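# CodeQL security scanning for this repository's C# sources and its GitHub
# Actions workflows.
#
# The two analysis jobs are gated on the "advanced-setup" job: they only run
# when the repository variable OPENCLAW_CODEQL_ADVANCED_SETUP is "true" or when
# the workflow is dispatched manually with advanced_setup=true. The gate exists
# because GitHub's CodeQL default setup and an advanced-setup workflow cannot
# both upload SARIF for the same repository at the same time.
name: CodeQL

on:
  workflow_dispatch:
    inputs:
      # Which analysis jobs to run on a manual dispatch; "all" runs both.
      profile:
        description: CodeQL profile to run
        required: false
        default: all
        type: choice
        options:
          - all
          - csharp
          - actions
      # Opt a single manual run into advanced setup without changing the
      # repository variable.
      advanced_setup:
        description: Run advanced CodeQL instead of repository default setup
        required: false
        default: false
        type: boolean
  # Only paths that can affect the analysed code, the build, or the workflows
  # themselves trigger a scan.
  push:
    paths:
      - ".github/codeql/**"
      - ".github/workflows/**"
      - "src/**"
      - "tests/**"
      - "*.sln"
      - "*.slnx"
      - "*.props"
      - "*.targets"
      - "global.json"
      - "NuGet.Config"
      - "package.json"
      - "package-lock.json"
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches: [master, main]
    paths:
      - ".github/codeql/**"
      - ".github/workflows/**"
      - "src/**"
      - "tests/**"
      - "*.sln"
      - "*.slnx"
      - "*.props"
      - "*.targets"
      - "global.json"
      - "NuGet.Config"
      - "package.json"
      - "package-lock.json"
  # Weekly scan so new CodeQL queries are applied even when nothing changes.
  schedule:
    - cron: "29 6 * * 1"

# Least-privilege token for the whole workflow: read workflow metadata and
# sources, write SARIF results to code scanning. Nothing here needs
# contents: write.
permissions:
  actions: read
  contents: read
  security-events: write

concurrency:
  # Manual dispatches get their own group per run_id (never coalesced); pull
  # requests share a group per PR number; every other event keys on the commit.
  group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
  # Only superseded pull-request runs are cancelled; pushes, schedules and
  # dispatches always complete so their results are uploaded.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  # Decides whether advanced CodeQL runs at all and publishes the decision as
  # the "enabled" output consumed by the analysis jobs below.
  advanced-setup:
    name: Advanced setup gate
    runs-on: ubuntu-latest
    outputs:
      enabled: ${{ steps.advanced-setup.outputs.enabled }}
    steps:
      - name: Decide whether to run advanced CodeQL
        id: advanced-setup
        # Context values are handed to the script through env instead of being
        # interpolated into the script text, so the shell only ever sees them
        # as quoted variable values and never parses them as code. This is the
        # same expression-injection pattern the "actions" job scans for.
        env:
          ADVANCED_SETUP_VAR: ${{ vars.OPENCLAW_CODEQL_ADVANCED_SETUP }}
          EVENT_NAME: ${{ github.event_name }}
          # Empty on events other than workflow_dispatch; the comparison
          # against "true" below then fails, as before.
          ADVANCED_SETUP_INPUT: ${{ inputs.advanced_setup }}
        run: |
          if [ "$ADVANCED_SETUP_VAR" = "true" ] || { [ "$EVENT_NAME" = "workflow_dispatch" ] && [ "$ADVANCED_SETUP_INPUT" = "true" ]; }; then
            echo "enabled=true" >> "$GITHUB_OUTPUT"
            echo "Advanced CodeQL enabled for this run." >> "$GITHUB_STEP_SUMMARY"
          else
            echo "enabled=false" >> "$GITHUB_OUTPUT"
            {
              echo "Advanced CodeQL is disabled for this repository workflow."
              echo "The repository currently uses GitHub CodeQL default setup; default setup and advanced setup cannot upload SARIF for the same repository at the same time."
              echo "If maintainers disable default setup, set OPENCLAW_CODEQL_ADVANCED_SETUP=true or dispatch this workflow with advanced_setup=true."
            } >> "$GITHUB_STEP_SUMMARY"
          fi

  # C# analysis. Runs on Windows and builds the solution explicitly because
  # the CodeQL init step uses build-mode: manual. Skipped for draft pull
  # requests and for manual dispatches whose profile excludes csharp.
  csharp:
    name: C# security
    needs: advanced-setup
    if: ${{ needs.advanced-setup.outputs.enabled == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'csharp') }}
    runs-on: windows-latest
    timeout-minutes: 45
    steps:
      # NOTE(review): actions are pinned to major version tags; pinning each
      # `uses:` to a full commit SHA would harden against a moved or
      # compromised tag.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: 10.0.x
      - name: Restore dependencies
        run: dotnet restore
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: csharp
          build-mode: manual
          config-file: ./.github/codeql/codeql-csharp-security.yml
      - name: Build for CodeQL
        run: dotnet build openclaw-windows-node.slnx -c Debug --no-restore
      - name: Analyze
        uses: github/codeql-action/analyze@v4
        with:
          # Distinct category per language so both jobs' SARIF uploads coexist.
          category: "/codeql/csharp"

  # GitHub Actions workflow analysis. Same gating as the csharp job, but keyed
  # on the "actions" profile.
  actions:
    name: Actions security
    needs: advanced-setup
    if: ${{ needs.advanced-setup.outputs.enabled == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'actions') }}
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: actions
          config-file: ./.github/codeql/codeql-actions-security.yml
      - name: Analyze
        uses: github/codeql-action/analyze@v4
        with:
          category: "/codeql/actions"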