Convert release-branches.py and update-required-checks.sh to TypeScript

.github/actions/release-branches/action.yml

@@ -22,7 +22,8 @@ runs:
         MAJOR_VERSION: ${{ inputs.major_version }}
         LATEST_TAG: ${{ inputs.latest_tag }}
       run: |
-        python ${{ github.action_path }}/release-branches.py \
+        npm ci
+        npx tsx ./pr-checks/release-branches.ts \
             --major-version "$MAJOR_VERSION" \
             --latest-tag "$LATEST_TAG"
       shell: bash

.github/actions/release-initialise/action.yml

@@ -15,6 +15,12 @@ runs:
       run: echo "$GITHUB_CONTEXT"
       shell: bash
 
+    - name: Set up Node
+      uses: actions/setup-node@v6
+      with:
+        node-version: 20
+        cache: 'npm'
+
     - name: Set up Python
       uses: actions/setup-python@v6
       with:

CONTRIBUTING.md

@@ -69,12 +69,14 @@ Once the mergeback and backport pull request have been merged, the release is co
 
 ## Keeping the PR checks up to date (admin access required)
 
-Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [update-required-checks.sh](.github/workflows/script/update-required-checks.sh) script:
+Since the `codeql-action` runs most of its testing through individual Actions workflows, there are over two hundred required jobs that need to pass in order for a PR to turn green. It would be too tedious to maintain that list manually. You can regenerate the set of required checks automatically by running the [sync-checks.ts](pr-checks/sync-checks.ts) script:
 
-- If you run the script without an argument, it will retrieve the set of workflows that ran for the latest commit on `main`. Make sure that your local `main` branch is up to date before running the script.
-- You can specify a commit SHA as argument to retrieve the set of workflows for that commit instead. You will likely want to use this if you have a PR that removes or adds PR checks.
+- At a minimum, you must provide an argument for the `--token` input. For example, `--token "$(gh auth token)"` to use the same token that `gh` uses. If no token is provided or the token has insufficient permissions, the script will fail.
+- By default, the script performs a dry run and outputs information about the changes it would make to the branch protection rules. To actually apply the changes, specify the `--apply` flag.
+- If you run the script without any other arguments, it will retrieve the set of workflows that ran for the latest commit on `main`.
+- You can specify a different git ref with the `--ref` input. You will likely want to use this if you have a PR that removes or adds PR checks. For example, `--ref "some/branch/name"` to use the HEAD of the `some/branch/name` branch.
 
-After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v3`, and any other currently supported major versions have been updated.
+After running, go to the [branch protection rules settings page](https://github.com/github/codeql-action/settings/branches) and validate that the rules for `main`, `v4`, and any other currently supported major versions have been updated.
 
 Note that any updates to checks on `main` need to be backported to all currently supported major version branches, in order to maintain the same set of names for required checks.
 
@@ -122,7 +124,7 @@ To deprecate an older version of the Action:
    - Implement an Actions warning for customers using the deprecated version.
 1. Wait for the deprecation period to pass.
 1. Upgrade the Actions warning for customers using the deprecated version to a non-fatal error, and mention that this version of the Action is no longer supported.
-1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [releases.ini](.github/releases.ini).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
+1. Make a PR to bump the `OLDEST_SUPPORTED_MAJOR_VERSION` in [config.ts](pr-checks/config.ts).  Once this PR is merged, the release process will no longer backport changes to the deprecated release version.
 
 ## Resources
 

eslint.config.mjs

@@ -7,7 +7,11 @@ import noAsyncForeach from "eslint-plugin-no-async-foreach";
 import jsdoc from "eslint-plugin-jsdoc";
 import tseslint from "typescript-eslint";
 import globals from "globals";
+import path from "path";
+import { fileURLToPath } from "url";
 
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
 const githubFlatConfigs = github.getFlatConfigs();
 
 export default [
@@ -43,7 +47,7 @@ export default [
     plugins: {
       "import-x": importX,
       "no-async-foreach": fixupPluginRules(noAsyncForeach),
-      "jsdoc": jsdoc,
+      jsdoc: jsdoc,
     },
 
     languageOptions: {
@@ -67,7 +71,13 @@ export default [
 
         typescript: {},
       },
-      "import/ignore": ["sinon", "uuid", "@octokit/plugin-retry", "del", "get-folder-size"],
+      "import/ignore": [
+        "sinon",
+        "uuid",
+        "@octokit/plugin-retry",
+        "del",
+        "get-folder-size",
+      ],
       "import-x/resolver-next": [
         createTypeScriptImportResolver(),
         createNodeResolver({
@@ -143,7 +153,7 @@ export default [
           // We don't currently require full JSDoc coverage, so this rule
           // should not error on missing @param annotations.
           disableMissingParamChecks: true,
-        }
+        },
       ],
     },
   },
@@ -162,9 +172,9 @@ export default [
       "@typescript-eslint/no-unused-vars": [
         "error",
         {
-          "args": "all",
-          "argsIgnorePattern": "^_",
-        }
+          args: "all",
+          argsIgnorePattern: "^_",
+        },
       ],
       "func-style": "off",
     },
@@ -183,6 +193,11 @@ export default [
       // The scripts in `pr-checks` are expected to output to the console.
       "no-console": "off",
 
+      "import/no-extraneous-dependencies": [
+        "error",
+        { packageDir: [__dirname, path.resolve(__dirname, "pr-checks")] },
+      ],
+
       "@typescript-eslint/no-floating-promises": [
         "error",
         {