Merge branch 'main' into denisl/goreferenceupdate

Author: denislevin

.bazelversion

@@ -1 +1 @@
-8.0.0
+8.1.1

.github/workflows/microsoft-codeql-pack-publish.yml

@@ -0,0 +1,152 @@
+name: Microsoft CodeQL Pack Publish
+
+on:
+  workflow_dispatch:
+
+jobs:
+  check-branch:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Fail if not on main branch
+      run: |
+        if [ "$GITHUB_REF" != "refs/heads/main" ]; then
+          echo "This workflow can only run on the 'main' branch."
+          exit 1
+        fi
+  codeqlversion:
+    needs: check-branch
+    runs-on: ubuntu-latest
+    outputs:
+      codeql_version: ${{ steps.set_codeql_version.outputs.codeql_version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 
+      - name: Set CodeQL Version
+        id: set_codeql_version
+        run: |
+            git fetch
+            git fetch --tags
+            CURRENT_COMMIT=$(git rev-list -1 HEAD)
+            CURRENT_TAG=$(git describe --tags --abbrev=0 --match 'codeql-cli/v*' $CURRENT_COMMIT)
+            CODEQL_VERSION="${CURRENT_TAG#codeql-cli/}"
+            echo "CODEQL_VERSION=$CODEQL_VERSION" >> $GITHUB_OUTPUT
+  publishlibs:
+    environment: secure-publish
+    needs: codeqlversion
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language: ['powershell']
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Install CodeQL
+      shell: bash
+      run: |
+        gh extension install github/gh-codeql
+        gh codeql download "${{ needs.codeqlversion.outputs.codeql_version }}"
+        gh codeql set-version "${{ needs.codeqlversion.outputs.codeql_version }}"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: Publish OS Microsoft CodeQL Lib Pack
+      shell: bash
+      run: |
+        # Download latest qlpack
+        gh codeql pack download "microsoft/$LANGUAGE-all"
+        PACK_DIR="$HOME/.codeql/packages/microsoft/$LANGUAGE-all"
+        VERSION_COUNT=$(ls -d "$PACK_DIR"/*/ | wc -l)
+        [[ "$VERSION_COUNT" -ne 1 ]] && { echo "Expected exactly one version in $PACK_DIR, but found $VERSION_COUNT. Exiting."; exit 1; }
+
+        # Increment version
+        CURRENT_VERSION=$(ls -v "$PACK_DIR" | tail -n 1)
+        MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
+        MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
+        PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
+        NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
+
+        # Extract dependencies from the existing qlpack.yml before deleting
+        DEPENDENCIES=$(yq 'select(has("dependencies")) | .dependencies | {"dependencies": .}' "$LANGUAGE/ql/lib/qlpack.yml" 2>/dev/null)
+        DATAEXTENSIONS=$(yq 'select(has("dataExtensions")) | .dataExtensions | {"dataExtensions": .}' "$LANGUAGE/ql/lib/qlpack.yml" 2>/dev/null)
+        rm -f "$LANGUAGE/ql/lib/qlpack.yml" "$LANGUAGE/ql/lib/qlpack.lock"
+
+        # Create new qlpack.yml with modified content
+        cat <<EOF > "$LANGUAGE/ql/lib/qlpack.yml"
+        name: microsoft/$LANGUAGE-all
+        version: $NEXT_VERSION
+        extractor: $LANGUAGE
+        groups:
+          - $LANGUAGE
+          - microsoft-all
+        dbscheme: semmlecode.$LANGUAGE.dbscheme
+        extractor: $LANGUAGE
+        library: true
+        upgrades: upgrades
+        $DEPENDENCIES
+        $DATAEXTENSIONS
+        warnOnImplicitThis: true
+        EOF
+
+        # Publish pack
+        cat "$LANGUAGE/ql/lib/qlpack.yml"
+        gh codeql pack publish "$LANGUAGE/ql/lib"
+      env:
+        LANGUAGE: ${{ matrix.language }}
+        GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
+  publish:
+    environment: secure-publish
+    needs: codeqlversion
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language: ['csharp', 'cpp', 'java', 'javascript', 'python', 'ruby', 'go', 'rust', 'swift', 'powershell']
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Install CodeQL
+      shell: bash
+      run: |
+        gh extension install github/gh-codeql
+        gh codeql download "${{ needs.codeqlversion.outputs.codeql_version }}"
+        gh codeql set-version "${{ needs.codeqlversion.outputs.codeql_version }}"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: Publish OS Microsoft CodeQL Pack
+      shell: bash
+      run: |
+        # Download latest qlpack
+        gh codeql pack download "microsoft/$LANGUAGE-queries"
+        PACK_DIR="$HOME/.codeql/packages/microsoft/$LANGUAGE-queries"
+        VERSION_COUNT=$(ls -d "$PACK_DIR"/*/ | wc -l)
+        [[ "$VERSION_COUNT" -ne 1 ]] && { echo "Expected exactly one version in $PACK_DIR, but found $VERSION_COUNT. Exiting."; exit 1; }
+
+        # Increment version
+        CURRENT_VERSION=$(ls -v "$PACK_DIR" | tail -n 1)
+        MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
+        MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
+        PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
+        NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
+
+        # Extract dependencies from the existing qlpack.yml before deleting
+        DEPENDENCIES=$(yq 'select(has("dependencies")) | .dependencies | {"dependencies": .}' "$LANGUAGE/ql/src/qlpack.yml" 2>/dev/null)
+        rm -f "$LANGUAGE/ql/src/qlpack.yml" "$LANGUAGE/ql/src/qlpack.lock"
+
+        # Create new qlpack.yml with modified content
+        cat <<EOF > "$LANGUAGE/ql/src/qlpack.yml"
+        name: microsoft/$LANGUAGE-queries
+        version: $NEXT_VERSION
+        extractor: $LANGUAGE
+        groups:
+          - $LANGUAGE
+          - queries
+        $DEPENDENCIES
+        EOF
+
+        # Publish pack
+        cat "$LANGUAGE/ql/src/qlpack.yml"
+        gh codeql pack publish "$LANGUAGE/ql/src"
+      env:
+        LANGUAGE: ${{ matrix.language }}
+        GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
+

.github/workflows/sync-main-tags.yml

@@ -21,6 +21,7 @@ jobs:
           fetch-depth: 0
       - name: Push Tags
         run: |
+          git remote add upstream https://github.com/github/codeql.git
           git fetch upstream --tags --force
           git push --force origin --tags
         env:

.github/workflows/sync-main.yml

@@ -78,7 +78,7 @@ jobs:
                 --label 'autogenerated' \
                 --title 'Sync Main (autogenerated)' \
                 --body "This PR syncs the latest changes from \`codeql-cli/latest\` into \`main\`." \
-                --reviewer 'MathiasVP'
+                --reviewer 'MathiasVP' \
                 --reviewer 'ropwareJB'
             else
               echo "No changes to sync from auto/sync-main-pr to main. Exiting gracefully."

CODEOWNERS

@@ -14,6 +14,9 @@
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
+# Experimental CodeQL cryptography
+**/experimental/quantum/ @github/ps-codeql
+
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
 /docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers

actions/extractor/tools/autobuild-impl.ps1

@@ -1,27 +1,34 @@
-if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
-    Write-Output 'Path filters set. Passing them through to the JavaScript extractor.' 
-} else {
-    Write-Output 'No path filters set. Using the default filters.'
-    # Note: We're adding the `reusable_workflows` subdirectories to proactively
-    # record workflows that were called cross-repo, check them out locally,
-    # and enable an interprocedural analysis across the workflow files.
-    # These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
-    $DefaultPathFilters = @(
-        'exclude:**/*',
-        'include:.github/workflows/*.yml',
-        'include:.github/workflows/*.yaml',
-        'include:.github/reusable_workflows/**/*.yml',
-        'include:.github/reusable_workflows/**/*.yaml',
-        'include:**/action.yml',
-        'include:**/action.yaml'
-    )
+# Note: We're adding the `reusable_workflows` subdirectories to proactively
+# record workflows that were called cross-repo, check them out locally,
+# and enable an interprocedural analysis across the workflow files.
+# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
+$DefaultPathFilters = @(
+    'exclude:**/*',
+    'include:.github/workflows/*.yml',
+    'include:.github/workflows/*.yaml',
+    'include:.github/reusable_workflows/**/*.yml',
+    'include:.github/reusable_workflows/**/*.yaml',
+    'include:**/action.yml',
+    'include:**/action.yaml'
+)
 
+if ($null -ne $env:LGTM_INDEX_FILTERS) {
+    Write-Output 'LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor.'
+    # Begin with the default path inclusions only,
+    # followed by the user-provided filters.
+    # If the user provided `paths`, those patterns override the default inclusions
+    # (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
+    # If the user provided `paths-ignore`, those patterns are excluded.
+    $PathFilters = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS
+    $env:LGTM_INDEX_FILTERS = $PathFilters
+} else {
+    Write-Output 'LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor.'
     $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
 }
 
 # Find the JavaScript extractor directory via `codeql resolve extractor`.
 $CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &"$CodeQL" resolve extractor --language javascript
 if ($LASTEXITCODE -ne 0) {
     throw 'Failed to resolve JavaScript extractor.'
 }
@@ -40,7 +47,7 @@ $env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTI
 $env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
 $env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
 
-&$JavaScriptAutoBuild
+&"$JavaScriptAutoBuild"
 if ($LASTEXITCODE -ne 0) {
     throw "JavaScript autobuilder failed."
 }

actions/extractor/tools/autobuild.cmd

@@ -1,3 +1,4 @@
 @echo off
 rem All of the work is done in the PowerShell script
-powershell.exe %~dp0autobuild-impl.ps1
+echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
+powershell.exe -File "%~dp0autobuild-impl.ps1"

actions/extractor/tools/autobuild.sh

@@ -17,16 +17,28 @@ include:**/action.yaml
 END
 )
 
-if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
-    echo "Path filters set. Passing them through to the JavaScript extractor."
+if [ -n "${LGTM_INDEX_FILTERS:-}" ]; then
+    echo "LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor."
+    # Begin with the default path inclusions only,
+    # followed by the user-provided filters.
+    # If the user provided `paths`, those patterns override the default inclusions
+    # (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
+    # If the user provided `paths-ignore`, those patterns are excluded.
+    PATH_FILTERS="$(cat << END
+${DEFAULT_PATH_FILTERS}
+${LGTM_INDEX_FILTERS}
+END
+)"
+    LGTM_INDEX_FILTERS="${PATH_FILTERS}"
+    export LGTM_INDEX_FILTERS
 else
-    echo "No path filters set. Using the default filters."
+    echo "LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor."
     LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
     export LGTM_INDEX_FILTERS
 fi
 
 # Find the JavaScript extractor directory via `codeql resolve extractor`.
-CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
+CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"
 export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
 
 echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
@@ -42,4 +54,4 @@ env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGN
     CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
     CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
     CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
-    ${JAVASCRIPT_AUTO_BUILD}
+    "${JAVASCRIPT_AUTO_BUILD}"

actions/ql/integration-tests/filters-default/actions.ql

@@ -0,0 +1,5 @@
+import actions
+
+from AstNode n
+where n instanceof Workflow or n instanceof CompositeAction
+select n

actions/ql/integration-tests/filters/actions.default-filters.expected

@@ -0,0 +1,6 @@
+| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
+| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
+| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
+| src/action.yml:1:1:11:32 | name: ' ... action' |
+| src/excluded/action.yml:1:1:11:32 | name: ' ... action' |
+| src/included/action.yml:1:1:11:32 | name: ' ... action' |