build(deps): Bump github.com/wailsapp/wails/v3 in the go-deps group #1788
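name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly on Monday at 06:00 UTC — offset from Dependabot (Sunday) to spread load.
    - cron: '0 6 * * 1'

# Least-privilege token for the whole workflow (no job overrides below):
#   contents: read        — check out code
#   actions: read         — required for private repos (no-op on public, included for portability)
#   security-events: write — upload SARIF results to the GitHub Security tab
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: go
            build-mode: manual
          - language: javascript-typescript
            build-mode: none
          # GitHub Actions workflow analysis. CodeQL's `actions` language
          # parses every .github/workflows/*.yml plus composite actions
          # under .github/actions/ and runs queries that catch workflow
          # security smells — script-injection sinks (untrusted PR/issue
          # context interpolated into run: blocks), checkouts that leave
          # credentials persisted in .git/config, untrusted input flowing
          # into env vars, etc. No toolchain prep needed.
          - language: actions
            build-mode: none
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Do not leave GITHUB_TOKEN in .git/config on the runner. No step in
          # this job runs git after checkout, and the CodeQL init/analyze steps
          # authenticate through their own `token` input rather than the
          # checked-out repo's credentials — so persisting them only widens
          # what a compromised build step (e.g. a malicious Go module or npm
          # package) could read. This is also the exact smell the `actions`
          # queries above are configured to flag.
          persist-credentials: false

      # Go toolchain and frontend dist must be set up BEFORE codeql-action/init.
      # CodeQL's init wraps whichever `go` binary is on PATH at that moment; if
      # setup-go runs after init it overrides the tracer wrapper and no Go source
      # gets recorded, causing the "didn't build any of it" fatal error.
      - if: matrix.language == 'go'
        name: Set up Go
        uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6
        with:
          go-version-file: go.mod

      # assets.go has //go:embed all:frontend/dist — dist/ must exist before
      # `go build` or the embed directive fails at compile time. CodeQL's
      # Go analysis only needs the dir to be present; a real Vite build
      # would add ~30s with no analytical benefit, so we stub.
      - if: matrix.language == 'go'
        name: Prepare frontend/dist (stub for //go:embed)
        uses: ./.github/actions/prepare-frontend-dist
        with:
          real-assets: "false"

      - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # security-and-quality bundles three query sets in one suite:
          #   1. code-scanning (default) — core security queries
          #   2. security-extended       — adds hardcoded-credentials /
          #                                weak-crypto / extra taint sinks.
          #                                NB: this is static analysis of the
          #                                code, not GitHub's Secret Scanning
          #                                product, which is enabled separately
          #                                in repository settings.
          #   3. code-quality            — dead code, redundant logic,
          #                                complexity smells
          # Higher false-positive rate than the default code-scanning suite,
          # so triage every alert that lands in the Security tab. Languages
          # without a security-and-quality suite (at the time of writing,
          # `actions`) are analysed with their default queries instead.
          queries: security-and-quality

      # Build the serveronly variant (pure Go, CGO_ENABLED=0) — covers all
      # business logic without needing WebKitGTK/CGo deps on the runner.
      # No ${{ }} interpolation in this run: block — keep it that way so no
      # event context can be injected into the shell.
      - if: matrix.language == 'go'
        name: Build Go (serveronly — no CGo required)
        env:
          CGO_ENABLED: "0"
        run: go build -tags serveronly ./...

      - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
        with:
          category: /language:${{ matrix.language }}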