248 changes: 248 additions & 0 deletions .github/workflows/ci-codeql.yml
@@ -0,0 +1,248 @@
name: "CodeQL Advanced"

concurrency:
group: codeql-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on:
push:
branches: [ "core" ]
pull_request:
branches: [ "core" ]
types: [ ready_for_review, synchronize, reopened ]
paths-ignore:
- '**/*.md'
- 'docs/**'
- '.github/ISSUE_TEMPLATE/**'
- '.github/*.md'
workflow_dispatch:
inputs:
full_scan:
description: "Run full CodeQL scan (ignore path filters)"
required: false
default: "false"
type: choice
options:
- "false"
- "true"

jobs:
changes:
name: Detect Changed Areas
runs-on: ubuntu-latest
if: >
github.event_name != 'workflow_dispatch' ||
github.event.inputs.full_scan != 'true'
permissions:
contents: read
outputs:
actions: ${{ steps.filter.outputs.actions }}
csharp: ${{ steps.filter.outputs.csharp }}
cpp: ${{ steps.filter.outputs.cpp }}
javascript_typescript: ${{ steps.filter.outputs.javascript_typescript }}
python: ${{ steps.filter.outputs.python }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0

- name: Detect Changes
id: filter
uses: dorny/paths-filter@v4

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'CodeQL Advanced' step
Uses Step: filter
uses 'dorny/paths-filter' with ref 'v4', not a pinned commit hash
Comment thread
AnnaSasDev marked this conversation as resolved.
Dismissed
with:
filters: |
actions:
- '.github/workflows/**'
- '.github/actions/**'
- '.github/dependabot.yml'
- '.github/codeql-config.yml'
csharp:
- 'src/**/*.cs'
- 'src/**/*.csproj'
- 'src/**/*.props'
- 'src/**/*.targets'
- 'src/**/*.razor'
- 'src/**/*.razor.css'
- 'Directory.Packages.props'
- 'global.json'
- '.github/workflows/ci-codeql.yml'
- '.github/codeql-config.yml'
cpp:
- 'src/InfiniFrame.Native/**'
- 'native-vendor-deps.json'
- 'global.json'
- '.github/actions/setup-dependencies-native/**'
- '.github/workflows/ci-codeql.yml'
- '.github/codeql-config.yml'
javascript_typescript:
- 'src/**/*.js'
- 'src/**/*.jsx'
- 'src/**/*.ts'
- 'src/**/*.tsx'
- 'src/**/*.mjs'
- 'src/**/*.cjs'
- 'src/**/*.vue'
- 'src/**/*.html'
- 'src/**/package.json'
- 'src/**/package-lock.json'
- 'src/**/tsconfig*.json'
- 'src/**/vite.config.*'
- 'src/**/webpack.config.*'
- 'src/**/eslint.config.*'
- '.github/actions/**/*.js'
- '.github/actions/**/*.ts'
- '.github/workflows/ci-codeql.yml'
- '.github/codeql-config.yml'
python:
- '.github/scripts/**/*.py'
- '.github/scripts/**/*.pyi'
- '.github/scripts/**/pyproject.toml'
- '.github/scripts/**/requirements*.txt'
- '.github/scripts/**/Pipfile'
- '.github/scripts/**/Pipfile.lock'
- '.github/scripts/**/tox.ini'
- '.github/scripts/**/setup.cfg'
- 'scripts/**/*.py'
- 'scripts/**/*.pyi'
- 'scripts/**/pyproject.toml'
- 'scripts/**/requirements*.txt'
- 'scripts/**/Pipfile'
- 'scripts/**/Pipfile.lock'
- 'scripts/**/tox.ini'
- 'scripts/**/setup.cfg'
- '.github/workflows/ci-codeql.yml'
- '.github/codeql-config.yml'

analyze:
name: Analyze (${{ matrix.language }} on ${{ matrix.os }})
needs: changes
runs-on: ${{ matrix.os }}
timeout-minutes: 90

if: >
always() && (
needs.changes.result == 'success'
|| (
github.event_name == 'workflow_dispatch'
&& github.event.inputs.full_scan == 'true'
&& needs.changes.result == 'skipped'
)) && (
github.event_name != 'pull_request'
|| github.event.pull_request.draft == false
)

permissions:
contents: read
security-events: write
actions: read
packages: read
pull-requests: write
checks: write

strategy:
fail-fast: false
matrix:
include:
- language: actions
os: ubuntu-latest
build-mode: none
- language: c-cpp
os: ubuntu-latest
build-mode: manual
- language: c-cpp
os: windows-latest
build-mode: manual
- language: csharp
os: ubuntu-latest
build-mode: none
- language: javascript-typescript
os: ubuntu-latest
build-mode: none
- language: python
os: ubuntu-latest
build-mode: none

steps:
- name: Decide Whether to Analyze
id: should_analyze
shell: bash
env:
FULL_SCAN: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.full_scan == 'true' }}
LANGUAGE: ${{ matrix.language }}
ACTIONS_CHANGED: ${{ needs.changes.outputs.actions }}
CSHARP_CHANGED: ${{ needs.changes.outputs.csharp }}
CPP_CHANGED: ${{ needs.changes.outputs.cpp }}
JAVASCRIPT_TYPESCRIPT_CHANGED: ${{ needs.changes.outputs.javascript_typescript }}
PYTHON_CHANGED: ${{ needs.changes.outputs.python }}
run: |
should_run=false

if [[ "$FULL_SCAN" == "true" ]]; then should_run=true
elif [[ "$LANGUAGE" == "actions" && "$ACTIONS_CHANGED" == "true" ]]; then should_run=true
elif [[ "$LANGUAGE" == "csharp" && "$CSHARP_CHANGED" == "true" ]]; then should_run=true
elif [[ "$LANGUAGE" == "c-cpp" && "$CPP_CHANGED" == "true" ]]; then should_run=true
elif [[ "$LANGUAGE" == "javascript-typescript" && "$JAVASCRIPT_TYPESCRIPT_CHANGED" == "true" ]]; then should_run=true
elif [[ "$LANGUAGE" == "python" && "$PYTHON_CHANGED" == "true" ]]; then should_run=true
fi

echo "run=$should_run" >> "$GITHUB_OUTPUT"

- name: Checkout
if: steps.should_analyze.outputs.run == 'true'
uses: actions/checkout@v6
with:
fetch-depth: 1

- name: Setup .NET
if: steps.should_analyze.outputs.run == 'true'
uses: actions/setup-dotnet@v5
with:
dotnet-version: |
8.x
9.x
10.x

- name: Setup CMake
if: steps.should_analyze.outputs.run == 'true' && matrix.language == 'c-cpp'
uses: lukka/get-cmake@latest

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'CodeQL Advanced' step
Uses Step
uses 'lukka/get-cmake' with ref 'latest', not a pinned commit hash
Comment thread
AnnaSasDev marked this conversation as resolved.
Dismissed

- name: Setup Native dependencies
if: steps.should_analyze.outputs.run == 'true' && matrix.language == 'c-cpp'
uses: ./.github/actions/setup-dependencies-native
# noinspection UndefinedParamsPresent
with:
apt-cache-version: 1.0
brew-cache-key: ${{ runner.os }}-${{ matrix.language }}-brew-native-${{ hashFiles('.github/actions/setup-dependencies-native/action.yml', '.github/workflows/codeql.yml') }}
brew-restore-key: ${{ runner.os }}-${{ matrix.language }}-brew-native-

- name: Initialize CodeQL
if: steps.should_analyze.outputs.run == 'true'
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
queries: security-extended,security-and-quality
config-file: ./.github/codeql-config.yml

- name: Restore C# (.slnx)
if: steps.should_analyze.outputs.run == 'true' && matrix.language == 'csharp' && matrix.build-mode == 'manual'
run: |
dotnet restore InfiniFrame.slnx /p:NoWarn=NU1503

- name: Build Native (CodeQL)
if: steps.should_analyze.outputs.run == 'true' && matrix.language == 'c-cpp'
shell: pwsh
run: |
dotnet build src/InfiniFrame.Native/InfiniFrame.Native.proj --configuration Release --no-restore -p:SolutionDir="${{ github.workspace }}/" -p:Platform=x64

- name: Build C# (.slnx)
if: steps.should_analyze.outputs.run == 'true' && matrix.language == 'csharp' && matrix.build-mode == 'manual'
run: |
dotnet build InfiniFrame.slnx --no-restore --configuration Release -p:InfiniFramePackAfterBuild=false

- name: Perform CodeQL Analysis
if: steps.should_analyze.outputs.run == 'true'
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{ matrix.language }}"
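Review bot: The `analyze` job is granted `pull-requests: write` and `checks: write`, yet no step in this hunk comments on a pull request or creates a check run — the `github/codeql-action` init/analyze steps upload results through `security-events: write` — so those two grants should be removed (or at most reduced to `pull-requests: read`) to keep the job at least privilege. Separately, the `brew-cache-key` expression hashes `.github/workflows/codeql.yml`, but this file is `.github/workflows/ci-codeql.yml`; if the old path no longer exists, `hashFiles` yields an empty string and the native-dependency cache key no longer changes when this workflow changes, so it should read `hashFiles('.github/actions/setup-dependencies-native/action.yml', '.github/workflows/ci-codeql.yml')`. The `Restore C# (.slnx)` and `Build C# (.slnx)` steps are unreachable as written, because the only `csharp` matrix entry sets `build-mode: none` while both steps require `matrix.build-mode == 'manual'`; either add a manual-mode csharp entry or drop the steps. Finally, `apt-cache-version: 1.0` is an unquoted float and is liable to reach the action as the string `1`; quote it as `apt-cache-version: "1.0"`.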