ci(codeql): enable for github actions (#448)

Author: ReenigneArcher

.github/workflows/ci-docker.yml

@@ -19,13 +19,20 @@
 #    GitHub runner.
 
 name: CI Docker
+permissions:
+  contents: read
 
 on:
   pull_request:
-    branches: [master]
-    types: [opened, synchronize, reopened]
+    branches:
+      - master
+    types:
+      - opened
+      - synchronize
+      - reopened
   push:
-    branches: [master]
+    branches:
+      - master
   workflow_dispatch:
 
 concurrency:
@@ -97,10 +104,9 @@ jobs:
       solution: ${{ steps.find_dotnet.outputs.solution }}
 
   setup_release:
-    if: ${{ needs.check_dockerfiles.outputs.dockerfiles }}
     name: Setup Release
-    needs:
-      - check_dockerfiles
+    if: needs.check_dockerfiles.outputs.dockerfiles
+    needs: check_dockerfiles
     outputs:
       publish_release: ${{ steps.setup_release.outputs.publish_release }}
       release_body: ${{ steps.setup_release.outputs.release_body }}
@@ -121,17 +127,18 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
   docker:
-    needs: [check_dockerfiles, setup_release]
-    if: ${{ needs.check_dockerfiles.outputs.dockerfiles }}
-    runs-on: ubuntu-22.04
+    name: Docker${{ matrix.tag }}
+    if: needs.check_dockerfiles.outputs.dockerfiles
+    needs:
+      - check_dockerfiles
+      - setup_release
     permissions:
       packages: write
       contents: write
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.check_dockerfiles.outputs.matrix) }}
-    name: Docker${{ matrix.tag }}
-
     steps:
       - name: Maximize build space
         uses: easimon/maximize-build-space@v10
@@ -256,22 +263,22 @@ jobs:
             Docker-buildx${{ matrix.tag }}-
 
       - name: Log in to Docker Hub
-        if: ${{ needs.setup_release.outputs.publish_release == 'true' }}  # PRs do not have access to secrets
+        if: needs.setup_release.outputs.publish_release == 'true'  # PRs do not have access to secrets
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: Log in to the Container registry
-        if: ${{ needs.setup_release.outputs.publish_release == 'true' }}  # PRs do not have access to secrets
+        if: needs.setup_release.outputs.publish_release == 'true'  # PRs do not have access to secrets
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ secrets.GH_BOT_NAME }}
           password: ${{ secrets.GH_BOT_TOKEN }}
 
       - name: Build artifacts
-        if: ${{ steps.prepare.outputs.artifacts == 'true' }}
+        if: steps.prepare.outputs.artifacts == 'true'
         id: build_artifacts
         uses: docker/build-push-action@v6
         with:
@@ -314,7 +321,7 @@ jobs:
           no-cache-filters: ${{ steps.prepare.outputs.no_cache_filters }}
 
       - name: Arrange Artifacts
-        if: ${{ steps.prepare.outputs.artifacts == 'true' }}
+        if: steps.prepare.outputs.artifacts == 'true'
         working-directory: artifacts
         run: |
           # debug directory
@@ -336,14 +343,16 @@ jobs:
           rm -f ./provenance.json
 
       - name: Upload Artifacts
-        if: ${{ steps.prepare.outputs.artifacts == 'true' }}
+        if: steps.prepare.outputs.artifacts == 'true'
         uses: actions/upload-artifact@v4
         with:
           name: Docker${{ matrix.tag }}
           path: artifacts/
 
       - name: Create/Update GitHub Release
-        if: ${{ needs.setup_release.outputs.publish_release == 'true' && steps.prepare.outputs.artifacts == 'true' }}
+        if: >
+          needs.setup_release.outputs.publish_release == 'true' &&
+          steps.prepare.outputs.artifacts == 'true'
         uses: LizardByte/create-release-action@v2025.102.13208
         with:
           allowUpdates: true
@@ -356,7 +365,9 @@ jobs:
           token: ${{ secrets.GH_BOT_TOKEN }}
 
       - name: Update Docker Hub Description
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+        if: >
+          github.event_name == 'push' &&
+          github.ref == 'refs/heads/master'
         uses: peter-evans/dockerhub-description@v4
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}

.github/workflows/cla-gist-replicator.yml

@@ -3,10 +3,13 @@
 # required for CLA Assistant.
 
 name: CLA gist replicator
+permissions:
+  contents: read
 
 on:
   push:
-    branches: [master]
+    branches:
+      - master
     paths:
       - "cla/**"
   workflow_dispatch:
@@ -15,7 +18,6 @@ jobs:
   replicate_cla:
     name: Replicate CLA
     runs-on: ubuntu-latest
-
     strategy:  # the action doesn't currently support multiple files
       fail-fast: true  # false to run all, true to fail entire job if any fail
       max-parallel: 1  # let's update files one by one to avoid complications
@@ -24,7 +26,6 @@ jobs:
           - file_path: 'cla/CLA'
           - file_path: 'cla/CLA-entity'
           - file_path: 'cla/metadata'
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/codeql.yml

@@ -6,12 +6,16 @@
 # This workflow will analyze all supported languages in the repository using CodeQL Analysis.
 
 name: "CodeQL"
+permissions:
+  contents: read
 
 on:
   push:
-    branches: ["master"]
+    branches:
+      - master
   pull_request:
-    branches: ["master"]
+    branches:
+      - master
   schedule:
     - cron: '00 12 * * 0'  # every Sunday at 12:00 UTC
 
@@ -22,14 +26,17 @@ concurrency:
 jobs:
   languages:
     name: Get language matrix
-    runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.lang.outputs.result }}
       continue: ${{ steps.continue.outputs.result }}
+    runs-on: ubuntu-latest
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: Get repo languages
-        uses: actions/github-script@v7
         id: lang
+        uses: actions/github-script@v7
         with:
           script: |
             // CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift']
@@ -54,6 +61,21 @@ jobs:
             // Track languages we've already added to avoid duplicates
             const addedLanguages = new Set()
 
+            // Check if workflow files exist to determine if we should add actions language
+            const fs = require('fs');
+            const hasYmlFiles = fs.existsSync('.github/workflows') &&
+            fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml'));
+
+            // Add actions language if workflow files exist
+            if (hasYmlFiles) {
+              console.log('Found GitHub Actions workflow files. Adding actions to the matrix.');
+              matrix['include'].push({
+                "language": "actions",
+                "os": "ubuntu-latest",
+                "name": "actions"
+              });
+            }
+
             for (let [key, value] of Object.entries(response.data)) {
               // remap language
               if (remap_languages[key.toLowerCase()]) {
@@ -94,8 +116,8 @@ jobs:
             return matrix
 
       - name: Continue
-        uses: actions/github-script@v7
         id: continue
+        uses: actions/github-script@v7
         with:
           script: |
             // if matrix['include'] is an empty list return false, otherwise true
@@ -109,24 +131,22 @@ jobs:
 
   analyze:
     name: Analyze (${{ matrix.name }})
-    if: ${{ needs.languages.outputs.continue == 'true' }}
+    if: needs.languages.outputs.continue == 'true'
     defaults:
       run:
         shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }}
     env:
       GITHUB_CODEQL_BUILD: true
-    needs: [languages]
-    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
-    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    needs: languages
     permissions:
       actions: read
       contents: read
       security-events: write
-
+    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.languages.outputs.matrix) }}
-
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
     steps:
       - name: Maximize build space
         if: >-

.github/workflows/common-lint.yml

@@ -6,11 +6,17 @@
 # Common linting.
 
 name: common lint
+permissions:
+  contents: read
 
 on:
   pull_request:
-    branches: [master]
-    types: [opened, synchronize, reopened]
+    branches:
+      - master
+    types:
+      - opened
+      - synchronize
+      - reopened
 
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
@@ -263,5 +269,4 @@ jobs:
 
       - name: YAML - log
         if: always() && steps.yamllint.outcome == 'failure'
-        run: |
-          cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY
+        run: cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/global-replicator.yml

@@ -3,10 +3,13 @@
 # repos.
 
 name: Global replicator
+permissions:
+  contents: read
 
 on:
   push:
-    branches: [master]  # only files that changed in the commit will be replicated, unless using `workflow_dispatch`
+    branches:
+      - master  # only files that changed in the commit will be replicated, unless using `workflow_dispatch`
   workflow_dispatch:
     inputs:
       repo_name:
@@ -18,18 +21,16 @@ on:
 
 jobs:
   replicate:
-    runs-on: ubuntu-latest
     name: Replicate files
     env:
       BOT_BRANCH_NAME: 'bot/update-files-from-global-repo'
       COMMIT_MESSAGE: 'chore: update global workflows'
       REPOS_TO_IGNORE: >-
         homebrew-core,
         winget-pkgs,
-        Virtual-Gamepad-Emulation-Bus,
         Virtual-Gamepad-Emulation-Client,
         Virtual-Gamepad-Emulation-dotnet
-
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/issues-stale.yml

@@ -6,6 +6,7 @@
 # Manage stale issues and PRs.
 
 name: Stale Issues / PRs
+permissions: {}
 
 on:
   schedule:
@@ -14,6 +15,7 @@ on:
 
 jobs:
   setup-matrix:
+    name: Setup Matrix
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.set-matrix.outputs.result }}
@@ -35,8 +37,8 @@ jobs:
             return matrix
 
   test-matrix:
-    if: github.event_name == 'workflow_dispatch'
     name: Test Matrix - ${{ matrix.repo }}
+    if: github.event_name == 'workflow_dispatch'
     needs: setup-matrix
     runs-on: ubuntu-latest
     strategy:
@@ -47,8 +49,8 @@ jobs:
         run: echo ${{ matrix.repo }}
 
   stale:
-    if: github.event_name == 'schedule'
     name: Check Stale Issues / PRs
+    if: github.event_name == 'schedule'
     needs: setup-matrix
     runs-on: ubuntu-latest
     strategy:

.github/workflows/issues.yml

@@ -6,12 +6,17 @@
 # Label and un-label actions using `../label-actions.yml`.
 
 name: Issues
+permissions: {}
 
 on:
   issues:
-    types: [labeled, unlabeled]
+    types:
+      - labeled
+      - unlabeled
   discussion:
-    types: [labeled, unlabeled]
+    types:
+      - labeled
+      - unlabeled
 
 jobs:
   label:

.github/workflows/patch_missing_releases.yml

@@ -5,14 +5,15 @@
 # It was discovered that the releases will re-appear if they are manually "edited".
 
 name: Patch Missing Releases
+permissions: {}
+
 on:
   workflow_dispatch:
 
 jobs:
   patch_missing_releases:
     name: Patch Missing Releases
     runs-on: ubuntu-latest
-
     steps:
       - name: Patch
         uses: actions/github-script@v7