---
name: Release - CodeQL Development MCP Server

# Runs on a pushed v-prefixed tag, or manually with an explicit version input.
on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      version:
        type: string
        required: true
        description: 'Release version (e.g., vX.Y.Z). Must start with "v".'
      publish_codeql_packs:
        type: boolean
        required: false
        default: true
        description: >-
          Publish CodeQL tool query packs to GHCR. Disable for pre-release
          or re-run scenarios where packs already exist.

# Workflow-level default is read-only; the release job widens its own scopes.
permissions:
  contents: read
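jobs:
  # Single job: resolve/validate the version, pin the checkout to the tag,
  # build, publish CodeQL packs and the npm package, then cut the GitHub Release.
  build-and-release:
    name: Build and Release
    runs-on: ubuntu-latest
    # Job-scoped write access: contents for tag push + release creation,
    # packages for GHCR (CodeQL packs) and GitHub Packages (npm).
    permissions:
      contents: write
      packages: write
    steps:
      - name: Release - Checkout repository
        # NOTE(review): pinned by major tag, while softprops/action-gh-release
        # below is pinned to a commit SHA; consider pinning all actions alike.
        uses: actions/checkout@v6
        with:
          # Fetch tags so workflow_dispatch can resolve and checkout the target tag
          fetch-tags: true
          # Explicitly checkout the tag ref to ensure we build the correct commit
          # For tag pushes: refs/tags/vX.Y.Z
          # For workflow_dispatch: refs/heads/<branch> (will be validated below)
          ref: ${{ github.ref }}

      - name: Release - Setup Node.js
        uses: actions/setup-node@v6
        with:
          cache: 'npm'
          node-version-file: '.node-version'
          # Registry/scope here are what `npm publish` below targets
          registry-url: 'https://npm.pkg.github.com'
          scope: '@advanced-security'

      - name: Release - Determine version
        id: version
        # Inputs and ref names are handed to the script through env instead of
        # being interpolated into its body, so a value containing shell
        # metacharacters is treated as data rather than executed.
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_VERSION: ${{ github.event.inputs.version }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "${EVENT_NAME}" == "workflow_dispatch" ]; then
            VERSION="${INPUT_VERSION}"
          else
            VERSION="${REF_NAME}"
          fi
          # Must start with 'v' and contain no whitespace: the value is written
          # to $GITHUB_OUTPUT one line per key and reused in tag, file and
          # release names below.
          if [[ ! "${VERSION}" =~ ^v[^[:space:]]+$ ]]; then
            echo "::error::Version '${VERSION}' must start with 'v' and contain no whitespace"
            exit 1
          fi
          echo "version=${VERSION}" >> "${GITHUB_OUTPUT}"
          echo "release_name=${VERSION#v}" >> "${GITHUB_OUTPUT}"

      - name: Release - Checkout or create tag for workflow_dispatch
        if: github.event_name == 'workflow_dispatch'
        env:
          TAG: ${{ steps.version.outputs.version }}
        run: |
          # For workflow_dispatch, we need to checkout the specific tag
          if git rev-parse "refs/tags/${TAG}" >/dev/null 2>&1; then
            echo "Checking out existing tag: ${TAG}"
            git checkout "refs/tags/${TAG}"
          else
            # No such tag yet: whatever commit the dispatched ref points at
            # becomes the release, and the tag is pushed with this job's
            # contents:write token. Dispatch from the intended branch/commit.
            echo "Tag '${TAG}' does not exist. Creating it now..."
            CURRENT_SHA=$(git rev-parse HEAD)
            git tag "${TAG}" "${CURRENT_SHA}"
            git push origin "${TAG}"
            echo "✅ Created and pushed tag: ${TAG} at commit ${CURRENT_SHA:0:8}"
          fi

      - name: Release - Verify checkout matches expected version
        env:
          TAG: ${{ steps.version.outputs.version }}
        run: |
          # Verify we're on the correct commit for the release
          CURRENT_SHA=$(git rev-parse HEAD)
          if git rev-parse "refs/tags/${TAG}" >/dev/null 2>&1; then
            # Peel annotated tags to their commit; fall back to the raw ref
            TAG_SHA=$(git rev-parse "refs/tags/${TAG}^{commit}" 2>/dev/null || git rev-parse "refs/tags/${TAG}")
            if [ "${CURRENT_SHA}" != "${TAG_SHA}" ]; then
              echo "::error::Current checkout (${CURRENT_SHA}) does not match tag ${TAG} (${TAG_SHA})"
              exit 1
            fi
            echo "✅ Verified: Building from tag ${TAG} at commit ${CURRENT_SHA:0:8}"
          else
            echo "::warning::Tag ${TAG} not found, building from current checkout at ${CURRENT_SHA:0:8}"
          fi

      - name: Release - Setup CodeQL environment
        uses: ./.github/actions/setup-codeql-environment
        with:
          add-to-path: true
          install-language-runtimes: false

      - name: Release - Update release version
        env:
          TAG_VERSION: ${{ steps.version.outputs.release_name }}
        run: |
          echo "Updating all version-bearing files to '${TAG_VERSION}'..."
          ./server/scripts/update-release-version.sh "${TAG_VERSION}"

      - name: Release - Install dependencies
        # NOTE(review): `npm install` re-resolves version ranges; `npm ci` would
        # install the lockfile exactly, provided update-release-version.sh leaves
        # the lockfile consistent with package.json — confirm before switching.
        run: npm install --include=optional

      - name: Release - Build server
        run: npm run build -w server

      - name: Release - Install CodeQL pack dependencies
        run: server/scripts/install-packs.sh

      - name: Release - Publish CodeQL tool query packs
        # Tag pushes always publish; dispatches publish unless the input disables it
        if: |
          (startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch')
          && (github.event_name != 'workflow_dispatch' || inputs.publish_codeql_packs)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          LANGUAGES=(actions cpp csharp go java javascript python ruby swift)
          echo "Publishing CodeQL tool query packs..."
          for lang in "${LANGUAGES[@]}"; do
            PACK_DIR="server/ql/${lang}/tools/src"
            if [ -d "${PACK_DIR}" ]; then
              echo "📦 Publishing ${PACK_DIR}..."
              codeql pack publish --threads=-1 -- "${PACK_DIR}"
              echo "✅ Published ${lang} tool query pack"
            else
              echo "⚠️ Skipping ${lang}: ${PACK_DIR} not found"
            fi
          done

      - name: Release - Skip CodeQL tool query pack publishing
        if: github.event_name == 'workflow_dispatch' && !inputs.publish_codeql_packs
        run: echo "⏭️ CodeQL tool query pack publishing disabled via workflow input"

      - name: Release - Bundle CodeQL tool query packs
        run: |
          mkdir -p dist-packs
          LANGUAGES=(actions cpp csharp go java javascript python ruby swift)
          echo "Bundling CodeQL tool query packs..."
          for lang in "${LANGUAGES[@]}"; do
            PACK_DIR="server/ql/${lang}/tools/src"
            if [ -d "${PACK_DIR}" ]; then
              PACK_NAME="ql-mcp-${lang}-tools-src"
              OUTPUT="dist-packs/${PACK_NAME}.tar.gz"
              echo "📦 Bundling ${PACK_DIR} -> ${OUTPUT}..."
              codeql pack bundle --threads=-1 --output="${OUTPUT}" -- "${PACK_DIR}"
              echo "✅ Bundled ${PACK_NAME}"
            fi
          done
          echo "Bundled packs:"
          ls -lh dist-packs/

      - name: Release - Upload CodeQL pack artifacts
        uses: actions/upload-artifact@v6
        with:
          name: codeql-tool-query-packs-${{ steps.version.outputs.version }}
          path: dist-packs/*.tar.gz

      - name: Release - Publish npm package
        if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch'
        working-directory: server
        env:
          # Authorised by the job's packages:write scope
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Publishing @advanced-security/codeql-development-mcp-server to GitHub Packages..."
          npm publish
          echo "✅ Published npm package to GitHub Packages"

      - name: Release - Create distribution directory
        run: |
          mkdir -p dist-package/server dist-package/docs
          # Copy server distributable files
          cp -r server/dist dist-package/server/
          cp -r server/ql dist-package/server/
          cp server/package.json dist-package/server/
          # Copy root files
          cp README.md dist-package/
          cp LICENSE dist-package/
          # Copy documentation
          cp -r docs/* dist-package/docs/

      - name: Release - Clean QL test directories from distribution
        run: |
          # Remove test and examples directories from ql folders (only keep src)
          find dist-package/server/ql -type d \( -name "test" -o -name "examples" \) -prune -exec rm -rf {} +

      - name: Release - Install production dependencies
        working-directory: dist-package/server
        # NOTE(review): only package.json is copied into dist-package/server, so
        # this resolves ranges afresh rather than from a lockfile; the shipped
        # node_modules may differ from what was built and tested above.
        run: npm install --omit=dev --include=optional

      - name: Release - Create archive
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          tar -czvf "codeql-development-mcp-server-${VERSION}.tar.gz" -C dist-package .

      - name: Release - Upload artifact
        uses: actions/upload-artifact@v6
        with:
          name: codeql-development-mcp-server-${{ steps.version.outputs.version }}
          path: codeql-development-mcp-server-${{ steps.version.outputs.version }}.tar.gz

      - name: Release - Create GitHub Release
        if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch'
        # Pinned to a commit SHA so the release step cannot change under a moved tag
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: ${{ steps.version.outputs.version }}
          generate_release_notes: true
          files: |
            codeql-development-mcp-server-${{ steps.version.outputs.version }}.tar.gz
            dist-packs/*.tar.gz

      - name: Release - Summary
        env:
          EVENT_NAME: ${{ github.event_name }}
          PUBLISH_PACKS: ${{ inputs.publish_codeql_packs }}
          RELEASE_NAME: ${{ steps.version.outputs.release_name }}
        run: |
          {
            echo "## Release Summary"
            echo ""
            echo "| Step | Status |"
            echo "| ---- | ------ |"
            echo "| Server build | ✅ Success |"
            echo "| Version validation | ✅ All files match ${RELEASE_NAME} |"
            if [[ "${EVENT_NAME}" == "workflow_dispatch" && "${PUBLISH_PACKS}" != "true" ]]; then
              echo "| CodeQL pack publish | ⏭️ Skipped (disabled via input) |"
            else
              echo "| CodeQL pack publish | ✅ Published to GHCR |"
            fi
            echo "| npm package | ✅ Published to GitHub Packages |"
            echo "| Distribution archive | ✅ Created |"
            echo "| CodeQL pack bundles | ✅ Bundled |"
            echo ""
            echo "### Package Contents"
            echo "- \`server/dist/\` - Bundled JavaScript output"
            echo "- \`server/ql/*/tools/src/\` - CodeQL tool queries"
            echo "- \`server/node_modules/\` - Production dependencies"
            echo "- \`docs/\` - User documentation"
            echo "- \`README.md\` - Project overview"
            echo "- \`LICENSE\` - CodeQL Terms and Conditions"
            echo ""
            echo "### Published CodeQL Packs"
            echo "| Pack | Version |"
            echo "| ---- | ------- |"
            for lang in actions cpp csharp go java javascript python ruby swift; do
              echo "| \`advanced-security/ql-mcp-${lang}-tools-src\` | ${RELEASE_NAME} |"
            done
          } >> "${GITHUB_STEP_SUMMARY}"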