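name: Update CodeQL CLI Dependencies

on:
  workflow_dispatch:
  # Nightly check for new CodeQL CLI releases
  schedule:
    - cron: '30 0 * * *'

# A scheduled run and a manual dispatch must not race each other through the
# tag -> publish -> release sequence (both would try to create the same tag).
# Queue them; never cancel a run that may already be half-way through a release.
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false

# Default token is read-only; jobs that need to write request it explicitly.
permissions:
  contents: read

jobs:
  # ─────────────────────────────────────────────────────────────────────────────
  # Step 1: Detect new CodeQL CLI version
  #
  # Compares the current CodeQL CLI version in qlt.conf.json against the latest
  # release from github/codeql-cli-binaries. If a newer version is available,
  # downstream jobs orchestrate a full release using the same child workflows
  # as release.yml, guarded by environment approval gates.
  #
  # The version strings produced here flow into git tags, package versions,
  # artifact names and the GitHub Release, so they are validated before being
  # exported as job outputs and are never interpolated directly into shell.
  # ─────────────────────────────────────────────────────────────────────────────
  detect-update:
    name: Detect CodeQL CLI Update
    runs-on: ubuntu-latest
    outputs:
      current_version: ${{ steps.check-version.outputs.current_version }}
      latest_version: ${{ steps.check-version.outputs.latest_version }}
      update_needed: ${{ steps.check-version.outputs.update_needed }}
      version: ${{ steps.check-version.outputs.version }}
    steps:
      - name: Detect - Checkout repository
        # NOTE(security): softprops/action-gh-release below is pinned to a commit
        # SHA, but the actions/* references in this file use mutable major tags.
        # Consider pinning them to full commit SHAs as well for consistency.
        uses: actions/checkout@v6
        with:
          # This job only reads qlt.conf.json; the GH_TOKEN env var is what `gh`
          # uses, so there is no need to leave the token behind in .git/config.
          persist-credentials: false
      - name: Detect - Check latest CodeQL CLI version
        id: check-version
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          echo "Checking latest CodeQL CLI version..."
          current_version=$(jq -r .CodeQLCLI qlt.conf.json)
          latest_tag=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName')
          latest_clean="${latest_tag#v}"
          # Fail closed on anything that is not a plain X.Y.Z. An empty jq result
          # (no `isLatest` entry in the listing) or a literal `null` (missing
          # config key) would otherwise compare unequal and kick off a release of
          # version "v". Pre-release-style tags are also rejected on purpose —
          # relax the pattern deliberately if those should ever be released.
          for v in "${current_version}" "${latest_clean}"; do
            if ! [[ "${v}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              echo "::error::Unexpected CodeQL CLI version string: '${v}'"
              exit 1
            fi
          done
          echo "Current CodeQL CLI version: ${current_version}"
          echo "Latest CodeQL CLI version: ${latest_clean}"
          if [ "${latest_clean}" != "${current_version}" ]; then
            echo "✅ Update available: ${current_version} → ${latest_clean}"
            {
              echo "update_needed=true"
              echo "current_version=${current_version}"
              echo "latest_version=${latest_clean}"
              echo "version=v${latest_clean}"
            } >> "$GITHUB_OUTPUT"
          else
            echo "ℹ️ CodeQL CLI is already up-to-date at version ${current_version}"
            echo "update_needed=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Detect - Summary
        # Step outputs are passed through env rather than ${{ }} inside `run`,
        # so a crafted tag name from the upstream repo cannot become shell code.
        env:
          UPDATE_NEEDED: ${{ steps.check-version.outputs.update_needed }}
          CURRENT_VERSION: ${{ steps.check-version.outputs.current_version }}
          LATEST_VERSION: ${{ steps.check-version.outputs.latest_version }}
        run: |
          {
            echo "## CodeQL CLI Update Check"
            echo ""
            if [ "${UPDATE_NEEDED}" == "true" ]; then
              echo "✅ Update available: ${CURRENT_VERSION} → ${LATEST_VERSION}"
              echo ""
              echo "Initiating release pipeline for \`v${LATEST_VERSION}\`..."
            else
              echo "ℹ️ CodeQL CLI is already up-to-date. No release needed."
            fi
          } >> "$GITHUB_STEP_SUMMARY"

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 2: Create release tag
  #
  # Calls the same release-tag workflow used by release.yml. This ensures the
  # version update, CodeQL installation, pack lock upgrade, unit tests, and tag
  # creation all follow the same validated process.
  #
  # The release-tag environment approval gate provides human-in-the-loop review
  # before any changes are committed. `contents: write` is granted to this job
  # only, not to the workflow as a whole.
  # ─────────────────────────────────────────────────────────────────────────────
  ensure-tag:
    name: Ensure Release Tag
    needs: detect-update
    if: needs.detect-update.outputs.update_needed == 'true'
    permissions:
      contents: write
    uses: ./.github/workflows/release-tag.yml
    with:
      version: ${{ needs.detect-update.outputs.version }}

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 3: Publish and bundle CodeQL packs
  #
  # Calls the same release-codeql workflow used by release.yml. Publishes packs
  # to GHCR and bundles them as artifacts for the GitHub Release.
  # ─────────────────────────────────────────────────────────────────────────────
  publish-codeql:
    name: Publish CodeQL Packs
    needs: [detect-update, ensure-tag]
    if: needs.detect-update.outputs.update_needed == 'true'
    permissions:
      contents: read
      packages: write
    uses: ./.github/workflows/release-codeql.yml
    with:
      publish_codeql_packs: true
      version: ${{ needs.detect-update.outputs.version }}

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 4: Create GitHub Release
  #
  # Downloads the CodeQL pack bundles and creates the GitHub Release with
  # auto-generated release notes and attached pack artifacts.
  # ─────────────────────────────────────────────────────────────────────────────
  create-release:
    name: Create GitHub Release
    needs: [detect-update, ensure-tag, publish-codeql]
    # Runs only when every upstream job succeeded (or was skipped) AND an update
    # was actually detected; a failed tag or publish step must not produce a
    # release that points at nothing.
    if: >-
      always() && !failure() && !cancelled()
      && needs.detect-update.outputs.update_needed == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Release - Download CodeQL pack artifacts
        # NOTE(security): mutable tag; see the pinning note on actions/checkout.
        uses: actions/download-artifact@v7
        with:
          name: codeql-pack-bundles-${{ needs.detect-update.outputs.version }}
          path: dist-packs
      - name: Release - Create GitHub Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          files: |
            dist-packs/*.tar.gz
          generate_release_notes: true
          tag_name: ${{ needs.detect-update.outputs.version }}
      - name: Release - Summary
        # Job outputs go through env, not ${{ }} inside `run` (see detect-update).
        env:
          VERSION: ${{ needs.detect-update.outputs.version }}
          RELEASE_NAME: ${{ needs.detect-update.outputs.latest_version }}
          PREVIOUS_VERSION: ${{ needs.detect-update.outputs.current_version }}
        run: |
          {
            echo "## Automated Release Summary"
            echo ""
            echo "Triggered by CodeQL CLI update: ${PREVIOUS_VERSION} → ${RELEASE_NAME}"
            echo ""
            echo "| Step | Status |"
            echo "| ---- | ------ |"
            echo "| Tag | ✅ ${VERSION} |"
            echo "| CodeQL pack publish | ✅ Published to GHCR |"
            echo "| GitHub Release | ✅ Created |"
          } >> "$GITHUB_STEP_SUMMARY"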