katipally · katipally · Jun 9, 2026 · Jun 9, 2026
@@ -0,0 +1,82 @@
+name: CodeQL
+
+# Static security analysis. Two independent analyses run in parallel:
+#   • swift   — the macOS app + DoomCoderCore (compiled, then queried for
+#               security issues: injection, unsafe APIs, data flow, etc.)
+#   • actions — the workflow files themselves (script injection, untrusted
+#               ${{ }} interpolation, over-broad permissions). This is what
+#               would have flagged the old release-drafter pull_request_target.
+#
+# Findings appear in the repo's Security tab and as annotations on PRs.
+# Uses the default (high-confidence) query suite — no "extended" pack — so
+# results stay actionable rather than noisy.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly re-scan catches newly-published CodeQL queries against code that
+    # hasn't changed. Fixed time (not randomized) so runs are predictable.
+    - cron: "23 5 * * 1"
+
+# Least privilege at the workflow level; the job widens only what it needs.
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 60
+    permissions:
+      security-events: write   # upload SARIF results
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: swift
+            runner: macos-26
+            build-mode: manual
+          - language: actions
+            runner: ubuntu-latest
+            build-mode: none
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+
+      # Swift is a compiled language: CodeQL can only see what the compiler
+      # sees, so we build under its tracer. Mirrors the Build Mac (Debug) job
+      # in ci.yml exactly — same scheme, same no-signing flags — so if CI
+      # builds, this builds.
+      - name: Build Swift
+        if: matrix.language == 'swift'
+        run: |
+          sudo xcode-select -s /Applications/Xcode.app
+          xcodebuild -resolvePackageDependencies \
+            -project DoomCoder.xcodeproj \
+            -scheme DoomCoder
+          xcodebuild \
+            -project DoomCoder.xcodeproj \
+            -scheme DoomCoder \
+            -configuration Debug \
+            -destination 'platform=macOS' \
+            CODE_SIGN_IDENTITY="-" \
+            CODE_SIGNING_REQUIRED=NO \
+            CODE_SIGNING_ALLOWED=YES \
+            build
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
@@ -0,0 +1,36 @@
+name: Dependency Review
+
+# On every PR, diff the dependency manifests (Swift Package.resolved, GitHub
+# Actions versions) and fail if the PR introduces a dependency with a known
+# vulnerability or a license outside our allowlist. This is the supply-chain
+# complement to CodeQL: CodeQL audits *our* code, this audits what we pull in.
+#
+# Free for public repositories (uses GitHub's dependency graph). Only runs on
+# pull_request, so it can never block a release.
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    name: Review dependency changes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          # Block PRs that add a dependency with a moderate-or-worse advisory.
+          fail-on-severity: moderate
+          # Deny only strong-copyleft licenses that are genuinely incompatible
+          # with shipping a closed-source signed app under MIT. A deny-list
+          # (not an allow-list) avoids false-blocking the many benign permissive
+          # licenses we'd otherwise have to enumerate and keep current.
+          deny-licenses: GPL-2.0, GPL-3.0, AGPL-3.0, LGPL-2.1, LGPL-3.0
+          comment-summary-in-pr: on-failure