chore: bump pinned CodeQL CLI to v2.24.3 and release v0.5.0#179
Conversation
|
@copilot Heads up - compile-and-test (java) also failed in the original CI run (29135458959/job/86498780617). Please include a fix for it alongside anything else you're already working on, so we don't need a second slow re-run cycle just for this. Log tail from the failed step: |
|
@copilot I dug into the java compile failure myself - it's a clean upstream rename, not a real breaking change, so this should be a one-line fix: Error: �pplyManualModel() cannot be resolved for type ...SummarizedCallable in java/src/library_sources/ExternalAPIs.qll:196. Root cause: codeql/java-all jumped 7.1.3 -> 8.1.1 (major bump) in this CLI update. In the shared FlowSummaryImpl.qll at CLI v2.24.3, the SummarizedCallable.applyManualModel() predicate was renamed to hasManualModel() (same semantics: "Holds if there exists a manual summary that applies to this callable") - see https://github.com/github/codeql/blob/codeql-cli/v2.24.3/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll (search hasManualModel). This actually makes the API consistent with NeutralSummaryCallable.hasManualModel(), which is already called on the very next line (197) of the same file. Fix: in java/src/library_sources/ExternalAPIs.qll line 196, change: api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()).asCallable() orto: api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.hasManualModel()).asCallable() orI grepped the whole java/ directory and this is the only occurrence of �pplyManualModel - no other call sites need updating for this specific rename. Please apply this fix along with anything else failing in CI (check gh pr checks 179 for the current full list, including compile-and-test (java) which may still be settling). |
|
@copilot Found the python compile failure too - same root cause pattern as the java one (and the same pattern PR #177 already fixed once in this repo for a sibling file): Error: Root cause: This is the exact same shape of fix already applied in Fix: add this import to private import LegacyPointsToI checked the rest of |
- java/src/library_sources/ExternalAPIs.qll: rename applyManualModel() to hasManualModel() on SummarizedCallable (method was removed in java-all 8.1.1) - python/lib/ghsl/MassAssignment.qll: replace deprecated Value type and CallNode with DataFlow::MethodCallNode (Value is no longer re-exported from python.qll in python-all 7.0.0) Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
Fixed in commit Two API breakages addressed:
Both queries compile cleanly against CodeQL 2.24.3. |
The Build CodeQL Packs workflow (ci.yml) previously assumed every run had
a PR context (github.event.number). For workflow_dispatch runs this value
is empty, which caused two problems:
1. Unquoted script arguments (pr-compile.sh, pr-suites-packs.sh) meant an
empty github.event.number was dropped entirely by bash word-splitting,
shifting the language argument into position 1 and leaving position 2
unset - crashing immediately under set -u ("unbound variable") before
any query compilation happened.
2. Every step was gated on dorny/paths-filter's src output, which is
PR-diff-based and not meaningful for a manual "verify everything" run.
Fixes:
- Quote the PR-number/language args passed to pr-compile.sh and
pr-suites-packs.sh so an empty value is passed as an explicit empty
string instead of vanishing.
- Add || github.event_name == 'workflow_dispatch' to every
steps.changes.outputs.src == 'true' step condition (12 occurrences
across compile-and-test, extensions, library-sources, and configs jobs)
so a manual dispatch always runs every step regardless of path-filter.
- Give pr-compile.sh, pr-suites-packs.sh, and pr-configs.sh a "full mode"
fallback that activates whenever PR_NUMBER is empty: instead of calling
gh pr view / gh pr comment (which require a PR), each script now
enumerates the relevant files directly from the filesystem (full
--warnings=error compile of the language, find over suites/*.qls,
glob over configs/*.yml) and skips any PR-comment logic. This keeps a
single dual-mode script per concern instead of forking separate
PR/non-PR script files, avoiding future logic drift between the two
paths.
This lets ci.yml be dispatched manually on any branch (including main)
to get a real, full compile-and-test validation without requiring an
open pull request - closing the validation gap that let PR #179 get
merged on the strength of the wrong CI signal.
* ci: support full validation on workflow_dispatch (no PR context)
The Build CodeQL Packs workflow (ci.yml) previously assumed every run had
a PR context (github.event.number). For workflow_dispatch runs this value
is empty, which caused two problems:
1. Unquoted script arguments (pr-compile.sh, pr-suites-packs.sh) meant an
empty github.event.number was dropped entirely by bash word-splitting,
shifting the language argument into position 1 and leaving position 2
unset - crashing immediately under set -u ("unbound variable") before
any query compilation happened.
2. Every step was gated on dorny/paths-filter's src output, which is
PR-diff-based and not meaningful for a manual "verify everything" run.
Fixes:
- Quote the PR-number/language args passed to pr-compile.sh and
pr-suites-packs.sh so an empty value is passed as an explicit empty
string instead of vanishing.
- Add || github.event_name == 'workflow_dispatch' to every
steps.changes.outputs.src == 'true' step condition (12 occurrences
across compile-and-test, extensions, library-sources, and configs jobs)
so a manual dispatch always runs every step regardless of path-filter.
- Give pr-compile.sh, pr-suites-packs.sh, and pr-configs.sh a "full mode"
fallback that activates whenever PR_NUMBER is empty: instead of calling
gh pr view / gh pr comment (which require a PR), each script now
enumerates the relevant files directly from the filesystem (full
--warnings=error compile of the language, find over suites/*.qls,
glob over configs/*.yml) and skips any PR-comment logic. This keeps a
single dual-mode script per concern instead of forking separate
PR/non-PR script files, avoiding future logic drift between the two
paths.
This lets ci.yml be dispatched manually on any branch (including main)
to get a real, full compile-and-test validation without requiring an
open pull request - closing the validation gap that let PR #179 get
merged on the strength of the wrong CI signal.
* fix: pr-suites-packs.sh full-mode must target each pack subdir, not $LANGUAGE
codeql pack install/create requires a directory containing a qlpack.yml
directly. No language has a top-level qlpack.yml (only nested src/, lib/,
ext/, ext-library-sources/) so `codeql pack install "$LANGUAGE"` fails
with "ERROR: The directory is not a qlpack." Loop over the actual pack
subdirectories instead, matching what codeql-workspace.yml's
`**/qlpack.yml` globs actually resolve to.
Caught by dispatching this branch's workflow_dispatch run directly -
cpp/go/ruby all failed identically before this fix.
* fix: soften full-mode compile to not fail on pre-existing warning backlog
publish.yml never runs --warnings=error (only `codeql pack install`/`publish`,
which don't treat warnings as fatal), so full-mode's strict recompile of the
entire language directory was a brand-new, stricter check than what actually
gates real publishing - and it tripped on 5 pre-existing deprecated-API
warnings (getResult, getAUse, SsaVariable) that no PR-mode diff has ever
caught because no PR has ever touched all of them at once.
The plain compile check above already covers the whole language directory
without treating warnings as fatal, so full-mode is done once that passes.
Filed a follow-up issue to clean up the warning backlog and then make
PR-mode itself trigger a full strict compile when a PR touches
.codeqlversion or a codeql-pack.lock.yml, since a dependency/CLI bump can
change behavior across every query, not just the files literally edited.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: felickz <felickz@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Automated CLI version bump, requested via the "Update CodeQL CLI Version"
workflow (
workflow_dispatch,codeql_version: 2.24.3,release_bump: minor).This PR:
Updates
.codeqlversionto2.24.3.Pins every
codeql/<lang>-all/codeql/<lang>-queriesdependency across allqlpack.ymlfiles to the exact version shipped in the official CodeQL Bundlefor this CLI release (see
.github/scripts/pin-codeql-library-versions.sh) -this keeps
codeql pack upgradefrom jumping those libraries toregistry-latest instead of the version this CLI actually ships/tests against.
Runs
codeql pack upgrade <dir>for every pack directory to refresh itscodeql-pack.lock.ymlagainst the new CLI and pinned library versions.Also bumps the repo release version (
minor, via the samepatch-release-mestepupdate-release.ymluses) to0.5.0,propagating it to every pack's own
version:field,configs/*.ymlreferences, and cross-pack
-libspins.Merging this PR triggers the real batch publish -
publish.yml'sauto-trigger fires on any push to
mainthat changes.release.yml, which thisPR does. No separate "CodeQL Update Release" run is needed. That run's
summaryjob will create the matching GitHub Release as a full release
(
release_prerelease: false).Remaining steps (see CONTRIBUTING.md's "Updating the pinned CodeQL CLI/library
version" section):
API changes. This is usually the hardest part; consider delegating it to a
Copilot coding agent session pointed at this PR/branch.