chore(ci): pre-install every CodeQL pack's dependencies in copilot-setup-steps.yml#176
Merged
Merged
Conversation
…tup-steps.yml copilot-setup-steps.yml previously left `codeql pack install` for the Copilot coding agent to run itself, on the assumption it's "fast enough" for the agent to do inline when it needs it (a few seconds). That's true once the agent knows to do it - but a real session on PR #173 (fixing the Python compile error from the CodeQL 2.22.4 bump) shows the discovery cost dwarfs the install cost: - The agent's first `codeql query compile --check-only "./python/"` failed with "Pack 'codeql/python-all@4.0.13' was not found in the pack download cache. Run 'codeql pack install' to download the dependencies." - Instead of immediately running that, it spent ~3 of its ~10 total minutes investigating why the library file was "missing" - checking ~/.codeql/packages/ (empty, since nothing was installed yet), and running a whole-filesystem `find / -name "CryptoAlgorithmNames*"` (35s) - before finally running `codeql pack install python/src/` at turn 37 and immediately finding/fixing the real one-line bug one turn later. This adds an "Install CodeQL pack dependencies" step that pre-installs every pack (src/lib/ext/ext-library-sources/test, across all 7 languages - 28 directories today) using the same qlpack.yml discovery + exclude pattern already established in update-codeql-version.yml's `codeql pack upgrade` loop (skip ql/hotspots, codeql_home, codeql/, */.codeql). We install every pack rather than guessing which language the agent will be asked to fix, since the setup step can't know that ahead of time and the per-pack cost is only a few seconds. Removes the now-stale trailing comment explaining why pack install was deliberately skipped, since that's no longer the design. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the Copilot coding-agent bootstrap workflow to proactively install CodeQL pack dependencies up front, reducing wasted agent time spent “discovering” that codeql pack install is required before compiling/testing packs.
Changes:
- Add a new “Install CodeQL pack dependencies” step that finds all
qlpack.ymldirectories (with existing exclude rules) and runscodeql pack installfor each. - Remove the prior comment explaining why pack installs were intentionally skipped.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/copilot-setup-steps.yml | Pre-installs CodeQL pack dependencies in the Copilot setup workflow to avoid agent-run compilation failures and investigation overhead. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 1
- Review effort level: Low
Matches the established convention in ci.yml and update-codeql-version.yml, both of which grant packages: read to jobs running codeql pack install/ upgrade. The new pre-install step added in this PR succeeded in its own CI validation run without this permission (the standard codeql/* library packs are publicly readable from GHCR), but ci.yml runs 7 languages in parallel and could plausibly hit anonymous GHCR rate limits under that concurrency where our sequential single-job run wouldn't - so granting this defensively costs nothing and keeps the workflow consistent with the rest of the repo. Addresses review feedback: #176 (comment) Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
copilot-setup-steps.yml(added in #174) deliberately did not pre-runcodeql pack installfor any language, on the assumption it's "fast enough - a few seconds" for the Copilot coding agent to run itself when it needs it.That assumption is true once the agent knows to do it - but a real delegated session on #173 (fixing the Python compile error caused by the CodeQL 2.22.4 bump) shows the discovery cost dwarfs the install cost:
codeql query compile --check-only "./python/"failed with:codeql pack install, it spent ~3 of its ~10 total minutes investigating why the library file was "missing" - checking~/.codeql/packages/(empty, since nothing was installed yet), then running a whole-filesystemfind / -name "CryptoAlgorithmNames*"(35s) trying to locate it.codeql pack install python/src/(which took ~1.5s) - and immediately found + fixed the real one-line bug one turn later.So roughly a third of the job was burned re-discovering a prerequisite step that a fixed setup step can just do once, up front, for free.
What this changes
Adds an "Install CodeQL pack dependencies" step that pre-installs every pack's dependencies (
src/lib/ext/ext-library-sources/test, across all 7 languages - 28 directories today) before the agent starts working.find qlpack.yml+ exclude pattern already established inupdate-codeql-version.yml'scodeql pack upgradeloop, for consistency:ql/hotspots(standalone tool, not a real GHCR-resolvable pack)codeql_home(vendored CLI packs)codeql/and*/.codeql(the test-stubs clone + CodeQL's own build caches)Verification
python -c "import yaml; yaml.safe_load(...)"- YAML parses cleanly.find+exclude pattern against the real repo tree: correctly discovers all 28 real pack dirs (cpp/csharp/go/java/javascript/python/ruby × src/lib/ext/ext-library-sources/test as applicable) and correctly excludesql/hotspots.on:triggers) - the real end-to-end test is the next delegated Copilot session that needs to compile/test a pack.Related
copilot-setup-steps.ymloriginally