Refactor release into separate child workflows with isolated deployment environments #45
Merged
data-douser merged 14 commits into main on Feb 11, 2026
Split the monolithic release.yml into dedicated child workflows (release-tag, release-npm, release-codeql) callable independently via workflow_dispatch. Add environment protection gates to all three publish workflows. Isolate CodeQL pack operations from npm publish to prevent .codeql/ and .qlx contamination. Use npm ci instead of npm install in all workflows except release-tag. Also add .codeql exclusion to server/.npmignore as defense-in-depth.
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Pull request overview
Refactors the GitHub release pipeline by splitting the previous monolithic release job into reusable workflows for tag creation, npm publishing, and CodeQL pack publishing/bundling, with a coordinating release.yml orchestrator to improve maintainability and parallelism.
Changes:
- Reworked `.github/workflows/release.yml` into a multi-job orchestrator that delegates to reusable workflows.
- Added reusable workflows for tag creation (`release-tag.yml`), npm publishing (`release-npm.yml`), and CodeQL pack publish/bundle (`release-codeql.yml`).
- Updated `server/.npmignore` to exclude generated CodeQL pack cache/dependency directories.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `server/.npmignore` | Excludes `.codeql` directories from npm package output to avoid shipping generated pack caches/deps. |
| `.github/workflows/release.yml` | Orchestrates the release flow via reusable workflows and assembles final GitHub Release assets from artifacts. |
| `.github/workflows/release-tag.yml` | Implements tag creation + version update/build/test flow (but has an output wiring issue and risky staging). |
| `.github/workflows/release-npm.yml` | Publishes the npm package from the tag and uploads a "clean build" artifact for final packaging. |
| `.github/workflows/release-codeql.yml` | Publishes and bundles CodeQL packs from the tag, uploading bundled pack artifacts for the final release. |
- Rename package to unscoped `codeql-development-mcp-server`
- Switch from GitHub Packages to public npmjs.org registry
- Use OIDC trusted publishing (no tokens, auto-provenance)
- Make release.yml the sole dispatch entry point with configurable publish_npm, publish_codeql_packs, and create_github_release flags
- Remove workflow_dispatch from child workflows (release-npm, release-codeql, release-tag) to comply with OIDC validation
- Fix release-tag.yml: wire tag_sha output to final-sha step, guard git add -A against staging CodeQL artifacts
- Add setup-packs.sh script (shipped in npm package) to install CodeQL pack dependencies from bundled lock files
- Update all docs, tests, and SKILL.md references

- Handle prerelease versions in release-npm workflow by detecting semver prerelease identifiers and passing --tag to npm publish (e.g., 2.24.1-beta.1 publishes with --tag beta)
- Remove ./ prefix from bin paths in server/package.json to eliminate "script name was invalid and removed" warnings
- Normalize repository.url to git+https:// format per npm conventions
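The prerelease-to-dist-tag mapping described in the commit above, as an added example that is not the workflow's own code. It assumes a version string with an optional `v` prefix and, as a constructed fallback, maps a purely numeric prerelease identifier (e.g. `1.0.0-1`) to a `next` tag so it never lands on `latest`:

```javascript
// Added example, not code from the repository: derive the npm dist-tag from a
// semver version so a prerelease is never published to the default "latest" tag.
// Assumption: an optional leading "v" (as on git tags) is tolerated.
const SEMVER = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns the dist-tag for a prerelease ("beta" for 2.24.1-beta.1) or null for a
// stable version, which npm publishes to "latest" without an explicit --tag.
function prereleaseTag(version) {
  const m = SEMVER.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  const pre = m[4];
  if (!pre) return null;
  const first = pre.split(".")[0]; // "beta.1" -> "beta", "rc.2" -> "rc"
  // Constructed fallback (not from the page): a numeric-only identifier such as
  // "1.0.0-1" carries no channel name, so use a generic "next" tag instead.
  return /^\d+$/.test(first) ? "next" : first;
}

// Builds the argument list for `npm <args>`; only prereleases get --tag.
function npmPublishArgs(version) {
  const tag = prereleaseTag(version);
  return tag ? ["publish", "--tag", tag] : ["publish"];
}
```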
@copilot open a new pull request to apply changes based on the comments in this thread

@data-douser I've opened a new pull request, #46, to work on those changes. Once the pull request is ready, I'll request review from you.
The npm/npx installation path was broken by two issues:
1. The import.meta.url entry guard used resolve() which does not follow symlinks. Global npm installs create a symlink (e.g. /opt/homebrew/bin/… → node_modules/.../dist/…), so the paths never matched and main() was never called. The server exited silently. Fix: use realpathSync(resolve(…)) to follow symlinks.
2. dotenv v17 prints a banner to stdout by default, which corrupts the MCP stdio JSON-RPC channel. Fix: pass quiet: true to dotenv.config().

Updates the user-facing server/README.md to be useful for external use, since server/README.md is now used as the home page for the published npmjs.com package codeql-development-mcp-server.
Summary of Changes
This pull request significantly refactors the release workflow by splitting the monolithic `build-and-release` job into modular, reusable workflow components. The new structure improves maintainability, clarity, and parallelizes independent release steps. Three new reusable workflows are introduced for tagging, npm publishing, and CodeQL pack publishing, and the main release workflow orchestrates these steps, ensuring proper sequencing and artifact handling.

Outline of Changes
Release workflow modularization and orchestration:
- `.github/workflows/release.yml`: orchestrates the release process using four distinct jobs: resolving the release version, ensuring the tag exists, publishing the npm package, and publishing/bundling CodeQL packs. Each step is now handled by a separate workflow file, improving clarity and maintainability.

Reusable workflow creation:
- `.github/workflows/release-tag.yml`: Handles creation and validation of the release tag, updates version-bearing files, runs build and tests, and outputs the tag SHA and release name.
- `.github/workflows/release-npm.yml`: Handles publishing the npm package to npmjs.org via OIDC trusted publishing, including build steps and artifact uploads.
- `.github/workflows/release-codeql.yml`: Handles publishing and bundling CodeQL tool query packs, with input controls for publishing, and outputs for downstream jobs.

Parallelization and artifact management:

Validation and output improvements:
- Workflow outputs (`release_name`, `version`, and `tag_sha`) for downstream jobs and summary reporting.

These changes collectively improve the reliability, modularity, and clarity of the release process.