.github/actions/prepare-test/action.yml

@@ -32,14 +32,20 @@ runs:
       run: |
         set -e # Fail this Action if `gh release list` fails.
 
+        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
+          extension="tar.zst"
+        else
+          extension="tar.gz"
+        fi
+
         if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
-          artifact_name="codeql-bundle.tar.gz"
+          artifact_name="codeql-bundle.$extension"
         elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.tar.gz"
+          artifact_name="codeql-bundle-linux64.$extension"
         elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.tar.gz"
+          artifact_name="codeql-bundle-osx64.$extension"
         elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.tar.gz"
+          artifact_name="codeql-bundle-win64.$extension"
         else
           echo "::error::Unrecognized OS $RUNNER_OS"
           exit 1

.github/actions/setup-swift/action.yml

@@ -11,15 +11,15 @@ runs:
       id: get_swift_version
       if: runner.os == 'Linux'
       shell: bash
-      env: 
+      env:
         CODEQL_PATH: ${{ inputs.codeql-path }}
       run: |
         SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
         if [ $SWIFT_EXTRACTOR_DIR = "null" ]; then
           VERSION="null"
         else
           VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
-          # Specify 5.x.0, otherwise setup Action will default to latest minor version. 
+          # Specify 5.x.0, otherwise setup Action will default to latest minor version.
           if [ $VERSION = "5.7" ]; then
             VERSION="5.7.0"
           elif [ $VERSION = "5.8" ]; then
@@ -29,11 +29,11 @@ runs:
           # setup-swift does not yet support v5.9.1 Remove this when it does.
           elif [ $VERSION = "5.9.1" ]; then
             VERSION="5.9.0"
-          fi 
+          fi
         fi
         echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
 
-    - uses: redsun82/setup-swift@b2b6f77ab14f6a9b136b520dc53ec8eca27d2b99 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
+    - uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
       if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
       with:
         swift-version: "${{ steps.get_swift_version.outputs.version }}"

.github/workflows/pr-checks.yml

@@ -24,7 +24,16 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Lint
-        run: npm run-script lint
+        id: lint
+        run: npm run-script lint-ci
+
+      - name: Upload sarif
+        uses: github/codeql-action/upload-sarif@v3
+        # Only upload SARIF for the latest version of Node.js
+        if: "always() && matrix.node-types-version == 'current'"
+        with:
+          sarif_file: eslint.sarif
+          category: eslint
 
       - name: Update version of @types/node
         if: matrix.node-types-version != 'current'

.github/workflows/update-release-branch.yml

@@ -104,6 +104,7 @@ jobs:
   backport:
     timeout-minutes: 45
     runs-on: ubuntu-latest
+    environment: Automation
     needs: [prepare]
     if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
     strategy:
@@ -114,17 +115,24 @@ jobs:
       SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
       TARGET_BRANCH: ${{ matrix.target_branch }}
     steps:
+    - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4
+      id: app-token
+      with:
+        app-id: ${{ vars.AUTOMATION_APP_ID }}
+        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0  # Need full history for calculation of diffs
     - uses: ./.github/actions/release-initialise
 
     - name: Update older release branch
+      env:
+        GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
       run: |
         echo SOURCE_BRANCH=${SOURCE_BRANCH}
         echo TARGET_BRANCH=${TARGET_BRANCH}
         python .github/update-release-branch.py \
-          --github-token ${{ secrets.GITHUB_TOKEN }} \
+          --github-token ${GITHUB_TOKEN} \
           --repository-nwo ${{ github.repository }} \
           --source-branch ${SOURCE_BRANCH} \
           --target-branch ${TARGET_BRANCH} \

.gitignore

@@ -5,3 +5,5 @@ node_modules/.cache/
 *.class
 # macOS
 .DS_Store
+# eslint sarif report
+eslint.sarif

CHANGELOG.md

@@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
 
+## 3.26.7 - 13 Sep 2024
+
+- Update default CodeQL bundle version to 2.18.4. [#2471](https://github.com/github/codeql-action/pull/2471)
+
 ## 3.26.6 - 29 Aug 2024
 
 - Update default CodeQL bundle version to 2.18.3. [#2449](https://github.com/github/codeql-action/pull/2449)

README.md

@@ -33,20 +33,19 @@ To provide the best experience to customers using older versions of GitHub Enter
 
 For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/)."
 
-## Supported versions of the CodeQL Bundle and GitHub Enterprise Server
+## Supported versions of the CodeQL Bundle on GitHub Enterprise Server
 
 We typically release new minor versions of the CodeQL Action and Bundle when a new minor version of GitHub Enterprise Server (GHES) is released. When a version of GHES is deprecated, the CodeQL Action and Bundle releases that shipped with it are deprecated as well.
 
-| Recommended CodeQL Action | Recommended CodeQL Bundle Version | GitHub Environment |
-|---------|----------|--------------|
-| `v3` | default (do not pass a `tools` input) | GitHub.com |
-| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 |
-| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 |
-| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 |
-| `v2.22.1` | `2.14.6` | Enterprise Server 3.11 |
-| `v2.20.3` | `2.13.5` | Enterprise Server 3.10 |
+| Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
+|-----------------------|-------------------------------|--------------------|-------|
+| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 | |
+| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 | |
+| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 | |
+| `v2.22.1` | `2.14.6` | Enterprise Server 3.11 | Supports CodeQL Action v3, but did not ship with CodeQL Action v3. For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/#users-of-github-enterprise-server-311)." |
+| `v2.20.3` | `2.13.5` | Enterprise Server 3.10 | Does not support CodeQL Action v3. |
 
-CodeQL Action `v2` will stop receiving updates when GHES 3.11 is deprecated.
+CodeQL Action v2 will stop receiving updates when GHES 3.11 is deprecated. 
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 

analyze/action.yml

@@ -19,7 +19,7 @@ inputs:
     # If changing this, make sure to update workflow.ts accordingly.
     default: "always"
   cleanup-level:
-    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --mode flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
+    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --cache-cleanup flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
     required: false
     default: "brutal"
   ram:

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.18.3",
-    "cliVersion": "2.18.3",
-    "priorBundleVersion": "codeql-bundle-v2.18.2",
-    "priorCliVersion": "2.18.2"
+    "bundleVersion": "codeql-bundle-v2.18.4",
+    "cliVersion": "2.18.4",
+    "priorBundleVersion": "codeql-bundle-v2.18.3",
+    "priorCliVersion": "2.18.3"
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.26.6",
+  "version": "3.26.7",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -9,6 +9,7 @@
     "test-debug": "ava src/**.test.ts --serial --verbose --timeout=20m",
     "lint": "eslint --report-unused-disable-directives --max-warnings=0 .",
     "lint-fix": "eslint --report-unused-disable-directives --max-warnings=0 . --fix",
+    "lint-ci": "SARIF_ESLINT_IGNORE_SUPPRESSED=true eslint --report-unused-disable-directives --max-warnings=0 . --format @microsoft/eslint-formatter-sarif --output-file=eslint.sarif",
     "removeNPMAbsolutePaths": "removeNPMAbsolutePaths . --force"
   },
   "ava": {
@@ -34,7 +35,7 @@
     "@schemastore/package": "0.0.10",
     "@types/node-forge": "^1.3.11",
     "@types/uuid": "^10.0.0",
-    "adm-zip": "^0.5.15",
+    "adm-zip": "^0.5.16",
     "check-disk-space": "^3.4.0",
     "console-log-level": "^1.4.1",
     "del": "^6.1.1",
@@ -59,15 +60,16 @@
     "@eslint/compat": "^1.1.1",
     "@eslint/eslintrc": "^3.1.0",
     "@eslint/js": "^9.9.1",
+    "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@types/adm-zip": "^0.5.5",
     "@types/console-log-level": "^1.4.5",
     "@types/get-folder-size": "^2.0.0",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "20.9.0",
     "@types/semver": "^7.5.8",
     "@types/sinon": "^17.0.3",
-    "@typescript-eslint/eslint-plugin": "^8.2.0",
-    "@typescript-eslint/parser": "^8.2.0",
+    "@typescript-eslint/eslint-plugin": "^8.4.0",
+    "@typescript-eslint/parser": "^8.4.0",
     "ava": "^5.3.1",
     "eslint": "^8.57.0",
     "eslint-import-resolver-typescript": "^3.6.3",

pr-checks/checks/go-tracing-autobuilder.yml

@@ -6,7 +6,7 @@ env:
 steps:
   - uses: actions/setup-go@v5
     with:
-      go-version: "~1.22.0"
+      go-version: "~1.23.0"
       # to avoid potentially misleading autobuilder results where we expect it to download
       # dependencies successfully, but they actually come from a warm cache
       cache: false

pr-checks/checks/go-tracing-custom-build-steps.yml

@@ -4,7 +4,7 @@ operatingSystems: ["ubuntu", "macos"]
 steps:
   - uses: actions/setup-go@v5
     with:
-      go-version: "~1.22.0"
+      go-version: "~1.23.0"
       # to avoid potentially misleading autobuilder results where we expect it to download
       # dependencies successfully, but they actually come from a warm cache
       cache: false

pr-checks/checks/go-tracing-legacy-workflow.yml

@@ -6,7 +6,7 @@ env:
 steps:
   - uses: actions/setup-go@v5
     with:
-      go-version: "~1.22.0"
+      go-version: "~1.23.0"
       # to avoid potentially misleading autobuilder results where we expect it to download
       # dependencies successfully, but they actually come from a warm cache
       cache: false

pr-checks/checks/job-run-uuid-sarif.yml

@@ -0,0 +1,30 @@
+name: "Job run UUID added to SARIF"
+description: "Tests that the job run UUID is added to the SARIF output"
+operatingSystems: ["ubuntu"]
+versions: ["nightly-latest"]
+steps:
+  - uses: ./../action/init
+    id: init
+    with:
+      languages: javascript
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - uses: ./../action/analyze
+    with:
+      output: "${{ runner.temp }}/results"
+  - name: Upload SARIF
+    uses: actions/upload-artifact@v3
+    with:
+      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
+      path: "${{ runner.temp }}/results/javascript.sarif"
+      retention-days: 7
+  - name: Check results
+    shell: bash
+    run: |
+      cd "$RUNNER_TEMP/results"
+      actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
+      if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
+        echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
+        exit 1
+      else
+        echo "Found job run UUID '$actual'."
+      fi

pr-checks/checks/test-local-codeql.yml

@@ -14,7 +14,7 @@ steps:
     with:
       # Swift is not supported on Ubuntu so we manually exclude it from the list here
       languages: cpp,csharp,go,java,javascript,python,ruby
-      tools: ./codeql-bundle-linux64.tar.gz
+      tools: ./codeql-bundle-linux64.tar.zst
   - name: Build code
     shell: bash
     run: ./build.sh

src/codeql.ts

@@ -327,6 +327,11 @@ export const CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE = "2.15.0";
  */
 const CODEQL_VERSION_INCLUDE_QUERY_HELP = "2.15.2";
 
+/**
+ * Versions 2.17.1+ of the CodeQL CLI support the `--cache-cleanup` option.
+ */
+const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
+
 /**
  * Set up CodeQL CLI access.
  *
@@ -368,6 +373,13 @@ export async function setupCodeQL(
       defaultCliVersion,
       logger,
     );
+
+    logger.debug(
+      `Bundle download status report: ${JSON.stringify(
+        toolsDownloadStatusReport,
+      )}`,
+    );
+
     let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
     if (process.platform === "win32") {
       codeqlCmd += ".exe";
@@ -858,6 +870,7 @@ export async function getCodeQLForCmd(
         )}`,
         "--sarif-group-rules-by-pack",
         ...(await getCodeScanningQueryHelpArguments(this)),
+        ...(await getJobRunUuidSarifOptions(this)),
         ...getExtraOptionsFromEnv(["database", "interpret-results"]),
       ];
       if (automationDetailsId !== undefined) {
@@ -966,11 +979,17 @@ export async function getCodeQLForCmd(
       databasePath: string,
       cleanupLevel: string,
     ): Promise<void> {
+      const cacheCleanupFlag = (await util.codeQlVersionAtLeast(
+        this,
+        CODEQL_VERSION_CACHE_CLEANUP,
+      ))
+        ? "--cache-cleanup"
+        : "--mode";
       const codeqlArgs = [
         "database",
         "cleanup",
         databasePath,
-        `--mode=${cleanupLevel}`,
+        `${cacheCleanupFlag}=${cleanupLevel}`,
         ...getExtraOptionsFromEnv(["database", "cleanup"]),
       ];
       await runTool(cmd, codeqlArgs);
@@ -1405,3 +1424,14 @@ function applyAutobuildAzurePipelinesTimeoutFix() {
     "-Dmaven.wagon.http.pool=false",
   ].join(" ");
 }
+
+async function getJobRunUuidSarifOptions(codeql: CodeQL) {
+  const jobRunUuid = process.env[EnvVar.JOB_RUN_UUID];
+
+  return jobRunUuid &&
+    (await codeql.supportsFeature(
+      ToolsFeature.DatabaseInterpretResultsSupportsSarifRunProperty,
+    ))
+    ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`]
+    : [];
+}

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.18.3",
-  "cliVersion": "2.18.3",
-  "priorBundleVersion": "codeql-bundle-v2.18.2",
-  "priorCliVersion": "2.18.2"
+  "bundleVersion": "codeql-bundle-v2.18.4",
+  "cliVersion": "2.18.4",
+  "priorBundleVersion": "codeql-bundle-v2.18.3",
+  "priorCliVersion": "2.18.3"
 }

src/init-action.ts

@@ -42,6 +42,7 @@ import {
   getActionsStatus,
   sendStatusReport,
 } from "./status-report";
+import { isZstdAvailable } from "./tar";
 import { ToolsFeature } from "./tools-features";
 import { getTotalCacheSize } from "./trap-caching";
 import {
@@ -375,6 +376,8 @@ async function run() {
   try {
     cleanupDatabaseClusterDirectory(config, logger);
 
+    await logZstdAvailability(config, logger);
+
     // Log CodeQL download telemetry, if appropriate
     if (toolsDownloadStatusReport) {
       addDiagnostic(
@@ -670,6 +673,29 @@ function getTrapCachingEnabled(): boolean {
   return true;
 }
 
+async function logZstdAvailability(config: configUtils.Config, logger: Logger) {
+  // Log zstd availability
+  const zstdAvailableResult = await isZstdAvailable(logger);
+  addDiagnostic(
+    config,
+    // Arbitrarily choose the first language. We could also choose all languages, but that
+    // increases the risk of misinterpreting the data.
+    config.languages[0],
+    makeDiagnostic(
+      "codeql-action/zstd-availability",
+      "Zstandard availability",
+      {
+        attributes: zstdAvailableResult,
+        visibility: {
+          cliSummaryTable: false,
+          statusPage: false,
+          telemetry: true,
+        },
+      },
+    ),
+  );
+}
+
 async function runWrapper() {
   try {
     await run();

src/setup-codeql.test.ts

@@ -154,8 +154,10 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to use
   sinon.stub(setupCodeql, "downloadCodeQL").resolves({
     codeqlFolder: "codeql",
     statusReport: {
+      compressionMethod: "gzip",
       downloadDurationMs: 200,
       extractionDurationMs: 300,
+      toolsUrl: "toolsUrl",
     },
     toolsVersion: LINKED_CLI_VERSION.cliVersion,
   });
@@ -200,8 +202,10 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to dow
   sinon.stub(setupCodeql, "downloadCodeQL").resolves({
     codeqlFolder: "codeql",
     statusReport: {
+      compressionMethod: "gzip",
       downloadDurationMs: 200,
       extractionDurationMs: 300,
+      toolsUrl: bundleUrl,
     },
     toolsVersion: expectedVersion,
   });

src/setup-codeql.ts

@@ -17,6 +17,7 @@ import * as api from "./api-client";
 import * as defaults from "./defaults.json";
 import { CodeQLDefaultVersionInfo } from "./feature-flags";
 import { Logger } from "./logging";
+import * as tar from "./tar";
 import * as util from "./util";
 import { isGoodVersion } from "./util";
 
@@ -462,8 +463,10 @@ export async function tryGetFallbackToolcacheVersion(
 }
 
 export interface ToolsDownloadStatusReport {
+  compressionMethod: tar.CompressionMethod;
   downloadDurationMs: number;
   extractionDurationMs: number;
+  toolsUrl: string;
 }
 
 // Exported using `export const` for testing purposes. Specifically, we want to
@@ -505,6 +508,7 @@ export const downloadCodeQL = async function (
     `Downloading CodeQL tools from ${codeqlURL} . This may take a while.`,
   );
 
+  const compressionMethod = tar.inferCompressionMethod(codeqlURL);
   const dest = path.join(tempDir, uuidV4());
   const finalHeaders = Object.assign(
     { "User-Agent": "CodeQL Action" },
@@ -526,7 +530,10 @@ export const downloadCodeQL = async function (
 
   logger.debug("Extracting CodeQL bundle.");
   const extractionStart = performance.now();
-  const extractedBundlePath = await toolcache.extractTar(archivedBundlePath);
+  const extractedBundlePath = await tar.extract(
+    archivedBundlePath,
+    compressionMethod,
+  );
   const extractionDurationMs = Math.round(performance.now() - extractionStart);
   logger.debug(
     `Finished extracting CodeQL bundle to ${extractedBundlePath} (${extractionDurationMs} ms).`,
@@ -544,8 +551,10 @@ export const downloadCodeQL = async function (
     return {
       codeqlFolder: extractedBundlePath,
       statusReport: {
+        compressionMethod,
         downloadDurationMs,
         extractionDurationMs,
+        toolsUrl: sanitizeUrlForStatusReport(codeqlURL),
       },
       toolsVersion: maybeCliVersion ?? "unknown",
     };
@@ -575,8 +584,10 @@ export const downloadCodeQL = async function (
   return {
     codeqlFolder: toolcachedBundlePath,
     statusReport: {
+      compressionMethod,
       downloadDurationMs,
       extractionDurationMs,
+      toolsUrl: sanitizeUrlForStatusReport(codeqlURL),
     },
     toolsVersion: maybeCliVersion ?? toolcacheVersion,
   };
@@ -619,17 +630,16 @@ function getCanonicalToolcacheVersion(
   return cliVersion;
 }
 
+export interface SetupCodeQLResult {
+  codeqlFolder: string;
+  toolsDownloadStatusReport?: ToolsDownloadStatusReport;
+  toolsSource: ToolsSource;
+  toolsVersion: string;
+}
+
 /**
  * Obtains the CodeQL bundle, installs it in the toolcache if appropriate, and extracts it.
  *
- * @param toolsInput
- * @param apiDetails
- * @param tempDir
- * @param variant
- * @param defaultCliVersion
- * @param logger
- * @param checkVersion Whether to check that CodeQL CLI meets the minimum
- *        version requirement. Must be set to true outside tests.
  * @returns the path to the extracted bundle, and the version of the tools
  */
 export async function setupCodeQLBundle(
@@ -639,12 +649,7 @@ export async function setupCodeQLBundle(
   variant: util.GitHubVariant,
   defaultCliVersion: CodeQLDefaultVersionInfo,
   logger: Logger,
-): Promise<{
-  codeqlFolder: string;
-  toolsDownloadStatusReport?: ToolsDownloadStatusReport;
-  toolsSource: ToolsSource;
-  toolsVersion: string;
-}> {
+): Promise<SetupCodeQLResult> {
   const source = await getCodeQLSource(
     toolsInput,
     defaultCliVersion,
@@ -658,10 +663,14 @@ export async function setupCodeQLBundle(
   let toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined;
   let toolsSource: ToolsSource;
   switch (source.sourceType) {
-    case "local":
-      codeqlFolder = await toolcache.extractTar(source.codeqlTarPath);
+    case "local": {
+      const compressionMethod = tar.inferCompressionMethod(
+        source.codeqlTarPath,
+      );
+      codeqlFolder = await tar.extract(source.codeqlTarPath, compressionMethod);
       toolsSource = ToolsSource.Local;
       break;
+    }
     case "toolcache":
       codeqlFolder = source.codeqlFolder;
       logger.debug(`CodeQL found in cache ${codeqlFolder}`);
@@ -705,3 +714,11 @@ async function cleanUpGlob(glob: string, name: string, logger: Logger) {
     logger.warning(`Failed to clean up ${name}: ${e}.`);
   }
 }
+
+function sanitizeUrlForStatusReport(url: string): string {
+  return ["github/codeql-action", "dsp-testing/codeql-cli-nightlies"].some(
+    (repo) => url.startsWith(`https://github.com/${repo}/releases/download/`),
+  )
+    ? url
+    : "sanitized-value";
+}

src/tar.ts

@@ -0,0 +1,103 @@
+import { ToolRunner } from "@actions/exec/lib/toolrunner";
+import * as toolcache from "@actions/tool-cache";
+import { safeWhich } from "@chrisgavin/safe-which";
+
+import { Logger } from "./logging";
+import { assertNever } from "./util";
+
+const MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
+const MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
+
+export type TarVersion = {
+  type: "gnu" | "bsd";
+  version: string;
+};
+
+async function getTarVersion(): Promise<TarVersion> {
+  const tar = await safeWhich("tar");
+  let stdout = "";
+  const exitCode = await new ToolRunner(tar, ["--version"], {
+    listeners: {
+      stdout: (data: Buffer) => {
+        stdout += data.toString();
+      },
+    },
+  }).exec();
+  if (exitCode !== 0) {
+    throw new Error("Failed to call tar --version");
+  }
+  // Return whether this is GNU tar or BSD tar, and the version number
+  if (stdout.includes("GNU tar")) {
+    const match = stdout.match(/tar \(GNU tar\) ([0-9.]+)/);
+    if (!match || !match[1]) {
+      throw new Error("Failed to parse output of tar --version.");
+    }
+
+    return { type: "gnu", version: match[1] };
+  } else if (stdout.includes("bsdtar")) {
+    const match = stdout.match(/bsdtar ([0-9.]+)/);
+    if (!match || !match[1]) {
+      throw new Error("Failed to parse output of tar --version.");
+    }
+
+    return { type: "bsd", version: match[1] };
+  } else {
+    throw new Error("Unknown tar version");
+  }
+}
+
+export async function isZstdAvailable(
+  logger: Logger,
+): Promise<{ available: boolean; version?: TarVersion }> {
+  try {
+    const tarVersion = await getTarVersion();
+    const { type, version } = tarVersion;
+    logger.info(`Found ${type} tar version ${version}.`);
+    switch (type) {
+      case "gnu":
+        return {
+          available: version >= MIN_REQUIRED_GNU_TAR_VERSION,
+          version: tarVersion,
+        };
+      case "bsd":
+        return {
+          available: version >= MIN_REQUIRED_BSD_TAR_VERSION,
+          version: tarVersion,
+        };
+      default:
+        assertNever(type);
+    }
+  } catch (e) {
+    logger.error(
+      "Failed to determine tar version, therefore will assume zstd may not be available. " +
+        `The underlying error was: ${e}`,
+    );
+    return { available: false };
+  }
+}
+
+export type CompressionMethod = "gzip" | "zstd";
+
+export async function extract(
+  path: string,
+  compressionMethod: CompressionMethod,
+): Promise<string> {
+  switch (compressionMethod) {
+    case "gzip":
+      // While we could also ask tar to autodetect the compression method,
+      // we defensively keep the gzip call identical as requesting a gzipped
+      // bundle will soon be a fallback option.
+      return await toolcache.extractTar(path);
+    case "zstd":
+      // By specifying only the "x" flag, we ask tar to autodetect the
+      // compression method.
+      return await toolcache.extractTar(path, undefined, "x");
+  }
+}
+
+export function inferCompressionMethod(path: string): CompressionMethod {
+  if (path.endsWith(".tar.gz")) {
+    return "gzip";
+  }
+  return "zstd";
+}

src/tools-features.ts

@@ -3,6 +3,7 @@ import type { VersionInfo } from "./codeql";
 export enum ToolsFeature {
   AnalysisSummaryV2IsDefault = "analysisSummaryV2Default",
   BuildModeOption = "buildModeOption",
+  DatabaseInterpretResultsSupportsSarifRunProperty = "databaseInterpretResultsSupportsSarifRunProperty",
   IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
   InformsAboutUnsupportedPathFilters = "informsAboutUnsupportedPathFilters",
   SetsCodeqlRunnerEnvVar = "setsCodeqlRunnerEnvVar",