From bdb54cddfdc40009809363f1c0e8927aa712ccd7 Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 18:02:46 -0600 Subject: [PATCH 1/5] ci: add CodeQL workflow for Swift analysis on macOS The default CodeQL setup only runs on Linux runners, which can't build this project's Swift package (requires Xcode/iOS SDK). This adds a dedicated workflow using macos-15 runners with path filtering so it only runs when Swift code changes. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql-swift.yml | 42 ++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/codeql-swift.yml diff --git a/.github/workflows/codeql-swift.yml b/.github/workflows/codeql-swift.yml new file mode 100644 index 000000000..dfed2fb02 --- /dev/null +++ b/.github/workflows/codeql-swift.yml @@ -0,0 +1,42 @@ +name: 'CodeQL (Swift)' + +on: + push: + branches: [trunk] + paths: + - 'ios/Sources/**/*.swift' + - 'Package.swift' + pull_request: + branches: [trunk] + paths: + - 'ios/Sources/**/*.swift' + - 'Package.swift' + schedule: + - cron: '0 6 * * 1' # Weekly on Monday at 6am UTC + +permissions: + security-events: write + contents: read + +jobs: + analyze: + name: Analyze Swift + runs-on: macos-15 + timeout-minutes: 30 + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: swift + + - name: Build Swift package + run: swift build --target GutenbergKit --target GutenbergKitHTTP + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: '/language:swift' From 766fbc582fe4609a16c55580731f24c7ba7d7862 Mon Sep 17 00:00:00 2001 
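Review bot: Every `uses:` in this hunk — `actions/checkout@v4`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` — resolves a floating major-version tag at run time, so a retagged or compromised release of those actions would be executed unchanged by a workflow that holds `security-events: write`. Pinning each reference to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<PINNED_COMMIT_SHA_PLACEHOLDER> # v4`, makes the resolution immutable, and Dependabot can still bump the pinned SHA. The same floating tags appear in the codeql.yml hunk of patch 4 and in the context lines of patch 5's hunk, so they should be pinned there as well.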
From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 18:05:04 -0600 Subject: [PATCH 2/5] ci: add workflow_dispatch trigger to CodeQL Swift workflow Allows manual triggering from the Actions tab for testing. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql-swift.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codeql-swift.yml b/.github/workflows/codeql-swift.yml index dfed2fb02..86f9d612b 100644 --- a/.github/workflows/codeql-swift.yml +++ b/.github/workflows/codeql-swift.yml @@ -1,6 +1,7 @@ name: 'CodeQL (Swift)' on: + workflow_dispatch: push: branches: [trunk] paths: From ef8faa547c3341582345ead7a647186cd4958d5c Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 18:05:48 -0600 Subject: [PATCH 3/5] ci: trigger CodeQL Swift workflow with trivial whitespace change Remove trailing newline to trigger the path-filtered workflow on this PR. This can be reverted after verifying the workflow passes. Co-Authored-By: Claude Opus 4.6 --- ios/Sources/GutenbergKitHTTP/HTTPServer.swift | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ios/Sources/GutenbergKitHTTP/HTTPServer.swift b/ios/Sources/GutenbergKitHTTP/HTTPServer.swift index 17cfeb1c7..485cc9b79 100644 --- a/ios/Sources/GutenbergKitHTTP/HTTPServer.swift +++ b/ios/Sources/GutenbergKitHTTP/HTTPServer.swift @@ -626,4 +626,4 @@ extension Logger { static let httpServer = Logger(subsystem: "com.gutenbergkit.http", category: "server") } -#endif // canImport(Network) +#endif // canImport(Network) \ No newline at end of file From c33b5ccec047162f40f64f1dfb1184b324a6f3b2 Mon Sep 17 00:00:00 2001 
From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 18:11:57 -0600 Subject: [PATCH 4/5] ci: replace Swift-only workflow with full CodeQL workflow The default CodeQL setup and custom workflows can't coexist, so this replaces the default setup with a single workflow covering all languages. Swift runs on macos-15 with Xcode 16.3 (for Swift 6.2); JS, Kotlin, and Actions run on ubuntu-latest with autobuild. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql-swift.yml | 43 ------------------- .github/workflows/codeql.yml | 67 ++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+), 43 deletions(-) delete mode 100644 .github/workflows/codeql-swift.yml create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql-swift.yml b/.github/workflows/codeql-swift.yml deleted file mode 100644 index 86f9d612b..000000000 --- a/.github/workflows/codeql-swift.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: 'CodeQL (Swift)' - -on: - workflow_dispatch: - push: - branches: [trunk] - paths: - - 'ios/Sources/**/*.swift' - - 'Package.swift' - pull_request: - branches: [trunk] - paths: - - 'ios/Sources/**/*.swift' - - 'Package.swift' - schedule: - - cron: '0 6 * * 1' # Weekly on Monday at 6am UTC - -permissions: - security-events: write - contents: read - -jobs: - analyze: - name: Analyze Swift - runs-on: macos-15 - timeout-minutes: 30 - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: swift - - - name: Build Swift package - run: swift build --target GutenbergKit --target GutenbergKitHTTP - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: '/language:swift' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..00257167e --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,67 @@ +name: 'CodeQL' + +on: + workflow_dispatch: + push: + branches: [trunk] + pull_request: + branches: [trunk] + schedule: + - cron: '0 6 * * 1' # Weekly on Monday at 6am UTC + +permissions: + security-events: write + contents: read + +jobs: + analyze-interpreted: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + timeout-minutes: 15 + + strategy: + fail-fast: false + matrix: + language: [actions, java-kotlin, javascript-typescript] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: '/language:${{ matrix.language }}' + + analyze-swift: + name: Analyze (swift) + runs-on: macos-15 + timeout-minutes: 30 + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Select Xcode 16.3 + run: sudo xcode-select -s /Applications/Xcode_16.3.app/Contents/Developer + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: swift + + - name: Build Swift package + run: swift build --target GutenbergKit --target GutenbergKitHTTP + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: '/language:swift' From 686ebccd4b99f90cb79235c54117a21be8a289ee Mon Sep 17 00:00:00 2001 From: Jeremy Massel <1123407+jkmassel@users.noreply.github.com> Date: Wed, 1 Apr 2026 18:47:56 -0600 Subject: [PATCH 5/5] ci: fix Swift Xcode version and disable default CodeQL setup - Use Xcode 26.0.1 (Swift 6.2) instead of Xcode 16.3 (Swift 6.1) - Disabled default CodeQL setup via API since custom and default workflows cannot coexist - Reverted back to Swift-only + all-languages workflow Co-Authored-By: Claude Opus 4.6 --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
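Review bot: The new codeql.yml declares no `concurrency` group, so each push to an open pull request queues another full run — including the 30-minute macos-15 `analyze-swift` job — without cancelling the superseded one, and the `paths:` filter that confined Swift analysis to `ios/Sources/**/*.swift` and `Package.swift` in the earlier workflow is gone here, so that job now also runs on JavaScript- or docs-only changes. A top-level `concurrency:` / `  group: ${{ github.workflow }}-${{ github.ref }}` / `  cancel-in-progress: true` would bound the queue; whether to restore the path filter depends on whether these checks are required for merge, since a path-filtered required check never reports on pushes it skips. The hard-coded `/Applications/Xcode_16.3.app/Contents/Developer` in the `Select Xcode 16.3` step fails the job outright if the macos-15 image ships a different set of Xcode versions, so a preceding `ls /Applications | grep -i xcode` in the same step would at least make that failure self-explanatory in the log.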
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 00257167e..68d2c6929 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -50,8 +50,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Select Xcode 16.3 - run: sudo xcode-select -s /Applications/Xcode_16.3.app/Contents/Developer + - name: Select Xcode + run: sudo xcode-select -s /Applications/Xcode_26.0.1.app/Contents/Developer - name: Initialize CodeQL uses: github/codeql-action/init@v3