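--- a/.github/workflows/release-codeql.yml
+++ b/.github/workflows/release-codeql.yml
@@ -43,19 +43,6 @@ jobs:
 release_name: ${{ steps.version.outputs.release_name }}
 version: ${{ steps.version.outputs.version }}
 
-env:
-PUBLISHABLE_PACKS_LIST: |
-javascript/frameworks/cap/src
-javascript/frameworks/cap/ext
-javascript/frameworks/cap/lib
-javascript/frameworks/ui5/src
-javascript/frameworks/ui5/ext
-javascript/frameworks/ui5/lib
-javascript/frameworks/xsjs/src
-javascript/frameworks/xsjs/ext
-javascript/frameworks/xsjs/lib
-javascript/heuristic-models/ext
-
 steps:
 - name: CodeQL - Validate and parse version
 id: version
@@ -91,9 +78,7 @@ jobs:
 
 - name: CodeQL - Install pack dependencies
 shell: bash
-run: |
-chmod +x ./scripts/install-packs.sh
-./scripts/install-packs.sh
+run: ./scripts/install-packs.sh
 
 - name: CodeQL - Validate version consistency
 run: |
@@ -106,50 +91,14 @@ jobs:
 if: inputs.publish_codeql_packs
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-run: |
-# Read the shared pack list from the job-level environment variable.
-mapfile -t PUBLISHABLE_PACKS <<< "${PUBLISHABLE_PACKS_LIST}"
-
-echo "Publishing CodeQL packs..."
-for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
-if [ -d "${pack_dir}" ]; then
-pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
-echo "📦 Publishing ${pack_name} from ${pack_dir}..."
-echo "${GITHUB_TOKEN}" | codeql pack publish --github-auth-stdin --threads=-1 -- "${pack_dir}"
-echo "✅ Published ${pack_name}"
-else
-echo "⚠️ Skipping: ${pack_dir} not found"
-fi
-done
+run: ./scripts/publish-packs.sh "${{ steps.version.outputs.release_name }}"
 
 - name: CodeQL - Skip pack publishing
 if: '!inputs.publish_codeql_packs'
 run: echo "⏭️ CodeQL pack publishing disabled via workflow input"
 
 - name: CodeQL - Bundle CodeQL packs
-run: |
-mkdir -p dist-packs
-
-# Bundle all publishable packs
-# Read the pack list from the environment into a Bash array.
-# Each line in PUBLISHABLE_PACKS_LIST becomes one element.
-mapfile -t PUBLISHABLE_PACKS <<< "${PUBLISHABLE_PACKS_LIST}"
-
-echo "Bundling CodeQL packs..."
-for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
-if [ -d "${pack_dir}" ]; then
-pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
-# Convert pack name to filename: advanced-security/foo -> foo
-bundle_name="${pack_name#advanced-security/}"
-output="dist-packs/${bundle_name}.tar.gz"
-echo "📦 Bundling ${pack_name} -> ${output}..."
-codeql pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"
-echo "✅ Bundled ${bundle_name}"
-fi
-done
-echo ""
-echo "Bundled packs:"
-ls -lh dist-packs/
+run: ./scripts/bundle-packs.sh --output-dir dist-packs
 
 - name: CodeQL - Upload pack artifacts
 uses: actions/upload-artifact@v6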
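Review bot: In the publish step, `run: ./scripts/publish-packs.sh "${{ steps.version.outputs.release_name }}"` pastes a step output into the script text before bash parses it, and this is the one step that also carries `GITHUB_TOKEN`. The value comes from the `version` step, whose validation lies outside the visible hunks, so it cannot be confirmed from here that shell metacharacters are rejected before they reach this line. Passing it through the environment removes the question: add `RELEASE_NAME: ${{ steps.version.outputs.release_name }}` under the step's existing `env:` and call `./scripts/publish-packs.sh "${RELEASE_NAME}"`. The step itself starts above the hunk. Separately, the install step drops `chmod +x`, so the scripts now invoked directly need their executable bit committed in git.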
4 changes: 2 additions & 2 deletions javascript/frameworks/cap/ext/qlpack.yml
@@ -1,6 +1,6 @@
---
library: true
name: advanced-security/javascript-sap-cap-models
version: 2.3.0
version: 2.24.2
extensionTargets:
codeql/javascript-all: "^2.4.0"
codeql/javascript-all: "^2.6.22"
26 changes: 13 additions & 13 deletions javascript/frameworks/cap/lib/codeql-pack.lock.yml
Expand Up @@ -2,29 +2,29 @@
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.15
version: 0.0.16
codeql/controlflow:
version: 2.0.25
version: 2.0.26
codeql/dataflow:
version: 2.0.25
version: 2.0.26
codeql/javascript-all:
version: 2.6.21
version: 2.6.22
codeql/mad:
version: 1.0.41
version: 1.0.42
codeql/regex:
version: 1.0.41
version: 1.0.42
codeql/ssa:
version: 2.0.17
version: 2.0.18
codeql/threat-models:
version: 1.0.41
version: 1.0.42
codeql/tutorial:
version: 1.0.41
version: 1.0.42
codeql/typetracking:
version: 2.0.25
version: 2.0.26
codeql/util:
version: 2.0.28
version: 2.0.29
codeql/xml:
version: 1.0.41
version: 1.0.42
codeql/yaml:
version: 1.0.41
version: 1.0.42
compiled: false
4 changes: 2 additions & 2 deletions javascript/frameworks/cap/lib/qlpack.yml
@@ -1,8 +1,8 @@
---
library: true
name: advanced-security/javascript-sap-cap-all
version: 2.3.0
version: 2.24.2
suites: codeql-suites
extractor: javascript
dependencies:
codeql/javascript-all: "^2.4.0"
codeql/javascript-all: "^2.6.22"
26 changes: 13 additions & 13 deletions javascript/frameworks/cap/src/codeql-pack.lock.yml
Expand Up @@ -2,29 +2,29 @@
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.15
version: 0.0.16
codeql/controlflow:
version: 2.0.25
version: 2.0.26
codeql/dataflow:
version: 2.0.25
version: 2.0.26
codeql/javascript-all:
version: 2.6.21
version: 2.6.22
codeql/mad:
version: 1.0.41
version: 1.0.42
codeql/regex:
version: 1.0.41
version: 1.0.42
codeql/ssa:
version: 2.0.17
version: 2.0.18
codeql/threat-models:
version: 1.0.41
version: 1.0.42
codeql/tutorial:
version: 1.0.41
version: 1.0.42
codeql/typetracking:
version: 2.0.25
version: 2.0.26
codeql/util:
version: 2.0.28
version: 2.0.29
codeql/xml:
version: 1.0.41
version: 1.0.42
codeql/yaml:
version: 1.0.41
version: 1.0.42
compiled: false
6 changes: 3 additions & 3 deletions javascript/frameworks/cap/src/qlpack.yml
@@ -1,10 +1,10 @@
---
library: false
name: advanced-security/javascript-sap-cap-queries
version: 2.3.0
version: 2.24.2
suites: codeql-suites
extractor: javascript
dependencies:
codeql/javascript-all: "^2.4.0"
advanced-security/javascript-sap-cap-all: "^2.3.0"
codeql/javascript-all: "^2.6.22"
advanced-security/javascript-sap-cap-all: "${workspace}"
default-suite-file: codeql-suites/javascript-code-scanning.qls
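Review bot: The dependency on `advanced-security/javascript-sap-cap-all` moves from a caret range to a bare `"${workspace}"`, and nothing in the file records what that resolves to once this queries pack is published. As far as I know, CodeQL replaces the bare placeholder with the workspace pack's exact version at publish time, so the published pack would require exactly the matching `-all` release rather than any compatible one; `"^${workspace}"` is the form that keeps a compatible range, if that is what is wanted. Either way, a comment above the line such as `# resolved from the workspace; becomes an exact version pin on publish` would make the intent reviewable. The test packs under `cap/test` and `ui5-webcomponents/test` make the same switch, where it matters less if they are never published.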
26 changes: 13 additions & 13 deletions javascript/frameworks/cap/test/codeql-pack.lock.yml
Expand Up @@ -2,29 +2,29 @@
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.15
version: 0.0.16
codeql/controlflow:
version: 2.0.25
version: 2.0.26
codeql/dataflow:
version: 2.0.25
version: 2.0.26
codeql/javascript-all:
version: 2.6.21
version: 2.6.22
codeql/mad:
version: 1.0.41
version: 1.0.42
codeql/regex:
version: 1.0.41
version: 1.0.42
codeql/ssa:
version: 2.0.17
version: 2.0.18
codeql/threat-models:
version: 1.0.41
version: 1.0.42
codeql/tutorial:
version: 1.0.41
version: 1.0.42
codeql/typetracking:
version: 2.0.25
version: 2.0.26
codeql/util:
version: 2.0.28
version: 2.0.29
codeql/xml:
version: 1.0.41
version: 1.0.42
codeql/yaml:
version: 1.0.41
version: 1.0.42
compiled: false
10 changes: 5 additions & 5 deletions javascript/frameworks/cap/test/qlpack.yml
@@ -1,9 +1,9 @@
---
name: advanced-security/javascript-sap-cap-queries-tests
version: 2.3.0
version: 2.24.2
extractor: javascript
dependencies:
codeql/javascript-all: "^2.4.0"
advanced-security/javascript-sap-cap-queries: "^2.3.0"
advanced-security/javascript-sap-cap-models: "^2.3.0"
advanced-security/javascript-sap-cap-all: "^2.3.0"
codeql/javascript-all: "^2.6.22"
advanced-security/javascript-sap-cap-queries: "${workspace}"
advanced-security/javascript-sap-cap-models: "${workspace}"
advanced-security/javascript-sap-cap-all: "${workspace}"
26 changes: 13 additions & 13 deletions javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml
Expand Up @@ -2,29 +2,29 @@
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.15
version: 0.0.16
codeql/controlflow:
version: 2.0.25
version: 2.0.26
codeql/dataflow:
version: 2.0.25
version: 2.0.26
codeql/javascript-all:
version: 2.6.21
version: 2.6.22
codeql/mad:
version: 1.0.41
version: 1.0.42
codeql/regex:
version: 1.0.41
version: 1.0.42
codeql/ssa:
version: 2.0.17
version: 2.0.18
codeql/threat-models:
version: 1.0.41
version: 1.0.42
codeql/tutorial:
version: 1.0.41
version: 1.0.42
codeql/typetracking:
version: 2.0.25
version: 2.0.26
codeql/util:
version: 2.0.28
version: 2.0.29
codeql/xml:
version: 1.0.41
version: 1.0.42
codeql/yaml:
version: 1.0.41
version: 1.0.42
compiled: false
6 changes: 3 additions & 3 deletions javascript/frameworks/ui5-webcomponents/test/qlpack.yml
@@ -1,6 +1,6 @@
name: advanced-security/javascript-sap-ui5-webcomponents-for-react-test
version: 2.3.0
version: 2.24.2
extractor: javascript
dependencies:
codeql/javascript-all: "^2.4.0"
advanced-security/javascript-sap-ui5-all: "^2.3.0"
codeql/javascript-all: "^2.6.22"
advanced-security/javascript-sap-ui5-all: "${workspace}"
4 changes: 2 additions & 2 deletions javascript/frameworks/ui5/ext/qlpack.yml
@@ -1,8 +1,8 @@
---
library: true
name: advanced-security/javascript-sap-ui5-models
version: 2.3.0
version: 2.24.2
extensionTargets:
codeql/javascript-all: "^2.4.0"
codeql/javascript-all: "^2.6.22"
dataExtensions:
- "*.model.yml"
26 changes: 13 additions & 13 deletions javascript/frameworks/ui5/lib/codeql-pack.lock.yml
Expand Up @@ -2,29 +2,29 @@
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.15
version: 0.0.16
codeql/controlflow:
version: 2.0.25
version: 2.0.26
codeql/dataflow:
version: 2.0.25
version: 2.0.26
codeql/javascript-all:
version: 2.6.21
version: 2.6.22
codeql/mad:
version: 1.0.41
version: 1.0.42
codeql/regex:
version: 1.0.41
version: 1.0.42
codeql/ssa:
version: 2.0.17
version: 2.0.18
codeql/threat-models:
version: 1.0.41
version: 1.0.42
codeql/tutorial:
version: 1.0.41
version: 1.0.42
codeql/typetracking:
version: 2.0.25
version: 2.0.26
codeql/util:
version: 2.0.28
version: 2.0.29
codeql/xml:
version: 1.0.41
version: 1.0.42
codeql/yaml:
version: 1.0.41
version: 1.0.42
compiled: false
4 changes: 2 additions & 2 deletions javascript/frameworks/ui5/lib/qlpack.yml
@@ -1,8 +1,8 @@
---
library: true
name: advanced-security/javascript-sap-ui5-all
version: 2.3.0
version: 2.24.2
suites: codeql-suites
extractor: javascript
dependencies:
codeql/javascript-all: "^2.4.0"
codeql/javascript-all: "^2.6.22"