Bundle Actions using esbuild

[henrymercer]

This PR bundles the Action using esbuild.

Reasoning

• Avoid risks of long paths in node_modules, specifically the risk that these paths could exceed MAX_PATH on Windows when checked out.
• Speed up the download of the Action, and every code scanning workflow as a result.

Downsides we should be aware of

• Potential for more merge conflicts
  • Mitigation: I haven't enabled minification which I hope will reduce the likelihood of merge conflicts
  • Mitigation: You can now run the rebuild workflow on PRs even if they have merge conflicts (Enable rebuilding PRs with conflicts #3014)

Risk assessment

For internal use only. Please select the risk level of this change:

• High risk: Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.

This is a risky change. Things I've done to minimise the risk:

• Avoid changing the module resolution system — this is tricky and requires us to change a lot of our unit tests.
• Keep the compiled Actions in the same place, so that users invoking them directly do not need to change their paths.
• Keep defaults.json copied over to lib.
• Minimise changes to unit testing setup by preserving the "compile to JS" workflow that's known to work reasonably well with ava.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull Request Overview

This PR introduces bundling of the CodeQL Action using esbuild to replace the previous TypeScript compilation approach. The change aims to reduce download times, speed up workflows, and avoid Windows path length issues by consolidating dependencies into fewer files.

Key Changes:

• Migration from TypeScript compilation to esbuild bundling for JavaScript generation
• Complete replacement of all compiled JavaScript files in the lib directory
• Preservation of the existing module structure and functionality while optimizing the build output

Reviewed Changes

Copilot reviewed 63 out of 23839 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
lib/setup-codeql.test.js	Updated bundled test file for CodeQL setup functionality
lib/setup-codeql.js	Updated bundled implementation file for CodeQL setup and download logic
lib/resolve-environment.js	Updated bundled utility for build environment resolution
lib/repository.js	Updated bundled repository utilities for GitHub repository handling
lib/overlay-database-utils.test.js	Updated bundled test file for overlay database functionality
lib/overlay-database-utils.js	Updated bundled implementation for overlay database caching and management
lib/logging.js	Updated bundled logging utilities for Actions and runner logging
lib/languages.js	Updated bundled language enumeration definitions
lib/init.test.js	Updated bundled test file for initialization functionality
lib/init.js	Updated bundled initialization logic for CodeQL setup
lib/init-action-post-helper.test.js	Updated bundled test file for post-action helper functionality
lib/init-action-post-helper.js	Updated bundled post-action cleanup and SARIF upload logic
lib/git-utils.test.js	Updated bundled test file for Git utilities
lib/git-utils.js	Updated bundled Git operation utilities
lib/fingerprints.test.js	Updated bundled test file for SARIF fingerprinting
lib/fingerprints.js	Updated bundled SARIF fingerprinting implementation
lib/feature-flags.test.js	Updated bundled test file for feature flag functionality

[aeisenberg]

Nice. I haven't tried this locally, but it looks good.

[aeisenberg]

If I have time later, I'll try checking this PR out and making sure the dev flow still works for me.

[aibaars]

Let's use npm ci instead of npm install in the workflows.

[henrymercer]

We'll need to update the set of required checks before merging this PR.

[aibaars]

Let's run npm ci instead of npm install. Also don't forget to update poackage-lock.json`

[navntoft]

Avoid changing the module resolution system — this is tricky and requires us to change a lot of our unit tests.

Note that bundling CJS is less reliable than ESM due to its dynamic nature. ESBuild is designed with ESM in mind, and there has been (at least historically) some gotchas wrt. its CJS bundling.

[henrymercer]

Note that bundling CJS is less reliable than ESM due to its dynamic nature. ESBuild is designed with ESM in mind, and there has been (at least historically) some gotchas wrt. its CJS bundling.

Is there a different bundler you'd recommend for CJS? I chose ESBuild since it's much faster than webpack and we're using it successfully in other projects, but we could explore something else.

[aibaars]

Note that bundling CJS is less reliable than ESM due to its dynamic nature. ESBuild is designed with ESM in mind, and there has been (at least historically) some gotchas wrt. its CJS bundling.

Is there a different bundler you'd recommend for CJS? I chose ESBuild since it's much faster than webpack and we're using it successfully in other projects, but we could explore something else.

It looks like the typescript-action template repo uses rollup, no idea if it is better. https://github.com/actions/typescript-action/blob/main/package.json#L33 . They used to use ncc but switched not to long ago to rollup: actions/typescript-action#969

[henrymercer]

It looks like the typescript-action template repo uses rollup, no idea if it is better. https://github.com/actions/typescript-action/blob/main/package.json#L33 . They used to use ncc but switched not to long ago to rollup: actions/typescript-action#969

I believe rollup was designed for ES modules perhaps more so than esbuild — you need to use a plugin to use it with CommonJS modules.

[navntoft]

It looks like the typescript-action template repo uses rollup, no idea if it is better. actions/typescript-action@main/package.json#L33 . They used to use ncc but switched not to long ago to rollup: actions/typescript-action#969

I believe rollup was designed for ES modules perhaps more so than esbuild — you need to use a plugin to use it with CommonJS modules.

esbuild has been my favourite tool for bundling. It's easy to use, still fairly flexible, and fast. I have only used it for ESM bundling, though. I know that vite has used esbuild for transpilation and rollup for bundling (not sure if still true). Historically webpack has had the best support for CJS bundling, but it is slow and bloated. I haven't kept up on the bundling scene the past 2 years though, so a lot may have happened...

[navntoft]

The esbuild setup looks sound. You will likely want 👀 from somebody else as well as I don't know of the complexities around distributing codeql-action.

As I said, there can be nasty surprises when bundling CJS, so be sure to test various setups.