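---
name: "CodeQL Scan on Web Export"
on: # yamllint disable-line rule:truthy
  # Reusable workflow: it only runs when another workflow calls it
  workflow_call: # yamllint disable rule:empty-values
jobs:
  export-and-scan:
    runs-on: "ubuntu-latest"
    # Upper bound on job runtime so a hung export or scan cannot run indefinitely
    timeout-minutes: 10
    # Least privilege: read-only, except for uploading scan results
    permissions:
      actions: "read"
      contents: "read"
      # Needed to upload SARIF results to code scanning
      security-events: "write"
    strategy:
      fail-fast: false
      matrix:
        # Only JavaScript: the exported web build is what gets scanned
        language: ["javascript"]
    steps:
      - name: "Checkout repository"
        # TODO(review): pin to a full commit SHA like the godot-export step below,
        # so a moved or re-tagged release cannot change what runs here
        uses: "actions/checkout@v6"
        with:
          # Checks out the ref that triggered the calling workflow.
          # NOTE(review): for pull_request-triggered callers github.ref_name is
          # "<N>/merge", which may not resolve as a branch — confirm callers are
          # push-triggered, or drop this input to use checkout's default ref
          ref: ${{ github.ref_name }}
          fetch-depth: 0
          # Keep the job token out of the checked-out .git config so later steps cannot reuse it
          persist-credentials: false
      - name: "Create Export Directories"
        run: |
          mkdir -p export/web
      - name: "Export Godot to Web"
        id: "export"
        # yamllint disable rule:line-length
        uses: "firebelley/godot-export@930577654862a320eef793f399ee911b4479efb9" # Pinned to SHA for security (was @v6.0.0)
        with:
          godot_executable_download_url: "https://github.com/godotengine/godot-builds/releases/download/4.5-stable/Godot_v4.5-stable_linux.x86_64.zip" # Godot 4.5-stable
          godot_export_templates_download_url: "https://github.com/godotengine/godot-builds/releases/download/4.5-stable/Godot_v4.5-stable_export_templates.tpz" # Godot 4.5-stable
          relative_project_path: "./" # Project root
          relative_export_path: "./export/web" # Output folder
          archive_output: false # No zip: leave the export unpacked so the later steps can flatten, patch and scan the files
          verbose: true
          cache: true # Cache the Godot executable and templates between runs
          presets_to_export: "Web"
          use_preset_export_path: true # Move exports to the directory defined in export_presets.cfg
      - name: "Flatten Export Directory"
        run: |
          bash ./.github/scripts/flatten_export.sh "export/web" "Web"
      - name: "List files in export/web (for visibility)"
        run: |
          echo "Files to be scanned in export:"
          ls -R export || echo "No files found—check if folder exists!"
          echo "Files to be scanned in export/web:"
          ls -R export/web || echo "No files found—check if folder exists!"
      - name: "Patch index.js for security"
        run: |
          bash ./.github/scripts/patch_index_js.sh "export/web"
      - name: "Initialize CodeQL"
        # TODO(review): pin the three codeql-action steps to a full commit SHA as well
        uses: "github/codeql-action/init@v4.32.4"
        with:
          # yamllint disable rule:quoted-strings
          languages: ${{ matrix.language }}
          # The path filter for the scan lives in this config file
          config-file: ".github/codeql-config.yml"
          # Cache dependency downloads (little effect for this export; kept for completeness)
          dependency-caching: "true"
          # Set to "true" for more detailed logs and debug artifacts
          debug: "false"
      - name: "Autobuild (optional for JS but included for completeness)"
        uses: "github/codeql-action/autobuild@v4.32.4"
      - name: "Perform CodeQL Analysis"
        uses: "github/codeql-action/analyze@v4.32.4"
      - name: "Post-scan summary (optional)"
        if: "always()" # Run even if previous steps fail
        # yamllint disable rule:line-length
        # NOTE(review): the analyze step writes its SARIF outside the workspace unless
        # its `output` input says otherwise, so this find may never match — confirm
        run: |
          if [ -n "$(find . -name '*.sarif')" ]; then
            echo "Scan complete—check Security > Code scanning for results or download artifacts for debug info."
          else
            echo "Scan complete—no supported files or issues found. No results uploaded."
          fi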