b3a7f98e5a
CI / E2E Cloudflare (4/8) (push) Failing after 0s
CI / E2E Cloudflare (8/8) (push) Failing after 1s
CI / Lint (push) Failing after 1s
Auto Extract / Extract (push) Failing after 4s
CI / Version Check (push) Failing after 9s
CI / Integration Tests (push) Failing after 1s
CI / E2E tests (1/8) (push) Failing after 1s
CI / E2E tests (2/8) (push) Failing after 2s
CI / E2E tests (3/8) (push) Failing after 2s
CI / Browser Tests (push) Failing after 1s
CI / E2E tests (5/8) (push) Failing after 1s
CI / E2E Cloudflare (2/8) (push) Failing after 2s
CI / Typecheck (push) Failing after 1s
CI / Changeset Validation (push) Failing after 2s
CI / E2E Cloudflare (5/8) (push) Failing after 1s
CI / E2E Cloudflare (6/8) (push) Failing after 1s
CI / E2E Cloudflare (7/8) (push) Failing after 1s
CodeQL / Analyze (javascript-typescript) (push) Failing after 1s
Format / Format (push) Failing after 0s
CodeQL / Analyze (actions) (push) Failing after 4s
CI / E2E tests (4/8) (push) Failing after 1s
CI / E2E tests (6/8) (push) Failing after 1s
CI / E2E tests (7/8) (push) Failing after 2s
CI / E2E tests (8/8) (push) Failing after 1s
CI / E2E Cloudflare (1/8) (push) Failing after 1s
CI / E2E Cloudflare (3/8) (push) Failing after 2s
Preview Releases / Publish Preview (push) Failing after 0s
zizmor / Run zizmor (push) Failing after 1s
Release / Release (push) Failing after 2s
CI / Smoke Tests (push) Failing after 5m36s
CI / Tests (push) Failing after 6m36s
Release / Sync Templates (push) Has been skipped
CI / E2E Tests (push) Has been cancelled
133 lines
4.2 KiB
YAML
133 lines
4.2 KiB
YAML
name: CodeQL
|
|
|
|
# Advanced setup so we can control when analysis runs. The "Require code
|
|
# scanning results" ruleset rule waits for a SARIF upload; if a PR doesn't
|
|
# touch code (locale-only, workflow-only) and the workflow never runs, the
|
|
# check sits pending forever. We always run a job per language and either do
|
|
# the real analysis (when relevant paths changed) or upload an empty SARIF so
|
|
# the check reports cleanly.
|
|
#
|
|
# Parity with the previous default setup:
|
|
# - languages: actions, javascript-typescript
|
|
# (javascript and typescript are subsumed by javascript-typescript)
|
|
# - query suite: default
|
|
# - threat model: remote
|
|
# - schedule: weekly
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
schedule:
|
|
# Weekly run, matches previous default setup cadence.
|
|
- cron: "0 6 * * 1"
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze (${{ matrix.language }})
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
security-events: write
|
|
contents: read
|
|
actions: read
|
|
pull-requests: read # dorny/paths-filter calls the PRs API on pull_request events
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- language: actions
|
|
paths-filter: |
|
|
code:
|
|
- '.github/workflows/**'
|
|
- '.github/actions/**'
|
|
- language: javascript-typescript
|
|
paths-filter: |
|
|
code:
|
|
- '**/*.ts'
|
|
- '**/*.tsx'
|
|
- '**/*.js'
|
|
- '**/*.jsx'
|
|
- '**/*.mjs'
|
|
- '**/*.cjs'
|
|
- '**/package.json'
|
|
- '**/pnpm-lock.yaml'
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
# On push and schedule, always analyze. On pull_request, only analyze
|
|
# when paths relevant to this language changed.
|
|
- name: Detect relevant changes
|
|
id: changes
|
|
if: github.event_name == 'pull_request'
|
|
uses: dorny/paths-filter@7b450fff21473bca461d4b92ce414b9d0420d706 # v4.0.2
|
|
with:
|
|
filters: ${{ matrix.paths-filter }}
|
|
|
|
- name: Decide whether to analyze
|
|
id: decide
|
|
env:
|
|
EVENT_NAME: ${{ github.event_name }}
|
|
CHANGED: ${{ steps.changes.outputs.code }}
|
|
run: |
|
|
if [ "$EVENT_NAME" != "pull_request" ] || [ "$CHANGED" = "true" ]; then
|
|
echo "analyze=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "analyze=false" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Initialize CodeQL
|
|
if: steps.decide.outputs.analyze == 'true'
|
|
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
with:
|
|
languages: ${{ matrix.language }}
|
|
|
|
- name: Perform CodeQL analysis
|
|
if: steps.decide.outputs.analyze == 'true'
|
|
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
with:
|
|
category: "/language:${{ matrix.language }}"
|
|
|
|
# When skipped, upload an empty SARIF so the "Require code scanning
|
|
# results" rule on the branch ruleset sees a result and passes the PR.
|
|
- name: Write empty SARIF
|
|
if: steps.decide.outputs.analyze != 'true'
|
|
env:
|
|
LANGUAGE: ${{ matrix.language }}
|
|
run: |
|
|
cat > empty.sarif <<EOF
|
|
{
|
|
"version": "2.1.0",
|
|
"\$schema": "https://json.schemastore.org/sarif-2.1.0.json",
|
|
"runs": [
|
|
{
|
|
"tool": {
|
|
"driver": {
|
|
"name": "CodeQL",
|
|
"semanticVersion": "0.0.0",
|
|
"rules": []
|
|
}
|
|
},
|
|
"results": [],
|
|
"automationDetails": {
|
|
"id": "/language:${LANGUAGE}/"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
|
|
- name: Upload empty SARIF
|
|
if: steps.decide.outputs.analyze != 'true'
|
|
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
with:
|
|
sarif_file: empty.sarif
|
|
category: "/language:${{ matrix.language }}"
|