From 04880468a29f687050b3e9e970d8114325406db3 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Thu, 27 Feb 2025 10:01:43 -0600 Subject: [PATCH 01/31] Workflows commit for security --- .github/workflows/workflows/codeql.yml | 0 .github/workflows/workflows/dependency-review.yml | 12 ++++++++++++ 2 files changed, 12 insertions(+) create mode 100644 .github/workflows/workflows/codeql.yml create mode 100644 .github/workflows/workflows/dependency-review.yml diff --git a/.github/workflows/workflows/codeql.yml b/.github/workflows/workflows/codeql.yml new file mode 100644 index 0000000..e69de29 diff --git a/.github/workflows/workflows/dependency-review.yml b/.github/workflows/workflows/dependency-review.yml new file mode 100644 index 0000000..4b768ab --- /dev/null +++ b/.github/workflows/workflows/dependency-review.yml @@ -0,0 +1,12 @@ +name: Dependency Review + +on: + pull_request: + branches: [ develop ] + push: + branches: [ develop ] + workflow_dispatch: + +jobs: + dependency-review: + uses: hyperwallet/security-workflows/.github/workflows/dependency-review.yml@main From 26052ec7f7ef4498b751b30f0f4ddbb9d1784a57 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Thu, 27 Feb 2025 10:45:56 -0600 Subject: [PATCH 02/31] Updating branching patterns for codeql Updating to match branch conventions --- .github/workflows/workflows/dependency-review.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/workflows/dependency-review.yml b/.github/workflows/workflows/dependency-review.yml index 4b768ab..477a406 100644 --- a/.github/workflows/workflows/dependency-review.yml +++ b/.github/workflows/workflows/dependency-review.yml 
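Review bot: The `uses:` line of the `dependency-review` job references the reusable workflow at the mutable ref `@main`, so whatever is pushed to that branch of `hyperwallet/security-workflows` runs with this repository's token on every pull request and push; pin the caller to a release tag or a full-length commit SHA (constructed example: `uses: hyperwallet/security-workflows/.github/workflows/dependency-review.yml@<tag-or-sha>`) and let Dependabot keep it current. The same `@main` reference is carried through every later revision of this file and of codeql.yml (patches 07, 09, 13, 17, 22, 25, 26 and 29). The `codeql.yml` created alongside it in this patch is zero bytes; Actions reports an empty workflow file as invalid, so either fill it in here or create it when the content is ready.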
@@ -2,9 +2,19 @@ name: Dependency Review on: pull_request: - branches: [ develop ] + branches: + - master + - support/SDK-V3 + - feature/** + - bugfix/** + - dependabot/** push: - branches: [ develop ] + branches: + - master + - support/SDK-V3 + - feature/** + - bugfix/** + - dependabot/** workflow_dispatch: jobs: From 7173dd16886d74b6fbd15875937c0b9c7620a421 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Thu, 27 Feb 2025 10:48:18 -0600 Subject: [PATCH 03/31] Quick testing --- .github/workflows/workflows/dependency-review.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/workflows/dependency-review.yml b/.github/workflows/workflows/dependency-review.yml index 477a406..55f2f28 100644 --- a/.github/workflows/workflows/dependency-review.yml +++ b/.github/workflows/workflows/dependency-review.yml @@ -8,6 +8,7 @@ on: - feature/** - bugfix/** - dependabot/** + - feature/security-workflows push: branches: - master @@ -15,6 +16,7 @@ on: - feature/** - bugfix/** - dependabot/** + - feature/security-workflows workflow_dispatch: jobs: From 6cb8bc6c25a1d1e86f7bac7b781e92d889a15c0c Mon Sep 17 00:00:00 2001 From: palguindigue <86317480+palguindigue@users.noreply.github.com> Date: Thu, 27 Feb 2025 10:50:06 -0600 Subject: [PATCH 04/31] Create test.yml --- .github/workflows/workflows/test.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 .github/workflows/workflows/test.yml diff --git a/.github/workflows/workflows/test.yml b/.github/workflows/workflows/test.yml new file mode 100644 index 0000000..3b78add --- /dev/null +++ b/.github/workflows/workflows/test.yml @@ -0,0 +1,9 @@ +name: Dependency Review + +on: + push: + workflow_dispatch: + +jobs: + dependency-review: + uses: hyperwallet/security-workflows/.github/workflows/dependency-review.yml@main From e814096c4178710b1af4d0260eee35f310e618bb Mon Sep 17 00:00:00 2001 
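Review bot: Under `pull_request:` the `branches:` list filters on the PR's base branch, not the branch being merged, so the added `feature/**`, `bugfix/**` and `dependabot/**` entries only match PRs that target those branches; a dependabot PR into `master` is already covered by the `master` entry, and if the intent was to scan commits on those branches only the `push:` list needs them. The same list is copied into codeql.yml in patch 08. Patch 03 then appends `feature/security-workflows` to both lists although `feature/**` already matches it, and its title calls it a test, so the extra entry should not survive into the final version (patches 29 and 31 do drop the whole list).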
From: palguindigue <86317480+palguindigue@users.noreply.github.com> Date: Thu, 27 Feb 2025 10:51:46 -0600 Subject: [PATCH 05/31] Update test.yml --- .github/workflows/workflows/test.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/workflows/test.yml b/.github/workflows/workflows/test.yml index 3b78add..79d6a26 100644 --- a/.github/workflows/workflows/test.yml +++ b/.github/workflows/workflows/test.yml @@ -6,4 +6,9 @@ on: jobs: dependency-review: - uses: hyperwallet/security-workflows/.github/workflows/dependency-review.yml@main + runs-on: ubuntu-latest + + steps: + - run: echo test + shell: bash + From 4e1264573453f484a593389d34738ff6eb3a6466 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Thu, 27 Feb 2025 10:53:31 -0600 Subject: [PATCH 06/31] Fixing wrong location Updating running location for workflows --- .github/workflows/{workflows => }/codeql.yml | 0 .../{workflows => }/dependency-review.yml | 0 .github/workflows/workflows/test.yml | 14 -------------- 3 files changed, 14 deletions(-) rename .github/workflows/{workflows => }/codeql.yml (100%) rename .github/workflows/{workflows => }/dependency-review.yml (100%) delete mode 100644 .github/workflows/workflows/test.yml diff --git a/.github/workflows/workflows/codeql.yml b/.github/workflows/codeql.yml similarity index 100% rename from .github/workflows/workflows/codeql.yml rename to .github/workflows/codeql.yml diff --git a/.github/workflows/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml similarity index 100% rename from .github/workflows/workflows/dependency-review.yml rename to .github/workflows/dependency-review.yml diff --git a/.github/workflows/workflows/test.yml b/.github/workflows/workflows/test.yml deleted file mode 100644 index 79d6a26..0000000 --- a/.github/workflows/workflows/test.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -name: Dependency Review - -on: - push: - workflow_dispatch: - -jobs: - dependency-review: - runs-on: ubuntu-latest - - steps: - - run: echo test - shell: bash - From 426f623f9a4e93f4cfae333fbbacec12bfc86474 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Thu, 27 Feb 2025 14:21:22 -0600 Subject: [PATCH 07/31] Confining to just javascript --- .github/workflows/codeql.yml | 19 +++++++++++++++++++ .github/workflows/dependency-review.yml | 2 +- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e69de29..c3dc390 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -0,0 +1,19 @@ +name: CodeQL + +on: + pull_request: + branches: [ main ] + # will skip CodeQL for changes in the following paths (docs, tests, etc) + push: + branches: [ main ] + # schedule: + # - cron: '21 6 * * 0' + workflow_dispatch: + +jobs: + codeql-javascript: + uses: hyperwallet/public-security-workflows/.github/workflows/codeql-javascript.yml@main + with: + # optional input for longer-running builds + timeout-minutes: 25 + diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 55f2f28..b6977f0 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -21,4 +21,4 @@ on: jobs: dependency-review: - uses: hyperwallet/security-workflows/.github/workflows/dependency-review.yml@main + uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main From 29e27a05702ae481c22bb5a34e30c02cfd805f23 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Thu, 27 Feb 2025 14:38:54 -0600 Subject: [PATCH 08/31] Updating styling --- .github/workflows/codeql.yml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c3dc390..4f05ee8 100644 --- a/.github/workflows/codeql.yml 
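Review bot: The comment `# will skip CodeQL for changes in the following paths (docs, tests, etc)` under `pull_request:` in the codeql.yml hunk has no `paths-ignore:` beneath it, so nothing is skipped and the comment misleads the next reader; either add the filter it describes (constructed example: `paths-ignore:` with `- 'docs/**'` and `- '**/*.md'` entries under both `pull_request:` and `push:`) or delete the comment. The comment is kept through patches 08 and 25 and is copied verbatim into dependency-review.yml in patch 26, where it talks about CodeQL in a workflow that is not CodeQL; patches 29 and 31 finally remove both copies.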
+++ b/.github/workflows/codeql.yml @@ -2,12 +2,22 @@ name: CodeQL on: pull_request: - branches: [ main ] + branches: + - master + - support/SDK-V3 + - feature/** + - bugfix/** + - dependabot/** + - feature/security-workflows # will skip CodeQL for changes in the following paths (docs, tests, etc) push: - branches: [ main ] - # schedule: - # - cron: '21 6 * * 0' + branches: + - master + - support/SDK-V3 + - feature/** + - bugfix/** + - dependabot/** + - feature/security-workflows workflow_dispatch: jobs: From 5e2df5fee476c31fb55ac25b4c3a722b8aefdfe8 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Thu, 27 Feb 2025 14:47:12 -0600 Subject: [PATCH 09/31] Testing more --- .github/workflows/test.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..d6172c7 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,26 @@ +name: CodeQL (Javascript) + +on: + push: + +jobs: + analyze: + name: Code Scanning - CodeQL + runs-on: ubuntu-latest. + timeout-minutes: ${{ inputs.timeout-minutes }} + permissions: + security-events: write + # required to fetch internal or private CodeQL packs + packages: read + # only required for workflows in private repositories + actions: read + contents: read + strategy: + fail-fast: false + + steps: + - uses: hyperwallet/public-security-workflows/codeql@main + with: + language: javascript-typescript + build-mode: 'none' + timeout-minutes: 25 From e23f9c02454e029a7589f821b4387651af47dea8 Mon Sep 17 00:00:00 2001 From: palguindigue <86317480+palguindigue@users.noreply.github.com> Date: Thu, 27 Feb 2025 15:00:57 -0600 Subject: [PATCH 10/31] Update test.yml --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d6172c7..2b87b91 100644 --- a/.github/workflows/test.yml 
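Review bot: The `analyze` job's only step is `uses: hyperwallet/public-security-workflows/codeql@main` with no `actions/checkout` before it, so unless that composite action performs its own checkout (not visible here) the CodeQL init/analyze steps run against an empty workspace; add `- uses: actions/checkout@v4` as the first step or confirm the action does it. `strategy: fail-fast: false` has no `matrix:` beneath it and is a no-op, and `timeout-minutes: 25` is set both as the job key (which Actions enforces) and as an input to the action, whose meaning depends on the action, so keep one. The same job body is copied into codeql.yml in patch 25, where these points apply to the workflow that survives the series. The `runs-on: ubuntu-latest.` trailing dot and the undefined `${{ inputs.timeout-minutes }}` are fixed in patches 11 and 12.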
+++ b/.github/workflows/test.yml @@ -23,4 +23,4 @@ jobs: with: language: javascript-typescript build-mode: 'none' - timeout-minutes: 25 + timeout-minutes: "25" From 6c097a56b5efee809200313ebccb61284df3b45b Mon Sep 17 00:00:00 2001 From: palguindigue <86317480+palguindigue@users.noreply.github.com> Date: Thu, 27 Feb 2025 15:16:20 -0600 Subject: [PATCH 11/31] Update test.yml --- .github/workflows/test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2b87b91..56c67de 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,4 +1,4 @@ -name: CodeQL (Javascript) +name: CodeQL (Javascript) Test on: push: @@ -7,7 +7,7 @@ jobs: analyze: name: Code Scanning - CodeQL runs-on: ubuntu-latest. - timeout-minutes: ${{ inputs.timeout-minutes }} + timeout-minutes: 25 permissions: security-events: write # required to fetch internal or private CodeQL packs @@ -23,4 +23,4 @@ jobs: with: language: javascript-typescript build-mode: 'none' - timeout-minutes: "25" + timeout-minutes: 25 From 86b1121808667ae29ed461315425b66ed9f9cceb Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 09:04:20 -0600 Subject: [PATCH 12/31] Update test.yml --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 56c67de..d1e3805 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -6,7 +6,7 @@ on: jobs: analyze: name: Code Scanning - CodeQL - runs-on: ubuntu-latest. + runs-on: ubuntu-latest timeout-minutes: 25 permissions: security-events: write From 83ec0b42b74968b80d47c366c8751cfcf774b4b9 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 09:22:34 -0600 Subject: [PATCH 13/31] Update dependency-review.yml --- .github/workflows/dependency-review.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index b6977f0..6c5807e 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -21,4 +21,9 @@ on: jobs: dependency-review: - uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main + runs-on: ubuntu-latest # Specify the type of runner that the job will run on + steps: + - name: Checkout code # This step checks out the repository code + uses: actions/checkout@v2 + - name: Use Dependency Review Action from another repository + uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main From 92ef11ef14e5c9fe773f02a7145cce57a21dd626 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 09:23:56 -0600 Subject: [PATCH 14/31] Update dependency-review.yml --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 6c5807e..14cac91 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -24,6 +24,6 @@ jobs: runs-on: ubuntu-latest # Specify the type of runner that the job will run on steps: - name: Checkout code # This step checks out the repository code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Use Dependency Review Action from another repository uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main From ced26109735cc7c5a06d8305ebd010aae0cfdd8b Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 09:34:16 -0600 Subject: [PATCH 15/31] Update dependency-review.yml --- .github/workflows/dependency-review.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 14cac91..fbea5f9 100644 
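Review bot: The second step, `uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main`, points a step-level `uses:` at a reusable workflow file; a step can only reference an action (a directory containing `action.yml`, or a Docker/JavaScript action), so this step fails at runtime when the runner looks for an action definition at that path. A reusable workflow is called from the job itself, which is what the removed line did: `dependency-review:` followed by `uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main`, with no `runs-on` or `steps`, and checkout is then the called workflow's responsibility. The same step-level reference reappears in patches 17, 22 and 26; patch 29 returns to the job-level form.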
--- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -25,5 +25,7 @@ jobs: steps: - name: Checkout code # This step checks out the repository code uses: actions/checkout@v4 + - name: Checkout cache # This step checks out the repository code + uses: actions/cache@v4 - name: Use Dependency Review Action from another repository uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main From f2ae8304ca6055085ad7860638c95c27ab8ecebe Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 09:42:18 -0600 Subject: [PATCH 16/31] Update test.yml --- .github/workflows/test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d1e3805..c36b31f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,7 +2,6 @@ name: CodeQL (Javascript) Test on: push: - jobs: analyze: name: Code Scanning - CodeQL From 8c57a4b603b6bbb095b1fc2c4049fff0c1a7115f Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 09:49:29 -0600 Subject: [PATCH 17/31] All in one --- .github/workflows/test.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c36b31f..2d6e67b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,6 +2,7 @@ name: CodeQL (Javascript) Test on: push: + jobs: analyze: name: Code Scanning - CodeQL 
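Review bot: The added `- uses: actions/cache@v4` step has no `with:` block, but `path` and `key` are required inputs of that action, so the step fails before the dependency review runs; if caching is wanted, add the inputs for the package manager in use (constructed example: `path: ~/.npm` and `key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}`), otherwise drop the step. Its name and comment, `Checkout cache # This step checks out the repository code`, are copied from the checkout step and do not describe what cache does. Patch 26 removes the step again.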
@@ -9,17 +10,20 @@ jobs: timeout-minutes: 25 permissions: security-events: write - # required to fetch internal or private CodeQL packs packages: read - # only required for workflows in private repositories actions: read contents: read strategy: fail-fast: false - steps: - uses: hyperwallet/public-security-workflows/codeql@main with: language: javascript-typescript - build-mode: 'none' + build-mode: 'none' timeout-minutes: 25 + + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Use Dependency Review Action from another repository + uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main \ No newline at end of file From b04197a382b661f377f0be0983aef29afbb0b37c Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 09:52:04 -0600 Subject: [PATCH 18/31] Update test.yml --- .github/workflows/test.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2d6e67b..7724d65 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -23,7 +23,7 @@ jobs: timeout-minutes: 25 dependency-review: - runs-on: ubuntu-latest - steps: - - name: Use Dependency Review Action from another repository - uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main \ No newline at end of file + uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main + with: + # Include any required inputs for the dependency-review workflow here + secrets: inherit \ No newline at end of file From 8f9c0943f9c24f2dd2e29940a2d7e58367d61660 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 10:21:54 -0600 Subject: [PATCH 19/31] Update test.yml --- .github/workflows/test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7724d65..23e78b8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -2,7 +2,6 @@ name: CodeQL (Javascript) Test on: push: - jobs: analyze: name: Code Scanning - CodeQL From c4bf0fb52fa89fbd12ec19206bf71952232e707a Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 10:23:34 -0600 Subject: [PATCH 20/31] Update test.yml --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 23e78b8..68d7854 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,6 +2,7 @@ name: CodeQL (Javascript) Test on: push: + jobs: analyze: name: Code Scanning - CodeQL From 4780b6c0f568c144ecb668c1a3f7dbbdfb6a2493 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 10:25:15 -0600 Subject: [PATCH 21/31] Update test.yml --- .github/workflows/test.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 68d7854..36f59be 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,7 +2,7 @@ name: CodeQL (Javascript) Test on: push: - + jobs: analyze: name: Code Scanning - CodeQL @@ -24,6 +24,4 @@ jobs: dependency-review: uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main - with: - # Include any required inputs for the dependency-review workflow here - secrets: inherit \ No newline at end of file + \ No newline at end of file From b5615901ddc08d66056627869d6a6165c220e7ef Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 10:34:52 -0600 Subject: [PATCH 22/31] Update test.yml --- .github/workflows/test.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 36f59be..c750c25 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -23,5 +23,10 @@ jobs: timeout-minutes: 25 dependency-review: - uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main + runs-on: ubuntu-latest # Specify the type of runner that the job will run on + steps: + - name: Checkout code # This step checks out the repository code + uses: actions/checkout@v4 + - name: Use Dependency Review Action from another repository + uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main \ No newline at end of file From 62e92b14e91ba5f0e66691617e43b6c8b78fc108 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 10:42:39 -0600 Subject: [PATCH 23/31] try --- .github/workflows/test.yml | 43 +++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 24 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c750c25..70d912c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -4,29 +4,24 @@ on: push: jobs: - analyze: - name: Code Scanning - CodeQL - runs-on: ubuntu-latest - timeout-minutes: 25 - permissions: - security-events: write - packages: read - actions: read - contents: read - strategy: - fail-fast: false - steps: - - uses: hyperwallet/public-security-workflows/codeql@main - with: - language: javascript-typescript - build-mode: 'none' - timeout-minutes: 25 - - dependency-review: - runs-on: ubuntu-latest # Specify the type of runner that the job will run on - steps: - - name: Checkout code # This step checks out the repository code - uses: actions/checkout@v4 - - name: Use Dependency Review Action from another repository + analyze: + name: Code Scanning - CodeQL + runs-on: ubuntu-latest + timeout-minutes: 25 + permissions: + security-events: write + packages: read + actions: read + contents: read + strategy: + fail-fast: false + steps: + - uses: hyperwallet/public-security-workflows/codeql@main + with: + language: javascript-typescript + build-mode: 'none' + timeout-minutes: 25 + + dependency-review: uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main \ No newline at end of file From 4f9ea195e120439422e88174b59e2e367ba8f157 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 10:44:14 -0600 Subject: [PATCH 24/31] Update test.yml --- .github/workflows/test.yml | 41 +++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 70d912c..5a9e732 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -4,24 +4,23 @@ on: push: jobs: - analyze: - name: Code Scanning - CodeQL - runs-on: ubuntu-latest - timeout-minutes: 25 - permissions: - security-events: write - packages: read - actions: read - contents: read - strategy: - fail-fast: false - steps: - - uses: hyperwallet/public-security-workflows/codeql@main - with: - language: javascript-typescript - build-mode: 'none' - timeout-minutes: 25 - - dependency-review: - uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main - \ No newline at end of file + analyze: + name: Code Scanning - CodeQL + runs-on: ubuntu-latest + timeout-minutes: 25 + permissions: + security-events: write + packages: read + actions: read + contents: read + strategy: + fail-fast: false + steps: + - uses: hyperwallet/public-security-workflows/codeql@main + with: + language: javascript-typescript + build-mode: 'none' + timeout-minutes: 25 + + dependency-review: + uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main \ No newline at end of file From 77ab9a7ddf8e4657c4b59e0799adb17297f300f6 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 11:02:17 -0600 Subject: [PATCH 25/31] Update codeql.yml --- .github/workflows/codeql.yml | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4f05ee8..938d928 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,4 +1,4 @@ -name: CodeQL +name: CodeQL (Javascript) Test on: pull_request: 
@@ -21,9 +21,21 @@ on: workflow_dispatch: jobs: - codeql-javascript: - uses: hyperwallet/public-security-workflows/.github/workflows/codeql-javascript.yml@main - with: - # optional input for longer-running builds - timeout-minutes: 25 - + analyze: + name: Code Scanning - CodeQL + runs-on: ubuntu-latest + timeout-minutes: 25 + permissions: + security-events: write + packages: read + actions: read + contents: read + strategy: + fail-fast: false + steps: + - uses: hyperwallet/public-security-workflows/codeql@main + with: + language: javascript-typescript + build-mode: 'none' + timeout-minutes: 25 + From 509d288ef23e287b6bf56297773582b0e7aebbb7 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 11:04:53 -0600 Subject: [PATCH 26/31] Update dependency-review.yml --- .github/workflows/dependency-review.yml | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index fbea5f9..e74ddff 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -9,8 +9,9 @@ on: - bugfix/** - dependabot/** - feature/security-workflows + # will skip CodeQL for changes in the following paths (docs, tests, etc) push: - branches: + branches: - master - support/SDK-V3 - feature/** 
@@ -20,12 +21,17 @@ on: workflow_dispatch: jobs: - dependency-review: - runs-on: ubuntu-latest # Specify the type of runner that the job will run on + analyze: + name: DepReview - CodeQL + runs-on: ubuntu-latest + timeout-minutes: 25 + permissions: + security-events: write + packages: read + actions: read + contents: read + strategy: + fail-fast: false steps: - - name: Checkout code # This step checks out the repository code - uses: actions/checkout@v4 - - name: Checkout cache # This step checks out the repository code - uses: actions/cache@v4 - - name: Use Dependency Review Action from another repository - uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main + - uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main + \ No newline at end of file From f5a74d955bfcf98fee11a5c32a7b7f4dd2bdb35a Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 11:05:26 -0600 Subject: [PATCH 27/31] Update codeql.yml --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 938d928..2e701d0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,4 +1,4 @@ -name: CodeQL (Javascript) Test +name: CodeQL (Javascript) on: pull_request: From db4882e6449abcafb40b8b0f3fc184dec4f022da Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 11:09:17 -0600 Subject: [PATCH 28/31] Update test.yml --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5a9e732..8b872dc 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,6 +2,7 @@ name: CodeQL (Javascript) Test on: push: + pull_request: jobs: analyze: From 69b7de73bdd686ff83a0658f2e7642fe0ffb8cf0 Mon Sep 17 00:00:00 2001 
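Review bot: The rewritten job grants `security-events: write`, `packages: read` and `actions: read` to a job whose only step is the dependency review; those permissions are copied from the CodeQL job in codeql.yml and are not needed to diff dependency manifests, so trim the block to `contents: read` (plus `pull-requests: write` only if the called workflow posts a PR comment). The job is also renamed `analyze` with `name: DepReview - CodeQL`, which labels a dependency review as CodeQL in the checks UI. The step-level `uses:` of the reusable workflow file is the same defect noted on patch 13, and `strategy: fail-fast: false` without a matrix is a no-op. Patch 29 replaces this job with a job-level `uses:`, which makes the block moot, but the copied permissions should not be reused as a template elsewhere.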
From: Pablo Alguindigue Date: Mon, 3 Mar 2025 11:13:32 -0600 Subject: [PATCH 29/31] Update dependency-review.yml --- .github/workflows/dependency-review.yml | 32 ++----------------------- 1 file changed, 2 insertions(+), 30 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index e74ddff..e74087c 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -2,36 +2,8 @@ name: Dependency Review on: pull_request: - branches: - - master - - support/SDK-V3 - - feature/** - - bugfix/** - - dependabot/** - - feature/security-workflows - # will skip CodeQL for changes in the following paths (docs, tests, etc) push: - branches: - - master - - support/SDK-V3 - - feature/** - - bugfix/** - - dependabot/** - - feature/security-workflows - workflow_dispatch: jobs: - analyze: - name: DepReview - CodeQL - runs-on: ubuntu-latest - timeout-minutes: 25 - permissions: - security-events: write - packages: read - actions: read - contents: read - strategy: - fail-fast: false - steps: - - uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main - \ No newline at end of file + dependency-review: + uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main \ No newline at end of file From e4fb8c9be8ac379d511ab399c41786ac143097aa Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 11:16:37 -0600 Subject: [PATCH 30/31] Removing test workflow --- .github/workflows/test.yml | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml deleted file mode 100644 index 8b872dc..0000000 --- a/.github/workflows/test.yml +++ /dev/null 
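Review bot: The final trigger block keeps `push:` for a job whose only content is the dependency-review reusable workflow; the dependency review action compares manifests between a PR's base and head refs and, without explicit `base-ref`/`head-ref` inputs (none are passed here), only runs on `pull_request`-style events, so every push run is expected to fail or report nothing — unless the called workflow supplies those refs itself, which this hunk cannot show. Drop `push:` so the check only runs where it has a diff to evaluate; removing `workflow_dispatch:` is consistent for the same reason. With no `permissions:` on the caller, the called workflow runs with this repository's default token permissions, and for PRs from forks that token is read-only, which suits a read-only check but blocks any PR commenting the called workflow attempts. The file also ends without a trailing newline (`\ No newline at end of file`).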
@@ -1,27 +0,0 @@ -name: CodeQL (Javascript) Test - -on: - push: - pull_request: - -jobs: - analyze: - name: Code Scanning - CodeQL - runs-on: ubuntu-latest - timeout-minutes: 25 - permissions: - security-events: write - packages: read - actions: read - contents: read - strategy: - fail-fast: false - steps: - - uses: hyperwallet/public-security-workflows/codeql@main - with: - language: javascript-typescript - build-mode: 'none' - timeout-minutes: 25 - - dependency-review: - uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main \ No newline at end of file From ac547568b3579fdbe71af19bb1b05531d4eb16f9 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Mon, 3 Mar 2025 11:21:05 -0600 Subject: [PATCH 31/31] Updating triggers --- .github/workflows/codeql.yml | 17 +---------------- .github/workflows/dependency-review.yml | 2 +- 2 files changed, 2 insertions(+), 17 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2e701d0..7f0f90e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,23 +1,8 @@ -name: CodeQL (Javascript) +name: CodeQL (Javascript) - SAST on: pull_request: - branches: - - master - - support/SDK-V3 - - feature/** - - bugfix/** - - dependabot/** - - feature/security-workflows - # will skip CodeQL for changes in the following paths (docs, tests, etc) push: - branches: - - master - - support/SDK-V3 - - feature/** - - bugfix/** - - dependabot/** - - feature/security-workflows workflow_dispatch: jobs: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index e74087c..9e61d05 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,4 +1,4 @@ -name: Dependency Review +name: CodeQL Dependency Review - SCA on: pull_request:
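Review bot: With both `push:` and `pull_request:` left unfiltered in codeql.yml, every pull request opened from a branch in this repository triggers the CodeQL job twice (once for the push to the head branch, once for the PR), doubling scan minutes and producing two code-scanning uploads for the same commit; restrict `push:` to the branches whose alerts matter, e.g. `push:` / `branches: [master]` (`master` being the name from the lists this patch removes), and keep `pull_request:` unfiltered so PRs to any branch are still scanned. `workflow_dispatch:` remains useful for manual runs and can stay. The second hunk renames dependency-review.yml to `CodeQL Dependency Review - SCA`; dependency review is not a CodeQL feature, so `Dependency Review - SCA` would be the accurate label in the checks list.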