Merge main into releases/v3

.github/actions/prepare-test/action.yml

@@ -32,14 +32,20 @@ runs:
       run: |
         set -e # Fail this Action if `gh release list` fails.
 
+        if [[ ${{ inputs.version }} == "nightly-latest" ]]; then
+          extension="tar.zst"
+        else
+          extension="tar.gz"
+        fi
+
         if [[ ${{ inputs.use-all-platform-bundle }} == "true" ]]; then
-          artifact_name="codeql-bundle.tar.gz"
+          artifact_name="codeql-bundle.$extension"
         elif [[ "$RUNNER_OS" == "Linux" ]]; then
-          artifact_name="codeql-bundle-linux64.tar.gz"
+          artifact_name="codeql-bundle-linux64.$extension"
         elif [[ "$RUNNER_OS" == "macOS" ]]; then
-          artifact_name="codeql-bundle-osx64.tar.gz"
+          artifact_name="codeql-bundle-osx64.$extension"
         elif [[ "$RUNNER_OS" == "Windows" ]]; then
-          artifact_name="codeql-bundle-win64.tar.gz"
+          artifact_name="codeql-bundle-win64.$extension"
         else
           echo "::error::Unrecognized OS $RUNNER_OS"
           exit 1

.github/actions/setup-swift/action.yml

@@ -11,15 +11,15 @@ runs:
       id: get_swift_version
       if: runner.os == 'Linux'
       shell: bash
-      env: 
+      env:
         CODEQL_PATH: ${{ inputs.codeql-path }}
       run: |
         SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
         if [ $SWIFT_EXTRACTOR_DIR = "null" ]; then
           VERSION="null"
         else
           VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
-          # Specify 5.x.0, otherwise setup Action will default to latest minor version. 
+          # Specify 5.x.0, otherwise setup Action will default to latest minor version.
           if [ $VERSION = "5.7" ]; then
             VERSION="5.7.0"
           elif [ $VERSION = "5.8" ]; then
@@ -29,11 +29,11 @@ runs:
           # setup-swift does not yet support v5.9.1 Remove this when it does.
           elif [ $VERSION = "5.9.1" ]; then
             VERSION="5.9.0"
-          fi 
+          fi
         fi
         echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
 
-    - uses: redsun82/setup-swift@b2b6f77ab14f6a9b136b520dc53ec8eca27d2b99 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
+    - uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
       if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
       with:
         swift-version: "${{ steps.get_swift_version.outputs.version }}"

.github/workflows/pr-checks.yml

@@ -24,7 +24,16 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Lint
-        run: npm run-script lint
+        id: lint
+        run: npm run-script lint-ci
+
+      - name: Upload sarif
+        uses: github/codeql-action/upload-sarif@v3
+        # Only upload SARIF for the latest version of Node.js
+        if: "always() && matrix.node-types-version == 'current'"
+        with:
+          sarif_file: eslint.sarif
+          category: eslint
 
       - name: Update version of @types/node
         if: matrix.node-types-version != 'current'

.github/workflows/update-release-branch.yml

@@ -104,6 +104,7 @@ jobs:
   backport:
     timeout-minutes: 45
     runs-on: ubuntu-latest
+    environment: Automation
     needs: [prepare]
     if: ${{ (github.event_name == 'push') && needs.prepare.outputs.backport_target_branches != '[]' }}
     strategy:
@@ -114,17 +115,24 @@ jobs:
       SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
       TARGET_BRANCH: ${{ matrix.target_branch }}
     steps:
+    - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4
+      id: app-token
+      with:
+        app-id: ${{ vars.AUTOMATION_APP_ID }}
+        private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0  # Need full history for calculation of diffs
     - uses: ./.github/actions/release-initialise
 
     - name: Update older release branch
+      env:
+        GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
       run: |
         echo SOURCE_BRANCH=${SOURCE_BRANCH}
         echo TARGET_BRANCH=${TARGET_BRANCH}
         python .github/update-release-branch.py \
-          --github-token ${{ secrets.GITHUB_TOKEN }} \
+          --github-token ${GITHUB_TOKEN} \
           --repository-nwo ${{ github.repository }} \
           --source-branch ${SOURCE_BRANCH} \
           --target-branch ${TARGET_BRANCH} \

.gitignore

@@ -5,3 +5,5 @@ node_modules/.cache/
 *.class
 # macOS
 .DS_Store
+# eslint sarif report
+eslint.sarif

CHANGELOG.md

@@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
 
+## 3.26.7 - 13 Sep 2024
+
+- Update default CodeQL bundle version to 2.18.4. [#2471](https://github.com/github/codeql-action/pull/2471)
+
 ## 3.26.6 - 29 Aug 2024
 
 - Update default CodeQL bundle version to 2.18.3. [#2449](https://github.com/github/codeql-action/pull/2449)

README.md

@@ -33,20 +33,19 @@ To provide the best experience to customers using older versions of GitHub Enter
 
 For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/)."
 
-## Supported versions of the CodeQL Bundle and GitHub Enterprise Server
+## Supported versions of the CodeQL Bundle on GitHub Enterprise Server
 
 We typically release new minor versions of the CodeQL Action and Bundle when a new minor version of GitHub Enterprise Server (GHES) is released. When a version of GHES is deprecated, the CodeQL Action and Bundle releases that shipped with it are deprecated as well.
 
-| Recommended CodeQL Action | Recommended CodeQL Bundle Version | GitHub Environment |
-|---------|----------|--------------|
-| `v3` | default (do not pass a `tools` input) | GitHub.com |
-| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 |
-| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 |
-| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 |
-| `v2.22.1` | `2.14.6` | Enterprise Server 3.11 |
-| `v2.20.3` | `2.13.5` | Enterprise Server 3.10 |
+| Minimum CodeQL Action | Minimum CodeQL Bundle Version | GitHub Environment | Notes |
+|-----------------------|-------------------------------|--------------------|-------|
+| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 | |
+| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 | |
+| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 | |
+| `v2.22.1` | `2.14.6` | Enterprise Server 3.11 | Supports CodeQL Action v3, but did not ship with CodeQL Action v3. For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/#users-of-github-enterprise-server-311)." |
+| `v2.20.3` | `2.13.5` | Enterprise Server 3.10 | Does not support CodeQL Action v3. |
 
-CodeQL Action `v2` will stop receiving updates when GHES 3.11 is deprecated.
+CodeQL Action v2 will stop receiving updates when GHES 3.11 is deprecated. 
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 

analyze/action.yml

@@ -19,7 +19,7 @@ inputs:
     # If changing this, make sure to update workflow.ts accordingly.
     default: "always"
   cleanup-level:
-    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --mode flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
+    description: "Level of cleanup to perform on CodeQL databases at the end of the analyze step. This should either be 'none' to skip cleanup, or be a valid argument for the --cache-cleanup flag of the CodeQL CLI command 'codeql database cleanup' as documented at https://codeql.github.com/docs/codeql-cli/manual/database-cleanup"
     required: false
     default: "brutal"
   ram:

lib/defaults.json

@@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.18.3",
-    "cliVersion": "2.18.3",
-    "priorBundleVersion": "codeql-bundle-v2.18.2",
-    "priorCliVersion": "2.18.2"
+    "bundleVersion": "codeql-bundle-v2.18.4",
+    "cliVersion": "2.18.4",
+    "priorBundleVersion": "codeql-bundle-v2.18.3",
+    "priorCliVersion": "2.18.3"
 }