Skip to content

Avoid bundling package.json in JavaScript files#3573

Merged
mbg merged 2 commits intomainfrom
mbg/esbuild/no-package-json
Mar 13, 2026
Merged

Avoid bundling package.json in JavaScript files#3573
mbg merged 2 commits intomainfrom
mbg/esbuild/no-package-json

Conversation

@mbg
Copy link
Member

@mbg mbg commented Mar 12, 2026

Currently, we bundle the entire contents of package.json in our generated JavaScript files. This is because we depend on the "version" property in actions-util.ts.

This PR changes this so that we load package.json in build.mjs, retrieve the version, and use it to define a constant named __CODEQL_ACTION_VERSION__ that's available to the bundled code instead. Therefore, we no longer depend on package.json, and esbuild omits it.

To allow the tests to continue functioning (which don't go through the build process first), an equivalent change for ava now runs ava.setup.mjs before tests which also loads package.json and sets __CODEQL_ACTION_VERSION__ to the version value.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

  • Advanced setup - Impacts users who have custom CodeQL workflows.
  • Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.
  • Other first-party - The changes impact other first-party analyses.
  • Third-party analyses - The changes affect the upload-sarif action.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
  • GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

mbg added 2 commits March 12, 2026 18:43
@mbg
Move ava config out of package.json
c183dca
@mbg
Avoid bundling package.json
ea70366 
- `package.json` is bundled by `esbuild` because we depend on it in `actions-util.ts`
- That is so we can access the `version` property
- We now use `build.mjs` to define a constant for it instead
- We also set this constant in `ava.setup.mjs` for tests
- This reduces the size of the generated `.js` files and avoids changing them entirely in some cases
@mbg mbg self-assigned this Mar 12, 2026
@mbg mbg requested a review from a team as a code owner March 12, 2026 19:00
Copilot AI review requested due to automatic review settings March 12, 2026 19:00
@github-actions github-actions bot added the size/S Should be easy to review label Mar 12, 2026
Copilot AI reviewed Mar 12, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the build and test setup so the bundled JavaScript no longer embeds the full package.json just to access the action version. Instead, the version is injected at build/test time via a __CODEQL_ACTION_VERSION__ constant.

Changes:

  • Replace require("../package.json") usage in src/actions-util.ts with a build-defined __CODEQL_ACTION_VERSION__ constant.
  • Update build.mjs to read package.json and pass the version into esbuild via define.
  • Add AVA config/setup files to preload the version constant for unit tests, and remove the old AVA config block from package.json.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/actions-util.ts Uses __CODEQL_ACTION_VERSION__ instead of requiring package.json at runtime.
build.mjs Loads package.json during build and injects the version via esbuild define.
ava.setup.mjs Preloads a global version value for tests.
ava.config.mjs Moves AVA configuration from package.json into a config file and preloads ava.setup.mjs.
eslint.config.mjs Ignores the new AVA config/setup files (and other non-linted paths).
package.json Removes embedded AVA configuration (now in ava.config.mjs).
lib/analyze-action.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/analyze-action-post.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/autobuild-action.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/init-action.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/init-action-post.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/resolve-environment-action.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/setup-codeql-action.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/start-proxy-action.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/start-proxy-action-post.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/upload-lib.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/upload-sarif-action.js Generated bundle updated to inline the version constant and omit bundling root package.json.
lib/upload-sarif-action-post.js Generated bundle updated to inline the version constant and omit bundling root package.json.

@mbg mbg mentioned this pull request Mar 12, 2026
Merged
redsun82
redsun82 approved these changes Mar 13, 2026
View reviewed changes
Copy link
Contributor

@redsun82 redsun82 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice.

This does make me wonder though: couldn't we completely detach from the version in package.json, fix it to a dummy value, and rely on git tags instead in build.mjs? On the other hand, during release we have in any case to update the changelog, so this wouldn't necessarily simplify the release (by requiring one less PR).

@mbg
Copy link
Member Author

mbg commented Mar 13, 2026

This does make me wonder though: couldn't we completely detach from the version in package.json, fix it to a dummy value, and rely on git tags instead in build.mjs? On the other hand, during release we have in any case to update the changelog, so this wouldn't necessarily simplify the release (by requiring one less PR).

Perhaps, but I think we currently rely on the version field in package.json to decide what the new release tag should be and which is then created by the release process. E.g. if we want to bump the minor version, we manually update package.json for that on main, and then the release automation bases the tag off that. Changing this would require us to make that a workflow input instead (which then becomes harder to get right because the person running the release process would need to know the right version to enter, ...)

@mbg mbg added this pull request to the merge queue Mar 13, 2026
Merged via the queue into main with commit dafe740 Mar 13, 2026
229 checks passed
@mbg mbg deleted the mbg/esbuild/no-package-json branch March 13, 2026 11:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@redsun82 redsun82 redsun82 approved these changes

Assignees

@mbg mbg

Labels

size/S Should be easy to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mbg @redsun82