Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
Contributions to this project are released to the public under the project's open source license.
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
Before you start, ensure that you have a recent version of node (16 or higher) installed, along with a recent version of npm (9.2 or higher). You can see which version of node is used by the action in init/action.yml
.
- Transpile the TypeScript to JavaScript:
npm run build
. Note that the JavaScript files are committed to git. - Run tests:
npm run test
. You’ll need to ensure that the JavaScript files are up-to-date first by running the command above. - Run the linter:
npm run lint
.
This project also includes configuration to run tests from VSCode (with support for breakpoints) - open the test file you wish to run and choose "Debug AVA test file" from the Run menu in the Run panel.
You may want to run tsc --watch
from the command line or inside of vscode in order to ensure build artifacts are up to date as you are working.
Because CodeQL Action users consume the code directly from this repository, and there can be no build step during an GitHub Actions run, this repository contains all compiled artifacts and node modules. There is a PR check that will fail if any of the compiled artifacts are not up to date. Compiled artifacts are stored in the lib/
directory. For all day-to-day development purposes, this folder can be ignored.
Only run npm install
if you are explicitly changing the set of dependencies in package.json
. The node_modules
directory should be up to date when you check out, but if for some reason, there is an inconsistency use npm ci && npm run removeNPMAbsolutePaths
to ensure the directory is in a state consistent with the package-lock.json
. Note that due to a macOS-specific dependency, this command should be run on a macOS machine. There is a PR check to ensure the consistency of the node_modules
directory.
To see the effect of your changes and to test them, push your changes in a branch and then look at the Actions output for that branch. You can also exercise the code locally by running the automated tests.
As well as the unit tests (see Common tasks above), there are integration tests, defined in .github/workflows/integration-testing.yml
. These are run by a CI check. Depending on the change you’re making, you may want to add a test to this file or extend an existing one.
- Fork and clone the repository
- Create a new branch:
git checkout -b my-branch-name
- Make your change, add tests, and make sure the tests still pass
- Push to your fork and submit a pull request
- Pat yourself on the back and wait for your pull request to be reviewed and merged.
If you're a GitHub staff member, you can merge your own PR once it's approved; for external contributors, GitHub staff will merge your PR once it's approved.
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
- Write tests.
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a good commit message.
-
The first step of releasing a new version of the
codeql-action
is running the "Update release branch" workflow. This workflow goes through the pull requests that have been merged tomain
since the last release, creates a changelog, then opens a pull request to merge the changes since the last release into thereleases/v3
release branch.You can start a release by triggering this workflow via workflow dispatch.
-
The workflow run will open a pull request titled "Merge main into releases/v3". Follow the steps on the checklist in the pull request. Once you've checked off all but the last two of these, approve the PR and automerge it.
-
When the "Merge main into releases/v3" pull request is merged into the
releases/v3
branch, a mergeback pull request tomain
and a backport pull request toreleases/v2
will both be automatically created. This mergeback pull request incorporates the changelog updates intomain
, tags the release using the merge commit of the "Merge main into releases/v3" pull request, and bumps the patch version of the CodeQL Action. The backport pull request will incorporate the updates intoreleases/v2
. -
Approve the mergeback and backport pull requests and automerge them.
Once the mergeback and backport pull request have been merged, the release is complete.
Since the codeql-action
runs most of its testing through individual Actions workflows, there are over two hundred jobs that need to pass in order for a PR to turn green. You can regenerate the checks automatically by running the update-required-checks.sh script:
- By default, this script retrieves the checks from the latest SHA on
main
, so make sure that yourmain
branch is up to date. - Run the script. If there's a reason to, you can pass in a different SHA as a CLI argument.
- After running, go to the branch protection rules settings page and validate that the rules for
main
,v2
, andv3
have been updated.
Note that any updates to checks need to be backported to the releases/v2
branch, in order to maintain the same set of names for required checks.
We typically deprecate a version of CodeQL when the GitHub Enterprise Server (GHES) version that it first shipped in is deprecated.
- Work out the next minimum version of CodeQL. This is the version that shipped in the version of GHES after the one that has just been deprecated.
- Notify users using the old version of CodeQL about the deprecation.
- Update
CODEQL_NEXT_MINIMUM_VERSION
,GHES_VERSION_MOST_RECENTLY_DEPRECATED
, andGHES_MOST_RECENT_DEPRECATION_DATE
insrc/codeql.ts
to reflect the new minimum version of CodeQL and the GHES version that has just been deprecated. - Add a changelog note announcing the deprecation.
- Example PR: github#1884
- Update
- Release the Action, or wait for the next scheduled release of the Action, then wait at least a week so users have time to see and act on the deprecation warning.
- Remove support for the old version of CodeQL.
- Bump
CODEQL_MINIMUM_VERSION
insrc/codeql.ts
to the new minimum version of CodeQL. - Remove any code that is only needed to support the old version of CodeQL. This is often behind a version guard, so look for instances of version numbers between the old minimum version and the new minimum version in the codebase. A good place to start is the list of version numbers in
src/codeql.ts
. - Update the default set of CodeQL test versions in
pr-checks/sync.py
.- Remove the old minimum version of CodeQL.
- Add the latest patch release for any new CodeQL minor version series that have shipped in GHES.
- Run the script to update the generated PR checks.
- Do the same for PR checks that aren't auto-generated.
- Add a changelog note announcing the new minimum version of CodeQL that is now required.
- Example PR: github#1907
- Bump
We sometimes maintain multiple versions of the CodeQL Action to enable customers on older but still supported versions of GitHub Enterprise Server (GHES) to continue to benefit from the latest CodeQL improvements. To accomplish this, the release process automation listens to updates to the release branch for the newest supported version. When this branch is updated, the release process automatically opens backport PRs to update the release branches for older versions.
We typically deprecate older versions of the Action once all supported GHES versions are compatible with the version of Node.js we are using on main
.
To deprecate an older version of the Action:
- Notify any users who are still pinned to the
vN
tag of the deprecated version of the Action, giving as much notice as is practical.- Add a changelog note announcing the deprecation.
- Implement an Actions warning for customers using the deprecated version.
- Wait for the deprecation period to pass.
- Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported.
- Make a PR to bump the
OLDEST_SUPPORTED_MAJOR_VERSION
in releases.ini. Once this PR is merged, the release process will no longer backport changes to the deprecated release version.