Skip to content

fix: resolve macOS E2E failures #2749

fix: resolve macOS E2E failures

fix: resolve macOS E2E failures #2749

Workflow file for this run

name: Security Code Scan
on:
push:
branches: [ main, develop, v3-beta ]
paths:
- 'Packages/src/**/*.cs'
- 'Assets/**/*.cs'
- 'cli/**/*.go'
- 'cli/.golangci.yml'
- 'cli/.go-version'
- '**/go.mod'
- '**/go.sum'
- 'cli/release-automation/**'
- '.github/workflows/**'
- 'scripts/**'
- 'cli/dispatcher/attestation/trusted_root.json'
- 'Packages/src/project-runner-pin.json'
- '.uloop/project-runner-pin.json'
pull_request:
branches: [ main, v3-beta ]
paths:
- 'Packages/src/**/*.cs'
- 'Assets/**/*.cs'
- 'cli/**/*.go'
- 'cli/.golangci.yml'
- 'cli/.go-version'
- '**/go.mod'
- '**/go.sum'
- 'cli/release-automation/**'
- '.github/workflows/**'
- 'scripts/**'
- 'cli/dispatcher/attestation/trusted_root.json'
- 'Packages/src/project-runner-pin.json'
- '.uloop/project-runner-pin.json'
workflow_dispatch:
jobs:
security-scan:
name: C# Security Analysis
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: Setup Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
with:
go-version-file: cli/.go-version
cache: false
- name: Initialize CodeQL C# analysis
uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
languages: csharp
build-mode: none
tools: linked
queries: +security-extended
config: |
paths:
- Packages/src
- Assets/Tests
- name: Analyze C# security code with CodeQL
uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
category: codeql-csharp-security
output: ${{ runner.temp }}/codeql-results
upload: never
- name: Validate CodeQL SARIF
working-directory: cli/release-automation
run: go run ./cmd/check-codeql-sarif --sarif "${{ runner.temp }}/codeql-results/csharp.sarif"
- name: Upload verified CodeQL SARIF
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
sarif_file: ${{ runner.temp }}/codeql-results/csharp.sarif
category: codeql-csharp-security
- name: Explain fork pull request SARIF upload policy
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork
run: echo "CodeQL SARIF upload is skipped for fork pull requests because their token has no security-events write permission."
go-security:
name: Go CLI Security Analysis
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: Setup Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
with:
go-version-file: cli/.go-version
cache: false
- name: Install golangci-lint
run: |
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.0
echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
- name: Check Go CLI
run: scripts/check-go-cli.sh
- name: Install govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
- name: Run govulncheck
run: |
for module_dir in cli/common cli/dispatcher cli/project-runner cli/release-automation; do
(cd "$module_dir" && govulncheck ./...)
done