
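name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly on Monday at 06:00 UTC — offset from Dependabot (Sunday) to spread load.
    - cron: '0 6 * * 1'

# contents: read — check out code
# actions: read — required for private repos (no-op on public, included for portability)
# security-events: write — upload SARIF results to GitHub Security tab
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: go
            build-mode: manual
          - language: javascript-typescript
            build-mode: none
          # GitHub Actions workflow analysis. CodeQL's `actions` language
          # parses every .github/workflows/*.yml plus composite actions
          # under .github/actions/ and runs queries that catch workflow
          # security smells — script-injection sinks (untrusted PR/issue
          # context interpolated into run: blocks), missing checkout
          # persist-credentials hardening, untrusted input flowing into
          # env vars, etc. No toolchain prep needed.
          - language: actions
            build-mode: none
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # No later step in this job pushes or fetches with the checkout token
          # (the build is a plain `go build`, and the analysis upload is done by
          # the codeql-action steps). Not persisting it keeps the credential out
          # of .git/config for the rest of the job and any third-party action —
          # the same checkout hardening the `actions` queries below flag.
          # If go.mod ever pulls private modules over git, revisit this.
          persist-credentials: false

      # Go toolchain and frontend dist must be set up BEFORE codeql-action/init.
      # CodeQL's init wraps whichever `go` binary is on PATH at that moment; if
      # setup-go runs after init it overrides the tracer wrapper and no Go source
      # gets recorded, causing the "didn't build any of it" fatal error.
      - if: matrix.language == 'go'
        name: Set up Go
        uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6
        with:
          go-version-file: go.mod

      # assets.go has //go:embed all:frontend/dist — dist/ must exist before
      # `go build` or the embed directive fails at compile time. CodeQL's
      # Go analysis only needs the dir to be present; a real Vite build
      # would add ~30s with no analytical benefit, so we stub.
      - if: matrix.language == 'go'
        name: Prepare frontend/dist (stub for //go:embed)
        uses: ./.github/actions/prepare-frontend-dist
        with:
          real-assets: "false"

      - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # security-and-quality bundles three query packs in one suite:
          #   1. code-scanning (default) — core security queries
          #   2. security-extended — adds hardcoded-credentials /
          #      weak-crypto / extra taint sinks
          #      (the "secret scanning" layer)
          #   3. plus code-quality queries — dead code, redundant logic,
          #      complexity smells
          # Higher false-positive rate than the default code-scanning suite,
          # so triage every alert that lands in the Security tab. Languages
          # without a security-and-quality pack (currently `actions`)
          # silently fall back to their default suite.
          queries: security-and-quality

      # Build the serveronly variant (pure Go, CGO_ENABLED=0) — covers all
      # business logic without needing WebKitGTK/CGo deps on the runner.
      - if: matrix.language == 'go'
        name: Build Go (serveronly — no CGo required)
        env:
          CGO_ENABLED: "0"
        run: go build -tags serveronly ./...

      - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
        with:
          category: /language:${{ matrix.language }}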