
Commit a8c37b6

ci(codeql): enable for github actions (#448)
1 parent 0e0326d commit a8c37b6

13 files changed

+125
-64
lines changed

.github/workflows/ci-docker.yml

Lines changed: 29 additions & 18 deletions
@@ -19,13 +19,20 @@
1919
# GitHub runner.
2020

2121
name: CI Docker
22+
permissions:
23+
contents: read
2224

2325
on:
2426
pull_request:
25-
branches: [master]
26-
types: [opened, synchronize, reopened]
27+
branches:
28+
- master
29+
types:
30+
- opened
31+
- synchronize
32+
- reopened
2733
push:
28-
branches: [master]
34+
branches:
35+
- master
2936
workflow_dispatch:
3037

3138
concurrency:
@@ -97,10 +104,9 @@ jobs:
97104
solution: ${{ steps.find_dotnet.outputs.solution }}
98105

99106
setup_release:
100-
if: ${{ needs.check_dockerfiles.outputs.dockerfiles }}
101107
name: Setup Release
102-
needs:
103-
- check_dockerfiles
108+
if: needs.check_dockerfiles.outputs.dockerfiles
109+
needs: check_dockerfiles
104110
outputs:
105111
publish_release: ${{ steps.setup_release.outputs.publish_release }}
106112
release_body: ${{ steps.setup_release.outputs.release_body }}
@@ -121,17 +127,18 @@ jobs:
121127
github_token: ${{ secrets.GITHUB_TOKEN }}
122128

123129
docker:
124-
needs: [check_dockerfiles, setup_release]
125-
if: ${{ needs.check_dockerfiles.outputs.dockerfiles }}
126-
runs-on: ubuntu-22.04
130+
name: Docker${{ matrix.tag }}
131+
if: needs.check_dockerfiles.outputs.dockerfiles
132+
needs:
133+
- check_dockerfiles
134+
- setup_release
127135
permissions:
128136
packages: write
129137
contents: write
138+
runs-on: ubuntu-22.04
130139
strategy:
131140
fail-fast: false
132141
matrix: ${{ fromJson(needs.check_dockerfiles.outputs.matrix) }}
133-
name: Docker${{ matrix.tag }}
134-
135142
steps:
136143
- name: Maximize build space
137144
uses: easimon/maximize-build-space@v10
@@ -256,22 +263,22 @@ jobs:
256263
Docker-buildx${{ matrix.tag }}-
257264
258265
- name: Log in to Docker Hub
259-
if: ${{ needs.setup_release.outputs.publish_release == 'true' }} # PRs do not have access to secrets
266+
if: needs.setup_release.outputs.publish_release == 'true' # PRs do not have access to secrets
260267
uses: docker/login-action@v3
261268
with:
262269
username: ${{ secrets.DOCKER_HUB_USERNAME }}
263270
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
264271

265272
- name: Log in to the Container registry
266-
if: ${{ needs.setup_release.outputs.publish_release == 'true' }} # PRs do not have access to secrets
273+
if: needs.setup_release.outputs.publish_release == 'true' # PRs do not have access to secrets
267274
uses: docker/login-action@v3
268275
with:
269276
registry: ghcr.io
270277
username: ${{ secrets.GH_BOT_NAME }}
271278
password: ${{ secrets.GH_BOT_TOKEN }}
272279

273280
- name: Build artifacts
274-
if: ${{ steps.prepare.outputs.artifacts == 'true' }}
281+
if: steps.prepare.outputs.artifacts == 'true'
275282
id: build_artifacts
276283
uses: docker/build-push-action@v6
277284
with:
@@ -314,7 +321,7 @@ jobs:
314321
no-cache-filters: ${{ steps.prepare.outputs.no_cache_filters }}
315322

316323
- name: Arrange Artifacts
317-
if: ${{ steps.prepare.outputs.artifacts == 'true' }}
324+
if: steps.prepare.outputs.artifacts == 'true'
318325
working-directory: artifacts
319326
run: |
320327
# debug directory
@@ -336,14 +343,16 @@ jobs:
336343
rm -f ./provenance.json
337344
338345
- name: Upload Artifacts
339-
if: ${{ steps.prepare.outputs.artifacts == 'true' }}
346+
if: steps.prepare.outputs.artifacts == 'true'
340347
uses: actions/upload-artifact@v4
341348
with:
342349
name: Docker${{ matrix.tag }}
343350
path: artifacts/
344351

345352
- name: Create/Update GitHub Release
346-
if: ${{ needs.setup_release.outputs.publish_release == 'true' && steps.prepare.outputs.artifacts == 'true' }}
353+
if: >
354+
needs.setup_release.outputs.publish_release == 'true' &&
355+
steps.prepare.outputs.artifacts == 'true'
347356
uses: LizardByte/create-release-action@v2025.102.13208
348357
with:
349358
allowUpdates: true
@@ -356,7 +365,9 @@ jobs:
356365
token: ${{ secrets.GH_BOT_TOKEN }}
357366

358367
- name: Update Docker Hub Description
359-
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
368+
if: >
369+
github.event_name == 'push' &&
370+
github.ref == 'refs/heads/master'
360371
uses: peter-evans/dockerhub-description@v4
361372
with:
362373
username: ${{ secrets.DOCKER_HUB_USERNAME }}
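Review bot: The multi-line conditions introduced as `if: >` on the "Create/Update GitHub Release" and "Update Docker Hub Description" steps use the clip chomping indicator, so the folded expression keeps a trailing newline; `if: >-` strips it and matches the `if: >-` form this same commit leaves in place in codeql.yml. The new top-level `permissions: contents: read` also now governs `setup_release`, which declares no job-level `permissions:` in the visible hunk while its step receives `github_token: ${{ secrets.GITHUB_TOKEN }}`; if that step needs anything beyond read access it will now fail, so confirm against the job's steps, which lie outside this hunk. The `docker` job keeps its pre-existing `packages: write` / `contents: write`, which is consistent with the release and registry push steps shown.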

.github/workflows/cla-gist-replicator.yml

Lines changed: 4 additions & 3 deletions
@@ -3,10 +3,13 @@
33
# required for CLA Assistant.
44

55
name: CLA gist replicator
6+
permissions:
7+
contents: read
68

79
on:
810
push:
9-
branches: [master]
11+
branches:
12+
- master
1013
paths:
1114
- "cla/**"
1215
workflow_dispatch:
@@ -15,7 +18,6 @@ jobs:
1518
replicate_cla:
1619
name: Replicate CLA
1720
runs-on: ubuntu-latest
18-
1921
strategy: # the action doesn't currently support multiple files
2022
fail-fast: true # false to run all, true to fail entire job if any fail
2123
max-parallel: 1 # let's update files one by one to avoid complications
@@ -24,7 +26,6 @@ jobs:
2426
- file_path: 'cla/CLA'
2527
- file_path: 'cla/CLA-entity'
2628
- file_path: 'cla/metadata'
27-
2829
steps:
2930
- name: Checkout repository
3031
uses: actions/checkout@v4

.github/workflows/codeql.yml

Lines changed: 31 additions & 11 deletions
@@ -6,12 +6,16 @@
66
# This workflow will analyze all supported languages in the repository using CodeQL Analysis.
77

88
name: "CodeQL"
9+
permissions:
10+
contents: read
911

1012
on:
1113
push:
12-
branches: ["master"]
14+
branches:
15+
- master
1316
pull_request:
14-
branches: ["master"]
17+
branches:
18+
- master
1519
schedule:
1620
- cron: '00 12 * * 0' # every Sunday at 12:00 UTC
1721

@@ -22,14 +26,17 @@ concurrency:
2226
jobs:
2327
languages:
2428
name: Get language matrix
25-
runs-on: ubuntu-latest
2629
outputs:
2730
matrix: ${{ steps.lang.outputs.result }}
2831
continue: ${{ steps.continue.outputs.result }}
32+
runs-on: ubuntu-latest
2933
steps:
34+
- name: Checkout repository
35+
uses: actions/checkout@v4
36+
3037
- name: Get repo languages
31-
uses: actions/github-script@v7
3238
id: lang
39+
uses: actions/github-script@v7
3340
with:
3441
script: |
3542
// CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift']
@@ -54,6 +61,21 @@ jobs:
5461
// Track languages we've already added to avoid duplicates
5562
const addedLanguages = new Set()
5663
64+
// Check if workflow files exist to determine if we should add actions language
65+
const fs = require('fs');
66+
const hasYmlFiles = fs.existsSync('.github/workflows') &&
67+
fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml'));
68+
69+
// Add actions language if workflow files exist
70+
if (hasYmlFiles) {
71+
console.log('Found GitHub Actions workflow files. Adding actions to the matrix.');
72+
matrix['include'].push({
73+
"language": "actions",
74+
"os": "ubuntu-latest",
75+
"name": "actions"
76+
});
77+
}
78+
5779
for (let [key, value] of Object.entries(response.data)) {
5880
// remap language
5981
if (remap_languages[key.toLowerCase()]) {
@@ -94,8 +116,8 @@ jobs:
94116
return matrix
95117
96118
- name: Continue
97-
uses: actions/github-script@v7
98119
id: continue
120+
uses: actions/github-script@v7
99121
with:
100122
script: |
101123
// if matrix['include'] is an empty list return false, otherwise true
@@ -109,24 +131,22 @@ jobs:
109131
110132
analyze:
111133
name: Analyze (${{ matrix.name }})
112-
if: ${{ needs.languages.outputs.continue == 'true' }}
134+
if: needs.languages.outputs.continue == 'true'
113135
defaults:
114136
run:
115137
shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }}
116138
env:
117139
GITHUB_CODEQL_BUILD: true
118-
needs: [languages]
119-
runs-on: ${{ matrix.os || 'ubuntu-latest' }}
120-
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
140+
needs: languages
121141
permissions:
122142
actions: read
123143
contents: read
124144
security-events: write
125-
145+
runs-on: ${{ matrix.os || 'ubuntu-latest' }}
126146
strategy:
127147
fail-fast: false
128148
matrix: ${{ fromJson(needs.languages.outputs.matrix) }}
129-
149+
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
130150
steps:
131151
- name: Maximize build space
132152
if: >-
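Review bot: The `hasYmlFiles` check added to the "Get repo languages" script is always true in this workflow, because codeql.yml itself lives in `.github/workflows` and is triggered by push/pull_request/schedule (no `workflow_call` is visible), so `actions` is unconditionally added to the matrix; either drop the `fs` probe or document why it is kept, e.g. `// Always true here; kept so the script stays correct if copied to a repo without this workflow layout`. If the intent is to cover repositories that ship composite actions (`action.yml`/`action.yaml`) outside `.github/workflows`, the directory test would presumably miss them — confirm against CodeQL's `actions` extractor scope. Stylistically the new lines end with semicolons (`const fs = require('fs');`) while the surrounding script omits them (`const addedLanguages = new Set()`), and `hasYmlFiles` also matches `.yaml`, so `hasWorkflowFiles` would read more accurately. The added `actions/checkout@v4` step is needed for the filesystem probe and runs under the new top-level `contents: read`, which is sufficient.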

.github/workflows/common-lint.yml

Lines changed: 9 additions & 4 deletions
@@ -6,11 +6,17 @@
66
# Common linting.
77

88
name: common lint
9+
permissions:
10+
contents: read
911

1012
on:
1113
pull_request:
12-
branches: [master]
13-
types: [opened, synchronize, reopened]
14+
branches:
15+
- master
16+
types:
17+
- opened
18+
- synchronize
19+
- reopened
1420

1521
concurrency:
1622
group: "${{ github.workflow }}-${{ github.ref }}"
@@ -263,5 +269,4 @@ jobs:
263269

264270
- name: YAML - log
265271
if: always() && steps.yamllint.outcome == 'failure'
266-
run: |
267-
cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY
272+
run: cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY
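Review bot: The collapsed `run:` line expands `${{ steps.yamllint.outputs.logfile }}` directly into the shell command and leaves `$GITHUB_STEP_SUMMARY` unquoted. The output comes from the workflow's own yamllint step rather than event data, so this is low risk, but the conventional hardening CodeQL's actions queries look for is to pass expressions through the environment: `env:` / `  LOGFILE: ${{ steps.yamllint.outputs.logfile }}` / `run: cat "$LOGFILE" >> "$GITHUB_STEP_SUMMARY"`. The enclosing job starts outside this hunk.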

.github/workflows/global-replicator.yml

Lines changed: 5 additions & 4 deletions
@@ -3,10 +3,13 @@
33
# repos.
44

55
name: Global replicator
6+
permissions:
7+
contents: read
68

79
on:
810
push:
9-
branches: [master] # only files that changed in the commit will be replicated, unless using `workflow_dispatch`
11+
branches:
12+
- master # only files that changed in the commit will be replicated, unless using `workflow_dispatch`
1013
workflow_dispatch:
1114
inputs:
1215
repo_name:
@@ -18,18 +21,16 @@ on:
1821

1922
jobs:
2023
replicate:
21-
runs-on: ubuntu-latest
2224
name: Replicate files
2325
env:
2426
BOT_BRANCH_NAME: 'bot/update-files-from-global-repo'
2527
COMMIT_MESSAGE: 'chore: update global workflows'
2628
REPOS_TO_IGNORE: >-
2729
homebrew-core,
2830
winget-pkgs,
29-
Virtual-Gamepad-Emulation-Bus,
3031
Virtual-Gamepad-Emulation-Client,
3132
Virtual-Gamepad-Emulation-dotnet
32-
33+
runs-on: ubuntu-latest
3334
steps:
3435
- name: Checkout repository
3536
uses: actions/checkout@v4
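Review bot: Removing `Virtual-Gamepad-Emulation-Bus,` from `REPOS_TO_IGNORE` is a behavioral change in the replicator, not a CodeQL or formatting change, and the commit message "ci(codeql): enable for github actions" does not mention it; presumably it causes global workflow files to start being pushed to that repository on the next master push. It would be clearer as its own commit or at least called out in the message so the change is traceable. The rest of the hunk (top-level `permissions: contents: read`, block-style `branches`, key reordering) is consistent with the other workflows in this commit.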

.github/workflows/issues-stale.yml

Lines changed: 4 additions & 2 deletions
@@ -6,6 +6,7 @@
66
# Manage stale issues and PRs.
77

88
name: Stale Issues / PRs
9+
permissions: {}
910

1011
on:
1112
schedule:
@@ -14,6 +15,7 @@ on:
1415

1516
jobs:
1617
setup-matrix:
18+
name: Setup Matrix
1719
runs-on: ubuntu-latest
1820
outputs:
1921
matrix: ${{ steps.set-matrix.outputs.result }}
@@ -35,8 +37,8 @@ jobs:
3537
return matrix
3638
3739
test-matrix:
38-
if: github.event_name == 'workflow_dispatch'
3940
name: Test Matrix - ${{ matrix.repo }}
41+
if: github.event_name == 'workflow_dispatch'
4042
needs: setup-matrix
4143
runs-on: ubuntu-latest
4244
strategy:
@@ -47,8 +49,8 @@ jobs:
4749
run: echo ${{ matrix.repo }}
4850

4951
stale:
50-
if: github.event_name == 'schedule'
5152
name: Check Stale Issues / PRs
53+
if: github.event_name == 'schedule'
5254
needs: setup-matrix
5355
runs-on: ubuntu-latest
5456
strategy:
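Review bot: With the new top-level `permissions: {}`, the `stale` job inherits a `GITHUB_TOKEN` with no scopes, so unless it declares job-level `permissions:` (e.g. `issues: write` / `pull-requests: write`) or authenticates with a PAT, the stale action cannot label or close anything; the job's steps are outside this hunk, so this cannot be confirmed here. The same applies to the `test-matrix` and `setup-matrix` jobs only if they call the API, and to the `label` job in issues.yml and the `Patch` step (`actions/github-script@v7`, whose default `github-token` is `GITHUB_TOKEN`) in patch_missing_releases.yml, which receive the same `permissions: {}` in this commit. If the jobs already use a PAT, a short comment such as `# GITHUB_TOKEN is unused; jobs authenticate with a PAT` next to `permissions: {}` would make the intent explicit.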

.github/workflows/issues.yml

Lines changed: 7 additions & 2 deletions
@@ -6,12 +6,17 @@
66
# Label and un-label actions using `../label-actions.yml`.
77

88
name: Issues
9+
permissions: {}
910

1011
on:
1112
issues:
12-
types: [labeled, unlabeled]
13+
types:
14+
- labeled
15+
- unlabeled
1316
discussion:
14-
types: [labeled, unlabeled]
17+
types:
18+
- labeled
19+
- unlabeled
1520

1621
jobs:
1722
label:

.github/workflows/patch_missing_releases.yml

Lines changed: 2 additions & 1 deletion
@@ -5,14 +5,15 @@
55
# It was discovered that the releases will re-appear if they are manually "edited".
66

77
name: Patch Missing Releases
8+
permissions: {}
9+
810
on:
911
workflow_dispatch:
1012

1113
jobs:
1214
patch_missing_releases:
1315
name: Patch Missing Releases
1416
runs-on: ubuntu-latest
15-
1617
steps:
1718
- name: Patch
1819
uses: actions/github-script@v7
