From 137f616285caf3696a40ab1331f17c9d8e946eee Mon Sep 17 00:00:00 2001 From: Algis Dumbris Date: Fri, 22 May 2026 08:46:30 +0300 Subject: [PATCH 1/6] ci(053): add CodeQL analysis for Go + JS/TS (WP-B1) --- .github/workflows/codeql.yml | 53 ++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..825263f2 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,53 @@ +name: CodeQL Analysis + +on: + push: + branches: + - main + pull_request: + branches: + - main + schedule: + # Weekly scan — Tuesday 03:17 UTC (off-peak, avoids Monday congestion) + - cron: '17 3 * * 2' + +permissions: + security-events: write + packages: read + actions: read + contents: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + include: + - language: go + # build-mode: none — GA for Go in codeql-action v4; performs + # dependency-free source analysis without running `go build`. + # Preferred over autobuild here because the repo uses build tags + # (-tags server) that autobuild can't infer, and CGO on Ubuntu + # runners is fragile for cross-platform code. + build-mode: none + - language: javascript-typescript + # build-mode: none — default for JS/TS; no compilation needed. + build-mode: none + + steps: + - name: Checkout repository + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + + - name: Initialize CodeQL + uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 + with: + category: /language:${{ matrix.language }} 
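Review bot: The `Checkout repository` step in the `analyze` job leaves the job's GITHUB_TOKEN persisted in `.git/config` for the rest of the run, although nothing after it needs git credentials with `build-mode: none`; add `with: persist-credentials: false` under that step, which is what the scorecard workflow added later in this same series already does for its checkout. The job also has no `timeout-minutes:`, so a stuck CodeQL database build on the Go tree is bounded only by the runner's default multi-hour limit; a value on the order of `timeout-minutes: 60` keeps that cost contained. A `concurrency:` group keyed on `${{ github.workflow }}-${{ github.ref }}` with `cancel-in-progress: true`, as scorecard.yml has, would also stop superseded PR pushes from queuing full analyses.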
From 145ddd7741b9c82599c1bc94d5ec575b911c7ad3 Mon Sep 17 00:00:00 2001 From: Algis Dumbris Date: Fri, 22 May 2026 08:49:14 +0300 Subject: [PATCH 2/6] ci(053): add OpenSSF Scorecard workflow + README badge (WP-B2) --- .github/workflows/scorecard.yml | 65 +++++++++++++++++++++++++++++++++ README.md | 1 + 2 files changed, 66 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..4c9d6b6e --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,65 @@ +name: OpenSSF Scorecard + +on: + # Fires whenever branch protection rules change — one of the three canonical + # Scorecard triggers; lets the score update immediately after policy changes. + branch_protection_rule: + + # Weekly scan — Sunday 02:47 UTC (off-peak; spread from codeql's Tuesday slot) + schedule: + - cron: '47 2 * * 0' + + # Score every push to the default branch so the badge reflects current state. + push: + branches: + - main + +# Least-privilege default; the analysis job adds only what it needs. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + + # One concurrent run per ref; cancel in-progress if a newer push arrives. + concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + + permissions: + # Required to upload SARIF results to the repository Security tab. + security-events: write + # Required by ossf/scorecard-action when publish_results: true. + id-token: write + # Required to read source code. + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false + + - name: Run OpenSSF Scorecard + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 + with: + results_file: results.sarif + results_format: sarif + # publish_results: true publishes the score to the public Scorecard API + # (https://api.securityscorecards.dev) and enables the README badge. + # Requires id-token: write (OIDC) and only takes effect on the default + # branch; pull_request runs always skip publishing. 
+ publish_results: true + + - name: Upload SARIF artifact + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: scorecard-results + path: results.sarif + retention-days: 5 + + - name: Upload SARIF to GitHub Security tab + uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 + with: + sarif_file: results.sarif diff --git a/README.md b/README.md index bb4f27e2..ef8c3137 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ [![Go Reference](https://pkg.go.dev/badge/github.com/smart-mcp-proxy/mcpproxy-go.svg)](https://pkg.go.dev/github.com/smart-mcp-proxy/mcpproxy-go) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE) [![GitHub stars](https://img.shields.io/github/stars/smart-mcp-proxy/mcpproxy-go?style=social)](https://github.com/smart-mcp-proxy/mcpproxy-go/stargazers) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/smart-mcp-proxy/mcpproxy-go/badge)](https://securityscorecards.dev/viewer/?uri=github.com/smart-mcp-proxy/mcpproxy-go) MCPProxy — Supercharge AI Agents, Safely From 52fa46c326202fdc21029caaf0ff34e11d2f4306 Mon Sep 17 00:00:00 2001 From: Algis Dumbris Date: Fri, 22 May 2026 08:50:36 +0300 Subject: [PATCH 3/6] ci(053): add dependency-review gate on PRs (WP-B3) --- .github/workflows/dependency-review.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..7cc23801 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
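Review bot: The comment above `publish_results: true` says that "pull_request runs always skip publishing", but this workflow's triggers are `branch_protection_rule`, `schedule` and `push` to `main` — there is no `pull_request` trigger — so the sentence describes a path the workflow cannot take and will confuse the next reader; trim it to `# Only takes effect on the default branch.`. Note also that `cancel-in-progress: true` is keyed on `${{ github.ref }}`, which is `refs/heads/main` for all three triggers, so a scheduled run and a push-triggered run can cancel each other mid-publish; that is harmless for the score (the surviving run republishes) but worth a one-line comment so nobody reads a cancelled run as a failure.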
@@ -0,0 +1,22 @@ +name: Dependency Review + +on: + pull_request: + branches: [main] + +permissions: + contents: read + pull-requests: write + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + + - name: Dependency Review + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 + with: + fail-on-severity: high + comment-summary-in-pr: on-failure From 33e46f6a38792ab32dc74220707962e4e4d787e4 Mon Sep 17 00:00:00 2001 From: Algis Dumbris Date: Fri, 22 May 2026 08:52:38 +0300 Subject: [PATCH 4/6] ci(053): add Trivy image scan to scanner-images build (WP-B4) --- .github/workflows/scanner-images.yml | 39 ++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/.github/workflows/scanner-images.yml b/.github/workflows/scanner-images.yml index ecf16ba4..fcb0aac9 100644 --- a/.github/workflows/scanner-images.yml +++ b/.github/workflows/scanner-images.yml @@ -29,6 +29,7 @@ on: permissions: contents: read packages: write + security-events: write # required for SARIF upload to the Security tab jobs: build: 
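Review bot: This job only becomes a merge gate once the `dependency-review` check is marked required in branch protection for `main`, which a workflow file cannot do by itself; the commit message calls it a gate, so the PR description should state that the required-status-check setting was (or must be) enabled, and the Scorecard workflow in this series will reflect it under Branch-Protection. The `Checkout` step should carry `persist-credentials: false`, since no later step performs git operations with the token. For pull requests from forks the `pull-requests: write` grant is downgraded to read, so `comment-summary-in-pr: on-failure` cannot post; I believe the action degrades to a log message in that case, but it is worth confirming rather than discovering it on the first external PR. The review also covers only manifests GitHub's dependency graph understands, so the Go and npm lockfiles must be checked in for it to see anything.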
@@ -95,3 +96,41 @@ jobs: labels: | org.opencontainers.image.source=https://github.com/smart-mcp-proxy/mcpproxy-go org.opencontainers.image.revision=${{ github.sha }} + + # Trivy image scan — runs only on push/workflow_dispatch (not pull_request) because + # multi-platform builds (linux/amd64,linux/arm64) cannot be loaded to the runner with + # `load: true`, so there is no local image to scan on PRs. On push the image is + # already in GHCR and Trivy pulls it directly. + # exit-code: '0' → report-only, never fails the build. Scanner base images routinely + # carry unfixable CVEs (upstream OS packages); blocking builds on those would create + # constant noise with no actionable remediation. Visibility via the Security tab and + # the workflow log is the goal. + - name: Scan image with Trivy + if: github.event_name != 'pull_request' + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 + with: + image-ref: ${{ matrix.image }}:${{ steps.tags.outputs.short_sha }} + scan-type: image + severity: 'CRITICAL,HIGH' + ignore-unfixed: true + exit-code: '0' + format: table + + - name: Upload Trivy SARIF to Security tab + if: github.event_name != 'pull_request' + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 + with: + image-ref: ${{ matrix.image }}:${{ steps.tags.outputs.short_sha }} + scan-type: image + severity: 'CRITICAL,HIGH' + ignore-unfixed: true + exit-code: '0' + format: sarif + output: trivy-results-${{ matrix.id }}.sarif + + - name: Upload SARIF + if: github.event_name != 'pull_request' + uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 + with: + sarif_file: trivy-results-${{ matrix.id }}.sarif + category: trivy-${{ matrix.id }} From 1c2264bce15a13d6a0bb3d9afada7f811fbbdfa3 Mon Sep 17 00:00:00 2001 
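Review bot: Both Trivy steps scan `${{ matrix.image }}:${{ steps.tags.outputs.short_sha }}`, which the comment notes is a multi-platform (linux/amd64,linux/arm64) manifest; when Trivy is handed a manifest list it resolves it to a single platform image — the runner's, i.e. linux/amd64 — so the arm64 variant that was also pushed is never scanned and any arm64-only package differences go unreported. Trivy's `--platform` flag (settable as `TRIVY_PLATFORM` in the step's `env:`) selects the variant, so either scan both explicitly or document in the comment that only the amd64 layer is covered. As a smaller point, the table and SARIF steps each pull and scan the same image independently; keeping only the SARIF step (the Security tab is the stated goal) or at least noting that the duplicate is deliberate for log visibility would make the intent clear.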
From: Algis Dumbris Date: Fri, 22 May 2026 09:04:53 +0300 Subject: [PATCH 5/6] ci(053): pin all GitHub Actions to commit SHAs (WP-B5) --- .../actions/build-linux-packages/action.yml | 2 +- .github/workflows/claude-md-check.yml | 2 +- .github/workflows/codeql.yml | 6 +- .github/workflows/docs.yml | 6 +- .github/workflows/e2e-tests.yml | 36 +++++------ .github/workflows/frontend.yml | 8 +-- .github/workflows/pr-build.yml | 24 ++++---- .github/workflows/prerelease.yml | 20 +++---- .github/workflows/release.yml | 60 +++++++++---------- .github/workflows/retry-sign-release.yml | 12 ++-- .github/workflows/scanner-images.yml | 10 ++-- .github/workflows/test-macos-build.yml | 6 +- .github/workflows/unit-tests.yml | 36 +++++------ 13 files changed, 114 insertions(+), 114 deletions(-) diff --git a/.github/actions/build-linux-packages/action.yml b/.github/actions/build-linux-packages/action.yml index 94ef7efc..bddfb5d9 100644 --- a/.github/actions/build-linux-packages/action.yml +++ b/.github/actions/build-linux-packages/action.yml @@ -43,7 +43,7 @@ runs: ls -la linux-packages/ - name: Upload Linux packages artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: linux-packages-${{ inputs.goarch }} path: linux-packages/* diff --git a/.github/workflows/claude-md-check.yml b/.github/workflows/claude-md-check.yml index 9d08bcf8..ec1198e4 100644 --- a/.github/workflows/claude-md-check.yml +++ b/.github/workflows/claude-md-check.yml @@ -9,7 +9,7 @@ jobs: check-size: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check CLAUDE.md size run: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 825263f2..a608c296 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
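Review bot: SHA pinning only stays safe if something bumps the pins, and nothing in this patch's diffstat adds a `.github/dependabot.yml` (or Renovate config) with the `github-actions` ecosystem, so these commits will silently fall behind upstream security releases; if patch 6 of the series does not add one, it should, e.g. a `package-ecosystem: "github-actions"` entry with `directory: "/"` and a weekly schedule. Keep the trailing `# vX.Y.Z` comments exactly in that form, since Dependabot uses them to update the version label alongside the SHA. Also note the `.github/actions/build-linux-packages/action.yml` hunk pins a composite action's inner step, which is good, but any callers of that composite action elsewhere in the repo that reference it by path are outside this view and should be checked for the same treatment.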
@@ -39,15 +39,15 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Initialize CodeQL - uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 + uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 + uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 with: category: /language:${{ matrix.language }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 3f051867..a2302e05 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -21,10 +21,10 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' cache: 'npm' @@ -59,7 +59,7 @@ jobs: github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'smart-mcp-proxy/mcpproxy-go' - uses: cloudflare/wrangler-action@v3 + uses: cloudflare/wrangler-action@9681c2997648301493e78cacbfb790a9f19c833f # v3.9.0 with: apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index f1af15d5..0c248ea6 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml 
@@ -13,10 +13,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' cache: 'npm' @@ -29,7 +29,7 @@ jobs: run: cd frontend && npm run build - name: Upload frontend artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: frontend-dist-e2e path: frontend/dist/ @@ -52,10 +52,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: ${{ matrix.go-version }} cache: true @@ -67,7 +67,7 @@ jobs: run: go mod verify - name: Download frontend artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: frontend-dist-e2e path: frontend/dist @@ -176,16 +176,16 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25" cache: true - name: Download frontend artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: frontend-dist-e2e path: frontend/dist @@ -239,7 +239,7 @@ jobs: go tool cover -html=coverage-logs.out -o coverage-logs.html - name: Upload coverage reports - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: file: ./coverage.out flags: e2e-tests 
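Review bot: The `Upload coverage reports` step is pinned to `codecov/codecov-action@ab904c41…` (v3.1.6), which freezes the workflow on a superseded major whose bundled uploader Codecov has deprecated; pinning is the right move, but it should be paired with a bump to the current major, which as I recall requires `token: ${{ secrets.CODECOV_TOKEN }}` and renames the `file:` input to `files:`. Because that upgrade is a behaviour change rather than a pin, it belongs in its own commit after this series lands rather than mixed into the pinning pass. The surrounding job body continues outside this hunk.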
@@ -272,16 +272,16 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25" cache: true - name: Download frontend artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: frontend-dist-e2e path: frontend/dist @@ -433,10 +433,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25" cache: true @@ -460,16 +460,16 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25" cache: true - name: Download frontend artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: frontend-dist-e2e path: frontend/dist diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml index a639f49a..d621749d 100644 --- a/.github/workflows/frontend.yml +++ b/.github/workflows/frontend.yml @@ -17,10 +17,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' cache: 'npm' 
@@ -42,8 +42,8 @@ jobs: run: cd frontend && npm run build - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: frontend-dist path: frontend/dist/ - retention-days: 7 \ No newline at end of file + retention-days: 7 diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 3c4c299a..25ab4466 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -16,7 +16,7 @@ jobs: latest_tag: ${{ steps.version.outputs.latest_tag }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 @@ -47,10 +47,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25" @@ -66,10 +66,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' cache: 'npm' @@ -82,7 +82,7 @@ jobs: run: cd frontend && npm run build - name: Upload frontend artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: frontend-dist-pr path: frontend/dist/ 
@@ -136,12 +136,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25" cache: false # Disable built-in cache to use explicit cache step below @@ -153,7 +153,7 @@ jobs: rm -rf ~/go/pkg/mod/golang.org/toolchain* || true - name: Cache Go modules and build - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.cache/go-build @@ -167,7 +167,7 @@ jobs: run: go mod download - name: Download frontend artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: frontend-dist-pr path: frontend/dist @@ -357,7 +357,7 @@ jobs: echo "Production builds go through full notarization in release workflow" - name: Upload archive artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: archive-${{ matrix.goos }}-${{ matrix.goarch }} path: mcpproxy-*-${{ matrix.goos }}-${{ matrix.goarch }}.${{ matrix.archive_format }} @@ -365,7 +365,7 @@ jobs: - name: Upload macOS installer DMG if: matrix.goos == 'darwin' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: installer-dmg-${{ matrix.goos }}-${{ matrix.goarch }} path: mcpproxy-*-darwin-${{ matrix.goarch }}-installer.dmg diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index e04e643c..8fd5684a 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml 
@@ -62,17 +62,17 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25" - name: Cache Go modules and build - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.cache/go-build @@ -86,7 +86,7 @@ jobs: run: go mod download - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' @@ -463,7 +463,7 @@ jobs: - name: Upload Windows installer artifact (Prerelease) if: matrix.goos == 'windows' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: installer-windows-${{ matrix.goarch }} path: dist/mcpproxy-setup-*-${{ matrix.goarch }}.exe @@ -698,7 +698,7 @@ jobs: fi - name: Upload versioned archive artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: versioned-${{ matrix.goos }}-${{ matrix.goarch }} path: mcpproxy-*-${{ matrix.goos }}-${{ matrix.goarch }}.${{ matrix.archive_format }} @@ -743,7 +743,7 @@ jobs: - name: Upload macOS installers artifact if: matrix.goos == 'darwin' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: installers-${{ matrix.goos }}-${{ matrix.goarch }} path: installers-artifact/* @@ -757,12 +757,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Download all artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: dist 
@@ -843,7 +843,7 @@ jobs: echo "CLEAN_VERSION=${VERSION}" >> $GITHUB_ENV - name: Create prerelease with binaries - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: files: release-files/* prerelease: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9cd75ea1..a252f593 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 # Full history for git log @@ -179,7 +179,7 @@ jobs: echo "notes_file=$NOTES_FILE" >> $GITHUB_OUTPUT - name: Upload release notes artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: release-notes path: RELEASE_NOTES-${{ github.ref_name }}.md @@ -249,24 +249,24 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Download release notes artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: release-notes path: . continue-on-error: true # Don't fail if notes not yet available - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25" - name: Cache Go modules and build - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.cache/go-build @@ -280,7 +280,7 @@ jobs: run: go mod download - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' 
@@ -695,7 +695,7 @@ jobs: - name: Upload unsigned Windows installer for signing if: matrix.goos == 'windows' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 id: upload-unsigned-installer with: name: unsigned-installer-windows-${{ matrix.goarch }} @@ -909,13 +909,13 @@ jobs: fi - name: Upload versioned archive artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: versioned-${{ matrix.edition || 'personal' }}-${{ matrix.goos }}-${{ matrix.goarch }} path: mcpproxy-*-${{ matrix.goos }}-${{ matrix.goarch }}.${{ matrix.archive_format }} - name: Upload latest archive artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: latest-${{ matrix.edition || 'personal' }}-${{ matrix.goos }}-${{ matrix.goarch }} path: mcpproxy-latest-${{ matrix.goos }}-${{ matrix.goarch }}.${{ matrix.archive_format }} @@ -951,7 +951,7 @@ jobs: - name: Upload macOS installers artifact if: matrix.goos == 'darwin' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: installers-${{ matrix.goos }}-${{ matrix.goarch }} path: installers-artifact/* 
@@ -968,21 +968,21 @@ jobs: steps: - name: Download unsigned installer - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: unsigned-installer-windows-${{ matrix.arch }} path: unsigned - name: Re-upload for SignPath id: reupload - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: signpath-input-windows-${{ matrix.arch }} # Upload exe - GitHub Actions will ZIP it for SignPath path: unsigned/*.exe - name: Submit to SignPath for signing - uses: signpath/github-action-submit-signing-request@v1 + uses: signpath/github-action-submit-signing-request@ced31329c0317e779dad2eec2a7c3bb46ea1343e # v1.3 with: api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' organization-id: '84efd51b-c11c-4a85-82e6-7c3b1157d7ca' @@ -1020,7 +1020,7 @@ jobs: fi - name: Upload signed Windows installer - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: installer-windows-${{ matrix.arch }} path: signed/mcpproxy-setup-${{ github.ref_name }}-${{ matrix.arch }}.exe @@ -1034,14 +1034,14 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 - - uses: docker/setup-buildx-action@v3 - - uses: docker/login-action@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 + - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: docker/build-push-action@v5 + - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . push: true 
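Review bot: The release image job is now pinned to `docker/build-push-action@ca052bb5…` (v5.4.0) while the scanner-images workflow in the same series pins `docker/build-push-action@4f58ea79…` (v6.9.0), so the repository is frozen on two majors of the same action and a future bumper will open two separate upgrade paths; align release.yml to the same v6 pin, verifying the release build once since v6 changed build-summary defaults. The `docker/login-action` step still authenticates with `${{ secrets.GITHUB_TOKEN }}`, which is correct for GHCR and needs no change. The SignPath hunk just above is fine as pinned, but the `organization-id` literal appears in both release.yml and retry-sign-release.yml; a repository variable would keep the two from drifting.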
@@ -1060,12 +1060,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Download all artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: dist @@ -1146,7 +1146,7 @@ jobs: echo "CLEAN_VERSION=${VERSION}" >> $GITHUB_ENV - name: Create release with binaries - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: files: release-files/* body: | @@ -1262,7 +1262,7 @@ jobs: steps: - name: Checkout tap repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: repository: smart-mcp-proxy/homebrew-mcpproxy token: ${{ secrets.HOMEBREW_TAP_TOKEN }} @@ -1463,7 +1463,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install repo tooling run: | @@ -1472,7 +1472,7 @@ jobs: aws --version - name: Download package artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: release-artifacts pattern: linux-packages-* @@ -1502,10 +1502,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' cache: 'npm' @@ -1531,7 +1531,7 @@ jobs: npm run build - name: Deploy to Cloudflare Pages - uses: cloudflare/wrangler-action@v3 + uses: cloudflare/wrangler-action@9681c2997648301493e78cacbfb790a9f19c833f # v3.9.0 with: apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} 
@@ -1547,7 +1547,7 @@ jobs: steps: - name: Trigger marketing site update - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 with: token: ${{ secrets.MARKETING_SITE_DISPATCH_TOKEN }} repository: smart-mcp-proxy/mcpproxy.app-website @@ -1561,7 +1561,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/v') continue-on-error: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Extract version from tag id: version diff --git a/.github/workflows/retry-sign-release.yml b/.github/workflows/retry-sign-release.yml index 1da835cf..dc96dff9 100644 --- a/.github/workflows/retry-sign-release.yml +++ b/.github/workflows/retry-sign-release.yml @@ -47,13 +47,13 @@ jobs: - name: Re-upload for SignPath id: reupload - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: signpath-input-windows-${{ matrix.arch }} path: unsigned/*.exe - name: Submit to SignPath for signing - uses: signpath/github-action-submit-signing-request@v1 + uses: signpath/github-action-submit-signing-request@ced31329c0317e779dad2eec2a7c3bb46ea1343e # v1.3 with: api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' organization-id: '84efd51b-c11c-4a85-82e6-7c3b1157d7ca' @@ -89,7 +89,7 @@ jobs: fi - name: Upload signed Windows installer - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: installer-windows-${{ matrix.arch }} path: signed/mcpproxy-setup-${{ inputs.tag }}-${{ matrix.arch }}.exe @@ -101,7 +101,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: ${{ inputs.tag }} fetch-depth: 0 
@@ -133,7 +133,7 @@ jobs: find dist -type f | head -50 - name: Download signed Windows installers - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: dist pattern: installer-windows-*
@@ -225,7 +225,7 @@ jobs: echo "EOF" >> $GITHUB_OUTPUT - name: Create release with binaries - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: tag_name: ${{ inputs.tag }} files: release-files/*
diff --git a/.github/workflows/scanner-images.yml b/.github/workflows/scanner-images.yml
index fcb0aac9..1a0cd162 100644
--- a/.github/workflows/scanner-images.yml
+++ b/.github/workflows/scanner-images.yml
@@ -52,21 +52,21 @@ jobs: context: docker/scanners/proximity steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Skip if not selected if: ${{ github.event_name == 'workflow_dispatch' && inputs.scanner != '' && inputs.scanner != matrix.id }} run: echo "Skipping ${{ matrix.id }} (workflow_dispatch selected ${{ inputs.scanner }})" && exit 0 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 - name: Log in to GHCR if: ${{ github.event_name != 'pull_request' }} - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }}
@@ -85,7 +85,7 @@ jobs: fi - name: Build and push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: ${{ matrix.context }} platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/test-macos-build.yml b/.github/workflows/test-macos-build.yml
index 316352c3..1c1b9c54 100644
--- a/.github/workflows/test-macos-build.yml
+++ b/.github/workflows/test-macos-build.yml
@@ -7,10 +7,10 @@ jobs: build-macos: runs-on: macos-15 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.24'
@@ -56,7 +56,7 @@ jobs: ./scripts/create-app-dmg.sh "$APP" vtest arm64 - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: macos-test-build path: |
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 766f0077..e0556132 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -13,10 +13,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' cache: 'npm'
@@ -29,7 +29,7 @@ jobs: run: cd frontend && npm run build - name: Upload frontend artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: frontend-dist path: frontend/dist/
@@ -40,10 +40,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25"
@@ -70,10 +70,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: ${{ matrix.go-version }} cache: true
@@ -85,7 +85,7 @@ jobs: run: go mod verify - name: Download frontend artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: frontend-dist path: frontend/dist
@@ -125,7 +125,7 @@ jobs: - name: Upload coverage to Codecov if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.23.10' - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 with: file: ./coverage.out flags: unittests
@@ -134,7 +134,7 @@ jobs: - name: Upload coverage artifacts if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.23.10' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: coverage-report path: |
@@ -151,15 +151,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25" - name: Download frontend artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: frontend-dist path: frontend/dist
@@ -171,7 +171,7 @@ jobs: cp -r frontend/dist web/frontend/ - name: golangci-lint - uses: golangci/golangci-lint-action@v7 + uses: golangci/golangci-lint-action@9fae48acfc02a90574d7c304a1758ef9895495fa # v7.0.1 with: version: v2.6.2 args: --timeout=5m
@@ -192,16 +192,16 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: "1.25" cache: true - name: Download frontend artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: frontend-dist path: frontend/dist
@@ -240,7 +240,7 @@ jobs: - name: Upload build artifacts if: matrix.os == 'ubuntu-latest' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: binaries path: mcpproxy-*
From deb39eebd494b3cb0a4a2ba43bcd8faa95719b9e Mon Sep 17 00:00:00 2001
From: Algis Dumbris
Date: Fri, 22 May 2026 09:43:23 +0300
Subject: [PATCH 6/6] fix(053): use autobuild for CodeQL Go analysis (build-mode:none unsupported for Go)
---
 .github/workflows/codeql.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a608c296..63bd6fe9 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,12 +27,11 @@ jobs: matrix: include: - language: go - # build-mode: none — GA for Go in codeql-action v4; performs - # dependency-free source analysis without running `go build`. - # Preferred over autobuild here because the repo uses build tags - # (-tags server) that autobuild can't infer, and CGO on Ubuntu - # runners is fragile for cross-platform code. - build-mode: none + # build-mode: autobuild — CodeQL 2.25.x does not support + # build-mode:none for Go; autobuild runs `go build ./...` which + # is sufficient because the standard module builds cleanly on + # ubuntu-latest (verified by the Build CI job). + build-mode: autobuild - language: javascript-typescript # build-mode: none — default for JS/TS; no compilation needed. build-mode: none
@@ -47,6 +46,10 @@ jobs: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} + - name: Autobuild + if: matrix.build-mode == 'autobuild' + uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 with:
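Review bot: Switching the Go entry to `build-mode: autobuild` silently narrows the analysis: the removed comment in this hunk says the repo builds with `-tags server`, and the new comment says autobuild runs `go build ./...`, which does not pass that tag, so files behind a `server` build constraint never take part in the build the Go extractor traces and are presumably left out of the CodeQL database. If the server-tagged code is meant to be scanned, use `build-mode: manual` for the Go matrix entry and replace the Autobuild step with an explicit build that passes the tag; if it is intentionally out of scope, say so in the comment instead of the current wording, which reads as if coverage were complete. The claim that the module builds cleanly on ubuntu-latest is inferred from another job, and the extraction diagnostics of the first CodeQL run would confirm whether any files were skipped. The `analyze` job these two hunks belong to starts and ends outside them.
```yaml
          - language: go
            # build-mode: manual — the module is built with `-tags server`,
            # which autobuild (`go build ./...`) would not pass; build it
            # explicitly so the server-tagged files are extracted too.
            build-mode: manual
    # … unchanged: javascript-typescript entry, checkout and init steps …
      - name: Build Go with repository build tags
        if: matrix.build-mode == 'manual'
        run: go build -tags server ./...
```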