---
title: pack ci
versions:
  fpt: '*'
  ghec: '*'
  ghes: '*'
topics:
  - Code Security
  - Code scanning
  - CodeQL
type: reference
product: '{% data reusables.gated-features.codeql %}'
autogenerated: codeql-cli
intro: |-
  Install dependencies for this pack, verifying that the
  existing lock file is up to date.
redirect_from:
  - /code-security/codeql-cli/manual/pack-ci
---

<!-- markdownlint-disable GHD053 -->

<!-- markdownlint-disable GHD030 -->

<!-- Content after this section is automatically generated -->

{% data reusables.codeql-cli.man-pages-version-note %}

## Synopsis

```shell copy
codeql pack ci [--force] <options>... -- <dir>
```
|
## Description

Clean install dependencies for this pack, verifying that the existing
lock file is up to date.

This command installs the dependencies of the pack, using the versions
specified in the codeql-pack.lock.yml file. If any of the versions
specified in the lock file are incompatible with the version constraints
specified in the qlpack.yml file, or if no lock file is present, this
command fails.

This command is similar to `codeql pack install`, except it's meant to
be used in automated environments such as test platforms, continuous
integration, and deployment -- or any situation where you want to make
sure you're doing a clean install of your dependencies.

Available since `v2.12.4`.
|
## Options

### Primary Options

#### `<dir>`

The root directory of the package.

#### `--format=<fmt>`

Select output format, either `text` _(default)_ or `json`.

#### `-f, --[no-]force`

Allow overwriting already existing packs.

#### `--[no-]allow-prerelease`

Allow packs with pre-release version qualifiers (e.g.,
`X.Y.Z-qualifier`) to be used. Without this flag, pre-release packs will
be ignored.

Available since `v2.11.3`.

#### `--lock-override=<file>`

\[Advanced] Specifies an alternate lock file to use as the input to
dependency resolution.

#### `--lock-output=<file>`

\[Advanced] Specifies an alternate location to save the lock file
generated by dependency resolution.

Available since `v2.14.1`.

#### `--no-strict-mode`

\[Advanced] Turn off strict mode to avoid a warning when resolving
packages from the `--additional-packs` and other locally resolved
locations. Packages resolved locally are never downloaded and will not
be added to the package lock.
|
### Options for resolving QL packs outside of the package registry

#### `--search-path=<dir>[:<dir>...]`

A list of directories under which QL packs may be found. Each directory
can either be a QL pack (or bundle of packs containing a
`.codeqlmanifest.json` file at the root) or the immediate parent of one
or more such directories.

If the path contains more than one directory, their order defines
precedence between them: when a pack name that must be resolved is
matched in more than one of the directory trees, the one given first
wins.

Pointing this at a checkout of the open-source CodeQL repository ought
to work when querying one of the languages that live there.

If you have checked out the CodeQL repository as a sibling of the
unpacked CodeQL toolchain, you don't need to give this option; such
sibling directories will always be searched for QL packs that cannot be
found otherwise. (If this default does not work, it is strongly
recommended to set up `--search-path` once and for all in a per-user
configuration file).

(Note: On Windows the path separator is `;`).

#### `--additional-packs=<dir>[:<dir>...]`

If this list of directories is given, they will be searched for packs
before the ones in `--search-path`. The order between these doesn't
matter; it is an error if a pack name is found in two different places
through this list.

This is useful if you're temporarily developing a new version of a pack
that also appears in the default path. On the other hand, it is _not
recommended_ to override this option in a config file; some internal
actions will add this option on the fly, overriding any configured
value.

(Note: On Windows the path separator is `;`).
|
### Options for configuring the CodeQL package manager

#### `--registries-auth-stdin`

Authenticate to GitHub Enterprise Server Container registries by passing
a comma-separated list of \<registry\_url>=\<token> pairs.

For example, you can pass
`https://containers.GHEHOSTNAME1/v2/=TOKEN1,https://containers.GHEHOSTNAME2/v2/=TOKEN2`
to authenticate to two GitHub Enterprise Server instances.

This overrides the CODEQL\_REGISTRIES\_AUTH and GITHUB\_TOKEN environment
variables. If you only need to authenticate to the github.com Container
registry, you can instead authenticate using the simpler
`--github-auth-stdin` option.

#### `--github-auth-stdin`

Authenticate to the github.com Container registry by passing a
github.com GitHub Apps token or personal access token via standard
input.

To authenticate to GitHub Enterprise Server Container registries, pass
`--registries-auth-stdin` or use the CODEQL\_REGISTRIES\_AUTH environment
variable.

This overrides the GITHUB\_TOKEN environment variable.

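
As an added example (not part of the CodeQL documentation), this POSIX shell wrapper shows one way to run `codeql pack ci` in a CI job against GitHub Enterprise Server registries: it builds the `--registries-auth-stdin` pair list and sends it on standard input, so tokens never appear on the command line. The helper names, the `url token` input layout, and the HTTPS-only check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the CodeQL documentation.
# build_registries_auth and pack_ci_ghes are hypothetical helper names.

# Read "registry_url token" lines on stdin and print the comma-separated
# <registry_url>=<token> list that --registries-auth-stdin expects.
build_registries_auth() {
  _out=""
  while read -r _url _token || [ -n "$_url" ]; do
    [ -n "$_url" ] || continue            # skip blank lines
    case "$_url" in
      https://*) ;;  # local policy (assumption): no tokens over plain HTTP
      *) echo "registry URL is not https: $_url" >&2; return 1 ;;
    esac
    [ -n "$_token" ] || { echo "no token for $_url" >&2; return 1; }
    case "$_url$_token" in
      *,*) echo "comma would corrupt the pair list" >&2; return 1 ;;
    esac
    _out="${_out:+$_out,}${_url}=${_token}"
  done
  printf '%s\n' "$_out"
}

# Clean-install a pack's dependencies with credentials on stdin only, so
# tokens stay out of argv (process listings, CI command echo).
# Usage: pack_ci_ghes <pack-dir> < file-with-"url token"-lines
pack_ci_ghes() {
  _dir="$1"
  # pack ci fails without a lock file; check before building credentials.
  if [ ! -f "$_dir/codeql-pack.lock.yml" ]; then
    echo "no codeql-pack.lock.yml in $_dir" >&2
    return 3
  fi
  _auth=$(build_registries_auth) || return 1
  [ -n "$_auth" ] || { echo "no registry credentials on stdin" >&2; return 1; }
  printf '%s\n' "$_auth" |
    codeql pack ci --format=json --registries-auth-stdin -- "$_dir"
}
```

Feed the pairs from the CI secret store through a file descriptor or here-document rather than from a file committed to the repository.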
|
### Common options

#### `-h, --help`

Show this help text.

#### `-J=<opt>`

\[Advanced] Give option to the JVM running the command.

(Beware that options containing spaces will not be handled correctly.)

#### `-v, --verbose`

Incrementally increase the number of progress messages printed.

#### `-q, --quiet`

Incrementally decrease the number of progress messages printed.

#### `--verbosity=<level>`

\[Advanced] Explicitly set the verbosity level to one of errors,
warnings, progress, progress+, progress++, progress+++. Overrides `-v`
and `-q`.

#### `--logdir=<dir>`

\[Advanced] Write detailed logs to one or more files in the given
directory, with generated names that include timestamps and the name of
the running subcommand.

(To write a log file with a name you have full control over, instead
give `--log-to-stderr` and redirect stderr as desired.)

#### `--common-caches=<dir>`

\[Advanced] Controls the location of cached data on disk that will
persist between several runs of the CLI, such as downloaded QL packs and
compiled query plans. If not set explicitly, this defaults to a
directory named `.codeql` in the user's home directory; it will be
created if it doesn't already exist.

Available since `v2.15.2`.
|