From 98e49a4f1442927b095db1ebfaa41ddac4aed623 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Tue, 9 Sep 2025 18:54:40 +0200 Subject: [PATCH 1/3] chore: remove CodeQL workflow in favor of the advance one References: - https://github.com/NativeScript/nativescript-cli/actions/workflows/codeql-advanced.yml - https://github.com/NativeScript/nativescript-cli/actions/workflows/codeql.yml --- .github/workflows/codeql.yml | 62 ------------------------------------ 1 file changed, 62 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index b3c9454a84..0000000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,62 +0,0 @@ -name: "CodeQL" - -on: - push: - branches: ["main"] - pull_request: - branches: ["main"] - schedule: - - cron: "0 0 * * 1" - -permissions: - contents: read - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["javascript", "typescript"] - # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - - name: Checkout repository - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d # v3.30.0 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d # v3.30.0 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d # v3.30.0 - with: - category: "/language:${{matrix.language}}" \ No newline at end of file From 3ddd7a12ec47227582c77d1c9fcd262673ede167 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Tue, 9 Sep 2025 18:55:36 +0200 Subject: [PATCH 2/3] feat: define workflow permissions --- .github/workflows/codeql-advanced.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/codeql-advanced.yml b/.github/workflows/codeql-advanced.yml index fff9451043..bf3cc88bfe 100644 --- a/.github/workflows/codeql-advanced.yml +++ b/.github/workflows/codeql-advanced.yml @@ -19,6 +19,9 @@ on: schedule: - cron: '21 2 * * 1' +permissions: + contents: read + jobs: analyze: name: Analyze (${{ matrix.language }}) From 3771ec37a7865456edd1e3abae34094a30eb827d Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Tue, 9 Sep 2025 18:55:54 +0200 Subject: [PATCH 3/3] feat: pin dependencies in workflows --- .github/workflows/codeql-advanced.yml | 6 +++--- .github/workflows/npm_release_cli.yml | 4 ++-- .github/workflows/npm_release_doctor.yml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql-advanced.yml b/.github/workflows/codeql-advanced.yml index bf3cc88bfe..d29a8e16ca 100644 --- a/.github/workflows/codeql-advanced.yml +++ b/.github/workflows/codeql-advanced.yml @@ -60,7 +60,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 # Add any setup steps before running the `github/codeql-action/init` action. # This includes steps like installing compilers or runtimes (`actions/setup-node` @@ -70,7 +70,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -98,6 +98,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/npm_release_cli.yml b/.github/workflows/npm_release_cli.yml index b7fc03e487..bb22e449ed 100644 --- a/.github/workflows/npm_release_cli.yml +++ b/.github/workflows/npm_release_cli.yml @@ -24,9 +24,9 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: 22.14.0 diff --git a/.github/workflows/npm_release_doctor.yml b/.github/workflows/npm_release_doctor.yml index d054ef2cf9..7992167ebe 100644 --- a/.github/workflows/npm_release_doctor.yml +++ b/.github/workflows/npm_release_doctor.yml @@ -28,7 +28,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Setup run: npm install