github · nickfyson · Dec 13, 2023 · Nov 22, 2023 · Dec 7, 2023 · Dec 7, 2023
@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node16
+  using: node20
   main: index.js
@@ -255,10 +255,13 @@ def main():
     print(f'No commits to merge from {source_branch} to {target_branch}.')
     return
 
+  # define distinct prefix in order to support specific pr checks on backports
+  branch_prefix = 'update' if is_primary_release else 'backport'
+
   # The branch name is based off of the name of branch being merged into
   # and the SHA of the branch being merged from. Thus if the branch already
   # exists we can assume we don't need to recreate it.
-  new_branch_name = f'update-v{version}-{source_branch_short_sha}'
+  new_branch_name = f'{branch_prefix}-v{version}-{source_branch_short_sha}'
   print(f'Branch name is {new_branch_name}.')
 
   # Check if the branch already exists. If so we can abort as this script

@@ -39,11 +39,11 @@ jobs:
         uses: ./.github/actions/prepare-test
         with:
           version: latest
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: ^1.13.1
       - name: Setup Python on MacOS
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         if: |
           matrix.os == 'macos-latest' && (
           matrix.version == 'stable-20220908' ||

@@ -46,11 +46,11 @@ jobs:
         uses: ./.github/actions/prepare-test
         with:
           version: ${{ matrix.version }}
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: ^1.13.1
       - name: Setup Python on MacOS
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         if: |
           matrix.os == 'macos-latest' && (
           matrix.version == 'stable-20220908' ||

@@ -15,13 +15,39 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 45
 
+    strategy:
+      matrix:
+        node-types-version: [16.11, current] # run tests on 16.11 while CodeQL Action v2 is still supported
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Lint
         run: npm run-script lint
 
+      - name: Update version of @types/node
+        if: matrix.node-types-version != 'current'
+        env:
+          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
+        run: |
+          # Export `NODE_TYPES_VERSION` so it's available to jq
+          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
+          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
+          echo "${contents}" > package.json
+          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
+          # However we're not checking in the updated lockfile here, so it's fine to run
+          # `npm install` on Linux.
+          npm install
+
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "github-actions@github.com"
+            git config --global user.name "github-actions[bot]"
+            # The period in `git add --all .` ensures that we stage deleted files too.
+            git add --all .
+            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
+          fi
+
       - name: Check generated JS
         run: .github/workflows/script/check-js.sh
 
@@ -45,7 +71,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.11
 
@@ -70,7 +96,7 @@ jobs:
 
     steps:
       - name: Setup Python on MacOS
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         if: |
           matrix.os == 'macos-latest' && (
           matrix.version == 'stable-20220908' ||
@@ -88,3 +114,44 @@ jobs:
           # we won't be able to find them on Windows.
           npm config set script-shell bash
           npm test
+
+  check-node-version:
+    if: ${{ github.event.pull_request }}
+    name: Check Action Node versions
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    env:
+      BASE_REF: ${{ github.base_ref }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - id: head-version
+        name: Verify all Actions use the same Node version
+        run: |
+          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
+          echo "NODE_VERSION: ${NODE_VERSION}"
+          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
+            echo "::error::More than one node version used in 'action.yml' files."
+            exit 1
+          fi
+          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
+
+      - id: checkout-base
+        name: 'Backport: Check out base ref'
+        if: ${{ startsWith(github.head_ref, 'backport-') }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.BASE_REF }}
+
+      - name: 'Backport: Verify Node versions unchanged'
+        if: steps.checkout-base.outcome == 'success'
+        env:
+          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
+        run: |
+          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
+          echo "HEAD_VERSION: ${HEAD_VERSION}"
+          echo "BASE_VERSION: ${BASE_VERSION}"
+          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
+            echo "::error::Cannot change the Node version of an Action in a backport PR."
+            exit 1
+          fi
@@ -37,7 +37,7 @@ jobs:
 
     steps:
     - name: Setup Python on MacOS
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       if: |
         matrix.os == 'macos-latest' && (
         matrix.version == 'stable-20220908' ||
@@ -151,7 +151,7 @@ jobs:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
     - uses: actions/checkout@v4
 
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python_version }}
 

@@ -18,7 +18,7 @@ jobs:
     runs-on: windows-latest
 
     steps:
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@v5
       with:
         python-version: 3.12
 

@@ -31,7 +31,7 @@ jobs:
           npm run build
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.11
 

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Setup Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.7"
       - name: Checkout CodeQL Action

@@ -2,6 +2,10 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 3.22.11 - 13 Dec 2023
+
+- [v3+ only] The CodeQL Action now runs on Node.js v20. [#2006](https://github.com/github/codeql-action/pull/2006)
+
 ## 2.22.10 - 12 Dec 2023
 
 - Update default CodeQL bundle version to 2.15.4. [#2016](https://github.com/github/codeql-action/pull/2016)

@@ -84,6 +84,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: "node16"
+  using: node20
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"
@@ -13,5 +13,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: 'node16'
+  using: node20
   main: '../lib/autobuild-action.js'
@@ -109,6 +109,6 @@ outputs:
   codeql-path:
     description: The path of the CodeQL binary used for analysis
 runs:
-  using: 'node16'
+  using: node20
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'