From 1cbc567f1c2b8827b9f25fa77c5231b5a412d6b0 Mon Sep 17 00:00:00 2001
From: Eva
Date: Thu, 18 Jun 2026 15:01:16 +0700
Subject: [PATCH] =?UTF-8?q?ci(codeql):=20advanced=20setup=20=E2=80=94=20sc?=
 =?UTF-8?q?ope=20Swift=20autobuild=20to=20macos/**=20+=20weekly?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace GitHub CodeQL default setup (which autobuilds the Swift macOS app on EVERY PR, no path filter — the 20M+ per-PR tax) with committed advanced workflows:

- codeql.yml: python + javascript-typescript + actions on ubuntu, build-free, every PR/push + weekly. Cheap, unchanged coverage.

- codeql-swift.yml: swift on macos-latest, autobuild, scoped to paths: macos/** (+ the workflow itself) + a weekly schedule — so the app still gets periodic security scanning but a pure-Python/QA PR no longer triggers the Swift autobuild.

REQUIRES a one-time repo-owner toggle: Settings -> Code security and analysis -> Code scanning -> CodeQL analysis -> switch Default to Advanced (default + advanced cannot both run; codeql-action/init fails by design until default setup is disabled).
---
 .github/workflows/codeql-swift.yml | 46 ++++++++++++++++++++++++++
 .github/workflows/codeql.yml       | 53 ++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)
 create mode 100644 .github/workflows/codeql-swift.yml
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql-swift.yml b/.github/workflows/codeql-swift.yml
new file mode 100644
index 00000000..e7d1c2e3
--- /dev/null
+++ b/.github/workflows/codeql-swift.yml
@@ -0,0 +1,46 @@
+name: CodeQL Swift
+
+# The EXPENSIVE half of CodeQL: Swift requires autobuilding the macOS app (minutes on a
+# macos-latest runner). Scoped so it runs ONLY when the Swift app actually changes (macos/**)
+# or on a weekly schedule — so the app still gets periodic security scanning even without
+# macos/ churn — but NOT on every pure-Python/QA PR. The non-Swift languages live in codeql.yml.
+#
+# REQUIRED: GitHub default CodeQL setup must be DISABLED (see codeql.yml header) for this to run.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'macos/**'
+      - '.github/workflows/codeql-swift.yml'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'macos/**'
+      - '.github/workflows/codeql-swift.yml'
+  schedule:
+    - cron: '41 3 * * 1' # weekly, Monday 03:41 UTC
+
+jobs:
+  analyze-swift:
+    name: Analyze (swift)
+    runs-on: macos-latest
+    timeout-minutes: 30
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: swift
+          build-mode: autobuild
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:swift"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..8d517263
--- /dev/null
+++ b/.github/workflows/codeql.yml
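Review bot: The `uses: actions/checkout@v4`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` lines pin to mutable major-version tags, which for a job holding `security-events: write` leaves the action body under someone else's control; the usual hardening is a full commit SHA with the tag kept in a comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, with Dependabot's `github-actions` ecosystem keeping the pins current. The identical `uses:` lines in codeql.yml have the same issue. Separately, because `pull_request` carries a `paths:` filter, a PR that does not touch `macos/**` never starts this job, so if "Analyze (swift)" were ever listed as a required status check the PR would block on a check that never reports — a comment next to `paths:` such as `# path-filtered: do not make this job a required status check` would keep that from being discovered the hard way. `macos-latest` is also a floating label, so the weekly scheduled autobuild can start failing when GitHub moves the label to a new macOS/Xcode image with no change in this repository; pinning a specific image version would make such breakage a deliberate upgrade rather than a surprise.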
@@ -0,0 +1,53 @@
+name: CodeQL
+
+# Advanced CodeQL setup (replaces GitHub "default setup"). The non-Swift languages are
+# interpreted / build-free, so they scan cheaply on every PR + push + weekly. Swift — which
+# requires autobuilding the macOS app and is the slow/expensive job — is split out into
+# codeql-swift.yml, scoped to macos/** changes + a weekly schedule, so a pure-Python/QA PR no
+# longer pays the Swift-autobuild tax on every run.
+#
+# REQUIRED ONE-TIME TOGGLE (repo owner): GitHub default CodeQL setup must be DISABLED for these
+# committed workflows to run — Settings -> Code security and analysis -> Code scanning ->
+# "CodeQL analysis" -> switch from "Default" to "Advanced". Until that toggle is flipped,
+# github/codeql-action/init fails by design (default + advanced cannot both run).
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '27 3 * * 1' # weekly, Monday 03:27 UTC
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: python
+            build-mode: none
+          - language: javascript-typescript
+            build-mode: none
+          - language: actions
+            build-mode: none
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
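Review bot: The `analyze` job sets no `timeout-minutes`, while the sibling codeql-swift.yml caps its job at 30; without a cap a hung extractor or a stalled `analyze` step holds an ubuntu runner for the platform's default job limit on every matrix entry. Adding a line such as `timeout-minutes: 60` directly under `runs-on: ubuntu-latest` keeps the two workflows consistent and bounds the cost of a stuck run; 60 rather than 30 because the javascript-typescript extractor is typically the slowest of the three, though the right figure depends on this repository's size. The header comment documents the one-time Default-to-Advanced toggle well; it would be worth one more line noting that the matrix and the Swift workflow together must cover every language the default setup previously scanned, since disabling default setup removes that coverage silently.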