-
Notifications
You must be signed in to change notification settings - Fork 4
191 lines (170 loc) · 7.72 KB
/
release-codeql.yml
File metadata and controls
191 lines (170 loc) · 7.72 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
name: Release CodeQL - Publish and Bundle CodeQL Packs
on:
workflow_call:
inputs:
publish_codeql_packs:
default: true
description: 'Publish CodeQL packs to GHCR. Disable for pre-release or re-run scenarios where packs already exist.'
required: false
type: boolean
version:
description: 'Release version tag (e.g., vX.Y.Z). Must start with "v".'
required: true
type: string
outputs:
release_name:
description: 'The release name without "v" prefix (e.g., X.Y.Z)'
value: ${{ jobs.publish-codeql-packs.outputs.release_name }}
version:
description: 'The full version string with "v" prefix (e.g., vX.Y.Z)'
value: ${{ jobs.publish-codeql-packs.outputs.version }}
# Note: This workflow is called exclusively via workflow_call from release.yml.
# It does NOT have a workflow_dispatch trigger to keep release.yml as the single
# entry point for all release operations. To re-publish CodeQL packs standalone,
# use workflow_dispatch on release.yml with create_github_release=false.
permissions:
contents: read
jobs:
publish-codeql-packs:
name: Publish and Bundle CodeQL Packs
runs-on: ubuntu-latest
environment: release-codeql
permissions:
contents: read
packages: write
outputs:
release_name: ${{ steps.version.outputs.release_name }}
version: ${{ steps.version.outputs.version }}
steps:
- name: CodeQL - Validate and parse version
id: version
run: |
VERSION="${{ inputs.version }}"
if [[ ! "${VERSION}" =~ ^v ]]; then
echo "::error::Version '${VERSION}' must start with 'v'"
exit 1
fi
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "release_name=${VERSION#v}" >> $GITHUB_OUTPUT
- name: CodeQL - Checkout tag
uses: actions/checkout@v6
with:
ref: refs/tags/${{ steps.version.outputs.version }}
- name: CodeQL - Install QLT
id: install-qlt
uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
with:
qlt-version: 'latest'
add-to-path: true
- name: CodeQL - Install CodeQL
shell: bash
run: |
echo "Installing CodeQL"
qlt codeql run install
echo "-----------------------------"
echo "CodeQL Home: $QLT_CODEQL_HOME"
echo "CodeQL Binary: $QLT_CODEQL_PATH"
- name: CodeQL - Install pack dependencies
shell: bash
run: |
qlt query run install-packs
- name: CodeQL - Validate version consistency
run: |
RELEASE_NAME="${{ steps.version.outputs.release_name }}"
echo "Validating all version-bearing files match ${RELEASE_NAME}..."
chmod +x ./scripts/update-release-version.sh
./scripts/update-release-version.sh --check "${RELEASE_NAME}"
- name: CodeQL - Publish CodeQL packs
if: inputs.publish_codeql_packs
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Publishable packs: queries, models (ext), and libraries (lib)
PUBLISHABLE_PACKS=(
"javascript/frameworks/cap/src"
"javascript/frameworks/cap/ext"
"javascript/frameworks/cap/lib"
"javascript/frameworks/ui5/src"
"javascript/frameworks/ui5/ext"
"javascript/frameworks/ui5/lib"
"javascript/frameworks/xsjs/src"
"javascript/frameworks/xsjs/ext"
"javascript/frameworks/xsjs/lib"
"javascript/heuristic-models/ext"
)
echo "Publishing CodeQL packs..."
for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
if [ -d "${pack_dir}" ]; then
pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
echo "📦 Publishing ${pack_name} from ${pack_dir}..."
$QLT_CODEQL_PATH pack publish --threads=-1 -- "${pack_dir}"
echo "✅ Published ${pack_name}"
else
echo "⚠️ Skipping: ${pack_dir} not found"
fi
done
- name: CodeQL - Skip pack publishing
if: '!inputs.publish_codeql_packs'
run: echo "⏭️ CodeQL pack publishing disabled via workflow input"
- name: CodeQL - Bundle CodeQL packs
run: |
mkdir -p dist-packs
# Bundle all publishable packs
PUBLISHABLE_PACKS=(
"javascript/frameworks/cap/src"
"javascript/frameworks/cap/ext"
"javascript/frameworks/cap/lib"
"javascript/frameworks/ui5/src"
"javascript/frameworks/ui5/ext"
"javascript/frameworks/ui5/lib"
"javascript/frameworks/xsjs/src"
"javascript/frameworks/xsjs/ext"
"javascript/frameworks/xsjs/lib"
"javascript/heuristic-models/ext"
)
echo "Bundling CodeQL packs..."
for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
if [ -d "${pack_dir}" ]; then
pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
# Convert pack name to filename: advanced-security/foo -> foo
bundle_name="${pack_name#advanced-security/}"
output="dist-packs/${bundle_name}.tar.gz"
echo "📦 Bundling ${pack_name} -> ${output}..."
$QLT_CODEQL_PATH pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"
echo "✅ Bundled ${bundle_name}"
fi
done
echo ""
echo "Bundled packs:"
ls -lh dist-packs/
- name: CodeQL - Upload pack artifacts
uses: actions/upload-artifact@v6
with:
name: codeql-pack-bundles-${{ steps.version.outputs.version }}
path: dist-packs/*.tar.gz
- name: CodeQL - Summary
run: |
VERSION="${{ steps.version.outputs.version }}"
RELEASE_NAME="${{ steps.version.outputs.release_name }}"
echo "## CodeQL Packs Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [ "${{ inputs.publish_codeql_packs }}" == "true" ]; then
echo "✅ Published CodeQL packs to GHCR" >> $GITHUB_STEP_SUMMARY
else
echo "⏭️ CodeQL pack publishing was disabled" >> $GITHUB_STEP_SUMMARY
fi
echo "✅ Bundled CodeQL packs as artifacts" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### CodeQL Packs" >> $GITHUB_STEP_SUMMARY
echo "| Pack | Version |" >> $GITHUB_STEP_SUMMARY
echo "| ---- | ------- |" >> $GITHUB_STEP_SUMMARY
echo "| \`advanced-security/javascript-sap-cap-queries\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
echo "| \`advanced-security/javascript-sap-cap-models\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
echo "| \`advanced-security/javascript-sap-cap-all\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
echo "| \`advanced-security/javascript-sap-ui5-queries\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
echo "| \`advanced-security/javascript-sap-ui5-models\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
echo "| \`advanced-security/javascript-sap-ui5-all\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
echo "| \`advanced-security/javascript-sap-xsjs-queries\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
echo "| \`advanced-security/javascript-sap-xsjs-models\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
echo "| \`advanced-security/javascript-sap-xsjs-all\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
echo "| \`advanced-security/javascript-heuristic-models\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY