github
diff --git a/‎lib/codeql.test.js‎
Lines changed: 26 additions & 2 deletions b/‎lib/codeql.test.js‎
Lines changed: 26 additions & 2 deletions
diff --git a/‎lib/codeql.test.js.map‎
Lines changed: 1 addition & 1 deletion b/‎lib/codeql.test.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/setup-codeql.js‎
Lines changed: 8 additions & 7 deletions b/‎lib/setup-codeql.js‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎lib/setup-codeql.js.map‎
Lines changed: 1 addition & 1 deletion b/‎lib/setup-codeql.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/codeql.test.ts‎
Lines changed: 46 additions & 1 deletion b/‎src/codeql.test.ts‎
Lines changed: 46 additions & 1 deletion
diff --git a/‎src/setup-codeql.ts‎
Lines changed: 15 additions & 13 deletions b/‎src/setup-codeql.ts‎
Lines changed: 15 additions & 13 deletions
@@ -87,10 +87,14 @@ test.beforeEach(() => {
 function mockDownloadApi({
   apiDetails = sampleApiDetails,
   isPinned,
+  repo = "github/codeql-action",
+  platformSpecific = true,
   tagName,
 }: {
   apiDetails?: GitHubApiDetails;
   isPinned?: boolean;
+  repo?: string;
+  platformSpecific?: boolean;
   tagName: string;
 }): string {
   const platform =
@@ -102,7 +106,9 @@ function mockDownloadApi({
 
   const baseUrl = apiDetails?.url ?? "https://example.com";
   const relativeUrl = apiDetails
-    ? `/github/codeql-action/releases/download/${tagName}/codeql-bundle-${platform}.tar.gz`
+    ? `/${repo}/releases/download/${tagName}/codeql-bundle${
+        platformSpecific ? `-${platform}` : ""
+      }.tar.gz`
     : `/download/${tagName}/codeql-bundle.tar.gz`;
 
   nock(baseUrl)
@@ -546,6 +552,45 @@ for (const isBundleVersionInUrl of [true, false]) {
   });
 }
 
+test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t) => {
+  await util.withTmpDir(async (tmpDir) => {
+    setupActionsVars(tmpDir, tmpDir);
+
+    mockApiDetails(sampleApiDetails);
+    sinon.stub(actionsUtil, "isRunningLocalAction").returns(true);
+    const releasesApiMock = mockReleaseApi({
+      assetNames: ["cli-version-2.12.2.txt"],
+      tagName: "codeql-bundle-20230203",
+    });
+    mockDownloadApi({
+      repo: "dsp-testing/codeql-cli-nightlies",
+      platformSpecific: false,
+      tagName: "codeql-bundle-20230203",
+    });
+
+    const result = await codeql.setupCodeQL(
+      "https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz",
+      sampleApiDetails,
+      tmpDir,
+      util.GitHubVariant.DOTCOM,
+      false,
+      SAMPLE_DEFAULT_CLI_VERSION,
+      getRunnerLogger(true),
+      false
+    );
+
+    t.is(result.toolsVersion, "0.0.0-20230203");
+    t.is(result.toolsSource, ToolsSource.Download);
+    t.true(Number.isInteger(result.toolsDownloadDurationMs));
+
+    const cachedVersions = toolcache.findAllVersions("CodeQL");
+    t.is(cachedVersions.length, 1);
+    t.is(cachedVersions[0], "0.0.0-20230203");
+
+    t.false(releasesApiMock.isDone());
+  });
+});
+
 test("getExtraOptions works for explicit paths", (t) => {
   t.deepEqual(codeql.getExtraOptions({}, ["foo"], []), []);
 
 
@@ -663,14 +663,17 @@ export async function downloadCodeQL(
   }
 
   // Try to compute the CLI version for this bundle
-  const cliVersion: string | undefined =
-    maybeCliVersion ||
-    (variant === util.GitHubVariant.DOTCOM &&
-      (await tryFindCliVersionDotcomOnly(
-        `codeql-bundle-${bundleVersion}`,
-        logger
-      ))) ||
-    undefined;
+  if (
+    maybeCliVersion === undefined &&
+    variant === util.GitHubVariant.DOTCOM &&
+    codeqlURL.includes(`/${CODEQL_DEFAULT_ACTION_REPOSITORY}/`)
+  ) {
+    maybeCliVersion = await tryFindCliVersionDotcomOnly(
+      `codeql-bundle-${bundleVersion}`,
+      logger
+    );
+  }
+
   // Include both the CLI version and the bundle version in the toolcache version number. That way
   // if the user requests the same URL again, we can get it from the cache without having to call
   // any of the Releases API.
@@ -680,12 +683,11 @@ export async function downloadCodeQL(
   // CLI release. In principle, it should be enough to just check that the CLI version isn't a
   // pre-release, but the version numbers of CodeQL nightlies have the format `x.y.z+<timestamp>`,
   // and we don't want these nightlies to override stable CLI versions in the toolcache.
-  const toolcacheVersion =
-    cliVersion && cliVersion.match(/^[0-9]+\.[0-9]+\.[0-9]+$/)
-      ? `${cliVersion}-${bundleVersion}`
-      : convertToSemVer(bundleVersion, logger);
+  const toolcacheVersion = maybeCliVersion?.match(/^[0-9]+\.[0-9]+\.[0-9]+$/)
+    ? `${maybeCliVersion}-${bundleVersion}`
+    : convertToSemVer(bundleVersion, logger);
   return {
-    toolsVersion: cliVersion || toolcacheVersion,
+    toolsVersion: maybeCliVersion ?? toolcacheVersion,
     codeqlFolder: await toolcache.cacheDir(
       codeqlExtracted,
       "CodeQL",