From a337b4296639abab984867c26c920d28fefb950b Mon Sep 17 00:00:00 2001 From: fantonangeli Date: Wed, 29 Apr 2026 11:38:42 +0200 Subject: [PATCH 1/4] Created CodeQL wf Signed-off-by: fantonangeli --- .github/workflows/ci_codeql.yml | 53 +++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/ci_codeql.yml diff --git a/.github/workflows/ci_codeql.yml b/.github/workflows/ci_codeql.yml new file mode 100644 index 0000000..2673f21 --- /dev/null +++ b/.github/workflows/ci_codeql.yml @@ -0,0 +1,53 @@ +# +# Copyright 2021-Present The Serverless Workflow Specification Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +name: "CI :: CodeQL" + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + # Run weekly on Monday at 12:00 UTC. + - cron: "0 12 * * 1" + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + language: ["javascript-typescript", "actions"] + + steps: + - name: Checkout repository + uses: actions/checkout@v6 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 From 2cd2fba29c0386ceccc76064138db91c10772caa Mon Sep 17 00:00:00 2001 From: fantonangeli Date: Thu, 30 Apr 2026 09:59:16 +0200 Subject: [PATCH 2/4] Trigger CodeQL scan Signed-off-by: fantonangeli From ba2e7759c21b995149749e28c136acd35e0c2e75 Mon Sep 17 00:00:00 2001 From: fantonangeli Date: Thu, 30 Apr 2026 10:44:46 +0200 Subject: [PATCH 3/4] Add security-extended Signed-off-by: fantonangeli --- .github/workflows/ci_codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci_codeql.yml b/.github/workflows/ci_codeql.yml index 2673f21..d81fa8b 100644 --- a/.github/workflows/ci_codeql.yml +++ b/.github/workflows/ci_codeql.yml @@ -48,6 +48,7 @@ jobs: uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} + queries: security-extended - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From 725829bad77644ef0795f35acafe311c7effa154 Mon Sep 17 00:00:00 2001 From: fantonangeli Date: Thu, 30 Apr 2026 11:27:21 +0200 Subject: [PATCH 4/4] Fix CodeQL warnings: Workflow does not contain permissions Signed-off-by: fantonangeli --- .github/workflows/ci_check_license_headers.yaml | 3 +++ .github/workflows/sync-issues-to-project.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/ci_check_license_headers.yaml b/.github/workflows/ci_check_license_headers.yaml index b667267..571efd4 100644 --- a/.github/workflows/ci_check_license_headers.yaml +++ b/.github/workflows/ci_check_license_headers.yaml @@ -23,6 +23,9 @@ on: branches: ["**"] types: [opened, reopened, ready_for_review, synchronize] +permissions: + contents: read + env: APACHE_RAT_VERSION: 0.17 diff --git a/.github/workflows/sync-issues-to-project.yml b/.github/workflows/sync-issues-to-project.yml index e1f3894..b6dcfd8 100644 --- a/.github/workflows/sync-issues-to-project.yml +++ b/.github/workflows/sync-issues-to-project.yml @@ -21,6 +21,9 @@ on: types: [opened, closed] workflow_dispatch: +permissions: + contents: read + jobs: sync: runs-on: ubuntu-latest