Setup .NET Core SDK in CodeQL workflow #5
Added .NET Core SDK setup to CodeQL workflow. Signed-off-by: Igor Holt <[email protected]>
❌ Deploy Preview for genesis-conductor failed.
Pull request overview
This pull request adds a CodeQL workflow for automated security and code quality scanning, and attempts to include .NET Core SDK setup. However, the .NET Core SDK setup has critical formatting issues that will prevent the workflow from functioning correctly.
Key Changes:
- Added a new CodeQL workflow file configured to scan Actions and Python code on pushes, pull requests, and weekly schedule
- Attempted to add .NET Core SDK setup step, but with incorrect placement and indentation
- Configured appropriate permissions and matrix strategy for multi-language analysis
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v4 | ||
| with: | ||
| category: "/language:${{matrix.language}}" | ||
| - name: Setup .NET Core SDK | ||
| uses: actions/[email protected] | ||
| with: | ||
| # Optional SDK version(s) to use. If not provided, will install global.json version when available. Examples: 2.2.104, 3.1, 3.1.x, 3.x, 6.0.2xx | ||
| dotnet-version: # optional | ||
| # Optional quality of the build. The possible values are: daily, signed, validated, preview, ga. | ||
| dotnet-quality: # optional | ||
| # Optional global.json location, if your global.json isn't located in the root of the repo. | ||
| global-json-file: # optional | ||
| # Optional package source for which to set up authentication. Will consult any existing NuGet.config in the root of the repo and provide a temporary NuGet.config using the NUGET_AUTH_TOKEN environment variable as a ClearTextPassword | ||
| source-url: # optional | ||
| # Optional OWNER for using packages from GitHub Package Registry organizations/users other than the current repository's owner. Only used if a GPR URL is also provided in source-url | ||
| owner: # optional | ||
| # Optional NuGet.config location, if your NuGet.config isn't located in the root of the repo. | ||
| config-file: # optional | ||
| # Optional input to enable caching of the NuGet global-packages folder | ||
| cache: # optional | ||
| # Used to specify the path to a dependency file: packages.lock.json. Supports wildcards or a list of file names for caching multiple dependencies. | ||
| cache-dependency-path: # optional | ||
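Review bot: the `uses: actions/[email protected]` reference at the top of this step is not a usable action reference as it appears here (the version part is garbled in this view); restore the intended `actions/setup-dotnet@<version>` before merging, and prefer pinning both it and `github/codeql-action/analyze@v4` to a full commit SHA with the tag kept in a trailing comment, since a retagged release would otherwise silently change what runs in a workflow that uploads code scanning results. Separately, every input under `with:` (`dotnet-version`, `dotnet-quality`, `global-json-file`, `source-url`, `owner`, `config-file`, `cache`, `cache-dependency-path`) is left as an empty key followed by the marketplace placeholder comment, which YAML parses as null, so the step is effectively unconfigured: set `dotnet-version` explicitly (or commit a global.json) and delete the unused keys rather than shipping the scaffold.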
Copilot (AI), Dec 31, 2025
The .NET Core SDK setup step has incorrect indentation and is placed after the CodeQL Analysis step has already started. This step appears to be part of the "with" block for the CodeQL analyze action (line 100), but should be a separate step. The indentation should align with other steps (starting at column 5 with "- name:"), and it should be positioned before the CodeQL analysis step if .NET analysis is needed.
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| - name: Setup .NET Core SDK | |
| uses: actions/[email protected] | |
| with: | |
| # Optional SDK version(s) to use. If not provided, will install global.json version when available. Examples: 2.2.104, 3.1, 3.1.x, 3.x, 6.0.2xx | |
| dotnet-version: # optional | |
| # Optional quality of the build. The possible values are: daily, signed, validated, preview, ga. | |
| dotnet-quality: # optional | |
| # Optional global.json location, if your global.json isn't located in the root of the repo. | |
| global-json-file: # optional | |
| # Optional package source for which to set up authentication. Will consult any existing NuGet.config in the root of the repo and provide a temporary NuGet.config using the NUGET_AUTH_TOKEN environment variable as a ClearTextPassword | |
| source-url: # optional | |
| # Optional OWNER for using packages from GitHub Package Registry organizations/users other than the current repository's owner. Only used if a GPR URL is also provided in source-url | |
| owner: # optional | |
| # Optional NuGet.config location, if your NuGet.config isn't located in the root of the repo. | |
| config-file: # optional | |
| # Optional input to enable caching of the NuGet global-packages folder | |
| cache: # optional | |
| # Used to specify the path to a dependency file: packages.lock.json. Supports wildcards or a list of file names for caching multiple dependencies. | |
| cache-dependency-path: # optional | |
| - name: Setup .NET Core SDK | |
| uses: actions/[email protected] | |
| with: | |
| # Optional SDK version(s) to use. If not provided, will install global.json version when available. Examples: 2.2.104, 3.1, 3.1.x, 3.x, 6.0.2xx | |
| dotnet-version: # optional | |
| # Optional quality of the build. The possible values are: daily, signed, validated, preview, ga. | |
| dotnet-quality: # optional | |
| # Optional global.json location, if your global.json isn't located in the root of the repo. | |
| global-json-file: # optional | |
| # Optional package source for which to set up authentication. Will consult any existing NuGet.config in the root of the repo and provide a temporary NuGet.config using the NUGET_AUTH_TOKEN environment variable as a ClearTextPassword | |
| source-url: # optional | |
| # Optional OWNER for using packages from GitHub Package Registry organizations/users other than the current repository's owner. Only used if a GPR URL is also provided in source-url | |
| owner: # optional | |
| # Optional NuGet.config location, if your NuGet.config isn't located in the root of the repo. | |
| config-file: # optional | |
| # Optional input to enable caching of the NuGet global-packages folder | |
| cache: # optional | |
| # Used to specify the path to a dependency file: packages.lock.json. Supports wildcards or a list of file names for caching multiple dependencies. | |
| cache-dependency-path: # optional | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:${{matrix.language}}" |
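Review bot: the reordered version at the bottom of this view, where `Setup .NET Core SDK` comes directly before `Perform CodeQL Analysis`, fixes the nesting but is still too late for a compiled language: CodeQL for C# needs the SDK present before the build it traces, which runs between `codeql-action/init` and `codeql-action/analyze`, so the step belongs ahead of init/autobuild (or ahead of a manual `dotnet build`), ideally guarded with `if: matrix.language == 'csharp'` so the `actions` and `python` matrix legs do not install an SDK they never use. The all-empty `with:` inputs are carried over unchanged in the reordered copy and should be trimmed at the same time.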
| - name: Setup .NET Core SDK | ||
| uses: actions/[email protected] | ||
| with: | ||
| # Optional SDK version(s) to use. If not provided, will install global.json version when available. Examples: 2.2.104, 3.1, 3.1.x, 3.x, 6.0.2xx | ||
| dotnet-version: # optional | ||
| # Optional quality of the build. The possible values are: daily, signed, validated, preview, ga. | ||
| dotnet-quality: # optional | ||
| # Optional global.json location, if your global.json isn't located in the root of the repo. | ||
| global-json-file: # optional | ||
| # Optional package source for which to set up authentication. Will consult any existing NuGet.config in the root of the repo and provide a temporary NuGet.config using the NUGET_AUTH_TOKEN environment variable as a ClearTextPassword | ||
| source-url: # optional | ||
| # Optional OWNER for using packages from GitHub Package Registry organizations/users other than the current repository's owner. Only used if a GPR URL is also provided in source-url | ||
| owner: # optional | ||
| # Optional NuGet.config location, if your NuGet.config isn't located in the root of the repo. | ||
| config-file: # optional | ||
| # Optional input to enable caching of the NuGet global-packages folder | ||
| cache: # optional | ||
| # Used to specify the path to a dependency file: packages.lock.json. Supports wildcards or a list of file names for caching multiple dependencies. | ||
| cache-dependency-path: # optional | ||
Copilot (AI), Dec 31, 2025
The .NET Core SDK setup is being added but the workflow matrix only includes 'actions' and 'python' languages. If this SDK setup is intended to support C# or .NET analysis, you need to add a corresponding entry to the matrix with 'csharp' as the language. Otherwise, this setup step serves no purpose in the current configuration.
| - name: Setup .NET Core SDK | |
| uses: actions/[email protected] | |
| with: | |
| # Optional SDK version(s) to use. If not provided, will install global.json version when available. Examples: 2.2.104, 3.1, 3.1.x, 3.x, 6.0.2xx | |
| dotnet-version: # optional | |
| # Optional quality of the build. The possible values are: daily, signed, validated, preview, ga. | |
| dotnet-quality: # optional | |
| # Optional global.json location, if your global.json isn't located in the root of the repo. | |
| global-json-file: # optional | |
| # Optional package source for which to set up authentication. Will consult any existing NuGet.config in the root of the repo and provide a temporary NuGet.config using the NUGET_AUTH_TOKEN environment variable as a ClearTextPassword | |
| source-url: # optional | |
| # Optional OWNER for using packages from GitHub Package Registry organizations/users other than the current repository's owner. Only used if a GPR URL is also provided in source-url | |
| owner: # optional | |
| # Optional NuGet.config location, if your NuGet.config isn't located in the root of the repo. | |
| config-file: # optional | |
| # Optional input to enable caching of the NuGet global-packages folder | |
| cache: # optional | |
| # Used to specify the path to a dependency file: packages.lock.json. Supports wildcards or a list of file names for caching multiple dependencies. | |
| cache-dependency-path: # optional | |
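Review bot: agreeing with the matrix point above, two additions. First, adding `csharp` to the matrix is not sufficient on its own: the workflow also needs a build phase CodeQL can observe (`codeql-action/autobuild` or an explicit `dotnet build`) after `codeql-action/init`, otherwise the C# leg has nothing to analyze. Second, `source-url` and `owner` should be removed rather than left as empty placeholders; if a private feed is ever needed, the comment in this hunk itself notes that the action writes `NUGET_AUTH_TOKEN` into a temporary NuGet.config as a `ClearTextPassword`, so the token must come from `env: NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` with `packages: read` granted in `permissions`, never as a literal in the workflow file.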
This pull request adds a new GitHub Actions workflow for CodeQL analysis, enabling automated security and code quality scanning for the repository. The workflow is set up to run on pushes, pull requests, and a weekly schedule, and supports both Actions and Python code scanning.
Security and code analysis automation:
.github/workflows/codeql.yml to define a CodeQL workflow that scans for security vulnerabilities and code quality issues on pushes, pull requests, and a weekly schedule. The workflow supports the 'actions' and 'python' languages, and is configured to use the appropriate runners and permissions for analysis.
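For reference, the shape the review comments above are asking for, as an added example and not the PR's own `.github/workflows/codeql.yml`: the SDK step runs only on a `csharp` matrix leg and before CodeQL's init and autobuild, the placeholder inputs are dropped, and every third-party action is pinned to a commit. The trigger branches, cron expression, `dotnet-version`, and the `<full-commit-sha>` placeholders are assumptions to be replaced with the repository's real values.

```yaml
name: "CodeQL"

on:
  push:
    branches: [ "main" ]          # assumed; use the PR's actual branch filter
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "0 3 * * 1"           # weekly; the PR's real cron is not shown on the page

permissions:
  contents: read                  # default for all jobs; widened per job below

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      security-events: write      # required to upload code scanning results
      actions: read
      contents: read
      packages: read              # only needed if setup-dotnet ever uses source-url
    strategy:
      fail-fast: false
      matrix:
        language: [ "actions", "python", "csharp" ]   # csharp added only if .NET analysis is wanted
    steps:
      - name: Checkout
        # <full-commit-sha> is a placeholder: pin to the audited commit of the tag in the comment
        uses: actions/checkout@<full-commit-sha>                   # v4

      # The SDK must exist before CodeQL's init/autobuild, and only the compiled leg needs it.
      - name: Setup .NET SDK
        if: matrix.language == 'csharp'
        uses: actions/setup-dotnet@<full-commit-sha>               # v4
        with:
          dotnet-version: "8.0.x"                                  # assumed; match the project's SDK

      - name: Initialize CodeQL
        uses: github/codeql-action/init@<full-commit-sha>          # v4
        with:
          languages: ${{ matrix.language }}

      # CodeQL traces the build for compiled languages; interpreted legs skip this step.
      - name: Autobuild
        if: matrix.language == 'csharp'
        uses: github/codeql-action/autobuild@<full-commit-sha>     # v4

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@<full-commit-sha>       # v4
        with:
          category: "/language:${{matrix.language}}"
```

The `if:` guards keep the `actions` and `python` legs unchanged from what the PR already runs; only the `csharp` leg pays for the SDK install and the traced build. If C# analysis is not actually wanted, drop `csharp` from the matrix and delete the two guarded steps rather than keeping an unused SDK install in the workflow.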