fix: stabilize CI smoke and local-auth gates (#2850) #2589
---
# CodeQL "light" scan.
#
# A single `analyze` job is fanned out over five CodeQL profiles: four
# javascript-typescript config files (backend-api, frontend-publish,
# cli-package, repository-automation) plus one `actions` profile for the
# workflow files themselves. Every matrix entry uploads under its own SARIF
# category ("/codeql-light/<category>") so the profiles do not clobber each
# other's findings on the code-scanning dashboard.
name: CodeQL Light

on:
  # Manual run. `profile` narrows the matrix to one category; the default
  # (`all`) runs every entry.
  workflow_dispatch:
    inputs:
      profile:
        description: CodeQL light profile to run
        type: choice
        required: false
        default: all
        options:
          - all
          - backend-api
          - frontend-publish
          - cli-package
          - repository-automation
          - actions

  # Only changes under the scanned trees (or the lockfile/manifest) trigger a
  # push or PR run; the path lists below are intentionally identical.
  push:
    branches:
      - main
    paths:
      - '.github/codeql/**'
      - '.github/workflows/**'
      - 'convex/**'
      - 'packages/clawhub/**'
      - 'packages/schema/**'
      - 'scripts/**'
      - 'src/**'
      - bun.lock
      - package.json

  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    paths:
      - '.github/codeql/**'
      - '.github/workflows/**'
      - 'convex/**'
      - 'packages/clawhub/**'
      - 'packages/schema/**'
      - 'scripts/**'
      - 'src/**'
      - bun.lock
      - package.json

  # Daily baseline scan of the default branch.
  schedule:
    - cron: '17 7 * * *'

# Concurrency key by trigger:
#   - workflow_dispatch: unique per run (run_id), never coalesced;
#   - pull_request:      per PR number, and a newer push cancels the older run;
#   - push / schedule:   per commit SHA, queued rather than cancelled.
concurrency:
  group: codeql-light-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  # Quoted on purpose: the runner reads this as the literal string "true".
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'

# Least privilege for the whole workflow. `security-events: write` is what
# lets the analyze step upload SARIF; everything else stays read-only.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.category }})
    # Draft PRs are skipped; every other trigger runs the full matrix.
    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
    runs-on: ubuntu-latest
    timeout-minutes: 20

    strategy:
      # Let the other profiles finish even if one of them fails.
      fail-fast: false
      matrix:
        include:
          - category: backend-api
            language: javascript-typescript
            config_file: ./.github/codeql/codeql-backend-api-security.yml
          - category: frontend-publish
            language: javascript-typescript
            config_file: ./.github/codeql/codeql-frontend-publish-security.yml
          - category: cli-package
            language: javascript-typescript
            config_file: ./.github/codeql/codeql-cli-package-security.yml
          - category: repository-automation
            language: javascript-typescript
            config_file: ./.github/codeql/codeql-repository-automation-security.yml
          - category: actions
            language: actions
            config_file: ./.github/codeql/codeql-actions-security.yml

    # The profile guard is repeated on each step rather than on the job
    # because a job-level `if` has no access to the `matrix` context. On a
    # manual run, matrix entries that do not match `profile` (and are not
    # covered by `all`) have all three steps skipped.
    steps:
      - name: Checkout
        if: github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == matrix.category
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        if: github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == matrix.category
        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
        with:
          languages: '${{ matrix.language }}'
          config-file: '${{ matrix.config_file }}'

      - name: Analyze
        if: github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == matrix.category
        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
        with:
          # Distinct category per profile so SARIF uploads do not overwrite.
          category: '/codeql-light/${{ matrix.category }}'