From 70c09a69346a7cdcb64e94524c71af00d3b1ebe5 Mon Sep 17 00:00:00 2001
From: lighting9999
Date: Sat, 23 Aug 2025 08:15:38 +0800
Subject: [PATCH 1/3] fix Codeql.yml
---
 .github/workflows/Codeql.yml | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)
diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml
index ac1a6c7cf44..33f37895583 100644
--- a/.github/workflows/Codeql.yml
+++ b/.github/workflows/Codeql.yml
@@ -1,4 +1,4 @@
-name: "CodeQL Python Security Scan (Top-N + PR Comment)"
+name: "CodeQL Python Security Scan (Top-N)"
 on:
 pull_request:
@@ -35,20 +35,3 @@ jobs:
 uses: github/codeql-action/analyze@v3
 with:
 upload: true
-
- - name: Comment CodeQL Alerts on PR
- if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
- uses: marocchino/sticky-pull-request-comment@v2
- with:
- path: results.sarif
- header: "### :shield: CodeQL Python Security Alerts Summary"
- layout: "group-by-file"
- format: "markdown-table"
- sort-severity: true
- highlight: "Critical,High"
- collapse: "Medium,Low"
- max-items-per-file: 5
- show-summary: true
- show-file-overview: true
- overflow-text: "+{remaining} more alerts in this file"
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
From 841f8530a93099f9f0a33ef22796b9a5879fba18 Mon Sep 17 00:00:00 2001
From: lighting9999
Date: Sat, 23 Aug 2025 09:33:44 +0800
Subject: [PATCH 2/3] Upgrade Codeql.yml
---
 .github/workflows/Codeql.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml
index 33f37895583..e7c6f2bb7f3 100644
--- a/.github/workflows/Codeql.yml
+++ b/.github/workflows/Codeql.yml
@@ -1,4 +1,4 @@
-name: "CodeQL Python Security Scan (Top-N)"
+name: "CodeQL Python Security Scan"
 on:
 pull_request:
@@ -27,6 +27,7 @@ jobs:
 uses: github/codeql-action/init@v3
 with:
 languages: python
+ queries: +security-extended,+security-and-quality
 - name: Autobuild
 uses: github/codeql-action/autobuild@v3
@@ -34,4 +35,4 @@ jobs:
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v3
 with:
- upload: true
+ upload: true
\ No newline at end of file
From e42c6e85634be7b945b94e17f2874aa280dac424 Mon Sep 17 00:00:00 2001
From: lighting9999
Date: Sat, 23 Aug 2025 09:37:00 +0800
Subject: [PATCH 3/3] Upgrade Codeql.yml
---
 .github/workflows/Codeql.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml
index e7c6f2bb7f3..8888ce47d41 100644
--- a/.github/workflows/Codeql.yml
+++ b/.github/workflows/Codeql.yml
@@ -1,11 +1,10 @@
-name: "CodeQL Python Security Scan"
+name: "CodeQL Python Security and Quality Scan"
 on:
- pull_request:
- branches: [ main, master ]
- types: [opened, synchronize, reopened]
 push:
 branches: [ main, master ]
+ pull_request:
+ branches: [ main, master ]
 permissions:
 contents: read
@@ -18,21 +17,26 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ # 1. 检出代码
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ # 2. 初始化 CodeQL
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
 with:
 languages: python
- queries: +security-extended,+security-and-quality
+ # 不指定 queries,Action 会默认跑安全 + 质量查询
+ # 3. 自动构建
 - name: Autobuild
 uses: github/codeql-action/autobuild@v3
+ # 4. 执行分析
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v3
 with:
+ # 不指定 queries,Action 会自动跑安全 + 质量规则
 upload: true
\ No newline at end of file
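Review bot: The added `queries: +security-extended,+security-and-quality` under the init step's `with:` names two suites where one is enough, because `security-and-quality` already contains every query in `security-extended`, so the second entry only duplicates work during analysis. `queries: +security-and-quality` states the same intent; the leading `+` keeps the default security suite, so this adds to the standard queries rather than replacing them. The `with:` block this line lives in belongs to `github/codeql-action/init`, which is the correct step for the input. The rest of the `jobs:` mapping lies outside the hunk.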
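Review bot: Dropping `types: [opened, synchronize, reopened]` from the `pull_request:` trigger is a no-op rather than a behaviour change, because those three are the activity types GitHub uses when `types` is omitted; the commit subject `Upgrade Codeql.yml` does not say so, and a sentence in the message would spare the next reader from checking. With `push:` and `pull_request:` as the only triggers the scan runs only when code moves, so newly published queries are never applied to an idle default branch; a `schedule:` trigger with a weekly `cron` entry is the usual complement when that coverage is wanted. The `permissions:` block that follows continues outside the hunk.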
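Review bot: Removing `queries: +security-extended,+security-and-quality` from the init step narrows the analysis back to the default suite, while the new comments `# 不指定 queries,Action 会默认跑安全 + 质量查询` and `# 不指定 queries,Action 会自动跑安全 + 质量规则` claim the opposite: with no `queries` input, `github/codeql-action/init` runs only the default security query suite, not the quality queries that the new name `CodeQL Python Security and Quality Scan` promises. Keeping `queries: +security-and-quality` in the init `with:` block preserves what the name claims; `queries` is an init input, so the second comment placed under the analyze step's `with:` is misleading in any case and should go. The new comments are also the only non-English text in the file; an English form such as `# Adds the security-and-quality suite on top of the default security queries` keeps the workflow readable to every contributor. The `jobs:` mapping starts before this hunk.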