From 37a7a44a915f5d618eb78e606230cc9484146fce Mon Sep 17 00:00:00 2001 From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com> Date: Thu, 24 Apr 2025 19:45:40 -0400 Subject: [PATCH] ci(codeql): enable for github actions --- .github/workflows/ci-docker.yml | 47 ++++++++++++------- .github/workflows/cla-gist-replicator.yml | 7 +-- .github/workflows/codeql.yml | 42 ++++++++++++----- .github/workflows/common-lint.yml | 13 +++-- .github/workflows/global-replicator.yml | 9 ++-- .github/workflows/issues-stale.yml | 6 ++- .github/workflows/issues.yml | 9 +++- .github/workflows/patch_missing_releases.yml | 3 +- .github/workflows/release-notifier.yml | 13 +++-- .../workflows/renovate-config-validator.yml | 14 ++++-- .github/workflows/social-post.yml | 9 ++-- .github/workflows/update-changelog.yml | 8 +++- .github/workflows/update-docs.yml | 9 ++-- 13 files changed, 125 insertions(+), 64 deletions(-) diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index e66a3377..4e7c2393 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -19,13 +19,20 @@ # GitHub runner. name: CI Docker +permissions: + contents: read on: pull_request: - branches: [master] - types: [opened, synchronize, reopened] + branches: + - master + types: + - opened + - synchronize + - reopened push: - branches: [master] + branches: + - master workflow_dispatch: concurrency: @@ -97,10 +104,9 @@ jobs: solution: ${{ steps.find_dotnet.outputs.solution }} setup_release: - if: ${{ needs.check_dockerfiles.outputs.dockerfiles }} name: Setup Release - needs: - - check_dockerfiles + if: needs.check_dockerfiles.outputs.dockerfiles + needs: check_dockerfiles outputs: publish_release: ${{ steps.setup_release.outputs.publish_release }} release_body: ${{ steps.setup_release.outputs.release_body }} 
@@ -121,17 +127,18 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} docker: - needs: [check_dockerfiles, setup_release] - if: ${{ needs.check_dockerfiles.outputs.dockerfiles }} - runs-on: ubuntu-22.04 + name: Docker${{ matrix.tag }} + if: needs.check_dockerfiles.outputs.dockerfiles + needs: + - check_dockerfiles + - setup_release permissions: packages: write contents: write + runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: ${{ fromJson(needs.check_dockerfiles.outputs.matrix) }} - name: Docker${{ matrix.tag }} - steps: - name: Maximize build space uses: easimon/maximize-build-space@v10 @@ -256,14 +263,14 @@ jobs: Docker-buildx${{ matrix.tag }}- - name: Log in to Docker Hub - if: ${{ needs.setup_release.outputs.publish_release == 'true' }} # PRs do not have access to secrets + if: needs.setup_release.outputs.publish_release == 'true' # PRs do not have access to secrets uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Log in to the Container registry - if: ${{ needs.setup_release.outputs.publish_release == 'true' }} # PRs do not have access to secrets + if: needs.setup_release.outputs.publish_release == 'true' # PRs do not have access to secrets uses: docker/login-action@v3 with: registry: ghcr.io @@ -271,7 +278,7 @@ jobs: password: ${{ secrets.GH_BOT_TOKEN }} - name: Build artifacts - if: ${{ steps.prepare.outputs.artifacts == 'true' }} + if: steps.prepare.outputs.artifacts == 'true' id: build_artifacts uses: docker/build-push-action@v6 with: @@ -314,7 +321,7 @@ jobs: no-cache-filters: ${{ steps.prepare.outputs.no_cache_filters }} - name: Arrange Artifacts - if: ${{ steps.prepare.outputs.artifacts == 'true' }} + if: steps.prepare.outputs.artifacts == 'true' working-directory: artifacts run: | # debug directory 
@@ -336,14 +343,16 @@ jobs: rm -f ./provenance.json - name: Upload Artifacts - if: ${{ steps.prepare.outputs.artifacts == 'true' }} + if: steps.prepare.outputs.artifacts == 'true' uses: actions/upload-artifact@v4 with: name: Docker${{ matrix.tag }} path: artifacts/ - name: Create/Update GitHub Release - if: ${{ needs.setup_release.outputs.publish_release == 'true' && steps.prepare.outputs.artifacts == 'true' }} + if: > + needs.setup_release.outputs.publish_release == 'true' && + steps.prepare.outputs.artifacts == 'true' uses: LizardByte/create-release-action@v2025.102.13208 with: allowUpdates: true @@ -356,7 +365,9 @@ jobs: token: ${{ secrets.GH_BOT_TOKEN }} - name: Update Docker Hub Description - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + if: > + github.event_name == 'push' && + github.ref == 'refs/heads/master' uses: peter-evans/dockerhub-description@v4 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} diff --git a/.github/workflows/cla-gist-replicator.yml b/.github/workflows/cla-gist-replicator.yml index e16321a9..b8775568 100644 --- a/.github/workflows/cla-gist-replicator.yml +++ b/.github/workflows/cla-gist-replicator.yml @@ -3,10 +3,13 @@ # required for CLA Assistant. name: CLA gist replicator +permissions: + contents: read on: push: - branches: [master] + branches: + - master paths: - "cla/**" workflow_dispatch: @@ -15,7 +18,6 @@ jobs: replicate_cla: name: Replicate CLA runs-on: ubuntu-latest - strategy: # the action doesn't currently support multiple files fail-fast: true # false to run all, true to fail entire job if any fail max-parallel: 1 # let's update files one by one to avoid complications @@ -24,7 +26,6 @@ jobs: - file_path: 'cla/CLA' - file_path: 'cla/CLA-entity' - file_path: 'cla/metadata' - steps: - name: Checkout repository uses: actions/checkout@v4 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4fd5fa25..7fff77bd 100644 --- a/.github/workflows/codeql.yml 
+++ b/.github/workflows/codeql.yml @@ -6,12 +6,16 @@ # This workflow will analyze all supported languages in the repository using CodeQL Analysis. name: "CodeQL" +permissions: + contents: read on: push: - branches: ["master"] + branches: + - master pull_request: - branches: ["master"] + branches: + - master schedule: - cron: '00 12 * * 0' # every Sunday at 12:00 UTC @@ -22,14 +26,17 @@ concurrency: jobs: languages: name: Get language matrix - runs-on: ubuntu-latest outputs: matrix: ${{ steps.lang.outputs.result }} continue: ${{ steps.continue.outputs.result }} + runs-on: ubuntu-latest steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Get repo languages - uses: actions/github-script@v7 id: lang + uses: actions/github-script@v7 with: script: | // CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'] @@ -54,6 +61,21 @@ jobs: // Track languages we've already added to avoid duplicates const addedLanguages = new Set() + // Check if workflow files exist to determine if we should add actions language + const fs = require('fs'); + const hasYmlFiles = fs.existsSync('.github/workflows') && + fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml')); + + // Add actions language if workflow files exist + if (hasYmlFiles) { + console.log('Found GitHub Actions workflow files. Adding actions to the matrix.'); + matrix['include'].push({ + "language": "actions", + "os": "ubuntu-latest", + "name": "actions" + }); + } + for (let [key, value] of Object.entries(response.data)) { // remap language if (remap_languages[key.toLowerCase()]) { @@ -94,8 +116,8 @@ jobs: return matrix - name: Continue - uses: actions/github-script@v7 id: continue + uses: actions/github-script@v7 with: script: | // if matrix['include'] is an empty list return false, otherwise true 
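Review bot: The new `Checkout repository` step in the `languages` job exists only so the script can probe `.github/workflows` on disk, so it should not leave the job token in the checkout's git config; add `with:` / `persist-credentials: false` under `uses: actions/checkout@v4`. The job has no job-level `permissions:` block in this hunk, so it inherits the new top-level `contents: read`, which is all the checkout itself needs.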
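Review bot: The `hasYmlFiles` guard cannot be false in practice: the checkout step shows no `repository:` input, so the job runs from a checkout of the same repository, and this `codeql.yml` is itself a `.yml` under `.github/workflows`, so the `actions` entry is always pushed onto the matrix. Either push it unconditionally, or keep the probe and say why in a comment, e.g. `// always true when run from this repo; kept so the script stays reusable in repos with no workflows`. `readdirSync` is not recursive, which matches how GitHub only loads workflows from that directory's top level, so the probe is otherwise sound.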
@@ -109,24 +131,22 @@ jobs: analyze: name: Analyze (${{ matrix.name }}) - if: ${{ needs.languages.outputs.continue == 'true' }} + if: needs.languages.outputs.continue == 'true' defaults: run: shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }} env: GITHUB_CODEQL_BUILD: true - needs: [languages] - runs-on: ${{ matrix.os || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + needs: languages permissions: actions: read contents: read security-events: write - + runs-on: ${{ matrix.os || 'ubuntu-latest' }} strategy: fail-fast: false matrix: ${{ fromJson(needs.languages.outputs.matrix) }} - + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} steps: - name: Maximize build space if: >- diff --git a/.github/workflows/common-lint.yml b/.github/workflows/common-lint.yml index 10692ad9..77862b88 100644 --- a/.github/workflows/common-lint.yml +++ b/.github/workflows/common-lint.yml @@ -6,11 +6,17 @@ # Common linting. name: common lint +permissions: + contents: read on: pull_request: - branches: [master] - types: [opened, synchronize, reopened] + branches: + - master + types: + - opened + - synchronize + - reopened concurrency: group: "${{ github.workflow }}-${{ github.ref }}" @@ -263,5 +269,4 @@ jobs: - name: YAML - log if: always() && steps.yamllint.outcome == 'failure' - run: | - cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY + run: cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/global-replicator.yml b/.github/workflows/global-replicator.yml index 0eeedd8f..9d72d42b 100644 --- a/.github/workflows/global-replicator.yml +++ b/.github/workflows/global-replicator.yml 
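Review bot: The collapsed `run:` line still splices `${{ steps.yamllint.outputs.logfile }}` straight into the shell command, which is the pattern CodeQL's actions injection queries look for; since this commit is turning those queries on, pass the value through the environment instead: `env:` / `LOGFILE: ${{ steps.yamllint.outputs.logfile }}` and `run: cat "$LOGFILE" >> "$GITHUB_STEP_SUMMARY"`. The risk here is low because the path comes from the workflow's own yamllint step, so this is a consistency point rather than a vulnerability.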
@@ -3,10 +3,13 @@ # repos. name: Global replicator +permissions: + contents: read on: push: - branches: [master] # only files that changed in the commit will be replicated, unless using `workflow_dispatch` + branches: + - master # only files that changed in the commit will be replicated, unless using `workflow_dispatch` workflow_dispatch: inputs: repo_name: @@ -18,7 +21,6 @@ on: jobs: replicate: - runs-on: ubuntu-latest name: Replicate files env: BOT_BRANCH_NAME: 'bot/update-files-from-global-repo' @@ -26,10 +28,9 @@ jobs: REPOS_TO_IGNORE: >- homebrew-core, winget-pkgs, - Virtual-Gamepad-Emulation-Bus, Virtual-Gamepad-Emulation-Client, Virtual-Gamepad-Emulation-dotnet - + runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v4 diff --git a/.github/workflows/issues-stale.yml b/.github/workflows/issues-stale.yml index 2b404ca8..c12606f2 100644 --- a/.github/workflows/issues-stale.yml +++ b/.github/workflows/issues-stale.yml @@ -6,6 +6,7 @@ # Manage stale issues and PRs. name: Stale Issues / PRs +permissions: {} on: schedule: @@ -14,6 +15,7 @@ on: jobs: setup-matrix: + name: Setup Matrix runs-on: ubuntu-latest outputs: matrix: ${{ steps.set-matrix.outputs.result }} @@ -35,8 +37,8 @@ jobs: return matrix test-matrix: - if: github.event_name == 'workflow_dispatch' name: Test Matrix - ${{ matrix.repo }} + if: github.event_name == 'workflow_dispatch' needs: setup-matrix runs-on: ubuntu-latest strategy: @@ -47,8 +49,8 @@ jobs: run: echo ${{ matrix.repo }} stale: - if: github.event_name == 'schedule' name: Check Stale Issues / PRs + if: github.event_name == 'schedule' needs: setup-matrix runs-on: ubuntu-latest strategy: diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index aec6006c..44edba6e 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml 
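Review bot: Dropping `Virtual-Gamepad-Emulation-Bus,` from `REPOS_TO_IGNORE` is a behavioural change — that repository will receive replicated files on the next push to master — and nothing in the subject `ci(codeql): enable for github actions` or the description signals it. Split it into its own commit or state the intent in the description so it is not lost among the formatting edits in this hunk, which otherwise only moves `runs-on` and removes a blank line.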
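Review bot: `permissions: {}` strips every scope from the default `GITHUB_TOKEN`, and no job-level `permissions:` appears in the `test-matrix:` or `stale:` hunks of this file, so if the `stale` job's steps (outside this hunk) rely on `secrets.GITHUB_TOKEN` to label or close issues they will now be denied; either confirm a PAT is used for the matrixed repos, or grant `permissions:` / `issues: write` / `pull-requests: write` on the `stale` job. The same question applies to the `permissions: {}` added to `issues.yml` (the `label` job changes labels) and `patch_missing_releases.yml` (the `Patch` github-script edits releases). Jobs in the files that now get `contents: read` but push commits or open PRs (update-changelog, global-replicator, release-notifier) need the same check against the new default.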
@@ -6,12 +6,17 @@ # Label and un-label actions using `../label-actions.yml`. name: Issues +permissions: {} on: issues: - types: [labeled, unlabeled] + types: + - labeled + - unlabeled discussion: - types: [labeled, unlabeled] + types: + - labeled + - unlabeled jobs: label: diff --git a/.github/workflows/patch_missing_releases.yml b/.github/workflows/patch_missing_releases.yml index 58033b26..77be163f 100644 --- a/.github/workflows/patch_missing_releases.yml +++ b/.github/workflows/patch_missing_releases.yml @@ -5,6 +5,8 @@ # It was discovered that the releases will re-appear if they are manually "edited". name: Patch Missing Releases +permissions: {} + on: workflow_dispatch: @@ -12,7 +14,6 @@ jobs: patch_missing_releases: name: Patch Missing Releases runs-on: ubuntu-latest - steps: - name: Patch uses: actions/github-script@v7 diff --git a/.github/workflows/release-notifier.yml b/.github/workflows/release-notifier.yml index 71ac344e..bf3bc19f 100644 --- a/.github/workflows/release-notifier.yml +++ b/.github/workflows/release-notifier.yml @@ -6,6 +6,8 @@ # Create a blog post for a new release and open a PR to the blog repo name: Release Notifications +permissions: + contents: read on: release: @@ -14,8 +16,8 @@ on: jobs: update-blog: - if: >- - github.repository_owner == 'LizardByte' + name: Update blog + if: github.repository_owner == 'LizardByte' runs-on: ubuntu-latest steps: - name: Check topics @@ -41,8 +43,7 @@ jobs: - name: Check if latest GitHub release id: check-release - if: >- - steps.check-label.outputs.hasTopic == 'true' + if: steps.check-label.outputs.hasTopic == 'true' uses: actions/github-script@v7 with: script: | @@ -128,9 +129,7 @@ jobs: steps.check-label.outputs.hasTopic == 'true' && steps.check-release.outputs.isLatestRelease == 'true' run: | - gh \ - pr \ - merge \ + gh pr merge \ --auto \ --delete-branch \ --repo "LizardByte/LizardByte.github.io" \ 
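Review bot: `gh pr merge ... --repo "LizardByte/LizardByte.github.io"` targets a different repository, which the default `GITHUB_TOKEN` can never merge into regardless of the new top-level `contents: read`; the `env:` that supplies `GH_TOKEN` for this step is above the hunk, so confirm it is a PAT or app token scoped to the blog repo rather than `secrets.GITHUB_TOKEN`. The step's `name:` and `env:` begin outside the hunk.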
diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml index 532d9bea..1d023370 100644 --- a/.github/workflows/renovate-config-validator.yml +++ b/.github/workflows/renovate-config-validator.yml @@ -6,11 +6,17 @@ # Validate Renovate config files. name: renovate config validator +permissions: + contents: read on: pull_request: - branches: [master] - types: [opened, synchronize, reopened] + branches: + - master + types: + - opened + - synchronize + - reopened concurrency: group: "${{ github.workflow }}-${{ github.ref }}" @@ -34,11 +40,11 @@ jobs: echo found=${files} >> $GITHUB_OUTPUT - name: Install npm dependencies - if: ${{ steps.find-files.outputs.found != '' }} + if: steps.find-files.outputs.found != '' run: npm install --global renovate - name: renovate config validator - if: ${{ steps.find-files.outputs.found != '' }} + if: steps.find-files.outputs.found != '' run: | # disable error exit code set +e diff --git a/.github/workflows/social-post.yml b/.github/workflows/social-post.yml index ad3af49e..8e4051c8 100644 --- a/.github/workflows/social-post.yml +++ b/.github/workflows/social-post.yml @@ -2,6 +2,7 @@ # Send social media post to various platforms. name: Social Media Post +permissions: {} on: workflow_dispatch: @@ -44,7 +45,7 @@ on: jobs: discord: - if: ${{ inputs.discord }} + if: inputs.discord runs-on: ubuntu-latest steps: - name: discord @@ -61,7 +62,7 @@ jobs: webhook: ${{ secrets.DISCORD_RELEASE_WEBHOOK }} facebook_page: - if: ${{ inputs.facebook_page }} + if: inputs.facebook_page runs-on: ubuntu-latest steps: - name: facebook-post-action @@ -76,7 +77,7 @@ jobs: url: ${{ inputs.url }} reddit: - if: ${{ inputs.reddit }} + if: inputs.reddit runs-on: ubuntu-latest steps: - name: reddit @@ -93,7 +94,7 @@ jobs: comment: ${{ inputs.body }} x: - if: ${{ inputs.x }} + if: inputs.x runs-on: ubuntu-latest steps: - name: x 
diff --git a/.github/workflows/update-changelog.yml b/.github/workflows/update-changelog.yml index 3c095fcf..a5c6cefc 100644 --- a/.github/workflows/update-changelog.yml +++ b/.github/workflows/update-changelog.yml @@ -6,10 +6,15 @@ # Update changelog on release events. name: Update changelog +permissions: + contents: read on: release: - types: [created, edited, deleted] + types: + - created + - edited + - deleted workflow_dispatch: concurrency: @@ -18,6 +23,7 @@ concurrency: jobs: update-changelog: + name: Update Changelog if: >- github.event_name == 'workflow_dispatch' || (!github.event.release.prerelease && !github.event.release.draft) diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index ba84de86..572cf3a0 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -10,10 +10,14 @@ # Update readthedocs on release events. name: Update docs +permissions: {} on: release: - types: [created, edited, deleted] + types: + - created + - edited + - deleted concurrency: group: "${{ github.workflow }}-${{ github.event.release.tag_name }}" @@ -73,8 +77,7 @@ jobs: - name: Update RTD project # changing the default branch in readthedocs makes "latest" point to that branch/tag # we can also update other properties like description, etc. - if: >- - steps.check.outputs.isLatestRelease == 'true' + if: steps.check.outputs.isLatestRelease == 'true' run: | json_body=$(jq -n \ --arg default_branch "${TAG}" \