Fixes for multi-workflow release process (#301)

data-douser · Copilot · web-flow · commit d423bf54134f · 2026-02-23T09:07:49.000-07:00
* Address PR review comments

* Apply suggestions from code review

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* Deduplicate published packs info in workflows

* fix: release-tag handle mismatched versions

Add validation for existing tags created via GitHub UI without
version updates. When an invalid tag is detected, it is deleted
and recreated with correct versions through the full release flow.

Use detached HEAD for the version commit and push only the tag
ref, avoiding branch protection errors on main.

* Remove qlt from release workflows

* Remove redundant pack install step

---------

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/release-codeql.yml b/.github/workflows/release-codeql.yml
@@ -73,26 +73,25 @@ jobs:
         with:
           ref: refs/tags/${{ steps.version.outputs.version }}
 
-      - name: CodeQL - Install QLT
-        id: install-qlt
-        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
-        with:
-          qlt-version: 'latest'
-          add-to-path: true
-
-      - name: CodeQL - Install CodeQL
+      - name: CodeQL - Install CodeQL via GitHub CLI
+        env:
+          GH_TOKEN: ${{ github.token }}
         shell: bash
         run: |
-          echo "Installing CodeQL"
-          qlt codeql run install
-          echo "-----------------------------"
-          echo "CodeQL Home: $QLT_CODEQL_HOME"
-          echo "CodeQL Binary: $QLT_CODEQL_PATH"
+          CODEQL_VERSION=$(jq -r .CodeQLCLI qlt.conf.json)
+          echo "Installing CodeQL CLI ${CODEQL_VERSION} via gh-codeql..."
+          gh extension install github/gh-codeql
+          gh codeql set-version "${CODEQL_VERSION}"
+          STUB_DIR="$HOME/.local/bin"
+          mkdir -p "${STUB_DIR}"
+          gh codeql install-stub "${STUB_DIR}/"
+          echo "${STUB_DIR}" >> "$GITHUB_PATH"
+          export PATH="${STUB_DIR}:${PATH}"
+          echo "CodeQL version: $(codeql version --format=terse)"
 
       - name: CodeQL - Install pack dependencies
         shell: bash
         run: |
-          export PATH="$(dirname "$QLT_CODEQL_PATH"):$PATH"
           chmod +x ./scripts/install-packs.sh
           ./scripts/install-packs.sh
 
@@ -116,7 +115,7 @@ jobs:
             if [ -d "${pack_dir}" ]; then
               pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
               echo "📦 Publishing ${pack_name} from ${pack_dir}..."
-              $QLT_CODEQL_PATH pack publish --threads=-1 -- "${pack_dir}"
+              echo "${GITHUB_TOKEN}" | codeql pack publish --github-auth-stdin --threads=-1 -- "${pack_dir}"
               echo "✅ Published ${pack_name}"
             else
               echo "⚠️ Skipping: ${pack_dir} not found"
@@ -144,7 +143,7 @@ jobs:
               bundle_name="${pack_name#advanced-security/}"
               output="dist-packs/${bundle_name}.tar.gz"
               echo "📦 Bundling ${pack_name} -> ${output}..."
-              $QLT_CODEQL_PATH pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"
+              codeql pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"
               echo "✅ Bundled ${bundle_name}"
             fi
           done
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
@@ -73,92 +73,118 @@ jobs:
             echo "ℹ️ Tag ${TAG} does not exist yet"
           fi
 
+      - name: Tag - Validate existing tag versions
+        id: validate-existing
+        if: steps.check-tag.outputs.tag_exists == 'true'
+        run: |
+          TAG="${{ steps.version.outputs.version }}"
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
+          echo "Validating versions on existing tag ${TAG}..."
+          git checkout "refs/tags/${TAG}" --quiet
+          chmod +x ./scripts/update-release-version.sh
+          if ./scripts/update-release-version.sh --check "${RELEASE_NAME}"; then
+            echo "✅ Existing tag ${TAG} has correct versions"
+            echo "versions_valid=true" >> $GITHUB_OUTPUT
+          else
+            echo ""
+            echo "⚠️ Existing tag ${TAG} has incorrect versions — will delete and recreate"
+            git checkout - --quiet
+            git tag -d "${TAG}" 2>/dev/null || true
+            git push origin --delete "${TAG}" 2>/dev/null || true
+            echo "versions_valid=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Tag - Determine if tag creation is needed
+        id: needs-creation
+        run: |
+          if [ "${{ steps.check-tag.outputs.tag_exists }}" != "true" ]; then
+            echo "needed=true" >> $GITHUB_OUTPUT
+            echo "ℹ️ Tag does not exist — creation needed"
+          elif [ "${{ steps.validate-existing.outputs.versions_valid }}" != "true" ]; then
+            echo "needed=true" >> $GITHUB_OUTPUT
+            echo "ℹ️ Existing tag had wrong versions — recreation needed"
+          else
+            echo "needed=false" >> $GITHUB_OUTPUT
+            echo "ℹ️ Existing tag is valid — no creation needed"
+          fi
+
       - name: Tag - Update release version
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         run: |
           TAG_VERSION="${{ steps.version.outputs.release_name }}"
           echo "Updating all version-bearing files to '${TAG_VERSION}'..."
           chmod +x ./scripts/update-release-version.sh
           ./scripts/update-release-version.sh "${TAG_VERSION}"
 
-      - name: Tag - Install QLT
-        if: steps.check-tag.outputs.tag_exists != 'true'
-        id: install-qlt
-        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
-        with:
-          qlt-version: 'latest'
-          add-to-path: true
-
-      - name: Tag - Install CodeQL
-        if: steps.check-tag.outputs.tag_exists != 'true'
+      - name: Tag - Install CodeQL via GitHub CLI
+        if: steps.needs-creation.outputs.needed == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
         shell: bash
         run: |
-          echo "Installing CodeQL"
-          qlt codeql run install
-          echo "-----------------------------"
-          echo "CodeQL Home: $QLT_CODEQL_HOME"
-          echo "CodeQL Binary: $QLT_CODEQL_PATH"
+          CODEQL_VERSION=$(jq -r .CodeQLCLI qlt.conf.json)
+          echo "Installing CodeQL CLI ${CODEQL_VERSION} via gh-codeql..."
+          gh extension install github/gh-codeql
+          gh codeql set-version "${CODEQL_VERSION}"
+          STUB_DIR="$HOME/.local/bin"
+          mkdir -p "${STUB_DIR}"
+          gh codeql install-stub "${STUB_DIR}/"
+          echo "${STUB_DIR}" >> "$GITHUB_PATH"
+          export PATH="${STUB_DIR}:${PATH}"
+          echo "CodeQL version: $(codeql version --format=terse)"
 
       - name: Tag - Upgrade CodeQL pack lock files
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         shell: bash
         run: |
           echo "Upgrading CodeQL pack lock files"
           find . -name "qlpack.yml" -type f | sort | while read -r qlpack_file; do
             pack_dir=$(dirname "$qlpack_file")
             echo "Upgrading pack in directory: $pack_dir"
             cd "$pack_dir"
-            $QLT_CODEQL_PATH pack upgrade
+            codeql pack upgrade
             cd - > /dev/null
           done
           echo "Finished upgrading all CodeQL pack lock files"
 
-      - name: Tag - Install QL packs
-        if: steps.check-tag.outputs.tag_exists != 'true'
-        shell: bash
-        run: |
-          export PATH="$(dirname "$QLT_CODEQL_PATH"):$PATH"
-          chmod +x ./scripts/install-packs.sh
-          ./scripts/install-packs.sh
-
       - name: Tag - Setup Node.js for CDS compilation
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         uses: actions/setup-node@v6
         with:
           node-version: '20'
           cache: 'npm'
           cache-dependency-path: 'extractors/cds/tools/package-lock.json'
 
       - name: Tag - Compile CAP CDS files
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         run: |
           chmod +x ./extractors/cds/tools/workflow/cds-compilation-for-actions.sh
           ./extractors/cds/tools/workflow/cds-compilation-for-actions.sh
 
       - name: Tag - Run CodeQL unit tests
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         env:
           LGTM_INDEX_XML_MODE: all
           LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
         shell: bash
         run: |
           echo "Running CodeQL unit tests to validate release..."
-          $QLT_CODEQL_PATH test run \
+          codeql test run \
             --threads=0 \
             --strict-test-discovery \
             --additional-packs="${GITHUB_WORKSPACE}" \
             -- javascript/
 
       - name: Tag - Validate version consistency
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         run: |
           RELEASE_NAME="${{ steps.version.outputs.release_name }}"
           echo "Validating all version-bearing files match ${RELEASE_NAME}..."
           ./scripts/update-release-version.sh --check "${RELEASE_NAME}"
 
       - name: Tag - Commit version changes and create tag
         id: create-tag
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.needs-creation.outputs.needed == 'true'
         run: |
           TAG="${{ steps.version.outputs.version }}"
           RELEASE_NAME="${{ steps.version.outputs.release_name }}"
@@ -167,12 +193,16 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 
+          # Detach HEAD so we never push to a protected branch.
+          # The version-update commit will only be reachable via the tag.
+          git checkout --detach HEAD
+
           # Stage version-bearing files and lockfile changes
           git add -A
-          # Ensure generated artifacts (CodeQL, CAP compilation) are not staged for commit
-          git restore --staged .codeql || true
-          git restore --staged '*.qlx' || true
-          git restore --staged 'javascript/frameworks/cap/test/**/model.cds.json' || true
+          # Ensure generated artifacts (CodeQL, CAP compilation) are not staged
+          git restore --staged .codeql 2>/dev/null || true
+          git restore --staged '*.qlx' 2>/dev/null || true
+          git restore --staged 'javascript/frameworks/cap/test/**/model.cds.json' 2>/dev/null || true
 
           # Check if there are changes to commit
           if git diff --cached --quiet; then
@@ -181,26 +211,25 @@ jobs:
           else
             git commit -m "Release ${TAG}: update versions to ${RELEASE_NAME}"
             CURRENT_SHA=$(git rev-parse HEAD)
-            git push origin HEAD
-            echo "✅ Committed version changes at ${CURRENT_SHA:0:8}"
+            echo "✅ Created version commit at ${CURRENT_SHA:0:8}"
           fi
 
-          # Create and push the tag
+          # Push only the tag — never the branch
           git tag -a "${TAG}" -m "Release ${TAG}" "${CURRENT_SHA}"
-          git push origin "${TAG}"
+          git push origin "refs/tags/${TAG}"
           echo "✅ Created and pushed tag ${TAG} at commit ${CURRENT_SHA:0:8}"
           echo "tag_sha=${CURRENT_SHA}" >> $GITHUB_OUTPUT
 
       - name: Tag - Output existing tag SHA
         id: existing-tag
-        if: steps.check-tag.outputs.tag_exists == 'true'
+        if: steps.needs-creation.outputs.needed == 'false'
         run: |
           echo "tag_sha=${{ steps.check-tag.outputs.tag_sha }}" >> $GITHUB_OUTPUT
 
       - name: Tag - Set final tag SHA output
         id: final-sha
         run: |
-          if [ "${{ steps.check-tag.outputs.tag_exists }}" == "true" ]; then
+          if [ "${{ steps.needs-creation.outputs.needed }}" == "false" ]; then
             SHA="${{ steps.check-tag.outputs.tag_sha }}"
           else
             SHA="${{ steps.create-tag.outputs.tag_sha }}"
@@ -212,11 +241,15 @@ jobs:
           TAG="${{ steps.version.outputs.version }}"
           echo "## Release Tag Summary" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          if [ "${{ steps.check-tag.outputs.tag_exists }}" == "true" ]; then
-            echo "ℹ️ Tag \`${TAG}\` already existed at \`${{ steps.check-tag.outputs.tag_sha }}\`" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ steps.needs-creation.outputs.needed }}" == "false" ]; then
+            echo "ℹ️ Tag \`${TAG}\` already existed at \`${{ steps.check-tag.outputs.tag_sha }}\` with correct versions" >> $GITHUB_STEP_SUMMARY
           else
             echo "✅ Created tag \`${TAG}\` at \`${{ steps.create-tag.outputs.tag_sha }}\`" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY
+            if [ "${{ steps.check-tag.outputs.tag_exists }}" == "true" ]; then
+              echo "⚠️ Previous tag had incorrect versions and was replaced" >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
+            fi
             echo "| Step | Status |" >> $GITHUB_STEP_SUMMARY
             echo "| ---- | ------ |" >> $GITHUB_STEP_SUMMARY
             echo "| Version update | ✅ All files updated to ${{ steps.version.outputs.release_name }} |" >> $GITHUB_STEP_SUMMARY
