feat(spa): chrome i18n message-catalog infrastructure (#630) + 1.7.0 #558
Workflow file for this run
```yaml
# CodeQL static analysis.
#
# Dataflow-based security analysis (Python + TypeScript), surfacing
# findings in the repository's Security tab where external reporters and
# maintainers both look. Free for public repos. It complements the test
# gate in `ci.yml` and the local lint gate (`scripts/lint.sh`): `bandit` /
# `ruff -S` (Python) and `eslint` (frontend) are rule-based; CodeQL adds
# dataflow detection (injection, path traversal, unsafe deserialization)
# those linters can miss. Added in #144 (post-public-flip hardening);
# the test CI gate followed in #452.

name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly re-scan so a newly-published CodeQL query catches an issue
    # in code that hasn't changed since the last push.
    - cron: "27 4 * * 1"

# Least-privilege: the analysis only needs to read the code and write
# security events. No write access to contents, packages, or anything
# that could mutate the repo.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # `python` covers django_admin_react/; `javascript-typescript`
        # covers frontend/. Both are first-party code we ship or build.
        language: [python, javascript-typescript]
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
        with:
          # The init action's input is `languages` (plural); a singular
          # `language` key is ignored with a warning and CodeQL falls back
          # to auto-detection, which defeats the per-language matrix.
          languages: ${{ matrix.language }}
          # `security-and-quality` is the broadest first-party query
          # suite — security findings plus maintainability/correctness.
          queries: security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
        with:
          category: "/language:${{ matrix.language }}"
```
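Two properties of this workflow are worth enforcing mechanically rather than by eye: every third-party action is pinned to a full commit SHA (not a mutable tag), and the top-level `permissions` block grants `write` only to the scopes code scanning actually needs. The following checker is an added example, not part of the project or of the CodeQL action; it is a line-based scan over workflow text (no YAML library required), and the `GOOD_WORKFLOW` / `BAD_WORKFLOW` inputs are constructed samples modelled on the file above, with the `ALLOWED_WRITE` set chosen by assumption to match this workflow's needs.

```python
import re

# Constructed sample: the relevant lines of the CodeQL workflow shown above.
GOOD_WORKFLOW = """\
name: CodeQL
permissions:
  contents: read
  security-events: write
jobs:
  analyze:
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3
"""

# Constructed sample: a weaker variant with a tag pin and a contents write grant.
BAD_WORKFLOW = """\
name: Sloppy
permissions:
  contents: write
  security-events: write
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57
"""

# Scopes that may legitimately be `write` for a code-scanning upload job (assumption).
ALLOWED_WRITE = {"security-events"}

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PIN = re.compile(r"^\s*-?\s*uses:\s*[^\s@]+@[0-9a-f]{40}\b")
PERM_HEADER = re.compile(r"^permissions:\s*(\S*)\s*$")
PERM_ENTRY = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*$")


def unpinned_actions(text: str) -> list[str]:
    """Return `uses:` references that are not pinned to a 40-hex commit SHA."""
    findings = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and docker images are out of scope here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not SHA_PIN.match(line):
            findings.append(ref)
    return findings


def write_permissions(text: str) -> tuple[bool, list[str]]:
    """Return (block_found, scopes granted `write`) for the top-level permissions block."""
    found, in_block, scopes = False, False, []
    for line in text.splitlines():
        header = PERM_HEADER.match(line)
        if header:
            found = True
            if header.group(1) == "":
                in_block = True          # mapping form follows on indented lines
            elif header.group(1) == "write-all":
                scopes.append("write-all")
            continue
        if in_block:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            entry = PERM_ENTRY.match(line)
            if not entry:
                in_block = False         # dedent: block ended
                continue
            if entry.group(2) == "write":
                scopes.append(entry.group(1))
    return found, scopes


def check_workflow(text: str) -> list[str]:
    """Collect human-readable problems; an empty list means both checks passed."""
    problems = [f"unpinned action: {ref}" for ref in unpinned_actions(text)]
    found, scopes = write_permissions(text)
    if not found:
        problems.append("no top-level permissions block (default token scopes apply)")
    problems += [f"unexpected write permission: {s}" for s in scopes if s not in ALLOWED_WRITE]
    return problems


if __name__ == "__main__":
    for label, wf in (("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW)):
        print(label, check_workflow(wf) or "ok")
```

The checker deliberately treats a missing `permissions` block as a finding: without it the job token gets the repository's default scopes, which is exactly what the least-privilege comment in the workflow is avoiding.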