
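---
name: Update CodeQL CLI Dependencies

on:
  workflow_dispatch:
    inputs:
      target_version:
        description: 'Target CodeQL CLI version (e.g. vX.Y.Z). Leave empty to use the latest available CodeQL CLI release.'
        required: false
        type: string
  # Nightly check for new CodeQL CLI releases
  schedule:
    - cron: '30 5 * * *'

# Workflow-wide default is read-only; the create-pr job raises its own
# permissions to the minimum it needs (contents + pull-requests write).
permissions:
  contents: read

# A manual dispatch and the nightly schedule could otherwise run at the same
# time and both try to push the same upgrade branch. Queue runs instead of
# cancelling: an in-flight build-and-test is not worth discarding.
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false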
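jobs:
  # ─────────────────────────────────────────────────────────────────────────────
  # Step 1: Detect new CodeQL CLI version
  #
  # Compares the current CodeQL CLI version in .codeql-version against the
  # latest release from github/codeql-cli-binaries (or a manually supplied
  # target). If the versions differ, downstream jobs orchestrate the update
  # and PR creation.
  #
  # Everything this job emits as an output is later consumed by shell in the
  # create-pr job, so the version string is validated against a strict
  # character set before it is written to $GITHUB_OUTPUT.
  # ─────────────────────────────────────────────────────────────────────────────
  detect-update:
    name: Detect CodeQL CLI Update
    runs-on: ubuntu-latest
    outputs:
      current_version: ${{ steps.check-version.outputs.current_version }}
      latest_version: ${{ steps.check-version.outputs.latest_version }}
      update_needed: ${{ steps.check-version.outputs.update_needed }}
      version: ${{ steps.check-version.outputs.version }}
    steps:
      - name: Detect - Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Detect - Check latest CodeQL CLI version
        id: check-version
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed via env (not interpolated into the script) so the dispatch
          # input reaches the shell as data rather than as script text.
          TARGET_VERSION: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.target_version || '' }}
        run: |
          set -euo pipefail
          echo "Checking latest CodeQL CLI version..."

          # Read current version from .codeql-version (stores vX.Y.Z).
          # An empty value would compare unequal to every release and force a
          # spurious update, so treat a missing/empty file as an error.
          current_version_raw=$(tr -d '[:space:]' < .codeql-version)
          current_version="${current_version_raw#v}"
          if [ -z "${current_version}" ]; then
            echo "❌ Error: .codeql-version is missing or empty" >&2
            exit 1
          fi

          # Release tags are plain dotted identifiers. Anything outside this
          # set (whitespace, quotes, $, ;, newlines, ...) is rejected so the
          # value can be safely used as a CLI argument and in later scripts.
          version_pattern='^[0-9A-Za-z][0-9A-Za-z._-]*$'

          # Trim whitespace from target version input
          TARGET_VERSION=$(echo "${TARGET_VERSION}" | tr -d '[:space:]')
          if [ -n "${TARGET_VERSION}" ]; then
            # Use the manually specified target version
            latest_clean="${TARGET_VERSION#v}"
            echo "Using manually specified target version: ${latest_clean}"
            if ! [[ "${latest_clean}" =~ ${version_pattern} ]]; then
              echo "❌ Error: Target version '${TARGET_VERSION}' is not a valid release tag" >&2
              exit 1
            fi
            # Validate the target version exists as a release
            if ! gh release view "v${latest_clean}" --repo github/codeql-cli-binaries --json tagName > /dev/null 2>&1; then
              echo "❌ Error: Target version v${latest_clean} does not exist in github/codeql-cli-binaries releases" >&2
              exit 1
            fi
          else
            # Get latest release from codeql-cli-binaries
            latest_tag=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName')
            # Validate that we found a latest release
            if [ -z "${latest_tag}" ]; then
              echo "❌ Error: Could not determine latest CodeQL CLI version from github/codeql-cli-binaries" >&2
              echo "No release marked as 'latest' was found. This may indicate an API issue or repository change." >&2
              exit 1
            fi
            latest_clean="${latest_tag#v}"
            # Defence in depth: the upstream tag is trusted, but it still
            # flows into shell in the next job, so hold it to the same rule.
            if ! [[ "${latest_clean}" =~ ${version_pattern} ]]; then
              echo "❌ Error: Latest release tag '${latest_tag}' has an unexpected format" >&2
              exit 1
            fi
          fi

          echo "Current CodeQL CLI version: ${current_version}"
          echo "Target CodeQL CLI version: ${latest_clean}"

          # Any difference counts as an update so a manual target can also
          # move the pinned version backwards.
          if [ "${latest_clean}" != "${current_version}" ]; then
            echo "✅ Update available: ${current_version} → ${latest_clean}"
            {
              echo "update_needed=true"
              echo "current_version=${current_version}"
              echo "latest_version=${latest_clean}"
              echo "version=v${latest_clean}"
            } >> "$GITHUB_OUTPUT"
          else
            echo "ℹ️ CodeQL CLI is already up-to-date at version ${current_version}"
            echo "update_needed=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Detect - Summary
        env:
          # Step outputs are handed over through env so the summary script
          # contains no ${{ }} interpolation.
          UPDATE_NEEDED: ${{ steps.check-version.outputs.update_needed }}
          CURRENT_VERSION: ${{ steps.check-version.outputs.current_version }}
          LATEST_VERSION: ${{ steps.check-version.outputs.latest_version }}
          VERSION: ${{ steps.check-version.outputs.version }}
        run: |
          {
            echo "## CodeQL CLI Update Check"
            echo ""
            if [ "${UPDATE_NEEDED}" == "true" ]; then
              echo "✅ Update available: ${CURRENT_VERSION} → ${LATEST_VERSION}"
              echo ""
              echo "Initiating update pipeline for \`${VERSION}\`..."
            else
              echo "ℹ️ CodeQL CLI is already up-to-date. No changes needed."
            fi
          } >> "$GITHUB_STEP_SUMMARY"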
# ─────────────────────────────────────────────────────────────────────────────
# Step 2: Update version, build, test, and create PR
#
# Updates all version-bearing files, installs dependencies, runs the full
# build-and-test suite, and creates a pull request with the changes.
# ─────────────────────────────────────────────────────────────────────────────
create-pr:
name: Create Update Pull Request
needs: detect-update
if: needs.detect-update.outputs.update_needed == 'true'
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- name: Update - Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Update - Update .codeql-version
run: |
printf "v%s\n" "${{ needs.detect-update.outputs.latest_version }}" > .codeql-version
echo "Updated .codeql-version to ${{ needs.detect-update.outputs.version }}"
- name: Update - Setup CodeQL environment
uses: ./.github/actions/setup-codeql-environment
with:
add-to-path: true
install-language-runtimes: false
- name: Update - Setup Node.js
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
cache: 'npm'
node-version-file: '.node-version'
- name: Update - Update version in all files
run: |
LATEST="${{ needs.detect-update.outputs.latest_version }}"
echo "Updating all version-bearing files to ${LATEST}..."
./server/scripts/update-release-version.sh "${LATEST}"
- name: Update - Install dependencies
run: npm install --include=optional
- name: Update - Upgrade CodeQL pack dependencies
run: server/scripts/upgrade-packs.sh
- name: Update - Install xvfb and VS Code dependencies
run: |
sudo apt-get update
sudo apt-get install -y xvfb libgbm1 libgtk-3-0 libxshmfence1
sudo apt-get install -y libasound2t64 || sudo apt-get install -y libasound2
- name: Update - Build and test
run: xvfb-run -a npm run build-and-test
- name: Update - Create Pull Request
uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
with:
title: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}'
body: |
This PR upgrades the CodeQL CLI version to ${{ needs.detect-update.outputs.version }}.
**Changes made:**
- Updated `.codeql-version` to `${{ needs.detect-update.outputs.version }}`
- Updated all version-bearing files (package.json, extensions/vscode/package.json, codeql-pack.yml) to `${{ needs.detect-update.outputs.latest_version }}`
- Regenerated `package-lock.json`
- Upgraded CodeQL pack lock files
- Build and tests passed ✅
commit-message: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}'
delete-branch: true
branch: 'codeql/upgrade-to-${{ needs.detect-update.outputs.version }}'
- name: Update - Summary
run: |
VERSION="${{ needs.detect-update.outputs.version }}"
CURRENT="${{ needs.detect-update.outputs.current_version }}"
LATEST="${{ needs.detect-update.outputs.latest_version }}"
echo "## CodeQL CLI Update Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Triggered by CodeQL CLI update: ${CURRENT} → ${LATEST}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Property | Old Value | New Value |" >> $GITHUB_STEP_SUMMARY
echo "| -------- | --------- | --------- |" >> $GITHUB_STEP_SUMMARY
echo "| .codeql-version | v${CURRENT} | ${VERSION} |" >> $GITHUB_STEP_SUMMARY
echo "| package.json versions | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY
echo "| extensions/vscode/package.json | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY
echo "| codeql-pack.yml versions | ${CURRENT} | ${LATEST} |" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "A pull request has been created with these changes." >> $GITHUB_STEP_SUMMARY