diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..204e30ea2
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,80 @@
+name: "CodeQL - JavaScript (Advanced)"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '0 2 * * 3' # weekly on Wed 02:00 UTC
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze (CodeQL, Node ${{ matrix.node }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      packages: read
+      actions: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: javascript-typescript
+            node: 18
+            build-mode: none
+          - language: javascript-typescript
+            node: 20
+            build-mode: none
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node }}
+          cache: 'npm'
+
+      - name: Cache node modules
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.npm
+            node_modules
+          key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ matrix.node }}-
+
+      - name: Install dependencies
+        run: |
+          if [ -f package-lock.json ]; then
+            npm ci
+          else
+            npm install
+          fi
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          # Use built-in query packs plus extended security rules
+          queries: security-extended,security-and-quality
+
+      - name: Autobuild (CodeQL)
+        uses: github/codeql-action/autobuild@v4
+        env:
+          CI: true
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          # Optional: narrow category to help triage results in the dashboard
+          category: "language:javascript-typescript"
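Review bot: Both matrix legs upload their SARIF with the same fixed `category: "language:javascript-typescript"`, so the Node 20 run is treated as a re-upload of the same analysis for the commit and overwrites the Node 18 results instead of standing beside them; either fold the Node version into the category, `category: "language:${{ matrix.language }}/node:${{ matrix.node }}"`, or drop the matrix to a single entry, since with `build-mode: none` CodeQL only extracts source and the Node version does not change the result. For the same reason the `Install dependencies` and `Autobuild (CodeQL)` steps add nothing to the analysis, and the install runs dependency lifecycle scripts on a runner whose token carries `security-events: write`; if the step is kept, `npm ci --ignore-scripts` limits that exposure. The `actions/*` and `github/codeql-action/*` references are pinned to moving `@v4` tags; pinning to full commit SHAs with a version comment is the usual hardening for a security-scanning workflow. `fetch-depth: 0` pulls full history that CodeQL does not need here, and the separate `actions/cache` step duplicates the `cache: 'npm'` already configured in `setup-node`.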