pull-request-semver-bumper/.github/workflows/codeql.yml at main · SAP/pull-request-semver-bumper · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
# CodeQL Advanced setup for SAP/pull-request-semver-bumper
#
# Scans:
#   - GitHub Actions workflows and action definitions  (language: actions)
#   - TypeScript / JavaScript sources                  (language: javascript-typescript)
#
# Triggers:
#   - push to main          (baseline analysis of merged code)
#   - pull_request on main  (all PRs: same-repo branches and forks)
#   - weekly schedule       (catches new queries / advisories)
#
# pull_request_target is intentionally NOT used. The pull_request event
# fires for fork PRs too, and CodeQL analysis with build-mode: none does
# not require the privileged base-repo token that pull_request_target
# provides. For fork PRs, SARIF upload is skipped (upload: never) — the
# analysis still runs and the job passes/fails on findings, but results
# are not posted to the Code Scanning dashboard.
#
# Security model:
#   - actions/checkout uses persist-credentials: false so no token is
#     available to subsequent steps.
#   - build-mode: none for both languages — CodeQL extracts directly from
#     source; no `npm install`, no `run:` step executes untrusted code.
#   - The CodeQL configuration (paths-ignore, queries) is provided INLINE
#     via the `config:` input rather than read from a file in the working
#     directory. This prevents a contributor from disabling queries or
#     adding broad paths-ignore in their PR to neuter the security gate.

name: "CodeQL Advanced"

on:  # zizmor: ignore[pull-request-target]
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '26 1 * * 3'

# Workflow-level permissions intentionally empty.
# The analyze job declares only what it needs.
permissions: {}

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: read

    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: javascript-typescript
            build-mode: none

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # For pull_request events (including forks), actions/checkout checks out
          # the PR merge commit by default — no explicit ref or repository needed.
          persist-credentials: false

      - name: Resolve SARIF upload mode
        env:
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          # Fork PRs: skip upload — analysis still runs and gates the PR on findings,
          # but results are not posted to the base repo's Code Scanning dashboard.
          # All other events (same-repo PR, push, schedule): upload as normal.
          if [[ "${{ github.event_name }}" == "pull_request" && \
                "$HEAD_REPO" != "${{ github.repository }}" ]]; then
            echo "CODEQL_UPLOAD=never" >> "$GITHUB_ENV"
          else
            echo "CODEQL_UPLOAD=always" >> "$GITHUB_ENV"
          fi

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Use the security-and-quality suite to also report quality alerts,
          # which the repo ruleset's `code_quality` rule consumes.
          queries: security-and-quality
          # Inline config (NOT config-file) so a contributor's working-directory
          # version cannot override paths-ignore or disable queries.
          config: |
            paths-ignore:
              # Generated bundles produced by ncc/webpack — analyzing them
              # duplicates alerts already covered by the TS sources.
              - "**/dist/**"
              # Vendored dependencies.
              - "**/node_modules/**"
              # Build artefacts and TypeScript output directories.
              - "**/build/**"
              - "**/out/**"
              - "**/coverage/**"
              # Test fixtures and snapshots.
              - "**/__fixtures__/**"
              - "**/__snapshots__/**"
              - "**/*.snap"
              # Lockfiles.
              - "**/package-lock.json"
              - "**/yarn.lock"
              - "**/pnpm-lock.yaml"

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
          upload: ${{ env.CODEQL_UPLOAD }}