Python: Don't install deps by default for all users

Author: RasmusWL

src/analyze.ts

@@ -108,6 +108,10 @@ async function setupPythonExtractor(
     await features.getValue(
       Feature.DisablePythonDependencyInstallationEnabled,
       codeql,
+    ) ||
+    await features.getValue(
+      Feature.PythonDefaultIsToSkipDependencyInstallationEnabled,
+      codeql,
     )
   ) {
     logger.warning(

src/feature-flags.ts

@@ -49,6 +49,8 @@ export enum Feature {
   CppDependencyInstallation = "cpp_dependency_installation_enabled",
   DisableKotlinAnalysisEnabled = "disable_kotlin_analysis_enabled",
   DisablePythonDependencyInstallationEnabled = "disable_python_dependency_installation_enabled",
+  // NOTE: `python_default_is_to_skip_dependency_installation_enabled` is never actually returned by the GitHub API.
+  PythonDefaultIsToSkipDependencyInstallationEnabled = "python_default_is_to_skip_dependency_installation_enabled",
   EvaluatorFineGrainedParallelismEnabled = "evaluator_fine_grained_parallelism_enabled",
   ExportDiagnosticsEnabled = "export_diagnostics_enabled",
   QaTelemetryEnabled = "qa_telemetry_enabled",
@@ -103,6 +105,15 @@ export const featureConfig: Record<
     minimumVersion: undefined,
     defaultValue: false,
   },
+  [Feature.PythonDefaultIsToSkipDependencyInstallationEnabled]: {
+    // we can reuse the same environment variable as above. If someone has set it to
+    // `true` in their workflow this means dependencies are not installed, setting it to
+    // `false` means dependencies _will_ be installed. The same semantics are applied
+    // here!
+    envVar: "CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION",
+    minimumVersion: "2.16.0",
+    defaultValue: true,
+  },
 };
 
 /**

src/init-action.ts

@@ -297,6 +297,10 @@ async function run() {
         await features.getValue(
           Feature.DisablePythonDependencyInstallationEnabled,
           codeql,
+        ) ||
+        await features.getValue(
+          Feature.PythonDefaultIsToSkipDependencyInstallationEnabled,
+          codeql,
         )
       ) {
         logger.info("Skipping python dependency installation");
@@ -450,6 +454,10 @@ async function run() {
       await features.getValue(
         Feature.DisablePythonDependencyInstallationEnabled,
         codeql,
+      ) ||
+      await features.getValue(
+        Feature.PythonDefaultIsToSkipDependencyInstallationEnabled,
+        codeql,
       )
     ) {
       core.exportVariable(