Skip to content

Add feature for forcing the nightly bundle in dynamic workflows#3484

Open
mbg wants to merge 9 commits intomainfrom
mbg/cli/force-nightly
Open

Add feature for forcing the nightly bundle in dynamic workflows#3484
mbg wants to merge 9 commits intomainfrom
mbg/cli/force-nightly

Conversation

@mbg
Copy link
Member

@mbg mbg commented Feb 15, 2026

Adds a Feature which, when enabled, and the workflow was triggered by a dynamic event forces getCodeQLSource to pick the latest, nightly release.

Some drive-by improvements and observations:

  • I added a couple of comments to better document getCodeQLSource.
  • While writing those, I noticed that the !toolsInput.startsWith("http") check would probably cause problems if a file happened to have a path that starts with http. Probably not a very likely problem, but could be tricky to troubleshoot if it happens. We could improve this by performing more explicit checks for http:// and https:// or whether the suspected file exists locally or not. Outside of the scope of this PR though.
  • I added a unit test for tools: nightly which didn't seem to exist.
  • While doing that, I noticed that getNightlyToolsUrl seems to assume that the nightly tag is codeql-bundle- followed by a semver, but this is no longer the case for nightly releases. There's a fallback logic which handles this fine, but we should probably update this to expect the date-based tags.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

  • Managed - Impacts users with dynamic workflows (Default Setup, CCR, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.
  • CCR - The changes impact analyses for Copilot Code Reviews.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.

How did/will you validate this change?

  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Feature flags - All new or changed code paths can be fully disabled with corresponding feature flags.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@mbg mbg self-assigned this Feb 15, 2026
@github-actions github-actions bot added the size/M Should be of average difficulty to review label Feb 15, 2026
@mbg mbg force-pushed the mbg/cli/force-nightly branch from c4ada50 to a61e3cb Compare February 15, 2026 17:49
@mbg mbg marked this pull request as ready for review February 15, 2026 18:13
@mbg mbg requested a review from a team as a code owner February 15, 2026 18:13
Copilot AI review requested due to automatic review settings February 15, 2026 18:13
Copilot AI reviewed Feb 15, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adds a new ForceNightly feature flag that allows forcing the use of the nightly CodeQL CLI bundle in dynamic workflows (Default Setup, CCR, etc.). The feature flag is restricted to dynamic workflow events or test mode, preventing it from affecting advanced workflows. The PR includes comprehensive unit tests and an end-to-end PR check to validate the functionality.

Changes:

  • Added ForceNightly feature flag to enable nightly CLI for dynamic workflows
  • Enhanced getCodeQLSource with documentation and logic to support forced nightly builds
  • Added unit tests for both tools: nightly and ForceNightly feature flag scenarios
  • Created new PR check workflow to validate the feature in CI

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/feature-flags.ts Adds the ForceNightly feature flag definition with environment variable and default value
src/setup-codeql.ts Implements logic to force nightly CLI when feature flag is enabled in dynamic workflows; adds JSDoc documentation and exports for testing
src/setup-codeql.test.ts Adds comprehensive unit tests for nightly CLI selection via both explicit input and feature flag
pr-checks/checks/bundle-from-nightly.yml Defines PR check template to validate ForceNightly feature works as expected
.github/workflows/__bundle-from-nightly.yml Auto-generated workflow file from the PR check template
lib/*.js Auto-generated JavaScript transpilation of TypeScript source changes (not reviewed per guidelines)

esbena
esbena previously approved these changes Feb 16, 2026
View reviewed changes
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with some superficial logging observability/logging concerns.

@mbg mbg force-pushed the mbg/cli/force-nightly branch from e7c08f9 to e315c6f Compare February 16, 2026 09:29
esbena
esbena approved these changes Feb 16, 2026
View reviewed changes
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The recent changes LGTM.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@esbena esbena esbena approved these changes

Assignees

@mbg mbg

Labels

size/M Should be of average difficulty to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mbg @esbena