chore(ci): update CodeQL workflow MONGOSH-1994 (#2327)

Author: nirinchev

.github/workflows/bump-auxiliary-packages.yml

@@ -2,6 +2,9 @@ name: Bump Auxiliary Packages
 on:
   workflow_dispatch:
 
+permissions:
+  contents: none # We use the github app to checkout and create PR
+
 jobs:
   update_generated_files:
     name: Bump packages
@@ -11,7 +14,7 @@ jobs:
         id: app-token
         with:
           app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
-          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }} 
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
       - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD

.github/workflows/check-pr-title.yml

@@ -3,22 +3,25 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled, converted_to_draft, edited]
 
+permissions:
+  pull-requests: read # to read PR title and labels
+
 jobs:
   check-pr-title:
     name: Check PR Title
     runs-on: ubuntu-latest
     steps:
       - name: Enforce conventional commit style
-        uses: realm/ci-actions/title-checker@main
+        uses: realm/ci-actions/title-checker@d6cc8f067474759d38e6d24e272027b4c88bc0a9
         with:
           regex: '^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test|ops){1}(\([\w\-\.]+\))?(!)?: .*'
           error-hint: 'Invalid PR title. Make sure it follows the conventional commit specification (i.e. "<type>(<optional scope>): <description>") or add the no-title-validation label'
-          ignore-labels: 'no-title-validation'
+          ignore-labels: "no-title-validation"
       - name: Enforce JIRA ticket in title
-        uses: realm/ci-actions/title-checker@main
+        uses: realm/ci-actions/title-checker@d6cc8f067474759d38e6d24e272027b4c88bc0a9
         # Skip the JIRA ticket check for PRs opened by bots
         if: ${{ !contains(github.event.pull_request.user.login, '[bot]') }}
         with:
-          regex: '[A-Z]{4,10}-[0-9]{1,5}$'
-          error-hint: 'Invalid PR title. Make sure it ends with a JIRA ticket - i.e. MONGOSH-1234 or add the no-title-validation label'
-          ignore-labels: 'no-title-validation'
+          regex: "[A-Z]{4,10}-[0-9]{1,5}$"
+          error-hint: "Invalid PR title. Make sure it ends with a JIRA ticket - i.e. MONGOSH-1234 or add the no-title-validation label"
+          ignore-labels: "no-title-validation"

.github/workflows/codeql.yml

@@ -1,34 +1,26 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:
-    branches: [ "main" ]
+    branches:
+      - main
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ "main" ]
+    branches:
+      - main
   schedule:
-    - cron: '30 20 * * 1'
+    - cron: "30 20 * * 1"
   workflow_run:
-    workflows: ["Update automatically generated files"]
+    workflows:
+      - Update automatically generated files
     types:
       - completed
-    branches: [ "main" ]
+    branches:
+      - main
 
 jobs:
   analyze:
     name: Analyze
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
@@ -37,55 +29,32 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Use only 'java' to analyze code written in Java, Kotlin or both
-        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+        language:
+          - javascript
+          - actions
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-        config: |
-          paths-ignore:
-            - '**/*.test.js'
-            - '**/*.spec.js'
-            - '**/*.test.ts'
-            - '**/*.spec.ts'
-            - '**/*.test.tsx'
-            - '**/*.spec.tsx'
-            - 'packages/build/**'
-            - 'packages/e2e-tests/**'
-            - 'scripts/**'
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #     echo "Run, Build Application using script"
-    #     ./location_of_script_within_repo/buildscript.sh
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
-      with:
-        category: "/language:${{matrix.language}}"
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          config: |
+            paths-ignore:
+              - '**/*.test.js'
+              - '**/*.spec.js'
+              - '**/*.test.ts'
+              - '**/*.spec.ts'
+              - '**/*.test.tsx'
+              - '**/*.spec.tsx'
+              - 'packages/build/**'
+              - 'packages/e2e-tests/**'
+              - 'scripts/**'
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/cron-tasks.yml

@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: none # We use the github app to checkout and push changes
+
 jobs:
   update_generated_files:
     name: Update automatically generated files

.github/workflows/homebrew.yml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   smoke-test-homebrew:
     name: Test on ${{ matrix.runner }}
@@ -21,10 +24,7 @@ jobs:
 
       - name: Report failure
         if: ${{ failure() }}
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_MONGOSH_DEVEL_WEBHOOK_URL }}
-          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
-        uses: slackapi/[email protected]
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # 2.0.0
         with:
           payload: |
             {
@@ -39,3 +39,5 @@ jobs:
                 }
               ]
             }
+          webhook: ${{ secrets.SLACK_MONGOSH_DEVEL_WEBHOOK_URL }}
+          webhook-type: incoming-webhook

.github/workflows/publish-auxiliary-packages.yml

@@ -9,6 +9,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: none # We use the github app to checkout and push tags
+
 jobs:
   publish:
     if: |
@@ -18,40 +21,39 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
-      id: app-token
-      with:
-        app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
-        private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
-    
-    - uses: actions/checkout@v4
-      with:
-        # don't checkout a detatched HEAD
-        ref: ${{ github.head_ref }}
-
-        # this is important so git log can pick up on
-        # the whole history to generate the list of AUTHORS
-        fetch-depth: "0"
-        token: ${{ steps.app-token.outputs.token }}
-
-    - name: "Use Node.js 20"
-      uses: actions/setup-node@v4
-      with:
-        node-version: 20.16.0
-
-    - name: Install [email protected]
-      run: npm install -g [email protected]
-
-    - name: Install Dependencies
-      run: |
-        npm ci
-
-    - name: "Publish what is not already in NPM"
-      env:
-        NPM_TOKEN: ${{ secrets.DEVTOOLSBOT_NPM_TOKEN }}
-      run: |
-        echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc
-        npm config list
-        echo "Publishing packages as $(npm whoami)"
-        npm run publish-auxiliary
-
+      - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
+        with:
+          # don't checkout a detatched HEAD
+          ref: ${{ github.head_ref }}
+
+          # this is important so git log can pick up on
+          # the whole history to generate the list of AUTHORS
+          fetch-depth: "0"
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: "Use Node.js 20"
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.16.0
+
+      - name: Install [email protected]
+        run: npm install -g [email protected]
+
+      - name: Install Dependencies
+        run: |
+          npm ci
+
+      - name: "Publish what is not already in NPM"
+        env:
+          NPM_TOKEN: ${{ secrets.DEVTOOLSBOT_NPM_TOKEN }}
+        run: |
+          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc
+          npm config list
+          echo "Publishing packages as $(npm whoami)"
+          npm run publish-auxiliary

.github/workflows/smoke-tests.yml

@@ -5,6 +5,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   smoke-tests:
     name: "OS: ${{ matrix.runner }}, node@${{ matrix.node }}"

.github/workflows/update-node-js.yaml

@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: none # We use the github app to open a PR
+
 jobs:
   update_generated_files:
     name: Update Node.js versions
@@ -21,6 +24,7 @@ jobs:
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - uses: actions/setup-node@v4
         with: