Restrict when tools: toolcache can be used

Author: mbg

lib/analyze-action.js

@@ -259,6 +259,8 @@ test("getCodeQLSource correctly returns latest version from toolcache when tools
   const loggedMessages: LoggedMessage[] = [];
   const logger = getRecordingLogger(loggedMessages);
 
+  process.env["GITHUB_EVENT_NAME"] = "dynamic";
+
   const latestToolcacheVersion = "3.2.1";
   const latestVersionPath = "/path/to/latest";
   const testVersions = ["2.3.1", latestToolcacheVersion, "1.2.3"];
@@ -318,6 +320,8 @@ test("getCodeQLSource falls back to downloading the CLI if the toolcache doesn't
   const loggedMessages: LoggedMessage[] = [];
   const logger = getRecordingLogger(loggedMessages);
 
+  process.env["GITHUB_EVENT_NAME"] = "dynamic";
+
   const testVersions = [];
   const findAllVersionsStub = sinon
     .stub(toolcache, "findAllVersions")

lib/init-action-post.js

@@ -7,7 +7,7 @@ import { default as deepEqual } from "fast-deep-equal";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";
 
-import { isRunningLocalAction } from "./actions-util";
+import { isDynamicWorkflow, isRunningLocalAction } from "./actions-util";
 import * as api from "./api-client";
 import * as defaults from "./defaults.json";
 import {
@@ -351,20 +351,37 @@ export async function getCodeQLSource(
     toolsInput !== undefined &&
     toolsInput === CODEQL_TOOLCACHE_INPUT
   ) {
-    // If `toolsInput === "toolcache"`, try to find the latest version of the CLI that's available in the toolcache
-    // and use that. We perform this check here since we can set `cliVersion` directly and don't want to default to
-    // the linked version.
-    logger.info(
-      `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`,
-    );
-
-    const latestToolcacheVersion = getLatestToolcacheVersion(logger);
-    if (latestToolcacheVersion) {
-      cliVersion = latestToolcacheVersion;
-    } else {
+    let latestToolcacheVersion: string | undefined;
+
+    // We only allow `toolsInput === "toolcache"` for `dynamic` events. In general, using `toolsInput === "toolcache"`
+    // can lead to alert wobble and so it shouldn't be used for an analysis where results are intended to be uploaded.
+    // We also allow this in test mode.
+    const allowToolcacheValue = isDynamicWorkflow() || util.isInTestMode();
+    if (allowToolcacheValue) {
+      // If `toolsInput === "toolcache"`, try to find the latest version of the CLI that's available in the toolcache
+      // and use that. We perform this check here since we can set `cliVersion` directly and don't want to default to
+      // the linked version.
       logger.info(
-        `Found no CodeQL CLI in the toolcache, ignoring 'tools: ${toolsInput}'...`,
+        `Attempting to use the latest CodeQL CLI version in the toolcache, as requested by 'tools: ${toolsInput}'.`,
       );
+
+      latestToolcacheVersion = getLatestToolcacheVersion(logger);
+      if (latestToolcacheVersion) {
+        cliVersion = latestToolcacheVersion;
+      }
+    }
+
+    if (latestToolcacheVersion === undefined) {
+      if (allowToolcacheValue) {
+        logger.info(
+          `Found no CodeQL CLI in the toolcache, ignoring 'tools: ${toolsInput}'...`,
+        );
+      } else {
+        logger.warning(
+          `Ignoring 'tools: ${toolsInput}' because the workflow was not triggered dynamically.`,
+        );
+      }
+
       cliVersion = defaultCliVersion.cliVersion;
       tagName = defaultCliVersion.tagName;
     }