Skip to content

Feat: Add Automatic weekly CodeQL Pack Updating Job#118

Open
GeekMasher wants to merge 5 commits into
mainfrom
actions/dep-updates
Open

Feat: Add Automatic weekly CodeQL Pack Updating Job#118
GeekMasher wants to merge 5 commits into
mainfrom
actions/dep-updates

Conversation

@GeekMasher

@GeekMasher GeekMasher commented Apr 17, 2025

Copy link
Copy Markdown
Contributor

This pull request introduces a new GitHub Actions workflow to automate updating CodeQL pack dependencies across the repository. The workflow is scheduled to run weekly and can also be triggered manually.

Automation of CodeQL dependency updates:

  • .github/workflows/update-deps.yml: Added a workflow that finds all qlpack.yml files, runs codeql pack upgrade in their directories, and creates a pull request with the updates. The workflow runs every Monday at 14:00 UTC or can be triggered manually, and uses the peter-evans/create-pull-request action to automate PR creation.

Copilot AI review requested due to automatic review settings April 17, 2025 08:50

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request introduces an automated workflow to update CodeQL pack dependencies on a weekly schedule. The key changes include scheduling the update job using a cron expression, setting up and running CodeQL upgrades for all directories containing a qlpack.yml file, and creating a pull request to commit these updates.

Comment thread .github/workflows/update-deps.yml Outdated
Comment thread .github/workflows/update-deps.yml Outdated
GeekMasher and others added 4 commits April 17, 2025 10:12
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
felickz added a commit that referenced this pull request Jul 10, 2026
Adds the two workflows needed to close the gap identified while
reviewing PR #118 (codeql pack upgrade weekly cron):

- detect-codeql-release.yml: weekly (+ workflow_dispatch) tripwire that
  compares .codeqlversion against github/codeql-cli-binaries' latest
  release and keeps a single tracking issue open/updated while behind,
  auto-closing it once caught up. Never opens a PR itself.
- update-codeql-version.yml: workflow_dispatch with a codeql_version
  input. Bumps .codeqlversion, runs codeql pack upgrade <dir> for
  every pack, and opens a PR via the same GitHub App token pattern as
  update-release.yml so CI actually runs on it (a GITHUB_TOKEN-authored
  PR would not trigger downstream workflows).

Together these cover detection + mechanical dependency refresh; fixing
compile/test breakage from upstream API changes and bumping each pack's
own version: still needs a human (or delegated Copilot coding agent) -
documented as a 3-step process in CONTRIBUTING.md.

Rewrites CONTRIBUTING.md's "Updating the pinned CodeQL CLI/library
version" section to describe this new process and adds reference-style
links for both new workflows and codeql-cli-binaries.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@felickz

felickz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Thanks for opening this, @GeekMasher - the weekly codeql pack upgrade idea is exactly right, and it's the seed for a fuller version of this we're landing in #160.

While digging into the release/publish process (see #160's CONTRIBUTING.md rewrite) we ran into a few gaps this PR's current form wouldn't cover on its own:

  • It refreshes dependency locks against whatever CLI .codeqlversion already pins, but doesn't bump .codeqlversion itself - so it never actually picks up a newer CodeQL CLI release.
  • It opens its PR with the default GITHUB_TOKEN, which GitHub doesn't allow to trigger downstream workflows (like CI) on the PR it creates - so the refresh would land unchecked.
  • It doesn't touch any pack's own version: field, so even a merged refresh wouldn't trigger publish.yml.
  • Fixing compile/test breakage from upstream API changes (the hard part - see Update dependencies to packs shipped with 2.21.1 #124) still needs a human or an agent in the loop either way.

#160 adds two workflows that build directly on your approach:

  • detect-codeql-release.yml - a weekly tripwire that opens/updates a tracking issue when a new CodeQL CLI release is available upstream (never auto-PRs).
  • update-codeql-version.yml - workflow_dispatch with a CLI-version input that bumps .codeqlversion, runs codeql pack upgrade <dir> in every pack directory (your loop, basically unchanged), and opens a PR via a scoped GitHub App token so CI actually runs on it.

Once #160 merges, I'll close this one out as superseded - flagging now so you have visibility before that happens. Really appreciate you kicking off this thread, it made the gaps in the process much clearer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants