Prep for `v2.24.2` release by data-douser · Pull Request #81 · advanced-security/codeql-development-mcp-server

data-douser · 2026-02-23T19:43:42Z

This pull request introduces several improvements and fixes across the repository, focusing on consistent versioning for VSIX and tarball artifacts, enhanced documentation and workflow robustness, and improved extension packaging logic. The most significant changes are grouped below.

Artifact Versioning and Packaging Improvements:

All VSIX and tarball artifacts now include the version string in their filenames (e.g., codeql-development-mcp-server-vX.Y.Z.vsix), ensuring clarity and preventing confusion between releases. This affects packaging scripts, workflow outputs, and documentation references. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Tarball and bundled pack names now also include the version string for consistency and traceability in both publishing and bundling steps.

Release Workflow Robustness:

The release workflow now uses a concurrency group keyed by version, preventing overlapping releases for the same version.
The release-tag workflow verifies that the version in server/package.json at the tag matches the intended release version. If a mismatch is found, the stale tag is deleted and recreated, ensuring version correctness.
Improved safety in unstaging generated files during release-tag creation by suppressing errors if files are missing.
The CodeQL pack publishing step now correctly handles prerelease versions by passing a flag when needed, ensuring prerelease artifacts are published appropriately.

Documentation and Standards Updates:

The documentation and instructions enforce the requirement for .md documentation files alongside every .ql query, clarify the style for @kind graph queries, and specify when to use COMPLIANT/NON_COMPLIANT annotations. [1] [2]
All references in user and developer documentation have been updated to use the new versioned artifact filenames. [1] [2] [3] [4] [5]

VS Code Extension Logic:

The extension now prefers the bundled server/ directory inside the VSIX for CodeQL pack installation, falling back to the npm-installed package only if necessary. This ensures the packs always match the running server code. [1] [2] [3]

Version Bumps:

The VS Code extension and client package versions have been bumped to 2.24.2-rc3 to reflect the release candidate status. [1] [2]

Minor Internal Improvements:

Minor code cleanup in the extension activation and server management logic. [1] [2]

Add a lightweight version check in the check-tag step that inspects server/package.json at the tagged commit. If the version doesn't match the release name, the stale tag is deleted and recreated with correct versions through the normal update/build/test/tag flow. Also suppress stderr on git restore --staged for paths that may not exist (.codeql, *.qlx).

VSIX install fixes: - Skip npm install entirely when the VSIX bundle is present; the bundle already ships server/dist/, server/ql/, and server/package.json - PackInstaller now prefers bundled qlpacks from the VSIX over the npm-installed copy in globalStorage, fixing version skew between the packs being installed and the server code being run - In the unbundled fallback path (Extension Development Host), compare the npm-installed version against the extension's own version instead of short-circuiting on targetVersion === 'latest' Versioned release artifact filenames: - VSIX: codeql-development-mcp-server-vX.Y.Z.vsix (was unversioned) - CodeQL pack bundles: ql-mcp-<lang>-tools-src-vX.Y.Z.tar.gz (was unversioned) - Update release, build-and-test, and package scripts accordingly - Add *.vsix to .gitignore - Normalize docs to use vX.Y.Z placeholders consistently

* Add .md docs for all tools queries (#78) Add query documentation (.md) for every `server/ql/*/tools/src/*/*.ql` query across all 9 supported languages: PrintAST, PrintCFG, CallGraphFrom, and CallGraphTo. - Add `query-documentation.test.ts` to enforce that every tools query has a matching .md file - Update `server_ql_languages_tools.instructions.md` to require query docs, clarify `@kind graph` vs detection-query guidance, and scope COMPLIANT/NON_COMPLIANT annotations to detection queries only - Remove COMPLIANT/NON_COMPLIANT annotations from existing PrintCFG docs (structural queries, not detection queries) * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com> * [UPDATE PRIMITIVE] Consistent `CallGraphFrom`/`CallGraphTo` naming in all language docs (#80) * Initial plan * Use CallGraphFrom and CallGraphTo naming consistently in all docs (no spaces) Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com> * Update server/ql/cpp/tools/src/CallGraphFrom/CallGraphFrom.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com> --------- Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>

github-actions · 2026-02-23T19:44:08Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
✅ 0 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
⚠️ 3 package(s) with unknown licenses.

See the Details below.

License Issues

package-lock.json

Package	Version	License	Issue Type
client	2.24.2-rc3	Null	Unknown License
extensions/vscode	2.24.2-rc3	Null	Unknown License
server	2.24.2-rc3	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
npm/client	2.24.2-rc3	Unknown	Unknown
npm/extensions/vscode	2.24.2-rc3	Unknown	Unknown
npm/server	2.24.2-rc3	Unknown	Unknown

Scanned Files

package-lock.json

Copilot

Pull request overview

Prepares the repository for the v2.24.2 release candidate by tightening query documentation requirements, standardizing release artifact naming, and making the VS Code extension prefer the VSIX-bundled server/QL packs (with npm install as a fallback).

Changes:

Add a unit test to enforce .md documentation presence for tools queries under server/ql/*/tools/src/.
Update VS Code extension server/pack resolution to prefer the VSIX-bundled server/ tree, with improved install/activation flow and updated tests.
Standardize release artifact filenames to include versions and bump versions across packages/packs to 2.24.2-rc3.

Reviewed changes

Copilot reviewed 71 out of 73 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
server/test/src/tools/query-documentation.test.ts	Adds filesystem guard ensuring tools queries have adjacent `.md` docs.
server/ql/swift/tools/test/codeql-pack.yml	Bumps Swift tools test pack version to `2.24.2-rc3`.
server/ql/swift/tools/src/codeql-pack.yml	Bumps Swift tools src pack version to `2.24.2-rc3`.
server/ql/swift/tools/src/PrintCFG/PrintCFG.md	Adds Swift PrintCFG query documentation.
server/ql/swift/tools/src/PrintAST/PrintAST.md	Adds Swift PrintAST query documentation.
server/ql/swift/tools/src/CallGraphTo/CallGraphTo.md	Adds Swift CallGraphTo query documentation.
server/ql/swift/tools/src/CallGraphFrom/CallGraphFrom.md	Adds Swift CallGraphFrom query documentation.
server/ql/ruby/tools/test/codeql-pack.yml	Bumps Ruby tools test pack version to `2.24.2-rc3`.
server/ql/ruby/tools/src/codeql-pack.yml	Bumps Ruby tools src pack version to `2.24.2-rc3`.
server/ql/ruby/tools/src/PrintCFG/PrintCFG.md	Removes COMPLIANT-style annotations from graph-query docs example.
server/ql/ruby/tools/src/PrintAST/PrintAST.md	Adds Ruby PrintAST query documentation.
server/ql/ruby/tools/src/CallGraphTo/CallGraphTo.md	Adds Ruby CallGraphTo query documentation.
server/ql/ruby/tools/src/CallGraphFrom/CallGraphFrom.md	Adds Ruby CallGraphFrom query documentation.
server/ql/python/tools/test/codeql-pack.yml	Bumps Python tools test pack version to `2.24.2-rc3`.
server/ql/python/tools/src/codeql-pack.yml	Bumps Python tools src pack version to `2.24.2-rc3`.
server/ql/python/tools/src/PrintCFG/PrintCFG.md	Removes COMPLIANT-style annotations from graph-query docs example.
server/ql/python/tools/src/PrintAST/PrintAST.md	Adds Python PrintAST query documentation.
server/ql/python/tools/src/CallGraphTo/CallGraphTo.md	Adds Python CallGraphTo query documentation.
server/ql/python/tools/src/CallGraphFrom/CallGraphFrom.md	Adds Python CallGraphFrom query documentation.
server/ql/javascript/tools/test/codeql-pack.yml	Bumps JavaScript tools test pack version to `2.24.2-rc3`.
server/ql/javascript/tools/src/codeql-pack.yml	Bumps JavaScript tools src pack version to `2.24.2-rc3`.
server/ql/javascript/tools/src/PrintCFG/PrintCFG.md	Removes COMPLIANT-style annotations from graph-query docs example.
server/ql/javascript/tools/src/PrintAST/PrintAST.md	Adds JavaScript PrintAST query documentation.
server/ql/javascript/tools/src/CallGraphTo/CallGraphTo.md	Adds JavaScript CallGraphTo query documentation.
server/ql/javascript/tools/src/CallGraphFrom/CallGraphFrom.md	Adds JavaScript CallGraphFrom query documentation.
server/ql/java/tools/test/codeql-pack.yml	Bumps Java tools test pack version to `2.24.2-rc3`.
server/ql/java/tools/src/codeql-pack.yml	Bumps Java tools src pack version to `2.24.2-rc3`.
server/ql/java/tools/src/PrintCFG/PrintCFG.md	Removes COMPLIANT-style annotations from graph-query docs example.
server/ql/java/tools/src/PrintAST/PrintAST.md	Adds Java PrintAST query documentation.
server/ql/java/tools/src/CallGraphTo/CallGraphTo.md	Adds Java CallGraphTo query documentation.
server/ql/java/tools/src/CallGraphFrom/CallGraphFrom.md	Adds Java CallGraphFrom query documentation.
server/ql/go/tools/test/codeql-pack.yml	Bumps Go tools test pack version to `2.24.2-rc3`.
server/ql/go/tools/src/codeql-pack.yml	Bumps Go tools src pack version to `2.24.2-rc3`.
server/ql/go/tools/src/PrintCFG/PrintCFG.md	Removes COMPLIANT-style annotations from graph-query docs example.
server/ql/go/tools/src/PrintAST/PrintAST.md	Adds Go PrintAST query documentation.
server/ql/go/tools/src/CallGraphTo/CallGraphTo.md	Adds Go CallGraphTo query documentation.
server/ql/go/tools/src/CallGraphFrom/CallGraphFrom.md	Adds Go CallGraphFrom query documentation.
server/ql/csharp/tools/test/codeql-pack.yml	Bumps C# tools test pack version to `2.24.2-rc3`.
server/ql/csharp/tools/src/codeql-pack.yml	Bumps C# tools src pack version to `2.24.2-rc3`.
server/ql/csharp/tools/src/PrintCFG/PrintCFG.md	Removes COMPLIANT-style annotations from graph-query docs example.
server/ql/csharp/tools/src/PrintAST/PrintAST.md	Adds C# PrintAST query documentation.
server/ql/csharp/tools/src/CallGraphTo/CallGraphTo.md	Adds C# CallGraphTo query documentation.
server/ql/csharp/tools/src/CallGraphFrom/CallGraphFrom.md	Adds C# CallGraphFrom query documentation.
server/ql/cpp/tools/test/codeql-pack.yml	Bumps C++ tools test pack version to `2.24.2-rc3`.
server/ql/cpp/tools/src/codeql-pack.yml	Bumps C++ tools src pack version to `2.24.2-rc3`.
server/ql/cpp/tools/src/PrintCFG/PrintCFG.md	Removes COMPLIANT-style annotations from graph-query docs example.
server/ql/cpp/tools/src/PrintAST/PrintAST.md	Adds C++ PrintAST query documentation.
server/ql/cpp/tools/src/CallGraphTo/CallGraphTo.md	Adds C++ CallGraphTo query documentation.
server/ql/cpp/tools/src/CallGraphFrom/CallGraphFrom.md	Adds C++ CallGraphFrom query documentation.
server/ql/actions/tools/test/codeql-pack.yml	Bumps Actions tools test pack version to `2.24.2-rc3`.
server/ql/actions/tools/src/codeql-pack.yml	Bumps Actions tools src pack version to `2.24.2-rc3`.
server/ql/actions/tools/src/PrintCFG/PrintCFG.md	Removes COMPLIANT-style annotations from graph-query docs example.
server/ql/actions/tools/src/PrintAST/PrintAST.md	Adds Actions PrintAST query documentation.
server/package.json	Bumps server package version to `2.24.2-rc3`.
package.json	Bumps root workspace version to `2.24.2-rc3`.
package-lock.json	Updates lockfile versions to `2.24.2-rc3`.
extensions/vscode/test/server/server-manager.test.ts	Expands tests for bundled root detection and version handling.
extensions/vscode/test/server/pack-installer.test.ts	Adds coverage for preferring bundled QL root over npm package root.
extensions/vscode/src/server/server-manager.ts	Prefers VSIX/monorepo server bundle; adds bundle detection and version logic.
extensions/vscode/src/server/pack-installer.ts	Resolves pack roots from bundled server when available, else npm install.
extensions/vscode/src/extension.ts	Simplifies activation flow around server install + pack setup.
extensions/vscode/package.json	Bumps extension version; updates VSIX packaging script to include version in filename.
extensions/vscode/README.md	Updates install instructions for versioned VSIX filenames.
docs/vscode/extension.md	Updates docs for versioned VSIX filenames.
docs/getting-started.md	Updates tarball filename example to `vX.Y.Z`.
client/package.json	Bumps client version to `2.24.2-rc3`.
.gitignore	Ignores `.vsix` artifacts.
.github/workflows/release.yml	Adds concurrency + switches to versioned VSIX artifact name.
.github/workflows/release-vsix.yml	Produces versioned VSIX filenames and updates workflow outputs.
.github/workflows/release-tag.yml	Adds stale-tag verification/removal and improves staging restore robustness.
.github/workflows/release-codeql.yml	Adds prerelease publish flag; bundles packs with versioned tarball names.
.github/workflows/build-and-test-extension.yml	Verifies VSIX packaging using a versioned output filename.
.github/instructions/server_ql_languages_tools.instructions.md	Clarifies/enforces tools query doc/test conventions (esp. `@kind graph`).

Comments suppressed due to low confidence (1)

extensions/vscode/src/server/server-manager.ts:144

effectiveTarget is computed to treat serverVersion: 'latest' as the extension version, but the install call still uses targetVersion. If targetVersion is 'latest' and the installed version differs, this will repeatedly install @latest instead of the intended version. Use effectiveTarget (or compute an install spec) when calling install().

    }

    await this.install({ version: targetVersion });
    return true;

data-douser · 2026-02-23T23:26:48Z

@copilot open a new pull request to apply changes based on the comments in this thread

Copilot · 2026-02-23T23:26:54Z

@data-douser I've opened a new pull request, #82, to work on those changes. Once the pull request is ready, I'll request review from you.

…nts (#82) * Initial plan * Fix getExtensionVersion() and getBundledQlRoot() per review comments Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

Copilot

Pull request overview

Copilot reviewed 71 out of 73 changed files in this pull request and generated 17 comments.

Comments suppressed due to low confidence (1)

extensions/vscode/src/server/server-manager.ts:154

When serverVersion is latest, effectiveTarget is derived from getExtensionVersion(), but the subsequent install still uses version: targetVersion (i.e. latest). If the extension version differs from the npm latest (common for -rc*), this can trigger an npm install on every activation because the installed version will never match effectiveTarget. Consider installing effectiveTarget when it’s a concrete version (and treating unknown as “don’t force upgrades”).

    const targetVersion = config.get<string>('serverVersion', 'latest');

    if (await this.isInstalled()) {
      const current = await this.getInstalledVersion();
      const effectiveTarget =
        targetVersion === 'latest' ? this.getExtensionVersion() : targetVersion;
      if (current === effectiveTarget) {
        this.logger.info(`MCP server package already installed (v${current}).`);
        return false;
      }
      this.logger.info(
        `Installed npm package (v${current}) differs from target (v${effectiveTarget}) — upgrading...`,
      );
    }

    await this.install({ version: targetVersion });
    return true;

Copilot · 2026-02-24T00:28:04Z

@data-douser I've opened a new pull request, #83, to work on those changes. Once the pull request is ready, I'll request review from you.

…fix output format, fix NON_COMPLIANT typo (#83)

data-douser and others added 8 commits February 23, 2026 07:08

Enforce release version and tag consistency

6286915

Release v2.24.2-rc1: update versions to 2.24.2-rc1

1e3f29a

Allow codeql pack prerelease

516c129

Release v2.24.2-rc2: update versions to 2.24.2-rc2

dff4f58

Release v2.24.2-rc3: update versions to 2.24.2-rc3

68c5bcf

data-douser self-assigned this Feb 23, 2026

data-douser added the enhancement New feature or request label Feb 23, 2026

Copilot AI review requested due to automatic review settings February 23, 2026 19:43

data-douser requested review from a team and enyil as code owners February 23, 2026 19:43

github-license-compliance bot found potential problems Feb 23, 2026

View reviewed changes

Comment thread package-lock.json Fixed

Copilot started reviewing on behalf of data-douser February 23, 2026 19:44 View session

Copilot AI reviewed Feb 23, 2026

View reviewed changes

Comment thread extensions/vscode/src/server/server-manager.ts

Comment thread extensions/vscode/src/server/server-manager.ts

data-douser enabled auto-merge (squash) February 23, 2026 20:59

Copilot AI mentioned this pull request Feb 23, 2026

Fix getExtensionVersion() and getBundledQlRoot() per review comments #82

Merged

35 tasks

Copilot AI and others added 2 commits February 23, 2026 17:19

Merge branch 'main' into dd/release-prep/3

a922b54

Copilot AI review requested due to automatic review settings February 24, 2026 00:20

Copilot started reviewing on behalf of data-douser February 24, 2026 00:21 View session

Copilot AI reviewed Feb 24, 2026

View reviewed changes

data-douser commented Feb 24, 2026

View reviewed changes

Comment thread server/ql/cpp/tools/src/CallGraphTo/CallGraphTo.md Outdated

Comment thread server/ql/cpp/tools/src/CallGraphFrom/CallGraphFrom.md Outdated

Copilot AI mentioned this pull request Feb 24, 2026

[UPDATE PRIMITIVE] Fix CallGraph docs: remove IDE integration claim, fix output format, fix NON_COMPLIANT typo #83

Merged

29 tasks

[UPDATE PRIMITIVE] Fix CallGraph docs: remove IDE integration claim, …

da2779d

…fix output format, fix NON_COMPLIANT typo (#83)

data-douser disabled auto-merge February 24, 2026 01:44

data-douser merged commit d519639 into main Feb 24, 2026
26 checks passed

data-douser deleted the dd/release-prep/3 branch February 24, 2026 01:52

Conversation

data-douser commented Feb 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Feb 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Dependency Review

License Issues

package-lock.json

OpenSSF Scorecard

Scanned Files

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

data-douser commented Feb 23, 2026

Uh oh!

Copilot AI commented Feb 23, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI commented Feb 24, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

data-douser commented Feb 23, 2026 •

edited

Loading

github-actions bot commented Feb 23, 2026 •

edited

Loading