name: Release CodeQL - Publish and Bundle CodeQL Packs

# Reusable workflow: it is only ever invoked through `workflow_call` (see the
# note below), so its interface is the `inputs`/`outputs` declared here.
on:
  workflow_call:
    inputs:
      version:
        description: 'Release version tag (e.g., vX.Y.Z or vX.Y.Z-suffix). Must start with "v".'
        type: string
        required: true
      publish_codeql_packs:
        description: 'Publish CodeQL packs to GHCR. Disable for pre-release or re-run scenarios where packs already exist.'
        type: boolean
        required: false
        default: true
    outputs:
      # Both outputs are forwarded verbatim from the single job below.
      version:
        description: 'The full version string with "v" prefix (e.g., vX.Y.Z or vX.Y.Z-alpha)'
        value: ${{ jobs.publish-codeql-packs.outputs.version }}
      release_name:
        description: 'The release name without "v" prefix (e.g., X.Y.Z or X.Y.Z-alpha)'
        value: ${{ jobs.publish-codeql-packs.outputs.release_name }}

# Note: This workflow is called exclusively via workflow_call from release.yml.
# It does NOT have a workflow_dispatch trigger to keep release.yml as the single
# entry point for all release operations. To re-publish CodeQL packs standalone,
# use workflow_dispatch on release.yml with create_github_release=false.

# Workflow-wide default: read-only. The publishing job widens this for itself.
permissions:
  contents: read
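jobs:
  publish-codeql-packs:
    name: Publish and Bundle CodeQL Packs
    runs-on: ubuntu-latest
    # Deployment environment gate for the release; any reviewers/secrets bound
    # to it apply to this job only.
    environment: release-codeql
    # Job-level grant: `packages: write` is needed to push packs to GHCR,
    # nothing else is writable.
    permissions:
      contents: read
      packages: write
    outputs:
      release_name: ${{ steps.version.outputs.release_name }}
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: CodeQL - Validate and parse version
        id: version
        # The input reaches the script through the environment instead of a
        # `${{ }}` expansion inside `run:`; expansion happens before bash runs,
        # so quoting would not protect against a crafted value. As an env var
        # the value is shell data, never shell code.
        env:
          VERSION: ${{ inputs.version }}
        shell: bash
        run: |
          if [[ ! "${VERSION}" =~ ^v ]]; then
            echo "::error::Version '${VERSION}' must start with 'v'"
            exit 1
          fi
          # Later steps use this value as a git ref, a script argument and an
          # artifact name; keep it to a conservative character set.
          if [[ ! "${VERSION}" =~ ^v[0-9A-Za-z.+-]+$ ]]; then
            echo "::error::Version '${VERSION}' may only contain [0-9A-Za-z.+-] after the 'v' prefix"
            exit 1
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          # release_name is the version with the leading 'v' stripped.
          echo "release_name=${VERSION#v}" >> "$GITHUB_OUTPUT"

      - name: CodeQL - Checkout tag
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Build from the tag itself rather than the caller's ref so the
          # published packs correspond to the tagged sources.
          ref: refs/tags/${{ steps.version.outputs.version }}

      - name: CodeQL - Install CodeQL via GitHub CLI
        env:
          GH_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          # qlt.conf.json holds the CodeQL CLI version used by this repository.
          CODEQL_VERSION=$(jq -r .CodeQLCLI qlt.conf.json)
          echo "Installing CodeQL CLI ${CODEQL_VERSION} via gh-codeql..."
          # NOTE(review): the gh-codeql extension is installed at its latest
          # release (unpinned) while the CLI version below is pinned; consider
          # `gh extension install --pin <tag>` so release builds are reproducible.
          gh extension install github/gh-codeql
          gh codeql set-version "${CODEQL_VERSION}"
          STUB_DIR="$HOME/.local/bin"
          mkdir -p "${STUB_DIR}"
          gh codeql install-stub "${STUB_DIR}/"
          # Expose the `codeql` stub to later steps (GITHUB_PATH) and to the
          # remainder of this script (export).
          echo "${STUB_DIR}" >> "$GITHUB_PATH"
          export PATH="${STUB_DIR}:${PATH}"
          echo "CodeQL version: $(codeql version --format=terse)"

      - name: CodeQL - Install pack dependencies
        shell: bash
        run: ./scripts/install-packs.sh

      - name: CodeQL - Validate version consistency
        env:
          RELEASE_NAME: ${{ steps.version.outputs.release_name }}
        shell: bash
        run: |
          echo "Validating all version-bearing files match ${RELEASE_NAME}..."
          chmod +x ./scripts/update-release-version.sh
          # --check fails the job if any version-bearing file disagrees.
          ./scripts/update-release-version.sh --check "${RELEASE_NAME}"

      - name: CodeQL - Publish CodeQL packs
        if: inputs.publish_codeql_packs
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_NAME: ${{ steps.version.outputs.release_name }}
        shell: bash
        run: ./scripts/publish-packs.sh "${RELEASE_NAME}"

      - name: CodeQL - Skip pack publishing
        if: '!inputs.publish_codeql_packs'
        run: echo "⏭️ CodeQL pack publishing disabled via workflow input"

      - name: CodeQL - Bundle CodeQL packs
        shell: bash
        run: ./scripts/bundle-packs.sh --output-dir dist-packs

      - name: CodeQL - Upload pack artifacts
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        with:
          name: codeql-pack-bundles-${{ steps.version.outputs.version }}
          path: dist-packs/*.tar.gz

      - name: CodeQL - Summary
        env:
          RELEASE_NAME: ${{ steps.version.outputs.release_name }}
          # Boolean input; arrives in the shell as the string "true"/"false".
          PUBLISH_PACKS: ${{ inputs.publish_codeql_packs }}
        shell: bash
        run: |
          # Everything inside the group is appended to the job summary once.
          {
            echo "## CodeQL Packs Summary"
            echo ""
            if [ "${PUBLISH_PACKS}" == "true" ]; then
              echo "✅ Published CodeQL packs to GHCR"
            else
              echo "⏭️ CodeQL pack publishing was disabled"
            fi
            echo "✅ Bundled CodeQL packs as artifacts"
            echo ""
            echo "### CodeQL Packs"
            echo "| Pack | Version |"
            echo "| ---- | ------- |"
            # One row per pack; all packs share the release version.
            for pack in \
              javascript-sap-cap-queries \
              javascript-sap-cap-models \
              javascript-sap-cap-all \
              javascript-sap-ui5-queries \
              javascript-sap-ui5-models \
              javascript-sap-ui5-all \
              javascript-sap-xsjs-queries \
              javascript-sap-xsjs-models \
              javascript-sap-xsjs-all \
              javascript-heuristic-models; do
              echo "| \`advanced-security/${pack}\` | ${RELEASE_NAME} |"
            done
          } >> "$GITHUB_STEP_SUMMARY"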