Skip to content

ci: add SHA-pinned CodeQL advanced-setup workflow#28

Merged
askalf merged 1 commit into
mainfrom
ci/codeql-advanced-setup
Jul 12, 2026
Merged

ci: add SHA-pinned CodeQL advanced-setup workflow#28
askalf merged 1 commit into
mainfrom
ci/codeql-advanced-setup

Conversation

@askalf

@askalf askalf commented Jul 12, 2026

Copy link
Copy Markdown
Owner

What

Adds .github/workflows/codeql.yml — a SHA-pinned CodeQL advanced-setup workflow. askalf/amnesia has had no code scanning since the old codeql.yml was dropped in the 2026-06-03 git-history scrub (last analysis 2026-04-09, now stale/404 on main). Scorecard runs, but that is supply-chain analysis, not code scanning. CodeQL is free on public repos.

Scan targets

  • SPA render/auth JS — src/amnesia-search.html
  • Worker HMAC/session code — worker/src/index.js
  • GitHub Actions workflows

Design decisions

  • runs-on: ubuntu-latest — NOT [self-hosted, amnesia]. CodeQL runs on pull_request (incl. forks on a public repo); keeping it on ephemeral GH-hosted runners preserves the fork-PR RCE guard applied to ci.yml in the 2026-06-09 hardening pass. The deploy workflows (push-to-main only, no fork exposure) stay self-hosted.
  • Languages: actions + javascript-typescript (both free on public), build-mode: none.
  • Triggers: push + pull_request on main, plus a weekly schedule cron '23 6 * * 1' (Mon 06:23 UTC, staggered off the :00 grid).
  • Least-privilege permissions: security-events: write, contents: read, actions: read (default token to contents: read).
  • Concurrency guard — cancels superseded PR runs; lets push/schedule runs finish so a main-branch result is never dropped.
  • SHA pins: github/codeql-action/{init,analyze} pinned to the v3.37.0 commit 02c5e83432fe5497fd85b873b6c9f16a8578e1d9 (resolved live from the annotated tag at authoring time; cross-checked two ways). # v3.37.0 kept as a trailing comment, matching the repo's existing pin style (see scorecard.yml). actions/checkout reuses the repo's existing v7.0.0 pin.
  • Advanced setup only — code-scanning default setup stays not-configured (the two conflict).

Test plan

  • PR CI (Validate HTML and Scripts, Scorecard, canary) must stay green — this change only adds a new workflow file, no source touched.
  • The CodeQL analyze job itself runs on this PR; both matrix legs (actions, javascript-typescript) should complete.
  • After merge: a new analysis with tool.name == "CodeQL" should appear under repos/askalf/amnesia/code-scanning/analyses; code-scanning/default-setup stays not-configured.
  • CodeQL is intentionally left non-required so a scan hiccup cannot block the Pages/Worker auto-deploy flow. The existing required check Validate HTML and Scripts is unaffected.

Source ticket: 01KXBEB4YG17C805SKRXG2ZWGD

Enables CodeQL code scanning (advanced setup) on askalf/amnesia, which has had
no code scanning since the old codeql.yml was dropped in the 2026-06-03 history
scrub. Scans the SPA render/auth JS (src/amnesia-search.html), the Worker
HMAC/session code (worker/src/index.js), and the Actions workflows.

- runs-on: ubuntu-latest (NOT the self-hosted prod runner) so fork-PR code
  never executes on the production box — preserves the ci.yml RCE guard.
- languages: actions + javascript-typescript (both free on public repos).
- triggers: push + pull_request on main, plus weekly cron '23 6 * * 1'
  (staggered off the :00 grid).
- least-privilege permissions (security-events: write, contents: read,
  actions: read) + a concurrency guard.
- github/codeql-action/* pinned to the v3.37.0 commit SHA
  02c5e83432fe5497fd85b873b6c9f16a8578e1d9.
- Advanced setup only; code-scanning default setup stays not-configured
  (the two conflict). CodeQL is intentionally left non-required so a scan
  hiccup cannot block deploys.

Ref: ticket 01KXBEB4YG17C805SKRXG2ZWGD
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@askalf
askalf merged commit 88a7426 into main Jul 12, 2026
4 checks passed
@askalf
askalf deleted the ci/codeql-advanced-setup branch July 12, 2026 15:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants