From 0c574575a4e27b447ae9490fd414d6ebcbbe4d9d Mon Sep 17 00:00:00 2001 From: Eric Cornelissen Date: Tue, 17 Dec 2024 22:09:59 +0100 Subject: [PATCH 1/4] Enable CodeQL scan for GitHub Actions Update the CI configuration to run CodeQL on GitHub Actions in addition to JavaScript. This uses a matrix as suggested in the description of the "languages" input for the `github/codeql-action/init` action. --- .github/workflows/checks.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 6c4ebc43..8b839579 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -60,8 +60,14 @@ jobs: env: WHAT: ${{ matrix.what }} codeql: - name: CodeQL + name: CodeQL (${{ matrix.what }}) runs-on: ubuntu-24.04 + strategy: + fail-fast: false + matrix: + what: + - javascript + - actions permissions: security-events: write # To upload CodeQL results steps: @@ -86,7 +92,7 @@ jobs: uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 with: config-file: ./.github/codeql.yml - languages: javascript + languages: ${{ matrix.what }} - name: Perform CodeQL analysis uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 odgen: From f9075fa6c97bb230694858be9a6d7904e88e4868 Mon Sep 17 00:00:00 2001 From: Eric Cornelissen Date: Tue, 17 Dec 2024 22:14:49 +0100 Subject: [PATCH 2/4] Bump CodeQL Action to the latest version --- .github/workflows/checks.yml | 4 ++-- .github/workflows/semgrep.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 8b839579..a9596902 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml 
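Review bot: Renaming the job display name from `CodeQL` to `CodeQL (${{ matrix.what }})` turns the reported status checks into `CodeQL (javascript)` and `CodeQL (actions)`; if branch protection or a ruleset lists `CodeQL` as a required check, that requirement silently stops matching and pull requests are no longer gated on the scan. Update the required-check configuration to the two new names in the same change, or keep one stable aggregate name that both legs report under. The matrix values are literal strings in the workflow file, so the `${{ matrix.what }}` interpolation in `name:` carries no expression-injection concern, and `security-events: write` now applying to both legs is expected for uploading results. The `codeql` job definition continues past the hunk.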
@@ -89,12 +89,12 @@ jobs: with: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 + uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: config-file: ./.github/codeql.yml languages: ${{ matrix.what }} - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 + uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 odgen: name: ODGen runs-on: ubuntu-24.04 diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 246e5dd4..f48c9841 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -24,7 +24,7 @@ jobs: env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - name: Upload Semgrep report to GitHub - uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 + uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 if: ${{ failure() || success() }} with: sarif_file: semgrep.sarif From 700e3789bfb30a6c67c8d6411c0e0c98af1633e8 Mon Sep 17 00:00:00 2001 From: Eric Cornelissen Date: Tue, 17 Dec 2024 22:16:45 +0100 Subject: [PATCH 3/4] Disable config to see if that works for scanning actions --- .github/workflows/checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index a9596902..890d7ccd 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -91,7 +91,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: - config-file: ./.github/codeql.yml + # config-file: ./.github/codeql.yml languages: ${{ matrix.what }} - name: Perform CodeQL analysis uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 
From 1c2a90acc3be36c11bee139df6eb0f02bdd6e121 Mon Sep 17 00:00:00 2001 From: Eric Cornelissen Date: Wed, 18 Dec 2024 22:10:36 +0100 Subject: [PATCH 4/4] very ugly but at least we can test it --- .github/workflows/checks.yml | 12 +++++++++--- .github/workflows/semgrep.yml | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 890d7ccd..c8356ab1 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -89,12 +89,18 @@ jobs: with: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 + uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 + if: ${{ matrix.what == 'actions' }} with: - # config-file: ./.github/codeql.yml + languages: ${{ matrix.what }} + - name: Initialize CodeQL + uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 + if: ${{ matrix.what == 'javascript' }} + with: + config-file: ./.github/codeql.yml languages: ${{ matrix.what }} - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 + uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 odgen: name: ODGen runs-on: ubuntu-24.04 diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index f48c9841..b9bb06fe 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -24,7 +24,7 @@ jobs: env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - name: Upload Semgrep report to GitHub - uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 + uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 if: ${{ failure() || success() }} with: sarif_file: semgrep.sarif
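Review bot: Both init steps on the new side carry the same `name: Initialize CodeQL`, so the job log and failure annotations cannot tell the javascript leg from the actions leg, and the duplication means the pinned `init` SHA now has to be bumped in two places. A single step covers both legs if the config is chosen by expression — `config-file: ${{ matrix.what == 'javascript' && './.github/codeql.yml' || '' }}` — since, as far as I can tell, the init action treats an empty `config-file` input as not provided; if that is relied on, a comment such as `# codeql.yml holds javascript-specific settings; the actions leg runs with defaults` should record why. The actions leg now runs without whatever `paths-ignore` or query settings codeql.yml carries (its contents are not in this patch), so the scan scope for workflow files should be verified rather than assumed equal to the javascript leg. The `-`/`+` pairs for the analyze step and for semgrep.yml's `upload-sarif` line read identically here, so they are presumably whitespace-only and need no further review.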