Use lockfile when downloading CodeQL distribution

Author: koesie10

extensions/ql-vscode/package-lock.json

@@ -1986,6 +1986,7 @@
     "msw": "^2.2.13",
     "nanoid": "^5.0.7",
     "p-queue": "^8.0.1",
+    "proper-lockfile": "^4.1.2",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "semver": "^7.6.2",
@@ -2040,6 +2041,7 @@
     "@types/js-yaml": "^4.0.6",
     "@types/nanoid": "^3.0.0",
     "@types/node": "20.16.*",
+    "@types/proper-lockfile": "^4.1.4",
     "@types/react": "^18.3.1",
     "@types/react-dom": "^18.3.0",
     "@types/sarif": "^2.1.2",

extensions/ql-vscode/package.json

@@ -1,5 +1,11 @@
 import type { WriteStream } from "fs";
-import { createWriteStream, mkdtemp, pathExists, remove } from "fs-extra";
+import {
+  createWriteStream,
+  mkdtemp,
+  pathExists,
+  remove,
+  writeJson,
+} from "fs-extra";
 import { tmpdir } from "os";
 import { delimiter, dirname, join } from "path";
 import { Range, satisfies } from "semver";
@@ -28,6 +34,7 @@ import { reportUnzipProgress } from "../common/vscode/unzip-progress";
 import type { Release } from "./distribution/release";
 import { ReleasesApiConsumer } from "./distribution/releases-api-consumer";
 import { createTimeoutSignal } from "../common/fetch-stream";
+import { withDistributionUpdateLock } from "./lock";
 
 /**
  * distribution.ts
@@ -350,9 +357,24 @@ class ExtensionSpecificDistributionManager {
     release: Release,
     progressCallback?: ProgressCallback,
   ): Promise<void> {
-    await this.downloadDistribution(release, progressCallback);
-    // Store the installed release within the global extension state.
-    await this.storeInstalledRelease(release);
+    const distributionStatePath = join(
+      this.extensionContext.globalStorageUri.fsPath,
+      ExtensionSpecificDistributionManager._distributionStateFilename,
+    );
+    if (!(await pathExists(distributionStatePath))) {
+      // This may result in a race condition, but when this happens both processes should write the same file.
+      await writeJson(distributionStatePath, {});
+    }
+
+    await withDistributionUpdateLock(
+      // .lock will be appended to this filename
+      distributionStatePath,
+      async () => {
+        await this.downloadDistribution(release, progressCallback);
+        // Store the installed release within the global extension state.
+        await this.storeInstalledRelease(release);
+      },
+    );
   }
 
   private async downloadDistribution(
@@ -615,6 +637,7 @@ class ExtensionSpecificDistributionManager {
     "distributionFolderIndex";
   private static readonly _installedReleaseStateKey = "distributionRelease";
   private static readonly _codeQlExtractedFolderName = "codeql";
+  private static readonly _distributionStateFilename = "distribution.json";
 }
 
 /*

extensions/ql-vscode/src/codeql-cli/distribution.ts

@@ -0,0 +1,22 @@
+import { lock } from "proper-lockfile";
+
+export async function withDistributionUpdateLock(
+  lockFile: string,
+  f: () => Promise<void>,
+) {
+  const release = await lock(lockFile, {
+    stale: 60_000, // 1 minute. We can take the lock longer than this because that's based on the update interval.
+    update: 10_000, // 10 seconds
+    retries: {
+      minTimeout: 10_000,
+      maxTimeout: 60_000,
+      retries: 100,
+    },
+  });
+
+  try {
+    await f();
+  } finally {
+    await release();
+  }
+}