dependabot-commit-dist.yml
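name: Dependabot Commit Dist - CodeQL Development MCP Server
## Auto-rebuild and commit 'server/dist/**' on Dependabot PRs.
##
## Two-workflow handoff: 'build-server.yml' rebuilds with no write token
## (npm ci --ignore-scripts), uploads the 'server-dist' artifact. This
## workflow runs in the trusted default-branch context, downloads the
## artifact, and pushes it to the PR branch. No PR-supplied code executes
## here.
##
## Trust boundary: the artifact is the PR's build output and is treated as
## untrusted data. Nothing from it is executed; only two fixed file names are
## copied into the checkout, and the result lands on the PR branch where it
## remains subject to normal review before merge.
on:
  workflow_run:
    workflows: ['Build Server - CodeQL Development MCP Server']
    types: [completed]

## Default-deny at the workflow level; the single job opts into the write
## scope it needs.
permissions:
  contents: read

jobs:
  commit-dist:
    name: Commit Rebuilt server/dist to Dependabot PR Branch
    runs-on: ubuntu-latest
    ## Only act on a successful PR build whose triggering actor is Dependabot.
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.actor.login == 'dependabot[bot]'
    permissions:
      contents: write  # push the rebuilt bundle to the PR branch
      actions: read    # download the artifact from the build-server run
    steps:
      ## Refuse to push anywhere but a branch of this repository, and make
      ## sure the run tells us which branch/commit was built. Event fields
      ## are passed through env rather than interpolated into the script.
      - name: Commit Dist - Validate workflow_run head
        id: pr
        env:
          HEAD_REPO: ${{ github.event.workflow_run.head_repository.full_name }}
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          if [ "${HEAD_REPO}" != "${REPO}" ]; then
            echo "::error::Refusing to push: head repo '${HEAD_REPO}' != '${REPO}'"
            exit 1
          fi
          if [ -z "${HEAD_BRANCH}" ] || [ -z "${HEAD_SHA}" ]; then
            echo "::error::Missing head_branch or head_sha"
            exit 1
          fi
          echo "branch=${HEAD_BRANCH}" >> "${GITHUB_OUTPUT}"
          echo "sha=${HEAD_SHA}" >> "${GITHUB_OUTPUT}"

      ## persist-credentials is required here because the final step pushes
      ## with the job's GITHUB_TOKEN.
      - name: Commit Dist - Checkout PR branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ steps.pr.outputs.branch }}
          persist-credentials: true
          fetch-depth: 1

      ## Abort if the branch advanced since the build started; the next
      ## build-server run will re-trigger this workflow.
      - name: Commit Dist - Verify checkout matches build SHA
        id: verify
        env:
          EXPECTED_SHA: ${{ steps.pr.outputs.sha }}
        run: |
          set -euo pipefail
          ACTUAL_SHA="$(git rev-parse HEAD)"
          if [ "${ACTUAL_SHA}" != "${EXPECTED_SHA}" ]; then
            echo "::warning::Branch advanced from ${EXPECTED_SHA} to ${ACTUAL_SHA}; skipping."
            echo "skip=true" >> "${GITHUB_OUTPUT}"
          else
            echo "skip=false" >> "${GITHUB_OUTPUT}"
          fi

      - name: Commit Dist - Download server-dist artifact
        if: steps.verify.outputs.skip == 'false'
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: server-dist
          path: artifact/
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      ## Defence in depth: confirm the artifact contains exactly the two
      ## expected bundle files before copying into the repo. The find below
      ## deliberately has no '-type f' filter and uses '-mindepth 1', so
      ## subdirectories, symlinks and any other non-regular entry are
      ## reported as unexpected rather than silently ignored.
      - name: Commit Dist - Verify artifact contents
        if: steps.verify.outputs.skip == 'false'
        run: |
          set -euo pipefail
          for f in codeql-development-mcp-server.js codeql-development-mcp-server.js.map; do
            if [ ! -f "artifact/${f}" ]; then
              echo "::error::Missing expected artifact file: ${f}"
              exit 1
            fi
          done
          # Every entry under artifact/ must be one of the two regular files
          # above; anything else (extra files, directories, symlinks) aborts.
          UNEXPECTED="$(find artifact -mindepth 1 \
            ! \( -type f -name 'codeql-development-mcp-server.js' \) \
            ! \( -type f -name 'codeql-development-mcp-server.js.map' \) \
            -print)"
          if [ -n "${UNEXPECTED}" ]; then
            echo "::error::Unexpected files in artifact:"
            echo "${UNEXPECTED}"
            exit 1
          fi

      ## Copy only the two verified files, stage only those two paths, and
      ## push without force so a branch that moved in the meantime rejects
      ## the non-fast-forward push instead of being overwritten.
      - name: Commit Dist - Commit and push (if changed)
        if: steps.verify.outputs.skip == 'false'
        env:
          BRANCH: ${{ steps.pr.outputs.branch }}
        run: |
          set -euo pipefail
          # Ensure the destination exists; 'cp ... dir/' fails otherwise.
          mkdir -p server/dist
          cp artifact/codeql-development-mcp-server.js server/dist/
          cp artifact/codeql-development-mcp-server.js.map server/dist/
          git config user.name 'dependabot[bot]'
          git config user.email '49699333+dependabot[bot]@users.noreply.github.com'
          git add server/dist/codeql-development-mcp-server.js \
                  server/dist/codeql-development-mcp-server.js.map
          if git diff --cached --quiet; then
            echo "::notice::server/dist already up to date."
            exit 0
          fi
          git commit -m "chore(deps): rebuild server/dist after dependency update
          [dependabot skip]"
          git push origin "HEAD:${BRANCH}"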