From 1e7527ea8c68459011dc64acc886e474b2ef9a65 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Mon, 26 Aug 2024 10:14:45 +0300 Subject: [PATCH 1/2] enable dependabot to check github-actions updates Signed-off-by: Mikko Ylinen --- .github/dependabot.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..e2999188 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,9 @@ +version: 2 +updates: + # Check updates to action versions in .github/workflows + - package-ecosystem: "github-actions" + directory: "/" + schedule: + # Check for updates to GitHub Actions every week on Saturday + interval: "weekly" + day: "saturday" From 1bde94e31996ec708eeb9c6c4bdb4f762881ec43 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Mon, 26 Aug 2024 10:16:03 +0300 Subject: [PATCH 2/2] workflows: enable CodeQL checks Signed-off-by: Mikko Ylinen --- .github/workflows/lib-codeql.yaml | 35 +++++++++++++++++++++++++++++++ .github/workflows/makefile.yaml | 13 ++++++++++-- 2 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/lib-codeql.yaml diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml new file mode 100644 index 00000000..e6e5f39c --- /dev/null +++ b/.github/workflows/lib-codeql.yaml @@ -0,0 +1,35 @@ +name: "CodeQL" + +on: + workflow_call: + +permissions: + actions: read + contents: read + +jobs: + analyze: + name: Analysis + runs-on: ubuntu-22.04 + timeout-minutes: 360 + + permissions: + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5 + with: + go-version-file: go.mod + check-latest: true + + - name: Initialize CodeQL + uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3 + with: + languages: 'go' + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3 + with: + category: "/language:go" diff --git a/.github/workflows/makefile.yaml b/.github/workflows/makefile.yaml index f084da9b..98f66dbb 100644 --- a/.github/workflows/makefile.yaml +++ b/.github/workflows/makefile.yaml @@ -12,10 +12,10 @@ jobs: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5 with: go-version-file: go.mod check-latest: true @@ -34,3 +34,12 @@ jobs: - name: Build bundle run: make bundle IMG=quay.io/confidential-containers/operator:latest + + codeql: + permissions: + actions: read + contents: read + security-events: write + needs: + - build + uses: "./.github/workflows/lib-codeql.yaml"