From fbcca7eb1315d4f9f4614f3daa007a9c56b51c96 Mon Sep 17 00:00:00 2001
From: RViktor <120401244+v1k70rk4@users.noreply.github.com>
Date: Wed, 17 Jun 2026 19:54:54 +0200
Subject: [PATCH 1/2] ci: add CodeQL code scanning (csharp)

Add .github/workflows/codeql.yml: CodeQL static analysis of the C# code on push/PR to master and weekly. build-mode: none (no build infra; runs on ubuntu). Actions are SHA-pinned and checkout uses persist-credentials: false, matching the repo hardening. This is the code-level SAST layer; dependencies are already covered by Dependabot + the audit gate.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/codeql.yml | 39 ++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..685b69e
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,39 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+ schedule:
+ - cron: '23 5 * * 1' # weekly, Monday 05:23 UTC
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze (csharp)
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # upload analysis results to the Security tab
+ actions: read
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
+
+ # build-mode: none analyzes the C# sources directly (no build infra needed, runs on ubuntu).
+ # Switch to a built mode on windows-latest later if more precision is wanted.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
+ with:
+ languages: csharp
+ build-mode: none
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
+ with:
+ category: "/language:csharp"
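Review bot: The Initialize CodeQL step runs only the default query suite, and combined with `build-mode: none` (which the comment above the step already notes trades precision for not needing a build) the csharp scan will skip the lower-precision security queries; add `queries: security-extended` under that step's `with:` alongside `build-mode: none` if broader coverage is wanted. The `pull_request` trigger also runs the job for fork PRs, which presumably receive a read-only token, so the analyze step's upload of results likely does not happen for them — worth a one-line comment next to `security-events: write` to set expectations, to be confirmed against the action's documented behaviour. Minor style point: `branches: [ master ]` has spaces inside the brackets, which yamllint's default `brackets` rule flags; `branches: [master]` is the conventional form.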
From c54d361b3c1ab671206106f725f860a39a9d0420 Mon Sep 17 00:00:00 2001
From: RViktor <120401244+v1k70rk4@users.noreply.github.com>
Date: Wed, 17 Jun 2026 20:00:21 +0200
Subject: [PATCH 2/2] ci: bump CodeQL action to v4

CodeQL Action v3 is deprecated (end of life December 2026). Move init/analyze to v4.36.2 (SHA-pinned), so the workflow starts on the current major.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/codeql.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 685b69e..f968bdd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -28,12 +28,12 @@ jobs:
 # build-mode: none analyzes the C# sources directly (no build infra needed, runs on ubuntu).
 # Switch to a built mode on windows-latest later if more precision is wanted.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: csharp
 build-mode: none
 
 - name: Perform CodeQL analysis
- uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 category: "/language:csharp"