Skip to content

chore: bump pinned CodeQL CLI to v2.23.9 and release v0.4.0#177

Merged
felickz merged 2 commits into
mainfrom
chore/update-codeql-cli-2.23.9
Jul 11, 2026
Merged

chore: bump pinned CodeQL CLI to v2.23.9 and release v0.4.0#177
felickz merged 2 commits into
mainfrom
chore/update-codeql-cli-2.23.9

Conversation

@security-lab-bot

Copy link
Copy Markdown
Contributor

Automated CLI version bump, requested via the "Update CodeQL CLI Version"
workflow (workflow_dispatch, codeql_version: 2.23.9, release_bump: minor).

This PR:

  • Updates .codeqlversion to 2.23.9.

  • Pins every codeql/<lang>-all / codeql/<lang>-queries dependency across all
    qlpack.yml files to the exact version shipped in the official CodeQL Bundle
    for this CLI release (see .github/scripts/pin-codeql-library-versions.sh) -
    this keeps codeql pack upgrade from jumping those libraries to
    registry-latest instead of the version this CLI actually ships/tests against.

  • Runs codeql pack upgrade <dir> for every pack directory to refresh its
    codeql-pack.lock.yml against the new CLI and pinned library versions.

  • Also bumps the repo release version (minor, via the same
    patch-release-me step update-release.yml uses) to 0.4.0,
    propagating it to every pack's own version: field, configs/*.yml
    references, and cross-pack -libs pins.

Merging this PR triggers the real batch publish - publish.yml's
auto-trigger fires on any push to main that changes .release.yml, which this
PR does. No separate "CodeQL Update Release" run is needed. That run's summary
job will create the matching GitHub Release as a full release
(release_prerelease: false).

Remaining steps (see CONTRIBUTING.md's "Updating the pinned CodeQL CLI/library
version" section):

  • Check CI on this PR - fix any compilation/test errors caused by upstream
    API changes. This is usually the hardest part; consider delegating it to a
    Copilot coding agent session pointed at this PR/branch.
  • Update the "Supported CodeQL versions" table in CONTRIBUTING.md.
  • Review and merge - this alone will trigger the real batch publish.

@felickz

felickz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@felickz

felickz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@felickz

felickz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@copilot Update: please treat this as ONE combined task, not separate ones. Current failing CI checks on this PR: ruby, python, and csharp (compile-and-test). Please fix all three (and check the PR Checks tab / gh pr checks 177 for the full current list, since java/javascript compile-and-test are still running and may also fail). Do not stop after fixing just one language - verify all compile-and-test jobs pass before finishing.

@felickz

felickz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@copilot Update: please treat this as ONE combined task, not separate ones. Current failing CI checks on this PR: ruby, python, and csharp (compile-and-test). Please fix all three (and check the PR Checks tab / gh pr checks 177 for the full current list, since java/javascript compile-and-test are still running and may also fail). Do not stop after fixing just one language - verify all compile-and-test jobs pass before finishing.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Automates the repository-wide CodeQL CLI + standard-library pin refresh to align all community packs with CodeQL CLI 2.23.9, and bumps the community packs release to v0.4.0.

Changes:

  • Bump pinned CodeQL CLI version to 2.23.9.
  • Update per-language pack pins (qlpack.yml) to the bundle-shipped codeql/<lang>-all (and *-queries where used), and refresh all codeql-pack.lock.yml files accordingly.
  • Bump repo and pack versions from 0.3.0 → 0.4.0 (including extension packs where present).
Show a summary per file
File Description
ruby/test/qlpack.yml Update Ruby test pack pins (codeql/ruby-all, codeql/ruby-queries).
ruby/test/codeql-pack.lock.yml Refresh Ruby test lockfile to resolved versions for the new CLI/pins.
ruby/src/qlpack.yml Bump Ruby query pack version to 0.4.0 and update codeql/ruby-all pin.
ruby/src/codeql-pack.lock.yml Refresh Ruby src lockfile to resolved versions for the new CLI/pins.
ruby/lib/qlpack.yml Bump Ruby libs pack version to 0.4.0 and update codeql/ruby-all pin.
ruby/lib/codeql-pack.lock.yml Refresh Ruby lib lockfile to resolved versions for the new CLI/pins.
python/test/qlpack.yml Update Python test pack pins (codeql/python-all, codeql/python-queries).
python/test/codeql-pack.lock.yml Refresh Python test lockfile to resolved versions for the new CLI/pins.
python/src/qlpack.yml Bump Python query pack version to 0.4.0 and update codeql/python-all pin.
python/src/codeql-pack.lock.yml Refresh Python src lockfile to resolved versions for the new CLI/pins.
python/lib/qlpack.yml Bump Python libs pack version to 0.4.0 and update codeql/python-all pin.
python/lib/codeql-pack.lock.yml Refresh Python lib lockfile to resolved versions for the new CLI/pins.
python/ext/qlpack.yml Bump Python extensions pack version to 0.4.0 and update extension target pin.
javascript/test/qlpack.yml Update JavaScript test pack pin (codeql/javascript-all).
javascript/test/codeql-pack.lock.yml Refresh JavaScript test lockfile to resolved versions for the new CLI/pins.
javascript/src/qlpack.yml Bump JavaScript query pack version to 0.4.0 and update codeql/javascript-all pin.
javascript/src/codeql-pack.lock.yml Refresh JavaScript src lockfile to resolved versions for the new CLI/pins.
javascript/lib/qlpack.yml Bump JavaScript libs pack version to 0.4.0 and update codeql/javascript-all pin.
javascript/lib/codeql-pack.lock.yml Refresh JavaScript lib lockfile to resolved versions for the new CLI/pins.
java/test/qlpack.yml Update Java test pack pin (codeql/java-all).
java/test/codeql-pack.lock.yml Refresh Java test lockfile to resolved versions for the new CLI/pins.
java/src/qlpack.yml Bump Java query pack version to 0.4.0 and update codeql/java-all pin.
java/src/codeql-pack.lock.yml Refresh Java src lockfile to resolved versions for the new CLI/pins.
java/lib/qlpack.yml Bump Java libs pack version to 0.4.0 and update codeql/java-all pin.
java/lib/codeql-pack.lock.yml Refresh Java lib lockfile to resolved versions for the new CLI/pins.
java/ext/qlpack.yml Bump Java extensions pack version to 0.4.0 and update extension target pin.
java/ext-library-sources/qlpack.yml Bump Java library-sources extension pack version to 0.4.0 and update extension target pin.
go/test/qlpack.yml Update Go test pack pin (codeql/go-all).
go/test/codeql-pack.lock.yml Refresh Go test lockfile to resolved versions for the new CLI/pins.
go/src/qlpack.yml Bump Go query pack version to 0.4.0 and update codeql/go-all pin.
go/src/codeql-pack.lock.yml Refresh Go src lockfile to resolved versions for the new CLI/pins.
go/lib/qlpack.yml Bump Go libs pack version to 0.4.0 and update codeql/go-all pin.
go/lib/codeql-pack.lock.yml Refresh Go lib lockfile to resolved versions for the new CLI/pins.
go/ext/qlpack.yml Bump Go extensions pack version to 0.4.0 and update extension target pin.
csharp/test/qlpack.yml Update C# test pack pins (codeql/csharp-all, codeql/csharp-queries).
csharp/test/codeql-pack.lock.yml Refresh C# test lockfile to resolved versions for the new CLI/pins.
csharp/src/qlpack.yml Bump C# query pack version to 0.4.0 and update codeql/csharp-* pins.
csharp/src/codeql-pack.lock.yml Refresh C# src lockfile to resolved versions for the new CLI/pins.
csharp/lib/qlpack.yml Bump C# libs pack version to 0.4.0 and update codeql/csharp-all pin.
csharp/lib/codeql-pack.lock.yml Refresh C# lib lockfile to resolved versions for the new CLI/pins.
csharp/ext/qlpack.yml Bump C# extensions pack version to 0.4.0 and update extension target pin.
csharp/ext-library-sources/qlpack.yml Bump C# library-sources extension pack version to 0.4.0 and update extension target pin.
cpp/test/qlpack.yml Update C/C++ test pack pins (codeql/cpp-all, codeql/cpp-queries).
cpp/test/codeql-pack.lock.yml Refresh C/C++ test lockfile to resolved versions for the new CLI/pins.
cpp/src/qlpack.yml Bump C/C++ query pack version to 0.4.0 and update codeql/cpp-* pins.
cpp/src/codeql-pack.lock.yml Refresh C/C++ src lockfile to resolved versions for the new CLI/pins.
cpp/lib/qlpack.yml Bump C/C++ libs pack version to 0.4.0 and update codeql/cpp-all pin.
cpp/lib/codeql-pack.lock.yml Refresh C/C++ lib lockfile to resolved versions for the new CLI/pins.
.release.yml Bump repository release version to 0.4.0 (triggers publish on merge).
.codeqlversion Bump pinned CodeQL CLI version to 2.23.9.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 50/50 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread .codeqlversion
@felickz

felickz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@copilot Update again: java (compile-and-test) also failed in the original CI run (https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/actions/runs/29129670777/job/86482427827?pr=177) - please also include a fix for java alongside ruby/python/csharp before finishing, to avoid another slow java re-run cycle.

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

Copilot AI commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@copilot fix the failing CI (https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/actions/runs/29129670777/job/86482427871?pr=177) for this PR

Pushed 6a5ee1d. It updates the Ruby, Python, and C# queries for the CodeQL 2.23.9 API changes that were breaking CI, and the affected local compiles and tests passed.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 54/54 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread python/lib/ghsl/InsecurelyStoredPassword.qll
@felickz felickz merged commit e7c143a into main Jul 11, 2026
10 checks passed
@felickz felickz deleted the chore/update-codeql-cli-2.23.9 branch July 11, 2026 00:07
felickz added a commit that referenced this pull request Jul 11, 2026
…leases (#178)

The "Supported CodeQL versions" table in CONTRIBUTING.md was hand-maintained
and went stale across the last two CLI bumps in a row (PR #173 and #177 both
skipped the "update the table" checklist item). Meanwhile publish.yml's
summary job already generates an equivalent, strictly better table on every
release: it's per-src/lib, links every cell to the exact upstream and
downstream source, and flags drift with a checkmark/mismatch column - so it
can never go stale the way a hand-typed table can.

- CONTRIBUTING.md: replace the stale table with a pointer to the latest
  GitHub Release (and .codeqlversion directly for just the CLI version).
  Keep the heading (README.md links to its anchor), the pinning-rationale
  WARNING box, and the cpp/csharp upstream-queries-pack explanation - none
  of that is version-specific or stale.
- update-codeql-version.yml: drop the now-obsolete "Update the Supported
  CodeQL versions table in CONTRIBUTING.md" checklist bullet from both
  generated PR-body branches (with/without release_bump).

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants