Release - CodeQL Development MCP Server #17
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release - CodeQL Development MCP Server | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| workflow_dispatch: | |
| inputs: | |
| create_github_release: | |
| default: true | |
| description: 'Create GitHub Release with distribution archive and CodeQL pack bundles. Disable to only publish packages without creating a release.' | |
| required: false | |
| type: boolean | |
| publish_codeql_packs: | |
| default: true | |
| description: 'Publish CodeQL tool query packs to GHCR. Disable for pre-release or re-run scenarios where packs already exist. Packs are always bundled as release artifacts regardless of this setting.' | |
| required: false | |
| type: boolean | |
| publish_npm: | |
| default: true | |
| description: 'Publish npm package to npmjs.org via OIDC trusted publishing. Disable for pre-release or re-run scenarios where the npm package already exists.' | |
| required: false | |
| type: boolean | |
| version: | |
| description: 'Release version (e.g., vX.Y.Z). Must start with "v".' | |
| required: true | |
| type: string | |
| permissions: | |
| contents: read | |
| jobs: | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| # Step 1: Determine the release version | |
| # | |
| # Resolves the version from either the tag push event or the workflow_dispatch | |
| # input, and validates the format. This output is consumed by all downstream | |
| # jobs. | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| resolve-version: | |
| name: Resolve Release Version | |
| runs-on: ubuntu-latest | |
| outputs: | |
| create_github_release: ${{ steps.resolve.outputs.create_github_release }} | |
| publish_codeql_packs: ${{ steps.resolve.outputs.publish_codeql_packs }} | |
| publish_npm: ${{ steps.resolve.outputs.publish_npm }} | |
| release_name: ${{ steps.resolve.outputs.release_name }} | |
| version: ${{ steps.resolve.outputs.version }} | |
| steps: | |
| - name: Version - Resolve and validate | |
| id: resolve | |
| run: | | |
| if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then | |
| VERSION="${{ github.event.inputs.version }}" | |
| else | |
| VERSION="${{ github.ref_name }}" | |
| fi | |
| # Validate version starts with 'v' | |
| if [[ ! "${VERSION}" =~ ^v ]]; then | |
| echo "::error::Version '${VERSION}' must start with 'v'" | |
| exit 1 | |
| fi | |
| # Resolve publish flags (default true for tag pushes) | |
| if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then | |
| CREATE_RELEASE="${{ github.event.inputs.create_github_release }}" | |
| PUBLISH_PACKS="${{ github.event.inputs.publish_codeql_packs }}" | |
| PUBLISH_NPM="${{ github.event.inputs.publish_npm }}" | |
| else | |
| CREATE_RELEASE="true" | |
| PUBLISH_PACKS="true" | |
| PUBLISH_NPM="true" | |
| fi | |
| echo "version=${VERSION}" >> $GITHUB_OUTPUT | |
| echo "release_name=${VERSION#v}" >> $GITHUB_OUTPUT | |
| echo "create_github_release=${CREATE_RELEASE}" >> $GITHUB_OUTPUT | |
| echo "publish_codeql_packs=${PUBLISH_PACKS}" >> $GITHUB_OUTPUT | |
| echo "publish_npm=${PUBLISH_NPM}" >> $GITHUB_OUTPUT | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| # Step 2: Ensure the release tag exists | |
| # | |
| # For workflow_dispatch, ensures a properly validated tag exists. For tag push | |
| # events, this is a no-op (tag already exists). The release-tag workflow | |
| # handles version updates, `npm install`, tidy, build, test, and tag creation. | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| ensure-tag: | |
| name: Ensure Release Tag | |
| needs: resolve-version | |
| permissions: | |
| contents: write | |
| uses: ./.github/workflows/release-tag.yml | |
| with: | |
| version: ${{ needs.resolve-version.outputs.version }} | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| # Step 3a: Build and publish the npm package | |
| # | |
| # Checks out the clean tag (no CodeQL pack artifacts), builds with `npm ci`, | |
| # and publishes to npmjs.org via OIDC trusted publishing. Runs in parallel | |
| # with CodeQL pack publishing since they are independent. | |
| # | |
| # The trusted publisher on npmjs.com is configured with workflow "release.yml" | |
| # and environment "release-npm". The id-token:write permission is required for | |
| # OIDC authentication — no npm tokens are used. | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| publish-npm: | |
| name: Publish npm Package | |
| if: needs.resolve-version.outputs.publish_npm == 'true' | |
| needs: [resolve-version, ensure-tag] | |
| permissions: | |
| contents: read | |
| id-token: write | |
| uses: ./.github/workflows/release-npm.yml | |
| with: | |
| version: ${{ needs.resolve-version.outputs.version }} | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| # Step 3b: Bundle and optionally publish CodeQL packs | |
| # | |
| # Checks out the clean tag, installs CodeQL, and bundles packs for release. | |
| # Publishing to GHCR is controlled by the publish_codeql_packs flag; bundling | |
| # always runs so that pack artifacts are available for the GitHub Release. | |
| # Runs in parallel with npm publishing since they are independent. | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| publish-codeql: | |
| name: Publish CodeQL Packs | |
| needs: [resolve-version, ensure-tag] | |
| permissions: | |
| contents: read | |
| packages: write | |
| uses: ./.github/workflows/release-codeql.yml | |
| with: | |
| publish_codeql_packs: ${{ needs.resolve-version.outputs.publish_codeql_packs == 'true' }} | |
| version: ${{ needs.resolve-version.outputs.version }} | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| # Step 4: Create GitHub Release | |
| # | |
| # Downloads the clean build artifact (from npm workflow) and pack bundles | |
| # (from CodeQL workflow), assembles the distribution archive, and creates the | |
| # GitHub Release. Requires npm publishing and create_github_release to be | |
| # enabled. CodeQL packs are always bundled as release artifacts regardless of | |
| # the publish_codeql_packs flag. | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| create-release: | |
| name: Create GitHub Release | |
| if: >- | |
| always() && !failure() && !cancelled() | |
| && needs.resolve-version.outputs.create_github_release == 'true' | |
| && needs.resolve-version.outputs.publish_npm == 'true' | |
| needs: [resolve-version, ensure-tag, publish-npm, publish-codeql] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Release - Download release build artifact | |
| uses: actions/download-artifact@v6 | |
| with: | |
| name: release-build-${{ needs.resolve-version.outputs.version }} | |
| - name: Release - Download CodeQL pack artifacts | |
| uses: actions/download-artifact@v6 | |
| with: | |
| name: codeql-tool-query-packs-${{ needs.resolve-version.outputs.version }} | |
| path: dist-packs | |
| - name: Release - Create distribution directory | |
| run: | | |
| mkdir -p dist-package/server | |
| mkdir -p dist-package/docs | |
| # Copy server distributable files | |
| cp -r server/dist dist-package/server/ | |
| cp -r server/ql dist-package/server/ | |
| cp server/package.json dist-package/server/ | |
| # Copy scripts (setup-packs.sh is referenced by the bin field) | |
| mkdir -p dist-package/server/scripts | |
| cp server/scripts/setup-packs.sh dist-package/server/scripts/ | |
| # Copy root files | |
| cp README.md dist-package/ | |
| cp LICENSE dist-package/ | |
| # Copy documentation | |
| cp -r docs/* dist-package/docs/ | |
| - name: Release - Clean QL test directories from distribution | |
| run: | | |
| # Remove test and examples directories from ql folders (only keep src) | |
| find dist-package/server/ql -type d \( -name "test" -o -name "examples" \) -prune -exec rm -rf {} \; | |
| - name: Release - Install production dependencies | |
| working-directory: dist-package/server | |
| run: npm install --omit=dev --include=optional | |
| - name: Release - Create archive | |
| run: | | |
| tar -czvf codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}.tar.gz -C dist-package . | |
| - name: Release - Upload artifact | |
| uses: actions/upload-artifact@v6 | |
| with: | |
| name: codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }} | |
| path: codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}.tar.gz | |
| - name: Release - Create GitHub Release | |
| uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 | |
| with: | |
| files: | | |
| codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}.tar.gz | |
| dist-packs/*.tar.gz | |
| generate_release_notes: true | |
| tag_name: ${{ needs.resolve-version.outputs.version }} | |
| - name: Release - Summary | |
| run: | | |
| VERSION="${{ needs.resolve-version.outputs.version }}" | |
| RELEASE_NAME="${{ needs.resolve-version.outputs.release_name }}" | |
| echo "## Release Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "| Step | Status |" >> $GITHUB_STEP_SUMMARY | |
| echo "| ---- | ------ |" >> $GITHUB_STEP_SUMMARY | |
| echo "| Tag | ✅ ${VERSION} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| Server build | ✅ Success |" >> $GITHUB_STEP_SUMMARY | |
| echo "| Version validation | ✅ All files match ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| npm publish | ✅ Published to npmjs.org |" >> $GITHUB_STEP_SUMMARY | |
| if [ "${{ needs.resolve-version.outputs.publish_codeql_packs }}" == "true" ]; then | |
| echo "| CodeQL pack publish | ✅ Published to GHCR |" >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "| CodeQL pack publish | ⏭️ Skipped (packs bundled only) |" >> $GITHUB_STEP_SUMMARY | |
| fi | |
| echo "| Distribution archive | ✅ Created |" >> $GITHUB_STEP_SUMMARY | |
| echo "| GitHub Release | ✅ Created |" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Package Contents" >> $GITHUB_STEP_SUMMARY | |
| echo "- \`server/dist/\` - Bundled JavaScript output" >> $GITHUB_STEP_SUMMARY | |
| echo "- \`server/ql/*/tools/src/\` - CodeQL tool queries" >> $GITHUB_STEP_SUMMARY | |
| echo "- \`server/node_modules/\` - Production dependencies" >> $GITHUB_STEP_SUMMARY | |
| echo "- \`docs/\` - User documentation" >> $GITHUB_STEP_SUMMARY | |
| echo "- \`README.md\` - Project overview" >> $GITHUB_STEP_SUMMARY | |
| echo "- \`LICENSE\` - CodeQL Terms and Conditions" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Published CodeQL Packs" >> $GITHUB_STEP_SUMMARY | |
| echo "| Pack | Version |" >> $GITHUB_STEP_SUMMARY | |
| echo "| ---- | ------- |" >> $GITHUB_STEP_SUMMARY | |
| for lang in actions cpp csharp go java javascript python ruby swift; do | |
| echo "| \`advanced-security/ql-mcp-${lang}-tools-src\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY | |
| done |