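---
# Release orchestration for the CodeQL Development MCP Server.
#
# Triggered by a `v*` tag push or manually via workflow_dispatch. Resolves and
# validates the version, ensures the tag exists, then fans out to the npm,
# CodeQL pack and VSIX reusable workflows before assembling the GitHub Release.
#
# Every `${{ }}` value that reaches a `run:` script is passed through `env:`
# rather than expanded inline, so tag names and dispatch inputs are handled as
# shell data, never as shell code.
name: Release - CodeQL Development MCP Server

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      create_github_release:
        default: true
        description: 'Create GitHub Release with distribution archive and CodeQL pack bundles. Disable to only publish packages without creating a release.'
        required: false
        type: boolean
      publish_codeql_packs:
        default: true
        description: 'Publish CodeQL tool query packs to GHCR. Disable for pre-release or re-run scenarios where packs already exist. Packs are always bundled as release artifacts regardless of this setting.'
        required: false
        type: boolean
      publish_npm:
        default: true
        description: 'Publish npm package to npmjs.org via OIDC trusted publishing. Disable for pre-release or re-run scenarios where the npm package already exists.'
        required: false
        type: boolean
      version:
        description: 'Release version (e.g., vX.Y.Z). Must start with "v".'
        required: true
        type: string

# Least privilege by default: the workflow token is read-only; jobs that need
# wider scopes (tag creation, GHCR push, release upload) declare them locally.
permissions:
  contents: read

# One release run per version at a time; a newer run for the same version
# cancels an in-flight one.
concurrency:
  group: release-${{ github.event.inputs.version || github.ref_name }}
  cancel-in-progress: true

jobs:
  # ─────────────────────────────────────────────────────────────────────────────
  # Step 1: Determine the release version
  #
  # Resolves the version from either the tag push event or the workflow_dispatch
  # input, and validates the format. This output is consumed by all downstream
  # jobs.
  # ─────────────────────────────────────────────────────────────────────────────
  resolve-version:
    name: Resolve Release Version
    runs-on: ubuntu-latest
    outputs:
      create_github_release: ${{ steps.resolve.outputs.create_github_release }}
      publish_codeql_packs: ${{ steps.resolve.outputs.publish_codeql_packs }}
      publish_npm: ${{ steps.resolve.outputs.publish_npm }}
      release_name: ${{ steps.resolve.outputs.release_name }}
      version: ${{ steps.resolve.outputs.version }}
    steps:
      - name: Version - Resolve and validate
        id: resolve
        # Context values enter the script via environment variables so that a
        # tag name or dispatch input containing quotes, `$(...)`, `;` etc.
        # cannot change the commands that run.
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
          INPUT_VERSION: ${{ github.event.inputs.version }}
          INPUT_CREATE_RELEASE: ${{ github.event.inputs.create_github_release }}
          INPUT_PUBLISH_PACKS: ${{ github.event.inputs.publish_codeql_packs }}
          INPUT_PUBLISH_NPM: ${{ github.event.inputs.publish_npm }}
        run: |
          if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then
            VERSION="${INPUT_VERSION}"
          else
            VERSION="${REF_NAME}"
          fi
          # Validate: must start with 'v' and may only contain characters that
          # are safe in tag names, artifact names and file paths. The version is
          # later embedded in archive/artifact names and in the release tag, so
          # anything outside [0-9A-Za-z._+-] (spaces, slashes, quotes, `$`, ...)
          # is rejected here, once, before any downstream job sees it.
          if [[ ! "${VERSION}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
            echo "::error::Version '${VERSION}' must start with 'v' and contain only [0-9A-Za-z._+-]"
            exit 1
          fi
          # Resolve publish flags (default true for tag pushes)
          if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then
            CREATE_RELEASE="${INPUT_CREATE_RELEASE}"
            PUBLISH_PACKS="${INPUT_PUBLISH_PACKS}"
            PUBLISH_NPM="${INPUT_PUBLISH_NPM}"
          else
            CREATE_RELEASE="true"
            PUBLISH_PACKS="true"
            PUBLISH_NPM="true"
          fi
          # release_name is the version without the leading 'v'
          {
            echo "version=${VERSION}"
            echo "release_name=${VERSION#v}"
            echo "create_github_release=${CREATE_RELEASE}"
            echo "publish_codeql_packs=${PUBLISH_PACKS}"
            echo "publish_npm=${PUBLISH_NPM}"
          } >> "$GITHUB_OUTPUT"

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 2: Ensure the release tag exists
  #
  # For workflow_dispatch, ensures a properly validated tag exists. For tag push
  # events, this is a no-op (tag already exists). The release-tag workflow
  # handles version updates, `npm install`, tidy, build, test, and tag creation.
  # ─────────────────────────────────────────────────────────────────────────────
  ensure-tag:
    name: Ensure Release Tag
    needs: resolve-version
    # contents:write is needed only here, to push the tag.
    permissions:
      contents: write
    uses: ./.github/workflows/release-tag.yml
    with:
      version: ${{ needs.resolve-version.outputs.version }}

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 3a: Build and publish the npm package
  #
  # Checks out the clean tag (no CodeQL pack artifacts), builds with `npm ci`,
  # and publishes to npmjs.org via OIDC trusted publishing. Runs in parallel
  # with CodeQL pack publishing since they are independent.
  #
  # The trusted publisher on npmjs.com is configured with workflow "release.yml"
  # and environment "release-npm". The id-token:write permission is required for
  # OIDC authentication — no npm tokens are used.
  # ─────────────────────────────────────────────────────────────────────────────
  publish-npm:
    name: Publish npm Package
    if: needs.resolve-version.outputs.publish_npm == 'true'
    needs: [resolve-version, ensure-tag]
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/release-npm.yml
    with:
      version: ${{ needs.resolve-version.outputs.version }}

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 3b: Bundle and optionally publish CodeQL packs
  #
  # Checks out the clean tag, installs CodeQL, and bundles packs for release.
  # Publishing to GHCR is controlled by the publish_codeql_packs flag; bundling
  # always runs so that pack artifacts are available for the GitHub Release.
  # Runs in parallel with npm publishing since they are independent.
  # ─────────────────────────────────────────────────────────────────────────────
  publish-codeql:
    name: Publish CodeQL Packs
    needs: [resolve-version, ensure-tag]
    # packages:write is the GHCR push scope; the reusable workflow decides
    # whether to actually publish based on publish_codeql_packs.
    permissions:
      contents: read
      packages: write
    uses: ./.github/workflows/release-codeql.yml
    with:
      publish_codeql_packs: ${{ needs.resolve-version.outputs.publish_codeql_packs == 'true' }}
      version: ${{ needs.resolve-version.outputs.version }}

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 3c: Build the VS Code extension VSIX
  #
  # Checks out the clean tag, builds the server and extension (including the
  # bundled MCP server), and packages the self-contained VSIX. Runs in parallel
  # with npm/CodeQL publishing since it only needs the tag.
  # ─────────────────────────────────────────────────────────────────────────────
  build-vsix:
    name: Build VSIX Extension
    needs: [resolve-version, ensure-tag]
    permissions:
      contents: read
    uses: ./.github/workflows/release-vsix.yml
    with:
      version: ${{ needs.resolve-version.outputs.version }}

  # ─────────────────────────────────────────────────────────────────────────────
  # Step 4: Create GitHub Release
  #
  # Downloads the clean build artifact (from npm workflow) and pack bundles
  # (from CodeQL workflow), assembles the distribution archive, and creates the
  # GitHub Release. Requires npm publishing and create_github_release to be
  # enabled. CodeQL packs are always bundled as release artifacts regardless of
  # the publish_codeql_packs flag.
  # ─────────────────────────────────────────────────────────────────────────────
  create-release:
    name: Create GitHub Release
    # always() keeps the job evaluable even if a dependency was skipped;
    # !failure() / !cancelled() stop it from running after an upstream failure.
    if: >-
      always() && !failure() && !cancelled()
      && needs.resolve-version.outputs.create_github_release == 'true'
      && needs.resolve-version.outputs.publish_npm == 'true'
    needs: [resolve-version, ensure-tag, publish-npm, publish-codeql, build-vsix]
    runs-on: ubuntu-latest
    # contents:write is required to create the release and upload its assets.
    permissions:
      contents: write
    steps:
      - name: Release - Download release build artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: release-build-${{ needs.resolve-version.outputs.version }}

      - name: Release - Download CodeQL pack artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: codeql-tool-query-packs-${{ needs.resolve-version.outputs.version }}
          path: dist-packs

      - name: Release - Download VSIX artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: codeql-development-mcp-server-vsix-${{ needs.resolve-version.outputs.version }}
          path: dist-vsix

      - name: Release - Create distribution directory
        run: |
          mkdir -p dist-package/server
          mkdir -p dist-package/docs
          # Copy server distributable files
          cp -r server/dist dist-package/server/
          cp -r server/ql dist-package/server/
          cp server/package.json dist-package/server/
          # Copy scripts (setup-packs.sh is referenced by the bin field)
          mkdir -p dist-package/server/scripts
          cp server/scripts/setup-packs.sh dist-package/server/scripts/
          # Copy root files
          cp README.md dist-package/
          cp LICENSE dist-package/
          # Copy documentation
          cp -r docs/* dist-package/docs/

      - name: Release - Clean QL test directories from distribution
        run: |
          # Remove test and examples directories from ql folders (only keep src)
          find dist-package/server/ql -type d \( -name "test" -o -name "examples" \) -prune -exec rm -rf {} \;

      # NOTE(review): only package.json is copied above, so this install is not
      # pinned by a lockfile and may resolve different dependency versions than
      # the build that was tested. Consider also copying the server lockfile and
      # using `npm ci --omit=dev` — confirm the lockfile's name and location.
      - name: Release - Install production dependencies
        working-directory: dist-package/server
        run: npm install --omit=dev --include=optional

      - name: Release - Create archive
        env:
          VERSION: ${{ needs.resolve-version.outputs.version }}
        run: |
          tar -czvf "codeql-development-mcp-server-${VERSION}.tar.gz" -C dist-package .

      - name: Release - Upload artifact
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}
          path: codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}.tar.gz

      # Third-party action pinned to a full commit SHA (version noted inline).
      - name: Release - Create GitHub Release
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          files: |
            codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}.tar.gz
            dist-packs/*.tar.gz
            dist-vsix/codeql-development-mcp-server-${{ needs.resolve-version.outputs.version }}.vsix
          generate_release_notes: true
          tag_name: ${{ needs.resolve-version.outputs.version }}

      - name: Release - Summary
        env:
          VERSION: ${{ needs.resolve-version.outputs.version }}
          RELEASE_NAME: ${{ needs.resolve-version.outputs.release_name }}
          PUBLISH_PACKS: ${{ needs.resolve-version.outputs.publish_codeql_packs }}
        run: |
          {
            echo "## Release Summary"
            echo ""
            echo "| Step | Status |"
            echo "| ---- | ------ |"
            echo "| Tag | ✅ ${VERSION} |"
            echo "| Server build | ✅ Success |"
            echo "| Version validation | ✅ All files match ${RELEASE_NAME} |"
            echo "| npm publish | ✅ Published to npmjs.org |"
            if [ "${PUBLISH_PACKS}" = "true" ]; then
              echo "| CodeQL pack publish | ✅ Published to GHCR |"
            else
              echo "| CodeQL pack publish | ⏭️ Skipped (packs bundled only) |"
            fi
            echo "| Distribution archive | ✅ Created |"
            echo "| VSIX extension | ✅ Built |"
            echo "| GitHub Release | ✅ Created |"
            echo ""
            echo "### Package Contents"
            echo "- \`server/dist/\` - Bundled JavaScript output"
            echo "- \`server/ql/*/tools/src/\` - CodeQL tool queries"
            echo "- \`server/node_modules/\` - Production dependencies"
            echo "- \`docs/\` - User documentation"
            echo "- \`README.md\` - Project overview"
            echo "- \`LICENSE\` - CodeQL Terms and Conditions"
            echo ""
            echo "### Published CodeQL Packs"
            echo "| Pack | Version |"
            echo "| ---- | ------- |"
            for lang in actions cpp csharp go java javascript python ruby rust swift; do
              echo "| \`advanced-security/ql-mcp-${lang}-tools-src\` | ${RELEASE_NAME} |"
            done
          } >> "$GITHUB_STEP_SUMMARY"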