
CI: Add CodeQL support #35

Merged
merged 6 commits into from
Mar 25, 2024

Conversation

SakuraIsayeki (Member)

No description provided.

This commit adds a new CodeQL workflow for analyzing the code. The workflow is triggered on push to the "main" and "develop" branches, as well as on pull requests targeting those branches. Additionally, it runs on a schedule every Monday and Friday at 5:00 AM UTC.

The workflow consists of two jobs: "analyze" and "autobuild". The "analyze" job runs on either macOS or Ubuntu depending on the language being analyzed (either C# or JavaScript/TypeScript). It has permissions to write security events and read actions and contents in private repositories. The job uses a matrix strategy to analyze code written in either C# or JavaScript/TypeScript.

The steps in the "analyze" job include checking out the repository, initializing CodeQL tools for scanning, autobuilding any compiled languages, and performing CodeQL analysis using predefined queries based on the selected language.

This new workflow will help ensure code quality and identify potential vulnerabilities in the codebase.

This commit adds the nbgv versioning tool to the build process. The `fetch-depth` option is set to 0 in order to avoid a shallow clone, allowing nbgv to work properly.

The Nodsoft.Markdig.SyntaxHighlighting package version has been updated from 1.0.8 to 1.0.12 in the Nodsoft.MoltenObsidian.csproj file. This update ensures compatibility with the latest features and improvements provided by the new package version.

The commit fixes the codeql.yml file by adding manual build steps for the "build" job. The changes include specifying the dotnet version, project file, configuration, artifact name, and enabling the use of nbgv. Additionally, the commit updates the "analyze" job by including a step to import build artifacts using actions/download-artifact@v4.

The commit message reflects the changes made to the `.github/workflows/codeql.yml` file. The build step has been removed and its contents have been moved inline with the analyze job. Additionally, a new step has been added to restore dependencies before initializing CodeQL.
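A workflow of the shape these commit messages describe (main/develop triggers, Monday and Friday 05:00 UTC schedule, a C# / JavaScript-TypeScript matrix, least-privilege permissions, full-depth checkout for nbgv, restore before CodeQL init, manual build inline in the analyze job). This is an added illustration, not the repository's actual `codeql.yml`; the OS-to-language mapping, the .NET version, the project path and the action versions are assumptions.

```yaml
name: CodeQL
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    - cron: "0 5 * * 1,5"   # Mondays and Fridays at 05:00 UTC
jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ${{ matrix.os }}
    permissions:
      security-events: write   # upload SARIF results to code scanning
      actions: read            # required to read workflow data on private repos
      contents: read           # checkout only; no write access to the repo
    strategy:
      fail-fast: false
      matrix:
        include:               # OS per language is an assumption
          - language: csharp
            os: ubuntu-latest
          - language: javascript-typescript
            os: macos-latest
    env:
      PROJECT: Nodsoft.MoltenObsidian.csproj   # assumption: adjust to the real path
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so nbgv can compute the version
      - name: Setup .NET
        if: matrix.language == 'csharp'
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 8.0.x   # assumption: version not stated in the PR
      - name: Restore dependencies   # before init, so CodeQL does not trace the restore
        if: matrix.language == 'csharp'
        run: dotnet restore "$PROJECT"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - name: Build (manual, so CodeQL observes the compilation)
        if: matrix.language == 'csharp'
        run: dotnet build "$PROJECT" --no-restore --configuration Release
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"   # keeps per-language results distinct
```

The `category` input keeps each matrix leg's results separate in the Security tab; without it, one language's upload can overwrite the other's for the same commit.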
@SakuraIsayeki SakuraIsayeki self-assigned this Mar 25, 2024
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@SakuraIsayeki SakuraIsayeki added the enhancement New feature or request label Mar 25, 2024
@SakuraIsayeki SakuraIsayeki merged commit d37eaa8 into main Mar 25, 2024
7 checks passed