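---
# Nightly check for a new CodeQL CLI release. When the version recorded in
# qlt.conf.json lags the latest github/codeql-cli-binaries release, the same
# child workflows used by release.yml are invoked to tag, publish packs and
# create the GitHub Release, behind their environment approval gates.
#
# The version discovered in detect-update is re-used as the git tag, the
# artifact name and as shell input in later steps, so it is validated before
# being emitted and is passed to scripts via `env:` rather than `${{ }}`.
name: Update CodeQL CLI Dependencies

on:
  workflow_dispatch:
  # Nightly check for new CodeQL CLI releases
  schedule:
    - cron: '30 0 * * *'

# Read-only by default; jobs that need more request it explicitly.
permissions:
  contents: read

jobs:
  # ─────────────────────────────────────────────────────────────────────────────
  # Step 1: Detect new CodeQL CLI version
  #
  # Compares the current CodeQL CLI version in qlt.conf.json against the latest
  # release from github/codeql-cli-binaries. If a newer version is available,
  # downstream jobs orchestrate a full release using the same child workflows
  # as release.yml, guarded by environment approval gates.
  # ─────────────────────────────────────────────────────────────────────────────
  detect-update:
    name: Detect CodeQL CLI Update
    runs-on: ubuntu-latest
    outputs:
      current_version: ${{ steps.check-version.outputs.current_version }}
      latest_version: ${{ steps.check-version.outputs.latest_version }}
      update_needed: ${{ steps.check-version.outputs.update_needed }}
      version: ${{ steps.check-version.outputs.version }}
    steps:
      - name: Detect - Checkout repository
        # TODO(review): pin to a commit SHA as done for action-gh-release below
        uses: actions/checkout@v6

      - name: Detect - Check latest CodeQL CLI version
        id: check-version
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          echo "Checking latest CodeQL CLI version..."
          # jq -e fails the step if CodeQLCLI is absent instead of yielding "null".
          current_version=$(jq -er .CodeQLCLI qlt.conf.json)
          latest_tag=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName')
          latest_clean="${latest_tag#v}"
          # The tag originates from an external repository and becomes the release
          # tag, artifact name and shell input below. Accept only a plain dotted
          # version and fail loudly on an empty or unexpected value, rather than
          # emitting update_needed=true with a bogus "v" tag.
          if [[ ! "${latest_clean}" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
            printf '::error::Unexpected latest release tag from github/codeql-cli-binaries: %q\n' "${latest_tag}"
            exit 1
          fi
          echo "Current CodeQL CLI version: ${current_version}"
          echo "Latest CodeQL CLI version: ${latest_clean}"
          if [ "${latest_clean}" != "${current_version}" ]; then
            echo "✅ Update available: ${current_version} → ${latest_clean}"
            {
              echo "update_needed=true"
              echo "current_version=${current_version}"
              echo "latest_version=${latest_clean}"
              echo "version=v${latest_clean}"
            } >> "$GITHUB_OUTPUT"
          else
            echo "ℹ️ CodeQL CLI is already up-to-date at version ${current_version}"
            echo "update_needed=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Detect - Summary
        # Step outputs are handed over through env so their content is never
        # expanded into the script text and parsed as shell.
        env:
          UPDATE_NEEDED: ${{ steps.check-version.outputs.update_needed }}
          CURRENT_VERSION: ${{ steps.check-version.outputs.current_version }}
          LATEST_VERSION: ${{ steps.check-version.outputs.latest_version }}
        run: |
          {
            echo "## CodeQL CLI Update Check"
            echo ""
            if [ "${UPDATE_NEEDED}" = "true" ]; then
              echo "✅ Update available: ${CURRENT_VERSION} → ${LATEST_VERSION}"
              echo ""
              echo "Initiating release pipeline for \`v${LATEST_VERSION}\`..."
            else
              echo "ℹ️ CodeQL CLI is already up-to-date. No release needed."
            fi
          } >> "$GITHUB_STEP_SUMMARY"

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 2: Create release tag
  #
  # Calls the same release-tag workflow used by release.yml. This ensures the
  # version update, CodeQL installation, pack lock upgrade, unit tests, and tag
  # creation all follow the same validated process.
  #
  # The release-tag environment approval gate provides human-in-the-loop review
  # before any changes are committed.
  # ─────────────────────────────────────────────────────────────────────────────
  ensure-tag:
    name: Ensure Release Tag
    needs: detect-update
    if: needs.detect-update.outputs.update_needed == 'true'
    permissions:
      contents: write
    uses: ./.github/workflows/release-tag.yml
    with:
      version: ${{ needs.detect-update.outputs.version }}

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 3: Publish and bundle CodeQL packs
  #
  # Calls the same release-codeql workflow used by release.yml. Publishes packs
  # to GHCR and bundles them as artifacts for the GitHub Release.
  # ─────────────────────────────────────────────────────────────────────────────
  publish-codeql:
    name: Publish CodeQL Packs
    needs: [detect-update, ensure-tag]
    if: needs.detect-update.outputs.update_needed == 'true'
    permissions:
      contents: read
      packages: write
    uses: ./.github/workflows/release-codeql.yml
    with:
      publish_codeql_packs: true
      version: ${{ needs.detect-update.outputs.version }}

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 4: Create GitHub Release
  #
  # Downloads the CodeQL pack bundles and creates the GitHub Release with
  # auto-generated release notes and attached pack artifacts.
  # ─────────────────────────────────────────────────────────────────────────────
  create-release:
    name: Create GitHub Release
    needs: [detect-update, ensure-tag, publish-codeql]
    # Runs only when every upstream job succeeded and an update was detected.
    if: >-
      always() && !failure() && !cancelled()
      && needs.detect-update.outputs.update_needed == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Release - Download CodeQL pack artifacts
        # TODO(review): pin to a commit SHA as done for action-gh-release below
        uses: actions/download-artifact@v7
        with:
          name: codeql-pack-bundles-${{ needs.detect-update.outputs.version }}
          path: dist-packs

      - name: Release - Create GitHub Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          files: |
            dist-packs/*.tar.gz
          generate_release_notes: true
          tag_name: ${{ needs.detect-update.outputs.version }}

      - name: Release - Summary
        # Job outputs are handed over through env so their content is never
        # expanded into the script text and parsed as shell.
        env:
          VERSION: ${{ needs.detect-update.outputs.version }}
          RELEASE_NAME: ${{ needs.detect-update.outputs.latest_version }}
          CURRENT_VERSION: ${{ needs.detect-update.outputs.current_version }}
        run: |
          {
            echo "## Automated Release Summary"
            echo ""
            echo "Triggered by CodeQL CLI update: ${CURRENT_VERSION} → ${RELEASE_NAME}"
            echo ""
            echo "| Step | Status |"
            echo "| ---- | ------ |"
            echo "| Tag | ✅ ${VERSION} |"
            echo "| CodeQL pack publish | ✅ Published to GHCR |"
            echo "| GitHub Release | ✅ Created |"
          } >> "$GITHUB_STEP_SUMMARY"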