Python: Don't install deps by default for all users

CHANGELOG.md

@@ -6,6 +6,7 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the
 
 ## [UNRELEASED]
 
+- We are rolling out a feature in January 2024 that will disable Python dependency installation by default for all users. This improves the speed of analysis while having only a very minor impact on results. You can override this behavior by setting `CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION=false` in your workflow, however we plan to remove this ability in future versions of the CodeQL Action. [#2031](https://github.com/github/codeql-action/pull/2031)
 - The CodeQL Action now requires CodeQL version 2.11.6 or later. For more information, see [the corresponding changelog entry for CodeQL Action version 2.22.7](#2227---16-nov-2023). [#2009](https://github.com/github/codeql-action/pull/2009)
 
 ## 3.22.12 - 22 Dec 2023

src/analyze.ts

@@ -18,6 +18,7 @@ import {
   Feature,
   logCodeScanningConfigInCli,
   useCodeScanningConfigInCli,
+  isPythonDependencyInstallationDisabled,
 } from "./feature-flags";
 import { isScannedLanguage, Language } from "./languages";
 import { Logger } from "./logging";
@@ -104,12 +105,7 @@ async function setupPythonExtractor(
     return;
   }
 
-  if (
-    await features.getValue(
-      Feature.DisablePythonDependencyInstallationEnabled,
-      codeql,
-    )
-  ) {
+  if (await isPythonDependencyInstallationDisabled(codeql, features)) {
     logger.warning(
       "We recommend that you remove the CODEQL_PYTHON environment variable from your workflow. This environment variable was originally used to specify a Python executable that included the dependencies of your Python code, however Python analysis no longer uses these dependencies." +
         "\nIf you used CODEQL_PYTHON to force the version of Python to analyze as, please use CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION instead, such as 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=2.7' or 'CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION=3.11'.",

src/feature-flags.ts

@@ -49,6 +49,7 @@ export enum Feature {
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
   DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
   DisablePythonDependencyInstallationEnabled = "disable_python_dependency_installation_enabled",
+  PythonDefaultIsToSkipDependencyInstallationEnabled = "python_default_is_to_skip_dependency_installation_enabled",
   EvaluatorFineGrainedParallelismEnabled = "evaluator_fine_grained_parallelism_enabled",
   ExportDiagnosticsEnabled = "export_diagnostics_enabled",
   QaTelemetryEnabled = "qa_telemetry_enabled",
@@ -103,6 +104,15 @@ export const featureConfig: Record<
     minimumVersion: undefined,
     defaultValue: false,
   },
+  [Feature.PythonDefaultIsToSkipDependencyInstallationEnabled]: {
+    // we can reuse the same environment variable as above. If someone has set it to
+    // `true` in their workflow this means dependencies are not installed, setting it to
+    // `false` means dependencies _will_ be installed. The same semantics are applied
+    // here!
+    envVar: "CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION",
+    minimumVersion: "2.16.0",
+    defaultValue: false,
+  },
 };
 
 /**
@@ -474,3 +484,19 @@ export async function logCodeScanningConfigInCli(
     );
   }
 }
+
+export async function isPythonDependencyInstallationDisabled(
+  codeql: CodeQL,
+  features: FeatureEnablement,
+): Promise<boolean> {
+  return (
+    (await features.getValue(
+      Feature.DisablePythonDependencyInstallationEnabled,
+      codeql,
+    )) ||
+    (await features.getValue(
+      Feature.PythonDefaultIsToSkipDependencyInstallationEnabled,
+      codeql,
+    ))
+  );
+}

src/init-action.ts

@@ -16,7 +16,11 @@ import { getGitHubVersion } from "./api-client";
 import { CodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
 import { EnvVar } from "./environment";
-import { Feature, Features } from "./feature-flags";
+import {
+  Feature,
+  Features,
+  isPythonDependencyInstallationDisabled,
+} from "./feature-flags";
 import {
   checkInstallPython311,
   initCodeQL,
@@ -293,12 +297,7 @@ async function run() {
       config.languages.includes(Language.python) &&
       getRequiredInput("setup-python-dependencies") === "true"
     ) {
-      if (
-        await features.getValue(
-          Feature.DisablePythonDependencyInstallationEnabled,
-          codeql,
-        )
-      ) {
+      if (await isPythonDependencyInstallationDisabled(codeql, features)) {
         logger.info("Skipping python dependency installation");
       } else {
         try {
@@ -446,16 +445,18 @@ async function run() {
     }
 
     // Disable Python dependency extraction if feature flag set
-    if (
-      await features.getValue(
-        Feature.DisablePythonDependencyInstallationEnabled,
-        codeql,
-      )
-    ) {
+    if (await isPythonDependencyInstallationDisabled(codeql, features)) {
       core.exportVariable(
         "CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION",
         "true",
       );
+    } else {
+      // From 2.16.0 the default for the python extractor is to not perform any library
+      // extraction, so we need to set this flag to enable it.
+      core.exportVariable(
+        "CODEQL_EXTRACTOR_PYTHON_FORCE_ENABLE_LIBRARY_EXTRACTION_UNTIL_2_17_0",
+        "true",
+      );
     }
 
     const sourceRoot = path.resolve(