updated

Author: alexbritodev

.github/codeql/codeql-config.yml

@@ -0,0 +1,15 @@
+name: tailwind-css-forge-codeql
+
+paths:
+  - backend
+  - desktop
+  - frontend
+  - scripts
+
+paths-ignore:
+  - backend/.venv/**
+  - build/**
+  - desktop/src-tauri/target/**
+  - desktop/src-tauri/vendor/**
+  - frontend/node_modules/**
+  - runtime/**

.github/workflows/codeql.yml

@@ -0,0 +1,47 @@
+name: codeql
+
+on:
+  push:
+    branches: ["main", "master"]
+  pull_request:
+    branches: ["main", "master"]
+  schedule:
+    - cron: "24 4 * * 1"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: python
+            build-mode: none
+          - language: javascript-typescript
+            build-mode: none
+          - language: rust
+            build-mode: autobuild
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Autobuild
+        if: matrix.build-mode == 'autobuild'
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3

scripts/validate_installer_bundle.py

@@ -15,17 +15,17 @@ def main() -> int:
     args = parse_args()
     bundle_dir = args.bundle.resolve()
     validate_bundle(bundle_dir)
-    print(f"Bundle válido: {bundle_dir}")
+    print(f"Bundle valid: {bundle_dir}")
     return 0
 
 
 def parse_args() -> Namespace:
-    parser = ArgumentParser(description="Valida o bundle installer-ready do Tailwind CSS Forge.")
+    parser = ArgumentParser(description="Validates the installer-ready bundle of Tailwind CSS Forge.")
     parser.add_argument(
         "--bundle",
         type=Path,
         default=DEFAULT_BUNDLE,
-        help="Diretório do bundle staged para validar.",
+        help="Directory of the staged bundle to validate.",
     )
     return parser.parse_args()
 
@@ -54,14 +54,14 @@ def validate_bundle(bundle_dir: Path) -> None:
     missing = [str(path) for path in required_files if not path.exists()]
     if missing:
         missing_list = "\n".join(f"- {path}" for path in missing)
-        raise SystemExit(f"Bundle incompleto. Arquivos ausentes:\n{missing_list}")
+        raise SystemExit(f"Incomplete bundle. Missing files:\n{missing_list}")
 
     manifest = json.loads((bundle_dir / "installer-manifest.json").read_text(encoding="utf-8"))
     metadata = json.loads((bundle_dir / "forge-product.json").read_text(encoding="utf-8"))
     if manifest.get("app_name") != "Tailwind CSS Forge":
-        raise SystemExit("Manifesto inválido: app_name incorreto.")
+        raise SystemExit("Invalid manifest: incorrect app_name.")
     if manifest.get("version") != metadata.get("version"):
-        raise SystemExit("Manifesto inválido: versão divergente do metadata do produto.")
+        raise SystemExit("Invalid manifest: version mismatch with product metadata.")
 
     forbidden_paths = [
         bundle_dir / "app" / "backend" / "tests",
@@ -73,7 +73,8 @@ def validate_bundle(bundle_dir: Path) -> None:
     ]
     forbidden_found = [str(path) for path in forbidden_paths if path.exists()]
     if forbidden_found:
-        raise SystemExit(f"Bundle contém conteúdo indevido: {forbidden_found}")
+        forbidden_list = "\n".join(f"- {path}" for path in forbidden_found)
+        raise SystemExit(f"Bundle contains unexpected content:\n{forbidden_list}")
 
     _validate_launcher_self_check(bundle_dir)
 
@@ -95,15 +96,15 @@ def _validate_launcher_self_check(bundle_dir: Path) -> None:
     )
     if completed.returncode != 0:
         raise SystemExit(
-            "Launcher self-check falhou: "
+            "Launcher self-check failed: "
             f"{completed.stderr.strip() or completed.stdout.strip()}",
         )
 
     report = json.loads(completed.stdout)
     if not report.get("installed_layout"):
-        raise SystemExit("Launcher self-check inválido: o bundle staged não foi reconhecido como layout instalado.")
+        raise SystemExit("Invalid launcher self-check: staged bundle was not recognized as an installed layout.")
     if not report.get("ready"):
-        raise SystemExit("Launcher self-check inválido: o bundle staged não foi marcado como pronto.")
+        raise SystemExit("Invalid launcher self-check: staged bundle was not marked as ready.")
 
 
 if __name__ == "__main__":