Unpin CodeQL pack dependencies by removing committed lock files (#45)

* Initial plan

* Remove pinned codeql-pack.lock.yml files and ignore future ones

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-template/sessions/a6282c16-1661-4d3b-b8ae-3a50f516d757

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* Add install script, ${workspace} refs, bump to v0.0.2

- Add scripts/install-codeql-packs.sh using codeql pack ls
  for dynamic pack discovery with retry and --language filter
- Use ${workspace} for intra-workspace deps in test packs
- Bump all 32 workspace packs from 0.0.1 to 0.0.2
- Add pack install step to copilot-setup-steps workflow
- Add README Step 2 for post-clone pack installation
- Revert .gitignore: keep lock files in template-derived repos

Resolves review feedback from #45. See also #43.

* Fixes for prompt tidy/lint

* Fixes for install-codeql-packs.sh

* Update copilot-setup-steps workflow "on:{push,pull_request}paths"

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Co-authored-by: Nathan Randall <data-douser@github.com>

Author: Copilot

.github/workflows/copilot-setup-steps.yml

@@ -11,13 +11,15 @@ on:
       - .github/workflows/copilot-setup-steps.yml
       - .github/actions/setup-codeql-environment/action.yml
       - qlt.conf.json
+      - scripts/install-codeql-packs.sh
   pull_request:
     branches:
       - main
     paths:
       - .github/workflows/copilot-setup-steps.yml
       - .github/actions/setup-codeql-environment/action.yml
       - qlt.conf.json
+      - scripts/install-codeql-packs.sh
 
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
@@ -31,3 +33,7 @@ jobs:
 
       - name: Copilot Setup - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment
+
+      - name: Copilot Setup - Install CodeQL workspace packs
+        shell: bash
+        run: ./scripts/install-codeql-packs.sh

README.md

@@ -34,7 +34,19 @@ Before using this repository template, ensure your GitHub organization/account h
 
 **Note:** The ['copilot-setup-steps' actions workflow](./.github/workflows/copilot-setup-steps.yml) will automatically set up the environment for Copilot Coding Agent (CCA), so local installation is optional and primarily useful for manual development.
 
-### Step 2: Create an Issue for the CodeQL query you want to develop
+### Step 2: Install CodeQL Pack Dependencies
+
+After cloning your new repository, install the CodeQL pack dependencies:
+
+```bash
+./scripts/install-codeql-packs.sh
+```
+
+This uses `codeql pack ls` to discover all packs in the workspace and runs `codeql pack install` for each one, generating `codeql-pack.lock.yml` files and downloading required dependencies locally. You can target a single language with `--language <lang>` (e.g., `--language java`).
+
+> **Note:** The generated `codeql-pack.lock.yml` files should be committed to your repository to ensure reproducible dependency resolution across your team.
+
+### Step 3: Create an Issue for the CodeQL query you want to develop
 
 1. **Navigate to Issues** in your new repository
 2. **Click "New Issue"**
@@ -46,13 +58,13 @@ Before using this repository template, ensure your GitHub organization/account h
    - Specify severity level
 5. **Submit the issue**
 
-### Step 3: Assign Issue to `@copilot`
+### Step 4: Assign Issue to `@copilot`
 
 1. **Assign the issue** to `@copilot` (GitHub's Copilot Coding Agent user)
 2. **Wait for Copilot** to process the issue and create a Pull Request
 3. **Monitor progress** via the `Sessions` and/or comments for the new Pull Request
 
-### Step 4: Review Pull Request created by Copilot Coding Agent
+### Step 5: Review Pull Request created by Copilot Coding Agent
 
 1. **Navigate to the generated Pull Request**
 2. **Review the changes:**

languages/actions/custom/src/codeql-pack.lock.yml

@@ -1,5 +1,5 @@
 name: languages-actions-custom-src
-version: 0.0.1
+version: 0.0.2
 library: false
 dependencies:
   codeql/actions-all: "*"

languages/actions/custom/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: languages-actions-custom-test
-version: 0.0.1
+version: 0.0.2
 dependencies:
-  languages-actions-custom-src: "*"
+  languages-actions-custom-src: ${workspace}
 extractor: actions

languages/actions/custom/test/codeql-pack.lock.yml

@@ -1,5 +1,5 @@
 name: languages-actions-tools-src
-version: 0.0.1
+version: 0.0.2
 library: false
 dependencies:
   codeql/actions-all: "*"

languages/actions/custom/test/qlpack.yml

@@ -1,9 +1,9 @@
 name: languages-actions-tools-test
-version: 0.0.1
+version: 0.0.2
 dependencies:
   # This test pack does not actually depend upon `codeql/actions-queries`,
   # but we declare the dependency to ensure that the queries from the
   # query pack are downloaded and available locally.
   codeql/actions-queries: "*"
-  languages-actions-tools-src: "*"
+  languages-actions-tools-src: ${workspace}
 extractor: actions