From 2f45ab0a650ed95575c2e843bd387acf4475b6a3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 15 Jan 2026 18:02:53 +0000 Subject: [PATCH 1/5] Initial plan From 6164206a075825cb48711de06abbe4842fbfcebe Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 15 Jan 2026 18:08:56 +0000 Subject: [PATCH 2/5] Initial plan: Add CodeQL MCP server as shared agentic workflow Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/mcp-inspector.lock.yml | 6 ++++-- .github/workflows/mergefest.lock.yml | 6 ++++-- .github/workflows/metrics-collector.lock.yml | 3 ++- .github/workflows/notion-issue-summary.lock.yml | 6 ++++-- .github/workflows/org-health-report.lock.yml | 6 ++++-- .github/workflows/pdf-summary.lock.yml | 6 ++++-- .github/workflows/plan.lock.yml | 6 ++++-- .github/workflows/playground-assign-to-agent.lock.yml | 6 ++++-- .../workflows/playground-org-project-update-issue.lock.yml | 6 ++++-- .github/workflows/playground-snapshots-refresh.lock.yml | 6 ++++-- .github/workflows/poem-bot.lock.yml | 6 ++++-- .github/workflows/portfolio-analyst.lock.yml | 6 ++++-- .github/workflows/pr-nitpick-reviewer.lock.yml | 6 ++++-- .github/workflows/python-data-charts.lock.yml | 6 ++++-- .github/workflows/q.lock.yml | 6 ++++-- .github/workflows/release.lock.yml | 6 ++++-- .github/workflows/repo-tree-map.lock.yml | 6 ++++-- .github/workflows/repository-quality-improver.lock.yml | 6 ++++-- .github/workflows/research.lock.yml | 6 ++++-- .github/workflows/security-compliance.lock.yml | 6 ++++-- .github/workflows/security-fix-pr.lock.yml | 6 ++++-- .github/workflows/slide-deck-maintainer.lock.yml | 6 ++++-- .github/workflows/smoke-copilot.lock.yml | 6 ++++-- .github/workflows/stale-repo-identifier.lock.yml | 6 ++++-- .github/workflows/sub-issue-closer.lock.yml | 6 ++++-- .github/workflows/super-linter.lock.yml | 6 ++++-- .github/workflows/technical-doc-writer.lock.yml | 6 ++++-- .github/workflows/terminal-stylist.lock.yml | 6 ++++-- .github/workflows/tidy.lock.yml | 6 ++++-- .github/workflows/ubuntu-image-analyzer.lock.yml | 6 ++++-- .github/workflows/video-analyzer.lock.yml | 6 ++++-- 
.github/workflows/weekly-issue-summary.lock.yml | 6 ++++-- .github/workflows/workflow-generator.lock.yml | 6 ++++-- .github/workflows/workflow-health-manager.lock.yml | 6 ++++-- 34 files changed, 134 insertions(+), 67 deletions(-) diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index ebcb974418..3a3dc4f84f 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -203,7 +203,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1604,7 +1605,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 9186678d90..ebe2ef14a0 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -167,7 +167,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
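Review bot: The new `sudo VERSION=0.0.382 bash /tmp/copilot-install.sh` line still runs an installer fetched from the unpinned `main` ref of github/copilot-cli as root with no integrity check, so VERSION pins the CLI the script installs but not the script itself, and any change to that ref executes with root privileges on every workflow run. Pin the installer in the `curl` URL of the same hunk to a commit SHA and verify it before handing it to sudo, e.g. `echo "<EXPECTED_SHA256>  /tmp/copilot-install.sh" | sha256sum -c -` ahead of the sudo line (placeholder; take the digest from the pinned script). The same pattern recurs in every hunk of this patch (all 34 lock files); these look like generated lock files, so the fix presumably belongs in the source they are compiled from rather than here. Note also that `sudo VAR=value cmd` depends on the sudoers policy permitting environment assignment, which holds on GitHub-hosted runners but not necessarily on self-hosted ones; `sudo env VERSION=0.0.382 bash /tmp/copilot-install.sh` removes that dependency.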
@@ -1315,7 +1316,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 10f8408aef..1774e56cc1 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -145,7 +145,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index e4ce0b2bc1..5fd3615b26 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -148,7 +148,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
@@ -922,7 +923,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 8e9f5cfd33..57960748a4 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -188,7 +188,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1837,7 +1838,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index e9fc8d19a3..ffcdb3f310 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml 
@@ -215,7 +215,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1214,7 +1215,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 8aa9b3cf33..72574bb1cc 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -180,7 +180,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1255,7 +1256,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
diff --git a/.github/workflows/playground-assign-to-agent.lock.yml b/.github/workflows/playground-assign-to-agent.lock.yml index 5f1fd43b14..2061c3f1d9 100644 --- a/.github/workflows/playground-assign-to-agent.lock.yml +++ b/.github/workflows/playground-assign-to-agent.lock.yml @@ -142,7 +142,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -964,7 +965,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/playground-org-project-update-issue.lock.yml b/.github/workflows/playground-org-project-update-issue.lock.yml index be6dd9e30a..188b7cb1bb 100644 --- a/.github/workflows/playground-org-project-update-issue.lock.yml +++ b/.github/workflows/playground-org-project-update-issue.lock.yml @@ -139,7 +139,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
@@ -1017,7 +1018,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/playground-snapshots-refresh.lock.yml b/.github/workflows/playground-snapshots-refresh.lock.yml index 5eee6790e5..0b424d0d08 100644 --- a/.github/workflows/playground-snapshots-refresh.lock.yml +++ b/.github/workflows/playground-snapshots-refresh.lock.yml @@ -157,7 +157,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -976,7 +977,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index ee8ac20fdf..b3795507d1 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml 
@@ -194,7 +194,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1630,7 +1631,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 0d4353d498..01563e4ec4 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -209,7 +209,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1800,7 +1801,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index dff055e8ee..69805d2e7b 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -208,7 +208,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1539,7 +1540,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 32f2c18ffb..a964229cae 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -181,7 +181,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
@@ -2082,7 +2083,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 14435c61ad..a68068ad60 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -239,7 +239,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1557,7 +1558,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 0690e652c4..cac24075c5 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
@@ -153,7 +153,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1091,7 +1092,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 3af2442aa7..e7edb7db4b 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -146,7 +146,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1058,7 +1059,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 57578c3ff0..5b0cf9dcc8 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -160,7 +160,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1565,7 +1566,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index b92ebc2c44..69cb0d8b18 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -149,7 +149,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
@@ -1016,7 +1017,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 44455e9306..7cf780d09f 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -156,7 +156,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1284,7 +1285,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 840d0624f9..00565eda2b 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml 
@@ -161,7 +161,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1125,7 +1126,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index a1aad0dbe6..90e8a52a40 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -171,7 +171,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1293,7 +1294,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index c48ceccfd1..2ebc9bd029 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -179,7 +179,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1156,7 +1157,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index a394fe949c..0f3dff9149 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -229,7 +229,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
@@ -1804,7 +1805,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index f48f56d16e..d2ee583d2e 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -140,7 +140,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1102,7 +1103,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index ff686fe3b1..2c65834ae4 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml 
@@ -166,7 +166,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1162,7 +1163,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 75930a3636..7b658aae03 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -178,7 +178,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1704,7 +1705,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 09f665d5d4..1814c7987c 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -138,7 +138,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1072,7 +1073,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index b6185db57a..cc2bbaa848 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -190,7 +190,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
@@ -1145,7 +1146,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 1a43b99e75..bcf39d1314 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -147,7 +147,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1437,7 +1438,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 1b938217d8..1d449a4027 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml 
@@ -156,7 +156,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1271,7 +1272,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index ef51b99c76..5dd19f98ca 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -161,7 +161,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1611,7 +1612,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 30ab020022..974a13dce9 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -172,7 +172,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh @@ -1122,7 +1123,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index f3c7b7f66b..08775732c3 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -155,7 +155,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh 
@@ -1519,7 +1520,8 @@ jobs: curl -fsSL https://raw.githubusercontent.com/github/copilot-cli/main/install.sh -o /tmp/copilot-install.sh # Execute the installer with the specified version - export VERSION=0.0.382 && sudo bash /tmp/copilot-install.sh + # Pass VERSION directly to sudo to ensure it's available to the installer script + sudo VERSION=0.0.382 bash /tmp/copilot-install.sh # Cleanup rm -f /tmp/copilot-install.sh From 2706f91b8428dc07805357aa81d60b5f5b1c9d14 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 15 Jan 2026 18:11:49 +0000 Subject: [PATCH 3/5] Add CodeQL MCP server as shared agentic workflow Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/shared/mcp/codeql.md | 213 +++++++++++++++++++++++++ 1 file changed, 213 insertions(+) create mode 100644 .github/workflows/shared/mcp/codeql.md diff --git a/.github/workflows/shared/mcp/codeql.md b/.github/workflows/shared/mcp/codeql.md new file mode 100644 index 0000000000..7ae435c97d --- /dev/null +++ b/.github/workflows/shared/mcp/codeql.md 
@@ -0,0 +1,213 @@ +--- +# CodeQL MCP Server +# MCP server that wraps the CodeQL query server for semantic code analysis +# +# Documentation: https://github.com/JordyZomer/codeql-mcp +# +# Prerequisites: +# - CodeQL CLI must be installed +# - CodeQL database must be created for the target repository +# +# Available tools: +# - register_database: Register a CodeQL database given a path +# - evaluate_query: Run a CodeQL query on a given database +# - quick_evaluate: Quick-evaluate a class or predicate in a CodeQL query +# - decode_bqrs: Decode CodeQL results to CSV or JSON format +# - find_class_position: Find position of a class for quick evaluation +# - find_predicate_position: Find position of a predicate for quick evaluation +# +# Setup Requirements: +# 1. CodeQL CLI installed in the workflow environment +# 2. CodeQL database created for the repository +# 3. Python dependencies: fastmcp, httpx +# +# Usage: +# imports: +# - shared/mcp/codeql.md + +mcp-servers: + codeql: + type: http + url: http://localhost:8000 + allowed: ["*"] + +steps: + - name: Install CodeQL CLI + run: | + set -e + echo "Installing CodeQL CLI..." + + # Download and install CodeQL CLI + CODEQL_VERSION="v2.19.3" + CODEQL_URL="https://github.com/github/codeql-cli-binaries/releases/download/${CODEQL_VERSION}/codeql-linux64.zip" + + # Download CodeQL + curl -L -o /tmp/codeql.zip "${CODEQL_URL}" + + # Extract to a known location + sudo unzip -q /tmp/codeql.zip -d /usr/local/ + + # Add to PATH + echo "/usr/local/codeql" >> $GITHUB_PATH + + # Verify installation + /usr/local/codeql/codeql --version + + echo "CodeQL CLI installed successfully" + + - name: Install Python dependencies for CodeQL MCP server + run: | + set -e + echo "Installing Python dependencies for CodeQL MCP server..." 
+ + # Install required Python packages + pip install fastmcp httpx + + echo "Python dependencies installed successfully" + + - name: Clone CodeQL MCP server + run: | + set -e + echo "Cloning CodeQL MCP server repository..." + + # Clone the MCP server repository + git clone https://github.com/JordyZomer/codeql-mcp.git /tmp/codeql-mcp + + echo "CodeQL MCP server cloned successfully" + + - name: Start CodeQL MCP server + run: | + set -e + + # Start the CodeQL MCP server in the background + cd /tmp/codeql-mcp + python3 server.py & + MCP_PID=$! + + # Robust health check with TCP connection test + echo "Waiting for CodeQL MCP server to start (PID: $MCP_PID)..." + for i in {1..30}; do + # Check if process is still running + if ! kill -0 $MCP_PID 2>/dev/null; then + echo "Error: CodeQL MCP server process died unexpectedly" + exit 1 + fi + + # Try to connect to the server port + if timeout 1 bash -c "echo > /dev/tcp/localhost/8000" 2>/dev/null; then + echo "CodeQL MCP server is accepting connections on port 8000" + echo "CodeQL MCP server started successfully with PID $MCP_PID" + exit 0 + fi + + echo "Waiting for server to accept connections... (attempt $i/30)" + sleep 2 + done + + echo "Error: CodeQL MCP server failed to accept connections after 60 seconds" + exit 1 +--- + +## CodeQL MCP Server + +CodeQL is a semantic code analysis engine that helps identify vulnerabilities and code quality issues. This MCP server wraps the CodeQL query server to enable AI agents to interact with CodeQL through structured commands. + +### Available Tools + +The CodeQL MCP server provides the following tools for semantic code analysis: + +1. **register_database** - Register a CodeQL database given a path + - Parameters: `db_path` (string) + - Returns: Confirmation message + - Example: Register a database at `/path/to/database` + +2. 
**evaluate_query** - Run a full CodeQL query on a database + - Parameters: `query_path` (string), `db_path` (string), `output_path` (string, default: `/tmp/eval.bqrs`) + - Returns: Path to the results file + - Example: Run a security query to find SQL injection vulnerabilities + +3. **quick_evaluate** - Quick-evaluate a specific class or predicate in a CodeQL query + - Parameters: `file` (string), `db` (string), `symbol` (string), `output_path` (string, default: `/tmp/quickeval.bqrs`) + - Returns: Path to the results file + - Example: Evaluate a specific predicate without running the full query + +4. **decode_bqrs** - Decode CodeQL binary results to human-readable format + - Parameters: `bqrs_path` (string), `fmt` (string: "csv" or "json") + - Returns: Decoded results + - Example: Convert query results to JSON for further processing + +5. **find_class_position** - Find the position of a class in a CodeQL file + - Parameters: `file` (string), `name` (string) + - Returns: Object with `start_line`, `start_col`, `end_line`, `end_col` + - Example: Locate a class definition for quick evaluation + +6. **find_predicate_position** - Find the position of a predicate in a CodeQL file + - Parameters: `file` (string), `name` (string) + - Returns: Object with `start_line`, `start_col`, `end_line`, `end_col` + - Example: Locate a predicate definition for quick evaluation + +### Basic Usage + +The MCP server exposes CodeQL functionality through its MCP tools interface. When using CodeQL in your workflow, you can: + +1. **Register databases**: Point CodeQL to the database for your repository +2. **Run queries**: Execute full queries or quick-evaluate specific symbols +3. **Analyze results**: Decode and process query results in CSV or JSON format +4. 
**Navigate code**: Find positions of classes and predicates in CodeQL files + +### Workflow Example + +```markdown +--- +on: workflow_dispatch +permissions: + security-events: write + contents: read +engine: copilot +imports: + - shared/mcp/codeql.md +--- + +# CodeQL Security Analysis + +Analyze the repository for security vulnerabilities using CodeQL. + +1. Create a CodeQL database for the repository +2. Register the database with the MCP server +3. Run security queries to identify vulnerabilities +4. Decode and analyze the results +5. Generate a security report +``` + +### Creating a CodeQL Database + +Before using the CodeQL MCP server, you need to create a database for your repository: + +```yaml +steps: + - name: Create CodeQL database + run: | + # Create database for the repository + codeql database create /tmp/codeql-db \ + --language= \ + --source-root=${{ github.workspace }} + + # The database is now available at /tmp/codeql-db +``` + +Replace `` with your repository's primary language (e.g., `javascript`, `python`, `java`, `go`, `cpp`, `csharp`, `ruby`). + +### Security Considerations + +- **Database Creation**: CodeQL databases can be large; consider caching them for repeated use +- **Query Selection**: Use official CodeQL security queries from the CodeQL query repository +- **Results Handling**: CodeQL results may contain sensitive information; handle with care +- **Network Access**: The MCP server runs locally (localhost:8000) with no external network access + +### More Information + +- **CodeQL Documentation**: https://codeql.github.com/docs/ +- **CodeQL CLI**: https://github.com/github/codeql-cli-binaries +- **CodeQL MCP Server**: https://github.com/JordyZomer/codeql-mcp +- **Query Writing Guide**: https://codeql.github.com/docs/writing-codeql-queries/ +- **Security Queries**: https://github.com/github/codeql From a8386beb1943769959780d8579d66e33bf1d0a27 Mon Sep 17 00:00:00 2001 
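Review bot: The `Clone CodeQL MCP server` step checks out JordyZomer/codeql-mcp at whatever its default branch currently points to, and the following step runs `python3 server.py` from that checkout, so every run executes third-party code nobody in this repository has reviewed; pin it, e.g. `git clone https://github.com/JordyZomer/codeql-mcp.git /tmp/codeql-mcp && git -C /tmp/codeql-mcp checkout <PINNED_COMMIT_SHA>`, pin `pip install fastmcp httpx` to exact versions, and compare `/tmp/codeql.zip` against a checksum recorded in this file before `sudo unzip` extracts it into /usr/local. `allowed: ["*"]` on the `codeql` server grants the agent every tool the server exposes now or in any future revision, while this same file documents exactly six tools — listing those six names keeps the grant reviewable (the generated dev.lock.yml hunk at `@@ -501,9 +644,11 @@` mirrors the wildcard as `--allow-tool 'codeql(*)'`). In the "Creating a CodeQL Database" example the language placeholder has been lost: the snippet reads `--language= \` and the sentence "Replace `` with your repository's primary language" has an empty code span, so restoring `--language=<language>` in both places is needed to make the example usable. The "Security Considerations" bullet stating the server has "no external network access" is not something these steps enforce — the server is merely bound to localhost:8000 — so I would reword it to say only what the setup actually guarantees.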
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 15 Jan 2026 18:30:34 +0000 Subject: [PATCH 4/5] Move CodeQL MCP documentation to XML comment body - Removed comment header from YAML frontmatter - Moved all documentation to XML comment after frontmatter closing - Follows pattern from jupyter.md - Merged main branch Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/shared/mcp/codeql.md | 57 ++++++++++++++------------ 1 file changed, 31 insertions(+), 26 deletions(-) diff --git a/.github/workflows/shared/mcp/codeql.md b/.github/workflows/shared/mcp/codeql.md index 7ae435c97d..9c515bbdb2 100644 --- a/.github/workflows/shared/mcp/codeql.md +++ b/.github/workflows/shared/mcp/codeql.md @@ -1,30 +1,4 @@ --- -# CodeQL MCP Server -# MCP server that wraps the CodeQL query server for semantic code analysis -# -# Documentation: https://github.com/JordyZomer/codeql-mcp -# -# Prerequisites: -# - CodeQL CLI must be installed -# - CodeQL database must be created for the target repository -# -# Available tools: -# - register_database: Register a CodeQL database given a path -# - evaluate_query: Run a CodeQL query on a given database -# - quick_evaluate: Quick-evaluate a class or predicate in a CodeQL query -# - decode_bqrs: Decode CodeQL results to CSV or JSON format -# - find_class_position: Find position of a class for quick evaluation -# - find_predicate_position: Find position of a predicate for quick evaluation -# -# Setup Requirements: -# 1. CodeQL CLI installed in the workflow environment -# 2. CodeQL database created for the repository -# 3. Python dependencies: fastmcp, httpx -# -# Usage: -# imports: -# - shared/mcp/codeql.md - mcp-servers: codeql: type: http @@ -108,6 +82,13 @@ steps: exit 1 --- + From 8ab7bf28b2e96adb0b3168083ddbf53a38d0af5b Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 15 Jan 2026 18:38:26 +0000 Subject: [PATCH 5/5] Add CodeQL database caching and update dev workflow for security analysis - Added GitHub Actions cache for CodeQL database with key based on repo and SHA - Added automatic database creation with language detection (Go, JavaScript, Python, Java, Ruby, C#) - Database only created if not found in cache (conditional step) - Updated dev.md workflow to use CodeQL for Go security analysis instead of poem generation - Added imports for shared/mcp/codeql.md in dev workflow - Added security-events permission and create-issue safe output - Updated documentation to reflect automatic database creation and caching Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/dev.lock.yml | 173 +++++++++++++++++++++++-- .github/workflows/dev.md | 49 +++++-- .github/workflows/shared/mcp/codeql.md | 55 +++++++- 3 files changed, 253 insertions(+), 24 deletions(-) diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 8e72366766..248f97ce34 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -19,7 +19,11 @@ # gh aw compile # For more information: https://github.com/githubnext/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # -# Read an issue and post a poem about it +# Find security issues in Go source code using CodeQL +# +# Resolved workflow manifest: +# Imports: +# - shared/mcp/codeql.md name: "Dev" "on": @@ -33,6 +37,7 @@ name: "Dev" permissions: contents: read issues: read + security-events: read concurrency: group: "gh-aw-${{ github.workflow }}" @@ -75,6 +80,7 @@ jobs: permissions: contents: read issues: read + security-events: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: 
@@ -108,6 +114,26 @@ jobs: persist-credentials: false - name: Create gh-aw temp directory run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh + - name: Install CodeQL CLI + run: "set -e\necho \"Installing CodeQL CLI...\"\n\n# Download and install CodeQL CLI\nCODEQL_VERSION=\"v2.19.3\"\nCODEQL_URL=\"https://github.com/github/codeql-cli-binaries/releases/download/${CODEQL_VERSION}/codeql-linux64.zip\"\n\n# Download CodeQL\ncurl -L -o /tmp/codeql.zip \"${CODEQL_URL}\"\n\n# Extract to a known location\nsudo unzip -q /tmp/codeql.zip -d /usr/local/\n\n# Add to PATH\necho \"/usr/local/codeql\" >> $GITHUB_PATH\n\n# Verify installation\n/usr/local/codeql/codeql --version\n\necho \"CodeQL CLI installed successfully\"\n" + - id: cache-codeql-db + name: Restore CodeQL database from cache + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + key: codeql-db-${{ github.repository }}-${{ github.sha }} + path: /tmp/codeql-db + restore-keys: | + codeql-db-${{ github.repository }}- + - if: steps.cache-codeql-db.outputs.cache-hit != 'true' + name: Create CodeQL database + run: "set -e\necho \"Creating CodeQL database...\"\n\n# Detect primary language from repository\n# Default to 'go' if detection fails\nLANGUAGE=\"go\"\n\n# Try to detect language from common files\nif [ -f \"go.mod\" ]; then\n LANGUAGE=\"go\"\nelif [ -f \"package.json\" ]; then\n LANGUAGE=\"javascript\"\nelif [ -f \"requirements.txt\" ] || [ -f \"setup.py\" ]; then\n LANGUAGE=\"python\"\nelif [ -f \"pom.xml\" ] || [ -f \"build.gradle\" ]; then\n LANGUAGE=\"java\"\nelif [ -f \"Gemfile\" ]; then\n LANGUAGE=\"ruby\"\nelif [ -f \"*.csproj\" ]; then\n LANGUAGE=\"csharp\"\nfi\n\necho \"Detected language: $LANGUAGE\"\n\n# Create database for the repository\ncodeql database create /tmp/codeql-db \\\n --language=$LANGUAGE \\\n --source-root=${{ github.workspace }} \\\n --overwrite\n\necho \"CodeQL database created successfully at /tmp/codeql-db\"\n" + - name: Install Python dependencies for CodeQL 
MCP server + run: "set -e\necho \"Installing Python dependencies for CodeQL MCP server...\"\n\n# Install required Python packages\npip install fastmcp httpx\n\necho \"Python dependencies installed successfully\"\n" + - name: Clone CodeQL MCP server + run: "set -e\necho \"Cloning CodeQL MCP server repository...\"\n\n# Clone the MCP server repository\ngit clone https://github.com/JordyZomer/codeql-mcp.git /tmp/codeql-mcp\n\necho \"CodeQL MCP server cloned successfully\"\n" + - name: Start CodeQL MCP server + run: "set -e\n\n# Start the CodeQL MCP server in the background\ncd /tmp/codeql-mcp\npython3 server.py &\nMCP_PID=$!\n\n# Robust health check with TCP connection test\necho \"Waiting for CodeQL MCP server to start (PID: $MCP_PID)...\"\nfor i in {1..30}; do\n # Check if process is still running\n if ! kill -0 $MCP_PID 2>/dev/null; then\n echo \"Error: CodeQL MCP server process died unexpectedly\"\n exit 1\n fi\n \n # Try to connect to the server port\n if timeout 1 bash -c \"echo > /dev/tcp/localhost/8000\" 2>/dev/null; then\n echo \"CodeQL MCP server is accepting connections on port 8000\"\n echo \"CodeQL MCP server started successfully with PID $MCP_PID\"\n exit 0\n fi\n \n echo \"Waiting for server to accept connections... (attempt $i/30)\"\n sleep 2\ndone\n\necho \"Error: CodeQL MCP server failed to accept connections after 60 seconds\"\nexit 1" + - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }} 
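Review bot: In the `Create CodeQL database` step, `elif [ -f "*.csproj" ]` can never match a real project: globs are not expanded inside double quotes, so `[ -f` tests for a file literally named `*.csproj` and the `csharp` branch is dead code; `elif compgen -G "*.csproj" > /dev/null; then` does what the comment intends. Because this file is produced by `gh aw compile`, the fix belongs in the source step in `.github/workflows/shared/mcp/codeql.md` (its `@@ -29,6 +29,50 @@` hunk later in this series carries the identical line), not here. The chain also stops at the first matching marker file, so a repository with both `go.mod` and `package.json` is only ever analyzed as Go; a comment in the source step such as `# Only the first matching language is analyzed; multi-language repositories need one database per language` would make that limit explicit. `restore-keys: codeql-db-${{ github.repository }}-` can restore a database built for a different commit, and since actions/cache reports `cache-hit` as `true` only for an exact primary-key match the conditional step correctly rebuilds with `--overwrite` in that case — worth a one-line comment so the next reader does not have to re-derive why a stale restore is harmless.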
@@ -168,10 +194,50 @@ jobs: mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs cat > /opt/gh-aw/safeoutputs/config.json << 'EOF' - {"add_comment":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} + {"add_comment":{"max":1},"create_issue":{"max":1},"missing_data":{},"missing_tool":{},"noop":{"max":1}} EOF cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ + { + "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[security] \". Labels [security codeql] will be automatically added.", + "inputSchema": { + "additionalProperties": false, + "properties": { + "body": { + "description": "Detailed issue description in Markdown. Do NOT repeat the title as a heading since it already appears as the issue's h1. Include context, reproduction steps, or acceptance criteria as appropriate.", + "type": "string" + }, + "labels": { + "description": "Labels to categorize the issue (e.g., 'bug', 'enhancement'). Labels must exist in the repository.", + "items": { + "type": "string" + }, + "type": "array" + }, + "parent": { + "description": "Parent issue number for creating sub-issues. This is the numeric ID from the GitHub URL (e.g., 42 in github.com/owner/repo/issues/42). Can also be a temporary_id (e.g., 'aw_abc123def456') from a previously created issue in the same workflow run.", + "type": [ + "number", + "string" + ] + }, + "temporary_id": { + "description": "Unique temporary identifier for referencing this issue before it's created. Format: 'aw_' followed by 12 hex characters (e.g., 'aw_abc123def456'). 
Use '#aw_ID' in body text to reference other issues by their temporary_id; these are replaced with actual issue numbers after creation.", + "type": "string" + }, + "title": { + "description": "Concise issue title summarizing the bug, feature, or task. The title appears as the main heading, so keep it brief and descriptive.", + "type": "string" + } + }, + "required": [ + "title", + "body" + ], + "type": "object" + }, + "name": "create_issue" + }, { "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. CONSTRAINTS: Maximum 1 comment(s) can be added.", "inputSchema": { @@ -283,6 +349,39 @@ jobs: } } }, + "create_issue": { + "defaultMax": 1, + "fields": { + "body": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 65000 + }, + "labels": { + "type": "array", + "itemType": "string", + "itemSanitize": true, + "itemMaxLength": 128 + }, + "parent": { + "issueOrPRNumber": true + }, + "repo": { + "type": "string", + "maxLength": 256 + }, + "temporary_id": { + "type": "string" + }, + "title": { + "required": true, + "type": "string", + "sanitize": true, + "maxLength": 128 + } + } + }, "missing_tool": { "defaultMax": 20, "fields": { 
@@ -373,21 +472,64 @@ jobs: env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_SAFE_OUTPUTS: ${{ env.GH_AW_SAFE_OUTPUTS }} + GH_AW_GITHUB_EVENT_INPUTS_ISSUE_NUMBER: ${{ github.event.inputs.issue_number }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh cat << 'PROMPT_EOF' > "$GH_AW_PROMPT" - # Read Issue and Post Poem - Read a single issue and post a poem about it as a comment in staged mode. + + # CodeQL Security Analysis for Go Code + + Analyze the Go source code in this repository to find security vulnerabilities using CodeQL. **Requirements:** - 1. Read the issue specified by the `issue_number` input - 2. Understand the issue's title, body, and context - 3. Write a creative poem inspired by the issue content - 4. Post the poem as a comment on the issue using `create_issue_comment` in staged mode - 5. The poem should be relevant, creative, and engaging + 1. Use the CodeQL MCP server to analyze the Go codebase + 2. Register the CodeQL database at `/tmp/codeql-db` with the MCP server using `register_database` + 3. Run security-focused CodeQL queries to identify potential vulnerabilities in the Go code + 4. Focus on common security issues like: + - SQL injection vulnerabilities + - Command injection risks + - Path traversal vulnerabilities + - Insecure cryptographic practices + - Uncontrolled resource consumption + - Unsafe reflection usage + 5. Decode the query results using `decode_bqrs` to get human-readable output + 6. Analyze the findings and create a summary report + 7. If security issues are found, create a new issue with: + - Clear description of each vulnerability + - Location (file and line numbers) + - Severity assessment + - Recommended fixes + 8. Post a comment on issue #__GH_AW_GITHUB_EVENT_INPUTS_ISSUE_NUMBER__ with a summary of the analysis + 9. Use staged mode to preview all outputs before creating them + + **CodeQL Database Location**: `/tmp/codeql-db` + + **Expected Workflow**: + 1. 
Register the database: `register_database("/tmp/codeql-db")` + 2. Run security queries or evaluate specific security patterns + 3. Decode results to JSON format for analysis + 4. Generate actionable security report + 5. Create issue if vulnerabilities found + 6. Comment on the triggering issue with summary PROMPT_EOF + - name: Substitute placeholders + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_GITHUB_EVENT_INPUTS_ISSUE_NUMBER: ${{ github.event.inputs.issue_number }} + with: + script: | + const substitutePlaceholders = require('/opt/gh-aw/actions/substitute_placeholders.cjs'); + + // Call the substitution function + return await substitutePlaceholders({ + file: process.env.GH_AW_PROMPT, + substitutions: { + GH_AW_GITHUB_EVENT_INPUTS_ISSUE_NUMBER: process.env.GH_AW_GITHUB_EVENT_INPUTS_ISSUE_NUMBER + } + }); - name: Append temporary folder instructions to prompt env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt @@ -406,7 +548,7 @@ jobs: To create or modify GitHub resources (issues, discussions, pull requests, etc.), you MUST call the appropriate safe output tool. Simply writing content will NOT work - the workflow requires actual tool calls. - **Available tools**: add_comment, missing_tool, noop + **Available tools**: add_comment, create_issue, missing_tool, noop **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. @@ -488,6 +630,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt + GH_AW_GITHUB_EVENT_INPUTS_ISSUE_NUMBER: ${{ github.event.inputs.issue_number }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); 
@@ -501,9 +644,11 @@ jobs: - name: Execute GitHub Copilot CLI id: agentic_execution # Copilot CLI tool arguments (sorted): + # --allow-tool codeql + # --allow-tool codeql(*) # --allow-tool github # --allow-tool safeoutputs - timeout-minutes: 5 + timeout-minutes: 15 run: | set -o pipefail COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)" @@ -511,7 +656,7 @@ jobs: mkdir -p /tmp/gh-aw/ mkdir -p /tmp/gh-aw/agent/ mkdir -p /tmp/gh-aw/sandbox/agent/logs/ - copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$COPILOT_CLI_INSTRUCTION"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} 2>&1 | tee /tmp/gh-aw/agent-stdio.log + copilot --add-dir /tmp/ --add-dir /tmp/gh-aw/ --add-dir /tmp/gh-aw/agent/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-tool codeql --allow-tool 'codeql(*)' --allow-tool github --allow-tool safeoutputs --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$COPILOT_CLI_INSTRUCTION"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"} 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }} @@ -770,7 +915,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: WORKFLOW_NAME: "Dev" - WORKFLOW_DESCRIPTION: "Read an issue and post a poem about it" + WORKFLOW_DESCRIPTION: "Find security issues in Go source code using CodeQL" HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | 
@@ -935,7 +1080,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"create_issue\":{\"labels\":[\"security\",\"codeql\"],\"max\":1,\"title_prefix\":\"[security] \"},\"missing_data\":{},\"missing_tool\":{}}" GH_AW_SAFE_OUTPUTS_STAGED: "true" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dev.md b/.github/workflows/dev.md index 1b04203252..b9bc5ed32f 100644 --- a/.github/workflows/dev.md +++ b/.github/workflows/dev.md @@ -7,8 +7,8 @@ on: required: true type: string name: Dev -description: Read an issue and post a poem about it -timeout-minutes: 5 +description: Find security issues in Go source code using CodeQL +timeout-minutes: 15 strict: false sandbox: false engine: copilot @@ -16,6 +16,7 @@ engine: copilot permissions: contents: read issues: read + security-events: read network: allowed: 
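Review bot: `security-events: read` is added to `permissions` in dev.md, yet nothing in this series uses it — CodeQL runs locally through the CLI and the MCP server, and the only GitHub toolset enabled is `toolsets: [issues]`, so the agent has no path to code-scanning alerts. Unless a later change is expected to read alerts, drop the line to keep the token at least privilege; the generated dev.lock.yml hunks at `@@ -33,6 +37,7 @@` and `@@ -75,6 +80,7 @@` would then regenerate without it. The example frontmatter in codeql.md asks for `security-events: write` instead, so the two documents currently disagree on a permission neither of them needs as far as the visible steps show.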
@@ -25,19 +26,49 @@ tools:
 github:
 toolsets: [issues]
+imports:
+ - shared/mcp/codeql.md
+
 safe-outputs:
 staged: true
 add-comment:
 max: 1
+ create-issue:
+ title-prefix: "[security] "
+ labels: [security, codeql]
 ---
-# Read Issue and Post Poem
+# CodeQL Security Analysis for Go Code
-Read a single issue and post a poem about it as a comment in staged mode.
+Analyze the Go source code in this repository to find security vulnerabilities using CodeQL.
 **Requirements:**
-1. Read the issue specified by the `issue_number` input
-2. Understand the issue's title, body, and context
-3. Write a creative poem inspired by the issue content
-4. Post the poem as a comment on the issue using `create_issue_comment` in staged mode
-5. The poem should be relevant, creative, and engaging
+1. Use the CodeQL MCP server to analyze the Go codebase
+2. Register the CodeQL database at `/tmp/codeql-db` with the MCP server using `register_database`
+3. Run security-focused CodeQL queries to identify potential vulnerabilities in the Go code
+4. Focus on common security issues like:
+ - SQL injection vulnerabilities
+ - Command injection risks
+ - Path traversal vulnerabilities
+ - Insecure cryptographic practices
+ - Uncontrolled resource consumption
+ - Unsafe reflection usage
+5. Decode the query results using `decode_bqrs` to get human-readable output
+6. Analyze the findings and create a summary report
+7. If security issues are found, create a new issue with:
+ - Clear description of each vulnerability
+ - Location (file and line numbers)
+ - Severity assessment
+ - Recommended fixes
+8. Post a comment on issue #${{ github.event.inputs.issue_number }} with a summary of the analysis
+9. Use staged mode to preview all outputs before creating them
+
+**CodeQL Database Location**: `/tmp/codeql-db`
+
+**Expected Workflow**:
+1. Register the database: `register_database("/tmp/codeql-db")`
+2. Run security queries or evaluate specific security patterns
+3. 
Decode results to JSON format for analysis
+4. Generate actionable security report
+5. Create issue if vulnerabilities found
+6. Comment on the triggering issue with summary
diff --git a/.github/workflows/shared/mcp/codeql.md b/.github/workflows/shared/mcp/codeql.md
index 9c515bbdb2..0075c0deb8 100644
--- a/.github/workflows/shared/mcp/codeql.md
+++ b/.github/workflows/shared/mcp/codeql.md
@@ -29,6 +29,50 @@ steps:
 echo "CodeQL CLI installed successfully"
+ - name: Restore CodeQL database from cache
+ id: cache-codeql-db
+ uses: actions/cache@v4
+ with:
+ path: /tmp/codeql-db
+ key: codeql-db-${{ github.repository }}-${{ github.sha }}
+ restore-keys: |
+ codeql-db-${{ github.repository }}-
+
+ - name: Create CodeQL database
+ if: steps.cache-codeql-db.outputs.cache-hit != 'true'
+ run: |
+ set -e
+ echo "Creating CodeQL database..."
+
+ # Detect primary language from repository
+ # Default to 'go' if detection fails
+ LANGUAGE="go"
+
+ # Try to detect language from common files
+ if [ -f "go.mod" ]; then
+ LANGUAGE="go"
+ elif [ -f "package.json" ]; then
+ LANGUAGE="javascript"
+ elif [ -f "requirements.txt" ] || [ -f "setup.py" ]; then
+ LANGUAGE="python"
+ elif [ -f "pom.xml" ] || [ -f "build.gradle" ]; then
+ LANGUAGE="java"
+ elif [ -f "Gemfile" ]; then
+ LANGUAGE="ruby"
+ elif [ -f "*.csproj" ]; then
+ LANGUAGE="csharp"
+ fi
+
+ echo "Detected language: $LANGUAGE"
+
+ # Create database for the repository
+ codeql database create /tmp/codeql-db \
+ --language=$LANGUAGE \
+ --source-root=${{ github.workspace }} \
+ --overwrite
+
+ echo "CodeQL database created successfully at /tmp/codeql-db"
+
 - name: Install Python dependencies for CodeQL MCP server
 run: |
 set -e
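Review bot: Requirement 7 of the new dev.md prompt has the agent open an issue listing each vulnerability with file and line numbers, which in a public repository is public disclosure of unpatched findings; `staged: true` makes that a preview for now, but nothing in the prompt or the `create-issue` config records that the staging is what keeps it safe. Before `staged` is removed, either route findings somewhere non-public or add a line to the prompt such as `Report only the query name, location and recommended fix; do not include reproduction details.` Separately, requirement 8 interpolates `${{ github.event.inputs.issue_number }}` — declared `type: string` earlier in the frontmatter — verbatim into the agent instructions; declaring it `type: number` or validating it as an integer before use would keep free-form text out of the prompt.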
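Review bot: `elif [ -f "*.csproj" ]; then` in the language-detection script tests for a file literally named `*.csproj`, because the glob is quoted and `-f` does not expand it, so the C# branch can never be taken; `elif compgen -G "*.csproj" > /dev/null; then` checks for a match instead. `uses: actions/cache@v4` is the only action in this change referenced by a floating tag, whereas the generated lock file pins `actions/github-script` to a commit SHA with the version in a trailing comment; the step that restores an extracted copy of the repository into `/tmp/codeql-db` should be pinned the same way (SHA taken from the action's release, not invented here). The `restore-keys` prefix fallback also deserves a second look: it restores a database built for a different commit, but `cache-hit` is only `'true'` on an exact key match, so the `--overwrite` rebuild still runs and the fallback costs a download without saving any work; dropping `restore-keys` makes the step's behavior easier to reason about.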
@@ -162,7 +206,16 @@ Analyze the repository for security vulnerabilities using CodeQL.
 ### Creating a CodeQL Database
-Before using the CodeQL MCP server, you need to create a database for your repository:
+The shared MCP configuration automatically handles CodeQL database creation with caching:
+
+1. **Automatic Language Detection**: Detects the repository's primary language (Go, JavaScript, Python, Java, Ruby, C#)
+2. **Database Creation**: Creates a CodeQL database at `/tmp/codeql-db` if not in cache
+3. **Caching**: Uses GitHub Actions cache to persist the database across workflow runs
+4. **Cache Key**: Uses `codeql-db-{repository}-{sha}` with fallback to previous commits
+
+The database is automatically created as part of the workflow setup, so you can immediately start using the MCP server tools to query it.
+
+**Manual Database Creation** (if needed):
 ```yaml
 steps: