From 17f9481917416a26ab3fd555d99008d2a3537742 Mon Sep 17 00:00:00 2001 From: Amos Date: Sat, 16 May 2026 17:58:44 +0800 Subject: [PATCH 1/2] ci(security): supply chain security --- .github/workflows/build.yml | 4 +- .github/workflows/codeql-analysis.yml | 61 +++++++++++++++++++ .../workflows/compile_host_redirect_js.yml | 6 +- .github/workflows/stage.yml | 2 +- .github/workflows/translator_bot.yml | 3 + 5 files changed, 70 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0b4e0aea9a..d09a4d71df 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -76,7 +76,7 @@ jobs: run: curl -sL https://firebase.tools/ | sed s/latest/v15.2.1/ | bash - name: Build site run: dart run dash_site build - - uses: actions/setup-node@v6 + - uses: actions/setup-node@670825a89dc0abd596e7a3abd0f5e3f6e5faf37c with: node-version: 24 - name: Translated (docs.flutter.cn) @@ -121,7 +121,7 @@ jobs: run: dart pub get - name: Build site run: dart run dash_site build --release - - uses: actions/setup-node@v6 + - uses: actions/setup-node@670825a89dc0abd596e7a3abd0f5e3f6e5faf37c with: node-version: 24 - name: Translated (docs.flutter.cn) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000000..3128a27fe9 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,61 @@ +name: "CodeQL" + +on: + push: + branches: [ main ] + pull_request: + branches: + - main + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + if: github.repository == 'cfug/flutter.cn' + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://git.io/codeql-language-support + + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e + + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e diff --git a/.github/workflows/compile_host_redirect_js.yml b/.github/workflows/compile_host_redirect_js.yml index 92ad33a142..bd82dcb4b7 100644 --- a/.github/workflows/compile_host_redirect_js.yml +++ b/.github/workflows/compile_host_redirect_js.yml @@ -22,15 +22,15 @@ jobs: github.repository == 'cfug/flutter.cn' }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + - uses: actions/setup-node@670825a89dc0abd596e7a3abd0f5e3f6e5faf37c with: node-version: ${{ env.NODE_VERSION }} - name: Build JS run: bash ./tool/host-redirect/build.sh shell: bash - name: Create Pull Request - uses: peter-evans/create-pull-request@v8 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 with: token: ${{ secrets.DOCS_REPO_DEPLOY_TOKEN }} base: main diff --git a/.github/workflows/stage.yml b/.github/workflows/stage.yml index d01e4ab228..9a1f4c658b 100644 --- a/.github/workflows/stage.yml +++ b/.github/workflows/stage.yml @@ -28,7 +28,7 @@ jobs: run: dart pub get - name: Build site run: dart run dash_site build --release - - uses: actions/setup-node@v6 + - uses: actions/setup-node@670825a89dc0abd596e7a3abd0f5e3f6e5faf37c with: node-version: 24 - name: Translated (docs.flutter.cn) diff --git a/.github/workflows/translator_bot.yml b/.github/workflows/translator_bot.yml index 44109d28eb..44f43271f2 100644 --- a/.github/workflows/translator_bot.yml +++ b/.github/workflows/translator_bot.yml @@ -4,6 +4,9 @@ on: issue_comment: types: [created] +# Disable permissions for all of the available permissions +permissions: {} + jobs: translator-bot-job: runs-on: ubuntu-latest From cdecf271e3998c1e37a4ed0d2003e21e24a98156 Mon Sep 17 00:00:00 2001 From: Amos Date: Sat, 16 May 2026 19:09:38 +0800 Subject: [PATCH 2/2] ci(security): supply chain security --- .github/workflows/translator_bot.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/translator_bot.yml b/.github/workflows/translator_bot.yml index 44f43271f2..5dd2c499d9 100644 --- a/.github/workflows/translator_bot.yml +++ b/.github/workflows/translator_bot.yml @@ -4,13 +4,14 @@ on: issue_comment: types: [created] -# Disable permissions for all of the available permissions -permissions: {} - jobs: translator-bot-job: runs-on: ubuntu-latest name: translator-bot + permissions: + contents: write + issues: write + pull-requests: write if: | github.repository == 'cfug/flutter.cn' && github.event_name == 'issue_comment' &&