|
| 1 | +name: Release CodeQL - Publish and Bundle CodeQL Packs |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_call: |
| 5 | + inputs: |
| 6 | + publish_codeql_packs: |
| 7 | + default: true |
| 8 | + description: 'Publish CodeQL tool query packs to GHCR. Disable for pre-release or re-run scenarios where packs already exist.' |
| 9 | + required: false |
| 10 | + type: boolean |
| 11 | + version: |
| 12 | + description: 'Release version tag (e.g., vX.Y.Z). Must start with "v".' |
| 13 | + required: true |
| 14 | + type: string |
| 15 | + outputs: |
| 16 | + release_name: |
| 17 | + description: 'The release name without "v" prefix (e.g., X.Y.Z)' |
| 18 | + value: ${{ jobs.publish-codeql-packs.outputs.release_name }} |
| 19 | + version: |
| 20 | + description: 'The full version string with "v" prefix (e.g., vX.Y.Z)' |
| 21 | + value: ${{ jobs.publish-codeql-packs.outputs.version }} |
| 22 | + workflow_dispatch: |
| 23 | + inputs: |
| 24 | + publish_codeql_packs: |
| 25 | + default: true |
| 26 | + description: 'Publish CodeQL tool query packs to GHCR. Disable for pre-release or re-run scenarios where packs already exist.' |
| 27 | + required: false |
| 28 | + type: boolean |
| 29 | + version: |
| 30 | + description: 'Release version tag (e.g., vX.Y.Z). Must start with "v". Tag must already exist.' |
| 31 | + required: true |
| 32 | + type: string |
| 33 | + |
| 34 | +permissions: |
| 35 | + contents: read |
| 36 | + |
| 37 | +jobs: |
| 38 | + publish-codeql-packs: |
| 39 | + name: Publish and Bundle CodeQL Packs |
| 40 | + runs-on: ubuntu-latest |
| 41 | + |
| 42 | + environment: release-codeql |
| 43 | + |
| 44 | + permissions: |
| 45 | + contents: read |
| 46 | + packages: write |
| 47 | + |
| 48 | + outputs: |
| 49 | + release_name: ${{ steps.version.outputs.release_name }} |
| 50 | + version: ${{ steps.version.outputs.version }} |
| 51 | + |
| 52 | + steps: |
| 53 | + - name: CodeQL - Validate and parse version |
| 54 | + id: version |
| 55 | + run: | |
| 56 | + VERSION="${{ inputs.version }}" |
| 57 | + if [[ ! "${VERSION}" =~ ^v ]]; then |
| 58 | + echo "::error::Version '${VERSION}' must start with 'v'" |
| 59 | + exit 1 |
| 60 | + fi |
| 61 | + echo "version=${VERSION}" >> $GITHUB_OUTPUT |
| 62 | + echo "release_name=${VERSION#v}" >> $GITHUB_OUTPUT |
| 63 | +
|
| 64 | + - name: CodeQL - Checkout tag |
| 65 | + uses: actions/checkout@v6 |
| 66 | + with: |
| 67 | + ref: refs/tags/${{ steps.version.outputs.version }} |
| 68 | + |
| 69 | + - name: CodeQL - Setup CodeQL environment |
| 70 | + uses: ./.github/actions/setup-codeql-environment |
| 71 | + with: |
| 72 | + add-to-path: true |
| 73 | + install-language-runtimes: false |
| 74 | + |
| 75 | + - name: CodeQL - Install CodeQL pack dependencies |
| 76 | + run: server/scripts/install-packs.sh |
| 77 | + |
| 78 | + - name: CodeQL - Publish CodeQL tool query packs |
| 79 | + if: inputs.publish_codeql_packs |
| 80 | + env: |
| 81 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 82 | + run: | |
| 83 | + LANGUAGES="actions cpp csharp go java javascript python ruby swift" |
| 84 | + echo "Publishing CodeQL tool query packs..." |
| 85 | + for lang in ${LANGUAGES}; do |
| 86 | + PACK_DIR="server/ql/${lang}/tools/src" |
| 87 | + if [ -d "${PACK_DIR}" ]; then |
| 88 | + echo "📦 Publishing ${PACK_DIR}..." |
| 89 | + codeql pack publish --threads=-1 -- "${PACK_DIR}" |
| 90 | + echo "✅ Published ${lang} tool query pack" |
| 91 | + else |
| 92 | + echo "⚠️ Skipping ${lang}: ${PACK_DIR} not found" |
| 93 | + fi |
| 94 | + done |
| 95 | +
|
| 96 | + - name: CodeQL - Skip CodeQL tool query pack publishing |
| 97 | + if: '!inputs.publish_codeql_packs' |
| 98 | + run: echo "⏭️ CodeQL tool query pack publishing disabled via workflow input" |
| 99 | + |
| 100 | + - name: CodeQL - Bundle CodeQL tool query packs |
| 101 | + run: | |
| 102 | + mkdir -p dist-packs |
| 103 | + LANGUAGES="actions cpp csharp go java javascript python ruby swift" |
| 104 | + echo "Bundling CodeQL tool query packs..." |
| 105 | + for lang in ${LANGUAGES}; do |
| 106 | + PACK_DIR="server/ql/${lang}/tools/src" |
| 107 | + if [ -d "${PACK_DIR}" ]; then |
| 108 | + PACK_NAME="ql-mcp-${lang}-tools-src" |
| 109 | + OUTPUT="dist-packs/${PACK_NAME}.tar.gz" |
| 110 | + echo "📦 Bundling ${PACK_DIR} -> ${OUTPUT}..." |
| 111 | + codeql pack bundle --threads=-1 --output="${OUTPUT}" -- "${PACK_DIR}" |
| 112 | + echo "✅ Bundled ${PACK_NAME}" |
| 113 | + fi |
| 114 | + done |
| 115 | + echo "Bundled packs:" |
| 116 | + ls -lh dist-packs/ |
| 117 | +
|
| 118 | + - name: CodeQL - Upload CodeQL pack artifacts |
| 119 | + uses: actions/upload-artifact@v6 |
| 120 | + with: |
| 121 | + name: codeql-tool-query-packs-${{ steps.version.outputs.version }} |
| 122 | + path: dist-packs/*.tar.gz |
| 123 | + |
| 124 | + - name: CodeQL - Summary |
| 125 | + run: | |
| 126 | + VERSION="${{ steps.version.outputs.version }}" |
| 127 | + RELEASE_NAME="${{ steps.version.outputs.release_name }}" |
| 128 | + echo "## CodeQL Packs Summary" >> $GITHUB_STEP_SUMMARY |
| 129 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 130 | + if [ "${{ inputs.publish_codeql_packs }}" == "true" ]; then |
| 131 | + echo "✅ Published CodeQL tool query packs to GHCR" >> $GITHUB_STEP_SUMMARY |
| 132 | + else |
| 133 | + echo "⏭️ CodeQL tool query pack publishing was disabled" >> $GITHUB_STEP_SUMMARY |
| 134 | + fi |
| 135 | + echo "✅ Bundled CodeQL tool query packs as artifacts" >> $GITHUB_STEP_SUMMARY |
| 136 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 137 | + echo "### Published CodeQL Packs" >> $GITHUB_STEP_SUMMARY |
| 138 | + echo "| Pack | Version |" >> $GITHUB_STEP_SUMMARY |
| 139 | + echo "| ---- | ------- |" >> $GITHUB_STEP_SUMMARY |
| 140 | + for lang in actions cpp csharp go java javascript python ruby swift; do |
| 141 | + echo "| \`advanced-security/ql-mcp-${lang}-tools-src\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY |
| 142 | + done |
0 commit comments