diff --git a/.github/instructions/github_workflows_yaml.instructions.md b/.github/instructions/github_workflows_yaml.instructions.md
new file mode 100644
index 000000000..b19b34cfd
--- /dev/null
+++ b/.github/instructions/github_workflows_yaml.instructions.md
@@ -0,0 +1,32 @@
+---
+applyTo: '.github/{actions,workflows}/*.{yml,yaml}'
+description: 'Instructions for editing GitHub Actions workflows for this repository.'
+---
+
+# Copilot Instructions for `.github/{actions,workflows}/*.{yml,yaml}` files
+
+## PURPOSE
+
+This file contains instructions for working with GitHub Actions YAML files in the `.github/actions/` and `.github/workflows/` directories of the `codeql-sap-js` repository.
+
+## REQUIREMENTS
+
+- **ALWAYS pin ALL external GitHub Actions to full-length commit SHAs, never to tags or branch names — including GitHub-maintained `actions/*` actions.** Add a trailing comment with the original tag for readability (e.g., `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`). To resolve a tag to its commit SHA, run `git ls-remote https://github.com/OWNER/REPO.git refs/tags/TAG^{}` (or `refs/heads/BRANCH` for branch-based refs).
+- ALWAYS use the principle of least privilege, and explicitly set `permissions` for workflows.
+- ALWAYS use valid YAML syntax and follow GitHub Actions workflow conventions.
+- ALWAYS follow best practices for GitHub Actions workflows including security, efficiency, and maintainability.
+- ALWAYS use descriptive names for workflows, jobs, and steps that clearly explain their purpose.
+
+## PREFERENCES
+
+- PREFER explicit permissions declarations using the `permissions` key for security.
+- PREFER descriptive step names that include the workflow context (e.g., "Tag - Checkout repository").
+- PREFER matrix strategies for testing multiple versions when applicable.
+- PREFER adding summary outputs using `$GITHUB_STEP_SUMMARY` for better workflow visibility.
+
+## CONSTRAINTS
+
+- **NEVER reference an external GitHub Action by tag or branch name (e.g., `@v6`, `@main`). ALWAYS use the full 40-character commit SHA with a `# tag` comment.**
+- NEVER use overly broad permissions.
+- NEVER leave any trailing whitespace on any line.
+- NEVER use deprecated GitHub Actions or workflow syntax. diff --git a/.github/workflows/cds-extractor-dist-bundle.yml b/.github/workflows/cds-extractor-dist-bundle.yml index 1d919b131..f2ccc4b69 100644 --- a/.github/workflows/cds-extractor-dist-bundle.yml +++ b/.github/workflows/cds-extractor-dist-bundle.yml @@ -22,10 +22,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: '20' cache: 'npm' diff --git a/.github/workflows/code_scanning.yml b/.github/workflows/code_scanning.yml index 04ae7caa1..2a2f6756a 100644 --- a/.github/workflows/code_scanning.yml +++ b/.github/workflows/code_scanning.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Extract CodeQL bundle version from qlt.conf.json run: | @@ -35,7 +35,7 @@ jobs: - name: Initialize CodeQL id: initialize-codeql - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@256d634097be96e792d6764f9edaefc4320557b1 # v4 env: # Add our custom extractor to the CodeQL search path CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"init":["--search-path","${{ github.workspace }}/extractors:${{ github.workspace }}"]}}' @@ -55,7 +55,7 @@ jobs: - name: Perform CodeQL Analysis id: analyze - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@256d634097be96e792d6764f9edaefc4320557b1 # v4 env: LGTM_INDEX_XML_MODE: all LGTM_INDEX_FILETYPES: ".json:JSON" 
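Review bot: The `# v6` comments on the new `actions/checkout` and `actions/setup-node` pins in this hunk record only a major tag, which is a moving ref, so the SHA-to-tag mapping they document cannot later be re-checked with the `git ls-remote ... refs/tags/TAG^{}` command that the instructions file added in this same commit prescribes. Record the exact release tag that the SHA was resolved from (the `vX.Y.Z` tag `git ls-remote` returned at pin time), e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # vX.Y.Z` with the real tag substituted. Tooling such as Dependabot reportedly reads that trailing comment when bumping SHA pins, so a precise tag also keeps automated updates coherent; the commit gives no indication of how the SHAs were verified, so that should be stated in the PR description or the comment.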
@@ -63,11 +63,11 @@ jobs: CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"run-queries":["--additional-packs","${{ github.workspace }}/javascript/frameworks/xsjs/ext:${{ github.workspace }}/javascript/frameworks/cap/ext:${{ github.workspace }}/javascript/frameworks/ui5/ext"],"interpret-results":["--additional-packs","${{ github.workspace }}/javascript/frameworks/xsjs/ext:${{ github.workspace }}/javascript/frameworks/cap/ext:${{ github.workspace }}/javascript/frameworks/ui5/ext"]}}' - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.10" - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: ~/.cache/pip key: ${{ runner.os }}-pip @@ -84,7 +84,7 @@ jobs: - name: Upload sarif change if: steps.validate.outcome != 'success' - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: sarif path: | diff --git a/.github/workflows/codeql-ql.yml b/.github/workflows/codeql-ql.yml index e2cec4e7f..448d4d507 100644 --- a/.github/workflows/codeql-ql.yml +++ b/.github/workflows/codeql-ql.yml @@ -12,5 +12,5 @@ permissions: jobs: codeql: - uses: advanced-security/reusable-workflows/.github/workflows/codeql-ql.yml@main + uses: advanced-security/reusable-workflows/.github/workflows/codeql-ql.yml@a0e88ede84d03cd069b01d18540db7fc86c52cf8 # main secrets: inherit diff --git a/.github/workflows/ql-unit-tests-linux.yml b/.github/workflows/ql-unit-tests-linux.yml index 0fbc05962..66cb3ebf5 100644 --- a/.github/workflows/ql-unit-tests-linux.yml +++ b/.github/workflows/ql-unit-tests-linux.yml 
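Review bot: The `actions/cache` step at the end of this hunk is still unnamed (`- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4` with no `name:`), which conflicts with the "ALWAYS use descriptive names for workflows, jobs, and steps" requirement the instructions file introduced by this same commit imposes on `.github/workflows/*.yml`. Add `- name: Cache pip packages` above the `uses:` line so the step is identifiable in run logs and in the summary output those instructions ask for. The remainder of the cache step (any `restore-keys`) lies outside the hunk.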
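Review bot: The `# main` comment on the pinned reusable workflow `advanced-security/reusable-workflows/.github/workflows/codeql-ql.yml@a0e88ede84d03cd069b01d18540db7fc86c52cf8` names a branch rather than a release, so it records neither which state of `main` was captured nor when, and a reader cannot later verify the pin the way a tag comment allows. Record the date the branch head was resolved alongside the branch name (`# main, pinned YYYY-MM-DD` with the actual date), or resolve to a published tag if the upstream repository has one. Separately, `secrets: inherit` on the next line still forwards every repository secret to the callee; now that the callee is a fixed revision it can be read to determine which secrets it actually consumes, and an explicit `secrets:` map limited to those would match the least-privilege `permissions:` stance this workflow already takes.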
@@ -20,11 +20,11 @@ jobs: matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install QLT id: install-qlt - uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main + uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@177984f7fc369b131c844b3a50d8d1e9a8e5223b # main with: qlt-version: 'latest' add-to-path: true @@ -45,11 +45,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install QLT id: install-qlt - uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main + uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@177984f7fc369b131c844b3a50d8d1e9a8e5223b # main with: qlt-version: 'latest' add-to-path: true @@ -80,7 +80,7 @@ jobs: qlt query run install-packs - name: Setup Node.js for CDS compilation - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: '20' cache: 'npm' @@ -123,7 +123,7 @@ jobs: --work-dir $RUNNER_TMP - name: Upload test results - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: test-results-${{ runner.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library_ident }} path: | 
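Review bot: Pinning `install-qlt` to `177984f7fc369b131c844b3a50d8d1e9a8e5223b` fixes the action's own code but not what it installs, because `qlt-version: 'latest'` on the following line still resolves the QLT release at run time, so the toolchain the unit tests execute remains a floating dependency outside the SHA pin. If the intent of this commit is reproducible, auditable CI, pin `qlt-version` to a specific release and let the existing update workflow bump it deliberately; the same `'latest'` input appears in the second hunk of this file and in the later `-137` hunk. The `# main` comment here has the same weakness as any branch comment — it does not say when the branch head was captured — so a pin date (`# main, pinned YYYY-MM-DD` with the real date) would help future audits.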
@@ -137,18 +137,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install QLT id: install-qlt - uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main + uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@177984f7fc369b131c844b3a50d8d1e9a8e5223b # main with: qlt-version: 'latest' add-to-path: true - name: Collect test results - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 - name: Validate test results run: | diff --git a/.github/workflows/ql-unit-tests-windows.yml b/.github/workflows/ql-unit-tests-windows.yml index e595a3fac..ad7190cbc 100644 --- a/.github/workflows/ql-unit-tests-windows.yml +++ b/.github/workflows/ql-unit-tests-windows.yml @@ -69,7 +69,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup CodeQL CLI id: setup-codeql @@ -155,7 +155,7 @@ jobs: Write-Host "QL pack installation complete" - name: Setup Node.js for CDS compilation - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: '20' cache: 'npm' @@ -287,7 +287,7 @@ jobs: - name: Upload test results if: ${{ always() }} - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: windows-test-results-${{ matrix.test_suite }} path: | @@ -296,7 +296,7 @@ jobs: - name: Upload CAP test artifacts if: ${{ always() && (matrix.test_suite == 'cap-models' || matrix.test_suite == 'cap-queries') }} - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: windows-cap-debug-${{ matrix.test_suite }} path: | 
@@ -311,10 +311,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Download test results - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: pattern: windows-test-results-* path: test-results/ diff --git a/.github/workflows/release-codeql.yml b/.github/workflows/release-codeql.yml index 2d3aa87ca..3602a19ef 100644 --- a/.github/workflows/release-codeql.yml +++ b/.github/workflows/release-codeql.yml @@ -56,7 +56,7 @@ jobs: echo "release_name=${VERSION#v}" >> $GITHUB_OUTPUT - name: CodeQL - Checkout tag - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: refs/tags/${{ steps.version.outputs.version }} @@ -101,7 +101,7 @@ jobs: run: ./scripts/bundle-packs.sh --output-dir dist-packs - name: CodeQL - Upload pack artifacts - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: codeql-pack-bundles-${{ steps.version.outputs.version }} path: dist-packs/*.tar.gz diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml index 9e7f1b2f5..623cb6f0c 100644 --- a/.github/workflows/release-tag.yml +++ b/.github/workflows/release-tag.yml @@ -42,7 +42,7 @@ jobs: steps: - name: Tag - Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 fetch-tags: true @@ -149,7 +149,7 @@ jobs: - name: Tag - Setup Node.js for CDS compilation if: steps.needs-creation.outputs.needed == 'true' - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: '20' cache: 'npm' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7ef61506a..1c7bbd694 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -130,7 +130,7 @@ jobs: steps: - name: Release - Download CodeQL pack artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: name: codeql-pack-bundles-${{ needs.resolve-version.outputs.version }} path: dist-packs diff --git a/.github/workflows/update-codeql.yml b/.github/workflows/update-codeql.yml index 28ebc605e..e2fcc8df1 100644 --- a/.github/workflows/update-codeql.yml +++ b/.github/workflows/update-codeql.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Detect - Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Detect - Check latest CodeQL CLI version id: check-version @@ -102,7 +102,7 @@ jobs: steps: - name: Update - Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Update - Update version in all files run: | @@ -130,7 +130,7 @@ jobs: run: ./scripts/upgrade-packs.sh - name: Update - Setup Node.js for CDS compilation - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: '20' cache: 'npm' @@ -153,7 +153,7 @@ jobs: -- javascript/ - name: Update - Create Pull Request - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: title: 'Upgrade CodeQL CLI dependency to ${{ needs.detect-update.outputs.version }}' body: |