Yubico.NET.SDK/.github/workflows/codeql-analysis.yml at 1004f2d2f9917c06a084b64d26c74f37da430f62 · Yubico/Yubico.NET.SDK · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# Copyright 2025 Yubico AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CodeQL static code analysis
name: "Run CodeQL"

on:
  push:
    branches:
      - main
      - 'develop**'
    paths:
      - '**.h'
      - '**.c'
      - '**.cs'
      - '**.csproj'
      - '**.sln'
      - '.github/workflows/*.yml'
  pull_request:
    branches:
      - main
      - 'develop**'
    paths:
      - '**.h'
      - '**.c'
      - '**.cs'
      - '**.csproj'
      - '**.sln'
      - '.github/workflows/*.yml'

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: windows-2022
    # Requires write permission to upload CodeQL security scan results
    permissions:
      security-events: write  # Required for CodeQL to upload scan results
      actions: read           # Required for workflows in private repositories
      contents: read
      packages: read

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false

      # Setup .NET with authenticated NuGet source
      - name: Setup .NET
        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7  # v5.2.0
        with:
          source-url: https://nuget.pkg.github.com/Yubico/index.json
        env:
          NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13  # v4.35.1
        with:
          # Override automatic language detection to only analyze C#
          # C/C++ code in Yubico.NativeShims is built separately (requires CMake/vcpkg)
          languages: 'csharp,actions'

      # Build the project
      - name: Build Yubico.NET.SDK.sln
        run: dotnet build --configuration Release --nologo --verbosity minimal Yubico.NET.SDK.sln
        env:
          NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13  # v4.35.1