feat: add a documentation site (Astro + Starlight) #45
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CodeQL | |
| # CodeQL SAST (static application security testing) for the JVM (Java + Kotlin) surface of kuri, | |
| # plus CodeQL's reliability/maintainability queries — the query suite is set to security-and-quality | |
| # in .github/codeql/codeql-config.yml. CodeQL only extracts JVM-bytecode-producing compilation; in | |
| # this KMP project all production code is common + jvm Kotlin (the whole parsing engine lives in | |
| # commonMain, and the reflective binder in kuri-bind's jvmMain), which the JVM target compiles, so a | |
| # single traced JVM build covers commonMain + jvmMain — the entire security-relevant surface. Only | |
| # platform-specific `actual` bodies (in jsMain/nativeMain/wasmJsMain, if any) fall outside this JVM | |
| # extraction; CodeQL can't extract those targets, and they are covered by the CI test matrix instead. | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| schedule: | |
| # Weekly re-scan (Mondays 03:19 UTC) so newly published CodeQL queries flag issues even on a | |
| # week with no code change. Off-the-hour to avoid the top-of-hour scheduling congestion. | |
| - cron: '19 3 * * 1' | |
| # A newer push to the same PR ref cancels an in-flight scan instead of stacking concurrent analyses; | |
| # main runs are never cancelled, so every default-branch commit keeps its own recorded CodeQL result. | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} | |
| # Least privilege by default; the analyze job widens to what code-scanning upload needs. | |
| permissions: | |
| contents: read | |
| jobs: | |
| analyze: | |
| name: Analyze (Java/Kotlin) | |
| runs-on: ubuntu-latest | |
| # A wedged extractor or build should fail fast rather than burn the 6-hour default. | |
| timeout-minutes: 30 | |
| permissions: | |
| # Upload the SARIF results to the repository's code-scanning alerts. | |
| security-events: write | |
| # Read workflow run metadata (required by CodeQL on private repos; harmless here). | |
| actions: read | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v7 | |
| - uses: actions/setup-java@v5 | |
| with: | |
| # Match the CI jobs: Gradle runs on Corretto 21 (the module's jvmToolchain(21)). | |
| distribution: corretto | |
| java-version: '21' | |
| # Default (Enhanced Caching, gradle-actions-caching): free for public repos, no extra config | |
| # needed, and it caches GRADLE_USER_HOME (dependencies, wrapper distributions, build cache). | |
| - uses: gradle/actions/setup-gradle@v6 | |
| # Initialise the CodeQL tracer BEFORE the build so the Kotlin/Java compilation is extracted. | |
| # 'java' is CodeQL's identifier for the Java/Kotlin extractor (it analyses Kotlin too). | |
| # Pinned to the codeql-action's current major (@v4 → latest 4.x), matching how every other | |
| # action here is pinned by major tag. The action version and the CodeQL CLI *bundle* version are | |
| # separate schemes: @v4 selects the action, which ships a recent CLI bundle (2.26.x) on its own. | |
| # (The previous @v2.26.0 pinned the long-deprecated v2 *action* — not the 2.26.0 CLI bundle it | |
| # was mistaken for.) | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: java | |
| # v4's explicit mode for a compiled language whose database is built by manual commands | |
| # between init and analyze (the `compileKotlinJvm` step below), never by autobuild — which | |
| # would build the whole KMP project. Omitting it works too (the tracer path is identical for | |
| # Java), but declaring it self-documents that autobuild is deliberately avoided. | |
| build-mode: manual | |
| # security-and-quality query suite + generated-code exclusions. | |
| config-file: ./.github/codeql/codeql-config.yml | |
| # Manual traced build instead of autobuild: compile only the JVM target of every module | |
| # (compileKotlinJvm runs in :kuri and :kuri-bind). Autobuild would run the whole KMP build, | |
| # including the native/JS/Wasm targets CodeQL can't extract. --no-build-cache forces a real | |
| # compile (the project has the Gradle build cache on, which would otherwise serve cached | |
| # classes and leave the tracer nothing to see); --no-daemon keeps compilation in the traced | |
| # build process rather than a pre-existing untraced daemon. | |
| - name: Compile JVM sources for CodeQL | |
| run: ./gradlew compileKotlinJvm --no-daemon --no-build-cache --stacktrace | |
| - name: Perform CodeQL analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:java" |