Include base database OIDs when bundling database

[henrymercer]

Include the base database OIDs file when bundling the database since this file is required to compute the set of changed files and perform an overlay analysis.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

• Advanced setup - Impacts users who have custom CodeQL workflows.
• Managed - Impacts users with dynamic workflows (Default Setup, CCR, ...).

Products:

• Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.

How did/will you validate this change?

• Test repository - This change will be tested on a test repository before merging.

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Feature flags - All new or changed code paths can be fully disabled with corresponding feature flags.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This pull request adds support for including the base database OIDs file when bundling databases, which is required for computing changed files and performing overlay analysis.

Changes:

• Moved getBaseDatabaseOidsFilePath function from overlay-database-utils.ts to util.ts and made it exported to allow reuse across multiple modules
• Added BundleSupportsIncludeOption feature flag to conditionally enable the new --include option for the codeql database bundle command
• Extended the databaseBundle method signature to accept additional files to include in the bundle, with backward compatibility via feature flag checking

Reviewed changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/util.ts	Added constant for base database OIDs filename, exported getBaseDatabaseOidsFilePath function, and updated bundleDb to copy and include the base database OIDs file in the bundle
src/tools-features.ts	Added BundleSupportsIncludeOption feature flag enum value
src/overlay-database-utils.ts	Removed local getBaseDatabaseOidsFilePath function and imported it from util.ts
src/codeql.ts	Updated databaseBundle method signature to accept tryAlsoIncludeRelativePaths parameter and conditionally pass --include flags to the CLI
package-lock.json	Automated npm lock file updates adding peer dependency markers
lib/*.js	Auto-generated JavaScript files from TypeScript compilation

[esbena]

for reference: we also do this elsewhere

[mbg]

Just a few minor questions, otherwise this looks reasonable.

[mbg]

Does the name start with try because of the feature check? If so, we should probably just call this includeRelativePaths (or extraPathsToInclude).

[henrymercer]

We could do that, and perform the feature check in the caller. I don't have a strong opinion.

[mbg]

No, keep the feature check here. My point was that the feature check is essentially a FF check to stop us from trying to use a feature that is not yet supported by the CLI. Our expectation would be that eventually this will always happen. In general, we don't name things try[...] if they are only used if a FF is enabled that we eventually expect to always be true.

[mbg]

I think this comment could be improved: right now, it is not super obvious what the difference between databasePath here and config.dbLocation is, and why the file has to be copied from the latter to the former.

[mbg]

Thanks! The changes made in response to my comments look good 👍🏻