Skip to content

Commit 7dbad99

Browse files
authored
Merge pull request #372 from microsoft/auto/sync-main-pr
CLI Update 2.26.0
2 parents 8d76432 + 4cb6867 commit 7dbad99

2,354 files changed

Lines changed: 110104 additions & 28249 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 208 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,208 @@
1+
name: Update Go version
2+
3+
on:
4+
workflow_dispatch:
5+
schedule:
6+
- cron: "0 3 * * 1" # Run weekly on Mondays at 3 AM UTC (1 = Monday)
7+
8+
permissions:
9+
contents: write
10+
pull-requests: write
11+
12+
jobs:
13+
update-go-version:
14+
name: Check and update Go version
15+
if: github.repository == 'github/codeql'
16+
runs-on: ubuntu-latest
17+
18+
steps:
19+
- name: Checkout repository
20+
uses: actions/checkout@v5
21+
with:
22+
fetch-depth: 0
23+
24+
- name: Set up Git
25+
run: |
26+
git config user.name "github-actions[bot]"
27+
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
28+
29+
- name: Fetch latest Go version
30+
id: fetch-version
31+
run: |
32+
LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
33+
34+
if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
35+
echo "Error: Failed to fetch latest Go version from go.dev"
36+
exit 1
37+
fi
38+
39+
echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
40+
echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
41+
42+
# Extract version numbers (e.g., go1.26.0 -> 1.26.0)
43+
LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
44+
echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
45+
46+
# Extract major.minor version (e.g., 1.26.0 -> 1.26)
47+
LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
48+
echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
49+
50+
- name: Check current Go version
51+
id: current-version
52+
run: |
53+
CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
54+
55+
if [ -z "$CURRENT_VERSION" ]; then
56+
echo "Error: Could not extract Go version from MODULE.bazel"
57+
exit 1
58+
fi
59+
60+
echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
61+
echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
62+
63+
# Extract major.minor version
64+
CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
65+
echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
66+
67+
- name: Compare versions
68+
id: compare
69+
run: |
70+
LATEST="${{ steps.fetch-version.outputs.version_num }}"
71+
CURRENT="${{ steps.current-version.outputs.version }}"
72+
73+
echo "Latest: $LATEST"
74+
echo "Current: $CURRENT"
75+
76+
if [ "$LATEST" = "$CURRENT" ]; then
77+
echo "Go version is up to date"
78+
echo "needs_update=false" >> $GITHUB_OUTPUT
79+
else
80+
echo "Go version needs update from $CURRENT to $LATEST"
81+
echo "needs_update=true" >> $GITHUB_OUTPUT
82+
fi
83+
84+
- name: Update Go version in files
85+
if: steps.compare.outputs.needs_update == 'true'
86+
run: |
87+
LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
88+
LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
89+
CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
90+
CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
91+
92+
echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
93+
94+
# Escape dots in current version strings for use in sed patterns
95+
CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
96+
CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
97+
98+
# Update MODULE.bazel
99+
sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
100+
if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
101+
echo "Error: Failed to update MODULE.bazel"
102+
exit 1
103+
fi
104+
105+
# Update go/extractor/go.mod
106+
if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
107+
echo "Warning: Failed to update go directive in go.mod"
108+
fi
109+
if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
110+
echo "Warning: Failed to update toolchain in go.mod"
111+
fi
112+
113+
# Update go/extractor/autobuilder/build-environment.go
114+
if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
115+
echo "Warning: Failed to update build-environment.go"
116+
fi
117+
118+
# Update go/actions/test/action.yml
119+
if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
120+
echo "Warning: Failed to update action.yml"
121+
fi
122+
123+
# Show what changed
124+
git diff
125+
126+
- name: Check for changes
127+
id: check-changes
128+
if: steps.compare.outputs.needs_update == 'true'
129+
run: |
130+
if git diff --quiet; then
131+
echo "No changes detected"
132+
echo "has_changes=false" >> $GITHUB_OUTPUT
133+
else
134+
echo "Changes detected"
135+
echo "has_changes=true" >> $GITHUB_OUTPUT
136+
fi
137+
138+
- name: Check for existing PR
139+
if: steps.check-changes.outputs.has_changes == 'true'
140+
id: check-pr
141+
env:
142+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
143+
run: |
144+
BRANCH_NAME="workflow/go-version-update"
145+
PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
146+
147+
if [ -n "$PR_NUMBER" ]; then
148+
echo "Existing PR found: #$PR_NUMBER"
149+
echo "pr_exists=true" >> $GITHUB_OUTPUT
150+
echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
151+
else
152+
echo "No existing PR found"
153+
echo "pr_exists=false" >> $GITHUB_OUTPUT
154+
fi
155+
156+
- name: Commit and push changes
157+
if: steps.check-changes.outputs.has_changes == 'true'
158+
run: |
159+
BRANCH_NAME="workflow/go-version-update"
160+
LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
161+
LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
162+
163+
# Create or switch to branch
164+
git checkout -B "$BRANCH_NAME"
165+
166+
# Stage and commit changes
167+
git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
168+
git commit -m "Go: Update to $LATEST_VERSION_NUM"
169+
170+
# Push changes
171+
git push --force-with-lease origin "$BRANCH_NAME"
172+
173+
- name: Create or update PR
174+
if: steps.check-changes.outputs.has_changes == 'true'
175+
env:
176+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
177+
run: |
178+
BRANCH_NAME="workflow/go-version-update"
179+
LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
180+
CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
181+
182+
PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
183+
184+
PR_BODY=$(cat <<EOF
185+
This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
186+
187+
Updated files:
188+
- \`MODULE.bazel\` - go_sdk.download version
189+
- \`go/extractor/go.mod\` - go directive and toolchain
190+
- \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
191+
- \`go/actions/test/action.yml\` - default go-test-version
192+
193+
This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
194+
EOF
195+
)
196+
197+
if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
198+
echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
199+
gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
200+
else
201+
echo "Creating new PR"
202+
gh pr create \
203+
--title "$PR_TITLE" \
204+
--body "$PR_BODY" \
205+
--base main \
206+
--head "$BRANCH_NAME" \
207+
--label "Go"
208+
fi

CODEOWNERS

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
* @github/code-scanning-alert-coverage
33

44
# CodeQL language libraries
5-
/actions/ @github/codeql-dynamic
5+
/actions/ @github/code-scanning-alert-coverage
66
/cpp/ @github/codeql-c-analysis
77
/csharp/ @github/codeql-csharp
88
/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor @github/code-scanning-language-coverage
@@ -59,9 +59,5 @@ MODULE.bazel @github/codeql-ci-reviewers
5959
/.github/workflows/rust.yml @github/codeql-rust
6060
/.github/workflows/swift.yml @github/codeql-swift
6161

62-
# Misc
63-
/misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
64-
/misc/scripts/generate-code-scanning-query-list.py @RasmusWL
65-
6662
# .devcontainer
6763
/.devcontainer/ @github/codeql-ci-reviewers

MODULE.bazel

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -248,6 +248,7 @@ use_repo(
248248
"kotlin-compiler-2.2.20-Beta2",
249249
"kotlin-compiler-2.3.0",
250250
"kotlin-compiler-2.3.20",
251+
"kotlin-compiler-2.4.0",
251252
"kotlin-compiler-embeddable-1.8.0",
252253
"kotlin-compiler-embeddable-1.9.0-Beta",
253254
"kotlin-compiler-embeddable-1.9.20-Beta",
@@ -259,6 +260,7 @@ use_repo(
259260
"kotlin-compiler-embeddable-2.2.20-Beta2",
260261
"kotlin-compiler-embeddable-2.3.0",
261262
"kotlin-compiler-embeddable-2.3.20",
263+
"kotlin-compiler-embeddable-2.4.0",
262264
"kotlin-stdlib-1.8.0",
263265
"kotlin-stdlib-1.9.0-Beta",
264266
"kotlin-stdlib-1.9.20-Beta",
@@ -270,10 +272,11 @@ use_repo(
270272
"kotlin-stdlib-2.2.20-Beta2",
271273
"kotlin-stdlib-2.3.0",
272274
"kotlin-stdlib-2.3.20",
275+
"kotlin-stdlib-2.4.0",
273276
)
274277

275278
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
276-
go_sdk.download(version = "1.26.0")
279+
go_sdk.download(version = "1.26.4")
277280

278281
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
279282
go_deps.from_file(go_mod = "//go/extractor:go.mod")

actions/ql/lib/CHANGELOG.md

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,15 @@
1+
## 0.4.38
2+
3+
### Bug Fixes
4+
5+
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
6+
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
7+
18
## 0.4.37
29

310
### Minor Analysis Improvements
411

5-
* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
12+
* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
613

714
## 0.4.36
815

actions/ql/lib/change-notes/released/0.4.37.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@
22

33
### Minor Analysis Improvements
44

5-
* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
5+
* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
## 0.4.38
2+
3+
### Bug Fixes
4+
5+
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
6+
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,2 @@
11
---
2-
lastReleaseVersion: 0.4.37
2+
lastReleaseVersion: 0.4.38

actions/ql/lib/codeql/actions/ast/internal/Ast.qll

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1920,3 +1920,5 @@ private YamlMappingLikeNode resolveMatrixAccessPath(
19201920
else result = resolveMatrixAccessPath(newRoot, rest)
19211921
)
19221922
}
1923+
1924+
class Comment = YamlComment;

actions/ql/lib/codeql/actions/ast/internal/Yaml.qll

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,12 @@ private module YamlSig implements LibYaml::InputSig {
5252
class ParseErrorBase extends LocatableBase, @yaml_error {
5353
string getMessage() { yaml_errors(this, result) }
5454
}
55+
56+
class CommentBase extends LocatableBase, @yaml_comment {
57+
string getText() { yaml_comments(this, result, _) }
58+
59+
override string toString() { yaml_comments(this, _, result) }
60+
}
5561
}
5662

5763
import LibYaml::Make<YamlSig>

0 commit comments

Comments
 (0)