How do I run experimental queries?

[ross-weir]

Description of the issue

I'm trying to replicate the setup used in this article on using CodeQL to harden Github actions but when specifying the github/codeql/javascript/ql/src/experimental/Security/CWE-094/ExpressionInjection.ql@main query in my workflow I get the following error:

A fatal error occurred: Found broken upgrade script at /home/runner/work/_temp/github/codeql/main/javascript/upgrades/e34b3e16dba5d11961119818c9beeff334f20a90 after 2 steps: No upgrade.properties
  (eventual cause: ResourceError "No upgrade.properties")

Full run: https://github.com/blstrco/test-gh-advnaced-secrets-scanning/runs/3617466899?check_suite_focus=true
Repository: https://github.com/blstrco/test-gh-advnaced-secrets-scanning

My goal is to get CodeQL to detect the expression injection vulnerability in the vuln-action workflow.

I found this section in the documentation about referencing queries:

We don't recommend referencing query suites directly from the github/codeql repository, like github/codeql/cpp/ql/src@main. Such queries may not be compiled with the same version of CodeQL as used for your other queries, which could lead to errors during analysis.

I'm not sure if it's related to this - but how else should we reference query suites? Later on in the documentation this is how queries are referenced:

queries: +security-and-quality,octo-org/python-qlpack/show_ifs.ql@main

Thank you for any help!

[intrigus-lgtm]

I think you have been hit by #6704.
The fix has been merged 4 hours ago so if you just retry the workflow it might work.

[RasmusWL]

Thanks @intrigus-lgtm, I think that should solve the problem for you @ross-weir.

I'm looking into whether we can make it easier to run those GitHub Actions queries, but for now I think that using github/codeql/javascript/ql/src/experimental/Security/CWE-094/ExpressionInjection.ql@main was also the best solution I could come up with.

[ross-weir]

Thank you folks, all working now.

Great, thank you @RasmusWL