From 5e04c116e00a9cd5cbcc54a8ac6f000d11c9939d Mon Sep 17 00:00:00 2001
From: GitHub Copilot Agent
Date: Sat, 14 Feb 2026 17:57:04 +0100
Subject: [PATCH 1/3] security(codeql): CodeQL-Advanced-Setup fuer C# (manual build)

---
 .github/workflows/codeql.yml | 64 ++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..17bb207
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,64 @@
+name: codeql
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    # Weekly scan to catch new CodeQL queries or dependency drift.
+    - cron: "23 3 * * 0"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  analyze:
+    name: Analyze (csharp)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["csharp"]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
+        with:
+          dotnet-version: "10.0.102"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: manual
+          queries: security-and-quality
+
+      - name: Build (CodeQL traced)
+        run: |
+          dotnet restore FileClassifier.sln
+          dotnet build -c Release --no-restore FileClassifier.sln
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3
+        with:
+          category: "/language:${{ matrix.language }}"
+

From bf583b3fa73e29f0e13565b0de4604eb7c95a90e Mon Sep 17 00:00:00 2001
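Review bot: `cancel-in-progress: true` under `concurrency` is keyed on `github.ref` alone, so on `main` a scheduled run and a push run share the group `codeql-refs/heads/main` and the newer one cancels the older mid-analysis; the `main` scan is the one that populates the code-scanning baseline, so losing it is a gap rather than a saving. Restricting cancellation to pull requests keeps the PR behaviour: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. Separately, `fetch-depth: 0` together with `fetch-tags: true` on the checkout step clones the full history and every tag, which the traced `dotnet build` does not need — drop both unless the build itself reads tags. If the repository is private, the job-level `permissions` likely also need `actions: read` for the analyze step; confirm against the codeql-action documentation for the pinned v3 revision.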
From: GitHub Copilot Agent
Date: Sat, 14 Feb 2026 18:02:22 +0100
Subject: [PATCH 2/3] docs(codeql): Hinweis zu deaktiviertem Default Setup

---
 .github/workflows/codeql.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 17bb207..6f1be30 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,5 +1,8 @@
 name: codeql
 
+# NOTE: This workflow is an "advanced configuration". GitHub CodeQL "default setup"
+# must be set to "not-configured" for this repository, otherwise SARIF uploads will fail.
+
 on:
   push:
     branches: ["main"]
@@ -61,4 +64,3 @@ jobs:
         uses: github/codeql-action/analyze@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3
         with:
           category: "/language:${{ matrix.language }}"
-

From 162daf37ada7519b701e837b4442d5ea11273465 Mon Sep 17 00:00:00 2001
From: GitHub Copilot Agent
Date: Sat, 14 Feb 2026 18:10:08 +0100
Subject: [PATCH 3/3] fix(codeql): restore im locked-mode

---
 .github/workflows/codeql.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6f1be30..487874e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -57,8 +57,8 @@ jobs:
 
       - name: Build (CodeQL traced)
         run: |
-          dotnet restore FileClassifier.sln
-          dotnet build -c Release --no-restore FileClassifier.sln
+          dotnet restore --locked-mode -v minimal FileClassifier.sln
+          dotnet build -c Release --no-restore -v minimal FileClassifier.sln
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3
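Review bot: `--locked-mode` on the `dotnet restore` line only enforces pinned package versions when every project in `FileClassifier.sln` carries a committed `packages.lock.json` (lock-file generation enabled via `RestorePackagesWithLockFile`); nothing in this series shows those lock files, so what the step does for a project without one depends on repository state the diff does not reveal — confirm that restore fails in that case rather than quietly generating a new lock file. That precondition belongs next to the command so the next maintainer does not remove the flag when a new project is added, e.g. `# --locked-mode: fail on dependency drift; every project needs a committed packages.lock.json`. `-v minimal` still prints NuGet warnings, so the restore consistency diagnostics remain visible in the log; that part looks fine. The `steps` sequence this step belongs to begins and continues outside the hunk.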