Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge main into releases/v3 #2529

Merged
merged 33 commits into from
Oct 7, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
33 commits
Select commit Hold shift + click to select a range
6fc72c1
Add basic Rust support for internal testing
Sep 18, 2024
a66a5fe
Bump the npm group with 3 updates
dependabot[bot] Oct 2, 2024
f0c7f1d
Update checked-in dependencies
github-actions[bot] Oct 2, 2024
08bec82
Update default bundle to codeql-bundle-v2.19.1
github-actions[bot] Oct 2, 2024
4beccf7
Add changelog note
github-actions[bot] Oct 2, 2024
868284b
Merge branch 'main' into update-bundle/codeql-bundle-v2.19.1
angelapwen Oct 3, 2024
35de01e
Update supported GitHub Enterprise Server versions
github-actions[bot] Oct 3, 2024
15f615c
Add a deprecation warning for CodeQL <=2.14.5
henrymercer Oct 3, 2024
01007b8
Fix new lines in update supported GHES versions PR
henrymercer Oct 3, 2024
955d001
Extract runGitCommand()
cklin Oct 3, 2024
d64cca4
Rename determineMergeBaseCommitOid()
cklin Oct 3, 2024
495ca58
Update changelog and version after v3.26.11
github-actions[bot] Oct 3, 2024
a83506b
Update checked-in dependencies
github-actions[bot] Oct 3, 2024
15649f6
Mergeback v3.26.11 refs/heads/releases/v3 into main (#2523)
angelapwen Oct 3, 2024
8b33300
Merge pull request #2521 from github/cklin/run-git-command
cklin Oct 3, 2024
873c91c
Update README with detailed information
aeisenberg Aug 7, 2024
c768f67
Clean up README
aeisenberg Aug 9, 2024
3b143d4
Update readme
aeisenberg Oct 3, 2024
bed2a47
Update autobuild/action.yml
aeisenberg Oct 4, 2024
76aafb9
Merge pull request #2520 from github/update-supported-enterprise-serv…
henrymercer Oct 4, 2024
6c8758f
Fix changelog note section
henrymercer Oct 4, 2024
215ff9c
Merge pull request #2525 from github/henrymercer/fix-changelog-section
henrymercer Oct 4, 2024
46d955c
Merge pull request #2415 from aeisenberg/aeisenberg/update-readme-1
aeisenberg Oct 4, 2024
057e1ec
Check zstd is on the path in addition to tar version
henrymercer Oct 4, 2024
64871a8
Merge branch 'main' into update-bundle/codeql-bundle-v2.19.1
angelapwen Oct 4, 2024
1532671
Update default bundle to 2.19.1 (#2519)
angelapwen Oct 4, 2024
8a56dd2
Update to @actions/core 1.11.1
aeisenberg Oct 4, 2024
7cf65a5
Merge pull request #2518 from github/dependabot/npm_and_yarn/npm-8815…
aeisenberg Oct 4, 2024
56d1975
Merge pull request #2489 from github/redsun82/rust
redsun82 Oct 7, 2024
bf2e624
Update src/tar.ts
henrymercer Oct 7, 2024
d65a176
Rebuild
github-actions[bot] Oct 7, 2024
c9a70ff
Merge pull request #2526 from github/henrymercer/check-zstd-on-path
henrymercer Oct 7, 2024
570aecb
Update changelog for v3.26.12
github-actions[bot] Oct 7, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,8 @@ jobs:
git push origin update-supported-enterprise-server-versions

body="This PR updates the list of supported GitHub Enterprise Server versions, either because a new "
body+="version is about to be feature frozen, or because an old release has been deprecated.\n\n"
body+="version is about to be feature frozen, or because an old release has been deprecated."
body+=$'\n\n'
body+="If an old release has been deprecated, please follow the instructions in CONTRIBUTING.md to "
body+="deprecate the corresponding version of CodeQL."

Expand Down
9 changes: 9 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,22 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

## 3.26.12 - 07 Oct 2024

- _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. [#2520](https://github.com/github/codeql-action/pull/2520)

- If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.

- Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace `github/codeql-action/*@v3` by `github/codeql-action/*@v3.26.11` and `github/codeql-action/*@v2` by `github/codeql-action/*@v2.26.11` in your code scanning workflow to ensure you continue using this version of the CodeQL Action.

## 3.26.11 - 03 Oct 2024

- _Upcoming breaking change_: Add support for using `actions/download-artifact@v4` to programmatically consume CodeQL Action debug artifacts.

Starting November 30, 2024, GitHub.com customers will [no longer be able to use `actions/download-artifact@v3`](https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/). Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the `CODEQL_ACTION_ARTIFACT_V4_UPGRADE` environment variable to `true` and bump `actions/download-artifact@v3` to `actions/download-artifact@v4` in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped to `actions/download-artifact@v3` to `actions/download-artifact@v4` will begin failing then.

This change is currently unavailable for GitHub Enterprise Server customers, as `actions/upload-artifact@v4` and `actions/download-artifact@v4` are not yet compatible with GHES.
- Update default CodeQL bundle version to 2.19.1. [#2519](https://github.com/github/codeql-action/pull/2519)

## 3.26.10 - 30 Sep 2024

Expand Down
42 changes: 40 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,48 @@ We recommend using default setup to configure CodeQL analysis for your repositor

You can also configure advanced setup for a repository to find security vulnerabilities in your code using a highly customizable code scanning configuration. For more information, see "[Configuring advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)" and "[Customizing your advanced setup for code scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)."

### Permissions
### Actions

This repository contains several actions that enable you to analyze code in your repository using CodeQL and upload the analysis to GitHub Code Scanning. Actions in this repository also allow you to upload to GitHub analyses generated by any SARIF-producing SAST tool.

Actions for CodeQL analyses:

- `init`: Sets up CodeQL for analysis. For information about input parameters, see the [init action definition](https://github.com/github/codeql-action/blob/main/init/action.yml).
- `analyze`: Finalizes the CodeQL database, runs the analysis, and uploads the results to Code Scanning. For information about input parameters, see the [analyze action definition](https://github.com/github/codeql-action/blob/main/analyze/action.yml).

Actions for uploading analyses generated by third-party tools:

- `upload-sarif`: Uploads a SARIF file to Code Scanning. If you are using the `analyze` action, there is no reason to use this action as well. For information about input parameters, see the [upload-sarif action definition](https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml).

Actions with special purposes and unlikely to be used directly:

- `autobuild`: Attempts to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead. For information about input parameters, see the [autobuild action definition](https://github.com/github/codeql-action/blob/main/autobuild/action.yml).
- `resolve-environment`: [Experimental] Attempts to infer a build environment suitable for automatic builds. For information about input parameters, see the [resolve-environment action definition](https://github.com/github/codeql-action/blob/main/resolve-environment/action.yml).
- `start-proxy`: [Experimental] Start the HTTP proxy server. Internal use only and will change without notice. For information about input parameters, see the [start-proxy action definition](https://github.com/github/codeql-action/blob/main/start-proxy/action.yml).

### Workflow Permissions

All advanced setup code scanning workflows must have the `security-events: write` permission. Workflows in private repositories must additionally have the `contents: read` permission. For more information, see "[Assigning permissions to jobs](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs)."

### Build Modes

The CodeQL Action supports different build modes for analyzing the source code. The available build modes are:

- `none`: The database will be created without building the source code. Available for all interpreted languages and some compiled languages.
- `autobuild`: The database will be created by attempting to automatically build the source code. Available for all compiled languages.
- `manual`: The database will be created by building the source code using a manually specified build command. To use this build mode, specify manual build steps in your workflow between the `init` and `analyze` steps. Available for all compiled languages.

#### Which build mode should I use?

Interpreted languages must use `none` for the build mode.

For compiled languages:

- `manual` build mode will typically produce the most precise results, but it is more difficult to set up and will cause the analysis to take slightly more time to run.
- `autobuild` build mode is simpler to set up, but will only work for projects with generic build steps that can be guessed by the heuristics of the autobuild scripts. If `autobuild` fails, then you must switch to `manual` or `none`. If `autobuild` succeeds, then the results and run time will be the same as `manual` mode.
- `none` build mode is also simpler to set up and is slightly faster to run, but there is a possibility that some alerts will be missed. This may happen if your repository does any code generation during compilation or if there are any dependencies downloaded from registries that the workflow does not have access to. `none` is not yet supported by C/C++, Swift, Go, or Kotlin.


## Supported versions of the CodeQL Action

The following versions of the CodeQL Action are currently supported:
Expand All @@ -45,7 +83,7 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
| `v2.22.1` | `2.14.6` | Enterprise Server 3.11 | Supports CodeQL Action v3, but did not ship with CodeQL Action v3. For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/#users-of-github-enterprise-server-311)." |
| `v2.20.3` | `2.13.5` | Enterprise Server 3.10 | Does not support CodeQL Action v3. |

CodeQL Action v2 will stop receiving updates when GHES 3.11 is deprecated.
CodeQL Action v2 will stop receiving updates when GHES 3.11 is deprecated.

See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).

Expand Down
2 changes: 1 addition & 1 deletion autobuild/action.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: 'CodeQL: Autobuild'
description: 'Attempt to automatically build code'
description: 'Attempt to automatically build the code. Only used for analyzing languages that require a build. Use the `build-mode: autobuild` input in the `init` action instead.'
author: 'GitHub'
inputs:
token:
Expand Down
107 changes: 50 additions & 57 deletions lib/actions-util.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading