Skip to content

fix(workflows): add packages: read permission to update-codeql-version.yml#163

Merged
felickz merged 14 commits into
mainfrom
fix/update-codeql-version-packages-read
Jul 10, 2026
Merged

fix(workflows): add packages: read permission to update-codeql-version.yml#163
felickz merged 14 commits into
mainfrom
fix/update-codeql-version-packages-read

Conversation

@felickz

@felickz felickz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

What

Adds packages: read to update-codeql-version.yml's job permissions, matching what ci.yml already grants for the same kind of pack resolution.

Why

Hit this live during the first real end-to-end test of the workflow (dispatched with codeql_version: 2.21.4, run 29107018575):

##[group]codeql pack upgrade ./ruby/src
A fatal error occurred: 'codeql/namebinding' not found in the registry 'https://ghcr.io/v2/'.
##[error]Process completed with exit code 2.

The Upgrade every pack's dependencies step runs codeql pack upgrade <dir> for every pack, which resolves codeql/* library dependencies from GHCR. The job's default GITHUB_TOKEN only had contents: read, so it lacked package-registry read access for at least this one library dependency (other codeql/* packages happened to resolve fine, likely already cached/public, until this one didn't).

This is the exact item filed as part 1 of #162 during PR #160's review triage — confirmed here as a real, reproducing bug rather than a theoretical one.

Testing

Will re-dispatch update-codeql-version.yml with codeql_version: 2.21.4 after this merges to confirm the fix resolves the failure end-to-end.

Closes part of #162.

…n.yml

Fixes a live failure hit during the first real end-to-end test of this
workflow (dispatched with codeql_version: 2.21.4): the 'Upgrade every
pack's dependencies' step failed resolving codeql/namebinding ('not
found in the registry') while running codeql pack upgrade on ruby/src.
The job's default GITHUB_TOKEN lacked packages: read, matching what
ci.yml already grants for the same kind of pack resolution. Tracked in
issue #162.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 10, 2026 16:23

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the update-codeql-version.yml GitHub Actions workflow to grant package registry read access, enabling codeql pack upgrade to resolve codeql/* library dependencies from GHCR during end-to-end runs.

Changes:

  • Add packages: read to the job permissions: in .github/workflows/update-codeql-version.yml to allow authenticated dependency resolution from GHCR.
Show a summary per file
File Description
.github/workflows/update-codeql-version.yml Grants packages: read so codeql pack upgrade can fetch codeql/* dependencies from GHCR during the workflow run.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
  • Review effort level: Low

felickz added 10 commits July 10, 2026 12:51
…efore upgrade

codeql pack upgrade resolves unconstrained '*' dependencies to the
latest-ever-published registry version, completely independent of the
CLI version pinned in .codeqlversion. This caused e.g. codeql/go-all
to jump to 7.2.0 (registry-latest) instead of 4.2.6 (the version
actually shipped with/tested against CLI 2.21.4), and caused
'codeql/namebinding not found in the registry' fatal errors for other
languages since registry-latest go-all depends on packages not
present at the versions being resolved.

Add .github/scripts/pin-codeql-library-versions.sh, which downloads
the official CodeQL Bundle (github/codeql-action release
codeql-bundle-v<version>) for the target CLI version and rewrites
every codeql/<lang>-all / codeql/<lang>-queries dependency across all
qlpack.yml files from '*' to that exact bundled version, before
codeql pack upgrade runs. Internal githubsecuritylab/* cross-pack
dependencies are left untouched (they intentionally track our own
latest published versions).
ql/hotspots is a standalone local dev tool (see ql/hotspots/README.md
and hotspots.yml), not one of the per-language src/lib/ext packs that
ci.yml/publish.yml operate on. Its codeql/ql: '*' dependency isn't a
real resolvable GHCR package, so it always fails codeql pack upgrade
regardless of CLI version - a pre-existing, unrelated latent bug this
workflow's blanket 'find . -name qlpack.yml' loop was hitting for the
first time now that the codeql/*-all resolution bug is fixed and the
loop can actually reach this directory.
The install-codeql composite action downloads/extracts the CodeQL CLI
into github.workspace/codeql_home, i.e. inside the repository
checkout, but this directory was never gitignored. update-codeql-version.yml
is the first workflow to both install CodeQL AND commit/push changes
(via peter-evans/create-pull-request), and its push was rejected by
GitHub's 100MB file size limit because codeql_home/codeql-linux64.zip
(~474MB) and several 50+MB extractor binaries got staged as untracked
files alongside the real qlpack.yml/lock-file changes.
Explains why codeql/<lang>-all / codeql/<lang>-queries dependencies in
qlpack.yml are now pinned to an exact version (matching the official
CodeQL Bundle for the target CLI release) instead of left as an
unconstrained '*' range: codeql pack upgrade resolves '*' to the
latest-ever-published registry version, independent of .codeqlversion,
which previously let a routine CLI bump silently jump a library several
major versions ahead of anything that CLI actually ships/tests against.

Also documents:
- How the pin values are derived (github/codeql-action bundle release
  listing via tar tzf, not gh-codeql or a web scrape) and why those two
  alternatives were rejected.
- The new pin-codeql-library-versions.sh step in the
  update-codeql-version.yml process (as step 2.1, before codeql pack
  upgrade).
- Why ql/hotspots is excluded from the pack-upgrade loop (standalone
  dev tool, not a real per-language pack, codeql/ql is not a real
  registry/bundle package).
- That this is a go-forward convention: existing qlpack.yml files stay
  unpinned until their next CLI-bump run, not retroactively true today.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 3/4 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment thread .github/scripts/pin-codeql-library-versions.sh Outdated
Comment thread .github/workflows/update-codeql-version.yml Outdated
Copilot review caught this on PR #163: .github/actions/install-codeql
downloads/extracts the CodeQL CLI into ./codeql_home (inside the repo
checkout), and the bare CLI ships its own small vendored qlpack.yml
packs (codeql/<lang>/downgrades, codeql/legacy-upgrades) that have
nothing to do with this repo's packs.

Confirmed via the live test run (29110858206) log: both the pin script
and the upgrade loop's `find . -name qlpack.yml` picked up and ran
`codeql pack upgrade` against 10 of these vendored packs under
./codeql_home/codeql/*/downgrades and ./codeql_home/codeql/legacy-upgrades,
in addition to this repo's real 47 pack directories. It happened to
succeed silently this time and was invisible in the resulting PR diff
only because codeql_home is now gitignored (fixed in ee26fcc) - but it
was still real wasted work, and a future CLI version's vendored pack
could just as easily hit the same "not found in the registry" failure
mode as ql/hotspots did, for the same underlying reason (a `codeql/*: */
dependency that isn't a real resolvable package).

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 3/4 changed files
  • Comments generated: 4
  • Review effort level: Low

Comment thread .github/scripts/pin-codeql-library-versions.sh Outdated
Comment thread .github/workflows/update-codeql-version.yml Outdated
Comment thread CONTRIBUTING.md Outdated
Comment thread CONTRIBUTING.md Outdated
…umps

The pin script previously only matched dependency lines with a literal
'*' value. Once a qlpack.yml dependency got pinned to an exact version
by one run, that regex would never match again on subsequent runs -
meaning every CLI bump after the first would silently fail to re-pin
codeql/* dependencies to the new bundle version, permanently desyncing
.codeqlversion from the actual pins.

Rewrite the match/rewrite logic to match ANY current value for a
recognized codeql/<pkg> dependency (unquoted/quoted '*', or an already-
pinned exact version) and unconditionally overwrite it to the target
bundle version, preserving quote style and trailing comments. Verified
locally against a mock qlpack.yml simulating a post-first-run state: an
existing pinned version and a double-quoted pinned version were both
correctly overwritten to new target versions, while unrelated/unknown
dependencies were left untouched.

Also add the ./codeql/* and */.codeql/* path exclusions to
update-codeql-version.yml's upgrade loop for parity with the pin
script's existing exclusions (defense in depth, per review feedback).

Update CONTRIBUTING.md's two spots describing the pinning step to
reflect this unconditional-overwrite/idempotent behavior instead of
"only rewrites literal *".

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@felickz felickz merged commit aa4b995 into main Jul 10, 2026
19 checks passed
@felickz felickz deleted the fix/update-codeql-version-packages-read branch July 10, 2026 18:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants