Merge pull request #41801 from github/repo-sync

Repo sync

Author: docs-bot

.github/workflows/generate-code-scanning-query-lists.yml

@@ -19,15 +19,16 @@ on:
   pull_request:
     paths:
       - .github/workflows/generate-code-scanning-query-lists.yml
-      - src/code-scanning/scripts/generate-code-scanning-query-list.ts
+      - src/codeql-queries/scripts/generate-code-scanning-query-list.ts
+      - src/codeql-queries/scripts/generate-code-quality-query-list.ts
       - .github/actions/install-cocofix/action.yml
 
 permissions:
   contents: write
   pull-requests: write
 
 jobs:
-  generate-query-lists:
+  generate-security-query-lists:
     if: github.repository == 'github/docs-internal'
     runs-on: ubuntu-latest
     steps:
@@ -45,6 +46,7 @@ jobs:
 
       - name: Get the codeql SHA being synced
         id: codeql
+        shell: bash
         run: |
           cd codeql
           OPENAPI_COMMIT_SHA=$(git rev-parse HEAD)
@@ -56,12 +58,14 @@ jobs:
         uses: ./codeql/.github/actions/fetch-codeql
 
       - name: Test CodeQL CLI Download
+        shell: bash
         run: codeql --version
 
       # "Server for running multiple commands while avoiding repeated JVM initialization."
       # Having started this should speed up the execution of the various
       # CLI calls of the executable.
       - name: Start CodeQL CLI server in the background
+        shell: bash
         run: |
           codeql execute cli-server &
           sleep 3
@@ -71,21 +75,8 @@ jobs:
         with:
           token: ${{ secrets.DOCS_BOT_PAT_BASE }}
 
-      - name: Lint the code (eslint)
-        if: ${{ github.event_name == 'pull_request' }}
-        env:
-          PATH: '$PATH:${{ github.workspace }}/node_modules/.bin'
-        run: |
-          eslint --no-ignore src/code-scanning/scripts/generate-code-scanning-query-list.ts
-
-      - name: Lint the code (tsc)
-        if: ${{ github.event_name == 'pull_request' }}
-        env:
-          PATH: '$PATH:${{ github.workspace }}/node_modules/.bin'
-        run: |
-          tsc --noEmit --project src/code-scanning/scripts/tsconfig.json
-
-      - name: Build code scanning query list
+      - name: Build code scanning security query lists
+        shell: bash
         run: |
           for lang in "actions" "cpp" "csharp" "go" "java" "javascript" "python" "ruby" "rust" "swift"; do
             echo "Generating code scanning query list for $lang"
@@ -97,14 +88,120 @@ jobs:
               $lang
           done
 
+      - name: Upload security query lists
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: security-query-lists
+          path: data/reusables/code-scanning/codeql-query-tables/
+
+  generate-quality-query-lists:
+    if: github.repository == 'github/docs-internal'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - uses: ./.github/actions/node-npm-setup
+
+      - name: Checkout codeql repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: github/codeql
+          path: codeql
+          ref: ${{ inputs.SOURCE_BRANCH || 'main' }}
+
+      - name: Get the codeql SHA being synced
+        id: codeql
+        shell: bash
+        run: |
+          cd codeql
+          OPENAPI_COMMIT_SHA=$(git rev-parse HEAD)
+          echo "OPENAPI_COMMIT_SHA=$OPENAPI_COMMIT_SHA" >> $GITHUB_OUTPUT
+          echo "Copied files from github/codeql repo. Commit SHA: $OPENAPI_COMMIT_SHA"
+
+      - name: Download CodeQL CLI
+        # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
+        uses: ./codeql/.github/actions/fetch-codeql
+
+      - name: Test CodeQL CLI Download
+        shell: bash
+        run: codeql --version
+
+      # "Server for running multiple commands while avoiding repeated JVM initialization."
+      # Having started this should speed up the execution of the various
+      # CLI calls of the executable.
+      - name: Start CodeQL CLI server in the background
+        shell: bash
+        run: |
+          codeql execute cli-server &
+          sleep 3
+          codeql --version
+
+      - name: Build code quality query lists
+        shell: bash
+        run: |
+          for lang in "csharp" "go" "java" "javascript" "python" "ruby"; do
+            echo "Generating code quality query list for $lang"
+            npm run generate-code-quality-query-list -- \
+              --verbose \
+              --codeql-path codeql \
+              --codeql-dir codeql \
+              -o data/reusables/code-quality/codeql-query-tables/$lang.md \
+              $lang
+          done
+
+      - name: Upload quality query lists
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: quality-query-lists
+          path: data/reusables/code-quality/codeql-query-tables/
+
+  create-pull-request:
+    if: github.repository == 'github/docs-internal'
+    runs-on: ubuntu-latest
+    needs: [generate-security-query-lists, generate-quality-query-lists]
+    steps:
+      - name: Checkout repository code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Checkout codeql repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: github/codeql
+          path: codeql
+          ref: ${{ inputs.SOURCE_BRANCH || 'main' }}
+
+      - name: Get the codeql SHA being synced
+        id: codeql
+        shell: bash
+        run: |
+          cd codeql
+          OPENAPI_COMMIT_SHA=$(git rev-parse HEAD)
+          echo "OPENAPI_COMMIT_SHA=$OPENAPI_COMMIT_SHA" >> $GITHUB_OUTPUT
+          echo "Copied files from github/codeql repo. Commit SHA: $OPENAPI_COMMIT_SHA"
+
+      - name: Download security query lists
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: security-query-lists
+          path: data/reusables/code-scanning/codeql-query-tables/
+
+      - name: Download quality query lists
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: quality-query-lists
+          path: data/reusables/code-quality/codeql-query-tables/
+
       - name: Insight into diff
+        shell: bash
         run: |
           git diff
 
       - name: Create pull request
         env:
           GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
           DRY_RUN: ${{ github.event_name == 'pull_request'}}
+        shell: bash
         run: |
 
           # When we started, we downloaded the CodeQL CLI here in this workflow.
@@ -145,6 +242,7 @@ jobs:
           fi
 
           git add data/reusables/code-scanning/codeql-query-tables
+          git add data/reusables/code-quality/codeql-query-tables
           git commit -m "Update CodeQL query tables"
           git push -u origin $branchname
 
@@ -157,6 +255,6 @@ jobs:
 
 
             No action is required from the first responder for the Docs content team. This PR is automatically added to the Docs content review board. Any writer can review this by checking that the PR looks sensible. If CI does not pass or other problems arise, contact #docs-engineering on slack.
-            
-            
+
+
             When the DRI for the CodeQL CLI release is ready to publish, they will ask us to merge this PR in #docs-content.'

content/code-security/code-quality/reference/codeql-detection.md

@@ -1,6 +1,7 @@
 ---
-title: CodeQL detection of code quality problems
-shortTitle: CodeQL detection
+title: CodeQL-powered analysis for Code Quality
+shortTitle: CodeQL analysis
+allowTitleToDifferFromFilename: true
 intro: 'Information on how CodeQL-powered analysis for {% data variables.product.prodname_code_quality_short %} works, the workflow used, and the status checks reported on pull requests.'
 versions:
   feature: code-quality
@@ -11,11 +12,30 @@ contentType: reference
 
 {% data reusables.code-quality.code-quality-preview-note %}
 
-## {% data variables.product.prodname_codeql %} detection
+## {% data variables.product.prodname_codeql %}-powered analysis
 
-{% data variables.product.prodname_code_quality_short %} performs rule-based analysis of pull requests and your default branch using {% data variables.product.prodname_codeql %}. Each rule is written as a query in {% data variables.product.prodname_codeql %} and then run using {% data variables.product.prodname_actions %}.
+{% data variables.product.prodname_code_quality_short %} uses {% data variables.product.prodname_codeql %} to perform rule-based analysis of pull requests and your default branch.
 
-The rules are continually refined by both {% data variables.product.github %} and open source developers. See [https://github.com/github/codeql](https://github.com/github/codeql).
+* Findings for your **default branch** appear under the "{% data variables.code-quality.all_findings %}" dashboard under your repository's Security tab.
+
+* Findings **on pull requests** appear as comments made by `{% data variables.code-quality.pr_commenter %}`.
+
+{% data variables.copilot.copilot_autofix_short %} suggestions are provided for findings where possible.
+
+### Query lists for supported languages
+
+Each {% data variables.product.prodname_code_quality_short %} rule is written as a query in {% data variables.product.prodname_codeql %} and then run using {% data variables.product.prodname_actions %}.
+
+The rules are continually refined by both {% data variables.product.github %} and open source developers.
+
+* [AUTOTITLE](/code-security/code-quality/reference/codeql-queries/csharp-queries)
+* [AUTOTITLE](/code-security/code-quality/reference/codeql-queries/go-queries)
+* [AUTOTITLE](/code-security/code-quality/reference/codeql-queries/java-queries)
+* [AUTOTITLE](/code-security/code-quality/reference/codeql-queries/javascript-queries)
+* [AUTOTITLE](/code-security/code-quality/reference/codeql-queries/python-queries)
+* [AUTOTITLE](/code-security/code-quality/reference/codeql-queries/ruby-queries)
+
+For more information about the {% data variables.product.prodname_codeql %} project, see [https://codeql.github.com/](https://codeql.github.com/).
 
 ## Workflow used for code quality analysis
 

content/code-security/code-quality/reference/codeql-queries/csharp-queries.md

@@ -0,0 +1,20 @@
+---
+title: C# CodeQL queries for Code Quality
+shortTitle: C# queries
+allowTitleToDifferFromFilename: true
+intro: 'Explore the queries that {% data variables.product.prodname_codeql %} uses to analyze code quality for code written in C#.'
+versions:
+  feature: code-quality
+topics:
+  - Code Quality
+contentType: reference
+---
+
+{% data variables.product.prodname_code_quality_short %} uses the following {% data variables.product.prodname_codeql %} queries to analyze C# code and detect code quality issues on:
+
+* Your **default branch**, with results shown on the repository's "{% data variables.code-quality.all_findings %}" dashboard
+* **Pull requests**, with findings shown as comments made by `{% data variables.code-quality.pr_commenter %}`
+
+{% data variables.copilot.copilot_autofix_short %} suggestions are provided for findings where possible.
+
+{% data reusables.code-quality.codeql-query-tables.csharp %}

content/code-security/code-quality/reference/codeql-queries/go-queries.md

@@ -0,0 +1,19 @@
+---
+title: Go CodeQL queries for Code Quality
+shortTitle: Go queries
+intro: 'Explore the queries that {% data variables.product.prodname_codeql %} uses to analyze code quality for code written in Go.'
+versions:
+  feature: code-quality
+topics:
+  - Code Quality
+contentType: reference
+---
+
+{% data variables.product.prodname_code_quality_short %} uses the following {% data variables.product.prodname_codeql %} queries to analyze Go code and detect code quality issues on:
+
+* Your **default branch**, with results shown on the repository's "{% data variables.code-quality.all_findings %}" dashboard
+* **Pull requests**, with findings shown as comments made by `{% data variables.code-quality.pr_commenter %}`
+
+{% data variables.copilot.copilot_autofix_short %} suggestions are provided for findings where possible.
+
+{% data reusables.code-quality.codeql-query-tables.go %}

content/code-security/code-quality/reference/codeql-queries/index.md

@@ -0,0 +1,17 @@
+---
+title: Queries for CodeQL detection
+shortTitle: CodeQL queries
+intro: 'Explore the {% data variables.product.prodname_codeql %} queries that {% data variables.product.prodname_code_quality_short %} uses to detect code quality issues in supported languages.'
+versions:
+  feature: code-quality
+topics:
+  - Code Quality
+contentType: reference
+children:
+  - csharp-queries
+  - go-queries
+  - java-queries
+  - javascript-queries
+  - python-queries
+  - ruby-queries
+---

content/code-security/code-quality/reference/codeql-queries/java-queries.md

@@ -0,0 +1,20 @@
+---
+title: Java CodeQL queries for Code Quality
+shortTitle: Java queries
+allowTitleToDifferFromFilename: true
+intro: 'Explore the queries that {% data variables.product.prodname_codeql %} uses to analyze code quality for code written in Java.'
+versions:
+  feature: code-quality
+topics:
+  - Code Quality
+contentType: reference
+---
+
+{% data variables.product.prodname_code_quality_short %} uses the following {% data variables.product.prodname_codeql %} queries to analyze Java code and detect code quality issues on:
+
+* Your **default branch**, with results shown on the repository's "{% data variables.code-quality.all_findings %}" dashboard
+* **Pull requests**, with findings shown as comments made by `{% data variables.code-quality.pr_commenter %}`
+
+{% data variables.copilot.copilot_autofix_short %} suggestions are provided for findings where possible.
+
+{% data reusables.code-quality.codeql-query-tables.java %}

content/code-security/code-quality/reference/codeql-queries/javascript-queries.md

@@ -0,0 +1,20 @@
+---
+title: JavaScript CodeQL queries for Code Quality
+shortTitle: JavaScript queries
+allowTitleToDifferFromFilename: true
+intro: 'Explore the queries that {% data variables.product.prodname_codeql %} uses to analyze code quality for code written in JavaScript.'
+versions:
+  feature: code-quality
+topics:
+  - Code Quality
+contentType: reference
+---
+
+{% data variables.product.prodname_code_quality_short %} uses the following {% data variables.product.prodname_codeql %} queries to analyze JavaScript code and detect code quality issues on:
+
+* Your **default branch**, with results shown on the repository's "{% data variables.code-quality.all_findings %}" dashboard
+* **Pull requests**, with findings shown as comments made by `{% data variables.code-quality.pr_commenter %}`
+
+{% data variables.copilot.copilot_autofix_short %} suggestions are provided for findings where possible.
+
+{% data reusables.code-quality.codeql-query-tables.javascript %}

content/code-security/code-quality/reference/codeql-queries/python-queries.md

@@ -0,0 +1,20 @@
+---
+title: Python CodeQL queries for Code Quality
+shortTitle: Python queries
+allowTitleToDifferFromFilename: true
+intro: 'Explore the queries that {% data variables.product.prodname_codeql %} uses to analyze code quality for code written in Python.'
+versions:
+  feature: code-quality
+topics:
+  - Code Quality
+contentType: reference
+---
+
+{% data variables.product.prodname_code_quality_short %} uses the following {% data variables.product.prodname_codeql %} queries to analyze Python code and detect code quality issues on:
+
+* Your **default branch**, with results shown on the repository's "{% data variables.code-quality.all_findings %}" dashboard
+* **Pull requests**, with findings shown as comments made by `{% data variables.code-quality.pr_commenter %}`
+
+{% data variables.copilot.copilot_autofix_short %} suggestions are provided for findings where possible.
+
+{% data reusables.code-quality.codeql-query-tables.python %}

content/code-security/code-quality/reference/codeql-queries/ruby-queries.md

@@ -0,0 +1,20 @@
+---
+title: Ruby CodeQL queries for Code Quality
+shortTitle: Ruby queries
+allowTitleToDifferFromFilename: true
+intro: 'Explore the queries that {% data variables.product.prodname_codeql %} uses to analyze code quality for code written in Ruby.'
+versions:
+  feature: code-quality
+topics:
+  - Code Quality
+contentType: reference
+---
+
+{% data variables.product.prodname_code_quality_short %} uses the following {% data variables.product.prodname_codeql %} queries to analyze Ruby code and detect code quality issues on:
+
+* Your **default branch**, with results shown on the repository's "{% data variables.code-quality.all_findings %}" dashboard
+* **Pull requests**, with findings shown as comments made by `{% data variables.code-quality.pr_commenter %}`
+
+{% data variables.copilot.copilot_autofix_short %} suggestions are provided for findings where possible.
+
+{% data reusables.code-quality.codeql-query-tables.ruby %}

content/code-security/code-quality/reference/index.md

@@ -10,4 +10,5 @@ contentType: reference
 children:
   - metrics-and-ratings
   - codeql-detection
+  - codeql-queries
 ---