Cache CLI version information across Actions steps

[henrymercer]

Persist CLI version information across Actions steps to avoid calling codeql version in each step. This saves 3 to 6 calls (and associated JVM startups) in a typical analysis job.

We use the path to the CodeQL CLI as a cache key. This is robust to setting up a different CLI with init or setup-codeql in the same job, but if a user hotswaps the CLI with a different mechanism and keeps the path the same, we are going to have the wrong version information. That seems like a rare enough case to be acceptable, but if we care about this, we could introduce more data into the cache key (at the cost of some performance).

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

• Advanced setup - Impacts users who have custom CodeQL workflows.
• Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

• Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
• Code Quality - The changes impact analyses when analysis-kinds: code-quality.
• Other first-party - The changes impact other first-party analyses.
• Third-party analyses - The changes affect the upload-sarif action.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
• GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
• End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This PR persists CodeQL CLI version information across GitHub Actions steps (via an exported env var) so later steps can reuse it instead of repeatedly invoking codeql version, reducing JVM startups and CLI calls.

Changes:

• Persist { cmd, version } into CODEQL_ACTION_CLI_VERSION_INFO when first computing the CLI version.
• Teach getVersion() to reuse the persisted version info keyed by CLI path.
• Avoid re-running the CLI for printVersion() by logging the cached getVersion() result.

Show a summary per file

File	Description
src/util.ts	Adds persistence of version info via env var and enables cross-step reuse.
src/util.test.ts	Adds unit tests for reusing/ignoring persisted version info.
src/environment.ts	Introduces EnvVar.CODEQL_VERSION_INFO for cross-step persistence.
src/codeql.ts	Switches version lookup/printing to reuse cached/persisted version info.
lib/entry-points.js	Generated build output updated to reflect the TypeScript changes.

Copilot's findings

• Files reviewed: 4/5 changed files
• Comments generated: 3

[mario-campos]

Some minor nits, but overall LGTM!

[mario-campos]

Nit: I think this would be a bit more readable as a type predicate:

Suggested change

	typeof persisted?.version?.version !== "string" ||
	isPersistedVersionInfo(persisted) ||

Where isPersistedVersionInfo is defined as:

function isPersistedVersionInfo(x: unknown): x is PersistedVersionInfo {
  return typeof (x as any)?.version?.version === "string" &&
         typeof (x as any)?.cmd === "string";
}

[mario-campos]

There's a hypothetical "risk" here that a subsequent step/process may be inefficiently and repeatedly parsing the CODEQL_VERSION_INFO environment variable if the process calls getVersion() more than once.

The reason being that when getCachedCodeQlVersion() parses CODEQL_VERSION_INFO it does not store that result in the local variable cachedCodeQlVersion. That variable is only assigned when result === undefined—i.e.cachedCodeQlVersion is undefined and CODEQL_VERSION_INFO is unset/invalid—which is the first time that getVersion() is ever called.

Of course, this is all hypothetical because I don't think getVersion() is called more than once in the same step/process. And, it's probably a small penalty because it probably wouldn't take much time to parse the output of codeql version. But, the possibility would exist.

One option could be to always call cacheCodeQlVersion(...) just before returning from getVersion():

if (result === undefined) {
   ...
}
util.cacheCodeQlVersion(cmd, result);
return result;