CodeQL #28
# Workflow display name; also feeds the concurrency group further down via
# `github.workflow`, so renaming it changes which runs cancel each other.
name: CodeQL

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader reads it as the
# trigger map, so suppress yamllint `truthy` here rather than quoting it.
on:
  # Manual runs. `profile` lets the operator pick a subset of jobs; the job
  # `if` guards read it as `inputs.profile`.
  workflow_dispatch:
    inputs:
      profile:
        description: CodeQL security profile to run
        required: false
        default: all
        type: choice
        options:
          - all
          - security
  # `pull_request` (not `pull_request_target`): a fork PR runs with a
  # read-only GITHUB_TOKEN and no repository secrets. `ready_for_review`
  # is listed so a PR skipped as a draft gets scanned once it is undrafted.
  # `paths` limits the scan to code and CI definitions; workflow edits are
  # included so the workflows themselves are re-scanned when they change.
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    paths:
      - ".github/actions/**"
      - ".github/codeql/**"
      - ".github/workflows/**"
      - "packages/**"
      - "src/**"
  # Daily scan of the default branch at 06:00 UTC (cron is evaluated in UTC).
  schedule:
    - cron: "0 6 * * *"
# One in-flight run per logical unit of work. The `&&`/`||` chain acts as a
# ternary: manual runs key on run_id (never cancel each other), PR runs key
# on the PR number (a newer push supersedes the running scan), and anything
# else (the schedule) keys on the commit SHA.
concurrency:
  group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
  # Only PR runs are cancelled by a newer run; scheduled and manual runs are
  # left to finish so their results are always uploaded.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
env:
  # Runner opt-in flag: run JavaScript-based actions on the Node 24 runtime.
  # Quoted so the value reaches the runner as the string "true", not a bool.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
# Workflow-wide GITHUB_TOKEN scope. Every job inherits this read-mostly set
# and cannot widen it, so a compromised step cannot push code or touch other
# workflows.
permissions:
  # Used by codeql-action; GitHub's starter workflow marks this as needed for
  # private repositories — confirm whether it is required here.
  actions: read
  # Checkout only; nothing is written back to the repository.
  contents: read
  # Required to upload SARIF results to code scanning.
  security-events: write
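jobs:
  # One matrix leg per CodeQL config file. Each leg analyzes the same checkout
  # with a different query configuration and uploads under its own SARIF
  # category, so the legs never overwrite each other's results.
  security-high:
    name: Security High (${{ matrix.category }})
    # Skip draft PRs (the `ready_for_review` trigger picks them up later) and,
    # on manual runs, only run when the chosen profile covers security jobs.
    # Scheduled runs satisfy the first disjunct of both clauses and always run.
    if: ${{ (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security') }}
    runs-on: ${{ matrix.runs_on }}
    timeout-minutes: ${{ matrix.timeout_minutes }}
    strategy:
      # Let the remaining categories finish when one leg fails, so a single
      # query-pack problem does not hide findings from the other legs.
      fail-fast: false
      matrix:
        include:
          - language: javascript-typescript
            category: core-auth-secrets
            runs_on: blacksmith-8vcpu-ubuntu-2404
            timeout_minutes: 25
            config_file: ./.github/codeql/codeql-core-auth-secrets-critical-security.yml
          - language: javascript-typescript
            category: channel-runtime-boundary
            runs_on: blacksmith-8vcpu-ubuntu-2404
            timeout_minutes: 25
            config_file: ./.github/codeql/codeql-channel-runtime-boundary-critical-security.yml
          - language: javascript-typescript
            category: network-ssrf-boundary
            runs_on: blacksmith-4vcpu-ubuntu-2404
            timeout_minutes: 25
            config_file: ./.github/codeql/codeql-network-ssrf-boundary-critical-security.yml
          - language: javascript-typescript
            category: mcp-process-tool-boundary
            runs_on: blacksmith-4vcpu-ubuntu-2404
            timeout_minutes: 25
            config_file: ./.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
          - language: javascript-typescript
            category: plugin-trust-boundary
            runs_on: blacksmith-4vcpu-ubuntu-2404
            timeout_minutes: 25
            config_file: ./.github/codeql/codeql-plugin-trust-boundary-critical-security.yml
          # Scans the workflow and action definitions themselves.
          - language: actions
            category: actions
            runs_on: blacksmith-8vcpu-ubuntu-2404
            timeout_minutes: 10
            config_file: ./.github/codeql/codeql-actions-critical-security.yml
    steps:
      # Actions are pinned to full commit SHAs; the trailing comment records
      # the tag the SHA was taken from for humans and for update tooling.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false
          # CodeQL only needs the working tree. Without this, checkout leaves
          # GITHUB_TOKEN in .git/config for the rest of the job, where any
          # code executed during extraction could read it.
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: ${{ matrix.language }}
          # Per-leg config file selects the query packs and paths for this leg.
          config-file: ${{ matrix.config_file }}
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          # Code scanning matches analyses across runs by category; keep this
          # stable, and keep it unique per leg so uploads do not collide.
          category: "/codeql-security-high/${{ matrix.category }}"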