diff --git a/.github/actions/setup-codeql-environment/action.yml b/.github/actions/setup-codeql-environment/action.yml
index 126229e..0a65b3a 100644
--- a/.github/actions/setup-codeql-environment/action.yml
+++ b/.github/actions/setup-codeql-environment/action.yml
@@ -101,7 +101,7 @@ runs:
 - name: Cache QLT and CodeQL packages
 id: cache-codeql
 if: inputs.install-codeql == 'true'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 ~/.qlt/packages
@@ -112,7 +112,7 @@ runs:
 - name: Install QLT (CodeQL Development Toolkit)
 id: install-qlt
- uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
+ uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@da8bc39fd7dc759c8a528b7c2e7534675c06c62c # main
 with:
 qlt-version: "latest"
 add-to-path: true
@@ -425,7 +425,7 @@ runs:
 # Language-specific setup steps with enhanced caching (only if language runtimes installation is enabled)
 - name: Setup Node.js
 if: inputs.install-language-runtimes == 'true'
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 cache: "npm"
 cache-dependency-path: "package-lock.json"
@@ -435,7 +435,7 @@ runs:
 - name: Cache language runtimes
 id: cache-runtimes
 if: inputs.install-language-runtimes == 'true'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 ~/go/pkg/mod
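Review bot: The trailing comment on the new `uses:` line records a floating major tag (`# v4`), which the upstream repository moves on every release, so a later reader cannot tell which release this SHA was resolved from or re-verify the SHA against an immutable tag once `v4` has moved on. Record the exact release tag the SHA was resolved from instead, e.g. `uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.<exact-release>` (placeholder; substitute the tag `git ls-remote` reported). The same applies to every other pin in this commit that carries a major-only comment: the setup-node, second cache, setup-python, setup-java, setup-go, setup-dotnet, setup-ruby and remaining cache hunks in this file, and the checkout, upload-artifact, download-artifact and setup-node pins in the workflow files. If the repository has no Dependabot or Renovate configuration for `github-actions` (none is visible in this diff), these SHAs will also silently fall behind security releases; consider adding one so the pins are bumped with a reviewable PR.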
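Review bot: The install-qlt pin is commented `# main`, which names a branch rather than a release, so the comment carries no version identity and will be misleading as soon as `main` advances past `da8bc39fd7dc759c8a528b7c2e7534675c06c62c`. If the toolkit publishes release tags, pin to one and record it; otherwise record when the branch head was captured, e.g. `# main as of <YYYY-MM-DD>` (placeholder). Since this is a composite action from another repository, pinning its SHA does not pin the actions that its own `action.yml` references internally, so it is worth confirming that the pinned commit pins its transitive `uses:` references too.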
@@ -449,20 +449,20 @@ runs:
 - name: Setup Python (with cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'python') && steps.check-deps.outputs.python-deps == 'true'
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ inputs.python-version }}
 cache: "pip"
 - name: Setup Python (without cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'python') && steps.check-deps.outputs.python-deps == 'false'
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ inputs.python-version }}
 - name: Setup Java (with cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'java') && steps.check-deps.outputs.java-deps == 'true'
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: "temurin"
 java-version: ${{ inputs.java-version }}
@@ -470,21 +470,21 @@ runs:
 - name: Setup Java (without cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'java') && steps.check-deps.outputs.java-deps == 'false'
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: "temurin"
 java-version: ${{ inputs.java-version }}
 - name: Setup Go (with cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'go') && steps.check-deps.outputs.go-deps == 'true'
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: ${{ inputs.go-version }}
 cache: true
 - name: Setup Go (without cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'go') && steps.check-deps.outputs.go-deps == 'false'
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: ${{ inputs.go-version }}
 cache: false
@@ -493,7 +493,7 @@ runs:
 - name: Cache .NET packages
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'csharp')
 id: cache-dotnet-packages
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 ~/.nuget/packages
@@ -505,20 +505,20 @@ runs:
 - name: Setup .NET (for C#)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'csharp')
- uses: actions/setup-dotnet@v5
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5
 with:
 dotnet-version: ${{ inputs.dotnet-version }}
 - name: Setup Ruby (with cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'ruby') && steps.check-deps.outputs.ruby-deps == 'true'
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1
 with:
 ruby-version: ${{ inputs.ruby-version }}
 bundler-cache: true
 - name: Setup Ruby (without cache)
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'ruby') && steps.check-deps.outputs.ruby-deps == 'false'
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@0cb964fd540e0a24c900370abf38a33466142735 # v1
 with:
 ruby-version: ${{ inputs.ruby-version }}
 bundler-cache: false
@@ -527,7 +527,7 @@ runs:
 - name: Cache C++ build tools
 if: inputs.install-language-runtimes == 'true' && contains(inputs.languages, 'cpp')
 id: cache-cpp-tools
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 ~/.ccache
diff --git a/.github/instructions/github_workflows_yaml.instructions.md b/.github/instructions/github_workflows_yaml.instructions.md
new file mode 100644
index 0000000..eb53249
--- /dev/null
+++ b/.github/instructions/github_workflows_yaml.instructions.md
@@ -0,0 +1,35 @@
+---
+applyTo: '.github/{actions,workflows}/**/*.{yml,yaml}'
+description: 'Instructions for editing GitHub Actions workflows for this repository.'
+---
+
+# Copilot Instructions for `.github/{actions,workflows}/**/*.{yml,yaml}` files
+
+## PURPOSE
+
+This file contains instructions for working with GitHub Actions YAML files in the `.github/actions/` and `.github/workflows/` directories of the `codeql-development-template` repository.
+
+## REQUIREMENTS
+
+- **ALWAYS pin ALL external GitHub Actions to full-length commit SHAs, never to tags or branch names — including GitHub-maintained `actions/*` actions.** Add a trailing comment with the original tag for readability (e.g., `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`). To resolve a tag to its underlying commit SHA (handling annotated tags correctly), run `git ls-remote https://github.com/OWNER/REPO.git refs/tags/TAG^{}`; for branch-based refs, use `refs/heads/BRANCH`.
+- ALWAYS use the principle of least privilege, and explicitly set `permissions` for workflows.
+- ALWAYS use valid YAML syntax and follow GitHub Actions workflow conventions.
+- ALWAYS follow best practices for GitHub Actions workflows including security, efficiency, and maintainability.
+- ALWAYS use descriptive names for workflows, jobs, and steps that clearly explain their purpose.
+- ALWAYS check formatting with `npm run lint && npm run format:check` from the repo root directory to ensure consistent formatting after making changes.
+- ALWAYS fix linting and formatting errors by running `npm run lint:fix && npm run format` from the repo root directory before committing changes.
+
+## PREFERENCES
+
+- PREFER explicit permissions declarations using the `permissions` key for security.
+- PREFER descriptive step names that include the workflow context (e.g., "Lint and Format - Checkout repository").
+- PREFER matrix strategies for testing multiple versions when applicable.
+- PREFER adding summary outputs using `$GITHUB_STEP_SUMMARY` for better workflow visibility.
+
+## CONSTRAINTS
+
+- **NEVER reference an external GitHub Action by tag or branch name (e.g., `@v6`, `@main`). ALWAYS use the full 40-character commit SHA with a `# tag` comment.**
+- NEVER use overly broad permissions.
+- NEVER leave any trailing whitespace on any line.
+- NEVER use deprecated GitHub Actions or workflow syntax.
+- NEVER commit workflow files without running the formatting checks first.
diff --git a/.github/workflows/codeql-qlt-unit-tests.yml b/.github/workflows/codeql-qlt-unit-tests.yml
index 9879c8b..85ea471 100644
--- a/.github/workflows/codeql-qlt-unit-tests.yml
+++ b/.github/workflows/codeql-qlt-unit-tests.yml
@@ -30,7 +30,7 @@ jobs:
 has_languages: ${{ steps.find-languages.outputs.has_languages }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Setup CodeQL environment for discovering unit tests
 uses: ./.github/actions/setup-codeql-environment
@@ -102,7 +102,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Setup CodeQL environment for executing `qlt` unit tests
 uses: ./.github/actions/setup-codeql-environment
@@ -153,7 +153,7 @@ jobs:
 - name: Upload test results
 # Upload results even if tests failed, but only if the language is valid
 if: ${{ always() && matrix.language && matrix.language != 'unknown' }}
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: qlt-test-results-${{ matrix.language }}-${{ runner.os }}
 path: |
@@ -167,7 +167,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Setup CodeQL environment for validating `qlt` unit tests
 uses: ./.github/actions/setup-codeql-environment
@@ -177,7 +177,7 @@ jobs:
 install-ql-packs: false
 - name: Download CodeQL unit test results
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 pattern: qlt-test-results-*
 path: test-results/
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index beff13b..8602fba 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -29,7 +29,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Copilot Setup - Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Copilot Setup - Setup CodeQL environment
 uses: ./.github/actions/setup-codeql-environment
diff --git a/.github/workflows/lint-and-format.yml b/.github/workflows/lint-and-format.yml
index df8efbd..df21ed0 100644
--- a/.github/workflows/lint-and-format.yml
+++ b/.github/workflows/lint-and-format.yml
@@ -35,10 +35,10 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 cache: "npm"
 node-version-file: "package.json"
diff --git a/languages/qlt.conf.json b/languages/qlt.conf.json
index 442c18d..5a806a5 100644
--- a/languages/qlt.conf.json
+++ b/languages/qlt.conf.json
@@ -1,5 +1,5 @@
 {
- "CodeQLCLI": "2.23.5",
- "CodeQLStandardLibrary": "codeql-cli/v2.23.5",
- "CodeQLCLIBundle": "codeql-bundle-v2.23.5"
+ "CodeQLCLI": "2.25.2",
+ "CodeQLStandardLibrary": "codeql-cli/v2.25.2",
+ "CodeQLCLIBundle": "codeql-bundle-v2.25.2"
 }
diff --git a/qlt.conf.json b/qlt.conf.json
index 442c18d..5a806a5 100644
--- a/qlt.conf.json
+++ b/qlt.conf.json
@@ -1,5 +1,5 @@
 {
- "CodeQLCLI": "2.23.5",
- "CodeQLStandardLibrary": "codeql-cli/v2.23.5",
- "CodeQLCLIBundle": "codeql-bundle-v2.23.5"
+ "CodeQLCLI": "2.25.2",
+ "CodeQLStandardLibrary": "codeql-cli/v2.25.2",
+ "CodeQLCLIBundle": "codeql-bundle-v2.25.2"
 }