-
Notifications
You must be signed in to change notification settings - Fork 334
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable a controlled switchover between CodeQL releases #1475
Conversation
fa0e8d6
to
a9eb86f
Compare
a9eb86f
to
e8c12e1
Compare
I've added some things we need to do before merging this to the PR description, but I think this is ready for an initial look. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looked through commit-by-commit and everything makes sense to me. Just a few comments for now, will take another 👀 tomorrow!
In the future we might convert the file to JSON with comments, or add this note to a JSON schema.
This gives us an easy cache hit when requesting the same tools URL.
Could we add a json file in this repo that has mappings from bundle release number to version number or URL? This would be helpful in general for our users since there's no easy way for them to figure out this mapping right now without downloading and running This could go in |
👍 on new additions. CI failure is due to known Swift autobuild hang and I've rerun. |
I have a slight preference for keeping the GitHub Releases the source of truth:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given the complexity of this change and the fact that the actions changelog is not very visible to users, are you considering adding this to a changelog post?
I think a changelog post would be a good idea. Will discuss with Alona once we've agreed on a good Action changelog note. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
✅ from me on the code changes, but I believe there is still ongoing discussion about the inclusion of the section for advanced users in the changelog note.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving but looks like merge conflicts need to be resolved 😄
Hmm since we already have merge conflicts here, it might make sense to get #1492 in first and then rebase on that, as I expect the TypeScript update will probably create some more conflicts. |
TypeScript PR is failing on Windows, so let's do this PR first instead. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the PR checks are failing with parsing SARIF on Windows but it should be unrelated to this PR 🤔
This PR adds functionality that we will use to enable a controlled switchover between CodeQL releases. Specifically, we would like to ensure that each repository running CodeQL transitions from the previous CodeQL release to the new CodeQL release once. We want to avoid repositories flip-flopping between CodeQL releases during the rollout of a new CodeQL release, specifically during the Actions runner image update process, as this creates alert churn.
To do this, we decide the default version of CodeQL on Dotcom using feature flags rather than by using what's in the toolcache. Specifically, we look at all the
default_codeql_version_x_enabled
feature flags and pick the latest enabled version.One niggle with this approach is that if the CLI version we need isn't in the toolcache, there isn't yet a nice way to find the CodeQL Bundle release corresponding to that CLI version. In the medium term, we'll consider tagging each CodeQL bundle release with a CLI version number, for instance
codeql-bundle-v2.12.0
. In the meantime, we add a special asset to the releasecli-version-2.12.0.txt
specifying the version number. The contents of this asset don't matter, since we don't want to have to download anything.GHES behaviour is unchanged: we account for the new toolcache format, but we continue to use the CodeQL bundle release specified within the Action (in
defaults.json
) by default. We also continue to allow CodeQL bundles that have been baked into Actions runner images to override the version indefaults.json
.Commit-by-commit-review recommended.
TODO before merging
Merge / deployment checklist