Use Copilot to update scripts to add quality query tables (#58621)

Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: docs-bot <77750099+docs-bot@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Óscar San José <oscarsj@github.com>
2025-12-19 09:57:42 -05:00 · 2025-12-11 16:39:46 +00:00
parent bb7e473a53
commit 18acec3172
27 changed files with 1098 additions and 97 deletions
--- a/.github/workflows/generate-code-scanning-query-lists.yml
+++ b/.github/workflows/generate-code-scanning-query-lists.yml
@@ -19,7 +19,8 @@ on:
  pull_request:
    paths:
      - .github/workflows/generate-code-scanning-query-lists.yml
-      - src/code-scanning/scripts/generate-code-scanning-query-list.ts
+      - src/codeql-queries/scripts/generate-code-scanning-query-list.ts
+      - src/codeql-queries/scripts/generate-code-quality-query-list.ts
      - .github/actions/install-cocofix/action.yml

 permissions:
@@ -27,7 +28,7 @@ permissions:
  pull-requests: write

 jobs:
-  generate-query-lists:
+  generate-security-query-lists:
    if: github.repository == 'github/docs-internal'
    runs-on: ubuntu-latest
    steps:
@@ -45,6 +46,7 @@ jobs:

      - name: Get the codeql SHA being synced
        id: codeql
+        shell: bash
        run: |
          cd codeql
          OPENAPI_COMMIT_SHA=$(git rev-parse HEAD)
@@ -56,12 +58,14 @@ jobs:
        uses: ./codeql/.github/actions/fetch-codeql

      - name: Test CodeQL CLI Download
+        shell: bash
        run: codeql --version

      # "Server for running multiple commands while avoiding repeated JVM initialization."
      # Having started this should speed up the execution of the various
      # CLI calls of the executable.
      - name: Start CodeQL CLI server in the background
+        shell: bash
        run: |
          codeql execute cli-server &
          sleep 3
@@ -71,21 +75,8 @@ jobs:
        with:
          token: ${{ secrets.DOCS_BOT_PAT_BASE }}

-      - name: Lint the code (eslint)
-        if: ${{ github.event_name == 'pull_request' }}
-        env:
-          PATH: '$PATH:${{ github.workspace }}/node_modules/.bin'
-        run: |
-          eslint --no-ignore src/code-scanning/scripts/generate-code-scanning-query-list.ts
-
-      - name: Lint the code (tsc)
-        if: ${{ github.event_name == 'pull_request' }}
-        env:
-          PATH: '$PATH:${{ github.workspace }}/node_modules/.bin'
-        run: |
-          tsc --noEmit --project src/code-scanning/scripts/tsconfig.json
-
-      - name: Build code scanning query list
+      - name: Build code scanning security query lists
+        shell: bash
        run: |
          for lang in "actions" "cpp" "csharp" "go" "java" "javascript" "python" "ruby" "rust" "swift"; do
            echo "Generating code scanning query list for $lang"
@@ -97,7 +88,112 @@ jobs:
              $lang
          done

+      - name: Upload security query lists
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: security-query-lists
+          path: data/reusables/code-scanning/codeql-query-tables/
+
+  generate-quality-query-lists:
+    if: github.repository == 'github/docs-internal'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - uses: ./.github/actions/node-npm-setup
+
+      - name: Checkout codeql repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: github/codeql
+          path: codeql
+          ref: ${{ inputs.SOURCE_BRANCH || 'main' }}
+
+      - name: Get the codeql SHA being synced
+        id: codeql
+        shell: bash
+        run: |
+          cd codeql
+          OPENAPI_COMMIT_SHA=$(git rev-parse HEAD)
+          echo "OPENAPI_COMMIT_SHA=$OPENAPI_COMMIT_SHA" >> $GITHUB_OUTPUT
+          echo "Copied files from github/codeql repo. Commit SHA: $OPENAPI_COMMIT_SHA"
+
+      - name: Download CodeQL CLI
+        # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
+        uses: ./codeql/.github/actions/fetch-codeql
+
+      - name: Test CodeQL CLI Download
+        shell: bash
+        run: codeql --version
+
+      # "Server for running multiple commands while avoiding repeated JVM initialization."
+      # Having started this should speed up the execution of the various
+      # CLI calls of the executable.
+      - name: Start CodeQL CLI server in the background
+        shell: bash
+        run: |
+          codeql execute cli-server &
+          sleep 3
+          codeql --version
+
+      - name: Build code quality query lists
+        shell: bash
+        run: |
+          for lang in "csharp" "go" "java" "javascript" "python" "ruby"; do
+            echo "Generating code quality query list for $lang"
+            npm run generate-code-quality-query-list -- \
+              --verbose \
+              --codeql-path codeql \
+              --codeql-dir codeql \
+              -o data/reusables/code-quality/codeql-query-tables/$lang.md \
+              $lang
+          done
+
+      - name: Upload quality query lists
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: quality-query-lists
+          path: data/reusables/code-quality/codeql-query-tables/
+
+  create-pull-request:
+    if: github.repository == 'github/docs-internal'
+    runs-on: ubuntu-latest
+    needs: [generate-security-query-lists, generate-quality-query-lists]
+    steps:
+      - name: Checkout repository code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Checkout codeql repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: github/codeql
+          path: codeql
+          ref: ${{ inputs.SOURCE_BRANCH || 'main' }}
+
+      - name: Get the codeql SHA being synced
+        id: codeql
+        shell: bash
+        run: |
+          cd codeql
+          OPENAPI_COMMIT_SHA=$(git rev-parse HEAD)
+          echo "OPENAPI_COMMIT_SHA=$OPENAPI_COMMIT_SHA" >> $GITHUB_OUTPUT
+          echo "Copied files from github/codeql repo. Commit SHA: $OPENAPI_COMMIT_SHA"
+
+      - name: Download security query lists
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: security-query-lists
+          path: data/reusables/code-scanning/codeql-query-tables/
+
+      - name: Download quality query lists
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: quality-query-lists
+          path: data/reusables/code-quality/codeql-query-tables/
+
      - name: Insight into diff
+        shell: bash
        run: |
          git diff

@@ -105,6 +201,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
          DRY_RUN: ${{ github.event_name == 'pull_request'}}
+        shell: bash
        run: |

          # When we started, we downloaded the CodeQL CLI here in this workflow.
@@ -145,6 +242,7 @@ jobs:
          fi

          git add data/reusables/code-scanning/codeql-query-tables
+          git add data/reusables/code-quality/codeql-query-tables
          git commit -m "Update CodeQL query tables"
          git push -u origin $branchname

@@ -157,6 +255,6 @@ jobs:


            No action is required from the first responder for the Docs content team. This PR is automatically added to the Docs content review board. Any writer can review this by checking that the PR looks sensible. If CI does not pass or other problems arise, contact #docs-engineering on slack.
-            
-            
+
+
            When the DRI for the CodeQL CLI release is ready to publish, they will ask us to merge this PR in #docs-content.'