advanced-security · data-douser · Apr 20, 2026 · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026
@@ -20,6 +20,12 @@ updates:
       ## Ignore all updates for 'zod' as our 'zod' version must match the
       ## version of 'zod' used by the '@modelcontextprotocol/sdk' dependency.
       - dependency-name: 'zod'
+      ## Ignore all updates for '@types/vscode' as its version tracks VS Code
+      ## minor releases and any bump would expose APIs newer than the floor
+      ## declared by 'engines.vscode' in 'extensions/vscode/package.json'.
+      ## Bump this manually together with 'engines.vscode' when raising the
+      ## minimum supported VS Code version.
+      - dependency-name: '@types/vscode'
     versioning-strategy: 'increase'
     groups:
       all-npm-dependencies:

@@ -273,7 +273,6 @@ on:
     branches: ['main']
     paths:
       # Same as above
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -284,12 +283,12 @@ jobs:
     runs-on: {os}-latest  # e.g., macos-latest, windows-latest
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'
-      - run: npm ci --workspaces
+      - run: npm ci --workspaces --ignore-scripts
       - uses: ./.github/actions/setup-codeql-environment
         with:
           install-language-runtimes: false

@@ -28,7 +28,6 @@ on:
       - 'server/scripts/extract-test-databases.sh'
       - 'server/scripts/install-packs.sh'
       - 'server/scripts/run-query-unit-tests.sh'
-  workflow_dispatch:
 
 # Prevent duplicate runs from push + PR on the same branch
 concurrency:

@@ -19,7 +19,6 @@ on:
       - 'server/dist/**'
       - 'server/ql/*/tools/src/**'
       - 'server/src/**'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -40,7 +39,12 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
+
+      ## esbuild's optional platform binary is normally wired up by its postinstall
+      ## script; .npmrc 'ignore-scripts=true' suppresses that, so rebuild here.
+      - name: Rebuild esbuild platform binary
+        run: npm rebuild esbuild --ignore-scripts=false
 
       - name: Build server (dependency)
         run: npm run build -w server

@@ -13,7 +13,6 @@ on:
       - '.github/workflows/build-server.yml'
       - '.node-version'
       - 'server/**'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -38,9 +37,14 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Build Server - Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
         working-directory: .
 
+      ## esbuild's optional platform binary is normally wired up by its postinstall
+      ## script; .npmrc 'ignore-scripts=true' suppresses that, so rebuild here.
+      - name: Build Server - Rebuild esbuild platform binary
+        run: npm rebuild esbuild --ignore-scripts=false
+
       - name: Build Server - Clean previous build
         run: npm run clean
 
@@ -50,7 +54,21 @@ jobs:
       - name: Build Server - Bundle application
         run: npm run bundle
 
+      ## Consumed by dependabot-commit-dist.yml via workflow_run.
+      - name: Build Server - Upload server/dist artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: server-dist
+          path: |
+            server/dist/codeql-development-mcp-server.js
+            server/dist/codeql-development-mcp-server.js.map
+          if-no-files-found: error
+          retention-days: 7
+
+      ## Skipped for Dependabot PRs: dependabot-commit-dist.yml will push the
+      ## rebuilt 'server/dist' back to the PR branch.
       - name: Build Server - Check for uncommitted changes
+        if: github.actor != 'dependabot[bot]'
         run: |
           if [ -n "$(git status --porcelain)" ]; then
             echo "❌ Uncommitted changes detected after build:"

@@ -19,7 +19,6 @@ on:
       - '.node-version'
       - 'client/**'
       - 'server/**'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -61,7 +60,12 @@ jobs:
         run: choco install jq -y
 
       - name: MCP Integration Tests - Install node dependencies for client and server workspaces
-        run: npm ci --workspace=client && npm ci --workspace=server
+        run: npm ci --workspace=client --ignore-scripts && npm ci --workspace=server --ignore-scripts
+
+      ## esbuild's optional platform binary is normally wired up by its postinstall
+      ## script; .npmrc 'ignore-scripts=true' suppresses that, so rebuild here.
+      - name: MCP Integration Tests - Rebuild esbuild platform binary
+        run: npm rebuild esbuild --ignore-scripts=false
 
       - name: MCP Integration Tests - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment
@@ -168,7 +172,12 @@ jobs:
           node-version-file: '.node-version'
 
       - name: CODEQL_PATH Tests - Install server dependencies
-        run: npm ci --workspace=server
+        run: npm ci --workspace=server --ignore-scripts
+
+      ## esbuild's optional platform binary is normally wired up by its postinstall
+      ## script; .npmrc 'ignore-scripts=true' suppresses that, so rebuild here.
+      - name: CODEQL_PATH Tests - Rebuild esbuild platform binary
+        run: npm rebuild esbuild --ignore-scripts=false
 
       - name: CODEQL_PATH Tests - Build server bundle
         run: npm run bundle -w server

@@ -1,31 +1,26 @@
 name: 'Copilot Setup Steps'
 
 on:
-  # Allow manual testing through the repository's "Actions" tab
-  workflow_dispatch: {}
-  # Automatically run the setup steps when an associated workflow is changed.
   push:
     paths:
       - '.codeql-version'
+      - '.github/actions/setup-codeql-environment/action.yml'
       - '.github/workflows/copilot-setup-steps.yml'
       - '.node-version'
-      - '.github/actions/setup-codeql-environment/action.yml'
       - '**/codeql-pack.yml'
       - '**/codeql-pack.lock.yml'
       - '**/package.json'
       - '**/package-lock.json'
-      - '**/qlpack.yml'
   pull_request:
     paths:
       - '.codeql-version'
+      - '.github/actions/setup-codeql-environment/action.yml'
       - '.github/workflows/copilot-setup-steps.yml'
       - '.node-version'
-      - '.github/actions/setup-codeql-environment/action.yml'
       - '**/codeql-pack.yml'
       - '**/codeql-pack.lock.yml'
       - '**/package.json'
       - '**/package-lock.json'
-      - '**/qlpack.yml'
 
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
@@ -51,7 +46,12 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Copilot Setup - Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
+
+      ## esbuild's optional platform binary is normally wired up by its postinstall
+      ## script; .npmrc 'ignore-scripts=true' suppresses that, so rebuild here.
+      - name: Copilot Setup - Rebuild esbuild platform binary
+        run: npm rebuild esbuild --ignore-scripts=false
 
       - name: Copilot Setup - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment

diff --git a/.github/workflows/dependabot-commit-dist.yml b/.github/workflows/dependabot-commit-dist.yml
@@ -0,0 +1,133 @@
+name: Dependabot Commit Dist - CodeQL Development MCP Server
+
+## Auto-rebuild and commit 'server/dist/**' on Dependabot PRs.
+##
+## Two-workflow handoff: 'build-server.yml' rebuilds with no write token
+## (npm ci --ignore-scripts), uploads the 'server-dist' artifact. This
+## workflow runs in the trusted default-branch context, downloads the
+## artifact, and pushes it to the PR branch. No PR-supplied code executes
+## here.
+
+on:
+  workflow_run:
+    workflows: ['Build Server - CodeQL Development MCP Server']
+    types: [completed]
+
+permissions:
+  contents: read
+
+jobs:
+  commit-dist:
+    name: Commit Rebuilt server/dist to Dependabot PR Branch
+    runs-on: ubuntu-latest
+
+    if: >-
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.actor.login == 'dependabot[bot]'
+
+    permissions:
+      contents: write
+      actions: read
+
+    steps:
+      - name: Commit Dist - Validate workflow_run head
+        id: pr
+        env:
+          HEAD_REPO: ${{ github.event.workflow_run.head_repository.full_name }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          REPO: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          if [ "${HEAD_REPO}" != "${REPO}" ]; then
+            echo "::error::Refusing to push: head repo '${HEAD_REPO}' != '${REPO}'"
+            exit 1
+          fi
+          if [ -z "${HEAD_BRANCH}" ] || [ -z "${HEAD_SHA}" ]; then
+            echo "::error::Missing head_branch or head_sha"
+            exit 1
+          fi
+          echo "branch=${HEAD_BRANCH}" >> "${GITHUB_OUTPUT}"
+          echo "sha=${HEAD_SHA}" >> "${GITHUB_OUTPUT}"
+
+      - name: Commit Dist - Checkout PR branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ steps.pr.outputs.branch }}
+          persist-credentials: true
+          fetch-depth: 1
+
+      ## Abort if the branch advanced since the build started; the next
+      ## build-server run will re-trigger this workflow.
+      - name: Commit Dist - Verify checkout matches build SHA
+        id: verify
+        env:
+          EXPECTED_SHA: ${{ steps.pr.outputs.sha }}
+        run: |
+          set -euo pipefail
+          ACTUAL_SHA="$(git rev-parse HEAD)"
+          if [ "${ACTUAL_SHA}" != "${EXPECTED_SHA}" ]; then
+            echo "::warning::Branch advanced from ${EXPECTED_SHA} to ${ACTUAL_SHA}; skipping."
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "skip=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Commit Dist - Download server-dist artifact
+        if: steps.verify.outputs.skip == 'false'
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: server-dist
+          path: artifact/
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      ## Defence in depth: confirm the artifact contains exactly the two
+      ## expected bundle files before copying into the repo. The upload
+      ## step in 'build-server.yml' preserves the 'server/dist/' prefix
+      ## relative to the workspace root, so files land under that path.
+      - name: Commit Dist - Verify artifact contents
+        if: steps.verify.outputs.skip == 'false'
+        run: |
+          set -euo pipefail
+          for f in server/dist/codeql-development-mcp-server.js \
+                   server/dist/codeql-development-mcp-server.js.map; do
+            if [ ! -f "artifact/${f}" ]; then
+              echo "::error::Missing expected artifact file: ${f}"
+              exit 1
+            fi
+          done
+          UNEXPECTED="$(find artifact -type f \
+            ! -path 'artifact/server/dist/codeql-development-mcp-server.js' \
+            ! -path 'artifact/server/dist/codeql-development-mcp-server.js.map' \
+            -print)"
+          if [ -n "${UNEXPECTED}" ]; then
+            echo "::error::Unexpected files in artifact:"
+            echo "${UNEXPECTED}"
+            exit 1
+          fi
+
+      - name: Commit Dist - Commit and push (if changed)
+        if: steps.verify.outputs.skip == 'false'
+        env:
+          BRANCH: ${{ steps.pr.outputs.branch }}
+        run: |
+          set -euo pipefail
+          cp artifact/server/dist/codeql-development-mcp-server.js server/dist/
+          cp artifact/server/dist/codeql-development-mcp-server.js.map server/dist/
+
+          git config user.name 'dependabot[bot]'
+          git config user.email '49699333+dependabot[bot]@users.noreply.github.com'
+          git add server/dist/codeql-development-mcp-server.js \
+                  server/dist/codeql-development-mcp-server.js.map
+
+          if git diff --cached --quiet; then
+            echo "::notice::server/dist already up to date."
+            exit 0
+          fi
+
+          git commit -m "chore(deps): rebuild server/dist after dependency update
+
+          [dependabot skip]"
+          git push origin "HEAD:${BRANCH}"
@@ -5,7 +5,6 @@ on:
     branches: ['main', 'next']
   push:
     branches: ['main', 'next']
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -26,7 +25,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Lint and Format - Install node dependencies for all workspaces
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Lint and Format - Run eslint
         run: npm run lint

@@ -21,7 +21,6 @@ on:
       - 'server/ql/swift/**'
       - 'server/scripts/install-packs.sh'
       - 'server/scripts/run-query-unit-tests.sh'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -42,7 +41,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Query Unit Tests - swift - Install node dependencies for all workspaces
-        run: npm ci --workspaces
+        run: npm ci --workspaces --ignore-scripts
 
       - name: Query Unit Tests - swift - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment

@@ -29,7 +29,6 @@ on:
       - 'server/ql/**'
       - 'server/scripts/install-packs.sh'
       - 'server/scripts/run-query-unit-tests.sh'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -58,7 +57,7 @@ jobs:
         run: sudo apt-get install -y jq
 
       - name: Query Unit Tests - ${{ matrix.language }} - Install node dependencies for all workspaces
-        run: npm ci --workspaces
+        run: npm ci --workspaces --ignore-scripts
 
       - name: Query Unit Tests - ${{ matrix.language }} - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment

@@ -66,7 +66,7 @@ jobs:
           registry-url: 'https://registry.npmjs.org'
 
       - name: npm - Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
 
       - name: npm - Build server
         run: npm run build -w server

@@ -112,7 +112,7 @@ jobs:
 
       - name: Tag - Install dependencies
         if: steps.check-tag.outputs.tag_exists != 'true'
-        run: npm install --include=optional
+        run: npm install --include=optional --ignore-scripts
 
       - name: Tag - Install CodeQL pack dependencies
         if: steps.check-tag.outputs.tag_exists != 'true'