Upgrade CodeQL CLI dependency to v2.25.3 (#269)

* Upgrade CodeQL CLI dependency to v2.25.3

* Fix upgrade-packs.sh to actually refresh pack lock files

Previously, codeql pack upgrade was a no-op for packs with pinned
codeql/<lang>-all dependencies because the existing pin already
satisfied the constraint. This left codeql-pack.lock.yml files
unchanged across CLI bumps, even though newer compatible library
pack versions were available.

The fix temporarily rewrites the pinned dependency to a wildcard
before running codeql pack upgrade, then restores the manifest and
pins it to the version resolved into the lock file.

Also regenerates all pack lock files and re-pins manifests against
CodeQL CLI v2.25.3, and refreshes ruby/rust/swift PrintAST/PrintCFG
.expected files for benign output ordering and library behavior
changes introduced by the upgraded codeql/*-all packs.

* Skip update-codeql cron run when upgrade branch already exists

Adds a 'check-existing-branch' job that runs after detect-update and
gates the create-pr job. On scheduled (cron) runs, if the target
'codeql/upgrade-to-vX.Y.Z' branch already exists on origin, the rest
of the pipeline is skipped so peter-evans/create-pull-request does
not force-push over reviewer commits or follow-up fixes (such as
manually-applied lock-file refreshes).

The check is bypassed on workflow_dispatch so a maintainer can
always force a refresh by re-running the workflow manually.

* Refresh rust PrintAST/PrintCFG expected with rust toolchain installed

CI runs query unit tests with install-language-runtimes: true, which
makes rustc/cargo available to the rust extractor and causes println!
and similar macros to be expanded to their stdlib internals
was performed without rust installed locally, so the expected files
captured the collapsed output and did not match CI.

Re-learned with rustc 1.95.0 installed via rustup, matching the CI
runner environment.

* Refresh rust PrintAST/PrintCFG expected to match macro expansion output (#270)

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/beb1ad8c-da44-4beb-8483-c2b6d9e1f2b7

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: enyil <87337678+enyil@users.noreply.github.com>

---------

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Co-authored-by: Nathan Randall <data-douser@github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: enyil <87337678+enyil@users.noreply.github.com>

Author: 4 people

.codeql-version

@@ -1 +1 @@
-v2.25.2
+v2.25.3

.github/workflows/update-codeql.yml

@@ -102,17 +102,81 @@ jobs:
           fi
 
   # ─────────────────────────────────────────────────────────────────────────────
-  # Step 2: Update version, build, test, and create PR
+  # Step 2: Check whether the upgrade branch already exists
+  #
+  # When this workflow runs on its nightly cron schedule and an upgrade PR has
+  # already been opened for the target version, re-running `create-pr` would
+  # force-push over the existing branch and silently discard any review
+  # commits already made on top of the bot's initial push (e.g., manual fixes
+  # to upgrade-packs.sh output or reviewer follow-ups). This job short-circuits
+  # subsequent work in that case so the existing branch is preserved.
+  #
+  # The branch check is skipped on `workflow_dispatch` so a maintainer can
+  # always re-run the upgrade pipeline on demand to re-create the branch.
+  # ─────────────────────────────────────────────────────────────────────────────
+  check-existing-branch:
+    name: Check for Existing Upgrade Branch
+    needs: detect-update
+    if: needs.detect-update.outputs.update_needed == 'true'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    outputs:
+      branch_exists: ${{ steps.check-branch.outputs.branch_exists }}
+
+    steps:
+      - name: Check - Look up upgrade branch on origin
+        id: check-branch
+        env:
+          GH_TOKEN: ${{ github.token }}
+          BRANCH: 'codeql/upgrade-to-${{ needs.detect-update.outputs.version }}'
+          EVENT_NAME: ${{ github.event_name }}
+        run: |
+          if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then
+            echo "ℹ️ Manual dispatch — skipping existing-branch check."
+            echo "branch_exists=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "Checking whether branch '${BRANCH}' exists on ${GITHUB_REPOSITORY}..."
+          if gh api "repos/${GITHUB_REPOSITORY}/branches/${BRANCH}" \
+              --silent > /dev/null 2>&1; then
+            echo "✅ Branch '${BRANCH}' already exists — skipping update to preserve manual edits."
+            echo "branch_exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "ℹ️ Branch '${BRANCH}' does not exist — proceeding with update."
+            echo "branch_exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Check - Summary
+        env:
+          BRANCH: 'codeql/upgrade-to-${{ needs.detect-update.outputs.version }}'
+        run: |
+          echo "## Upgrade Branch Preflight" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ steps.check-branch.outputs.branch_exists }}" = "true" ]; then
+            echo "⏭️ Branch \`${BRANCH}\` already exists — skipping the rest of the pipeline to preserve any manual edits or review commits on it." >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Trigger this workflow manually via \`workflow_dispatch\` to force a refresh." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "▶️ Branch \`${BRANCH}\` does not exist — proceeding with the update pipeline." >> $GITHUB_STEP_SUMMARY
+          fi
+
+  # ─────────────────────────────────────────────────────────────────────────────
+  # Step 3: Update version, build, test, and create PR
   #
   # Updates all version-bearing files, installs dependencies, runs the full
   # build-and-test suite, and creates a pull request with the changes.
   # ─────────────────────────────────────────────────────────────────────────────
   create-pr:
     name: Create Update Pull Request
-    needs: detect-update
-    if: needs.detect-update.outputs.update_needed == 'true'
+    needs: [detect-update, check-existing-branch]
+    if: |
+      needs.detect-update.outputs.update_needed == 'true' &&
+      needs.check-existing-branch.outputs.branch_exists != 'true'
     runs-on: ubuntu-latest
-
     permissions:
       contents: write
       pull-requests: write

client/integration-tests/primitives/tools/codeql_bqrs_interpret/sarif_format/after/results.sarif

@@ -1 +1 @@
-{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.25.2","rules":[{"id":"test/query","name":"test/query","shortDescription":{"text":"ExampleQuery1"},"fullDescription":{"text":"Example query for integration testing of the codeql_test_extract MCP server tool."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n","markdown":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n"},"properties":{"tags":["mcp-integration-tests"],"description":"Example query for integration testing of the codeql_test_extract MCP server tool.","id":"test/query","kind":"problem","name":"ExampleQuery1","precision":"medium","problem.severity":"warning"}}]},"extensions":[{"name":"mcp-client-integration-tests-static-javascript-src","semanticVersion":"0.0.1+fe0e7d2a7059ebb6c6075ff8eaea04f382747656","locations":[{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/codeql-pack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/javascript-all","semanticVersion":"2.6.11+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.31+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"artifacts":[{"location":{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}],"results":[{"ruleId":"test/query","ruleIndex":0,"rule":{"id":"test/query","index":0},"message":{"text":"Example test code file found for codeql_test_extract example query."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}}]}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarif-latest"}}]}
+{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.25.3","rules":[{"id":"test/query","name":"test/query","shortDescription":{"text":"ExampleQuery1"},"fullDescription":{"text":"Example query for integration testing of the codeql_test_extract MCP server tool."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n","markdown":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n"},"properties":{"tags":["mcp-integration-tests"],"description":"Example query for integration testing of the codeql_test_extract MCP server tool.","id":"test/query","kind":"problem","name":"ExampleQuery1","precision":"medium","problem.severity":"warning"}}]},"extensions":[{"name":"mcp-client-integration-tests-static-javascript-src","semanticVersion":"0.0.1+fe0e7d2a7059ebb6c6075ff8eaea04f382747656","locations":[{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/codeql-pack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/javascript-all","semanticVersion":"2.6.11+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.31+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"artifacts":[{"location":{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}],"results":[{"ruleId":"test/query","ruleIndex":0,"rule":{"id":"test/query","index":0},"message":{"text":"Example test code file found for codeql_test_extract example query."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}}]}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarif-latest"}}]}

extensions/vscode/package.json

@@ -2,7 +2,7 @@
   "name": "vscode-codeql-development-mcp-server",
   "displayName": "CodeQL Development MCP Server",
   "description": "LLM-assisted development of CodeQL queries, libraries, and tests via #ql-mcp prompts, resources, and tools.",
-  "version": "2.25.2",
+  "version": "2.25.3",
   "publisher": "advanced-security",
   "license": "LicenseRef-CodeQL-Terms",
   "icon": "media/codeql-icon.png",

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-development-mcp-server_repo",
-  "version": "2.25.2",
+  "version": "2.25.3",
   "description": "An MCP server supporting LLM requests for CodeQL development tools and resources.",
   "private": true,
   "type": "module",

package.json

@@ -201540,7 +201540,7 @@ init_package_paths();
 init_logger();
 import_dotenv.default.config({ path: resolve14(packageRootDir, ".env"), quiet: true });
 var PACKAGE_NAME = "codeql-development-mcp-server";
-var VERSION = "2.25.2";
+var VERSION = "2.25.3";
 async function startServer(mode = "stdio") {
   logger.info(`Starting CodeQL Development MCP McpServer v${VERSION} in ${mode} mode`);
   const codeqlBinary = resolveCodeQLBinary();

server/dist/codeql-development-mcp-server.js

@@ -1,6 +1,6 @@
 {
   "name": "codeql-development-mcp-server",
-  "version": "2.25.2",
+  "version": "2.25.3",
   "description": "An MCP server supporting LLM requests for CodeQL development tools and resources.",
   "main": "dist/codeql-development-mcp-server.js",
   "type": "module",

server/dist/codeql-development-mcp-server.js.map

@@ -2,31 +2,31 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/actions-all:
-    version: 0.4.32
+    version: 0.4.34
   codeql/concepts:
-    version: 0.0.20
+    version: 0.0.22
   codeql/controlflow:
-    version: 2.0.30
+    version: 2.0.32
   codeql/dataflow:
-    version: 2.1.2
+    version: 2.1.4
   codeql/javascript-all:
-    version: 2.6.26
+    version: 2.6.28
   codeql/mad:
-    version: 1.0.46
+    version: 1.0.48
   codeql/regex:
-    version: 1.0.46
+    version: 1.0.48
   codeql/ssa:
-    version: 2.0.22
+    version: 2.0.24
   codeql/threat-models:
-    version: 1.0.46
+    version: 1.0.48
   codeql/tutorial:
-    version: 1.0.46
+    version: 1.0.48
   codeql/typetracking:
-    version: 2.0.30
+    version: 2.0.32
   codeql/util:
-    version: 2.0.33
+    version: 2.0.35
   codeql/xml:
-    version: 1.0.46
+    version: 1.0.48
   codeql/yaml:
-    version: 1.0.46
+    version: 1.0.48
 compiled: false