From 46422c5e2100b7febbc01e063f309d0305883f88 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Tue, 30 Sep 2025 08:18:21 +0530
Subject: [PATCH 1/5] [DTECSCSAO-5489]Apply the GHAS standards

---
 .github/{ => workflows}/codeql.yml            | 6 +++++-
 .github/{ => workflows}/dependency-review.yml | 5 ++---
 2 files changed, 7 insertions(+), 4 deletions(-)
 rename .github/{ => workflows}/codeql.yml (89%)
 rename .github/{ => workflows}/dependency-review.yml (68%)

diff --git a/.github/codeql.yml b/.github/workflows/codeql.yml
similarity index 89%
rename from .github/codeql.yml
rename to .github/workflows/codeql.yml
index 64b07c7..5483a88 100644
--- a/.github/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,8 +1,12 @@
 name: CodeQL (Swift) - SAST
 
 on:
-  pull_request:
   push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
   workflow_dispatch:
 
 jobs:
diff --git a/.github/dependency-review.yml b/.github/workflows/dependency-review.yml
similarity index 68%
rename from .github/dependency-review.yml
rename to .github/workflows/dependency-review.yml
index 19140c5..e69cdb1 100644
--- a/.github/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,9 +1,8 @@
-name: CodeQL Dependency Review - SCA
+name: Dependency Review
 
 on:
   pull_request:
-  push:
-  workflow_dispatch:
+    branches: [ master ]
 
 jobs:
   dependency-review:

From 313c1384d529ce9aa2431fa91d9722041a6261b9 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Tue, 30 Sep 2025 08:31:41 +0530
Subject: [PATCH 2/5] [DTECSCSAO-5489]Apply the GHAS standards

---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5483a88..80b7ed2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
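Review bot: The rewritten `on:` block in codeql.yml runs CodeQL only for pushes and pull requests to `master` plus manual dispatch, so code that no PR touches is never re-analysed when the CodeQL query packs are updated; GHAS code-scanning setups normally add a periodic run alongside these, e.g. `schedule:` / `  - cron: '0 3 * * 1'`. Only `master` is listed, so confirm that no `main` or release branch also needs coverage. The `jobs:` section follows the hunk and is not reviewed here.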
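Review bot: In dependency-review.yml the new branch filter is written in flow style, `branches: [ master ]`, while the codeql.yml hunk in the same patch writes the identical list in block style (`branches:` / `- master`); pick one form for both workflows so the two branch filters read the same when they are next edited together. Dropping `push:` and `workflow_dispatch:` is consistent with dependency review being a pull-request-only check, but the job body and the action it calls are below the hunk, so that cannot be confirmed here.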
@@ -25,6 +25,6 @@ jobs:
       - uses: hyperwallet/public-security-workflows/codeql@main
         with:
           language: swift
-          build-mode: 'manual'
+          build-mode: 'none'
         timeout-minutes: 25
 

From 151cf801ea4da5fa1919303cae4daeb9b65a6b65 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Tue, 30 Sep 2025 08:52:39 +0530
Subject: [PATCH 3/5] [DTECSCSAO-5489]Apply the GHAS standards

---
 .github/workflows/codeql.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 80b7ed2..f06c13a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -25,6 +25,5 @@ jobs:
       - uses: hyperwallet/public-security-workflows/codeql@main
         with:
           language: swift
-          build-mode: 'none'
-        timeout-minutes: 25
-
+          build-mode: autobuild
+        timeout-minutes: 25
\ No newline at end of file

From bc593bf4c139b391ecd6655b52cff653ca265070 Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Tue, 30 Sep 2025 09:43:07 +0530
Subject: [PATCH 4/5] [DTECSCSAO-5489]Apply the GHAS standards

---
 .github/workflows/codeql.yml | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f06c13a..0e72412 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,5 +1,7 @@
 name: CodeQL (Swift) - SAST
 
+# Trigger the workflow on pushes and pull requests targeting the `master` branch
+# as well as through manual dispatch from the Actions tab.
 on:
   push:
     branches:
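Review bot: In the PATCH 3/5 hunk, the rewritten `build-mode: autobuild` and `timeout-minutes: 25` lines are followed by `\ No newline at end of file`, so this patch drops the file's trailing newline; restore it so yamllint's new-line-at-end-of-file check passes and the next edit to the last line does not show up as a spurious change. The enclosing job starts above the hunk, and the set of `build-mode` values the reusable hyperwallet action accepts cannot be confirmed from here.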
@@ -11,17 +13,37 @@ on:
 
 jobs:
   analyze:
+    # The CodeQL analysis will run on both Linux and macOS to ensure broad
+    # coverage. On macOS we also specify an Xcode version for Swift builds.
     name: Code Scanning - CodeQL
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+          - os: macos-15
+            xcode_version: 16.2
+    runs-on: ${{ matrix.os }}
     timeout-minutes: 25
     permissions:
       security-events: write
       packages: read
       actions: read
       contents: read
-    strategy:
-      fail-fast: false
     steps:
+      # Always check out the repository so the CodeQL scan has access to your source code.
+      - uses: actions/checkout@v3
+
+      # On macOS runners, set up the requested Xcode version to build Swift code.
+      - name: Setup Xcode
+        if: runner.os == 'macOS'
+        uses: maxim-lobanov/setup-xcode@v1
+        with:
+          xcode-version: '${{ matrix.xcode_version }}'
+
+      # Invoke the reusable CodeQL workflow. It will initialize CodeQL with the
+      # specified language (Swift) and perform an autobuild. The timeout for
+      # scanning can be customized if needed.
       - uses: hyperwallet/public-security-workflows/codeql@main
         with:
           language: swift

From 4a46656d3d741ef467bdea780b3bc46275d22fff Mon Sep 17 00:00:00 2001
From: sekhara-madduru <123759301+sekhara-madduru@users.noreply.github.com>
Date: Tue, 30 Sep 2025 09:46:09 +0530
Subject: [PATCH 5/5] [DTECSCSAO-5489]Apply the GHAS standards

---
 .github/workflows/codeql.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0e72412..927376e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
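Review bot: The two actions added under `steps:`, `actions/checkout@v3` and `maxim-lobanov/setup-xcode@v1`, are pulled by mutable tags, so whoever can move those tags controls code that runs in a job holding `security-events: write`; pin each to a full-length commit SHA with the version in a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v4`), noting that v3 is an older checkout major and that `@main` on the hyperwallet action is likewise mutable, although that line is pre-existing context. Since the scan only needs to read source, the checkout step can also stop persisting the job token into `.git/config` with `with:` / `persist-credentials: false`. `xcode_version: 16.2` is an unquoted plain scalar and is parsed as a float — harmless for 16.2, but a value such as 16.10 would silently become 16.1 — so quote it as `xcode_version: '16.2'`. The job continues below the hunk, so the remaining inputs to the CodeQL step are not visible here.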
@@ -13,14 +13,14 @@ on:
 
 jobs:
   analyze:
-    # The CodeQL analysis will run on both Linux and macOS to ensure broad
-    # coverage. On macOS we also specify an Xcode version for Swift builds.
+    # The CodeQL analysis will run on macOS with the specified Xcode version.
     name: Code Scanning - CodeQL
     strategy:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
+          # Only run the CodeQL scan on macOS. You can add additional entries
+          # here if you need to support other macOS versions or Xcode releases.
           - os: macos-15
             xcode_version: 16.2
     runs-on: ${{ matrix.os }}
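Review bot: The new comment above `- os: macos-15` records that the scan now runs only on macOS but not why `ubuntu-latest` was removed from the matrix, which is what the next maintainer needs before re-adding a Linux leg; suggest replacing the second comment line with `# Linux leg removed: <reason>` and filling in the actual reason. With a single matrix entry, the `runner.os == 'macOS'` guard on the Setup Xcode step (outside this hunk) is always true, so either remove it or keep it deliberately as a hint for future entries. The job's `steps:` follow the hunk and are not reviewed here.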