diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3a81675..ec30823 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,9 +1,8 @@
 ---
 name: CodeQL
 on:
- pull_request:
 schedule:
- - cron: '09 09 * * 1'
+ - cron: "09 09 * * 1"
 jobs:
 codeql:
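Review bot: Dropping `pull_request:` leaves the weekly cron as the only trigger, so commits merged between two Monday runs go unscanned for up to a week and no CodeQL finding is ever shown on the pull request that introduced it. If the trigger was removed because the job now reads repository secrets (`GH_APP_PRIVATE_KEY`, added in the next hunk) that fork pull requests cannot access, a `push:` trigger with `branches: [<default-branch>]` beneath it keeps every merged commit covered while still running only in the trusted context. Either way the new trigger policy deserves a short comment above `on:` so the reduced coverage reads as deliberate. The `jobs:` mapping continues past this hunk.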
@@ -16,13 +15,46 @@ jobs:
 with:
 go-version: ^1.23
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.GH_APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
 with:
 languages: go
+ token: ${{ steps.app-token.outputs.token }}
 - name: Build
 run: make build
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v3
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+ upload: never
+
+ # Workaround for parallel GitHub bugs
+ # * Can't use GHA token with IP allowlisting
+ # https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list
+ # * Can't use codeql-action/analyze with custom token
+ # https://support.github.com/ticket/enterprise/3427/3214517
+ - name: Prepare CodeQL Results
+ run: |
+ echo "SARIF_RESULTS=$(gzip -c ../results/go.sarif | base64 -w0)" >> $GITHUB_ENV
+
+ # Workaround for parallel GitHub bugs
+ # * Can't use GHA token with IP allowlisting
+ # https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list
+ # * Can't use codeql-action/analyze with custom token
+ # https://support.github.com/ticket/enterprise/3427/3214517
+ - name: Upload CodeQL Results
+ run: |
+ curl --fail-with-body \
+ -X POST \
+ -H "Authorization: token ${{ steps.app-token.outputs.token }}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ -d '{"commit_sha": "${{ github.sha }}", "ref": "${{ github.ref }}", "sarif": "${{ env.SARIF_RESULTS }}"}' \
+ https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs
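Review bot: The `-d '{... "sarif": "${{ env.SARIF_RESULTS }}"}'` argument in the Upload CodeQL Results step carries the entire gzipped, base64-encoded SARIF as one argv string, and on Linux runners a single argument is capped at 128 KiB (MAX_ARG_STRLEN), so the step will fail with "Argument list too long" once the compressed results grow past that — plausible for a Go codebase with a non-trivial number of findings. Writing the JSON body to a file and posting it with `--data-binary @file` removes that limit, lets the token come from an `env:` entry instead of being expanded into the process command line, and makes the separate Prepare step with its `$GITHUB_ENV` export unnecessary. Separately, `actions/create-github-app-token@v1` is pinned to a mutable tag here and in the identical steps in release-drafter.yml and release.yml, whereas the other third-party actions in those two files are pinned to a full commit SHA with a version comment; the new step should follow the same convention. The `codeql` job and its `steps:` list begin before this hunk.

```yaml
      # … unchanged: analyze step with `upload: never` and the workaround comments …
      - name: Upload CodeQL Results
        env:
          APP_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          gzip -c ../results/go.sarif | base64 -w0 > "$RUNNER_TEMP/sarif.b64"
          jq -n --arg commit_sha "$GITHUB_SHA" --arg ref "$GITHUB_REF" \
            --rawfile sarif "$RUNNER_TEMP/sarif.b64" \
            '{commit_sha: $commit_sha, ref: $ref, sarif: $sarif}' > "$RUNNER_TEMP/sarif.json"
          curl --fail-with-body \
            -X POST \
            -H "Authorization: token $APP_TOKEN" \
            -H "Accept: application/vnd.github.v3+json" \
            --data-binary @"$RUNNER_TEMP/sarif.json" \
            "https://api.github.com/repos/$GITHUB_REPOSITORY/code-scanning/sarifs"
```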
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 2f08252..5fcb7f5 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -11,6 +11,12 @@ jobs:
 update_release_draft:
 runs-on: ubuntu-latest
 steps:
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.GH_APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
 - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ff97ec1..9efae36 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,10 +19,16 @@ jobs:
 with:
 go-version: ^1.23
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.GH_APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
 with:
 args: release --clean
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
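Review bot: Replacing `secrets.GITHUB_TOKEN` with the app installation token means any `permissions:` block on the `update_release_draft` job no longer bounds what release-drafter can do; the token carries every permission granted to the App installation, whatever that is. If the pinned `actions/create-github-app-token` release supports the `permission-<scope>` inputs, scoping the step with e.g. `permission-contents: write` and `permission-pull-requests: read` restores least privilege to what release-drafter presumably needs; the same applies to the app-token step in release.yml below, where GoReleaser likely needs only `permission-contents: write`. A one-line comment above the step recording why an app token replaces `GITHUB_TOKEN` would also help, since the codeql.yml hunk documents its reason but these two do not. The job's `permissions:` block, if any, lies outside this hunk.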
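Review bot: Switching GoReleaser's `GITHUB_TOKEN` to the app token changes more than the token's origin: releases and tags created with `GITHUB_TOKEN` do not fire `release` or `push` events for other workflows, while those created with an app token do, so any workflow in this repository that reacts to a published release will now start running where it previously did not. If that is the intent it deserves a comment above the app-token step, e.g. `# App token so the published release triggers downstream workflows (GITHUB_TOKEN-created events do not)`; if not, it is a side effect to account for before merging. `HOMEBREW_TAP_GITHUB_TOKEN` is unaffected and still comes from a separate secret. The enclosing job's `permissions:` and earlier steps are outside this hunk.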