waveterm/.github/workflows/codeql.yml
dependabot[bot] 2cd00dae26
Bump arduino/setup-task from 1 to 2 in /.github/workflows (#139)
Bumps [arduino/setup-task](https://github.com/arduino/setup-task) from 1
to 2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/arduino/setup-task/releases">arduino/setup-task's
releases</a>.</em></p>
<blockquote>
<h2>2.0.0</h2>
<h2>Migration Guide</h2>
<p>The version of the <a
href="https://nodejs.org/en/about"><strong>Node.js</strong></a> runtime
used to execute the action has been updated from 16 to 20. This could be
a breaking change for certain GitHub Actions workflows.</p>
<p>If a workflow with dependency on the
<strong>arduino/setup-task</strong> action uses only <a
href="https://docs.github.com/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners">GitHub-hosted
GitHub Actions runners</a>, no changes are required.</p>
<p>If the workflow uses a <a
href="https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners">self-hosted
runner</a>, the workflow run might fail after updating
<strong>arduino/setup-task</strong>:</p>
<pre lang="text"><code>Error: System.ArgumentOutOfRangeException:
Specified argument was out of the range of valid values. (Parameter
''using: node20' is not supported, use 'docker', 'node12' or 'node16'
instead.')
at
GitHub.Runner.Worker.ActionManifestManager.ConvertRuns(IExecutionContext
executionContext, TemplateContext templateContext, TemplateToken
inputsToken, String fileRelativePath, MappingToken outputs)
at GitHub.Runner.Worker.ActionManifestManager.Load(IExecutionContext
executionContext, String manifestFile)
Error: Fail to load arduino/setup-task/v2/action.yml
</code></pre>
<p>This means an older runner version that does not provide Node.js 20.x
is installed on the runner machine and you must update the runner
version.</p>
<h2>Changelog</h2>
<h4>Breaking</h4>
<ul>
<li>Update Node.js runtime for action from 16 to 20 (<a
href="https://redirect.github.com/arduino/setup-task/issues/919">#919</a>)</li>
</ul>
<h4>Enhancement</h4>
<ul>
<li><a
href="https://github.com/arduino/compile-sketches/pulls?q=merged%3A2023-01-31..2024-02-05+author%3Aapp%2Fdependabot">Various
dependency updates</a></li>
</ul>
<h2>Full Changeset</h2>
<p><a
href="https://github.com/arduino/setup-task/compare/1.0.3...2.0.0">https://github.com/arduino/setup-task/compare/1.0.3...2.0.0</a></p>
<h2>Contributors</h2>
<ul>
<li><a href="https://github.com/gdraynz"><code>@​gdraynz</code></a></li>
</ul>
<h2>1.0.3</h2>
<h2>Changelog</h2>
<h4>Enhancement</h4>
<ul>
<li>Add support for all Task build architectures
(43e1bb8c37ce39c24e88b4622c2f66b6d7d9ebbd)</li>
</ul>
<h2>Full Changeset</h2>
<p><a
href="https://github.com/arduino/setup-task/compare/1.0.2...1.0.3">https://github.com/arduino/setup-task/compare/1.0.2...1.0.3</a></p>
<h2>1.0.2</h2>
<h2>Release Notes</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b91d5d2c96"><code>b91d5d2</code></a>
update readme (<a
href="https://redirect.github.com/arduino/setup-task/issues/929">#929</a>)</li>
<li><a
href="f2514b0e1c"><code>f2514b0</code></a>
Bump node from 16 to 20 (<a
href="https://redirect.github.com/arduino/setup-task/issues/919">#919</a>)</li>
<li><a
href="2007903d11"><code>2007903</code></a>
Merge pull request <a
href="https://redirect.github.com/arduino/setup-task/issues/928">#928</a>
from arduino/dependabot/npm_and_yarn/prettier-3.2.5</li>
<li><a
href="3f2ef95f2f"><code>3f2ef95</code></a>
build(deps-dev): bump prettier from 3.2.2 to 3.2.5</li>
<li><a
href="88d658bbef"><code>88d658b</code></a>
Merge pull request <a
href="https://redirect.github.com/arduino/setup-task/issues/927">#927</a>
from arduino/dependabot/npm_and_yarn/types/node-16.18.79</li>
<li><a
href="b79a1c3f82"><code>b79a1c3</code></a>
build(deps-dev): bump <code>@​types/node</code> from 16.18.78 to
16.18.79</li>
<li><a
href="5abddba872"><code>5abddba</code></a>
Merge pull request <a
href="https://redirect.github.com/arduino/setup-task/issues/926">#926</a>
from arduino/dependabot/npm_and_yarn/types/node-16.18.78</li>
<li><a
href="b3e99c0fa2"><code>b3e99c0</code></a>
build(deps-dev): bump <code>@​types/node</code> from 16.18.76 to
16.18.78</li>
<li><a
href="4145542cd7"><code>4145542</code></a>
Merge pull request <a
href="https://redirect.github.com/arduino/setup-task/issues/924">#924</a>
from arduino/dependabot/npm_and_yarn/typescript-eslin...</li>
<li><a
href="10406e6d87"><code>10406e6</code></a>
build(deps-dev): bump <code>@​typescript-eslint/parser</code> from
6.19.1 to 6.20.0</li>
<li>Additional commits viewable in <a
href="https://github.com/arduino/setup-task/compare/v1.0.0...v2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=arduino/setup-task&package-manager=github_actions&previous-version=1&new-version=2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-23 11:53:09 -07:00

115 lines
4.6 KiB
YAML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
schedule:
- cron: "36 5 * * 5"
env:
NODE_VERSION: "21.5.0"
jobs:
analyze:
name: Analyze
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners
# Consider using larger runners for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ["go", "javascript-typescript"]
# CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
# Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
# Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Task
uses: arduino/setup-task@v2
with:
version: 3.x
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: stable
cache-dependency-path: |
go.sum
- uses: actions/setup-node@v4
with:
node-version: ${{env.NODE_VERSION}}
- name: Install yarn
run: |
corepack enable
yarn install
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
- name: Generate bindings
run: task generate
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild (not Go)
if: matrix.language != 'go'
uses: github/codeql-action/autobuild@v3
- name: Build (Go only)
if: matrix.language == 'go'
run: |
task build:server
task build:wsh
# Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"