chore(release): deduplicate CHANGELOG headers #29

Workflow file for this run

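# Copyright (c) 2026 SnowdreamTech. All rights reserved.
# Licensed under the MIT License. See LICENSE file in the project root for full license information.
---
# CodeQL Security Analysis
# Purpose: Performs deep static analysis to detect security vulnerabilities and coding errors.
# Trigger: Push to main/dev, and pull requests targeting main, dev and the
#   feat/**, branch/**, feature/**, fix/** and pr/** branch families.
#   NOTE(review): no `schedule` or `workflow_dispatch` trigger is configured, so newly
#   published CodeQL queries are only applied when a commit lands; a periodic run is the
#   usual way to close that gap — confirm whether one is wanted.
# Permissions: the workflow default is `{}` (deny-by-default); the job grants only:
#   - security-events: write (Required to upload SARIF results to the GitHub Security tab).
#   - actions: read (Required to determine workflow run status).
#   - contents: read (Required for code analysis).
# Concurrency:
#   - group: codeql-${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
#     (one in-flight scan per language and ref).
#   - cancel-in-progress: true (an in-progress scan is superseded by a newer commit to the
#     same ref to save resources; only the latest commit of a ref is guaranteed a result).
# Design:
#   - Matrix strategy over CodeQL language identifiers; currently only `actions` is enabled
#     (see the commented list under `matrix.language`).
#   - Leverages CodeQL autobuild for zero-config compilation once a compiled language is enabled.
name: "🔬 CodeQL Analysis"
"on":
  push:
    branches:
      - "main"
      - "dev"
  pull_request:
    # These filter on the PR's *base* (target) branch.
    branches:
      - "main"
      - "dev"
      - "feat/**"
      - "branch/**"
      - "feature/**"
      - "fix/**"
      - "pr/**"
# Deny-by-default at the workflow level; each job declares its own minimal grant.
permissions: {}
env:
  # NOTE(review): purpose not documented in this file — presumably read by tooling
  # invoked in this repo; confirm against the consumer before changing or removing it.
  UNIRTM_LOCKED: 1
jobs:
  analyze:
    name: "🛡️ Deep Semantic Analysis (${{ matrix.language }})"
    runs-on: ubuntu-latest
    concurrency:
      group: codeql-${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }}
      cancel-in-progress: true
    permissions:
      security-events: write # Required to upload SARIF results to the GitHub Security tab
      actions: read # Required to determine workflow run status
      contents: read # Required for code analysis
    timeout-minutes: 360 # Deep scans on large repos can take significant time
    strategy:
      fail-fast: false
      matrix:
        language:
          - actions
          # CodeQL language identifiers. Uncomment an entry when the repo contains such sources:
          # - go # Go (*.go)
          # - python # Python (*.py)
          # - javascript-typescript # JS/TS (*.js, *.ts, *.jsx, *.tsx)
          # - c-cpp # C/C++/Obj-C (*.c, *.cpp, *.h)
          # - csharp # C# (*.cs)
          # - java-kotlin # Java/Kotlin (*.java, *.kt)
          # - ruby # Ruby (*.rb)
          # - swift # Swift (*.swift)
    steps:
      - name: "🔒 Harden Runner"
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          disable-sudo: true
          # Deny-by-default egress; only the endpoints listed below are reachable.
          egress-policy: block
          # NOTE(review): this allowlist looks shared with build/publish workflows (OS package
          # mirrors, container registries, language package indexes). A CodeQL job that scans
          # only `actions` sources is unlikely to reach most of them; trimming the list would
          # tighten egress. Check the harden-runner report for the endpoints actually contacted
          # before removing entries.
          allowed-endpoints: >
            api.github.com:443
            raw.githubusercontent.com:443
            objects.githubusercontent.com:443
            pkg-containers.githubusercontent.com:443
            avatars.githubusercontent.com:443
            github.com:443
            packages.microsoft.com:443
            archive.ubuntu.com:80
            archive.ubuntu.com:443
            security.ubuntu.com:80
            security.ubuntu.com:443
            ports.ubuntu.com:80
            ports.ubuntu.com:443
            keyserver.ubuntu.com:80
            keyserver.ubuntu.com:443
            changelogs.ubuntu.com:80
            changelogs.ubuntu.com:443
            deb.debian.org:80
            deb.debian.org:443
            security.debian.org:80
            security.debian.org:443
            snapshot.debian.org:80
            snapshot.debian.org:443
            dl.rockylinux.org:443
            mirrors.rockylinux.org:443
            mirror.centos.org:443
            vault.centos.org:443
            isv-data.centos.org:443
            mirrorlist.centos.org:80
            mirrorlist.centos.org:443
            cdn.redhat.com:443
            cdn-ubi.redhat.com:443
            access.redhat.com:443
            sso.redhat.com:443
            dl-cdn.alpinelinux.org:443
            registry.npmjs.org:443
            registry.yarnpkg.com:443
            pypi.org:443
            files.pythonhosted.org:443
            proxy.golang.org:443
            sum.golang.org:443
            index.crates.io:443
            static.rust-lang.org:443
            packagist.org:443
            repo.maven.apache.org:443
            golang.org:443
            pkg.go.dev:443
            dl.google.com:443
            rubygems.org:443
            registry.terraform.io:443
            formulae.brew.sh:443
            repo.yarnpkg.com:443
            ghcr.io:443
            production.cloudflare.docker.com:80
            production.cloudflare.docker.com:443
            registry-1.docker.io:443
            auth.docker.io:443
            docker.io:443
            quay.io:443
            cdn.quay.io:443
            docker-images-prod.s3.us-west-2.amazonaws.com:443
            docker-images-prod.s3.us-east-1.amazonaws.com:443
            docker-images-prod.s3.amazonaws.com:443
            s3.amazonaws.com:443
            s3.us-west-2.amazonaws.com:443
            s3.us-east-1.amazonaws.com:443
            osv-vulnerabilities.storage.googleapis.com:443
            api.osv.dev:443
            get.trivy.dev:443
            aquasecurity.github.io:443
            tuf-repo-cdn.sigstore.dev:443
            oauth2.sigstore.dev:443
            rekor.sigstore.dev:443
            fulcio.sigstore.dev:443
            api.sigstore.dev:443
      - name: "📂 Checkout Repository Code"
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # The token is not needed by later steps; don't leave it in .git/config.
          persist-credentials: false
      - name: "🛡️ Initialize CodeQL Engine"
        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          # Sets up the CodeQL database for the matrix language (currently `actions`).
          languages: ${{ matrix.language }}
          # Query packs / path filters live in the repo-level config file.
          config-file: .github/codeql/codeql-config.yml
      - name: "🚀 Bootstrap Target Build"
        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        # Attempts to automatically compile the project to enable full-trace analysis.
        # For interpreted/declarative languages such as `actions` there is nothing to build;
        # the step is kept so enabling a compiled language in the matrix needs no further change.
      - name: "🔍 Perform Deep Security Analysis"
        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          # Executes the semantic queries and uploads the SARIF report under a per-language
          # category so results from different matrix legs don't overwrite each other.
          category: "/language:${{ matrix.language }}"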