Skip to content

chore: add CodeQL workflow + pin actions to commit SHAs#3

Merged
sansware merged 1 commit into
mainfrom
chore/codeql-2026-06-28
Jun 28, 2026
Merged

chore: add CodeQL workflow + pin actions to commit SHAs#3
sansware merged 1 commit into
mainfrom
chore/codeql-2026-06-28

Conversation

@sansware

Copy link
Copy Markdown
Contributor

Summary

  • Adds .github/workflows/codeql.yml running CodeQL static analysis on push, PR, and weekly (Sun 00:00 UTC) against the javascript-typescript language pack.
  • Pins every third-party action invocation in this repo (actions/checkout, actions/setup-node, github/codeql-action/init, github/codeql-action/analyze) to a full commit SHA, with the semver tag in a trailing comment for human readability.
  • Adds a top-level permissions: contents: read to the existing validate workflow as least-privilege baseline.

Why pin to SHA

Pinning to a tag (@v4) gives a supply-chain attacker who compromises the action's tag (or convinces the maintainer to retag) a path into CI with whatever permissions the workflow grants. Pinning to a full commit SHA removes that path — the SHA is immutable.

Pinned SHAs

  • actions/checkout @ 34e114876b0b11c390a56381ad16ebd13914f8d5 (v4)
  • actions/setup-node @ 49933ea5288caeca8642d1e84afbd3f7d6820020 (v4)
  • github/codeql-action/* @ c35d1b164463ee62a100735382aaaa525c5d3496 (codeql-bundle-v2.25.6)

Test plan

  • Validate workflow still passes on this PR (redocly lint + swagger-cli).
  • CodeQL workflow runs on this PR and uploads results to the Security tab.
  • No new high-severity findings introduced.

Adds .github/workflows/codeql.yml running CodeQL static analysis on
push, pull_request, and a weekly schedule (Sun 00:00). Targets the
javascript-typescript language pack since the spec ships with TS
generation tooling.

Pins every third-party action invocation (actions/checkout,
actions/setup-node, github/codeql-action/*) to a full commit SHA with
the corresponding semver tag in a trailing comment. Pinning to SHA
closes the supply-chain hole where a compromised or rewritten tag
could ship malicious code into CI.

Adds a least-privilege top-level `permissions: contents: read` block
to the existing validate workflow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@sansware sansware merged commit 3721761 into main Jun 28, 2026
1 of 2 checks passed
@sansware sansware deleted the chore/codeql-2026-06-28 branch June 28, 2026 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant