kbve/.github/workflows/ci-security.yml at main · KBVE/kbve · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
name: CI - Security (CodeQL)

on:
    push:
        branches:
            - dev
            - main
    pull_request:
        branches:
            - dev
            - main
    schedule:
        - cron: '30 6 * * 1'

concurrency:
    group: ${{ github.workflow }}-${{ github.ref }}
    cancel-in-progress: false

permissions: {}

jobs:
    codeql:
        name: CodeQL Analysis
        runs-on: ubuntu-latest
        timeout-minutes: 45
        permissions:
            security-events: write
            contents: read

        strategy:
            fail-fast: false
            matrix:
                language:
                    - javascript-typescript
                    - python

        steps:
            - name: Checkout
              uses: actions/checkout@v6
              with:
                  submodules: recursive

            - name: Initialize CodeQL
              uses: github/codeql-action/init@v4
              with:
                  languages: ${{ matrix.language }}
                  queries: security-and-quality
                  config: |
                      paths-ignore:
                          - 'apps/mc/pumpkin'
                          - 'apps/irc/ergo'
                          - 'apps/postgres'

            - name: Auto-build
              uses: github/codeql-action/autobuild@v4

            - name: Run CodeQL Analysis
              uses: github/codeql-action/analyze@v4
              with:
                  category: /language:${{ matrix.language }}

    codeql-rust:
        name: CodeQL Rust Analysis
        runs-on: ubuntu-latest
        if: github.event_name == 'schedule'
        timeout-minutes: 120
        permissions:
            security-events: write
            contents: read

        steps:
            - name: Checkout
              uses: actions/checkout@v6
              with:
                  submodules: recursive

            - name: Initialize CodeQL
              uses: github/codeql-action/init@v4
              with:
                  languages: rust
                  queries: security-and-quality
                  config: |
                      paths-ignore:
                          - 'apps/mc/pumpkin'
                          - 'apps/irc/ergo'
                          - 'apps/postgres'

            - name: Auto-build
              uses: github/codeql-action/autobuild@v4

            - name: Run CodeQL Analysis
              uses: github/codeql-action/analyze@v4
              with:
                  category: /language:rust

    dependency-review:
        name: Dependency Review
        runs-on: ubuntu-latest
        if: github.event_name == 'pull_request'
        timeout-minutes: 10
        permissions:
            contents: read
            pull-requests: write

        steps:
            - name: Checkout
              uses: actions/checkout@v6

            - name: Dependency Review
              uses: actions/dependency-review-action@v4
              with:
                  fail-on-severity: high
                  comment-summary-in-pr: always