Formalize release automation for certified releases

This introduces an updated release process that follows the necessary steps to create a certified release.
The updated process is based on the PR process by creating a PR for a release with additional compiler compatibility and performance tests that must pass.

When all the tests pass, the process automatically collects the necessary logs and artifacts to construct a certification kit that is attached as a release artifact.

.github/workflows/bump-version.yml

@@ -18,8 +18,10 @@ jobs:
 
         - name: Apply Bump
           shell: bash
+          env:
+            NEW_VERSION: ${{ inputs.new_version }}
           run: |
-            bash ./scripts/bump_version.sh ${{ github.event.inputs.new_version }}
+            bash ./scripts/release/bump-version.sh "$NEW_VERSION"
 
         - name: Create Pull Request
           uses: peter-evans/create-pull-request@v4

.github/workflows/code-scanning-pack-gen.yml

@@ -2,47 +2,48 @@ name: Code Scanning Query Pack Generation
 
 on:
   merge_group:
+    types: [checks_requested]
   pull_request:
     branches:
       - main
-      - "rc/**"
       - next
+      - "rc/**"
 
   push:
     branches:
       - main
-      - "rc/**"
       - next
+      - "rc/**"
 
 env:
   XARGS_MAX_PROCS: 4
 
 jobs:
+
   prepare-code-scanning-pack-matrix:
     name: Prepare CodeQL Code Scanning pack matrix
     runs-on: ubuntu-22.04
     outputs:
       matrix: ${{ steps.export-code-scanning-pack-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
-
+        uses: actions/checkout@v4
       - name: Export Code Scanning pack matrix
         id: export-code-scanning-pack-matrix
         run: |
-          echo "::set-output name=matrix::$(
+          echo "matrix=$(
             jq --compact-output '.supported_environment | {include: .}' supported_codeql_configs.json
-          )"
+          )" >> $GITHUB_OUTPUT
 
   create-code-scanning-pack:
     name: Create Code Scanning pack
     needs: prepare-code-scanning-pack-matrix
-    runs-on: ubuntu-20.04-xl
+    runs-on: ubuntu-latest-xl
     strategy:
       fail-fast: false
       matrix: ${{ fromJSON(needs.prepare-code-scanning-pack-matrix.outputs.matrix) }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Cache CodeQL
         id: cache-codeql
@@ -65,18 +66,28 @@ jobs:
         with:
           cli_path: ${{ github.workspace }}/codeql_home/codeql
 
+      - name: Determine ref for external help files
+        id: determine-ref
+        run: |
+          if [[ $GITHUB_EVENT_NAME == "pull_request" || $GITHUB_EVENT_NAME == "merge_group" ]]; then
+            echo "EXTERNAL_HELP_REF=$GITHUB_HEAD_REF" >> "$GITHUB_ENV"
+          else
+            echo "EXTERNAL_HELP_REF=$GITHUB_REF" >> "$GITHUB_ENV"
+          fi
+          echo "Using ref $EXTERNAL_HELP_REF for external help files."
+
       - name: Checkout external help files
         continue-on-error: true
         id: checkout-external-help-files
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           ssh-key: ${{ secrets.CODEQL_CODING_STANDARDS_HELP_KEY }}
           repository: "github/codeql-coding-standards-help"
-          ref: ${{ github.head_ref }}
+          ref: ${{ env.EXTERNAL_HELP_REF }}
           path: external-help-files
 
       - name: Include external help files
-        if: ${{ steps.checkout-external-help-files.outcome == 'success' }}
+        if: steps.checkout-external-help-files.outcome == 'success'
         run: |
           pushd external-help-files
           find . -name '*.md' -exec rsync -av --relative {} "$GITHUB_WORKSPACE" \;

.github/workflows/codeql_unit_tests.yml

@@ -2,34 +2,37 @@ name: CodeQL Unit Testing
 
 on:
   merge_group:
+    types: [checks_requested]
   push:
     branches:
       - main
-      - "rc/**"
       - next
+      - "rc/**"
   pull_request:
     branches:
-      - "**"
-  workflow_dispatch:
+      - main
+      - next
+      - "rc/**"
 
 jobs:
+
   prepare-unit-test-matrix:
     name: Prepare CodeQL unit test matrix
     runs-on: ubuntu-22.04
     outputs:
       matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Export unit test matrix
         id: export-unit-test-matrix
         run: |
           echo "Merging Result:"
           python scripts/create_language_matrix.py
-          echo "::set-output name=matrix::$(
+          echo "matrix=$(
             python scripts/create_language_matrix.py | \
-            jq --compact-output 'map([.+{os: "ubuntu-20.04-xl", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}')"
+            jq --compact-output 'map([.+{os: "ubuntu-latest-xl", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}')" >> $GITHUB_OUTPUT
 
   run-test-suites:
     name: Run unit tests
@@ -39,22 +42,22 @@ jobs:
     strategy:
       fail-fast: false
       matrix: ${{ fromJSON(needs.prepare-unit-test-matrix.outputs.matrix) }}
-        
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Install Python
         uses: actions/setup-python@v4
         with:
           python-version: "3.9"
-          
+
       - name: Install Python dependencies
         run: pip install -r scripts/requirements.txt
 
       - name: Cache CodeQL
         id: cache-codeql
-        uses: actions/cache@v2.1.3
+        uses: actions/cache@v3
         with:
           # A list of files, directories, and wildcard patterns to cache and restore
           path: ${{github.workspace}}/codeql_home
@@ -101,7 +104,7 @@ jobs:
 
           def print_error(fmt, *args):
             print(f"::error::{fmt}", *args)
-            
+
           def print_error_and_fail(fmt, *args):
             print_error(fmt, args)
             sys.exit(1)
@@ -148,7 +151,7 @@ jobs:
               file.close()
 
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: ${{ matrix.language }}-test-results-${{ runner.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library_ident }}
           path: |
@@ -157,11 +160,11 @@ jobs:
 
   validate-test-results:
     name: Validate test results
-    needs: [run-test-suites]
+    needs: run-test-suites
     runs-on: ubuntu-22.04
     steps:
       - name: Collect test results
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
 
       - name: Validate test results
         run: |

.github/workflows/dispatch-matrix-check.yml

@@ -9,12 +9,12 @@ on:
 
 jobs:
   dispatch-matrix-check:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
 
       - name: Test Variables
         shell: pwsh
-        run: |          
+        run: |
           Write-Host "Running as: ${{github.actor}}"    
     
       - name: Dispatch Matrix Testing Job

.github/workflows/dispatch-matrix-test-on-comment.yml

@@ -11,12 +11,12 @@ on:
 
 jobs:
   dispatch-matrix-check:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
 
       - name: Test Variables
         shell: pwsh
-        run: |          
+        run: |
           Write-Host "Running as: ${{github.actor}}"    
 
           $actor = "${{github.actor}}"

.github/workflows/dispatch-release-performance-check.yml

@@ -10,12 +10,12 @@ on:
 
 jobs:
   dispatch-matrix-check:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
 
       - name: Test Variables
         shell: pwsh
-        run: |          
+        run: |
           Write-Host "Running as: ${{github.actor}}"    
 
           $actor = "${{github.actor}}"

.github/workflows/extra-rule-validation.yml

@@ -2,6 +2,7 @@ name: ⚙️ Extra Rule Validation
 
 on:
   merge_group:
+    types: [checks_requested]
   push:
     branches:
       - main