From 4fac88769e9cd72fd48a64ef5961d146c63bc3cc Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Tue, 21 Jan 2025 10:11:03 +0100 Subject: [PATCH 1/2] Pin CodeQL in the publish workflow. --- .github/workflows/publish.yml | 146 ++++++++++++++++++++++------------ 1 file changed, 93 insertions(+), 53 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 67e292ba..f315e129 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -3,10 +3,15 @@ name: Publish CodeQL Packs on: push: branches: [main] + # TODO: REMOVE AGAIN AFTER TESTING + pull_request: + branches: [ main ] workflow_dispatch: -jobs: +env: + CODEQL_CLI_VERSION: 2.20.1 +jobs: queries: runs-on: ubuntu-latest 
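Review bot: `CODEQL_CLI_VERSION: 2.20.1` in the new `env:` block is a plain scalar; a version pin should be quoted so that a later two-component value such as `2.21` is not read as a float and the value reaches the install action unambiguously as a string — `CODEQL_CLI_VERSION: "2.20.1"`. No `permissions:` block is visible between `on:` and `jobs:` in this hunk, and the `codeql pack publish` steps later in the file need `packages: write` on `GITHUB_TOKEN`; if permissions are not set at job level elsewhere in the file, an explicit least-privilege block (`contents: read`, `packages: write`) belongs here next to `env:`. The `queries` job header closes the hunk and its body continues outside it.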
@@ -22,28 +27,37 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Initialize CodeQL - run: | - VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ - | sort \ - | tail -n 1 \ - | tr -d '\n')" - echo "$VERSION/x64/codeql" >> $GITHUB_PATH - - - name: "Check and publish codeql-LANG-queries (src) pack" + - name: Check codeql-LANG-queries (src) pack + id: check_version env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-queries/versions --jq '.[0].metadata.container.tags[0]') CURRENT_VERSION=$(grep version ${{ matrix.language }}/src/qlpack.yml | awk '{print $2}') - echo "Published verion: $PUBLISHED_VERSION" - echo "Local verion: $CURRENT_VERSION" + echo "Published version: $PUBLISHED_VERSION" + echo "Local version: $CURRENT_VERSION" + if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then - codeql pack install "${{ matrix.language }}/src" - codeql pack publish "${{ matrix.language }}/src" + echo "publish=true" >> $GITHUB_OUTPUT fi + - name: Setup CodeQL + if: steps.check_version.outputs.publish == 'true' + uses: ./.github/actions/install-codeql + with: + codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }} + + - name: Publish codeql-LANG-queries (src) pack. + if: steps.check_version.outputs.publish == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "Publishing codeql-${{ matrix.language }}-queries." + # TODO COMMENT BACK IN AFTER TESTING + # codeql pack install "${{ matrix.language }}/src" + # codeql pack publish "${{ matrix.language }}/src" + library: runs-on: ubuntu-latest 
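Review bot: The new `Check codeql-LANG-queries (src) pack` step only emits `publish=true` and otherwise leaves the output unset, so both `if: steps.check_version.outputs.publish == 'true'` guards rely on an empty string comparing unequal to `'true'`; writing the decision in both branches makes it explicit and visible in the step log, e.g. `else` / `echo "publish=false" >> "$GITHUB_OUTPUT"`, and the existing redirection should likewise quote the variable as `>> "$GITHUB_OUTPUT"`. The same applies to the three following hunks (library, extensions, library_sources_extensions), which differ only in the pack directory; the check/setup/publish triple repeated four times is a candidate for a second matrix dimension or a local composite action, though that restructure can be a separate change. The `queries` job's matrix and any job-level permissions are outside the hunk.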
@@ -59,28 +73,37 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Initialize CodeQL - run: | - VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ - | sort \ - | tail -n 1 \ - | tr -d '\n')" - echo "$VERSION/x64/codeql" >> $GITHUB_PATH - - - name: "Check and publish codeql-LANG-libs (lib) pack" + - name: Check codeql-LANG-libs (lib) pack + id: check_version env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-libs/versions --jq '.[0].metadata.container.tags[0]') CURRENT_VERSION=$(grep version ${{ matrix.language }}/lib/qlpack.yml | awk '{print $2}') - echo "Published verion: $PUBLISHED_VERSION" - echo "Local verion: $CURRENT_VERSION" + echo "Published version: $PUBLISHED_VERSION" + echo "Local version: $CURRENT_VERSION" + if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then - codeql pack install "${{ matrix.language }}/lib" - codeql pack publish "${{ matrix.language }}/lib" + echo "publish=true" >> $GITHUB_OUTPUT fi + - name: Setup CodeQL + if: steps.check_version.outputs.publish == 'true' + uses: ./.github/actions/install-codeql + with: + codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }} + + - name: Publish codeql-LANG-libs (lib) pack + if: steps.check_version.outputs.publish == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "Publishing codeql-${{ matrix.language }}-libs." + # TODO COMMENT BACK IN AFTER TESTING + # codeql pack install "${{ matrix.language }}/lib" + # codeql pack publish "${{ matrix.language }}/lib" + extensions: runs-on: ubuntu-latest 
@@ -96,28 +119,37 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Initialize CodeQL - run: | - VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ - | sort \ - | tail -n 1 \ - | tr -d '\n')" - echo "$VERSION/x64/codeql" >> $GITHUB_PATH - - - name: Check and publish codeql-LANG-extensions (ext) pack + - name: Check codeql-LANG-extensions (ext) pack + id: check_version env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-extensions/versions --jq '.[0].metadata.container.tags[0]') CURRENT_VERSION=$(grep version ${{ matrix.language }}/ext/qlpack.yml | awk '{print $2}') - echo "Published verion: $PUBLISHED_VERSION" - echo "Local verion: $CURRENT_VERSION" + echo "Published version: $PUBLISHED_VERSION" + echo "Local version: $CURRENT_VERSION" if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then - codeql pack install "${{ matrix.language }}/ext" - codeql pack publish "${{ matrix.language }}/ext" + echo "publish=true" >> $GITHUB_OUTPUT fi + - name: Setup CodeQL + if: steps.check_version.outputs.publish == 'true' + uses: ./.github/actions/install-codeql + with: + codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }} + + - name: Publish codeql-LANG-extensions (ext) pack + if: steps.check_version.outputs.publish == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "Publishing codeql-${{ matrix.language }}-extensions." + # TODO COMMENT BACK IN AFTER TESTING + # codeql pack install "${{ matrix.language }}/ext" + # codeql pack publish "${{ matrix.language }}/ext" + + library_sources_extensions: runs-on: ubuntu-latest 
@@ -133,24 +165,32 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Initialize CodeQL - run: | - VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \ - | sort \ - | tail -n 1 \ - | tr -d '\n')" - echo "$VERSION/x64/codeql" >> $GITHUB_PATH - - - name: Check and publish codeql-LANG-library-sources (ext-library-sources) pack + - name: Check codeql-LANG-library-sources (ext-library-sources) pack + id: check_version env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-library-sources/versions --jq '.[0].metadata.container.tags[0]') CURRENT_VERSION=$(grep version ${{ matrix.language }}/ext-library-sources/qlpack.yml | awk '{print $2}') - echo "Published verion: $PUBLISHED_VERSION" - echo "Local verion: $CURRENT_VERSION" + echo "Published version: $PUBLISHED_VERSION" + echo "Local version: $CURRENT_VERSION" if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then - codeql pack install "${{ matrix.language }}/ext-library-sources" - codeql pack publish "${{ matrix.language }}/ext-library-sources" + echo "publish=true" >> $GITHUB_OUTPUT fi + + - name: Setup CodeQL + if: steps.check_version.outputs.publish == 'true' + uses: ./.github/actions/install-codeql + with: + codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }} + + - name: Publish codeql-LANG-library-sources (ext-library-sources) pack + if: steps.check_version.outputs.publish == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "Publishing codeql-${{ matrix.language }}-library-sources." + # TODO COMMENT BACK IN AFTER TESTING + # codeql pack install "${{ matrix.language }}/ext-library-sources" + # codeql pack publish "${{ matrix.language }}/ext-library-sources" From 7d70d94be062ace79583d176089efb5746242946 Mon Sep 17 00:00:00 2001 
From: Michael Nebel Date: Tue, 21 Jan 2025 10:32:45 +0100 Subject: [PATCH 2/2] Removing workflow debug stuff. --- .github/workflows/publish.yml | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f315e129..0b4dd7e5 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -3,9 +3,6 @@ name: Publish CodeQL Packs on: push: branches: [main] - # TODO: REMOVE AGAIN AFTER TESTING - pull_request: - branches: [ main ] workflow_dispatch: env: @@ -54,9 +51,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo "Publishing codeql-${{ matrix.language }}-queries." - # TODO COMMENT BACK IN AFTER TESTING - # codeql pack install "${{ matrix.language }}/src" - # codeql pack publish "${{ matrix.language }}/src" + codeql pack install "${{ matrix.language }}/src" + codeql pack publish "${{ matrix.language }}/src" library: runs-on: ubuntu-latest @@ -100,9 +96,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo "Publishing codeql-${{ matrix.language }}-libs." - # TODO COMMENT BACK IN AFTER TESTING - # codeql pack install "${{ matrix.language }}/lib" - # codeql pack publish "${{ matrix.language }}/lib" + codeql pack install "${{ matrix.language }}/lib" + codeql pack publish "${{ matrix.language }}/lib" extensions: runs-on: ubuntu-latest @@ -145,9 +140,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo "Publishing codeql-${{ matrix.language }}-extensions." - # TODO COMMENT BACK IN AFTER TESTING - # codeql pack install "${{ matrix.language }}/ext" - # codeql pack publish "${{ matrix.language }}/ext" + codeql pack install "${{ matrix.language }}/ext" + codeql pack publish "${{ matrix.language }}/ext" library_sources_extensions: 
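Review bot: In the restored publish steps (`@@ -54`, `@@ -100`, `@@ -145` here and `@@ -191` on the next line) `codeql pack install` runs immediately before `codeql pack publish`, so the dependency set recorded in the published pack is whatever the registry resolves at that moment unless each pack directory carries a committed CodeQL lock file (`codeql-pack.lock.yml`); if those lock files are not committed, adding them would make the published artifact reproducible and pin the pack dependencies the same way this PR now pins the CLI. The `echo "Publishing codeql-${{ matrix.language }}-queries."` line duplicates the step name and could be dropped so the script is just the two commands. The first hunk on this line is a pure removal of the testing trigger and needs no change; the enclosing job definitions start outside these hunks.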
@@ -191,6 +185,5 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo "Publishing codeql-${{ matrix.language }}-library-sources." - # TODO COMMENT BACK IN AFTER TESTING - # codeql pack install "${{ matrix.language }}/ext-library-sources" - # codeql pack publish "${{ matrix.language }}/ext-library-sources" + codeql pack install "${{ matrix.language }}/ext-library-sources" + codeql pack publish "${{ matrix.language }}/ext-library-sources"