Pin CodeQL in the publish workflow. #116

Workflow file for this run

.github/workflows/publish.yml at 4fac887

	name: Publish CodeQL Packs

	on:
	push:
	branches: [main]
	# TODO: REMOVE AGAIN AFTER TESTING
	pull_request:
	branches: [ main ]
	workflow_dispatch:

	env:
	CODEQL_CLI_VERSION: 2.20.1

	jobs:
	queries:
	runs-on: ubuntu-latest

	permissions:
	contents: read
	packages: write

	strategy:
	fail-fast: false
	matrix:
	language: ["cpp", "csharp", "go", "java", "javascript", "python", "ruby"]

	steps:
	- uses: actions/checkout@v4

	- name: Check codeql-LANG-queries (src) pack
	id: check_version
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-queries/versions --jq '.[0].metadata.container.tags[0]')
	CURRENT_VERSION=$(grep version ${{ matrix.language }}/src/qlpack.yml \| awk '{print $2}')

	echo "Published version: $PUBLISHED_VERSION"
	echo "Local version: $CURRENT_VERSION"

	if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
	echo "publish=true" >> $GITHUB_OUTPUT
	fi

	- name: Setup CodeQL
	if: steps.check_version.outputs.publish == 'true'
	uses: ./.github/actions/install-codeql
	with:
	codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}

	- name: Publish codeql-LANG-queries (src) pack.
	if: steps.check_version.outputs.publish == 'true'
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	echo "Publishing codeql-${{ matrix.language }}-queries."
	# TODO COMMENT BACK IN AFTER TESTING
	# codeql pack install "${{ matrix.language }}/src"
	# codeql pack publish "${{ matrix.language }}/src"

	library:
	runs-on: ubuntu-latest

	permissions:
	contents: read
	packages: write

	strategy:
	fail-fast: false
	matrix:
	language: ["cpp", "csharp", "go", "java", "javascript", "python", "ruby"]

	steps:
	- uses: actions/checkout@v4

	- name: Check codeql-LANG-libs (lib) pack
	id: check_version
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-libs/versions --jq '.[0].metadata.container.tags[0]')
	CURRENT_VERSION=$(grep version ${{ matrix.language }}/lib/qlpack.yml \| awk '{print $2}')

	echo "Published version: $PUBLISHED_VERSION"
	echo "Local version: $CURRENT_VERSION"

	if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
	echo "publish=true" >> $GITHUB_OUTPUT
	fi

	- name: Setup CodeQL
	if: steps.check_version.outputs.publish == 'true'
	uses: ./.github/actions/install-codeql
	with:
	codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}

	- name: Publish codeql-LANG-libs (lib) pack
	if: steps.check_version.outputs.publish == 'true'
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	echo "Publishing codeql-${{ matrix.language }}-libs."
	# TODO COMMENT BACK IN AFTER TESTING
	# codeql pack install "${{ matrix.language }}/lib"
	# codeql pack publish "${{ matrix.language }}/lib"

	extensions:
	runs-on: ubuntu-latest

	permissions:
	contents: read
	packages: write

	strategy:
	fail-fast: false
	matrix:
	language: ["csharp", "java"]

	steps:
	- uses: actions/checkout@v4

	- name: Check codeql-LANG-extensions (ext) pack
	id: check_version
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-extensions/versions --jq '.[0].metadata.container.tags[0]')
	CURRENT_VERSION=$(grep version ${{ matrix.language }}/ext/qlpack.yml \| awk '{print $2}')

	echo "Published version: $PUBLISHED_VERSION"
	echo "Local version: $CURRENT_VERSION"
	if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
	echo "publish=true" >> $GITHUB_OUTPUT
	fi

	- name: Setup CodeQL
	if: steps.check_version.outputs.publish == 'true'
	uses: ./.github/actions/install-codeql
	with:
	codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}

	- name: Publish codeql-LANG-extensions (ext) pack
	if: steps.check_version.outputs.publish == 'true'
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	echo "Publishing codeql-${{ matrix.language }}-extensions."
	# TODO COMMENT BACK IN AFTER TESTING
	# codeql pack install "${{ matrix.language }}/ext"
	# codeql pack publish "${{ matrix.language }}/ext"


	library_sources_extensions:
	runs-on: ubuntu-latest

	permissions:
	contents: read
	packages: write

	strategy:
	fail-fast: false
	matrix:
	language: ["csharp", "java"]

	steps:
	- uses: actions/checkout@v4

	- name: Check codeql-LANG-library-sources (ext-library-sources) pack
	id: check_version
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-library-sources/versions --jq '.[0].metadata.container.tags[0]')
	CURRENT_VERSION=$(grep version ${{ matrix.language }}/ext-library-sources/qlpack.yml \| awk '{print $2}')

	echo "Published version: $PUBLISHED_VERSION"
	echo "Local version: $CURRENT_VERSION"
	if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
	echo "publish=true" >> $GITHUB_OUTPUT
	fi

	- name: Setup CodeQL
	if: steps.check_version.outputs.publish == 'true'
	uses: ./.github/actions/install-codeql
	with:
	codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}

	- name: Publish codeql-LANG-library-sources (ext-library-sources) pack
	if: steps.check_version.outputs.publish == 'true'
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	echo "Publishing codeql-${{ matrix.language }}-library-sources."
	# TODO COMMENT BACK IN AFTER TESTING
	# codeql pack install "${{ matrix.language }}/ext-library-sources"
	# codeql pack publish "${{ matrix.language }}/ext-library-sources"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pin CodeQL in the publish workflow. #116

Workflow file

Pin CodeQL in the publish workflow. #116

Jobs

Run details

Workflow file for this run