advanced-security · data-douser · Apr 22, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 22, 2026
@@ -11,13 +11,15 @@ on:
       - .github/workflows/copilot-setup-steps.yml
       - .github/actions/setup-codeql-environment/action.yml
       - qlt.conf.json
+      - scripts/install-codeql-packs.sh
   pull_request:
     branches:
       - main
     paths:
       - .github/workflows/copilot-setup-steps.yml
       - .github/actions/setup-codeql-environment/action.yml
       - qlt.conf.json
+      - scripts/install-codeql-packs.sh
 
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
@@ -31,3 +33,7 @@ jobs:
 
       - name: Copilot Setup - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment
+
+      - name: Copilot Setup - Install CodeQL workspace packs
+        shell: bash
+        run: ./scripts/install-codeql-packs.sh
@@ -34,7 +34,19 @@ Before using this repository template, ensure your GitHub organization/account h
 
 **Note:** The ['copilot-setup-steps' actions workflow](./.github/workflows/copilot-setup-steps.yml) will automatically set up the environment for Copilot Coding Agent (CCA), so local installation is optional and primarily useful for manual development.
 
-### Step 2: Create an Issue for the CodeQL query you want to develop
+### Step 2: Install CodeQL Pack Dependencies
+
+After cloning your new repository, install the CodeQL pack dependencies:
+
+```bash
+./scripts/install-codeql-packs.sh
+```
+
+This uses `codeql pack ls` to discover all packs in the workspace and runs `codeql pack install` for each one, generating `codeql-pack.lock.yml` files and downloading required dependencies locally. You can target a single language with `--language <lang>` (e.g., `--language java`).
+
+> **Note:** The generated `codeql-pack.lock.yml` files should be committed to your repository to ensure reproducible dependency resolution across your team.
+
+### Step 3: Create an Issue for the CodeQL query you want to develop
 
 1. **Navigate to Issues** in your new repository
 2. **Click "New Issue"**
@@ -46,13 +58,13 @@ Before using this repository template, ensure your GitHub organization/account h
    - Specify severity level
 5. **Submit the issue**
 
-### Step 3: Assign Issue to `@copilot`
+### Step 4: Assign Issue to `@copilot`
 
 1. **Assign the issue** to `@copilot` (GitHub's Copilot Coding Agent user)
 2. **Wait for Copilot** to process the issue and create a Pull Request
 3. **Monitor progress** via the `Sessions` and/or comments for the new Pull Request
 
-### Step 4: Review Pull Request created by Copilot Coding Agent
+### Step 5: Review Pull Request created by Copilot Coding Agent
 
 1. **Navigate to the generated Pull Request**
 2. **Review the changes:**

@@ -1,5 +1,5 @@
 name: languages-actions-custom-src
-version: 0.0.1
+version: 0.0.2
 library: false
 dependencies:
   codeql/actions-all: "*"
@@ -1,5 +1,5 @@
 name: languages-actions-custom-test
-version: 0.0.1
+version: 0.0.2
 dependencies:
-  languages-actions-custom-src: "*"
+  languages-actions-custom-src: ${workspace}
 extractor: actions
@@ -1,5 +1,5 @@
 name: languages-actions-tools-src
-version: 0.0.1
+version: 0.0.2
 library: false
 dependencies:
   codeql/actions-all: "*"
@@ -1,9 +1,9 @@
 name: languages-actions-tools-test
-version: 0.0.1
+version: 0.0.2
 dependencies:
   # This test pack does not actually depend upon `codeql/actions-queries`,
   # but we declare the dependency to ensure that the queries from the
   # query pack are downloaded and available locally.
   codeql/actions-queries: "*"
-  languages-actions-tools-src: "*"
+  languages-actions-tools-src: ${workspace}
 extractor: actions
@@ -1,5 +1,5 @@
 name: languages-cpp-custom-src
-version: 0.0.1
+version: 0.0.2
 library: false
 dependencies:
   codeql/cpp-all: "*"
@@ -1,5 +1,5 @@
 name: languages-cpp-custom-test
-version: 0.0.1
+version: 0.0.2
 dependencies:
-  languages-cpp-custom-src: '*'
+  languages-cpp-custom-src: ${workspace}
 extractor: cpp
@@ -1,5 +1,5 @@
 name: languages-cpp-tools-src
-version: 0.0.1
+version: 0.0.2
 library: false
 dependencies:
   codeql/cpp-all: "*"
@@ -1,9 +1,9 @@
 name: languages-cpp-tools-test
-version: 0.0.1
+version: 0.0.2
 dependencies:
   # This test pack does not actually depend upon `codeql/cpp-queries`,
   # but we declare the dependency to ensure that the queries from the
   # query pack are downloaded and available locally.
   codeql/cpp-queries: "*"
-  languages-cpp-tools-src: '*'
+  languages-cpp-tools-src: ${workspace}
 extractor: cpp