From 19dcf4a6fae95c172e47f3c17e1e21bceff88925 Mon Sep 17 00:00:00 2001
From: "firstof9@gmail.com"
Date: Thu, 14 May 2026 09:52:35 -0700
Subject: [PATCH 1/4] chore: fix codeql.yml indentation

---
 .github/dependabot.yml | 5 +++++
 .github/workflows/codeql.yml | 39 ++++++++++++++++++++++++++++++++++++
 .github/workflows/links.yml | 20 ++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/links.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 28598133..17fc16e8 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,8 @@ updates:
 directory: "/" # Location of package manifests
 schedule:
 interval: "daily"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..8000dc40
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,39 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: ["main", "dev"]
+ pull_request:
+ branches: ["main", "dev"]
+ schedule:
+ - cron: '30 1 * * 6'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["python"]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
new file mode 100644
index 00000000..06239946
--- /dev/null
+++ b/.github/workflows/links.yml
@@ -0,0 +1,20 @@
+name: Links
+
+on:
+ push:
+ branches: ["main", "dev"]
+ pull_request:
+ branches: ["main", "dev"]
+ schedule:
+ - cron: "0 0 * * 1"
+
+jobs:
+ linkChecker:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Link Checker
+ uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
+ with:
+ args: --verbose --no-progress './**/*.md'

From 5cecaad28a93c043377786a00b6ea190e675d44e Mon Sep 17 00:00:00 2001
From: "firstof9@gmail.com"
Date: Thu, 14 May 2026 09:56:34 -0700
Subject: [PATCH 2/4] chore: add explicit permissions to release-drafter workflow

---
 .github/workflows/release-drafter.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 22e06631..64b2462b 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -5,6 +5,10 @@ on:
 branches:
 - main
 
+permissions:
+ contents: write
+ pull-requests: read
+
 jobs:
 update_release_draft:
 runs-on: ubuntu-latest

From c982ad89a1e8b37c1de55f2260a42cdc4b003fb4 Mon Sep 17 00:00:00 2001
From: Chris <1105672+firstof9@users.noreply.github.com>
Date: Thu, 14 May 2026 09:57:10 -0700
Subject: [PATCH 3/4] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/links.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index 06239946..eb2a6b41 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
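Review bot: The job id `linkChecker` in the new links.yml is the only camelCase id in this series; release-drafter.yml uses `update_release_draft` and the (later removed) codeql.yml uses `analyze`, so rename it to `link_checker` or settle on one convention for the repo. The checkout step is also the only one across these workflows without a `name:`; `- name: Checkout repository` before the `uses:` line keeps the run log consistent with the other workflows. Whether a broken link fails the scheduled run depends on the action's `fail` input, which I recall defaults to true in v2 of lychee-action but cannot confirm from the hunk; making it explicit with `fail: true` under `with:` removes the dependence on the default. The missing `permissions:` block is already addressed by patch 3 of this series.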
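Review bot: `contents: write` is granted at workflow scope in release-drafter.yml, so every job in the file receives a token that can write to the repository, while the only job visible in the hunk, `update_release_draft`, is the one that needs it. Prefer a workflow-level `permissions: contents: read` and move `contents: write` / `pull-requests: read` under that job; if the file holds no other jobs the effective grant is identical today, but the job-level placement stops a job added later from inheriting write access. The body of `update_release_draft` (its steps) lies outside the hunk, so I cannot see whether it needs anything beyond these two scopes.
```yaml
permissions:
  contents: read

jobs:
  update_release_draft:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: read
    # … unchanged: remainder of the job (outside the hunk) …
```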
@@ -8,6 +8,9 @@ on:
 schedule:
 - cron: "0 0 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
 linkChecker:
 runs-on: ubuntu-latest

From 9d443ad6752c70135899fa856059c99c5a9b726f Mon Sep 17 00:00:00 2001
From: "firstof9@gmail.com"
Date: Thu, 14 May 2026 10:01:36 -0700
Subject: [PATCH 4/4] chore: remove codeql.yml as it is handled by GitHub default setup

---
 .github/workflows/codeql.yml | 39 ------------------------------------
 1 file changed, 39 deletions(-)
 delete mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 8000dc40..00000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-name: "CodeQL"
-
-on:
- push:
- branches: ["main", "dev"]
- pull_request:
- branches: ["main", "dev"]
- schedule:
- - cron: '30 1 * * 6'
-
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
-
- strategy:
- fail-fast: false
- matrix:
- language: ["python"]
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
- with:
- languages: ${{ matrix.language }}
-
- - name: Autobuild
- uses: github/codeql-action/autobuild@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3