From cf1a0771f27560002d59555d1f8638f41ccc3f2f Mon Sep 17 00:00:00 2001
From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>
Date: Sun, 27 Jul 2025 13:28:21 +0200
Subject: [PATCH 1/2] refactor: even also check actions by CodeQL
---
 .github/workflows/99-codeql-analysis.yml | 42 ++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/99-codeql-analysis.yml b/.github/workflows/99-codeql-analysis.yml
index 9b816cea988d..8e809d6efb84 100644
--- a/.github/workflows/99-codeql-analysis.yml
+++ b/.github/workflows/99-codeql-analysis.yml
@@ -5,24 +5,62 @@ on: jobs: analyze: - name: Analyze + name: Analyze (${{ matrix.language }}) runs-on: ubuntu-24.04 # Use Ubuntu 24.04 explicitly strategy: fail-fast: false matrix: - language: ["javascript"] + include: + - language: actions + build-mode: none + - language: javascript-typescript + build-mode: none + # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read steps: - name: ⏬ Checkout repo uses: actions/checkout@v4 + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. 
+ # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version-file: ".nvmrc" + + - name: Install dependencies + run: npm ci + - name: 🔄 Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality - name: 🔨 Autobuild uses: github/codeql-action/autobuild@v3 - name: 🔎 Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" From 7fbc32643e2f71e6a526a4baf63145136a4fc3ca Mon Sep 17 00:00:00 2001 From: Maximilian Franzke <787658+mfranzke@users.noreply.github.com> Date: Sun, 27 Jul 2025 17:54:32 +0200 Subject: [PATCH 2/2] Update 99-codeql-analysis.yml --- .github/workflows/99-codeql-analysis.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/99-codeql-analysis.yml b/.github/workflows/99-codeql-analysis.yml index 8e809d6efb84..9a67d8e7780a 100644 --- a/.github/workflows/99-codeql-analysis.yml +++ b/.github/workflows/99-codeql-analysis.yml @@ -25,9 +25,6 @@ jobs: # required for all workflows security-events: write - # required to fetch internal or private CodeQL packs - packages: read - steps: - name: ⏬ Checkout repo uses: actions/checkout@v4
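Review bot: The new `Install dependencies` step runs `npm ci`, which executes package lifecycle scripts, inside a job whose token now carries `security-events: write`, and with the `actions/checkout@v4` default of persisting credentials that token is readable from the checked-out workspace; neither matrix entry needs the install, since `build-mode: none` lets the JavaScript/TypeScript extractor work from source without `node_modules` and the `actions` entry has nothing to install. Drop the `Setup Node.js` and `Install dependencies` steps, or if they must stay, set `persist-credentials: false` on the checkout and run `npm ci --ignore-scripts` so third-party install hooks cannot reach the token. The `🔨 Autobuild` step is likewise redundant once both entries declare `build-mode: none`; remove it or guard it with `if: matrix.build-mode == 'autobuild'`. Because a job-level `permissions:` block sets every unlisted scope to none, `contents: read` (and `actions: read`) may also need listing if the repository is private or the workflow-level permissions, which are outside this hunk, do not grant them.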