
Commit 1549a27

authored
Merge branch 'main' into knewbury01/change-dependency-structure-mad
2 parents ac39245 + d423bf5 commit 1549a27

2 files changed

Lines changed: 92 additions & 60 deletions


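--- a/.github/workflows/release-codeql.yml
+++ b/.github/workflows/release-codeql.yml
@@ -73,26 +73,25 @@ jobs:
         with:
           ref: refs/tags/${{ steps.version.outputs.version }}
 
-      - name: CodeQL - Install QLT
-        id: install-qlt
-        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
-        with:
-          qlt-version: 'latest'
-          add-to-path: true
-
-      - name: CodeQL - Install CodeQL
+      - name: CodeQL - Install CodeQL via GitHub CLI
+        env:
+          GH_TOKEN: ${{ github.token }}
         shell: bash
         run: |
-          echo "Installing CodeQL"
-          qlt codeql run install
-          echo "-----------------------------"
-          echo "CodeQL Home: $QLT_CODEQL_HOME"
-          echo "CodeQL Binary: $QLT_CODEQL_PATH"
+          CODEQL_VERSION=$(jq -r .CodeQLCLI qlt.conf.json)
+          echo "Installing CodeQL CLI ${CODEQL_VERSION} via gh-codeql..."
+          gh extension install github/gh-codeql
+          gh codeql set-version "${CODEQL_VERSION}"
+          STUB_DIR="$HOME/.local/bin"
+          mkdir -p "${STUB_DIR}"
+          gh codeql install-stub "${STUB_DIR}/"
+          echo "${STUB_DIR}" >> "$GITHUB_PATH"
+          export PATH="${STUB_DIR}:${PATH}"
+          echo "CodeQL version: $(codeql version --format=terse)"
 
       - name: CodeQL - Install pack dependencies
         shell: bash
         run: |
-          export PATH="$(dirname "$QLT_CODEQL_PATH"):$PATH"
           chmod +x ./scripts/install-packs.sh
           ./scripts/install-packs.sh
 
@@ -116,7 +115,7 @@ jobs:
             if [ -d "${pack_dir}" ]; then
               pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
               echo "📦 Publishing ${pack_name} from ${pack_dir}..."
-              $QLT_CODEQL_PATH pack publish --threads=-1 -- "${pack_dir}"
+              echo "${GITHUB_TOKEN}" | codeql pack publish --github-auth-stdin --threads=-1 -- "${pack_dir}"
               echo "✅ Published ${pack_name}"
             else
               echo "⚠️ Skipping: ${pack_dir} not found"
@@ -144,7 +143,7 @@ jobs:
               bundle_name="${pack_name#advanced-security/}"
               output="dist-packs/${bundle_name}.tar.gz"
               echo "📦 Bundling ${pack_name} -> ${output}..."
-              $QLT_CODEQL_PATH pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"
+              codeql pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"
               echo "✅ Bundled ${bundle_name}"
             fi
           done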
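Review bot: The CodeQL CLI is now pinned through `qlt.conf.json`, but the tool that installs it is not — `gh extension install github/gh-codeql` in the new install step fetches whatever the extension's latest release is on every run, so a release build of published query packs depends on an unpinned third-party binary. `gh extension install` accepts `--pin`, so pin it the same way the CLI is pinned, e.g. `gh extension install github/gh-codeql --pin "<release tag or SHA>"`, and record the pin next to `CodeQLCLI` in `qlt.conf.json` so both move together. Separately, `jq -r .CodeQLCLI` prints the literal string `null` when the key is missing, and `gh codeql set-version "null"` would then fail (or worse, be handled in an unexpected way) several lines after the real cause; a guard right after the assignment makes the failure explicit: `[ -n "${CODEQL_VERSION}" ] && [ "${CODEQL_VERSION}" != "null" ] || { echo "qlt.conf.json has no CodeQLCLI version" >&2; exit 1; }`. The publish step in the second hunk pipes `${GITHUB_TOKEN}` to `--github-auth-stdin`; that variable's definition is outside this hunk, so it is worth confirming the step's `env:` actually sets it rather than relying on the job-level `GH_TOKEN` used by the install step.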

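--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -73,92 +73,118 @@ jobs:
             echo "ℹ️ Tag ${TAG} does not exist yet"
           fi
 
+      - name: Tag - Validate existing tag versions
+        id: validate-existing
+        if: steps.check-tag.outputs.tag_exists == 'true'
+        run: |
+          TAG="${{ steps.version.outputs.version }}"
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
+          echo "Validating versions on existing tag ${TAG}..."
+          git checkout "refs/tags/${TAG}" --quiet
+          chmod +x ./scripts/update-release-version.sh
+          if ./scripts/update-release-version.sh --check "${RELEASE_NAME}"; then
+            echo "✅ Existing tag ${TAG} has correct versions"
+            echo "versions_valid=true" >> $GITHUB_OUTPUT
+          else
+            echo ""
+            echo "⚠️ Existing tag ${TAG} has incorrect versions — will delete and recreate"
+            git checkout - --quiet
+            git tag -d "${TAG}" 2>/dev/null || true
+            git push origin --delete "${TAG}" 2>/dev/null || true
+            echo "versions_valid=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Tag - Determine if tag creation is needed
+        id: needs-creation
+        run: |
+          if [ "${{ steps.check-tag.outputs.tag_exists }}" != "true" ]; then
+            echo "needed=true" >> $GITHUB_OUTPUT
+            echo "ℹ️ Tag does not exist — creation needed"
+          elif [ "${{ steps.validate-existing.outputs.versions_valid }}" != "true" ]; then
+            echo "needed=true" >> $GITHUB_OUTPUT
+            echo "ℹ️ Existing tag had wrong versions — recreation needed"
+          else
+            echo "needed=false" >> $GITHUB_OUTPUT
+            echo "ℹ️ Existing tag is valid — no creation needed"
+          fi
+
       - name: Tag - Update release version
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         run: |
           TAG_VERSION="${{ steps.version.outputs.release_name }}"
           echo "Updating all version-bearing files to '${TAG_VERSION}'..."
           chmod +x ./scripts/update-release-version.sh
           ./scripts/update-release-version.sh "${TAG_VERSION}"
 
-      - name: Tag - Install QLT
-        if: steps.check-tag.outputs.tag_exists != 'true'
-        id: install-qlt
-        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
-        with:
-          qlt-version: 'latest'
-          add-to-path: true
-
-      - name: Tag - Install CodeQL
-        if: steps.check-tag.outputs.tag_exists != 'true'
+      - name: Tag - Install CodeQL via GitHub CLI
+        if: steps.needs-creation.outputs.needed == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
         shell: bash
         run: |
-          echo "Installing CodeQL"
-          qlt codeql run install
-          echo "-----------------------------"
-          echo "CodeQL Home: $QLT_CODEQL_HOME"
-          echo "CodeQL Binary: $QLT_CODEQL_PATH"
+          CODEQL_VERSION=$(jq -r .CodeQLCLI qlt.conf.json)
+          echo "Installing CodeQL CLI ${CODEQL_VERSION} via gh-codeql..."
+          gh extension install github/gh-codeql
+          gh codeql set-version "${CODEQL_VERSION}"
+          STUB_DIR="$HOME/.local/bin"
+          mkdir -p "${STUB_DIR}"
+          gh codeql install-stub "${STUB_DIR}/"
+          echo "${STUB_DIR}" >> "$GITHUB_PATH"
+          export PATH="${STUB_DIR}:${PATH}"
+          echo "CodeQL version: $(codeql version --format=terse)"
 
       - name: Tag - Upgrade CodeQL pack lock files
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         shell: bash
         run: |
           echo "Upgrading CodeQL pack lock files"
           find . -name "qlpack.yml" -type f | sort | while read -r qlpack_file; do
             pack_dir=$(dirname "$qlpack_file")
             echo "Upgrading pack in directory: $pack_dir"
             cd "$pack_dir"
-            $QLT_CODEQL_PATH pack upgrade
+            codeql pack upgrade
             cd - > /dev/null
           done
           echo "Finished upgrading all CodeQL pack lock files"
 
-      - name: Tag - Install QL packs
-        if: steps.check-tag.outputs.tag_exists != 'true'
-        shell: bash
-        run: |
-          export PATH="$(dirname "$QLT_CODEQL_PATH"):$PATH"
-          chmod +x ./scripts/install-packs.sh
-          ./scripts/install-packs.sh
-
       - name: Tag - Setup Node.js for CDS compilation
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         uses: actions/setup-node@v6
         with:
           node-version: '20'
           cache: 'npm'
           cache-dependency-path: 'extractors/cds/tools/package-lock.json'
 
       - name: Tag - Compile CAP CDS files
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         run: |
           chmod +x ./extractors/cds/tools/workflow/cds-compilation-for-actions.sh
           ./extractors/cds/tools/workflow/cds-compilation-for-actions.sh
 
       - name: Tag - Run CodeQL unit tests
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         env:
           LGTM_INDEX_XML_MODE: all
           LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
         shell: bash
         run: |
           echo "Running CodeQL unit tests to validate release..."
-          $QLT_CODEQL_PATH test run \
+          codeql test run \
             --threads=0 \
             --strict-test-discovery \
             --additional-packs="${GITHUB_WORKSPACE}" \
             -- javascript/
 
       - name: Tag - Validate version consistency
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         run: |
           RELEASE_NAME="${{ steps.version.outputs.release_name }}"
           echo "Validating all version-bearing files match ${RELEASE_NAME}..."
           ./scripts/update-release-version.sh --check "${RELEASE_NAME}"
 
       - name: Tag - Commit version changes and create tag
         id: create-tag
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         run: |
           TAG="${{ steps.version.outputs.version }}"
           RELEASE_NAME="${{ steps.version.outputs.release_name }}"
@@ -167,12 +193,16 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 
+          # Detach HEAD so we never push to a protected branch.
+          # The version-update commit will only be reachable via the tag.
+          git checkout --detach HEAD
+
           # Stage version-bearing files and lockfile changes
           git add -A
-          # Ensure generated artifacts (CodeQL, CAP compilation) are not staged for commit
-          git restore --staged .codeql || true
-          git restore --staged '*.qlx' || true
-          git restore --staged 'javascript/frameworks/cap/test/**/model.cds.json' || true
+          # Ensure generated artifacts (CodeQL, CAP compilation) are not staged
+          git restore --staged .codeql 2>/dev/null || true
+          git restore --staged '*.qlx' 2>/dev/null || true
+          git restore --staged 'javascript/frameworks/cap/test/**/model.cds.json' 2>/dev/null || true
 
           # Check if there are changes to commit
           if git diff --cached --quiet; then
@@ -181,26 +211,25 @@ jobs:
           else
             git commit -m "Release ${TAG}: update versions to ${RELEASE_NAME}"
             CURRENT_SHA=$(git rev-parse HEAD)
-            git push origin HEAD
-            echo "✅ Committed version changes at ${CURRENT_SHA:0:8}"
+            echo "✅ Created version commit at ${CURRENT_SHA:0:8}"
           fi
 
-          # Create and push the tag
+          # Push only the tag — never the branch
           git tag -a "${TAG}" -m "Release ${TAG}" "${CURRENT_SHA}"
-          git push origin "${TAG}"
+          git push origin "refs/tags/${TAG}"
           echo "✅ Created and pushed tag ${TAG} at commit ${CURRENT_SHA:0:8}"
           echo "tag_sha=${CURRENT_SHA}" >> $GITHUB_OUTPUT
 
       - name: Tag - Output existing tag SHA
         id: existing-tag
-        if: steps.check-tag.outputs.tag_exists == 'true'
+        if: steps.needs-creation.outputs.needed == 'false'
         run: |
           echo "tag_sha=${{ steps.check-tag.outputs.tag_sha }}" >> $GITHUB_OUTPUT
 
       - name: Tag - Set final tag SHA output
         id: final-sha
         run: |
-          if [ "${{ steps.check-tag.outputs.tag_exists }}" == "true" ]; then
+          if [ "${{ steps.needs-creation.outputs.needed }}" == "false" ]; then
             SHA="${{ steps.check-tag.outputs.tag_sha }}"
           else
             SHA="${{ steps.create-tag.outputs.tag_sha }}"
@@ -212,11 +241,15 @@ jobs:
           TAG="${{ steps.version.outputs.version }}"
           echo "## Release Tag Summary" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          if [ "${{ steps.check-tag.outputs.tag_exists }}" == "true" ]; then
-            echo "ℹ️ Tag \`${TAG}\` already existed at \`${{ steps.check-tag.outputs.tag_sha }}\`" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ steps.needs-creation.outputs.needed }}" == "false" ]; then
+            echo "ℹ️ Tag \`${TAG}\` already existed at \`${{ steps.check-tag.outputs.tag_sha }}\` with correct versions" >> $GITHUB_STEP_SUMMARY
           else
             echo "✅ Created tag \`${TAG}\` at \`${{ steps.create-tag.outputs.tag_sha }}\`" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY
+            if [ "${{ steps.check-tag.outputs.tag_exists }}" == "true" ]; then
+              echo "⚠️ Previous tag had incorrect versions and was replaced" >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
+            fi
             echo "| Step | Status |" >> $GITHUB_STEP_SUMMARY
             echo "| ---- | ------ |" >> $GITHUB_STEP_SUMMARY
             echo "| Version update | ✅ All files updated to ${{ steps.version.outputs.release_name }} |" >> $GITHUB_STEP_SUMMARY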
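Review bot: The new "Validate existing tag versions" step deletes an already-published release tag from the remote on any non-zero exit of `update-release-version.sh --check`, and `git push origin --delete "${TAG}" 2>/dev/null || true` hides whether that deletion actually happened — if it is refused (tag protection rule, token without write permission), the job continues, `needs-creation` still reports `needed=true`, and the run only fails much later at `git push origin "refs/tags/${TAG}"` in the create-tag step with a rejected-ref error that does not explain the cause. Let the destructive step fail loudly instead: `git push origin --delete "refs/tags/${TAG}"` with no redirection or `|| true`, so a protected or unauthorised tag stops the run at the point of decision. Because a script failure unrelated to version drift (missing tool, bad argument) also takes the `else` branch, it is worth distinguishing "check ran and found a mismatch" from "check could not run" before deleting anything, and — since replacing a tag silently changes what consumers who already pinned `${TAG}` (including `release-codeql.yml`, which checks out `refs/tags/${{ steps.version.outputs.version }}`) will fetch — gating the recreation on an explicit opt-in such as a `workflow_dispatch` input rather than doing it automatically; the workflow's triggers are outside this hunk, so that may already exist. A comment above the deletion stating the intent would help the next maintainer, e.g. `# Destructive: replaces a published tag; consumers pinned to ${TAG} will see different content.`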
