hyperwallet · grmeyer-hw-dev · Sep 30, 2025 · Sep 30, 2025 · Sep 30, 2025
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,96 +1,51 @@
-name: CodeQL ( Swift ) - SAST
+name: CodeQL (Swift) - SAST
 
+# Trigger the workflow on pushes and pull requests targeting the `master` branch
+# as well as through manual dispatch from the Actions tab.
 on:
-  pull_request:
+  push:
     branches:
       - master
-  push:
+  pull_request:
     branches:
       - master
   workflow_dispatch:
 
-permissions:
-  security-events: write
-  # required to fetch internal or private CodeQL packs
-  packages: read
-  actions: read
-  contents: read
-
-defaults:
-  run:
-    shell: bash
-
 jobs:
-  code-scanning:
-    name: Code Scanning
-    runs-on: macos-15
-    timeout-minutes: 30
+  analyze:
+    # The CodeQL analysis will run on macOS with the specified Xcode version.
+    name: Code Scanning - CodeQL
     strategy:
       fail-fast: false
-
-    steps:     
-      - name: Checkout
-        uses: actions/checkout@v4
-
+      matrix:
+        include:
+          # Only run the CodeQL scan on macOS.  You can add additional entries
+          # here if you need to support other macOS versions or Xcode releases.
+          - os: macos-15
+            xcode_version: 16.2
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 25
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    steps:
+      # Always check out the repository so the CodeQL scan has access to your source code.
+      - uses: actions/checkout@v3
+
+      # On macOS runners, set up the requested Xcode version to build Swift code.
       - name: Setup Xcode
+        if: runner.os == 'macOS'
         uses: maxim-lobanov/setup-xcode@v1
         with:
-          xcode-version: '16.2'
-
-      - name: Carthage [Setup cache]
-        uses: actions/cache@v3
-        with:
-          path: Carthage
-          key: ${{ runner.os }}-carthage-${{ hashFiles('**/Cartfile.resolved') }}
-          restore-keys: |
-            ${{ runner.os }}-carthage-${{ hashFiles('**/Cartfile.resolved') }}
-
-      - name: Carthage [Install dependencies]
-        run: carthage bootstrap
-          --platform ios
-          --cache-builds
-          --use-xcframeworks
-          --no-use-binaries
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: swift
-          build-mode: manual
-          debug: true
-
-      - name: xcodebuild (default)
-        run: |
-          os_version=17.5
-          device="iPhone 15 Pro"
-          destination="platform=iOS Simulator,name=${device},OS=${os_version}"
-          scheme=HyperwalletUISDK
-          build_dir=${HOME}/Library/Developer/Xcode/DerivedData/${scheme}
-          source_packages=${build_dir}/SourcePackages
+          xcode-version: '${{ matrix.xcode_version }}'
 
-          args=(
-            "-configuration Debug"
-            "-scheme HyperwalletUISDK"
-            "-derivedDataPath ${build_dir}"
-            "-clonedSourcePackagesDirPath ${source_packages}"
-            "-disableAutomaticPackageResolution"
-            "-scmProvider system"
-            "-destination 'generic/platform=iOS Simulator'"            
-          )
-
-          if [[ -n "HyperwalletUISDK.xcodeproj" ]]; then
-            t=1
-            #args+=("-workspace HyperwalletUISDK.xcodeproj")
-          fi
-
-          args+=("clean")
-          args+=("build")
-
-          build_cmd="xcodebuild ${args[*]}"
-          echo "${build_cmd}"
-          eval "${build_cmd}"
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+      # Invoke the reusable CodeQL workflow.  It will initialize CodeQL with the
+      # specified language (Swift) and perform an autobuild.  The timeout for
+      # scanning can be customized if needed.
+      - uses: hyperwallet/public-security-workflows/codeql@main
         with:
-          category: "/language:swift"
+          language: swift
+          build-mode: autobuild
+          timeout-minutes: 25
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -1,9 +1,8 @@
-name: CodeQL Dependency Review - SCA
+name: Dependency Review
 
 on:
   pull_request:
-  push:
-  workflow_dispatch:
+    branches: [ master ]
 
 jobs:
   dependency-review: