Skip to content

feat: add a documentation site (Astro + Starlight) #45

feat: add a documentation site (Astro + Starlight)

feat: add a documentation site (Astro + Starlight) #45

Workflow file for this run

name: CodeQL
# CodeQL SAST (static application security testing) for the JVM (Java + Kotlin) surface of kuri,
# plus CodeQL's reliability/maintainability queries — the query suite is set to security-and-quality
# in .github/codeql/codeql-config.yml. CodeQL only extracts JVM-bytecode-producing compilation; in
# this KMP project all production code is common + jvm Kotlin (the whole parsing engine lives in
# commonMain, and the reflective binder in kuri-bind's jvmMain), which the JVM target compiles, so a
# single traced JVM build covers commonMain + jvmMain — the entire security-relevant surface. Only
# platform-specific `actual` bodies (in jsMain/nativeMain/wasmJsMain, if any) fall outside this JVM
# extraction; CodeQL can't extract those targets, and they are covered by the CI test matrix instead.
on:
push:
branches: [ main ]
pull_request:
schedule:
# Weekly re-scan (Mondays 03:19 UTC) so newly published CodeQL queries flag issues even on a
# week with no code change. Off-the-hour to avoid the top-of-hour scheduling congestion.
- cron: '19 3 * * 1'
# A newer push to the same PR ref cancels an in-flight scan instead of stacking concurrent analyses;
# main runs are never cancelled, so every default-branch commit keeps its own recorded CodeQL result.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
# Least privilege by default; the analyze job widens to what code-scanning upload needs.
permissions:
contents: read
jobs:
analyze:
name: Analyze (Java/Kotlin)
runs-on: ubuntu-latest
# A wedged extractor or build should fail fast rather than burn the 6-hour default.
timeout-minutes: 30
permissions:
# Upload the SARIF results to the repository's code-scanning alerts.
security-events: write
# Read workflow run metadata (required by CodeQL on private repos; harmless here).
actions: read
contents: read
steps:
- uses: actions/checkout@v7
- uses: actions/setup-java@v5
with:
# Match the CI jobs: Gradle runs on Corretto 21 (the module's jvmToolchain(21)).
distribution: corretto
java-version: '21'
# Default (Enhanced Caching, gradle-actions-caching): free for public repos, no extra config
# needed, and it caches GRADLE_USER_HOME (dependencies, wrapper distributions, build cache).
- uses: gradle/actions/setup-gradle@v6
# Initialise the CodeQL tracer BEFORE the build so the Kotlin/Java compilation is extracted.
# 'java' is CodeQL's identifier for the Java/Kotlin extractor (it analyses Kotlin too).
# Pinned to the codeql-action's current major (@v4 → latest 4.x), matching how every other
# action here is pinned by major tag. The action version and the CodeQL CLI *bundle* version are
# separate schemes: @v4 selects the action, which ships a recent CLI bundle (2.26.x) on its own.
# (The previous @v2.26.0 pinned the long-deprecated v2 *action* — not the 2.26.0 CLI bundle it
# was mistaken for.)
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: java
# v4's explicit mode for a compiled language whose database is built by manual commands
# between init and analyze (the `compileKotlinJvm` step below), never by autobuild — which
# would build the whole KMP project. Omitting it works too (the tracer path is identical for
# Java), but declaring it self-documents that autobuild is deliberately avoided.
build-mode: manual
# security-and-quality query suite + generated-code exclusions.
config-file: ./.github/codeql/codeql-config.yml
# Manual traced build instead of autobuild: compile only the JVM target of every module
# (compileKotlinJvm runs in :kuri and :kuri-bind). Autobuild would run the whole KMP build,
# including the native/JS/Wasm targets CodeQL can't extract. --no-build-cache forces a real
# compile (the project has the Gradle build cache on, which would otherwise serve cached
# classes and leave the tracer nothing to see); --no-daemon keeps compilation in the traced
# build process rather than a pre-existing untraced daemon.
- name: Compile JVM sources for CodeQL
run: ./gradlew compileKotlinJvm --no-daemon --no-build-cache --stacktrace
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:java"