fix(cloudflare): serve wrangler secrets via single-shot FIFO #412
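# CodeQL static analysis for this repository.
# Pushes and pull requests only scan the languages whose files actually
# changed; the weekly scheduled run scans every configured language.
name: CodeQL Analysis

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # weekly scan — Sundays at 4am UTC
    - cron: '0 4 * * 0'

# One in-flight run per branch / PR ref. Only PR runs are cancelled when a
# newer run starts, so pushes to main always finish and upload results.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Least privilege for GITHUB_TOKEN: read the code, upload SARIF results.
permissions:
  contents: read
  security-events: write

jobs:
  # Decides which analyze-* jobs need to run by inspecting the changed paths
  # through the REST API, so no checkout is required here.
  check-changes:
    name: Check changed languages
    runs-on: ubuntu-latest
    outputs:
      js-changed: ${{ steps.check.outputs.js-changed }}
      actions-changed: ${{ steps.check.outputs.actions-changed }}
      swift-changed: ${{ steps.check.outputs.swift-changed }}
      rust-changed: ${{ steps.check.outputs.rust-changed }}
    steps:
      - id: check
        # Workflow context is handed to the script through env rather than
        # being interpolated with ${{ }} into the shell source, so no context
        # value is ever evaluated as shell syntax.
        env:
          GH_TOKEN: ${{ github.token }}
          EVENT_NAME: ${{ github.event_name }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_SHA: ${{ github.sha }}
        run: |
          # On schedule, scan everything
          if [[ "$EVENT_NAME" == "schedule" ]]; then
            for lang in js actions swift rust; do
              echo "${lang}-changed=true" >> "$GITHUB_OUTPUT"
            done
            exit 0
          fi
          # Get changed files via API (no checkout needed)
          if [[ "$EVENT_NAME" == "pull_request" ]]; then
            FILES=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}/files" --paginate --jq '.[].filename')
          else
            # NOTE(review): this lists only the files of the head commit, so a
            # push containing several commits may miss changes made in earlier
            # commits — confirm whether a compare against the previous ref is
            # wanted here.
            FILES=$(gh api "repos/${REPO}/commits/${HEAD_SHA}" --jq '.files[].filename')
          fi
          # Prints "true" when any changed path matches the extended regex in $1,
          # otherwise "false". An empty file list always yields "false".
          check_pattern() {
            if echo "$FILES" | grep -qE "$1"; then
              echo "true"
            else
              echo "false"
            fi
          }
          echo "js-changed=$(check_pattern '\.(js|ts|jsx|tsx|mjs|cjs)$')" >> "$GITHUB_OUTPUT"
          echo "actions-changed=$(check_pattern '^\.github/')" >> "$GITHUB_OUTPUT"
          echo "swift-changed=$(check_pattern '^packages/encryption-binary-swift/')" >> "$GITHUB_OUTPUT"
          echo "rust-changed=$(check_pattern '^packages/encryption-binary-rust/')" >> "$GITHUB_OUTPUT"

  # Each analyze-* job below is gated on the matching output of check-changes
  # and uses the shared CodeQL config. Third-party actions are referenced by
  # major-version tag; pinning them to a full commit SHA would remove the
  # trust placed in a mutable tag.
  analyze-js:
    name: Analyze JavaScript/TypeScript
    needs: check-changes
    if: needs.check-changes.outputs.js-changed == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-config.yml
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: javascript-typescript

  analyze-actions:
    name: Analyze Actions
    needs: check-changes
    if: needs.check-changes.outputs.actions-changed == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: actions
          config-file: ./.github/codeql/codeql-config.yml
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: actions

  analyze-swift:
    name: Analyze Swift
    needs: check-changes
    if: needs.check-changes.outputs.swift-changed == 'true'
    # Swift toolchain is only available on the macOS runners.
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v6
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: swift
          config-file: ./.github/codeql/codeql-config.yml
      # Swift is a compiled language for CodeQL: the build must run after
      # init so the extractor can observe the compilation.
      - name: Build Swift binary
        run: |
          cd packages/encryption-binary-swift/swift
          swift build
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: swift

  analyze-rust:
    name: Analyze Rust
    needs: check-changes
    if: needs.check-changes.outputs.rust-changed == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: rust
          config-file: ./.github/codeql/codeql-config.yml
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: rust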