From 75da91025bdecb02892175cf8bac44a05c097f96 Mon Sep 17 00:00:00 2001
From: Sherin Mirza
Date: Fri, 20 May 2022 13:12:15 -0500
Subject: [PATCH 01/10] Create codeql-analysis.yml
---
 .github/workflows/codeql-analysis.yml | 66 +++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 .github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000..15f797bf
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,66 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + workflow_dispatch: + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # â„šī¸ Command-line programs to run using the OS shell. 
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 From d0a06a984ce6e9ac14552a0e9564ec72d6e65462 Mon Sep 17 00:00:00 2001 From: Sherin Mirza Date: Tue, 31 May 2022 13:16:04 -0500 Subject: [PATCH 02/10] Create SonarQube.yml --- .github/workflows/SonarQube.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/workflows/SonarQube.yml diff --git a/.github/workflows/SonarQube.yml b/.github/workflows/SonarQube.yml new file mode 100644 index 00000000..90d280c1 --- /dev/null +++ b/.github/workflows/SonarQube.yml @@ -0,0 +1,17 @@ +name: SonarQube +on: + workflow_dispatch: + +jobs: + build: + name: SonarQube + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + - uses: SonarSource/sonarqube-scan-action@v1.0.0 + env: + GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} From d50f4159b11ba3a8e18dede4466cd5158c80dc36 Mon Sep 17 00:00:00 2001 From: Sherin Mirza Date: Tue, 31 May 2022 13:22:38 -0500 Subject: [PATCH 03/10] Create sonar-project.properties --- sonar-project.properties | 1 + 1 file changed, 1 insertion(+) create mode 100644 sonar-project.properties diff --git a/sonar-project.properties b/sonar-project.properties new file mode 100644 index 00000000..13963749 --- /dev/null +++ b/sonar-project.properties @@ -0,0 +1 @@ +sonar.projectKey=com.shell.action-download-artifact From 172689374cb6f4eb9f5ae53c393bfec1ea5b95f6 Mon Sep 17 00:00:00 2001 
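Review bot: `on:` lists only `workflow_dispatch:`, so this CodeQL workflow never runs on pushes, pull requests or a schedule and uploads no code-scanning results unless someone triggers it by hand; the `security-events: write` permission it requests is therefore never exercised. If the workflow is kept, add `push:` and `pull_request:` triggers for the default branch and a `schedule:` entry, as the stock template does, so alerts are produced continuously. Patch 10/10 in this series deletes the file as unused, so this only matters if that deletion is reconsidered. The `permissions:` block itself is appropriately minimal.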
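Review bot: The scan step is given `GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}`, a repository secret, rather than the job's own `${{ secrets.GITHUB_TOKEN }}`; if GH_TOKEN is a personal access token it is long-lived, tied to a user account and not bounded by a `permissions:` block, which this job does not declare. Prefer `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` together with an explicit job-level `permissions:` mapping (`contents: read`, adding `pull-requests: write` only if pull-request decoration is actually used), so the repository's default token permissions do not apply silently. `actions/checkout@v2` runs on a deprecated Node runtime; patch 07/10 later moves it to v6, so that part is already handled in the series.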
From: =?UTF-8?q?Andr=C3=A9=20Beurskens?= Date: Tue, 12 May 2026 14:57:32 +0200 Subject: [PATCH 04/10] Workflows: trigger SonarQube on master pushes --- .github/workflows/SonarQube.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/SonarQube.yml b/.github/workflows/SonarQube.yml index 90d280c1..4f18562b 100644 --- a/.github/workflows/SonarQube.yml +++ b/.github/workflows/SonarQube.yml @@ -1,5 +1,8 @@ name: SonarQube on: + push: + branches: + - master workflow_dispatch: jobs: From c91b83c89537def4a594b4d3dd48ddc405711374 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Beurskens?= Date: Tue, 12 May 2026 15:18:11 +0200 Subject: [PATCH 05/10] Try sonarqube-scan-action@v7 --- .github/workflows/SonarQube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/SonarQube.yml b/.github/workflows/SonarQube.yml index 4f18562b..7e0b1fa3 100644 --- a/.github/workflows/SonarQube.yml +++ b/.github/workflows/SonarQube.yml @@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: 0 - - uses: SonarSource/sonarqube-scan-action@v1.0.0 + - uses: SonarSource/sonarqube-scan-action@v7 env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From 4869a291bd7451df54bea80672e2ddd98c5e14da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Beurskens?= Date: Fri, 15 May 2026 11:25:20 +0200 Subject: [PATCH 06/10] Update dependabot configuration to disable all version updates (security updates are configured separately and remain enabled) --- .github/dependabot.yml | 34 ++++++++++------------------------ 1 file changed, 10 insertions(+), 24 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d490a138..d62b9c43 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
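Review bot: With `push:` restricted to `master` and no `pull_request:` trigger, the scan (and the quality-gate step added in patch 08/10) runs only after a change has already been merged, so it can report findings but never block them. Adding a `pull_request:` trigger with `branches:` / `- master` runs the analysis before merge for branches in this repository. Pull requests from forks do not receive `secrets.SONAR_TOKEN`, so such runs would need a guard like `if: github.event.pull_request.head.repo.full_name == github.repository` on the job, or a separate unauthenticated path.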
@@ -1,26 +1,12 @@ version: 2 +# Dependabot version updates are explicitly disabled for all known package +# ecosystems. Ecosystems not listed here are not monitored by Dependabot at all. +# To enable updates for an ecosystem, remove its open-pull-requests-limit or set +# it to a value greater than 0, and add the required directory and schedule. +# Note: Dependabot security updates are configured separately and remain enabled. updates: -- package-ecosystem: npm - directory: "/" - schedule: - interval: daily - time: "04:00" - pull-request-branch-name: - separator: "-" - open-pull-requests-limit: 10 - ignore: - - dependency-name: filesize - versions: - - 6.2.6 - - 6.3.0 - - dependency-name: adm-zip - versions: - - 0.5.3 -- package-ecosystem: github-actions - directory: "/" - schedule: - interval: daily - time: "04:00" - pull-request-branch-name: - separator: "-" - open-pull-requests-limit: 10 + - package-ecosystem: npm + open-pull-requests-limit: 0 + + - package-ecosystem: github-actions + open-pull-requests-limit: 0 From df6bd75abe1dcfd0b59baf9f0ce43bebe25ed3b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Beurskens?= Date: Fri, 15 May 2026 11:35:31 +0200 Subject: [PATCH 07/10] Use Node 24 actions/checkout in SonarQube workflow --- .github/workflows/SonarQube.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/SonarQube.yml b/.github/workflows/SonarQube.yml index 7e0b1fa3..0f40290b 100644 --- a/.github/workflows/SonarQube.yml +++ b/.github/workflows/SonarQube.yml @@ -10,7 +10,7 @@ jobs: name: SonarQube runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 with: fetch-depth: 0 - uses: SonarSource/sonarqube-scan-action@v7 From 2ec85ac3e4d3c8b594bef662094b28e224080bcc Mon Sep 17 00:00:00 2001 
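Review bot: The new header comment states that security updates "remain enabled", but nothing in this file controls that — Dependabot security updates are a repository setting — so the claim cannot be checked where it is made; reword to `# Note: Dependabot security updates are a repository setting and are not affected by this file.` This hunk also drops the `directory` and `schedule` keys that are required for each `updates` entry, which patch 09/10 restores; squashing the two commits would avoid a history state in which Dependabot rejects the configuration. With both ecosystems at `open-pull-requests-limit: 0`, action versions in the workflows are no longer bumped automatically, which matches the manual bumps elsewhere in this series but is worth stating in the comment.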
From: =?UTF-8?q?Andr=C3=A9=20Beurskens?= Date: Fri, 15 May 2026 11:42:17 +0200 Subject: [PATCH 08/10] Add SonarQube Quality Gate check to fail run --- .github/workflows/SonarQube.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/SonarQube.yml b/.github/workflows/SonarQube.yml index 0f40290b..50dd3d39 100644 --- a/.github/workflows/SonarQube.yml +++ b/.github/workflows/SonarQube.yml @@ -13,8 +13,15 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 + - uses: SonarSource/sonarqube-scan-action@v7 env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + + - name: SonarQube Quality Gate check + uses: sonarsource/sonarqube-quality-gate-action@v1 + timeout-minutes: 5 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From b5844909dcca770289ba8cd7f178f4cd4964ccc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Beurskens?= Date: Mon, 18 May 2026 14:17:21 +0200 Subject: [PATCH 09/10] Fix incorrect Dependabot configuration --- .github/dependabot.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d62b9c43..d6fc438f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -2,11 +2,17 @@ version: 2 # Dependabot version updates are explicitly disabled for all known package # ecosystems. Ecosystems not listed here are not monitored by Dependabot at all. # To enable updates for an ecosystem, remove its open-pull-requests-limit or set -# it to a value greater than 0, and add the required directory and schedule. +# it to a value greater than 0. # Note: Dependabot security updates are configured separately and remain enabled. updates: - package-ecosystem: npm + directory: "/" + schedule: + interval: weekly open-pull-requests-limit: 0 - package-ecosystem: github-actions + directory: "/" + schedule: + interval: weekly open-pull-requests-limit: 0 
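Review bot: `sonarsource/sonarqube-quality-gate-action@v1`, like `SonarSource/sonarqube-scan-action@v7` above it (introduced in patch 05/10), is a third-party action referenced by a mutable tag, so whoever controls the tag controls what runs with `secrets.SONAR_TOKEN` in its environment; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: sonarsource/sonarqube-quality-gate-action@<commit-sha>  # v1` (placeholder SHA). The job still declares no `permissions:` block, so this step runs with the repository's default `GITHUB_TOKEN` permissions even though it needs only `SONAR_TOKEN`; `permissions:` / `contents: read` at the job level is the least-privilege choice. The job definition begins outside this hunk.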
From 875dec87ff0038880b57ed3e9b31664bf1b7d0f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Beurskens?=
Date: Mon, 18 May 2026 14:21:24 +0200
Subject: [PATCH 10/10] Remove unused CodeQL configuration file
---
 .github/workflows/codeql-analysis.yml | 66 ---------------------------
 1 file changed, 66 deletions(-)
 delete mode 100644 .github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 15f797bf..00000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,66 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - workflow_dispatch: - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'javascript' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # â„šī¸ Command-line programs to run using the OS shell. 
- # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2