
Commit 4fac887

committed
Pin CodeQL in the publish workflow.
1 parent 8fbaefb commit 4fac887


1 file changed

+93
-53
lines changed


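--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,10 +3,15 @@ name: Publish CodeQL Packs
 on:
 push:
 branches: [main]
+# TODO: REMOVE AGAIN AFTER TESTING
+pull_request:
+branches: [ main ]
 workflow_dispatch:
 
-jobs:
+env:
+CODEQL_CLI_VERSION: 2.20.1
 
+jobs:
 queries:
 runs-on: ubuntu-latest
 
@@ -22,28 +27,37 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 
-- name: Initialize CodeQL
-run: |
-VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
-| sort \
-| tail -n 1 \
-| tr -d '\n')"
-echo "$VERSION/x64/codeql" >> $GITHUB_PATH
-
-- name: "Check and publish codeql-LANG-queries (src) pack"
+- name: Check codeql-LANG-queries (src) pack
+id: check_version
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-queries/versions --jq '.[0].metadata.container.tags[0]')
 CURRENT_VERSION=$(grep version ${{ matrix.language }}/src/qlpack.yml | awk '{print $2}')
 
-echo "Published verion: $PUBLISHED_VERSION"
-echo "Local verion: $CURRENT_VERSION"
+echo "Published version: $PUBLISHED_VERSION"
+echo "Local version: $CURRENT_VERSION"
+
 if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
-codeql pack install "${{ matrix.language }}/src"
-codeql pack publish "${{ matrix.language }}/src"
+echo "publish=true" >> $GITHUB_OUTPUT
 fi
 
+- name: Setup CodeQL
+if: steps.check_version.outputs.publish == 'true'
+uses: ./.github/actions/install-codeql
+with:
+codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
+
+- name: Publish codeql-LANG-queries (src) pack.
+if: steps.check_version.outputs.publish == 'true'
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+echo "Publishing codeql-${{ matrix.language }}-queries."
+# TODO COMMENT BACK IN AFTER TESTING
+# codeql pack install "${{ matrix.language }}/src"
+# codeql pack publish "${{ matrix.language }}/src"
+
 library:
 runs-on: ubuntu-latest
 
@@ -59,28 +73,37 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 
-- name: Initialize CodeQL
-run: |
-VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
-| sort \
-| tail -n 1 \
-| tr -d '\n')"
-echo "$VERSION/x64/codeql" >> $GITHUB_PATH
-
-- name: "Check and publish codeql-LANG-libs (lib) pack"
+- name: Check codeql-LANG-libs (lib) pack
+id: check_version
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-libs/versions --jq '.[0].metadata.container.tags[0]')
 CURRENT_VERSION=$(grep version ${{ matrix.language }}/lib/qlpack.yml | awk '{print $2}')
 
-echo "Published verion: $PUBLISHED_VERSION"
-echo "Local verion: $CURRENT_VERSION"
+echo "Published version: $PUBLISHED_VERSION"
+echo "Local version: $CURRENT_VERSION"
+
 if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
-codeql pack install "${{ matrix.language }}/lib"
-codeql pack publish "${{ matrix.language }}/lib"
+echo "publish=true" >> $GITHUB_OUTPUT
 fi
 
+- name: Setup CodeQL
+if: steps.check_version.outputs.publish == 'true'
+uses: ./.github/actions/install-codeql
+with:
+codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
+
+- name: Publish codeql-LANG-libs (lib) pack
+if: steps.check_version.outputs.publish == 'true'
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+echo "Publishing codeql-${{ matrix.language }}-libs."
+# TODO COMMENT BACK IN AFTER TESTING
+# codeql pack install "${{ matrix.language }}/lib"
+# codeql pack publish "${{ matrix.language }}/lib"
+
 extensions:
 runs-on: ubuntu-latest
 
@@ -96,28 +119,37 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 
-- name: Initialize CodeQL
-run: |
-VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
-| sort \
-| tail -n 1 \
-| tr -d '\n')"
-echo "$VERSION/x64/codeql" >> $GITHUB_PATH
-
-- name: Check and publish codeql-LANG-extensions (ext) pack
+- name: Check codeql-LANG-extensions (ext) pack
+id: check_version
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-extensions/versions --jq '.[0].metadata.container.tags[0]')
 CURRENT_VERSION=$(grep version ${{ matrix.language }}/ext/qlpack.yml | awk '{print $2}')
 
-echo "Published verion: $PUBLISHED_VERSION"
-echo "Local verion: $CURRENT_VERSION"
+echo "Published version: $PUBLISHED_VERSION"
+echo "Local version: $CURRENT_VERSION"
 if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
-codeql pack install "${{ matrix.language }}/ext"
-codeql pack publish "${{ matrix.language }}/ext"
+echo "publish=true" >> $GITHUB_OUTPUT
 fi
 
+- name: Setup CodeQL
+if: steps.check_version.outputs.publish == 'true'
+uses: ./.github/actions/install-codeql
+with:
+codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
+
+- name: Publish codeql-LANG-extensions (ext) pack
+if: steps.check_version.outputs.publish == 'true'
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+echo "Publishing codeql-${{ matrix.language }}-extensions."
+# TODO COMMENT BACK IN AFTER TESTING
+# codeql pack install "${{ matrix.language }}/ext"
+# codeql pack publish "${{ matrix.language }}/ext"
+
+
 library_sources_extensions:
 runs-on: ubuntu-latest
 
@@ -133,24 +165,32 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 
-- name: Initialize CodeQL
-run: |
-VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
-| sort \
-| tail -n 1 \
-| tr -d '\n')"
-echo "$VERSION/x64/codeql" >> $GITHUB_PATH
-
-- name: Check and publish codeql-LANG-library-sources (ext-library-sources) pack
+- name: Check codeql-LANG-library-sources (ext-library-sources) pack
+id: check_version
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-library-sources/versions --jq '.[0].metadata.container.tags[0]')
 CURRENT_VERSION=$(grep version ${{ matrix.language }}/ext-library-sources/qlpack.yml | awk '{print $2}')
 
-echo "Published verion: $PUBLISHED_VERSION"
-echo "Local verion: $CURRENT_VERSION"
+echo "Published version: $PUBLISHED_VERSION"
+echo "Local version: $CURRENT_VERSION"
 if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
-codeql pack install "${{ matrix.language }}/ext-library-sources"
-codeql pack publish "${{ matrix.language }}/ext-library-sources"
+echo "publish=true" >> $GITHUB_OUTPUT
 fi
+
+- name: Setup CodeQL
+if: steps.check_version.outputs.publish == 'true'
+uses: ./.github/actions/install-codeql
+with:
+codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
+
+- name: Publish codeql-LANG-library-sources (ext-library-sources) pack
+if: steps.check_version.outputs.publish == 'true'
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+echo "Publishing codeql-${{ matrix.language }}-library-sources."
+# TODO COMMENT BACK IN AFTER TESTING
+# codeql pack install "${{ matrix.language }}/ext-library-sources"
+# codeql pack publish "${{ matrix.language }}/ext-library-sources"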
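Review bot: Every new "Publish …" step in this file still has its `codeql pack install` / `codeql pack publish` lines commented out under `# TODO COMMENT BACK IN AFTER TESTING`, and the first hunk adds a `pull_request:` trigger on `main` marked `# TODO: REMOVE AGAIN AFTER TESTING`, so as committed the workflow installs the pinned CLI on pull requests but never publishes a pack; the same scaffolding is repeated in all four jobs (queries, library, extensions, library_sources_extensions) and should be reverted together before this ships. Pinning `CODEQL_CLI_VERSION: 2.20.1` is the right direction; quoting it (`CODEQL_CLI_VERSION: "2.20.1"`) keeps it a string under any YAML loader and matches the usual convention for version values in workflow files. The publish gate compares `CURRENT_VERSION`, taken by `grep version …/qlpack.yml | awk '{print $2}'`, with `.[0].metadata.container.tags[0]` from the packages API; that presumably relies on the newest package version being listed first with the bare semver as its first tag, and on qlpack.yml having exactly one line containing "version", so a short comment above the two assignments stating those assumptions would help, e.g. `# assumes the newest package version is listed first and its first tag is the plain semver string — confirm against the packages API`. The job-level matrix and permissions these steps depend on lie outside the hunks.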
