Skip to content

chore(ci): pre-install every CodeQL pack's dependencies in copilot-setup-steps.yml#176

Merged
felickz merged 2 commits into
mainfrom
chore/preinstall-codeql-packs-in-setup-steps
Jul 10, 2026
Merged

chore(ci): pre-install every CodeQL pack's dependencies in copilot-setup-steps.yml#176
felickz merged 2 commits into
mainfrom
chore/preinstall-codeql-packs-in-setup-steps

Conversation

@felickz

@felickz felickz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Why

copilot-setup-steps.yml (added in #174) deliberately did not pre-run codeql pack install for any language, on the assumption it's "fast enough - a few seconds" for the Copilot coding agent to run itself when it needs it.

That assumption is true once the agent knows to do it - but a real delegated session on #173 (fixing the Python compile error caused by the CodeQL 2.22.4 bump) shows the discovery cost dwarfs the install cost:

  1. Its first codeql query compile --check-only "./python/" failed with:
    ERROR: Pack 'codeql/python-all@4.0.13' was not found in the pack download cache. Run 'codeql pack install' to download the dependencies.
    
  2. Instead of immediately reaching for codeql pack install, it spent ~3 of its ~10 total minutes investigating why the library file was "missing" - checking ~/.codeql/packages/ (empty, since nothing was installed yet), then running a whole-filesystem find / -name "CryptoAlgorithmNames*" (35s) trying to locate it.
  3. Only at turn 37 did it run codeql pack install python/src/ (which took ~1.5s) - and immediately found + fixed the real one-line bug one turn later.

So roughly a third of the job was burned re-discovering a prerequisite step that a fixed setup step can just do once, up front, for free.

What this changes

Adds an "Install CodeQL pack dependencies" step that pre-installs every pack's dependencies (src/lib/ext/ext-library-sources/test, across all 7 languages - 28 directories today) before the agent starts working.

  • Reuses the exact find qlpack.yml + exclude pattern already established in update-codeql-version.yml's codeql pack upgrade loop, for consistency:
    • excludes ql/hotspots (standalone tool, not a real GHCR-resolvable pack)
    • excludes codeql_home (vendored CLI packs)
    • excludes codeql/ and */.codeql (the test-stubs clone + CodeQL's own build caches)
  • Installs every pack rather than guessing which language the agent will be asked to fix - the setup step can't know that ahead of time, and the per-pack install cost is only a couple seconds, trivial next to the minutes it can save.
  • Removes the now-stale trailing comment explaining why pack install was deliberately skipped, since that's no longer the design.

Verification

  • python -c "import yaml; yaml.safe_load(...)" - YAML parses cleanly.
  • Locally reproduced the find+exclude pattern against the real repo tree: correctly discovers all 28 real pack dirs (cpp/csharp/go/java/javascript/python/ruby × src/lib/ext/ext-library-sources/test as applicable) and correctly excludes ql/hotspots.
  • This workflow only runs in Copilot's coding-agent environment (plus CI validation on changes to the file itself, per its on: triggers) - the real end-to-end test is the next delegated Copilot session that needs to compile/test a pack.

Related

…tup-steps.yml

copilot-setup-steps.yml previously left `codeql pack install` for the Copilot
coding agent to run itself, on the assumption it's "fast enough" for the agent
to do inline when it needs it (a few seconds). That's true once the agent
knows to do it - but a real session on PR #173 (fixing the Python compile
error from the CodeQL 2.22.4 bump) shows the discovery cost dwarfs the install
cost:

- The agent's first `codeql query compile --check-only "./python/"` failed
  with "Pack 'codeql/python-all@4.0.13' was not found in the pack download
  cache. Run 'codeql pack install' to download the dependencies."
- Instead of immediately running that, it spent ~3 of its ~10 total minutes
  investigating why the library file was "missing" - checking
  ~/.codeql/packages/ (empty, since nothing was installed yet), and running a
  whole-filesystem `find / -name "CryptoAlgorithmNames*"` (35s) - before
  finally running `codeql pack install python/src/` at turn 37 and
  immediately finding/fixing the real one-line bug one turn later.

This adds an "Install CodeQL pack dependencies" step that pre-installs every
pack (src/lib/ext/ext-library-sources/test, across all 7 languages - 28
directories today) using the same qlpack.yml discovery + exclude pattern
already established in update-codeql-version.yml's `codeql pack upgrade`
loop (skip ql/hotspots, codeql_home, codeql/, */.codeql). We install every
pack rather than guessing which language the agent will be asked to fix,
since the setup step can't know that ahead of time and the per-pack cost is
only a few seconds.

Removes the now-stale trailing comment explaining why pack install was
deliberately skipped, since that's no longer the design.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 10, 2026 22:51

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Copilot coding-agent bootstrap workflow to proactively install CodeQL pack dependencies up front, reducing wasted agent time spent “discovering” that codeql pack install is required before compiling/testing packs.

Changes:

  • Add a new “Install CodeQL pack dependencies” step that finds all qlpack.yml directories (with existing exclude rules) and runs codeql pack install for each.
  • Remove the prior comment explaining why pack installs were intentionally skipped.
Show a summary per file
File Description
.github/workflows/copilot-setup-steps.yml Pre-installs CodeQL pack dependencies in the Copilot setup workflow to avoid agent-run compilation failures and investigation overhead.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread .github/workflows/copilot-setup-steps.yml
Matches the established convention in ci.yml and update-codeql-version.yml,
both of which grant packages: read to jobs running codeql pack install/
upgrade. The new pre-install step added in this PR succeeded in its own CI
validation run without this permission (the standard codeql/* library packs
are publicly readable from GHCR), but ci.yml runs 7 languages in parallel
and could plausibly hit anonymous GHCR rate limits under that concurrency
where our sequential single-job run wouldn't - so granting this defensively
costs nothing and keeps the workflow consistent with the rest of the repo.

Addresses review feedback: #176 (comment)

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@felickz felickz merged commit 841e503 into main Jul 10, 2026
21 checks passed
@felickz felickz deleted the chore/preinstall-codeql-packs-in-setup-steps branch July 10, 2026 23:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants