Fix release-codeql.yml workflow conditionals

data-douser · data-douser · commit 8a5abbf64c61 · 2026-02-10T21:06:59.000-07:00
diff --git a/.github/workflows/release-codeql.yml b/.github/workflows/release-codeql.yml
@@ -70,6 +70,12 @@ jobs:
       - name: CodeQL - Install CodeQL pack dependencies
         run: server/scripts/install-packs.sh
 
+      - name: CodeQL - Validate version consistency
+        run: |
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
+          echo "Validating all version-bearing files match ${RELEASE_NAME}..."
+          ./server/scripts/update-release-version.sh --check "${RELEASE_NAME}"
+
       - name: CodeQL - Publish CodeQL tool query packs
         if: inputs.publish_codeql_packs
         env:
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
@@ -71,6 +71,12 @@ jobs:
       - name: npm - Build server
         run: npm run build -w server
 
+      - name: npm - Validate version consistency
+        run: |
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
+          echo "Validating all version-bearing files match ${RELEASE_NAME}..."
+          ./server/scripts/update-release-version.sh --check "${RELEASE_NAME}"
+
       - name: npm - Publish npm package
         working-directory: server
         run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ on:
         type: boolean
       publish_codeql_packs:
         default: true
-        description: 'Publish CodeQL tool query packs to GHCR. Disable for pre-release or re-run scenarios where packs already exist.'
+        description: 'Publish CodeQL tool query packs to GHCR. Disable for pre-release or re-run scenarios where packs already exist. Packs are always bundled as release artifacts regardless of this setting.'
         required: false
         type: boolean
       publish_npm:
@@ -120,14 +120,15 @@ jobs:
       version: ${{ needs.resolve-version.outputs.version }}
 
   # ─────────────────────────────────────────────────────────────────────────────
-  # Step 3b: Publish and bundle CodeQL packs
+  # Step 3b: Bundle and optionally publish CodeQL packs
   #
-  # Checks out the clean tag, installs CodeQL, and publishes + bundles packs.
+  # Checks out the clean tag, installs CodeQL, and bundles packs for release.
+  # Publishing to GHCR is controlled by the publish_codeql_packs flag; bundling
+  # always runs so that pack artifacts are available for the GitHub Release.
   # Runs in parallel with npm publishing since they are independent.
   # ─────────────────────────────────────────────────────────────────────────────
   publish-codeql:
     name: Publish CodeQL Packs
-    if: needs.resolve-version.outputs.publish_codeql_packs == 'true'
     needs: [resolve-version, ensure-tag]
     permissions:
       contents: read
@@ -142,17 +143,16 @@ jobs:
   #
   # Downloads the clean build artifact (from npm workflow) and pack bundles
   # (from CodeQL workflow), assembles the distribution archive, and creates the
-  # GitHub Release. Only runs for full releases (all publish steps enabled and
-  # create_github_release is true). Partial workflows (e.g., re-publishing only
-  # npm or only CodeQL packs) skip this step.
+  # GitHub Release. Requires npm publishing and create_github_release to be
+  # enabled. CodeQL packs are always bundled as release artifacts regardless of
+  # the publish_codeql_packs flag.
   # ─────────────────────────────────────────────────────────────────────────────
   create-release:
     name: Create GitHub Release
     if: >-
       always() && !failure() && !cancelled()
       && needs.resolve-version.outputs.create_github_release == 'true'
       && needs.resolve-version.outputs.publish_npm == 'true'
-      && needs.resolve-version.outputs.publish_codeql_packs == 'true'
     needs: [resolve-version, ensure-tag, publish-npm, publish-codeql]
     runs-on: ubuntu-latest
 
@@ -232,7 +232,11 @@ jobs:
           echo "| Server build | ✅ Success |" >> $GITHUB_STEP_SUMMARY
           echo "| Version validation | ✅ All files match ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
           echo "| npm publish | ✅ Published to npmjs.org |" >> $GITHUB_STEP_SUMMARY
-          echo "| CodeQL pack publish | ✅ Published to GHCR |" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ needs.resolve-version.outputs.publish_codeql_packs }}" == "true" ]; then
+            echo "| CodeQL pack publish | ✅ Published to GHCR |" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "| CodeQL pack publish | ⏭️ Skipped (packs bundled only) |" >> $GITHUB_STEP_SUMMARY
+          fi
           echo "| Distribution archive | ✅ Created |" >> $GITHUB_STEP_SUMMARY
           echo "| GitHub Release | ✅ Created |" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
diff --git a/server/scripts/setup-packs.sh b/server/scripts/setup-packs.sh
@@ -41,6 +41,11 @@ EOF
 while [[ $# -gt 0 ]]; do
   case $1 in
     --language)
+      if [[ $# -lt 2 || "$2" =~ ^- ]]; then
+        echo "Error: --language requires a value" >&2
+        usage >&2
+        exit 1
+      fi
       LANGUAGE="$2"
       shift 2
       ;;
@@ -91,9 +96,14 @@ SCRIPT_PATH="${BASH_SOURCE[0]}"
 if command -v realpath &> /dev/null; then
   SCRIPT_PATH="$(realpath "${SCRIPT_PATH}")"
 elif command -v readlink &> /dev/null; then
-  # macOS readlink doesn't support -f, use a loop
+  # macOS readlink doesn't support -f, use a loop to resolve symlinks
   while [ -L "${SCRIPT_PATH}" ]; do
-    SCRIPT_PATH="$(readlink "${SCRIPT_PATH}")"
+    LINK_TARGET="$(readlink "${SCRIPT_PATH}")"
+    # Resolve relative targets against the symlink's directory
+    if [[ "${LINK_TARGET}" != /* ]]; then
+      LINK_TARGET="$(cd "$(dirname "${SCRIPT_PATH}")" && pwd)/${LINK_TARGET}"
+    fi
+    SCRIPT_PATH="${LINK_TARGET}"
   done
 fi
 SCRIPT_DIR="$(cd "$(dirname "${SCRIPT_PATH}")" && pwd)"
diff --git a/server/scripts/update-release-version.sh b/server/scripts/update-release-version.sh
@@ -127,18 +127,30 @@ check_versions() {
 			first_version="${version}"
 		fi
 
+		## .codeql-version stores only the base version (X.Y.Z) even for
+		## prerelease tags. Compare it against the base version of the expected
+		## value or the first version to avoid false mismatches.
+		local effective_expected effective_first
+		if [[ "${file}" == ".codeql-version" ]]; then
+			effective_expected="${expected_version%%-*}"
+			effective_first="${first_version%%-*}"
+		else
+			effective_expected="${expected_version}"
+			effective_first="${first_version}"
+		fi
+
 		if [[ -n "${expected_version}" ]]; then
-			if [[ "${version}" == "${expected_version}" ]]; then
+			if [[ "${version}" == "${effective_expected}" ]]; then
 				echo "  ✅ ${file}: ${version}"
 			else
-				echo "  ❌ ${file}: ${version} (expected ${expected_version})"
+				echo "  ❌ ${file}: ${version} (expected ${effective_expected})"
 				all_consistent=false
 			fi
 		else
-			if [[ "${version}" == "${first_version}" ]]; then
+			if [[ "${version}" == "${effective_first}" ]]; then
 				echo "  ✅ ${file}: ${version}"
 			else
-				echo "  ❌ ${file}: ${version} (differs from ${first_version})"
+				echo "  ❌ ${file}: ${version} (differs from ${effective_first})"
 				all_consistent=false
 			fi
 		fi
