From 833bb91e0fc0176e4ac4f50046d3191d64502c3a Mon Sep 17 00:00:00 2001 From: lighting9999 Date: Fri, 22 Aug 2025 12:33:39 +0800 Subject: [PATCH 1/9] Upgrade python Workflows I Upgrade python Workflows in main and push. --- .github/workflows/python.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 1cf5c058cc7..6d2b77f8bab 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -1,21 +1,29 @@ name: Python Checks -on: [pull_request, push] +on: + pull_request: + types: [opened, synchronize, reopened] # PR 有代码变化时运行 + push: + branches: + - main + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true jobs: Test: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v5 with: python-version: '3.13' - name: Cache Python dependencies - id: cache-pip uses: actions/cache@v3 with: path: ~/.cache/pip @@ -42,4 +50,4 @@ jobs: run: mypy . --ignore-missing-imports || true - name: Run Pytest tests - run: pytest \ No newline at end of file + run: pytest From 57e83533d861412812c341c16e4d94bf37a4faa6 Mon Sep 17 00:00:00 2001 From: lighting9999 Date: Fri, 22 Aug 2025 12:35:34 +0800 Subject: [PATCH 2/9] Upgrade python.yml --- .github/workflows/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 6d2b77f8bab..84ed5cded48 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -2,7 +2,7 @@ name: Python Checks on: pull_request: - types: [opened, synchronize, reopened] # PR 有代码变化时运行 + types: [opened, synchronize, reopened] push: branches: - main From 5d3080d38fcc3a07e31bbcdba0f697828cb62081 Mon Sep 17 00:00:00 2001 
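Review bot: Dropping `id: cache-pip` from the cache step in the first python.yml hunk breaks any later step that gates on `steps.cache-pip.outputs.cache-hit`; the rest of the job lies outside this hunk, so confirm nothing references that id before the line goes. With checkout and setup-python bumped, `actions/cache@v3` is the only action visible in this hunk still on an old major, and `uses: actions/cache@v4` would keep the file consistent. The workflow also has no top-level `permissions:` block, so GITHUB_TOKEN runs with the repository default; from what the visible steps do, `permissions:` with `contents: read` beneath it, placed next to the new `concurrency:` block, is all this job needs. Since every action is referenced by a mutable tag, pinning each `uses:` to a full commit SHA with the tag in a trailing comment would make the third-party code the runner executes reproducible.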
From: lighting9999 Date: Fri, 22 Aug 2025 12:58:19 +0800 Subject: [PATCH 3/9] Create Codeql.yml --- .github/workflows/Codeql.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/Codeql.yml diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml new file mode 100644 index 00000000000..6f8919309a8 --- /dev/null +++ b/.github/workflows/Codeql.yml @@ -0,0 +1,29 @@ +name: "CodeQL" + +on: + pull_request: + types: [opened, synchronize, reopened] + +jobs: + codeql: + name: "CodeQL Analysis" + runs-on: ubuntu-latest + + concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + cancel-in-progress: true + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: python + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 From 51c8af08bc8eb83ff2d17cc6220901bde14ced70 Mon Sep 17 00:00:00 2001 From: lighting9999 Date: Fri, 22 Aug 2025 13:26:24 +0800 Subject: [PATCH 4/9] =?UTF-8?q?=E6=9B=B4=E6=96=B0=20Codeql.yml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/Codeql.yml | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml index 6f8919309a8..94ca923d248 100644 --- a/.github/workflows/Codeql.yml +++ b/.github/workflows/Codeql.yml @@ -1,4 +1,4 @@ -name: "CodeQL" +name: "CodeQL Full Scan with PR Comments (Ultimate Version)" on: pull_request: 
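Review bot: The new Codeql.yml declares no `permissions:` block, so the token the `analyze` step uses to upload results inherits the repository default: where that default is read-only the upload is rejected, and where it is read-write the job holds far more than it needs. Add at top level `permissions:` with `contents: read`, `actions: read` and `security-events: write`, which is the minimum the CodeQL action documents for uploading. The workflow is also triggered only by `pull_request`, so the default branch is never analyzed and code scanning has no baseline to compare PR alerts against; a `push:` trigger on the default branch is the usual companion. Both points are taken up by patch 6 of this series, so this is mainly about keeping the intermediate commits green.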
@@ -14,16 +14,40 @@ jobs: cancel-in-progress: true steps: + # 1️⃣ Checkout the repository - name: Checkout repository uses: actions/checkout@v4 + # 2️⃣ Initialize CodeQL - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: - languages: python + languages: ["python","javascript"] # Add more languages if needed + # 3️⃣ Auto-build the project for CodeQL - name: Autobuild uses: github/codeql-action/autobuild@v3 + # 4️⃣ Perform CodeQL analysis and generate SARIF report - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 + with: + output: results.sarif + upload-sarif: true # Upload to GitHub Security tab + + # 5️⃣ Comment Top-N alerts per file + PR summary + file severity overview + overflow notice + - name: Comment CodeQL Alerts with Top-N and File Severity Overview + uses: marocchino/sticky-pull-request-comment@v2 + with: + path: results.sarif + header: "### :shield: CodeQL Security Alerts Summary" + layout: "group-by-file" + format: "markdown-table" + sort-severity: true # Sort alerts: Critical → High → Medium → Low + highlight: "Critical,High" # Highlight most severe alerts + collapse: "Medium,Low" # Collapse medium/low severity alerts + max-items-per-file: 5 # Display top 5 alerts per file + show-summary: true # Show total alert summary table for the PR + show-file-overview: true # Show file-level Critical/High counts + overflow-text: "+{remaining} more alerts in this file" # Folded notice for extra alerts + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 15f38cdb280d0dcff7770e8e950588857597399d Mon Sep 17 00:00:00 2001 From: lighting9999 Date: Fri, 22 Aug 2025 13:29:19 +0800 Subject: [PATCH 5/9] =?UTF-8?q?=E6=9B=B4=E6=96=B0=20Codeql.yml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/Codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
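Review bot: The `Comment CodeQL Alerts ...` step passes `layout`, `format`, `sort-severity`, `highlight`, `collapse`, `max-items-per-file`, `show-summary`, `show-file-overview` and `overflow-text` to `marocchino/sticky-pull-request-comment@v2`, and as far as I know that action accepts none of them (its inputs are along the lines of `header`, `message`, `path`, `recreate`, `append`, `GITHUB_TOKEN`); the runner only warns about unexpected inputs and then posts the file named by `path` verbatim, which here would be a raw SARIF dump. `upload-sarif: true` on the `analyze` step is likewise not an input of that action (`upload-sarif` is a separate action in the same repository; `analyze` takes `upload`), and `output:` names a directory rather than a file, so `path: results.sarif` most likely does not point at the generated SARIF either. Posting a comment additionally needs `pull-requests: write`, which nothing in the file grants, and the same step with the same inputs reappears in the patch 7 hunk. If a PR summary is the goal, the supported route is to let `analyze` upload and rely on code scanning's own PR annotations, or to build the markdown in a `run:` step and pass that file as `path`; in either case pin this third-party action to a commit SHA, since it receives GITHUB_TOKEN.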
diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml index 94ca923d248..3d40075e20f 100644 --- a/.github/workflows/Codeql.yml +++ b/.github/workflows/Codeql.yml @@ -1,4 +1,4 @@ -name: "CodeQL Full Scan with PR Comments (Ultimate Version)" +name: "CodeQL code Scan" on: pull_request: From cc6c9b20c3d245518b453909d85475589e3134d2 Mon Sep 17 00:00:00 2001 From: lighting9999 Date: Fri, 22 Aug 2025 13:35:16 +0800 Subject: [PATCH 6/9] =?UTF-8?q?=E6=9B=B4=E6=96=B0=20Codeql.yml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/Codeql.yml | 48 +++++++++++++++++++----------------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml index 3d40075e20f..9aa617481c6 100644 --- a/.github/workflows/Codeql.yml +++ b/.github/workflows/Codeql.yml 
@@ -1,53 +1,57 @@ -name: "CodeQL code Scan" +name: "CodeQL Security Scan" on: pull_request: types: [opened, synchronize, reopened] + push: + branches: [main, master] + +permissions: + security-events: write + actions: read + contents: read jobs: codeql: name: "CodeQL Analysis" runs-on: ubuntu-latest + if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true steps: # 1️⃣ Checkout the repository - name: Checkout repository uses: actions/checkout@v4 + with: + # 必须深度检出以获取完整历史记录进行精确分析 + fetch-depth: 0 # 2️⃣ Initialize CodeQL - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: - languages: ["python","javascript"] # Add more languages if needed + languages: ["python","javascript"] + # 如果是私有仓库或需要认证的依赖,配置这里 + # config-file: ./.github/codeql/codeql-config.yml # 3️⃣ Auto-build the project for CodeQL - name: Autobuild uses: github/codeql-action/autobuild@v3 - # 4️⃣ Perform CodeQL analysis and generate SARIF report + # 4️⃣ Perform CodeQL analysis - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: - output: results.sarif - upload-sarif: true # Upload to GitHub Security tab - - # 5️⃣ Comment Top-N alerts per file + PR summary + file severity overview + overflow notice - - name: Comment CodeQL Alerts with Top-N and File Severity Overview - uses: marocchino/sticky-pull-request-comment@v2 + category: "/language:python_and_javascript" + # 上传结果到GitHub安全选项卡 + upload: true + + # 5️⃣ 可选:添加PR注释(仅当不是fork PR时) + - name: Comment PR with CodeQL results + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository + uses: github/codeql-action/comment@v3 with: - path: results.sarif - header: "### :shield: CodeQL Security Alerts Summary" - layout: "group-by-file" - 
format: "markdown-table" - sort-severity: true # Sort alerts: Critical → High → Medium → Low - highlight: "Critical,High" # Highlight most severe alerts - collapse: "Medium,Low" # Collapse medium/low severity alerts - max-items-per-file: 5 # Display top 5 alerts per file - show-summary: true # Show total alert summary table for the PR - show-file-overview: true # Show file-level Critical/High counts - overflow-text: "+{remaining} more alerts in this file" # Folded notice for extra alerts - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + moniker: codeql-analysis \ No newline at end of file From 35858f8d7a3219eae986fd7aa0ec2c5eebda0957 Mon Sep 17 00:00:00 2001 From: lighting9999 Date: Fri, 22 Aug 2025 14:20:19 +0800 Subject: [PATCH 7/9] Upgrade Codeql.yml --- .github/workflows/Codeql.yml | 88 ++++++++++++++++++------------------ 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml index 9aa617481c6..ead0e87ff70 100644 --- a/.github/workflows/Codeql.yml +++ b/.github/workflows/Codeql.yml 
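Review bot: `uses: github/codeql-action/comment@v3` in the new last step refers to an action that, as far as I know, does not exist in that repository (it ships `init`, `autobuild`, `analyze`, `upload-sarif` and a few helpers), and a missing action path fails the job at setup before any step runs, so this hunk turns the whole scan red instead of merely skipping the comment. Drop the step, or replace it with a `run:` step that reads the results through the code-scanning API after `analyze` has uploaded them. The added `permissions:` block and the job-level `if:` that skips fork PRs are the right shape; the step-level `if:` on the comment step repeats the job-level condition exactly and is redundant as long as both remain. The new comments (`fetch-depth`, `config-file`, step 5) are in Chinese while the rest of the file is in English; keep workflow comments in one language, e.g. `# full history is needed for an accurate analysis`.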
@@ -1,57 +1,57 @@ -name: "CodeQL Security Scan" +name: "CodeQL Python Security Scan (Top-N + PR Comment)" on: pull_request: + branches: [ main, master ] types: [opened, synchronize, reopened] push: - branches: [main, master] + branches: [ main, master ] permissions: - security-events: write - actions: read contents: read + actions: read + security-events: write jobs: - codeql: - name: "CodeQL Analysis" + codeql-analysis: + name: "CodeQL Analysis (Python)" runs-on: ubuntu-latest - if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository - - concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true + if: > + github.event_name == 'push' || + (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) steps: - # 1️⃣ Checkout the repository - - name: Checkout repository - uses: actions/checkout@v4 - with: - # 必须深度检出以获取完整历史记录进行精确分析 - fetch-depth: 0 - - # 2️⃣ Initialize CodeQL - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ["python","javascript"] - # 如果是私有仓库或需要认证的依赖,配置这里 - # config-file: ./.github/codeql/codeql-config.yml - - # 3️⃣ Auto-build the project for CodeQL - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - # 4️⃣ Perform CodeQL analysis - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:python_and_javascript" - # 上传结果到GitHub安全选项卡 - upload: true - - # 5️⃣ 可选:添加PR注释(仅当不是fork PR时) - - name: Comment PR with CodeQL results - if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository - uses: github/codeql-action/comment@v3 - with: - moniker: codeql-analysis \ No newline at end of file + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: 
python + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + upload-sarif: true + + - name: Comment CodeQL Alerts on PR + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository + uses: marocchino/sticky-pull-request-comment@v2 + with: + path: results.sarif + header: "### :shield: CodeQL Python Security Alerts Summary" + layout: "group-by-file" + format: "markdown-table" + sort-severity: true + highlight: "Critical,High" + collapse: "Medium,Low" + max-items-per-file: 5 + show-summary: true + show-file-overview: true + overflow-text: "+{remaining} more alerts in this file" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From aba29326b50b2dedebfa2290fec0bed1a6ca3972 Mon Sep 17 00:00:00 2001 From: lighting9999 Date: Fri, 22 Aug 2025 14:21:31 +0800 Subject: [PATCH 8/9] Upgrade Codeql.yml --- .github/workflows/Codeql.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml index ead0e87ff70..9a96d16edfc 100644 --- a/.github/workflows/Codeql.yml +++ b/.github/workflows/Codeql.yml @@ -16,9 +16,6 @@ jobs: codeql-analysis: name: "CodeQL Analysis (Python)" runs-on: ubuntu-latest - if: > - github.event_name == 'push' || - (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) steps: - name: Checkout repository From ccb717b5cdebbb86bb3ce8a10f96b9b0f025334d Mon Sep 17 00:00:00 2001 From: lighting9999 Date: Fri, 22 Aug 2025 14:25:36 +0800 Subject: [PATCH 9/9] Upgrade Codeql.yml --- .github/workflows/Codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml index 9a96d16edfc..ac1a6c7cf44 100644 --- a/.github/workflows/Codeql.yml +++ b/.github/workflows/Codeql.yml 
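Review bot: The `Comment CodeQL Alerts on PR` step reads `path: results.sarif`, but this rewrite removed the `output:` input from `analyze`, so nothing in the job writes a file of that name into the workspace and the step will most likely fail on a missing file on every PR. Either restore `output:` on `analyze` and point `path` at the per-language SARIF file it produces, or drop the comment step and rely on the annotations that the upload already gives PRs. The unsupported inputs on this step and the `upload-sarif: true` key are the issue already raised on the patch 4 hunk; patch 9 later fixes the latter but not the former. Stylistically the `if: >` folded condition and the `branches: [ main, master ]` spacing are fine, but `fetch-depth: 0` lost the comment explaining why full history is fetched; `# fetch full history for the analysis` keeps the intent visible.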
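Review bot: Removing the job-level `if:` means pull requests from forks now run the CodeQL job, where GITHUB_TOKEN is read-only and the `security-events: write` from the `permissions:` block is not granted, so in my experience the `analyze` upload is rejected for exactly those PRs. If scanning fork PRs is intended, the step-level `if:` on the comment step (outside this hunk) already keeps the comment from running there, but `analyze` needs an equivalent guard or an `upload:` value that skips the upload on fork events; if the intent was only to simplify, keeping the guard is the safer default. The job definition continues past the end of this hunk.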
@@ -34,7 +34,7 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: - upload-sarif: true + upload: true - name: Comment CodeQL Alerts on PR if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
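Review bot: `upload: true` is accepted by `analyze@v3` only through a compatibility mapping as far as I recall; the documented values for `upload` are `always`, `failure-only` and `never`, so `upload: always` states the intent directly and does not depend on that shim being kept. The comment step in the context below still reads `results.sarif`, which this job never produces, so correcting the input name does not by itself make the workflow green; that point is raised on the patch 7 hunk.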