Skip to content

Commit 0c0a854

Browse files
nilsbehlenclaude
andcommitted
Add CI: build/test, CodeQL and zizmor workflows
- build.yml: set up JDK 17 + maven cache, run `mvn verify` (now runs the tests). - codeql.yml: CodeQL static analysis for the Java sources. - zizmor.yml: audit the GitHub Actions workflows for security issues, results uploaded to code scanning. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 6efe476 commit 0c0a854

3 files changed

Lines changed: 107 additions & 5 deletions

File tree

.github/workflows/build.yml

Lines changed: 16 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
1+
# Build the project and run the test suite with Maven.
22

33
name: Build
44

@@ -8,13 +8,24 @@ on:
88
pull_request:
99
branches: [ "master" ]
1010

11+
permissions:
12+
contents: read
13+
1114
jobs:
1215
build:
13-
1416
runs-on: ubuntu-latest
1517

1618
steps:
17-
- uses: actions/checkout@v4
19+
- uses: actions/checkout@v4
20+
21+
- name: Set up JDK
22+
uses: actions/setup-java@v4
23+
with:
24+
distribution: temurin
25+
java-version: '17'
26+
cache: maven
1827

19-
- name: Build with Maven
20-
run: mvn -B package --file pom.xml
28+
# 'verify' runs the unit tests (surefire) before packaging. Tests run by
29+
# default now; they can be skipped locally with -DskipTests.
30+
- name: Build and test with Maven
31+
run: mvn -B verify --file pom.xml

.github/workflows/codeql.yml

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
# CodeQL static analysis for the Java sources.
2+
# Results appear under the repository's "Security > Code scanning" tab.
3+
4+
name: CodeQL
5+
6+
on:
7+
push:
8+
branches: [ "master" ]
9+
pull_request:
10+
branches: [ "master" ]
11+
schedule:
12+
# Weekly run so new CodeQL queries are applied to unchanged code too.
13+
- cron: '27 4 * * 1'
14+
15+
permissions:
16+
contents: read
17+
18+
jobs:
19+
analyze:
20+
name: Analyze (java)
21+
runs-on: ubuntu-latest
22+
permissions:
23+
security-events: write
24+
actions: read
25+
contents: read
26+
27+
steps:
28+
- uses: actions/checkout@v4
29+
30+
- name: Initialize CodeQL
31+
uses: github/codeql-action/init@v3
32+
with:
33+
languages: java-kotlin
34+
build-mode: manual
35+
36+
- name: Set up JDK
37+
uses: actions/setup-java@v4
38+
with:
39+
distribution: temurin
40+
java-version: '17'
41+
cache: maven
42+
43+
# Manual build so CodeQL traces the exact compilation. Skip tests to keep the analysis build fast.
44+
- name: Build
45+
run: mvn -B -DskipTests package --file pom.xml
46+
47+
- name: Perform CodeQL Analysis
48+
uses: github/codeql-action/analyze@v3
49+
with:
50+
category: "/language:java-kotlin"

.github/workflows/zizmor.yml

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
# zizmor audits the GitHub Actions workflows themselves for security issues
2+
# (injection, excessive permissions, unpinned actions, etc.).
3+
# Results appear under the repository's "Security > Code scanning" tab.
4+
5+
name: zizmor
6+
7+
on:
8+
push:
9+
branches: [ "master" ]
10+
pull_request:
11+
branches: [ "master" ]
12+
13+
permissions:
14+
contents: read
15+
16+
jobs:
17+
zizmor:
18+
runs-on: ubuntu-latest
19+
permissions:
20+
security-events: write
21+
contents: read
22+
23+
steps:
24+
- uses: actions/checkout@v4
25+
26+
- name: Install uv
27+
uses: astral-sh/setup-uv@v6
28+
29+
# Audit all workflow files. continue-on-error so findings still get uploaded
30+
# to code scanning instead of aborting before the upload step.
31+
- name: Run zizmor
32+
continue-on-error: true
33+
run: uvx zizmor --format sarif . > zizmor.sarif
34+
env:
35+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
36+
37+
- name: Upload SARIF
38+
uses: github/codeql-action/upload-sarif@v3
39+
with:
40+
sarif_file: zizmor.sarif
41+
category: zizmor

0 commit comments

Comments
 (0)