ci: add SHA-pinned CodeQL advanced-setup workflow#28
Merged
Conversation
Enables CodeQL code scanning (advanced setup) on askalf/amnesia, which has had no code scanning since the old codeql.yml was dropped in the 2026-06-03 history scrub. Scans the SPA render/auth JS (src/amnesia-search.html), the Worker HMAC/session code (worker/src/index.js), and the Actions workflows. - runs-on: ubuntu-latest (NOT the self-hosted prod runner) so fork-PR code never executes on the production box — preserves the ci.yml RCE guard. - languages: actions + javascript-typescript (both free on public repos). - triggers: push + pull_request on main, plus weekly cron '23 6 * * 1' (staggered off the :00 grid). - least-privilege permissions (security-events: write, contents: read, actions: read) + a concurrency guard. - github/codeql-action/* pinned to the v3.37.0 commit SHA 02c5e83432fe5497fd85b873b6c9f16a8578e1d9. - Advanced setup only; code-scanning default setup stays not-configured (the two conflict). CodeQL is intentionally left non-required so a scan hiccup cannot block deploys. Ref: ticket 01KXBEB4YG17C805SKRXG2ZWGD
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds
.github/workflows/codeql.yml— a SHA-pinned CodeQL advanced-setup workflow. askalf/amnesia has had no code scanning since the oldcodeql.ymlwas dropped in the 2026-06-03 git-history scrub (last analysis 2026-04-09, now stale/404 on main). Scorecard runs, but that is supply-chain analysis, not code scanning. CodeQL is free on public repos.Scan targets
src/amnesia-search.htmlworker/src/index.jsDesign decisions
runs-on: ubuntu-latest— NOT[self-hosted, amnesia]. CodeQL runs onpull_request(incl. forks on a public repo); keeping it on ephemeral GH-hosted runners preserves the fork-PR RCE guard applied toci.ymlin the 2026-06-09 hardening pass. The deploy workflows (push-to-main only, no fork exposure) stay self-hosted.actions+javascript-typescript(both free on public),build-mode: none.push+pull_requestonmain, plus a weeklyschedulecron'23 6 * * 1'(Mon 06:23 UTC, staggered off the:00grid).security-events: write,contents: read,actions: read(default token tocontents: read).github/codeql-action/{init,analyze}pinned to the v3.37.0 commit02c5e83432fe5497fd85b873b6c9f16a8578e1d9(resolved live from the annotated tag at authoring time; cross-checked two ways).# v3.37.0kept as a trailing comment, matching the repo's existing pin style (seescorecard.yml).actions/checkoutreuses the repo's existing v7.0.0 pin.Test plan
Validate HTML and Scripts, Scorecard, canary) must stay green — this change only adds a new workflow file, no source touched.analyzejob itself runs on this PR; both matrix legs (actions, javascript-typescript) should complete.tool.name == "CodeQL"should appear underrepos/askalf/amnesia/code-scanning/analyses;code-scanning/default-setupstaysnot-configured.Validate HTML and Scriptsis unaffected.Source ticket:
01KXBEB4YG17C805SKRXG2ZWGD