CodeQL Critical Quality #10
# Runs the "critical quality" CodeQL profiles, one job per profile.
name: CodeQL Critical Quality

on:
  # Manual runs pick either every profile or only the plugin SDK
  # package-contract profile.
  workflow_dispatch:
    inputs:
      profile:
        description: CodeQL quality profile to run
        required: false
        default: all
        type: choice
        options:
          - all
          - plugin-sdk-package-contract
  # Once a day at minute 30 of hour 6.
  schedule:
    - cron: '30 6 * * *'

# Manual dispatches key the group on run_id, so every manual run gets a group
# of its own; all other triggers key it on the commit SHA. An in-progress run
# in the same group is left to finish rather than cancelled.
concurrency:
  group: "codeql-critical-quality-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}"
  cancel-in-progress: false

env:
  # Quoted so the value stays the text "true" instead of a YAML boolean.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'

# Token scopes for every job in this workflow: read-only, except
# security-events, which the CodeQL analyze step needs to upload results.
permissions:
  actions: read
  contents: read
  security-events: write
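# One job per CodeQL profile. Every job has the same three steps:
#   1. Checkout   - no submodules, and persist-credentials is off so the job
#                   token is not left configured for git; the CodeQL steps
#                   below perform no authenticated git operations.
#   2. Initialize - javascript-typescript with the profile's own config file
#                   (the config files are not part of this workflow file).
#   3. Analyze    - a per-profile category, so each profile's results are
#                   recorded as a separate analysis.
# Actions are pinned to full commit SHAs; the trailing comment names the
# release line the pin was taken from.
#
# Gate: scheduled runs execute every job. A manual dispatch executes every
# job when profile is 'all'; only plugin-sdk-package-contract also accepts
# its own profile name.
jobs:
  core-auth-secrets:
    name: Critical Quality (core-auth-secrets)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-core-auth-secrets-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/core-auth-secrets"

  config-boundary:
    name: Critical Quality (config-boundary)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-config-boundary-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/config-boundary"

  gateway-runtime-boundary:
    name: Critical Quality (gateway-runtime-boundary)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/gateway-runtime-boundary"

  channel-runtime-boundary:
    name: Critical Quality (channel-runtime-boundary)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/channel-runtime-boundary"

  agent-runtime-boundary:
    name: Critical Quality (agent-runtime-boundary)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/agent-runtime-boundary"

  mcp-process-runtime-boundary:
    name: Critical Quality (mcp-process-runtime-boundary)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-mcp-process-runtime-boundary-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/mcp-process-runtime-boundary"

  memory-runtime-boundary:
    name: Critical Quality (memory-runtime-boundary)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/memory-runtime-boundary"

  ui-control-plane:
    name: Critical Quality (ui-control-plane)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-ui-control-plane-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/ui-control-plane"

  web-media-runtime-boundary:
    name: Critical Quality (web-media-runtime-boundary)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/web-media-runtime-boundary"

  plugin-boundary:
    name: Critical Quality (plugin-boundary)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-plugin-boundary-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/plugin-boundary"

  # The only job that a manual dispatch can select on its own.
  plugin-sdk-package-contract:
    name: Critical Quality (plugin-sdk-package-contract)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-package-contract' }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-plugin-sdk-package-contract-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4
        with:
          category: "/codeql-critical-quality/plugin-sdk-package-contract"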