github
diff --git a/‎lib/analyze.js
Lines changed: 1 addition & 0 deletions b/‎lib/analyze.js
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/analyze.js.map
Lines changed: 1 addition & 1 deletion b/‎lib/analyze.js.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/codeql.js
Lines changed: 11 additions & 4 deletions b/‎lib/codeql.js
Lines changed: 11 additions & 4 deletions
diff --git a/‎lib/codeql.js.map
Lines changed: 1 addition & 1 deletion b/‎lib/codeql.js.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/codeql.test.js
Lines changed: 2 additions & 2 deletions b/‎lib/codeql.test.js
Lines changed: 2 additions & 2 deletions
diff --git a/‎lib/codeql.test.js.map
Lines changed: 1 addition & 1 deletion b/‎lib/codeql.test.js.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/config-utils.js
Lines changed: 18 additions & 13 deletions b/‎lib/config-utils.js
Lines changed: 18 additions & 13 deletions
diff --git a/‎lib/config-utils.js.map
Lines changed: 1 addition & 1 deletion b/‎lib/config-utils.js.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/feature-flags.js
Lines changed: 1 addition & 1 deletion b/‎lib/feature-flags.js
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/analyze.ts
Lines changed: 1 addition & 0 deletions b/‎src/analyze.ts
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/codeql.test.ts
Lines changed: 3 additions & 3 deletions b/‎src/codeql.test.ts
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/codeql.ts
Lines changed: 23 additions & 12 deletions b/‎src/codeql.ts
Lines changed: 23 additions & 12 deletions
diff --git a/‎src/config-utils.ts
Lines changed: 29 additions & 24 deletions b/‎src/config-utils.ts
Lines changed: 29 additions & 24 deletions
diff --git a/‎src/feature-flags.ts
Lines changed: 1 addition & 1 deletion b/‎src/feature-flags.ts
Lines changed: 1 addition & 1 deletion
@@ -262,6 +262,7 @@ export async function runQueries(
         logger.endGroup();
         logger.info(analysisSummary);
       } else {
+        // config was generated by the action, so must be interpreted by the action.
         logger.startGroup(`Running queries for ${language}`);
         const querySuitePaths: string[] = [];
         if (queries["builtin"].length > 0) {
 
@@ -15,7 +15,7 @@ import { GitHubApiDetails } from "./api-client";
 import * as codeql from "./codeql";
 import { AugmentationProperties, Config } from "./config-utils";
 import * as defaults from "./defaults.json";
-import { Feature } from "./feature-flags";
+import { Feature, featureConfig } from "./feature-flags";
 import { Language } from "./languages";
 import { getRunnerLogger } from "./logging";
 import { setupTests, setupActionsVars, createFeatures } from "./testing-utils";
@@ -513,7 +513,7 @@ const injectedConfigMacro = test.macro({
       const codeqlObject = await codeql.getCodeQLForTesting();
       sinon
         .stub(codeqlObject, "getVersion")
-        .resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
+        .resolves(featureConfig[Feature.CliConfigFileEnabled].minimumVersion);
 
       const thisStubConfig: Config = {
         ...stubConfig,
@@ -826,7 +826,7 @@ test("does not use injected config", async (t: ExecutionContext<unknown>) => {
     const codeqlObject = await codeql.getCodeQLForTesting();
     sinon
       .stub(codeqlObject, "getVersion")
-      .resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
+      .resolves(featureConfig[Feature.CliConfigFileEnabled].minimumVersion);
 
     await codeqlObject.databaseInitCluster(
       stubConfig,
 
@@ -9,7 +9,7 @@ import * as yaml from "js-yaml";
 import * as semver from "semver";
 import { v4 as uuidV4 } from "uuid";
 
-import { isRunningLocalAction } from "./actions-util";
+import { getOptionalInput, isRunningLocalAction } from "./actions-util";
 import * as api from "./api-client";
 import { Config } from "./config-utils";
 import * as defaults from "./defaults.json"; // Referenced from codeql-action-sync-tool!
@@ -252,7 +252,6 @@ const CODEQL_MINIMUM_VERSION = "2.6.3";
  */
 const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
 const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
-export const CODEQL_VERSION_CONFIG_FILES = "2.10.1";
 const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
 export const CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
 const CODEQL_VERSION_FILE_BASELINE_INFORMATION = "2.11.3";
@@ -885,24 +884,35 @@ async function getCodeQLForCmd(
         }
       }
 
+      // A config file is only generated if the CliConfigFileEnabled feature flag is enabled.
+      // Only pass external repository token if a config file is
+      let externalRepositoryToken: string | undefined;
       const configLocation = await generateCodeScanningConfig(
         codeql,
         config,
         featureEnablement
       );
       if (configLocation) {
         extraArgs.push(`--codescanning-config=${configLocation}`);
+        externalRepositoryToken = getOptionalInput("external-repository-token");
+        if (externalRepositoryToken) {
+          extraArgs.push("--external-repository-token-stdin");
+        }
       }
 
-      await runTool(cmd, [
-        "database",
-        "init",
-        "--db-cluster",
-        config.dbLocation,
-        `--source-root=${sourceRoot}`,
-        ...extraArgs,
-        ...getExtraOptionsFromEnv(["database", "init"]),
-      ]);
+      await runTool(
+        cmd,
+        [
+          "database",
+          "init",
+          "--db-cluster",
+          config.dbLocation,
+          `--source-root=${sourceRoot}`,
+          ...extraArgs,
+          ...getExtraOptionsFromEnv(["database", "init"]),
+        ],
+        externalRepositoryToken
+      );
     },
     async runAutobuild(language: Language) {
       const cmdName =
@@ -1335,7 +1345,7 @@ export function getExtraOptions(
  */
 const maxErrorSize = 20_000;
 
-async function runTool(cmd: string, args: string[] = []) {
+async function runTool(cmd: string, args: string[] = [], stdin?: string) {
   let output = "";
   let error = "";
   const exitCode = await new toolrunner.ToolRunner(cmd, args, {
@@ -1354,6 +1364,7 @@ async function runTool(cmd: string, args: string[] = []) {
       },
     },
     ignoreReturnCode: true,
+    input: Buffer.from(stdin || ""),
   }).exec();
   if (exitCode !== 0)
     throw new CommandInvocationError(cmd, args, exitCode, error, output);
 
@@ -582,16 +582,20 @@ async function parseQueryUses(
     );
   }
 
-  // Otherwise, must be a reference to another repo
-  await addRemoteQueries(
-    codeQL,
-    resultMap,
-    queryUses,
-    tempDir,
-    apiDetails,
-    logger,
-    configFile
-  );
+  // Otherwise, must be a reference to another repo.
+  // If config parsing is handled in CLI, then this repo will be downloaded
+  // later by the CLI.
+  if (!(await useCodeScanningConfigInCli(codeQL, featureEnablement))) {
+    await addRemoteQueries(
+      codeQL,
+      resultMap,
+      queryUses,
+      tempDir,
+      apiDetails,
+      logger,
+      configFile
+    );
+  }
   return false;
 }
 
@@ -1724,26 +1728,27 @@ export async function initConfig(
     );
   }
 
-  // The list of queries should not be empty for any language. If it is then
-  // it is a user configuration error.
-  for (const language of config.languages) {
-    const hasBuiltinQueries = config.queries[language]?.builtin.length > 0;
-    const hasCustomQueries = config.queries[language]?.custom.length > 0;
-    const hasPacks = (config.packs[language]?.length || 0) > 0;
-    if (!hasPacks && !hasBuiltinQueries && !hasCustomQueries) {
-      throw new Error(
-        `Did not detect any queries to run for ${language}. ` +
-          "Please make sure that the default queries are enabled, or you are specifying queries to run."
-      );
-    }
-  }
-
   // When using the codescanning config in the CLI, pack downloads
   // happen in the CLI during the `database init` command, so no need
   // to download them here.
   await logCodeScanningConfigInCli(codeQL, featureEnablement, logger);
 
   if (!(await useCodeScanningConfigInCli(codeQL, featureEnablement))) {
+    // The list of queries should not be empty for any language. If it is then
+    // it is a user configuration error.
+    // This check occurs in the CLI when it parses the config file.
+    for (const language of config.languages) {
+      const hasBuiltinQueries = config.queries[language]?.builtin.length > 0;
+      const hasCustomQueries = config.queries[language]?.custom.length > 0;
+      const hasPacks = (config.packs[language]?.length || 0) > 0;
+      if (!hasPacks && !hasBuiltinQueries && !hasCustomQueries) {
+        throw new Error(
+          `Did not detect any queries to run for ${language}. ` +
+            "Please make sure that the default queries are enabled, or you are specifying queries to run."
+        );
+      }
+    }
+
     const registries = parseRegistries(registriesInput);
     await downloadPacks(
       codeQL,
 
@@ -43,7 +43,7 @@ export const featureConfig: Record<
   },
   [Feature.CliConfigFileEnabled]: {
     envVar: "CODEQL_PASS_CONFIG_TO_CLI",
-    minimumVersion: "2.11.1",
+    minimumVersion: "2.11.6",
   },
   [Feature.MlPoweredQueriesEnabled]: {
     envVar: "CODEQL_ML_POWERED_QUERIES",