diff --git a/.github/codeql.pkl b/.github/codeql.pkl
new file mode 100644
index 00000000..527f8d0a
--- /dev/null
+++ b/.github/codeql.pkl
@@ -0,0 +1,67 @@
+amends "@gha/Workflow.pkl"
+
+import "@gha/catalog.pkl"
+
+on {
+push {
+branches {
+"main"
+}
+}
+pull_request {}
+schedule {
+// Run at 01:38 on Saturday
+new { cron = "38 1 * * 6" }
+}
+}
+
+local class CodeQLScan {
+language: String
+
+`build-mode`: String
+}
+
+local scans: Listing = new {
+new {
+language = "actions"
+`build-mode` = "none"
+}
+new {
+language = "java-kotlin"
+`build-mode` = "autobuild"
+}
+new {
+language = "javascript-typescript"
+`build-mode` = "none"
+}
+}
+
+jobs {
+for (scan in scans) {
+["analyze-\(scan.language)"] {
+name = "Analyze (\(scan.language))"
+`runs-on` = "ubuntu-latest"
+permissions {
+`security-events` = "write"
+}
+steps {
+catalog.`actions/checkout@v6`
+new {
+name = "Initialize CodeQL"
+uses = "github/codeql-action/init@v4"
+with {
+["languages"] = scan.language
+["build-mode"] = scan.`build-mode`
+}
+}
+new {
+name = "Perform CodeQL Analysis"
+uses = "github/codeql-action/analyze@v4"
+with {
+["category"] = "/language:\(scan.language)"
+}
+}
+}
+}
+}
+}
diff --git a/.github/index.pkl b/.github/index.pkl
index fd765764..0810d4a3 100644
--- a/.github/index.pkl
+++ b/.github/index.pkl
@@ -9,6 +9,7 @@ import "jobs/GithubRelease.pkl"
 import "jobs/GradleJob.pkl"
 import "jobs/PklJob.pkl"
 import "jobs/SimpleGradleJob.pkl"
+import "codeql.pkl"
 
 triggerDocsBuild = "both"
 
@@ -239,3 +240,8 @@ dependabot {
 }
 }
 }
+
+workflows {
+// add codeql workflow to set of workflows
+["workflows/codeql.yml"] = codeql
+}
diff --git a/.github/workflows/__lockfile__.yml b/.github/workflows/__lockfile__.yml
index 885e3b51..f7fef068 100644
--- a/.github/workflows/__lockfile__.yml
+++ b/.github/workflows/__lockfile__.yml
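Review bot: The `permissions` block in the generated job grants only `security-events = "write"`, and once a job declares any permission the GITHUB_TOKEN's remaining scopes drop to none, so the checkout and CodeQL steps run without `contents: read` (and without the `actions: read` / `packages: read` that github/codeql-action documents for result upload and for pulling CodeQL packs); on a public repository the clone will likely still succeed anonymously, but the token-dependent paths will not. I would add `contents = "read"`, `actions = "read"` and `packages = "read"` next to the existing entry. Separately, `local scans: Listing = new {` discards the `CodeQLScan` class declared just above it; `local scans: Listing<CodeQLScan> = new {` lets Pkl check each entry's `language` and `build-mode` fields. A doc comment on the class such as `/// One CodeQL analysis target: a language id accepted by codeql-action/init and its build mode.` would also make the intent clear.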
@@ -30,6 +30,10 @@ jobs: uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 - name: dawidd6/action-download-artifact@v11 uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11 + - name: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + - name: github/codeql-action/init@v4 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 - name: gradle/actions/dependency-submission@v6 uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6 - name: gradle/actions/setup-gradle@v5 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..2c7acb05 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,63 @@ +# Generated from Workflow.pkl. DO NOT EDIT. +'on': + pull_request: {} + push: + branches: + - main + schedule: + - cron: 38 1 * * 6 +jobs: + analyze-actions: + name: Analyze (actions) + permissions: + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - name: Initialize CodeQL + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: + languages: actions + build-mode: none + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: + category: /language:actions + analyze-java-kotlin: + name: Analyze (java-kotlin) + permissions: + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - name: Initialize CodeQL + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: + languages: java-kotlin + build-mode: autobuild + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: + category: /language:java-kotlin + analyze-javascript-typescript: + name: Analyze (javascript-typescript) + permissions: + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - name: Initialize CodeQL + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: + languages: javascript-typescript + build-mode: none + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + with: + category: /language:javascript-typescript