Upgrade codeql CLI and dependencies to v2.24.0 (#31) #3
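name: Release - CodeQL Development MCP Server

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      version:
        description: 'Release version (e.g., vX.Y.Z). Must start with "v".'
        required: true
        type: string

permissions:
  contents: read

jobs:
  build-and-release:
    name: Build and Release
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
    env:
      # Single source of truth for the languages whose tool query packs are
      # published; read by the publish step and by the summary table.
      CODEQL_PACK_LANGUAGES: actions cpp csharp go java javascript python ruby swift
    steps:
      - name: Release - Checkout repository
        uses: actions/checkout@v6
        with:
          # Explicitly checkout the tag ref to ensure we build the correct commit
          # For tag pushes: refs/tags/vX.Y.Z
          # For workflow_dispatch: refs/heads/<branch> (will be validated below)
          ref: ${{ github.ref }}
          # The workflow_dispatch path checks out refs/tags/<version> in a later
          # step; the default shallow fetch of a branch ref does not bring tags
          # along, so fetch them explicitly.
          fetch-tags: true

      - name: Release - Setup Node.js
        uses: actions/setup-node@v6
        with:
          cache: 'npm'
          node-version-file: '.node-version'
          registry-url: 'https://npm.pkg.github.com'
          scope: '@advanced-security'

      - name: Release - Determine version
        id: version
        env:
          # Pass event data through the environment instead of expanding
          # ${{ }} inside the script body, so that a crafted dispatch input
          # or tag name is treated as data rather than shell syntax.
          EVENT_NAME: ${{ github.event_name }}
          INPUT_VERSION: ${{ github.event.inputs.version }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "${EVENT_NAME}" == "workflow_dispatch" ]; then
            VERSION="${INPUT_VERSION}"
          else
            VERSION="${REF_NAME}"
          fi
          # Validate the documented vX.Y.Z shape (optional -prerelease/+build
          # suffix). Besides enforcing the contract, this restricts the value
          # to characters that are safe to reuse in later shell steps and in
          # artifact file names.
          if [[ ! "${VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$ ]]; then
            echo "::error::Version '${VERSION}' must have the form vX.Y.Z"
            exit 1
          fi
          echo "version=${VERSION}" >> "${GITHUB_OUTPUT}"
          echo "release_name=${VERSION#v}" >> "${GITHUB_OUTPUT}"

      - name: Release - Checkout tag for workflow_dispatch
        if: github.event_name == 'workflow_dispatch'
        env:
          TAG: ${{ steps.version.outputs.version }}
        run: |
          # For workflow_dispatch, we need to checkout the specific tag
          if git rev-parse "refs/tags/${TAG}" >/dev/null 2>&1; then
            echo "Checking out existing tag: ${TAG}"
            git checkout "refs/tags/${TAG}"
          else
            echo "::error::Tag '${TAG}' does not exist. Create the tag first before running this workflow."
            exit 1
          fi

      - name: Release - Verify checkout matches expected version
        env:
          TAG: ${{ steps.version.outputs.version }}
        run: |
          # Verify we're on the correct commit for the release
          CURRENT_SHA=$(git rev-parse HEAD)
          if git rev-parse "refs/tags/${TAG}" >/dev/null 2>&1; then
            # Peel annotated tags to the commit they point at; fall back to
            # the raw ref for lightweight tags.
            TAG_SHA=$(git rev-parse "refs/tags/${TAG}^{commit}" 2>/dev/null || git rev-parse "refs/tags/${TAG}")
            if [ "${CURRENT_SHA}" != "${TAG_SHA}" ]; then
              echo "::error::Current checkout (${CURRENT_SHA}) does not match tag ${TAG} (${TAG_SHA})"
              exit 1
            fi
            echo "✅ Verified: Building from tag ${TAG} at commit ${CURRENT_SHA:0:8}"
          else
            echo "::warning::Tag ${TAG} not found, building from current checkout at ${CURRENT_SHA:0:8}"
          fi

      - name: Release - Install dependencies
        run: npm ci --include=optional

      - name: Release - Build server
        run: npm run build -w server

      - name: Release - Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          # NOTE(review): `latest` resolves to the newest CodeQL bundle at run
          # time rather than a pinned CLI version, so the CLI used to publish
          # packs may differ from the one the repository was tested with —
          # confirm this is intended for release builds.
          tools: latest

      # Publishing only happens for tag pushes; a workflow_dispatch run builds
      # and uploads the archive but skips both publish steps and the release.
      - name: Release - Publish CodeQL tool query packs
        if: startsWith(github.ref, 'refs/tags/')
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Publishing CodeQL tool query packs..."
          for lang in ${CODEQL_PACK_LANGUAGES}; do
            PACK_DIR="server/ql/${lang}/tools/src"
            if [ -d "${PACK_DIR}" ]; then
              echo "📦 Publishing ${PACK_DIR}..."
              codeql pack publish --threads=-1 -- "${PACK_DIR}"
              echo "✅ Published ${lang} tool query pack"
            else
              echo "⚠️ Skipping ${lang}: ${PACK_DIR} not found"
            fi
          done

      - name: Release - Publish npm package
        if: startsWith(github.ref, 'refs/tags/')
        working-directory: server
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Publishing @advanced-security/codeql-development-mcp-server to GitHub Packages..."
          npm publish
          echo "✅ Published npm package to GitHub Packages"

      - name: Release - Create distribution directory
        run: |
          mkdir -p dist-package/server
          mkdir -p dist-package/docs
          # Copy server distributable files
          cp -r server/dist dist-package/server/
          cp -r server/ql dist-package/server/
          cp server/package.json dist-package/server/
          # Copy root package-lock.json for npm ci (monorepo lockfile)
          cp package-lock.json dist-package/server/
          # Copy root files
          cp README.md dist-package/
          cp LICENSE dist-package/
          # Copy documentation
          cp -r docs/* dist-package/docs/

      - name: Release - Clean QL test directories from distribution
        run: |
          # Remove test and examples directories from ql folders (only keep src)
          find dist-package/server/ql -type d \( -name "test" -o -name "examples" \) -prune -exec rm -rf {} \;

      - name: Release - Install production dependencies
        working-directory: dist-package/server
        run: npm ci --omit=dev --include=optional

      - name: Release - Create archive
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          tar -czvf "codeql-development-mcp-server-${VERSION}.tar.gz" -C dist-package .

      - name: Release - Upload artifact
        uses: actions/upload-artifact@v6
        with:
          name: codeql-development-mcp-server-${{ steps.version.outputs.version }}
          path: codeql-development-mcp-server-${{ steps.version.outputs.version }}.tar.gz

      - name: Release - Create GitHub Release
        if: startsWith(github.ref, 'refs/tags/')
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          files: codeql-development-mcp-server-${{ steps.version.outputs.version }}.tar.gz
          generate_release_notes: true

      - name: Release - Summary
        env:
          VERSION: ${{ steps.version.outputs.version }}
          RELEASE_NAME: ${{ steps.version.outputs.release_name }}
          # Mirrors the condition on the publish steps so the summary only
          # reports a publish that actually happened.
          PUBLISHED: ${{ startsWith(github.ref, 'refs/tags/') }}
        run: |
          {
            echo "## Release Summary"
            echo "✅ Server built successfully"
            if [ "${PUBLISHED}" == "true" ]; then
              echo "✅ npm package published to GitHub Packages"
              echo "✅ CodeQL tool query packs published to GHCR"
            else
              echo "ℹ️ Publish steps skipped (not a tag push)"
            fi
            echo "✅ Distribution package created"
            echo "✅ Production dependencies installed"
            echo "✅ Archive created: codeql-development-mcp-server-${VERSION}.tar.gz"
            echo ""
            echo "### Package Contents"
            echo "- \`server/dist/\` - Bundled JavaScript output"
            echo "- \`server/ql/*/tools/src/\` - CodeQL tool queries"
            echo "- \`server/node_modules/\` - Production dependencies"
            echo "- \`docs/\` - User documentation"
            echo "- \`README.md\` - Project overview"
            echo "- \`LICENSE\` - CodeQL Terms and Conditions"
            if [ "${PUBLISHED}" == "true" ]; then
              echo ""
              echo "### Published CodeQL Packs"
              echo "| Pack | Version |"
              echo "| ---- | ------- |"
              for lang in ${CODEQL_PACK_LANGUAGES}; do
                echo "| \`advanced-security/ql-mcp-${lang}-tools-src\` | ${RELEASE_NAME} |"
              done
            fi
          } >> "${GITHUB_STEP_SUMMARY}"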