diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 7042cac9a..d11f74df3 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -129,6 +129,36 @@ Runs code quality checks.
 4. `node` - Run Node lint and format checks via `make lint:node` and `make fmt:check:node`
 5. `c` - Run C SDK lint and format checks via `make lint:c` and `make fmt:check:c`
+### `codeql.yml`
+
+Runs CodeQL code scanning (advanced setup) across all analyzed languages.
+
+**Why advanced setup:** CodeQL *default setup* does not analyze pull requests
+from forks, so the `code_scanning` ruleset rule ("Require code scanning
+results") permanently blocks fork PRs. Advanced setup runs on `pull_request`,
+so fork PRs in this public repo are scanned and the gate is satisfiable without
+an admin bypass.
+
+**Bootstrap guard:** GitHub rejects advanced CodeQL uploads while default setup
+is enabled. The workflow is dormant until repository variable
+`CODEQL_ADVANCED_SETUP_ENABLED` is set to `true`.
+
+**Triggers:**
+- Push to `main`
+- Pull requests against `main` (including fork PRs)
+- Manual dispatch
+- Weekly schedule (Mondays 03:31 UTC)
+
+**Jobs:**
+1. `analyze` - Matrix over `actions`, `c-cpp`, `go`, `javascript-typescript`, `python`, `rust`. All use `build-mode: none` (source-only, no compile) except `go`, which requires `autobuild` (Go's extractor must observe a build). Uses `github/codeql-action@v4`.
+
+**Activation sequence:**
+1. Merge this workflow while `CODEQL_ADVANCED_SETUP_ENABLED` is unset or `false`, so default setup remains the active scanner.
+2. Disable CodeQL default setup.
+3. Set repository variable `CODEQL_ADVANCED_SETUP_ENABLED=true`.
+4. Trigger a new push, pull request update, or manual dispatch and verify CodeQL analysis uploads successfully.
+5. Roll back by setting `CODEQL_ADVANCED_SETUP_ENABLED=false` and re-enabling default setup.
+
 ### `e2e-test.yml`
+Runs VM-based E2E integration tests on an ephemeral AWS EC2 self-hosted runner.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..24af84a70
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,75 @@
+# CodeQL advanced setup.
+#
+# Replaces CodeQL "default setup", which does not analyze pull requests from
+# forks. Advanced setup runs on `pull_request`, so fork PRs are scanned and the
+# "Require code scanning results" ruleset rule can be satisfied without an admin
+# bypass.
+#
+# GitHub rejects advanced CodeQL uploads while default setup is enabled, so keep
+# this workflow dormant until repository variable CODEQL_ADVANCED_SETUP_ENABLED
+# is set to "true" after default setup is disabled.
+#
+# Languages use `build-mode: none` (source-only analysis, no compile step) where
+# CodeQL supports it. Go does not support `none` — its extractor must observe a
+# build — so Go uses `autobuild` (the same mode default setup used successfully
+# for this repo).
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ workflow_dispatch:
+ schedule:
+ # Weekly full scan of the default branch (Mondays 03:31 UTC).
+ - cron: "31 3 * * 1"
+
+# Cancel in-progress analysis when a PR is updated.
+concurrency:
+ group: codeql-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ analyze:
+ if: vars.CODEQL_ADVANCED_SETUP_ENABLED == 'true'
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ # Required to upload code scanning results.
+ security-events: write
+ # Required by the CodeQL action to read the repository and Actions runs.
+ contents: read
+ actions: read
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: c-cpp
+ build-mode: none
+ - language: go
+ build-mode: autobuild
+ - language: javascript-typescript
+ build-mode: none
+ - language: python
+ build-mode: none
+ - language: rust
+ build-mode: none
+ steps:
+ - name: Checkout
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+ with:
+ category: "/language:${{ matrix.language }}"
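Review bot: `actions: read` in the `permissions` block is wider than a public repository (as the README change describes this one) needs — the codeql-action starter template annotates that permission as only required for workflows in private repositories — so for least privilege drop that line and narrow the comment above `contents: read` to `# Required to check out the repository.`. A second point to confirm before trusting this as the fork-PR gate: the job is keyed on `vars.CODEQL_ADVANCED_SETUP_ENABLED`, and if the `vars` context is not populated for `pull_request` runs from forks the job is silently skipped, which recreates exactly the blocked-fork-PR situation the header comment says this workflow fixes; verify on a real fork PR, not only a push or dispatch, when activating. Finally, the `go` matrix entry runs `autobuild` on code from untrusted fork PRs; `persist-credentials: false` and the read-only fork token keep that contained to the runner, but whatever `go build` ends up executing (cgo flags, `go.mod` directives) is controlled by the PR author, which deserves a comment on that entry such as `# autobuild executes the PR's build as-is; keep this job free of secrets and write tokens.`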