Merge branch 'main' into rp/fix-m3-4-1

Author: lcartey

.github/actions/check-permissions/action.yml

@@ -0,0 +1,49 @@
+name: Check current actor permissions
+description: |
+  Checks whether the current actor has the specified permssions
+inputs:
+  minimum-permission:
+    description: |
+      The minimum required permission. One of: read, write, admin
+    required: true
+outputs:
+  has-permission:
+    description: "Whether the actor had the minimum required permission"
+    value: ${{ steps.check-permission.outputs.has-permission }}
+
+runs:
+  using: composite
+  steps:
+  - uses: actions/github-script@v7
+    id: check-permission
+    env:
+      INPUT_MINIMUM-PERMISSION: ${{ inputs.minimum-permission }}
+    with:
+      script: |
+        // Valid permissions are none, read, write, admin (legacy base permissions)
+        const permissionsRanking = ["none", "read", "write", "admin"];
+
+        // Note: core.getInput doesn't work by default in a composite action - in this case
+        //       it would try to fetch the input to the github-script instead of the action
+        //       itself. Instead, we set the appropriate magic env var with the actions input.
+        //       See: https://github.com/actions/runner/issues/665
+        const minimumPermission = core.getInput('minimum-permission');
+        if (!permissionsRanking.includes(minimumPermission)) {
+          core.setFailed(`Invalid minimum permission: ${minimumPermission}`);
+          return;
+        }
+
+        const { data : { permission : actorPermission } } = await github.rest.repos.getCollaboratorPermissionLevel({
+          owner: context.repo.owner,
+          repo: context.repo.repo,
+          username: context.actor
+        });
+
+        // Confirm whether the actor permission is at least the selected permission
+        const hasPermission = permissionsRanking.indexOf(minimumPermission) <= permissionsRanking.indexOf(actorPermission) ? "1" : "";
+        core.setOutput('has-permission', hasPermission);
+        if (!hasPermission) {
+          core.info(`Current actor (${context.actor}) does not have the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+        } else {
+          core.info(`Current actor (${context.actor}) has the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+        }

.github/workflows/code-scanning-pack-gen.yml

@@ -103,10 +103,10 @@ jobs:
           codeql query compile --precompile --threads 0 c
 
           cd ..
-          zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/schemas
+          zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/schemas
 
       - name: Upload GHAS Query Pack
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: code-scanning-cpp-query-pack.zip
           path: code-scanning-cpp-query-pack.zip

.github/workflows/dispatch-matrix-check.yml

@@ -1,8 +1,8 @@
-name: 🤖 Run Matrix Check 
+name: 🤖 Run Matrix Check
 
 on:
   pull_request_target:
-    types: [synchronize,opened]
+    types: [synchronize, opened]
     branches:
       - "matrix/**"
   workflow_dispatch:
@@ -11,29 +11,31 @@ jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
-    
       - name: Dispatch Matrix Testing Job
-        if: ${{ contains(fromJSON('["jsinglet", "mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "kraiouchkine"]'), github.actor) }}
+        if: steps.check-write-permission.outputs.has-permission
         uses: peter-evans/repository-dispatch@v2
         with:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
           repository: github/codeql-coding-standards-release-engineering
           event-type: matrix-test
-          client-payload: '{"pr": "${{ github.event.number  }}"}'
-
+          client-payload: '{"pr": "${{ github.event.number }}"}'
 
       - uses: actions/github-script@v6
-        if: ${{ contains(fromJSON('["jsinglet", "mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "kraiouchkine"]'), github.actor) }}
+        if: steps.check-write-permission.outputs.has-permission
         with:
           script: |
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
               body: '🤖 Beep Boop! Matrix Testing for this PR has been initiated. Please check back later for results. <br><br> :bulb: If you do not hear back from me please check my status! **I will report even if this PR does not contain files eligible for matrix testing.**'
-            })
+            })

.github/workflows/dispatch-matrix-test-on-comment.yml

@@ -3,33 +3,22 @@ name: 🤖 Run Matrix Check (On Comment)
 on:
   issue_comment:
     types: [created]
-    branches:
-      - main
-      - "rc/**"
-      - next
-
 
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
-
-          $actor = "${{github.actor}}"
-
-          $acl = @("jsinglet","mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "kraiouchkine") 
-
-          if(-not ($actor -in $acl)){
-            throw "Refusing to run workflow for user not in acl."
-          }
-
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
       - name: Dispatch Matrix Testing Job
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
         uses: peter-evans/repository-dispatch@v2
         with:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -38,7 +27,7 @@ jobs:
           client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
       - uses: actions/github-script@v6
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
             github.rest.issues.createComment({

.github/workflows/dispatch-release-performance-check.yml

@@ -3,46 +3,36 @@ name: 🏁 Run Release Performance Check
 on:
   issue_comment:
     types: [created]
-    branches:
-      - main
-      - "rc/**"
-      - next
 
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
-
-          $actor = "${{github.actor}}"
-
-          $acl = @("jsinglet","mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "kraiouchkine") 
-
-          if(-not ($actor -in $acl)){
-            throw "Refusing to run workflow for user not in acl."
-          }
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
       - name: Dispatch Performance Testing Job
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
         uses: peter-evans/repository-dispatch@v2
         with:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
           repository: github/codeql-coding-standards-release-engineering
           event-type: performance-test
-          client-payload: '{"pr": "${{ github.event.issue.number  }}"}'
-
+          client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
       - uses: actions/github-script@v6
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
               body: '🏁 Beep Boop! Performance testing for this PR has been initiated. Please check back later for results. Note that the query package generation step must complete before testing  will start so it might be a minute. <br><br> :bulb: If you do not hear back from me please check my status! **I will report even if I fail!**'
-            })
+            })

.github/workflows/generate-html-docs.yml

@@ -35,7 +35,7 @@ jobs:
           python scripts/documentation/generate_iso26262_docs.py coding-standards-html-docs
 
       - name: Upload HTML documentation
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: coding-standards-docs-${{ github.sha }}
           path: coding-standards-html-docs/

.github/workflows/standard_library_upgrade_tests.yml

@@ -143,7 +143,7 @@ jobs:
               }, test_summary_file)
 
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: test-results-${{runner.os}}-${{matrix.codeql_cli}}-${{matrix.codeql_standard_library_ident}}
           path: |

c/cert/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cert-c-coding-standards
-version: 2.33.0-dev
+version: 2.35.0-dev
 description: CERT C 2016
 suites: codeql-suites
 license: MIT

c/cert/src/rules/ARR39-C/DoNotAddOrSubtractAScaledIntegerToAPointer.ql

@@ -13,7 +13,7 @@
 
 import cpp
 import codingstandards.c.cert
-import codingstandards.c.Pointers
+import codingstandards.cpp.Pointers
 import codingstandards.cpp.dataflow.TaintTracking
 import ScaledIntegerPointerArithmeticFlow::PathGraph