chore(deps): update github/codeql-action action to v3.32.2 #1337
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| # TODO: setup CUE linter for file formatting | |
| # TODO: setup YAML linter? | |
| # TODO: test CUE files | |
| on: | |
| workflow_dispatch: {} | |
| push: | |
| branches: [ main, '+.x', beta, alpha ] | |
| pull_request: | |
| branches: [ main, '+.x', beta, alpha ] | |
| schedule: | |
| - cron: '16 5 * * *' # Every day at 05:16 UTC | |
| # Typically for validating maintenance releases prior publishing them | |
| workflow_call: | |
| secrets: | |
| DOCKERHUB_TOKEN: | |
| required: true | |
| permissions: {} | |
| jobs: | |
| build-and-test: | |
| name: Build & Test | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| pull-requests: write # Required to write comments to the PR about security scans results | |
| security-events: write # Required to upload found security gaps | |
| steps: | |
| # Firewall rules: | |
| # -> "*.github.com": Standard interactions with GitHub | |
| # -> "objects.githubusercontent.com": Uploading of security reports | |
| # -> "raw.githubusercontent.com": Retrieve license file when building OCI image | |
| # -> "*.docker.io", "*.docker.com" & "docker-images-prod.*.r2.cloudflarestorage.com": Standard interactions with Docker | |
| # -> "*.alpinelinux.org": Standard interactions with Alpine Linux package repositories | |
| # -> "cdn.fwupd.org": Firmware updates (Alpine) | |
| # -> "api.papermc.io": Dynamic retrieval of the PaperMC server | |
| # -> "piston-data.mojang.com": Downloading of the Mojang server | |
| # -> "api.minecraftservices.com": Downloading Yggdrasil public key for Reobfuscation | |
| - name: Harden runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| *.github.com:443 | |
| *.githubusercontent.com:443 | |
| *.docker.io:443 | |
| *.docker.com:443 | |
| docker-images-prod.*.r2.cloudflarestorage.com | |
| dl-cdn.alpinelinux.org:443 | |
| cdn.fwupd.org:443 | |
| api.papermc.io:443 | |
| piston-data.mojang.com:443 | |
| api.minecraftservices.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| if: github.event.pull_request.head.repo.fork == false | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| - name: Build | |
| uses: docker/bake-action@37816e747588cb137173af99ab33873600c46ea8 # v6.8.0 | |
| with: | |
| source: . | |
| workdir: src/ | |
| targets: test | |
| load: true # Export to Docker - Required for later steps | |
| set: | | |
| *.cache-from=type=gha,timeout=20s | |
| *.cache-to=type=gha,mode=max,timeout=20s | |
| - name: Test | |
| run: src/test/test.sh | |
| - name: Docker Scout | |
| uses: docker/scout-action@aceeb83b88f2ae54376891227858dda7af647183 # v1.18.1 | |
| if: github.event.pull_request.head.repo.fork == false | |
| with: | |
| command: compare, cves | |
| image: 'djaytan/papermc-server:test' | |
| to-latest: true | |
| organization: djaytan | |
| sarif-file: results.sarif | |
| - name: Upload to GitHub's code scanning dashboard | |
| uses: github/codeql-action/upload-sarif@38e701f46e33fb233075bf4238cb1e5d68e429e4 # v3.31.11 | |
| if: github.event.pull_request.head.repo.fork == false | |
| with: | |
| sarif_file: results.sarif | |
| # Use a fixed category to ensure consistent configuration across all SARIF uploads. | |
| # | |
| # This prevents the GitHub warning: "Code scanning cannot determine the alerts introduced by this pull request, | |
| # because 1 configuration present on refs/heads/main was not found". | |
| # The warning occurs when different workflows use different categories for SARIF files on the same branch. | |
| # | |
| # Using a single, consistent category (e.g., 'global') ensures all uploads are correctly associated. | |
| # | |
| # Additional details: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit | |
| category: global |