Merge branch 'main' of https://github.com/bocan/bocan-music #192

Workflow file for this run

	name: CodeQL

	# CodeQL scanning for Swift is a GitHub public preview. It only
	# supports building on macOS runners, and has to see a real build
	# (not autobuild) to gather call-graph information.
	#
	# We reuse the same xcodebuild pipeline as CI and let init/analyze
	# bracket it. Scheduled weekly plus on every PR into main.

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	schedule:
	- cron: "0 6 * * 1"

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	jobs:
	analyze:
	name: Analyze (Swift)
	runs-on: macos-26
	timeout-minutes: 45
	permissions:
	security-events: write
	actions: read
	contents: read

	steps:
	- name: Checkout
	uses: actions/checkout@v6

	- name: Select Xcode 26
	run: sudo xcode-select -s /Applications/Xcode_26.5.app

	- name: Cache SPM packages
	uses: actions/cache@v5
	with:
	path: \|
	~/Library/Developer/Xcode/DerivedData/**/SourcePackages
	~/.swiftpm
	key: ${{ runner.os }}-codeql-spm-${{ hashFiles('**/Package.resolved') }}
	restore-keys: \|
	${{ runner.os }}-codeql-spm-

	- name: Install Brewfile dependencies
	run: brew bundle

	- name: Set pkg-config path for FFmpeg and TagLib
	run: \|
	echo "PKG_CONFIG_PATH=/opt/homebrew/opt/ffmpeg/lib/pkgconfig:/opt/homebrew/opt/taglib/lib/pkgconfig" >> $GITHUB_ENV

	- name: Stub Secrets.xcconfig (xcodegen requires it)
	env:
	ACOUSTID_API_KEY: ${{ secrets.ACOUSTID_API_KEY }}
	BOCAN_LASTFM_API_KEY: ${{ secrets.BOCAN_LASTFM_API_KEY }}
	BOCAN_LASTFM_SHARED_SECRET: ${{ secrets.BOCAN_LASTFM_SHARED_SECRET }}
	run: \|
	if [ ! -f Secrets.xcconfig ]; then
	cp Secrets.xcconfig.template Secrets.xcconfig
	fi
	# Inject any optional repo secrets that happen to be set. Missing
	# secrets just leave the template's empty defaults in place.
	if [ -n "$ACOUSTID_API_KEY" ]; then
	sed -i '' "s\|^ACOUSTID_API_KEY = .*\|ACOUSTID_API_KEY = $ACOUSTID_API_KEY\|" Secrets.xcconfig
	fi
	if [ -n "$BOCAN_LASTFM_API_KEY" ]; then
	sed -i '' "s\|^BOCAN_LASTFM_API_KEY = .*\|BOCAN_LASTFM_API_KEY = $BOCAN_LASTFM_API_KEY\|" Secrets.xcconfig
	fi
	if [ -n "$BOCAN_LASTFM_SHARED_SECRET" ]; then
	sed -i '' "s\|^BOCAN_LASTFM_SHARED_SECRET = .*\|BOCAN_LASTFM_SHARED_SECRET = $BOCAN_LASTFM_SHARED_SECRET\|" Secrets.xcconfig
	fi

	- name: Generate Xcode project
	run: xcodegen generate

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v4
	with:
	languages: swift
	queries: security-and-quality

	- name: Build (manual)
	run: make build

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v4
	with:
	category: "/language:swift"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Merge branch 'main' of https://github.com/bocan/bocan-music #192

Workflow file

Merge branch 'main' of https://github.com/bocan/bocan-music #192

Uh oh!

Workflow file for this run