refactor: always use wildcard temp pack to resolve codeql/* dep versions

Copilot · data-douser · web-flow · commit 64f20977adbd · 2026-03-29T23:08:31.000Z
Agent-Logs-Url: https://github.com/advanced-security/codeql-sap-js/sessions/5bb4a9b4-72b9-420c-ab96-8e2073e7cf10 Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
diff --git a/scripts/upgrade-packs.sh b/scripts/upgrade-packs.sh
@@ -82,15 +82,14 @@ cd "${REPO_ROOT}"
 ## Resolve and pin the latest compatible version of codeql/* upstream
 ## dependencies in a pack's qlpack.yml.
 ##
-## Strategy: run `codeql pack upgrade` to resolve the latest compatible
-## versions into the lock file, then read resolved versions back and update
-## qlpack.yml to pin exact versions. For extension packs (extensionTargets)
-## whose lock files have no dependency entries, a temporary pack is used
-## to resolve the latest version.
+## Strategy: for each codeql/* dependency, create a temporary pack with a
+## wildcard constraint and run `codeql pack upgrade` to discover the latest
+## compatible version, then update qlpack.yml to pin that exact version.
+## This ensures that even if qlpack.yml already pins an exact version,
+## subsequent runs will still discover newer upstream releases.
 pin_upstream_deps() {
   local pack_dir="$1"
   local qlpack_yml="${pack_dir}/qlpack.yml"
-  local lock_file="${pack_dir}/codeql-pack.lock.yml"
 
   if [[ ! -f "${qlpack_yml}" ]]; then
     return
@@ -103,9 +102,20 @@ pin_upstream_deps() {
     return
   fi
 
-  ## Run codeql pack upgrade to resolve the latest compatible versions.
-  ## Suppress normal output but keep stderr so failures are diagnosable.
-  codeql pack upgrade -- "${pack_dir}" >/dev/null
+  ## Create a single temporary directory for all version resolution and ensure
+  ## it is removed on exit (success or failure), preserving any existing trap.
+  local tmp_dir
+  tmp_dir=$(mktemp -d)
+  local previous_exit_trap
+  previous_exit_trap=$(trap -p EXIT | sed -E "s/^trap -- '(.*)' EXIT$/\1/" || true)
+  if [[ -n "${previous_exit_trap}" ]]; then
+    trap 'rm -rf "'"${tmp_dir}"'"; '"${previous_exit_trap}" EXIT
+  else
+    trap 'rm -rf "'"${tmp_dir}"'"' EXIT
+  fi
+
+  local extractor
+  extractor=$(grep -m1 "^extractor:" "${qlpack_yml}" | awk '{print $2}' || echo "javascript")
 
   while IFS= read -r dep_line; do
     ## Extract dep name and current version value
@@ -116,42 +126,25 @@ pin_upstream_deps() {
     dep_name=$(echo "${dep_line}" | sed 's/^[[:space:]]*"*//; s/"*[[:space:]]*:.*//')
     dep_old_value=$(echo "${dep_line}" | sed 's/^[^:]*:[[:space:]]*//')
 
-    ## Read the resolved version from the lock file
-    local resolved_version=""
-    if [[ -f "${lock_file}" ]]; then
-      resolved_version=$(awk "/${dep_name//\//\\/}:/{getline; print}" "${lock_file}" \
-        | sed 's/.*version:[[:space:]]*//' | head -1)
-    fi
-
-    ## For extension packs (extensionTargets), the lock file has no dependency
-    ## entries. Resolve via a temporary pack with a wildcard dep.
-    if [[ -z "${resolved_version}" ]]; then
-      local tmp_dir
-      tmp_dir=$(mktemp -d)
-      ## Ensure the temp dir is removed even on early exit (e.g. codeql pack upgrade failure)
-      local previous_exit_trap
-      previous_exit_trap=$(trap -p EXIT | sed -E "s/^trap -- '(.*)' EXIT$/\1/" || true)
-      if [[ -n "${previous_exit_trap}" ]]; then
-        trap 'rm -rf "'"${tmp_dir}"'"; '"${previous_exit_trap}" EXIT
-      else
-        trap 'rm -rf "'"${tmp_dir}"'"' EXIT
-      fi
-      local extractor
-      extractor=$(grep -m1 "^extractor:" "${qlpack_yml}" | awk '{print $2}' || echo "javascript")
-      cat > "${tmp_dir}/qlpack.yml" <<TMPEOF
+    ## Resolve the latest compatible version via a temporary pack with a
+    ## wildcard constraint. Using a wildcard here (rather than reading from
+    ## the pack's own lock file) ensures that even when qlpack.yml already
+    ## pins an exact version, subsequent runs still discover newer upstream
+    ## releases.
+    cat > "${tmp_dir}/qlpack.yml" <<TMPEOF
 name: tmp/resolve-version
 version: 0.0.1
 extractor: ${extractor}
 dependencies:
   ${dep_name}: "*"
 TMPEOF
-      codeql pack upgrade -- "${tmp_dir}" >/dev/null 2>&1
-      if [[ -f "${tmp_dir}/codeql-pack.lock.yml" ]]; then
-        resolved_version=$(awk "/${dep_name//\//\\/}:/{getline; print}" "${tmp_dir}/codeql-pack.lock.yml" \
-          | sed 's/.*version:[[:space:]]*//' | head -1)
-      fi
-      rm -rf "${tmp_dir}"
-      trap - RETURN
+    rm -f "${tmp_dir}/codeql-pack.lock.yml"
+    codeql pack upgrade -- "${tmp_dir}" >/dev/null
+
+    local resolved_version=""
+    if [[ -f "${tmp_dir}/codeql-pack.lock.yml" ]]; then
+      resolved_version=$(awk "/${dep_name//\//\\/}:/{getline; print}" "${tmp_dir}/codeql-pack.lock.yml" \
+        | sed 's/.*version:[[:space:]]*//' | head -1)
     fi
 
     if [[ -z "${resolved_version}" ]]; then
@@ -180,6 +173,14 @@ TMPEOF
     rm -f "${qlpack_yml}.bak"
     echo "  ✅ ${dep_name}: ${dep_old_value} -> ${new_value}"
   done <<< "${dep_lines}"
+
+  rm -rf "${tmp_dir}"
+  ## Restore the previous EXIT trap
+  if [[ -n "${previous_exit_trap}" ]]; then
+    trap "${previous_exit_trap}" EXIT
+  else
+    trap - EXIT
+  fi
 }
 
 ## Upgrade a single pack given its qlpack.yml directory
