-
-
Notifications
You must be signed in to change notification settings - Fork 2
135 lines (118 loc) Β· 4.39 KB
/
codeql.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"
on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
schedule:
- cron: '28 20 * * 1'
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: false
DOTNET_NOLOGO: true
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_CLI_TELEMETRY_OPTOUT: true
permissions:
contents: read
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
language: [ 'csharp', 'javascript-typescript' ]
steps:
- name: π‘οΈ Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
*.azureedge.net:443
*.digicert.com:80
*.github.com:443
*.ws.symantec.com:80
aka.ms:443
github.com:443
api.nuget.org:443
builds.dotnet.microsoft.com:443
cdn.fwupd.org:443
ci.dot.net:443
dc.services.visualstudio.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443
s.symcb.com:80
s.symcd.com:80
www.microsoft.com:80
- name: π Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: π§° Setup .NET
uses: actions/setup-dotnet@3951f0dfe7a07e2313ec93c75700083e2005cbab # v4.3.0
with:
dotnet-version: |
6.x
8.x
global-json-file: global.json
if: matrix.language == 'csharp'
- name: ποΈ Setup NuGet cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
restore-keys: ${{ runner.os }}-nuget-
if: matrix.language == 'csharp'
- name: π§° Setup Node
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: 20
cache: npm
cache-dependency-path: docs/package-lock.json
if: matrix.language == 'javascript-typescript'
# Initializes the CodeQL tools for scanning.
- name: π οΈ Initialize CodeQL
uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
- name: π₯ Restore dependencies
run: dotnet restore --locked-mode
if: matrix.language == 'csharp'
- name: ποΈ Build
run: dotnet build --no-restore -c Release
if: matrix.language == 'csharp'
- name: π₯ Install dependencies
run: npm ci
working-directory: docs
if: matrix.language == 'javascript-typescript'
- name: ποΈ Build with VitePress
run: npm run docs:build
working-directory: docs
if: matrix.language == 'javascript-typescript'
- name: π Perform CodeQL Analysis
uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
with:
category: "/language:${{matrix.language}}"