From ffd40b4a96bf519ca4f0c550b2802c7a59de5335 Mon Sep 17 00:00:00 2001
From: Angela P Wen
Date: Fri, 4 Apr 2025 14:29:50 +0200
Subject: [PATCH 1/4] Always use the latest major version of CodeQL Action
---
 .../scripts/build/install-codeql-bundle.sh | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/images/macos/scripts/build/install-codeql-bundle.sh b/images/macos/scripts/build/install-codeql-bundle.sh
index 7c179add8..5e8b5862a 100644
--- a/images/macos/scripts/build/install-codeql-bundle.sh
+++ b/images/macos/scripts/build/install-codeql-bundle.sh
@@ -6,9 +6,23 @@
 source ~/utils/utils.sh
+# Retrieve the latest major version of the CodeQL Action to use in the base URL for downloading the bundle.
+releases=$(curl -s "https://api.github.com/repos/github/codeql-action/releases")
+
+# Get the release tags starting with v[0-9] and sort them in descending order, then parse the first one to get the major version.
+codeql_action_latest_major_version=$(echo "$releases" |
+ jq -r '.[].tag_name' |
+ grep -E '^v[0-9]' |
+ sort -nr |
+ head -n 1 |
+ sed -E 's/^v([0-9]+).*/\1/')
+if [ -z "$codeql_action_latest_major_version" ]; then
+ echo "Error: Unable to find the latest major version of the CodeQL Action."
+ exit 1
+fi
+
 # Retrieve the CLI version of the latest CodeQL bundle.
-defaults_json_path=$(download_with_retry https://raw.githubusercontent.com/github/codeql-action/v3/src/defaults.json)
-bundle_version=$(jq -r '.cliVersion' $defaults_json_path)
+defaults_json_path=$(download_with_retry "https://raw.githubusercontent.com/github/codeql-action/$codeql_action_latest_major_version/src/defaults.json")
 bundle_tag_name="codeql-bundle-v$bundle_version"
 echo "Downloading CodeQL bundle $bundle_version..."
From 5726c3a45f35430585d898ab236f22ef3626f502 Mon Sep 17 00:00:00 2001
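Review bot: `sort -nr` in the new tag pipeline does not sort tags such as `v3.28.0` by version: `-n` sees no leading digits, every key compares as 0, and the tie-break is effectively a reversed byte comparison, so `v3…` would still outrank a future `v10…` tag (it only works today because the API already returns newest first). Move the `sed` stage ahead of the sort so the numeric comparison sees bare major numbers: `grep -E '^v[0-9]' | sed -E 's/^v([0-9]+).*/\1/' | sort -nr | head -n 1)`. `.[].tag_name` also includes pre-releases, so a `v4.0.0-beta` tag would select a major whose `v4` branch may not exist yet; `jq -r '.[] | select(.prerelease | not) | .tag_name'` restricts the choice to published releases. `curl -s` without `--fail` lets an HTTP error body (for example a rate-limit response) flow into `jq`, where it is only caught by the empty-string check that follows; `curl -sf` makes that failure explicit, and the `echo "Error: …"` should go to stderr with `>&2`.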
From: Angela P Wen
Date: Fri, 4 Apr 2025 14:30:44 +0200
Subject: [PATCH 2/4] Refactoring: Properly double-quote variables
---
 images/macos/scripts/build/install-codeql-bundle.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/images/macos/scripts/build/install-codeql-bundle.sh b/images/macos/scripts/build/install-codeql-bundle.sh
index 5e8b5862a..4df220ba5 100644
--- a/images/macos/scripts/build/install-codeql-bundle.sh
+++ b/images/macos/scripts/build/install-codeql-bundle.sh
@@ -23,6 +23,7 @@ fi
 # Retrieve the CLI version of the latest CodeQL bundle.
 defaults_json_path=$(download_with_retry "https://raw.githubusercontent.com/github/codeql-action/$codeql_action_latest_major_version/src/defaults.json")
+bundle_version=$(jq -r '.cliVersion' "$defaults_json_path")
 bundle_tag_name="codeql-bundle-v$bundle_version"
 echo "Downloading CodeQL bundle $bundle_version..."
@@ -31,16 +32,16 @@ echo "Downloading CodeQL bundle $bundle_version..."
 archive_path=$(download_with_retry "https://github.com/github/codeql-action/releases/download/$bundle_tag_name/codeql-bundle.tar.gz")
 codeql_toolcache_path=$AGENT_TOOLSDIRECTORY/CodeQL/$bundle_version/x64
-mkdir -p $codeql_toolcache_path
+mkdir -p "$codeql_toolcache_path"
 echo "Unpacking the downloaded CodeQL bundle archive..."
-tar -xzf $archive_path -C $codeql_toolcache_path
+tar -xzf "$archive_path" -C "$codeql_toolcache_path"
 # Touch a file to indicate to the CodeQL Action that this bundle shipped with the toolcache. This is
 # to support overriding the CodeQL version specified in defaults.json on GitHub Enterprise.
-touch $codeql_toolcache_path/pinned-version
+touch "$codeql_toolcache_path/pinned-version"
 # Touch a file to indicate to the toolcache that setting up CodeQL is complete.
-touch $codeql_toolcache_path.complete
+touch "$codeql_toolcache_path.complete"
 invoke_tests "Common" "CodeQL Bundle"
From b945f6e0614da139fc140621a09629f15dedd1c8 Mon Sep 17 00:00:00 2001
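Review bot: In the first hunk, `bundle_version=$(jq -r '.cliVersion' "$defaults_json_path")` is not checked, so a defaults.json without `cliVersion` yields the literal string `null` (or an empty string if the downloaded file is empty), and that value then flows into `bundle_tag_name`, the release download URL and the toolcache path `$AGENT_TOOLSDIRECTORY/CodeQL/$bundle_version/x64` in the second hunk. Mirror the guard the script already has for the major version: `if [ -z "$bundle_version" ] || [ "$bundle_version" = "null" ]; then echo "Error: Unable to read cliVersion from defaults.json." >&2; exit 1; fi`. Because the value is interpolated into a filesystem path and an archive is unpacked there, a shape check such as `[[ "$bundle_version" =~ ^[0-9]+(\.[0-9]+)*$ ]]` would also keep an unexpected value from creating directories outside the intended toolcache layout.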
From: Angela P Wen
Date: Mon, 21 Apr 2025 15:16:01 -0700
Subject: [PATCH 3/4] Add missing `v` to CodeQL bundle URL
---
 images/macos/scripts/build/install-codeql-bundle.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/images/macos/scripts/build/install-codeql-bundle.sh b/images/macos/scripts/build/install-codeql-bundle.sh
index 4df220ba5..18fb2075b 100644
--- a/images/macos/scripts/build/install-codeql-bundle.sh
+++ b/images/macos/scripts/build/install-codeql-bundle.sh
@@ -22,7 +22,7 @@ if [ -z "$codeql_action_latest_major_version" ]; then
 fi
 # Retrieve the CLI version of the latest CodeQL bundle.
-defaults_json_path=$(download_with_retry "https://raw.githubusercontent.com/github/codeql-action/$codeql_action_latest_major_version/src/defaults.json")
+defaults_json_path=$(download_with_retry "https://raw.githubusercontent.com/github/codeql-action/v$codeql_action_latest_major_version/src/defaults.json")
 bundle_version=$(jq -r '.cliVersion' "$defaults_json_path")
 bundle_tag_name="codeql-bundle-v$bundle_version"
From 22826037a5ce87e65f37ceef0c4714ad04f18c8c Mon Sep 17 00:00:00 2001
From: Angela P Wen
Date: Fri, 25 Apr 2025 11:43:01 -0700
Subject: [PATCH 4/4] Use PAT for API call to prevent throttling
---
 images/macos/scripts/build/install-codeql-bundle.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/images/macos/scripts/build/install-codeql-bundle.sh b/images/macos/scripts/build/install-codeql-bundle.sh
index 18fb2075b..f1d70a121 100644
--- a/images/macos/scripts/build/install-codeql-bundle.sh
+++ b/images/macos/scripts/build/install-codeql-bundle.sh
@@ -7,7 +7,8 @@
 source ~/utils/utils.sh
 # Retrieve the latest major version of the CodeQL Action to use in the base URL for downloading the bundle.
-releases=$(curl -s "https://api.github.com/repos/github/codeql-action/releases")
+[ -n "$API_PAT" ] && authString=(-H "Authorization: token ${API_PAT}")
+releases=$(curl "${authString[@]}" -s "https://api.github.com/repos/github/codeql-action/releases")
 # Get the release tags starting with v[0-9] and sort them in descending order, then parse the first one to get the major version.
 codeql_action_latest_major_version=$(echo "$releases" |
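Review bot: `"${authString[@]}"` is expanded even when `API_PAT` is empty and the array was never assigned; if the script runs with `set -u` (its shebang and options are outside this hunk) that is an unbound-variable error on bash older than 4.4, which includes the `/bin/bash` macOS ships, and `[ -n "$API_PAT" ]` fails the same way when the variable is unset rather than empty. Initialise the array first and default the variable: `auth_args=(); [ -n "${API_PAT:-}" ] && auth_args=(-H "Authorization: token ${API_PAT}")`, and expand it as `${auth_args[@]+"${auth_args[@]}"}` in the `curl` call. Passing the token as a `-H` argument also places it in the process argument list, where it is visible to `ps` and to any `set -x` trace of the image build; curl's `-H @file` form with a `mktemp` file removed on exit keeps the secret out of argv. `authString` is also the only camelCase name in an otherwise snake_case script.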