.git-blame-ignore-revs

@@ -0,0 +1,5 @@
+# Run this command to always ignore formatting commits in `git blame`
+# git config blame.ignoreRevsFile .git-blame-ignore-revs
+
+# Formatted all code using Prettier instead of tsfmt
+ebcdf8ad0bb5bcb3efa679211709671716b892ba

.gitattributes

@@ -18,4 +18,11 @@ yarn.lock                    merge=binary
 # https://mirrors.edge.kernel.org/pub/software/scm/git/docs/gitattributes.html
 # suggests that this might interleave lines arbitrarily, but empirically
 # it keeps added chunks contiguous
-CHANGELOG.md                merge=union
+CHANGELOG.md                merge=union
+
+# Mark some JSON files containing test data as generated so they are not included
+# as part of diffs or language statistics.
+extensions/ql-vscode/src/stories/variant-analysis/data/*.json     linguist-generated
+
+# Always use LF line endings, also on Windows
+* text=auto eol=lf

.github/actions/create-pr/action.yml

@@ -0,0 +1,82 @@
+name: Create a PR if one doesn't exists
+description: >
+  Creates a commit with the current changes to the repo, and opens a PR for that commit. If
+  any PR with the same title exists, then this action is marked as succeeded.
+inputs:
+  commit-message:
+    description: >
+      The message for the commit to be created.
+    required: true
+
+  title:
+    description: >
+      The title of the PR. If empty, the title and body will be determined from the commit message.
+    default: ''
+    required: false
+
+  body:
+    description: >
+      The body (description) of the PR. The `title` input must be specified in order for this input to be used.
+    default: ''
+    required: false
+
+  head-branch:
+    description: >
+      The name of the branch to hold the new commit. If an existing open PR with the same head
+      branch exists, the new branch will be force-pushed to that PR instead of creating a new PR.
+    required: true
+
+  base-branch:
+    description: >
+      The base branch to target with the new PR.
+    required: true
+
+  token:
+    description: |
+      The GitHub token to use. It must have enough privileges to
+      make API calls to create and close pull requests.
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Update git config
+      shell: bash
+      run: |
+        git config --global user.email "github-actions@github.com"
+        git config --global user.name "github-actions[bot]"
+    - name: Commit, Push and Open PR
+      shell: bash
+      env:
+        COMMIT_MESSAGE: ${{ inputs.commit-message }}
+        HEAD_BRANCH: ${{ inputs.head-branch }}
+        BASE_BRANCH: ${{ inputs.base-branch }}
+        GH_TOKEN: ${{ inputs.token }}
+        TITLE: ${{ inputs.title }}
+        BODY: ${{ inputs.body }}
+      run: |
+        set -exu
+        if ! [[ $(git diff --stat) != '' ]]; then
+          exit 0 # exit early
+        fi
+        # stage changes in the working tree
+        git add .
+        git commit -m "$COMMIT_MESSAGE"
+        git checkout -b "$HEAD_BRANCH"
+        # CAUTION: gits history changes with the following
+        git push --force origin "$HEAD_BRANCH"
+        PR_JSON=$(gh pr list --state open --json number --head "$HEAD_BRANCH")
+        if [[ $? -ne 0 ]]; then
+          echo "Failed to fetch existing PRs."
+          exit 1
+        fi
+        PR_NUMBERS=$(echo $PR_JSON | jq '. | length')
+        if [[ $PR_NUMBERS -ne 0 ]]; then 
+          echo "Found existing open PR: $PR_NUMBERS"
+          exit 0
+        fi
+        gh pr create --head "$HEAD_BRANCH" --base "$BASE_BRANCH" --title "$TITLE" --body "$BODY" --assignee ${{ github.actor }} --draft
+        if [[ $? -ne 0 ]]; then
+          echo "Failed to create new PR."
+          exit 1
+        fi

.github/codeql/codeql-config.yml

@@ -2,10 +2,14 @@ name: "CodeQL config"
 queries:
   - name: Run standard queries
     uses: security-and-quality
+  - name: Experimental queries
+    uses: security-experimental
   - name: Run custom javascript queries
     uses: ./.github/codeql/queries
 paths:
   - ./extensions/ql-vscode
+  - ./.github/workflows
+  - ./.github/actions
 paths-ignore:
   - '**/node_modules'
   - '**/build'

.github/codeql/queries/ProgressBar.qll

@@ -0,0 +1,16 @@
+import javascript
+
+class WithProgressCall extends CallExpr {
+  WithProgressCall() { this.getCalleeName() = "withProgress" }
+
+  predicate usesToken() { exists(this.getTokenParameter()) }
+
+  Parameter getTokenParameter() { result = this.getArgument(0).(Function).getParameter(1) }
+
+  Property getCancellableProperty() { result = this.getArgument(1).(ObjectExpr).getPropertyByName("cancellable") }
+
+  predicate isCancellable() {
+    this.getCancellableProperty().getInit().(BooleanLiteral).getBoolValue() =
+      true
+  }
+}

.github/codeql/queries/assert-no-vscode-dependency.ql

@@ -0,0 +1,37 @@
+/**
+ * @name Unwanted dependency on vscode API
+ * @kind path-problem
+ * @problem.severity error
+ * @id vscode-codeql/assert-no-vscode-dependency
+ * @description The modules stored under `common` should not have dependencies on the VS Code API
+ */
+
+import javascript
+
+class VSCodeImport extends ImportDeclaration {
+  VSCodeImport() { this.getImportedPath().getValue() = "vscode" }
+}
+
+class CommonFile extends File {
+  CommonFile() {
+    this.getRelativePath().regexpMatch(".*/src/common/.*") and
+    not this.getRelativePath().regexpMatch(".*/vscode/.*")
+  }
+}
+
+Import getANonTypeOnlyImport(Module m) {
+  result = m.getAnImport() and not result.(ImportDeclaration).isTypeOnly()
+}
+
+query predicate edges(AstNode a, AstNode b) {
+  getANonTypeOnlyImport(a) = b or
+  a.(Import).getImportedModule() = b
+}
+
+from Module m, VSCodeImport v
+where
+  m.getFile() instanceof CommonFile and
+  edges+(m, v)
+select m, m, v,
+  "This module is in the 'common' directory but has a transitive dependency on the vscode API imported $@",
+  v, "here"

.github/codeql/queries/progress-not-cancellable.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Using token for non-cancellable progress bar
+ * @kind problem
+ * @problem.severity warning
+ * @id vscode-codeql/progress-not-cancellable
+ * @description If we call `withProgress` without `cancellable: true` then the
+ * token that is given to us should be ignored because it won't ever be cancelled.
+ * This makes the code more confusing as it tries to account for cases that can't
+ * happen. The fix is to either not use the token or make the progress bar cancellable.
+ */
+
+import javascript
+import ProgressBar
+
+from WithProgressCall t
+where not t.isCancellable() and t.usesToken()
+select t,
+  "The $@ should not be used when the progress bar is not cancellable. Either stop using the $@ or mark the progress bar as cancellable.",
+  t.getTokenParameter(), t.getTokenParameter().getName(), t.getTokenParameter(),
+  t.getTokenParameter().getName()

.github/codeql/queries/qlpack.yml

@@ -1,3 +1,4 @@
 name: vscode-codeql-custom-queries-javascript
 version: 0.0.0
-libraryPathDependencies: codeql-javascript
+dependencies:
+  codeql/javascript-queries: "*"

.github/codeql/queries/token-not-used.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Don't ignore the token for a cancellable progress bar
+ * @kind problem
+ * @problem.severity warning
+ * @id vscode-codeql/token-not-used
+ * @description If we call `withProgress` with `cancellable: true` but then
+ * ignore the token that is given to us, it will lead to a poor user experience
+ * because the progress bar will appear to be canceled but it will not actually
+ * affect the background process. Either check the token and respect when it
+ * has been cancelled, or mark the progress bar as not cancellable.
+ */
+
+import javascript
+import ProgressBar
+
+from WithProgressCall t
+where t.isCancellable() and not t.usesToken()
+select t, "This progress bar is $@ but the token is not used. Either use the token or mark the progress bar as not cancellable.", t.getCancellableProperty(), "cancellable"