From cf9e3414bd1146cf29e56ad0e8e22b9128eabc23 Mon Sep 17 00:00:00 2001 From: Ghost Scripter Date: Mon, 6 Apr 2026 22:20:18 +0530 Subject: [PATCH 1/2] chore(ci): add CodeQL security analysis workflow Enable GitHub CodeQL static analysis for javascript-typescript on push/PR to main and weekly schedule to catch security vulnerabilities automatically. Co-Authored-By: Claude Opus 4.6 (1M context)
---
.github/workflows/codeql.yml | 50 ++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..d5ea1bde
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,50 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ # Weekly drift scan — Sundays at 04:30 UTC
+ - cron: '30 4 * * 0'
+
+permissions:
+ contents: read
+ security-events: write
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [javascript-typescript]
+ # Rust is not yet supported by CodeQL.
+ # Add more languages here when needed (e.g. python).
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # Use the extended query suite for broader coverage including
+ # quality, maintainability, and additional security queries.
+ queries: security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: '/language:${{ matrix.language }}'
From 03742d9fe95294fee6f68b4e6b02b683d1ca66ee Mon Sep 17 00:00:00 2001
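Review bot: `queries: security-and-quality` is applied to the `pull_request` trigger as well as to the weekly schedule, and by the hunk's own comment it adds quality and maintainability queries on top of the security ones, so every PR will surface non-security alerts and, depending on the alert-severity threshold configured for the code-scanning check, can fail on them. If the PR check is meant to be a security gate, the narrower one-line change is `queries: security-extended`, keeping `security-and-quality` for the scheduled drift scan via a conditional `queries:` value. Whichever suite is kept, the comment should say why the PR-blocking consequences are acceptable rather than just describing the suite.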
From: Ghost Scripter Date: Mon, 6 Apr 2026 22:44:37 +0530 Subject: [PATCH 2/2] fix(ci): align CodeQL workflow with repo languages and v4 actions - Scan actions, javascript-typescript, and rust (drop unused ruby) - Use build-mode: none for all languages, remove autobuild step - Bump codeql-action to v4, add security-and-quality query suite Co-Authored-By: Claude Opus 4.6 (1M context)
---
.github/workflows/codeql.yml | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d5ea1bde..adb05a64 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -6,12 +6,14 @@ on:
 pull_request:
 branches: [main]
 schedule:
- # Weekly drift scan — Sundays at 04:30 UTC
- - cron: '30 4 * * 0'
+ # Weekly drift scan — Saturdays at 09:37 UTC
+ - cron: '37 9 * * 6'
 
 permissions:
 contents: read
 security-events: write
+ packages: read
+ actions: read
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
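Review bot: The new `packages: read` and `actions: read` grants in the `permissions:` block come with no justification, and nothing visible in the workflow needs them: `security-and-quality` is a built-in suite, and no step pulls a CodeQL pack from a registry or reads other workflow runs. GitHub's CodeQL starter template adds `packages: read` only to fetch private or internal CodeQL packs and `actions: read` only for private repositories, so if neither applies here the two lines should be dropped to keep the token at least privilege; if one does apply, say so inline, `packages: read  # only needed to fetch private/internal CodeQL packs` and `actions: read  # needed for workflows in private repositories`. The `concurrency:` block at the end of the hunk continues past it.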
@@ -25,26 +27,27 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- language: [javascript-typescript]
- # Rust is not yet supported by CodeQL.
- # Add more languages here when needed (e.g. python).
+ include:
+ - language: actions
+ build-mode: none
+ - language: javascript-typescript
+ build-mode: none
+ - language: rust
+ build-mode: none
+ # Ruby excluded — only a single Homebrew formula file exists.
 
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
 
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: ${{ matrix.language }}
- # Use the extended query suite for broader coverage including
- # quality, maintainability, and additional security queries.
+ build-mode: ${{ matrix.build-mode }}
 queries: security-and-quality
 
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
-
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
 with:
 category: '/language:${{ matrix.language }}'
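Review bot: The `uses: github/codeql-action/init@v4` and `uses: github/codeql-action/analyze@v4` references this hunk introduces, like the unchanged `actions/checkout@v4` beside them, are pinned to mutable major-version tags, so whoever can move those tags decides what code runs in this job with `security-events: write` on the repository token. Pin each action to a full-length commit SHA and keep the human-readable version in a trailing comment, e.g. `uses: github/codeql-action/init@<full-commit-sha> # v4`, and let Dependabot or Renovate advance the SHAs. The `actions` language enabled in the same matrix ships queries for workflow hygiene that, as far as I recall, include unpinned action tags, so the workflow may well report this on itself in its first run — worth checking the resulting alerts. The `analyze` job's header lies above this hunk.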