The LGTM_INDEX_INCLUDE and LGTM_INDEX_EXCLUDE properties don't support any form of wildcards. I think you should only put proper paths into these fields. The * symbol is not allowed in paths on Windows, so you might even get an exception.

I just remembered that there is some good documentation about these settings in the javascript autobuilder: https://github.com/github/codeql/blob/bfb734e1d74df1ae810feb7198cb271b767c4b9a/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java#L80

Thanks. Makes sense to me. I'll filter those out of here.

I'd also forgotten that the JS extractor is public so thanks for that link.

I would also check for the special characters mentioned in https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet that are not supported by the underlying project layout implementation. Just report an error telling that these are not allowed, to avoid users getting confused why their perfectly sensible pattern string does not match any files.

This should filter out paths containing any kind of special matching character mentioned in https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet .

For windows I'd also paths containing any the forbidden characters mentioned in https://stackoverflow.com/a/31976060 . Otherwise things will crash at some point with a less friendly error message.

characteres -> characters

You are no longer filtering *, so best to adjust the error message.

I've moved this to analysis-paths.ts and kept it as not containing * because that is checked for separately on all platforms.

I meant for this check to be performed when adding a path to the exclude/include env vars. The paths in those env variables will be interpreted as path strings by the autobuilders and should therefore only contain valid path characters.

However, it should be fine here too as you no longer fail on *.

I've moved this check to when we construct the env vars. After some thought I agree it should be here and the right thing to do is to ignore it. Since the path can't legally exist anyway there should be no effect from not adding it to the include/exclude env vars.

I'd also prefer to not output any kind of error/warning about this because as explained above it shouldn't affect anything as the path legally can't exist anyway.

you might also want to exclude \ . I think excluding windows-style path separators would be helpful to ensure patterns mean the right thing cross platform.

I'd prefer to not do any special handling for \ for now. We can add that in later. This PR is getting complicated enough as it is and I don't understand exactly what you're proposing. I recommend once this PR is in it would be easiest for you to make the change you're suggesting for \/

I suggest not allowing \ symbols at all. I don't know what the project layouts do with windows path separators and a windows user can just write /. I think it is better to be restrictive in what we accept now, and perhaps make things more liberal later if there is any use (which I doubt).

I see the point that windows users can use \ instead, and it's nice to be restrictive in the start. I do note that linux paths can legitimately contain \ characters (although it is rather unlikely) so we would be actively preventing people from using filters with files with those characters.

Ok, I'll just ban them. I don't anticipate many problems if any from file legitimately containing this character, so let's hope it's fine. As you say we can make it less restrictive in the future and that's easier than going the other way.

Paths with either * or ** make no sense in the include/exclude env variables.

Thanks. You're right and this now checks for any instances of *.

I suppose empty paths "" are fine and would be interpreted as ".", but might be good to check this and add a test case for both JS and Python analysis runs with such a path.

I've tested manually and including / seems to be fine.