Merge releases/v3 into releases/v2

.github/actions/check-sarif/action.yml

@@ -16,5 +16,5 @@ inputs:
       Comma separated list of query ids that should NOT be included in this SARIF file.
 
 runs:
-  using: node16
+  using: 'node20'
   main: index.js

.github/actions/prepare-test/action.yml

@@ -49,7 +49,7 @@ runs:
           echo "tools-url=https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-$version-manual/$artifact_name" >> $GITHUB_OUTPUT
         elif [[ ${{ inputs.version }} == *"stable"* ]]; then
           version=`echo ${{ inputs.version }} | sed -e 's/^.*\-//'`
-          echo "tools-url=https://github.com/github/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
+          echo "tools-url=https://github.com/nickfyson-org/codeql-action/releases/download/codeql-bundle-$version/$artifact_name" >> $GITHUB_OUTPUT
         elif [[ ${{ inputs.version }} == "latest" ]]; then
           echo "tools-url=latest" >> $GITHUB_OUTPUT
         elif [[ ${{ inputs.version }} == "default" ]]; then

.github/pull_request_template.md

@@ -1,5 +1,5 @@
 ### Merge / deployment checklist
 
 - [ ] Confirm this change is backwards compatible with existing workflows.
-- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/main/README.md) has been updated if necessary.
-- [ ] Confirm the [changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) has been updated if necessary.
+- [ ] Confirm the [readme](https://github.com/nickfyson-org/codeql-action/blob/main/README.md) has been updated if necessary.
+- [ ] Confirm the [changelog](https://github.com/nickfyson-org/codeql-action/blob/main/CHANGELOG.md) has been updated if necessary.

.github/update-release-branch.py

@@ -201,7 +201,7 @@ def main():
     '--repository-nwo',
     type=str,
     required=True,
-    help='The nwo of the repository, for example github/codeql-action.'
+    help='The nwo of the repository, for example nickfyson-org/codeql-action.'
   )
   parser.add_argument(
     '--source-branch',
@@ -255,10 +255,13 @@ def main():
     print(f'No commits to merge from {source_branch} to {target_branch}.')
     return
 
+  # define distinct prefix in order to support specific pr checks on backports
+  branch_prefix = 'update' if is_primary_release else 'backport'
+
   # The branch name is based off of the name of branch being merged into
   # and the SHA of the branch being merged from. Thus if the branch already
   # exists we can assume we don't need to recreate it.
-  new_branch_name = f'update-v{version}-{source_branch_short_sha}'
+  new_branch_name = f'{branch_prefix}-v{version}-{source_branch_short_sha}'
   print(f'Branch name is {new_branch_name}.')
 
   # Check if the branch already exists. If so we can abort as this script

.github/workflows/check-expected-release-files.yml

@@ -21,5 +21,5 @@ jobs:
           bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"
           set -x
           for expected_file in "codeql-bundle.tar.gz" "codeql-bundle-linux64.tar.gz" "codeql-bundle-osx64.tar.gz" "codeql-bundle-win64.tar.gz"; do
-            curl --location --fail --head --request GET "https://github.com/github/codeql-action/releases/download/$bundle_version/$expected_file" > /dev/null
+            curl --location --fail --head --request GET "https://github.com/nickfyson-org/codeql-action/releases/download/$bundle_version/$expected_file" > /dev/null
           done

.github/workflows/post-release-mergeback.yml

@@ -21,7 +21,7 @@ on:
 jobs:
   merge-back:
     runs-on: ubuntu-latest
-    if: github.repository == 'github/codeql-action'
+    if: github.repository == 'nickfyson-org/codeql-action'
     env:
       BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
       HEAD_BRANCH: "${{ github.head_ref || github.ref }}"

.github/workflows/pr-checks.yml

@@ -15,13 +15,39 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 45
 
+    strategy:
+      matrix:
+        node-types-version: [16.11, current] # run tests on 16.11 while codeql-action v2 is still supported
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Lint
         run: npm run-script lint
 
+      - name: Update version of @types/node
+        if: matrix.node-types-version != 'current'
+        env:
+          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
+        run: |
+          # Export `NODE_TYPES_VERSION` so it's available to jq
+          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
+          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
+          echo "${contents}" > package.json
+          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
+          # However we're not checking in the updated lockfile here, so it's fine to run
+          # `npm install` on Linux.
+          npm install
+
+          if [ ! -z "$(git status --porcelain)" ]; then
+            git config --global user.email "github-actions@github.com"
+            git config --global user.name "github-actions[bot]"
+            # The period in `git add --all .` ensures that we stage deleted files too.
+            git add --all .
+            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
+          fi
+
       - name: Check generated JS
         run: .github/workflows/script/check-js.sh
 
@@ -88,3 +114,50 @@ jobs:
           # we won't be able to find them on Windows.
           npm config set script-shell bash
           npm test
+
+  check-backport-node-versions:
+    if: ${{ github.event.pull_request }}
+    name: Check node version for backports
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    env:
+      BASE_REF: ${{ github.base_ref }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - id: head-version
+        name: check HEAD node version
+        run: |
+          # NB we are matching the node version string both with and without single quotes
+          NODE_VERSION=$(find . -name "*.yml" -exec grep -oh "using: 'node[0-9][0-9]\|using: node[0-9][0-9]" {} \; | sed -e "s/using: '//g" -e "s/using: //g" | sort | uniq)
+          echo "NODE_VERSION: ${NODE_VERSION}"
+          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
+            echo "Error: More than one node version used in actions."
+            exit 1
+          fi
+          echo "node_version=${NODE_VERSION}" >> $GITHUB_OUTPUT
+          echo ""
+          echo "github.head_ref: ${{ github.head_ref }}"
+          echo "github.ref: ${{ github.ref }}"
+          echo "github.ref_name: ${{ github.ref_name }}"
+          echo "github.base_ref: ${{ env.BASE_REF }}"
+
+      - id: checkout-base
+        name: check out base ref for backport check
+        if: ${{ startsWith(github.head_ref, 'nickfyson-') }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.BASE_REF }}
+
+      - name: compare with node version on base ref for backport check
+        if: steps.checkout-base.outcome == 'success'
+        env:
+          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
+        run: |
+          BASE_VERSION=$(find . -name "*.yml" -exec grep -oh "using: 'node[0-9][0-9]\|using: node[0-9][0-9]" {} \; | sed -e "s/using: '//g" -e "s/using: //g" | sort | uniq)
+          echo "HEAD_VERSION: ${HEAD_VERSION}"
+          echo "BASE_VERSION: ${BASE_VERSION}"
+          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
+            echo "Error: Cannot change node version in a backport PR."
+            exit 1
+          fi

.github/workflows/rebuild.yml

@@ -21,7 +21,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
-          gh pr edit --repo github/codeql-action "$PR_NUMBER" \
+          gh pr edit --repo nickfyson-org/codeql-action "$PR_NUMBER" \
             --remove-label "Rebuild"
 
       - name: Compile TypeScript
@@ -55,6 +55,6 @@ jobs:
             git push origin "HEAD:$BRANCH"
             echo "Pushed a commit to rebuild the Action." \
               "Please mark the PR as ready for review to trigger PR checks." |
-              gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
-            gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"
+              gh pr comment --body-file - --repo nickfyson-org/codeql-action "$PR_NUMBER"
+            gh pr ready --undo --repo nickfyson-org/codeql-action "$PR_NUMBER"
           fi

.github/workflows/script/update-required-checks.sh

@@ -4,7 +4,7 @@
 
 if ! gh auth status 2>/dev/null; then
   gh auth status
-  echo "Failed: Not authorized. This script requires admin access to github/codeql-action through the gh CLI."
+  echo "Failed: Not authorized. This script requires admin access to nickfyson-org/codeql-action through the gh CLI."
   exit 1
 fi
 
@@ -23,15 +23,15 @@ fi
 echo "Getting checks for $GITHUB_SHA"
 
 # Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+CHECKS="$(gh api repos/nickfyson-org/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 
 echo "{\"contexts\": ${CHECKS}}" > checks.json
 
 for BRANCH in main releases/v2; do
   echo "Updating $BRANCH"
-  gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
+  gh api --silent -X "PATCH" "repos/nickfyson-org/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
 done
 
 rm checks.json

.github/workflows/update-dependencies.yml

@@ -8,7 +8,7 @@ jobs:
     name: Update dependencies
     timeout-minutes: 45
     runs-on: macos-latest
-    if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
+    if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'nickfyson-org/codeql-action')
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -37,6 +37,6 @@ jobs:
           git push origin "HEAD:$BRANCH"
           echo "Pushed a commit to update the checked-in dependencies." \
             "Please mark the PR as ready for review to trigger PR checks." |
-            gh pr comment --body-file - --repo github/codeql-action "${{ github.event.pull_request.number }}"
-          gh pr ready --undo --repo github/codeql-action "${{ github.event.pull_request.number }}"
+            gh pr comment --body-file - --repo nickfyson-org/codeql-action "${{ github.event.pull_request.number }}"
+          gh pr ready --undo --repo nickfyson-org/codeql-action "${{ github.event.pull_request.number }}"
         fi

.github/workflows/update-release-branch.yml

@@ -15,7 +15,7 @@ jobs:
 
   prepare:
     runs-on: ubuntu-latest
-    if: github.repository == 'github/codeql-action'
+    if: github.repository == 'nickfyson-org/codeql-action'
     outputs:
       version: ${{ steps.versions.outputs.version }}
       major_version: ${{ steps.versions.outputs.major_version }}

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -10,7 +10,7 @@ jobs:
     name: Update Supported Enterprise Server Versions
     timeout-minutes: 45
     runs-on: ubuntu-latest
-    if: ${{ github.repository == 'github/codeql-action' }}
+    if: ${{ github.repository == 'nickfyson-org/codeql-action' }}
 
     steps:
       - name: Setup Python

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.
 
+## 2.22.10 - 13 Dec 2023
+
+- Update default CodeQL bundle version to 2.15.4. [#2016](https://github.com/github/codeql-action/pull/2016)
+
 ## 2.22.9 - 07 Dec 2023
 
 No user facing changes.

analyze/action.yml

@@ -84,6 +84,6 @@ outputs:
   sarif-id:
     description: The ID of the uploaded SARIF file.
 runs:
-  using: "node16"
+  using: 'node20'
   main: "../lib/analyze-action.js"
   post: "../lib/analyze-action-post.js"

autobuild/action.yml

@@ -13,5 +13,5 @@ inputs:
       $GITHUB_WORKSPACE as its working directory.
     required: false
 runs:
-  using: 'node16'
+  using: 'node20'
   main: '../lib/autobuild-action.js'

init/action.yml

@@ -109,6 +109,6 @@ outputs:
   codeql-path:
     description: The path of the CodeQL binary used for analysis
 runs:
-  using: 'node16'
+  using: 'node20'
   main: '../lib/init-action.js'
   post: '../lib/init-action-post.js'

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.15.3",
-    "cliVersion": "2.15.3",
-    "priorBundleVersion": "codeql-bundle-v2.15.2",
-    "priorCliVersion": "2.15.2"
+    "bundleVersion": "codeql-bundle-v2.15.4",
+    "cliVersion": "2.15.4",
+    "priorBundleVersion": "codeql-bundle-v2.15.3",
+    "priorCliVersion": "2.15.3"
 }