Merge branch 'main' into mbaluda/xsrf-tests

Author: mbaluda

.github/workflows/release-codeql.yml

@@ -43,19 +43,6 @@ jobs:
       release_name: ${{ steps.version.outputs.release_name }}
       version: ${{ steps.version.outputs.version }}
 
-    env:
-      PUBLISHABLE_PACKS_LIST: |
-        javascript/frameworks/cap/src
-        javascript/frameworks/cap/ext
-        javascript/frameworks/cap/lib
-        javascript/frameworks/ui5/src
-        javascript/frameworks/ui5/ext
-        javascript/frameworks/ui5/lib
-        javascript/frameworks/xsjs/src
-        javascript/frameworks/xsjs/ext
-        javascript/frameworks/xsjs/lib
-        javascript/heuristic-models/ext
-
     steps:
       - name: CodeQL - Validate and parse version
         id: version
@@ -91,9 +78,7 @@ jobs:
 
       - name: CodeQL - Install pack dependencies
         shell: bash
-        run: |
-          chmod +x ./scripts/install-packs.sh
-          ./scripts/install-packs.sh
+        run: ./scripts/install-packs.sh
 
       - name: CodeQL - Validate version consistency
         run: |
@@ -106,50 +91,14 @@ jobs:
         if: inputs.publish_codeql_packs
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # Read the shared pack list from the job-level environment variable.
-          mapfile -t PUBLISHABLE_PACKS <<< "${PUBLISHABLE_PACKS_LIST}"
-
-          echo "Publishing CodeQL packs..."
-          for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
-            if [ -d "${pack_dir}" ]; then
-              pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
-              echo "📦 Publishing ${pack_name} from ${pack_dir}..."
-              echo "${GITHUB_TOKEN}" | codeql pack publish --github-auth-stdin --threads=-1 -- "${pack_dir}"
-              echo "✅ Published ${pack_name}"
-            else
-              echo "⚠️ Skipping: ${pack_dir} not found"
-            fi
-          done
+        run: ./scripts/publish-packs.sh "${{ steps.version.outputs.release_name }}"
 
       - name: CodeQL - Skip pack publishing
         if: '!inputs.publish_codeql_packs'
         run: echo "⏭️ CodeQL pack publishing disabled via workflow input"
 
       - name: CodeQL - Bundle CodeQL packs
-        run: |
-          mkdir -p dist-packs
-
-          # Bundle all publishable packs
-          # Read the pack list from the environment into a Bash array.
-          # Each line in PUBLISHABLE_PACKS_LIST becomes one element.
-          mapfile -t PUBLISHABLE_PACKS <<< "${PUBLISHABLE_PACKS_LIST}"
-
-          echo "Bundling CodeQL packs..."
-          for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
-            if [ -d "${pack_dir}" ]; then
-              pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
-              # Convert pack name to filename: advanced-security/foo -> foo
-              bundle_name="${pack_name#advanced-security/}"
-              output="dist-packs/${bundle_name}.tar.gz"
-              echo "📦 Bundling ${pack_name} -> ${output}..."
-              codeql pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"
-              echo "✅ Bundled ${bundle_name}"
-            fi
-          done
-          echo ""
-          echo "Bundled packs:"
-          ls -lh dist-packs/
+        run: ./scripts/bundle-packs.sh --output-dir dist-packs
 
       - name: CodeQL - Upload pack artifacts
         uses: actions/upload-artifact@v6

.github/workflows/release.yml

@@ -24,6 +24,10 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: release-${{ github.event.inputs.version || github.ref_name }}
+  cancel-in-progress: true
+
 jobs:
   # ─────────────────────────────────────────────────────────────────────────────
   # Step 1: Determine the release version

.github/workflows/update-codeql.yml

@@ -15,8 +15,7 @@ jobs:
   #
   # Compares the current CodeQL CLI version in qlt.conf.json against the latest
   # release from github/codeql-cli-binaries. If a newer version is available,
-  # downstream jobs orchestrate a full release using the same child workflows
-  # as release.yml, guarded by environment approval gates.
+  # downstream jobs orchestrate the update and PR creation.
   # ─────────────────────────────────────────────────────────────────────────────
   detect-update:
     name: Detect CodeQL CLI Update
@@ -38,8 +37,21 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           echo "Checking latest CodeQL CLI version..."
+
+          # Read current version from qlt.conf.json
           current_version=$(jq -r .CodeQLCLI qlt.conf.json)
+
+          # Get latest release from codeql-cli-binaries
           latest_tag=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName')
+
+          # Validate that we found a latest release
+          if [ -z "${latest_tag}" ]; then
+            echo "❌ Error: Could not determine latest CodeQL CLI version from github/codeql-cli-binaries" >&2
+            echo "No release marked as 'latest' was found. This may indicate an API issue or repository change." >&2
+            echo "update_needed=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+
           latest_clean="${latest_tag#v}"
 
           echo "Current CodeQL CLI version: ${current_version}"
@@ -63,91 +75,115 @@ jobs:
           if [ "${{ steps.check-version.outputs.update_needed }}" == "true" ]; then
             echo "✅ Update available: ${{ steps.check-version.outputs.current_version }} → ${{ steps.check-version.outputs.latest_version }}" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY
-            echo "Initiating release pipeline for \`v${{ steps.check-version.outputs.latest_version }}\`..." >> $GITHUB_STEP_SUMMARY
+            echo "Initiating update pipeline for \`${{ steps.check-version.outputs.version }}\`..." >> $GITHUB_STEP_SUMMARY
           else
-            echo "ℹ️ CodeQL CLI is already up-to-date. No release needed." >> $GITHUB_STEP_SUMMARY
+            echo "ℹ️ CodeQL CLI is already up-to-date. No changes needed." >> $GITHUB_STEP_SUMMARY
           fi
 
   # ─────────────────────────────────────────────────────────────────────────────
-  # Step 2: Create release tag
+  # Step 2: Update version, test, and create PR
   #
-  # Calls the same release-tag workflow used by release.yml. This ensures the
-  # version update, CodeQL installation, pack lock upgrade, unit tests, and tag
-  # creation all follow the same validated process.
+  # Updates all version-bearing files (qlt.conf.json, qlpack.yml files),
+  # installs CodeQL, upgrades pack lock files, compiles CDS files, runs unit
+  # tests, and creates a pull request with the changes.
   #
-  # The release-tag environment approval gate provides human-in-the-loop review
-  # before any changes are committed.
+  # This does NOT trigger the release pipeline. Merging the PR and creating a
+  # release tag is a separate, human-initiated step via release.yml.
   # ─────────────────────────────────────────────────────────────────────────────
-  ensure-tag:
-    name: Ensure Release Tag
+  create-pr:
+    name: Create Update Pull Request
     needs: detect-update
     if: needs.detect-update.outputs.update_needed == 'true'
-    permissions:
-      contents: write
-    uses: ./.github/workflows/release-tag.yml
-    with:
-      version: ${{ needs.detect-update.outputs.version }}
-
-  # ─────────────────────────────────────────────────────────────────────────────
-  # Step 3: Publish and bundle CodeQL packs
-  #
-  # Calls the same release-codeql workflow used by release.yml. Publishes packs
-  # to GHCR and bundles them as artifacts for the GitHub Release.
-  # ─────────────────────────────────────────────────────────────────────────────
-  publish-codeql:
-    name: Publish CodeQL Packs
-    needs: [detect-update, ensure-tag]
-    if: needs.detect-update.outputs.update_needed == 'true'
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/release-codeql.yml
-    with:
-      publish_codeql_packs: true
-      version: ${{ needs.detect-update.outputs.version }}
-
-  # ─────────────────────────────────────────────────────────────────────────────
-  # Step 4: Create GitHub Release
-  #
-  # Downloads the CodeQL pack bundles and creates the GitHub Release with
-  # auto-generated release notes and attached pack artifacts.
-  # ─────────────────────────────────────────────────────────────────────────────
-  create-release:
-    name: Create GitHub Release
-    needs: [detect-update, ensure-tag, publish-codeql]
-    if: >-
-      always() && !failure() && !cancelled()
-      && needs.detect-update.outputs.update_needed == 'true'
     runs-on: ubuntu-latest
 
     permissions:
       contents: write
+      pull-requests: write
 
     steps:
-      - name: Release - Download CodeQL pack artifacts
-        uses: actions/download-artifact@v7
-        with:
-          name: codeql-pack-bundles-${{ needs.detect-update.outputs.version }}
-          path: dist-packs
+      - name: Update - Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Update - Update version in all files
+        run: |
+          LATEST="${{ needs.detect-update.outputs.latest_version }}"
+          echo "Updating all version-bearing files to ${LATEST}..."
+          ./scripts/update-release-version.sh "${LATEST}"
 
-      - name: Release - Create GitHub Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+      - name: Update - Install CodeQL via GitHub CLI
+        env:
+          GH_TOKEN: ${{ github.token }}
+        shell: bash
+        run: |
+          CODEQL_VERSION="${{ needs.detect-update.outputs.latest_version }}"
+          echo "Installing CodeQL CLI ${CODEQL_VERSION} via gh-codeql..."
+          gh extension install github/gh-codeql
+          gh codeql set-version "${CODEQL_VERSION}"
+          STUB_DIR="$HOME/.local/bin"
+          mkdir -p "${STUB_DIR}"
+          gh codeql install-stub "${STUB_DIR}/"
+          echo "${STUB_DIR}" >> "$GITHUB_PATH"
+          export PATH="${STUB_DIR}:${PATH}"
+          echo "CodeQL version: $(codeql version --format=terse)"
+
+      - name: Update - Upgrade CodeQL pack lock files
+        run: ./scripts/upgrade-packs.sh
+
+      - name: Update - Setup Node.js for CDS compilation
+        uses: actions/setup-node@v6
         with:
-          files: |
-            dist-packs/*.tar.gz
-          generate_release_notes: true
-          tag_name: ${{ needs.detect-update.outputs.version }}
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: 'extractors/cds/tools/package-lock.json'
 
-      - name: Release - Summary
+      - name: Update - Compile CAP CDS files
+        run: ./extractors/cds/tools/workflow/cds-compilation-for-actions.sh
+
+      - name: Update - Run CodeQL unit tests
+        env:
+          LGTM_INDEX_XML_MODE: all
+          LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
+        shell: bash
+        run: |
+          echo "Running CodeQL unit tests to validate update..."
+          codeql test run \
+            --threads=0 \
+            --strict-test-discovery \
+            --additional-packs="${GITHUB_WORKSPACE}" \
+            -- javascript/
+
+      - name: Update - Create Pull Request
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
+        with:
+          title: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}'
+          body: |
+            This PR upgrades the CodeQL CLI version to ${{ needs.detect-update.outputs.version }}.
+
+            **Changes made:**
+            - Updated `qlt.conf.json` (CodeQLCLI, CodeQLStandardLibrary, CodeQLCLIBundle) to `${{ needs.detect-update.outputs.latest_version }}`
+            - Updated all version-bearing qlpack.yml files to `${{ needs.detect-update.outputs.latest_version }}`
+            - Upgraded CodeQL pack lock files
+            - Compiled CAP CDS files
+            - CodeQL unit tests passed ✅
+
+            **To complete the release**, merge this PR and then trigger the release workflow
+            via `workflow_dispatch` on `release.yml` with version `${{ needs.detect-update.outputs.version }}`.
+          commit-message: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}'
+          delete-branch: true
+          branch: 'codeql/upgrade-to-${{ needs.detect-update.outputs.version }}'
+
+      - name: Update - Summary
         run: |
           VERSION="${{ needs.detect-update.outputs.version }}"
-          RELEASE_NAME="${{ needs.detect-update.outputs.latest_version }}"
-          echo "## Automated Release Summary" >> $GITHUB_STEP_SUMMARY
+          CURRENT="${{ needs.detect-update.outputs.current_version }}"
+          LATEST="${{ needs.detect-update.outputs.latest_version }}"
+          echo "## CodeQL CLI Update Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Triggered by CodeQL CLI update: ${CURRENT} → ${LATEST}" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "Triggered by CodeQL CLI update: ${{ needs.detect-update.outputs.current_version }} → ${RELEASE_NAME}" >> $GITHUB_STEP_SUMMARY
+          echo "| Property | Old Value | New Value |" >> $GITHUB_STEP_SUMMARY
+          echo "| -------- | --------- | --------- |" >> $GITHUB_STEP_SUMMARY
+          echo "| qlt.conf.json CodeQLCLI | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY
+          echo "| qlpack.yml versions | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Step | Status |" >> $GITHUB_STEP_SUMMARY
-          echo "| ---- | ------ |" >> $GITHUB_STEP_SUMMARY
-          echo "| Tag | ✅ ${VERSION} |" >> $GITHUB_STEP_SUMMARY
-          echo "| CodeQL pack publish | ✅ Published to GHCR |" >> $GITHUB_STEP_SUMMARY
-          echo "| GitHub Release | ✅ Created |" >> $GITHUB_STEP_SUMMARY
+          echo "A pull request has been created with these changes." >> $GITHUB_STEP_SUMMARY

README.md

@@ -12,7 +12,10 @@ This repository contains [CodeQL](https://codeql.github.com/) models and queries
 
 - [advanced-security/javascript-sap-cap-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-cap-queries)
 - [advanced-security/javascript-sap-ui5-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-ui5-queries)
-- [advanced-security/javascript-sap-async-xsjs-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-async-xsjs-queries)
+- [advanced-security/javascript-sap-xsjs-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-xsjs-queries)
+- [advanced-security/javascript-sap-cap-models](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-cap-models)
+- [advanced-security/javascript-sap-ui5-models](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-ui5-models)
+- [advanced-security/javascript-sap-xsjs-models](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-xsjs-models)
 
 ## Usage
 
@@ -65,6 +68,9 @@ packs:
     - advanced-security/javascript-sap-xsjs-queries:codeql-suites/javascript-security-extended.qls
     - advanced-security/javascript-sap-cap-queries:codeql-suites/javascript-security-extended.qls
     - advanced-security/javascript-sap-ui5-queries:codeql-suites/javascript-security-extended.qls
+    - advanced-security/javascript-sap-xsjs-models
+    - advanced-security/javascript-sap-cap-models
+    - advanced-security/javascript-sap-ui5-models
 
 paths-ignore:
   - "**/node_modules"
@@ -105,6 +111,9 @@ codeql database analyze <DB_NAME> --format=sarif-latest --output=<OUTPUT_FILE> \
   --download advanced-security/javascript-sap-cap-queries \
              advanced-security/javascript-sap-ui5-queries \
              advanced-security/javascript-sap-xsjs-queries
+  --model-packs=advanced-security/javascript-sap-cap-models
+  --model-packs= advanced-security/javascript-sap-ui5-models
+  --model-packs=advanced-security/javascript-sap-xsjs-models
 ```
 
 ### Example `codeql database create` with CDS Extractor Invocation

extractors/cds/tools/cds-extractor.ts

@@ -3,6 +3,7 @@ import { join } from 'path';
 import { sync as globSync } from 'glob';
 
 import { orchestrateCompilation } from './src/cds/compiler';
+import { orchestrateCdsIndexer } from './src/cds/indexer';
 import { buildCdsProjectDependencyGraph, type CdsDependencyGraph } from './src/cds/parser';
 import { handleEarlyExit, runJavaScriptExtractionWithMarker } from './src/codeql';
 import {
@@ -206,6 +207,23 @@ if (projectCacheDirMap.size === 0) {
   );
 }
 
+// Run cds-indexer for projects that use it (before compilation)
+logPerformanceTrackingStart('CDS Indexer');
+const cdsIndexerSummary = orchestrateCdsIndexer(
+  dependencyGraph,
+  sourceRoot,
+  projectCacheDirMap,
+  codeqlExePath,
+);
+logPerformanceTrackingStop('CDS Indexer');
+
+if (cdsIndexerSummary.projectsRequiringIndexer > 0) {
+  logPerformanceMilestone(
+    'CDS indexer completed',
+    `${cdsIndexerSummary.successfulRuns} succeeded, ${cdsIndexerSummary.failedRuns} failed`,
+  );
+}
+
 // Collect all CDS files to process
 const cdsFilePathsToProcess: string[] = [];
 for (const project of dependencyGraph.projects.values()) {