@@ -82,15 +82,14 @@ cd "${REPO_ROOT}"
8282# # Resolve and pin the latest compatible version of codeql/* upstream
8383# # dependencies in a pack's qlpack.yml.
8484# #
85- # # Strategy: run ` codeql pack upgrade` to resolve the latest compatible
86- # # versions into the lock file, then read resolved versions back and update
87- # # qlpack.yml to pin exact versions. For extension packs (extensionTargets)
88- # # whose lock files have no dependency entries, a temporary pack is used
89- # # to resolve the latest version .
85+ # # Strategy: for each codeql/* dependency, create a temporary pack with a
86+ # # wildcard constraint and run `codeql pack upgrade` to discover the latest
87+ # # compatible version, then update qlpack.yml to pin that exact version.
88+ # # This ensures that even if qlpack.yml already pins an exact version,
89+ # # subsequent runs will still discover newer upstream releases .
9090pin_upstream_deps () {
9191 local pack_dir=" $1 "
9292 local qlpack_yml=" ${pack_dir} /qlpack.yml"
93- local lock_file=" ${pack_dir} /codeql-pack.lock.yml"
9493
9594 if [[ ! -f " ${qlpack_yml} " ]]; then
9695 return
@@ -103,9 +102,20 @@ pin_upstream_deps() {
103102 return
104103 fi
105104
106- # # Run codeql pack upgrade to resolve the latest compatible versions.
107- # # Suppress normal output but keep stderr so failures are diagnosable.
108- codeql pack upgrade -- " ${pack_dir} " > /dev/null
105+ # # Create a single temporary directory for all version resolution and ensure
106+ # # it is removed on exit (success or failure), preserving any existing trap.
107+ local tmp_dir
108+ tmp_dir=$( mktemp -d)
109+ local previous_exit_trap
110+ previous_exit_trap=$( trap -p EXIT | sed -E " s/^trap -- '(.*)' EXIT$/\1/" || true)
111+ if [[ -n " ${previous_exit_trap} " ]]; then
112+ trap ' rm -rf "' " ${tmp_dir} " ' "; ' " ${previous_exit_trap} " EXIT
113+ else
114+ trap ' rm -rf "' " ${tmp_dir} " ' "' EXIT
115+ fi
116+
117+ local extractor
118+ extractor=$( grep -m1 " ^extractor:" " ${qlpack_yml} " | awk ' {print $2}' || echo " javascript" )
109119
110120 while IFS= read -r dep_line; do
111121 # # Extract dep name and current version value
@@ -116,42 +126,25 @@ pin_upstream_deps() {
116126 dep_name=$( echo " ${dep_line} " | sed ' s/^[[:space:]]*"*//; s/"*[[:space:]]*:.*//' )
117127 dep_old_value=$( echo " ${dep_line} " | sed ' s/^[^:]*:[[:space:]]*//' )
118128
119- # # Read the resolved version from the lock file
120- local resolved_version=" "
121- if [[ -f " ${lock_file} " ]]; then
122- resolved_version=$( awk " /${dep_name// \/ / \\ / } :/{getline; print}" " ${lock_file} " \
123- | sed ' s/.*version:[[:space:]]*//' | head -1)
124- fi
125-
126- # # For extension packs (extensionTargets), the lock file has no dependency
127- # # entries. Resolve via a temporary pack with a wildcard dep.
128- if [[ -z " ${resolved_version} " ]]; then
129- local tmp_dir
130- tmp_dir=$( mktemp -d)
131- # # Ensure the temp dir is removed even on early exit (e.g. codeql pack upgrade failure)
132- local previous_exit_trap
133- previous_exit_trap=$( trap -p EXIT | sed -E " s/^trap -- '(.*)' EXIT$/\1/" || true)
134- if [[ -n " ${previous_exit_trap} " ]]; then
135- trap ' rm -rf "' " ${tmp_dir} " ' "; ' " ${previous_exit_trap} " EXIT
136- else
137- trap ' rm -rf "' " ${tmp_dir} " ' "' EXIT
138- fi
139- local extractor
140- extractor=$( grep -m1 " ^extractor:" " ${qlpack_yml} " | awk ' {print $2}' || echo " javascript" )
141- cat > " ${tmp_dir} /qlpack.yml" << TMPEOF
129+ # # Resolve the latest compatible version via a temporary pack with a
130+ # # wildcard constraint. Using a wildcard here (rather than reading from
131+ # # the pack's own lock file) ensures that even when qlpack.yml already
132+ # # pins an exact version, subsequent runs still discover newer upstream
133+ # # releases.
134+ cat > " ${tmp_dir} /qlpack.yml" << TMPEOF
142135name: tmp/resolve-version
143136version: 0.0.1
144137extractor: ${extractor}
145138dependencies:
146139 ${dep_name} : "*"
147140TMPEOF
148- codeql pack upgrade -- " ${tmp_dir} " > /dev/null 2>&1
149- if [[ -f " ${tmp_dir} /codeql-pack.lock.yml " ]] ; then
150- resolved_version= $( awk " / ${dep_name // \/ / \\ / } :/{getline; print} " " ${tmp_dir} /codeql-pack.lock.yml " \
151- | sed ' s/.*version:[[:space:]]*// ' | head -1 )
152- fi
153- rm -rf " ${tmp_dir} "
154- trap - RETURN
141+ rm -f " ${tmp_dir} /codeql-pack.lock.yml "
142+ codeql pack upgrade -- " ${tmp_dir} " > /dev/null
143+
144+ local resolved_version= " "
145+ if [[ -f " ${tmp_dir} /codeql-pack.lock.yml " ]] ; then
146+ resolved_version= $( awk " / ${dep_name // \/ / \\ / } :/{getline; print} " " ${tmp_dir} /codeql-pack.lock.yml " \
147+ | sed ' s/.*version:[[:space:]]*// ' | head -1 )
155148 fi
156149
157150 if [[ -z " ${resolved_version} " ]]; then
@@ -180,6 +173,14 @@ TMPEOF
180173 rm -f " ${qlpack_yml} .bak"
181174 echo " ✅ ${dep_name} : ${dep_old_value} -> ${new_value} "
182175 done <<< " ${dep_lines}"
176+
177+ rm -rf " ${tmp_dir} "
178+ # # Restore the previous EXIT trap
179+ if [[ -n " ${previous_exit_trap} " ]]; then
180+ trap " ${previous_exit_trap} " EXIT
181+ else
182+ trap - EXIT
183+ fi
183184}
184185
185186# # Upgrade a single pack given its qlpack.yml directory
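Review bot: The `awk` program on new lines 146–147 is still built by expanding `dep_name` into a double-quoted program string, so a dependency key read from qlpack.yml is interpreted as awk regex (and, with the right characters, as awk code) rather than as data; only `/` is escaped. Since this lookup now runs for every dependency instead of only as a fallback, pass the name as a variable and match it literally, e.g. `awk -v dep="${dep_name}:" 'index($0, dep) {getline; print}' "${tmp_dir}/codeql-pack.lock.yml"`. The same value is also written as a bare key into the temporary qlpack.yml heredoc, so checking `dep_name` against the expected `codeql/<name>` shape before use would cover both; how `dep_lines` is filtered lies outside these hunks, so it may already be constrained. Separately, the saved EXIT handler is extracted from `trap -p` output with `sed` and re-installed as a plain string at new line 180, which as far as I can tell will not round-trip a handler that contains single quotes or spans several lines.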