codeql-development-mcp-server/.github/workflows/update-codeql.yml at main · advanced-security/codeql-development-mcp-server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
name: Update CodeQL CLI Dependencies

on:
  workflow_dispatch:
    inputs:
      target_version:
        description: 'Target CodeQL CLI version (e.g. vX.Y.Z). Leave empty to use the latest available CodeQL CLI release.'
        required: false
        type: string
  # Nightly check for new CodeQL CLI releases
  schedule:
    - cron: '30 5 * * *'

permissions:
  contents: read

jobs:
  # ─────────────────────────────────────────────────────────────────────────────
  # Step 1: Detect new CodeQL CLI version
  #
  # Compares the current CodeQL CLI version in .codeql-version against the
  # latest release from github/codeql-cli-binaries. If a newer version is
  # available, downstream jobs orchestrate the update and PR creation.
  # ─────────────────────────────────────────────────────────────────────────────
  detect-update:
    name: Detect CodeQL CLI Update
    runs-on: ubuntu-latest

    outputs:
      current_version: ${{ steps.check-version.outputs.current_version }}
      latest_version: ${{ steps.check-version.outputs.latest_version }}
      update_needed: ${{ steps.check-version.outputs.update_needed }}
      version: ${{ steps.check-version.outputs.version }}

    steps:
      - name: Detect - Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Detect - Check latest CodeQL CLI version
        id: check-version
        env:
          GH_TOKEN: ${{ github.token }}
          TARGET_VERSION: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.target_version || '' }}
        run: |
          echo "Checking latest CodeQL CLI version..."

          # Read current version from .codeql-version (stores vX.Y.Z)
          current_version_raw=$(cat .codeql-version | tr -d '[:space:]')
          current_version="${current_version_raw#v}"

          # Trim whitespace from target version input
          TARGET_VERSION=$(echo "${TARGET_VERSION}" | tr -d '[:space:]')

          if [ -n "${TARGET_VERSION}" ]; then
            # Use the manually specified target version
            latest_clean="${TARGET_VERSION#v}"
            echo "Using manually specified target version: ${latest_clean}"

            # Validate the target version exists as a release
            if ! gh release view "v${latest_clean}" --repo github/codeql-cli-binaries --json tagName > /dev/null 2>&1; then
              echo "❌ Error: Target version v${latest_clean} does not exist in github/codeql-cli-binaries releases" >&2
              exit 1
            fi
          else
            # Get latest release from codeql-cli-binaries
            latest_tag=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName')

            # Validate that we found a latest release
            if [ -z "${latest_tag}" ]; then
              echo "❌ Error: Could not determine latest CodeQL CLI version from github/codeql-cli-binaries" >&2
              echo "No release marked as 'latest' was found. This may indicate an API issue or repository change." >&2
              exit 1
            fi

            latest_clean="${latest_tag#v}"
          fi

          echo "Current CodeQL CLI version: ${current_version}"
          echo "Target CodeQL CLI version: ${latest_clean}"

          if [ "${latest_clean}" != "${current_version}" ]; then
            echo "✅ Update available: ${current_version} → ${latest_clean}"
            echo "update_needed=true" >> $GITHUB_OUTPUT
            echo "current_version=${current_version}" >> $GITHUB_OUTPUT
            echo "latest_version=${latest_clean}" >> $GITHUB_OUTPUT
            echo "version=v${latest_clean}" >> $GITHUB_OUTPUT
          else
            echo "ℹ️ CodeQL CLI is already up-to-date at version ${current_version}"
            echo "update_needed=false" >> $GITHUB_OUTPUT
          fi

      - name: Detect - Summary
        run: |
          echo "## CodeQL CLI Update Check" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          if [ "${{ steps.check-version.outputs.update_needed }}" == "true" ]; then
            echo "✅ Update available: ${{ steps.check-version.outputs.current_version }} → ${{ steps.check-version.outputs.latest_version }}" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "Initiating update pipeline for \`${{ steps.check-version.outputs.version }}\`..." >> $GITHUB_STEP_SUMMARY
          else
            echo "ℹ️ CodeQL CLI is already up-to-date. No changes needed." >> $GITHUB_STEP_SUMMARY
          fi

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 2: Update version, build, test, and create PR
  #
  # Updates all version-bearing files, installs dependencies, runs the full
  # build-and-test suite, and creates a pull request with the changes.
  # ─────────────────────────────────────────────────────────────────────────────
  create-pr:
    name: Create Update Pull Request
    needs: detect-update
    if: needs.detect-update.outputs.update_needed == 'true'
    runs-on: ubuntu-latest

    permissions:
      contents: write
      pull-requests: write

    steps:
      - name: Update - Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Update - Update .codeql-version
        run: |
          printf "v%s\n" "${{ needs.detect-update.outputs.latest_version }}" > .codeql-version
          echo "Updated .codeql-version to ${{ needs.detect-update.outputs.version }}"

      - name: Update - Setup CodeQL environment
        uses: ./.github/actions/setup-codeql-environment
        with:
          add-to-path: true
          install-language-runtimes: false

      - name: Update - Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          cache: 'npm'
          node-version-file: '.node-version'

      - name: Update - Update version in all files
        run: |
          LATEST="${{ needs.detect-update.outputs.latest_version }}"
          echo "Updating all version-bearing files to ${LATEST}..."
          ./server/scripts/update-release-version.sh "${LATEST}"

      - name: Update - Install dependencies
        run: npm install --include=optional

      - name: Update - Upgrade CodeQL pack dependencies
        run: server/scripts/upgrade-packs.sh

      - name: Update - Install xvfb and VS Code dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y xvfb libgbm1 libgtk-3-0 libxshmfence1
          sudo apt-get install -y libasound2t64 || sudo apt-get install -y libasound2

      - name: Update - Build and test
        run: xvfb-run -a npm run build-and-test

      - name: Update - Create Pull Request
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          title: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}'
          body: |
            This PR upgrades the CodeQL CLI version to ${{ needs.detect-update.outputs.version }}.

            **Changes made:**
            - Updated `.codeql-version` to `${{ needs.detect-update.outputs.version }}`
            - Updated all version-bearing files (package.json, extensions/vscode/package.json, codeql-pack.yml) to `${{ needs.detect-update.outputs.latest_version }}`
            - Regenerated `package-lock.json`
            - Upgraded CodeQL pack lock files
            - Build and tests passed ✅
          commit-message: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}'
          delete-branch: true
          branch: 'codeql/upgrade-to-${{ needs.detect-update.outputs.version }}'

      - name: Update - Summary
        run: |
          VERSION="${{ needs.detect-update.outputs.version }}"
          CURRENT="${{ needs.detect-update.outputs.current_version }}"
          LATEST="${{ needs.detect-update.outputs.latest_version }}"
          echo "## CodeQL CLI Update Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Triggered by CodeQL CLI update: ${CURRENT} → ${LATEST}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Property | Old Value | New Value |" >> $GITHUB_STEP_SUMMARY
          echo "| -------- | --------- | --------- |" >> $GITHUB_STEP_SUMMARY
          echo "| .codeql-version | v${CURRENT} | ${VERSION} |" >> $GITHUB_STEP_SUMMARY
          echo "| package.json versions | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY
          echo "| extensions/vscode/package.json | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY
          echo "| codeql-pack.yml versions | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "A pull request has been created with these changes." >> $GITHUB_STEP_SUMMARY