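# Release workflow: builds the server from a `v*` tag, publishes the CodeQL tool
# query packs and the npm package to GitHub Packages, and attaches a tarball to a
# GitHub Release. `workflow_dispatch` builds (and verifies) an existing tag but
# does not publish, because the publish steps are gated on `refs/tags/`.
name: Release - CodeQL Development MCP Server

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      version:
        description: 'Release version (e.g., vX.Y.Z). Must start with "v".'
        required: true
        type: string

# Default token is read-only; the job below raises only the scopes it needs.
permissions:
  contents: read

jobs:
  build-and-release:
    name: Build and Release
    runs-on: ubuntu-latest
    permissions:
      contents: write   # create the GitHub Release and upload its asset
      packages: write   # publish the npm package and CodeQL packs to GitHub Packages
    defaults:
      run:
        # Explicit bash runs with `-eo pipefail`, so a failing command inside a
        # pipeline fails the step instead of being masked by the last command.
        shell: bash
    steps:
      # NOTE(review): first-party actions are pinned to major tags while
      # action-gh-release is pinned to a commit SHA; pinning all of them to SHAs
      # would make the set of action code that runs here reproducible.
      - name: Release - Checkout repository
        uses: actions/checkout@v6
        with:
          # Explicitly checkout the tag ref to ensure we build the correct commit
          # For tag pushes: refs/tags/vX.Y.Z
          # For workflow_dispatch: refs/heads/<branch> (the requested tag is checked out below)
          ref: ${{ github.ref }}

      - name: Release - Determine version
        id: version
        env:
          # Inputs and ref names are passed through env rather than interpolated
          # into the script, so their content reaches the shell as data only.
          EVENT_NAME: ${{ github.event_name }}
          INPUT_VERSION: ${{ github.event.inputs.version }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "${EVENT_NAME}" == "workflow_dispatch" ]; then
            VERSION="${INPUT_VERSION}"
          else
            VERSION="${REF_NAME}"
          fi
          # Must start with 'v' and use only characters that are safe in tag
          # names, file names and the summary table (no whitespace, no shell
          # metacharacters). Pre-release suffixes such as -rc.1 still pass.
          if [[ ! "${VERSION}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
            echo "::error::Version '${VERSION}' must start with 'v' and contain only [0-9A-Za-z._+-]"
            exit 1
          fi
          echo "version=${VERSION}" >> "${GITHUB_OUTPUT}"
          echo "release_name=${VERSION#v}" >> "${GITHUB_OUTPUT}"

      - name: Release - Checkout tag for workflow_dispatch
        if: github.event_name == 'workflow_dispatch'
        env:
          TAG: ${{ steps.version.outputs.version }}
        run: |
          # actions/checkout's default shallow clone of the dispatching branch does
          # not fetch tags, so fetch just the requested tag before looking it up.
          git fetch --depth=1 origin "refs/tags/${TAG}:refs/tags/${TAG}" || true
          if git rev-parse --verify --quiet "refs/tags/${TAG}" >/dev/null; then
            echo "Checking out existing tag: ${TAG}"
            git checkout "refs/tags/${TAG}"
          else
            echo "::error::Tag '${TAG}' does not exist. Create the tag first before running this workflow."
            exit 1
          fi

      - name: Release - Verify checkout matches expected version
        env:
          TAG: ${{ steps.version.outputs.version }}
        run: |
          # Verify we're on the correct commit for the release
          CURRENT_SHA=$(git rev-parse HEAD)
          if git rev-parse --verify --quiet "refs/tags/${TAG}" >/dev/null; then
            # ^{commit} peels an annotated tag to the commit it points at.
            TAG_SHA=$(git rev-parse "refs/tags/${TAG}^{commit}" 2>/dev/null || git rev-parse "refs/tags/${TAG}")
            if [ "${CURRENT_SHA}" != "${TAG_SHA}" ]; then
              echo "::error::Current checkout (${CURRENT_SHA}) does not match tag ${TAG} (${TAG_SHA})"
              exit 1
            fi
            echo "✅ Verified: Building from tag ${TAG} at commit ${CURRENT_SHA:0:8}"
          else
            echo "::warning::Tag ${TAG} not found, building from current checkout at ${CURRENT_SHA:0:8}"
          fi

      # Runs after the tag checkout so `.node-version` is read from the release
      # commit rather than from the branch that dispatched the workflow.
      - name: Release - Setup Node.js
        uses: actions/setup-node@v6
        with:
          cache: 'npm'
          node-version-file: '.node-version'
          registry-url: 'https://npm.pkg.github.com'
          scope: '@advanced-security'

      - name: Release - Install dependencies
        run: npm ci --include=optional

      - name: Release - Build server
        run: npm run build -w server

      - name: Release - Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          tools: latest

      - name: Release - Publish CodeQL tool query packs
        id: publish_packs
        if: startsWith(github.ref, 'refs/tags/')
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          LANGUAGES="actions cpp csharp go java javascript python ruby swift"
          echo "Publishing CodeQL tool query packs..."
          for lang in ${LANGUAGES}; do
            PACK_DIR="server/ql/${lang}/tools/src"
            if [ -d "${PACK_DIR}" ]; then
              echo "📦 Publishing ${PACK_DIR}..."
              codeql pack publish --threads=-1 -- "${PACK_DIR}"
              echo "✅ Published ${lang} tool query pack"
            else
              echo "⚠️ Skipping ${lang}: ${PACK_DIR} not found"
            fi
          done

      - name: Release - Publish npm package
        id: publish_npm
        if: startsWith(github.ref, 'refs/tags/')
        working-directory: server
        env:
          # Scoped to this step only; the token is not visible to the build steps.
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Publishing @advanced-security/codeql-development-mcp-server to GitHub Packages..."
          npm publish
          echo "✅ Published npm package to GitHub Packages"

      - name: Release - Create distribution directory
        run: |
          mkdir -p dist-package/server
          mkdir -p dist-package/docs
          # Copy server distributable files
          cp -r server/dist dist-package/server/
          cp -r server/ql dist-package/server/
          cp server/package.json dist-package/server/
          # Copy root package-lock.json for npm ci (monorepo lockfile)
          cp package-lock.json dist-package/server/
          # Copy root files
          cp README.md dist-package/
          cp LICENSE dist-package/
          # Copy documentation (fails the step if docs/ is empty, which is intended)
          cp -r docs/* dist-package/docs/

      - name: Release - Clean QL test directories from distribution
        run: |
          # Remove test and examples directories from ql folders (only keep src)
          find dist-package/server/ql -type d \( -name "test" -o -name "examples" \) -prune -exec rm -rf {} \;

      - name: Release - Install production dependencies
        working-directory: dist-package/server
        run: npm ci --omit=dev --include=optional

      - name: Release - Create archive
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          tar -czvf "codeql-development-mcp-server-${VERSION}.tar.gz" -C dist-package .

      - name: Release - Upload artifact
        uses: actions/upload-artifact@v6
        with:
          name: codeql-development-mcp-server-${{ steps.version.outputs.version }}
          path: codeql-development-mcp-server-${{ steps.version.outputs.version }}.tar.gz

      - name: Release - Create GitHub Release
        id: gh_release
        if: startsWith(github.ref, 'refs/tags/')
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          files: codeql-development-mcp-server-${{ steps.version.outputs.version }}.tar.gz
          generate_release_notes: true

      - name: Release - Summary
        env:
          VERSION: ${{ steps.version.outputs.version }}
          RELEASE_NAME: ${{ steps.version.outputs.release_name }}
          # `skipped` on workflow_dispatch runs, where the publish steps are gated off.
          PACKS_OUTCOME: ${{ steps.publish_packs.outcome }}
          NPM_OUTCOME: ${{ steps.publish_npm.outcome }}
          RELEASE_OUTCOME: ${{ steps.gh_release.outcome }}
        run: |
          {
            echo "## Release Summary"
            echo "✅ Server built successfully"
            # Only report publishing that actually happened in this run.
            if [ "${NPM_OUTCOME}" == "success" ]; then
              echo "✅ npm package published to GitHub Packages"
            else
              echo "⏭️ npm package not published (step outcome: ${NPM_OUTCOME})"
            fi
            if [ "${PACKS_OUTCOME}" == "success" ]; then
              echo "✅ CodeQL tool query packs published to GHCR"
            else
              echo "⏭️ CodeQL tool query packs not published (step outcome: ${PACKS_OUTCOME})"
            fi
            echo "✅ Distribution package created"
            echo "✅ Production dependencies installed"
            echo "✅ Archive created: codeql-development-mcp-server-${VERSION}.tar.gz"
            if [ "${RELEASE_OUTCOME}" == "success" ]; then
              echo "✅ GitHub Release created for ${VERSION}"
            fi
            echo ""
            echo "### Package Contents"
            echo "- \`server/dist/\` - Bundled JavaScript output"
            echo "- \`server/ql/*/tools/src/\` - CodeQL tool queries"
            echo "- \`server/node_modules/\` - Production dependencies"
            echo "- \`docs/\` - User documentation"
            echo "- \`README.md\` - Project overview"
            echo "- \`LICENSE\` - CodeQL Terms and Conditions"
            if [ "${PACKS_OUTCOME}" == "success" ]; then
              echo ""
              echo "### Published CodeQL Packs"
              echo "| Pack | Version |"
              echo "| ---- | ------- |"
              for lang in actions cpp csharp go java javascript python ruby swift; do
                echo "| \`advanced-security/ql-mcp-${lang}-tools-src\` | ${RELEASE_NAME} |"
              done
            fi
          } >> "${GITHUB_STEP_SUMMARY}"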