Skip to content

Determine CodeQL version from feature flags on GHEC-DR #3351

Merged
henrymercer merged 4 commits intomainfrom
henrymercer/ghec-dr-determine-tools-version-from-ffs
Dec 16, 2025
Merged

Determine CodeQL version from feature flags on GHEC-DR #3351
henrymercer merged 4 commits intomainfrom
henrymercer/ghec-dr-determine-tools-version-from-ffs

Conversation

@henrymercer
Copy link
Contributor

@henrymercer henrymercer commented Dec 10, 2025

This lets us roll back a bad version of CodeQL more quickly in GitHub Enterprise Cloud with data residency.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

  • Advanced setup - Impacts users who have custom CodeQL workflows.
  • Managed - Impacts users with dynamic workflows (Default Setup, CCR, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.

Environments:

  • GHEC-DR

How did/will you validate this change?

  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@henrymercer henrymercer requested a review from a team as a code owner December 10, 2025 17:42
Copilot AI review requested due to automatic review settings December 10, 2025 17:42
@github-actions github-actions bot added the size/M Should be of average difficulty to review label Dec 10, 2025
Copilot AI reviewed Dec 10, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR renames the GitHub variant GHE_DOTCOM to GHEC_DR (GitHub Enterprise Cloud with Data Residency) and enables feature flag support for determining the CodeQL version on GHEC-DR environments. This allows faster rollback of bad CodeQL versions in GHEC-DR by using feature flags, similar to how it works for GitHub.com.

Key Changes

  • Renamed GHE_DOTCOM enum variant to GHEC_DR with string values for better clarity
  • Enabled feature flag support for GHEC-DR to determine CodeQL CLI versions
  • Updated CodeQL source selection logic to be more precise (checking for GHES specifically instead of "not DOTCOM")

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated no comments.

Show a summary per file
File Description
src/util.ts Renamed enum variant from GHE_DOTCOM to GHEC_DR and changed enum values from numeric to string literals
src/util.test.ts Updated test cases to use renamed GHEC_DR variant
src/setup-codeql.ts Fixed logic to check for GHES specifically instead of "not DOTCOM", enabling GHEC-DR to use default tooling
src/feature-flags.ts Added supportsFeatureFlags helper function that includes both DOTCOM and GHEC-DR, enabling feature flags for GHEC-DR
src/feature-flags.test.ts Renamed test from "Proxima" to "GHEC-DR" and parameterized tests to cover both DOTCOM and GHEC-DR variants
src/database-upload.ts Updated variant check to use renamed GHEC_DR constant
src/api-client.ts Updated return value to use GHEC_DR when detecting "ghe.com" header
src/api-client.test.ts Updated test to use GHEC_DR variant name
.github/pull_request_template.md Updated documentation to clarify that "Dotcom" environment includes GHEC-DR
lib/**/*.js Auto-generated JavaScript files reflecting TypeScript changes (not reviewed per guidelines)

mbg
mbg previously approved these changes Dec 16, 2025
View reviewed changes
Copy link
Member

@mbg mbg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good and make sense to me! I added a couple of very minor style suggestions, but feel free to ignore those.

src/util.ts Outdated
GHE_DOTCOM,
DOTCOM = "GitHub.com",
GHES = "GHES",
GHEC_DR = "GHEC-DR",
Copy link
Member

@mbg mbg Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: Should the string value be spelled out as e.g. GHEC (with Data Residency) or similar?

Copy link
Contributor Author

@henrymercer henrymercer Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 I've expanded this.

src/util.test.ts
Comment on lines 433 to 440
switch (version.type) {
case util.GitHubVariant.DOTCOM:
return "dotcom";
case util.GitHubVariant.GHE_DOTCOM:
return "GHE dotcom";
case util.GitHubVariant.GHEC_DR:
return "GHEC-DR";
case util.GitHubVariant.GHES:
return `GHES ${version.version}`;
default:
Copy link
Member

@mbg mbg Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: How about something like this now that GitHubVariant has string values associated with the elements?

Suggested change
switch (version.type) {
case util.GitHubVariant.DOTCOM:
return "dotcom";
case util.GitHubVariant.GHE_DOTCOM:
return "GHE dotcom";
case util.GitHubVariant.GHEC_DR:
return "GHEC-DR";
case util.GitHubVariant.GHES:
return `GHES ${version.version}`;
default:
switch (version.type) {
case util.GitHubVariant.DOTCOM:
case util.GitHubVariant.GHEC_DR:
return `${version.type}`;
case util.GitHubVariant.GHES:
return `GHES ${version.version}`;
default:

Copy link
Contributor Author

@henrymercer henrymercer Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that we're using the full names above, I think it's preferable to keep the abbreviated names here to keep test titles concise.

@henrymercer henrymercer requested a review from mbg December 16, 2025 13:24
@henrymercer henrymercer merged commit c07cc0d into main Dec 16, 2025
241 checks passed
@henrymercer henrymercer deleted the henrymercer/ghec-dr-determine-tools-version-from-ffs branch December 16, 2025 13:42
This was referenced Dec 16, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mbg mbg mbg approved these changes

Assignees

No one assigned

Labels

size/M Should be of average difficulty to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@henrymercer @mbg