Skip to content

Automatically open PR to upgrade CodeQL CLI dependencies #215

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Aug 13, 2025
Merged

Automatically open PR to upgrade CodeQL CLI dependencies #215

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
339ad84
Add a workflow for updating the CodeQL CLI dependencies
lcartey Aug 13, 2025
3b98293
Enable permissions to create a PR
lcartey Aug 13, 2025
0713aee
Update workflow to support upgrading lock files
lcartey Aug 13, 2025
9192614
Fix whitespace issues
lcartey Aug 13, 2025
11b900d
Add CodeQL to the path
lcartey Aug 13, 2025
6b1502e
Use correct env var
lcartey Aug 13, 2025
6c9cbe7
Update .github/workflows/update-codeql.yml
lcartey Aug 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
109 changes: 109 additions & 0 deletions .github/workflows/update-codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
name: "Update the CodeQL CLI dependencies"

on:
workflow_dispatch:
# nightly runs to update the CodeQL CLI dependencies
schedule:
- cron: '30 0 * * *'

permissions:
contents: write
pull-requests: write

jobs:
update-codeql:
name: Update CodeQL CLI dependencies
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Check latest CodeQL CLI version and update qlt.conf.json
id: check-version
run: |
echo "Checking latest CodeQL CLI version"
current_version=$(jq .CodeQLCLI qlt.conf.json -r)
latest_version=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName')
echo "Current CodeQL CLI version: $current_version"
echo "Latest CodeQL CLI version: $latest_version"

# Remove 'v' prefix if present for comparison with current version
latest_clean=$(echo "$latest_version" | sed 's/^v//')

if [ "$latest_clean" != "$current_version" ]; then
echo "Updating CodeQL CLI from $current_version to $latest_clean"
echo "update_needed=true" >> $GITHUB_OUTPUT
echo "latest_version=$latest_clean" >> $GITHUB_OUTPUT
echo "latest_version_tag=$latest_version" >> $GITHUB_OUTPUT

# Update qlt.conf.json with all properties
echo "Updating qlt.conf.json with all properties for version $latest_clean"
jq --arg cli_version "$latest_clean" \
--arg std_lib "codeql-cli/$latest_version" \
--arg bundle "codeql-bundle-$latest_version" \
'.CodeQLCLI = $cli_version | .CodeQLStandardLibrary = $std_lib | .CodeQLCLIBundle = $bundle' \
qlt.conf.json > qlt.conf.json.tmp && mv qlt.conf.json.tmp qlt.conf.json

echo "Updated qlt.conf.json contents:"
cat qlt.conf.json
else
echo "CodeQL CLI is already up-to-date at version $current_version."
echo "update_needed=false" >> $GITHUB_OUTPUT
fi

- name: Install QLT
if: steps.check-version.outputs.update_needed == 'true'
id: install-qlt
uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
with:
qlt-version: 'latest'
add-to-path: true

- name: Install CodeQL
if: steps.check-version.outputs.update_needed == 'true'
id: install-codeql
shell: bash
run: |
echo "Installing CodeQL"
qlt codeql run install
echo "-----------------------------"
echo "CodeQL Home: $QLT_CODEQL_HOME"
echo "CodeQL Binary: $QLT_CODEQL_PATH"

- name: Upgrade CodeQL pack lock files
if: steps.check-version.outputs.update_needed == 'true'
shell: bash
run: |
echo "Upgrading CodeQL pack lock files"
echo "Finding all directories with qlpack.yml files..."

# Find all directories containing qlpack.yml files
find . -name "qlpack.yml" -type f | while read -r qlpack_file; do
pack_dir=$(dirname "$qlpack_file")
echo "Upgrading pack in directory: $pack_dir"

# Change to the directory and run codeql pack upgrade
cd "$pack_dir"
$QLT_CODEQL_PATH pack upgrade
cd - > /dev/null
done

echo "Finished upgrading all CodeQL pack lock files"

- name: Create Pull Request
if: steps.check-version.outputs.update_needed == 'true'
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
title: "Upgrade CodeQL CLI dependency to ${{ steps.check-version.outputs.latest_version_tag }}"
body: |
This PR upgrades the CodeQL CLI version to ${{ steps.check-version.outputs.latest_version_tag }}.

**Changes made:**
- Updated `CodeQLCLI` to `${{ steps.check-version.outputs.latest_version }}`
- Updated `CodeQLStandardLibrary` to `codeql-cli/${{ steps.check-version.outputs.latest_version_tag }}`
- Updated `CodeQLCLIBundle` to `codeql-bundle-${{ steps.check-version.outputs.latest_version_tag }}`
- Upgraded all CodeQL pack lock files using `codeql pack upgrade`
commit-message: "Upgrade CodeQL CLI dependency to ${{ steps.check-version.outputs.latest_version_tag }}"
delete-branch: true
branch: "codeql/upgrade-to-${{ steps.check-version.outputs.latest_version_tag }}"