scratch-pad/.github/workflows/codeql-basic.yml at main · pbean/scratch-pad · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
name: CodeQL Security Scan
on:
  schedule:
    - cron: '0 6 * * 1'  # Weekly on Monday at 6 AM
  pull_request:
    branches: [main]
    paths:
      - '**.js'
      - '**.jsx'
      - '**.ts'
      - '**.tsx'
      - '**.rs'
      - '**/Cargo.toml'
      - '**/Cargo.lock'
  workflow_dispatch:  # Allow manual triggering

jobs:
  analyze-javascript:
    name: CodeQL JavaScript/TypeScript
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v5

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql-config.yml

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"

  analyze-rust:
    name: CodeQL Rust (Experimental)
    runs-on: ubuntu-22.04
    timeout-minutes: 20  # Reduced from 30 - fail faster if stuck
    # Only run on PRs initially to limit noise
    if: github.event_name == 'pull_request'
    continue-on-error: true  # Non-blocking while in beta
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v5

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: x86_64-unknown-linux-gnu

      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libssl-dev librsvg2-dev

      - name: Cache Rust dependencies
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            src-tauri/target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-

      - name: Initialize CodeQL for Rust
        uses: github/codeql-action/init@v3
        with:
          languages: rust
          # Rust-specific config if needed
          setup-python-dependencies: false

      - name: Build Rust code for analysis
        run: |
          cd src-tauri
          # Using release mode for accurate analysis despite slower build
          # Consider using debug mode if timeouts persist
          cargo build --release --verbose
        env:
          CARGO_TERM_COLOR: always

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:rust-experimental"
          # Add custom queries path when available
          # queries: .github/codeql/rust-queries