Merge pull request #1570 from github/update-v2.2.6-e12a2ecd4

Merge main into releases/v2

.github/codeql/codeql-config.yml

@@ -7,6 +7,7 @@ queries:
   # we include both even though one is a superset of the
   # other, because we're testing the parsing logic and
   # that the suites exist in the codeql bundle.
+  - uses: security-experimental
   - uses: security-extended
   - uses: security-and-quality
 paths-ignore:

.github/dependabot.yml

@@ -15,3 +15,7 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+  - package-ecosystem: github-actions
+    directory: "/.github/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    schedule:
+      interval: weekly

.github/setup-swift/action.yml

@@ -26,7 +26,7 @@ runs:
           VERSION="5.7.0"
         fi
         echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
-    - uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
+    - uses: swift-actions/setup-swift@da0e3e04b5e3e15dbc3861bd835ad9f0afe56296 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
       if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
       with:
         swift-version: "${{steps.get_swift_version.outputs.version}}"

.github/workflows/script/check-node-modules.sh

@@ -7,17 +7,9 @@ if [ ! -z "$(git status --porcelain)" ]; then
     >&2 echo "Failed: Repo should be clean before testing!"
     exit 1
 fi
-# When updating this, make sure to update the npm version in
-# `.github/workflows/update-dependencies.yml` too.
-sudo npm install --force -g npm@9.2.0
 
-# clean the npm cache to ensure we don't have any files owned by root
-sudo npm cache clean --force
+"$(dirname "$0")/update-node-modules.sh" check-only
 
-# Reinstall modules and then clean to remove absolute paths
-# Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
-npm ci
-npm run removeNPMAbsolutePaths
 # Check that repo is still clean
 if [ ! -z "$(git status --porcelain)" ]; then
     # If we get a fail here then the PR needs attention

.github/workflows/script/update-node-modules.sh

@@ -0,0 +1,18 @@
+if [ "$1" != "update" && "$1" != "check-only" ]; then
+    >&2 echo "Failed: Invalid argument. Must be 'update' or 'check-only'"
+    exit 1
+fi
+
+sudo npm install --force -g npm@9.2.0
+
+# clean the npm cache to ensure we don't have any files owned by root
+sudo npm cache clean --force
+
+if [ "$1" = "update" ]; then
+    npm install
+fi
+
+# Reinstall modules and then clean to remove absolute paths
+# Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
+npm ci
+npm run removeNPMAbsolutePaths

.github/workflows/update-dependencies.yml

@@ -27,12 +27,7 @@ jobs:
       run: |
         git fetch origin "$BRANCH" --depth=1
         git checkout "origin/$BRANCH"
-        # When updating this, make sure to update the npm version in
-        # `.github/workflows/script/check-node-modules.sh` too.
-        sudo npm install --force -g npm@9.2.0
-        npm install
-        npm ci
-        npm run removeNPMAbsolutePaths
+        .github/workflows/script/update-node-modules.sh update
         if [ ! -z "$(git status --porcelain)" ]; then
           git config --global user.email "github-actions@github.com"
           git config --global user.name "github-actions[bot]"

CHANGELOG.md

@@ -1,5 +1,9 @@
 # CodeQL Action Changelog
 
+## 2.2.6 - 10 Mar 2023
+
+- Update default CodeQL bundle version to 2.12.4.
+
 ## 2.2.5 - 24 Feb 2023
 
 - Update default CodeQL bundle version to 2.12.3. [#1543](https://github.com/github/codeql-action/pull/1543)