From bd640da1fd7b220bb742d494aea9d8850d2833e6 Mon Sep 17 00:00:00 2001 From: askalf <263217947+askalf@users.noreply.github.com> Date: Sun, 12 Jul 2026 15:20:48 +0000 Subject: [PATCH] ci: add SHA-pinned CodeQL advanced-setup workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Enables CodeQL code scanning (advanced setup) on askalf/amnesia, which has had no code scanning since the old codeql.yml was dropped in the 2026-06-03 history scrub. Scans the SPA render/auth JS (src/amnesia-search.html), the Worker HMAC/session code (worker/src/index.js), and the Actions workflows. - runs-on: ubuntu-latest (NOT the self-hosted prod runner) so fork-PR code never executes on the production box — preserves the ci.yml RCE guard. - languages: actions + javascript-typescript (both free on public repos). - triggers: push + pull_request on main, plus weekly cron '23 6 * * 1' (staggered off the :00 grid). - least-privilege permissions (security-events: write, contents: read, actions: read) + a concurrency guard. - github/codeql-action/* pinned to the v3.37.0 commit SHA 02c5e83432fe5497fd85b873b6c9f16a8578e1d9. - Advanced setup only; code-scanning default setup stays not-configured (the two conflict). CodeQL is intentionally left non-required so a scan hiccup cannot block deploys. Ref: ticket 01KXBEB4YG17C805SKRXG2ZWGD --- .github/workflows/codeql.yml | 61 ++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..8562eab --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,61 @@ +# CodeQL — GitHub's semantic code-scanning engine. Advanced setup (this file) +# is the chosen path; code-scanning default setup stays not-configured, since +# the two conflict. Scans the SPA render/auth JS (src/amnesia-search.html), the +# Worker HMAC/session code (worker/src/index.js), and the Actions workflows. +# CodeQL is free on public repos. +name: CodeQL + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '23 6 * * 1' # weekly, Monday 06:23 UTC (staggered off the :00 grid) + +# Never let two analyses of the same ref pile up; cancel superseded PR runs but +# let push/schedule runs finish so a main-branch result is never dropped. +concurrency: + group: codeql-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +permissions: + contents: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # GitHub-hosted, NOT [self-hosted, amnesia]: CodeQL runs on pull_request, + # including from forks (public repo). Running untrusted fork code on the + # self-hosted runner — which lives on the production box — is a remote + # code-exec path. Keep PR-triggered analysis on ephemeral GH runners; only + # the deploy workflows (push to main, no fork exposure) use self-hosted. + runs-on: ubuntu-latest + permissions: + security-events: write # upload the SARIF results to code scanning + contents: read # checkout the source + actions: read # analyze the Actions workflows + + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: javascript-typescript + build-mode: none + + steps: + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + + - name: Initialize CodeQL + uses: github/codeql-action/init@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0 + with: + category: "/language:${{ matrix.language }}"