ci: add CodeQL workflow for GitHub code scanning - close #18

un-ts · Dec 13, 2023 · de4a29c · de4a29c
1 parent e1c0571
commit de4a29c
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 26 deletions.
diff --git a/.codesandbox/ci.json b/.codesandbox/ci.json
@@ -1,5 +1,4 @@
 {
-  "node": "16",
-  "installCommand": "codesandbox:install",
+  "node": "18",
   "sandboxes": []
 }
diff --git a/.eslintignore b/.eslintignore
@@ -2,6 +2,7 @@ coverage
 dist
 lib
 CHANGELOG.md
+/auto-imports.d.ts
 /pnpm-lock.yaml
 !/.github
 !/.*.cjs
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -35,7 +35,7 @@ jobs:
         run: pnpm i
 
       - name: Build, Lint and Test
-        run: pnpm run-s build lint test
+        run: pnpm run-s build lint
         env:
           EFF_NO_LINK_RULES: true
           PARSER_NO_WATCH: true

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,44 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '18 13 * * 4'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - javascript
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: '/language:${{ matrix.language }}'
diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,4 @@ coverage
 dist
 lib
 node_modules
+/auto-imports.d.ts
diff --git a/auto-imports.d.ts b/auto-imports.d.ts
diff --git a/package.json b/package.json
@@ -31,26 +31,23 @@
     "xml-sanitizer"
   ],
   "scripts": {
-    "build": "run-p build:*",
+    "build": "pnpm test && run-p build:*",
     "build:r": "r -f cjs",
     "build:tsc": "tsc -p src",
-    "codesandbox:install": "yarn",
     "dev": "vitest",
     "docs:build": "w -e docs -p --publicPath /",
     "docs:dev": "w -e docs",
     "lint": "run-p lint:*",
     "lint:es": "eslint . --cache -f friendly --max-warnings 10",
     "lint:style": "stylelint . --cache",
     "lint:tsc": "tsc --noEmit",
-    "postversion": "pnpm i --no-frozen-lockfile",
     "prepare": "simple-git-hooks",
-    "prerelease": "pnpm build",
-    "release": "changeset publish",
+    "release": "pnpm build && changeset publish",
     "serve": "sirv dist -s",
     "test": "vitest run --coverage",
     "typecov": "type-coverage",
     "vercel-build": "pnpm docs:build",
-    "version": "changeset version"
+    "version": "changeset version && pnpm i --no-frozen-lockfile"
   },
   "devDependencies": {
     "@1stg/app-config": "^7.2.1",

diff --git a/vitest.config.ts b/vitest.config.ts
@@ -12,6 +12,7 @@ export default defineConfig({
   ],
   test: {
     coverage: {
+      include: ['src'],
       provider: 'istanbul',
       reporter: ['lcov', 'json', 'text'],
     },
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,3 +5,4 @@ coverage @@
     dist
     lib
     node_modules
+    /auto-imports.d.ts