.github/actions/query-filter-test/action.yml

@@ -48,7 +48,6 @@ runs:
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
-        upload-database: false
         upload: never
       env:
         CODEQL_ACTION_TEST_MODE: "true"

.github/workflows/expected-queries-runs.yml

@@ -37,8 +37,6 @@ jobs:
     - uses: ./../action/analyze
       with:
         output: ${{ runner.temp }}/results
-        upload-database: false
-        upload: never
 
     - name: Check Sarif
       uses: ./../action/.github/actions/check-sarif

.github/workflows/python312-windows.yml

@@ -14,6 +14,8 @@ on:
 
 jobs:
   test-setup-python-scripts:
+    env:
+      CODEQL_ACTION_TEST_MODE: true
     timeout-minutes: 45
     runs-on: windows-latest
 
@@ -37,6 +39,3 @@ jobs:
 
     - name: Analyze
       uses: ./../action/analyze
-      with:
-        upload: false
-        upload-database: false

.github/workflows/test-codeql-bundle-all.yml

@@ -53,7 +53,5 @@ jobs:
       shell: bash
       run: ./build.sh
     - uses: ./../action/analyze
-      with:
-        upload-database: false
     env:
       CODEQL_ACTION_TEST_MODE: true

CHANGELOG.md

@@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
 
+## 3.25.10 - 13 Jun 2024
+
+- Update default CodeQL bundle version to 2.17.5. [#2327](https://github.com/github/codeql-action/pull/2327)
+
 ## 3.25.9 - 12 Jun 2024
 
 - Avoid failing database creation if the database folder already exists and contains some unexpected files. Requires CodeQL 2.18.0 or higher. [#2330](https://github.com/github/codeql-action/pull/2330)

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.17.4",
-    "cliVersion": "2.17.4",
-    "priorBundleVersion": "codeql-bundle-v2.17.3",
-    "priorCliVersion": "2.17.3"
+    "bundleVersion": "codeql-bundle-v2.17.5",
+    "cliVersion": "2.17.5",
+    "priorBundleVersion": "codeql-bundle-v2.17.4",
+    "priorCliVersion": "2.17.4"
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.25.9",
+  "version": "3.25.10",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/all-platform-bundle.yml

@@ -15,5 +15,3 @@ steps:
     shell: bash
     run: ./build.sh
   - uses: ./../action/analyze
-    with:
-      upload-database: false

pr-checks/checks/analyze-ref-input.yml

@@ -12,6 +12,5 @@ steps:
     run: ./build.sh
   - uses: ./../action/analyze
     with:
-      upload-database: false
       ref: 'refs/heads/main'
       sha: '5e235361806c361d4d3f8859e3c897658025a9a2'

pr-checks/checks/autobuild-action.yml

@@ -16,8 +16,6 @@ steps:
       CORECLR_PROFILER: ""
       CORECLR_PROFILER_PATH_64: ""
   - uses: ./../action/analyze
-    with:
-      upload-database: false
   - name: Check database
     shell: bash
     run: |

pr-checks/checks/autobuild-direct-tracing-with-working-dir.yml

@@ -0,0 +1,34 @@
+name: "Autobuild direct tracing (custom working directory)"
+description: >
+  An end-to-end integration test of a Java repository built using 'build-mode: autobuild',
+  with direct tracing enabled and a custom working directory specified as the input to the
+  autobuild Action.
+operatingSystems: ["ubuntu", "windows"]
+versions: ["linked", "nightly-latest"]
+env:
+  CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true
+steps:
+  - name: Test setup
+    shell: bash
+    run: |
+      # Make sure that Gradle build succeeds in autobuild-dir ...
+      cp -a ../action/tests/java-repo autobuild-dir
+      # ... and fails if attempted in the current directory
+      echo > build.gradle
+  - uses: ./../action/init
+    with:
+      build-mode: autobuild
+      languages: java
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - name: Check that indirect tracing is disabled
+    shell: bash
+    run: |
+      if [[ ! -z "${CODEQL_RUNNER}" ]]; then
+        echo "Expected indirect tracing to be disabled, but the" \
+          "CODEQL_RUNNER environment variable is set."
+        exit 1
+      fi
+  - uses: ./../action/autobuild
+    with:
+      working-directory: autobuild-dir
+  - uses: ./../action/analyze

pr-checks/checks/go-custom-queries.yml

@@ -15,5 +15,3 @@ steps:
     shell: bash
     run: ./build.sh
   - uses: ./../action/analyze
-    with:
-      upload-database: false

pr-checks/checks/go-indirect-tracing-workaround.yml

@@ -17,8 +17,6 @@ steps:
     shell: bash
     run: go build main.go
   - uses: ./../action/analyze
-    with:
-      upload-database: false
   - shell: bash
     run: |
       if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then

pr-checks/checks/go-tracing-autobuilder.yml

@@ -16,8 +16,6 @@ steps:
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - uses: ./../action/autobuild
   - uses: ./../action/analyze
-    with:
-      upload-database: false
   - shell: bash
     run: |
       if [[ "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" != true ]]; then

pr-checks/checks/go-tracing-custom-build-steps.yml

@@ -16,8 +16,6 @@ steps:
     shell: bash
     run: go build main.go
   - uses: ./../action/analyze
-    with:
-      upload-database: false
   - shell: bash
     run: |
       # Once we start running Bash 4.2 in all environments, we can replace the

pr-checks/checks/go-tracing-legacy-workflow.yml

@@ -15,8 +15,6 @@ steps:
       languages: go
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - uses: ./../action/analyze
-    with:
-      upload-database: false
   - shell: bash
     run: |
       cd "$RUNNER_TEMP/codeql_databases"

pr-checks/checks/javascript-source-root.yml

@@ -15,9 +15,7 @@ steps:
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - uses: ./../action/analyze
     with:
-      upload-database: false
       skip-queries: true
-      upload: never
   - name: Assert database exists
     shell: bash
     run: |

pr-checks/checks/test-autobuild-working-dir.yml

@@ -18,8 +18,6 @@ steps:
     with:
       working-directory: autobuild-dir
   - uses: ./../action/analyze
-    with:
-      upload-database: false
   - name: Check database
     shell: bash
     run: |

pr-checks/checks/test-local-codeql.yml

@@ -20,5 +20,3 @@ steps:
     shell: bash
     run: ./build.sh
   - uses: ./../action/analyze
-    with:
-      upload-database: false

pr-checks/checks/test-proxy.yml

@@ -18,5 +18,3 @@ steps:
       languages: javascript
       tools: ${{ steps.prepare-test.outputs.tools-url }}
   - uses: ./../action/analyze
-    with:
-      upload-database: false

pr-checks/checks/upload-ref-sha-input.yml

@@ -10,9 +10,9 @@ steps:
   - name: Build code
     shell: bash
     run: ./build.sh
+  # Generate some SARIF we can upload with the upload-sarif step
   - uses: ./../action/analyze
     with:
-      upload-database: false
       ref: 'refs/heads/main'
       sha: '5e235361806c361d4d3f8859e3c897658025a9a2'
       upload: never

pr-checks/checks/with-checkout-path.yml

@@ -35,14 +35,6 @@ steps:
       checkout_path: x/y/z/some-path/tests/multi-language-repo
       ref: v1.1.0
       sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-      upload: never
-      upload-database: false
-
-  - uses: ./../action/upload-sarif
-    with:
-      ref: v1.1.0
-      sha: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
-      checkout_path: x/y/z/some-path/tests/multi-language-repo
 
   - name: Verify SARIF after upload
     shell: bash

src/codeql.ts

@@ -688,6 +688,8 @@ export async function getCodeQLForCmd(
           "database",
           "trace-command",
           "--use-build-mode",
+          "--working-dir",
+          process.cwd(),
           ...(await getTrapCachingExtractorConfigArgsForLang(config, language)),
           ...getExtractionVerbosityArguments(config.debugMode),
           ...getExtraOptionsFromEnv(["database", "trace-command"]),

src/config-utils.test.ts

@@ -1086,44 +1086,56 @@ const mockRepositoryNwo = parseRepositoryNwo("owner/repo");
   });
 });
 
-test("Build mode not overridden when disable Java buildless feature flag disabled", async (t) => {
-  const messages: LoggedMessage[] = [];
-  const buildMode = await configUtils.parseBuildModeInput(
-    "none",
-    [Language.java],
-    createFeatures([]),
-    getRecordingLogger(messages),
-  );
-  t.is(buildMode, BuildMode.None);
-  t.deepEqual(messages, []);
-});
+for (const { displayName, language, feature } of [
+  {
+    displayName: "Java",
+    language: Language.java,
+    feature: Feature.DisableJavaBuildlessEnabled,
+  },
+  {
+    displayName: "C#",
+    language: Language.csharp,
+    feature: Feature.DisableCsharpBuildless,
+  },
+]) {
+  test(`Build mode not overridden when disable ${displayName} buildless feature flag disabled`, async (t) => {
+    const messages: LoggedMessage[] = [];
+    const buildMode = await configUtils.parseBuildModeInput(
+      "none",
+      [language],
+      createFeatures([]),
+      getRecordingLogger(messages),
+    );
+    t.is(buildMode, BuildMode.None);
+    t.deepEqual(messages, []);
+  });
 
-test("Build mode not overridden for other languages", async (t) => {
-  const messages: LoggedMessage[] = [];
-  const buildMode = await configUtils.parseBuildModeInput(
-    "none",
-    [Language.python],
-    createFeatures([Feature.DisableJavaBuildlessEnabled]),
-    getRecordingLogger(messages),
-  );
-  t.is(buildMode, BuildMode.None);
-  t.deepEqual(messages, []);
-});
+  test(`Build mode not overridden for other languages when disable ${displayName} buildless feature flag enabled`, async (t) => {
+    const messages: LoggedMessage[] = [];
+    const buildMode = await configUtils.parseBuildModeInput(
+      "none",
+      [Language.python],
+      createFeatures([feature]),
+      getRecordingLogger(messages),
+    );
+    t.is(buildMode, BuildMode.None);
+    t.deepEqual(messages, []);
+  });
 
-test("Build mode overridden when analyzing Java and disable Java buildless feature flag enabled", async (t) => {
-  const messages: LoggedMessage[] = [];
-  const buildMode = await configUtils.parseBuildModeInput(
-    "none",
-    [Language.java],
-    createFeatures([Feature.DisableJavaBuildlessEnabled]),
-    getRecordingLogger(messages),
-  );
-  t.is(buildMode, BuildMode.Autobuild);
-  t.deepEqual(messages, [
-    {
-      message:
-        "Scanning Java code without a build is temporarily unavailable. Falling back to 'autobuild' build mode.",
-      type: "warning",
-    },
-  ]);
-});
+  test(`Build mode overridden when analyzing ${displayName} and disable ${displayName} buildless feature flag enabled`, async (t) => {
+    const messages: LoggedMessage[] = [];
+    const buildMode = await configUtils.parseBuildModeInput(
+      "none",
+      [language],
+      createFeatures([feature]),
+      getRecordingLogger(messages),
+    );
+    t.is(buildMode, BuildMode.Autobuild);
+    t.deepEqual(messages, [
+      {
+        message: `Scanning ${displayName} code without a build is temporarily unavailable. Falling back to 'autobuild' build mode.`,
+        type: "warning",
+      },
+    ]);
+  });
+}

src/config-utils.ts

@@ -1108,6 +1108,16 @@ export async function parseBuildModeInput(
     );
   }
 
+  if (
+    languages.includes(Language.csharp) &&
+    (await features.getValue(Feature.DisableCsharpBuildless))
+  ) {
+    logger.warning(
+      "Scanning C# code without a build is temporarily unavailable. Falling back to 'autobuild' build mode.",
+    );
+    return BuildMode.Autobuild;
+  }
+
   if (
     languages.includes(Language.java) &&
     (await features.getValue(Feature.DisableJavaBuildlessEnabled))

src/database-upload.ts

@@ -20,6 +20,11 @@ export async function uploadDatabases(
     return;
   }
 
+  if (util.isInTestMode()) {
+    logger.debug("In test mode. Skipping database upload.");
+    return;
+  }
+
   // Do nothing when not running against github.com
   if (
     config.gitHubVersion.type !== util.GitHubVariant.DOTCOM &&

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.17.4",
-  "cliVersion": "2.17.4",
-  "priorBundleVersion": "codeql-bundle-v2.17.3",
-  "priorCliVersion": "2.17.3"
+  "bundleVersion": "codeql-bundle-v2.17.5",
+  "cliVersion": "2.17.5",
+  "priorBundleVersion": "codeql-bundle-v2.17.4",
+  "priorCliVersion": "2.17.4"
 }

src/feature-flags.ts

@@ -45,10 +45,11 @@ export interface FeatureEnablement {
  * Legacy features should end with `_enabled`.
  */
 export enum Feature {
-  AutobuildDirectTracing = "autobuild_direct_tracing",
+  AutobuildDirectTracing = "autobuild_direct_tracing_v2",
   CleanupTrapCaches = "cleanup_trap_caches",
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
   CppTrapCachingEnabled = "cpp_trap_caching_enabled",
+  DisableCsharpBuildless = "disable_csharp_buildless",
   DisableJavaBuildlessEnabled = "disable_java_buildless_enabled",
   DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
   ExportDiagnosticsEnabled = "export_diagnostics_enabled",
@@ -109,6 +110,11 @@ export const featureConfig: Record<
     legacyApi: true,
     minimumVersion: "2.16.1",
   },
+  [Feature.DisableCsharpBuildless]: {
+    defaultValue: false,
+    envVar: "CODEQL_ACTION_DISABLE_CSHARP_BUILDLESS",
+    minimumVersion: undefined,
+  },
   [Feature.DisableJavaBuildlessEnabled]: {
     defaultValue: false,
     envVar: "CODEQL_ACTION_DISABLE_JAVA_BUILDLESS",