codeql-action/.github/workflows/update-bundle.yml

name: Update default CodeQL bundle

on:
  release:
    # From https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release
    # Note: The prereleased type will not trigger for pre-releases published
    # from draft releases, but the published type will trigger. If you want a
    # workflow to run when stable and pre-releases publish, subscribe to
    # published instead of released and prereleased.
    #
    # From https://github.com/orgs/community/discussions/26281
    # As a work around, in published type workflow,  you could add if condition
    # to filter pre-release attribute.
    types: [published]

jobs:
  update-bundle:
    if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to push commits
      pull-requests: write # needed to create pull requests
    steps:
      - name: Dump environment
        run: env

      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: '${{ toJson(github) }}'
        run: echo "$GITHUB_CONTEXT"

      - uses: actions/checkout@v5

      - name: Update git config
        run: |
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

      - name: Update bundle
        uses: ./.github/actions/update-bundle

      - name: Rebuild Action
        run: npm run build

      - name: Commit and push changes
        env:
          RELEASE_TAG: "${{ github.event.release.tag_name }}"
        run: |
          git checkout -b "update-bundle/$RELEASE_TAG"
          git commit -am "Update default bundle to $RELEASE_TAG"
          git push --set-upstream origin "update-bundle/$RELEASE_TAG"

      - name: Open pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          cli_version=$(jq -r '.cliVersion' src/defaults.json)
          pr_url=$(gh pr create \
            --title "Update default bundle to $cli_version" \
            --body "This pull request updates the default CodeQL bundle, as used with \`tools: linked\` and on GHES, to $cli_version." \
            --assignee "$GITHUB_ACTOR" \
            --draft \
          )
          echo "CLI_VERSION=$cli_version" | tee -a "$GITHUB_ENV"
          echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"

      - name: Create changelog note
        shell: python
        run: |
          import os
          import re

          # Get the PR number from the PR URL.
          pr_number = os.environ['PR_URL'].split('/')[-1]
          changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"

          # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
          # Use perl to avoid having to escape the newline character.

          with open('CHANGELOG.md', 'r') as f:
              changelog = f.read()

          changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')

          # Add the changelog note to the bottom of the "[UNRELEASED]" section.
          changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)

          with open('CHANGELOG.md', 'w') as f:
              f.write(changelog)

      - name: Push changelog note
        run: |
          git commit -am "Add changelog note"
          git push