-
Notifications
You must be signed in to change notification settings - Fork 338
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump the minimum supported version of CodeQL to 2.15.5 #2655
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copilot reviewed 7 out of 13 changed files in this pull request and generated no comments.
Files not reviewed (6)
- package.json: Language not supported
- pr-checks/sync.py: Evaluated as low risk
- .github/workflows/debug-artifacts.yml: Evaluated as low risk
- src/codeql.ts: Evaluated as low risk
- .github/workflows/__go-tracing-autobuilder.yml: Evaluated as low risk
- .github/workflows/__go-tracing-custom-build-steps.yml: Evaluated as low risk
Comments suppressed due to low confidence (1)
.github/workflows/__multi-language-autodetect.yml:91
- The conditional logic here is incorrect. It should include macOS as well, otherwise it will exclude languages for macOS runners.
languages: ${{ runner.os == 'Linux' && 'cpp,csharp,go,java,javascript,python,ruby' || '' }}
Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more
c441453
to
5f0a4d3
Compare
@mbg, there are three workflows that are failing now that I'm deprecating 2.14.6. It looks like you created these workflows and hard-coded 2.14.6. Is there another, non-deprecated version we can use? Is it the case that now that 2.14.6 is deprecated, we can remove the workaround? |
I think intention with pinning that version was that we would fix/improve the tracer not long after, and so would no longer need the workaround then. However, that never happened, so the workaround is still needed to this day (AFAIK). That means we can either:
|
OK. Thanks. I'll pin it to 2.20.0. |
14348c5
to
beed6ff
Compare
Actually, if I pin to |
@@ -28,7 +28,7 @@ jobs: | |||
matrix: | |||
include: | |||
- os: ubuntu-latest | |||
version: stable-v2.14.6 | |||
version: default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does this not update as stable-v2.19.4
like files below ? Diff in files .github/workflows/__go-tracing-autobuilder.yml
and beyond do not mention default
as version. Not sure if this is just setup differently for different workflows.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe your comment here is linked to my Q -- but I am not sure I fully understand the reasoning though. Do we follow some guide/playbook for these upgrades?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. These tests are for a particular workaround in the CLI and action for indirect tracing of go code. I'm actually not sure what this is. It's something that @mbg
implemented. It's testing that if we're using a version of go that supports statically linked binaries, we can still build a database even though the CodeQL go tracer does not support statically linked binaries. If we ever do implement this in the go tracer, then these tests will start to fail.
I moved from a fixed version to default
so that we won't need to update these tests again in the future.
We only need to test a single version since this is a mechanism that is in the action, and independent of the codeql version.
Look at the "Deprecating a CodeQL version" section of CONTRIBUTING.md for more information around how this deprecation works.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Versions for the other workflows are handled by the sync.py
script.
@@ -28,7 +28,7 @@ jobs: | |||
matrix: | |||
include: | |||
- os: ubuntu-latest | |||
version: stable-v2.14.6 | |||
version: default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same comment as above
@@ -28,7 +28,7 @@ jobs: | |||
matrix: | |||
include: | |||
- os: ubuntu-latest | |||
version: stable-v2.14.6 | |||
version: default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same comment as above
|
||
CodeQL Action v2 will stop receiving updates when GHES 3.11 is deprecated. | ||
CodeQL Action v2 has stopped receiving updates now that GHES 3.11 is deprecated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this need to be part of changelog update?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I jumped the gun on this change by just a little since v2 is not yet officially deprecated. This is something @angelapwen
will be working on shortly. GHES 3.11 is getting deprecated on December 19.
I made the change since I thought it would be confusing to remove the line about GFHES 3.11 and keep the line about v2 unchanged.
The last update to the v2 branch should only go in the v2 branch, so I won't put it the changelog on the main branch.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks fine to me, but we want to make sure that we don't merge before Dec 19, right?
I will make a release on December 19. It's probably fine to merge this PR before then. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
:merge-it:
Merge / deployment checklist