From 19cc3b8a33a7e05860207f50eb0932f2156c5d0d Mon Sep 17 00:00:00 2001
From: katipally
Date: Tue, 9 Jun 2026 05:11:42 -0700
Subject: [PATCH] ci(security): add CodeQL (Swift + Actions) and Dependency Review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CodeQL: parallel analysis of (1) Swift — the app + DoomCoderCore, built under the CodeQL tracer mirroring the existing CI build, and (2) Actions — the workflow files, which catches script-injection / unsafe ${{ }} interpolation / over-broad tokens (the class of bug the old release-drafter pull_request_target trigger was). Default high-confidence query suite to stay actionable, weekly scheduled re-scan, least-privilege permissions.
Dependency Review: on each PR, fails if it introduces a dependency with a known moderate+ advisory or a strong-copyleft license. Supply-chain complement to CodeQL; PR-only so it never blocks a release.
Co-Authored-By: Claude Opus 4.8
---
.github/workflows/codeql.yml | 82 +++++++++++++++++++++++++
.github/workflows/dependency-review.yml | 36 +++++++++++
2 files changed, 118 insertions(+)
create mode 100644 .github/workflows/codeql.yml
create mode 100644 .github/workflows/dependency-review.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..ce6a0f5
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,82 @@
+name: CodeQL
+
+# Static security analysis. Two independent analyses run in parallel:
+# • swift — the macOS app + DoomCoderCore (compiled, then queried for
+# security issues: injection, unsafe APIs, data flow, etc.)
+# • actions — the workflow files themselves (script injection, untrusted
+# ${{ }} interpolation, over-broad permissions). This is what
+# would have flagged the old release-drafter pull_request_target.
+#
+# Findings appear in the repo's Security tab and as annotations on PRs.
+# Uses the default (high-confidence) query suite — no "extended" pack — so
+# results stay actionable rather than noisy.
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ # Weekly re-scan catches newly-published CodeQL queries against code that
+ # hasn't changed. Fixed time (not randomized) so runs are predictable.
+ - cron: "23 5 * * 1"
+
+# Least privilege at the workflow level; the job widens only what it needs.
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ${{ matrix.runner }}
+ timeout-minutes: 60
+ permissions:
+ security-events: write # upload SARIF results
+ actions: read
+ contents: read
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: swift
+ runner: macos-26
+ build-mode: manual
+ - language: actions
+ runner: ubuntu-latest
+ build-mode: none
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ # Swift is a compiled language: CodeQL can only see what the compiler
+ # sees, so we build under its tracer. Mirrors the Build Mac (Debug) job
+ # in ci.yml exactly — same scheme, same no-signing flags — so if CI
+ # builds, this builds.
+ - name: Build Swift
+ if: matrix.language == 'swift'
+ run: |
+ sudo xcode-select -s /Applications/Xcode.app
+ xcodebuild -resolvePackageDependencies \
+ -project DoomCoder.xcodeproj \
+ -scheme DoomCoder
+ xcodebuild \
+ -project DoomCoder.xcodeproj \
+ -scheme DoomCoder \
+ -configuration Debug \
+ -destination 'platform=macOS' \
+ CODE_SIGN_IDENTITY="-" \
+ CODE_SIGNING_REQUIRED=NO \
+ CODE_SIGNING_ALLOWED=YES \
+ build
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..364bd09
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
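Review bot: Every third-party action in this workflow is pinned by a mutable major tag — `actions/checkout@v6`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3` — so a retagged or compromised release would execute inside a job holding `security-events: write`, which is the first gap a supply-chain-hygiene workflow should close. Pin each step to the full commit SHA of the intended release and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v6`, and let Dependabot's github-actions updates move the SHAs. The Checkout step also leaves the default `persist-credentials: true`, so the job token sits in `.git/config` while `xcodebuild -resolvePackageDependencies` and the build fetch and compile third-party SwiftPM packages along with any build-time scripts or plugins they ship; nothing visible in the hunk uses git with that token afterwards, so add `with: persist-credentials: false` to the Checkout step. As far as I can tell the analyze step's SARIF upload uses the action's own token input rather than the checked-out git credential, so this should not affect the upload, but confirm on the first run.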
@@ -0,0 +1,36 @@
+name: Dependency Review
+
+# On every PR, diff the dependency manifests (Swift Package.resolved, GitHub
+# Actions versions) and fail if the PR introduces a dependency with a known
+# vulnerability or a license outside our allowlist. This is the supply-chain
+# complement to CodeQL: CodeQL audits *our* code, this audits what we pull in.
+#
+# Free for public repositories (uses GitHub's dependency graph). Only runs on
+# pull_request, so it can never block a release.
+
+on:
+ pull_request:
+ branches: [main]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ name: Review dependency changes
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Dependency Review
+ uses: actions/dependency-review-action@v4
+ with:
+ # Block PRs that add a dependency with a moderate-or-worse advisory.
+ fail-on-severity: moderate
+ # Deny only strong-copyleft licenses that are genuinely incompatible
+ # with shipping a closed-source signed app under MIT. A deny-list
+ # (not an allow-list) avoids false-blocking the many benign permissive
+ # licenses we'd otherwise have to enumerate and keep current.
+ deny-licenses: GPL-2.0, GPL-3.0, AGPL-3.0, LGPL-2.1, LGPL-3.0
+ comment-summary-in-pr: on-failure
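Review bot: The `deny-licenses` value uses deprecated bare SPDX identifiers (`GPL-2.0`, `GPL-3.0`, `AGPL-3.0`, `LGPL-2.1`, `LGPL-3.0`) and omits the `-only`/`-or-later` forms that current package metadata declares; if the action compares identifiers rather than evaluating SPDX expressions — worth checking against its license-matching docs — a dependency licensed `GPL-3.0-or-later` or `LGPL-2.1-only` passes review, defeating the stated intent. Listing both variants per family closes the gap: `deny-licenses: GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0-only, LGPL-3.0-or-later`. The header comment also contradicts the configuration — it says the job fails on a license "outside our allowlist" while the step is a deny-list — so that line should read `# vulnerability or a license on our deny-list. This is the supply-chain` to match what the file actually does. Lastly, `actions/checkout@v6` and `actions/dependency-review-action@v4` are tag-pinned like the CodeQL workflow; pin both to full commit SHAs with the tag in a trailing comment so a compromised tag cannot silently change what runs on every PR.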