ci: add CodeQL Advanced security scanning workflow#387
✅ Deploy Preview for hiero-open-source ready!
✅ Snyk checks have passed. No issues have been found so far.
Walkthrough: This PR introduces a new CodeQL Advanced security scanning workflow for the hiero-website repository. The workflow runs on pushes and pull requests to
Nitpick comments (1)

.github/workflows/codeql.yml, lines 5-14: Add a `workflow_dispatch` trigger for on-demand CodeQL scans. Other workflows in this repository (e.g., ci.yml) already include this trigger. It's useful for incident response or quick validation after query/config tuning without waiting for scheduled runs or pushes.

Suggested update:

```diff
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["main"]
     paths-ignore:
       - "**/*.md"
   schedule:
     - cron: "28 23 * * *"
+  workflow_dispatch:
```
Files selected for processing (2):
- .github/workflows/codeql.yml
- docs/07-github-automation.md
The CodeQL check failures are expected until the default CodeQL setup is disabled in repo Settings > Code security. I think someone with permission needs to switch from 'Default' to 'Advanced' (or disable it) since a custom codeql.yml now handles analysis. Thank you.
cc @hiero-ledger/github-maintainers

@hiero-ledger/github-maintainers Please help us unblock this change.
Ready for review @hiero-ledger/github-maintainers
aceppaluni
left a comment
@cheese-cakee This is looking good so far. I believe the reason the workflow is failing is due to the change from using GitHub action runners to self-hosted runners.
To correct this, add an additional step after checking out the repository:

```yaml
- name: Checkout repository
  uses: actions/checkout@...
- name: Setup Node.js
  uses: actions/setup-node@v4
  with:
    node-version: 20
```
@rbarker-dev Could I get your input on this?
Note: if you proceed with the above, please make sure to use the recent package.
aceppaluni
left a comment
@cheese-cakee Can you resolve branch conflicts please?
Thank you!
Actionable comments posted: 8
Inline comments:
In @.github/workflows/codeql.yml:
- Around line 39-42: The harden-runner action version is inconsistent with other
workflows; locate the workflow step that uses
"step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1"
and update the action reference to the matching version used elsewhere (v2.16.1)
so all workflows use "step-security/harden-runner@v2.16.1" for consistency and
security parity.
In `@content/posts/Hiero_links_of_april_thirteenth.md`:
- Around line 15-16: Update the sentence in the post text that currently reads
"Below are links to some of things that happened this past week." to the
grammatically correct "Below are links to some of the things that happened this
past week." Locate the phrase in
content/posts/Hiero_links_of_april_thirteenth.md and replace "some of things"
with "some of the things" so the published copy reads correctly.
- Around line 27-28: Replace the setext-style heading "Want to be featured on
the Hiero-Website?" (currently followed by the underline `--`) with an ATX-style
heading by prefixing the line with one or more `#` characters (e.g., `# Want to
be featured on the Hiero-Website?`) and remove the underline; update the heading
text formatting as needed (the exact text "Want to be featured on the
Hiero-Website?" identifies the target).
In `@content/posts/hiero_links_of_april_twentieth.md`:
- Around line 14-16: Fix the typos in the post copy: change “happend” to
“happened” and change “some of things” to “some of the things” in the sentence
currently reading "Below are links to some of things that happend this past
week." Also ensure spacing and punctuation remain correct (resulting sentence:
"Below are links to some of the things that happened this past week.").
- Around line 27-28: The heading "Want to be featured on the Hiero-Website?" is
written as a setext-style heading; change it to an ATX heading to satisfy
markdownlint MD003 by replacing the underline with an ATX marker (e.g., prefix
the line with one or more '#' characters such as "# Want to be featured on the
Hiero-Website?") and remove the following underline line so the heading is a
single ATX-style line.
In `@content/posts/hiero_links_of_april_twentyseven.md`:
- Around line 14-16: Update the intro sentence to correct grammar by changing
"some of things" to "some of the things" in the paragraph that begins "This week
featured a lot of new and exciting updates within the Hiero Organization."
Ensure the new sentence reads "Below are links to some of the things that
happened this past week." and keep the surrounding punctuation and emphasis
intact.
- Around line 27-28: Replace the setext-style heading "Want to be featured on
the Hiero-Website?" with an ATX-style heading by prefixing the same text with
one or more # characters (e.g. "# Want to be featured on the Hiero-Website?") so
the line uses ATX heading syntax and removes the underline, ensuring
markdownlint no longer flags the setext style.
In `@content/posts/hip-1137.md`:
- Line 25: Update the user-facing copy in the post's line containing "RPC relays
– nodes providing EVM based interfaces on top of the Hiero network" to hyphenate
the compound adjective by changing "EVM based interfaces" to "EVM-based
interfaces" so the phrase reads "RPC relays – nodes providing EVM-based
interfaces on top of the Hiero network".
Files selected for processing (26):
- .github/workflows/ci.yml
- .github/workflows/codeql.yml
- .github/workflows/pr-formatting.yaml
- CHANGELOG.md
- README.md
- content/_index.md
- content/posts/Hiero_links_of_april_thirteenth.md
- content/posts/hiero-heka-joins-hiero.md
- content/posts/hiero_links_of_april_twentieth.md
- content/posts/hiero_links_of_april_twentyseven.md
- content/posts/hip-1137.md
- content/posts/kampala_hiero_event.md
- docs/blogs.md
- package.json
- src/app/blog/[slug]/page.tsx
- src/app/not-found.tsx
- src/app/page.tsx
- src/app/tsc/page.tsx
- src/components/BlogPostList/index.tsx
- src/components/ContributorsGrid/index.tsx
- src/components/Divider/index.tsx
- src/components/Header/index.tsx
- src/components/Menu/index.tsx
- src/components/WhatIsHieroSection/index.tsx
- src/data/homePageData.ts
- src/data/repository_stats.json
✅ Files skipped from review due to trivial changes (6)
- CHANGELOG.md
- package.json
- src/data/repository_stats.json
- src/app/tsc/page.tsx
- README.md
- src/data/homePageData.ts
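The harden-runner finding above (v2.15.1 in codeql.yml versus v2.16.1 elsewhere) and the commit message's "SHA-pinned actions following existing repo conventions" reduce to two mechanical checks a reviewer can automate: every third-party `uses:` reference pins a full 40-hex commit SHA rather than a mutable tag, and the same action is pinned to the same release across all workflows in the repository. The script below is an added example and is not part of this PR or the hiero-website repository. The sample workflow texts are constructed; the harden-runner v2.15.1 SHA is the one quoted in the review, while the all-zero and all-one SHAs are placeholders standing in for real pins.

```python
import re
from collections import defaultdict

# A `uses:` step reference: owner/repo[/path]@ref, optionally followed by a
# "# vX.Y.Z" comment recording which release the pinned SHA corresponds to.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[A-Za-z0-9_.\-/]+)@(?P<ref>[A-Za-z0-9_.\-/]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
# A full 40-hex-character commit SHA is the only immutable pin; tags and
# branch names can be moved by the action's maintainer (or an attacker).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (action, ref, version_comment) for every uses: line in a workflow."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append((m.group("action"), m.group("ref"), m.group("comment")))
    return refs


def find_unpinned(workflows):
    """List (workflow, action, ref) for references that are tags or branches,
    not commit SHAs. Local actions (./path) are skipped: they ship with the repo."""
    issues = []
    for name, text in workflows.items():
        for action, ref, _ in parse_uses(text):
            if action.startswith("./"):
                continue
            if not SHA_RE.match(ref):
                issues.append((name, action, ref))
    return issues


def find_version_drift(workflows):
    """Map action -> {version: [workflows]} for actions pinned to more than one
    version across the set. The "# vX" comment is the version label when
    present, otherwise the raw ref is used."""
    seen = defaultdict(lambda: defaultdict(list))
    for name, text in workflows.items():
        for action, ref, comment in parse_uses(text):
            seen[action][comment or ref].append(name)
    return {a: dict(v) for a, v in seen.items() if len(v) > 1}


# Constructed sample input (not the repository's real workflows). The
# harden-runner v2.15.1 SHA is the one quoted in the review; the all-zero and
# all-one SHAs are placeholders, not real commits.
SHA_A = "0" * 40
SHA_B = "1" * 40
SAMPLE_WORKFLOWS = {
    "codeql.yml": f"""\
jobs:
  analyze:
    steps:
      - uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
      - uses: actions/checkout@{SHA_A} # v4
      - uses: github/codeql-action/init@{SHA_B} # v3
""",
    "ci.yml": f"""\
jobs:
  build:
    steps:
      - uses: step-security/harden-runner@{SHA_B} # v2.16.1
      - uses: actions/checkout@{SHA_A} # v4
      - uses: actions/setup-node@v4
""",
}


if __name__ == "__main__":
    for wf, action, ref in find_unpinned(SAMPLE_WORKFLOWS):
        print(f"UNPINNED  {wf}: {action}@{ref} (pin to a commit SHA)")
    for action, versions in find_version_drift(SAMPLE_WORKFLOWS).items():
        print(f"DRIFT     {action}: {versions}")
```

On the constructed input the script reports `actions/setup-node@v4` in ci.yml as unpinned and `step-security/harden-runner` as drifting between v2.15.1 and v2.16.1, which is exactly the inconsistency the review flagged. To run it against a real checkout, read each `.github/workflows/*.yml` into the dictionary in place of `SAMPLE_WORKFLOWS`.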
Commit message:

Adds security scanning via GitHub CodeQL to detect vulnerabilities in JavaScript/TypeScript source and GitHub Actions workflows.
- Analyzes javascript-typescript and actions with build-mode: none
- Uses security-extended query suite for comprehensive coverage
- SHA-pinned actions following existing repo conventions
- Daily scheduled run at 23:28 UTC plus push/PR triggers
- paths-ignore on PRs to skip markdown-only changes

Closes hiero-ledger#386

Signed-off-by: cheese-cakee <farzanaman99@gmail.com>
aceppaluni
left a comment
Can you update your branch?
Thank you!
Done!
Actionable comments posted: 1
Inline comments:
In @.github/workflows/codeql.yml:
- Around line 26-29: Do not remove or change the workflow-level permissions
block—ensure the YAML keys "permissions", "contents: read", "security-events:
write", and "packages: read" remain present; keep job-level permissions intact
so CodeQL can upload SARIF results (security-events: write is required) and
follow the least-privilege pattern by leaving contents: read at workflow level
and any additional permissions at the job level.
Files selected for processing (1):
.github/workflows/codeql.yml
Hello @aceppaluni, I think my branch is already up to date, so wondering if the "update branch" label is appropriate here?
This repository doesn't have a requirement to merge with an updated branch

@hiero-ledger/github-maintainers
Description
Adds security scanning via GitHub CodeQL to detect vulnerabilities in JavaScript/TypeScript source and GitHub Actions workflows.
Changes Made
- .github/workflows/codeql.yml — CodeQL Advanced workflow with matrix strategy analyzing javascript-typescript and actions languages
- docs/07-github-automation.md — documented the new workflow

Related Issues
Closes #386