Update CodeQL CLI Dependencies #231
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update CodeQL CLI Dependencies | |
| on: | |
| workflow_dispatch: | |
| # Nightly check for new CodeQL CLI releases | |
| schedule: | |
| - cron: '30 0 * * *' | |
| permissions: | |
| contents: read | |
| jobs: | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| # Step 1: Detect new CodeQL CLI version | |
| # | |
| # Compares the current CodeQL CLI version in qlt.conf.json against the latest | |
| # release from github/codeql-cli-binaries. If a newer version is available, | |
| # downstream jobs orchestrate the update and PR creation. | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| detect-update: | |
| name: Detect CodeQL CLI Update | |
| runs-on: ubuntu-latest | |
| outputs: | |
| current_version: ${{ steps.check-version.outputs.current_version }} | |
| latest_version: ${{ steps.check-version.outputs.latest_version }} | |
| update_needed: ${{ steps.check-version.outputs.update_needed }} | |
| version: ${{ steps.check-version.outputs.version }} | |
| steps: | |
| - name: Detect - Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Detect - Check latest CodeQL CLI version | |
| id: check-version | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| echo "Checking latest CodeQL CLI version..." | |
| # Read current version from qlt.conf.json | |
| current_version=$(jq -r .CodeQLCLI qlt.conf.json) | |
| # Get latest release from codeql-cli-binaries | |
| latest_tag=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName') | |
| # Validate that we found a latest release | |
| if [ -z "${latest_tag}" ]; then | |
| echo "❌ Error: Could not determine latest CodeQL CLI version from github/codeql-cli-binaries" >&2 | |
| echo "No release marked as 'latest' was found. This may indicate an API issue or repository change." >&2 | |
| echo "update_needed=false" >> $GITHUB_OUTPUT | |
| exit 1 | |
| fi | |
| latest_clean="${latest_tag#v}" | |
| echo "Current CodeQL CLI version: ${current_version}" | |
| echo "Latest CodeQL CLI version: ${latest_clean}" | |
| if [ "${latest_clean}" != "${current_version}" ]; then | |
| echo "✅ Update available: ${current_version} → ${latest_clean}" | |
| echo "update_needed=true" >> $GITHUB_OUTPUT | |
| echo "current_version=${current_version}" >> $GITHUB_OUTPUT | |
| echo "latest_version=${latest_clean}" >> $GITHUB_OUTPUT | |
| echo "version=v${latest_clean}" >> $GITHUB_OUTPUT | |
| else | |
| echo "ℹ️ CodeQL CLI is already up-to-date at version ${current_version}" | |
| echo "update_needed=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Detect - Summary | |
| run: | | |
| echo "## CodeQL CLI Update Check" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| if [ "${{ steps.check-version.outputs.update_needed }}" == "true" ]; then | |
| echo "✅ Update available: ${{ steps.check-version.outputs.current_version }} → ${{ steps.check-version.outputs.latest_version }}" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "Initiating update pipeline for \`${{ steps.check-version.outputs.version }}\`..." >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "ℹ️ CodeQL CLI is already up-to-date. No changes needed." >> $GITHUB_STEP_SUMMARY | |
| fi | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| # Step 2: Update version, test, and create PR | |
| # | |
| # Updates all version-bearing files (qlt.conf.json, qlpack.yml files), | |
| # installs CodeQL, upgrades pack lock files, compiles CDS files, runs unit | |
| # tests, and creates a pull request with the changes. | |
| # | |
| # This does NOT trigger the release pipeline. Merging the PR and creating a | |
| # release tag is a separate, human-initiated step via release.yml. | |
| # ───────────────────────────────────────────────────────────────────────────── | |
| create-pr: | |
| name: Create Update Pull Request | |
| needs: detect-update | |
| if: needs.detect-update.outputs.update_needed == 'true' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Update - Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Update - Update version in all files | |
| run: | | |
| LATEST="${{ needs.detect-update.outputs.latest_version }}" | |
| echo "Updating all version-bearing files to ${LATEST}..." | |
| ./scripts/update-release-version.sh "${LATEST}" | |
| - name: Update - Install CodeQL via GitHub CLI | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| shell: bash | |
| run: | | |
| CODEQL_VERSION="${{ needs.detect-update.outputs.latest_version }}" | |
| echo "Installing CodeQL CLI ${CODEQL_VERSION} via gh-codeql..." | |
| gh extension install github/gh-codeql | |
| gh codeql set-version "${CODEQL_VERSION}" | |
| STUB_DIR="$HOME/.local/bin" | |
| mkdir -p "${STUB_DIR}" | |
| gh codeql install-stub "${STUB_DIR}/" | |
| echo "${STUB_DIR}" >> "$GITHUB_PATH" | |
| export PATH="${STUB_DIR}:${PATH}" | |
| echo "CodeQL version: $(codeql version --format=terse)" | |
| - name: Update - Upgrade CodeQL pack lock files | |
| run: ./scripts/upgrade-packs.sh | |
| - name: Update - Setup Node.js for CDS compilation | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| cache-dependency-path: 'extractors/cds/tools/package-lock.json' | |
| - name: Update - Compile CAP CDS files | |
| run: ./extractors/cds/tools/workflow/cds-compilation-for-actions.sh | |
| - name: Update - Run CodeQL unit tests | |
| env: | |
| LGTM_INDEX_XML_MODE: all | |
| LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON" | |
| shell: bash | |
| run: | | |
| echo "Running CodeQL unit tests to validate update..." | |
| codeql test run \ | |
| --threads=0 \ | |
| --strict-test-discovery \ | |
| --additional-packs="${GITHUB_WORKSPACE}" \ | |
| -- javascript/ | |
| - name: Update - Create Pull Request | |
| uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 | |
| with: | |
| title: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}' | |
| body: | | |
| This PR upgrades the CodeQL CLI version to ${{ needs.detect-update.outputs.version }}. | |
| **Changes made:** | |
| - Updated `qlt.conf.json` (CodeQLCLI, CodeQLStandardLibrary, CodeQLCLIBundle) to `${{ needs.detect-update.outputs.latest_version }}` | |
| - Updated all version-bearing qlpack.yml files to `${{ needs.detect-update.outputs.latest_version }}` | |
| - Upgraded CodeQL pack lock files | |
| - Compiled CAP CDS files | |
| - CodeQL unit tests passed ✅ | |
| **To complete the release**, merge this PR and then trigger the release workflow | |
| via `workflow_dispatch` on `release.yml` with version `${{ needs.detect-update.outputs.version }}`. | |
| commit-message: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}' | |
| delete-branch: true | |
| branch: 'codeql/upgrade-to-${{ needs.detect-update.outputs.version }}' | |
| - name: Update - Summary | |
| run: | | |
| VERSION="${{ needs.detect-update.outputs.version }}" | |
| CURRENT="${{ needs.detect-update.outputs.current_version }}" | |
| LATEST="${{ needs.detect-update.outputs.latest_version }}" | |
| echo "## CodeQL CLI Update Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "Triggered by CodeQL CLI update: ${CURRENT} → ${LATEST}" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "| Property | Old Value | New Value |" >> $GITHUB_STEP_SUMMARY | |
| echo "| -------- | --------- | --------- |" >> $GITHUB_STEP_SUMMARY | |
| echo "| qlt.conf.json CodeQLCLI | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| qlpack.yml versions | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "A pull request has been created with these changes." >> $GITHUB_STEP_SUMMARY |