Update microsoft-codeql-pack-publish.yml

dilanbhalla · web-flow · commit a3c5e48738cc · 2025-04-22T12:45:26.000-07:00
diff --git a/.github/workflows/microsoft-codeql-pack-publish.yml b/.github/workflows/microsoft-codeql-pack-publish.yml
@@ -1,12 +1,16 @@
 name: Microsoft CodeQL Pack Publish
 
 on:
-  push:
-    branches:
-      - dilan/publish-opensource-packs
+  workflow_dispatch:
 
 jobs:
+  check-branch:
+    if: github.ref != 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "This workflow can only run on the 'main' branch." && exit 1
   codeqlversion:
+    needs: check-branch
     runs-on: ubuntu-latest
     outputs:
       codeql_version: ${{ steps.set_codeql_version.outputs.codeql_version }}
@@ -25,6 +29,7 @@ jobs:
             CODEQL_VERSION="${CURRENT_TAG#codeql-cli/}"
             echo "CODEQL_VERSION=$CODEQL_VERSION" >> $GITHUB_OUTPUT
   publishlibs:
+    environment: secure-publish
     needs: codeqlversion
     runs-on: ubuntu-latest
     strategy:
@@ -85,58 +90,59 @@ jobs:
       env:
         LANGUAGE: ${{ matrix.language }}
         GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
-  # publish:
-  #   needs: codeqlversion
-  #   runs-on: ubuntu-latest
-  #   strategy:
-  #     matrix:
-  #       language: ['csharp', 'cpp', 'java', 'javascript', 'python', 'ruby', 'go', 'rust', 'swift', 'powershell']
-  #   steps:
-  #   - name: Checkout repository
-  #     uses: actions/checkout@v4
-  #   - name: Install CodeQL
-  #     shell: bash
-  #     run: |
-  #       gh extension install github/gh-codeql
-  #       gh codeql download "${{ needs.codeqlversion.outputs.codeql_version }}"
-  #       gh codeql set-version "${{ needs.codeqlversion.outputs.codeql_version }}"
-  #     env:
-  #       GITHUB_TOKEN: ${{ github.token }}
-  #   - name: Publish OS Microsoft CodeQL Pack
-  #     shell: bash
-  #     run: |
-  #       # Download latest qlpack
-  #       gh codeql pack download "microsoft/$LANGUAGE-queries"
-  #       PACK_DIR="$HOME/.codeql/packages/microsoft/$LANGUAGE-queries"
-  #       VERSION_COUNT=$(ls -d "$PACK_DIR"/*/ | wc -l)
-  #       [[ "$VERSION_COUNT" -ne 1 ]] && { echo "Expected exactly one version in $PACK_DIR, but found $VERSION_COUNT. Exiting."; exit 1; }
+  publish:
+    environment: secure-publish
+    needs: codeqlversion
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language: ['csharp', 'cpp', 'java', 'javascript', 'python', 'ruby', 'go', 'rust', 'swift', 'powershell']
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Install CodeQL
+      shell: bash
+      run: |
+        gh extension install github/gh-codeql
+        gh codeql download "${{ needs.codeqlversion.outputs.codeql_version }}"
+        gh codeql set-version "${{ needs.codeqlversion.outputs.codeql_version }}"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: Publish OS Microsoft CodeQL Pack
+      shell: bash
+      run: |
+        # Download latest qlpack
+        gh codeql pack download "microsoft/$LANGUAGE-queries"
+        PACK_DIR="$HOME/.codeql/packages/microsoft/$LANGUAGE-queries"
+        VERSION_COUNT=$(ls -d "$PACK_DIR"/*/ | wc -l)
+        [[ "$VERSION_COUNT" -ne 1 ]] && { echo "Expected exactly one version in $PACK_DIR, but found $VERSION_COUNT. Exiting."; exit 1; }
 
-  #       # Increment version
-  #       CURRENT_VERSION=$(ls -v "$PACK_DIR" | tail -n 1)
-  #       MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
-  #       MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
-  #       PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
-  #       NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
+        # Increment version
+        CURRENT_VERSION=$(ls -v "$PACK_DIR" | tail -n 1)
+        MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
+        MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
+        PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
+        NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
 
-  #       # Extract dependencies from the existing qlpack.yml before deleting
-  #       DEPENDENCIES=$(yq 'select(has("dependencies")) | .dependencies | {"dependencies": .}' "$LANGUAGE/ql/src/qlpack.yml" 2>/dev/null)
-  #       rm -f "$LANGUAGE/ql/src/qlpack.yml" "$LANGUAGE/ql/src/qlpack.lock"
+        # Extract dependencies from the existing qlpack.yml before deleting
+        DEPENDENCIES=$(yq 'select(has("dependencies")) | .dependencies | {"dependencies": .}' "$LANGUAGE/ql/src/qlpack.yml" 2>/dev/null)
+        rm -f "$LANGUAGE/ql/src/qlpack.yml" "$LANGUAGE/ql/src/qlpack.lock"
 
-  #       # Create new qlpack.yml with modified content
-  #       cat <<EOF > "$LANGUAGE/ql/src/qlpack.yml"
-  #       name: microsoft/$LANGUAGE-queries
-  #       version: $NEXT_VERSION
-  #       extractor: $LANGUAGE
-  #       groups:
-  #         - $LANGUAGE
-  #         - queries
-  #       $DEPENDENCIES
-  #       EOF
+        # Create new qlpack.yml with modified content
+        cat <<EOF > "$LANGUAGE/ql/src/qlpack.yml"
+        name: microsoft/$LANGUAGE-queries
+        version: $NEXT_VERSION
+        extractor: $LANGUAGE
+        groups:
+          - $LANGUAGE
+          - queries
+        $DEPENDENCIES
+        EOF
 
-  #       # Publish pack
-  #       cat "$LANGUAGE/ql/src/qlpack.yml"
-  #       gh codeql pack publish "$LANGUAGE/ql/src"
-  #     env:
-  #       LANGUAGE: ${{ matrix.language }}
-  #       GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
+        # Publish pack
+        cat "$LANGUAGE/ql/src/qlpack.yml"
+        gh codeql pack publish "$LANGUAGE/ql/src"
+      env:
+        LANGUAGE: ${{ matrix.language }}
+        GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
 
