
Unpin CodeQL pack dependencies by removing committed lock files#45

Merged
data-douser merged 8 commits into main from copilot/update-packs-to-latest-versions
Apr 22, 2026

Conversation

Contributor

Copilot AI commented Apr 21, 2026

📝 Query Update

  • Query File: N/A — repository-wide pack configuration change
  • Language: all (actions, cpp, csharp, go, java, javascript, python, ruby)
  • Update Type: dependency unpinning

🎯 Changes

What Changed

  • Deleted all 32 committed codeql-pack.lock.yml files under languages/<lang>/{custom,tools}/{src,test}/.
  • Added codeql-pack.lock.yml to .gitignore so locally generated lock files are not re-committed.
  • No changes to qlpack.yml files — they already declare codeql/*-all (and *-queries) as "*".

Why This Change

Committed lock files pinned packs to old versions (e.g. codeql/java-all 7.7.0), blocking template consumers from using features tied to newer libraries — for example, the barrierModel extensible predicate, which requires codeql/java-all shipped with CodeQL 2.25.2+.

Impact

Consumers of this template generate their own codeql-pack.lock.yml on codeql pack install, resolving against whichever CodeQL CLI they have installed. The template no longer dictates a CodeQL version floor/ceiling.

🔍 Before vs. After

Previous Behavior

codeql-pack.lock.yml checked into the repo pinned every transitive dependency, e.g.:

dependencies:
  codeql/java-all:
    version: 7.7.0

New Behavior

Only qlpack.yml is tracked, with floating versions:

dependencies:
  codeql/java-all: "*"

Lock files are produced locally per consumer and ignored by git.

🧪 Testing

  • New/updated test cases added
  • All tests pass
  • Regression tests validated
  • No unintended side effects

📊 Impact Analysis

  • Compatibility: backward compatible for consumers on a recent CodeQL CLI; consumers on very old CLIs may resolve different (newer) library versions than before
  • Performance: neutral
  • Accuracy: unchanged at the query level; unblocks adoption of newer library features (e.g. sanitizer/validator MaD, barrierModel)

📋 Checklist

  • Query compiles without errors
  • Documentation updated
  • Tests updated with new expectations
  • Metadata updated if needed

🔗 References

Copilot AI linked an issue Apr 21, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Remove specific CodeQL versions and update packs" to "Unpin CodeQL pack dependencies by removing committed lock files" Apr 21, 2026
Copilot AI requested a review from data-douser April 21, 2026 21:27
Collaborator

@data-douser data-douser left a comment


Review: Additional changes needed before merge

This PR correctly removes committed codeql-pack.lock.yml files and .gitignores future ones — addressing the core issue of lock files pinning pack versions and causing unnecessary churn. However, two follow-up changes are needed to complete this work (per #43):

1. Add scripts/install-codeql-packs.sh

Without lock files, users need a clear way to install all workspace packs after cloning. A script similar to codeql-development-mcp-server's install-packs.sh should be added that:

  • Uses codeql pack ls --format=json to dynamically discover packs from the workspace
  • Iterates and runs codeql pack install for each pack directory
  • Includes retry logic for network resilience
  • Supports --language <lang> filtering

2. Update qlpack.yml workspace references from "*" to ${workspace}

All 16 test packs use "*" for their intra-workspace dependency on the corresponding src pack. Per the CodeQL docs, ${workspace} is the recommended placeholder — it makes the workspace-local nature explicit and resolves correctly during both development and publishing.

See file-level comments for details.

Comment thread: .gitignore (outdated)
Comment thread: languages/actions/custom/test/codeql-pack.lock.yml
- Add scripts/install-codeql-packs.sh using codeql pack ls
  for dynamic pack discovery with retry and --language filter
- Use ${workspace} for intra-workspace deps in test packs
- Bump all 32 workspace packs from 0.0.1 to 0.0.2
- Add pack install step to copilot-setup-steps workflow
- Add README Step 2 for post-clone pack installation
- Revert .gitignore: keep lock files in template-derived repos

Resolves review feedback from #45. See also #43.
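The review above asks for a scripts/install-codeql-packs.sh that discovers packs with codeql pack ls --format=json, runs codeql pack install for each, retries on network failure and accepts --language, and the commit message reports adding one. The script below is an added example written for this page; it is neither the script merged in this PR nor the codeql-development-mcp-server install-packs.sh, and it makes these assumptions: that codeql pack ls --format=json reports each pack directory under a "path" key (the extraction is deliberately shape-agnostic, and if nothing is found the script falls back to locating qlpack.yml files itself, skipping the .codeql/ cache directories that codeql pack install creates); the --root option and the CODEQL, RETRY_MAX and RETRY_DELAY environment overrides are this example's own, not flags of the CodeQL CLI.

```shell
#!/usr/bin/env bash
# Example scripts/install-codeql-packs.sh (illustrative, not the version merged in this PR).
# Discovers every CodeQL pack in the workspace and runs `codeql pack install` for each,
# retrying transient failures and optionally restricting to one language.
set -eu

CODEQL="${CODEQL:-codeql}"       # assumed override: path to the CodeQL CLI binary
RETRY_MAX="${RETRY_MAX:-3}"      # assumed override: attempts per pack
RETRY_DELAY="${RETRY_DELAY:-5}"  # assumed override: seconds between attempts

# retry <attempts> <command...>: rerun a network-bound command until it succeeds.
retry() {
  local attempts="$1" attempt_no=1; shift
  while :; do
    if "$@"; then return 0; fi
    if [ "$attempt_no" -ge "$attempts" ]; then
      echo "giving up after $attempt_no attempt(s): $*" >&2
      return 1
    fi
    echo "attempt $attempt_no failed, retrying in ${RETRY_DELAY}s: $*" >&2
    attempt_no=$((attempt_no + 1))
    sleep "$RETRY_DELAY"
  done
}

# paths_from_json: print every "path" string value found in JSON on stdin, one per line.
# Assumption: `codeql pack ls --format=json` reports each pack directory under a "path" key;
# the extraction ignores nesting so it does not depend on the exact document shape.
paths_from_json() {
  grep -o '"path"[[:space:]]*:[[:space:]]*"[^"]*"' \
    | sed -E 's/^"path"[[:space:]]*:[[:space:]]*"([^"]*)"$/\1/' || true
}

# discover_packs_fallback <root>: locate pack directories by their qlpack.yml, ignoring
# the .codeql/ dependency caches that `codeql pack install` writes next to each pack.
discover_packs_fallback() {
  find "$1" -name qlpack.yml ! -path '*/.codeql/*' ! -path '*/node_modules/*' \
    -exec dirname {} \; | sort
}

# discover_packs <root>: prefer the CLI's own view of the workspace, else fall back.
discover_packs() {
  local root="$1" found=""
  if command -v "$CODEQL" >/dev/null 2>&1; then
    found="$("$CODEQL" pack ls --format=json "$root" 2>/dev/null | paths_from_json || true)"
  fi
  if [ -n "$found" ]; then printf '%s\n' "$found"; else discover_packs_fallback "$root"; fi
}

# filter_by_language <lang>: keep only pack directories under languages/<lang>/ (empty = all).
filter_by_language() {
  if [ -z "$1" ]; then cat; else grep -E "(^|/)languages/$1(/|\$)" || true; fi
}

main() {
  local lang="" root="." failed=0 packs dir old_ifs
  while [ $# -gt 0 ]; do
    case "$1" in
      --language) lang="$2"; shift 2 ;;
      --root) root="$2"; shift 2 ;;
      *) echo "usage: $0 [--language <lang>] [--root <dir>]" >&2; return 2 ;;
    esac
  done
  packs="$(discover_packs "$root" | filter_by_language "$lang")"
  old_ifs="$IFS"; IFS='
'; set -f
  for dir in $packs; do
    echo "==> $dir"
    # `codeql pack install <dir>` resolves the pack's qlpack.yml dependencies and writes
    # codeql-pack.lock.yml beside it; a failed pack is counted, not fatal, so the rest proceed.
    retry "$RETRY_MAX" "$CODEQL" pack install "$dir" || failed=$((failed + 1))
  done
  IFS="$old_ifs"; set +f
  [ "$failed" -eq 0 ] || { echo "$failed pack(s) failed to install" >&2; return 1; }
}

# Run only when executed under the script's own file name, so the functions can also be
# sourced and exercised without a CodeQL CLI or network access.
case "${0##*/}" in
  install-codeql-packs.sh) main ${1+"$@"} ;;
esac
```

Typical calls after cloning are ./scripts/install-codeql-packs.sh for the whole workspace and ./scripts/install-codeql-packs.sh --language java to install only the packs under languages/java/. The language filter matches the path segment exactly, so java does not also select javascript; the retry wrapper is around the network call only, so a pack whose qlpack.yml is malformed fails fast on every attempt and is reported in the final count rather than silently skipped.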
@data-douser data-douser marked this pull request as ready for review April 22, 2026 16:36
@data-douser data-douser requested review from a team and enyil as code owners April 22, 2026 16:36
@data-douser data-douser requested a review from felickz April 22, 2026 16:37
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the template’s CodeQL pack dependency strategy by removing committed codeql-pack.lock.yml files (to avoid pinning transitive versions) and introducing automation to (re)generate/install pack dependencies locally/on-CI.

Changes:

  • Remove committed codeql-pack.lock.yml files across language workspaces to unpin transitive pack versions.
  • Add a helper script to discover workspace packs and run codeql pack install for each.
  • Update per-language qlpack.yml versions and adjust test-pack dependencies to reference workspace packs.
Summary per file:

| File | Description |
| --- | --- |
| scripts/install-codeql-packs.sh | New script to discover workspace packs and install pack dependencies with retry logic. |
| resources/cli/codeql/codeql_execute_query-server2.prompt.md | Fixes prompt formatting (removes stray fenced block markers; adds spacing). |
| README.md | Adds a setup step instructing users to install CodeQL pack dependencies via the new script. |
| .github/workflows/copilot-setup-steps.yml | Runs pack installation as part of the Copilot setup workflow. |
| languages/actions/tools/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/actions/tools/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/actions/tools/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/actions/tools/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/actions/custom/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/actions/custom/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/actions/custom/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/actions/custom/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/cpp/tools/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/cpp/tools/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/cpp/tools/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/cpp/tools/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/cpp/custom/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/cpp/custom/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/cpp/custom/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/cpp/custom/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/csharp/tools/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/csharp/tools/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/csharp/tools/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/csharp/tools/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/csharp/custom/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/csharp/custom/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/csharp/custom/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/csharp/custom/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/go/tools/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/go/tools/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/go/tools/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/go/tools/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/go/custom/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/go/custom/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/go/custom/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/go/custom/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/java/tools/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/java/tools/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/java/tools/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/java/tools/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/java/custom/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/java/custom/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/java/custom/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/java/custom/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/javascript/tools/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/javascript/tools/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/javascript/tools/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/javascript/tools/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/javascript/custom/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/javascript/custom/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/javascript/custom/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/javascript/custom/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/python/tools/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/python/tools/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/python/tools/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/python/tools/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/python/custom/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/python/custom/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/python/custom/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/python/custom/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/ruby/tools/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/ruby/tools/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/ruby/tools/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/ruby/tools/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/ruby/custom/test/qlpack.yml | Bumps pack version; switches local dependency reference style. |
| languages/ruby/custom/test/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |
| languages/ruby/custom/src/qlpack.yml | Bumps pack version to reflect dependency strategy change. |
| languages/ruby/custom/src/codeql-pack.lock.yml | Removes committed lockfile to avoid pinning dependencies. |

Copilot's findings

  • Files reviewed: 68/68 changed files
  • Comments generated: 3

Comment thread: README.md
Comment thread: scripts/install-codeql-packs.sh
Comment thread: scripts/install-codeql-packs.sh
Contributor

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 67/67 changed files
  • Comments generated: 1

Comment thread: .github/workflows/copilot-setup-steps.yml
@data-douser data-douser enabled auto-merge April 22, 2026 21:26
@data-douser data-douser added this pull request to the merge queue Apr 22, 2026
Merged via the queue into main with commit df23b56 Apr 22, 2026
11 checks passed
@data-douser data-douser deleted the copilot/update-packs-to-latest-versions branch April 22, 2026 21:26
Contributor

@felickz felickz left a comment


👍


Development: successfully merging this pull request may close the linked issue "Update Packs".

4 participants