chore: add CodeQL workflow + pin actions to commit SHAs#3
Merged
Conversation
Adds .github/workflows/codeql.yml running CodeQL static analysis on push, pull_request, and a weekly schedule (Sun 00:00). Targets the javascript-typescript language pack since the spec ships with TS generation tooling. Pins every third-party action invocation (actions/checkout, actions/setup-node, github/codeql-action/*) to a full commit SHA with the corresponding semver tag in a trailing comment. Pinning to SHA closes the supply-chain hole where a compromised or rewritten tag could ship malicious code into CI. Adds a least-privilege top-level `permissions: contents: read` block to the existing validate workflow. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
.github/workflows/codeql.ymlrunning CodeQL static analysis on push, PR, and weekly (Sun 00:00 UTC) against thejavascript-typescriptlanguage pack.actions/checkout,actions/setup-node,github/codeql-action/init,github/codeql-action/analyze) to a full commit SHA, with the semver tag in a trailing comment for human readability.permissions: contents: readto the existing validate workflow as least-privilege baseline.Why pin to SHA
Pinning to a tag (
@v4) gives a supply-chain attacker who compromises the action's tag (or convinces the maintainer to retag) a path into CI with whatever permissions the workflow grants. Pinning to a full commit SHA removes that path — the SHA is immutable.Pinned SHAs
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5(v4)actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020(v4)github/codeql-action/*@c35d1b164463ee62a100735382aaaa525c5d3496(codeql-bundle-v2.25.6)Test plan