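name: Generate code scanning query lists

# **What it does**: This workflow is currently run manually approximately every two weeks as part
# of the release process for the CodeQL CLI. We hope to automate this in the future
# When run, this workflow generates updated query lists with data from the codeql
# repository, and creates a pull request if there are updates.
# **Why we have it**: So we can automate CodeQL query tables and show code scanning users the built in queries.
# **Who does it impact**: Anyone making CodeQL query suite changes in `github/codeql`, and wanting to get them published on the docs site.
#
# Design notes:
# - The github/codeql commit SHA named in the branch and PR body is exported as a job
#   output by the two generate jobs (the checkouts the tables were actually built from)
#   and consumed by `create-pull-request`. The PR job does not do its own checkout of
#   github/codeql, because a fresh `rev-parse` of a branch can return a later commit
#   than the one the artifacts were generated from. Because the two generate jobs check
#   out independently, the PR job fails fast if they saw different commits instead of
#   publishing tables from mixed sources.
# - Values from `${{ }}` expressions reach `run:` scripts through `env:` rather than
#   being interpolated into the script text, so they are always treated as data.
# - Only the job that pushes a branch and opens the PR has write permissions; the
#   generate jobs run with read-only repository access.

on:
  workflow_dispatch:
    inputs:
      SOURCE_BRANCH:
        description: 'Branch to pull the source files from in the codeql repo (for example codeql-cli-2.x.x).'
        type: string
        required: true
        default: 'main'
  pull_request:
    paths:
      - .github/workflows/generate-code-scanning-query-lists.yml
      - src/codeql-queries/scripts/generate-code-scanning-query-list.ts
      - src/codeql-queries/scripts/generate-code-quality-query-list.ts
      - .github/actions/install-cocofix/action.yml

# Least privilege: read-only by default. `create-pull-request` raises its own
# permissions because it is the only job that pushes and opens a PR.
permissions:
  contents: read

jobs:
  generate-security-query-lists:
    if: github.repository == 'github/docs-internal'
    runs-on: ubuntu-latest
    outputs:
      # Exact github/codeql commit the security tables were generated from.
      codeql_sha: ${{ steps.codeql.outputs.CODEQL_COMMIT_SHA }}
    steps:
      - name: Checkout repository code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - uses: ./.github/actions/node-npm-setup

      - name: Checkout codeql repo
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          repository: github/codeql
          path: codeql
          # `inputs` is empty on pull_request runs, so fall back to main.
          ref: ${{ inputs.SOURCE_BRANCH || 'main' }}

      - name: Get the codeql SHA being synced
        id: codeql
        shell: bash
        run: |
          cd codeql
          CODEQL_COMMIT_SHA=$(git rev-parse HEAD)
          echo "CODEQL_COMMIT_SHA=$CODEQL_COMMIT_SHA" >> "$GITHUB_OUTPUT"
          echo "Copied files from github/codeql repo."
          echo "Commit SHA: $CODEQL_COMMIT_SHA"

      - name: Download CodeQL CLI
        # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
        uses: ./codeql/.github/actions/fetch-codeql

      - name: Test CodeQL CLI Download
        shell: bash
        run: codeql --version

      # "Server for running multiple commands while avoiding repeated JVM initialization."
      # Having started this should speed up the execution of the various
      # CLI calls of the executable.
      - name: Start CodeQL CLI server in the background
        shell: bash
        run: |
          codeql execute cli-server &
          sleep 3
          codeql --version

      - uses: ./.github/actions/install-cocofix
        with:
          token: ${{ secrets.DOCS_BOT_PAT_BASE }}

      - name: Build code scanning security query lists
        shell: bash
        run: |
          for lang in "actions" "cpp" "csharp" "go" "java" "javascript" "python" "ruby" "rust" "swift"; do
            echo "Generating code scanning query list for $lang"
            npm run generate-code-scanning-query-list -- \
              --verbose \
              --codeql-path codeql \
              --codeql-dir codeql \
              -o "data/reusables/code-scanning/codeql-query-tables/$lang.md" \
              "$lang"
          done

      - name: Upload security query lists
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: security-query-lists
          path: data/reusables/code-scanning/codeql-query-tables/

  generate-quality-query-lists:
    if: github.repository == 'github/docs-internal'
    runs-on: ubuntu-latest
    outputs:
      # Exact github/codeql commit the quality tables were generated from.
      codeql_sha: ${{ steps.codeql.outputs.CODEQL_COMMIT_SHA }}
    steps:
      - name: Checkout repository code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - uses: ./.github/actions/node-npm-setup

      - name: Checkout codeql repo
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          repository: github/codeql
          path: codeql
          # `inputs` is empty on pull_request runs, so fall back to main.
          ref: ${{ inputs.SOURCE_BRANCH || 'main' }}

      - name: Get the codeql SHA being synced
        id: codeql
        shell: bash
        run: |
          cd codeql
          CODEQL_COMMIT_SHA=$(git rev-parse HEAD)
          echo "CODEQL_COMMIT_SHA=$CODEQL_COMMIT_SHA" >> "$GITHUB_OUTPUT"
          echo "Copied files from github/codeql repo."
          echo "Commit SHA: $CODEQL_COMMIT_SHA"

      - name: Download CodeQL CLI
        # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
        uses: ./codeql/.github/actions/fetch-codeql

      - name: Test CodeQL CLI Download
        shell: bash
        run: codeql --version

      # "Server for running multiple commands while avoiding repeated JVM initialization."
      # Having started this should speed up the execution of the various
      # CLI calls of the executable.
      - name: Start CodeQL CLI server in the background
        shell: bash
        run: |
          codeql execute cli-server &
          sleep 3
          codeql --version

      - name: Build code quality query lists
        shell: bash
        run: |
          for lang in "csharp" "go" "java" "javascript" "python" "ruby"; do
            echo "Generating code quality query list for $lang"
            npm run generate-code-quality-query-list -- \
              --verbose \
              --codeql-path codeql \
              --codeql-dir codeql \
              -o "data/reusables/code-quality/codeql-query-tables/$lang.md" \
              "$lang"
          done

      - name: Upload quality query lists
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: quality-query-lists
          path: data/reusables/code-quality/codeql-query-tables/

  create-pull-request:
    if: github.repository == 'github/docs-internal'
    runs-on: ubuntu-latest
    needs: [generate-security-query-lists, generate-quality-query-lists]
    # `git push` uses the credentials actions/checkout persists (the job's
    # GITHUB_TOKEN), so this job needs contents: write. `gh pr create` runs with
    # the docs-bot PAT set in the step's env.
    permissions:
      contents: write
      pull-requests: write
    env:
      # The commits the artifacts were built from, as reported by the generate jobs.
      CODEQL_SHA: ${{ needs.generate-security-query-lists.outputs.codeql_sha }}
      QUALITY_CODEQL_SHA: ${{ needs.generate-quality-query-lists.outputs.codeql_sha }}
    steps:
      - name: Checkout repository code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check both query lists were generated from the same codeql commit
        shell: bash
        run: |
          # The two generate jobs check out github/codeql independently, so the
          # branch may have moved between them. Refuse to publish mixed tables.
          if [ -z "$CODEQL_SHA" ] || [ "$CODEQL_SHA" != "$QUALITY_CODEQL_SHA" ]; then
            echo "Security lists were generated from codeql@${CODEQL_SHA:-<unset>} but quality lists from codeql@${QUALITY_CODEQL_SHA:-<unset>}."
            echo "Re-run the workflow so both jobs pick up the same commit."
            exit 1
          fi
          echo "Both query lists were generated from codeql@$CODEQL_SHA"

      - name: Download security query lists
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: security-query-lists
          path: data/reusables/code-scanning/codeql-query-tables/

      - name: Download quality query lists
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: quality-query-lists
          path: data/reusables/code-quality/codeql-query-tables/

      - name: Insight into diff
        shell: bash
        run: |
          git diff

      - name: Create pull request
        env:
          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
          DRY_RUN: ${{ github.event_name == 'pull_request' }}
        shell: bash
        run: |
          # If nothing to commit, exit now. It's fine. No orphans.
          changes=$(git diff --name-only | wc -l)
          untracked=$(git status --untracked-files --short | wc -l)
          if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
            echo "There are no changes to commit after running the generation and conversion scripts. Exiting..."
            exit 0
          fi

          git config --global user.name "docs-bot"
          git config --global user.email "77750099+docs-bot@users.noreply.github.com"

          # CODEQL_SHA comes from the job env, not from an expression expanded
          # into this script, so it is never treated as shell code.
          branchname="codeql-query-tables-$CODEQL_SHA"

          # Exit if the branch already exists. Since the actions/checkout fetch-depth is 1,
          # it doesn't "know" about branches locally, so we need to manually list them.
          branchExists=$(git ls-remote --heads origin "refs/heads/$branchname" | wc -l)

          # When run on a pull_request, we're just testing the tooling.
          # Exit before it actually pushes the possible changes.
          if [ "$DRY_RUN" = "true" ]; then
            echo "Dry-run mode when run in a pull request"
            echo "See the 'Insight into diff' step for the changes it would create PR about."
            exit 0
          fi

          if [ "$branchExists" -ne 0 ]; then
            echo "Branch $branchname already exists in the remote repository."
            exit 0
          else
            git checkout -b "$branchname"
          fi

          git add data/reusables/code-scanning/codeql-query-tables
          git add data/reusables/code-quality/codeql-query-tables
          git commit -m "Update CodeQL query tables"
          git push -u origin "$branchname"

          echo "Creating pull request..."
          # Unquoted heredoc so $CODEQL_SHA is substituted by bash; the body
          # contains no other `$` or backticks.
          pr_body=$(cat <<EOF
          👋 humans. This PR updates the **CodeQL query table reusables** with the latest changes in preparation for the next **CodeQL CLI** release.

          (Synced from codeql@$CODEQL_SHA)

          No action is required from the first responder for the Docs content team. This PR is automatically added to the Docs content review board. Any writer can review this by checking that the PR looks sensible.

          If CI does not pass or other problems arise, contact #docs-engineering on slack.

          When the DRI for the CodeQL CLI release is ready to publish, they will ask us to merge this PR in #docs-content.
          EOF
          )
          gh pr create \
            --title "Update CodeQL query tables" \
            --repo github/docs-internal \
            --label "codeql-query-tables,skip FR board,ready-for-doc-review,workflow-generated" \
            --body "$pr_body"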