0x7c13 · 0x7c13 · Mar 24, 2021 · Jan 12, 2021 · Jan 12, 2021 · Jan 12, 2021
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "nuget"
+    # location of package manifests
+    directory: "/src/Notepads"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "nuget"
+    # location of package manifests
+    directory: "/src/Notepads.Controls"
+    schedule:
+      interval: "daily"
+
+# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,73 @@
+name: CodeQL Analysis
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 8 * * *'
+
+jobs:
+  analyze:
+    name: codeql-analysis
+    runs-on: windows-latest
+    strategy:
+      matrix:
+        configuration: [ Production ]
+    env:
+      SOLUTION_NAME: src\Notepads.sln
+      PROJECT_PATH: src\Notepads\Notepads.csproj
+      CONFIGURATION: ${{ matrix.configuration }}
+    steps:
+      - name: Checkout repository
+        id: checkout_repo
+        uses: actions/checkout@v2
+
+      # Due to the insufficient memory allocated by default, CodeQL sometimes requires more to be manually allocated
+      - name: Configure Pagefile
+        id: config_pagefile
+        uses: al-cheb/[email protected]
+        with:
+            minimum-size: 8GB
+            maximum-size: 32GB
+            disk-root: "D:"
+
+      - name: Setup MSBuild
+        id: setup_msbuild
+        uses: microsoft/setup-msbuild@v1
+
+      - name: Restore application
+        id: restore_app
+        shell: pwsh
+        run: |
+          msbuild $env:SOLUTION_NAME `
+          /t:Restore `
+          /p:Configuration=$env:CONFIGURATION          
+
+      - name: Initialize CodeQL
+        id: init_codeql
+        uses: github/codeql-action/init@v1
+        with:
+          queries: security-and-quality
+
+      - name: Build application
+        id: build_app
+        shell: pwsh
+        run: |
+          msbuild $env:PROJECT_PATH `
+          /p:Platform=$env:PLATFORM `
+          /p:Configuration=$env:CONFIGURATION `
+          /p:UapAppxPackageBuildMode=$env:APPX_PACKAGE_BUILD_MODE `
+          /p:AppxBundle=$env:APPX_BUNDLE `
+          /p:AppxPackageSigningEnabled=false `
+          /p:AppxBundlePlatforms="$env:APPX_BUNDLE_PLATFORMS"
+        env:
+          PLATFORM: x64
+          APPX_PACKAGE_BUILD_MODE: StoreUpload
+          APPX_BUNDLE: Always
+          APPX_BUNDLE_PLATFORMS: x64
+
+      - name: Perform CodeQL Analysis
+        id: analyze_codeql
+        uses: github/codeql-action/analyze@v1
+
+# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)
diff --git a/.github/workflows/csa-bulk-dismissal.yml b/.github/workflows/csa-bulk-dismissal.yml
@@ -0,0 +1,58 @@
+name: Code scanning alerts bulk dismissal
+
+on: [workflow_dispatch]
+
+jobs:
+  dismiss-alerts: 
+    name: Dismiss alerts
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ALERT_DESC: ['"Calls to unmanaged code"', '"Unmanaged code"']
+    env:
+      # Settings
+      OWNER: ${{ github.repository_owner }} # verbatim from URL
+      PROJECT_NAME: ${{ github.event.repository.name }} # verbatim from URL
+      ACCESS_TOKEN: ${{ secrets.CSA_ACCESS_TOKEN }} # requires security_events read/write permissions
+      DISMISS_REASON: ${{ secrets.DISMISS_REASON_VAR }} # "false positive", "won't fix" or "used in tests". 
+      ALERTS_PER_PAGE: 100
+      ALERT_DESCRIPTION: ${{ matrix.ALERT_DESC }}
+    steps:
+      - name: Install jq
+        id: install_jq
+        uses: r26d/jq-action@master
+        with:
+          cmd: jq -n env
+
+      - name: Run automation
+        id: run_automation
+        shell: bash
+        run: |
+          page=1
+          LIST_OF_ALERTS=$(curl -u $OWNER:$ACCESS_TOKEN -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/$OWNER/$PROJECT_NAME/code-scanning/alerts?state=open&page=$page&per_page=$ALERTS_PER_PAGE"| jq .[].number )
+
+          while [ -n "$LIST_OF_ALERTS" ]
+          do
+            echo -n $LIST_OF_ALERTS" " >> "data.json"
+
+            ((page=page+1))
+
+            LIST_OF_ALERTS=$(curl -u $OWNER:$ACCESS_TOKEN -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/$OWNER/$PROJECT_NAME/code-scanning/alerts?state=open&page=$page&per_page=$ALERTS_PER_PAGE"| jq .[].number )
+          done
+
+          LIST_OF_INDEXES=$(cat data.json)
+
+          for index in $LIST_OF_INDEXES
+          do
+            ALERT_DESC=$(curl -u $OWNER:$ACCESS_TOKEN -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/$OWNER/$PROJECT_NAME/code-scanning/alerts/$index" | jq .rule.description)
+
+            if [ "$ALERT_DESC" == "$ALERT_DESCRIPTION" ]; then
+              ALERT_URL="https://api.github.com/repos/$OWNER/$PROJECT_NAME/code-scanning/alerts/$index"
+
+              curl -u $OWNER:$ACCESS_TOKEN -X PATCH -H "Accept: application/vnd.github.v3+json" $ALERT_URL -d '{"state":"dismissed","dismissed_reason":"'"$DISMISS_REASON"'"}'
+            fi
+          done
+
+          rm -f data.json
+
+# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)