fix(workflows): add packages: read permission to update-codeql-version.yml#163
Merged
Conversation
…n.yml
Fixes a live failure hit during the first real end-to-end test of this
workflow (dispatched with codeql_version: 2.21.4): the 'Upgrade every
pack's dependencies' step failed resolving codeql/namebinding ('not
found in the registry') while running codeql pack upgrade on ruby/src.
The job's default GITHUB_TOKEN lacked packages: read, matching what
ci.yml already grants for the same kind of pack resolution. Tracked in
issue #162.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the update-codeql-version.yml GitHub Actions workflow to grant package registry read access, enabling codeql pack upgrade to resolve codeql/* library dependencies from GHCR during end-to-end runs.
Changes:
- Add
packages: readto the jobpermissions:in.github/workflows/update-codeql-version.ymlto allow authenticated dependency resolution from GHCR.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/update-codeql-version.yml | Grants packages: read so codeql pack upgrade can fetch codeql/* dependencies from GHCR during the workflow run. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 0
- Review effort level: Low
…efore upgrade codeql pack upgrade resolves unconstrained '*' dependencies to the latest-ever-published registry version, completely independent of the CLI version pinned in .codeqlversion. This caused e.g. codeql/go-all to jump to 7.2.0 (registry-latest) instead of 4.2.6 (the version actually shipped with/tested against CLI 2.21.4), and caused 'codeql/namebinding not found in the registry' fatal errors for other languages since registry-latest go-all depends on packages not present at the versions being resolved. Add .github/scripts/pin-codeql-library-versions.sh, which downloads the official CodeQL Bundle (github/codeql-action release codeql-bundle-v<version>) for the target CLI version and rewrites every codeql/<lang>-all / codeql/<lang>-queries dependency across all qlpack.yml files from '*' to that exact bundled version, before codeql pack upgrade runs. Internal githubsecuritylab/* cross-pack dependencies are left untouched (they intentionally track our own latest published versions).
ql/hotspots is a standalone local dev tool (see ql/hotspots/README.md and hotspots.yml), not one of the per-language src/lib/ext packs that ci.yml/publish.yml operate on. Its codeql/ql: '*' dependency isn't a real resolvable GHCR package, so it always fails codeql pack upgrade regardless of CLI version - a pre-existing, unrelated latent bug this workflow's blanket 'find . -name qlpack.yml' loop was hitting for the first time now that the codeql/*-all resolution bug is fixed and the loop can actually reach this directory.
The install-codeql composite action downloads/extracts the CodeQL CLI into github.workspace/codeql_home, i.e. inside the repository checkout, but this directory was never gitignored. update-codeql-version.yml is the first workflow to both install CodeQL AND commit/push changes (via peter-evans/create-pull-request), and its push was rejected by GitHub's 100MB file size limit because codeql_home/codeql-linux64.zip (~474MB) and several 50+MB extractor binaries got staged as untracked files alongside the real qlpack.yml/lock-file changes.
4 tasks
Explains why codeql/<lang>-all / codeql/<lang>-queries dependencies in qlpack.yml are now pinned to an exact version (matching the official CodeQL Bundle for the target CLI release) instead of left as an unconstrained '*' range: codeql pack upgrade resolves '*' to the latest-ever-published registry version, independent of .codeqlversion, which previously let a routine CLI bump silently jump a library several major versions ahead of anything that CLI actually ships/tests against. Also documents: - How the pin values are derived (github/codeql-action bundle release listing via tar tzf, not gh-codeql or a web scrape) and why those two alternatives were rejected. - The new pin-codeql-library-versions.sh step in the update-codeql-version.yml process (as step 2.1, before codeql pack upgrade). - Why ql/hotspots is excluded from the pack-upgrade loop (standalone dev tool, not a real per-language pack, codeql/ql is not a real registry/bundle package). - That this is a go-forward convention: existing qlpack.yml files stay unpinned until their next CLI-bump run, not retroactively true today.
Copilot review caught this on PR #163: .github/actions/install-codeql downloads/extracts the CodeQL CLI into ./codeql_home (inside the repo checkout), and the bare CLI ships its own small vendored qlpack.yml packs (codeql/<lang>/downgrades, codeql/legacy-upgrades) that have nothing to do with this repo's packs. Confirmed via the live test run (29110858206) log: both the pin script and the upgrade loop's `find . -name qlpack.yml` picked up and ran `codeql pack upgrade` against 10 of these vendored packs under ./codeql_home/codeql/*/downgrades and ./codeql_home/codeql/legacy-upgrades, in addition to this repo's real 47 pack directories. It happened to succeed silently this time and was invisible in the resulting PR diff only because codeql_home is now gitignored (fixed in ee26fcc) - but it was still real wasted work, and a future CLI version's vendored pack could just as easily hit the same "not found in the registry" failure mode as ql/hotspots did, for the same underlying reason (a `codeql/*: */ dependency that isn't a real resolvable package).
4 tasks
…umps The pin script previously only matched dependency lines with a literal '*' value. Once a qlpack.yml dependency got pinned to an exact version by one run, that regex would never match again on subsequent runs - meaning every CLI bump after the first would silently fail to re-pin codeql/* dependencies to the new bundle version, permanently desyncing .codeqlversion from the actual pins. Rewrite the match/rewrite logic to match ANY current value for a recognized codeql/<pkg> dependency (unquoted/quoted '*', or an already- pinned exact version) and unconditionally overwrite it to the target bundle version, preserving quote style and trailing comments. Verified locally against a mock qlpack.yml simulating a post-first-run state: an existing pinned version and a double-quoted pinned version were both correctly overwritten to new target versions, while unrelated/unknown dependencies were left untouched. Also add the ./codeql/* and */.codeql/* path exclusions to update-codeql-version.yml's upgrade loop for parity with the pin script's existing exclusions (defense in depth, per review feedback). Update CONTRIBUTING.md's two spots describing the pinning step to reflect this unconditional-overwrite/idempotent behavior instead of "only rewrites literal *". Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds
packages: readtoupdate-codeql-version.yml's job permissions, matching whatci.ymlalready grants for the same kind of pack resolution.Why
Hit this live during the first real end-to-end test of the workflow (dispatched with
codeql_version: 2.21.4, run 29107018575):The
Upgrade every pack's dependenciesstep runscodeql pack upgrade <dir>for every pack, which resolvescodeql/*library dependencies from GHCR. The job's defaultGITHUB_TOKENonly hadcontents: read, so it lacked package-registry read access for at least this one library dependency (othercodeql/*packages happened to resolve fine, likely already cached/public, until this one didn't).This is the exact item filed as part 1 of #162 during PR #160's review triage — confirmed here as a real, reproducing bug rather than a theoretical one.
Testing
Will re-dispatch
update-codeql-version.ymlwithcodeql_version: 2.21.4after this merges to confirm the fix resolves the failure end-to-end.Closes part of #162.