From 8da4f63fbdf8d726e903d919ac8cf279911160e3 Mon Sep 17 00:00:00 2001
From: Tatsuro Shibamura
Date: Fri, 6 Mar 2026 15:38:13 +0900
Subject: [PATCH 1/4] Refactor CodeQL workflow for improved clarity Updated CodeQL workflow to include autobuild mode and removed unnecessary comments.
---
.github/workflows/codeql.yml | 52 ++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..97e5dd7
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,52 @@
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "master" ]
+ pull_request:
+ branches: [ "master" ]
+ schedule:
+ - cron: '15 22 * * 2'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ contents: read
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: csharp
+ build-mode: autobuild
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ - name: Run manual build steps
+ if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:${{matrix.language}}"
From 52aba2cd46dbdcd183f98578d4d36a099e143a9e Mon Sep 17 00:00:00 2001
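Review bot: The `Run manual build steps` step near the end of the hunk can never execute: its guard is `if: matrix.build-mode == 'manual'`, but the matrix only declares `build-mode: none` and `build-mode: autobuild`, so the `exit 1` placeholder is dead weight every later reader has to reason about. Either drop the step or keep it with a comment stating its purpose, e.g. `# Starter-template placeholder; only runs if a matrix entry sets build-mode: manual`. Separately, the commit message says comments were removed, but the diff creates the file from `/dev/null`, so the description appears to describe a different change than the one recorded.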
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Fri, 6 Mar 2026 16:43:57 +0900
Subject: [PATCH 2/4] Fix CodeQL C# analysis to run on Windows (#312)
* Initial plan
* Fix CodeQL workflow to use windows-latest for C# analysis
Co-authored-by: shibayan <1356444+shibayan@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: shibayan <1356444+shibayan@users.noreply.github.com>
---
.github/workflows/codeql.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 97e5dd7..2fda2f0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,7 +11,7 @@ on:
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ runs-on: ${{ matrix.os }}
 permissions:
 security-events: write
 packages: read
@@ -23,8 +23,10 @@ jobs: include: - language: actions build-mode: none + os: ubuntu-latest - language: csharp build-mode: autobuild + os: windows-latest steps: - name: Checkout repository uses: actions/checkout@v4
From 53ff43fa21f828b527702546c071c48c77310a9a Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Fri, 6 Mar 2026 16:44:17 +0900
Subject: [PATCH 3/4] Pin codeql.yml actions to full commit SHAs (#311)
* Initial plan
* Pin codeql.yml actions to full commit SHAs for supply chain hardening
Co-authored-by: shibayan <1356444+shibayan@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: shibayan <1356444+shibayan@users.noreply.github.com>
---
.github/workflows/codeql.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2fda2f0..1d9894a 100644
--- a/.github/workflows/codeql.yml
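Review bot: The `os: windows-latest` entry added to the csharp matrix item in the second hunk carries no explanation of why C# analysis has to leave `ubuntu-latest`, so the next person tidying the matrix is likely to fold it back to one runner. Add a comment naming the reason and the tracking issue, e.g. `os: windows-latest  # C# autobuild needs a Windows runner here, see #312` (the commit does not state the underlying cause, so confirm the wording). Since `runs-on: ${{ matrix.os }}` in the first hunk now depends on every matrix entry defining `os`, a one-line comment above `include:` saying so would save a future entry from failing at queue time.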
+++ b/.github/workflows/codeql.yml
@@ -29,10 +29,10 @@ jobs: os: windows-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }}
@@ -49,6 +49,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: category: "/language:${{matrix.language}}"
From fec14f76e954b5ddd183509123be306b96f75783 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Fri, 6 Mar 2026 16:45:36 +0900
Subject: [PATCH 4/4] Fix CodeQL workflow: add setup-dotnet for C# autobuild on Windows (#310)
* Initial plan
* Add setup-dotnet step to CodeQL workflow for C# autobuild
Co-authored-by: shibayan <1356444+shibayan@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: shibayan <1356444+shibayan@users.noreply.github.com>
Co-authored-by: Tatsuro Shibamura
---
.github/workflows/codeql.yml | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1d9894a..f96743a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,9 @@ on: schedule: - cron: '15 22 * * 2'
+env:
+ DOTNET_VERSION: 10.0.x
+
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
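Review bot: The `# v4.3.1` and `# v4.32.6` comments beside the pinned SHAs in both hunks of patch 3 are the only link from a SHA back to a readable version, and nothing in the workflow checks that they agree, so an edit that bumps one and not the other silently hides what is actually running. Pinning is the right move; pair it with an automated updater for the `github-actions` ecosystem (Dependabot or Renovate, if the repository does not already have one configured) so the SHA and the trailing version comment move together, and verify each SHA against the upstream release tag when reviewing. The same applies to the `analyze` pin in the second hunk, which reuses the `init` SHA from the same repository, as expected.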
@@ -29,7 +32,13 @@ jobs: os: windows-latest steps: - name: Checkout repository - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Use .NET ${{ env.DOTNET_VERSION }} + if: matrix.language == 'csharp' + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} - name: Initialize CodeQL uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
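Review bot: The hunk moves `actions/checkout` from the `# v4.3.1` SHA to a `# v6.0.2` SHA, a major-version jump that the commit title ("add setup-dotnet") and body never mention, so the change is easy to miss in review and hard to find later from the history. Split the checkout bump into its own commit or at least name it in the message, and confirm `de0fac2e4500dabe0009e67214ff5f5447ce83dd` is the v6.0.2 tag before merging. The new `Use .NET` step is placed before `Initialize CodeQL`, which is presumably where the SDK has to be on PATH for `autobuild`, and its `if: matrix.language == 'csharp'` guard keeps it off the `actions` job; a short comment on the step saying why it must precede init would help, e.g. `# SDK must be installed before CodeQL init so autobuild can find it`.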