chore(ci): enable CodeQL and Scorecards (open-edge-platform#789)

Signed-off-by: Barabanov, Alexander <alexander.barabanov@intel.com>

Author: AlexanderBarabanov

.github/workflows/backend.yml

@@ -7,6 +7,9 @@ on:
         type: string
         required: true
   workflow_dispatch:
+
+permissions: {} # No permissions by default
+
 jobs:
   component-check:
     name: Backend workflow
@@ -24,7 +27,7 @@ jobs:
       - name: Install dependencies
         uses: ./.github/actions/install-dependencies
         with:
-          uv-cache-dependency-glob: 'application/backend/uv.lock'
+          uv-cache-dependency-glob: "application/backend/uv.lock"
 
       - name: Lint backend
         working-directory: application/backend

.github/workflows/build-images-comment.yml

@@ -122,4 +122,3 @@ jobs:
 
             **Result** :x: The build failed.
             [Check the logs](https://github.com/open-edge-platform/instant-learn/actions/runs/${{ github.run_id }}) for the details.
-

.github/workflows/codeql.yml

@@ -0,0 +1,48 @@
+name: "CodeQL scan"
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+  push:
+    branches: ["main", "release/**"]
+  pull_request:
+    branches: ["main", "release/**"]
+
+permissions: {}
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # required to publish sarif
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: python
+            build-mode: none
+          - language: javascript-typescript
+            build-mode: none
+          - language: rust
+            build-mode: none
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: security-extended
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/collect-license.yml

@@ -2,13 +2,16 @@ name: Collect License Information
 
 on:
   workflow_dispatch:
-permissions:
-  contents: read
+
+permissions: {} # No permissions by default
+
 
 jobs:
   collect-sbom-container-image:
     name: Generate SBOM with Syft
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         ai-device: [cpu, cuda, xpu]
@@ -89,6 +92,8 @@ jobs:
   collect-sbom-library:
     name: Collect Library Licenses
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/collect-source.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Install dependencies
         uses: ./.github/actions/install-dependencies
         with:
-          cleanup-runner: 'true'
+          cleanup-runner: "true"
 
       - name: Build docker image
         working-directory: application
@@ -99,43 +99,43 @@ jobs:
     container:
       image: debian:bookworm-slim@sha256:98f4b71de414932439ac6ac690d7060df1f27161073c5036a7553723881bffbe
     steps:
-    - name: Add apt sources for deb-src
-      shell: bash
-      run: |
-        sed -Ei "s/^Types: deb$/Types: deb deb-src/" /etc/apt/sources.list.d/debian.sources
-        apt-get update
-
-    - name: Find GPL/MPL licensed packages
-      shell: bash
-      env:
-        PACKAGES: ${{ needs.get-unique-names.outputs.unique_package_names_oneline }}
-      run: |
-        OUTPUT_DIR="output"
-        ARCHIVE_NAME="source_code.tar.gz"
-        mkdir -p "$OUTPUT_DIR"
-        cd "$OUTPUT_DIR"
-        # Split comma-separated list into an array
-        IFS=',' read -r -a PACKAGES_ARR <<< "$PACKAGES"
-        # Collect missing packages
-        # Install GNU Parallel for faster downloads
-        apt-get update && apt-get install -y parallel
-
-        # Download sources for GPL/MPL packages in parallel with error handling
-        if [ ${#PACKAGES_ARR[@]} -gt 0 ]; then
-          export OUTPUT_DIR
-          printf "%s\n" "${PACKAGES_ARR[@]}" | parallel --jobs 4 '
-            echo "Downloading source for {}"
-            if ! apt-get source -q --download-only "{}"; then
-              echo "Warning: Source not available for {}" >&2
-            fi
-          '
-        fi
-        cd ..
-        tar -czf "$ARCHIVE_NAME" -C "$OUTPUT_DIR" .
-
-    - name: Upload source code archive
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
-      with:
-        name: source-code-archive
-        path: source_code.tar.gz
-        retention-days: 3
+      - name: Add apt sources for deb-src
+        shell: bash
+        run: |
+          sed -Ei "s/^Types: deb$/Types: deb deb-src/" /etc/apt/sources.list.d/debian.sources
+          apt-get update
+
+      - name: Find GPL/MPL licensed packages
+        shell: bash
+        env:
+          PACKAGES: ${{ needs.get-unique-names.outputs.unique_package_names_oneline }}
+        run: |
+          OUTPUT_DIR="output"
+          ARCHIVE_NAME="source_code.tar.gz"
+          mkdir -p "$OUTPUT_DIR"
+          cd "$OUTPUT_DIR"
+          # Split comma-separated list into an array
+          IFS=',' read -r -a PACKAGES_ARR <<< "$PACKAGES"
+          # Collect missing packages
+          # Install GNU Parallel for faster downloads
+          apt-get update && apt-get install -y parallel
+
+          # Download sources for GPL/MPL packages in parallel with error handling
+          if [ ${#PACKAGES_ARR[@]} -gt 0 ]; then
+            export OUTPUT_DIR
+            printf "%s\n" "${PACKAGES_ARR[@]}" | parallel --jobs 4 '
+              echo "Downloading source for {}"
+              if ! apt-get source -q --download-only "{}"; then
+                echo "Warning: Source not available for {}" >&2
+              fi
+            '
+          fi
+          cd ..
+          tar -czf "$ARCHIVE_NAME" -C "$OUTPUT_DIR" .
+
+      - name: Upload source code archive
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: source-code-archive
+          path: source_code.tar.gz
+          retention-days: 3

.github/workflows/daily.yml

@@ -1,9 +1,11 @@
 name: daily
 on:
   schedule:
-    - cron: '0 0 * * *' # Run every day at midnight UTC
+    - cron: "0 0 * * *" # Run every day at midnight UTC
   workflow_dispatch:
 
+permissions: {} # No permissions by default
+
 jobs:
   build-parameters:
     name: Prepare build parameters

.github/workflows/distrib.yml

@@ -24,6 +24,8 @@ on:
         default: '["cpu","cuda","xpu"]'
         required: false
 
+permissions: {} # No permissions by default
+
 jobs:
   component-check:
     name: Distrib workflow
@@ -54,8 +56,8 @@ jobs:
       - name: Install dependencies
         uses: ./.github/actions/install-dependencies
         with:
-          uv-cache-dependency-glob: 'application/backend/uv.lock'
-          cleanup-runner: 'true'
+          uv-cache-dependency-glob: "application/backend/uv.lock"
+          cleanup-runner: "true"
 
       - name: Build docker image for ${{ matrix.ai-device }}
         working-directory: application

.github/workflows/library.yml

@@ -7,6 +7,9 @@ on:
         type: string
         required: true
   workflow_dispatch:
+
+permissions: {} # No permissions by default
+
 jobs:
   component-check:
     name: Library workflow
@@ -24,7 +27,7 @@ jobs:
       - name: Install dependencies
         uses: ./.github/actions/install-dependencies
         with:
-          uv-cache-dependency-glob: 'library/uv.lock'
+          uv-cache-dependency-glob: "library/uv.lock"
 
       - name: Lint library
         working-directory: library

.github/workflows/main.yml

@@ -94,11 +94,11 @@ jobs:
 
       - uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 #v22.0.0
         with:
-          config: '.github/.markdownlint-cli2.jsonc'
+          config: ".github/.markdownlint-cli2.jsonc"
 
   success:
     name: Status checks
-    needs: [ build-parameters, library, backend, ui, distrib, markdown ]
+    needs: [build-parameters, library, backend, ui, distrib, markdown]
     runs-on: ubuntu-latest
     if: ${{ always() && !cancelled() }}
     env:

.github/workflows/renovate-config-validator.yml

@@ -17,8 +17,7 @@ on:
     paths:
       - ".github/renovate.json5"
 
-permissions:
-  contents: read
+permissions: {} # No permissions by default
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
@@ -27,6 +26,8 @@ concurrency:
 jobs:
   validate:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout configuration
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2