diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml
index 45407c57b7..658fa0cc9d 100644
--- a/.github/workflows/__all-platform-bundle.yml
+++ b/.github/workflows/__all-platform-bundle.yml
@@ -59,7 +59,7 @@ jobs:
 use-all-platform-bundle: 'true'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml
index 5e03f49928..884aaf3582 100644
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -63,7 +63,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__build-mode-manual.yml b/.github/workflows/__build-mode-manual.yml
index efec3292bb..be988571d9 100644
--- a/.github/workflows/__build-mode-manual.yml
+++ b/.github/workflows/__build-mode-manual.yml
@@ -59,7 +59,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__bundle-toolcache.yml b/.github/workflows/__bundle-toolcache.yml
index 7d9becc006..9afd8d8e64 100644
--- a/.github/workflows/__bundle-toolcache.yml
+++ b/.github/workflows/__bundle-toolcache.yml
@@ -53,7 +53,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Remove CodeQL from toolcache
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 with:
 script: |
 const fs = require('fs');
@@ -63,7 +63,7 @@ jobs:
 - name: Install @actions/tool-cache
 run: npm install @actions/tool-cache
 - name: Check toolcache does not contain CodeQL
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 with:
 script: |
 const toolcache = require('@actions/tool-cache');
@@ -82,7 +82,7 @@ jobs:
 output: ${{ runner.temp }}/results
 upload-database: false
 - name: Check CodeQL is installed within the toolcache
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 with:
 script: |
 const toolcache = require('@actions/tool-cache');
diff --git a/.github/workflows/__bundle-zstd.yml b/.github/workflows/__bundle-zstd.yml
index 650a8617de..74847326ec 100644
--- a/.github/workflows/__bundle-zstd.yml
+++ b/.github/workflows/__bundle-zstd.yml
@@ -53,7 +53,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Remove CodeQL from toolcache
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 with:
 script: |
 const fs = require('fs');
@@ -78,7 +78,7 @@ jobs:
 path: ${{ runner.temp }}/results/javascript.sarif
 retention-days: 7
 - name: Check diagnostic with expected tools URL appears in SARIF
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
 with:
diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml
index b3af26b4f2..b050b6dd09 100644
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@@ -74,7 +74,7 @@ jobs:
 path: ${{ runner.temp }}/results/javascript.sarif
 retention-days: 7
 - name: Check config properties appear in SARIF
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
 with:
diff --git a/.github/workflows/__config-input.yml b/.github/workflows/__config-input.yml
index 160a61b81f..0c6ff46f0c 100644
--- a/.github/workflows/__config-input.yml
+++ b/.github/workflows/__config-input.yml
@@ -42,7 +42,7 @@ jobs:
 - name: Check out repository
 uses: actions/checkout@v5
 - name: Install Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: 20.x
 cache: npm
diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml
index e07aa5e962..d95c95c4ef 100644
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@@ -86,7 +86,7 @@ jobs:
 path: ${{ runner.temp }}/results/javascript.sarif
 retention-days: 7
 - name: Check diagnostics appear in SARIF
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
 with:
diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml
index 86c519d5a8..c53eb10571 100644
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -63,7 +63,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml
index a8b0658a63..6d75cf9c7c 100644
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -61,7 +61,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
index 554bf86e15..3e82cfda7b 100644
--- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
@@ -59,7 +59,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
@@ -68,7 +68,7 @@ jobs:
 languages: go
 tools: ${{ steps.prepare-test.outputs.tools-url }}
 # Deliberately change Go after the `init` step
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@v6
 with:
 go-version: '1.20'
 - name: Build code
@@ -79,7 +79,7 @@ jobs:
 output: ${{ runner.temp }}/results
 upload-database: false
 - name: Check diagnostic appears in SARIF
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: ${{ runner.temp }}/results/go.sarif
 with:
diff --git a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
index 6af7dce43f..a2f6a38ad8 100644
--- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
@@ -59,7 +59,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
@@ -80,7 +80,7 @@ jobs:
 output: ${{ runner.temp }}/results
 upload-database: false
 - name: Check diagnostic appears in SARIF
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: ${{ runner.temp }}/results/go.sarif
 with:
diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml
index 5e6b4e8a2a..c6c18a0256 100644
--- a/.github/workflows/__go-indirect-tracing-workaround.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround.yml
@@ -59,7 +59,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml
index f761175d99..9e25fdd334 100644
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@@ -89,7 +89,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml
index e061360802..7852b849d3 100644
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -89,7 +89,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml
index f81fd1698d..1b31aa7b8b 100644
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@@ -89,7 +89,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml
index e5f157881c..2984c596f7 100644
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -89,7 +89,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
index 185cccbc2d..e401829169 100644
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -68,7 +68,7 @@ jobs:
 - name: Check out repository
 uses: actions/checkout@v5
 - name: Install Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: 20.x
 cache: npm
@@ -82,7 +82,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml
index 810b85df3d..c51cbe2f1b 100644
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -68,7 +68,7 @@ jobs:
 - name: Check out repository
 uses: actions/checkout@v5
 - name: Install Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: 20.x
 cache: npm
@@ -82,7 +82,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml
index ea96e3149f..f657d1666e 100644
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -68,7 +68,7 @@ jobs:
 - name: Check out repository
 uses: actions/checkout@v5
 - name: Install Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: 20.x
 cache: npm
@@ -82,7 +82,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml
index e2db4c4431..a9a8687703 100644
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -68,7 +68,7 @@ jobs:
 - name: Check out repository
 uses: actions/checkout@v5
 - name: Install Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: 20.x
 cache: npm
@@ -82,7 +82,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__quality-queries.yml b/.github/workflows/__quality-queries.yml
index bbd5decf78..755938f5fe 100644
--- a/.github/workflows/__quality-queries.yml
+++ b/.github/workflows/__quality-queries.yml
@@ -127,7 +127,7 @@ jobs:
 retention-days: 7
 - name: Check quality query does not appear in security SARIF
 if: contains(matrix.analysis-kinds, 'code-scanning')
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
 EXPECT_PRESENT: 'false'
@@ -135,7 +135,7 @@ jobs:
 script: ${{ env.CHECK_SCRIPT }}
 - name: Check quality query appears in quality SARIF
 if: contains(matrix.analysis-kinds, 'code-quality')
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: ${{ runner.temp }}/results/javascript.quality.sarif
 EXPECT_PRESENT: 'true'
diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml
index 4a3fd0efff..3b9c82845d 100644
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -61,7 +61,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml
index 869db07457..d4b9e97c5e 100644
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -69,7 +69,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml
index 8fdb34724f..7c77983a8e 100644
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@@ -63,7 +63,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml
index 417515dfd2..9b849a9743 100644
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -59,7 +59,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml
index 772ac35b05..0707c2c5b6 100644
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -61,7 +61,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__upload-quality-sarif.yml b/.github/workflows/__upload-quality-sarif.yml
index 2332aff841..48877bc6f5 100644
--- a/.github/workflows/__upload-quality-sarif.yml
+++ b/.github/workflows/__upload-quality-sarif.yml
@@ -63,7 +63,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml
index b991e7d36f..2b0e1c57a0 100644
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -63,7 +63,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml
index 223d376420..67a7a915da 100644
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -63,7 +63,7 @@ jobs:
 use-all-platform-bundle: 'false'
 setup-kotlin: 'true'
 - name: Install Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version || '>=1.21.0' }}
 cache: false
diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml
index 925e5ce177..afa9ba6ee8 100644
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -57,7 +57,7 @@ jobs:
 uses: actions/checkout@v5
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: '20'
 cache: 'npm'
diff --git a/.github/workflows/debug-artifacts-failure-safe.yml b/.github/workflows/debug-artifacts-failure-safe.yml
index 6cba089004..5d5ef24acb 100644
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@@ -45,7 +45,7 @@ jobs:
 uses: ./.github/actions/prepare-test
 with:
 version: ${{ matrix.version }}
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@v6
 with:
 go-version: ^1.13.1
 - uses: ./../action/init
diff --git a/.github/workflows/debug-artifacts-safe.yml b/.github/workflows/debug-artifacts-safe.yml
index 25a9cecc58..287cbfe232 100644
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -41,7 +41,7 @@ jobs:
 uses: ./.github/actions/prepare-test
 with:
 version: ${{ matrix.version }}
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@v6
 with:
 go-version: ^1.13.1
 - uses: ./../action/init
diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml
index 67d7e9493f..bb5f8296e4 100644
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -43,7 +43,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 fetch-depth: 0 # ensure we have all tags and can push commits
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@v5
 - name: Update git config
 run: |
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 365b53a945..37140e4e5e 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -25,13 +25,13 @@ jobs:
 - uses: actions/checkout@v5
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: '20.x'
 cache: 'npm'
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@v6
 with:
 python-version: 3.11
@@ -51,6 +51,10 @@ jobs:
 - name: Run unit tests
 run: npm test
+ - name: Run pr-checks tests
+ working-directory: pr-checks
+ run: python -m unittest discover
+
 - name: Lint
 if: matrix.os != 'windows-latest'
 run: npm run lint-ci
diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml
index 80944886ba..98ab5667bd 100644
--- a/.github/workflows/python312-windows.yml
+++ b/.github/workflows/python312-windows.yml
@@ -22,7 +22,7 @@ jobs:
 runs-on: windows-latest
 steps:
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@v6
 with:
 python-version: 3.12
diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml
index 1014b4e553..2d2ab3c719 100644
--- a/.github/workflows/query-filters.yml
+++ b/.github/workflows/query-filters.yml
@@ -27,7 +27,7 @@ jobs:
 uses: actions/checkout@v5
 - name: Install Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: 20.x
 cache: npm
diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml
index 9ac5e64e0c..c5e69bfd26 100644
--- a/.github/workflows/rebuild.yml
+++ b/.github/workflows/rebuild.yml
@@ -11,6 +11,10 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event.label.name == 'Rebuild' || github.event_name == 'workflow_dispatch'
+ env:
+ HEAD_REF: ${{ github.event.pull_request.head.ref || github.event.ref }}
+ BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }}
+
 permissions:
 contents: write # needed to push rebuilt commit
 pull-requests: write # needed to comment on the PR
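Review bot: In `.github/workflows/pr-checks.yml` (hunk `@@ -51,6 +51,10 @@`), the new `Run pr-checks tests` step can pass without running anything: the job pins `python-version: 3.11`, and as far as I know `python -m unittest discover` only began returning a non-zero exit code for an empty run in Python 3.12. The test module is not visible in this hunk, so a renamed or moved test file would go unnoticed. Naming the module explicitly, `run: python -m unittest -v <test_module>` (placeholder for the actual file), turns a missing test file into an import error instead of a silent pass. The step also runs on every OS in the matrix, unlike the `Lint` step below it, so the tests need to be safe with Windows path separators.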
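Review bot: In `.github/workflows/rebuild.yml` (hunk `@@ -11,6 +11,10 @@`), `HEAD_REF` takes two different shapes: on a `pull_request` event `github.event.pull_request.head.ref` is a bare branch name, while on `workflow_dispatch` the fallback `github.event.ref` is, as far as I know, fully qualified (`refs/heads/<branch>`). The `startsWith(env.HEAD_REF, 'dependabot/')` condition added in the last hunk of this file therefore cannot match on a manual dispatch, and the sync-back step is skipped there without any log line saying why. If that is intended, document it above `env:`, e.g. `# HEAD_REF is a bare branch name on pull_request, refs/heads/<branch> on workflow_dispatch`; otherwise use `github.ref_name` as the fallback so both events yield a short name.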
@@ -19,7 +23,7 @@ jobs:
 uses: actions/checkout@v5
 with:
 fetch-depth: 0
- ref: ${{ github.event.pull_request.head.ref || github.event.ref }}
+ ref: ${{ env.HEAD_REF }}
 - name: Remove label
 if: github.event_name == 'pull_request'
@@ -37,8 +41,6 @@ jobs:
 - name: Merge in changes from base branch
 id: merge
- env:
- BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }}
 run: |
 git fetch origin "$BASE_BRANCH"
@@ -68,13 +70,20 @@ jobs:
 npm run build
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@v6
 with:
 python-version: 3.11
+ - name: Sync back version updates to generated workflows
+ # Only sync back versions on Dependabot update PRs
+ if: startsWith(env.HEAD_REF, 'dependabot/')
+ working-directory: pr-checks
+ run: |
+ python3 sync_back.py -v
+
 - name: Generate workflows
+ working-directory: pr-checks
 run: |
- cd pr-checks
 python -m pip install --upgrade pip
 pip install ruamel.yaml==0.17.31
 python3 sync.py
diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml
index 10f5be738d..8e7ad48d8f 100644
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -37,7 +37,7 @@ jobs:
 git config --global user.name "github-actions[bot]"
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 with:
 node-version: '20.x'
 cache: 'npm'
diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml
index 5fc3b14b54..e43e40d60c 100644
--- a/.github/workflows/update-proxy-release.yml
+++ b/.github/workflows/update-proxy-release.yml
@@ -37,7 +37,7 @@ jobs:
 (gh release view --repo "$GITHUB_REPOSITORY" --json "assets" "$RELEASE_TAG" && echo "Release found.") || exit 1
 - name: Install Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v5
 - name: Checkout repository
 uses: actions/checkout@v5
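Review bot: In `.github/workflows/rebuild.yml` (hunk `@@ -68,13 +70,20 @@`), the `if: startsWith(env.HEAD_REF, 'dependabot/')` gate on the new sync-back step tests only the branch name, which whoever opens the PR chooses, so it does not establish that Dependabot authored the change. This job holds `contents: write` to push the rebuilt commit, and per its docstring sync_back.py rewrites `pr-checks/sync.py` and the templates from whatever `uses:` references the generated workflows on that branch contain. If the intent is Dependabot PRs only, add the author to the condition: `if: startsWith(env.HEAD_REF, 'dependabot/') && github.event.pull_request.user.login == 'dependabot[bot]'`. The workflow's `on:` trigger lies outside this hunk, so which events and branches can actually reach this step is not visible here.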
diff --git a/.github/workflows/update-supported-enterprise-server-versions.yml b/.github/workflows/update-supported-enterprise-server-versions.yml
index 80785a826b..35d4ba01f4 100644
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 - name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@v6
 with:
 python-version: "3.13"
 - name: Checkout CodeQL Action
diff --git a/pr-checks/.gitignore b/pr-checks/.gitignore
index 0a764a4de3..979f35ea98 100644
--- a/pr-checks/.gitignore
+++ b/pr-checks/.gitignore
@@ -1 +1,3 @@
 env
+__pycache__/
+*.pyc
diff --git a/pr-checks/__init__.py b/pr-checks/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/pr-checks/checks/bundle-toolcache.yml b/pr-checks/checks/bundle-toolcache.yml
index d384cefee5..d3a15fcb41 100644
--- a/pr-checks/checks/bundle-toolcache.yml
+++ b/pr-checks/checks/bundle-toolcache.yml
@@ -8,7 +8,7 @@ operatingSystems:
 - windows
 steps:
 - name: Remove CodeQL from toolcache
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 with:
 script: |
 const fs = require('fs');
@@ -18,7 +18,7 @@ steps:
 - name: Install @actions/tool-cache
 run: npm install @actions/tool-cache
 - name: Check toolcache does not contain CodeQL
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 with:
 script: |
 const toolcache = require('@actions/tool-cache');
@@ -37,7 +37,7 @@ steps:
 output: ${{ runner.temp }}/results
 upload-database: false
 - name: Check CodeQL is installed within the toolcache
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 with:
 script: |
 const toolcache = require('@actions/tool-cache');
diff --git a/pr-checks/checks/bundle-zstd.yml b/pr-checks/checks/bundle-zstd.yml
index de83d8e923..2ec8b3b8d2 100644
--- a/pr-checks/checks/bundle-zstd.yml
+++ b/pr-checks/checks/bundle-zstd.yml
@@ -8,7 +8,7 @@ operatingSystems:
 - windows
 steps:
 - name: Remove CodeQL from toolcache
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 with:
 script: |
 const fs = require('fs');
@@ -33,7 +33,7 @@ steps:
 path: ${{ runner.temp }}/results/javascript.sarif
 retention-days: 7
 - name: Check diagnostic with expected tools URL appears in SARIF
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: ${{ runner.temp }}/results/javascript.sarif
 with:
diff --git a/pr-checks/checks/config-export.yml b/pr-checks/checks/config-export.yml
index ce94482567..c51ad04e26 100644
--- a/pr-checks/checks/config-export.yml
+++ b/pr-checks/checks/config-export.yml
@@ -18,7 +18,7 @@ steps:
 path: "${{ runner.temp }}/results/javascript.sarif"
 retention-days: 7
 - name: Check config properties appear in SARIF
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
 with:
diff --git a/pr-checks/checks/diagnostics-export.yml b/pr-checks/checks/diagnostics-export.yml
index c4e4f3d458..dd41b8df9f 100644
--- a/pr-checks/checks/diagnostics-export.yml
+++ b/pr-checks/checks/diagnostics-export.yml
@@ -32,7 +32,7 @@ steps:
 path: "${{ runner.temp }}/results/javascript.sarif"
 retention-days: 7
 - name: Check diagnostics appear in SARIF
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
 with:
diff --git a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml
index bfe7afb383..0768bd58a8 100644
--- a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml
+++ b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml
@@ -12,7 +12,7 @@ steps:
 languages: go
 tools: ${{ steps.prepare-test.outputs.tools-url }}
 # Deliberately change Go after the `init` step
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@v6
 with:
 go-version: "1.20"
 - name: Build code
@@ -23,7 +23,7 @@ steps:
 output: "${{ runner.temp }}/results"
 upload-database: false
 - name: Check diagnostic appears in SARIF
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
 with:
diff --git a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml
index 9db4cad641..4f9e5eed29 100644
--- a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml
+++ b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml
@@ -24,7 +24,7 @@ steps:
 output: "${{ runner.temp }}/results"
 upload-database: false
 - name: Check diagnostic appears in SARIF
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
 with:
diff --git a/pr-checks/checks/quality-queries.yml b/pr-checks/checks/quality-queries.yml
index 9eb578171e..b8420ad209 100644
--- a/pr-checks/checks/quality-queries.yml
+++ b/pr-checks/checks/quality-queries.yml
@@ -54,7 +54,7 @@ steps:
 retention-days: 7
 - name: Check quality query does not appear in security SARIF
 if: contains(matrix.analysis-kinds, 'code-scanning')
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
 EXPECT_PRESENT: "false"
@@ -62,7 +62,7 @@ steps:
 script: ${{ env.CHECK_SCRIPT }}
 - name: Check quality query appears in quality SARIF
 if: contains(matrix.analysis-kinds, 'code-quality')
- uses: actions/github-script@v7
+ uses: actions/github-script@v8
 env:
 SARIF_PATH: "${{ runner.temp }}/results/javascript.quality.sarif"
 EXPECT_PRESENT: "true"
diff --git a/pr-checks/readme.md b/pr-checks/readme.md
index 618a67503d..283ed35993 100644
--- a/pr-checks/readme.md
+++ b/pr-checks/readme.md
@@ -9,6 +9,6 @@ to one of the files in this directory.
 1. Install https://github.com/casey/just by whichever way you prefer.
 2. Run `just update-pr-checks` in your terminal.
-### If you don't want to intall `just`
+### If you don't want to install `just`
 Manually run each step in the `justfile`.
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index 6d23cafab5..e76945cc4c 100755
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -127,7 +127,7 @@ def writeHeader(checkStream):
 steps.extend([
 {
 'name': 'Install Node.js',
- 'uses': 'actions/setup-node@v4',
+ 'uses': 'actions/setup-node@v5',
 'with': {
 'node-version': '20.x',
 'cache': 'npm',
@@ -165,7 +165,7 @@ def writeHeader(checkStream):
 steps.append({
 'name': 'Install Go',
- 'uses': 'actions/setup-go@v5',
+ 'uses': 'actions/setup-go@v6',
 'with': {
 'go-version': '${{ inputs.go-version || \'' + baseGoVersionExpr + '\' }}',
 # to avoid potentially misleading autobuilder results where we expect it to download
diff --git a/pr-checks/sync_back.py b/pr-checks/sync_back.py
new file mode 100755
index 0000000000..1474b455e6
--- /dev/null
+++ b/pr-checks/sync_back.py
@@ -0,0 +1,185 @@
+#!/usr/bin/env python3
+"""
+Sync-back script to automatically update action versions in source templates
+from the generated workflow files after Dependabot updates.
+
+This script scans the generated workflow files (.github/workflows/__*.yml) to find
+all external action versions used, then updates:
+1. Hardcoded action versions in pr-checks/sync.py
+2. Action version references in template files in pr-checks/checks/
+
+The script automatically detects all actions used in generated workflows and
+preserves version comments (e.g., # v1.2.3) when syncing versions.
+
+This ensures that when Dependabot updates action versions in generated workflows,
+those changes are properly synced back to the source templates. Regular workflow
+files are updated directly by Dependabot and don't need sync-back.
+"""
+
+import os
+import re
+import glob
+import argparse
+import sys
+from pathlib import Path
+from typing import Dict, List
+
+
+def scan_generated_workflows(workflow_dir: str) -> Dict[str, str]:
+ """
+ Scan generated workflow files to extract the latest action versions.
+
+ Args:
+ workflow_dir: Path to .github/workflows directory
+
+ Returns:
+ Dictionary mapping action names to their latest versions (including comments)
+ """
+ action_versions = {}
+ generated_files = glob.glob(os.path.join(workflow_dir, "__*.yml"))
+
+ for file_path in generated_files:
+ with open(file_path, 'r') as f:
+ content = f.read()
+
+ # Find all action uses in the file, including potential comments
+ # This pattern captures: action_name@version_with_possible_comment
+ pattern = r'uses:\s+([^/\s]+/[^@\s]+)@([^@\n]+)'
+ matches = re.findall(pattern, content)
+
+ for action_name, version_with_comment in matches:
+ # Only track non-local actions (those with / but not starting with ./)
+ if not action_name.startswith('./'):
+ # Assume that version numbers are consistent (this should be the case on a Dependabot update PR)
+ action_versions[action_name] = version_with_comment.rstrip()
+
+ return action_versions
+
+
+def update_sync_py(sync_py_path: str, action_versions: Dict[str, str]) -> bool:
+ """
+ Update hardcoded action versions in pr-checks/sync.py
+
+ Args:
+ sync_py_path: Path to sync.py file
+ action_versions: Dictionary of action names to versions (may include comments)
+
+ Returns:
+ True if file was modified, False otherwise
+ """
+ if not os.path.exists(sync_py_path):
+ raise FileNotFoundError(f"Could not find {sync_py_path}")
+
+ with open(sync_py_path, 'r') as f:
+ content = f.read()
+
+ original_content = content
+
+ # Update hardcoded action versions
+ for action_name, version_with_comment in action_versions.items():
+ # Extract just the version part (before any comment) for sync.py
+ version = version_with_comment.split('#')[0].strip() if '#' in version_with_comment else version_with_comment.strip()
+
+ # Look for patterns like 'uses': 'actions/setup-node@v4'
+ # Note that this will break if we store an Action uses reference in a
+ # variable - that's a risk we're happy to take since in that case the
+ # PR checks will just fail.
+ pattern = rf"('uses':\s*'){re.escape(action_name)}@(?:[^']+)(')"
+ replacement = rf"\1{action_name}@{version}\2"
+ content = re.sub(pattern, replacement, content)
+
+ if content != original_content:
+ with open(sync_py_path, 'w') as f:
+ f.write(content)
+ print(f"Updated {sync_py_path}")
+ return True
+ else:
+ print(f"No changes needed in {sync_py_path}")
+ return False
+
+
+def update_template_files(checks_dir: str, action_versions: Dict[str, str]) -> List[str]:
+ """
+ Update action versions in template files in pr-checks/checks/
+
+ Args:
+ checks_dir: Path to pr-checks/checks directory
+ action_versions: Dictionary of action names to versions (may include comments)
+
+ Returns:
+ List of files that were modified
+ """
+ modified_files = []
+ template_files = glob.glob(os.path.join(checks_dir, "*.yml"))
+
+ for file_path in template_files:
+ with open(file_path, 'r') as f:
+ content = f.read()
+
+ original_content = content
+
+ # Update action versions
+ for action_name, version_with_comment in action_versions.items():
+ # Look for patterns like 'uses: actions/setup-node@v4' or 'uses: actions/setup-node@sha # comment'
+ pattern = rf"(uses:\s+{re.escape(action_name)})@(?:[^@\n]+)"
+ replacement = rf"\1@{version_with_comment}"
+ content = re.sub(pattern, replacement, content)
+
+ if content != original_content:
+ with open(file_path, 'w') as f:
+ f.write(content)
+ modified_files.append(file_path)
+ print(f"Updated {file_path}")
+
+ return modified_files
+
+
+def main():
+ parser = argparse.ArgumentParser(description="Sync action versions from generated workflows back to templates")
+ parser.add_argument("--verbose", "-v", action="store_true", help="Enable verbose output")
+ args = parser.parse_args()
+
+ # Get the repository root (assuming script is in pr-checks/)
+ script_dir = Path(__file__).parent
+ repo_root = script_dir.parent
+
+ workflow_dir = repo_root / ".github" / "workflows"
+ checks_dir = script_dir / "checks"
+ sync_py_path = script_dir / "sync.py"
+
+ print("Scanning generated workflows for latest action versions...")
+ action_versions = scan_generated_workflows(str(workflow_dir))
+
+ if args.verbose:
+ print("Found action versions:")
+ for action, version in action_versions.items():
+ print(f" {action}@{version}")
+
+ if not action_versions:
+ print("No action versions found in generated workflows")
+ return 1
+
+ # Update files
+ print("\nUpdating source files...")
+ modified_files = []
+
+ # Update sync.py
+ if update_sync_py(str(sync_py_path), action_versions):
+ modified_files.append(str(sync_py_path))
+
+ # Update template files
+ template_modified = update_template_files(str(checks_dir), action_versions)
+ modified_files.extend(template_modified)
+
+ if modified_files:
+ print(f"\nSync completed. Modified {len(modified_files)} files:")
+ for file_path in modified_files:
+ print(f" {file_path}")
+ else:
+ print("\nNo files needed updating - all action versions are already in sync")
+
+ return 0
+
+
+if __name__ == "__main__":
+ sys.exit(main())
\ No newline at end of file
diff --git a/pr-checks/test_sync_back.py b/pr-checks/test_sync_back.py
new file mode 100644
index 0000000000..de2e42d733
--- /dev/null
+++ b/pr-checks/test_sync_back.py
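Review bot: In `pr-checks/sync_back.py`, `update_sync_py` interpolates the scanned ref straight into the `re.sub` replacement template and, through it, into a single-quoted Python literal in `sync.py`, with no check on what the text contains. `scan_generated_workflows` captures the ref with `[^@\n]+`, so a quote or backslash in it would either be read as a group escape or end the literal early in a file that is later executed, and an action owner that begins with a digit turns `\1` into a different group number. I would reject anything unexpected with `if not re.fullmatch(r"[\w./-]+", version): raise ValueError(...)` and substitute with a function, `content = re.sub(pattern, lambda m: f"{m.group(1)}{action_name}@{version}{m.group(2)}", content)`; `update_template_files` builds `\1@{version_with_comment}` the same way and would benefit from the function form too. Separately, the scan keeps whichever version the last globbed file holds, so a partially updated set of workflows is synced without any warning; failing when two files disagree would make that visible.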
@@ -0,0 +1,237 @@
+#!/usr/bin/env python3
+"""
+Tests for the sync_back.py script
+"""
+
+import os
+import shutil
+import tempfile
+import unittest
+
+import sync_back
+
+
+class TestSyncBack(unittest.TestCase):
+
+ def setUp(self):
+ """Set up temporary directories and files for testing"""
+ self.test_dir = tempfile.mkdtemp()
+ self.workflow_dir = os.path.join(self.test_dir, ".github", "workflows")
+ self.checks_dir = os.path.join(self.test_dir, "pr-checks", "checks")
+ os.makedirs(self.workflow_dir)
+ os.makedirs(self.checks_dir)
+
+ # Create sync.py file
+ self.sync_py_path = os.path.join(self.test_dir, "pr-checks", "sync.py")
+
+ def tearDown(self):
+ """Clean up temporary directories"""
+ shutil.rmtree(self.test_dir)
+
+ def test_scan_generated_workflows_basic(self):
+ """Test basic workflow scanning functionality"""
+ # Create a test generated workflow file
+ workflow_content = """
+name: Test Workflow
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v5
+ - uses: actions/setup-go@v6
+ """
+
+ with open(os.path.join(self.workflow_dir, "__test.yml"), 'w') as f:
+ f.write(workflow_content)
+
+ result = sync_back.scan_generated_workflows(self.workflow_dir)
+
+ self.assertEqual(result['actions/checkout'], 'v4')
+ self.assertEqual(result['actions/setup-node'], 'v5')
+ self.assertEqual(result['actions/setup-go'], 'v6')
+
+ def test_scan_generated_workflows_with_comments(self):
+ """Test scanning workflows with version comments"""
+ workflow_content = """
+name: Test Workflow
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0
+ - uses: actions/setup-python@v6 # Latest Python
+ """
+
+ with open(os.path.join(self.workflow_dir, "__test.yml"), 'w') as f:
+ f.write(workflow_content)
+
+ result = sync_back.scan_generated_workflows(self.workflow_dir)
+
+ self.assertEqual(result['actions/checkout'], 'v4')
+ self.assertEqual(result['ruby/setup-ruby'], '44511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0')
+ self.assertEqual(result['actions/setup-python'], 'v6 # Latest Python')
+
+ def test_scan_generated_workflows_ignores_local_actions(self):
+ """Test that local actions (starting with ./) are ignored"""
+ workflow_content = """
+name: Test Workflow
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./.github/actions/local-action
+ - uses: ./another-local-action@v1
+ """
+
+ with open(os.path.join(self.workflow_dir, "__test.yml"), 'w') as f:
+ f.write(workflow_content)
+
+ result = sync_back.scan_generated_workflows(self.workflow_dir)
+
+ self.assertEqual(result['actions/checkout'], 'v4')
+ self.assertNotIn('./.github/actions/local-action', result)
+ self.assertNotIn('./another-local-action', result)
+
+
+ def test_update_sync_py(self):
+ """Test updating sync.py file"""
+ sync_py_content = """
+steps = [
+ {
+ 'uses': 'actions/setup-node@v4',
+ 'with': {'node-version': '16'}
+ },
+ {
+ 'uses': 'actions/setup-go@v5',
+ 'with': {'go-version': '1.19'}
+ }
+]
+ """
+
+ with open(self.sync_py_path, 'w') as f:
+ f.write(sync_py_content)
+
+ action_versions = {
+ 'actions/setup-node': 'v5',
+ 'actions/setup-go': 'v6'
+ }
+
+ result = sync_back.update_sync_py(self.sync_py_path, action_versions)
+ self.assertTrue(result)
+
+ with open(self.sync_py_path, 'r') as f:
+ updated_content = f.read()
+
+ self.assertIn("'uses': 'actions/setup-node@v5'", updated_content)
+ self.assertIn("'uses': 'actions/setup-go@v6'", updated_content)
+
+ def test_update_sync_py_with_comments(self):
+ """Test updating sync.py file when versions have comments"""
+ sync_py_content = """
+steps = [
+ {
+ 'uses': 'actions/setup-node@v4',
+ 'with': {'node-version': '16'}
+ }
+]
+ """
+
+ with open(self.sync_py_path, 'w') as f:
+ f.write(sync_py_content)
+
+ action_versions = {
+ 'actions/setup-node': 'v5 # Latest version'
+ }
+
+ result = sync_back.update_sync_py(self.sync_py_path, action_versions)
+ self.assertTrue(result)
+
+ with open(self.sync_py_path, 'r') as f:
+ updated_content = f.read()
+
+ # sync.py should get the version without comment
+ self.assertIn("'uses': 'actions/setup-node@v5'", updated_content)
+ self.assertNotIn("# Latest version", updated_content)
+
+ def test_update_template_files(self):
+ """Test updating template files"""
+ template_content = """
+name: Test Template
+steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 16
+ """
+
+ template_path = os.path.join(self.checks_dir, "test.yml")
+ with open(template_path, 'w') as f:
+ f.write(template_content)
+
+ action_versions = {
+ 'actions/checkout': 'v4',
+ 'actions/setup-node': 'v5 # Latest'
+ }
+
+ result = sync_back.update_template_files(self.checks_dir, action_versions)
+ self.assertEqual(len(result), 1)
+ self.assertIn(template_path, result)
+
+ with open(template_path, 'r') as f:
+ updated_content = f.read()
+
+ self.assertIn("uses: actions/checkout@v4", updated_content)
+ self.assertIn("uses: actions/setup-node@v5 # Latest", updated_content)
+
+ def test_update_template_files_preserves_comments(self):
+ """Test that updating template files preserves version comments"""
+ template_content = """
+name: Test Template
+steps:
+ - uses: ruby/setup-ruby@44511735964dcb71245e7e55f72539531f7bc0eb # v1.256.0
+ """
+
+ template_path = os.path.join(self.checks_dir, "test.yml")
+ with open(template_path, 'w') as f:
+ f.write(template_content)
+
+ action_versions = {
+ 'ruby/setup-ruby': '55511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0'
+ }
+
+ result = sync_back.update_template_files(self.checks_dir, action_versions)
+ self.assertEqual(len(result), 1)
+
+ with open(template_path, 'r') as f:
+ updated_content = f.read()
+
+ self.assertIn("uses: ruby/setup-ruby@55511735964dcb71245e7e55f72539531f7bc0eb # v1.257.0", updated_content)
+
+ def test_no_changes_needed(self):
+ """Test that functions return False/empty when no changes are needed"""
+ # Test sync.py with no changes needed
+ sync_py_content = """
+steps = [
+ {
+ 'uses': 'actions/setup-node@v5',
+ 'with': {'node-version': '16'}
+ }
+]
+ """
+
+ with open(self.sync_py_path, 'w') as f:
+ f.write(sync_py_content)
+
+ action_versions = {
+ 'actions/setup-node': 'v5'
+ }
+
+ result = sync_back.update_sync_py(self.sync_py_path, action_versions)
+ self.assertFalse(result)
+
+
+if __name__ == '__main__':
+ unittest.main()
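Review bot: `test_no_changes_needed` promises in its docstring that the functions return False/empty, yet it only calls `update_sync_py`; the empty-list path of `update_template_files` is never asserted. A second half that writes a template already at `actions/checkout@v4` and checks `self.assertEqual(sync_back.update_template_files(self.checks_dir, {'actions/checkout': 'v4'}), [])` would cover it. The suite also has no case where two `__*.yml` files carry different versions of the same action, so the last-file-wins choice in `scan_generated_workflows` is not pinned by any test.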