Merge branch 'github:main' into amammad-python-paramiko

Author: am0o0

.bazelversion

@@ -1 +1 @@
-5.0.0
+6.1.2

.git-blame-ignore-revs

@@ -0,0 +1,21 @@
+# .git-blame-ignore-revs
+# Auto-formatted Java
+730eae952139209fe9fdf598541d608f4c0c0c84
+# Auto-formatted C#
+5ad7ed49dd3de03ec6dcfcb6848758a6a987e11c
+# Auto-formatted C/C++
+ef97e539ec1971494d4bba5cafe82e00bc8217ac
+# Auto-formatted Python
+21d5fa836b3a7d020ba45e8b8168b145a9772131
+# Auto-formatted JavaScript
+8d97fe9ed327a9546ff2eaf515cf0f5214deddd9
+# Auto-formatted Ruby
+a5d229903d2f12d45f2c2c38822f1d0e7504ae7f
+# Auto-formatted Go
+08c658e66bf867090033ea096e244a93d46c0aa7
+# Auto-formatted Swift
+711d7057f79fb7d72fc3b35e010bd018f9009169
+# Auto-formatted shared ql packs
+3640b6d3a8ce9edf8e1d3ed106fe8526cf255bc0
+# Auto-formatted taint tracking files
+159d8e978c51959b380838c080d891b66e763b19

.github/actions/cache-query-compilation/action.yml

@@ -9,7 +9,7 @@ inputs:
 outputs:
   cache-dir:
     description: "The directory where the cache was stored"
-    value: ${{ steps.fill-compilation-dir.outputs.compdir }}
+    value: ${{ steps.output-compilation-dir.outputs.compdir }}
 
 runs:
   using: composite
@@ -27,7 +27,9 @@ runs:
       if: ${{ github.event_name == 'pull_request' }}
       uses: actions/cache/restore@v3
       with:
-        path: '**/.cache'
+        path: |
+          **/.cache
+          ~/.codeql/compile-cache
         key: codeql-compile-${{ inputs.key }}-pr-${{ github.sha }}
         restore-keys: |
           codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-${{ env.merge_base }}
@@ -37,12 +39,22 @@ runs:
       if: ${{ github.event_name != 'pull_request' }}
       uses: actions/cache@v3
       with:
-        path: '**/.cache'
+        path: |
+          **/.cache
+          ~/.codeql/compile-cache
         key: codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-${{ github.sha }} # just fill on main
         restore-keys: | # restore the latest cache if the exact cache is unavailable, to speed up compilation.
           codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-
           codeql-compile-${{ inputs.key }}-main-
+    - name: Output-compilationdir
+      id: output-compilation-dir
+      shell: bash
+      run: |
+        echo "compdir=${COMBINED_CACHE_DIR}" >> $GITHUB_OUTPUT
+      env:
+        COMBINED_CACHE_DIR: ${{ runner.temp }}/compilation-dir
     - name: Fill compilation cache directory
+      id: fill-compilation-dir
       uses: actions/github-script@v6
       env: 
         COMBINED_CACHE_DIR: ${{ runner.temp }}/compilation-dir
@@ -58,6 +70,7 @@ runs:
 
           const fs = require("fs");
           const path = require("path");
+          const os = require("os");
 
           // the first argv is the cache folder to create.
           const COMBINED_CACHE_DIR = process.env.COMBINED_CACHE_DIR;
@@ -97,6 +110,17 @@ runs:
               console.log(`Found .cache dir at ${dir}`);
             }
 
+            const globalCacheDir = path.join(os.homedir(), ".codeql", "compile-cache");
+            if (fs.existsSync(globalCacheDir)) {
+              console.log("Found global home dir: " + globalCacheDir);
+              cacheDirs.push(globalCacheDir);
+            }
+
+            if (cacheDirs.length === 0) {
+              console.log("No cache dirs found");
+              return;
+            }
+
             // mkdir -p ${COMBINED_CACHE_DIR}
             fs.mkdirSync(COMBINED_CACHE_DIR, { recursive: true });
 

.github/workflows/atm-check-query-suite.yml

@@ -8,6 +8,7 @@ on:
       - "*/ql/src/**/*.qll"
       - "*/ql/lib/**/*.ql"
       - "*/ql/lib/**/*.qll"
+      - "*/ql/lib/**/*.yml"
       - "!**/experimental/**"
       - "!ql/**"
       - "!swift/**"

.github/workflows/atm-model-integration-tests.yml

@@ -26,9 +26,8 @@ jobs:
         shell: bash
         run: |
           EXIT_CODE=0
-          # TODO: remove the swift exception from the regex when we fix generated QLdoc
           # TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported
-          changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(swift|shared))[a-z]*/ql/lib' || true; } | sort -u)"
+          changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared))[a-z]*/ql/lib' || true; } | sort -u)"
           for pack_dir in ${changed_lib_packs}; do
             lang="${pack_dir%/ql/lib}"
             codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"

.github/workflows/check-change-note.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v7
+    - uses: actions/stale@v8
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'

.github/workflows/check-qldoc.yml

@@ -24,14 +24,14 @@ jobs:
         with: 
           key: all-queries
       - name: check formatting
-        run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 codeql query format --check-only
+        run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
       - name: compile queries - check-only
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}
         shell: bash
-        run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
       - name: compile queries - full
         # do full compile if running on main - this populates the cache
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
-        run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"

.github/workflows/close-stale.yml

@@ -0,0 +1,50 @@
+# Fast-forwards the branch specified in BRANCH_NAME
+# to the github.ref/sha that this workflow is run on.
+# Used as part of the release process, to ensure
+# external query writers can always access a branch of github/codeql
+# that is compatible with the latest stable release.
+name: Fast-forward tracking branch for selected CodeQL version
+on:
+  workflow_dispatch:
+
+jobs:
+  fast-forward:
+    name: Fast-forward tracking branch for selected CodeQL version
+    runs-on: ubuntu-latest
+    if: github.repository == 'github/codeql'
+    permissions:
+      contents: write
+    env:
+      BRANCH_NAME: 'lgtm.com'
+    steps:
+      - name: Validate chosen branch
+        if: ${{ !startsWith(github.ref_name, 'codeql-cli-') }}
+        shell: bash
+        run: |
+          echo "::error ::The $BRANCH_NAME tracking branch should only be fast-forwarded to the tip of a codeql-cli-* branch, got $GITHUB_REF_NAME instead."
+          exit 1
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Git config
+        shell: bash
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch
+        shell: bash
+        run: |
+          set -x
+          echo "Fetching $BRANCH_NAME"
+          # Explicitly unshallow and fetch to ensure the remote ref is available.
+          git fetch --unshallow origin "$BRANCH_NAME"
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+
+      - name: Fast-forward
+        shell: bash
+        run: |
+          echo "Fast-forwarding $BRANCH_NAME to ${GITHUB_REF}@${GITHUB_SHA}"
+          git merge --ff-only "$GITHUB_SHA"
+          git push origin "$BRANCH_NAME"