Upgrade to CodeQL v2.24.2 and fix release-codeql.yml workflow (#318)

* Upgrade CodeQL CLI dependency to v2.24.2

* Use workspace references for workspace-local qlpacks

* Update required codeql/javascript-all version in packs

Updates the required minimum version of "codeql/javascript-all"
pack dependency to improve consistency across qlpack definitions
while better reflecting the actual version of the dependency that
actually gets installed for the current CodeQL CLI version.

* Support codeql pack publish --allow-prerelease

* refactor: convert pack bundle & publish to scripts

Move the inline pack publishing and bundling logic from the
release-codeql workflow into dedicated scripts:

- scripts/publish-packs.sh: Publishes all CodeQL packs to GHCR with
  pre-release detection, token validation, and dry-run support.
- scripts/bundle-packs.sh: Bundles all CodeQL packs into .tar.gz
  archives with configurable output directory and dry-run support.

Author: data-douser

.github/workflows/release-codeql.yml

@@ -43,19 +43,6 @@ jobs:
       release_name: ${{ steps.version.outputs.release_name }}
       version: ${{ steps.version.outputs.version }}
 
-    env:
-      PUBLISHABLE_PACKS_LIST: |
-        javascript/frameworks/cap/src
-        javascript/frameworks/cap/ext
-        javascript/frameworks/cap/lib
-        javascript/frameworks/ui5/src
-        javascript/frameworks/ui5/ext
-        javascript/frameworks/ui5/lib
-        javascript/frameworks/xsjs/src
-        javascript/frameworks/xsjs/ext
-        javascript/frameworks/xsjs/lib
-        javascript/heuristic-models/ext
-
     steps:
       - name: CodeQL - Validate and parse version
         id: version
@@ -91,9 +78,7 @@ jobs:
 
       - name: CodeQL - Install pack dependencies
         shell: bash
-        run: |
-          chmod +x ./scripts/install-packs.sh
-          ./scripts/install-packs.sh
+        run: ./scripts/install-packs.sh
 
       - name: CodeQL - Validate version consistency
         run: |
@@ -106,50 +91,14 @@ jobs:
         if: inputs.publish_codeql_packs
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # Read the shared pack list from the job-level environment variable.
-          mapfile -t PUBLISHABLE_PACKS <<< "${PUBLISHABLE_PACKS_LIST}"
-
-          echo "Publishing CodeQL packs..."
-          for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
-            if [ -d "${pack_dir}" ]; then
-              pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
-              echo "📦 Publishing ${pack_name} from ${pack_dir}..."
-              echo "${GITHUB_TOKEN}" | codeql pack publish --github-auth-stdin --threads=-1 -- "${pack_dir}"
-              echo "✅ Published ${pack_name}"
-            else
-              echo "⚠️ Skipping: ${pack_dir} not found"
-            fi
-          done
+        run: ./scripts/publish-packs.sh "${{ steps.version.outputs.release_name }}"
 
       - name: CodeQL - Skip pack publishing
         if: '!inputs.publish_codeql_packs'
         run: echo "⏭️ CodeQL pack publishing disabled via workflow input"
 
       - name: CodeQL - Bundle CodeQL packs
-        run: |
-          mkdir -p dist-packs
-
-          # Bundle all publishable packs
-          # Read the pack list from the environment into a Bash array.
-          # Each line in PUBLISHABLE_PACKS_LIST becomes one element.
-          mapfile -t PUBLISHABLE_PACKS <<< "${PUBLISHABLE_PACKS_LIST}"
-
-          echo "Bundling CodeQL packs..."
-          for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
-            if [ -d "${pack_dir}" ]; then
-              pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
-              # Convert pack name to filename: advanced-security/foo -> foo
-              bundle_name="${pack_name#advanced-security/}"
-              output="dist-packs/${bundle_name}.tar.gz"
-              echo "📦 Bundling ${pack_name} -> ${output}..."
-              codeql pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"
-              echo "✅ Bundled ${bundle_name}"
-            fi
-          done
-          echo ""
-          echo "Bundled packs:"
-          ls -lh dist-packs/
+        run: ./scripts/bundle-packs.sh --output-dir dist-packs
 
       - name: CodeQL - Upload pack artifacts
         uses: actions/upload-artifact@v6

javascript/frameworks/cap/ext/qlpack.yml

@@ -1,6 +1,6 @@
 ---
 library: true
 name: advanced-security/javascript-sap-cap-models
-version: 2.3.0
+version: 2.24.2
 extensionTargets:
-  codeql/javascript-all: "^2.4.0"
+  codeql/javascript-all: "^2.6.22"

javascript/frameworks/cap/lib/codeql-pack.lock.yml

@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.15
+    version: 0.0.16
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.26
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.0.26
   codeql/javascript-all:
-    version: 2.6.21
+    version: 2.6.22
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.42
   codeql/regex:
-    version: 1.0.41
+    version: 1.0.42
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.18
   codeql/threat-models:
-    version: 1.0.41
+    version: 1.0.42
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.42
   codeql/typetracking:
-    version: 2.0.25
+    version: 2.0.26
   codeql/util:
-    version: 2.0.28
+    version: 2.0.29
   codeql/xml:
-    version: 1.0.41
+    version: 1.0.42
   codeql/yaml:
-    version: 1.0.41
+    version: 1.0.42
 compiled: false

javascript/frameworks/cap/lib/qlpack.yml

@@ -1,8 +1,8 @@
 ---
 library: true
 name: advanced-security/javascript-sap-cap-all
-version: 2.3.0
+version: 2.24.2
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.4.0"
+  codeql/javascript-all: "^2.6.22"

javascript/frameworks/cap/src/codeql-pack.lock.yml

@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.15
+    version: 0.0.16
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.26
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.0.26
   codeql/javascript-all:
-    version: 2.6.21
+    version: 2.6.22
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.42
   codeql/regex:
-    version: 1.0.41
+    version: 1.0.42
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.18
   codeql/threat-models:
-    version: 1.0.41
+    version: 1.0.42
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.42
   codeql/typetracking:
-    version: 2.0.25
+    version: 2.0.26
   codeql/util:
-    version: 2.0.28
+    version: 2.0.29
   codeql/xml:
-    version: 1.0.41
+    version: 1.0.42
   codeql/yaml:
-    version: 1.0.41
+    version: 1.0.42
 compiled: false

javascript/frameworks/cap/src/qlpack.yml

@@ -1,10 +1,10 @@
 ---
 library: false
 name: advanced-security/javascript-sap-cap-queries
-version: 2.3.0
+version: 2.24.2
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.4.0"
-  advanced-security/javascript-sap-cap-all: "^2.3.0"
+  codeql/javascript-all: "^2.6.22"
+  advanced-security/javascript-sap-cap-all: "${workspace}"
 default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/cap/test/codeql-pack.lock.yml

@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.15
+    version: 0.0.16
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.26
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.0.26
   codeql/javascript-all:
-    version: 2.6.21
+    version: 2.6.22
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.42
   codeql/regex:
-    version: 1.0.41
+    version: 1.0.42
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.18
   codeql/threat-models:
-    version: 1.0.41
+    version: 1.0.42
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.42
   codeql/typetracking:
-    version: 2.0.25
+    version: 2.0.26
   codeql/util:
-    version: 2.0.28
+    version: 2.0.29
   codeql/xml:
-    version: 1.0.41
+    version: 1.0.42
   codeql/yaml:
-    version: 1.0.41
+    version: 1.0.42
 compiled: false

javascript/frameworks/cap/test/qlpack.yml

@@ -1,9 +1,9 @@
 ---
 name: advanced-security/javascript-sap-cap-queries-tests
-version: 2.3.0
+version: 2.24.2
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.4.0"
-  advanced-security/javascript-sap-cap-queries: "^2.3.0"
-  advanced-security/javascript-sap-cap-models: "^2.3.0"
-  advanced-security/javascript-sap-cap-all: "^2.3.0"
+  codeql/javascript-all: "^2.6.22"
+  advanced-security/javascript-sap-cap-queries: "${workspace}"
+  advanced-security/javascript-sap-cap-models: "${workspace}"
+  advanced-security/javascript-sap-cap-all: "${workspace}"

javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml

@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.15
+    version: 0.0.16
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.26
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.0.26
   codeql/javascript-all:
-    version: 2.6.21
+    version: 2.6.22
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.42
   codeql/regex:
-    version: 1.0.41
+    version: 1.0.42
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.18
   codeql/threat-models:
-    version: 1.0.41
+    version: 1.0.42
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.42
   codeql/typetracking:
-    version: 2.0.25
+    version: 2.0.26
   codeql/util:
-    version: 2.0.28
+    version: 2.0.29
   codeql/xml:
-    version: 1.0.41
+    version: 1.0.42
   codeql/yaml:
-    version: 1.0.41
+    version: 1.0.42
 compiled: false

javascript/frameworks/ui5-webcomponents/test/qlpack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/javascript-sap-ui5-webcomponents-for-react-test
-version: 2.3.0
+version: 2.24.2
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.4.0"
-  advanced-security/javascript-sap-ui5-all: "^2.3.0"
+  codeql/javascript-all: "^2.6.22"
+  advanced-security/javascript-sap-ui5-all: "${workspace}"