refactor: convert pack bundle & publish to scripts

data-douser · data-douser · commit 50c820ad8291 · 2026-03-09T17:02:16.000-06:00
Move the inline pack publishing and bundling logic from the
release-codeql workflow into dedicated scripts:

- scripts/publish-packs.sh: Publishes all CodeQL packs to GHCR with
  pre-release detection, token validation, and dry-run support.
- scripts/bundle-packs.sh: Bundles all CodeQL packs into .tar.gz
  archives with configurable output directory and dry-run support.
diff --git a/.github/workflows/release-codeql.yml b/.github/workflows/release-codeql.yml
@@ -43,19 +43,6 @@ jobs:
       release_name: ${{ steps.version.outputs.release_name }}
       version: ${{ steps.version.outputs.version }}
 
-    env:
-      PUBLISHABLE_PACKS_LIST: |
-        javascript/frameworks/cap/src
-        javascript/frameworks/cap/ext
-        javascript/frameworks/cap/lib
-        javascript/frameworks/ui5/src
-        javascript/frameworks/ui5/ext
-        javascript/frameworks/ui5/lib
-        javascript/frameworks/xsjs/src
-        javascript/frameworks/xsjs/ext
-        javascript/frameworks/xsjs/lib
-        javascript/heuristic-models/ext
-
     steps:
       - name: CodeQL - Validate and parse version
         id: version
@@ -91,9 +78,7 @@ jobs:
 
       - name: CodeQL - Install pack dependencies
         shell: bash
-        run: |
-          chmod +x ./scripts/install-packs.sh
-          ./scripts/install-packs.sh
+        run: ./scripts/install-packs.sh
 
       - name: CodeQL - Validate version consistency
         run: |
@@ -106,59 +91,14 @@ jobs:
         if: inputs.publish_codeql_packs
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
-
-          # Read the shared pack list from the job-level environment variable.
-          mapfile -t PUBLISHABLE_PACKS <<< "${PUBLISHABLE_PACKS_LIST}"
-
-          # Prerelease versions (containing a hyphen) require --allow-prerelease
-          PRERELEASE_FLAG=""
-          if [[ "${RELEASE_NAME}" == *-* ]]; then
-            PRERELEASE_FLAG="--allow-prerelease"
-            echo "Detected prerelease version — using ${PRERELEASE_FLAG}"
-          fi
-
-          echo "Publishing CodeQL packs..."
-          for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
-            if [ -d "${pack_dir}" ]; then
-              pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
-              echo "📦 Publishing ${pack_name} from ${pack_dir}..."
-              codeql pack publish --threads=-1 ${PRERELEASE_FLAG} -- "${pack_dir}"
-              echo "✅ Published ${pack_name}"
-            else
-              echo "⚠️ Skipping: ${pack_dir} not found"
-            fi
-          done
+        run: ./scripts/publish-packs.sh "${{ steps.version.outputs.release_name }}"
 
       - name: CodeQL - Skip pack publishing
         if: '!inputs.publish_codeql_packs'
         run: echo "⏭️ CodeQL pack publishing disabled via workflow input"
 
       - name: CodeQL - Bundle CodeQL packs
-        run: |
-          mkdir -p dist-packs
-
-          # Bundle all publishable packs
-          # Read the pack list from the environment into a Bash array.
-          # Each line in PUBLISHABLE_PACKS_LIST becomes one element.
-          mapfile -t PUBLISHABLE_PACKS <<< "${PUBLISHABLE_PACKS_LIST}"
-
-          echo "Bundling CodeQL packs..."
-          for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
-            if [ -d "${pack_dir}" ]; then
-              pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
-              # Convert pack name to filename: advanced-security/foo -> foo
-              bundle_name="${pack_name#advanced-security/}"
-              output="dist-packs/${bundle_name}.tar.gz"
-              echo "📦 Bundling ${pack_name} -> ${output}..."
-              codeql pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"
-              echo "✅ Bundled ${bundle_name}"
-            fi
-          done
-          echo ""
-          echo "Bundled packs:"
-          ls -lh dist-packs/
+        run: ./scripts/bundle-packs.sh --output-dir dist-packs
 
       - name: CodeQL - Upload pack artifacts
         uses: actions/upload-artifact@v6
diff --git a/scripts/bundle-packs.sh b/scripts/bundle-packs.sh
@@ -0,0 +1,194 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+## bundle-packs.sh
+## Bundle CodeQL packs into distributable .tar.gz archives.
+##
+## This script bundles all publishable CodeQL packs in the codeql-sap-js
+## repository using `codeql pack bundle`, producing .tar.gz files suitable
+## for upload as release artifacts or offline distribution.
+##
+## Requirements:
+##   - The `codeql` CLI must be available on PATH.
+##
+## Usage:
+##   ./scripts/bundle-packs.sh [OPTIONS]
+##   ./scripts/bundle-packs.sh --output-dir dist-packs
+##   ./scripts/bundle-packs.sh --dry-run
+##
+## Options:
+##   --output-dir <dir>  Directory for bundled .tar.gz files (default: dist-packs).
+##   --dry-run           Show what would be bundled without actually bundling.
+##   -h, --help          Show this help message.
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+DRY_RUN=false
+OUTPUT_DIR="dist-packs"
+
+## All publishable pack directories relative to repo root.
+## These must match the packs listed in publish-packs.sh.
+PUBLISHABLE_PACKS=(
+  "javascript/frameworks/cap/src"
+  "javascript/frameworks/cap/ext"
+  "javascript/frameworks/cap/lib"
+  "javascript/frameworks/ui5/src"
+  "javascript/frameworks/ui5/ext"
+  "javascript/frameworks/ui5/lib"
+  "javascript/frameworks/xsjs/src"
+  "javascript/frameworks/xsjs/ext"
+  "javascript/frameworks/xsjs/lib"
+  "javascript/heuristic-models/ext"
+)
+
+usage() {
+  cat <<EOF
+Usage: $0 [OPTIONS]
+
+Bundle CodeQL packs into distributable .tar.gz archives.
+
+OPTIONS:
+    --output-dir <dir>  Directory for bundled .tar.gz files (default: dist-packs).
+    --dry-run           Show what would be bundled without actually bundling.
+    -h, --help          Show this help message.
+
+EXAMPLES:
+    ./scripts/bundle-packs.sh
+    ./scripts/bundle-packs.sh --output-dir dist-packs
+    ./scripts/bundle-packs.sh --dry-run
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --output-dir)
+      if [[ $# -lt 2 || "${2-}" == -* ]]; then
+        echo "Error: --output-dir requires a value" >&2
+        usage >&2
+        exit 1
+      fi
+      OUTPUT_DIR="$2"
+      shift 2
+      ;;
+    --dry-run)
+      DRY_RUN=true
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Error: Unknown option $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+## ── Diagnostics ──────────────────────────────────────────────────────────────
+
+echo "╔══════════════════════════════════════════════════════════════╗"
+echo "║  CodeQL Pack Bundler                                        ║"
+echo "╚══════════════════════════════════════════════════════════════╝"
+echo ""
+echo "Output dir:    ${OUTPUT_DIR}"
+echo "Dry run:       ${DRY_RUN}"
+echo "Repo root:     ${REPO_ROOT}"
+echo ""
+
+# Verify codeql is available
+if ! command -v codeql &> /dev/null; then
+  echo "Error: 'codeql' CLI not found on PATH." >&2
+  echo "Install CodeQL CLI and ensure it is on your PATH before running this script." >&2
+  exit 1
+fi
+
+echo "CodeQL CLI:    $(command -v codeql)"
+echo "CodeQL version: $(codeql version --format=terse)"
+echo ""
+
+## ── Bundle packs ─────────────────────────────────────────────────────────────
+
+cd "${REPO_ROOT}"
+
+if [[ "${DRY_RUN}" == false ]]; then
+  mkdir -p "${OUTPUT_DIR}"
+fi
+
+BUNDLED=0
+SKIPPED=0
+FAILED=0
+
+echo "Bundling ${#PUBLISHABLE_PACKS[@]} CodeQL packs..."
+echo ""
+
+for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
+  if [[ ! -d "${pack_dir}" ]]; then
+    echo "⚠️  Skipping: ${pack_dir} (directory not found)"
+    SKIPPED=$((SKIPPED + 1))
+    continue
+  fi
+
+  if [[ ! -f "${pack_dir}/qlpack.yml" ]]; then
+    echo "⚠️  Skipping: ${pack_dir} (no qlpack.yml found)"
+    SKIPPED=$((SKIPPED + 1))
+    continue
+  fi
+
+  pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
+  # Convert pack name to filename: advanced-security/foo -> foo
+  bundle_name="${pack_name#advanced-security/}"
+  output="${OUTPUT_DIR}/${bundle_name}.tar.gz"
+
+  echo "────────────────────────────────────────────────────────────────"
+  echo "📦 Pack:      ${pack_name}"
+  echo "   Directory: ${pack_dir}"
+  echo "   Output:    ${output}"
+
+  if [[ "${DRY_RUN}" == true ]]; then
+    echo "   Action:    [DRY RUN] Would bundle with: codeql pack bundle --threads=-1 --output=${output} -- ${pack_dir}"
+    BUNDLED=$((BUNDLED + 1))
+    continue
+  fi
+
+  if codeql pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"; then
+    echo "   ✅ Bundled ${bundle_name}"
+    BUNDLED=$((BUNDLED + 1))
+  else
+    EXIT_CODE=$?
+    echo "   ❌ Failed to bundle ${bundle_name} (exit code: ${EXIT_CODE})" >&2
+    FAILED=$((FAILED + 1))
+  fi
+  echo ""
+done
+
+## ── Summary ──────────────────────────────────────────────────────────────────
+
+echo ""
+echo "════════════════════════════════════════════════════════════════"
+echo "Summary"
+echo "════════════════════════════════════════════════════════════════"
+echo "  Total:   ${#PUBLISHABLE_PACKS[@]}"
+echo "  Bundled: ${BUNDLED}"
+echo "  Skipped: ${SKIPPED}"
+echo "  Failed:  ${FAILED}"
+echo ""
+
+if [[ "${DRY_RUN}" == false && -d "${OUTPUT_DIR}" ]]; then
+  echo "Bundled packs:"
+  ls -lh "${OUTPUT_DIR}/"
+  echo ""
+fi
+
+if [[ "${FAILED}" -gt 0 ]]; then
+  echo "❌ ${FAILED} pack(s) failed to bundle." >&2
+  exit 1
+fi
+
+if [[ "${DRY_RUN}" == true ]]; then
+  echo "✅ Dry run complete. No packs were actually bundled."
+else
+  echo "✅ All CodeQL packs bundled successfully."
+fi
diff --git a/scripts/publish-packs.sh b/scripts/publish-packs.sh
