Skip to content

Commit 79727ce

Browse files
committed
fix: add CodeQL workflow and restrict workflow permissions
- Add custom CodeQL workflow with build-mode: none for java-kotlin to fix compilation failure in default setup - Add explicit permissions (contents: read) to both workflows to resolve CodeQL alert #3 (CWE-275)
1 parent 5673e61 commit 79727ce

2 files changed

Lines changed: 52 additions & 0 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
name: "CodeQL"
2+
3+
on:
4+
push:
5+
branches: [ master ]
6+
pull_request:
7+
branches: [ master ]
8+
schedule:
9+
- cron: '0 6 * * 1' # Monday 6 AM UTC
10+
11+
permissions:
12+
contents: read
13+
14+
concurrency:
15+
group: ${{ github.workflow }}-${{ github.ref }}
16+
cancel-in-progress: true
17+
18+
jobs:
19+
analyze:
20+
name: Analyze (${{ matrix.language }})
21+
runs-on: ${{ (matrix.language == 'csharp' && 'windows-latest') || 'ubuntu-latest' }}
22+
permissions:
23+
security-events: write
24+
25+
strategy:
26+
fail-fast: false
27+
matrix:
28+
include:
29+
- language: actions
30+
build-mode: none
31+
- language: csharp
32+
build-mode: none
33+
- language: java-kotlin
34+
build-mode: none
35+
36+
steps:
37+
- name: Checkout
38+
uses: actions/checkout@v4
39+
40+
- name: Initialize CodeQL
41+
uses: github/codeql-action/init@v3
42+
with:
43+
languages: ${{ matrix.language }}
44+
build-mode: ${{ matrix.build-mode }}
45+
46+
- name: Perform CodeQL Analysis
47+
uses: github/codeql-action/analyze@v3
48+
with:
49+
category: "/language:${{ matrix.language }}"

.github/workflows/main.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,9 @@ on:
88
branches:
99
- master
1010

11+
permissions:
12+
contents: read
13+
1114
concurrency:
1215
group: ${{ github.workflow }}-${{ github.ref }}
1316
cancel-in-progress: true

0 commit comments

Comments
 (0)