1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
name: CodeQL
# GitHub's semantic code-scanning (SAST). Results land in the Security tab.
#
# ── RUNNER / COST TRADEOFF ────────────────────────────────────────────────────
# CodeQL is DESIGNED FOR GITHUB-HOSTED runners (the Actions bundle ships the
# CodeQL CLI + query packs; the self-hosted CI VM does not). So this workflow
# uses `ubuntu-latest`, NOT the self-hosted runner.
#
# * While the repo is PRIVATE, GitHub-hosted runs consume Actions minutes.
# * Once the repo is PUBLIC, GitHub-hosted Actions (and code scanning) are
# FREE — this is the intended steady state for the OSS release.
#
# Now the repo is public, GitHub-hosted Actions + code scanning are free, so it
# runs on every PR to `main` (per-PR SAST), on push to `main`, and on a weekly
# schedule. See .github/workflows/README.md.
#
# ── LANGUAGES ─────────────────────────────────────────────────────────────────
# * javascript-typescript — the OAuth sidecar (oauth-sidecar/).
# * rust — DROPPED: CodeQL's Rust extractor (public beta) errored on ALL source
# files here (0 extracted OK / 11 with errors), producing no usable analysis.
# Rust is covered by clippy (-D warnings) + cargo-deny + cargo-audit. Re-add
# the `rust` matrix entry once GitHub GA's a working Rust pack.
# ── TRIGGERS / SCORECARD SAST COVERAGE ────────────────────────────────────────
# Runs on EVERY pull_request targeting `main` (so every merged PR carries a
# CodeQL check-run), on push to `main`, on a weekly deep scan, and manually.
#
# Do NOT add a `paths:`/`paths-ignore:` filter here. OSSF Scorecard's SAST check
# samples recent merged PRs and expects a CodeQL check-run on each — including
# config-only PRs (e.g. a lone Cargo.toml / *.yml change). A path filter would
# skip those, drop the check-run, and regress the Scorecard SAST score. The
# single javascript-typescript leg is cheap (~1 min) and always produces the run.
on:
push:
branches:
pull_request:
branches:
schedule:
- cron: "27 4 * * 1" # Mondays 04:27 UTC — weekly deep scan
workflow_dispatch:
# Least-privilege default for the workflow; the analyze job grants itself the
# security-events: write it needs to upload SARIF.
permissions:
contents: read
concurrency:
group: codeql-${{ github.ref }}
cancel-in-progress: true
jobs:
analyze:
name: Analyze (${{ matrix.language }})
# Code scanning needs GitHub Advanced Security on a PRIVATE repo, so the SARIF
# upload fails while private. Skip until the repo is public (free + enabled then).
if: ${{ github.event.repository.private == false }}
runs-on: ubuntu-latest # GitHub-hosted: free once public; see header note
permissions:
actions: read
contents: read
security-events: write # upload SARIF to the Security tab
strategy:
fail-fast: false
matrix:
language: # rust dropped — see header (extractor beta errors on all files)
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Initialize CodeQL
uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
with:
languages: ${{ matrix.language }}
# `security-and-quality` = the broader query suite (security + code
# quality), a good default for a new OSS project.
queries: security-and-quality
# Rust + TypeScript are both no-build (CodeQL extracts from source /
# autobuilds). If the Rust extractor ever needs a real build, replace this
# with an explicit `cargo build` step guarded on matrix.language == rust.
- name: Autobuild
uses: github/codeql-action/autobuild@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
with:
category: "/language:${{ matrix.language }}"