paybot-sdk/.github/workflows/codeql.yml at 8ce4e0d0032994d1e79235165553e41c6d505f41 · RBKunnela/paybot-sdk · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# CodeQL — SAST (Static Application Security Testing) for paybot-sdk
#
# What:    GitHub's CodeQL engine analyzing JavaScript/TypeScript for SQL
#          injection, unsafe regex, hardcoded crypto, taint flows, and other
#          security issues.
# When:    On PRs targeting main, on push to main, and weekly (Monday 06:00 UTC).
# Output:  SARIF results uploaded natively to GitHub Code Scanning (Security tab).
#          Public repo: SARIF upload to Security tab is free (no GHAS needed).
#          Contrast with paybot-core (private personal-account) which required
#          `upload: false` + artifact workaround — see paybot-core PR #3.
# Gate:    Failed scans (any error severity finding) fail the job → PR blocked
#          via branch protection once required_status_checks is updated to
#          include "Analyze (javascript-typescript)" (verbatim from
#          `gh pr checks` after first run).
#
# Reference:
#   - https://docs.github.com/en/code-security/code-scanning
#   - Precedent: paybot-core PR #3 (merged 6dc6f5aa, 2026-05-22)
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Monday 06:00 UTC — weekly scheduled scan independent of PR activity
    - cron: '0 6 * * 1'

permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 360

    strategy:
      fail-fast: false
      matrix:
        language: [javascript-typescript]

    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
        with:
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57  # v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      - name: Autobuild
        uses: github/codeql-action/autobuild@03e4368ac7daa2bd82b3e85262f3bf87ee112f57  # v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@03e4368ac7daa2bd82b3e85262f3bf87ee112f57  # v3
        with:
          category: "/language:${{ matrix.language }}"
          # Public repo: SARIF upload to Security tab is free (no GHAS needed).
          # `upload: true` is the default; declared explicitly for clarity.
          upload: true