feat: add Helm chart version bumping support (Chart.yaml) #106
Workflow file for this run
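# CodeQL Advanced setup for SAP/pull-request-semver-bumper
#
# Scans:
# - GitHub Actions workflows and action definitions (language: actions)
# - TypeScript / JavaScript sources (language: javascript-typescript)
#
# Triggers:
# - push to main (baseline analysis of merged code)
# - pull_request on main (all PRs: same-repo branches and forks)
# - weekly schedule (catches new queries / advisories)
#
# pull_request_target is intentionally NOT used. The pull_request event
# fires for fork PRs too, and CodeQL analysis with build-mode: none does
# not require the privileged base-repo token that pull_request_target
# provides. For fork PRs, SARIF upload is skipped (upload: never) — the
# analysis still runs and the job passes/fails on findings, but results
# are not posted to the Code Scanning dashboard.
#
# Security model:
# - actions/checkout uses persist-credentials: false so no token is
#   available to subsequent steps.
# - build-mode: none for both languages — CodeQL extracts directly from
#   source; no `npm install`, no `run:` step executes untrusted code.
# - The CodeQL configuration (paths-ignore, queries) is provided INLINE
#   via the `config:` input rather than read from a file in the working
#   directory. This prevents a contributor from disabling queries or
#   adding broad paths-ignore in their PR to neuter the security gate.
# - Every GitHub-context value consumed by a `run:` step is passed through
#   `env:` instead of being expanded into the script text, so the shell
#   never sees a `${{ }}` expansion (no template-injection surface).
# - Actions are referenced by major-version tag. NOTE(review): pinning
#   each `uses:` to a full commit SHA (tag kept in a trailing comment)
#   would make the action supply chain immutable — confirm with the
#   repo's dependency-update policy.
name: "CodeQL Advanced"
# NOTE(review): the header states pull_request_target is not used; confirm
# this zizmor suppression is still needed or drop it.
on: # zizmor: ignore[pull-request-target]
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '26 1 * * 3'
# Workflow-level permissions intentionally empty.
# The analyze job declares only what it needs.
permissions: {}
jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: javascript-typescript
            build-mode: none
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # For pull_request events (including forks), actions/checkout checks out
          # the PR merge commit by default — no explicit ref or repository needed.
          persist-credentials: false
      - name: Resolve SARIF upload mode
        env:
          # All three values come from the GitHub context and are handed to the
          # script as environment variables; nothing is interpolated into `run:`.
          EVENT_NAME: ${{ github.event_name }}
          BASE_REPO: ${{ github.repository }}
          # Empty for non-PR events (push, schedule), so the fork test below is
          # only reachable when EVENT_NAME is pull_request.
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          # Fork PRs: skip upload — analysis still runs and gates the PR on findings,
          # but results are not posted to the base repo's Code Scanning dashboard.
          # All other events (same-repo PR, push, schedule): upload as normal.
          if [[ "$EVENT_NAME" == "pull_request" && \
                "$HEAD_REPO" != "$BASE_REPO" ]]; then
            echo "CODEQL_UPLOAD=never" >> "$GITHUB_ENV"
          else
            echo "CODEQL_UPLOAD=always" >> "$GITHUB_ENV"
          fi
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Use the security-and-quality suite to also report quality alerts,
          # which the repo ruleset's `code_quality` rule consumes.
          queries: security-and-quality
          # Inline config (NOT config-file) so a contributor's working-directory
          # version cannot override paths-ignore or disable queries.
          config: |
            paths-ignore:
              # Generated bundles produced by ncc/webpack — analyzing them
              # duplicates alerts already covered by the TS sources.
              - "**/dist/**"
              # Vendored dependencies.
              - "**/node_modules/**"
              # Build artefacts and TypeScript output directories.
              - "**/build/**"
              - "**/out/**"
              - "**/coverage/**"
              # Test fixtures and snapshots.
              - "**/__fixtures__/**"
              - "**/__snapshots__/**"
              - "**/*.snap"
              # Lockfiles.
              - "**/package-lock.json"
              - "**/yarn.lock"
              - "**/pnpm-lock.yaml"
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
          # Set by the "Resolve SARIF upload mode" step: always | never.
          upload: ${{ env.CODEQL_UPLOAD }}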