From 3df807292ad75b40f30540b1126508b01bfb9504 Mon Sep 17 00:00:00 2001 
From: Henry Mercer Date: Tue, 23 Sep 2025 14:38:33 +0200 Subject: [PATCH 1/8] Only run PR checks on Ubuntu by default --- .github/workflows/__analyze-ref-input.yml | 4 --- .github/workflows/__config-export.yml | 8 ----- .github/workflows/__diagnostics-export.yml | 8 ----- .github/workflows/__init-with-registries.yml | 14 -------- ...ackaging-codescanning-config-inputs-js.yml | 12 ------- .../__packaging-config-inputs-js.yml | 12 ------- .github/workflows/__packaging-config-js.yml | 12 ------- .github/workflows/__packaging-inputs-js.yml | 12 ------- .github/workflows/__quality-queries.yml | 36 ------------------- .../__resolve-environment-action.yml | 12 ------- .github/workflows/__upload-quality-sarif.yml | 4 --- .github/workflows/__upload-ref-sha-input.yml | 4 --- .github/workflows/__with-checkout-path.yml | 4 --- pr-checks/checks/all-platform-bundle.yml | 1 - pr-checks/checks/autobuild-action.yml | 1 + pr-checks/checks/build-mode-autobuild.yml | 1 - pr-checks/checks/build-mode-manual.yml | 1 - pr-checks/checks/build-mode-none.yml | 1 - pr-checks/checks/build-mode-rollback.yml | 1 - pr-checks/checks/cleanup-db-cluster-dir.yml | 1 - pr-checks/checks/config-input.yml | 1 - pr-checks/checks/cpp-deptrace-disabled.yml | 1 - pr-checks/checks/cpp-deptrace-enabled.yml | 1 - .../export-file-baseline-information.yml | 1 + pr-checks/checks/extractor-ram-threads.yml | 1 - ...indirect-tracing-workaround-diagnostic.yml | 1 - ...ect-tracing-workaround-no-file-program.yml | 1 - .../checks/go-indirect-tracing-workaround.yml | 1 - pr-checks/checks/init-with-registries.yml | 2 -- pr-checks/checks/javascript-source-root.yml | 1 - pr-checks/checks/job-run-uuid-sarif.yml | 1 - pr-checks/checks/language-aliases.yml | 1 - pr-checks/checks/overlay-init-fallback.yml | 1 - pr-checks/checks/rubocop-multi-language.yml | 1 - pr-checks/checks/rust.yml | 1 - pr-checks/checks/submit-sarif-failure.yml | 1 - .../checks/test-autobuild-working-dir.yml | 1 - pr-checks/checks/test-local-codeql.yml | 1 
- pr-checks/checks/test-proxy.yml | 1 - pr-checks/sync.py | 13 +------ 40 files changed, 3 insertions(+), 179 deletions(-) diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml index f2f9f45a58..90571df094 100644 --- a/.github/workflows/__analyze-ref-input.yml +++ b/.github/workflows/__analyze-ref-input.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: "Analyze: 'ref' and 'sha' from inputs" permissions: contents: read diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml index 85118c3fad..17677c5e61 100644 --- a/.github/workflows/__config-export.yml +++ b/.github/workflows/__config-export.yml @@ -38,16 +38,8 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Config export permissions: contents: read diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml index 1b8618798c..8260646e97 100644 --- a/.github/workflows/__diagnostics-export.yml +++ b/.github/workflows/__diagnostics-export.yml @@ -38,16 +38,8 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Diagnostic export permissions: contents: read diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml index f570a05e0f..3a883b95a3 100644 --- a/.github/workflows/__init-with-registries.yml +++ b/.github/workflows/__init-with-registries.yml 
@@ -38,22 +38,10 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Download using registries' permissions: contents: read @@ -117,8 +105,6 @@ jobs: fi - name: Verify contents of qlconfig.yml - # yq is not available on windows - if: runner.os != 'Windows' run: | QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")' diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml index 0d7d4cf9ed..8fb5150f6a 100644 --- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml +++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml @@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config and input passed to the CLI' permissions: contents: read diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml index 7067a4d734..b66365abd6 100644 --- a/.github/workflows/__packaging-config-inputs-js.yml +++ b/.github/workflows/__packaging-config-inputs-js.yml 
@@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config and input' permissions: contents: read diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml index d6bd2cf7d4..542d67e707 100644 --- a/.github/workflows/__packaging-config-js.yml +++ b/.github/workflows/__packaging-config-js.yml @@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Config file' permissions: contents: read diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml index 03a81db686..b0f90bfe40 100644 --- a/.github/workflows/__packaging-inputs-js.yml +++ b/.github/workflows/__packaging-inputs-js.yml @@ -48,22 +48,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: 'Packaging: Action input' permissions: contents: read 
diff --git a/.github/workflows/__quality-queries.yml b/.github/workflows/__quality-queries.yml index 50f24c61ef..281aedf47e 100644 --- a/.github/workflows/__quality-queries.yml +++ b/.github/workflows/__quality-queries.yml @@ -45,24 +45,6 @@ jobs: - os: ubuntu-latest version: linked analysis-kinds: code-scanning,code-quality - - os: macos-latest - version: linked - analysis-kinds: code-scanning - - os: macos-latest - version: linked - analysis-kinds: code-quality - - os: macos-latest - version: linked - analysis-kinds: code-scanning,code-quality - - os: windows-latest - version: linked - analysis-kinds: code-scanning - - os: windows-latest - version: linked - analysis-kinds: code-quality - - os: windows-latest - version: linked - analysis-kinds: code-scanning,code-quality - os: ubuntu-latest version: nightly-latest analysis-kinds: code-scanning @@ -72,24 +54,6 @@ jobs: - os: ubuntu-latest version: nightly-latest analysis-kinds: code-scanning,code-quality - - os: macos-latest - version: nightly-latest - analysis-kinds: code-scanning - - os: macos-latest - version: nightly-latest - analysis-kinds: code-quality - - os: macos-latest - version: nightly-latest - analysis-kinds: code-scanning,code-quality - - os: windows-latest - version: nightly-latest - analysis-kinds: code-scanning - - os: windows-latest - version: nightly-latest - analysis-kinds: code-quality - - os: windows-latest - version: nightly-latest - analysis-kinds: code-scanning,code-quality name: Quality queries input permissions: contents: read diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index f7ca252762..da2d3c0f92 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml 
@@ -38,22 +38,10 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Resolve environment permissions: contents: read diff --git a/.github/workflows/__upload-quality-sarif.yml b/.github/workflows/__upload-quality-sarif.yml index 90a1c9ef12..50637c31ba 100644 --- a/.github/workflows/__upload-quality-sarif.yml +++ b/.github/workflows/__upload-quality-sarif.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: 'Upload-sarif: code quality endpoint' permissions: contents: read diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml index 41036c61a2..a527d7b983 100644 --- a/.github/workflows/__upload-ref-sha-input.yml +++ b/.github/workflows/__upload-ref-sha-input.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default name: "Upload-sarif: 'ref' and 'sha' from inputs" permissions: contents: read diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index ea694d7c6f..9296f11946 100644 --- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml @@ -48,10 +48,6 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked name: Use a custom `checkout_path` permissions: contents: read diff --git a/pr-checks/checks/all-platform-bundle.yml b/pr-checks/checks/all-platform-bundle.yml index 332f129308..75c75c8b5e 100644 
--- a/pr-checks/checks/all-platform-bundle.yml +++ b/pr-checks/checks/all-platform-bundle.yml @@ -1,7 +1,6 @@ name: "All-platform bundle" description: "Tests using an all-platform CodeQL Bundle" versions: ["nightly-latest"] -operatingSystems: ["ubuntu"] useAllPlatformBundle: "true" installGo: true steps: diff --git a/pr-checks/checks/autobuild-action.yml b/pr-checks/checks/autobuild-action.yml index ac67a81fef..91ae7834cc 100644 --- a/pr-checks/checks/autobuild-action.yml +++ b/pr-checks/checks/autobuild-action.yml @@ -1,5 +1,6 @@ name: "autobuild-action" description: "Tests that the C# autobuild action works" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["linked"] steps: - uses: ./../action/init diff --git a/pr-checks/checks/build-mode-autobuild.yml b/pr-checks/checks/build-mode-autobuild.yml index 7e840d15a2..5a51477882 100644 --- a/pr-checks/checks/build-mode-autobuild.yml +++ b/pr-checks/checks/build-mode-autobuild.yml @@ -1,6 +1,5 @@ name: "Build mode autobuild" description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'" -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] steps: - name: Set up Java test repo configuration diff --git a/pr-checks/checks/build-mode-manual.yml b/pr-checks/checks/build-mode-manual.yml index 64009c2eeb..f1815b7ff0 100644 --- a/pr-checks/checks/build-mode-manual.yml +++ b/pr-checks/checks/build-mode-manual.yml @@ -1,6 +1,5 @@ name: "Build mode manual" description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'" -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] installGo: true steps: diff --git a/pr-checks/checks/build-mode-none.yml b/pr-checks/checks/build-mode-none.yml index 4d23614a90..669ea7915e 100644 --- a/pr-checks/checks/build-mode-none.yml +++ b/pr-checks/checks/build-mode-none.yml 
@@ -1,6 +1,5 @@ name: "Build mode none" description: "An end-to-end integration test of a Java repository built using 'build-mode: none'" -operatingSystems: ["ubuntu"] versions: ["linked", "nightly-latest"] steps: - uses: ./../action/init diff --git a/pr-checks/checks/build-mode-rollback.yml b/pr-checks/checks/build-mode-rollback.yml index 1d935314e2..49bcfdd1f0 100644 --- a/pr-checks/checks/build-mode-rollback.yml +++ b/pr-checks/checks/build-mode-rollback.yml @@ -1,6 +1,5 @@ name: "Build mode rollback" description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled." -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] env: CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true diff --git a/pr-checks/checks/cleanup-db-cluster-dir.yml b/pr-checks/checks/cleanup-db-cluster-dir.yml index 1c181a57e6..d2cacf47eb 100644 --- a/pr-checks/checks/cleanup-db-cluster-dir.yml +++ b/pr-checks/checks/cleanup-db-cluster-dir.yml @@ -1,6 +1,5 @@ name: "Clean up database cluster directory" description: "The database cluster directory is cleaned up if it is not empty." -operatingSystems: ["ubuntu"] versions: ["linked"] steps: - name: Add a file to the database cluster directory diff --git a/pr-checks/checks/config-input.yml b/pr-checks/checks/config-input.yml index 5807e85946..f139ff90e6 100644 --- a/pr-checks/checks/config-input.yml +++ b/pr-checks/checks/config-input.yml @@ -1,7 +1,6 @@ name: "Config input" description: "Tests specifying configuration using the config input" installNode: true -operatingSystems: ["ubuntu"] versions: ["linked"] steps: - name: Copy queries into workspace diff --git a/pr-checks/checks/cpp-deptrace-disabled.yml b/pr-checks/checks/cpp-deptrace-disabled.yml index 1073d0194a..5b6e82726a 100644 --- a/pr-checks/checks/cpp-deptrace-disabled.yml +++ b/pr-checks/checks/cpp-deptrace-disabled.yml 
@@ -1,6 +1,5 @@ name: "C/C++: disabling autoinstalling dependencies (Linux)" description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works" -operatingSystems: ["ubuntu"] versions: ["linked", "default", "nightly-latest"] env: DOTNET_GENERATE_ASPNET_CERTIFICATE: "false" diff --git a/pr-checks/checks/cpp-deptrace-enabled.yml b/pr-checks/checks/cpp-deptrace-enabled.yml index f92f29d212..e35910a756 100644 --- a/pr-checks/checks/cpp-deptrace-enabled.yml +++ b/pr-checks/checks/cpp-deptrace-enabled.yml @@ -1,6 +1,5 @@ name: "C/C++: autoinstalling dependencies (Linux)" description: "Checks that running C/C++ autobuild with autoinstalling dependencies works" -operatingSystems: ["ubuntu"] versions: ["linked", "default", "nightly-latest"] env: DOTNET_GENERATE_ASPNET_CERTIFICATE: "false" diff --git a/pr-checks/checks/export-file-baseline-information.yml b/pr-checks/checks/export-file-baseline-information.yml index 2eb0e6d525..f7698f885e 100644 --- a/pr-checks/checks/export-file-baseline-information.yml +++ b/pr-checks/checks/export-file-baseline-information.yml @@ -1,5 +1,6 @@ name: "Export file baseline information" description: "Tests that file baseline information is exported when the feature is enabled" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["nightly-latest"] installGo: true env: diff --git a/pr-checks/checks/extractor-ram-threads.yml b/pr-checks/checks/extractor-ram-threads.yml index 435c9f41e6..43638af180 100644 --- a/pr-checks/checks/extractor-ram-threads.yml +++ b/pr-checks/checks/extractor-ram-threads.yml @@ -1,7 +1,6 @@ name: "Extractor ram and threads options test" description: "Tests passing RAM and threads limits to extractors" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml index e7cd79185a..6709401245 100644 
--- a/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml @@ -1,7 +1,6 @@ name: "Go: diagnostic when Go is changed after init step" description: "Checks that we emit a diagnostic if Go is changed after the init step" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true diff --git a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml index 3f2fa90b9f..85e21356c4 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround-no-file-program.yml @@ -1,7 +1,6 @@ name: "Go: diagnostic when `file` is not installed" description: "Checks that we emit a diagnostic if the `file` program is not installed" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true diff --git a/pr-checks/checks/go-indirect-tracing-workaround.yml b/pr-checks/checks/go-indirect-tracing-workaround.yml index 5c6690128f..222b964c78 100644 --- a/pr-checks/checks/go-indirect-tracing-workaround.yml +++ b/pr-checks/checks/go-indirect-tracing-workaround.yml @@ -1,7 +1,6 @@ name: "Go: workaround for indirect tracing" description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works" # only Linux is affected -operatingSystems: ["ubuntu"] # pinned to a version which does not support statically linked binaries for indirect tracing versions: ["default"] installGo: true diff --git a/pr-checks/checks/init-with-registries.yml b/pr-checks/checks/init-with-registries.yml index bc45d255aa..cedc62aab0 100644 --- a/pr-checks/checks/init-with-registries.yml +++ b/pr-checks/checks/init-with-registries.yml 
@@ -62,8 +62,6 @@ steps: fi - name: Verify contents of qlconfig.yml - # yq is not available on windows - if: runner.os != 'Windows' run: | QLCONFIG_PATH=$RUNNER_TEMP/qlconfig.yml cat $QLCONFIG_PATH | yq -e '.registries[] | select(.url == "https://ghcr.io/v2/") | select(.packages == "*/*")' diff --git a/pr-checks/checks/javascript-source-root.yml b/pr-checks/checks/javascript-source-root.yml index 9c933576e1..b06dc7bfa2 100644 --- a/pr-checks/checks/javascript-source-root.yml +++ b/pr-checks/checks/javascript-source-root.yml @@ -1,7 +1,6 @@ name: "Custom source root" description: "Checks that the argument specifying a non-default source root works" versions: ["linked", "default", "nightly-latest"] # This feature is not compatible with old CLIs -operatingSystems: ["ubuntu"] steps: - name: Move codeql-action run: | diff --git a/pr-checks/checks/job-run-uuid-sarif.yml b/pr-checks/checks/job-run-uuid-sarif.yml index 196e321780..9c0f843d40 100644 --- a/pr-checks/checks/job-run-uuid-sarif.yml +++ b/pr-checks/checks/job-run-uuid-sarif.yml @@ -1,6 +1,5 @@ name: "Job run UUID added to SARIF" description: "Tests that the job run UUID is added to the SARIF output" -operatingSystems: ["ubuntu"] versions: ["nightly-latest"] steps: - uses: ./../action/init diff --git a/pr-checks/checks/language-aliases.yml b/pr-checks/checks/language-aliases.yml index 16f5f044f9..b0db1288a3 100644 --- a/pr-checks/checks/language-aliases.yml +++ b/pr-checks/checks/language-aliases.yml @@ -1,7 +1,6 @@ name: "Language aliases" description: "Tests that language aliases are resolved correctly" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/overlay-init-fallback.yml b/pr-checks/checks/overlay-init-fallback.yml index 44d19d79c3..bfcfd27e79 100644 --- a/pr-checks/checks/overlay-init-fallback.yml +++ b/pr-checks/checks/overlay-init-fallback.yml 
@@ -1,7 +1,6 @@ name: "Overlay database init fallback" description: "Tests that overlay init action succeeds with non-overlay packs" versions: ["linked", "nightly-latest"] -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/rubocop-multi-language.yml b/pr-checks/checks/rubocop-multi-language.yml index b4439a2d39..10819a4619 100644 --- a/pr-checks/checks/rubocop-multi-language.yml +++ b/pr-checks/checks/rubocop-multi-language.yml @@ -1,6 +1,5 @@ name: "RuboCop multi-language" description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF" -operatingSystems: ["ubuntu"] # This check doesn't use CodeQL, so the `version` matrix variable is unused. versions: ["default"] steps: diff --git a/pr-checks/checks/rust.yml b/pr-checks/checks/rust.yml index 67920538d7..c19fc986da 100644 --- a/pr-checks/checks/rust.yml +++ b/pr-checks/checks/rust.yml @@ -8,7 +8,6 @@ versions: - linked - default - nightly-latest -operatingSystems: ["ubuntu"] steps: - uses: ./../action/init with: diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml index ba67db39f0..97332e4c94 100644 --- a/pr-checks/checks/submit-sarif-failure.yml +++ b/pr-checks/checks/submit-sarif-failure.yml @@ -1,7 +1,6 @@ name: Submit SARIF after failure description: Check that a SARIF file is submitted for the workflow run if it fails versions: ["linked", "default", "nightly-latest"] -operatingSystems: ["ubuntu"] env: # Internal-only environment variable used to indicate that the post-init Action diff --git a/pr-checks/checks/test-autobuild-working-dir.yml b/pr-checks/checks/test-autobuild-working-dir.yml index eda3677f67..77c1f73c84 100644 --- a/pr-checks/checks/test-autobuild-working-dir.yml +++ b/pr-checks/checks/test-autobuild-working-dir.yml 
@@ -1,7 +1,6 @@ name: "Autobuild working directory" description: "Tests working-directory input of autobuild action" versions: ["linked"] -operatingSystems: ["ubuntu"] steps: - name: Test setup run: | diff --git a/pr-checks/checks/test-local-codeql.yml b/pr-checks/checks/test-local-codeql.yml index 1e41e5dd3d..c16c2bf503 100644 --- a/pr-checks/checks/test-local-codeql.yml +++ b/pr-checks/checks/test-local-codeql.yml @@ -1,7 +1,6 @@ name: "Local CodeQL bundle" description: "Tests using a CodeQL bundle from a local file rather than a URL" versions: ["linked"] -operatingSystems: ["ubuntu"] installGo: true steps: - name: Fetch latest CodeQL bundle diff --git a/pr-checks/checks/test-proxy.yml b/pr-checks/checks/test-proxy.yml index 39efb214e1..1d64125748 100644 --- a/pr-checks/checks/test-proxy.yml +++ b/pr-checks/checks/test-proxy.yml @@ -1,7 +1,6 @@ name: "Proxy test" description: "Tests using a proxy specified by the https_proxy environment variable" versions: ["linked", "nightly-latest"] -operatingSystems: ["ubuntu"] container: image: ubuntu:22.04 container-init-steps: diff --git a/pr-checks/sync.py b/pr-checks/sync.py index 206519cc46..fc756c7883 100755 --- a/pr-checks/sync.py +++ b/pr-checks/sync.py @@ -29,12 +29,6 @@ "nightly-latest" ] -def is_os_and_version_excluded(os, version, exclude_params): - for exclude_param in exclude_params: - if exclude_param[0] == os and exclude_param[1] == version: - return True - return False - # When updating the ruamel.yaml version here, update the PR check in # `.github/workflows/pr-checks.yml` too. header = """# Warning: This file is generated automatically, and should not be modified. 
@@ -78,22 +72,17 @@ def writeHeader(checkStream): if 'inputs' in checkSpecification: workflowInputs = checkSpecification['inputs'] - excludedOsesAndVersions = checkSpecification.get('excludeOsAndVersionCombination', []) for version in checkSpecification.get('versions', defaultTestVersions): if version == "latest": raise ValueError('Did not recognize "version: latest". Did you mean "version: linked"?') runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"] - operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu", "macos", "windows"]) + operatingSystems = checkSpecification.get('operatingSystems', ["ubuntu"]) for operatingSystem in operatingSystems: runnerImagesForOs = [image for image in runnerImages if image.startswith(operatingSystem)] for runnerImage in runnerImagesForOs: - # Skip appending this combination to the matrix if it is explicitly excluded. - if is_os_and_version_excluded(operatingSystem, version, excludedOsesAndVersions): - continue - matrix.append({ 'os': runnerImage, 'version': version From 29a4b8731d5be5fe16b29b85e89d351c547b84d0 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 23 Sep 2025 14:40:02 +0200 Subject: [PATCH 2/8] Run code scanning config tests on Linux only --- .github/workflows/codescanning-config-cli.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml index 316cb7d13c..eca3902c2c 100644 --- a/.github/workflows/codescanning-config-cli.yml +++ b/.github/workflows/codescanning-config-cli.yml @@ -41,16 +41,10 @@ jobs: include: - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - os: ubuntu-latest version: default - - os: macos-latest - version: default - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest # Code-Scanning config not created because environment variable is not set name: Code Scanning Configuration tests 
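Review bot: An `operatingSystems` entry that matches no runner image (a misspelt or unsupported name) leaves `runnerImagesForOs` empty in the loop this hunk keeps, so the generator emits no matrix rows for it and raises nothing. With the default now `["ubuntu"]`, macOS and Windows coverage exists only where a check lists those names explicitly, so such an entry drops that coverage with no signal in CI. Consider failing the sync in the same style as the existing `version: latest` guard, e.g. `if not runnerImagesForOs:` followed by `raise ValueError(f'Did not recognize operating system "{operatingSystem}".')`. The loop body (the `matrix.append` call) continues outside the hunk.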
From 1b12ed7ea89162bf793ecab8dff3911b47ae8878 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Tue, 23 Sep 2025 15:15:15 +0200 Subject: [PATCH 3/8] Run resolve environment PR checks cross-platform --- .github/workflows/__resolve-environment-action.yml | 12 ++++++++++++ pr-checks/checks/resolve-environment-action.yml | 1 + 2 files changed, 13 insertions(+) diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index da2d3c0f92..f7ca252762 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml @@ -38,10 +38,22 @@ jobs: include: - os: ubuntu-latest version: default + - os: macos-latest + version: default + - os: windows-latest + version: default - os: ubuntu-latest version: linked + - os: macos-latest + version: linked + - os: windows-latest + version: linked - os: ubuntu-latest version: nightly-latest + - os: macos-latest + version: nightly-latest + - os: windows-latest + version: nightly-latest name: Resolve environment permissions: contents: read diff --git a/pr-checks/checks/resolve-environment-action.yml b/pr-checks/checks/resolve-environment-action.yml index 9722b72285..ed78e0bdb4 100644 --- a/pr-checks/checks/resolve-environment-action.yml +++ b/pr-checks/checks/resolve-environment-action.yml @@ -1,5 +1,6 @@ name: "Resolve environment" description: "Tests that the resolve-environment action works for Go and JavaScript/TypeScript" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["default", "linked", "nightly-latest"] steps: - uses: ./../action/init From 67a00809333bd1a0e6f33b9185ba2b6dee33600e Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 24 Sep 2025 12:36:35 +0200 Subject: [PATCH 4/8] Test all-platform bundle on all platforms --- .github/workflows/__all-platform-bundle.yml | 4 ++++ pr-checks/checks/all-platform-bundle.yml | 1 + 2 files changed, 5 insertions(+) 
diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml index 40d6d81c98..d6762100e8 100644 --- a/.github/workflows/__all-platform-bundle.yml +++ b/.github/workflows/__all-platform-bundle.yml @@ -48,6 +48,10 @@ jobs: include: - os: ubuntu-latest version: nightly-latest + - os: macos-latest + version: nightly-latest + - os: windows-latest + version: nightly-latest name: All-platform bundle permissions: contents: read diff --git a/pr-checks/checks/all-platform-bundle.yml b/pr-checks/checks/all-platform-bundle.yml index 75c75c8b5e..3396be22a7 100644 --- a/pr-checks/checks/all-platform-bundle.yml +++ b/pr-checks/checks/all-platform-bundle.yml @@ -1,5 +1,6 @@ name: "All-platform bundle" description: "Tests using an all-platform CodeQL Bundle" +operatingSystems: ["ubuntu", "macos", "windows"] versions: ["nightly-latest"] useAllPlatformBundle: "true" installGo: true From 79bbb1744e64f7d47524ad3ea64f8cdda0087b5c Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 24 Sep 2025 12:40:19 +0200 Subject: [PATCH 5/8] Remove PR checks that are now duplicated Direct tracing is now enabled by default. --- .../workflows/__autobuild-direct-tracing.yml | 103 ------------------ .github/workflows/__build-mode-autobuild.yml | 33 +++++- pr-checks/checks/autobuild-direct-tracing.yml | 31 ------ pr-checks/checks/build-mode-autobuild.yml | 12 +- 4 files changed, 42 insertions(+), 137 deletions(-) delete mode 100644 .github/workflows/__autobuild-direct-tracing.yml delete mode 100644 pr-checks/checks/autobuild-direct-tracing.yml diff --git a/.github/workflows/__autobuild-direct-tracing.yml b/.github/workflows/__autobuild-direct-tracing.yml deleted file mode 100644 index aed873e573..0000000000 --- a/.github/workflows/__autobuild-direct-tracing.yml +++ /dev/null 
@@ -1,103 +0,0 @@ -# Warning: This file is generated automatically, and should not be modified. -# Instead, please modify the template in the pr-checks directory and run: -# pr-checks/sync.sh -# to regenerate this file. - -name: PR Check - Autobuild direct tracing -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GO111MODULE: auto -on: - push: - branches: - - main - - releases/v* - pull_request: - types: - - opened - - synchronize - - reopened - - ready_for_review - schedule: - - cron: '0 5 * * *' - workflow_dispatch: - inputs: - java-version: - type: string - description: The version of Java to install - required: false - default: '17' - workflow_call: - inputs: - java-version: - type: string - description: The version of Java to install - required: false - default: '17' -defaults: - run: - shell: bash -concurrency: - cancel-in-progress: ${{ github.event_name == 'pull_request' }} - group: ${{ github.workflow }}-${{ github.ref }} -jobs: - autobuild-direct-tracing: - strategy: - fail-fast: false - matrix: - include: - - os: ubuntu-latest - version: linked - - os: windows-latest - version: linked - - os: ubuntu-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest - name: Autobuild direct tracing - permissions: - contents: read - security-events: read - timeout-minutes: 45 - runs-on: ${{ matrix.os }} - steps: - - name: Check out repository - uses: actions/checkout@v5 - - name: Prepare test - id: prepare-test - uses: ./.github/actions/prepare-test - with: - version: ${{ matrix.version }} - use-all-platform-bundle: 'false' - setup-kotlin: 'true' - - name: Install Java - uses: actions/setup-java@v5 - with: - java-version: ${{ inputs.java-version || '17' }} - distribution: temurin - - name: Set up Java test repo configuration - run: | - mv * .github ../action/tests/multi-language-repo/ - mv ../action/tests/multi-language-repo/.github/workflows .github - mv ../action/tests/java-repo/* . 
- - - uses: ./../action/init - id: init - with: - build-mode: autobuild - db-location: ${{ runner.temp }}/customDbLocation - languages: java - tools: ${{ steps.prepare-test.outputs.tools-url }} - - - name: Check that indirect tracing is disabled - run: | - if [[ ! -z "${CODEQL_RUNNER}" ]]; then - echo "Expected indirect tracing to be disabled, but the" \ - "CODEQL_RUNNER environment variable is set." - exit 1 - fi - - - uses: ./../action/analyze - env: - CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true - CODEQL_ACTION_TEST_MODE: true diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml index e24c170cfa..07e73d1b6d 100644 --- a/.github/workflows/__build-mode-autobuild.yml +++ b/.github/workflows/__build-mode-autobuild.yml @@ -21,9 +21,19 @@ on: schedule: - cron: '0 5 * * *' workflow_dispatch: - inputs: {} + inputs: + java-version: + type: string + description: The version of Java to install + required: false + default: '17' workflow_call: - inputs: {} + inputs: + java-version: + type: string + description: The version of Java to install + required: false + default: '17' defaults: run: shell: bash @@ -37,6 +47,12 @@ jobs: matrix: include: - os: ubuntu-latest + version: linked + - os: windows-latest + version: linked + - os: ubuntu-latest + version: nightly-latest + - os: windows-latest version: nightly-latest name: Build mode autobuild permissions: @@ -54,6 +70,11 @@ jobs: version: ${{ matrix.version }} use-all-platform-bundle: 'false' setup-kotlin: 'true' + - name: Install Java + uses: actions/setup-java@v5 + with: + java-version: ${{ inputs.java-version || '17' }} + distribution: temurin - name: Set up Java test repo configuration run: | mv * .github ../action/tests/multi-language-repo/ 
@@ -77,6 +98,14 @@ jobs: exit 1 fi + - name: Check that indirect tracing is disabled + run: | + if [[ ! -z "${CODEQL_RUNNER}" ]]; then + echo "Expected indirect tracing to be disabled, but the" \ + "CODEQL_RUNNER environment variable is set." + exit 1 + fi + - uses: ./../action/analyze env: CODEQL_ACTION_TEST_MODE: true diff --git a/pr-checks/checks/autobuild-direct-tracing.yml b/pr-checks/checks/autobuild-direct-tracing.yml deleted file mode 100644 index 1e9d2d9002..0000000000 --- a/pr-checks/checks/autobuild-direct-tracing.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: "Autobuild direct tracing" -description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild', with direct tracing enabled" -operatingSystems: ["ubuntu", "windows"] -versions: ["linked", "nightly-latest"] -installJava: "true" -env: - CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true -steps: - - name: Set up Java test repo configuration - run: | - mv * .github ../action/tests/multi-language-repo/ - mv ../action/tests/multi-language-repo/.github/workflows .github - mv ../action/tests/java-repo/* . - - - uses: ./../action/init - id: init - with: - build-mode: autobuild - db-location: "${{ runner.temp }}/customDbLocation" - languages: java - tools: ${{ steps.prepare-test.outputs.tools-url }} - - - name: Check that indirect tracing is disabled - run: | - if [[ ! -z "${CODEQL_RUNNER}" ]]; then - echo "Expected indirect tracing to be disabled, but the" \ - "CODEQL_RUNNER environment variable is set." - exit 1 - fi - - - uses: ./../action/analyze diff --git a/pr-checks/checks/build-mode-autobuild.yml b/pr-checks/checks/build-mode-autobuild.yml index 5a51477882..668621490e 100644 --- a/pr-checks/checks/build-mode-autobuild.yml +++ b/pr-checks/checks/build-mode-autobuild.yml 
@@ -1,6 +1,8 @@ name: "Build mode autobuild" description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'" -versions: ["nightly-latest"] +operatingSystems: ["ubuntu", "windows"] +versions: ["linked", "nightly-latest"] +installJava: "true" steps: - name: Set up Java test repo configuration run: | @@ -25,4 +27,12 @@ steps: exit 1 fi + - name: Check that indirect tracing is disabled + run: | + if [[ ! -z "${CODEQL_RUNNER}" ]]; then + echo "Expected indirect tracing to be disabled, but the" \ + "CODEQL_RUNNER environment variable is set." + exit 1 + fi + - uses: ./../action/analyze From 8633a151d578ff89ce2a5cc58e0c2c2dfdfc172c Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 24 Sep 2025 12:45:10 +0200 Subject: [PATCH 6/8] Remove unnecessary "test" prefix from check names --- ...st-autobuild-working-dir.yml => __autobuild-working-dir.yml} | 2 +- .github/workflows/{__test-proxy.yml => __global-proxy.yml} | 2 +- .../workflows/{__test-local-codeql.yml => __local-bundle.yml} | 2 +- ...test-autobuild-working-dir.yml => autobuild-working-dir.yml} | 0 pr-checks/checks/{test-proxy.yml => global-proxy.yml} | 0 pr-checks/checks/{test-local-codeql.yml => local-bundle.yml} | 0 6 files changed, 3 insertions(+), 3 deletions(-) rename .github/workflows/{__test-autobuild-working-dir.yml => __autobuild-working-dir.yml} (98%) rename .github/workflows/{__test-proxy.yml => __global-proxy.yml} (99%) rename .github/workflows/{__test-local-codeql.yml => __local-bundle.yml} (99%) rename pr-checks/checks/{test-autobuild-working-dir.yml => autobuild-working-dir.yml} (100%) rename pr-checks/checks/{test-proxy.yml => global-proxy.yml} (100%) rename pr-checks/checks/{test-local-codeql.yml => local-bundle.yml} (100%) 
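Review bot: The added "Check that indirect tracing is disabled" step (second hunk, `@@ -25,4 +27,12 @@`) relies on direct tracing being the default, but the template no longer records that assumption; the deleted autobuild-direct-tracing check carried it as `CODEQL_ACTION_AUTOBUILD_BUILD_MODE_DIRECT_TRACING: true`. A comment above the step, such as `# Direct tracing is the default for build-mode: autobuild; CODEQL_RUNNER being set would mean the indirect tracer was used.`, would tell a reader what a failure here signals. The `description:` in the first hunk could likewise mention that the check now also asserts the tracing mode. As a style point, `[[ -n "${CODEQL_RUNNER}" ]]` states the condition more directly than `[[ ! -z "${CODEQL_RUNNER}" ]]`. The `steps:` list continues outside both hunks.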
diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__autobuild-working-dir.yml similarity index 98% rename from .github/workflows/__test-autobuild-working-dir.yml rename to .github/workflows/__autobuild-working-dir.yml index 853836cbe9..5b1423d0f7 100644 --- a/.github/workflows/__test-autobuild-working-dir.yml +++ b/.github/workflows/__autobuild-working-dir.yml @@ -31,7 +31,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-autobuild-working-dir: + autobuild-working-dir: strategy: fail-fast: false matrix: diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__global-proxy.yml similarity index 99% rename from .github/workflows/__test-proxy.yml rename to .github/workflows/__global-proxy.yml index 92f3330591..575b84385c 100644 --- a/.github/workflows/__test-proxy.yml +++ b/.github/workflows/__global-proxy.yml @@ -31,7 +31,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-proxy: + global-proxy: strategy: fail-fast: false matrix: diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__local-bundle.yml similarity index 99% rename from .github/workflows/__test-local-codeql.yml rename to .github/workflows/__local-bundle.yml index 09e47d922e..00b509f54c 100644 --- a/.github/workflows/__test-local-codeql.yml +++ b/.github/workflows/__local-bundle.yml @@ -41,7 +41,7 @@ concurrency: cancel-in-progress: ${{ github.event_name == 'pull_request' }} group: ${{ github.workflow }}-${{ github.ref }} jobs: - test-local-codeql: + local-bundle: strategy: fail-fast: false matrix: diff --git a/pr-checks/checks/test-autobuild-working-dir.yml b/pr-checks/checks/autobuild-working-dir.yml similarity index 100% rename from pr-checks/checks/test-autobuild-working-dir.yml rename to pr-checks/checks/autobuild-working-dir.yml 
diff --git a/pr-checks/checks/test-proxy.yml b/pr-checks/checks/global-proxy.yml similarity index 100% rename from pr-checks/checks/test-proxy.yml rename to pr-checks/checks/global-proxy.yml diff --git a/pr-checks/checks/test-local-codeql.yml b/pr-checks/checks/local-bundle.yml similarity index 100% rename from pr-checks/checks/test-local-codeql.yml rename to pr-checks/checks/local-bundle.yml From ba58de7d6180a03bc7550e8149bbc9746327c10e Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 24 Sep 2025 12:51:03 +0200 Subject: [PATCH 7/8] Run resolve environment test against Ubuntu only There isn't really anything platform-specific at the moment. --- .github/workflows/__resolve-environment-action.yml | 12 ------------ pr-checks/checks/resolve-environment-action.yml | 1 - 2 files changed, 13 deletions(-) diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml index f7ca252762..da2d3c0f92 100644 --- a/.github/workflows/__resolve-environment-action.yml +++ b/.github/workflows/__resolve-environment-action.yml @@ -38,22 +38,10 @@ jobs: include: - os: ubuntu-latest version: default - - os: macos-latest - version: default - - os: windows-latest - version: default - os: ubuntu-latest version: linked - - os: macos-latest - version: linked - - os: windows-latest - version: linked - os: ubuntu-latest version: nightly-latest - - os: macos-latest - version: nightly-latest - - os: windows-latest - version: nightly-latest name: Resolve environment permissions: contents: read diff --git a/pr-checks/checks/resolve-environment-action.yml b/pr-checks/checks/resolve-environment-action.yml index ed78e0bdb4..9722b72285 100644 --- a/pr-checks/checks/resolve-environment-action.yml +++ b/pr-checks/checks/resolve-environment-action.yml 
@@ -1,6 +1,5 @@ name: "Resolve environment" description: "Tests that the resolve-environment action works for Go and JavaScript/TypeScript" -operatingSystems: ["ubuntu", "macos", "windows"] versions: ["default", "linked", "nightly-latest"] steps: - uses: ./../action/init From 4082f8c39f733490d46a4f6effa3e7caa9d565c2 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Wed, 24 Sep 2025 13:24:00 +0200 Subject: [PATCH 8/8] Install yq --- .github/workflows/__build-mode-autobuild.yml | 5 +++++ pr-checks/checks/build-mode-autobuild.yml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml index 07e73d1b6d..9f0997106d 100644 --- a/.github/workflows/__build-mode-autobuild.yml +++ b/.github/workflows/__build-mode-autobuild.yml @@ -89,6 +89,11 @@ jobs: languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} + - name: Install yq + if: runner.os == 'Windows' + run: | + choco install yq -y + - name: Validate database build mode run: | metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml" diff --git a/pr-checks/checks/build-mode-autobuild.yml b/pr-checks/checks/build-mode-autobuild.yml index 668621490e..26b8626f22 100644 --- a/pr-checks/checks/build-mode-autobuild.yml +++ b/pr-checks/checks/build-mode-autobuild.yml @@ -18,6 +18,11 @@ steps: languages: java tools: ${{ steps.prepare-test.outputs.tools-url }} + - name: Install yq + if: runner.os == 'Windows' + run: | + choco install yq -y + - name: Validate database build mode run: | metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
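Review bot: `choco install yq -y` in the added "Install yq" step of pr-checks/checks/build-mode-autobuild.yml installs whatever yq version the Chocolatey feed serves when the job runs, so the Windows leg executes an unpinned third-party binary and can change behaviour without any commit to this repository. Pinning makes the dependency reviewable and reproducible: `choco install yq --version <PINNED_VERSION> -y`, with the version bumped deliberately. A short comment above the step would also explain the `if: runner.os == 'Windows'` guard, stating that yq is presumably needed by the following "Validate database build mode" step and that only the Windows runner is assumed to lack it. The same step appears in the generated .github/workflows/__build-mode-autobuild.yml hunk earlier on this line and would pick up the change on regeneration; the `steps:` list continues outside the hunk.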