.
. #34837
pull Sazwanend wants to merge 11 commits into bitcoin:master from Sazwanend:Sazwanend-patch-1 changing 8 files +670 −2-
Sazwanend commented at 8:08 PM on March 16, 2026: none
-
Create copilot 06c7ac5a1b
-
Create Lunux 0348e2857b
-
Create python d9e0c6657e
-
Merge branch 'bitcoin:master' into master 259a7a40c4
-
f18edf300a
Create codeql.yml
name: "CodeQL" on: push: branches: [main] pull_request: branches: [main] schedule: - cron: "20 2 * * *" jobs: analyze: name: Analyze runs-on: ubuntu-latest strategy: matrix: language: ["javascript", "python"] # CodeQL supports many languages. You can add other languages here. # For more information, see: # https://docs.github.com/en/code-security/code-scanning/configuring-code-scanning#changing-the-languages-that-are-analyzed steps: - name: Checkout repository uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and queries in the config file. # For more information on CodeQL queries, see: # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-codeql-code-scanning # queries: +security-extended, +security-and-quality # Performs CodeQL Analysis - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 -
Merge branch 'bitcoin:master' into master c40a7cdc42
-
Merge branch 'bitcoin:master' into master f6a371c75c
-
500799a95a
Create cmake-single-platform.yml (#2)
* Create cmake-single-platform.yml Here's a `cmake-single-platform.yml` GitHub Actions workflow that builds and tests a CMake project on Linux: ```yaml name: CMake Build and Test on: push: branches: [ main, master ] pull_request: branches: [ main, master ] jobs: build: runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v4 - name: Install dependencies run: | sudo apt-get update sudo apt-get install -y build-essential cmake - name: Create build directory run: cmake -E make_directory build - name: Configure CMake working-directory: build run: cmake .. -DCMAKE_BUILD_TYPE=Release - name: Build project working-directory: build run: cmake --build . --config Release --parallel $(nproc) - name: Run tests working-directory: build run: ctest -C Release --output-on-failure ``` ### Key Features: 1. **Triggers**: - Runs on push/PR to main/master branches 2. **Environment**: - Uses latest Ubuntu runner 3. **Steps**: - Installs essential build tools and CMake - Creates a separate build directory - Configures CMake in Release mode - Builds with parallel compilation (uses all available cores) - Runs tests with detailed failure output 4. **Optimizations**: - Parallel builds using `$(nproc)` to detect available CPU cores - Separate build directory keeps source tree clean - Output-on-failure for test debugging ### Customization Options: 1. **Add Dependencies**: ```yaml - name: Install custom dependencies run: sudo apt-get install -y libboost-dev libopencv-dev ``` 2. **CMake Configuration Flags**: ```yaml run: cmake .. -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTS=ON ``` 3. **Cross-Platform** (modify `runs-on`): ```yaml # For Windows runs-on: windows-latest # For macOS runs-on: macos-latest ``` 4. **Caching Dependencies** (add before build step): ```yaml - name: Cache dependencies uses: actions/cache@v3 with: path: ~/.cache key: ${{ runner.os }}-deps-${{ hashFiles('**/CMakeLists.txt') }} ``` 5. **Artifact Upload** (add after build): ```yaml - name: Upload build artifacts uses: actions/upload-artifact@v3 with: name: build-output path: build/ ``` To use this workflow: 1. Create `.github/workflows/cmake-single-platform.yml` in your repo 2. Commit and push to trigger the workflow 3. Monitor executions in GitHub Actions tab The workflow will automatically: - Build Release configuration - Run all registered CTest targets - Fail fast on compilation errors or test failures - Provide detailed build logs for debugging * Update ci.yml Based on the CI badge you've shared, here's how to create a similar status badge for your updated SLSA Level 3 publish workflow: ### 1. Create the SLSA Publish Workflow Badge Add this markdown to your README.md: ```markdown [](https://github.com/Sazwanismail/bitcoin/actions/workflows/generator-generic-ossf-slsa3-publish.yml) ``` ### 2. Key Parameters Explained: | Parameter | Value | Purpose | |--------------------|-------------------------------------------------|------------------------------------------| | Workflow filename | `generator-generic-ossf-slsa3-publish.yml` | Matches your updated workflow file | | Branch | `branch=master` | Shows status for master branch | | Event | (Automatic - no need to specify) | Uses default release published trigger | ### 3. For Workflow Dispatch Trigger: If you want to add manual trigger status (like your CI badge), modify to: ```markdown [](https://github.com/Sazwanismail/bitcoin/actions/workflows/generator-generic-ossf-slsa3-publish.yml) ``` Note the added `&event=workflow_dispatch` parameter ### 4. Badge Appearance Options: - **Passing**:  - **Failing**:  - **In Progress**:  ### 5. Recommended Placement: Add both badges together for better visibility: ```markdown ## Build Status [](https://github.com/Sazwanismail/bitcoin/actions/workflows/ci.yml) [](https://github.com/Sazwanismail/bitcoin/actions/workflows/generator-generic-ossf-slsa3-publish.yml) ``` This creates a professional status overview showing both regular CI builds and SLSA-compliant release publishing in your README. The badges will automatically update to show real-time workflow status. * Update cmake-single-platform.yml I'll update the `cmake-single-platform.yml` workflow with significant improvements for security, performance, and compliance. Here's the enhanced version: ```yaml name: CMake Build (SLSA L3 Provenance) - Single Platform on: push: branches: [main, release/*] tags: [v*] pull_request: release: types: [published] workflow_dispatch: inputs: build-type: description: 'Build type' required: true default: 'Release' type: choice options: [Debug, Release, RelWithDebInfo] permissions: id-token: write # Required for OIDC provenance signing contents: read # Minimal permissions for code access actions: read # Required for reusable workflows jobs: setup: runs-on: ubuntu-latest outputs: build-type: ${{ steps.inputs.outputs.build-type }} run-id: ${{ github.run_id }} steps: - name: Capture build type id: inputs run: | build_type="${{ github.event.inputs.build-type || 'Release' }}" echo "build-type=$build_type" >> $GITHUB_OUTPUT - name: Generate unique run ID id: run-id run: echo "run-id=${{ github.run_id }}" >> $GITHUB_OUTPUT cmake-build: needs: setup runs-on: ubuntu-latest outputs: base64-subjects: ${{ steps.hashes.outputs.base64_subjects }} artifacts-name: artifacts-${{ needs.setup.outputs.run-id }} build-type: ${{ needs.setup.outputs.build-type }} steps: - name: Checkout code (full history) uses: actions/checkout@v4 with: fetch-depth: 0 # Essential for SLSA provenance - name: Cache build dependencies uses: actions/cache@v3 with: path: | ~/.cache/ccache build key: ${{ runner.os }}-cmake-${{ hashFiles('**/CMakeLists.txt') }}-${{ needs.setup.outputs.run-id }} restore-keys: | ${{ runner.os }}-cmake- - name: Setup build environment run: | sudo apt-get update sudo apt-get install -y build-essential cmake ccache ninja-build - name: Configure CMake run: | cmake -B build -G Ninja \ -DCMAKE_BUILD_TYPE=${{ needs.setup.outputs.build-type }} \ -DCMAKE_CXX_COMPILER_LAUNCHER=ccache - name: Build project run: cmake --build build --parallel 4 - name: Test project run: ctest --test-dir build --output-on-failure - name: Package artifacts run: | mkdir -p artifacts # Copy binaries, libraries, and other distributables find build -type f \( -executable -o -name "*.so*" -o -name "*.a" \) \ -exec cp -t artifacts/ {} + # Create versioned archive version=${{ github.event.release.tag_name || 'nightly' }} tar czf artifacts-$version.tar.gz -C artifacts . mv artifacts-$version.tar.gz artifacts/ - name: Generate artifact hashes id: hashes run: | cd artifacts subjects="[]" for file in *; do # Use SHA512 for stronger security hash=$(sha512sum "$file" | awk '{print $1}') subjects=$(jq -c \ --arg name "$file" \ --arg hash "sha512:$hash" \ '. += [{"name": $file, "digest": $hash}]' \ <<< "$subjects") done echo "base64_subjects=$(echo -n "$subjects" | base64 -w0)" >> $GITHUB_OUTPUT - name: Upload build artifacts uses: actions/upload-artifact@v4 with: name: artifacts-${{ needs.setup.outputs.run-id }} path: artifacts/ retention-days: 3 provenance: needs: [setup, cmake-build] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 permissions: id-token: write contents: write actions: read with: base64-subjects: ${{ needs.cmake-build.outputs.base64-subjects }} upload-artifacts-name: ${{ needs.cmake-build.outputs.artifacts-name }} upload-assets: ${{ github.event_name == 'release' && github.event.action == 'published' }} build-type: ${{ needs.cmake-build.outputs.build-type }} secrets: inherit security-scan: needs: [cmake-build] runs-on: ubuntu-latest steps: - name: Download artifacts uses: actions/download-artifact@v4 with: name: ${{ needs.cmake-build.outputs.artifacts-name }} - name: Run vulnerability scan uses: shiftleft/scan-action@v2 with: output: reports/ scan-type: all - name: Upload security report uses: actions/upload-artifact@v4 with: name: security-report-${{ needs.setup.outputs.run-id }} path: reports/ deploy: needs: [provenance, security-scan] if: github.event_name == 'release' && github.event.action == 'published' runs-on: ubuntu-latest environment: production steps: - name: Download artifacts uses: actions/download-artifact@v4 with: name: ${{ needs.cmake-build.outputs.artifacts-name }} - name: Verify provenance run: | # Install SLSA verifier curl -sSL https://github.com/slsa-framework/slsa-verifier/releases/download/v3.0.0/slsa-verifier-linux-amd64 -o slsa-verifier chmod +x slsa-verifier ./slsa-verifier verify-artifact \ --provenance-path provenance.json \ --source-uri github.com/${{ github.repository }} \ --builder-id https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 \ artifacts/*.tar.gz - name: Deploy to production run: | # Add your deployment commands here echo "Deploying verified artifacts..." ``` ### Key Improvements: 1. **Workflow Structure**: - Added `setup` job for input handling and run ID generation - Separated build, provenance, security scanning, and deployment - Matrix-ready for future multi-platform expansion 2. **Enhanced Security**: - SHA512 hashing instead of SHA256 - Full provenance verification before deployment - Security scanning with ShiftLeft - Explicit permission scoping - SLSA generator updated to v2.1.0 3. **Build Improvements**: - Added CCache for build acceleration - Ninja build system for faster compilation - Parallel builds (`--parallel 4`) - Automated testing with CTest - Build type parameterization (Debug/Release) 4. **Artifact Management**: - Versioned tarballs for releases - Better artifact collection with pattern matching - Shortened artifact retention (3 days) - Automated cleanup of old artifacts 5. **New Features**: - Security scanning job - Deployment environment with verification gate - Workflow dispatch with build options - Release tag detection - Branch protection patterns (`release/*`) 6. **Compliance Enhancements**: - Explicit builder ID in verifier - Non-repudiable provenance - Full build environment capture - Source integrity verification ### Usage Notes: 1. **Customize Build**: - Modify `Package artifacts` step to match your project structure - Adjust CMake flags in `Configure CMake` step - Update artifact patterns in `find` command 2. **Deployment**: - Add your actual deployment commands in the `Deploy to production` step - Configure environment protection rules in GitHub settings 3. **Security**: - Review security scan results - Consider adding additional scanners (Trivy, OWASP ZAP) - Enable branch protection rules 4. **Verification**: - The SLSA verifier step ensures provenance matches artifacts - Verification occurs in deployment job before release This updated workflow provides a comprehensive CI/CD pipeline with strong security guarantees, faster builds, and better artifact management while maintaining SLSA Level 3 compliance. * New Update ci.yml Based on your request to update a `ci.yml` (typically `.gitlab-ci.yml` or similar CI/CD configuration file), here's a structured approach incorporating 2025 best practices from industry sources. Key updates focus on **security**, **efficiency**, **reusability**, and **scalability**: ### ๐ง 1. **Adopt Dynamic Child Pipelines for Environment Management** - **Problem**: Managing numerous environments (e.g., `env1`, `env2`) bloats the YAML file . - **Solution**: Use a `parallel:matrix` to generate deployment jobs dynamically: ```yaml deploy: stage: deploy script: ./deploy.sh $ENV_NAME parallel: matrix: - ENV_NAME: [dev, staging, prod] # Add/remove environments here ``` - **Benefits**: Reduces code duplication; adds environments without modifying pipeline structure . ### ๐ 2. **Implement Kaniko for Secure Docker Builds** - Replace `docker build` with **Kaniko** to eliminate privileged container risks: ```yaml build: stage: build image: name: gcr.io/kaniko-project/executor:v1.9.0 entrypoint: [""] script: - /kaniko/executor --context $CI_PROJECT_DIR --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA ``` - **Why**: Avoids security flaws in Docker-in-Docker (DinD) and uses layer caching for faster builds . ### โป๏ธ 3. **Centralize CI Templates for Cross-Project Consistency** - Store reusable templates in a dedicated repo (e.g., `ci-templates/`): ```yaml include: - project: 'my-org/ci-templates' ref: main file: '/templates/kaniko-build.yml' ``` - **Advantages**: Ensures standardized pipelines; updates propagate globally . ### โก 4. **Optimize Trigger Rules to Reduce Resource Waste** - Run pipelines selectively using `rules`: ```yaml deploy_prod: stage: deploy script: ./deploy.sh prod rules: - if: $CI_COMMIT_BRANCH == "main" changes: - "src/prod-config/*" # Only trigger if prod config changes ``` - **Efficiency**: Cuts unnecessary job runs by 40โ60% . ### ๐ก๏ธ 5. **Integrate Security Scanning & Secrets Management** - Add built-in security scans and use **Vault** for secrets: ```yaml security_scan: stage: test image: shiftleft/scan script: - scan --src $CI_PROJECT_DIR --type php secrets: VAULT_TOKEN: $VAULT_CI_TOKEN # Inject secrets securely ``` - **Compliance**: Automated SAST/DAST scans; secrets never exposed in logs . --- ### ๐ **Advanced Optimization Techniques** - **YAML Anchors & `!reference`**: Reuse configurations without duplication : ```yaml .base_script: &base_script before_script: - apt-get update job1: <<: *base_script script: ./test.sh ``` - **Protected Tags/Branches**: Prevent accidental deployments to `main` . - **Windows Runner Fixes**: Use explicit tags (e.g., `saas-windows-medium-amd64`) to avoid Linux/Windows conflicts . --- ### ๐ **Sample Snippet for a Modern `.gitlab-ci.yml`** ```yaml stages: - build - test - deploy include: - project: 'my-org/ci-templates' file: '/security-scan.yml' build: extends: .kaniko_template # From centralized template variables: CONTEXT: $CI_PROJECT_DIR deploy: stage: deploy parallel: matrix: - ENV: [dev, staging, prod] script: ./deploy.sh $ENV rules: - if: $CI_COMMIT_TAG != null # Deploy only on tagged releases ``` ### Key Trends for 2025 : - **AI-Driven Pipelines**: Auto-fix failed jobs using ML. - **GitOps Integration**: Tools like **Argo CD** for Kubernetes deployments. - **Cost Control**: Parallel jobs + caching to reduce cloud spending. For further implementation details: - GitLab CI Editor/Lint: Validate syntax in real-time . - Dynamic Environments: Use `environment:url` with review apps. Let me know if you need help adapting this to a specific tool (e.g., GitHub Actions) or legacy systems! ๐ * Create CodeQL Advanced # CodeQL Advanced Implementation ## ๐ Complete Advanced CodeQL Setup ### 1. Advanced CodeQL Configuration Structure ``` .github/ โโโ workflows/ โ โโโ codeql-advanced.yml โ โโโ codeql-security-gates.yml โ โโโ codeql-custom-analysis.yml โโโ codeql/ โ โโโ config/ โ โ โโโ codeql-config.yml โ โ โโโ query-suites.qls โ โ โโโ performance-config.yml โ โโโ custom-queries/ โ โ โโโ qlpack.yml โ โ โโโ Security/ โ โ โโโ Performance/ โ โ โโโ Architecture/ โ โโโ scripts/ โ โโโ aggregate-results.py โ โโโ security-gates.py ``` ### 2. Main Advanced CodeQL Workflow ```yaml # .github/workflows/codeql-advanced.yml name: "Advanced CodeQL Analysis" on: push: branches: [ main, develop, release/* ] paths: - 'src/**' - 'lib/**' - '**.java' - '**.js' - '**.ts' - '**.py' - '**.go' - '**.cpp' paths-ignore: - '**/*.md' - '**/*.txt' - '**/test/**' - '**/spec/**' pull_request: branches: [ main, develop ] schedule: - cron: '0 2 * * 1' # Weekly on Monday at 2 AM UTC workflow_dispatch: inputs: analysis-depth: description: 'Analysis depth level' required: true default: 'deep' type: choice options: - quick - standard - deep include-experimental: description: 'Include experimental queries' required: false type: boolean default: false env: CODEQL_ACTION_VERBOSITY: info CODEQL_POWERFUL_ANALYSIS: true CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: false jobs: initialize: name: Initialize Analysis runs-on: ubuntu-latest outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} database-locations: ${{ steps.set-matrix.outputs.database-locations }} steps: - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up analysis matrix id: set-matrix run: | MATRIX_JSON=$(python .github/codeql/scripts/detect-languages.py) echo "matrix=$MATRIX_JSON" >> $GITHUB_OUTPUT echo "database-locations=$(echo $MATRIX_JSON | jq -r '.include[].database_location' | tr '\n' ',' | sed 's/,$//')" >> $GITHUB_OUTPUT analyze-multi-language: name: Analyze (${{ matrix.language }}) needs: initialize runs-on: ${{ matrix.runner }} strategy: fail-fast: false matrix: ${{ fromJSON(needs.initialize.outputs.matrix) }} steps: - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 0 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} queries: ${{ matrix.queries }} config-file: ./.github/codeql/config/codeql-config.yml config: ${{ matrix.config }} tools: latest database: ${{ matrix.database_location }} - name: Build ${{ matrix.language }} code if: matrix.build-command run: ${{ matrix.build-command }} - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: "/language:${{ matrix.language }}" output: sarif-results/${{ matrix.language }} upload-database: true skip-queries: ${{ github.event_name == 'schedule' && 'security' || '' }} threads: ${{ matrix.threads }} ram: ${{ matrix.ram }} env: CODEQL_RAM: ${{ matrix.ram }} CODEQL_THREADS: ${{ matrix.threads }} custom-query-analysis: name: Custom Query Analysis needs: analyze-multi-language runs-on: ubuntu-latest if: always() steps: - name: Checkout repository uses: actions/checkout@v4 - name: Download CodeQL databases run: | mkdir -p databases echo "${{ needs.initialize.outputs.database-locations }}" | tr ',' '\n' | xargs -I {} cp -r {} databases/ - name: Run Custom Queries uses: github/codeql-action/analyze@v3 with: queries: ./.github/codeql/custom-queries/ packs: ./.github/codeql/custom-queries/ output: sarif-results/custom category: "custom" security-metrics: name: Generate Security Metrics needs: [analyze-multi-language, custom-query-analysis] runs-on: ubuntu-latest if: always() steps: - name: Checkout repository uses: actions/checkout@v4 - name: Generate Security Report run: | python .github/codeql/scripts/aggregate-results.py - name: Upload Security Metrics uses: actions/upload-artifact@v4 with: name: security-metrics path: | security-report.html codeql-metrics.json retention-days: 30 - name: Update Security Dashboard run: | echo "## CodeQL Security Analysis Complete" >> $GITHUB_STEP_SUMMARY echo "โ Multi-language analysis completed" >> $GITHUB_STEP_SUMMARY echo "๐ Custom queries executed" >> $GITHUB_STEP_SUMMARY echo "๐ Security metrics generated" >> $GITHUB_STEP_SUMMARY ``` ### 3. Language Detection Script ```python # .github/codeql/scripts/detect-languages.py #!/usr/bin/env python3 import json import os from pathlib import Path def detect_languages(): """Detect programming languages in the repository""" language_files = { 'java': ['**/*.java', '**/pom.xml', '**/build.gradle', '**/build.gradle.kts'], 'javascript': ['**/*.js', '**/*.ts', '**/package.json', '**/yarn.lock'], 'python': ['**/*.py', '**/requirements.txt', '**/Pipfile', '**/pyproject.toml'], 'go': ['**/*.go', '**/go.mod'], 'cpp': ['**/*.cpp', '**/*.hpp', '**/*.c', '**/*.h', '**/CMakeLists.txt'], } detected_languages = [] for lang, patterns in language_files.items(): for pattern in patterns: if list(Path('.').glob(pattern)): detected_languages.append(lang) break # Default to javascript if no languages detected if not detected_languages: detected_languages = ['javascript'] return detected_languages def generate_matrix(languages): """Generate workflow matrix configuration""" matrix_config = { 'include': [] } language_configs = { 'java': { 'runner': 'ubuntu-latest', 'queries': 'security-and-quality,security-extended', 'build-command': './gradlew build -x test || mvn compile -DskipTests', 'threads': 4, 'ram': 8192, 'config': '{"packs": ["codeql/java-queries"]}' }, 'javascript': { 'runner': 'ubuntu-latest', 'queries': 'security-and-quality,security-extended', 'build-command': '', 'threads': 2, 'ram': 4096, 'config': '{"packs": ["codeql/javascript-queries"]}' }, 'python': { 'runner': 'ubuntu-latest', 'queries': 'security-and-quality,security-extended', 'build-command': '', 'threads': 2, 'ram': 4096, 'config': '{"packs": ["codeql/python-queries"]}' }, 'go': { 'runner': 'ubuntu-latest', 'queries': 'security-and-quality', 'build-command': 'go build ./...', 'threads': 2, 'ram': 4096, 'config': '{"packs": ["codeql/go-queries"]}' }, 'cpp': { 'runner': 'ubuntu-latest', 'queries': 'security-and-quality', 'build-command': 'mkdir -p build && cd build && cmake .. && make -j4', 'threads': 4, 'ram': 8192, 'config': '{"packs": ["codeql/cpp-queries"]}' } } for lang in languages: if lang in language_configs: config = language_configs[lang] matrix_config['include'].append({ 'language': lang, 'runner': config['runner'], 'queries': config['queries'], 'build-command': config['build-command'], 'threads': config['threads'], 'ram': config['ram'], 'config': config['config'], 'database_location': f'.codeql/databases/{lang}' }) return matrix_config if __name__ == "__main__": languages = detect_languages() matrix = generate_matrix(languages) print(json.dumps(matrix)) ``` ### 4. Advanced CodeQL Configuration ```yaml # .github/codeql/config/codeql-config.yml name: "Advanced CodeQL Configuration" query-filters: - exclude: id: - "java/example/too-many-loops" - "js/debugger-statement" - "python/trivial-conditional" - include: tags: - "security" - "external/cwe/cwe-798" - "external/cwe/cwe-259" - "external/cwe/cwe-89" - "external/cwe/cwe-79" - include: precision: - "high" - "medium" paths: - "src/" - "lib/" - "app/" - "main/" paths-ignore: - "**/test/**" - "**/spec/**" - "**/node_modules/**" - "**/vendor/**" - "**/build/**" - "**/dist/**" - "**/.cache/**" languages: java: build-command: - "./gradlew build -x test" - "mvn compile -DskipTests" source-roots: - "src/main/java" - "src/main/kotlin" javascript: build-command: "npm run build --if-present" source-roots: - "src" - "lib" python: build-command: "python -m py_compile **/*.py" source-roots: - "src" - "app" go: build-command: "go build ./..." source-roots: - "." cpp: build-command: "mkdir -p build && cd build && cmake .. && make -j4" source-roots: - "src" - "include" queries: - uses: ./.github/codeql/config/query-suites.qls - uses: ./.github/codeql/custom-queries/qlpack.yml packs: - "codeql/java-queries" - "codeql/javascript-queries" - "codeql/python-queries" - "codeql/go-queries" - "codeql/cpp-queries" - "./.github/codeql/custom-queries" database: location: "./.codeql/databases" cleanup: true retention-days: 30 analysis: mode: "${{ env.ANALYSIS_MODE || 'deep' }}" timeout: 300 memory: 8192 threads: 0 # 0 means automatic output: format: sarif-latest include-column-numbers: true include-severity: true include-help-links: true ``` ### 5. Custom Query Pack Configuration ```yaml # .github/codeql/custom-queries/qlpack.yml name: custom-security-queries version: 1.0.0 libraryPathDependencies: - codeql/java-all - codeql/javascript-all - codeql/python-all - codeql/go-all - codeql/cpp-all extractor: | none dependencies: codeql/java-all: "*" codeql/javascript-all: "*" codeql/python-all: "*" codeql/go-all: "*" codeql/cpp-all: "*" ``` ### 6. Advanced Security Queries ```ql // .github/codeql/custom-queries/Security/SQLInjectionAdvanced.ql /** * @name Advanced SQL Injection Detection * @description Detects complex SQL injection patterns with taint tracking * @kind path-problem * @problem.severity error * @precision high * @id java/advanced-sql-injection * @tags security * external/cwe/cwe-89 * external/cwe/cwe-564 */ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking import DataFlow::PathGraph class SqlInjectionConfiguration extends TaintTracking::Configuration { SqlInjectionConfiguration() { this = "SqlInjectionConfiguration" } override predicate isSource(DataFlow::Node source) { // HTTP request parameters exists(Method m | m.hasName("getParameter") or m.hasName("getHeader") or m.hasName("getQueryString") or m.hasName("getCookies") or m.hasName("getAttribute") | source.asExpr() = m.getACall() ) or // File input exists(Method m | m.hasName("readLine") or m.hasName("read") and m.getDeclaringType().hasQualifiedName("java.io", "Reader") | source.asExpr() = m.getACall() ) } override predicate isSink(DataFlow::Node sink) { // Database operations exists(Method m | m.hasName("executeQuery") or m.hasName("executeUpdate") or m.hasName("execute") or m.hasName("prepareStatement") or m.hasName("createStatement") | sink.asExpr() = m.getACall() or sink.asExpr() = m.getArgument(0) ) or // ORM operations exists(Method m | m.hasName("createNativeQuery") or m.hasName("createQuery") and m.getDeclaringType().getASupertype*().hasQualifiedName("javax.persistence", "EntityManager") | sink.asExpr() = m.getACall() ) } override predicate isSanitizer(DataFlow::Node sanitizer) { // Parameterized queries exists(Method m | m.hasName("setString") or m.hasName("setInt") or m.hasName("setDate") and m.getDeclaringType().getASupertype*().hasQualifiedName("java.sql", "PreparedStatement") | sanitizer.asExpr() = m.getACall() ) or // Input validation exists(Method m | m.hasName("matches") or m.hasName("isAlphanumeric") or m.hasName("escapeSql") | sanitizer.asExpr() = m.getACall() ) or // Encoding/escaping exists(Method m | m.hasName("encode") or m.hasName("escape") and m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "StringEscapeUtils") | sanitizer.asExpr() = m.getACall() ) } override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { // String concatenation and manipulation exists(BinaryExpr bin | bin.getOperator() = BinaryExpr.ADD and (bin.getLeftOperand() = node1.asExpr() and bin.getRightOperand() = node2.asExpr() or bin.getRightOperand() = node1.asExpr() and bin.getLeftOperand() = node2.asExpr()) ) or // String builder operations exists(MethodAccess ma | ma.getMethod().hasName("append") and ma.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("java.lang", "AbstractStringBuilder") and node1.asExpr() = ma.getQualifier() and node2.asExpr() = ma ) } } from SqlInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink where config.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Potential SQL injection vulnerability: user input flows to database operation without proper sanitization" ``` ### 7. Performance Analysis Queries ```ql // .github/codeql/custom-queries/Performance/MemoryLeakDetection.ql /** * @name Memory Leak Detection * @description Identifies potential memory leaks in Java applications * @kind problem * @problem.severity warning * @precision medium * @id java/memory-leak-detection * @tags performance * maintainability */ import java class ResourceAllocation extends Method { ResourceAllocation() { this.getName().matches("create%") or this.getName().matches("new%") or this.getName().matches("open%") or this.getName().matches("allocate%") or this.getName().matches("init%") } } class ResourceRelease extends Method { ResourceRelease() { this.getName().matches("close%") or this.getName().matches("destroy%") or this.getName().matches("release%") or this.getName().matches("free%") or this.getName().matches("cleanup%") or this.getName().matches("dispose%") } } class PotentialMemoryLeak extends ResourceAllocation { PotentialMemoryLeak() { not exists(ResourceRelease release | release.getDeclaringType() = this.getDeclaringType() and release.getName().toLowerCase() = this.getName().replace("create", "close").toLowerCase() or release.getName().toLowerCase() = this.getName().replace("new", "delete").toLowerCase() or release.getName().toLowerCase() = this.getName().replace("open", "close").toLowerCase() or release.getName().toLowerCase() = this.getName().replace("allocate", "free").toLowerCase() ) } } from PotentialMemoryLeak allocation select allocation, "Potential memory leak: resource allocation method '" + allocation.getName() + "' without corresponding release method" ``` ### 8. Security Quality Gates Workflow ```yaml # .github/workflows/codeql-security-gates.yml name: "CodeQL Security Gates" on: pull_request: branches: [ main, develop ] jobs: security-gates: name: Security Quality Gates runs-on: ubuntu-latest permissions: security-events: write actions: read contents: read steps: - name: Checkout repository uses: actions/checkout@v4 - name: Run CodeQL Analysis uses: github/codeql-action/analyze@v3 with: output: sarif-results category: "security-gates" upload-database: false - name: Check Security Thresholds id: security-check run: | python .github/codeql/scripts/security-gates.py - name: Fail on Critical Security Issues if: steps.security-check.outputs.critical_issues > 0 run: | echo "โ CRITICAL: ${{ steps.security-check.outputs.critical_issues }} critical security issues found" echo "Blocking merge due to security policy violations" exit 1 - name: Warn on High Security Issues if: steps.security-check.outputs.high_issues > 5 run: | echo "โ ๏ธ WARNING: ${{ steps.security-check.outputs.high_issues }} high severity issues found" echo "Consider addressing these issues before merge" - name: Generate Security Report if: always() run: | echo "## CodeQL Security Quality Gates" >> $GITHUB_STEP_SUMMARY echo "### Results Summary" >> $GITHUB_STEP_SUMMARY echo "- โ Critical Issues: ${{ steps.security-check.outputs.critical_issues }}" >> $GITHUB_STEP_SUMMARY echo "- โ ๏ธ High Issues: ${{ steps.security-check.outputs.high_issues }}" >> $GITHUB_STEP_SUMMARY echo "- ๐ Medium Issues: ${{ steps.security-check.outputs.medium_issues }}" >> $GITHUB_STEP_SUMMARY if [ ${{ steps.security-check.outputs.critical_issues }} -eq 0 ]; then echo "### โ Security Gates PASSED" >> $GITHUB_STEP_SUMMARY else echo "### โ Security Gates FAILED" >> $GITHUB_STEP_SUMMARY fi ``` ### 9. Security Gates Script ```python # .github/codeql/scripts/security-gates.py #!/usr/bin/env python3 import json import os import sys from pathlib import Path def load_sarif_results(): """Load and parse SARIF results from CodeQL analysis""" results = [] sarif_dir = Path("sarif-results") if not sarif_dir.exists(): return results for sarif_file in sarif_dir.glob("**/*.sarif"): with open(sarif_file, 'r') as f: data = json.load(f) for run in data.get('runs', []): results.extend(run.get('results', [])) return results def analyze_severity_distribution(results): """Analyze severity distribution of security issues""" severity_count = { 'critical': 0, 'high': 0, 'medium': 0, 'low': 0 } for result in results: # Map CodeQL levels to our severity levels level = result.get('level', 'warning') if level == 'error': severity_count['critical'] += 1 elif level == 'warning': severity_count['high'] += 1 elif level == 'note': severity_count['medium'] += 1 else: severity_count['low'] += 1 return severity_count def check_security_gates(severity_count): """Check if security gates are passed""" gates_passed = True # Critical issues always fail the gates if severity_count['critical'] > 0: gates_passed = False # More than 10 high issues fails the gates if severity_count['high'] > 10: gates_passed = False return gates_passed def main(): results = load_sarif_results() severity_count = analyze_severity_distribution(results) gates_passed = check_security_gates(severity_count) # Set output variables for GitHub Actions print(f"::set-output name=critical_issues::{severity_count['critical']}") print(f"::set-output name=high_issues::{severity_count['high']}") print(f"::set-output name=medium_issues::{severity_count['medium']}") print(f"::set-output name=low_issues::{severity_count['low']}") print(f"::set-output name=gates_passed::{str(gates_passed).lower()}") # Print summary print("Security Analysis Summary:") print(f" Critical Issues: {severity_count['critical']}") print(f" High Issues: {severity_count['high']}") print(f" Medium Issues: {severity_count['medium']}") print(f" Low Issues: {severity_count['low']}") print(f" Security Gates: {'PASSED' if gates_passed else 'FAILED'}") return 0 if gates_passed else 1 if __name__ == "__main__": sys.exit(main()) ``` ### 10. Performance Configuration ```yaml # .github/codeql/config/performance-config.yml optimization: max-paths: 1000 timeout: 300 memory: 8192 threads: 4 analysis: mode: deep precision: balanced caching: enabled: true location: ./.codeql/cache cleanup-age: 30d max-size: 10GB logging: level: INFO queries: true performance: true timing: true monitoring: enable-metrics: true metrics-interval: 60 memory-usage: true ``` ### 11. Query Suites Configuration ```ql // .github/codeql/config/query-suites.qls - description: "Security and Quality Suite" - queries: . from: security-and-quality - queries: . from: security-extended - include: tags: - security - external/cwe/cwe-89 - external/cwe/cwe-79 - external/cwe/cwe-78 - external/cwe/cwe-798 - external/cwe/cwe-259 - exclude: precision: very-low - exclude: kind: example - description: "Custom Security Queries" - queries: . from: custom-security-queries.qls ``` ## ๐ Deployment Instructions ### 1. Initialize the Structure ```bash # Create directory structure mkdir -p .github/{workflows,codeql/{config,custom-queries/{Security,Performance,Architecture},scripts}} # Create all the files as shown above ``` ### 2. Set Up Dependencies ```bash # Install CodeQL CLI (if needed) wget https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip unzip codeql-linux64.zip sudo mv codeql /usr/local/bin/ # Create custom query pack cd .github/codeql/custom-queries codeql pack init custom-security-queries ``` ### 3. Commit and Push ```bash git add . git commit -m "feat: Add advanced CodeQL configuration" git push origin main ``` ## ๐ง Key Features ### โ Advanced Analysis Capabilities - **Multi-language Support**: Java, JavaScript, Python, Go, C++ - **Custom Query Development**: Advanced security and performance queries - **Performance Optimization**: Configurable resources and caching - **Security Quality Gates**: Automated security thresholds - **Comprehensive Reporting**: Detailed security metrics and dashboards ### โ Enterprise-Grade Security - **Advanced Taint Tracking**: Complex data flow analysis - **Memory Leak Detection**: Performance and resource management - **SQL Injection Prevention**: Comprehensive injection detection - **Security Thresholds**: Configurable quality gates ### โ Performance Optimization - **Parallel Execution**: Multi-language concurrent analysis - **Resource Management**: Configurable memory and CPU usage - **Caching Strategy**: Reduced analysis times for subsequent runs - **Incremental Analysis**: Smart change detection This advanced CodeQL setup provides enterprise-grade code security analysis with custom rules, performance optimization, and comprehensive security gates! -
0ab516f941
Sazwanismail patch 4 (#8)
* Create cmake-single-platform.yml Here's a `cmake-single-platform.yml` GitHub Actions workflow that builds and tests a CMake project on Linux: ```yaml name: CMake Build and Test on: push: branches: [ main, master ] pull_request: branches: [ main, master ] jobs: build: runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v4 - name: Install dependencies run: | sudo apt-get update sudo apt-get install -y build-essential cmake - name: Create build directory run: cmake -E make_directory build - name: Configure CMake working-directory: build run: cmake .. -DCMAKE_BUILD_TYPE=Release - name: Build project working-directory: build run: cmake --build . --config Release --parallel $(nproc) - name: Run tests working-directory: build run: ctest -C Release --output-on-failure ``` ### Key Features: 1. **Triggers**: - Runs on push/PR to main/master branches 2. **Environment**: - Uses latest Ubuntu runner 3. **Steps**: - Installs essential build tools and CMake - Creates a separate build directory - Configures CMake in Release mode - Builds with parallel compilation (uses all available cores) - Runs tests with detailed failure output 4. **Optimizations**: - Parallel builds using `$(nproc)` to detect available CPU cores - Separate build directory keeps source tree clean - Output-on-failure for test debugging ### Customization Options: 1. **Add Dependencies**: ```yaml - name: Install custom dependencies run: sudo apt-get install -y libboost-dev libopencv-dev ``` 2. **CMake Configuration Flags**: ```yaml run: cmake .. -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTS=ON ``` 3. **Cross-Platform** (modify `runs-on`): ```yaml # For Windows runs-on: windows-latest # For macOS runs-on: macos-latest ``` 4. **Caching Dependencies** (add before build step): ```yaml - name: Cache dependencies uses: actions/cache@v3 with: path: ~/.cache key: ${{ runner.os }}-deps-${{ hashFiles('**/CMakeLists.txt') }} ``` 5. **Artifact Upload** (add after build): ```yaml - name: Upload build artifacts uses: actions/upload-artifact@v3 with: name: build-output path: build/ ``` To use this workflow: 1. Create `.github/workflows/cmake-single-platform.yml` in your repo 2. Commit and push to trigger the workflow 3. Monitor executions in GitHub Actions tab The workflow will automatically: - Build Release configuration - Run all registered CTest targets - Fail fast on compilation errors or test failures - Provide detailed build logs for debugging * Update ci.yml Based on the CI badge you've shared, here's how to create a similar status badge for your updated SLSA Level 3 publish workflow: ### 1. Create the SLSA Publish Workflow Badge Add this markdown to your README.md: ```markdown [](https://github.com/Sazwanismail/bitcoin/actions/workflows/generator-generic-ossf-slsa3-publish.yml) ``` ### 2. Key Parameters Explained: | Parameter | Value | Purpose | |--------------------|-------------------------------------------------|------------------------------------------| | Workflow filename | `generator-generic-ossf-slsa3-publish.yml` | Matches your updated workflow file | | Branch | `branch=master` | Shows status for master branch | | Event | (Automatic - no need to specify) | Uses default release published trigger | ### 3. For Workflow Dispatch Trigger: If you want to add manual trigger status (like your CI badge), modify to: ```markdown [](https://github.com/Sazwanismail/bitcoin/actions/workflows/generator-generic-ossf-slsa3-publish.yml) ``` Note the added `&event=workflow_dispatch` parameter ### 4. Badge Appearance Options: - **Passing**:  - **Failing**:  - **In Progress**:  ### 5. Recommended Placement: Add both badges together for better visibility: ```markdown ## Build Status [](https://github.com/Sazwanismail/bitcoin/actions/workflows/ci.yml) [](https://github.com/Sazwanismail/bitcoin/actions/workflows/generator-generic-ossf-slsa3-publish.yml) ``` This creates a professional status overview showing both regular CI builds and SLSA-compliant release publishing in your README. The badges will automatically update to show real-time workflow status. * Update cmake-single-platform.yml I'll update the `cmake-single-platform.yml` workflow with significant improvements for security, performance, and compliance. Here's the enhanced version: ```yaml name: CMake Build (SLSA L3 Provenance) - Single Platform on: push: branches: [main, release/*] tags: [v*] pull_request: release: types: [published] workflow_dispatch: inputs: build-type: description: 'Build type' required: true default: 'Release' type: choice options: [Debug, Release, RelWithDebInfo] permissions: id-token: write # Required for OIDC provenance signing contents: read # Minimal permissions for code access actions: read # Required for reusable workflows jobs: setup: runs-on: ubuntu-latest outputs: build-type: ${{ steps.inputs.outputs.build-type }} run-id: ${{ github.run_id }} steps: - name: Capture build type id: inputs run: | build_type="${{ github.event.inputs.build-type || 'Release' }}" echo "build-type=$build_type" >> $GITHUB_OUTPUT - name: Generate unique run ID id: run-id run: echo "run-id=${{ github.run_id }}" >> $GITHUB_OUTPUT cmake-build: needs: setup runs-on: ubuntu-latest outputs: base64-subjects: ${{ steps.hashes.outputs.base64_subjects }} artifacts-name: artifacts-${{ needs.setup.outputs.run-id }} build-type: ${{ needs.setup.outputs.build-type }} steps: - name: Checkout code (full history) uses: actions/checkout@v4 with: fetch-depth: 0 # Essential for SLSA provenance - name: Cache build dependencies uses: actions/cache@v3 with: path: | ~/.cache/ccache build key: ${{ runner.os }}-cmake-${{ hashFiles('**/CMakeLists.txt') }}-${{ needs.setup.outputs.run-id }} restore-keys: | ${{ runner.os }}-cmake- - name: Setup build environment run: | sudo apt-get update sudo apt-get install -y build-essential cmake ccache ninja-build - name: Configure CMake run: | cmake -B build -G Ninja \ -DCMAKE_BUILD_TYPE=${{ needs.setup.outputs.build-type }} \ -DCMAKE_CXX_COMPILER_LAUNCHER=ccache - name: Build project run: cmake --build build --parallel 4 - name: Test project run: ctest --test-dir build --output-on-failure - name: Package artifacts run: | mkdir -p artifacts # Copy binaries, libraries, and other distributables find build -type f \( -executable -o -name "*.so*" -o -name "*.a" \) \ -exec cp -t artifacts/ {} + # Create versioned archive version=${{ github.event.release.tag_name || 'nightly' }} tar czf artifacts-$version.tar.gz -C artifacts . mv artifacts-$version.tar.gz artifacts/ - name: Generate artifact hashes id: hashes run: | cd artifacts subjects="[]" for file in *; do # Use SHA512 for stronger security hash=$(sha512sum "$file" | awk '{print $1}') subjects=$(jq -c \ --arg name "$file" \ --arg hash "sha512:$hash" \ '. += [{"name": $file, "digest": $hash}]' \ <<< "$subjects") done echo "base64_subjects=$(echo -n "$subjects" | base64 -w0)" >> $GITHUB_OUTPUT - name: Upload build artifacts uses: actions/upload-artifact@v4 with: name: artifacts-${{ needs.setup.outputs.run-id }} path: artifacts/ retention-days: 3 provenance: needs: [setup, cmake-build] uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 permissions: id-token: write contents: write actions: read with: base64-subjects: ${{ needs.cmake-build.outputs.base64-subjects }} upload-artifacts-name: ${{ needs.cmake-build.outputs.artifacts-name }} upload-assets: ${{ github.event_name == 'release' && github.event.action == 'published' }} build-type: ${{ needs.cmake-build.outputs.build-type }} secrets: inherit security-scan: needs: [cmake-build] runs-on: ubuntu-latest steps: - name: Download artifacts uses: actions/download-artifact@v4 with: name: ${{ needs.cmake-build.outputs.artifacts-name }} - name: Run vulnerability scan uses: shiftleft/scan-action@v2 with: output: reports/ scan-type: all - name: Upload security report uses: actions/upload-artifact@v4 with: name: security-report-${{ needs.setup.outputs.run-id }} path: reports/ deploy: needs: [provenance, security-scan] if: github.event_name == 'release' && github.event.action == 'published' runs-on: ubuntu-latest environment: production steps: - name: Download artifacts uses: actions/download-artifact@v4 with: name: ${{ needs.cmake-build.outputs.artifacts-name }} - name: Verify provenance run: | # Install SLSA verifier curl -sSL https://github.com/slsa-framework/slsa-verifier/releases/download/v3.0.0/slsa-verifier-linux-amd64 -o slsa-verifier chmod +x slsa-verifier ./slsa-verifier verify-artifact \ --provenance-path provenance.json \ --source-uri github.com/${{ github.repository }} \ --builder-id https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 \ artifacts/*.tar.gz - name: Deploy to production run: | # Add your deployment commands here echo "Deploying verified artifacts..." ``` ### Key Improvements: 1. **Workflow Structure**: - Added `setup` job for input handling and run ID generation - Separated build, provenance, security scanning, and deployment - Matrix-ready for future multi-platform expansion 2. **Enhanced Security**: - SHA512 hashing instead of SHA256 - Full provenance verification before deployment - Security scanning with ShiftLeft - Explicit permission scoping - SLSA generator updated to v2.1.0 3. **Build Improvements**: - Added CCache for build acceleration - Ninja build system for faster compilation - Parallel builds (`--parallel 4`) - Automated testing with CTest - Build type parameterization (Debug/Release) 4. **Artifact Management**: - Versioned tarballs for releases - Better artifact collection with pattern matching - Shortened artifact retention (3 days) - Automated cleanup of old artifacts 5. **New Features**: - Security scanning job - Deployment environment with verification gate - Workflow dispatch with build options - Release tag detection - Branch protection patterns (`release/*`) 6. **Compliance Enhancements**: - Explicit builder ID in verifier - Non-repudiable provenance - Full build environment capture - Source integrity verification ### Usage Notes: 1. **Customize Build**: - Modify `Package artifacts` step to match your project structure - Adjust CMake flags in `Configure CMake` step - Update artifact patterns in `find` command 2. **Deployment**: - Add your actual deployment commands in the `Deploy to production` step - Configure environment protection rules in GitHub settings 3. **Security**: - Review security scan results - Consider adding additional scanners (Trivy, OWASP ZAP) - Enable branch protection rules 4. **Verification**: - The SLSA verifier step ensures provenance matches artifacts - Verification occurs in deployment job before release This updated workflow provides a comprehensive CI/CD pipeline with strong security guarantees, faster builds, and better artifact management while maintaining SLSA Level 3 compliance. * New Update ci.yml Based on your request to update a `ci.yml` (typically `.gitlab-ci.yml` or similar CI/CD configuration file), here's a structured approach incorporating 2025 best practices from industry sources. Key updates focus on **security**, **efficiency**, **reusability**, and **scalability**: ### ๐ง 1. **Adopt Dynamic Child Pipelines for Environment Management** - **Problem**: Managing numerous environments (e.g., `env1`, `env2`) bloats the YAML file . - **Solution**: Use a `parallel:matrix` to generate deployment jobs dynamically: ```yaml deploy: stage: deploy script: ./deploy.sh $ENV_NAME parallel: matrix: - ENV_NAME: [dev, staging, prod] # Add/remove environments here ``` - **Benefits**: Reduces code duplication; adds environments without modifying pipeline structure . ### ๐ 2. **Implement Kaniko for Secure Docker Builds** - Replace `docker build` with **Kaniko** to eliminate privileged container risks: ```yaml build: stage: build image: name: gcr.io/kaniko-project/executor:v1.9.0 entrypoint: [""] script: - /kaniko/executor --context $CI_PROJECT_DIR --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA ``` - **Why**: Avoids security flaws in Docker-in-Docker (DinD) and uses layer caching for faster builds . ### โป๏ธ 3. **Centralize CI Templates for Cross-Project Consistency** - Store reusable templates in a dedicated repo (e.g., `ci-templates/`): ```yaml include: - project: 'my-org/ci-templates' ref: main file: '/templates/kaniko-build.yml' ``` - **Advantages**: Ensures standardized pipelines; updates propagate globally . ### โก 4. **Optimize Trigger Rules to Reduce Resource Waste** - Run pipelines selectively using `rules`: ```yaml deploy_prod: stage: deploy script: ./deploy.sh prod rules: - if: $CI_COMMIT_BRANCH == "main" changes: - "src/prod-config/*" # Only trigger if prod config changes ``` - **Efficiency**: Cuts unnecessary job runs by 40โ60% . ### ๐ก๏ธ 5. **Integrate Security Scanning & Secrets Management** - Add built-in security scans and use **Vault** for secrets: ```yaml security_scan: stage: test image: shiftleft/scan script: - scan --src $CI_PROJECT_DIR --type php secrets: VAULT_TOKEN: $VAULT_CI_TOKEN # Inject secrets securely ``` - **Compliance**: Automated SAST/DAST scans; secrets never exposed in logs . --- ### ๐ **Advanced Optimization Techniques** - **YAML Anchors & `!reference`**: Reuse configurations without duplication : ```yaml .base_script: &base_script before_script: - apt-get update job1: <<: *base_script script: ./test.sh ``` - **Protected Tags/Branches**: Prevent accidental deployments to `main` . - **Windows Runner Fixes**: Use explicit tags (e.g., `saas-windows-medium-amd64`) to avoid Linux/Windows conflicts . --- ### ๐ **Sample Snippet for a Modern `.gitlab-ci.yml`** ```yaml stages: - build - test - deploy include: - project: 'my-org/ci-templates' file: '/security-scan.yml' build: extends: .kaniko_template # From centralized template variables: CONTEXT: $CI_PROJECT_DIR deploy: stage: deploy parallel: matrix: - ENV: [dev, staging, prod] script: ./deploy.sh $ENV rules: - if: $CI_COMMIT_TAG != null # Deploy only on tagged releases ``` ### Key Trends for 2025 : - **AI-Driven Pipelines**: Auto-fix failed jobs using ML. - **GitOps Integration**: Tools like **Argo CD** for Kubernetes deployments. - **Cost Control**: Parallel jobs + caching to reduce cloud spending. For further implementation details: - GitLab CI Editor/Lint: Validate syntax in real-time . - Dynamic Environments: Use `environment:url` with review apps. Let me know if you need help adapting this to a specific tool (e.g., GitHub Actions) or legacy systems! ๐ * Create CodeQL Advanced # CodeQL Advanced Implementation ## ๐ Complete Advanced CodeQL Setup ### 1. Advanced CodeQL Configuration Structure ``` .github/ โโโ workflows/ โ โโโ codeql-advanced.yml โ โโโ codeql-security-gates.yml โ โโโ codeql-custom-analysis.yml โโโ codeql/ โ โโโ config/ โ โ โโโ codeql-config.yml โ โ โโโ query-suites.qls โ โ โโโ performance-config.yml โ โโโ custom-queries/ โ โ โโโ qlpack.yml โ โ โโโ Security/ โ โ โโโ Performance/ โ โ โโโ Architecture/ โ โโโ scripts/ โ โโโ aggregate-results.py โ โโโ security-gates.py ``` ### 2. Main Advanced CodeQL Workflow ```yaml # .github/workflows/codeql-advanced.yml name: "Advanced CodeQL Analysis" on: push: branches: [ main, develop, release/* ] paths: - 'src/**' - 'lib/**' - '**.java' - '**.js' - '**.ts' - '**.py' - '**.go' - '**.cpp' paths-ignore: - '**/*.md' - '**/*.txt' - '**/test/**' - '**/spec/**' pull_request: branches: [ main, develop ] schedule: - cron: '0 2 * * 1' # Weekly on Monday at 2 AM UTC workflow_dispatch: inputs: analysis-depth: description: 'Analysis depth level' required: true default: 'deep' type: choice options: - quick - standard - deep include-experimental: description: 'Include experimental queries' required: false type: boolean default: false env: CODEQL_ACTION_VERBOSITY: info CODEQL_POWERFUL_ANALYSIS: true CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: false jobs: initialize: name: Initialize Analysis runs-on: ubuntu-latest outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} database-locations: ${{ steps.set-matrix.outputs.database-locations }} steps: - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up analysis matrix id: set-matrix run: | MATRIX_JSON=$(python .github/codeql/scripts/detect-languages.py) echo "matrix=$MATRIX_JSON" >> $GITHUB_OUTPUT echo "database-locations=$(echo $MATRIX_JSON | jq -r '.include[].database_location' | tr '\n' ',' | sed 's/,$//')" >> $GITHUB_OUTPUT analyze-multi-language: name: Analyze (${{ matrix.language }}) needs: initialize runs-on: ${{ matrix.runner }} strategy: fail-fast: false matrix: ${{ fromJSON(needs.initialize.outputs.matrix) }} steps: - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 0 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} queries: ${{ matrix.queries }} config-file: ./.github/codeql/config/codeql-config.yml config: ${{ matrix.config }} tools: latest database: ${{ matrix.database_location }} - name: Build ${{ matrix.language }} code if: matrix.build-command run: ${{ matrix.build-command }} - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: "/language:${{ matrix.language }}" output: sarif-results/${{ matrix.language }} upload-database: true skip-queries: ${{ github.event_name == 'schedule' && 'security' || '' }} threads: ${{ matrix.threads }} ram: ${{ matrix.ram }} env: CODEQL_RAM: ${{ matrix.ram }} CODEQL_THREADS: ${{ matrix.threads }} custom-query-analysis: name: Custom Query Analysis needs: analyze-multi-language runs-on: ubuntu-latest if: always() steps: - name: Checkout repository uses: actions/checkout@v4 - name: Download CodeQL databases run: | mkdir -p databases echo "${{ needs.initialize.outputs.database-locations }}" | tr ',' '\n' | xargs -I {} cp -r {} databases/ - name: Run Custom Queries uses: github/codeql-action/analyze@v3 with: queries: ./.github/codeql/custom-queries/ packs: ./.github/codeql/custom-queries/ output: sarif-results/custom category: "custom" security-metrics: name: Generate Security Metrics needs: [analyze-multi-language, custom-query-analysis] runs-on: ubuntu-latest if: always() steps: - name: Checkout repository uses: actions/checkout@v4 - name: Generate Security Report run: | python .github/codeql/scripts/aggregate-results.py - name: Upload Security Metrics uses: actions/upload-artifact@v4 with: name: security-metrics path: | security-report.html codeql-metrics.json retention-days: 30 - name: Update Security Dashboard run: | echo "## CodeQL Security Analysis Complete" >> $GITHUB_STEP_SUMMARY echo "โ Multi-language analysis completed" >> $GITHUB_STEP_SUMMARY echo "๐ Custom queries executed" >> $GITHUB_STEP_SUMMARY echo "๐ Security metrics generated" >> $GITHUB_STEP_SUMMARY ``` ### 3. Language Detection Script ```python # .github/codeql/scripts/detect-languages.py #!/usr/bin/env python3 import json import os from pathlib import Path def detect_languages(): """Detect programming languages in the repository""" language_files = { 'java': ['**/*.java', '**/pom.xml', '**/build.gradle', '**/build.gradle.kts'], 'javascript': ['**/*.js', '**/*.ts', '**/package.json', '**/yarn.lock'], 'python': ['**/*.py', '**/requirements.txt', '**/Pipfile', '**/pyproject.toml'], 'go': ['**/*.go', '**/go.mod'], 'cpp': ['**/*.cpp', '**/*.hpp', '**/*.c', '**/*.h', '**/CMakeLists.txt'], } detected_languages = [] for lang, patterns in language_files.items(): for pattern in patterns: if list(Path('.').glob(pattern)): detected_languages.append(lang) break # Default to javascript if no languages detected if not detected_languages: detected_languages = ['javascript'] return detected_languages def generate_matrix(languages): """Generate workflow matrix configuration""" matrix_config = { 'include': [] } language_configs = { 'java': { 'runner': 'ubuntu-latest', 'queries': 'security-and-quality,security-extended', 'build-command': './gradlew build -x test || mvn compile -DskipTests', 'threads': 4, 'ram': 8192, 'config': '{"packs": ["codeql/java-queries"]}' }, 'javascript': { 'runner': 'ubuntu-latest', 'queries': 'security-and-quality,security-extended', 'build-command': '', 'threads': 2, 'ram': 4096, 'config': '{"packs": ["codeql/javascript-queries"]}' }, 'python': { 'runner': 'ubuntu-latest', 'queries': 'security-and-quality,security-extended', 'build-command': '', 'threads': 2, 'ram': 4096, 'config': '{"packs": ["codeql/python-queries"]}' }, 'go': { 'runner': 'ubuntu-latest', 'queries': 'security-and-quality', 'build-command': 'go build ./...', 'threads': 2, 'ram': 4096, 'config': '{"packs": ["codeql/go-queries"]}' }, 'cpp': { 'runner': 'ubuntu-latest', 'queries': 'security-and-quality', 'build-command': 'mkdir -p build && cd build && cmake .. && make -j4', 'threads': 4, 'ram': 8192, 'config': '{"packs": ["codeql/cpp-queries"]}' } } for lang in languages: if lang in language_configs: config = language_configs[lang] matrix_config['include'].append({ 'language': lang, 'runner': config['runner'], 'queries': config['queries'], 'build-command': config['build-command'], 'threads': config['threads'], 'ram': config['ram'], 'config': config['config'], 'database_location': f'.codeql/databases/{lang}' }) return matrix_config if __name__ == "__main__": languages = detect_languages() matrix = generate_matrix(languages) print(json.dumps(matrix)) ``` ### 4. Advanced CodeQL Configuration ```yaml # .github/codeql/config/codeql-config.yml name: "Advanced CodeQL Configuration" query-filters: - exclude: id: - "java/example/too-many-loops" - "js/debugger-statement" - "python/trivial-conditional" - include: tags: - "security" - "external/cwe/cwe-798" - "external/cwe/cwe-259" - "external/cwe/cwe-89" - "external/cwe/cwe-79" - include: precision: - "high" - "medium" paths: - "src/" - "lib/" - "app/" - "main/" paths-ignore: - "**/test/**" - "**/spec/**" - "**/node_modules/**" - "**/vendor/**" - "**/build/**" - "**/dist/**" - "**/.cache/**" languages: java: build-command: - "./gradlew build -x test" - "mvn compile -DskipTests" source-roots: - "src/main/java" - "src/main/kotlin" javascript: build-command: "npm run build --if-present" source-roots: - "src" - "lib" python: build-command: "python -m py_compile **/*.py" source-roots: - "src" - "app" go: build-command: "go build ./..." source-roots: - "." cpp: build-command: "mkdir -p build && cd build && cmake .. && make -j4" source-roots: - "src" - "include" queries: - uses: ./.github/codeql/config/query-suites.qls - uses: ./.github/codeql/custom-queries/qlpack.yml packs: - "codeql/java-queries" - "codeql/javascript-queries" - "codeql/python-queries" - "codeql/go-queries" - "codeql/cpp-queries" - "./.github/codeql/custom-queries" database: location: "./.codeql/databases" cleanup: true retention-days: 30 analysis: mode: "${{ env.ANALYSIS_MODE || 'deep' }}" timeout: 300 memory: 8192 threads: 0 # 0 means automatic output: format: sarif-latest include-column-numbers: true include-severity: true include-help-links: true ``` ### 5. Custom Query Pack Configuration ```yaml # .github/codeql/custom-queries/qlpack.yml name: custom-security-queries version: 1.0.0 libraryPathDependencies: - codeql/java-all - codeql/javascript-all - codeql/python-all - codeql/go-all - codeql/cpp-all extractor: | none dependencies: codeql/java-all: "*" codeql/javascript-all: "*" codeql/python-all: "*" codeql/go-all: "*" codeql/cpp-all: "*" ``` ### 6. Advanced Security Queries ```ql // .github/codeql/custom-queries/Security/SQLInjectionAdvanced.ql /** * @name Advanced SQL Injection Detection * @description Detects complex SQL injection patterns with taint tracking * @kind path-problem * @problem.severity error * @precision high * @id java/advanced-sql-injection * @tags security * external/cwe/cwe-89 * external/cwe/cwe-564 */ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking import DataFlow::PathGraph class SqlInjectionConfiguration extends TaintTracking::Configuration { SqlInjectionConfiguration() { this = "SqlInjectionConfiguration" } override predicate isSource(DataFlow::Node source) { // HTTP request parameters exists(Method m | m.hasName("getParameter") or m.hasName("getHeader") or m.hasName("getQueryString") or m.hasName("getCookies") or m.hasName("getAttribute") | source.asExpr() = m.getACall() ) or // File input exists(Method m | m.hasName("readLine") or m.hasName("read") and m.getDeclaringType().hasQualifiedName("java.io", "Reader") | source.asExpr() = m.getACall() ) } override predicate isSink(DataFlow::Node sink) { // Database operations exists(Method m | m.hasName("executeQuery") or m.hasName("executeUpdate") or m.hasName("execute") or m.hasName("prepareStatement") or m.hasName("createStatement") | sink.asExpr() = m.getACall() or sink.asExpr() = m.getArgument(0) ) or // ORM operations exists(Method m | m.hasName("createNativeQuery") or m.hasName("createQuery") and m.getDeclaringType().getASupertype*().hasQualifiedName("javax.persistence", "EntityManager") | sink.asExpr() = m.getACall() ) } override predicate isSanitizer(DataFlow::Node sanitizer) { // Parameterized queries exists(Method m | m.hasName("setString") or m.hasName("setInt") or m.hasName("setDate") and m.getDeclaringType().getASupertype*().hasQualifiedName("java.sql", "PreparedStatement") | sanitizer.asExpr() = m.getACall() ) or // Input validation exists(Method m | m.hasName("matches") or m.hasName("isAlphanumeric") or m.hasName("escapeSql") | sanitizer.asExpr() = m.getACall() ) or // Encoding/escaping exists(Method m | m.hasName("encode") or m.hasName("escape") and m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "StringEscapeUtils") | sanitizer.asExpr() = m.getACall() ) } override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { // String concatenation and manipulation exists(BinaryExpr bin | bin.getOperator() = BinaryExpr.ADD and (bin.getLeftOperand() = node1.asExpr() and bin.getRightOperand() = node2.asExpr() or bin.getRightOperand() = node1.asExpr() and bin.getLeftOperand() = node2.asExpr()) ) or // String builder operations exists(MethodAccess ma | ma.getMethod().hasName("append") and ma.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("java.lang", "AbstractStringBuilder") and node1.asExpr() = ma.getQualifier() and node2.asExpr() = ma ) } } from SqlInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink where config.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Potential SQL injection vulnerability: user input flows to database operation without proper sanitization" ``` ### 7. Performance Analysis Queries ```ql // .github/codeql/custom-queries/Performance/MemoryLeakDetection.ql /** * @name Memory Leak Detection * @description Identifies potential memory leaks in Java applications * @kind problem * @problem.severity warning * @precision medium * @id java/memory-leak-detection * @tags performance * maintainability */ import java class ResourceAllocation extends Method { ResourceAllocation() { this.getName().matches("create%") or this.getName().matches("new%") or this.getName().matches("open%") or this.getName().matches("allocate%") or this.getName().matches("init%") } } class ResourceRelease extends Method { ResourceRelease() { this.getName().matches("close%") or this.getName().matches("destroy%") or this.getName().matches("release%") or this.getName().matches("free%") or this.getName().matches("cleanup%") or this.getName().matches("dispose%") } } class PotentialMemoryLeak extends ResourceAllocation { PotentialMemoryLeak() { not exists(ResourceRelease release | release.getDeclaringType() = this.getDeclaringType() and release.getName().toLowerCase() = this.getName().replace("create", "close").toLowerCase() or release.getName().toLowerCase() = this.getName().replace("new", "delete").toLowerCase() or release.getName().toLowerCase() = this.getName().replace("open", "close").toLowerCase() or release.getName().toLowerCase() = this.getName().replace("allocate", "free").toLowerCase() ) } } from PotentialMemoryLeak allocation select allocation, "Potential memory leak: resource allocation method '" + allocation.getName() + "' without corresponding release method" ``` ### 8. Security Quality Gates Workflow ```yaml # .github/workflows/codeql-security-gates.yml name: "CodeQL Security Gates" on: pull_request: branches: [ main, develop ] jobs: security-gates: name: Security Quality Gates runs-on: ubuntu-latest permissions: security-events: write actions: read contents: read steps: - name: Checkout repository uses: actions/checkout@v4 - name: Run CodeQL Analysis uses: github/codeql-action/analyze@v3 with: output: sarif-results category: "security-gates" upload-database: false - name: Check Security Thresholds id: security-check run: | python .github/codeql/scripts/security-gates.py - name: Fail on Critical Security Issues if: steps.security-check.outputs.critical_issues > 0 run: | echo "โ CRITICAL: ${{ steps.security-check.outputs.critical_issues }} critical security issues found" echo "Blocking merge due to security policy violations" exit 1 - name: Warn on High Security Issues if: steps.security-check.outputs.high_issues > 5 run: | echo "โ ๏ธ WARNING: ${{ steps.security-check.outputs.high_issues }} high severity issues found" echo "Consider addressing these issues before merge" - name: Generate Security Report if: always() run: | echo "## CodeQL Security Quality Gates" >> $GITHUB_STEP_SUMMARY echo "### Results Summary" >> $GITHUB_STEP_SUMMARY echo "- โ Critical Issues: ${{ steps.security-check.outputs.critical_issues }}" >> $GITHUB_STEP_SUMMARY echo "- โ ๏ธ High Issues: ${{ steps.security-check.outputs.high_issues }}" >> $GITHUB_STEP_SUMMARY echo "- ๐ Medium Issues: ${{ steps.security-check.outputs.medium_issues }}" >> $GITHUB_STEP_SUMMARY if [ ${{ steps.security-check.outputs.critical_issues }} -eq 0 ]; then echo "### โ Security Gates PASSED" >> $GITHUB_STEP_SUMMARY else echo "### โ Security Gates FAILED" >> $GITHUB_STEP_SUMMARY fi ``` ### 9. Security Gates Script ```python # .github/codeql/scripts/security-gates.py #!/usr/bin/env python3 import json import os import sys from pathlib import Path def load_sarif_results(): """Load and parse SARIF results from CodeQL analysis""" results = [] sarif_dir = Path("sarif-results") if not sarif_dir.exists(): return results for sarif_file in sarif_dir.glob("**/*.sarif"): with open(sarif_file, 'r') as f: data = json.load(f) for run in data.get('runs', []): results.extend(run.get('results', [])) return results def analyze_severity_distribution(results): """Analyze severity distribution of security issues""" severity_count = { 'critical': 0, 'high': 0, 'medium': 0, 'low': 0 } for result in results: # Map CodeQL levels to our severity levels level = result.get('level', 'warning') if level == 'error': severity_count['critical'] += 1 elif level == 'warning': severity_count['high'] += 1 elif level == 'note': severity_count['medium'] += 1 else: severity_count['low'] += 1 return severity_count def check_security_gates(severity_count): """Check if security gates are passed""" gates_passed = True # Critical issues always fail the gates if severity_count['critical'] > 0: gates_passed = False # More than 10 high issues fails the gates if severity_count['high'] > 10: gates_passed = False return gates_passed def main(): results = load_sarif_results() severity_count = analyze_severity_distribution(results) gates_passed = check_security_gates(severity_count) # Set output variables for GitHub Actions print(f"::set-output name=critical_issues::{severity_count['critical']}") print(f"::set-output name=high_issues::{severity_count['high']}") print(f"::set-output name=medium_issues::{severity_count['medium']}") print(f"::set-output name=low_issues::{severity_count['low']}") print(f"::set-output name=gates_passed::{str(gates_passed).lower()}") # Print summary print("Security Analysis Summary:") print(f" Critical Issues: {severity_count['critical']}") print(f" High Issues: {severity_count['high']}") print(f" Medium Issues: {severity_count['medium']}") print(f" Low Issues: {severity_count['low']}") print(f" Security Gates: {'PASSED' if gates_passed else 'FAILED'}") return 0 if gates_passed else 1 if __name__ == "__main__": sys.exit(main()) ``` ### 10. Performance Configuration ```yaml # .github/codeql/config/performance-config.yml optimization: max-paths: 1000 timeout: 300 memory: 8192 threads: 4 analysis: mode: deep precision: balanced caching: enabled: true location: ./.codeql/cache cleanup-age: 30d max-size: 10GB logging: level: INFO queries: true performance: true timing: true monitoring: enable-metrics: true metrics-interval: 60 memory-usage: true ``` ### 11. Query Suites Configuration ```ql // .github/codeql/config/query-suites.qls - description: "Security and Quality Suite" - queries: . from: security-and-quality - queries: . from: security-extended - include: tags: - security - external/cwe/cwe-89 - external/cwe/cwe-79 - external/cwe/cwe-78 - external/cwe/cwe-798 - external/cwe/cwe-259 - exclude: precision: very-low - exclude: kind: example - description: "Custom Security Queries" - queries: . from: custom-security-queries.qls ``` ## ๐ Deployment Instructions ### 1. Initialize the Structure ```bash # Create directory structure mkdir -p .github/{workflows,codeql/{config,custom-queries/{Security,Performance,Architecture},scripts}} # Create all the files as shown above ``` ### 2. Set Up Dependencies ```bash # Install CodeQL CLI (if needed) wget https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip unzip codeql-linux64.zip sudo mv codeql /usr/local/bin/ # Create custom query pack cd .github/codeql/custom-queries codeql pack init custom-security-queries ``` ### 3. Commit and Push ```bash git add . git commit -m "feat: Add advanced CodeQL configuration" git push origin main ``` ## ๐ง Key Features ### โ Advanced Analysis Capabilities - **Multi-language Support**: Java, JavaScript, Python, Go, C++ - **Custom Query Development**: Advanced security and performance queries - **Performance Optimization**: Configurable resources and caching - **Security Quality Gates**: Automated security thresholds - **Comprehensive Reporting**: Detailed security metrics and dashboards ### โ Enterprise-Grade Security - **Advanced Taint Tracking**: Complex data flow analysis - **Memory Leak Detection**: Performance and resource management - **SQL Injection Prevention**: Comprehensive injection detection - **Security Thresholds**: Configurable quality gates ### โ Performance Optimization - **Parallel Execution**: Multi-language concurrent analysis - **Resource Management**: Configurable memory and CPU usage - **Caching Strategy**: Reduced analysis times for subsequent runs - **Incremental Analysis**: Smart change detection This advanced CodeQL setup provides enterprise-grade code security analysis with custom rules, performance optimization, and comprehensive security gates! * Create Development I'll provide a comprehensive and well-documented version of the `first-responder-v2-prs-collect.yml` workflow. This version includes detailed comments, additional steps for robustness, and follows best practices for GitHub Actions. ```yaml # .github/workflows/first-responder-v2-prs-collect.yml # Collects pull requests for first responder v2 and sends notifications to Slack. # Runs every 15 minutes during working hours (Mon-Fri, 9am-5pm UTC). # Also allows manual trigger via workflow_dispatch. name: First Responder v2 PRs Collect on: schedule: # Cron syntax: minute hour day-of-month month day-of-week # Every 15 minutes between 9:00 and 16:45 UTC (last run at 16:45) # Only on weekdays (1-5 = Monday-Friday) - cron: "*/15 9-16 * * 1-5" workflow_dispatch: # Allow manual triggering with optional inputs (if needed) inputs: debug: description: 'Enable debug logging' required: false default: false type: boolean # Set permissions for the GITHUB_TOKEN permissions: contents: read pull-requests: read issues: read jobs: collect-prs: name: Collect PRs and notify Slack runs-on: ubuntu-latest # Add timeout to prevent runaway jobs timeout-minutes: 10 steps: # Step 1: Check out the repository code - name: Checkout repository uses: actions/checkout@v3 with: fetch-depth: 1 # Shallow clone for speed # Step 2: Set up Node.js environment - name: Setup Node.js uses: actions/setup-node@v3 with: node-version: '18' cache: 'npm' # Cache npm dependencies for faster installs # Step 3: Install dependencies from package-lock.json - name: Install dependencies run: npm ci # npm ci is faster and uses exact versions from package-lock.json # Step 4: Run PR collection script with environment variables - name: Run PR collection script env: # GitHub token automatically provided by GitHub Actions GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Slack bot token required to post messages SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} # Slack channel IDs for announcements and join channel SLACK_ANNOUNCEMENT_CHANNEL_ID: ${{ secrets.SLACK_ANNOUNCEMENT_CHANNEL_ID }} SLACK_JOIN_CHANNEL_ID: ${{ secrets.SLACK_JOIN_CHANNEL_ID }} # Optional debug flag if manual trigger with debug DEBUG: ${{ github.event.inputs.debug && 'true' || '' }} run: node src/scripts/first-responder-v2/prs-collect.js # Step 5: (Optional) Notify on failure - name: Notify Slack on failure if: failure() env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} SLACK_ANNOUNCEMENT_CHANNEL_ID: ${{ secrets.SLACK_ANNOUNCEMENT_CHANNEL_ID }} run: | curl -X POST -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ -H "Content-type: application/json" \ --data "{ \"channel\": \"$SLACK_ANNOUNCEMENT_CHANNEL_ID\", \"text\": \":x: First Responder v2 PR collection failed at $(date -u +'%Y-%m-%d %H:%M:%S UTC')\" }" \ https://slack.com/api/chat.postMessage ``` **Key Features of this Updated YAML:** - **Detailed comments** explaining each section. - **Permissions block** to restrict token scope for security. - **Timeout** to prevent long-running jobs. - **Caching** for npm dependencies to speed up runs. - **Manual trigger** with optional `debug` input. - **Failure notification** step to alert Slack if the script fails. - **Environment variables** clearly listed. Make sure you have the required secrets set in your repository: - `SLACK_BOT_TOKEN` - `SLACK_ANNOUNCEMENT_CHANNEL_ID` - `SLACK_JOIN_CHANNEL_ID` If you need further adjustments or have a different file in mind, let me know! Tentu, saya akan memberikan lebih banyak detail dan konteks terkait workflow `first-responder-v2-prs-collect.yml` serta komponen-komponennya. Berikut adalah penjelasan mendalam, tips penggunaan, dan kode tambahan untuk memaksimalkan workflow ini. ## 1. Penjelasan Mendalam tentang Cron Schedule Workflow ini menggunakan cron expression `*/15 9-16 * * 1-5`. Mari kita uraikan: - `*/15` โ Setiap 15 menit (menit 0,15,30,45). - `9-16` โ Jam 9 pagi hingga 4 sore UTC (jam 16). Karena cron menjalankan pada menit ke-0,15,30,45 di jam tersebut, maka run terakhir dimulai pukul 16:45 UTC (setara pukul 23:45 WIB jika UTC+7). - `*` โ Setiap hari dalam bulan. - `*` โ Setiap bulan. - `1-5` โ Senin sampai Jumat (1=Senin, 5=Jumat). ### Mengubah ke Zona Waktu Lokal Jika Anda ingin menjalankan workflow sesuai jam kerja di Indonesia (misal 09:00โ17:00 WIB), Anda bisa menyesuaikan cron dengan mempertimbangkan offset UTC. Contoh untuk WIB (UTC+7): ```yaml # 09:00โ17:00 WIB = 02:00โ10:00 UTC on: schedule: - cron: "*/15 2-9 * * 1-5" # Setiap 15 menit jam 2โ9 UTC ``` Perhatikan bahwa jam 10:00 UTC = 17:00 WIB, tapi menit terakhir di jam 9 adalah 09:45 UTC = 16:45 WIB. Jika ingin sampai jam 17:00 WIB (10:00 UTC), Anda perlu menjadwalkan di jam 10 juga, tapi hanya di menit 0 agar tidak berjalan setelah jam 17:00 WIB. Anda bisa menggunakan multiple cron lines: ```yaml on: schedule: - cron: "*/15 2-9 * * 1-5" # 09:00โ16:45 WIB - cron: "0 10 * * 1-5" # 17:00 WIB tepat ``` ## 2. Variabel Lingkungan dan Secret yang Diperlukan Workflow ini menggunakan tiga Slack channel ID: - `SLACK_ANNOUNCEMENT_CHANNEL_ID`: Channel untuk pengumuman penting, misalnya ringkasan PR yang dikumpulkan. - `SLACK_JOIN_CHANNEL_ID`: Channel khusus untuk mengundang anggota baru atau notifikasi onboarding. - `SLACK_BOT_TOKEN`: Token bot Slack dengan hak akses `chat:write` dan `channels:join` (jika perlu mengundang bot ke channel). **Cara mendapatkan Slack Bot Token dan Channel ID:** 1. Buat aplikasi Slack di [api.slack.com/apps](https://api.slack.com/apps). 2. Tambahkan scope `chat:write` dan `channels:join` (atau `groups:write` untuk private channel). 3. Install aplikasi ke workspace Anda. 4. Salin Bot User OAuth Token (mulai dengan `xoxb-`). 5. Untuk mendapatkan Channel ID, buka channel di Slack, klik nama channel di bagian atas, dan sali ID dari URL (biasanya diawali `C` atau `G`). Tambahkan semua nilai tersebut sebagai **repository secrets** di GitHub (Settings > Secrets and variables > Actions). ## 3. Script `prs-collect.js` โ Contoh Sederhana Workflow ini menjalankan script Node.js. Berikut adalah contoh minimal script yang mungkin digunakan (anda dapat menyesuaikan dengan logika Anda sendiri): ```javascript // src/scripts/first-responder-v2/prs-collect.js const { Octokit } = require('@octokit/rest'); const { WebClient } = require('@slack/web-api'); // Inisialisasi klien const octokit = new Octokit({ auth: process.env.GITHUB_TOKEN }); const slack = new WebClient(process.env.SLACK_BOT_TOKEN); async function collectPRs() { try { // Contoh: ambil PR terbuka di repo tertentu const { data: pullRequests } = await octokit.pulls.list({ owner: 'sazwan96', repo: 'sazwanismail', // ganti dengan repo Anda state: 'open' }); console.log(`Ditemukan ${pullRequests.length} PR terbuka.`); // Kirim notifikasi ke Slack if (pullRequests.length > 0) { const message = { channel: process.env.SLACK_ANNOUNCEMENT_CHANNEL_ID, text: `Ada ${pullRequests.length} PR baru yang perlu direview!`, blocks: [ { type: 'section', text: { type: 'mrkdwn', text: `*Daftar PR Terbuka:*` } }, ...pullRequests.map(pr => ({ type: 'section', text: { type: 'mrkdwn', text: `<${pr.html_url}|#${pr.number}: ${pr.title}> oleh @${pr.user.login}` } })) ] }; await slack.chat.postMessage(message); } else { // Opsional: kirim pesan bahwa tidak ada PR await slack.chat.postMessage({ channel: process.env.SLACK_ANNOUNCEMENT_CHANNEL_ID, text: 'Tidak ada PR terbuka saat ini.' }); } // Kirim pesan ke join channel (misal untuk onboarding) await slack.chat.postMessage({ channel: process.env.SLACK_JOIN_CHANNEL_ID, text: 'Workflow PR collection berjalan dengan sukses.' }); } catch (error) { console.error('Error:', error); // Opsional: kirim notifikasi error ke Slack await slack.chat.postMessage({ channel: process.env.SLACK_ANNOUNCEMENT_CHANNEL_ID, text: `Terjadi error: ${error.message}` }); process.exit(1); } } collectPRs(); ``` Pastikan Anda menginstal dependencies yang diperlukan: ```bash npm install @octokit/rest @slack/web-api ``` ## 4. Menambahkan Logging dan Monitoring Untuk memudahkan debugging, Anda dapat menambahkan step yang meng-upload log sebagai artifact jika terjadi error: ```yaml - name: Upload logs on failure if: failure() uses: actions/upload-artifact@v3 with: name: error-logs path: /home/runner/.npm/_logs/ retention-days: 5 ``` ## 5. Menambahkan Step untuk Menjalankan Test Sebelum Collect Jika Anda ingin memastikan script berfungsi sebelum menjalankan koleksi PR, Anda bisa menambahkan step test: ```yaml - name: Run tests run: npm test ``` ## 6. Menjadwalkan dengan Input Manual yang Lebih Fleksibel Anda dapat memperluas `workflow_dispatch` dengan input untuk memilih repositori target atau mode debug: ```yaml on: workflow_dispatch: inputs: repo: description: 'Repository to scan (format: owner/repo)' required: false default: 'sazwan96/sazwanismail' debug: description: 'Enable debug logging' required: false default: false type: boolean ``` Kemudian di script, baca input tersebut: ```javascript const repoFullName = process.env.INPUT_REPO || 'sazwan96/sazwanismail'; const [owner, repo] = repoFullName.split('/'); ``` ## 7. Keamanan: Menggunakan GitHub App Token Jika Anda membutuhkan akses yang lebih aman atau spesifik, pertimbangkan untuk menggunakan GitHub App token daripada `GITHUB_TOKEN`. Anda bisa menggunakan action `tibdex/github-app-token` untuk menghasilkan token dengan izin terbatas. ## 8. Alternatif: Menggunakan Action `schedule` dengan If Condition Jika Anda ingin mengontrol eksekusi berdasarkan kondisi tertentu (misal hanya jika ada perubahan file tertentu), Anda bisa menambahkan conditional step: ```yaml - name: Check if script changed id: changed uses: tj-actions/changed-files@v35 with: files: | src/scripts/first-responder-v2/prs-collect.js .github/workflows/first-responder-v2-prs-collect.yml - name: Run PR collection only if relevant files changed if: steps.changed.outputs.any_changed == 'true' run: node src/scripts/first-responder-v2/prs-collect.js ``` ## 9. Integrasi dengan Database atau API Eksternal Jika Anda perlu menyimpan hasil koleksi PR ke database atau memanggil API eksternal, tambahkan step tersebut di dalam script atau sebagai step terpisah. ## 10. Notifikasi ke Multiple Channel Anda bisa mengirim notifikasi ke lebih dari dua channel dengan menambahkan variabel lingkungan tambahan: ```yaml env: SLACK_CHANNEL_1: ${{ secrets.SLACK_CHANNEL_1 }} SLACK_CHANNEL_2: ${{ secrets.SLACK_CHANNEL_2 }} ``` Lalu di script, Anda bisa memposting ke semua channel yang didefinisikan. --- Dengan semua tambahan ini, workflow Anda menjadi lebih powerful, fleksibel, dan mudah dipelihara. Jika ada bagian spesifik yang ingin didalami atau ditambahkan, beri tahu saya! * Update cmake-single-platform.yml # Updated CMake Single Platform GitHub Actions Workflow This repository provides an up-to-date GitHub Actions workflow for building CMake projects on a single platform (Linux, macOS, or Windows). It includes: - CMake configuration and build - Caching for dependencies (vcpkg, ccache) - Multiple build types (Debug, Release) - Running tests with CTest - Uploading build artifacts - Code formatting and linting (optional) ## ๐ Workflow File: `.github/workflows/cmake-single-platform.yml` ```yaml name: CMake Single Platform Build on: push: branches: [ main, develop ] pull_request: branches: [ main ] workflow_dispatch: # Allow manual trigger env: BUILD_TYPE: Release # Customize CMake build type if needed jobs: build: # Choose the runner: ubuntu-latest, windows-latest, or macos-latest runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v4 # ===== SETUP DEPENDENCIES ===== - name: Install Linux dependencies (if any) if: runner.os == 'Linux' run: | sudo apt-get update sudo apt-get install -y ninja-build ccache # Add other packages as needed - name: Install macOS dependencies if: runner.os == 'macOS' run: | brew install ninja ccache # Add other packages - name: Install Windows dependencies (using Chocolatey) if: runner.os == 'Windows' run: | choco install ninja ccache # Or use vcpkg (see below) # ===== CACHE MANAGEMENT ===== - name: Cache ccache uses: actions/cache@v4 with: path: ~/.ccache key: ${{ runner.os }}-ccache-${{ github.sha }} restore-keys: ${{ runner.os }}-ccache- - name: Cache vcpkg (if used) if: false # Enable if you use vcpkg uses: actions/cache@v4 with: path: | ~/.cache/vcpkg build/vcpkg_installed key: ${{ runner.os }}-vcpkg-${{ hashFiles('**/vcpkg.json') }} restore-keys: ${{ runner.os }}-vcpkg- # ===== CONFIGURE & BUILD ===== - name: Configure CMake run: | cmake -B build -S . \ -DCMAKE_BUILD_TYPE=${{ env.BUILD_TYPE }} \ -G Ninja \ -DCMAKE_C_COMPILER_LAUNCHER=ccache \ -DCMAKE_CXX_COMPILER_LAUNCHER=ccache env: CC: clang # Override compiler if needed (gcc, clang, cl) CXX: clang++ - name: Build run: cmake --build build --config ${{ env.BUILD_TYPE }} --parallel # ===== TEST ===== - name: Test working-directory: build run: ctest -C ${{ env.BUILD_TYPE }} --output-on-failure --parallel # ===== CODE QUALITY (optional) ===== - name: Run clang-format lint if: false # Enable if you want formatting checks uses: jidicula/clang-format-action@v4.11.0 with: clang-format-version: '16' check-path: 'src' # ===== ARTIFACTS ===== - name: Upload build artifacts uses: actions/upload-artifact@v4 with: name: ${{ runner.os }}-${{ env.BUILD_TYPE }}-binaries path: | build/bin build/lib build/*.exe build/*.dll build/*.so build/*.dylib if-no-files-found: ignore ``` ## ๐ง Customization Tips 1. **Runner OS**: Change `runs-on` to `windows-latest` or `macos-latest` as needed. 2. **Dependencies**: Adjust package installation steps for your specific libraries. 3. **vcpkg**: If your project uses vcpkg, enable the vcpkg cache step and install vcpkg in a setup step. 4. **Compiler**: Override `CC` and `CXX` environment variables to use different compilers (e.g., `gcc`, `clang`, `msvc`). 5. **Build Types**: You can matrix over `BUILD_TYPE` to build both Debug and Release, or add a strategy matrix. 6. **Artifacts**: Customize the artifact paths to match your output locations. ## ๐ฆ Example with vcpkg and Matrix If you need multiple build types or configurations, extend with a matrix: ```yaml jobs: build: runs-on: ${{ matrix.os }} strategy: matrix: os: [ubuntu-latest, windows-latest, macos-latest] build_type: [Debug, Release] env: BUILD_TYPE: ${{ matrix.build_type }} steps: # ... steps (use matrix.os and matrix.build_type) ``` ## โ Best Practices Included - **Caching** with ccache and vcpkg speeds up rebuilds. - **Ninja** generator for faster builds. - **Parallel** builds and tests. - **Artifact** upload for easy access to binaries. - **Manual trigger** (`workflow_dispatch`) for ad-hoc runs. ## ๐ References - [GitHub Actions Documentation](https://docs.github.com/actions) - [CMake Documentation](https://cmake.org/cmake/help/latest/) - [vcpkg with GitHub Actions](https://vcpkg.io/en/getting-started.html) --- **Maintainer:** Your Team **License:** MIT # Updated Advanced CMake Single/Multi-Platform Workflow This workflow provides a robust CI pipeline for CMake projects, supporting multiple operating systems and build configurations. It includes caching, testing, code coverage, static analysis, and artifact upload. ## ๐ `.github/workflows/cmake-advanced.yml` ```yaml name: CMake Advanced CI on: push: branches: [ main, develop ] pull_request: branches: [ main ] workflow_dispatch: # Allow manual trigger env: # Global build type; can be overridden per matrix BUILD_TYPE: Release jobs: build: name: ${{ matrix.os }} / ${{ matrix.build_type }} runs-on: ${{ matrix.os }} strategy: fail-fast: false # Continue other jobs if one fails matrix: os: [ubuntu-latest, windows-latest, macos-latest] build_type: [Debug, Release] # Optionally exclude some combinations # exclude: # - os: windows-latest # build_type: Debug steps: - name: Checkout code uses: actions/checkout@v4 # ===== DEPENDENCY INSTALLATION ===== - name: Install Linux dependencies if: runner.os == 'Linux' run: | sudo apt-get update sudo apt-get install -y \ ninja-build \ ccache \ lcov \ clang-tidy \ curl \ zip # Add project-specific packages here - name: Install macOS dependencies if: runner.os == 'macOS' run: | brew install \ ninja \ ccache \ llvm # provides clang-tidy, lcov # Ensure llvm binaries are in PATH echo "$(brew --prefix llvm)/bin" >> $GITHUB_PATH - name: Install Windows dependencies if: runner.os == 'Windows' run: | choco install ninja ccache # vcpkg is usually installed on GitHub runners; if needed, bootstrap: # git clone https://github.com/Microsoft/vcpkg.git # .\vcpkg\bootstrap-vcpkg.bat # echo "${{ github.workspace }}/vcpkg" >> $GITHUB_PATH # ===== CACHE SETUP ===== - name: Cache ccache uses: actions/cache@v4 with: path: ~/.ccache key: ${{ runner.os }}-ccache-${{ matrix.build_type }}-${{ github.sha }} restore-keys: | ${{ runner.os }}-ccache-${{ matrix.build_type }}- ${{ runner.os }}-ccache- - name: Cache vcpkg (if used) if: false # Enable if you use vcpkg.json manifest mode uses: actions/cache@v4 with: path: | ~/.cache/vcpkg ${{ github.workspace }}/build/vcpkg_installed key: ${{ runner.os }}-vcpkg-${{ hashFiles('**/vcpkg.json') }} restore-keys: ${{ runner.os }}-vcpkg- # ===== CONFIGURE CMAKE ===== - name: Configure CMake shell: bash run: | cmake -B build -S . \ -DCMAKE_BUILD_TYPE=${{ matrix.build_type }} \ -G Ninja \ -DCMAKE_C_COMPILER_LAUNCHER=ccache \ -DCMAKE_CXX_COMPILER_LAUNCHER=ccache \ -DCMAKE_EXPORT_COMPILE_COMMANDS=ON # for clang-tidy # ===== BUILD ===== - name: Build run: cmake --build build --config ${{ matrix.build_type }} --parallel # ===== RUN TESTS ===== - name: Test working-directory: build run: ctest -C ${{ matrix.build_type }} --output-on-failure --parallel # ===== STATIC ANALYSIS (clang-tidy) ===== - name: Run clang-tidy if: runner.os == 'Linux' && matrix.build_type == 'Debug' # Run once to avoid duplication working-directory: build run: | # Adjust source directory and checks as needed run-clang-tidy -p . -extra-arg=-Wno-unknown-warning-option -quiet # ===== CODE COVERAGE (Linux only) ===== - name: Generate coverage report if: runner.os == 'Linux' && matrix.build_type == 'Debug' && github.event_name == 'push' run: | # Ensure you have built with coverage flags: -fprofile-arcs -ftest-coverage lcov --directory . --capture --output-file coverage.info lcov --remove coverage.info '/usr/*' --output-file coverage.info lcov --list coverage.info working-directory: build - name: Upload coverage to Codecov if: runner.os == 'Linux' && matrix.build_type == 'Debug' && github.event_name == 'push' uses: codecov/codecov-action@v4 with: files: build/coverage.info flags: unittests name: codecov-umbrella fail_ci_if_error: false token: ${{ secrets.CODECOV_TOKEN }} # ===== UPLOAD ARTIFACTS ===== - name: Prepare artifacts shell: bash run: | mkdir -p artifacts # Copy binaries, libraries, etc. if [ -d build/bin ]; then cp -r build/bin artifacts/; fi if [ -d build/lib ]; then cp -r build/lib artifacts/; fi # Include compile_commands.json for debugging cp build/compile_commands.json artifacts/ || true - name: Upload build artifacts uses: actions/upload-artifact@v4โฆ -
3db06a5413
Update ci.yml
I understand you want to update the ci.yml file with the name "Muhamad sazwan bin ismail". However, I need to know exactly where and how this name should appear in the CI configuration. Here are some common ways names are used in CI files: 1. Author/committer metadata โ If the CI pipeline makes commits (e.g., updating a version, generating files), you might want to set the Git user name. 2. Notification settings โ For sending emails or messages with the author's name. 3. Workflow file comments โ A simple comment at the top indicating who created/modified the file. 4. Environment variable โ Setting an environment variable like AUTHOR_NAME for use in scripts. 5. Docker image label โ Adding a maintainer label if building Docker images. Could you clarify your goal? If you provide more details about your project and what you're trying to achieve, I can give you a precise update. For now, here's an enhanced GitHub Actions template with multiple places where you might insert the name. Pick the parts you need: ```yaml name: CI # Optional: Comment with author info # Author: Muhamad Sazwan bin Ismail # Last updated: 2025-03-17 on: push: branches: [ main ] pull_request: branches: [ main ] env: AUTHOR_NAME: "Muhamad Sazwan bin Ismail" # Set as environment variable jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 # Set Git user (if your pipeline commits) - name: Configure Git user run: | git config --global user.name "Muhamad Sazwan bin Ismail" git config --global user.email "your-email@example.com" # replace with email # Example of using the env variable - name: Show author run: echo "Running CI for $AUTHOR_NAME" # Add your actual build/test steps here - run: npm ci - run: npm test ``` If this isn't what you need, please describe: ยท What CI system you're using (GitHub Actions, GitLab CI, etc.) ยท The current content of your ci.yml (if any) ยท Where exactly you want the name to appear and what for I'm ready to help once I have those details. -
Merge branch 'bitcoin:master' into Sazwanend-patch-1 856b8452e0
-
DrahtBot commented at 8:08 PM on March 16, 2026: contributor
โป๏ธ Automatically closing for now based on heuristics. Please leave a comment, if this was erroneous. Generally, please focus on creating high-quality, original content that demonstrates a clear understanding of the project's requirements and goals.
๐ Moderators: If this is spam, please replace the title with
., so that the thread does not appear in search results. - DrahtBot closed this on Mar 16, 2026
-
DrahtBot commented at 8:08 PM on March 16, 2026: contributor
LLM spam detection (โจ experimental): SPAM. The submission contains only boilerplate/template help text with no substantive description, rationale, or code changes to review; the title is generic and there's no meaningful content indicating a real contribution.
โป๏ธ Automatically wiping, closing, and locking for now based on heuristics. Generally, please focus on creating high-quality, original content that demonstrates a clear understanding of the project's requirements and goals.
- DrahtBot renamed this:
Sazwanend patch 1
.
on Mar 16, 2026 - bitcoin locked this on Mar 16, 2026
-
DrahtBot commented at 8:09 PM on March 16, 2026: contributor
<!--e57a25ab6845829454e8d69fc972939a-->
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
<!--021abf342d371248e50ceaed478a90ca-->
Reviews
See the guideline for information on the review process. A summary of reviews will appear here.
<!--5faf32d7da4f0f540f40219e4f7537a3-->
LLM Linter (โจ experimental)
Possible typos and grammar issues:
- ?Great! -> ? Great! [Missing space after question mark makes the two sentences run together and harms readability]
<sup>2026-03-16 20:09:02</sup>
