|
| 1 | +name: CodeQL |
| 2 | + |
| 3 | +on: |
| 4 | + push: |
| 5 | + branches: ["main"] |
| 6 | + pull_request: |
| 7 | + branches: ["main"] |
| 8 | + schedule: |
| 9 | + - cron: "0 3 * * 1" # Mondays 03:00 UTC |
| 10 | + workflow_dispatch: |
| 11 | + |
| 12 | +concurrency: |
| 13 | + group: codeql-${{ github.ref }} |
| 14 | + cancel-in-progress: true |
| 15 | + |
| 16 | +permissions: |
| 17 | + actions: read |
| 18 | + contents: read |
| 19 | + security-events: write |
| 20 | + |
| 21 | +env: |
| 22 | + NODE_VERSION: "20" |
| 23 | + PNPM_VERSION: "9" |
| 24 | + |
| 25 | +jobs: |
| 26 | + analyze: |
| 27 | + name: Analyze (${{ matrix.language }}) |
| 28 | + runs-on: ubuntu-latest |
| 29 | + timeout-minutes: 60 |
| 30 | + strategy: |
| 31 | + fail-fast: false |
| 32 | + matrix: |
| 33 | + language: ["javascript-typescript", "rust"] |
| 34 | + |
| 35 | + steps: |
| 36 | + - name: Checkout |
| 37 | + uses: actions/checkout@v4 |
| 38 | + |
| 39 | + - name: Initialize CodeQL |
| 40 | + uses: github/codeql-action/init@v3 |
| 41 | + with: |
| 42 | + languages: ${{ matrix.language }} |
| 43 | + # Use extended queries for better coverage; you can tighten later. |
| 44 | + queries: security-extended |
| 45 | + |
| 46 | + # ----------------------------- |
| 47 | + # Build steps (recommended for better results) |
| 48 | + # CodeQL will attempt autobuild; we also provide explicit builds. |
| 49 | + # ----------------------------- |
| 50 | + |
| 51 | + - name: Setup Node (JS/TS only) |
| 52 | + if: ${{ matrix.language == 'javascript-typescript' }} |
| 53 | + uses: actions/setup-node@v4 |
| 54 | + with: |
| 55 | + node-version: ${{ env.NODE_VERSION }} |
| 56 | + cache: "pnpm" |
| 57 | + |
| 58 | + - name: Setup pnpm (JS/TS only) |
| 59 | + if: ${{ matrix.language == 'javascript-typescript' }} |
| 60 | + uses: pnpm/action-setup@v4 |
| 61 | + with: |
| 62 | + version: ${{ env.PNPM_VERSION }} |
| 63 | + |
| 64 | + - name: Install JS dependencies (JS/TS only) |
| 65 | + if: ${{ matrix.language == 'javascript-typescript' }} |
| 66 | + run: | |
| 67 | + set -euo pipefail |
| 68 | + if [ -f package.json ]; then |
| 69 | + pnpm install --frozen-lockfile || pnpm install |
| 70 | + fi |
| 71 | + if [ -f console/web/package.json ]; then |
| 72 | + (cd console/web && pnpm install --frozen-lockfile || pnpm install) |
| 73 | + fi |
| 74 | + if [ -f console/interface/package.json ]; then |
| 75 | + (cd console/interface && pnpm install --frozen-lockfile || pnpm install) |
| 76 | + fi |
| 77 | + if [ -f sdk/ts/package.json ]; then |
| 78 | + (cd sdk/ts && pnpm install --frozen-lockfile || pnpm install) |
| 79 | + fi |
| 80 | +
|
| 81 | + - name: Build JS/TS (JS/TS only) |
| 82 | + if: ${{ matrix.language == 'javascript-typescript' }} |
| 83 | + run: | |
| 84 | + set -euo pipefail |
| 85 | + # Run builds if scripts exist. Keep failures meaningful. |
| 86 | + if [ -f package.json ] && pnpm -s run | grep -q "^build"; then |
| 87 | + pnpm run build |
| 88 | + fi |
| 89 | + if [ -f console/web/package.json ] && (cd console/web && pnpm -s run | grep -q "^build"); then |
| 90 | + (cd console/web && pnpm run build) |
| 91 | + fi |
| 92 | + if [ -f console/interface/package.json ] && (cd console/interface && pnpm -s run | grep -q "^build"); then |
| 93 | + (cd console/interface && pnpm run build) |
| 94 | + fi |
| 95 | + if [ -f sdk/ts/package.json ] && (cd sdk/ts && pnpm -s run | grep -q "^build"); then |
| 96 | + (cd sdk/ts && pnpm run build) |
| 97 | + fi |
| 98 | +
|
| 99 | + - name: Install Rust toolchain (Rust only) |
| 100 | + if: ${{ matrix.language == 'rust' }} |
| 101 | + uses: dtolnay/rust-toolchain@stable |
| 102 | + |
| 103 | + - name: Cache cargo (Rust only) |
| 104 | + if: ${{ matrix.language == 'rust' }} |
| 105 | + uses: Swatinem/rust-cache@v2 |
| 106 | + with: |
| 107 | + cache-on-failure: true |
| 108 | + |
| 109 | + - name: Build Rust (Rust only) |
| 110 | + if: ${{ matrix.language == 'rust' }} |
| 111 | + run: | |
| 112 | + set -euo pipefail |
| 113 | + # Build key crates for analysis quality. |
| 114 | + cargo build --release --locked --manifest-path crates/signia-core/Cargo.toml |
| 115 | + cargo build --release --locked --manifest-path crates/signia-plugins/Cargo.toml |
| 116 | + cargo build --release --locked --manifest-path crates/signia-store/Cargo.toml |
| 117 | + cargo build --release --locked --manifest-path crates/signia-api/Cargo.toml |
| 118 | + cargo build --release --locked --manifest-path crates/signia-cli/Cargo.toml |
| 119 | + cargo build --release --locked --manifest-path crates/signia-solana-client/Cargo.toml |
| 120 | +
|
| 121 | + # If on-chain program exists, build it as well (Cargo-only). |
| 122 | + if [ -f programs/signia-registry/Cargo.toml ]; then |
| 123 | + cargo build --release --locked --manifest-path programs/signia-registry/Cargo.toml |
| 124 | + fi |
| 125 | +
|
| 126 | + # Autobuild fallback (in case explicit build is insufficient) |
| 127 | + - name: Autobuild |
| 128 | + uses: github/codeql-action/autobuild@v3 |
| 129 | + |
| 130 | + - name: Perform CodeQL Analysis |
| 131 | + uses: github/codeql-action/analyze@v3 |
| 132 | + with: |
| 133 | + category: "/language:${{ matrix.language }}" |
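Review bot: The "Setup Node" step requests `cache: "pnpm"` from actions/setup-node before the "Setup pnpm" step has installed pnpm, so the cache lookup has no pnpm binary to invoke and the JS/TS job will most likely fail there; swap the two steps so `pnpm/action-setup@v4` runs before `actions/setup-node@v4`. In the install step, `pnpm install --frozen-lockfile || pnpm install` silently falls back to an unpinned resolution whenever the lockfile drifts, hiding exactly the dependency change a security scan should surface; drop the fallback and let `pnpm install --frozen-lockfile` fail loudly. The third-party actions (`pnpm/action-setup@v4`, `dtolnay/rust-toolchain@stable`, `Swatinem/rust-cache@v2`) are referenced by mutable tags in a job holding `security-events: write`; pinning each to a full commit SHA with the tag in a trailing comment (`uses: Swatinem/rust-cache@<commit-sha> # v2`) removes the tag-retarget exposure. Lastly, "Autobuild" runs unconditionally after the explicit cargo builds, and CodeQL's guidance is to use either a manual build or autobuild for a given language, so gating it with `if: ${{ matrix.language != 'rust' }}` (or dropping it) is worth confirming against the Rust extractor's requirements.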