ci: add CodeQL workflow for scanning for security issues (#2510)

Author: fadi-george

.github/codeql/codeql-config.yml

@@ -0,0 +1,2 @@
+paths-ignore:
+  - Examples

.github/workflows/ci.yml

@@ -1,15 +1,24 @@
 name: Build and Test SDK
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   pull_request:
-    branches: "**"
+    branches: ["**"]
 
 env:
-  DIFF_COVERAGE_THRESHOLD: '80'
+  DIFF_COVERAGE_THRESHOLD: "80"
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
 
 jobs:
   build:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: "[Checkout] Repo"
         uses: actions/checkout@v4
@@ -26,35 +35,97 @@ jobs:
       - name: "[Test] SDK Unit Tests"
         working-directory: OneSignalSDK
         run: |
-          ./gradlew testReleaseUnitTest --console=plain --continue
-      - name: "[Coverage] Generate JaCoCo merged XML"
-        working-directory: OneSignalSDK
-        run: |
-          ./gradlew jacocoTestReportAll jacocoMergedReport --console=plain --continue
-      - name: "[Setup] Python"
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.x'
-      - name: "[Diff Coverage] Install diff-cover"
+          ./gradlew testDebugUnitTest --console=plain --continue
+      - name: "[Diff Coverage] Check for bypass"
+        id: coverage_bypass
         run: |
-          python -m pip install --upgrade pip diff-cover
-      - name: "[Diff Coverage] Check and HTML report"
+          # Check if PR has Skip Coverage Check label
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            LABELS="${{ toJson(github.event.pull_request.labels.*.name) }}"
+            if echo "$LABELS" | grep -qiE "Skip Coverage Check|skip-coverage-check"; then
+              echo "bypass=true" >> $GITHUB_OUTPUT
+              echo "reason=PR has 'Skip Coverage Check' label" >> $GITHUB_OUTPUT
+              echo "⚠️ Coverage check will not fail build (PR has 'Skip Coverage Check' label)"
+              echo "   Coverage will still be checked and reported"
+            else
+              echo "bypass=false" >> $GITHUB_OUTPUT
+            fi
+          else
+            echo "bypass=false" >> $GITHUB_OUTPUT
+          fi
+      - name: "[Diff Coverage] Check coverage"
         working-directory: OneSignalSDK
         run: |
-          REPORT=build/reports/jacoco/merged/jacocoMergedReport.xml
-          test -f "$REPORT" || { echo "Merged JaCoCo report not found at $REPORT" >&2; exit 1; }
-          python -m diff_cover.diff_cover_tool "$REPORT" \
-            --compare-branch=origin/main \
-            --fail-under=$DIFF_COVERAGE_THRESHOLD
-          python -m diff_cover.diff_cover_tool "$REPORT" \
-            --compare-branch=origin/main \
-            --html-report diff_coverage.html || true
-      - name: Upload diff coverage HTML
-        if: always()
-        uses: actions/upload-artifact@v4
+          # Use the shared coverage check script for consistency
+          # Generate markdown report for PR comments
+          # If bypassed, still run the check but don't fail the build
+          set +e  # Don't exit on error - we want to generate the report even if coverage fails
+          if [ "${{ steps.coverage_bypass.outputs.bypass }}" = "true" ]; then
+            SKIP_COVERAGE_CHECK=true GENERATE_MARKDOWN=true DIFF_COVERAGE_THRESHOLD=$DIFF_COVERAGE_THRESHOLD ./coverage/checkCoverage.sh
+          else
+            GENERATE_MARKDOWN=true DIFF_COVERAGE_THRESHOLD=$DIFF_COVERAGE_THRESHOLD ./coverage/checkCoverage.sh
+          fi
+          COVERAGE_EXIT_CODE=$?
+          set -e  # Re-enable exit on error
+
+          # Check if markdown report was generated
+          if [ -f "diff_coverage.md" ]; then
+            echo "✅ Coverage report generated"
+          else
+            echo "⚠️ Coverage report not generated"
+          fi
+
+          # Only fail the build if coverage is below threshold AND not bypassed
+          if [ "${{ steps.coverage_bypass.outputs.bypass }}" != "true" ] && [ $COVERAGE_EXIT_CODE -ne 0 ]; then
+            echo "❌ Coverage check failed - build will fail"
+            exit $COVERAGE_EXIT_CODE
+          elif [ "${{ steps.coverage_bypass.outputs.bypass }}" = "true" ]; then
+            echo "⚠️ Coverage check completed (bypassed - build will not fail)"
+            exit 0
+          else
+            echo "✅ Coverage check passed"
+            exit 0
+          fi
+      - name: Comment PR with coverage summary
+        if: always() && github.event_name == 'pull_request'
+        uses: actions/github-script@v7
         with:
-          name: diff-coverage-report
-          path: OneSignalSDK/diff_coverage.html
+          script: |
+            const fs = require('fs');
+            const path = 'OneSignalSDK/diff_coverage.md';
+            if (fs.existsSync(path)) {
+              const content = fs.readFileSync(path, 'utf8');
+              const body = `## 📊 Diff Coverage Report\n\n${content}\n\n📥 [View workflow run](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})`;
+              
+              // Find existing comment
+              const comments = await github.rest.issues.listComments({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+              });
+              
+              const botComment = comments.data.find(comment => 
+                comment.user.type === 'Bot' && comment.body.includes('Diff Coverage Report')
+              );
+              
+              if (botComment) {
+                // Update existing comment
+                await github.rest.issues.updateComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: botComment.id,
+                  body: body
+                });
+              } else {
+                // Create new comment
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  body: body
+                });
+              }
+            }
       - name: Unit tests results
         if: failure()
         uses: actions/upload-artifact@v4

.github/workflows/codeql.yml

@@ -0,0 +1,63 @@
+name: "CodeQL"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "27 1 * * 0"
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: java-kotlin
+            build-mode: none
+            dependency-caching: true
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      # Add any setup steps before running the `github/codeql-action/init` action.
+      # This includes steps like installing compilers or runtimes (`actions/setup-node`
+      # or others). This is typically only required for manual builds.
+      # - name: Setup runtime (example)
+      #   uses: actions/setup-example@v1
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          dependency-caching: ${{ matrix.dependency-caching }}
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/lint-pr-title.yml

@@ -0,0 +1,14 @@
+# Checks if the PR title follows semantic commit message conventions
+name: Lint PR
+permissions:
+  contents: read
+  pull-requests: write
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize]
+
+jobs:
+  call:
+    uses: OneSignal/sdk-actions/.github/workflows/lint-pr-title.yml@main
+    secrets: inherit