Merge pull request #279 from advanced-security/data-douser/cds-extractor-windows-os

data-douser · web-flow · commit 192a203be0b6 · 2025-12-30T18:31:41.000-07:00
Update `.github/workflows/*.yml` : YAML Lint, least-privilege `permissions` &amp;  actions versions
diff --git a/.github/workflows/cds-extractor-dist-bundle.yml b/.github/workflows/cds-extractor-dist-bundle.yml
@@ -3,7 +3,7 @@ name: CDS Extractor Distribution Bundle
 on:
   push:
     branches: [ main ]
-    paths: 
+    paths:
       - 'extractors/cds/**'
   pull_request:
     branches: [ main ]
@@ -12,77 +12,80 @@ on:
   workflow_dispatch:
     # This job can be manually triggered to validate the CDS extractor bundle
 
+permissions:
+  contents: read
+
 jobs:
   bundle-validation:
     name: CDS extractor bundle validation
     runs-on: ubuntu-latest
-    
+
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v5
-    
-    - name: Setup Node.js
-      uses: actions/setup-node@v6
-      with:
-        node-version: '20'
-        cache: 'npm'
-        cache-dependency-path: 'extractors/cds/tools/package-lock.json'
-    
-    - name: Install node dependencies
-      working-directory: extractors/cds/tools
-      run: npm ci
-    
-    - name: Run TS code linter
-      working-directory: extractors/cds/tools
-      run: npm run lint
-    
-    - name: Run TS code unit tests with coverage report
-      working-directory: extractors/cds/tools
-      run: npm run test:coverage
-    
-    - name: Build and validate the CDS extractor bundle
-      working-directory: extractors/cds/tools
-      run: npm run build:validate
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: 'extractors/cds/tools/package-lock.json'
+
+      - name: Install node dependencies
+        working-directory: extractors/cds/tools
+        run: npm ci
+
+      - name: Run TS code linter
+        working-directory: extractors/cds/tools
+        run: npm run lint
+
+      - name: Run TS code unit tests with coverage report
+        working-directory: extractors/cds/tools
+        run: npm run test:coverage
+
+      - name: Build and validate the CDS extractor bundle
+        working-directory: extractors/cds/tools
+        run: npm run build:validate
 
-    - name: Validate CDS extractor JS bundle and map files
-      working-directory: extractors/cds/tools
-      run: |
-        _bundle_file="dist/cds-extractor.bundle.js"
-        _bundle_map_file="${_bundle_file}.map"
-        if [ -f "$_bundle_file" ]; then
-          echo "✅ Bundle file exists."
-        else
-          echo "❌ Bundle file not found."
-          exit 2
-        fi
+      - name: Validate CDS extractor JS bundle and map files
+        working-directory: extractors/cds/tools
+        run: |
+          _bundle_file="dist/cds-extractor.bundle.js"
+          _bundle_map_file="${_bundle_file}.map"
+          if [ -f "$_bundle_file" ]; then
+            echo "✅ Bundle file exists."
+          else
+            echo "❌ Bundle file not found."
+            exit 2
+          fi
 
-        if [ -f "$_bundle_map_file" ]; then
-          echo "✅ CDS extractor JS bundle source map file exists."
-        else
-          echo "❌ CDS extractor JS bundle source map file not found."
-          exit 3
-        fi
+          if [ -f "$_bundle_map_file" ]; then
+            echo "✅ CDS extractor JS bundle source map file exists."
+          else
+            echo "❌ CDS extractor JS bundle source map file not found."
+            exit 3
+          fi
 
-        # Check if the built bundle and map files differ
-        # from the versions committed to git.
-        if git diff --exit-code "$_bundle_file" "$_bundle_map_file"; then
-          echo "✅ CDS JS bundle and map files match committed versions."
-        else
-          echo "❌ CDS JS bundle and/or map file(s) differ from committed version(s)."
-          echo "The built bundle and/or source map do not match the committed versions."
-          echo "Please rebuild the bundle and commit the changes:"
-          echo "  cd extractors/cds/tools"
-          echo "  npm install"
-          echo "  npm run build:all"
-          echo "  git add dist/cds-extractor.bundle.*"
-          echo "  git commit -m 'Update CDS extractor dist bundle'"
-          exit 4
-        fi
+          # Check if the built bundle and map files differ
+          # from the versions committed to git.
+          if git diff --exit-code "$_bundle_file" "$_bundle_map_file"; then
+            echo "✅ CDS JS bundle and map files match committed versions."
+          else
+            echo "❌ CDS JS bundle and/or map file(s) differ from committed version(s)."
+            echo "The built bundle and/or source map do not match the committed versions."
+            echo "Please rebuild the bundle and commit the changes:"
+            echo "  cd extractors/cds/tools"
+            echo "  npm install"
+            echo "  npm run build:all"
+            echo "  git add dist/cds-extractor.bundle.*"
+            echo "  git commit -m 'Update CDS extractor dist bundle'"
+            exit 4
+          fi
 
-        # Check if bundle file starts with the expected shebang for `node`.
-        if head -n 1 "${_bundle_file}" | grep -q "#!/usr/bin/env node"; then
-          echo "✅ Bundle has Node.js shebang"
-        else
-          echo "❌  Bundle missing Node.js shebang"
-          exit 5
-        fi
+          # Check if bundle file starts with the expected shebang for `node`.
+          if head -n 1 "${_bundle_file}" | grep -q "#!/usr/bin/env node"; then
+            echo "✅ Bundle has Node.js shebang"
+          else
+            echo "❌  Bundle missing Node.js shebang"
+            exit 5
+          fi
diff --git a/.github/workflows/code_scanning.yml b/.github/workflows/code_scanning.yml
@@ -10,6 +10,9 @@ on:
     - cron: '39 12 * * 2'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
 
@@ -39,7 +42,7 @@ jobs:
     - name: Extract CodeQL bundle version from qlt.conf.json
       run: |
         echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
-            
+
     - name: Initialize CodeQL
       id: initialize-codeql
       uses: github/codeql-action/init@v4
@@ -52,7 +55,7 @@ jobs:
         db-location: ${{ runner.temp }}/codeql-database
         tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
         debug: true
-    
+
     - name: Run CDS extractor
       shell: bash
       run: |
diff --git a/.github/workflows/codeql-ql.yml b/.github/workflows/codeql-ql.yml
@@ -7,6 +7,9 @@ on:
     branches: [ "main" ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   codeql:
     uses: advanced-security/reusable-workflows/.github/workflows/codeql-ql.yml@main
diff --git a/.github/workflows/run-codeql-unit-tests-javascript.yml b/.github/workflows/run-codeql-unit-tests-javascript.yml
@@ -10,6 +10,9 @@ on:
       - 'main'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   create-unit-test-matrix:
     name: Create CodeQL Unit Test Matrix
@@ -18,7 +21,7 @@ jobs:
       matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Install QLT
         id: install-qlt
@@ -43,7 +46,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Install QLT
         id: install-qlt
@@ -80,7 +83,7 @@ jobs:
       - name: Setup Node.js for CDS compilation
         uses: actions/setup-node@v6
         with:
-          node-version: '18'
+          node-version: '20'
           cache: 'npm'
           cache-dependency-path: 'extractors/cds/tools/package-lock.json'
 
@@ -121,7 +124,7 @@ jobs:
           --work-dir $RUNNER_TMP
 
       - name: Upload test results
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: test-results-${{ runner.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library_ident }}
           path: |
@@ -135,7 +138,7 @@ jobs:
     steps:
 
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Install QLT
         id: install-qlt
@@ -146,10 +149,9 @@ jobs:
 
 
       - name: Collect test results
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
 
       - name: Validate test results
         run: |
           qlt test run validate-unit-tests --pretty-print --results-directory . >> $GITHUB_STEP_SUMMARY
           qlt test run validate-unit-tests --results-directory .
-          
diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml
@@ -17,7 +17,7 @@ jobs:
 
         steps:
         - name: Checkout repository
-          uses: actions/checkout@v5
+          uses: actions/checkout@v6
 
         - name: Check latest CodeQL CLI version and update qlt.conf.json
           id: check-version
