pawwork/.github/workflows/codeql.yml at dev · Astro-Han/pawwork · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
# This workflow is a required merge check on `dev`. The exact ruleset
# entry to register is `analyze-js-ts`. PawWork runs user-
# authored skills and accesses the OS keychain; solo-dev code review is
# not a substitute for a JS/TS security scanner. Keep it in its own file
# (not folded into ci.yml) so security failures are legible in isolation.
# Decision recorded in issue #54 (D1).
name: codeql

on:
  push:
    branches: [dev]
  pull_request:
    branches: [dev]
  schedule:
    - cron: "0 2 * * 1"

permissions:
  contents: read
  pull-requests: read
  security-events: write

concurrency:
  group: ${{ github.ref == 'refs/heads/dev' && format('codeql-{0}', github.run_id) || format('codeql-{0}', github.event.pull_request.number || github.ref) }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/dev' }}

jobs:
  changes:
    runs-on: ubuntu-latest
    outputs:
      docs_only: ${{ steps.filter.outputs.docs_only }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6
        if: github.event_name == 'push'
        with:
          fetch-depth: 0
          persist-credentials: false

      - id: docs-paths
        if: github.event_name == 'pull_request' || github.event_name == 'push'
        continue-on-error: true
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # dorny/paths-filter@v4.0.1
        with:
          filters: |
            docs:
              - 'README.md'
              - 'README_CN.md'
              - 'AGENTS.md'
              - 'CONTRIBUTING.md'
              - 'SECURITY.md'
              - 'LICENSE'
              - 'docs/**'
              - 'assets/readme/**'
              - '.github/ISSUE_TEMPLATE/**'
              - '.github/pull_request_template.md'
              - 'packages/**/README.md'
              - 'packages/opencode/specs/**'

      - id: code-paths
        if: github.event_name == 'pull_request' || github.event_name == 'push'
        continue-on-error: true
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # dorny/paths-filter@v4.0.1
        with:
          predicate-quantifier: every
          filters: |
            code:
              - '**'
              - '!README.md'
              - '!README_CN.md'
              - '!AGENTS.md'
              - '!CONTRIBUTING.md'
              - '!SECURITY.md'
              - '!LICENSE'
              - '!docs/**'
              - '!assets/readme/**'
              - '!.github/ISSUE_TEMPLATE/**'
              - '!.github/pull_request_template.md'
              - '!packages/**/README.md'
              - '!packages/opencode/specs/**'

      - id: filter
        if: always()
        env:
          EVENT_NAME: ${{ github.event_name }}
          BEFORE_SHA: ${{ github.event.before }}
          DOCS_OUTCOME: ${{ steps.docs-paths.outcome }}
          CODE_OUTCOME: ${{ steps.code-paths.outcome }}
          DOCS_CHANGED: ${{ steps.docs-paths.outputs.docs }}
          CODE_CHANGED: ${{ steps.code-paths.outputs.code }}
        run: |
          set -euo pipefail

          docs_only=false

          if [ "$EVENT_NAME" != "pull_request" ] && [ "$EVENT_NAME" != "push" ]; then
            echo "docs_only=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          if [ "$EVENT_NAME" = "push" ] && { [ -z "$BEFORE_SHA" ] || [ "$BEFORE_SHA" = "0000000000000000000000000000000000000000" ]; }; then
            echo "docs_only=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          if [ "$DOCS_OUTCOME" != "success" ] || [ "$CODE_OUTCOME" != "success" ]; then
            echo "docs_only=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          if [ "$DOCS_CHANGED" = "true" ] && [ "$CODE_CHANGED" != "true" ]; then
            docs_only=true
          fi

          echo "docs_only=$docs_only" >> "$GITHUB_OUTPUT"

  analyze-js-ts:
    needs: changes
    if: needs.changes.outputs.docs_only != 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # actions/checkout@v6
        with:
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # github/codeql-action@v4
        with:
          languages: javascript-typescript

      - name: Analyze with CodeQL
        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # github/codeql-action@v4
        with:
          category: "/language:javascript-typescript"