Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable automation of the CodeQL CLI upgrade process #731

Merged
merged 9 commits into from
Oct 4, 2024
Merged

Enable automation of the CodeQL CLI upgrade process #731

merged 9 commits into from
Oct 4, 2024

Conversation

lcartey
Copy link
Collaborator

@lcartey lcartey commented Oct 3, 2024
edited by nicolaswill
Loading

Description

This PR fully implements the automation for updating the CodeQL CLI dependencies:

  • The upgrade_codeql_dependencies.py is improved to:
    • Update the qlpack.yml files in the repository to the version of the codeql/cpp-all dependency correlated with the CodeQL CLI version specified.
    • Run the CodeQL CLI to update the codeql-pack.lock.yml files with the new dependencies.
  • The upgrade_codeql_dependencies.yml workflow is improved to:
    • Provide the CodeQL CLI on the path when running the upgrade_codeql_dependencies.py script.
    • Provide an improved PR body message with appropriate checklist for a CodeQL CLI upgrade.
  • The development_handbook.md is improved to:
    • No longer refer to the removed GHES version.
    • Streamline the PR body description, and match it to the one used by the workflow.
    • Reference the workflow as an option for automated generation when upgrading to a specified CodeQL CLI version with matching github/codeql tag and CodeQL CLI bundle version.

Change request type

  • Release or process automation (GitHub workflows, internal scripts)
  • Internal documentation
  • External documentation
  • Query files (.ql, .qll, .qls or unit tests)
  • External scripts (analysis report or other code shipped as part of a release)

Rules with added or modified queries

  • No rules added
  • Queries have been added for the following rules:
    • rule number here
  • Queries have been modified for the following rules:
    • rule number here

Release change checklist

A change note (development_handbook.md#change-notes) is required for any pull request which modifies:

  • The structure or layout of the release artifacts.
  • The evaluation performance (memory, execution time) of an existing query.
  • The results of an existing query in any circumstance.

If you are only adding new rule queries, a change note is not required.

Author: Is a change note required?

  • Yes
  • No

🚨🚨🚨
Reviewer: Confirm that format of shared queries (not the .qll file, the
.ql file that imports it) is valid by running them within VS Code.

  • Confirmed

Reviewer: Confirm that either a change note is not required or the change note is required and has been added.

  • Confirmed

Query development review checklist

For PRs that add new queries or modify existing queries, the following checklist should be completed by both the author and reviewer:

Author

  • Have all the relevant rule package description files been checked in?
  • Have you verified that the metadata properties of each new query is set appropriately?
  • Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • Are the alert messages properly formatted and consistent with the style guide?
  • Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • Does the query have an appropriate level of in-query comments/documentation?
  • Have you considered/identified possible edge cases?
  • Does the query not reinvent features in the standard library?
  • Can the query be simplified further (not golfed!)

Reviewer

  • Have all the relevant rule package description files been checked in?
  • Have you verified that the metadata properties of each new query is set appropriately?
  • Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
  • Are the alert messages properly formatted and consistent with the style guide?
  • Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
    As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
  • Does the query have an appropriate level of in-query comments/documentation?
  • Have you considered/identified possible edge cases?
  • Does the query not reinvent features in the standard library?
  • Can the query be simplified further (not golfed!)

lcartey added 5 commits October 3, 2024 23:31
@lcartey
Upgrade CodeQL dependencies now updates qlpack.yml files
8cfa9cf 
The appropriate version of the `codeql/cpp-all` pack is identified
by querying the qlpack.yml of the tag for the CodeQL version on
github/codeql. This is then applied to all relevant qlpack.yml
files in the repo, then codeql pack upgrade is used to update the
lock files.
@lcartey
Upgrade workflow now provides codeql binary on path
4b13ea4 
This enables the python script to update the lock files
@lcartey
Update upgrade documentation
1fe51d5 
Improve the documentation and automatic commit message for
upgrades.
@lcartey
Developer handbook: improve upgrade documentation
8bd60fb 
 - Remove reference to GHES, which is no longer required.
 - Clarify use of the automatic workflow vs. manual workflow
@lcartey
Upgrade CodeQL - ensure minimal changes to qlpacks.yml
6e89bb1 
Ensure the qlpack.yml files are written out in the same order they
were read.
@lcartey
Upgrade GitHub Actions versions
6278a09 
Upgrade to versions which use a more recent node.
@lcartey
Copy link
Collaborator Author

lcartey commented Oct 4, 2024

This has been tested here:
#733
And here:
#734

@lcartey
Upgrade all qlpacks
7cc5b57 
Otherwise the lock files may not be updated for packs which
transitively depend on codeql/cpp-all
@lcartey lcartey enabled auto-merge October 4, 2024 13:24
@lcartey lcartey added this pull request to the merge queue Oct 4, 2024
Merged via the queue into main with commit de553c1 Oct 4, 2024
24 checks passed
@lcartey lcartey deleted the lcartey/improve-upgrade-codeql-dependencies branch October 4, 2024 14:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolaswill nicolaswill nicolaswill approved these changes

@knewbury01 knewbury01 Awaiting requested review from knewbury01

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lcartey @nicolaswill