chore(deps): bump github/codeql-action from 4.31.0 to 4.31.3 #200
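# .github/workflows/ci-main.yml
# Orchestrates the repository CI. Routes work to reusable workflows:
#   - ci-precheck.yml (pre-restore guardrails + build info)
#   - ci-unit-tests.yml (unit tests + coverage)
#   - ci-mutation-tests.yml (mutation tests via Stryker)
#   - ci-pack.yml (dotnet pack + upload nupkg artifacts)
#   - ci-analyze.yml (CodeQL / .NET analysis) as a separate job
#   - ci-upload-coverage.yml (Codecov upload) after coverage artifacts exist
#   - ci-release.yml (NuGet + GitHub Release) on version tags (v*.*.*)
#
# Security posture of this orchestrator:
#   - Workflow-level permissions are read-only; each job grants only what its
#     reusable workflow needs. A called workflow can never hold more than the
#     caller grants here, so this file is the place to audit token scopes.
#   - Every `uses:` target is an in-repo reusable workflow (./.github/...), so
#     there is no third-party action to SHA-pin in this file; pins for external
#     actions (e.g. github/codeql-action) live in the called workflows.
#   - Secrets are passed explicitly per job (no `secrets: inherit`), so a job
#     only sees the secret it is handed.
#   - Dependabot-triggered runs are excluded from jobs that need repository
#     secrets or that produce publishable artifacts.
name: Main CI

on:
  pull_request:
    branches: &tracked-branches
      - main
      - release
      - dev
    # Docs/metadata-only changes do not run CI. NOTE(review): if any job of
    # this workflow is a required status check, a PR touching only ignored
    # paths has no run to satisfy it.
    paths-ignore: &paths-ignore
      - '**/*.md'
      - '**/*.txt'
      - '.gitignore'
      - '.gitattributes'
      - '.github/dependabot.yml'
      - '.github/CODEOWNERS'
      - 'LICENSE'
      - '.act/*'
      - '.actrc'
  push:
    # The aliases reuse the lists anchored under pull_request above. YAML
    # anchors are a comparatively recent addition to the Actions parser; local
    # runners and linters (the ignored .act/ and .actrc suggest act is in use)
    # may not expand them — confirm before relying on them elsewhere.
    branches: *tracked-branches
    tags:
      - 'v*.*.*'
    # Per GitHub docs, path filters are not evaluated for tag pushes, so a
    # release tag triggers a run regardless of which files the commit touched.
    paths-ignore: *paths-ignore
  workflow_dispatch:

# Concurrency control:
#   - For pull requests, group by PR number: github.head_ref alone is not
#     unique across forks, so two PRs from different forks sharing a head
#     branch name would otherwise cancel each other's runs.
#   - For pushes to a branch, group by ref so only the latest commit is tested.
#   - For tag pushes, never cancel a run in progress: interrupting the release
#     job mid-publish could leave a half-published version.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/') }}

# Default, read-only token for every job in this workflow (least privilege).
# A job that needs more must request it explicitly in its own `permissions:`
# block; the called reusable workflow cannot escalate beyond what is granted
# there. On pull_request events from forks the token is read-only regardless
# of what is requested below.
permissions:
  contents: read

jobs:
  # Pre-restore guardrails and build info. checks/pull-requests write let the
  # called workflow report results back to the PR.
  precheck:
    name: 🚪 Precheck
    uses: ./.github/workflows/ci-precheck.yml
    permissions:
      contents: read
      checks: write
      pull-requests: write

  # CodeQL / .NET analysis. security-events: write is required to upload
  # SARIF to the repository's Security tab.
  analyze:
    name: 🔬 Code Analyze
    needs: precheck
    uses: ./.github/workflows/ci-analyze.yml
    permissions:
      contents: read
      security-events: write

  unit-tests:
    name: 🧪 Unit & Coverage
    needs: precheck
    uses: ./.github/workflows/ci-unit-tests.yml
    permissions:
      contents: read
      checks: write

  # Skipped for Dependabot: presumably because mutation testing is expensive
  # and not needed to merge a dependency bump.
  mutation-tests:
    name: 🧬 Mutation Tests
    needs: precheck
    if: ${{ github.actor != 'dependabot[bot]' }}
    uses: ./.github/workflows/ci-mutation-tests.yml
    permissions:
      contents: read
      checks: write

  pack:
    name: 📦 Pack
    needs: precheck
    if: ${{ github.actor != 'dependabot[bot]' }}
    uses: ./.github/workflows/ci-pack.yml
    permissions:
      contents: read
      checks: write

  # Codecov upload. Skipped for Dependabot, presumably because those runs do
  # not receive repository secrets and CODECOV_TOKEN would be empty. The token
  # is passed explicitly rather than via `secrets: inherit`.
  upload-coverage:
    name: 🧾 Code Coverage
    needs: unit-tests
    if: ${{ github.actor != 'dependabot[bot]' }}
    uses: ./.github/workflows/ci-upload-coverage.yml
    permissions:
      contents: read
      checks: write
      pull-requests: write
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  # Publishes to NuGet and creates the GitHub Release.
  release:
    name: 🛳️ Release
    # Wait for all pipelines. There is deliberately no always() here: if any
    # prerequisite fails or is skipped (e.g. mutation-tests/pack on a
    # Dependabot run), the release is skipped as well.
    needs:
      - analyze
      - unit-tests
      - mutation-tests
      - pack
    # Only on a pushed version tag — never from workflow_dispatch or a PR, so
    # neither a manual run nor a PR can publish.
    if: >-
      ${{ github.actor != 'dependabot[bot]'
      && github.event_name == 'push'
      && startsWith(github.ref, 'refs/tags/v') }}
    uses: ./.github/workflows/ci-release.yml
    # contents: write is needed to create the GitHub Release. If ci-release.yml
    # is ever moved to NuGet trusted publishing (OIDC), id-token: write must be
    # granted here too — the called workflow cannot add it for itself.
    permissions:
      contents: write
    with:
      # The tag name becomes the version. Git tag names may contain shell
      # metacharacters ($, ;, backticks), so ci-release.yml should read
      # inputs.version through `env:` rather than inline ${{ }} in `run:`
      # steps (not verifiable from this file). Pushing a tag already requires
      # write access to the repository, which bounds the threat.
      version: ${{ github.ref_name }}
    secrets:
      # Long-lived NuGet API key; keep it scoped to push-only for this package.
      NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}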