Fixes for upgrade-packs & update-release scripts

Author: data-douser

scripts/update-release-version.sh

@@ -258,9 +258,11 @@ update_qlt_config() {
 }
 
 ## Update internal dependency references in a qlpack.yml file
-## e.g., advanced-security/javascript-sap-cap-models: "^2.3.0" -> "^2.4.0"
-## e.g., advanced-security/javascript-sap-cap-models: "^2.3.0" -> "^2.4.0-alpha"
-## and   advanced-security/javascript-heuristic-models: 2.3.0 -> 2.4.0
+## Handles all formats found in the repository:
+##   pack_name: "X.Y.Z"         (quoted exact — most common)
+##   pack_name: "^X.Y.Z"        (quoted caret-prefixed)
+##   "pack_name": "X.Y.Z"       (quoted key and value — heuristic-models)
+##   pack_name: X.Y.Z           (unquoted exact)
 update_internal_deps() {
   local file="$1"
   local old_version="$2"
@@ -271,10 +273,16 @@ update_internal_deps() {
   escaped_old_version=$(printf '%s' "${old_version}" | sed 's/\./\\./g')
 
   for pack_name in "${INTERNAL_PACKS[@]}"; do
-    # Update quoted caret-prefixed versions: "^X.Y.Z"
+    # Update quoted exact versions: pack_name: "X.Y.Z"
+    sed -i.bak "s|${pack_name}: \"${escaped_old_version}\"|${pack_name}: \"${new_version}\"|g" "${file}"
+    rm -f "${file}.bak"
+    # Update quoted exact versions with quoted key: "pack_name": "X.Y.Z"
+    sed -i.bak "s|\"${pack_name}\": \"${escaped_old_version}\"|\"${pack_name}\": \"${new_version}\"|g" "${file}"
+    rm -f "${file}.bak"
+    # Update quoted caret-prefixed versions: pack_name: "^X.Y.Z"
     sed -i.bak "s|${pack_name}: \"\\^${escaped_old_version}\"|${pack_name}: \"^${new_version}\"|g" "${file}"
     rm -f "${file}.bak"
-    # Update unquoted exact versions: X.Y.Z
+    # Update unquoted exact versions: pack_name: X.Y.Z
     sed -i.bak "s|${pack_name}: ${escaped_old_version}$|${pack_name}: ${new_version}|g" "${file}"
     rm -f "${file}.bak"
   done

scripts/upgrade-packs.sh

@@ -4,8 +4,10 @@ set -euo pipefail
 ## upgrade-packs.sh
 ## Upgrade CodeQL pack dependencies for packs in the codeql-sap-js repository.
 ##
-## This script upgrades lock files for both source and test packs, installing
-## the latest compatible version of each dependency (ignoring existing lock files).
+## This script resolves the latest compatible versions of external CodeQL pack
+## dependencies (e.g., codeql/javascript-all), pins qlpack.yml dependency
+## references to those exact versions, and then upgrades lock files for both
+## source and test packs.
 ##
 ## Usage:
 ##   ./scripts/upgrade-packs.sh
@@ -75,6 +77,84 @@ fi
 
 cd "${REPO_ROOT}"
 
+## External CodeQL pack dependencies whose versions should be pinned explicitly.
+## Each entry is a pack name used under the 'dependencies:' key in qlpack.yml files.
+## External CodeQL pack dependencies whose versions should be pinned explicitly.
+## Each entry is a pack name referenced under 'dependencies:' or 'extensionTargets:'
+## in qlpack.yml files.
+EXTERNAL_PACKS=(
+  "codeql/javascript-all"
+  "codeql/javascript-queries"
+)
+
+## Resolve the latest compatible version of an external pack using the CodeQL CLI.
+## Uses 'codeql pack download --format=json' which resolves and caches the latest
+## version compatible with the current CLI.
+resolve_pack_version() {
+  local pack_name="$1"
+  local version
+  version=$(codeql pack download --format=json "${pack_name}" 2>/dev/null \
+    | python3 -c "import sys,json; packs=json.load(sys.stdin)['packs']; print(packs[0]['version'])" 2>/dev/null)
+  if [[ -z "${version}" ]]; then
+    echo "ERROR: Failed to resolve version for ${pack_name}" >&2
+    return 1
+  fi
+  echo "${version}"
+}
+
+## Pin external pack dependency versions in all qlpack.yml files.
+## Updates both 'dependencies:' and 'extensionTargets:' entries to reference
+## the exact resolved version.
+## Handles both unquoted and quoted key formats:
+##   pack_name: "^X.Y.Z"  or  pack_name: "X.Y.Z"  or  "pack_name": "X.Y.Z"
+pin_external_dependency_versions() {
+  echo "Resolving latest compatible versions of external pack dependencies..."
+
+  # Build an associative array of pack_name -> resolved_version
+  declare -A resolved_versions
+  for pack_name in "${EXTERNAL_PACKS[@]}"; do
+    local version
+    version=$(resolve_pack_version "${pack_name}")
+    resolved_versions["${pack_name}"]="${version}"
+    echo "  ${pack_name} -> ${version}"
+  done
+
+  echo ""
+  echo "Pinning external dependency versions in qlpack.yml files..."
+
+  # Find all qlpack.yml files under javascript/ (excluding .codeql pack cache directories)
+  find "${REPO_ROOT}/javascript" -name "qlpack.yml" -not -path "*/.codeql/*" -type f | sort | while read -r qlpack_file; do
+    local rel_path="${qlpack_file#${REPO_ROOT}/}"
+    local changed=false
+
+    for pack_name in "${EXTERNAL_PACKS[@]}"; do
+      local new_version="${resolved_versions[${pack_name}]}"
+
+      # Update any reference to this pack (under dependencies: or extensionTargets:)
+      # Update quoted versions with optional range prefix (^, >, >=): "^X.Y.Z", ">X.Y.Z", "X.Y.Z"
+      if grep -q "${pack_name}" "${qlpack_file}"; then
+        sed -i.bak -E "s|(${pack_name}\"?:[[:space:]]*\")[>^>=]*[0-9]+\.[0-9]+\.[0-9]+\"|\1${new_version}\"|g" "${qlpack_file}"
+        rm -f "${qlpack_file}.bak"
+        # Also handle the quoted-key form: "pack_name": "X.Y.Z"
+        sed -i.bak -E "s|(\"${pack_name}\":[[:space:]]*\")[>^>=]*[0-9]+\.[0-9]+\.[0-9]+\"|\1${new_version}\"|g" "${qlpack_file}"
+        rm -f "${qlpack_file}.bak"
+        changed=true
+      fi
+    done
+
+    if [[ "${changed}" == true ]]; then
+      echo "  ✅ ${rel_path}"
+    fi
+  done
+
+  echo ""
+
+  # Remove existing lock files to force fresh dependency resolution
+  echo "Removing existing codeql-pack.lock.yml files..."
+  find "${REPO_ROOT}/javascript" -name "codeql-pack.lock.yml" -not -path "*/.codeql/*" -type f -exec rm -f {} \;
+  echo ""
+}
+
 ## Upgrade a single pack given its qlpack.yml directory
 upgrade_pack() {
   local pack_dir="$1"
@@ -92,7 +172,8 @@ upgrade_framework() {
   echo "Upgrading packs for: ${framework_path}"
 
   # Find all qlpack.yml files under this framework and upgrade their packs
-  find "${REPO_ROOT}/${framework_path}" -name "qlpack.yml" -type f | sort | while read -r qlpack_file; do
+  # Excludes .codeql/ pack cache directories which contain previously published packs
+  find "${REPO_ROOT}/${framework_path}" -name "qlpack.yml" -not -path "*/.codeql/*" -type f | sort | while read -r qlpack_file; do
     local pack_dir
     pack_dir=$(dirname "${qlpack_file}")
     # Use relative path for cleaner output
@@ -102,6 +183,7 @@ upgrade_framework() {
 }
 
 if [[ -n "${FRAMEWORK}" ]]; then
+  pin_external_dependency_versions
   case "${FRAMEWORK}" in
     heuristic-models)
       upgrade_framework "javascript/heuristic-models"
@@ -114,6 +196,7 @@ if [[ -n "${FRAMEWORK}" ]]; then
       ;;
   esac
 else
+  pin_external_dependency_versions
   echo "Upgrading packs for all frameworks..."
   upgrade_framework "javascript/frameworks/cap"
   upgrade_framework "javascript/frameworks/ui5"