Move packs to codeql org

BUILD.bazel

@@ -0,0 +1,20 @@
+load("//misc/bazel:pkg.bzl", "codeql_pack")
+
+package(default_visibility = ["//visibility:public"])
+
+[
+    codeql_pack(
+        name = "-".join(parts),
+        srcs = [
+            "//actions/extractor",
+        ],
+        pack_prefix = "/".join(parts),
+    )
+    for parts in (
+        [
+            "experimental",
+            "actions",
+        ],
+        ["actions"],
+    )
+]

extractor/BUILD.bazel

@@ -0,0 +1,10 @@
+load("//misc/bazel:pkg.bzl", "codeql_pkg_files", "strip_prefix")
+
+codeql_pkg_files(
+    name = "extractor",
+    srcs = [
+        "codeql-extractor.yml",
+    ] + glob(["tools/**"]),
+    strip_prefix = strip_prefix.from_pkg(),
+    visibility = ["//actions:__pkg__"],
+)

extractor/codeql-extractor.yml

@@ -0,0 +1,44 @@
+name: "actions"
+aliases: []
+display_name: "GitHub Actions"
+version: 0.0.1
+column_kind: "utf16"
+unicode_newlines: true
+build_modes:
+  - none
+file_coverage_languages: []
+github_api_languages: []
+scc_languages: []
+file_types:
+  - name: workflow
+    display_name: GitHub Actions workflow files
+    extensions:
+      - .yml
+      - .yaml
+forwarded_extractor_name: javascript
+options:
+  trap:
+    title: TRAP options
+    description: Options about how the extractor handles TRAP files
+    type: object
+    visibility: 3
+    properties:
+      cache:
+        title: TRAP cache options
+        description: Options about how the extractor handles its TRAP cache
+        type: object
+        properties:
+          dir:
+            title: TRAP cache directory
+            description: The directory of the TRAP cache to use
+            type: string
+          bound:
+            title: TRAP cache bound
+            description: A soft limit (in MB) on the size of the TRAP cache
+            type: string
+            pattern: "[0-9]+"
+          write:
+            title: TRAP cache writeable
+            description: Whether to write to the TRAP cache as well as reading it
+            type: string
+            pattern: "(true|TRUE|false|FALSE)"

extractor/tools/autobuild-impl.ps1

@@ -0,0 +1,40 @@
+if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
+    Write-Output 'Path filters set. Passing them through to the JavaScript extractor.' 
+} else {
+    Write-Output 'No path filters set. Using the default filters.'
+    $DefaultPathFilters = @(
+        'exclude:**/*',
+        'include:.github/workflows/**/*.yml',
+        'include:.github/workflows/**/*.yaml',
+        'include:**/action.yml',
+        'include:**/action.yaml'
+    )
+
+    $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
+}
+
+# Find the JavaScript extractor directory via `codeql resolve extractor`.
+$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
+if ($LASTEXITCODE -ne 0) {
+    throw 'Failed to resolve JavaScript extractor.'
+}
+
+Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
+
+# Run the JavaScript autobuilder.
+$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd'
+Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'."
+
+# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
+
+&$JavaScriptAutoBuild
+if ($LASTEXITCODE -ne 0) {
+    throw "JavaScript autobuilder failed."
+}

extractor/tools/autobuild.cmd

@@ -0,0 +1,3 @@
+@echo off
+rem All of the work is done in the PowerShell script
+powershell.exe %~dp0autobuild-impl.ps1

extractor/tools/autobuild.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -eu
+
+DEFAULT_PATH_FILTERS=$(cat << END
+exclude:**/*
+include:.github/workflows/**/*.yml
+include:.github/workflows/**/*.yaml
+include:**/action.yml
+include:**/action.yaml
+END
+)
+
+if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
+    echo "Path filters set. Passing them through to the JavaScript extractor."
+else
+    echo "No path filters set. Using the default filters."
+    LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
+    export LGTM_INDEX_FILTERS
+fi
+
+# Find the JavaScript extractor directory via `codeql resolve extractor`.
+CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
+export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
+
+echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
+
+# Run the JavaScript autobuilder
+JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh"
+echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'."
+
+# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
+env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
+    CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
+    ${JAVASCRIPT_AUTO_BUILD}

ql/lib/qlpack.yml

@@ -1,16 +1,16 @@
 ---
 library: true
 warnOnImplicitThis: true
-name: github/actions-all
+name: codeql/actions-all
 version: 0.1.85
 dependencies:
   codeql/util: ^1.0.1
   codeql/yaml: ^1.0.1
   codeql/controlflow: ^1.0.1
   codeql/dataflow: ^1.0.1
-extractor: javascript
-dbscheme: semmlecode.javascript.dbscheme
-groups: javascript
+  codeql/javascript-all: ^2.0.2
+extractor: actions
+groups: actions
 dataExtensions:
   - ext/manual/*.model.yml
   - ext/generated/**/*.model.yml

ql/src/codeql-pack.lock.yml

@@ -2,15 +2,25 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 1.0.1
+    version: 1.0.10
   codeql/dataflow:
-    version: 1.0.1
+    version: 1.1.4
+  codeql/javascript-all:
+    version: 2.0.2
+  codeql/mad:
+    version: 1.0.10
+  codeql/regex:
+    version: 1.0.10
   codeql/ssa:
-    version: 1.0.1
+    version: 1.0.10
+  codeql/tutorial:
+    version: 1.0.10
   codeql/typetracking:
-    version: 1.0.1
+    version: 1.0.10
   codeql/util:
-    version: 1.0.1
+    version: 1.0.10
+  codeql/xml:
+    version: 1.0.10
   codeql/yaml:
-    version: 1.0.1
+    version: 1.0.10
 compiled: false

ql/src/qlpack.yml

@@ -1,11 +1,11 @@
 ---
 library: false
-name: github/actions-queries
+name: codeql/actions-queries
 version: 0.1.85
 groups: [actions, queries]
 suites: codeql-suites
-extractor: javascript
+extractor: actions
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
-  github/actions-all: ${workspace}
+  codeql/actions-all: ${workspace}
 warnOnImplicitThis: true

ql/test/qlpack.yml

@@ -1,10 +1,10 @@
 ---
-name: github/actions-tests
-groups: [javascript, test]
+name: codeql/actions-tests
+groups: [codeql, test]
 dependencies:
-  github/actions-all: ${workspace}
-  github/actions-queries: ${workspace}
-extractor: javascript
+  codeql/actions-all: ${workspace}
+  codeql/actions-queries: ${workspace}
+extractor: actions
 tests: .
 warnOnImplicitThis: true