.github/workflows/update-release-branch.yml

@@ -115,19 +115,21 @@ jobs:
       SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
       TARGET_BRANCH: ${{ matrix.target_branch }}
     steps:
-    - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4
+    - name: Generate token
+      uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4
       id: app-token
       with:
         app-id: ${{ vars.AUTOMATION_APP_ID }}
         private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
-    - uses: actions/checkout@v4
+
+    - name: Checkout
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0  # Need full history for calculation of diffs
+        token: ${{ steps.app-token.outputs.token }}
     - uses: ./.github/actions/release-initialise
 
     - name: Update older release branch
-      env:
-        GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
       run: |
         echo SOURCE_BRANCH=${SOURCE_BRANCH}
         echo TARGET_BRANCH=${TARGET_BRANCH}

CHANGELOG.md

@@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
 
+## 3.26.8 - 19 Sep 2024
+
+- Update default CodeQL bundle version to 2.19.0. [#2483](https://github.com/github/codeql-action/pull/2483)
+
 ## 3.26.7 - 13 Sep 2024
 
 - Update default CodeQL bundle version to 2.18.4. [#2471](https://github.com/github/codeql-action/pull/2471)

analyze/action.yml

@@ -74,7 +74,7 @@ inputs:
     required: true
     default: "true"
   token:
-    description: "GitHub token to use for authenticating with this instance of GitHub. The token needs the `security-events: write` permission."
+    description: "GitHub token to use for authenticating with this instance of GitHub. The token must be the built-in GitHub Actions token, and the workflow must have the `security-events: write` permission. Most of the time it is advisable to avoid specifying this input so that the workflow falls back to using the default value."
     required: false
     default: ${{ github.token }}
   matrix:

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.18.4",
-    "cliVersion": "2.18.4",
-    "priorBundleVersion": "codeql-bundle-v2.18.3",
-    "priorCliVersion": "2.18.3"
+    "bundleVersion": "codeql-bundle-v2.19.0",
+    "cliVersion": "2.19.0",
+    "priorBundleVersion": "codeql-bundle-v2.18.4",
+    "priorCliVersion": "2.18.4"
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.26.7",
+  "version": "3.26.8",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

src/analyze-action-post.ts

@@ -5,23 +5,25 @@
  */
 import * as core from "@actions/core";
 
-import * as analyzeActionPostHelper from "./analyze-action-post-helper";
 import * as debugArtifacts from "./debug-artifacts";
-import * as uploadSarifActionPostHelper from "./upload-sarif-action-post-helper";
-import { wrapError } from "./util";
+import { EnvVar } from "./environment";
+import { getActionsLogger, withGroup } from "./logging";
+import { getErrorMessage } from "./util";
 
 async function runWrapper() {
   try {
-    await analyzeActionPostHelper.run(debugArtifacts.uploadSarifDebugArtifact);
+    const logger = getActionsLogger();
 
-    // Also run the upload-sarif post action since we're potentially running
-    // the same steps in the analyze action.
-    await uploadSarifActionPostHelper.uploadArtifacts(
-      debugArtifacts.uploadDebugArtifacts,
-    );
+    // Upload SARIF artifacts if we determine that this is a first-party analysis run.
+    // For third-party runs, this artifact will be uploaded in the `upload-sarif-post` step.
+    if (process.env[EnvVar.INIT_ACTION_HAS_RUN] === "true") {
+      await withGroup("Uploading combined SARIF debug artifact", () =>
+        debugArtifacts.uploadCombinedSarifArtifacts(logger),
+      );
+    }
   } catch (error) {
     core.setFailed(
-      `analyze post-action step failed: ${wrapError(error).message}`,
+      `analyze post-action step failed: ${getErrorMessage(error)}`,
     );
   }
 }

src/analyze-action.ts

@@ -230,6 +230,7 @@ async function run() {
 
     const apiDetails = getApiDetails();
     const outputDir = actionsUtil.getRequiredInput("output");
+    core.exportVariable(EnvVar.SARIF_RESULTS_OUTPUT_DIR, outputDir);
     const threads = util.getThreadsFlag(
       actionsUtil.getOptionalInput("threads") || process.env["CODEQL_THREADS"],
       logger,
@@ -416,7 +417,7 @@ async function runWrapper() {
   try {
     await runPromise;
   } catch (error) {
-    core.setFailed(`analyze action failed: ${util.wrapError(error).message}`);
+    core.setFailed(`analyze action failed: ${util.getErrorMessage(error)}`);
   }
   await util.checkForTimeout();
 }

src/analyze.ts

@@ -314,7 +314,7 @@ export async function runQueries(
       statusReport.analyze_failure_language = language;
       throw new CodeQLAnalysisError(
         statusReport,
-        `Error running analysis for ${language}: ${util.wrapError(e).message}`,
+        `Error running analysis for ${language}: ${util.getErrorMessage(e)}`,
         util.wrapError(e),
       );
     }

src/autobuild-action.ts

@@ -24,6 +24,7 @@ import {
   checkActionVersion,
   checkDiskUsage,
   checkGitHubVersionInRange,
+  getErrorMessage,
   initializeEnvironment,
   wrapError,
 } from "./util";
@@ -141,7 +142,7 @@ async function runWrapper() {
   try {
     await run();
   } catch (error) {
-    core.setFailed(`autobuild action failed. ${wrapError(error).message}`);
+    core.setFailed(`autobuild action failed. ${getErrorMessage(error)}`);
   }
 }
 

src/codeql.ts

@@ -31,7 +31,7 @@ import * as setupCodeql from "./setup-codeql";
 import { ToolsFeature, isSupportedToolsFeature } from "./tools-features";
 import { shouldEnableIndirectTracing } from "./tracer-config";
 import * as util from "./util";
-import { BuildMode, wrapError, cloneObject } from "./util";
+import { BuildMode, cloneObject, getErrorMessage } from "./util";
 
 type Options = Array<string | number | boolean>;
 
@@ -398,7 +398,7 @@ export async function setupCodeQL(
     };
   } catch (e) {
     throw new Error(
-      `Unable to download and extract CodeQL CLI: ${wrapError(e).message}`,
+      `Unable to download and extract CodeQL CLI: ${getErrorMessage(e)}`,
     );
   }
 }
@@ -707,7 +707,7 @@ export async function getCodeQLForCmd(
             e instanceof util.ConfigurationError
               ? util.ConfigurationError
               : Error;
-          throw new ErrorConstructor(`${prefix} ${util.wrapError(e).message}`);
+          throw new ErrorConstructor(`${prefix} ${getErrorMessage(e)}`);
         } else {
           throw e;
         }

src/debug-artifacts.test.ts

@@ -2,15 +2,18 @@ import test from "ava";
 
 import * as debugArtifacts from "./debug-artifacts";
 
-test("sanitizeArifactName", (t) => {
+test("sanitizeArtifactName", (t) => {
   t.deepEqual(
-    debugArtifacts.sanitizeArifactName("hello-world_"),
+    debugArtifacts.sanitizeArtifactName("hello-world_"),
     "hello-world_",
   );
-  t.deepEqual(debugArtifacts.sanitizeArifactName("hello`world`"), "helloworld");
-  t.deepEqual(debugArtifacts.sanitizeArifactName("hello===123"), "hello123");
   t.deepEqual(
-    debugArtifacts.sanitizeArifactName("*m)a&n^y%i££n+v!a:l[i]d"),
+    debugArtifacts.sanitizeArtifactName("hello`world`"),
+    "helloworld",
+  );
+  t.deepEqual(debugArtifacts.sanitizeArtifactName("hello===123"), "hello123");
+  t.deepEqual(
+    debugArtifacts.sanitizeArtifactName("*m)a&n^y%i££n+v!a:l[i]d"),
     "manyinvalid",
   );
 });

src/debug-artifacts.ts

@@ -6,23 +6,223 @@ import * as core from "@actions/core";
 import AdmZip from "adm-zip";
 import del from "del";
 
-import { getRequiredInput } from "./actions-util";
+import { getRequiredInput, getTemporaryDirectory } from "./actions-util";
 import { dbIsFinalized } from "./analyze";
 import { getCodeQL } from "./codeql";
 import { Config } from "./config-utils";
+import { EnvVar } from "./environment";
 import { Language } from "./languages";
-import { Logger } from "./logging";
+import { Logger, withGroup } from "./logging";
 import {
   bundleDb,
   doesDirectoryExist,
   getCodeQLDatabasePath,
+  getErrorMessage,
   listFolder,
 } from "./util";
 
-export function sanitizeArifactName(name: string): string {
+export function sanitizeArtifactName(name: string): string {
   return name.replace(/[^a-zA-Z0-9_\\-]+/g, "");
 }
 
+/**
+ * Upload Actions SARIF artifacts for debugging when CODEQL_ACTION_DEBUG_COMBINED_SARIF
+ * environment variable is set
+ */
+export async function uploadCombinedSarifArtifacts(logger: Logger) {
+  const tempDir = getTemporaryDirectory();
+
+  // Upload Actions SARIF artifacts for debugging when environment variable is set
+  if (process.env["CODEQL_ACTION_DEBUG_COMBINED_SARIF"] === "true") {
+    logger.info(
+      "Uploading available combined SARIF files as Actions debugging artifact...",
+    );
+
+    const baseTempDir = path.resolve(tempDir, "combined-sarif");
+
+    const toUpload: string[] = [];
+
+    if (fs.existsSync(baseTempDir)) {
+      const outputDirs = fs.readdirSync(baseTempDir);
+
+      for (const outputDir of outputDirs) {
+        const sarifFiles = fs
+          .readdirSync(path.resolve(baseTempDir, outputDir))
+          .filter((f) => f.endsWith(".sarif"));
+
+        for (const sarifFile of sarifFiles) {
+          toUpload.push(path.resolve(baseTempDir, outputDir, sarifFile));
+        }
+      }
+    }
+
+    try {
+      await uploadDebugArtifacts(
+        toUpload,
+        baseTempDir,
+        "combined-sarif-artifacts",
+      );
+    } catch (e) {
+      logger.warning(
+        `Failed to upload combined SARIF files as Actions debugging artifact. Reason: ${getErrorMessage(
+          e,
+        )}`,
+      );
+    }
+  }
+}
+
+/**
+ * Try to prepare a SARIF result debug artifact for the given language.
+ *
+ * @return The path to that debug artifact, or undefined if an error occurs.
+ */
+function tryPrepareSarifDebugArtifact(
+  config: Config,
+  language: Language,
+  logger: Logger,
+): string | undefined {
+  try {
+    const analyzeActionOutputDir = process.env[EnvVar.SARIF_RESULTS_OUTPUT_DIR];
+    if (
+      analyzeActionOutputDir !== undefined &&
+      fs.existsSync(analyzeActionOutputDir) &&
+      fs.lstatSync(analyzeActionOutputDir).isDirectory()
+    ) {
+      const sarifFile = path.resolve(
+        analyzeActionOutputDir,
+        `${language}.sarif`,
+      );
+      // Move SARIF to DB location so that they can be uploaded with the same root directory as the other artifacts.
+      if (fs.existsSync(sarifFile)) {
+        const sarifInDbLocation = path.resolve(
+          config.dbLocation,
+          `${language}.sarif`,
+        );
+        fs.copyFileSync(sarifFile, sarifInDbLocation);
+        return sarifInDbLocation;
+      }
+    }
+  } catch (e) {
+    logger.warning(
+      `Failed to find SARIF results path for ${language}. Reason: ${getErrorMessage(
+        e,
+      )}`,
+    );
+  }
+  return undefined;
+}
+
+/**
+ * Try to bundle the database for the given language.
+ *
+ * @return The path to the database bundle, or undefined if an error occurs.
+ */
+async function tryBundleDatabase(
+  config: Config,
+  language: Language,
+  logger: Logger,
+): Promise<string | undefined> {
+  try {
+    if (dbIsFinalized(config, language, logger)) {
+      try {
+        return await createDatabaseBundleCli(config, language);
+      } catch (e) {
+        logger.warning(
+          `Failed to bundle database for ${language} using the CLI. ` +
+            `Falling back to a partial bundle. Reason: ${getErrorMessage(e)}`,
+        );
+      }
+    }
+    return await createPartialDatabaseBundle(config, language);
+  } catch (e) {
+    logger.warning(
+      `Failed to bundle database for ${language}. Reason: ${getErrorMessage(
+        e,
+      )}`,
+    );
+    return undefined;
+  }
+}
+
+/**
+ * Attempt to upload all available debug artifacts.
+ *
+ * Logs and suppresses any errors that occur.
+ */
+export async function tryUploadAllAvailableDebugArtifacts(
+  config: Config,
+  logger: Logger,
+) {
+  const filesToUpload: string[] = [];
+  try {
+    for (const language of config.languages) {
+      await withGroup(`Uploading debug artifacts for ${language}`, async () => {
+        logger.info("Preparing SARIF result debug artifact...");
+        const sarifResultDebugArtifact = tryPrepareSarifDebugArtifact(
+          config,
+          language,
+          logger,
+        );
+        if (sarifResultDebugArtifact) {
+          filesToUpload.push(sarifResultDebugArtifact);
+          logger.info("SARIF result debug artifact ready for upload.");
+        }
+
+        logger.info("Preparing database logs debug artifact...");
+        const databaseDirectory = getCodeQLDatabasePath(config, language);
+        const logsDirectory = path.resolve(databaseDirectory, "log");
+        if (doesDirectoryExist(logsDirectory)) {
+          filesToUpload.push(...listFolder(logsDirectory));
+          logger.info("Database logs debug artifact ready for upload.");
+        }
+
+        // Multilanguage tracing: there are additional logs in the root of the cluster
+        logger.info("Preparing database cluster logs debug artifact...");
+        const multiLanguageTracingLogsDirectory = path.resolve(
+          config.dbLocation,
+          "log",
+        );
+        if (doesDirectoryExist(multiLanguageTracingLogsDirectory)) {
+          filesToUpload.push(...listFolder(multiLanguageTracingLogsDirectory));
+          logger.info("Database cluster logs debug artifact ready for upload.");
+        }
+
+        // Add database bundle
+        logger.info("Preparing database bundle debug artifact...");
+        const databaseBundle = await tryBundleDatabase(
+          config,
+          language,
+          logger,
+        );
+        if (databaseBundle) {
+          filesToUpload.push(databaseBundle);
+          logger.info("Database bundle debug artifact ready for upload.");
+        }
+      });
+    }
+  } catch (e) {
+    logger.warning(
+      `Failed to prepare debug artifacts. Reason: ${getErrorMessage(e)}`,
+    );
+    return;
+  }
+
+  try {
+    await withGroup("Uploading debug artifacts", async () =>
+      uploadDebugArtifacts(
+        filesToUpload,
+        config.dbLocation,
+        config.debugArtifactName,
+      ),
+    );
+  } catch (e) {
+    logger.warning(
+      `Failed to upload debug artifacts. Reason: ${getErrorMessage(e)}`,
+    );
+  }
+}
+
 export async function uploadDebugArtifacts(
   toUpload: string[],
   rootDir: string,
@@ -46,64 +246,15 @@ export async function uploadDebugArtifacts(
     }
   }
 
-  try {
-    await artifact.create().uploadArtifact(
-      sanitizeArifactName(`${artifactName}${suffix}`),
-      toUpload.map((file) => path.normalize(file)),
-      path.normalize(rootDir),
-      {
-        continueOnError: true,
-        // ensure we don't keep the debug artifacts around for too long since they can be large.
-        retentionDays: 7,
-      },
-    );
-  } catch (e) {
-    // A failure to upload debug artifacts should not fail the entire action.
-    core.warning(`Failed to upload debug artifacts: ${e}`);
-  }
-}
-
-export async function uploadSarifDebugArtifact(
-  config: Config,
-  outputDir: string,
-) {
-  if (!doesDirectoryExist(outputDir)) {
-    return;
-  }
-
-  let toUpload: string[] = [];
-  for (const lang of config.languages) {
-    const sarifFile = path.resolve(outputDir, `${lang}.sarif`);
-    if (fs.existsSync(sarifFile)) {
-      toUpload = toUpload.concat(sarifFile);
-    }
-  }
-  await uploadDebugArtifacts(toUpload, outputDir, config.debugArtifactName);
-}
-
-export async function uploadLogsDebugArtifact(config: Config) {
-  let toUpload: string[] = [];
-  for (const language of config.languages) {
-    const databaseDirectory = getCodeQLDatabasePath(config, language);
-    const logsDirectory = path.resolve(databaseDirectory, "log");
-    if (doesDirectoryExist(logsDirectory)) {
-      toUpload = toUpload.concat(listFolder(logsDirectory));
-    }
-  }
-
-  // Multilanguage tracing: there are additional logs in the root of the cluster
-  const multiLanguageTracingLogsDirectory = path.resolve(
-    config.dbLocation,
-    "log",
-  );
-  if (doesDirectoryExist(multiLanguageTracingLogsDirectory)) {
-    toUpload = toUpload.concat(listFolder(multiLanguageTracingLogsDirectory));
-  }
-
-  await uploadDebugArtifacts(
-    toUpload,
-    config.dbLocation,
-    config.debugArtifactName,
+  await artifact.create().uploadArtifact(
+    sanitizeArtifactName(`${artifactName}${suffix}`),
+    toUpload.map((file) => path.normalize(file)),
+    path.normalize(rootDir),
+    {
+      continueOnError: true,
+      // ensure we don't keep the debug artifacts around for too long since they can be large.
+      retentionDays: 7,
+    },
   );
 }
 
@@ -141,7 +292,6 @@ async function createDatabaseBundleCli(
   config: Config,
   language: Language,
 ): Promise<string> {
-  // Otherwise run `codeql database bundle` command.
   const databaseBundlePath = await bundleDb(
     config,
     language,
@@ -150,31 +300,3 @@ async function createDatabaseBundleCli(
   );
   return databaseBundlePath;
 }
-
-export async function uploadDatabaseBundleDebugArtifact(
-  config: Config,
-  logger: Logger,
-) {
-  for (const language of config.languages) {
-    try {
-      let databaseBundlePath: string;
-      if (!dbIsFinalized(config, language, logger)) {
-        databaseBundlePath = await createPartialDatabaseBundle(
-          config,
-          language,
-        );
-      } else {
-        databaseBundlePath = await createDatabaseBundleCli(config, language);
-      }
-      await uploadDebugArtifacts(
-        [databaseBundlePath],
-        config.dbLocation,
-        config.debugArtifactName,
-      );
-    } catch (error) {
-      core.info(
-        `Failed to upload database debug bundle for ${config.debugDatabaseName}-${language}: ${error}`,
-      );
-    }
-  }
-}

src/defaults.json

@@ -1,6 +1,6 @@
 {
-  "bundleVersion": "codeql-bundle-v2.18.4",
-  "cliVersion": "2.18.4",
-  "priorBundleVersion": "codeql-bundle-v2.18.3",
-  "priorCliVersion": "2.18.3"
+  "bundleVersion": "codeql-bundle-v2.19.0",
+  "cliVersion": "2.19.0",
+  "priorBundleVersion": "codeql-bundle-v2.18.4",
+  "priorCliVersion": "2.18.4"
 }

src/environment.ts

@@ -64,6 +64,9 @@ export enum EnvVar {
 
   ODASA_TRACER_CONFIGURATION = "ODASA_TRACER_CONFIGURATION",
 
+  /** The value of the `output` input for the analyze action. */
+  SARIF_RESULTS_OUTPUT_DIR = "CODEQL_ACTION_SARIF_RESULTS_OUTPUT_DIR",
+
   /**
    * What percentage of the total amount of RAM over 8 GB that the Action should reserve for the
    * system.

src/init-action-post-helper.test.ts

@@ -35,22 +35,19 @@ test("post: init action with debug mode off", async (t) => {
       packs: [],
     } as unknown as configUtils.Config);
 
-    const uploadDatabaseBundleSpy = sinon.spy();
-    const uploadLogsSpy = sinon.spy();
+    const uploadAllAvailableDebugArtifactsSpy = sinon.spy();
     const printDebugLogsSpy = sinon.spy();
 
     await initActionPostHelper.run(
-      uploadDatabaseBundleSpy,
-      uploadLogsSpy,
+      uploadAllAvailableDebugArtifactsSpy,
       printDebugLogsSpy,
       createTestConfig({ debugMode: false }),
       parseRepositoryNwo("github/codeql-action"),
       createFeatures([]),
       getRunnerLogger(true),
     );
 
-    t.assert(uploadDatabaseBundleSpy.notCalled);
-    t.assert(uploadLogsSpy.notCalled);
+    t.assert(uploadAllAvailableDebugArtifactsSpy.notCalled);
     t.assert(printDebugLogsSpy.notCalled);
   });
 });
@@ -60,22 +57,19 @@ test("post: init action with debug mode on", async (t) => {
     process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
     process.env["RUNNER_TEMP"] = tmpDir;
 
-    const uploadDatabaseBundleSpy = sinon.spy();
-    const uploadLogsSpy = sinon.spy();
+    const uploadAllAvailableDebugArtifactsSpy = sinon.spy();
     const printDebugLogsSpy = sinon.spy();
 
     await initActionPostHelper.run(
-      uploadDatabaseBundleSpy,
-      uploadLogsSpy,
+      uploadAllAvailableDebugArtifactsSpy,
       printDebugLogsSpy,
       createTestConfig({ debugMode: true }),
       parseRepositoryNwo("github/codeql-action"),
       createFeatures([]),
       getRunnerLogger(true),
     );
 
-    t.assert(uploadDatabaseBundleSpy.called);
-    t.assert(uploadLogsSpy.called);
+    t.assert(uploadAllAvailableDebugArtifactsSpy.called);
     t.assert(printDebugLogsSpy.called);
   });
 });

src/init-action-post-helper.ts

@@ -158,11 +158,10 @@ export async function tryUploadSarifIfRunFailed(
 }
 
 export async function run(
-  uploadDatabaseBundleDebugArtifact: (
+  uploadAllAvailableDebugArtifacts: (
     config: Config,
     logger: Logger,
   ) => Promise<void>,
-  uploadLogsDebugArtifact: (config: Config) => Promise<void>,
   printDebugLogs: (config: Config) => Promise<void>,
   config: Config,
   repositoryNwo: RepositoryNwo,
@@ -211,9 +210,7 @@ export async function run(
     logger.info(
       "Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...",
     );
-    await uploadDatabaseBundleDebugArtifact(config, logger);
-    await uploadLogsDebugArtifact(config);
-
+    await uploadAllAvailableDebugArtifacts(config, logger);
     await printDebugLogs(config);
   }
 

src/init-action-post.ts

@@ -64,8 +64,7 @@ async function runWrapper() {
     }
 
     uploadFailedSarifResult = await initActionPostHelper.run(
-      debugArtifacts.uploadDatabaseBundleDebugArtifact,
-      debugArtifacts.uploadLogsDebugArtifact,
+      debugArtifacts.tryUploadAllAvailableDebugArtifacts,
       printDebugLogs,
       config,
       repositoryNwo,

src/init-action.ts

@@ -62,6 +62,7 @@ import {
   wrapError,
   checkActionVersion,
   cloneObject,
+  getErrorMessage,
 } from "./util";
 import { validateWorkflow } from "./workflow";
 
@@ -700,7 +701,7 @@ async function runWrapper() {
   try {
     await run();
   } catch (error) {
-    core.setFailed(`init action failed: ${wrapError(error).message}`);
+    core.setFailed(`init action failed: ${getErrorMessage(error)}`);
   }
   await checkForTimeout();
 }

src/init.ts

@@ -177,17 +177,15 @@ export function cleanupDatabaseClusterDirectory(
       if (isSelfHostedRunner()) {
         throw new util.ConfigurationError(
           `${blurb} This can happen if another process is using the directory or the directory is owned by a different user. ` +
-            `Please clean up the directory manually and rerun the job. Details: ${
-              util.wrapError(e).message
-            }`,
+            `Please clean up the directory manually and rerun the job. Details: ${util.getErrorMessage(
+              e,
+            )}`,
         );
       } else {
         throw new Error(
           `${blurb} This shouldn't typically happen on hosted runners. ` +
             "If you are using an advanced setup, please check your workflow, otherwise we " +
-            `recommend rerunning the job. Details: ${
-              util.wrapError(e).message
-            }`,
+            `recommend rerunning the job. Details: ${util.getErrorMessage(e)}`,
         );
       }
     }

src/logging.ts

@@ -31,3 +31,12 @@ export function getRunnerLogger(debugMode: boolean): Logger {
     endGroup: () => undefined,
   };
 }
+
+export function withGroup<T>(groupName: string, f: () => T): T {
+  core.startGroup(groupName);
+  try {
+    return f();
+  } finally {
+    core.endGroup();
+  }
+}

src/resolve-environment-action.ts

@@ -22,6 +22,7 @@ import {
   checkDiskUsage,
   checkForTimeout,
   checkGitHubVersionInRange,
+  getErrorMessage,
   wrapError,
 } from "./util";
 
@@ -117,9 +118,9 @@ async function runWrapper() {
     await run();
   } catch (error) {
     core.setFailed(
-      `${ActionName.ResolveEnvironment} action failed: ${
-        wrapError(error).message
-      }`,
+      `${ActionName.ResolveEnvironment} action failed: ${getErrorMessage(
+        error,
+      )}`,
     );
   }
   await checkForTimeout();

src/setup-codeql.test.ts

@@ -17,10 +17,10 @@ import {
   setupTests,
 } from "./testing-utils";
 import {
+  getErrorMessage,
   GitHubVariant,
   initializeEnvironment,
   withTmpDir,
-  wrapError,
 } from "./util";
 
 setupTests(test);
@@ -56,7 +56,7 @@ test("convert to semver", (t) => {
       );
       t.deepEqual(parsedVersion, expectedVersion);
     } catch (e) {
-      t.fail(wrapError(e).message);
+      t.fail(getErrorMessage(e));
     }
   }
 });

src/start-proxy-action-post.ts

@@ -8,7 +8,7 @@ import * as core from "@actions/core";
 
 import * as actionsUtil from "./actions-util";
 import * as configUtils from "./config-utils";
-import { wrapError } from "./util";
+import { getErrorMessage } from "./util";
 
 async function runWrapper() {
   try {
@@ -18,7 +18,7 @@ async function runWrapper() {
     }
   } catch (error) {
     core.setFailed(
-      `start-proxy post-action step failed: ${wrapError(error).message}`,
+      `start-proxy post-action step failed: ${getErrorMessage(error)}`,
     );
   }
   const config = await configUtils.getConfig(

src/start-proxy-action.ts

@@ -169,9 +169,7 @@ async function startProxy(
     core.setOutput("proxy_port", port.toString());
     core.setOutput("proxy_ca_certificate", config.ca.cert);
   } catch (error) {
-    core.setFailed(
-      `start-proxy action failed: ${util.wrapError(error).message}`,
-    );
+    core.setFailed(`start-proxy action failed: ${util.getErrorMessage(error)}`);
   }
 }
 

src/status-report.ts

@@ -26,7 +26,7 @@ import {
   DiskUsage,
   assertNever,
   BuildMode,
-  wrapError,
+  getErrorMessage,
 } from "./util";
 
 export enum ActionName {
@@ -440,9 +440,9 @@ export async function sendStatusReport<S extends StatusReportBase>(
     // something else has gone wrong and the request/response will be logged by octokit
     // it's possible this is a transient error and we should continue scanning
     core.warning(
-      `An unexpected error occurred when sending code scanning status report: ${
-        wrapError(e).message
-      }`,
+      `An unexpected error occurred when sending code scanning status report: ${getErrorMessage(
+        e,
+      )}`,
     );
   }
 }

src/testdata/with-invalid-uri.sarif

@@ -8,30 +8,42 @@
           "name": "LGTM.com",
           "organization": "Semmle",
           "version": "1.24.0-SNAPSHOT",
-          "rules": []
+          "rules": [
+            {
+              "id": "js/unused-local-variable",
+              "shortDescription": {
+                "text": "Unused local variable"
+              },
+              "helpUri": "not a valid URI"
+            }
+          ]
         }
       },
-      "results" : [ {
-        "ruleId" : "js/unused-local-variable",
-        "ruleIndex" : 0,
-        "message" : {
-          "text" : "Unused variable foo."
-        },
-        "locations" : [ {
-          "physicalLocation" : {
-            "artifactLocation" : {
-              "uri" : "not a valid URI",
-              "uriBaseId" : "%SRCROOT%",
-              "index" : 0
-            },
-            "region" : {
-              "startLine" : 2,
-              "startColumn" : 7,
-              "endColumn" : 10
+      "results": [
+        {
+          "ruleId": "js/unused-local-variable",
+          "ruleIndex": 0,
+          "message": {
+            "text": "Unused variable foo."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "not a valid URI",
+                  "uriBaseId": "%SRCROOT%",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 2,
+                  "startColumn": 7,
+                  "endColumn": 10
+                }
+              }
             }
-          }
-        } ]
-      } ],
+          ]
+        }
+      ],
       "columnKind": "utf16CodeUnits",
       "properties": {
         "semmle.formatSpecifier": "2.1.0",

src/trap-caching.ts

@@ -11,7 +11,12 @@ import { DocUrl } from "./doc-url";
 import { Feature, FeatureEnablement } from "./feature-flags";
 import { Language } from "./languages";
 import { Logger } from "./logging";
-import { isHTTPError, tryGetFolderBytes, withTimeout, wrapError } from "./util";
+import {
+  getErrorMessage,
+  isHTTPError,
+  tryGetFolderBytes,
+  withTimeout,
+} from "./util";
 
 // This constant should be bumped if we make a breaking change
 // to how the CodeQL Action stores or retrieves the TRAP cache,
@@ -239,7 +244,7 @@ export async function cleanupTrapCaches(
     } else {
       logger.info(`Failed to cleanup TRAP caches, continuing. Details: ${e}`);
     }
-    return { trap_cache_cleanup_error: wrapError(e).message };
+    return { trap_cache_cleanup_error: getErrorMessage(e) };
   }
 }
 

src/upload-lib.test.ts

@@ -317,9 +317,10 @@ test("accept results with invalid artifactLocation.uri value", (t) => {
   const sarifFile = `${__dirname}/../src/testdata/with-invalid-uri.sarif`;
   uploadLib.validateSarifFileSchema(sarifFile, mockLogger);
 
-  t.deepEqual(loggedMessages.length, 2);
+  t.deepEqual(loggedMessages.length, 3);
   t.deepEqual(
     loggedMessages[1],
+    "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].tool.driver.rules[0].helpUri'.",
     "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri'.",
   );
 });

src/upload-lib.ts

@@ -24,12 +24,12 @@ import { ToolsFeature } from "./tools-features";
 import * as util from "./util";
 import {
   ConfigurationError,
+  getErrorMessage,
   getRequiredEnvParam,
   GitHubVariant,
   GitHubVersion,
   SarifFile,
   SarifRun,
-  wrapError,
 } from "./util";
 
 const GENERIC_403_MSG =
@@ -440,7 +440,7 @@ export function validateSarifFileSchema(sarifFilePath: string, logger: Logger) {
     sarif = JSON.parse(fs.readFileSync(sarifFilePath, "utf8")) as SarifFile;
   } catch (e) {
     throw new InvalidSarifUploadError(
-      `Invalid SARIF. JSON syntax error: ${wrapError(e).message}`,
+      `Invalid SARIF. JSON syntax error: ${getErrorMessage(e)}`,
     );
   }
   // eslint-disable-next-line @typescript-eslint/no-require-imports
@@ -449,11 +449,20 @@ export function validateSarifFileSchema(sarifFilePath: string, logger: Logger) {
   const result = new jsonschema.Validator().validate(sarif, schema);
   // Filter errors related to invalid URIs in the artifactLocation field as this
   // is a breaking change. See https://github.com/github/codeql-action/issues/1703
-  const errors = (result.errors || []).filter(
-    (err) => err.argument !== "uri-reference",
+  const warningAttributes = ["uri-reference", "uri"];
+  const errors = (result.errors ?? []).filter(
+    (err) =>
+      !(
+        err.name === "format" &&
+        typeof err.argument === "string" &&
+        warningAttributes.includes(err.argument)
+      ),
   );
-  const warnings = (result.errors || []).filter(
-    (err) => err.argument === "uri-reference",
+  const warnings = (result.errors ?? []).filter(
+    (err) =>
+      err.name === "format" &&
+      typeof err.argument === "string" &&
+      warningAttributes.includes(err.argument),
   );
 
   for (const warning of warnings) {

src/upload-sarif-action-post.ts

@@ -6,17 +6,23 @@
 import * as core from "@actions/core";
 
 import * as debugArtifacts from "./debug-artifacts";
-import * as uploadSarifActionPostHelper from "./upload-sarif-action-post-helper";
-import { wrapError } from "./util";
+import { EnvVar } from "./environment";
+import { getActionsLogger, withGroup } from "./logging";
+import { getErrorMessage } from "./util";
 
 async function runWrapper() {
   try {
-    await uploadSarifActionPostHelper.uploadArtifacts(
-      debugArtifacts.uploadDebugArtifacts,
-    );
+    const logger = getActionsLogger();
+    // Upload SARIF artifacts if we determine that this is a third-party analysis run.
+    // For first-party runs, this artifact will be uploaded in the `analyze-post` step.
+    if (process.env[EnvVar.INIT_ACTION_HAS_RUN] !== "true") {
+      await withGroup("Uploading combined SARIF debug artifact", () =>
+        debugArtifacts.uploadCombinedSarifArtifacts(logger),
+      );
+    }
   } catch (error) {
     core.setFailed(
-      `upload-sarif post-action step failed: ${wrapError(error).message}`,
+      `upload-sarif post-action step failed: ${getErrorMessage(error)}`,
     );
   }
 }

src/upload-sarif-action.ts

@@ -19,6 +19,7 @@ import {
   ConfigurationError,
   checkActionVersion,
   checkDiskUsage,
+  getErrorMessage,
   getRequiredEnvParam,
   initializeEnvironment,
   isInTestMode,
@@ -133,7 +134,7 @@ async function runWrapper() {
     await run();
   } catch (error) {
     core.setFailed(
-      `codeql/upload-sarif action failed: ${wrapError(error).message}`,
+      `codeql/upload-sarif action failed: ${getErrorMessage(error)}`,
     );
   }
 }

src/util.ts

@@ -998,8 +998,14 @@ export function wrapError(error: unknown): Error {
   return error instanceof Error ? error : new Error(String(error));
 }
 
+/**
+ * Returns an appropriate message for the error.
+ *
+ * If the error is an `Error` instance, this returns the error message without
+ * an `Error: ` prefix.
+ */
 export function getErrorMessage(error: unknown): string {
-  return error instanceof Error ? error.toString() : String(error);
+  return error instanceof Error ? error.message : String(error);
 }
 
 export function prettyPrintPack(pack: Pack) {

upload-sarif/action.yml

@@ -20,7 +20,7 @@ inputs:
     description: "The sha of the HEAD of the ref where results will be uploaded. If not provided, the Action will use the GITHUB_SHA environment variable. If provided, the ref input must be provided as well. This input is ignored for pull requests from forks."
     required: false
   token:
-    description: "GitHub token to use for authenticating with this instance of GitHub. The token needs the `security-events: write` permission."
+    description: "GitHub token to use for authenticating with this instance of GitHub. The token must be the built-in GitHub Actions token, and the workflow must have the `security-events: write` permission. Most of the time it is advisable to avoid specifying this input so that the workflow falls back to using the default value."
     required: false
     default: ${{ github.token }}
   matrix: