diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 918e1b95..927376e9 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,96 +1,51 @@ -name: CodeQL ( Swift ) - SAST +name: CodeQL (Swift) - SAST +# Trigger the workflow on pushes and pull requests targeting the `master` branch +# as well as through manual dispatch from the Actions tab. on: - pull_request: + push: branches: - master - push: + pull_request: branches: - master workflow_dispatch: -permissions: - security-events: write - # required to fetch internal or private CodeQL packs - packages: read - actions: read - contents: read - -defaults: - run: - shell: bash - jobs: - code-scanning: - name: Code Scanning - runs-on: macos-15 - timeout-minutes: 30 + analyze: + # The CodeQL analysis will run on macOS with the specified Xcode version. + name: Code Scanning - CodeQL strategy: fail-fast: false - - steps: - - name: Checkout - uses: actions/checkout@v4 - + matrix: + include: + # Only run the CodeQL scan on macOS. You can add additional entries + # here if you need to support other macOS versions or Xcode releases. + - os: macos-15 + xcode_version: 16.2 + runs-on: ${{ matrix.os }} + timeout-minutes: 25 + permissions: + security-events: write + packages: read + actions: read + contents: read + steps: + # Always check out the repository so the CodeQL scan has access to your source code. + - uses: actions/checkout@v3 + + # On macOS runners, set up the requested Xcode version to build Swift code. 
- name: Setup Xcode + if: runner.os == 'macOS' uses: maxim-lobanov/setup-xcode@v1 with: - xcode-version: '16.2' - - - name: Carthage [Setup cache] - uses: actions/cache@v3 - with: - path: Carthage - key: ${{ runner.os }}-carthage-${{ hashFiles('**/Cartfile.resolved') }} - restore-keys: | - ${{ runner.os }}-carthage-${{ hashFiles('**/Cartfile.resolved') }} - - - name: Carthage [Install dependencies] - run: carthage bootstrap - --platform ios - --cache-builds - --use-xcframeworks - --no-use-binaries - - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: swift - build-mode: manual - debug: true - - - name: xcodebuild (default) - run: | - os_version=17.5 - device="iPhone 15 Pro" - destination="platform=iOS Simulator,name=${device},OS=${os_version}" - scheme=HyperwalletUISDK - build_dir=${HOME}/Library/Developer/Xcode/DerivedData/${scheme} - source_packages=${build_dir}/SourcePackages + xcode-version: '${{ matrix.xcode_version }}' - args=( - "-configuration Debug" - "-scheme HyperwalletUISDK" - "-derivedDataPath ${build_dir}" - "-clonedSourcePackagesDirPath ${source_packages}" - "-disableAutomaticPackageResolution" - "-scmProvider system" - "-destination 'generic/platform=iOS Simulator'" - ) - - if [[ -n "HyperwalletUISDK.xcodeproj" ]]; then - t=1 - #args+=("-workspace HyperwalletUISDK.xcodeproj") - fi - - args+=("clean") - args+=("build") - - build_cmd="xcodebuild ${args[*]}" - echo "${build_cmd}" - eval "${build_cmd}" - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + # Invoke the reusable CodeQL workflow. It will initialize CodeQL with the + # specified language (Swift) and perform an autobuild. The timeout for + # scanning can be customized if needed. + - uses: hyperwallet/public-security-workflows/codeql@main with: - category: "/language:swift" \ No newline at end of file + language: swift + build-mode: autobuild + timeout-minutes: 25 \ No newline at end of file 
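Review bot: The new scan step `uses: hyperwallet/public-security-workflows/codeql@main` tracks a mutable branch, so anyone who can push to that repository's `main` controls code that runs here with the job's `security-events: write` token and a full checkout of this repo; pin it to a full-length commit SHA with the version in a trailing comment, e.g. `uses: hyperwallet/public-security-workflows/codeql@<full-commit-sha> # vX.Y`, or at minimum an immutable release tag. The checkout step also moves backwards from `actions/checkout@v4` to `actions/checkout@v3`, which looks unintended and should stay `- uses: actions/checkout@v4`. In the matrix, `xcode_version: 16.2` is an unquoted YAML float that happens to stringify correctly, but `16.10` would become `16.1` and `16.0` would become `16`; write it as `xcode_version: '16.2'`. The comment above the scan step calls it a reusable workflow, yet it is invoked as a step action with `with:` inputs, so I would reword it to `# Invoke the shared CodeQL composite action (init + autobuild + analyze).` and also confirm that `timeout-minutes` is a declared input of that action rather than a silently ignored key. Finally, the Carthage bootstrap (`--no-use-binaries`, cached builds) that the old manual build relied on is gone, so it is worth checking the first run's CodeQL log to confirm `build-mode: autobuild` actually resolves the Carthage dependencies instead of scanning a partial build.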
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 19140c5a..e69cdb12 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,9 +1,8 @@
-name: CodeQL Dependency Review - SCA
+name: Dependency Review
 on:
   pull_request:
-  push:
-  workflow_dispatch:
+    branches: [ master ]
 jobs:
   dependency-review: