28 changes: 22 additions & 6 deletions images/macos/scripts/build/install-codeql-bundle.sh
Expand Up @@ -6,9 +6,25 @@

source ~/utils/utils.sh

# Retrieve the latest major version of the CodeQL Action to use in the base URL for downloading the bundle.
[ -n "$API_PAT" ] && authString=(-H "Authorization: token ${API_PAT}")
releases=$(curl "${authString[@]}" -s "https://api.github.com/repos/github/codeql-action/releases")

# Get the release tags starting with v[0-9] and sort them in descending order, then parse the first one to get the major version.
codeql_action_latest_major_version=$(echo "$releases" |
Contributor


Unconditionally updating to the next major version poses compatibility risks because major versions often bring breaking changes that need to be weighed in before putting them into the image. Can we leverage toolset-XY.json for specifying CodeQL version so we can have control over it?

Contributor Author


Quick clarification: we only parse the latest major version of the Action in this line in order to populate the URL in the following lines, so that we can download the correct patch version of the CodeQL bundle.

To address the larger concern, we currently run a series of CodeQL-specific canary test workflows during image rollouts (internal repo but I'm sure you know which one I'm talking about 😸). These workflows test the latest patch versions of the CodeQL Action & CodeQL CLI and serve to make sure that changes in CodeQL are not breaking the image; and also that other changes in the image are not breaking CodeQL.

jq -r '.[].tag_name' |
grep -E '^v[0-9]' |
sort -nr |
head -n 1 |
sed -E 's/^v([0-9]+).*/\1/')
if [ -z "$codeql_action_latest_major_version" ]; then
echo "Error: Unable to find the latest major version of the CodeQL Action."
exit 1
fi

# Retrieve the CLI version of the latest CodeQL bundle.
defaults_json_path=$(download_with_retry https://raw.githubusercontent.com/github/codeql-action/v3/src/defaults.json)
bundle_version=$(jq -r '.cliVersion' $defaults_json_path)
defaults_json_path=$(download_with_retry "https://raw.githubusercontent.com/github/codeql-action/v$codeql_action_latest_major_version/src/defaults.json")
bundle_version=$(jq -r '.cliVersion' "$defaults_json_path")
bundle_tag_name="codeql-bundle-v$bundle_version"

echo "Downloading CodeQL bundle $bundle_version..."
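Review bot: the `grep -E '^v[0-9]' | sort -nr` step does not actually sort numerically, because every tag still starts with `v`, so the numeric key is empty for each line and the sort falls back to byte order; once a two-digit major exists, `v9.x.y` would rank above `v10.x.y` and the script would pick the wrong major. Move the major-version extraction ahead of the sort so the comparison is on integers, e.g. `sed -E 's/^v([0-9]+).*/\1/' | sort -nr | head -n 1`. Separately, when `API_PAT` is unset, `authString` is never declared, and `"${authString[@]}"` is an "unbound variable" error under `set -u` on the bash 3.2 that ships with macOS; if utils.sh or the build harness enables `set -u`, the `${authString[@]+"${authString[@]}"}` idiom is the safe form on that bash.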
Expand All @@ -17,16 +33,16 @@ echo "Downloading CodeQL bundle $bundle_version..."
archive_path=$(download_with_retry "https://github.com/github/codeql-action/releases/download/$bundle_tag_name/codeql-bundle.tar.gz")

codeql_toolcache_path=$AGENT_TOOLSDIRECTORY/CodeQL/$bundle_version/x64
mkdir -p $codeql_toolcache_path
mkdir -p "$codeql_toolcache_path"

echo "Unpacking the downloaded CodeQL bundle archive..."
tar -xzf $archive_path -C $codeql_toolcache_path
tar -xzf "$archive_path" -C "$codeql_toolcache_path"

# Touch a file to indicate to the CodeQL Action that this bundle shipped with the toolcache. This is
# to support overriding the CodeQL version specified in defaults.json on GitHub Enterprise.
touch $codeql_toolcache_path/pinned-version
touch "$codeql_toolcache_path/pinned-version"

# Touch a file to indicate to the toolcache that setting up CodeQL is complete.
touch $codeql_toolcache_path.complete
touch "$codeql_toolcache_path.complete"

invoke_tests "Common" "CodeQL Bundle"
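Review bot: quoting `$archive_path` and `$codeql_toolcache_path` in the `mkdir`, `tar` and `touch` calls is the right fix, but the bundle archive fetched by `download_with_retry` is unpacked into the toolcache with `tar -xzf` without any integrity check, and the tag it is fetched under is now derived at build time from `defaults.json` rather than being fixed. Consider verifying the archive against a published checksum or signature, where one is available for the bundle, before extraction and failing the build if it does not match, so that a bad or truncated download cannot end up as the pinned CodeQL in the image.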