github · mbg · Jun 16, 2026 · Jun 16, 2026 · Jun 23, 2026 · Jun 23, 2026
@@ -0,0 +1,14 @@
+import { Env } from "./environment";
+import { FeatureEnablement } from "./feature-flags";
+import { Logger } from "./logging";
+
+export interface ActionState {
+  /** The logger that is in use. */
+  logger: Logger;
+
+  /** Information about environment variables. */
+  env: Env;
+
+  /** Information about enabled feature flags. */
+  features: FeatureEnablement;
+}
@@ -21,6 +21,28 @@ import {
  */
 declare const __CODEQL_ACTION_VERSION__: string;
 
+/**
+ * Enumerates known GitHub Actions environment variables that we expect
+ * to be set in a GitHub Actions environment.
+ */
+export enum ActionsEnvVars {
+  GITHUB_ACTION_REPOSITORY = "GITHUB_ACTION_REPOSITORY",
+  GITHUB_API_URL = "GITHUB_API_URL",
+  GITHUB_EVENT_NAME = "GITHUB_EVENT_NAME",
+  GITHUB_EVENT_PATH = "GITHUB_EVENT_PATH",
+  GITHUB_JOB = "GITHUB_JOB",
+  GITHUB_REF = "GITHUB_REF",
+  GITHUB_REPOSITORY = "GITHUB_REPOSITORY",
+  GITHUB_RUN_ATTEMPT = "GITHUB_RUN_ATTEMPT",
+  GITHUB_RUN_ID = "GITHUB_RUN_ID",
+  GITHUB_SERVER_URL = "GITHUB_SERVER_URL",
+  GITHUB_SHA = "GITHUB_SHA",
+  GITHUB_WORKFLOW = "GITHUB_WORKFLOW",
+  RUNNER_NAME = "RUNNER_NAME",
+  RUNNER_OS = "RUNNER_OS",
+  RUNNER_TEMP = "RUNNER_TEMP",
+}
+
 /**
  * Abstracts over GitHub Actions functions so that we do not have to stub
  * global functions in tests.
@@ -65,7 +87,7 @@ export function getTemporaryDirectory(): string {
   const value = process.env["CODEQL_ACTION_TEMP"];
   return value !== undefined && value !== ""
     ? value
-    : getRequiredEnvParam("RUNNER_TEMP");
+    : getRequiredEnvParam(ActionsEnvVars.RUNNER_TEMP);
 }
 
 const PR_DIFF_RANGE_JSON_FILENAME = "pr-diff-range.json";
@@ -84,7 +106,7 @@ export function getActionVersion(): string {
  * This will be "dynamic" for default setup workflow runs.
  */
 export function getWorkflowEventName() {
-  return getRequiredEnvParam("GITHUB_EVENT_NAME");
+  return getRequiredEnvParam(ActionsEnvVars.GITHUB_EVENT_NAME);
 }
 
 /**
@@ -104,14 +126,14 @@ export function isRunningLocalAction(): boolean {
  * This can be used to get the Action's name or tell if we're running a local Action.
  */
 function getRelativeScriptPath(): string {
-  const runnerTemp = getRequiredEnvParam("RUNNER_TEMP");
+  const runnerTemp = getRequiredEnvParam(ActionsEnvVars.RUNNER_TEMP);
   const actionsDirectory = path.join(path.dirname(runnerTemp), "_actions");
   return path.relative(actionsDirectory, __filename);
 }
 
 /** Returns the contents of `GITHUB_EVENT_PATH` as a JSON object. */
 export function getWorkflowEvent(): any {
-  const eventJsonFile = getRequiredEnvParam("GITHUB_EVENT_PATH");
+  const eventJsonFile = getRequiredEnvParam(ActionsEnvVars.GITHUB_EVENT_PATH);
   try {
     return JSON.parse(fs.readFileSync(eventJsonFile, "utf-8"));
   } catch (e) {
@@ -181,16 +203,16 @@ export function getUploadValue(input: string | undefined): UploadKind {
  * Get the workflow run ID.
  */
 export function getWorkflowRunID(): number {
-  const workflowRunIdString = getRequiredEnvParam("GITHUB_RUN_ID");
+  const workflowRunIdString = getRequiredEnvParam(ActionsEnvVars.GITHUB_RUN_ID);
   const workflowRunID = parseInt(workflowRunIdString, 10);
   if (Number.isNaN(workflowRunID)) {
     throw new Error(
-      `GITHUB_RUN_ID must define a non NaN workflow run ID. Current value is ${workflowRunIdString}`,
+      `${ActionsEnvVars.GITHUB_RUN_ID} must define a non NaN workflow run ID. Current value is ${workflowRunIdString}`,
     );
   }
   if (workflowRunID < 0) {
     throw new Error(
-      `GITHUB_RUN_ID must be a non-negative integer. Current value is ${workflowRunIdString}`,
+      `${ActionsEnvVars.GITHUB_RUN_ID} must be a non-negative integer. Current value is ${workflowRunIdString}`,
     );
   }
   return workflowRunID;
@@ -200,16 +222,18 @@ export function getWorkflowRunID(): number {
  * Get the workflow run attempt number.
  */
 export function getWorkflowRunAttempt(): number {
-  const workflowRunAttemptString = getRequiredEnvParam("GITHUB_RUN_ATTEMPT");
+  const workflowRunAttemptString = getRequiredEnvParam(
+    ActionsEnvVars.GITHUB_RUN_ATTEMPT,
+  );
   const workflowRunAttempt = parseInt(workflowRunAttemptString, 10);
   if (Number.isNaN(workflowRunAttempt)) {
     throw new Error(
-      `GITHUB_RUN_ATTEMPT must define a non NaN workflow run attempt. Current value is ${workflowRunAttemptString}`,
+      `${ActionsEnvVars.GITHUB_RUN_ATTEMPT} must define a non NaN workflow run attempt. Current value is ${workflowRunAttemptString}`,
     );
   }
   if (workflowRunAttempt <= 0) {
     throw new Error(
-      `GITHUB_RUN_ATTEMPT must be a positive integer. Current value is ${workflowRunAttemptString}`,
+      `${ActionsEnvVars.GITHUB_RUN_ATTEMPT} must be a positive integer. Current value is ${workflowRunAttemptString}`,
     );
   }
   return workflowRunAttempt;

@@ -2,7 +2,11 @@ import * as core from "@actions/core";
 import * as githubUtils from "@actions/github/lib/utils";
 import * as retry from "@octokit/plugin-retry";
 
-import { getActionVersion, getRequiredInput } from "./actions-util";
+import {
+  ActionsEnvVars,
+  getActionVersion,
+  getRequiredInput,
+} from "./actions-util";
 import { EnvVar } from "./environment";
 import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
@@ -70,8 +74,8 @@ function createApiClientWithDetails(
 export function getApiDetails(): GitHubApiDetails {
   return {
     auth: getRequiredInput("token"),
-    url: getRequiredEnvParam("GITHUB_SERVER_URL"),
-    apiURL: getRequiredEnvParam("GITHUB_API_URL"),
+    url: getRequiredEnvParam(ActionsEnvVars.GITHUB_SERVER_URL),
+    apiURL: getRequiredEnvParam(ActionsEnvVars.GITHUB_API_URL),
   };
 }
 

@@ -424,34 +424,6 @@ test.serial("load input outside of workspace", async (t) => {
   });
 });
 
-test.serial("load non-local input with invalid repo syntax", async (t) => {
-  return await withTmpDir(async (tempDir) => {
-    // no filename given, just a repo
-    const configFile = "octo-org/codeql-config@main";
-
-    try {
-      await configUtils.initConfig(
-        createFeatures([]),
-        createTestInitConfigInputs({
-          configFile,
-          tempDir,
-          workspacePath: tempDir,
-        }),
-      );
-      throw new Error("initConfig did not throw error");
-    } catch (err) {
-      t.deepEqual(
-        err,
-        new ConfigurationError(
-          errorMessages.getConfigFileRepoFormatInvalidMessage(
-            "octo-org/codeql-config@main",
-          ),
-        ),
-      );
-    }
-  });
-});
-
 test.serial("load non-existent input", async (t) => {
   return await withTmpDir(async (tempDir) => {
     const languagesInput = "javascript";

@@ -5,6 +5,7 @@ import { performance } from "perf_hooks";
 import * as core from "@actions/core";
 import * as yaml from "js-yaml";
 
+import { ActionState } from "./action-common";
 import {
   getActionVersion,
   getOptionalInput,
@@ -27,6 +28,7 @@ import {
   parseUserConfig,
   UserConfig,
 } from "./config/db-config";
+import { getRemoteConfig } from "./config/file";
 import {
   addNoLanguageDiagnostic,
   makeTelemetryDiagnostic,
@@ -77,6 +79,7 @@ import {
   Success,
   Failure,
   isHostedRunner,
+  getEnv,
 } from "./util";
 
 /**
@@ -599,12 +602,11 @@ async function downloadCacheWithTime(
 }
 
 async function loadUserConfig(
-  logger: Logger,
+  actionState: ActionState,
   configFile: string,
   workspacePath: string,
   apiDetails: api.GitHubApiCombinedDetails,
   tempDir: string,
-  validateConfig: boolean,
 ): Promise<UserConfig> {
   if (isLocal(configFile)) {
     if (configFile !== userConfigFromActionPath(tempDir)) {
@@ -617,14 +619,12 @@ async function loadUserConfig(
         );
       }
     }
-    return getLocalConfig(logger, configFile, validateConfig);
-  } else {
-    return await getRemoteConfig(
-      logger,
-      configFile,
-      apiDetails,
-      validateConfig,
+    const validateConfig = await actionState.features.getValue(
+      Feature.ValidateDbConfig,
     );
+    return getLocalConfig(actionState.logger, configFile, validateConfig);
+  } else {
+    return await getRemoteConfig(actionState, configFile, apiDetails);
   }
 }
 
@@ -1160,14 +1160,13 @@ export async function initConfig(
     logger.debug("No configuration file was provided");
   } else {
     logger.debug(`Using configuration file: ${inputs.configFile}`);
-    const validateConfig = await features.getValue(Feature.ValidateDbConfig);
+    const actionState: ActionState = { logger, features, env: getEnv() };
     userConfig = await loadUserConfig(
-      logger,
+      actionState,
       inputs.configFile,
       inputs.workspacePath,
       inputs.apiDetails,
       tempDir,
-      validateConfig,
     );
   }
 
@@ -1369,54 +1368,6 @@ function getLocalConfig(
   );
 }
 
-async function getRemoteConfig(
-  logger: Logger,
-  configFile: string,
-  apiDetails: api.GitHubApiCombinedDetails,
-  validateConfig: boolean,
-): Promise<UserConfig> {
-  // retrieve the various parts of the config location, and ensure they're present
-  const format = new RegExp(
-    "(?<owner>[^/]+)/(?<repo>[^/]+)/(?<path>[^@]+)@(?<ref>.*)",
-  );
-  const pieces = format.exec(configFile);
-  // 5 = 4 groups + the whole expression
-  if (pieces?.groups === undefined || pieces.length < 5) {
-    throw new ConfigurationError(
-      errorMessages.getConfigFileRepoFormatInvalidMessage(configFile),
-    );
-  }
-
-  const response = await api
-    .getApiClientWithExternalAuth(apiDetails)
-    .rest.repos.getContent({
-      owner: pieces.groups.owner,
-      repo: pieces.groups.repo,
-      path: pieces.groups.path,
-      ref: pieces.groups.ref,
-    });
-
-  let fileContents: string;
-  if ("content" in response.data && response.data.content !== undefined) {
-    fileContents = response.data.content;
-  } else if (Array.isArray(response.data)) {
-    throw new ConfigurationError(
-      errorMessages.getConfigFileDirectoryGivenMessage(configFile),
-    );
-  } else {
-    throw new ConfigurationError(
-      errorMessages.getConfigFileFormatInvalidMessage(configFile),
-    );
-  }
-
-  return parseUserConfig(
-    logger,
-    configFile,
-    Buffer.from(fileContents, "base64").toString("binary"),
-    validateConfig,
-  );
-}
-
 /**
  * Get the file path where the parsed config will be stored.
  */

@@ -1,9 +1,17 @@
+import { ActionState } from "../action-common";
 import { ActionsEnv } from "../actions-util";
+import * as api from "../api-client";
+import * as errorMessages from "../error-messages";
+import { Feature } from "../feature-flags";
 import {
   RepositoryProperties,
   RepositoryPropertyName,
 } from "../feature-flags/properties";
 import { Logger } from "../logging";
+import { ConfigurationError } from "../util";
+
+import { parseUserConfig, UserConfig } from "./db-config";
+import { parseRemoteFileAddress } from "./remote-file";
 
 /**
  * Gets the value that is configured for the configuration file, if any.
@@ -32,3 +40,52 @@ export function getConfigFileInput(
 
   return undefined;
 }
+
+/**
+ * Attempts to fetch a `UserConfig` from a remote `address`.
+ *
+ * @param actionState The current Action state.
+ * @param configFile The remote address of the configuration file.
+ * @param apiDetails Information about how to connect to the API.
+ *
+ * @returns The `UserConfig`, if it could be fetched and parsed successfully.
+ */
+export async function getRemoteConfig(
+  actionState: ActionState,
+  configFile: string,
+  apiDetails: api.GitHubApiCombinedDetails,
+): Promise<UserConfig> {
+  const address = await parseRemoteFileAddress(actionState, configFile);
+
+  const response = await api
+    .getApiClientWithExternalAuth(apiDetails)
+    .rest.repos.getContent({
+      owner: address.owner,
+      repo: address.repo,
+      path: address.path,
+      ref: address.ref,
+    });
+
+  let fileContents: string;
+  if ("content" in response.data && response.data.content !== undefined) {
+    fileContents = response.data.content;
+  } else if (Array.isArray(response.data)) {
+    throw new ConfigurationError(
+      errorMessages.getConfigFileDirectoryGivenMessage(configFile),
+    );
+  } else {
+    throw new ConfigurationError(
+      errorMessages.getConfigFileFormatInvalidMessage(configFile),
+    );
+  }
+
+  const validateConfig = await actionState.features.getValue(
+    Feature.ValidateDbConfig,
+  );
+  return parseUserConfig(
+    actionState.logger,
+    configFile,
+    Buffer.from(fileContents, "base64").toString("binary"),
+    validateConfig,
+  );
+}