Fix GitHub History + Upgrade to 2.22.2

.gitattributes

@@ -88,3 +88,8 @@
 # swift prebuilt resources
 /swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
 /swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text
+
+# This upgrade script must use windows line-endings to be compatible with old
+# databases.
+/powershell/ql/lib/upgrades/ce269c61feda10a8ca0d16519085f7e55741a694/old.dbscheme eol=crlf
+/powershell/downgrades/802d5b9f407fb0dac894df1c0b4584f2215e1512/semmlecode.powershell.dbscheme eol=crlf

.github/workflows/go-tests.yml

@@ -1,20 +1,9 @@
 name: "Go: Run Tests"
 on:
-  push:
-    paths:
-      - "go/**"
-      - "!go/documentation/**"
-      - "shared/**"
-      - .github/workflows/go-tests.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-    branches:
-      - main
-      - "rc/*"
   pull_request:
     paths:
       - "go/**"
-      - "!go/documentation/**"      
+      - "!go/documentation/**"
       - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**

.github/workflows/microsoft-codeql-pack-publish.yml

@@ -0,0 +1,152 @@
+name: Microsoft CodeQL Pack Publish
+
+on:
+  workflow_dispatch:
+
+jobs:
+  check-branch:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Fail if not on main branch
+      run: |
+        if [ "$GITHUB_REF" != "refs/heads/main" ]; then
+          echo "This workflow can only run on the 'main' branch."
+          exit 1
+        fi
+  codeqlversion:
+    needs: check-branch
+    runs-on: ubuntu-latest
+    outputs:
+      codeql_version: ${{ steps.set_codeql_version.outputs.codeql_version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 
+      - name: Set CodeQL Version
+        id: set_codeql_version
+        run: |
+            git fetch
+            git fetch --tags
+            CURRENT_COMMIT=$(git rev-list -1 HEAD)
+            CURRENT_TAG=$(git describe --tags --abbrev=0 --match 'codeql-cli/v*' $CURRENT_COMMIT)
+            CODEQL_VERSION="${CURRENT_TAG#codeql-cli/}"
+            echo "CODEQL_VERSION=$CODEQL_VERSION" >> $GITHUB_OUTPUT
+  publishlibs:
+    environment: secure-publish
+    needs: codeqlversion
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language: ['powershell']
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Install CodeQL
+      shell: bash
+      run: |
+        gh extension install github/gh-codeql
+        gh codeql download "${{ needs.codeqlversion.outputs.codeql_version }}"
+        gh codeql set-version "${{ needs.codeqlversion.outputs.codeql_version }}"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: Publish OS Microsoft CodeQL Lib Pack
+      shell: bash
+      run: |
+        # Download latest qlpack
+        gh codeql pack download "microsoft/$LANGUAGE-all"
+        PACK_DIR="$HOME/.codeql/packages/microsoft/$LANGUAGE-all"
+        VERSION_COUNT=$(ls -d "$PACK_DIR"/*/ | wc -l)
+        [[ "$VERSION_COUNT" -ne 1 ]] && { echo "Expected exactly one version in $PACK_DIR, but found $VERSION_COUNT. Exiting."; exit 1; }
+
+        # Increment version
+        CURRENT_VERSION=$(ls -v "$PACK_DIR" | tail -n 1)
+        MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
+        MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
+        PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
+        NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
+
+        # Extract dependencies from the existing qlpack.yml before deleting
+        DEPENDENCIES=$(yq 'select(has("dependencies")) | .dependencies | {"dependencies": .}' "$LANGUAGE/ql/lib/qlpack.yml" 2>/dev/null)
+        DATAEXTENSIONS=$(yq 'select(has("dataExtensions")) | .dataExtensions | {"dataExtensions": .}' "$LANGUAGE/ql/lib/qlpack.yml" 2>/dev/null)
+        rm -f "$LANGUAGE/ql/lib/qlpack.yml" "$LANGUAGE/ql/lib/qlpack.lock"
+
+        # Create new qlpack.yml with modified content
+        cat <<EOF > "$LANGUAGE/ql/lib/qlpack.yml"
+        name: microsoft/$LANGUAGE-all
+        version: $NEXT_VERSION
+        extractor: $LANGUAGE
+        groups:
+          - $LANGUAGE
+          - microsoft-all
+        dbscheme: semmlecode.$LANGUAGE.dbscheme
+        extractor: $LANGUAGE
+        library: true
+        upgrades: upgrades
+        $DEPENDENCIES
+        $DATAEXTENSIONS
+        warnOnImplicitThis: true
+        EOF
+
+        # Publish pack
+        cat "$LANGUAGE/ql/lib/qlpack.yml"
+        gh codeql pack publish "$LANGUAGE/ql/lib"
+      env:
+        LANGUAGE: ${{ matrix.language }}
+        GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
+  publish:
+    environment: secure-publish
+    needs: codeqlversion
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language: ['csharp', 'cpp', 'java', 'javascript', 'python', 'ruby', 'go', 'rust', 'swift', 'powershell', 'iac']
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Install CodeQL
+      shell: bash
+      run: |
+        gh extension install github/gh-codeql
+        gh codeql download "${{ needs.codeqlversion.outputs.codeql_version }}"
+        gh codeql set-version "${{ needs.codeqlversion.outputs.codeql_version }}"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: Publish OS Microsoft CodeQL Pack
+      shell: bash
+      run: |
+        # Download latest qlpack
+        gh codeql pack download "microsoft/$LANGUAGE-queries"
+        PACK_DIR="$HOME/.codeql/packages/microsoft/$LANGUAGE-queries"
+        VERSION_COUNT=$(ls -d "$PACK_DIR"/*/ | wc -l)
+        [[ "$VERSION_COUNT" -ne 1 ]] && { echo "Expected exactly one version in $PACK_DIR, but found $VERSION_COUNT. Exiting."; exit 1; }
+
+        # Increment version
+        CURRENT_VERSION=$(ls -v "$PACK_DIR" | tail -n 1)
+        MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
+        MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
+        PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
+        NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
+
+        # Extract dependencies from the existing qlpack.yml before deleting
+        DEPENDENCIES=$(yq 'select(has("dependencies")) | .dependencies | {"dependencies": .}' "$LANGUAGE/ql/src/qlpack.yml" 2>/dev/null)
+        rm -f "$LANGUAGE/ql/src/qlpack.yml" "$LANGUAGE/ql/src/qlpack.lock"
+
+        # Create new qlpack.yml with modified content
+        cat <<EOF > "$LANGUAGE/ql/src/qlpack.yml"
+        name: microsoft/$LANGUAGE-queries
+        version: $NEXT_VERSION
+        extractor: $LANGUAGE
+        groups:
+          - $LANGUAGE
+          - queries
+        $DEPENDENCIES
+        EOF
+
+        # Publish pack
+        cat "$LANGUAGE/ql/src/qlpack.yml"
+        gh codeql pack publish "$LANGUAGE/ql/src"
+      env:
+        LANGUAGE: ${{ matrix.language }}
+        GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
+

.github/workflows/powershell-pr-check.yml

@@ -0,0 +1,32 @@
+name: PowerShell PR Check
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  powershell-pr-check:
+    name: powershell-pr-check
+    runs-on: windows-latest
+    if: github.repository == 'microsoft/codeql'
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ github.token }}
+      - name: Setup CodeQL
+        uses: ./.github/actions/fetch-codeql
+        with:
+          channel: release
+      - name: Install PowerShell
+        run: |
+          $path = Split-Path (Get-Command codeql).Source
+          ./powershell/build-win64.ps1 $path
+      - name: Run QL tests
+        run: |
+          codeql test run --threads=0 powershell/ql/test

.github/workflows/sync-main-tags.yml

@@ -0,0 +1,28 @@
+name: Sync Main Tags
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+
+jobs:
+  sync-main-tags:
+    name: Sync Main Tags
+    runs-on: ubuntu-latest
+    if: github.repository == 'microsoft/codeql' && github.event.pull_request.merged == true && github.event.pull_request.head.ref == 'auto/sync-main-pr'
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Push Tags
+        run: |
+          git remote add upstream https://github.com/github/codeql.git
+          git fetch upstream --tags --force
+          git push --force origin --tags
+        env:
+          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}

.github/workflows/sync-main.yml

@@ -0,0 +1,91 @@
+name: Sync Main
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/sync-main.yml
+  schedule:
+    - cron: '55 * * * *'
+
+jobs:
+  sync-main:
+    name: Sync-main
+    runs-on: ubuntu-latest
+    if: github.repository == 'microsoft/codeql'
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.WORKFLOW_TOKEN }}
+      - name: Git config
+        shell: bash
+        run: |
+          git config user.name "dilanbhalla"
+          git config user.email "[email protected]"
+      - name: Git checkout auto/sync-main-pr
+        shell: bash
+        run: |
+          git fetch origin
+          if git ls-remote --exit-code --heads origin auto/sync-main-pr > /dev/null; then
+            echo "Branch exists remotely. Checking it out."
+            git checkout -B auto/sync-main-pr origin/auto/sync-main-pr
+          else
+            echo "Branch does not exist remotely. Creating from main."
+            git checkout -B auto/sync-main-pr origin/main
+            git push -u origin auto/sync-main-pr
+          fi
+      - name: Sync origin/main
+        shell: bash
+        run: |
+          echo "::group::Sync with main branch"
+          git pull origin auto/sync-main-pr; exitCode=$?; if [ $exitCode -ne 0 ]; then exitCode=0; fi
+          git pull origin main --no-rebase
+          git push --force origin auto/sync-main-pr
+          echo "::endgroup::"
+      - name: Sync upstream/codeql-cli/latest
+        shell: bash
+        run: |
+          echo "::group::Set up remote"
+          git remote add upstream https://github.com/github/codeql.git
+          git fetch upstream --tags --force
+          echo "::endgroup::"
+          echo "::group::Merge codeql-cli/latest"
+          set -x
+          git merge codeql-cli/latest
+          set +x
+          echo "::endgroup::"
+      - name: Push sync branch
+        run: |
+          git push origin auto/sync-main-pr
+        env:
+          GITHUB_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+      - name: Create PR if it doesn't exist
+        shell: bash
+        run: |
+          pr_number=$(gh pr list --repo microsoft/codeql --head auto/sync-main-pr --base main --json number --jq '.[0].number')
+          if [ -n "$pr_number" ]; then
+            echo "PR from auto/sync-main-pr to main already exists (PR #$pr_number). Exiting gracefully."
+          else
+            if git fetch origin main auto/sync-main-pr && [ -n "$(git rev-list origin/main..origin/auto/sync-main-pr)" ]; then
+              echo "PR does not exist. Creating one..."
+              gh pr create --repo microsoft/codeql --fill -B main -H auto/sync-main-pr \
+                --label 'autogenerated' \
+                --title 'Sync Main (autogenerated)' \
+                --body "This PR syncs the latest changes from \`codeql-cli/latest\` into \`main\`." \
+                --reviewer 'MathiasVP' \
+                --reviewer 'ropwareJB'
+            else
+              echo "No changes to sync from auto/sync-main-pr to main. Exiting gracefully."
+            fi
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+