feat(ci): Add publishing script and workflow

GeekMasher · GeekMasher · commit c56e77990d3d · 2025-04-14T13:02:22.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,132 @@
+name: Build and Publish Extractor Pack
+
+on:
+  push:
+    branches: ["main"]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release-check:
+    runs-on: ubuntu-latest
+    outputs:
+      release: ${{ steps.get_version.outputs.release }}
+      version: ${{ steps.get_version.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: "Check release version"
+        id: get_version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -e
+
+          pip install yq
+          current_version=$(cat .release.yml | yq -r ".version")
+
+          released_version=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/:owner/:repo/releases/latest | jq -r ".tag_name")
+
+          if [[ "$current_version" == "NA" || "$current_version" == "$released_version" ]]; then
+            echo "No new release found"
+            echo "release=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "New release found"
+            echo "version=$current_version" >> "$GITHUB_OUTPUT"
+            echo "release=true" >> "$GITHUB_OUTPUT"
+          fi
+
+  compile:
+    name: "Compile Extractor Pack for ${{ matrix.os }}"
+    needs: [release-check]
+
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        # TODO: Add windows-latest
+        os: [ubuntu-latest, macos-latest]
+
+    if: ${{ needs.release-check.outputs.release == 'true' }}
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v4
+
+      - name: "Set up Rust"
+        uses: dtolnay/rust-toolchain@nightly
+        if: ${{ matrix.os != 'windows-latest' }}
+
+      - name: "Build Extractor"
+        if: ${{ matrix.os != 'windows-latest' }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./scripts/create-extractor-pack.sh
+
+      - name: "Upload bundle artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: "extractor-bundle-${{ matrix.os }}"
+          path: "./extractor-pack"
+
+  bundle:
+    name: "Bundle Extractor Pack"
+    runs-on: ubuntu-latest
+    needs: [compile]
+    if: ${{ needs.release-check.outputs.release == 'true' }}
+
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v4
+
+      - name: "Downloadd all artifacts"
+        uses: actions/download-artifact@v4
+        with:
+          path: "./extractor-pack"
+          merge-multiple: true
+
+      - name: "Publish Extractor Pack"
+        if: github.ref == 'refs/heads/main'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          EXTRACTOR_NAME: "bicep"
+        run: |
+          ./scripts/publish-extractor-pack.sh
+
+  queries:
+    runs-on: ubuntu-latest
+    needs: [release-check]
+    if: ${{ needs.release-check.outputs.release == 'true' }}
+
+    permissions:
+      contents: read
+      packages: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        packs: ["lib", "src"]
+
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v4
+
+      - name: "Check and Publish CodeQL Packs"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PACK_PATH=ql/${{ matrix.packs }}/qlpack.yml
+          CURRENT_VERSION=$(grep version $PACK_PATH | awk '{print $2}')
+          PACK_FULLNAME=$(cat $PACK_PATH | grep "name:" | awk '{print $2}')
+          PACK_NAME=$(echo $PACK_FULLNAME | awk -F '/' '{print $2}')
+
+          PUBLISHED_VERSION=$(gh api /orgs/advanced-security/packages/container/$PACK_NAME/versions --jq '.[0].metadata.container.tags[0]')
+          echo "Packs :: ${CURRENT_VERSION} -> ${PUBLISHED_VERSION}"
+
+          if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
+            gh extension install github/gh-codeql
+            gh codeql pack install "ql/${{ matrix.packs }}"
+            gh codeql pack publish "ql/${{ matrix.packs }}"
+          fi
diff --git a/scripts/publish-extractor-pack.sh b/scripts/publish-extractor-pack.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+set -e
+
+# Extractor info
+EXTRACTOR_INFO="./codeql-extractor.yml"
+EXTRACTOR_NAME="${EXTRACTOR_NAME:-$(basename $(dirname $EXTRACTOR_INFO))}"
+EXTRACTOR_VERSION=$(grep version $EXTRACTOR_INFO | awk '{print $2}')
+
+LATEST_RELEASE=$(gh release list | head -n 1 | awk '{print $1}' | sed 's/v//')
+
+echo "[+] ${EXTRACTOR_NAME} (${EXTRACTOR_VERSION})"
+echo "[+] Last release: ${LATEST_RELEASE}"
+
+if [ "$LATEST_RELEASE" != "$EXTRACTOR_VERSION" ]; then
+    echo "[+] New Extractor version being released"
+
+    # Check extracrtor-pack
+    if [ ! -d "extractor-pack" ]; then
+        echo "[+] No extractor-pack found"
+        exit 1
+    fi
+
+    # TODO: Add queries to extractor-pack
+    # echo "[+] Add queries to extractor-pack"
+    # codeql pack create --output=./extractor-pack/queries ./ql/src
+
+    # bundle extractor
+    tar czf extractor-$EXTRACTOR_NAME.tar.gz extractor-pack
+
+    export GH_TOKEN=$GITHUB_TOKEN
+
+    ls -ls ./extractor-pack/tools
+
+    # # create release
+    # gh release create "v$EXTRACTOR_VERSION" \
+    #     --notes "$EXTRACTOR_NAME Extractor v$EXTRACTOR_VERSION" \
+    #     extractor-$EXTRACTOR_NAME.tar.gz
+
+else
+    echo "[+] Extractor is up to date"
+fi
