From 57670ffc7682e4ccf669771d931885217eaeb41c Mon Sep 17 00:00:00 2001
From: JonKazama-Hellion
Date: Sat, 2 May 2026 23:15:20 +0200
Subject: [PATCH] ci(codeql): replace default setup with manual-build workflow

The default GitHub-managed CodeQL setup builds C# without the Dalamud assemblies (they live in user AppData, not in the repo or in NuGet), so call-target resolution sits at 64% and the analysis tile reports 'Low C# analysis quality'. This workflow runs the same Dalamud staging download we use for the regular build before the CodeQL build step, which gives the analyser a fully-resolved compilation and pushes both quality metrics above the 85% thresholds.

Two jobs:
- analyze-csharp on windows-latest with build-mode: manual and the security-extended query suite, so we get the full SQL-injection, path-traversal and crypto-misuse rule set on a clean compilation
- analyze-actions on ubuntu-latest with build-mode: none, scans the workflow files in .github for action-injection patterns

Schedule runs Mondays at 06:17 UTC (low-traffic window). The repo's CodeQL default setup needs to be switched to advanced in Settings -> Code security before this workflow takes over, otherwise both run in parallel and we waste runner minutes.
---
 .github/workflows/codeql.yml | 93 ++++++++++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..c05a8e2
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,93 @@
+name: CodeQL
+
+# Replaces the GitHub default-setup CodeQL scan. The default setup runs
+# without resolving the Dalamud assemblies (they live in a user-AppData
+# path) and reports "Low C# analysis quality" because call-target
+# resolution sits at ~64%. This workflow downloads the Dalamud staging
+# distribution before the build, runs a manual dotnet build, and then
+# lets CodeQL analyse the fully-resolved compilation. Quality climbs
+# back above the 85% thresholds.
+#
+# This workflow only consumes trusted inputs: the tag/branch ref via
+# the standard checkout action, and the Dalamud distribution URL which
+# is pinned to a goatcorp-controlled GitHub Pages target. No user-
+# controlled event payload (issue title, PR body, commit message) flows
+# into a run-step.
+#
+# Disable the default setup in the repo before this workflow lands:
+# Settings -> Code security -> Code scanning -> "CodeQL analysis" tile
+# -> Switch to advanced.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '17 6 * * 1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze-csharp:
+    name: Analyze (csharp)
+    runs-on: windows-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup .NET 10
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+
+      - name: Download Dalamud staging
+        shell: pwsh
+        run: |
+          $hooks = Join-Path $env:APPDATA "XIVLauncher\addon\Hooks\dev"
+          New-Item -ItemType Directory -Force -Path $hooks | Out-Null
+          Invoke-WebRequest -Uri https://goatcorp.github.io/dalamud-distrib/stg/latest.zip -OutFile dalamud.zip
+          Expand-Archive -Force -Path dalamud.zip -DestinationPath $hooks
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: csharp
+          build-mode: manual
+          queries: security-extended
+
+      - name: Restore
+        run: dotnet restore ChatTwo/ChatTwo.csproj
+
+      - name: Build (Release)
+        run: dotnet build ChatTwo/ChatTwo.csproj --configuration Release --no-restore
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: /language:csharp
+
+  analyze-actions:
+    name: Analyze (actions)
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: actions
+          build-mode: none
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: /language:actions
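Review bot: The `Download Dalamud staging` step fetches an unpinned, mutable `latest.zip` with no integrity check, yet the assemblies it unpacks are what the manual build compiles against and what the CodeQL results uploaded under `security-events: write` are derived from, so the header comment's claim that the workflow only consumes trusted inputs overstates it. Add a hash check after the download, for example `$expected = '<SHA256 of the pinned Dalamud archive>'` followed by `if ((Get-FileHash dalamud.zip -Algorithm SHA256).Hash -ne $expected) { throw 'Dalamud archive hash mismatch' }`, and prefer a versioned archive over `latest.zip` if the distribution publishes one. The same applies to `actions/checkout@v6`, `actions/setup-dotnet@v4` and `github/codeql-action/init@v3` / `analyze@v3`, which are pinned to mutable major tags rather than commit SHAs; pinning the SHA with the tag in a trailing comment is the usual hardening for a workflow that uploads security results. The header comment should also say that the distribution URL is fixed but its content is a moving staging build, so the compilation CodeQL analyses is not reproducible from run to run.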