From 40e2c2e203e92f16f9e163ffe88936fd6c88f1b3 Mon Sep 17 00:00:00 2001
From: Yiming
Date: Mon, 16 Dec 2024 11:11:42 +0800
Subject: [PATCH] chore: fix codeql config (#1915)
---
 .github/workflows/codeql.yml | 1 +
 .github/workflows/config/codeql-config.yml | 8 +++
 .github/workflows/management-changelog.yml | 58 ----------------
 .../security-defender-for-devops.yml | 66 ------------------
 4 files changed, 9 insertions(+), 124 deletions(-)
 create mode 100644 .github/workflows/config/codeql-config.yml
 delete mode 100644 .github/workflows/management-changelog.yml
 delete mode 100644 .github/workflows/security-defender-for-devops.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index edf61f55a..d9c4f07a1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -62,6 +62,7 @@ jobs:
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
 with:
+ config-file: ./.github/workflows/config/codeql-config.yml
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
 # If you wish to specify custom queries, you can do so here or in a config file.
diff --git a/.github/workflows/config/codeql-config.yml b/.github/workflows/config/codeql-config.yml
new file mode 100644
index 000000000..17504a392
--- /dev/null
+++ b/.github/workflows/config/codeql-config.yml
@@ -0,0 +1,8 @@
+paths:
+ - 'packages'
+paths-ignore:
+ - '**/*.test.js'
+ - '**/*.test.ts'
+ - '**/*.test.tsx'
+ - '**/__tests__/**'
+ - 'packages/ide/**'
diff --git a/.github/workflows/management-changelog.yml b/.github/workflows/management-changelog.yml
deleted file mode 100644
index 9b6ba1f12..000000000
--- a/.github/workflows/management-changelog.yml
+++ /dev/null
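Review bot: The template comment that now sits directly under the added `config-file:` line (`# If you wish to specify custom queries, you can do so here or in a config file.`) no longer tells a reader that the scan scope is actually defined in `./.github/workflows/config/codeql-config.yml`, so it should be replaced with a pointer, e.g. `# Scan scope (paths/paths-ignore) is defined in ./.github/workflows/config/codeql-config.yml; custom queries belong there too.` Only the `Initialize CodeQL` step is visible here; the job and the matrix that supplies `languages`/`build-mode` start outside the hunk. If that matrix includes a compiled language, it is worth confirming against the CodeQL documentation whether the config's `paths`/`paths-ignore` filters restrict its analysis at all, and saying so in the same comment rather than implying the config narrows every language.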
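Review bot: `paths-ignore` excludes `packages/ide/**` wholesale and `paths` limits analysis to `packages`, with no comment recording why, and the same commit deletes `security-defender-for-devops.yml` together with its `upload-sarif` step, which leaves CodeQL as the only scanner feeding the Security tab and makes these exclusions an unrecorded coverage gap for `packages/ide` and for anything outside `packages`. Add a header comment stating the rationale, e.g. `# CodeQL scope: only packages/ is analyzed; test files are excluded as noise; packages/ide is excluded because <reason - fill in>.` The test-file globs are reasonable, but whether `packages/ide` is shipped code cannot be told from this diff; if it is, prefer narrowing the exclusion to the generated or vendored subpaths that motivated it rather than the whole package.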
@@ -1,58 +0,0 @@
-on:
- push:
- branches: []
- # branches:
- # - main # Your main branch
- # - dev # Your development branch
- # - release/* # Your releases branch
- # - v2 # Temp V2 integration branch
-
-permissions:
- contents: read
-
-name: Management - Release Workflow
-
-jobs:
- release:
- permissions:
- contents: write
- pull-requests: write
- env:
- GITHUB_TOKEN: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account.
- runs-on: ubuntu-latest
- steps:
- # Harden-Runner provides runtime security for GitHub-hosted and self-hosted environments.
- - name: Harden Runner
- uses: step-security/harden-runner@v2.6.1
- with:
- egress-policy: audit
-
- - uses: google-github-actions/release-please-action@v4
- id: release
- with:
- config-file: '.github/release/release-main-config.json'
- manifest-file: '.github/release/.release-manifest.json'
- include-component-in-tag: false
- target-branch: ${{ github.ref_name == 'dev' && 'main' || github.ref_name }}
-
- - uses: actions/checkout@v4
- if: ${{ steps.release.outputs.release_created }}
-
- - uses: pnpm/action-setup@v2
- if: ${{ steps.release.outputs.release_created }}
- with:
- version: ^7.15.0
-
- - uses: actions/setup-node@v4
- if: ${{ steps.release.outputs.release_created }}
- with:
- node-version: 20.x
- registry-url: 'https://registry.npmjs.org'
-
- - run: pnpm i # Install using pnpm
- if: ${{ steps.release.outputs.release_created }}
-
- - run: pnpm publish-test # Publish using pre-defined pnpm script
- if: ${{ steps.release.outputs.release_created }}
- env:
- NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
diff --git a/.github/workflows/security-defender-for-devops.yml b/.github/workflows/security-defender-for-devops.yml
deleted file mode 100644
index 526cebf1e..000000000
--- a/.github/workflows/security-defender-for-devops.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle.
-# MSDO installs, configures and runs the latest versions of static analysis tools
-# (including, but not limited to, SDL/security and compliance tools).
-#
-# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue,
-# as well as Windows self hosted agents. ubuntu-latest support coming soon.
-#
-# For more information about the action , check out https://github.com/microsoft/security-devops-action
-#
-# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration
-# and provide permission before this can report data back to azure.
-# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
-
-name: Security - Microsoft Defender For Devops
-
-on:
- merge_group:
- push:
- branches:
- - main
- - dev
- - release/*
- - v2
- pull_request:
- branches:
- - main
- - dev
- - release/*
- - v2
- schedule:
- - cron: '34 12 * * 0'
-
-permissions:
- contents: read
- security-events: read
-
-jobs:
- MSDO:
- # currently only windows latest is supported
- runs-on: windows-latest
- permissions:
- security-events: write
-
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@v2.6.1
- with:
- egress-policy: audit
-
- # checks out the repository
- - uses: actions/checkout@v4
-
- - uses: actions/setup-dotnet@v3.2.0
- with:
- dotnet-version: |
- 5.0.x
- 6.0.x
-
- - name: Run Microsoft Security DevOps
- uses: microsoft/security-devops-action@v1.6.0
- id: msdo
-
- - name: Upload results to Security tab
- uses: github/codeql-action/upload-sarif@v2.22.12
- with:
- sarif_file: ${{ steps.msdo.outputs.sarifFile }}