Add CodeQL standard gha workflow (#56)

httpdss · web-flow · commit 4a0dfaa3d775 · 2025-06-28T19:07:56.000-03:00
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -4,7 +4,6 @@
   "features": {
     "ghcr.io/devcontainers/features/python:1": {},
     "ghcr.io/gvatsal60/dev-container-features/pre-commit": {},
-    "ghcr.io/eitsupi/devcontainer-features/go-task:latest": {}
   },
   "postCreateCommand": "bash ./scripts/devcontainer_start.sh",
   "customizations": {
@@ -20,7 +19,8 @@
         "editorconfig.editorconfig",
         "davidanson.vscode-markdownlint",
         "foxundermoon.shell-format",
-        "gruntfuggly.todo-tree"
+        "gruntfuggly.todo-tree",
+        "harrydowning.yaml-embedded-languages"
       ],
       "settings": {
         "editor.formatOnSave": true,
diff --git a/struct_module/contribs/github/workflows/codeql.yaml b/struct_module/contribs/github/workflows/codeql.yaml
@@ -0,0 +1,88 @@
+files:
+  - .github/workflows/z-codeql.yaml:
+      content: | # yaml
+        # For most projects, this workflow file will not need changing; you simply need
+        # to commit it to your repository.
+        #
+        # You may wish to alter this file to override the set of languages analyzed,
+        # or to provide custom queries or build logic.
+        #
+        # ******** NOTE ********
+        # We have attempted to detect the languages in your repository. Please check
+        # the `language` matrix defined below to confirm you have the correct set of
+        # supported CodeQL languages.
+        #
+        name: 'CodeQL'
+
+        on:
+          push:
+            branches: ['develop', 'master', 'release**']
+            # paths-ignore:
+            #   - '**/__mockData__'
+          pull_request:
+            # The branches below must be a subset of the branches above
+            branches: ['develop', 'release**']
+            # paths-ignore:
+            #   - '**/__mockData__'
+          schedule:
+            - cron: '42 10 * * 1'
+
+        jobs:
+          analyze:
+            name: Analyze
+            # Runner size impacts CodeQL analysis time. To learn more, please see:
+            #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+            #   - https://gh.io/supported-runners-and-hardware-resources
+            #   - https://gh.io/using-larger-runners
+            # Consider using larger runners for possible analysis time improvements.
+            runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+            timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+            permissions:
+              actions: read
+              contents: read
+              security-events: write
+
+            strategy:
+              fail-fast: false
+              matrix:
+                language: ['javascript']
+                # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+                # Use only 'java' to analyze code written in Java, Kotlin or both
+                # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+                # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+            steps:
+              - name: Checkout repository
+                uses: actions/checkout@{{@ "actions/checkout" | latest_release @}}
+
+              # Initializes the CodeQL tools for scanning.
+              - name: Initialize CodeQL
+                uses: github/codeql-action/init@{{@ "github/codeql-action" | latest_release @}}
+                with:
+                  languages: ${{ matrix.language }}
+                  # If you wish to specify custom queries, you can do so here or in a config file.
+                  # By default, queries listed here will override any specified in a config file.
+                  # Prefix the list here with '+' to use these queries and those in the config file.
+
+                  # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+                  # queries: security-extended,security-and-quality
+
+              # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+              # If this step fails, then you should remove it and run the build manually (see below)
+              - name: Autobuild
+                uses: github/codeql-action/autobuild@{{@ "github/codeql-action" | latest_release @}}
+
+              # ℹ️ Command-line programs to run using the OS shell.
+              # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+              #   If the Autobuild fails above, remove it and uncomment the following three lines.
+              #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+              # - run: |
+              #     echo 'Run, Build Application using script'
+              #     ./location_of_script_within_repo/buildscript.sh
+
+              - name: Perform CodeQL Analysis
+                uses: github/codeql-action/analyze@{{@ "github/codeql-action" | latest_release @}}
+                with:
+                  category: '/language:${{matrix.language}}'
