
chore: add CodeQL analysis and ShellCheck linting workflow #34

Merged: zouguangxian merged 1 commit into main from gx/codeql-workflow on Mar 6, 2026

Conversation

@zouguangxian (Collaborator): No description provided.

cursor bot commented Mar 6, 2026

PR Summary

Medium Risk
CI is updated to run CodeQL with broader triggers and to lint shell scripts, which may newly fail or gate merges due to findings or stricter checks.

Overview
Adds a CodeQL GitHub Actions workflow that runs CodeQL (with security-extended queries) on pushes/PRs/merge-queue to main and dev, with concurrency control, pinned action SHAs, and an all-checks job that fails the workflow if any required job fails.

Introduces a shellcheck job to lint repository shell scripts, and makes small bash-script hygiene tweaks (switch .devcontainer/post-create to bash + newline/formatting, and adjust bootstrap’s ROOT assignment/readonly to satisfy stricter shell tooling).

Written by Cursor Bugbot for commit b29b598. This will update automatically on new commits.

socket-security bot commented Mar 6, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff  | Package                                                                   | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | github/ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 | 100                   | 100           | 93      | 100         | 100

        uses: actions/checkout@v4

      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@2.0.0

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow

Unpinned 3rd party Action 'CodeQL' step [Uses Step](1) uses 'ludeeus/action-shellcheck' with ref '2.0.0', not a pinned commit hash
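The check behind that CodeQL finding, as an added Python example (it is neither this project's code nor CodeQL's own query): it scans a constructed workflow fragment that includes the two lines flagged above, plus a pinned variant using the commit SHA from the Socket table, and reports every third-party action whose ref is not a full 40-hex commit SHA. The local action path in the sample is an assumption made up for the example.

```python
import re

# Constructed sample: the fragment the CodeQL alert on this PR points at, a line
# pinned the way the alert asks for (SHA from the Socket table above), and a
# hypothetical local action to show what the check deliberately skips.
SAMPLE_WORKFLOW = """\
    steps:
      - uses: actions/checkout@v4

      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@2.0.0

      - name: Run ShellCheck (pinned)
        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0

      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str):
    """Return (line_number, action, ref) for every third-party `uses:` step
    whose ref is not a full 40-hex commit SHA.

    Local actions ("./path") and docker:// images are skipped: the commit-pinning
    rule only applies to actions fetched from another repository, where a tag or
    branch can be moved after the fact.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, sep, ref = target.partition("@")
        # A missing ref resolves to the default branch, which is mutable too.
        if not sep or not SHA_RE.match(ref):
            findings.append((lineno, action, ref))
    return findings


if __name__ == "__main__":
    for lineno, action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action} uses ref '{ref or '<none>'}', not a pinned commit SHA")
```

Run against the sample it reports `actions/checkout@v4` and `ludeeus/action-shellcheck@2.0.0` and accepts the SHA-pinned line, matching what the alert above says.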

cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 3 potential issues.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

zouguangxian merged commit 5431982 into main on Mar 6, 2026. 18 checks passed.
zouguangxian deleted the gx/codeql-workflow branch on March 6, 2026 at 18:49.