](https://github.com/github/codeql-action/pull/3948) From f521b08cd8f468ab193ea950a589cb2e9c869c6a Mon Sep 17 00:00:00 2001 
From: Henry Mercer Date: Thu, 4 Jun 2026 15:11:55 +0100 Subject: [PATCH 17/17] Add additional changelog notes --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a28d83b1f..a16b469fad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th ## 4.36.2 - 04 Jun 2026 + - Cache CodeQL CLI version information across Actions steps. [#3943](https://github.com/github/codeql-action/pull/3943) + - Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. [#3937](https://github.com/github/codeql-action/pull/3937) - Update default CodeQL bundle version to [2.25.6](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6). [#3948](https://github.com/github/codeql-action/pull/3948) ## 4.36.1 - 02 Jun 2026