Bundle action using esbuild

Remove node_modules from repository to reduce cost to download
repository.

Because node_modules is no longer included:
* If `npm` isn't available (e.g. in a container), install it
* Run `npm install` before performing various tasks

Change pr-checks to not be particularly picky about the generated
content because it will differ between different versions as everything
is bundled together.

Author: jsoref

.github/actions/prepare-test/action.yml

@@ -19,6 +19,12 @@ outputs:
 runs:
   using: composite
   steps:
+    - name: npm install
+      shell: bash
+      run: |
+        if command -v npm >/dev/null 2>/dev/null; then
+          npm ci
+        fi
     - name: Move codeql-action
       shell: bash
       run: |

.github/actions/update-bundle/action.yml

@@ -8,6 +8,10 @@ runs:
       shell: bash
       run: npm install -g ts-node
 
+    - name: Install
+      shell: bash
+      run: npm ci
+
     - name: Run update script
       working-directory: ${{ github.action_path }}
       shell: bash

.github/workflows/pr-checks.yml

@@ -26,6 +26,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Install
+        run: npm install
+
       - name: Lint
         id: lint
         run: npm run-script lint-ci
@@ -52,6 +55,16 @@ jobs:
           # `npm install` on Linux.
           npm install
 
+          (
+            echo '*/*-action.js';
+            echo '*/*-action-post.js'
+          ) >> .gitignore
+          for action in $(
+            find * -mindepth 1 -maxdepth 1 -type f -name action.yml
+          ); do
+            git rm -f "$(dirname "$action")"/*-action*.js
+          done
+
           if [ ! -z "$(git status --porcelain)" ]; then
             git config --global user.email "[email protected]"
             git config --global user.name "github-actions[bot]"
@@ -112,6 +125,12 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+      - name: npm install
+        run: |
+          npm ci
+      - name: Build
+        run: |
+          npm run build
       - name: npm test
         run: |
           # Run any commands referenced in package.json using Bash, otherwise

.gitignore

@@ -1,5 +1,7 @@
-# Ignore for example failing-tests.json from AVA
-node_modules/.cache/
+# actions are bundled to make this repository lightweight for consumers
+node_modules/
+# lib is generated by tsc
+lib
 # Java build files
 .gradle/
 *.class
@@ -8,4 +10,4 @@ node_modules/.cache/
 # eslint sarif report
 eslint.sarif
 # for local incremental compilation
-tsconfig.tsbuildinfo
+tsconfig.tsbuildinfo

CHANGELOG.md

@@ -7,6 +7,7 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the
 ## [UNRELEASED]
 
 - The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. [#2573](https://github.com/github/codeql-action/pull/2573)
+- The CodeQL Action no longer includes node_modules. This should drammatically decrease the download size/increase download speed for `uses: github/codeql-action@...`.
 
 ## 3.27.0 - 22 Oct 2024
 

analyze/action.yml

@@ -92,5 +92,5 @@ outputs:
     description: The ID of the uploaded SARIF file.
 runs:
   using: node20
-  main: "../lib/analyze-action.js"
-  post: "../lib/analyze-action-post.js"
+  main: "analyze-action.js"
+  post: "analyze-action-post.js"

analyze/analyze-action-post.js

@@ -16,4 +16,4 @@ inputs:
     required: false
 runs:
   using: node20
-  main: '../lib/autobuild-action.js'
+  main: 'autobuild-action.js'

analyze/analyze-action.js

@@ -31,6 +31,8 @@ export default [
       "tests/**/*",
       "eslint.config.mjs",
       ".github/**/*",
+      "*/*-action.js",
+      "*/*-action-post.js",
     ],
   },
   ...fixupConfigRules(

autobuild/action.yml

@@ -147,5 +147,5 @@ outputs:
     description: The version of the CodeQL binary used for analysis
 runs:
   using: node20
-  main: '../lib/init-action.js'
-  post: '../lib/init-action-post.js'
+  main: 'init-action.js'
+  post: 'init-action-post.js'