CodeQL #249
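---
name: "CodeQL"

on:
  push:
    branches: [ master, dev ]
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '30 5 * * 1'  # Weekly on Monday at 5:30 AM UTC
  workflow_dispatch:  # Allow manual runs
    inputs:
      branch:
        description: 'Branch to scan'
        required: false
        default: 'master'
        # `choice` restricts the value to the listed options; the validation
        # step below is a second, in-job check of the same allow-list.
        type: choice
        options:
          - master
          - dev

# IMPORTANT: Never set cancel-in-progress to true for security scans!
# CodeQL analysis must complete to ensure:
#   - All security vulnerabilities are detected
#   - Complete code coverage for security issues
#   - Consistent security reporting
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

env:
  DOTNET_VERSION: '10.0.x'
  # Env values are strings at runtime; quote them so YAML does not retype them.
  DOTNET_NOLOGO: 'true'
  DOTNET_CLI_TELEMETRY_OPTOUT: 'true'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # Least privilege: read the repo, write only the code-scanning results.
    # Third-party actions below are pinned to major tags; pinning to a full
    # commit SHA gives a stronger supply-chain guarantee if the project wants it.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'csharp', 'javascript' ]
        include:
          - language: 'csharp'
            build-mode: 'manual'
          - language: 'javascript'
            build-mode: 'none'
    steps:
      - name: Validate branch input
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.branch
        # Hand the input to the shell through env instead of expanding
        # ${{ }} inside the script text, so it is only ever data, never code.
        env:
          REQUESTED_BRANCH: ${{ github.event.inputs.branch }}
        run: |
          ALLOWED_BRANCHES="master dev"
          # Quoted right-hand side => literal (not regex) whole-word match.
          if [[ ! " $ALLOWED_BRANCHES " =~ " $REQUESTED_BRANCH " ]]; then
            echo "❌ Error: Branch '$REQUESTED_BRANCH' is not allowed for CodeQL scanning."
            echo "Allowed branches: $ALLOWED_BRANCHES"
            exit 1
          fi
          echo "✅ Branch '$REQUESTED_BRANCH' is valid for scanning"

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Empty ref => the default ref for the triggering event.
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.branch || '' }}

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Wire the per-language build mode from the matrix so 'manual'
          # (csharp, built by the explicit step below) and 'none'
          # (javascript) are actually applied rather than left at the default.
          build-mode: ${{ matrix.build-mode }}
          queries: security-and-quality
          # Use the latest CodeQL CLI bundle so it can analyze the .NET SDK
          # pinned in DOTNET_VERSION; this also means the bundle is not
          # version-pinned between runs.
          tools: latest
          config: |
            query-filters:
              - exclude:
                  id: js/unused-local-variable
              - exclude:
                  id: cs/static-field-written-by-instance
              # Exclude common C# precision warnings that are usually intentional
              - exclude:
                  id: cs/loss-of-precision
                  tags: test
              # Exclude test-specific collection warnings
              - exclude:
                  id: cs/unused-collection
                  tags: test

      # C# specific build steps
      - name: Set up .NET
        if: matrix.language == 'csharp'
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}

      - name: Cache NuGet packages
        if: matrix.language == 'csharp'
        uses: actions/cache@v4
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/Directory.Build.props') }}
          restore-keys: |
            ${{ runner.os }}-nuget-

      - name: Restore dependencies
        if: matrix.language == 'csharp'
        run: dotnet restore

      - name: Build
        if: matrix.language == 'csharp'
        run: |
          # Clean build to ensure CodeQL tracks all files
          dotnet clean --configuration Release
          dotnet build --no-restore --configuration Release

      # JavaScript specific setup (if needed)
      - name: Setup Node.js
        if: matrix.language == 'javascript'
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
          cache-dependency-path: |
            SDKs/Node/package-lock.json
            SDKs/Node/Admin/package-lock.json
            SDKs/Node/Core/package-lock.json
            SDKs/Node/Common/package-lock.json
            WebAdmin/package-lock.json

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"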