sandbox/.github/workflows/codeql.yml

---
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: 'CodeQL'

on:
  push:
    branches:
      - master
    paths:
      - '**.js'
      - '**.jsx'
      - '**.ts'
      - '**.tsx'
  pull_request:
    branches:
      - master
  schedule:
    - cron: '45 21 * * 2'

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # Runner size impacts CodeQL analysis time. To learn more, please see:
    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
    #   - https://gh.io/supported-runners-and-hardware-resources
    #   - https://gh.io/using-larger-runners (GitHub.com only)
    # Consider using larger runners or machines with greater resources
    # for possible analysis time improvements.
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    permissions:
      # required for all workflows
      security-events: write

      # required to fetch internal or private CodeQL packs
      packages: read

      # only required for workflows in private repositories
      actions: read
      contents: read

    strategy:
      fail-fast: false
      matrix:
        include:
          # CodeQL supports the following values keywords for 'language':
          # 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
          # Use `c-cpp` to analyze code written in C, C++ or both
          # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
          # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
          # To learn more about changing the languages that are analyzed or customizing the build
          # mode for your analysis,
          # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
          # If you are analyzing a compiled language, you can modify the 'build-mode' for that
          # language to customize how your codebase is analyzed, see
          # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
          - language: javascript-typescript
            build-mode: none
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.

          # For more details on CodeQL's query packs, refer to:
          # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # If the analyze step fails for one of the languages you are analyzing with
      # "We were unable to automatically build your code", modify the matrix above
      # to set the build mode to "manual" for that language. Then modify this step
      # to build your code.
      # Command-line programs to run using the OS shell.
      # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
      - name: 'warn manual build mode'
        if: matrix.build-mode == 'manual'
        shell: bash
        run: |
          echo 'If you are using a "manual" build mode for one or more of the' \
            'languages you are analyzing, replace this with the commands to build' \
            'your code, for example:'
          echo '  make bootstrap'
          echo '  make release'
          exit 1

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: '/language:${{matrix.language}}'
CI(GitHub Actions): add codeql Summary: CodeQL just for... CodeQL. Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `arc land`. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D343 2024-06-17 06:05:15 +02:00			`---`
			`# For most projects, this workflow file will not need changing; you simply need`
			`# to commit it to your repository.`
			`#`
			`# You may wish to alter this file to override the set of languages analyzed,`
			`# or to provide custom queries or build logic.`
			`#`
			`# ****** NOTE ******`
			`# We have attempted to detect the languages in your repository. Please check`
			# the `language` matrix defined below to confirm you have the correct set of
			`# supported CodeQL languages.`
			`#`
			`name: 'CodeQL'`

			`on:`
			`push:`
CI: fix (CodeQL\|yamllint) rules Summary: - run CodeQL on js/ts file edits. - yamllint rule modified to respect my styling decision (1 space before comment). Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `arc lint`, wait for codeql run next time. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D475 2024-06-30 10:22:14 +02:00			`branches:`
			`- master`
			`paths:`
			`- '**.js'`
			`- '**.jsx'`
			`- '**.ts'`
			`- '**.tsx'`
CI(GitHub Actions): add codeql Summary: CodeQL just for... CodeQL. Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `arc land`. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D343 2024-06-17 06:05:15 +02:00			`pull_request:`
CI: fix (CodeQL\|yamllint) rules Summary: - run CodeQL on js/ts file edits. - yamllint rule modified to respect my styling decision (1 space before comment). Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `arc lint`, wait for codeql run next time. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D475 2024-06-30 10:22:14 +02:00			`branches:`
			`- master`
CI(GitHub Actions): add codeql Summary: CodeQL just for... CodeQL. Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `arc land`. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D343 2024-06-17 06:05:15 +02:00			`schedule:`
			`- cron: '45 21 * * 2'`

			`jobs:`
			`analyze:`
			`name: Analyze (${{ matrix.language }})`
			`# Runner size impacts CodeQL analysis time. To learn more, please see:`
			`# - https://gh.io/recommended-hardware-resources-for-running-codeql`
			`# - https://gh.io/supported-runners-and-hardware-resources`
			`# - https://gh.io/using-larger-runners (GitHub.com only)`
			`# Consider using larger runners or machines with greater resources`
			`# for possible analysis time improvements.`
			`runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') \|\| 'ubuntu-latest' }}`
			`timeout-minutes: ${{ (matrix.language == 'swift' && 120) \|\| 360 }}`
			`permissions:`
			`# required for all workflows`
			`security-events: write`

			`# required to fetch internal or private CodeQL packs`
			`packages: read`

			`# only required for workflows in private repositories`
			`actions: read`
			`contents: read`

			`strategy:`
			`fail-fast: false`
			`matrix:`
			`include:`
CI: fix (CodeQL\|yamllint) rules Summary: - run CodeQL on js/ts file edits. - yamllint rule modified to respect my styling decision (1 space before comment). Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `arc lint`, wait for codeql run next time. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D475 2024-06-30 10:22:14 +02:00			`# CodeQL supports the following values keywords for 'language':`
			`# 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'`
			# Use `c-cpp` to analyze code written in C, C++ or both
			`# Use 'java-kotlin' to analyze code written in Java, Kotlin or both`
			`# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both`
			`# To learn more about changing the languages that are analyzed or customizing the build`
			`# mode for your analysis,`
			`# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.`
			`# If you are analyzing a compiled language, you can modify the 'build-mode' for that`
			`# language to customize how your codebase is analyzed, see`
			`# https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages`
CI(GitHub Actions): add codeql Summary: CodeQL just for... CodeQL. Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `arc land`. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D343 2024-06-17 06:05:15 +02:00			`- language: javascript-typescript`
			`build-mode: none`
			`steps:`
			`- name: Checkout repository`
			`uses: actions/checkout@v4`

			`# Initializes the CodeQL tools for scanning.`
			`- name: Initialize CodeQL`
			`uses: github/codeql-action/init@v3`
			`with:`
			`# If you wish to specify custom queries, you can do so here or in a config file.`
			`# By default, queries listed here will override any specified in a config file.`
			`# Prefix the list here with "+" to use these queries and those in the config file.`

			`# For more details on CodeQL's query packs, refer to:`
			`# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs`
			`# queries: security-extended,security-and-quality`
CI: fix (CodeQL\|yamllint) rules Summary: - run CodeQL on js/ts file edits. - yamllint rule modified to respect my styling decision (1 space before comment). Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `arc lint`, wait for codeql run next time. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D475 2024-06-30 10:22:14 +02:00			`languages: ${{ matrix.language }}`
			`build-mode: ${{ matrix.build-mode }}`
CI(GitHub Actions): add codeql Summary: CodeQL just for... CodeQL. Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `arc land`. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D343 2024-06-17 06:05:15 +02:00
			`# If the analyze step fails for one of the languages you are analyzing with`
			`# "We were unable to automatically build your code", modify the matrix above`
			`# to set the build mode to "manual" for that language. Then modify this step`
			`# to build your code.`
npm(prettier-config): add prettier plugins, add rules, consolidate Summary: And run `npm run p:w .` for that, and add .prettierignore so `sh` plugin ignores them. Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `npm run p:c .` and `npm publish`. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D355 2024-06-18 11:42:33 +02:00			`# Command-line programs to run using the OS shell.`
			`# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun`
			`- name: 'warn manual build mode'`
			`if: matrix.build-mode == 'manual'`
CI(GitHub Actions): add codeql Summary: CodeQL just for... CodeQL. Signed-off-by: Yongmin Hong <revi@omglol.email> Test Plan: `arc land`. Reviewers: O1 revi & automations, revi Reviewed By: O1 revi & automations, revi Differential Revision: https://issuetracker.revi.xyz/D343 2024-06-17 06:05:15 +02:00			`shell: bash`
			`run: \|`
			`echo 'If you are using a "manual" build mode for one or more of the' \`
			`'languages you are analyzing, replace this with the commands to build' \`
			`'your code, for example:'`
			`echo ' make bootstrap'`
			`echo ' make release'`
			`exit 1`

			`- name: Perform CodeQL Analysis`
			`uses: github/codeql-action/analyze@v3`
			`with:`
			`category: '/language:${{matrix.language}}'`