Refactor code to exclude target files from file watcher #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Enhanced CodeQL Advanced Security Scan with Automated Fixes" | ||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
| pull_request: | ||
| branches: [ "main" ] | ||
| schedule: | ||
| - cron: '18 6 * * 4' # Weekly scan on Thursday at 6:18 UTC | ||
| jobs: | ||
| analyze: | ||
| name: Analyze (${{ matrix.language }}) | ||
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | ||
| permissions: | ||
| security-events: write | ||
| packages: read | ||
| actions: read | ||
| contents: read | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - language: python | ||
| build-mode: none | ||
| - language: javascript-typescript | ||
| build-mode: none | ||
| - language: c-cpp | ||
| build-mode: manual | ||
| steps: | ||
| # Step 1: Checkout the code | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| # Step 2: Initialize CodeQL with enhanced queries | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v3 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| build-mode: ${{ matrix.build-mode }} | ||
| queries: +security-extended,performance-extended | ||
| # Step 3: Build for languages needing compilation (e.g., C/C++) | ||
| - if: matrix.build-mode == 'manual' | ||
| name: Build Project (Manual Build Mode) | ||
| run: | | ||
| echo "Building project for ${matrix.language}..." | ||
| cmake . | ||
| make | ||
| # Step 4: Perform CodeQL analysis | ||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v3 | ||
| with: | ||
| category: "/language:${{matrix.language}}" | ||
| # Step 5: Automated Fixes for Minor Issues | ||
| - name: Apply Automated Fixes for Python | ||
| if: matrix.language == 'python' | ||
| run: | | ||
| pip install black | ||
| black . # Automatically format Python code | ||
| - name: Apply Automated Fixes for JavaScript/TypeScript | ||
| if: matrix.language == 'javascript-typescript' | ||
| run: | | ||
| npm install --save-dev eslint prettier | ||
| npx eslint . --fix # Automatically fix JavaScript/TypeScript linting issues | ||
| npx prettier --write . # Format code with Prettier | ||
| - name: Apply Automated Fixes for Rust | ||
| if: matrix.language == 'c-cpp' | ||
| run: | | ||
| rustup component add rustfmt | ||
| cargo fmt # Automatically format Rust code | ||
| # Step 6: Dependency Fixes | ||
| - name: Fix Node.js Dependency Vulnerabilities | ||
| if: matrix.language == 'javascript-typescript' | ||
| run: npm audit fix || true # Automatically fix npm vulnerabilities | ||
| - name: Fix Rust Dependency Vulnerabilities | ||
| if: matrix.language == 'c-cpp' | ||
| run: | | ||
| cargo install cargo-audit | ||
| cargo audit fix || true # Automatically fix Rust dependencies where possible | ||
| # Step 7: Commit and Push Automated Fixes | ||
| - name: Commit and Push Fixes | ||
| if: github.ref == 'refs/heads/main' | ||
| run: | | ||
| git config --local user.name "github-actions" | ||
| git config --local user.email "[email protected]" | ||
| git add . | ||
| git commit -m "Automated code and dependency fixes [CI]" || echo "No changes to commit" | ||
| git push origin main || echo "No changes to push" | ||
| # Step 8: Upload CodeQL SARIF results for report review | ||
| - name: Upload CodeQL SARIF Results | ||
| uses: actions/upload-artifact@v2 | ||
| with: | ||
| name: CodeQL-SARIF-${{ matrix.language }} | ||
| path: *.sarif | ||
| # Notification Job | ||
| notify: | ||
| runs-on: ubuntu-latest | ||
| needs: analyze | ||
| if: always() | ||
| steps: | ||
| - name: Check if CodeQL found any issues | ||
| id: check_sarif | ||
| run: | | ||
| grep -q '"severity":' *.sarif && echo "issues_found=true" || echo "issues_found=false" | ||
| # Slack Notification on Analysis Completion | ||
| - name: Notify Slack | ||
| if: steps.check_sarif.outputs.issues_found == 'true' | ||
| run: | | ||
| curl -X POST -H 'Content-type: application/json' --data '{"text":":warning: CodeQL scan completed with issues. Please review the report."}' ${{ secrets.SLACK_WEBHOOK }} | ||
| - name: Notify Slack No Issues | ||
| if: steps.check_sarif.outputs.issues_found == 'false' | ||
| run: | | ||
| curl -X POST -H 'Content-type: application/json' --data '{"text":"CodeQL scan completed with no issues found."}' ${{ secrets.SLACK_WEBHOOK }} | ||
| # Generate and Upload Report Artifact | ||
| reporting: | ||
| runs-on: ubuntu-latest | ||
| needs: notify | ||
| steps: | ||
| - name: Generate Report Summary | ||
| run: | | ||
| echo "## CodeQL Security Report" > report.md | ||
| echo "### Code Quality and Security Checks" >> report.md | ||
| echo "- Code analysis and vulnerability scan completed." >> report.md | ||
| echo "- SARIF results available for download if issues were detected." >> report.md | ||
| echo "### Results Summary" >> report.md | ||
| if [[ ${{needs.notify.outputs.issues_found}} == 'true' ]]; then | ||
| echo "- :warning: Issues detected. Please review the SARIF files." >> report.md | ||
| else | ||
| echo "- No issues detected." >> report.md | ||
| fi | ||
| - name: Upload Report Artifact | ||
| uses: actions/upload-artifact@v2 | ||
| with: | ||
| name: CodeQL-Report | ||
| path: report.md | ||
