From 783315c4c597dd4d335845a333411056cbebd58a Mon Sep 17 00:00:00 2001 From: Nathan Randall Date: Mon, 16 Feb 2026 22:11:33 -0700 Subject: [PATCH 1/5] Add nightly CodeQL CLI update workflow Detect new CodeQL CLI releases and create a PR with updated version files, rebuilt dependencies, and passing build/tests. --- .github/workflows/update-codeql.yml | 159 ++++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) create mode 100644 .github/workflows/update-codeql.yml diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml new file mode 100644 index 00000000..63ecdc03 --- /dev/null +++ b/.github/workflows/update-codeql.yml @@ -0,0 +1,159 @@ +name: Update CodeQL CLI Dependencies + +on: + workflow_dispatch: + # Nightly check for new CodeQL CLI releases + schedule: + - cron: '30 5 * * *' + +permissions: + contents: read + +jobs: + # ───────────────────────────────────────────────────────────────────────────── + # Step 1: Detect new CodeQL CLI version + # + # Compares the current CodeQL CLI version in .codeql-version against the + # latest release from github/codeql-cli-binaries. If a newer version is + # available, downstream jobs orchestrate the update and PR creation. + # ───────────────────────────────────────────────────────────────────────────── + detect-update: + name: Detect CodeQL CLI Update + runs-on: ubuntu-latest + + outputs: + current_version: ${{ steps.check-version.outputs.current_version }} + latest_version: ${{ steps.check-version.outputs.latest_version }} + update_needed: ${{ steps.check-version.outputs.update_needed }} + version: ${{ steps.check-version.outputs.version }} + + steps: + - name: Detect - Checkout repository + uses: actions/checkout@v6 + + - name: Detect - Check latest CodeQL CLI version + id: check-version + env: + GH_TOKEN: ${{ github.token }} + run: | + echo "Checking latest CodeQL CLI version..." + + # Read current version from .codeql-version (stores vX.Y.Z) + current_version_raw=$(cat .codeql-version | tr -d '[:space:]') + current_version="${current_version_raw#v}" + + # Get latest release from codeql-cli-binaries + latest_tag=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName') + latest_clean="${latest_tag#v}" + + echo "Current CodeQL CLI version: ${current_version}" + echo "Latest CodeQL CLI version: ${latest_clean}" + + if [ "${latest_clean}" != "${current_version}" ]; then + echo "✅ Update available: ${current_version} → ${latest_clean}" + echo "update_needed=true" >> $GITHUB_OUTPUT + echo "current_version=${current_version}" >> $GITHUB_OUTPUT + echo "latest_version=${latest_clean}" >> $GITHUB_OUTPUT + echo "version=v${latest_clean}" >> $GITHUB_OUTPUT + else + echo "ℹ️ CodeQL CLI is already up-to-date at version ${current_version}" + echo "update_needed=false" >> $GITHUB_OUTPUT + fi + + - name: Detect - Summary + run: | + echo "## CodeQL CLI Update Check" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + if [ "${{ steps.check-version.outputs.update_needed }}" == "true" ]; then + echo "✅ Update available: ${{ steps.check-version.outputs.current_version }} → ${{ steps.check-version.outputs.latest_version }}" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Initiating update pipeline for \`${{ steps.check-version.outputs.version }}\`..." >> $GITHUB_STEP_SUMMARY + else + echo "ℹ️ CodeQL CLI is already up-to-date. No changes needed." >> $GITHUB_STEP_SUMMARY + fi + + # ───────────────────────────────────────────────────────────────────────────── + # Step 2: Update version, build, test, and create PR + # + # Updates all version-bearing files, installs dependencies, runs the full + # build-and-test suite, and creates a pull request with the changes. + # ───────────────────────────────────────────────────────────────────────────── + create-pr: + name: Create Update Pull Request + needs: detect-update + if: needs.detect-update.outputs.update_needed == 'true' + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + + steps: + - name: Update - Checkout repository + uses: actions/checkout@v6 + + - name: Update - Update .codeql-version + run: | + printf "v%s\n" "${{ needs.detect-update.outputs.latest_version }}" > .codeql-version + echo "Updated .codeql-version to ${{ needs.detect-update.outputs.version }}" + + - name: Update - Setup CodeQL environment + uses: ./.github/actions/setup-codeql-environment + with: + add-to-path: true + install-language-runtimes: false + + - name: Update - Setup Node.js + uses: actions/setup-node@v6 + with: + cache: 'npm' + node-version-file: '.node-version' + + - name: Update - Update version in all files + run: | + LATEST="${{ needs.detect-update.outputs.latest_version }}" + echo "Updating all version-bearing files to ${LATEST}..." + ./server/scripts/update-release-version.sh --skip-cli-validation "${LATEST}" + + - name: Update - Install dependencies + run: npm install --include=optional + + - name: Update - Install CodeQL pack dependencies + run: server/scripts/install-packs.sh + + - name: Update - Build and test + run: npm run build-and-test + + - name: Update - Create Pull Request + uses: peter-evans/create-pull-request@v8 + with: + title: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}' + body: | + This PR upgrades the CodeQL CLI version to ${{ needs.detect-update.outputs.version }}. + + **Changes made:** + - Updated `.codeql-version` to `${{ needs.detect-update.outputs.version }}` + - Updated all version-bearing files (package.json, codeql-pack.yml) to `${{ needs.detect-update.outputs.latest_version }}` + - Regenerated `package-lock.json` + - Installed CodeQL pack dependencies + - Build and tests passed ✅ + commit-message: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}' + delete-branch: true + branch: 'codeql/upgrade-to-${{ needs.detect-update.outputs.version }}' + + - name: Update - Summary + run: | + VERSION="${{ needs.detect-update.outputs.version }}" + CURRENT="${{ needs.detect-update.outputs.current_version }}" + LATEST="${{ needs.detect-update.outputs.latest_version }}" + echo "## CodeQL CLI Update Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Triggered by CodeQL CLI update: ${CURRENT} → ${LATEST}" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| Property | Old Value | New Value |" >> $GITHUB_STEP_SUMMARY + echo "| -------- | --------- | --------- |" >> $GITHUB_STEP_SUMMARY + echo "| .codeql-version | v${CURRENT} | ${VERSION} |" >> $GITHUB_STEP_SUMMARY + echo "| package.json versions | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY + echo "| codeql-pack.yml versions | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "A pull request has been created with these changes." >> $GITHUB_STEP_SUMMARY From e5f8b192e8a042ed20b8e2ab4243c849b753e417 Mon Sep 17 00:00:00 2001 From: Nathan Randall <70299490+data-douser@users.noreply.github.com> Date: Wed, 18 Feb 2026 19:59:54 -0700 Subject: [PATCH 2/5] Update update-codeql.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com> --- .github/workflows/update-codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml index 63ecdc03..10d93a30 100644 --- a/.github/workflows/update-codeql.yml +++ b/.github/workflows/update-codeql.yml @@ -113,7 +113,7 @@ jobs: run: | LATEST="${{ needs.detect-update.outputs.latest_version }}" echo "Updating all version-bearing files to ${LATEST}..." - ./server/scripts/update-release-version.sh --skip-cli-validation "${LATEST}" + ./server/scripts/update-release-version.sh "${LATEST}" - name: Update - Install dependencies run: npm install --include=optional From fc260c13931e2feba5163c10abec70527d6baccb Mon Sep 17 00:00:00 2001 From: Nathan Randall <70299490+data-douser@users.noreply.github.com> Date: Wed, 18 Feb 2026 20:34:00 -0700 Subject: [PATCH 3/5] Update .github/workflows/update-codeql.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com> --- .github/workflows/update-codeql.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml index 10d93a30..644bea12 100644 --- a/.github/workflows/update-codeql.yml +++ b/.github/workflows/update-codeql.yml @@ -46,6 +46,11 @@ jobs: latest_tag=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName') latest_clean="${latest_tag#v}" + if [ -z "${latest_tag}" ]; then + echo "❌ ERROR: Failed to determine latest CodeQL CLI release. 'gh release list' returned no results or no release is marked as latest." >&2 + echo "update_needed=false" >> $GITHUB_OUTPUT + exit 1 + fi echo "Current CodeQL CLI version: ${current_version}" echo "Latest CodeQL CLI version: ${latest_clean}" From 8edf08070b598f1702279ccbe73d2e73fd375a7e Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Wed, 18 Feb 2026 20:34:47 -0700 Subject: [PATCH 4/5] Add validation for empty latest_tag in CodeQL update workflow (#60) * Initial plan * Add validation for empty latest_tag in update-codeql workflow Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com> --- .github/workflows/update-codeql.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml index 644bea12..f7457fbf 100644 --- a/.github/workflows/update-codeql.yml +++ b/.github/workflows/update-codeql.yml @@ -44,6 +44,14 @@ jobs: # Get latest release from codeql-cli-binaries latest_tag=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName') + + # Validate that we found a latest release + if [ -z "${latest_tag}" ]; then + echo "❌ Error: Could not determine latest CodeQL CLI version from github/codeql-cli-binaries" >&2 + echo "No release marked as 'latest' was found. This may indicate an API issue or repository change." >&2 + exit 1 + fi + latest_clean="${latest_tag#v}" if [ -z "${latest_tag}" ]; then From f4c8e6eed2b7843c251a2985e7cf1039e537763e Mon Sep 17 00:00:00 2001 From: Nathan Randall <70299490+data-douser@users.noreply.github.com> Date: Wed, 18 Feb 2026 20:38:15 -0700 Subject: [PATCH 5/5] Apply suggestion from @data-douser Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com> --- .github/workflows/update-codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml index f7457fbf..41f68085 100644 --- a/.github/workflows/update-codeql.yml +++ b/.github/workflows/update-codeql.yml @@ -138,7 +138,7 @@ jobs: run: npm run build-and-test - name: Update - Create Pull Request - uses: peter-evans/create-pull-request@v8 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 with: title: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}' body: |