diff --git a/.github/codeql/codeql-config.yaml b/.github/codeql/codeql-config.yaml index 9e1591a..c1f56eb 100644 --- a/.github/codeql/codeql-config.yaml +++ b/.github/codeql/codeql-config.yaml @@ -1,7 +1,7 @@ # Copyright 2026 BitWise Media Group Ltd # SPDX-License-Identifier: MIT -# CodeQL analysis configuration for this repo's own self-codeql.yaml run. +# CodeQL analysis configuration for this repo's own self-security.yaml run. # # Security only: the security-extended suite runs the security queries (a # superset of the default) without the maintainability/reliability "quality" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3dffaae..c964d1c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -19,7 +19,7 @@ # # Runs via workflow_call from a thin caller (examples/ci.yaml) that owns the # push/pull_request triggers. -name: Continuous integration +name: Reusable Continuous Integration on: workflow_call: diff --git a/.github/workflows/dependabot-merge.yaml b/.github/workflows/dependabot-merge.yaml index 78b6061..46831db 100644 --- a/.github/workflows/dependabot-merge.yaml +++ b/.github/workflows/dependabot-merge.yaml @@ -37,7 +37,7 @@ # review decision to APPROVED) — the same assumption as the `/merge` flow. See # README.md for the one-time org setup (App, ruleset bypass, org var/secret); it # is the same "FF Merge" App as merge.yaml. -name: Dependabot auto-merge +name: Reusable Dependabot Auto-Merge on: workflow_call: 
@@ -122,11 +122,13 @@ jobs:
 with:
 client-id: ${{ inputs.app-client-id }}
 private-key: ${{ secrets.app-private-key }}
- # ff-merge moves the ref (contents) and reads the PR (pull-requests);
- # the approval (minor/patch only) is the authorization gate, not
+ # ff-merge moves the ref (contents) and reads the PR (pull-requests), and
+ # needs workflows to move a ref whose commits touch .github/workflows/
+ # files; the approval (minor/patch only) is the authorization gate, not
 # maintainer-only, so no administration scope is needed.
 permission-contents: write
 permission-pull-requests: write
+ permission-workflows: write

 - name: Resolve the open Dependabot PR for this branch
 id: pr
diff --git a/.github/workflows/merge-notice.yaml b/.github/workflows/merge-notice.yaml
index eb13d60..2c7a301 100644
--- a/.github/workflows/merge-notice.yaml
+++ b/.github/workflows/merge-notice.yaml
@@ -14,7 +14,7 @@
 # run's GITHUB_TOKEN, scoped to pull-requests:write. No App token or secret is
 # needed — posting a comment is not a privileged operation.

-name: Fast-forward merge notice
+name: Reusable Merge Notice

 on:
 workflow_call:
diff --git a/.github/workflows/merge.yaml b/.github/workflows/merge.yaml
index 50a8efa..a790b16 100644
--- a/.github/workflows/merge.yaml
+++ b/.github/workflows/merge.yaml
@@ -39,7 +39,7 @@
 # require-approval:true, so a qualifying approval plus green checks is always required.
 # Requires branch protection that requires PR review. See README.md for the one-time
 # org setup (App, ruleset bypass, org var/secret).
-name: Merge
+name: Reusable Merge

 on:
 workflow_call:
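Review bot: `permission-workflows: write` widens what the minted App token can do with the ref ff-merge moves, and the new comment records only why GitHub demands the scope, not that the auto-approved minor/patch path now lands edits to `.github/workflows/` on the base branch with no human reviewer (the comment itself names that approval as the sole authorization gate). Suggest extending the comment with `# Consequence: an auto-approved minor/patch bump can now change workflow files on the base branch; the approval gate is the only control on that.` Whether the resolve step below checks that the branch carries only Dependabot's own commits is outside this hunk — the token step begins above it and the resolve step continues past `id: pr`. The same scope is added to the four token steps in merge.yaml (the `/merge`, arm and both auto-merge paths); those keep a human approval or command in the loop, so the existing comments suffice there.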
@@ -89,9 +89,9 @@ jobs:
 # action still re-verifies write access authoritatively, so this only filters
 # noise before any token is minted.
 if: >-
- github.event_name == 'issue_comment' && github.event.issue.pull_request &&
- github.event.comment.body == inputs.merge-command &&
- contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+ github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body ==
+ inputs.merge-command && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
+ github.event.comment.author_association)
 runs-on: ubuntu-latest
 concurrency:
 group: ff-merge-${{ github.repository }}
@@ -105,11 +105,14 @@ jobs:
 client-id: ${{ inputs.app-client-id }}
 private-key: ${{ secrets.app-private-key }}
 # Least-privilege within the App's installation ceiling: ff-merge moves the
- # base ref (contents), reads/comments on the PR (pull-requests), and
- # resolves the actor's access level for maintainer-only (administration).
+ # base ref (contents), reads/comments on the PR (pull-requests), resolves
+ # the actor's access level for maintainer-only (administration), and moves a
+ # ref whose commits touch .github/workflows/ files (workflows — GitHub
+ # rejects any ref update that adds or edits a workflow file without it).
 permission-contents: write
 permission-pull-requests: write
 permission-administration: read
+ permission-workflows: write

 - name: Fast-forward merge
 uses: bitwise-media-group/ff-merge@76046d3da4a351eb1b1225727a3a7d0d178f1dfe # v1.1.0
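Review bot: The refolded `if:` gate now breaks mid-comparison (`github.event.comment.body ==` on one line, `inputs.merge-command` on the next), which makes this authorization check harder to audit than the one-clause-per-line form it replaces; the `>-` scalar joins the lines with a space either way, so this is layout only. Prefer breaking only at `&&` / `||`, so the event check, the command match and the author-association allowlist each sit on their own line whatever the line-length target. The arm gate in the hunk at -128 and the two `if:` gates in release.yaml (-133 and -208) are reflowed the same way. The enclosing job starts above this hunk (the `jobs:` context marker).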
@@ -128,12 +131,11 @@ jobs:
 # triage+ requirement for labelling plus the approval gate below, and is scoped
 # to same-repo PRs (a labelled fork PR has no secrets, so it arms by comment).
 if: >-
- (github.event_name == 'issue_comment' && github.event.issue.pull_request &&
- github.event.comment.body == inputs.arm-command &&
- contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
- (github.event_name == 'pull_request' && github.event.action == 'labeled' &&
- github.event.label.name == inputs.label &&
- github.event.pull_request.head.repo.full_name == github.repository)
+ (github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body ==
+ inputs.arm-command && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
+ github.event.comment.author_association)) || (github.event_name == 'pull_request' && github.event.action ==
+ 'labeled' && github.event.label.name == inputs.label && github.event.pull_request.head.repo.full_name ==
+ github.repository)
 runs-on: ubuntu-latest
 concurrency:
 group: ff-merge-${{ github.repository }}
@@ -147,10 +149,12 @@ jobs:
 client-id: ${{ inputs.app-client-id }}
 private-key: ${{ secrets.app-private-key }}
 # Labels and comments on the PR (pull-requests) and moves the ref via the
- # best-effort ff-merge (contents); maintainer-only:false here, so no
+ # best-effort ff-merge (contents), which also needs workflows when the merge
+ # touches .github/workflows/ files; maintainer-only:false here, so no
 # administration scope is needed.
 permission-contents: write
 permission-pull-requests: write
+ permission-workflows: write

 - name: Resolve the pull request number
 id: pr
@@ -233,10 +237,12 @@ jobs:
 with:
 client-id: ${{ inputs.app-client-id }}
 private-key: ${{ secrets.app-private-key }}
- # ff-merge moves the ref (contents) and reads the PR (pull-requests);
- # maintainer-only:false here, so no administration scope is needed.
+ # ff-merge moves the ref (contents) and reads the PR (pull-requests), and
+ # needs workflows to move a ref whose commits touch .github/workflows/
+ # files; maintainer-only:false here, so no administration scope is needed.
 permission-contents: write
 permission-pull-requests: write
+ permission-workflows: write

 - name: Resolve the open PR for this branch
 id: pr
@@ -297,10 +303,12 @@ jobs:
 with:
 client-id: ${{ inputs.app-client-id }}
 private-key: ${{ secrets.app-private-key }}
- # ff-merge moves the ref (contents) and reads the PR (pull-requests);
- # maintainer-only:false here, so no administration scope is needed.
+ # ff-merge moves the ref (contents) and reads the PR (pull-requests), and
+ # needs workflows to move a ref whose commits touch .github/workflows/
+ # files; maintainer-only:false here, so no administration scope is needed.
 permission-contents: write
 permission-pull-requests: write
+ permission-workflows: write

 - name: Fast-forward merge
 # Best effort, like the arm attempt: a decline (e.g. CI not green yet) must
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a4b8bbd..4707898 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -26,7 +26,7 @@
 #
 # Runs via workflow_call from a thin caller (examples/release.yaml) that owns the
 # push trigger and grants the release permissions.
-name: Release
+name: Reusable Release

 on:
 workflow_call:
@@ -55,7 +55,11 @@ on:
 needed if .goreleaser.yaml publishes a cask.
 required: false

-permissions: {} # granted per job
+# Granted per job below. Note for callers: GitHub validates a reusable workflow's
+# permissions as the union of every job and ignores `if:`, so a caller must grant
+# the goreleaser job's id-token/attestations/artifact-metadata even on the publish
+# path where that job is skipped -- see examples/release.yaml.
+permissions: {}

 # concurrent release-please runs can open duplicate release PRs; queue them.
 concurrency:
@@ -133,8 +137,7 @@ jobs:
 # not a denylist of fork-triggerable events: a new event type GitHub may add
 # later fails closed (the job is skipped) until it is vetted and added here.
 if: >-
- needs.release-please.outputs.release_created &&
- needs.release-please.outputs.goreleaser &&
+ needs.release-please.outputs.release_created && needs.release-please.outputs.goreleaser &&
 contains(fromJSON('["push","workflow_dispatch","schedule"]'), github.event_name)
 runs-on: ubuntu-latest
 permissions:
@@ -208,8 +211,7 @@ jobs:
 # Same trusted-trigger allowlist as the goreleaser job above (fails closed on
 # any event type not vetted here).
 if: >-
- needs.release-please.outputs.release_created &&
- !needs.release-please.outputs.goreleaser &&
+ needs.release-please.outputs.release_created && !needs.release-please.outputs.goreleaser &&
 contains(fromJSON('["push","workflow_dispatch","schedule"]'), github.event_name)
 runs-on: ubuntu-latest
 permissions:
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/security.yaml
similarity index 92%
rename from .github/workflows/codeql.yaml
rename to .github/workflows/security.yaml
index 9a1897b..d544bcc 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/security.yaml
@@ -22,9 +22,9 @@ # installs the toolchain matched to go-version-file (default go.mod), never the # workflow. # -# Runs via workflow_call from a thin caller (examples/codeql.yaml) that owns the +# Runs via workflow_call from a thin caller (examples/security.yaml) that owns the # push/pull_request/schedule triggers and grants the analyze permissions. -name: CodeQL analysis +name: Reusable Security Analysis on: workflow_call: @@ -42,9 +42,9 @@ on: type: string languages: description: - Comma-separated CodeQL languages to analyse (e.g. "actions" or "actions,go"), overriding root - detection. Empty (default) auto-detects actions, plus go (root go.mod) and javascript-typescript - (package.json). Set this when detection would add an empty leg -- e.g. a tooling-only package.json. + Comma-separated CodeQL languages to analyse (e.g. "actions" or "actions,go"), overriding root detection. Empty + (default) auto-detects actions, plus go (root go.mod) and javascript-typescript (package.json). Set this when + detection would add an empty leg -- e.g. a tooling-only package.json. required: false default: "" type: string @@ -162,5 +162,7 @@ jobs: # permission already granted to this job; in SARIF mode zizmor exits 0 even # with findings, so this step never fails the run. - name: Run zizmor - if: matrix.language == 'actions' && hashFiles('zizmor.yml', 'zizmor.yaml', '.github/zizmor.yml', '.github/zizmor.yaml') != '' + if: + matrix.language == 'actions' && hashFiles('zizmor.yml', 'zizmor.yaml', '.github/zizmor.yml', + '.github/zizmor.yaml') != '' uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 diff --git a/.github/workflows/self-ci.yaml b/.github/workflows/self-ci.yaml index c1eb00a..d7a36c5 100644 --- a/.github/workflows/self-ci.yaml +++ b/.github/workflows/self-ci.yaml 
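Review bot: The new multi-line zizmor `if:` is a plain scalar continued across lines with no block indicator, unlike every other multi-line `if:` in this patch, which uses `>-`. A plain scalar folds the break to a space just the same, but on a continuation line a ` #` starts a comment and a `: ` starts a mapping, so a later edit to the `hashFiles` list can silently truncate or break the gate; `if: >-` followed by the same two lines removes that trap and matches the file's own convention. The rest of the `Run zizmor` step continues past the end of this hunk.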
@@ -6,7 +6,7 @@ # go.mod and no committed dist/ -- just a package.json for the prose toolchain -- # so the reusable workflow sets up node only and runs the canonical Makefile gates: # lint (prettier --check + markdownlint), with build and test as no-ops here. -name: Continuous integration +name: Continuous Integration on: push: diff --git a/.github/workflows/self-dependabot-merge.yaml b/.github/workflows/self-dependabot-merge.yaml index 398598e..a1ddd95 100644 --- a/.github/workflows/self-dependabot-merge.yaml +++ b/.github/workflows/self-dependabot-merge.yaml @@ -12,20 +12,20 @@ # # Both triggers are required: pull_request_target to approve on open, and # workflow_run to fast-forward once CI finishes green. The workflow_run list names -# every workflow that must pass — "Continuous integration" (self-ci.yaml) and -# "CodeQL analysis" (self-codeql.yaml); whichever finishes last triggers the merge +# every workflow that must pass — "Continuous Integration" (self-ci.yaml) and +# "Security Analysis" (self-security.yaml); whichever finishes last triggers the merge # attempt, and ff-merge verifies all checks before moving the ref. # # Org prerequisites (see bitwise-media-group/ff-merge): the FF_MERGE_CLIENT_ID # variable + FF_MERGE_PRIVATE_KEY secret and the "FF Merge" App in main's ruleset # bypass list — the same App as the /merge flow. -name: Dependabot auto-merge +name: Dependabot Auto-Merge on: # zizmor: ignore[dangerous-triggers] -- required: approve needs base-repo secrets; no PR code is checked out or run pull_request_target: types: [opened, reopened, synchronize] workflow_run: - workflows: ["Continuous integration", "CodeQL analysis"] + workflows: ["Continuous Integration", "Security Analysis"] types: [completed] # the app token does the privileged work; the caller grants nothing diff --git a/.github/workflows/self-merge-notice.yaml b/.github/workflows/self-merge-notice.yaml index af2988a..38ca644 100644 --- a/.github/workflows/self-merge-notice.yaml 
+++ b/.github/workflows/self-merge-notice.yaml @@ -10,7 +10,7 @@ # reusable workflow only posts a static comment with a pull-requests:write token, # so the elevated context is safe. No secret needed. -name: Merge notice +name: Merge Notice on: # zizmor: ignore[dangerous-triggers] -- required: notice must reach fork PRs; only posts a static comment, no PR code is run pull_request_target: diff --git a/.github/workflows/self-merge.yaml b/.github/workflows/self-merge.yaml index 0068988..dd05ef7 100644 --- a/.github/workflows/self-merge.yaml +++ b/.github/workflows/self-merge.yaml @@ -14,8 +14,8 @@ # All four triggers are routed by github.event_name inside merge.yaml. issue_comment # runs in the base-repo context (so `/merge` and `/auto-merge` work even for fork # PRs); the label-arm and review paths are same-repo only. The workflow_run list -# names every workflow that must pass — "Continuous integration" (self-ci.yaml) and -# "CodeQL analysis" (self-codeql.yaml); whichever finishes last triggers the attempt +# names every workflow that must pass — "Continuous Integration" (self-ci.yaml) and +# "Security Analysis" (self-security.yaml); whichever finishes last triggers the attempt # and ff-merge re-verifies all checks. # # Org prerequisites (see bitwise-media-group/ff-merge): the FF_MERGE_CLIENT_ID @@ -31,7 +31,7 @@ on: # zizmor: ignore[dangerous-triggers] -- required: workflow_run gates auto-me pull_request_review: types: [submitted] workflow_run: - workflows: ["Continuous integration", "CodeQL analysis"] + workflows: ["Continuous Integration", "Security Analysis"] types: [completed] # the App token does the privileged work; the caller grants nothing diff --git a/.github/workflows/self-release.yaml b/.github/workflows/self-release.yaml index a2807c8..7e6b1de 100644 --- a/.github/workflows/self-release.yaml +++ b/.github/workflows/self-release.yaml 
@@ -11,13 +11,27 @@ on:
 push:
 branches: [main]

-# release-please needs issues + pull-requests; the publish job moves the vanity
-# tags with contents:write. No .goreleaser.yaml here, so the reusable workflow's
-# goreleaser job is skipped and its id-token/attestations are not granted.
+# Ceiling for the reusable workflow's release-please + publish jobs. GitHub
+# resolves a reusable workflow's permissions statically at startup: it takes the
+# union of every job's declared permissions and ignores `if:`. So the caller must
+# grant what the goreleaser job declares (id-token / attestations /
+# artifact-metadata) even though that job is skipped here (no .goreleaser.yaml) --
+# dropping them startup_failures the whole run. No executed job realizes them at
+# runtime: release-please and publish declare their own narrower job-level
+# permissions, and the goreleaser job never runs.
 permissions:
+ # release-please cuts the release/tag; publish moves the vanity tags
 contents: write
+ # release-please creates pr labels via the issues api
 issues: write
+ # release-please opens the release pull request
 pull-requests: write
+ # cosign keyless signing
+ id-token: write
+ # github build-provenance attestation
+ attestations: write
+ # artifact storage record for the attestation
+ artifact-metadata: write

 jobs:
 release:
diff --git a/.github/workflows/self-codeql.yaml b/.github/workflows/self-security.yaml
similarity index 86%
rename from .github/workflows/self-codeql.yaml
rename to .github/workflows/self-security.yaml
index 085bfaa..477b170 100644
--- a/.github/workflows/self-codeql.yaml
+++ b/.github/workflows/self-security.yaml
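Review bot: The widened grant sits at workflow level, so it becomes the default for any job in self-release.yaml that does not declare its own `permissions:`, not just for the `release:` job that calls the reusable workflow; `id-token: write` in particular lets whichever job inherits it mint OIDC tokens. Moving the six entries under `jobs.release.permissions:` gives the reusable call the same ceiling while any job added later starts from nothing. Separately, `dropping them startup_failures the whole run` turns an API status into a verb; `dropping any of them fails the whole run at startup` says the same thing plainly. The `release:` job body lies outside this hunk.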
@@ -1,14 +1,14 @@
 # Copyright 2026 BitWise Media Group Ltd
 # SPDX-License-Identifier: MIT

-# This repo's own CodeQL run, dogfooding the reusable codeql workflow by local path
+# This repo's own CodeQL run, dogfooding the reusable security workflow by local path
 # (so it always runs the current definition, not a release pin). The library is
 # GitHub Actions YAML + Markdown with no compilable Go and no JavaScript/TypeScript
 # product source -- the package.json is prose-linting tooling only -- so it pins
 # `languages: actions` rather than let detection add an empty javascript-typescript
 # leg from that package.json. The actions leg also runs zizmor, gated on the root
 # zizmor.yaml shipped here.
-name: CodeQL analysis
+name: Security Analysis

 on:
 push:
@@ -31,6 +31,6 @@ permissions:

 jobs:
 analyze:
- uses: ./.github/workflows/codeql.yaml
+ uses: ./.github/workflows/security.yaml
 with:
 languages: actions
diff --git a/README.md b/README.md
index 0576a24..ddc2d89 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ action is pinned to a full commit SHA; Dependabot keeps the pins fresh. | Workflow | Platform | What it does | | ------------------------------------------------ | -------- | ---------------------------------------------------------------------------------------------------------------- | | [`ci.yaml`](#ciyaml) | any | canonical Makefile gates (lint/build/test) per job, toolchains by detection, Codecov upload | -| [`codeql.yaml`](#codeqlyaml) | any | CodeQL over actions + go (autobuild) + javascript-typescript, language matrix by detection | +| [`security.yaml`](#securityyaml) | any | CodeQL over actions + go (autobuild) + javascript-typescript, language matrix by detection | | [`release.yaml`](#releaseyaml) | any | release-please (two-pass) → GoReleaser (if `.goreleaser.yaml`) or `dist/` rebuild + verify; optional vanity tags | | [`merge.yaml`](#mergeyaml) | any | signature-preserving fast-forward merge — `/merge` now, or `/auto-merge` (comment/label) when approved + green | | [`merge-notice.yaml`](#merge-noticeyaml) | any | posts a one-time "this repo merges via `/merge`" comment on new PRs | @@ -54,7 +54,7 @@ jobs: Full example: [`examples/ci.yaml`](examples/ci.yaml). -### `codeql.yaml` +### `security.yaml` _Any repo._ CodeQL analysis whose language matrix is detected at the repo root: `actions` (build-free) always, plus `go` (via `autobuild`; `setup-go` matches `go-version-file`) when a root `go.mod` exists and `javascript-typescript` @@ -81,10 +81,10 @@ permissions: contents: read jobs: analyze: - uses: bitwise-media-group/github-workflows/.github/workflows/codeql.yaml@v2 + uses: bitwise-media-group/github-workflows/.github/workflows/security.yaml@v2 ``` -Full example: [`examples/codeql.yaml`](examples/codeql.yaml). +Full example: [`examples/security.yaml`](examples/security.yaml). ### `release.yaml` 
@@ -97,9 +97,10 @@ _Any repo._ Runs release-please (two-pass), then branches by detection: a repo w (default `false`; move the floating `v1` / `v1.1` tags — set it for Actions/reusable repos whose consumers pin `@v1`). - **Secrets:** `homebrew-tap-token` — optional; only needed if `.goreleaser.yaml` publishes a Homebrew cask to another repo (`secrets.HOMEBREW_TAP_GITHUB_TOKEN`). -- **Permissions (caller grants):** `contents: write`, `issues: write`, `pull-requests: write`; plus `id-token: write`, - `attestations: write`, `artifact-metadata: write` for the GoReleaser path only (drop them if you have no - `.goreleaser.yaml`). +- **Permissions (caller grants):** `contents: write`, `issues: write`, `pull-requests: write`, `id-token: write`, + `attestations: write`, `artifact-metadata: write`. Grant all six even without a `.goreleaser.yaml`: GitHub resolves a + reusable workflow's permissions as the union of every job and ignores `if:`, so the skipped GoReleaser job's + `id-token` / `attestations` / `artifact-metadata` are still required or the run fails at startup. ```yaml on: @@ -109,9 +110,9 @@ permissions: contents: write issues: write pull-requests: write - id-token: write # GoReleaser path only - attestations: write # GoReleaser path only - artifact-metadata: write # GoReleaser path only + id-token: write # cosign keyless signing + attestations: write # github build-provenance attestation + artifact-metadata: write # artifact storage record for the attestation jobs: release: uses: bitwise-media-group/github-workflows/.github/workflows/release.yaml@v2 
@@ -278,9 +279,9 @@ its ruleset bypass, and the `FF_MERGE_CLIENT_ID` variable + `FF_MERGE_PRIVATE_KE This repo dogfoods its own reusable workflows by local path: `self-ci.yaml` calls `ci.yaml` (which detects node only — there is no root `go.mod` — and runs the canonical `make` gates) and `self-release.yaml` calls `release.yaml` (the -publish path, moving the vanity tags). `self-codeql.yaml` stays a bespoke `actions`-only scan: the library has no -compilable Go and no JS/TS product source, so the reusable `codeql.yaml` would add an empty `javascript-typescript` leg -from its tooling-only `package.json`. The `/merge` + auto-merge flows (`self-merge.yaml`), the merge notice +publish path, moving the vanity tags). `self-security.yaml` stays a bespoke `actions`-only scan: the library has no +compilable Go and no JS/TS product source, so the reusable `security.yaml` would add an empty `javascript-typescript` +leg from its tooling-only `package.json`. The `/merge` + auto-merge flows (`self-merge.yaml`), the merge notice (`self-merge-notice.yaml`), and Dependabot auto-merge (`self-dependabot-merge.yaml`, which keeps the reusable workflows' action pins fresh) dogfood the rest. Validate a change to a reusable workflow by temporarily pointing a real consumer's caller at a feature branch or SHA (`@your-branch`) and opening a PR there. diff --git a/examples/ci.yaml b/examples/ci.yaml index f727df4..38e910b 100644 --- a/examples/ci.yaml +++ b/examples/ci.yaml @@ -15,7 +15,7 @@ # # Pin @v2 to a release tag or full commit SHA -- see README "Pinning". -name: Continuous integration +name: Continuous Integration on: push: diff --git a/examples/dependabot-merge.yaml b/examples/dependabot-merge.yaml index cab25ea..90403e7 100644 --- a/examples/dependabot-merge.yaml +++ b/examples/dependabot-merge.yaml 
@@ -19,7 +19,7 @@ # - the "FF Merge" App installed on this repo and in the ruleset bypass list # # Pin @v2 to a release tag or full commit SHA — see README "Pinning". -name: Dependabot auto-merge +name: Dependabot Auto-Merge # Both triggers are required. pull_request_target approves on open; workflow_run # fast-forwards once CI is green. check_suite is NOT usable here — GitHub does not diff --git a/examples/merge-notice.yaml b/examples/merge-notice.yaml index 552b4fc..d1b2f90 100644 --- a/examples/merge-notice.yaml +++ b/examples/merge-notice.yaml @@ -12,7 +12,7 @@ # # Pin @v2 to a release tag or full commit SHA — see README "Pinning". -name: Fast-forward merge notice +name: Merge Notice on: pull_request_target: diff --git a/examples/release.yaml b/examples/release.yaml index c1a5bea..0f2e51f 100644 --- a/examples/release.yaml +++ b/examples/release.yaml @@ -29,11 +29,11 @@ permissions: issues: write # release-please opens the release pull request pull-requests: write - # cosign keyless signing -- GoReleaser path only; drop if you have no .goreleaser.yaml + # cosign keyless signing id-token: write - # github build-provenance attestation -- GoReleaser path only + # github build-provenance attestation attestations: write - # artifact storage record for the attestation -- GoReleaser path only + # artifact storage record for the attestation artifact-metadata: write jobs: diff --git a/examples/codeql.yaml b/examples/security.yaml similarity index 88% rename from examples/codeql.yaml rename to examples/security.yaml index 54f0048..b4851f3 100644 --- a/examples/codeql.yaml +++ b/examples/security.yaml 
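Review bot: Dropping `-- GoReleaser path only; drop if you have no .goreleaser.yaml` from the three example comments removes the advice that was wrong, but leaves no hint that `id-token` / `attestations` / `artifact-metadata` are required even when no GoReleaser job runs, which is exactly what a reader copying this example will question and prune. Suggest one comment above `id-token: write`: `# The next three are needed even without .goreleaser.yaml: GitHub checks a reusable workflow's permissions as the union of all its jobs -- see README.` The `permissions:` block begins above this hunk.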
@@ -1,15 +1,15 @@ # Copyright 2026 BitWise Media Group Ltd # SPDX-License-Identifier: MIT -# Caller workflow -- copy to `.github/workflows/codeql.yaml` in any repo. It owns -# the triggers and grants the analyze permissions; the reusable codeql workflow +# Caller workflow -- copy to `.github/workflows/security.yaml` in any repo. It owns +# the triggers and grants the analyze permissions; the reusable security workflow # detects languages at the repo root and scans actions (build-free), plus go (via # autobuild) when a root go.mod exists and javascript-typescript (build-free) when # package.json exists. # # Pin @v2 to a release tag or full commit SHA -- see README "Pinning". -name: CodeQL analysis +name: Security Analysis on: push: @@ -32,7 +32,7 @@ permissions: jobs: analyze: - uses: bitwise-media-group/github-workflows/.github/workflows/codeql.yaml@v2 + uses: bitwise-media-group/github-workflows/.github/workflows/security.yaml@v2 # with: # go-version-file: go.mod # default # config-file: ./.github/codeql/codeql-config.yaml # a repo with a bundled dist/ should exclude it diff --git a/security/code-scanning/1.md b/security/code-scanning/1.md index c2b30e5..c27c76c 100644 --- a/security/code-scanning/1.md +++ b/security/code-scanning/1.md 
@@ -3,14 +3,14 @@ **Finding:** [github.com/bitwise-media-group/github-workflows/security/code-scanning/1](https://github.com/bitwise-media-group/github-workflows/security/code-scanning/1) -| Field | Value | -| -------- | ------------------------------------------------------- | -| Rule | `actions/unpinned-tag` (CWE-829) | -| Tool | CodeQL 2.25.6 | -| Severity | Warning (security-severity: medium) | -| Location | `.github/workflows/merge.yaml:72` | -| Detected | 2026-06-15 against commit `ad8c9e3` (`refs/heads/main`) | -| Outcome | **Remediated** | +| Field | Value | +| -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Rule | `actions/unpinned-tag` (CWE-829) | +| Tool | CodeQL 2.25.6 | +| Severity | Warning (security-severity: medium) | +| Location | [`.github/workflows/merge.yaml:72`](https://github.com/bitwise-media-group/github-workflows/blob/ad8c9e38e233a04ee3aee7c94aedde8dc64ceb85/.github/workflows/merge.yaml#L72) | +| Detected | 2026-06-15 against commit `ad8c9e3` (`refs/heads/main`) | +| Outcome | **Remediated** | ## What CodeQL reported diff --git a/security/code-scanning/2.md b/security/code-scanning/2.md index 7f3d54d..a273554 100644 --- a/security/code-scanning/2.md +++ b/security/code-scanning/2.md 
@@ -3,14 +3,14 @@ **Finding:** [github.com/bitwise-media-group/github-workflows/security/code-scanning/2](https://github.com/bitwise-media-group/github-workflows/security/code-scanning/2) -| Field | Value | -| -------- | ------------------------------------------------------- | -| Rule | `actions/untrusted-checkout/medium` (CWE-829) | -| Tool | CodeQL 2.25.6 | -| Severity | Warning (security-severity: medium) | -| Location | `.github/workflows/release-actions.yaml:60-65` | -| Detected | 2026-06-15 against commit `ad8c9e3` (`refs/heads/main`) | -| Outcome | **Remediated** | +| Field | Value | +| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Rule | `actions/untrusted-checkout/medium` (CWE-829) | +| Tool | CodeQL 2.25.6 | +| Severity | Warning (security-severity: medium) | +| Location | [`.github/workflows/release-actions.yaml:60-65`](https://github.com/bitwise-media-group/github-workflows/blob/ad8c9e38e233a04ee3aee7c94aedde8dc64ceb85/.github/workflows/release-actions.yaml#L60-L65) | +| Detected | 2026-06-15 against commit `ad8c9e3` (`refs/heads/main`) | +| Outcome | **Remediated** | ## What CodeQL reported diff --git a/security/code-scanning/3.md b/security/code-scanning/3.md index 64dbe2b..a795100 100644 --- a/security/code-scanning/3.md +++ b/security/code-scanning/3.md 
@@ -3,14 +3,14 @@ **Finding:** [github.com/bitwise-media-group/github-workflows/security/code-scanning/3](https://github.com/bitwise-media-group/github-workflows/security/code-scanning/3) -| Field | Value | -| -------- | ------------------------------------------------------- | -| Rule | `actions/untrusted-checkout/medium` (CWE-829) | -| Tool | CodeQL 2.25.6 | -| Severity | Warning (security-severity: medium) | -| Location | `.github/workflows/release-go.yaml:96-102` | -| Detected | 2026-06-15 against commit `ad8c9e3` (`refs/heads/main`) | -| Outcome | **Remediated** | +| Field | Value | +| -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Rule | `actions/untrusted-checkout/medium` (CWE-829) | +| Tool | CodeQL 2.25.6 | +| Severity | Warning (security-severity: medium) | +| Location | [`.github/workflows/release-go.yaml:96-102`](https://github.com/bitwise-media-group/github-workflows/blob/ad8c9e38e233a04ee3aee7c94aedde8dc64ceb85/.github/workflows/release-go.yaml#L96-L102) | +| Detected | 2026-06-15 against commit `ad8c9e3` (`refs/heads/main`) | +| Outcome | **Remediated** | ## What CodeQL reported diff --git a/security/code-scanning/4.md b/security/code-scanning/4.md index 0e688af..57d6b0a 100644 --- a/security/code-scanning/4.md +++ b/security/code-scanning/4.md 
@@ -3,14 +3,14 @@ **Finding:** [github.com/bitwise-media-group/github-workflows/security/code-scanning/4](https://github.com/bitwise-media-group/github-workflows/security/code-scanning/4) -| Field | Value | -| -------- | --------------------------------------------------------- | -| Rule | `actions/code-injection/medium` (CWE-94) | -| Tool | CodeQL 2.25.6 | -| Severity | Warning (security-severity: medium) | -| Location | `.github/workflows/codeql.yaml:60` | -| Detected | 2026-06-20 against commit `66b14ef` (`refs/pull/8/merge`) | -| Outcome | **Remediated** | +| Field | Value | +| -------- | -------------------------------------------------------------------------------------------------------------------------------------------- | +| Rule | `actions/code-injection/medium` (CWE-94) | +| Tool | CodeQL 2.25.6 | +| Severity | Warning (security-severity: medium) | +| Location | [`.github/workflows/codeql.yaml:60`](https://github.com/bitwise-media-group/github-workflows/blob/66b14ef/.github/workflows/codeql.yaml#L60) | +| Detected | 2026-06-20 against commit `66b14ef` (`refs/pull/8/merge`) | +| Outcome | **Remediated** | ## What CodeQL reported diff --git a/security/code-scanning/5.md b/security/code-scanning/5.md index d23393e..8c84e0b 100644 --- a/security/code-scanning/5.md +++ b/security/code-scanning/5.md 
@@ -3,14 +3,14 @@ **Finding:** [github.com/bitwise-media-group/github-workflows/security/code-scanning/5](https://github.com/bitwise-media-group/github-workflows/security/code-scanning/5) -| Field | Value | -| -------- | --------------------------------------------------------- | -| Rule | `actions/code-injection/medium` (CWE-94) | -| Tool | CodeQL 2.25.6 | -| Severity | Warning (security-severity: medium) | -| Location | `.github/workflows/codeql.yaml:63` | -| Detected | 2026-06-20 against commit `66b14ef` (`refs/pull/8/merge`) | -| Outcome | **Remediated** | +| Field | Value | +| -------- | -------------------------------------------------------------------------------------------------------------------------------------------- | +| Rule | `actions/code-injection/medium` (CWE-94) | +| Tool | CodeQL 2.25.6 | +| Severity | Warning (security-severity: medium) | +| Location | [`.github/workflows/codeql.yaml:63`](https://github.com/bitwise-media-group/github-workflows/blob/66b14ef/.github/workflows/codeql.yaml#L63) | +| Detected | 2026-06-20 against commit `66b14ef` (`refs/pull/8/merge`) | +| Outcome | **Remediated** | ## What CodeQL reported diff --git a/zizmor.yaml b/zizmor.yaml index c86d8bd..150a658 100644 --- a/zizmor.yaml +++ b/zizmor.yaml @@ -3,7 +3,7 @@ # zizmor configuration (https://docs.zizmor.sh/configuration/). zizmor audits this # repo's GitHub Actions workflows; it runs locally and in CI via `zizmor .` in -# `make lint`. The reusable CodeQL workflow (.github/workflows/codeql.yaml) also +# `make lint`. The reusable security workflow (.github/workflows/security.yaml) also # runs zizmor for any consuming repo that ships a config file like this one. # # This library SHA-pins every third-party action, so require a full commit hash for