Add github-codeql-tools repository property for tools input#3766

Open
Copilot wants to merge 2 commits intomainfrom
copilot/add-tools-input-source-repository
Conversation


Copilot AI commented Mar 23, 2026

Large organizations downloading a pinned CodeQL CLI version on every analysis run can hit rate limits. This adds a github-codeql-tools repository property that lets org admins set the tools source at org level, avoiding per-run downloads.

What changes

New repository property: github-codeql-tools

  • Org admins can set this on their repositories (e.g., github-codeql-tools: toolcache)
  • When set, it acts as a default tools input — explicit workflow-level tools input always takes precedence
  • toolcache value works without requiring the AllowToolcacheInput feature flag or a dynamic workflow trigger, since the org admin is explicitly opting in

Implementation

  • Added RepositoryPropertyName.TOOLS = "github-codeql-tools" to the existing property enum/type system in src/feature-flags/properties.ts
  • Threaded a toolsInputFromRepositoryProperty flag through the call chain: initCodeQL → setupCodeQL → setupCodeQLBundle → getCodeQLSource
  • In getCodeQLSource, toolcache with this flag set bypasses the feature-flag/dynamic-workflow guard and emits distinct log messages referencing the repository property name rather than tools: toolcache
  • init-action.ts resolves the effective tools input: workflow input wins; property is used only when no explicit input is given

Risk assessment

High risk: Not fully under a feature flag — the new code path activates when the repository property is set.

Which use cases does this change impact?

Workflow types:

  • Advanced setup - Impacts users who have custom CodeQL workflows.
  • Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
  • GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

The repository property must be explicitly set by an org admin; no existing workflows are affected unless they set github-codeql-tools.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

Copilot AI changed the title from "[WIP] Add repository property for tools input in CodeQL Action" to "Add github-codeql-tools repository property for tools input" Mar 23, 2026
Copilot AI requested a review from oscarsj March 23, 2026 17:31
github-actions bot added the size/M label (Should be of average difficulty to review) Mar 24, 2026
oscarsj force-pushed the copilot/add-tools-input-source-repository branch from 5c6b9e8 to e74c1ee March 24, 2026 17:42
@oscarsj oscarsj requested a review from mbg March 24, 2026 17:58
@oscarsj oscarsj marked this pull request as ready for review March 24, 2026 18:01
@oscarsj oscarsj requested a review from a team as a code owner March 24, 2026 18:01
Copilot AI review requested due to automatic review settings March 24, 2026 18:01
Copilot AI left a comment

Pull request overview

Adds a new org-managed repository property (github-codeql-tools) that can supply a default tools input value (when the workflow doesn’t set one), enabling organizations to opt into using the toolcache without per-run CLI downloads.

Changes:

  • Introduces RepositoryPropertyName.TOOLS = "github-codeql-tools" and parses it from the repository properties API.
  • Resolves an effective tools input in init-action (workflow input wins; otherwise fall back to repository property) and threads an origin flag through to CodeQL setup.
  • Allows tools=toolcache to bypass the existing feature-flag/dynamic-workflow restriction when the value came from the repository property, with targeted log messages and unit tests.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 4 comments.

File Description
src/feature-flags/properties.ts Adds the new repository property name and parser typing for github-codeql-tools.
src/feature-flags/properties.test.ts Tests loading/parsing of the new github-codeql-tools property.
src/init-action.ts Resolves effective tools input (workflow vs repository property) and passes origin flag into initCodeQL.
src/init.ts Threads toolsInputFromRepositoryProperty into setupCodeQL.
src/codeql.ts Threads toolsInputFromRepositoryProperty into setupCodeQLBundle.
src/setup-codeql.ts Adds toolsInputFromRepositoryProperty parameter and uses it to allow toolcache without FF/dynamic checks.
src/setup-codeql.test.ts Adds tests for toolcache behavior when enabled via repository property (including empty toolcache fallback).
lib/* Generated JS output corresponding to the TS changes (not reviewed).

Comment on lines +302 to +310
// Determine the effective tools input.
// The explicit `tools` workflow input takes precedence. If none is provided,
// fall back to the 'github-codeql-tools' repository property (if set).
const toolsWorkflowInput = getOptionalInput("tools");
const toolsPropertyValue: string | undefined =
repositoryPropertiesResult.orElse({})[RepositoryPropertyName.TOOLS];
const effectiveToolsInput = toolsWorkflowInput ?? toolsPropertyValue;
const toolsInputFromRepositoryProperty =
toolsWorkflowInput === undefined && toolsPropertyValue !== undefined;
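Review bot: `toolsInputFromRepositoryProperty` becomes true whenever `toolsPropertyValue !== undefined`, so an empty-string property value would set the flag and pass an empty `effectiveToolsInput` down the chain, because `??` only falls back on null or undefined. Normalise the property value before the fallback (treat empty or whitespace-only as unset), e.g. `const toolsPropertyValue = repositoryPropertiesResult.orElse({})[RepositoryPropertyName.TOOLS]?.trim() || undefined;`, and add a unit test for the empty-property case.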

Copilot AI Mar 24, 2026

effectiveToolsInput correctly falls back to the repository property, but later status reporting still uses getOptionalInput("tools") (see tools_input field earlier in this file). When github-codeql-tools is set, telemetry/status reports will show an empty tools_input, which makes it hard to debug or measure adoption. Consider reporting the resolved/effective tools value and/or explicitly recording whether it came from workflow input vs repository property.

Comment on lines +302 to +310 (same excerpt as above)

Copilot AI Mar 24, 2026

The PR description says the github-codeql-tools repository property acts as a default for the tools input (with workflow input taking precedence). In this change it’s only resolved in init-action.ts; setup-codeql-action.ts still uses only the workflow input and never loads repository properties, so users of that action won’t get the org-level default behavior. Either extend the same resolution logic to setup-codeql-action (and any other entrypoints that accept tools) or clarify/adjust the PR description/docs to match the actual scope.

Comment on lines 281 to 290
export async function getCodeQLSource(
toolsInput: string | undefined,
defaultCliVersion: CodeQLDefaultVersionInfo,
apiDetails: api.GitHubApiDetails,
variant: util.GitHubVariant,
tarSupportsZstd: boolean,
features: FeatureEnablement,
logger: Logger,
toolsInputFromRepositoryProperty = false,
): Promise<CodeQLToolsSource> {
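Review bot: `toolsInputFromRepositoryProperty = false` as a trailing defaulted positional parameter means any call site in the initCodeQL → setupCodeQL → setupCodeQLBundle chain that omits it silently gets `false`, and the property-driven toolcache path never activates without a compile error. Either make the parameter required (or part of an options object) so a missed call site fails type-checking, or add a test that sets the flag at the top of the chain and asserts it reaches `getCodeQLSource`.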

Copilot AI Mar 24, 2026

toolsInputFromRepositoryProperty is introduced on getCodeQLSource, but it’s only used to special-case the toolcache guard + log messages. If the repository property is ever used for other tools values (e.g. linked, nightly, or a URL), the current logs in other branches still say they were requested by 'tools: …', which can be misleading when no workflow input was provided. Consider generalizing this to a “tools input origin” (workflow vs repo property) and using it consistently in all user-facing log messages about requested tools.

Comment on lines +417 to +420
if (toolsInputFromRepositoryProperty) {
logger.info(
`Attempting to use the latest CodeQL CLI version in the toolcache, as requested by the 'github-codeql-tools' repository property.`,
);

Copilot AI Mar 24, 2026

The repository property name is hard-coded in these log messages ('github-codeql-tools'). To avoid drift if the property name ever changes and to keep usage consistent with the rest of the repo-properties system, consider referencing RepositoryPropertyName.TOOLS (or a shared constant) instead of duplicating the string literal in multiple places (including tests).
