sandbox: add Kotlin support to sandbox execution #301
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: codeql | |
| # GitHub's semantic security scanner. Same engine that powers their | |
| # security advisories — catches SQL/command/path injection, hardcoded | |
| # credentials, unsafe deserialization, weak crypto, and other classes | |
| # the test/lint workflows can't see. Free for public repos and uses | |
| # its own runner pool, so it doesn't eat install/test minutes. | |
| on: | |
| push: | |
| branches: [main, dev] | |
| pull_request: | |
| branches: [main, dev] | |
| # Re-scan weekly even without commits — query packs are updated by | |
| # GitHub regularly and a stale code base can pick up new findings. | |
| schedule: | |
| - cron: '0 6 * * 1' # Mondays 06:00 UTC | |
| concurrency: | |
| group: codeql-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| analyze: | |
| name: codeql (${{ matrix.language }}) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # Required to write findings to the Security tab. | |
| security-events: write | |
| # Required for actions/checkout on private repos; harmless on public. | |
| contents: read | |
| actions: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [python, go] | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| # setup-go must run BEFORE codeql init: init injects a traced go | |
| # wrapper into PATH, and a later setup-go would repoint PATH at the | |
| # toolcache go, bypassing CodeQL's build tracing. | |
| - name: setup go | |
| if: matrix.language == 'go' | |
| uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 | |
| with: | |
| # 1.26 covers both modules (tui requires 1.26+ via go.mod; | |
| # proxy's 1.24 floor builds fine on it). setup-go v6 pins | |
| # GOTOOLCHAIN=local, so the version here must satisfy every | |
| # module — no auto-fetch. | |
| go-version: '1.26' | |
| # The modules live in proxy/ and tui/ (no root go.mod); without | |
| # this the default cache lookup warns and never caches. | |
| cache-dependency-path: | | |
| proxy/go.sum | |
| tui/go.sum | |
| - name: init codeql (${{ matrix.language }}) | |
| uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| # security-and-quality runs the broader pack — catches both | |
| # security bugs and general correctness issues. Default | |
| # security-extended is also fine; we pick the wider one | |
| # because we already gate Pyflakes via ruff. | |
| queries: security-and-quality | |
| - name: build go modules | |
| # CodeQL needs to observe a real compile to extract dataflow. | |
| # autobuild can't handle our two-module layout (proxy/ + tui/) | |
| # so we do it manually. Each module's `go build ./...` is enough | |
| # for extraction — we don't need the artifacts. | |
| if: matrix.language == 'go' | |
| run: | | |
| (cd proxy && go build ./...) | |
| (cd tui && go build ./...) | |
| - name: analyze | |
| uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 | |
| with: | |
| category: "/language:${{ matrix.language }}" |