mirror of
https://github.com/apple/pkl.git
synced 2026-07-03 19:51:47 +02:00
Enable codeql scanning (#1532)
This enables security vulnerability scanning using CodeQL.
This commit is contained in:
@@ -0,0 +1,67 @@
|
|||||||
|
amends "@gha/Workflow.pkl"
|
||||||
|
|
||||||
|
import "@gha/catalog.pkl"
|
||||||
|
|
||||||
|
on {
|
||||||
|
push {
|
||||||
|
branches {
|
||||||
|
"main"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
pull_request {}
|
||||||
|
schedule {
|
||||||
|
// Run at 01:38 on Saturday
|
||||||
|
new { cron = "38 1 * * 6" }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
local class CodeQLScan {
|
||||||
|
language: String
|
||||||
|
|
||||||
|
`build-mode`: String
|
||||||
|
}
|
||||||
|
|
||||||
|
local scans: Listing<CodeQLScan> = new {
|
||||||
|
new {
|
||||||
|
language = "actions"
|
||||||
|
`build-mode` = "none"
|
||||||
|
}
|
||||||
|
new {
|
||||||
|
language = "java-kotlin"
|
||||||
|
`build-mode` = "autobuild"
|
||||||
|
}
|
||||||
|
new {
|
||||||
|
language = "javascript-typescript"
|
||||||
|
`build-mode` = "none"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
jobs {
|
||||||
|
for (scan in scans) {
|
||||||
|
["analyze-\(scan.language)"] {
|
||||||
|
name = "Analyze (\(scan.language))"
|
||||||
|
`runs-on` = "ubuntu-latest"
|
||||||
|
permissions {
|
||||||
|
`security-events` = "write"
|
||||||
|
}
|
||||||
|
steps {
|
||||||
|
catalog.`actions/checkout@v6`
|
||||||
|
new {
|
||||||
|
name = "Initialize CodeQL"
|
||||||
|
uses = "github/codeql-action/init@v4"
|
||||||
|
with {
|
||||||
|
["languages"] = scan.language
|
||||||
|
["build-mode"] = scan.`build-mode`
|
||||||
|
}
|
||||||
|
}
|
||||||
|
new {
|
||||||
|
name = "Perform CodeQL Analysis"
|
||||||
|
uses = "github/codeql-action/analyze@v4"
|
||||||
|
with {
|
||||||
|
["category"] = "/language:\(scan.language)"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -9,6 +9,7 @@ import "jobs/GithubRelease.pkl"
|
|||||||
import "jobs/GradleJob.pkl"
|
import "jobs/GradleJob.pkl"
|
||||||
import "jobs/PklJob.pkl"
|
import "jobs/PklJob.pkl"
|
||||||
import "jobs/SimpleGradleJob.pkl"
|
import "jobs/SimpleGradleJob.pkl"
|
||||||
|
import "codeql.pkl"
|
||||||
|
|
||||||
triggerDocsBuild = "both"
|
triggerDocsBuild = "both"
|
||||||
|
|
||||||
@@ -239,3 +240,8 @@ dependabot {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
workflows {
|
||||||
|
// add codeql workflow to set of workflows
|
||||||
|
["workflows/codeql.yml"] = codeql
|
||||||
|
}
|
||||||
|
|||||||
Generated
+4
@@ -30,6 +30,10 @@ jobs:
|
|||||||
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
|
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
|
||||||
- name: dawidd6/action-download-artifact@v11
|
- name: dawidd6/action-download-artifact@v11
|
||||||
uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
|
uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
|
||||||
|
- name: github/codeql-action/analyze@v4
|
||||||
|
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
|
||||||
|
- name: github/codeql-action/init@v4
|
||||||
|
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
|
||||||
- name: gradle/actions/dependency-submission@v6
|
- name: gradle/actions/dependency-submission@v6
|
||||||
uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6
|
uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6
|
||||||
- name: gradle/actions/setup-gradle@v5
|
- name: gradle/actions/setup-gradle@v5
|
||||||
|
|||||||
Generated
+63
@@ -0,0 +1,63 @@
|
|||||||
|
# Generated from Workflow.pkl. DO NOT EDIT.
|
||||||
|
'on':
|
||||||
|
pull_request: {}
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
schedule:
|
||||||
|
- cron: 38 1 * * 6
|
||||||
|
jobs:
|
||||||
|
analyze-actions:
|
||||||
|
name: Analyze (actions)
|
||||||
|
permissions:
|
||||||
|
security-events: write
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||||
|
with:
|
||||||
|
persist-credentials: false
|
||||||
|
- name: Initialize CodeQL
|
||||||
|
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
|
||||||
|
with:
|
||||||
|
languages: actions
|
||||||
|
build-mode: none
|
||||||
|
- name: Perform CodeQL Analysis
|
||||||
|
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
|
||||||
|
with:
|
||||||
|
category: /language:actions
|
||||||
|
analyze-java-kotlin:
|
||||||
|
name: Analyze (java-kotlin)
|
||||||
|
permissions:
|
||||||
|
security-events: write
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||||
|
with:
|
||||||
|
persist-credentials: false
|
||||||
|
- name: Initialize CodeQL
|
||||||
|
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
|
||||||
|
with:
|
||||||
|
languages: java-kotlin
|
||||||
|
build-mode: autobuild
|
||||||
|
- name: Perform CodeQL Analysis
|
||||||
|
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
|
||||||
|
with:
|
||||||
|
category: /language:java-kotlin
|
||||||
|
analyze-javascript-typescript:
|
||||||
|
name: Analyze (javascript-typescript)
|
||||||
|
permissions:
|
||||||
|
security-events: write
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||||
|
with:
|
||||||
|
persist-credentials: false
|
||||||
|
- name: Initialize CodeQL
|
||||||
|
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
|
||||||
|
with:
|
||||||
|
languages: javascript-typescript
|
||||||
|
build-mode: none
|
||||||
|
- name: Perform CodeQL Analysis
|
||||||
|
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
|
||||||
|
with:
|
||||||
|
category: /language:javascript-typescript
|
||||||
Reference in New Issue
Block a user