From 3f7f2c7192bb8c316c21e4970e5218dea1c6f158 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Fri, 10 Jul 2026 18:51:00 -0400 Subject: [PATCH 1/2] chore(ci): pre-install every CodeQL pack's dependencies in copilot-setup-steps.yml copilot-setup-steps.yml previously left `codeql pack install` for the Copilot coding agent to run itself, on the assumption it's "fast enough" for the agent to do inline when it needs it (a few seconds). That's true once the agent knows to do it - but a real session on PR #173 (fixing the Python compile error from the CodeQL 2.22.4 bump) shows the discovery cost dwarfs the install cost: - The agent's first `codeql query compile --check-only "./python/"` failed with "Pack 'codeql/python-all@4.0.13' was not found in the pack download cache. Run 'codeql pack install' to download the dependencies." - Instead of immediately running that, it spent ~3 of its ~10 total minutes investigating why the library file was "missing" - checking ~/.codeql/packages/ (empty, since nothing was installed yet), and running a whole-filesystem `find / -name "CryptoAlgorithmNames*"` (35s) - before finally running `codeql pack install python/src/` at turn 37 and immediately finding/fixing the real one-line bug one turn later. This adds an "Install CodeQL pack dependencies" step that pre-installs every pack (src/lib/ext/ext-library-sources/test, across all 7 languages - 28 directories today) using the same qlpack.yml discovery + exclude pattern already established in update-codeql-version.yml's `codeql pack upgrade` loop (skip ql/hotspots, codeql_home, codeql/, */.codeql). We install every pack rather than guessing which language the agent will be asked to fix, since the setup step can't know that ahead of time and the per-pack cost is only a few seconds. Removes the now-stale trailing comment explaining why pack install was deliberately skipped, since that's no longer the design. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --- .github/workflows/copilot-setup-steps.yml | 37 +++++++++++++++++++---- 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 0b1a44ff..38488645 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -32,6 +32,37 @@ jobs: id: install-codeql uses: ./.github/actions/install-codeql + - name: Install CodeQL pack dependencies + run: | + # Pre-downloads every pack's dependencies (codeql/-all, etc.) into + # the pack download cache so Copilot never hits "Pack '...' was not + # found in the pack download cache. Run 'codeql pack install' to + # download the dependencies." when it runs `codeql query compile` / + # `codeql test run`. + # + # Without this, the agent has to discover on its own that `codeql pack + # install ` is a prerequisite - which it does eventually, but not + # before burning several minutes on dead-end investigation first (e.g. + # a whole-filesystem `find / -name ...` looking for a "missing" library + # that was simply never installed). See the Copilot session on PR #173 + # for a real example: it spent ~3 of its ~10 minutes on that rabbit + # hole before running `codeql pack install` and immediately finding/ + # fixing the real one-line bug. + # + # We install every pack (not just the language the agent will end up + # touching) because we don't know ahead of time which one it'll be + # asked to fix - the extra cost is a few seconds per pack, which is + # trivial next to the minutes it can save. Same exclude list as + # update-codeql-version.yml's `codeql pack upgrade` loop: skip + # ql/hotspots (standalone tool, not a real GHCR-resolvable pack), + # codeql_home (vendored CLI packs), and codeql/ + */.codeql (the test- + # stubs clone below and CodeQL's own per-pack build caches). + for dir in $(find . -name qlpack.yml -not -path "./ql/hotspots/*" -not -path "./codeql_home/*" -not -path "./codeql/*" -not -path "*/.codeql/*" -exec dirname {} \;); do + echo "::group::codeql pack install $dir" + codeql pack install "$dir" + echo "::endgroup::" + done + - name: Clone github/codeql (test stubs) env: GITHUB_TOKEN: ${{ github.token }} @@ -48,9 +79,3 @@ jobs: # resolve, so `codeql test run` can actually compile the test snippets. # `--depth=1`: we only need the tree at that branch tip, not its history. gh repo clone github/codeql -- -b "codeql-cli-${CODEQL_CLI_VERSION}" --depth=1 - - # Deliberately not running `codeql pack install /...` here for every - # language - that's fast enough (a few seconds) for Copilot to run itself for - # whichever specific language pack(s) it's actually fixing, and running it - # for all 7 languages up front would just slow down every session regardless - # of what it's working on. From 30337c349bbde27a32e812f887906bc716dd80b7 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Fri, 10 Jul 2026 18:57:55 -0400 Subject: [PATCH 2/2] chore(ci): grant packages: read to copilot-setup-steps job Matches the established convention in ci.yml and update-codeql-version.yml, both of which grant packages: read to jobs running codeql pack install/ upgrade. The new pre-install step added in this PR succeeded in its own CI validation run without this permission (the standard codeql/* library packs are publicly readable from GHCR), but ci.yml runs 7 languages in parallel and could plausibly hit anonymous GHCR rate limits under that concurrency where our sequential single-job run wouldn't - so granting this defensively costs nothing and keeps the workflow consistent with the rest of the repo. Addresses review feedback: https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/pull/176#discussion_r3562407674 Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --- .github/workflows/copilot-setup-steps.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 38488645..6cf70abf 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -23,6 +23,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + packages: read # matches ci.yml/update-codeql-version.yml's grant for `codeql pack install`/`upgrade` resolving codeql/* deps from GHCR steps: - name: Checkout